public inbox for git-commits@fedoraproject.org
help / color / mirror / Atom feed
* [rpms/openssl] rebase_40beta: update to the latest 1.1.1 beta version
@ 2026-06-09 12:44 Tomas Mraz
0 siblings, 0 replies; 2+ messages in thread
From: Tomas Mraz @ 2026-06-09 12:44 UTC (permalink / raw)
To: git-commits
A new commit has been pushed.
Repo : rpms/openssl
Branch : rebase_40beta
Commit : 9189f03055d4d55949fb897a1049b800327a312f
Author : Tomas Mraz <tmraz@fedoraproject.org>
Date : 2018-07-25T18:15:19+02:00
Stats : +13578/-14002 in 28 file(s)
URL : https://src.fedoraproject.org/rpms/openssl/c/9189f03055d4d55949fb897a1049b800327a312f?branch=rebase_40beta
Log:
update to the latest 1.1.1 beta version
---
diff --git a/.gitignore b/.gitignore
index c5509e6..8bacadc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -38,3 +38,4 @@ openssl-1.0.0a-usa.tar.bz2
/openssl-1.1.0f-hobbled.tar.xz
/openssl-1.1.0g-hobbled.tar.xz
/openssl-1.1.0h-hobbled.tar.xz
+/openssl-1.1.1-pre8-hobbled.tar.xz
diff --git a/ec_curve.c b/ec_curve.c
index abee205..7303fe9 100644
--- a/ec_curve.c
+++ b/ec_curve.c
@@ -1,5 +1,6 @@
/*
- * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -7,26 +8,12 @@
* https://www.openssl.org/source/license.html
*/
-/* ====================================================================
- * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
- *
- * Portions of the attached software ("Contribution") are developed by
- * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
- *
- * The Contribution is licensed pursuant to the OpenSSL open source
- * license provided above.
- *
- * The elliptic curve binary polynomial software is originally written by
- * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
- *
- */
-
#include <string.h>
#include "ec_lcl.h"
#include <openssl/err.h>
#include <openssl/obj_mac.h>
#include <openssl/opensslconf.h>
-#include "e_os.h"
+#include "internal/nelem.h"
typedef struct {
int field_type, /* either NID_X9_62_prime_field or
@@ -350,6 +337,8 @@ static EC_GROUP *ec_group_new_from_data(const ec_list_element curve)
}
#endif
+ EC_GROUP_set_curve_name(group, curve.nid);
+
if ((P = EC_POINT_new(group)) == NULL) {
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
goto err;
@@ -415,8 +404,6 @@ EC_GROUP *EC_GROUP_new_by_curve_name(int nid)
return NULL;
}
- EC_GROUP_set_curve_name(ret, nid);
-
return ret;
}
diff --git a/ectest.c b/ectest.c
index de00680..c3ac7c6 100644
--- a/ectest.c
+++ b/ectest.c
@@ -1,5 +1,6 @@
/*
- * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -7,38 +8,10 @@
* https://www.openssl.org/source/license.html
*/
-/* ====================================================================
- * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
- *
- * Portions of the attached software ("Contribution") are developed by
- * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
- *
- * The Contribution is licensed pursuant to the OpenSSL open source
- * license provided above.
- *
- * The elliptic curve binary polynomial software is originally written by
- * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
- *
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#ifdef FLAT_INC
-# include "e_os.h"
-#else
-# include "../e_os.h"
-#endif
-#include <string.h>
-#include <time.h>
-
-#ifdef OPENSSL_NO_EC
-int main(int argc, char *argv[])
-{
- puts("Elliptic curves are disabled.");
- return 0;
-}
-#else
+#include "internal/nelem.h"
+#include "testutil.h"
+#ifndef OPENSSL_NO_EC
# include <openssl/ec.h>
# ifndef OPENSSL_NO_ENGINE
# include <openssl/engine.h>
@@ -50,119 +23,80 @@ int main(int argc, char *argv[])
# include <openssl/bn.h>
# include <openssl/opensslconf.h>
-# if defined(_MSC_VER) && defined(_MIPS_) && (_MSC_VER/100==12)
-/* suppress "too big too optimize" warning */
-# pragma warning(disable:4959)
-# endif
-
-# define ABORT do { \
- fflush(stdout); \
- fprintf(stderr, "%s:%d: ABORT\n", __FILE__, __LINE__); \
- ERR_print_errors_fp(stderr); \
- EXIT(1); \
-} while (0)
-
-# define TIMING_BASE_PT 0
-# define TIMING_RAND_PT 1
-# define TIMING_SIMUL 2
+static size_t crv_len = 0;
+static EC_builtin_curve *curves = NULL;
/* test multiplication with group order, long and negative scalars */
-static void group_order_tests(EC_GROUP *group)
+static int group_order_tests(EC_GROUP *group)
{
- BIGNUM *n1, *n2, *order;
- EC_POINT *P = EC_POINT_new(group);
- EC_POINT *Q = EC_POINT_new(group);
- EC_POINT *R = EC_POINT_new(group);
- EC_POINT *S = EC_POINT_new(group);
- BN_CTX *ctx = BN_CTX_new();
- int i;
-
- n1 = BN_new();
- n2 = BN_new();
- order = BN_new();
- fprintf(stdout, "verify group order ...");
- fflush(stdout);
- if (!EC_GROUP_get_order(group, order, ctx))
- ABORT;
- if (!EC_POINT_mul(group, Q, order, NULL, NULL, ctx))
- ABORT;
- if (!EC_POINT_is_at_infinity(group, Q))
- ABORT;
- fprintf(stdout, ".");
- fflush(stdout);
- if (!EC_GROUP_precompute_mult(group, ctx))
- ABORT;
- if (!EC_POINT_mul(group, Q, order, NULL, NULL, ctx))
- ABORT;
- if (!EC_POINT_is_at_infinity(group, Q))
- ABORT;
- fprintf(stdout, " ok\n");
- fprintf(stdout, "long/negative scalar tests ");
+ BIGNUM *n1 = NULL, *n2 = NULL, *order = NULL;
+ EC_POINT *P = NULL, *Q = NULL, *R = NULL, *S = NULL;
+ BN_CTX *ctx = NULL;
+ int i = 0, r = 0;
+
+ if (!TEST_ptr(n1 = BN_new())
+ || !TEST_ptr(n2 = BN_new())
+ || !TEST_ptr(order = BN_new())
+ || !TEST_ptr(ctx = BN_CTX_new())
+ || !TEST_ptr(P = EC_POINT_new(group))
+ || !TEST_ptr(Q = EC_POINT_new(group))
+ || !TEST_ptr(R = EC_POINT_new(group))
+ || !TEST_ptr(S = EC_POINT_new(group)))
+ goto err;
+
+ if (!TEST_true(EC_GROUP_get_order(group, order, ctx))
+ || !TEST_true(EC_POINT_mul(group, Q, order, NULL, NULL, ctx))
+ || !TEST_true(EC_POINT_is_at_infinity(group, Q))
+ || !TEST_true(EC_GROUP_precompute_mult(group, ctx))
+ || !TEST_true(EC_POINT_mul(group, Q, order, NULL, NULL, ctx))
+ || !TEST_true(EC_POINT_is_at_infinity(group, Q)))
+ goto err;
+
for (i = 1; i <= 2; i++) {
const BIGNUM *scalars[6];
const EC_POINT *points[6];
- fprintf(stdout, i == 1 ?
- "allowing precomputation ... " :
- "without precomputation ... ");
- if (!BN_set_word(n1, i))
- ABORT;
- /*
- * If i == 1, P will be the predefined generator for which
- * EC_GROUP_precompute_mult has set up precomputation.
- */
- if (!EC_POINT_mul(group, P, n1, NULL, NULL, ctx))
- ABORT;
-
- if (!BN_one(n1))
- ABORT;
- /* n1 = 1 - order */
- if (!BN_sub(n1, n1, order))
- ABORT;
- if (!EC_POINT_mul(group, Q, NULL, P, n1, ctx))
- ABORT;
- if (0 != EC_POINT_cmp(group, Q, P, ctx))
- ABORT;
-
- /* n2 = 1 + order */
- if (!BN_add(n2, order, BN_value_one()))
- ABORT;
- if (!EC_POINT_mul(group, Q, NULL, P, n2, ctx))
- ABORT;
- if (0 != EC_POINT_cmp(group, Q, P, ctx))
- ABORT;
-
- /* n2 = (1 - order) * (1 + order) = 1 - order^2 */
- if (!BN_mul(n2, n1, n2, ctx))
- ABORT;
- if (!EC_POINT_mul(group, Q, NULL, P, n2, ctx))
- ABORT;
- if (0 != EC_POINT_cmp(group, Q, P, ctx))
- ABORT;
+ if (!TEST_true(BN_set_word(n1, i))
+ /*
+ * If i == 1, P will be the predefined generator for which
+ * EC_GROUP_precompute_mult has set up precomputation.
+ */
+ || !TEST_true(EC_POINT_mul(group, P, n1, NULL, NULL, ctx))
+ || !TEST_true(BN_one(n1))
+ /* n1 = 1 - order */
+ || !TEST_true(BN_sub(n1, n1, order))
+ || !TEST_true(EC_POINT_mul(group, Q, NULL, P, n1, ctx))
+ || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx))
+
+ /* n2 = 1 + order */
+ || !TEST_true(BN_add(n2, order, BN_value_one()))
+ || !TEST_true(EC_POINT_mul(group, Q, NULL, P, n2, ctx))
+ || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx))
+
+ /* n2 = (1 - order) * (1 + order) = 1 - order^2 */
+ || !TEST_true(BN_mul(n2, n1, n2, ctx))
+ || !TEST_true(EC_POINT_mul(group, Q, NULL, P, n2, ctx))
+ || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx)))
+ goto err;
/* n2 = order^2 - 1 */
BN_set_negative(n2, 0);
- if (!EC_POINT_mul(group, Q, NULL, P, n2, ctx))
- ABORT;
- /* Add P to verify the result. */
- if (!EC_POINT_add(group, Q, Q, P, ctx))
- ABORT;
- if (!EC_POINT_is_at_infinity(group, Q))
- ABORT;
-
- /* Exercise EC_POINTs_mul, including corner cases. */
- if (EC_POINT_is_at_infinity(group, P))
- ABORT;
+ if (!TEST_true(EC_POINT_mul(group, Q, NULL, P, n2, ctx))
+ /* Add P to verify the result. */
+ || !TEST_true(EC_POINT_add(group, Q, Q, P, ctx))
+ || !TEST_true(EC_POINT_is_at_infinity(group, Q))
+
+ /* Exercise EC_POINTs_mul, including corner cases. */
+ || !TEST_false(EC_POINT_is_at_infinity(group, P)))
+ goto err;
scalars[0] = scalars[1] = BN_value_one();
points[0] = points[1] = P;
- if (!EC_POINTs_mul(group, R, NULL, 2, points, scalars, ctx))
- ABORT;
- if (!EC_POINT_dbl(group, S, points[0], ctx))
- ABORT;
- if (0 != EC_POINT_cmp(group, R, S, ctx))
- ABORT;
+ if (!TEST_true(EC_POINTs_mul(group, R, NULL, 2, points, scalars, ctx))
+ || !TEST_true(EC_POINT_dbl(group, S, points[0], ctx))
+ || !TEST_int_eq(0, EC_POINT_cmp(group, R, S, ctx)))
+ goto err;
scalars[0] = n1;
points[0] = Q; /* => infinity */
@@ -176,13 +110,16 @@ static void group_order_tests(EC_GROUP *group)
points[4] = P; /* => P */
scalars[5] = n2;
points[5] = Q; /* => infinity */
- if (!EC_POINTs_mul(group, P, NULL, 6, points, scalars, ctx))
- ABORT;
- if (!EC_POINT_is_at_infinity(group, P))
- ABORT;
+ if (!TEST_true(EC_POINTs_mul(group, P, NULL, 6, points, scalars, ctx))
+ || !TEST_true(EC_POINT_is_at_infinity(group, P)))
+ goto err;
}
- fprintf(stdout, "ok\n");
+ r = 1;
+err:
+ if (r == 0 && i != 0)
+ TEST_info(i == 1 ? "allowing precomputation" :
+ "without precomputation");
EC_POINT_free(P);
EC_POINT_free(Q);
EC_POINT_free(R);
@@ -191,427 +128,306 @@ static void group_order_tests(EC_GROUP *group)
BN_free(n2);
BN_free(order);
BN_CTX_free(ctx);
+ return r;
}
-static void prime_field_tests(void)
+static int prime_field_tests(void)
{
BN_CTX *ctx = NULL;
- BIGNUM *p, *a, *b;
- EC_GROUP *group;
- EC_GROUP *P_160 = NULL, *P_192 = NULL, *P_224 = NULL, *P_256 =
- NULL, *P_384 = NULL, *P_521 = NULL;
- EC_POINT *P, *Q, *R;
- BIGNUM *x, *y, *z, *yplusone;
+ BIGNUM *p = NULL, *a = NULL, *b = NULL, *scalar3 = NULL;
+ EC_GROUP *group = NULL, *tmp = NULL;
+ EC_GROUP *P_160 = NULL, *P_192 = NULL, *P_224 = NULL,
+ *P_256 = NULL, *P_384 = NULL, *P_521 = NULL;
+ EC_POINT *P = NULL, *Q = NULL, *R = NULL;
+ BIGNUM *x = NULL, *y = NULL, *z = NULL, *yplusone = NULL;
+ const EC_POINT *points[4];
+ const BIGNUM *scalars[4];
unsigned char buf[100];
- size_t i, len;
+ size_t len, r = 0;
int k;
- ctx = BN_CTX_new();
- if (!ctx)
- ABORT;
-
- p = BN_new();
- a = BN_new();
- b = BN_new();
- if (!p || !a || !b)
- ABORT;
-
- group = EC_GROUP_new(EC_GFp_mont_method()); /* applications should use
- * EC_GROUP_new_curve_GFp so
- * that the library gets to
- * choose the EC_METHOD */
- if (!group)
- ABORT;
-
- P = EC_POINT_new(group);
- Q = EC_POINT_new(group);
- R = EC_POINT_new(group);
- if (!P || !Q || !R)
- ABORT;
-
- x = BN_new();
- y = BN_new();
- z = BN_new();
- yplusone = BN_new();
- if (x == NULL || y == NULL || z == NULL || yplusone == NULL)
- ABORT;
+ if (!TEST_ptr(ctx = BN_CTX_new())
+ || !TEST_ptr(p = BN_new())
+ || !TEST_ptr(a = BN_new())
+ || !TEST_ptr(b = BN_new())
+ /*
+ * applications should use EC_GROUP_new_curve_GFp so
+ * that the library gets to choose the EC_METHOD
+ */
+ || !TEST_ptr(group = EC_GROUP_new(EC_GFp_mont_method()))
+ || !TEST_ptr(tmp = EC_GROUP_new(EC_GROUP_method_of(group)))
+ || !TEST_true(EC_GROUP_copy(tmp, group)))
+ goto err;
+ EC_GROUP_free(group);
+ group = tmp;
+ tmp = NULL;
+
+ buf[0] = 0;
+ if (!TEST_ptr(P = EC_POINT_new(group))
+ || !TEST_ptr(Q = EC_POINT_new(group))
+ || !TEST_ptr(R = EC_POINT_new(group))
+ || !TEST_ptr(x = BN_new())
+ || !TEST_ptr(y = BN_new())
+ || !TEST_ptr(z = BN_new())
+ || !TEST_ptr(yplusone = BN_new()))
+ goto err;
/* Curve P-224 (FIPS PUB 186-2, App. 6) */
- if (!BN_hex2bn
- (&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001"))
- ABORT;
- if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
- ABORT;
- if (!BN_hex2bn
- (&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE"))
- ABORT;
- if (!BN_hex2bn
- (&b, "B4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4"))
- ABORT;
- if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx))
- ABORT;
-
- if (!BN_hex2bn
- (&x, "B70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21"))
- ABORT;
- if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 0, ctx))
- ABORT;
- if (EC_POINT_is_on_curve(group, P, ctx) <= 0)
- ABORT;
- if (!BN_hex2bn
- (&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D"))
- ABORT;
- if (!EC_GROUP_set_generator(group, P, z, BN_value_one()))
- ABORT;
-
- if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx))
- ABORT;
- fprintf(stdout, "\nNIST curve P-224 -- Generator:\n x = 0x");
- BN_print_fp(stdout, x);
- fprintf(stdout, "\n y = 0x");
- BN_print_fp(stdout, y);
- fprintf(stdout, "\n");
+ if (!TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFF"
+ "FFFFFFFF000000000000000000000001"))
+ || !TEST_int_eq(1, BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
+ || !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFF"
+ "FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE"))
+ || !TEST_true(BN_hex2bn(&b, "B4050A850C04B3ABF5413256"
+ "5044B0B7D7BFD8BA270B39432355FFB4"))
+ || !TEST_true(EC_GROUP_set_curve_GFp(group, p, a, b, ctx))
+ || !TEST_true(BN_hex2bn(&x, "B70E0CBD6BB4BF7F321390B9"
+ "4A03C1D356C21122343280D6115C1D21"))
+ || !TEST_true(EC_POINT_set_compressed_coordinates_GFp(group, P, x, 0,
+ ctx))
+ || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
+ || !TEST_true(BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFF"
+ "FFFF16A2E0B8F03E13DD29455C5C2A3D"))
+ || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
+ || !TEST_true(EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)))
+ goto err;
+
+ TEST_info("NIST curve P-224 -- Generator");
+ test_output_bignum("x", x);
+ test_output_bignum("y", y);
/* G_y value taken from the standard: */
- if (!BN_hex2bn
- (&z, "BD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34"))
- ABORT;
- if (0 != BN_cmp(y, z))
- ABORT;
-
- if (!BN_add(yplusone, y, BN_value_one()))
- ABORT;
+ if (!TEST_true(BN_hex2bn(&z, "BD376388B5F723FB4C22DFE6"
+ "CD4375A05A07476444D5819985007E34"))
+ || !TEST_BN_eq(y, z)
+ || !TEST_true(BN_add(yplusone, y, BN_value_one()))
/*
* When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
* and therefore setting the coordinates should fail.
*/
- if (EC_POINT_set_affine_coordinates_GFp(group, P, x, yplusone, ctx))
- ABORT;
-
- fprintf(stdout, "verify degree ...");
- if (EC_GROUP_get_degree(group) != 224)
- ABORT;
- fprintf(stdout, " ok\n");
-
- group_order_tests(group);
-
- if ((P_224 = EC_GROUP_new(EC_GROUP_method_of(group))) == NULL)
- ABORT;
- if (!EC_GROUP_copy(P_224, group))
- ABORT;
+ || !TEST_false(EC_POINT_set_affine_coordinates_GFp(group, P, x,
+ yplusone, ctx))
+ || !TEST_int_eq(EC_GROUP_get_degree(group), 224)
+ || !group_order_tests(group)
+ || !TEST_ptr(P_224 = EC_GROUP_new(EC_GROUP_method_of(group)))
+ || !TEST_true(EC_GROUP_copy(P_224, group))
/* Curve P-256 (FIPS PUB 186-2, App. 6) */
- if (!BN_hex2bn
- (&p,
- "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF"))
- ABORT;
- if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
- ABORT;
- if (!BN_hex2bn
- (&a,
- "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC"))
- ABORT;
- if (!BN_hex2bn
- (&b,
- "5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B"))
- ABORT;
- if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx))
- ABORT;
-
- if (!BN_hex2bn
- (&x,
- "6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296"))
- ABORT;
- if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx))
- ABORT;
- if (EC_POINT_is_on_curve(group, P, ctx) <= 0)
- ABORT;
- if (!BN_hex2bn(&z, "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E"
- "84F3B9CAC2FC632551"))
- ABORT;
- if (!EC_GROUP_set_generator(group, P, z, BN_value_one()))
- ABORT;
-
- if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx))
- ABORT;
- fprintf(stdout, "\nNIST curve P-256 -- Generator:\n x = 0x");
- BN_print_fp(stdout, x);
- fprintf(stdout, "\n y = 0x");
- BN_print_fp(stdout, y);
- fprintf(stdout, "\n");
+ || !TEST_true(BN_hex2bn(&p, "FFFFFFFF000000010000000000000000"
+ "00000000FFFFFFFFFFFFFFFFFFFFFFFF"))
+ || !TEST_int_eq(1, BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
+ || !TEST_true(BN_hex2bn(&a, "FFFFFFFF000000010000000000000000"
+ "00000000FFFFFFFFFFFFFFFFFFFFFFFC"))
+ || !TEST_true(BN_hex2bn(&b, "5AC635D8AA3A93E7B3EBBD55769886BC"
+ "651D06B0CC53B0F63BCE3C3E27D2604B"))
+ || !TEST_true(EC_GROUP_set_curve_GFp(group, p, a, b, ctx))
+
+ || !TEST_true(BN_hex2bn(&x, "6B17D1F2E12C4247F8BCE6E563A440F2"
+ "77037D812DEB33A0F4A13945D898C296"))
+ || !TEST_true(EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1,
+ ctx))
+ || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
+ || !TEST_true(BN_hex2bn(&z, "FFFFFFFF00000000FFFFFFFFFFFFFFFF"
+ "BCE6FAADA7179E84F3B9CAC2FC632551"))
+ || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
+ || !TEST_true(EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)))
+ goto err;
+
+ TEST_info("NIST curve P-256 -- Generator");
+ test_output_bignum("x", x);
+ test_output_bignum("y", y);
/* G_y value taken from the standard: */
- if (!BN_hex2bn
- (&z,
- "4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5"))
- ABORT;
- if (0 != BN_cmp(y, z))
- ABORT;
-
- if (!BN_add(yplusone, y, BN_value_one()))
- ABORT;
+ if (!TEST_true(BN_hex2bn(&z, "4FE342E2FE1A7F9B8EE7EB4A7C0F9E16"
+ "2BCE33576B315ECECBB6406837BF51F5"))
+ || !TEST_BN_eq(y, z)
+ || !TEST_true(BN_add(yplusone, y, BN_value_one()))
/*
* When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
* and therefore setting the coordinates should fail.
*/
- if (EC_POINT_set_affine_coordinates_GFp(group, P, x, yplusone, ctx))
- ABORT;
-
- fprintf(stdout, "verify degree ...");
- if (EC_GROUP_get_degree(group) != 256)
- ABORT;
- fprintf(stdout, " ok\n");
-
- group_order_tests(group);
-
- if ((P_256 = EC_GROUP_new(EC_GROUP_method_of(group))) == NULL)
- ABORT;
- if (!EC_GROUP_copy(P_256, group))
- ABORT;
+ || !TEST_false(EC_POINT_set_affine_coordinates_GFp(group, P, x,
+ yplusone, ctx))
+ || !TEST_int_eq(EC_GROUP_get_degree(group), 256)
+ || !group_order_tests(group)
+ || !TEST_ptr(P_256 = EC_GROUP_new(EC_GROUP_method_of(group)))
+ || !TEST_true(EC_GROUP_copy(P_256, group))
/* Curve P-384 (FIPS PUB 186-2, App. 6) */
- if (!BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
- "FFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFF"))
- ABORT;
- if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
- ABORT;
- if (!BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
- "FFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFC"))
- ABORT;
- if (!BN_hex2bn(&b, "B3312FA7E23EE7E4988E056BE3F82D19181D9C6EFE8141"
- "120314088F5013875AC656398D8A2ED19D2A85C8EDD3EC2AEF"))
- ABORT;
- if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx))
- ABORT;
-
- if (!BN_hex2bn(&x, "AA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B"
- "9859F741E082542A385502F25DBF55296C3A545E3872760AB7"))
- ABORT;
- if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx))
- ABORT;
- if (EC_POINT_is_on_curve(group, P, ctx) <= 0)
- ABORT;
- if (!BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
- "FFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973"))
- ABORT;
- if (!EC_GROUP_set_generator(group, P, z, BN_value_one()))
- ABORT;
-
- if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx))
- ABORT;
- fprintf(stdout, "\nNIST curve P-384 -- Generator:\n x = 0x");
- BN_print_fp(stdout, x);
- fprintf(stdout, "\n y = 0x");
- BN_print_fp(stdout, y);
- fprintf(stdout, "\n");
+ || !TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE"
+ "FFFFFFFF0000000000000000FFFFFFFF"))
+ || !TEST_int_eq(1, BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
+ || !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE"
+ "FFFFFFFF0000000000000000FFFFFFFC"))
+ || !TEST_true(BN_hex2bn(&b, "B3312FA7E23EE7E4988E056BE3F82D19"
+ "181D9C6EFE8141120314088F5013875A"
+ "C656398D8A2ED19D2A85C8EDD3EC2AEF"))
+ || !TEST_true(EC_GROUP_set_curve_GFp(group, p, a, b, ctx))
+
+ || !TEST_true(BN_hex2bn(&x, "AA87CA22BE8B05378EB1C71EF320AD74"
+ "6E1D3B628BA79B9859F741E082542A38"
+ "5502F25DBF55296C3A545E3872760AB7"))
+ || !TEST_true(EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1,
+ ctx))
+ || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
+ || !TEST_true(BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+ "FFFFFFFFFFFFFFFFC7634D81F4372DDF"
+ "581A0DB248B0A77AECEC196ACCC52973"))
+ || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
+ || !TEST_true(EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)))
+ goto err;
+
+ TEST_info("NIST curve P-384 -- Generator");
+ test_output_bignum("x", x);
+ test_output_bignum("y", y);
/* G_y value taken from the standard: */
- if (!BN_hex2bn(&z, "3617DE4A96262C6F5D9E98BF9292DC29F8F41DBD289A14"
- "7CE9DA3113B5F0B8C00A60B1CE1D7E819D7A431D7C90EA0E5F"))
- ABORT;
- if (0 != BN_cmp(y, z))
- ABORT;
-
- if (!BN_add(yplusone, y, BN_value_one()))
- ABORT;
+ if (!TEST_true(BN_hex2bn(&z, "3617DE4A96262C6F5D9E98BF9292DC29"
+ "F8F41DBD289A147CE9DA3113B5F0B8C0"
+ "0A60B1CE1D7E819D7A431D7C90EA0E5F"))
+ || !TEST_BN_eq(y, z)
+ || !TEST_true(BN_add(yplusone, y, BN_value_one()))
/*
* When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
* and therefore setting the coordinates should fail.
*/
- if (EC_POINT_set_affine_coordinates_GFp(group, P, x, yplusone, ctx))
- ABORT;
-
- fprintf(stdout, "verify degree ...");
- if (EC_GROUP_get_degree(group) != 384)
- ABORT;
- fprintf(stdout, " ok\n");
-
- group_order_tests(group);
-
- if ((P_384 = EC_GROUP_new(EC_GROUP_method_of(group))) == NULL)
- ABORT;
- if (!EC_GROUP_copy(P_384, group))
- ABORT;
+ || !TEST_false(EC_POINT_set_affine_coordinates_GFp(group, P, x,
+ yplusone, ctx))
+ || !TEST_int_eq(EC_GROUP_get_degree(group), 384)
+ || !group_order_tests(group)
+ || !TEST_ptr(P_384 = EC_GROUP_new(EC_GROUP_method_of(group)))
+ || !TEST_true(EC_GROUP_copy(P_384, group))
/* Curve P-521 (FIPS PUB 186-2, App. 6) */
-
- if (!BN_hex2bn(&p, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
- "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
- "FFFFFFFFFFFFFFFFFFFFFFFFFFFF"))
- ABORT;
- if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
- ABORT;
- if (!BN_hex2bn(&a, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
- "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
- "FFFFFFFFFFFFFFFFFFFFFFFFFFFC"))
- ABORT;
- if (!BN_hex2bn(&b, "051953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B"
- "315F3B8B489918EF109E156193951EC7E937B1652C0BD3BB1BF073573"
- "DF883D2C34F1EF451FD46B503F00"))
- ABORT;
- if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx))
- ABORT;
-
- if (!BN_hex2bn(&x, "C6858E06B70404E9CD9E3ECB662395B4429C648139053F"
- "B521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B"
- "3C1856A429BF97E7E31C2E5BD66"))
- ABORT;
- if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 0, ctx))
- ABORT;
- if (EC_POINT_is_on_curve(group, P, ctx) <= 0)
- ABORT;
- if (!BN_hex2bn(&z, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
- "FFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5"
- "C9B8899C47AEBB6FB71E91386409"))
- ABORT;
- if (!EC_GROUP_set_generator(group, P, z, BN_value_one()))
- ABORT;
-
- if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx))
- ABORT;
- fprintf(stdout, "\nNIST curve P-521 -- Generator:\n x = 0x");
- BN_print_fp(stdout, x);
- fprintf(stdout, "\n y = 0x");
- BN_print_fp(stdout, y);
- fprintf(stdout, "\n");
+ || !TEST_true(BN_hex2bn(&p, "1FF"
+ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"))
+ || !TEST_int_eq(1, BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
+ || !TEST_true(BN_hex2bn(&a, "1FF"
+ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC"))
+ || !TEST_true(BN_hex2bn(&b, "051"
+ "953EB9618E1C9A1F929A21A0B68540EE"
+ "A2DA725B99B315F3B8B489918EF109E1"
+ "56193951EC7E937B1652C0BD3BB1BF07"
+ "3573DF883D2C34F1EF451FD46B503F00"))
+ || !TEST_true(EC_GROUP_set_curve_GFp(group, p, a, b, ctx))
+ || !TEST_true(BN_hex2bn(&x, "C6"
+ "858E06B70404E9CD9E3ECB662395B442"
+ "9C648139053FB521F828AF606B4D3DBA"
+ "A14B5E77EFE75928FE1DC127A2FFA8DE"
+ "3348B3C1856A429BF97E7E31C2E5BD66"))
+ || !TEST_true(EC_POINT_set_compressed_coordinates_GFp(group, P, x, 0,
+ ctx))
+ || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
+ || !TEST_true(BN_hex2bn(&z, "1FF"
+ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA"
+ "51868783BF2F966B7FCC0148F709A5D0"
+ "3BB5C9B8899C47AEBB6FB71E91386409"))
+ || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
+ || !TEST_true(EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)))
+ goto err;
+
+ TEST_info("NIST curve P-521 -- Generator");
+ test_output_bignum("x", x);
+ test_output_bignum("y", y);
/* G_y value taken from the standard: */
- if (!BN_hex2bn(&z, "11839296A789A3BC0045C8A5FB42C7D1BD998F54449579"
- "B446817AFBD17273E662C97EE72995EF42640C550B9013FAD0761353C"
- "7086A272C24088BE94769FD16650"))
- ABORT;
- if (0 != BN_cmp(y, z))
- ABORT;
-
- if (!BN_add(yplusone, y, BN_value_one()))
- ABORT;
+ if (!TEST_true(BN_hex2bn(&z, "118"
+ "39296A789A3BC0045C8A5FB42C7D1BD9"
+ "98F54449579B446817AFBD17273E662C"
+ "97EE72995EF42640C550B9013FAD0761"
+ "353C7086A272C24088BE94769FD16650"))
+ || !TEST_BN_eq(y, z)
+ || !TEST_true(BN_add(yplusone, y, BN_value_one()))
/*
* When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
* and therefore setting the coordinates should fail.
*/
- if (EC_POINT_set_affine_coordinates_GFp(group, P, x, yplusone, ctx))
- ABORT;
-
- fprintf(stdout, "verify degree ...");
- if (EC_GROUP_get_degree(group) != 521)
- ABORT;
- fprintf(stdout, " ok\n");
-
- group_order_tests(group);
-
- if ((P_521 = EC_GROUP_new(EC_GROUP_method_of(group))) == NULL)
- ABORT;
- if (!EC_GROUP_copy(P_521, group))
- ABORT;
+ || !TEST_false(EC_POINT_set_affine_coordinates_GFp(group, P, x,
+ yplusone, ctx))
+ || !TEST_int_eq(EC_GROUP_get_degree(group), 521)
+ || !group_order_tests(group)
+ || !TEST_ptr(P_521 = EC_GROUP_new(EC_GROUP_method_of(group)))
+ || !TEST_true(EC_GROUP_copy(P_521, group))
/* more tests using the last curve */
/* Restore the point that got mangled in the (x, y + 1) test. */
- if (!EC_POINT_set_affine_coordinates_GFp(group, P, x, y, ctx))
- ABORT;
-
- if (!EC_POINT_copy(Q, P))
- ABORT;
- if (EC_POINT_is_at_infinity(group, Q))
- ABORT;
- if (!EC_POINT_dbl(group, P, P, ctx))
- ABORT;
- if (EC_POINT_is_on_curve(group, P, ctx) <= 0)
- ABORT;
- if (!EC_POINT_invert(group, Q, ctx))
- ABORT; /* P = -2Q */
-
- if (!EC_POINT_add(group, R, P, Q, ctx))
- ABORT;
- if (!EC_POINT_add(group, R, R, Q, ctx))
- ABORT;
- if (!EC_POINT_is_at_infinity(group, R))
- ABORT; /* R = P + 2Q */
-
- {
- const EC_POINT *points[4];
- const BIGNUM *scalars[4];
- BIGNUM *scalar3;
-
- if (EC_POINT_is_at_infinity(group, Q))
- ABORT;
- points[0] = Q;
- points[1] = Q;
- points[2] = Q;
- points[3] = Q;
-
- if (!EC_GROUP_get_order(group, z, ctx))
- ABORT;
- if (!BN_add(y, z, BN_value_one()))
- ABORT;
- if (BN_is_odd(y))
- ABORT;
- if (!BN_rshift1(y, y))
- ABORT;
- scalars[0] = y; /* (group order + 1)/2, so y*Q + y*Q = Q */
- scalars[1] = y;
-
- fprintf(stdout, "combined multiplication ...");
- fflush(stdout);
-
- /* z is still the group order */
- if (!EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx))
- ABORT;
- if (!EC_POINTs_mul(group, R, z, 2, points, scalars, ctx))
- ABORT;
- if (0 != EC_POINT_cmp(group, P, R, ctx))
- ABORT;
- if (0 != EC_POINT_cmp(group, R, Q, ctx))
- ABORT;
-
- fprintf(stdout, ".");
- fflush(stdout);
-
- if (!BN_pseudo_rand(y, BN_num_bits(y), 0, 0))
- ABORT;
- if (!BN_add(z, z, y))
- ABORT;
- BN_set_negative(z, 1);
- scalars[0] = y;
- scalars[1] = z; /* z = -(order + y) */
-
- if (!EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx))
- ABORT;
- if (!EC_POINT_is_at_infinity(group, P))
- ABORT;
-
- fprintf(stdout, ".");
- fflush(stdout);
-
- if (!BN_pseudo_rand(x, BN_num_bits(y) - 1, 0, 0))
- ABORT;
- if (!BN_add(z, x, y))
- ABORT;
- BN_set_negative(z, 1);
- scalars[0] = x;
- scalars[1] = y;
- scalars[2] = z; /* z = -(x+y) */
-
- scalar3 = BN_new();
- if (!scalar3)
- ABORT;
- BN_zero(scalar3);
- scalars[3] = scalar3;
-
- if (!EC_POINTs_mul(group, P, NULL, 4, points, scalars, ctx))
- ABORT;
- if (!EC_POINT_is_at_infinity(group, P))
- ABORT;
-
- fprintf(stdout, " ok\n\n");
-
- BN_free(scalar3);
- }
-
+ || !TEST_true(EC_POINT_set_affine_coordinates_GFp(group, P, x, y, ctx))
+ || !TEST_true(EC_POINT_copy(Q, P))
+ || !TEST_false(EC_POINT_is_at_infinity(group, Q))
+ || !TEST_true(EC_POINT_dbl(group, P, P, ctx))
+ || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
+ || !TEST_true(EC_POINT_invert(group, Q, ctx)) /* P = -2Q */
+ || !TEST_true(EC_POINT_add(group, R, P, Q, ctx))
+ || !TEST_true(EC_POINT_add(group, R, R, Q, ctx))
+ || !TEST_true(EC_POINT_is_at_infinity(group, R)) /* R = P + 2Q */
+ || !TEST_false(EC_POINT_is_at_infinity(group, Q)))
+ goto err;
+ points[0] = Q;
+ points[1] = Q;
+ points[2] = Q;
+ points[3] = Q;
+
+ if (!TEST_true(EC_GROUP_get_order(group, z, ctx))
+ || !TEST_true(BN_add(y, z, BN_value_one()))
+ || !TEST_BN_even(y)
+ || !TEST_true(BN_rshift1(y, y)))
+ goto err;
+ scalars[0] = y; /* (group order + 1)/2, so y*Q + y*Q = Q */
+ scalars[1] = y;
+
+ TEST_note("combined multiplication ...");
+
+ /* z is still the group order */
+ if (!TEST_true(EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx))
+ || !TEST_true(EC_POINTs_mul(group, R, z, 2, points, scalars, ctx))
+ || !TEST_int_eq(0, EC_POINT_cmp(group, P, R, ctx))
+ || !TEST_int_eq(0, EC_POINT_cmp(group, R, Q, ctx))
+ || !TEST_true(BN_rand(y, BN_num_bits(y), 0, 0))
+ || !TEST_true(BN_add(z, z, y)))
+ goto err;
+ BN_set_negative(z, 1);
+ scalars[0] = y;
+ scalars[1] = z; /* z = -(order + y) */
+
+ if (!TEST_true(EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx))
+ || !TEST_true(EC_POINT_is_at_infinity(group, P))
+ || !TEST_true(BN_rand(x, BN_num_bits(y) - 1, 0, 0))
+ || !TEST_true(BN_add(z, x, y)))
+ goto err;
+ BN_set_negative(z, 1);
+ scalars[0] = x;
+ scalars[1] = y;
+ scalars[2] = z; /* z = -(x+y) */
+
+ if (!TEST_ptr(scalar3 = BN_new()))
+ goto err;
+ BN_zero(scalar3);
+ scalars[3] = scalar3;
+
+ if (!TEST_true(EC_POINTs_mul(group, P, NULL, 4, points, scalars, ctx))
+ || !TEST_true(EC_POINT_is_at_infinity(group, P)))
+ goto err;
+
+ TEST_note(" ok\n");
+
+
+ r = 1;
+err:
BN_CTX_free(ctx);
BN_free(p);
BN_free(a);
BN_free(b);
EC_GROUP_free(group);
+ EC_GROUP_free(tmp);
EC_POINT_free(P);
EC_POINT_free(Q);
EC_POINT_free(R);
@@ -619,82 +435,46 @@ static void prime_field_tests(void)
BN_free(y);
BN_free(z);
BN_free(yplusone);
+ BN_free(scalar3);
EC_GROUP_free(P_224);
EC_GROUP_free(P_256);
EC_GROUP_free(P_384);
EC_GROUP_free(P_521);
-
+ return r;
}
-static void internal_curve_test(void)
+static int internal_curve_test(int n)
{
- EC_builtin_curve *curves = NULL;
- size_t crv_len = 0, n = 0;
- int ok = 1;
+ EC_GROUP *group = NULL;
+ int nid = curves[n].nid;
- crv_len = EC_get_builtin_curves(NULL, 0);
- curves = OPENSSL_malloc(sizeof(*curves) * crv_len);
- if (curves == NULL)
- return;
-
- if (!EC_get_builtin_curves(curves, crv_len)) {
- OPENSSL_free(curves);
- return;
+ if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))) {
+ TEST_info("EC_GROUP_new_curve_name() failed with curve %s\n",
+ OBJ_nid2sn(nid));
+ return 0;
}
-
- fprintf(stdout, "testing internal curves: ");
-
- for (n = 0; n < crv_len; n++) {
- EC_GROUP *group = NULL;
- int nid = curves[n].nid;
- if ((group = EC_GROUP_new_by_curve_name(nid)) == NULL) {
- ok = 0;
- fprintf(stdout, "\nEC_GROUP_new_curve_name() failed with"
- " curve %s\n", OBJ_nid2sn(nid));
- /* try next curve */
- continue;
- }
- if (!EC_GROUP_check(group, NULL)) {
- ok = 0;
- fprintf(stdout, "\nEC_GROUP_check() failed with"
- " curve %s\n", OBJ_nid2sn(nid));
- EC_GROUP_free(group);
- /* try the next curve */
- continue;
- }
- fprintf(stdout, ".");
- fflush(stdout);
+ if (!TEST_true(EC_GROUP_check(group, NULL))) {
+ TEST_info("EC_GROUP_check() failed with curve %s\n", OBJ_nid2sn(nid));
EC_GROUP_free(group);
+ return 0;
}
- if (ok)
- fprintf(stdout, " ok\n\n");
- else {
- fprintf(stdout, " failed\n\n");
- ABORT;
- }
+ EC_GROUP_free(group);
+ return 1;
+}
- /* Test all built-in curves and let the library choose the EC_METHOD */
- for (n = 0; n < crv_len; n++) {
- EC_GROUP *group = NULL;
- int nid = curves[n].nid;
- /*
- * Skip for X25519 because low level operations such as EC_POINT_mul()
- * are not supported for this curve
- */
- if (nid == NID_X25519)
- continue;
- fprintf(stdout, "%s:\n", OBJ_nid2sn(nid));
- fflush(stdout);
- if ((group = EC_GROUP_new_by_curve_name(nid)) == NULL) {
- ABORT;
- }
- group_order_tests(group);
- EC_GROUP_free(group);
- }
+static int internal_curve_test_method(int n)
+{
+ int r, nid = curves[n].nid;
+ EC_GROUP *group;
- OPENSSL_free(curves);
- return;
+ if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))) {
+ TEST_info("Curve %s failed\n", OBJ_nid2sn(nid));
+ return 0;
+ }
+ r = group_order_tests(group);
+ EC_GROUP_free(group);
+ return r;
}
# ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
@@ -715,6 +495,29 @@ struct nistp_test_params {
static const struct nistp_test_params nistp_tests_params[] = {
{
+ /* P-224 */
+ EC_GFp_nistp224_method,
+ 224,
+ /* p */
+ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001",
+ /* a */
+ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE",
+ /* b */
+ "B4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4",
+ /* Qx */
+ "E84FB0B8E7000CB657D7973CF6B42ED78B301674276DF744AF130B3E",
+ /* Qy */
+ "4376675C6FC5612C21A0FF2D2A89D2987DF7A2BC52183B5982298555",
+ /* Gx */
+ "B70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21",
+ /* Gy */
+ "BD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34",
+ /* order */
+ "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D",
+ /* d */
+ "3F0C488E987C80BE0FEE521F8D90BE6034EC69AE11CA72AA777481E8",
+ },
+ {
/* P-256 */
EC_GFp_nistp256_method,
256,
@@ -742,160 +545,165 @@ static const struct nistp_test_params nistp_tests_params[] = {
EC_GFp_nistp521_method,
521,
/* p */
- "1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+ "1ff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
/* a */
- "1fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc",
+ "1ff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc",
/* b */
- "051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00",
+ "051"
+ "953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e1"
+ "56193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00",
/* Qx */
- "0098e91eef9a68452822309c52fab453f5f117c1da8ed796b255e9ab8f6410cca16e59df403a6bdc6ca467a37056b1e54b3005d8ac030decfeb68df18b171885d5c4",
+ "0098"
+ "e91eef9a68452822309c52fab453f5f117c1da8ed796b255e9ab8f6410cca16e"
+ "59df403a6bdc6ca467a37056b1e54b3005d8ac030decfeb68df18b171885d5c4",
/* Qy */
- "0164350c321aecfc1cca1ba4364c9b15656150b4b78d6a48d7d28e7f31985ef17be8554376b72900712c4b83ad668327231526e313f5f092999a4632fd50d946bc2e",
+ "0164"
+ "350c321aecfc1cca1ba4364c9b15656150b4b78d6a48d7d28e7f31985ef17be8"
+ "554376b72900712c4b83ad668327231526e313f5f092999a4632fd50d946bc2e",
/* Gx */
- "c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66",
+ "c6"
+ "858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dba"
+ "a14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66",
/* Gy */
- "11839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650",
+ "118"
+ "39296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c"
+ "97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650",
/* order */
- "1fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409",
+ "1ff"
+ "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa"
+ "51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409",
/* d */
- "0100085f47b8e1b8b11b7eb33028c0b2888e304bfc98501955b45bba1478dc184eeedf09b86a5f7c21994406072787205e69a63709fe35aa93ba333514b24f961722",
+ "0100"
+ "085f47b8e1b8b11b7eb33028c0b2888e304bfc98501955b45bba1478dc184eee"
+ "df09b86a5f7c21994406072787205e69a63709fe35aa93ba333514b24f961722",
},
};
-static void nistp_single_test(const struct nistp_test_params *test)
+static int nistp_single_test(int idx)
{
- BN_CTX *ctx;
- BIGNUM *p, *a, *b, *x, *y, *n, *m, *order, *yplusone;
- EC_GROUP *NISTP;
- EC_POINT *G, *P, *Q, *Q_CHECK;
-
- fprintf(stdout, "\nNIST curve P-%d (optimised implementation):\n",
- test->degree);
- ctx = BN_CTX_new();
- p = BN_new();
- a = BN_new();
- b = BN_new();
- x = BN_new();
- y = BN_new();
- m = BN_new();
- n = BN_new();
- order = BN_new();
- yplusone = BN_new();
-
- NISTP = EC_GROUP_new(test->meth());
- if (!NISTP)
- ABORT;
- if (!BN_hex2bn(&p, test->p))
- ABORT;
- if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
- ABORT;
- if (!BN_hex2bn(&a, test->a))
- ABORT;
- if (!BN_hex2bn(&b, test->b))
- ABORT;
- if (!EC_GROUP_set_curve_GFp(NISTP, p, a, b, ctx))
- ABORT;
- G = EC_POINT_new(NISTP);
- P = EC_POINT_new(NISTP);
- Q = EC_POINT_new(NISTP);
- Q_CHECK = EC_POINT_new(NISTP);
- if (!BN_hex2bn(&x, test->Qx))
- ABORT;
- if (!BN_hex2bn(&y, test->Qy))
- ABORT;
- if (!BN_add(yplusone, y, BN_value_one()))
- ABORT;
+ const struct nistp_test_params *test = nistp_tests_params + idx;
+ BN_CTX *ctx = NULL;
+ BIGNUM *p = NULL, *a = NULL, *b = NULL, *x = NULL, *y = NULL;
+ BIGNUM *n = NULL, *m = NULL, *order = NULL, *yplusone = NULL;
+ EC_GROUP *NISTP = NULL;
+ EC_POINT *G = NULL, *P = NULL, *Q = NULL, *Q_CHECK = NULL;
+ int r = 0;
+
+ TEST_note("NIST curve P-%d (optimised implementation):",
+ test->degree);
+ if (!TEST_ptr(ctx = BN_CTX_new())
+ || !TEST_ptr(p = BN_new())
+ || !TEST_ptr(a = BN_new())
+ || !TEST_ptr(b = BN_new())
+ || !TEST_ptr(x = BN_new())
+ || !TEST_ptr(y = BN_new())
+ || !TEST_ptr(m = BN_new())
+ || !TEST_ptr(n = BN_new())
+ || !TEST_ptr(order = BN_new())
+ || !TEST_ptr(yplusone = BN_new())
+
+ || !TEST_ptr(NISTP = EC_GROUP_new(test->meth()))
+ || !TEST_true(BN_hex2bn(&p, test->p))
+ || !TEST_int_eq(1, BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
+ || !TEST_true(BN_hex2bn(&a, test->a))
+ || !TEST_true(BN_hex2bn(&b, test->b))
+ || !TEST_true(EC_GROUP_set_curve_GFp(NISTP, p, a, b, ctx))
+ || !TEST_ptr(G = EC_POINT_new(NISTP))
+ || !TEST_ptr(P = EC_POINT_new(NISTP))
+ || !TEST_ptr(Q = EC_POINT_new(NISTP))
+ || !TEST_ptr(Q_CHECK = EC_POINT_new(NISTP))
+ || !TEST_true(BN_hex2bn(&x, test->Qx))
+ || !TEST_true(BN_hex2bn(&y, test->Qy))
+ || !TEST_true(BN_add(yplusone, y, BN_value_one()))
/*
* When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
* and therefore setting the coordinates should fail.
*/
- if (EC_POINT_set_affine_coordinates_GFp(NISTP, Q_CHECK, x, yplusone, ctx))
- ABORT;
- if (!EC_POINT_set_affine_coordinates_GFp(NISTP, Q_CHECK, x, y, ctx))
- ABORT;
- if (!BN_hex2bn(&x, test->Gx))
- ABORT;
- if (!BN_hex2bn(&y, test->Gy))
- ABORT;
- if (!EC_POINT_set_affine_coordinates_GFp(NISTP, G, x, y, ctx))
- ABORT;
- if (!BN_hex2bn(&order, test->order))
- ABORT;
- if (!EC_GROUP_set_generator(NISTP, G, order, BN_value_one()))
- ABORT;
-
- fprintf(stdout, "verify degree ... ");
- if (EC_GROUP_get_degree(NISTP) != test->degree)
- ABORT;
- fprintf(stdout, "ok\n");
-
- fprintf(stdout, "NIST test vectors ... ");
- if (!BN_hex2bn(&n, test->d))
- ABORT;
+ || !TEST_false(EC_POINT_set_affine_coordinates_GFp(NISTP, Q_CHECK, x,
+ yplusone, ctx))
+ || !TEST_true(EC_POINT_set_affine_coordinates_GFp(NISTP, Q_CHECK, x, y,
+ ctx))
+ || !TEST_true(BN_hex2bn(&x, test->Gx))
+ || !TEST_true(BN_hex2bn(&y, test->Gy))
+ || !TEST_true(EC_POINT_set_affine_coordinates_GFp(NISTP, G, x, y, ctx))
+ || !TEST_true(BN_hex2bn(&order, test->order))
+ || !TEST_true(EC_GROUP_set_generator(NISTP, G, order, BN_value_one()))
+ || !TEST_int_eq(EC_GROUP_get_degree(NISTP), test->degree))
+ goto err;
+
+ TEST_note("NIST test vectors ... ");
+ if (!TEST_true(BN_hex2bn(&n, test->d)))
+ goto err;
/* fixed point multiplication */
EC_POINT_mul(NISTP, Q, n, NULL, NULL, ctx);
- if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
- ABORT;
+ if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)))
+ goto err;
/* random point multiplication */
EC_POINT_mul(NISTP, Q, NULL, G, n, ctx);
- if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
- ABORT;
-
- /* set generator to P = 2*G, where G is the standard generator */
- if (!EC_POINT_dbl(NISTP, P, G, ctx))
- ABORT;
- if (!EC_GROUP_set_generator(NISTP, P, order, BN_value_one()))
- ABORT;
- /* set the scalar to m=n/2, where n is the NIST test scalar */
- if (!BN_rshift(m, n, 1))
- ABORT;
+ if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
+
+ /* set generator to P = 2*G, where G is the standard generator */
+ || !TEST_true(EC_POINT_dbl(NISTP, P, G, ctx))
+ || !TEST_true(EC_GROUP_set_generator(NISTP, P, order, BN_value_one()))
+ /* set the scalar to m=n/2, where n is the NIST test scalar */
+ || !TEST_true(BN_rshift(m, n, 1)))
+ goto err;
/* test the non-standard generator */
/* fixed point multiplication */
EC_POINT_mul(NISTP, Q, m, NULL, NULL, ctx);
- if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
- ABORT;
+ if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)))
+ goto err;
/* random point multiplication */
EC_POINT_mul(NISTP, Q, NULL, P, m, ctx);
- if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
- ABORT;
+ if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
/*
* We have not performed precomputation so have_precompute mult should be
* false
*/
- if (EC_GROUP_have_precompute_mult(NISTP))
- ABORT;
+ || !TEST_false(EC_GROUP_have_precompute_mult(NISTP))
/* now repeat all tests with precomputation */
- if (!EC_GROUP_precompute_mult(NISTP, ctx))
- ABORT;
- if (!EC_GROUP_have_precompute_mult(NISTP))
- ABORT;
+ || !TEST_true(EC_GROUP_precompute_mult(NISTP, ctx))
+ || !TEST_true(EC_GROUP_have_precompute_mult(NISTP)))
+ goto err;
/* fixed point multiplication */
EC_POINT_mul(NISTP, Q, m, NULL, NULL, ctx);
- if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
- ABORT;
+ if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)))
+ goto err;
/* random point multiplication */
EC_POINT_mul(NISTP, Q, NULL, P, m, ctx);
- if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
- ABORT;
+ if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
/* reset generator */
- if (!EC_GROUP_set_generator(NISTP, G, order, BN_value_one()))
- ABORT;
+ || !TEST_true(EC_GROUP_set_generator(NISTP, G, order, BN_value_one())))
+ goto err;
/* fixed point multiplication */
EC_POINT_mul(NISTP, Q, n, NULL, NULL, ctx);
- if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
- ABORT;
+ if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)))
+ goto err;
/* random point multiplication */
EC_POINT_mul(NISTP, Q, NULL, G, n, ctx);
- if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
- ABORT;
-
- fprintf(stdout, "ok\n");
- group_order_tests(NISTP);
+ if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)))
+ goto err;
+
+ /* regression test for felem_neg bug */
+ if (!TEST_true(BN_set_word(m, 32))
+ || !TEST_true(BN_set_word(n, 31))
+ || !TEST_true(EC_POINT_copy(P, G))
+ || !TEST_true(EC_POINT_invert(NISTP, P, ctx))
+ || !TEST_true(EC_POINT_mul(NISTP, Q, m, P, n, ctx))
+ || !TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, G, ctx)))
+ goto err;
+
+ r = group_order_tests(NISTP);
+err:
EC_GROUP_free(NISTP);
EC_POINT_free(G);
EC_POINT_free(P);
@@ -911,77 +719,125 @@ static void nistp_single_test(const struct nistp_test_params *test)
BN_free(order);
BN_free(yplusone);
BN_CTX_free(ctx);
+ return r;
}
+# endif
-static void nistp_tests()
-{
- unsigned i;
+static const unsigned char p521_named[] = {
+ 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x23,
+};
- for (i = 0; i < OSSL_NELEM(nistp_tests_params); i++) {
- nistp_single_test(&nistp_tests_params[i]);
- }
-}
-# endif
+static const unsigned char p521_explicit[] = {
+ 0x30, 0x82, 0x01, 0xc3, 0x02, 0x01, 0x01, 0x30, 0x4d, 0x06, 0x07, 0x2a,
+ 0x86, 0x48, 0xce, 0x3d, 0x01, 0x01, 0x02, 0x42, 0x01, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0x30, 0x81, 0x9f, 0x04, 0x42, 0x01, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xfc, 0x04, 0x42, 0x00, 0x51, 0x95, 0x3e, 0xb9, 0x61, 0x8e, 0x1c, 0x9a,
+ 0x1f, 0x92, 0x9a, 0x21, 0xa0, 0xb6, 0x85, 0x40, 0xee, 0xa2, 0xda, 0x72,
+ 0x5b, 0x99, 0xb3, 0x15, 0xf3, 0xb8, 0xb4, 0x89, 0x91, 0x8e, 0xf1, 0x09,
+ 0xe1, 0x56, 0x19, 0x39, 0x51, 0xec, 0x7e, 0x93, 0x7b, 0x16, 0x52, 0xc0,
+ 0xbd, 0x3b, 0xb1, 0xbf, 0x07, 0x35, 0x73, 0xdf, 0x88, 0x3d, 0x2c, 0x34,
+ 0xf1, 0xef, 0x45, 0x1f, 0xd4, 0x6b, 0x50, 0x3f, 0x00, 0x03, 0x15, 0x00,
+ 0xd0, 0x9e, 0x88, 0x00, 0x29, 0x1c, 0xb8, 0x53, 0x96, 0xcc, 0x67, 0x17,
+ 0x39, 0x32, 0x84, 0xaa, 0xa0, 0xda, 0x64, 0xba, 0x04, 0x81, 0x85, 0x04,
+ 0x00, 0xc6, 0x85, 0x8e, 0x06, 0xb7, 0x04, 0x04, 0xe9, 0xcd, 0x9e, 0x3e,
+ 0xcb, 0x66, 0x23, 0x95, 0xb4, 0x42, 0x9c, 0x64, 0x81, 0x39, 0x05, 0x3f,
+ 0xb5, 0x21, 0xf8, 0x28, 0xaf, 0x60, 0x6b, 0x4d, 0x3d, 0xba, 0xa1, 0x4b,
+ 0x5e, 0x77, 0xef, 0xe7, 0x59, 0x28, 0xfe, 0x1d, 0xc1, 0x27, 0xa2, 0xff,
+ 0xa8, 0xde, 0x33, 0x48, 0xb3, 0xc1, 0x85, 0x6a, 0x42, 0x9b, 0xf9, 0x7e,
+ 0x7e, 0x31, 0xc2, 0xe5, 0xbd, 0x66, 0x01, 0x18, 0x39, 0x29, 0x6a, 0x78,
+ 0x9a, 0x3b, 0xc0, 0x04, 0x5c, 0x8a, 0x5f, 0xb4, 0x2c, 0x7d, 0x1b, 0xd9,
+ 0x98, 0xf5, 0x44, 0x49, 0x57, 0x9b, 0x44, 0x68, 0x17, 0xaf, 0xbd, 0x17,
+ 0x27, 0x3e, 0x66, 0x2c, 0x97, 0xee, 0x72, 0x99, 0x5e, 0xf4, 0x26, 0x40,
+ 0xc5, 0x50, 0xb9, 0x01, 0x3f, 0xad, 0x07, 0x61, 0x35, 0x3c, 0x70, 0x86,
+ 0xa2, 0x72, 0xc2, 0x40, 0x88, 0xbe, 0x94, 0x76, 0x9f, 0xd1, 0x66, 0x50,
+ 0x02, 0x42, 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfa,
+ 0x51, 0x86, 0x87, 0x83, 0xbf, 0x2f, 0x96, 0x6b, 0x7f, 0xcc, 0x01, 0x48,
+ 0xf7, 0x09, 0xa5, 0xd0, 0x3b, 0xb5, 0xc9, 0xb8, 0x89, 0x9c, 0x47, 0xae,
+ 0xbb, 0x6f, 0xb7, 0x1e, 0x91, 0x38, 0x64, 0x09, 0x02, 0x01, 0x01,
+};
-static void parameter_test(void)
+static int parameter_test(void)
{
- EC_GROUP *group, *group2;
- ECPARAMETERS *ecparameters;
+ EC_GROUP *group = NULL, *group2 = NULL;
+ ECPARAMETERS *ecparameters = NULL;
+ unsigned char *buf = NULL;
+ int r = 0, len;
+
+ if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(NID_secp384r1))
+ || !TEST_ptr(ecparameters = EC_GROUP_get_ecparameters(group, NULL))
+ || !TEST_ptr(group2 = EC_GROUP_new_from_ecparameters(ecparameters))
+ || !TEST_int_eq(EC_GROUP_cmp(group, group2, NULL), 0))
+ goto err;
- fprintf(stderr, "\ntesting ecparameters conversion ...");
+ EC_GROUP_free(group);
+ group = NULL;
- group = EC_GROUP_new_by_curve_name(NID_secp384r1);
- if (!group)
- ABORT;
+ /* Test the named curve encoding, which should be default. */
+ if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(NID_secp521r1))
+ || !TEST_true((len = i2d_ECPKParameters(group, &buf)) >= 0)
+ || !TEST_mem_eq(buf, len, p521_named, sizeof(p521_named)))
+ goto err;
- ecparameters = EC_GROUP_get_ecparameters(group, NULL);
- if (!ecparameters)
- ABORT;
- group2 = EC_GROUP_new_from_ecparameters(ecparameters);
- if (!group2)
- ABORT;
- if (EC_GROUP_cmp(group, group2, NULL))
- ABORT;
+ OPENSSL_free(buf);
+ buf = NULL;
- fprintf(stderr, " ok\n");
+ /*
+ * Test the explicit encoding. P-521 requires correctly zero-padding the
+ * curve coefficients.
+ */
+ EC_GROUP_set_asn1_flag(group, OPENSSL_EC_EXPLICIT_CURVE);
+ if (!TEST_true((len = i2d_ECPKParameters(group, &buf)) >= 0)
+ || !TEST_mem_eq(buf, len, p521_explicit, sizeof(p521_explicit)))
+ goto err;
+ r = 1;
+err:
EC_GROUP_free(group);
EC_GROUP_free(group2);
ECPARAMETERS_free(ecparameters);
+ OPENSSL_free(buf);
+ return r;
}
+#endif
-static const char rnd_seed[] =
- "string to make the random number generator think it has entropy";
-
-int main(int argc, char *argv[])
+int setup_tests(void)
{
- char *p;
-
- p = getenv("OPENSSL_DEBUG_MEMORY");
- if (p != NULL && strcmp(p, "on") == 0)
- CRYPTO_set_mem_debug(1);
- CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
-
- RAND_seed(rnd_seed, sizeof(rnd_seed)); /* or BN_generate_prime may fail */
+#ifndef OPENSSL_NO_EC
+ crv_len = EC_get_builtin_curves(NULL, 0);
+ if (!TEST_ptr(curves = OPENSSL_malloc(sizeof(*curves) * crv_len))
+ || !TEST_true(EC_get_builtin_curves(curves, crv_len)))
+ return 0;
- prime_field_tests();
- puts("");
+ ADD_TEST(parameter_test);
+ ADD_TEST(prime_field_tests);
# ifndef OPENSSL_NO_EC2M
- char2_field_tests();
+ ADD_TEST(char2_field_tests);
+ ADD_ALL_TESTS(char2_curve_test, OSSL_NELEM(char2_curve_tests));
# endif
# ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
- nistp_tests();
+ ADD_ALL_TESTS(nistp_single_test, OSSL_NELEM(nistp_tests_params));
# endif
- /* test the internal curves */
- internal_curve_test();
-
- parameter_test();
-
-#ifndef OPENSSL_NO_CRYPTO_MDEBUG
- if (CRYPTO_mem_leaks_fp(stderr) <= 0)
- return 1;
+ ADD_ALL_TESTS(internal_curve_test, crv_len);
+ ADD_ALL_TESTS(internal_curve_test_method, crv_len);
#endif
-
- return 0;
+ return 1;
}
+
+void cleanup_tests(void)
+{
+#ifndef OPENSSL_NO_EC
+ OPENSSL_free(curves);
#endif
+}
diff --git a/openssl-1.1.0-algo-doc.patch b/openssl-1.1.0-algo-doc.patch
deleted file mode 100644
index 460d2c2..0000000
--- a/openssl-1.1.0-algo-doc.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-diff -up openssl-1.1.0d/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-1.1.0d/doc/crypto/EVP_DigestInit.pod
---- openssl-1.1.0d/doc/crypto/EVP_DigestInit.pod.algo-doc 2017-01-26 15:49:18.784947229 +0100
-+++ openssl-1.1.0d/doc/crypto/EVP_DigestInit.pod 2017-01-26 15:52:46.458556068 +0100
-@@ -152,7 +152,7 @@ corresponding OBJECT IDENTIFIER or NID_u
- EVP_MD_size(), EVP_MD_block_size(), EVP_MD_CTX_size() and
- EVP_MD_CTX_block_size() return the digest or block size in bytes.
-
--EVP_md_null(), EVP_md2(), EVP_md5(), EVP_sha1(),
-+EVP_md_null(), EVP_md2(), EVP_md5(), EVP_sha1(), EVP_sha224(), EVP_sha256(), EVP_sha384(), EVP_sha512(),
- EVP_mdc2(), EVP_ripemd160(), EVP_blake2b512(), and EVP_blake2s256() return
- pointers to the corresponding EVP_MD structures.
-
-diff -up openssl-1.1.0d/doc/crypto/EVP_EncryptInit.pod.algo-doc openssl-1.1.0d/doc/crypto/EVP_EncryptInit.pod
---- openssl-1.1.0d/doc/crypto/EVP_EncryptInit.pod.algo-doc 2017-01-26 14:10:24.000000000 +0100
-+++ openssl-1.1.0d/doc/crypto/EVP_EncryptInit.pod 2017-01-26 15:49:18.784947229 +0100
-@@ -108,6 +108,32 @@ EVP_chacha20, EVP_chacha20_poly1305 - EV
- int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
- int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
-
-+ const EVP_CIPHER *EVP_des_ede3(void);
-+ const EVP_CIPHER *EVP_des_ede3_ecb(void);
-+ const EVP_CIPHER *EVP_des_ede3_cfb64(void);
-+ const EVP_CIPHER *EVP_des_ede3_cfb1(void);
-+ const EVP_CIPHER *EVP_des_ede3_cfb8(void);
-+ const EVP_CIPHER *EVP_des_ede3_ofb(void);
-+ const EVP_CIPHER *EVP_des_ede3_cbc(void);
-+ const EVP_CIPHER *EVP_aes_128_ecb(void);
-+ const EVP_CIPHER *EVP_aes_128_cbc(void);
-+ const EVP_CIPHER *EVP_aes_128_cfb1(void);
-+ const EVP_CIPHER *EVP_aes_128_cfb8(void);
-+ const EVP_CIPHER *EVP_aes_128_cfb128(void);
-+ const EVP_CIPHER *EVP_aes_128_ofb(void);
-+ const EVP_CIPHER *EVP_aes_192_ecb(void);
-+ const EVP_CIPHER *EVP_aes_192_cbc(void);
-+ const EVP_CIPHER *EVP_aes_192_cfb1(void);
-+ const EVP_CIPHER *EVP_aes_192_cfb8(void);
-+ const EVP_CIPHER *EVP_aes_192_cfb128(void);
-+ const EVP_CIPHER *EVP_aes_192_ofb(void);
-+ const EVP_CIPHER *EVP_aes_256_ecb(void);
-+ const EVP_CIPHER *EVP_aes_256_cbc(void);
-+ const EVP_CIPHER *EVP_aes_256_cfb1(void);
-+ const EVP_CIPHER *EVP_aes_256_cfb8(void);
-+ const EVP_CIPHER *EVP_aes_256_cfb128(void);
-+ const EVP_CIPHER *EVP_aes_256_ofb(void);
-+
- =head1 DESCRIPTION
-
- The EVP cipher routines are a high level interface to certain
diff --git a/openssl-1.1.0-bio-fd-preserve-nl.patch b/openssl-1.1.0-bio-fd-preserve-nl.patch
deleted file mode 100644
index 0050115..0000000
--- a/openssl-1.1.0-bio-fd-preserve-nl.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-diff -up openssl-1.1.0c/crypto/bio/bss_fd.c.preserve-nl openssl-1.1.0c/crypto/bio/bss_fd.c
---- openssl-1.1.0c/crypto/bio/bss_fd.c.preserve-nl 2016-11-10 15:03:44.000000000 +0100
-+++ openssl-1.1.0c/crypto/bio/bss_fd.c 2016-12-22 14:36:16.730740423 +0100
-@@ -202,8 +202,10 @@ static int fd_gets(BIO *bp, char *buf, i
- char *ptr = buf;
- char *end = buf + size - 1;
-
-- while ((ptr < end) && (fd_read(bp, ptr, 1) > 0) && (ptr[0] != '\n'))
-- ptr++;
-+ while (ptr < end && fd_read(bp, ptr, 1) > 0) {
-+ if (*ptr++ == '\n')
-+ break;
-+ }
-
- ptr[0] = '\0';
-
-diff -up openssl-1.1.0c/doc/crypto/BIO_read.pod.preserve-nl openssl-1.1.0c/doc/crypto/BIO_read.pod
---- openssl-1.1.0c/doc/crypto/BIO_read.pod.preserve-nl 2016-11-10 15:03:45.000000000 +0100
-+++ openssl-1.1.0c/doc/crypto/BIO_read.pod 2016-12-22 14:37:22.731245197 +0100
-@@ -23,7 +23,8 @@ in B<buf>. Usually this operation will a
- from the BIO of maximum length B<len-1>. There are exceptions to this,
- however; for example, BIO_gets() on a digest BIO will calculate and
- return the digest and other BIOs may not support BIO_gets() at all.
--The returned string is always NUL-terminated.
-+The returned string is always NUL-terminated and the '\n' is preserved
-+if present in the input data.
-
- BIO_write() attempts to write B<len> bytes from B<buf> to BIO B<b>.
-
diff --git a/openssl-1.1.0-build.patch b/openssl-1.1.0-build.patch
deleted file mode 100644
index 7565642..0000000
--- a/openssl-1.1.0-build.patch
+++ /dev/null
@@ -1,104 +0,0 @@
-diff -up openssl-1.1.0f/Configurations/unix-Makefile.tmpl.build openssl-1.1.0f/Configurations/unix-Makefile.tmpl
---- openssl-1.1.0f/Configurations/unix-Makefile.tmpl.build 2017-06-02 13:51:39.621289504 +0200
-+++ openssl-1.1.0f/Configurations/unix-Makefile.tmpl 2017-06-02 13:54:45.298654812 +0200
-@@ -553,7 +553,7 @@ uninstall_runtime:
- install_man_docs:
- @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
- @echo "*** Installing manpages"
-- $(PERL) $(SRCDIR)/util/process_docs.pl \
-+ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
- --destdir=$(DESTDIR)$(MANDIR) --type=man --suffix=$(MANSUFFIX)
-
- uninstall_man_docs:
-@@ -565,7 +565,7 @@ uninstall_man_docs:
- install_html_docs:
- @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
- @echo "*** Installing HTML manpages"
-- $(PERL) $(SRCDIR)/util/process_docs.pl \
-+ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
- --destdir=$(DESTDIR)$(HTMLDIR) --type=html
-
- uninstall_html_docs:
-diff -up openssl-1.1.0f/Configurations/10-main.conf.build openssl-1.1.0f/Configurations/10-main.conf
---- openssl-1.1.0f/Configurations/10-main.conf.build 2017-05-25 14:46:17.000000000 +0200
-+++ openssl-1.1.0f/Configurations/10-main.conf 2017-06-02 13:51:39.622289528 +0200
-@@ -662,6 +662,7 @@ sub vms_info {
- cflags => add("-m64 -DL_ENDIAN"),
- perlasm_scheme => "linux64le",
- shared_ldflag => add("-m64"),
-+ multilib => "64",
- },
-
- "linux-armv4" => {
-@@ -702,6 +703,7 @@ sub vms_info {
- "linux-aarch64" => {
- inherit_from => [ "linux-generic64", asm("aarch64_asm") ],
- perlasm_scheme => "linux64",
-+ multilib => "64",
- },
- "linux-arm64ilp32" => { # https://wiki.linaro.org/Platform/arm64-ilp32
- inherit_from => [ "linux-generic32", asm("aarch64_asm") ],
-diff -up openssl-1.1.0h/engines/afalg/e_afalg.c.build openssl-1.1.0h/engines/afalg/e_afalg.c
---- openssl-1.1.0h/engines/afalg/e_afalg.c.build 2018-03-27 15:50:40.000000000 +0200
-+++ openssl-1.1.0h/engines/afalg/e_afalg.c 2018-06-19 16:56:20.150950529 +0200
-@@ -36,14 +36,25 @@ void engine_load_afalg_int(void)
- }
- #else
-
--# include <linux/if_alg.h>
- # include <fcntl.h>
- # include <sys/utsname.h>
-
--# include <linux/aio_abi.h>
- # include <sys/syscall.h>
- # include <errno.h>
-
-+# define timespec linux_timespec
-+# define timeval linux_timeval
-+# define itimerspec linux_itimerspec
-+# define sigset_t linux_sigset_type
-+# include <linux/if_alg.h>
-+# include <linux/aio_abi.h>
-+
-+# ifndef _LINUX_TIME_H
-+# undef timespec
-+# undef timeval
-+# undef itimerspec
-+# undef sigset_t
-+# endif
- # include "e_afalg.h"
-
- # define AFALG_LIB_NAME "AFALG"
-diff -up openssl-1.1.0g/test/evptests.txt.build openssl-1.1.0g/test/evptests.txt
---- openssl-1.1.0g/test/evptests.txt.build 2017-11-02 15:29:05.000000000 +0100
-+++ openssl-1.1.0g/test/evptests.txt 2017-11-03 16:37:01.253671494 +0100
-@@ -3707,14 +3707,6 @@ MCowBQYDK2VuAyEA3p7bfXt9wbTTW2HC7OQ1Nz+D
-
- PrivPubKeyPair = Bob-25519:Bob-25519-PUBLIC
-
--Derive=Alice-25519
--PeerKey=Bob-25519-PUBLIC
--SharedSecret=4A5D9D5BA4CE2DE1728E3BF480350F25E07E21C947D19E3376F09B3C1E161742
--
--Derive=Bob-25519
--PeerKey=Alice-25519-PUBLIC
--SharedSecret=4A5D9D5BA4CE2DE1728E3BF480350F25E07E21C947D19E3376F09B3C1E161742
--
- # Illegal sign/verify operations with X25519 key
-
- Sign=Alice-25519
-@@ -3727,6 +3719,14 @@ Result = KEYOP_INIT_ERROR
- Function = EVP_PKEY_verify_init
- Reason = operation not supported for this keytype
-
-+Derive=Alice-25519
-+PeerKey=Bob-25519-PUBLIC
-+SharedSecret=4A5D9D5BA4CE2DE1728E3BF480350F25E07E21C947D19E3376F09B3C1E161742
-+
-+Derive=Bob-25519
-+PeerKey=Alice-25519-PUBLIC
-+SharedSecret=4A5D9D5BA4CE2DE1728E3BF480350F25E07E21C947D19E3376F09B3C1E161742
-+
- ## ECDH Tests: test with randomly generated keys for all the listed curves
-
-
diff --git a/openssl-1.1.0-cc-reqs.patch b/openssl-1.1.0-cc-reqs.patch
deleted file mode 100644
index 05e0edd..0000000
--- a/openssl-1.1.0-cc-reqs.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-diff -up openssl-1.1.0h/crypto/rsa/rsa_gen.c.cc-reqs openssl-1.1.0h/crypto/rsa/rsa_gen.c
---- openssl-1.1.0h/crypto/rsa/rsa_gen.c.cc-reqs 2018-03-27 15:50:39.000000000 +0200
-+++ openssl-1.1.0h/crypto/rsa/rsa_gen.c 2018-03-29 14:37:53.405048562 +0200
-@@ -86,6 +86,12 @@ static int rsa_builtin_keygen(RSA *rsa,
- if (!rsa->iqmp && ((rsa->iqmp = BN_secure_new()) == NULL))
- goto err;
-
-+ /* prepare minimum p and q difference */
-+ if (!BN_one(r3))
-+ goto err;
-+ if (bitsp > 100 && !BN_lshift(r3, r3, bitsp - 100))
-+ goto err;
-+
- if (BN_copy(rsa->e, e_value) == NULL)
- goto err;
-
-@@ -118,7 +124,9 @@ static int rsa_builtin_keygen(RSA *rsa,
- do {
- if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb))
- goto err;
-- } while (BN_cmp(rsa->p, rsa->q) == 0);
-+ if (!BN_sub(r2, rsa->q, rsa->p))
-+ goto err;
-+ } while (BN_ucmp(r2, r3) <= 0);
- if (!BN_sub(r2, rsa->q, BN_value_one()))
- goto err;
- ERR_set_mark();
diff --git a/openssl-1.1.0-chil-fixes.patch b/openssl-1.1.0-chil-fixes.patch
deleted file mode 100644
index 363d05f..0000000
--- a/openssl-1.1.0-chil-fixes.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-diff -up openssl-1.1.0-pre6/engines/e_chil.c.chil openssl-1.1.0-pre6/engines/e_chil.c
---- openssl-1.1.0-pre6/engines/e_chil.c.chil 2016-08-04 16:00:47.000000000 +0200
-+++ openssl-1.1.0-pre6/engines/e_chil.c 2016-08-05 16:50:13.860588775 +0200
-@@ -1195,6 +1195,11 @@ static int hwcrhk_insert_card(const char
- UI *ui;
- void *callback_data = NULL;
- UI_METHOD *ui_method = NULL;
-+ /* Despite what the documentation says prompt_info can be
-+ * an empty string.
-+ */
-+ if (prompt_info && !*prompt_info)
-+ prompt_info = NULL;
-
- if (cactx) {
- if (cactx->ui_method)
diff --git a/openssl-1.1.0-disable-ssl3.patch b/openssl-1.1.0-disable-ssl3.patch
deleted file mode 100644
index 8dd6aa2..0000000
--- a/openssl-1.1.0-disable-ssl3.patch
+++ /dev/null
@@ -1,85 +0,0 @@
-diff -up openssl-1.1.0h/apps/s_client.c.disable-ssl3 openssl-1.1.0h/apps/s_client.c
---- openssl-1.1.0h/apps/s_client.c.disable-ssl3 2018-03-29 14:38:39.612133765 +0200
-+++ openssl-1.1.0h/apps/s_client.c 2018-03-29 14:41:51.309635904 +0200
-@@ -1489,6 +1489,9 @@ int s_client_main(int argc, char **argv)
- if (!config_ctx(cctx, ssl_args, ctx))
- goto end;
-
-+ if (min_version == SSL3_VERSION && max_version == SSL3_VERSION)
-+ SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
-+
- if (ssl_config) {
- if (SSL_CTX_config(ctx, ssl_config) == 0) {
- BIO_printf(bio_err, "Error using configuration \"%s\"\n",
-diff -up openssl-1.1.0h/apps/s_server.c.disable-ssl3 openssl-1.1.0h/apps/s_server.c
---- openssl-1.1.0h/apps/s_server.c.disable-ssl3 2018-03-29 14:38:39.613133788 +0200
-+++ openssl-1.1.0h/apps/s_server.c 2018-03-29 14:42:27.313481477 +0200
-@@ -1619,6 +1619,9 @@ int s_server_main(int argc, char *argv[]
- if (!config_ctx(cctx, ssl_args, ctx))
- goto end;
-
-+ if (min_version == SSL3_VERSION && max_version == SSL3_VERSION)
-+ SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
-+
- if (ssl_config) {
- if (SSL_CTX_config(ctx, ssl_config) == 0) {
- BIO_printf(bio_err, "Error using configuration \"%s\"\n",
-diff -up openssl-1.1.0h/ssl/ssl_lib.c.disable-ssl3 openssl-1.1.0h/ssl/ssl_lib.c
---- openssl-1.1.0h/ssl/ssl_lib.c.disable-ssl3 2018-03-27 15:50:40.000000000 +0200
-+++ openssl-1.1.0h/ssl/ssl_lib.c 2018-03-29 14:38:39.614133811 +0200
-@@ -2653,6 +2653,13 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
- * or by using the SSL_CONF library.
- */
- ret->options |= SSL_OP_NO_COMPRESSION;
-+ /*
-+ * Disable SSLv3 by default. Applications can
-+ * re-enable it by configuring
-+ * SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
-+ * or by using the SSL_CONF library.
-+ */
-+ ret->options |= SSL_OP_NO_SSLv3;
-
- ret->tlsext_status_type = -1;
-
-diff -up openssl-1.1.0h/test/ssl_test.c.disable-ssl3 openssl-1.1.0h/test/ssl_test.c
---- openssl-1.1.0h/test/ssl_test.c.disable-ssl3 2018-03-29 14:38:39.615133835 +0200
-+++ openssl-1.1.0h/test/ssl_test.c 2018-03-29 14:43:37.893139086 +0200
-@@ -277,6 +277,7 @@ static int execute_test(SSL_TEST_FIXTURE
- SSL_TEST_SERVERNAME_CB_NONE) {
- server2_ctx = SSL_CTX_new(TLS_server_method());
- TEST_check(server2_ctx != NULL);
-+ SSL_CTX_clear_options(server2_ctx, SSL_OP_NO_SSLv3);
- }
- client_ctx = SSL_CTX_new(TLS_client_method());
- TEST_check(SSL_CTX_set_max_proto_version(client_ctx, TLS_MAX_VERSION));
-@@ -290,11 +291,15 @@ static int execute_test(SSL_TEST_FIXTURE
- TLS_MAX_VERSION));
- TEST_check(resume_server_ctx != NULL);
- TEST_check(resume_client_ctx != NULL);
-+ SSL_CTX_clear_options(resume_server_ctx, SSL_OP_NO_SSLv3);
-+ SSL_CTX_clear_options(resume_client_ctx, SSL_OP_NO_SSLv3);
- }
- }
-
- TEST_check(server_ctx != NULL);
- TEST_check(client_ctx != NULL);
-+ SSL_CTX_clear_options(server_ctx, SSL_OP_NO_SSLv3);
-+ SSL_CTX_clear_options(client_ctx, SSL_OP_NO_SSLv3);
-
- TEST_check(CONF_modules_load(conf, fixture.test_app, 0) > 0);
-
-diff -up openssl-1.1.0h/test/ssltest_old.c.disable-ssl3 openssl-1.1.0h/test/ssltest_old.c
---- openssl-1.1.0h/test/ssltest_old.c.disable-ssl3 2018-03-27 15:50:41.000000000 +0200
-+++ openssl-1.1.0h/test/ssltest_old.c 2018-03-29 14:38:39.615133835 +0200
-@@ -1460,6 +1460,11 @@ int main(int argc, char *argv[])
- ERR_print_errors(bio_err);
- goto end;
- }
-+
-+ SSL_CTX_clear_options(c_ctx, SSL_OP_NO_SSLv3);
-+ SSL_CTX_clear_options(s_ctx, SSL_OP_NO_SSLv3);
-+ SSL_CTX_clear_options(s_ctx2, SSL_OP_NO_SSLv3);
-+
- /*
- * Since we will use low security ciphersuites and keys for testing set
- * security level to zero by default. Tests can override this by adding
diff --git a/openssl-1.1.0-ec-curves.patch b/openssl-1.1.0-ec-curves.patch
deleted file mode 100644
index d6bd022..0000000
--- a/openssl-1.1.0-ec-curves.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-diff -up openssl-1.1.0e/apps/speed.c.curves openssl-1.1.0e/apps/speed.c
---- openssl-1.1.0e/apps/speed.c.curves 2017-02-16 12:58:20.000000000 +0100
-+++ openssl-1.1.0e/apps/speed.c 2017-02-16 15:46:22.271504354 +0100
-@@ -536,42 +536,18 @@ static OPT_PAIR rsa_choices[] = {
- #define R_EC_X25519 16
- #ifndef OPENSSL_NO_EC
- static OPT_PAIR ecdsa_choices[] = {
-- {"ecdsap160", R_EC_P160},
-- {"ecdsap192", R_EC_P192},
- {"ecdsap224", R_EC_P224},
- {"ecdsap256", R_EC_P256},
- {"ecdsap384", R_EC_P384},
- {"ecdsap521", R_EC_P521},
-- {"ecdsak163", R_EC_K163},
-- {"ecdsak233", R_EC_K233},
-- {"ecdsak283", R_EC_K283},
-- {"ecdsak409", R_EC_K409},
-- {"ecdsak571", R_EC_K571},
-- {"ecdsab163", R_EC_B163},
-- {"ecdsab233", R_EC_B233},
-- {"ecdsab283", R_EC_B283},
-- {"ecdsab409", R_EC_B409},
-- {"ecdsab571", R_EC_B571},
- {NULL}
- };
-
- static OPT_PAIR ecdh_choices[] = {
-- {"ecdhp160", R_EC_P160},
-- {"ecdhp192", R_EC_P192},
- {"ecdhp224", R_EC_P224},
- {"ecdhp256", R_EC_P256},
- {"ecdhp384", R_EC_P384},
- {"ecdhp521", R_EC_P521},
-- {"ecdhk163", R_EC_K163},
-- {"ecdhk233", R_EC_K233},
-- {"ecdhk283", R_EC_K283},
-- {"ecdhk409", R_EC_K409},
-- {"ecdhk571", R_EC_K571},
-- {"ecdhb163", R_EC_B163},
-- {"ecdhb233", R_EC_B233},
-- {"ecdhb283", R_EC_B283},
-- {"ecdhb409", R_EC_B409},
-- {"ecdhb571", R_EC_B571},
- {"ecdhx25519", R_EC_X25519},
- {NULL}
- };
-diff -up openssl-1.1.0e/crypto/ec/ecp_smpl.c.curves openssl-1.1.0e/crypto/ec/ecp_smpl.c
---- openssl-1.1.0e/crypto/ec/ecp_smpl.c.curves 2017-02-16 12:58:21.000000000 +0100
-+++ openssl-1.1.0e/crypto/ec/ecp_smpl.c 2017-02-16 15:46:22.264504188 +0100
-@@ -144,6 +144,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO
- return 0;
- }
-
-+ if (BN_num_bits(p) < 224) {
-+ ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE, EC_R_UNSUPPORTED_FIELD);
-+ return 0;
-+ }
-+
- if (ctx == NULL) {
- ctx = new_ctx = BN_CTX_new();
- if (ctx == NULL)
-diff -up openssl-1.1.0e/test/ecdsatest.c.curves openssl-1.1.0e/test/ecdsatest.c
---- openssl-1.1.0e/test/ecdsatest.c.curves 2017-02-16 12:58:24.000000000 +0100
-+++ openssl-1.1.0e/test/ecdsatest.c 2017-02-16 15:46:22.250503857 +0100
-@@ -216,6 +216,7 @@ int x9_62_tests(BIO *out)
- if (!change_rand())
- goto x962_err;
-
-+#if 0
- if (!x9_62_test_internal(out, NID_X9_62_prime192v1,
- "3342403536405981729393488334694600415596881826869351677613",
- "5735822328888155254683894997897571951568553642892029982342"))
-@@ -226,6 +227,7 @@ int x9_62_tests(BIO *out)
- "3238135532097973577080787768312505059318910517550078427819"
- "78505179448783"))
- goto x962_err;
-+#endif
- # ifndef OPENSSL_NO_EC2M
- if (!x9_62_test_internal(out, NID_X9_62_c2tnb191v1,
- "87194383164871543355722284926904419997237591535066528048",
diff --git a/openssl-1.1.0-fips.patch b/openssl-1.1.0-fips.patch
deleted file mode 100644
index 48509de..0000000
--- a/openssl-1.1.0-fips.patch
+++ /dev/null
@@ -1,12252 +0,0 @@
-diff -up openssl-1.1.0h/apps/speed.c.fips openssl-1.1.0h/apps/speed.c
---- openssl-1.1.0h/apps/speed.c.fips 2018-03-29 14:44:24.617236431 +0200
-+++ openssl-1.1.0h/apps/speed.c 2018-03-29 15:02:42.171996191 +0200
-@@ -1447,7 +1447,9 @@ int speed_main(int argc, char **argv)
- if (strcmp(*argv, "openssl") == 0)
- continue;
- if (strcmp(*argv, "rsa") == 0) {
-- rsa_doit[R_RSA_512] = rsa_doit[R_RSA_1024] =
-+ if (!FIPS_mode())
-+ rsa_doit[R_RSA_512] = 1;
-+ rsa_doit[R_RSA_1024] =
- rsa_doit[R_RSA_2048] = rsa_doit[R_RSA_3072] =
- rsa_doit[R_RSA_4096] = rsa_doit[R_RSA_7680] =
- rsa_doit[R_RSA_15360] = 1;
-@@ -1460,7 +1462,9 @@ int speed_main(int argc, char **argv)
- #endif
- #ifndef OPENSSL_NO_DSA
- if (strcmp(*argv, "dsa") == 0) {
-- dsa_doit[R_DSA_512] = dsa_doit[R_DSA_1024] =
-+ if (!FIPS_mode())
-+ dsa_doit[R_DSA_512] = 1;
-+ dsa_doit[R_DSA_1024] =
- dsa_doit[R_DSA_2048] = 1;
- continue;
- }
-@@ -1549,15 +1553,21 @@ int speed_main(int argc, char **argv)
- /* No parameters; turn on everything. */
- if ((argc == 0) && !doit[D_EVP]) {
- for (i = 0; i < ALGOR_NUM; i++)
-- if (i != D_EVP)
-+ if (i != D_EVP &&
-+ (!FIPS_mode() || (i != D_WHIRLPOOL &&
-+ i != D_MD2 && i != D_MD4 &&
-+ i != D_MD5 && i != D_MDC2 &&
-+ i != D_RMD160)))
- doit[i] = 1;
- #ifndef OPENSSL_NO_RSA
- for (i = 0; i < RSA_NUM; i++)
-- rsa_doit[i] = 1;
-+ if (!FIPS_mode() || i != R_RSA_512)
-+ rsa_doit[i] = 1;
- #endif
- #ifndef OPENSSL_NO_DSA
- for (i = 0; i < DSA_NUM; i++)
-- dsa_doit[i] = 1;
-+ if (!FIPS_mode() || i != R_DSA_512)
-+ dsa_doit[i] = 1;
- #endif
- #ifndef OPENSSL_NO_EC
- for (loop = 0; loop < OSSL_NELEM(ecdsa_choices); loop++)
-@@ -1606,30 +1616,46 @@ int speed_main(int argc, char **argv)
- AES_set_encrypt_key(key24, 192, &aes_ks2);
- AES_set_encrypt_key(key32, 256, &aes_ks3);
- #ifndef OPENSSL_NO_CAMELLIA
-- Camellia_set_key(key16, 128, &camellia_ks1);
-- Camellia_set_key(ckey24, 192, &camellia_ks2);
-- Camellia_set_key(ckey32, 256, &camellia_ks3);
-+ if (doit[D_CBC_128_CML] || doit[D_CBC_192_CML] || doit[D_CBC_256_CML]) {
-+ Camellia_set_key(key16, 128, &camellia_ks1);
-+ Camellia_set_key(ckey24, 192, &camellia_ks2);
-+ Camellia_set_key(ckey32, 256, &camellia_ks3);
-+ }
- #endif
- #ifndef OPENSSL_NO_IDEA
-- IDEA_set_encrypt_key(key16, &idea_ks);
-+ if (doit[D_CBC_IDEA]) {
-+ IDEA_set_encrypt_key(key16, &idea_ks);
-+ }
- #endif
- #ifndef OPENSSL_NO_SEED
-- SEED_set_key(key16, &seed_ks);
-+ if (doit[D_CBC_SEED]) {
-+ SEED_set_key(key16, &seed_ks);
-+ }
- #endif
- #ifndef OPENSSL_NO_RC4
-- RC4_set_key(&rc4_ks, 16, key16);
-+ if (doit[D_RC4]) {
-+ RC4_set_key(&rc4_ks, 16, key16);
-+ }
- #endif
- #ifndef OPENSSL_NO_RC2
-- RC2_set_key(&rc2_ks, 16, key16, 128);
-+ if (doit[D_CBC_RC2]) {
-+ RC2_set_key(&rc2_ks, 16, key16, 128);
-+ }
- #endif
- #ifndef OPENSSL_NO_RC5
-- RC5_32_set_key(&rc5_ks, 16, key16, 12);
-+ if (doit[D_CBC_RC5]) {
-+ RC5_32_set_key(&rc5_ks, 16, key16, 12);
-+ }
- #endif
- #ifndef OPENSSL_NO_BF
-- BF_set_key(&bf_ks, 16, key16);
-+ if (doit[D_CBC_BF]) {
-+ BF_set_key(&bf_ks, 16, key16);
-+ }
- #endif
- #ifndef OPENSSL_NO_CAST
-- CAST_set_key(&cast_ks, 16, key16);
-+ if (doit[D_CBC_CAST]) {
-+ CAST_set_key(&cast_ks, 16, key16);
-+ }
- #endif
- #ifndef SIGALRM
- # ifndef OPENSSL_NO_DES
-@@ -1890,6 +1916,7 @@ int speed_main(int argc, char **argv)
-
- for (i = 0; i < loopargs_len; i++) {
- loopargs[i].hctx = HMAC_CTX_new();
-+ HMAC_CTX_set_flags(loopargs[i].hctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
- if (loopargs[i].hctx == NULL) {
- BIO_printf(bio_err, "HMAC malloc failure, exiting...");
- exit(1);
-diff -up openssl-1.1.0h/Configure.fips openssl-1.1.0h/Configure
---- openssl-1.1.0h/Configure.fips 2018-03-29 14:44:24.624236595 +0200
-+++ openssl-1.1.0h/Configure 2018-03-29 14:44:24.628236689 +0200
-@@ -314,7 +314,7 @@ $config{sdirs} = [
- "md2", "md4", "md5", "sha", "mdc2", "hmac", "ripemd", "whrlpool", "poly1305", "blake2",
- "des", "aes", "rc2", "rc4", "rc5", "idea", "bf", "cast", "camellia", "seed", "chacha", "modes",
- "bn", "ec", "rsa", "dsa", "dh", "dso", "engine",
-- "buffer", "bio", "stack", "lhash", "rand", "err",
-+ "buffer", "bio", "stack", "lhash", "rand", "err", "fips",
- "evp", "asn1", "pem", "x509", "x509v3", "conf", "txt_db", "pkcs7", "pkcs12", "comp", "ocsp", "ui",
- "cms", "ts", "srp", "cmac", "ct", "async", "kdf"
- ];
-diff -up openssl-1.1.0h/crypto/bn/bn_rand.c.fips openssl-1.1.0h/crypto/bn/bn_rand.c
---- openssl-1.1.0h/crypto/bn/bn_rand.c.fips 2018-03-27 15:50:38.000000000 +0200
-+++ openssl-1.1.0h/crypto/bn/bn_rand.c 2018-03-29 14:44:24.628236689 +0200
-@@ -39,9 +39,11 @@ static int bnrand(int pseudorand, BIGNUM
- goto err;
- }
-
-- /* make a random number and set the top and bottom bits */
-- time(&tim);
-- RAND_add(&tim, sizeof(tim), 0.0);
-+ if (!FIPS_mode()) { /* in FIPS mode the RNG is always properly seeded or the module fails */
-+ /* make a random number and set the top and bottom bits */
-+ time(&tim);
-+ RAND_add(&tim, sizeof(tim), 0.0);
-+ }
-
- if (RAND_bytes(buf, bytes) <= 0)
- goto err;
-diff -up openssl-1.1.0h/crypto/dh/dh_err.c.fips openssl-1.1.0h/crypto/dh/dh_err.c
---- openssl-1.1.0h/crypto/dh/dh_err.c.fips 2018-03-27 15:50:38.000000000 +0200
-+++ openssl-1.1.0h/crypto/dh/dh_err.c 2018-03-29 14:44:24.628236689 +0200
-@@ -25,6 +25,9 @@ static ERR_STRING_DATA DH_str_functs[] =
- {ERR_FUNC(DH_F_DH_CMS_DECRYPT), "dh_cms_decrypt"},
- {ERR_FUNC(DH_F_DH_CMS_SET_PEERKEY), "dh_cms_set_peerkey"},
- {ERR_FUNC(DH_F_DH_CMS_SET_SHARED_INFO), "dh_cms_set_shared_info"},
-+ {ERR_FUNC(DH_F_DH_COMPUTE_KEY), "DH_compute_key"},
-+ {ERR_FUNC(DH_F_DH_GENERATE_KEY), "DH_generate_key"},
-+ {ERR_FUNC(DH_F_DH_GENERATE_PARAMETERS_EX), "DH_generate_parameters_ex"},
- {ERR_FUNC(DH_F_DH_METH_DUP), "DH_meth_dup"},
- {ERR_FUNC(DH_F_DH_METH_NEW), "DH_meth_new"},
- {ERR_FUNC(DH_F_DH_METH_SET1_NAME), "DH_meth_set1_name"},
-@@ -49,9 +52,11 @@ static ERR_STRING_DATA DH_str_reasons[]
- {ERR_REASON(DH_R_INVALID_PUBKEY), "invalid public key"},
- {ERR_REASON(DH_R_KDF_PARAMETER_ERROR), "kdf parameter error"},
- {ERR_REASON(DH_R_KEYS_NOT_SET), "keys not set"},
-+ {ERR_REASON(DH_R_KEY_SIZE_TOO_SMALL), "key size too small"},
- {ERR_REASON(DH_R_MODULUS_TOO_LARGE), "modulus too large"},
- {ERR_REASON(DH_R_NO_PARAMETERS_SET), "no parameters set"},
- {ERR_REASON(DH_R_NO_PRIVATE_VALUE), "no private value"},
-+ {ERR_REASON(DH_R_NON_FIPS_METHOD), "non FIPS method"},
- {ERR_REASON(DH_R_PARAMETER_ENCODING_ERROR), "parameter encoding error"},
- {ERR_REASON(DH_R_PEER_KEY_ERROR), "peer key error"},
- {ERR_REASON(DH_R_SHARED_INFO_ERROR), "shared info error"},
-diff -up openssl-1.1.0h/crypto/dh/dh_gen.c.fips openssl-1.1.0h/crypto/dh/dh_gen.c
---- openssl-1.1.0h/crypto/dh/dh_gen.c.fips 2018-03-27 15:50:38.000000000 +0200
-+++ openssl-1.1.0h/crypto/dh/dh_gen.c 2018-03-29 14:44:24.628236689 +0200
-@@ -16,6 +16,9 @@
- #include "internal/cryptlib.h"
- #include <openssl/bn.h>
- #include "dh_locl.h"
-+#ifdef OPENSSL_FIPS
-+# include <openssl/fips.h>
-+#endif
-
- static int dh_builtin_genparams(DH *ret, int prime_len, int generator,
- BN_GENCB *cb);
-@@ -23,6 +26,13 @@ static int dh_builtin_genparams(DH *ret,
- int DH_generate_parameters_ex(DH *ret, int prime_len, int generator,
- BN_GENCB *cb)
- {
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode() && !(ret->meth->flags & DH_FLAG_FIPS_METHOD)
-+ && !(ret->flags & DH_FLAG_NON_FIPS_ALLOW)) {
-+ DHerr(DH_F_DH_GENERATE_PARAMETERS_EX, DH_R_NON_FIPS_METHOD);
-+ return 0;
-+ }
-+#endif
- if (ret->meth->generate_params)
- return ret->meth->generate_params(ret, prime_len, generator, cb);
- return dh_builtin_genparams(ret, prime_len, generator, cb);
-@@ -62,6 +72,18 @@ static int dh_builtin_genparams(DH *ret,
- int g, ok = -1;
- BN_CTX *ctx = NULL;
-
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_selftest_failed()) {
-+ FIPSerr(FIPS_F_DH_BUILTIN_GENPARAMS, FIPS_R_FIPS_SELFTEST_FAILED);
-+ return 0;
-+ }
-+
-+ if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN)) {
-+ DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL);
-+ goto err;
-+ }
-+#endif
-+
- ctx = BN_CTX_new();
- if (ctx == NULL)
- goto err;
-diff -up openssl-1.1.0h/crypto/dh/dh_key.c.fips openssl-1.1.0h/crypto/dh/dh_key.c
---- openssl-1.1.0h/crypto/dh/dh_key.c.fips 2018-03-27 15:50:38.000000000 +0200
-+++ openssl-1.1.0h/crypto/dh/dh_key.c 2018-03-29 14:44:24.628236689 +0200
-@@ -11,6 +11,9 @@
- #include "internal/cryptlib.h"
- #include "dh_locl.h"
- #include "internal/bn_int.h"
-+#ifdef OPENSSL_FIPS
-+# include <openssl/fips.h>
-+#endif
-
- static int generate_key(DH *dh);
- static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh);
-@@ -22,18 +25,32 @@ static int dh_finish(DH *dh);
-
- int DH_generate_key(DH *dh)
- {
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode() && !(dh->meth->flags & DH_FLAG_FIPS_METHOD)
-+ && !(dh->flags & DH_FLAG_NON_FIPS_ALLOW)) {
-+ DHerr(DH_F_DH_GENERATE_KEY, DH_R_NON_FIPS_METHOD);
-+ return 0;
-+ }
-+#endif
- return dh->meth->generate_key(dh);
- }
-
- int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
- {
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode() && !(dh->meth->flags & DH_FLAG_FIPS_METHOD)
-+ && !(dh->flags & DH_FLAG_NON_FIPS_ALLOW)) {
-+ DHerr(DH_F_DH_COMPUTE_KEY, DH_R_NON_FIPS_METHOD);
-+ return 0;
-+ }
-+#endif
- return dh->meth->compute_key(key, pub_key, dh);
- }
-
- int DH_compute_key_padded(unsigned char *key, const BIGNUM *pub_key, DH *dh)
- {
- int rv, pad;
-- rv = dh->meth->compute_key(key, pub_key, dh);
-+ rv = DH_compute_key(key, pub_key, dh);
- if (rv <= 0)
- return rv;
- pad = BN_num_bytes(dh->p) - rv;
-@@ -82,6 +99,14 @@ static int generate_key(DH *dh)
- BN_MONT_CTX *mont = NULL;
- BIGNUM *pub_key = NULL, *priv_key = NULL;
-
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode()
-+ && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) {
-+ DHerr(DH_F_GENERATE_KEY, DH_R_KEY_SIZE_TOO_SMALL);
-+ return 0;
-+ }
-+#endif
-+
- ctx = BN_CTX_new();
- if (ctx == NULL)
- goto err;
-@@ -165,6 +190,13 @@ static int compute_key(unsigned char *ke
- DHerr(DH_F_COMPUTE_KEY, DH_R_MODULUS_TOO_LARGE);
- goto err;
- }
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode()
-+ && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) {
-+ DHerr(DH_F_COMPUTE_KEY, DH_R_KEY_SIZE_TOO_SMALL);
-+ goto err;
-+ }
-+#endif
-
- ctx = BN_CTX_new();
- if (ctx == NULL)
-@@ -216,6 +248,9 @@ static int dh_bn_mod_exp(const DH *dh, B
-
- static int dh_init(DH *dh)
- {
-+#ifdef OPENSSL_FIPS
-+ FIPS_selftest_check();
-+#endif
- dh->flags |= DH_FLAG_CACHE_MONT_P;
- return (1);
- }
-diff -up openssl-1.1.0h/crypto/dsa/dsa_err.c.fips openssl-1.1.0h/crypto/dsa/dsa_err.c
---- openssl-1.1.0h/crypto/dsa/dsa_err.c.fips 2018-03-27 15:50:38.000000000 +0200
-+++ openssl-1.1.0h/crypto/dsa/dsa_err.c 2018-03-29 14:44:24.628236689 +0200
-@@ -21,10 +21,13 @@
- static ERR_STRING_DATA DSA_str_functs[] = {
- {ERR_FUNC(DSA_F_DSAPARAMS_PRINT), "DSAparams_print"},
- {ERR_FUNC(DSA_F_DSAPARAMS_PRINT_FP), "DSAparams_print_fp"},
-+ {ERR_FUNC(DSA_F_DSA_BUILTIN_KEYGEN), "dsa_builtin_keygen"},
- {ERR_FUNC(DSA_F_DSA_BUILTIN_PARAMGEN), "dsa_builtin_paramgen"},
- {ERR_FUNC(DSA_F_DSA_BUILTIN_PARAMGEN2), "dsa_builtin_paramgen2"},
- {ERR_FUNC(DSA_F_DSA_DO_SIGN), "DSA_do_sign"},
- {ERR_FUNC(DSA_F_DSA_DO_VERIFY), "DSA_do_verify"},
-+ {ERR_FUNC(DSA_F_DSA_GENERATE_KEY), "DSA_generate_key"},
-+ {ERR_FUNC(DSA_F_DSA_GENERATE_PARAMETERS_EX), "DSA_generate_parameters_ex"},
- {ERR_FUNC(DSA_F_DSA_METH_DUP), "DSA_meth_dup"},
- {ERR_FUNC(DSA_F_DSA_METH_NEW), "DSA_meth_new"},
- {ERR_FUNC(DSA_F_DSA_METH_SET1_NAME), "DSA_meth_set1_name"},
-@@ -51,9 +54,12 @@ static ERR_STRING_DATA DSA_str_reasons[]
- {ERR_REASON(DSA_R_DECODE_ERROR), "decode error"},
- {ERR_REASON(DSA_R_INVALID_DIGEST_TYPE), "invalid digest type"},
- {ERR_REASON(DSA_R_INVALID_PARAMETERS), "invalid parameters"},
-+ {ERR_REASON(DSA_R_KEY_SIZE_INVALID), "key size invalid"},
-+ {ERR_REASON(DSA_R_KEY_SIZE_TOO_SMALL), "key size too small"},
- {ERR_REASON(DSA_R_MISSING_PARAMETERS), "missing parameters"},
- {ERR_REASON(DSA_R_MODULUS_TOO_LARGE), "modulus too large"},
- {ERR_REASON(DSA_R_NO_PARAMETERS_SET), "no parameters set"},
-+ {ERR_REASON(DSA_R_NON_FIPS_DSA_METHOD), "non FIPS DSA method"},
- {ERR_REASON(DSA_R_PARAMETER_ENCODING_ERROR), "parameter encoding error"},
- {ERR_REASON(DSA_R_Q_NOT_PRIME), "q not prime"},
- {ERR_REASON(DSA_R_SEED_LEN_SMALL),
-diff -up openssl-1.1.0h/crypto/dsa/dsa_gen.c.fips openssl-1.1.0h/crypto/dsa/dsa_gen.c
---- openssl-1.1.0h/crypto/dsa/dsa_gen.c.fips 2018-03-27 15:50:38.000000000 +0200
-+++ openssl-1.1.0h/crypto/dsa/dsa_gen.c 2018-03-29 14:44:24.628236689 +0200
-@@ -22,12 +22,22 @@
- #include <openssl/rand.h>
- #include <openssl/sha.h>
- #include "dsa_locl.h"
-+#ifdef OPENSSL_FIPS
-+# include <openssl/fips.h>
-+#endif
-
- int DSA_generate_parameters_ex(DSA *ret, int bits,
- const unsigned char *seed_in, int seed_len,
- int *counter_ret, unsigned long *h_ret,
- BN_GENCB *cb)
- {
-+# ifdef OPENSSL_FIPS
-+ if (FIPS_mode() && !(ret->meth->flags & DSA_FLAG_FIPS_METHOD)
-+ && !(ret->flags & DSA_FLAG_NON_FIPS_ALLOW)) {
-+ DSAerr(DSA_F_DSA_GENERATE_PARAMETERS_EX, DSA_R_NON_FIPS_DSA_METHOD);
-+ return 0;
-+ }
-+# endif
- if (ret->meth->dsa_paramgen)
- return ret->meth->dsa_paramgen(ret, bits, seed_in, seed_len,
- counter_ret, h_ret, cb);
-@@ -35,9 +45,15 @@ int DSA_generate_parameters_ex(DSA *ret,
- const EVP_MD *evpmd = bits >= 2048 ? EVP_sha256() : EVP_sha1();
- size_t qbits = EVP_MD_size(evpmd) * 8;
-
-+# ifdef OPENSSL_FIPS
-+ return dsa_builtin_paramgen2(ret, bits, qbits, evpmd,
-+ seed_in, seed_len, -1, NULL, counter_ret,
-+ h_ret, cb);
-+# else
- return dsa_builtin_paramgen(ret, bits, qbits, evpmd,
- seed_in, seed_len, NULL, counter_ret,
- h_ret, cb);
-+# endif
- }
- }
-
-@@ -303,7 +319,7 @@ int dsa_builtin_paramgen2(DSA *ret, size
- int *counter_ret, unsigned long *h_ret,
- BN_GENCB *cb)
- {
-- int ok = -1;
-+ int ok = 0;
- unsigned char *seed = NULL, *seed_tmp = NULL;
- unsigned char md[EVP_MAX_MD_SIZE];
- int mdsize;
-@@ -320,6 +336,20 @@ int dsa_builtin_paramgen2(DSA *ret, size
- if (mctx == NULL)
- goto err;
-
-+# ifdef OPENSSL_FIPS
-+ if (FIPS_selftest_failed()) {
-+ FIPSerr(FIPS_F_DSA_BUILTIN_PARAMGEN2, FIPS_R_FIPS_SELFTEST_FAILED);
-+ goto err;
-+ }
-+
-+ if (FIPS_mode() && (L != 1024 || N != 160) &&
-+ (L != 2048 || N != 224) && (L != 2048 || N != 256) &&
-+ (L != 3072 || N != 256)) {
-+ DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_KEY_SIZE_INVALID);
-+ goto err;
-+ }
-+# endif
-+
- if (evpmd == NULL) {
- if (N == 160)
- evpmd = EVP_sha1();
-@@ -420,9 +450,10 @@ int dsa_builtin_paramgen2(DSA *ret, size
- goto err;
- /* Provided seed didn't produce a prime: error */
- if (seed_in) {
-- ok = 0;
-- DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_Q_NOT_PRIME);
-- goto err;
-+ /* Different seed_out will indicate that seed_in
-+ * did not generate primes.
-+ */
-+ seed_in = NULL;
- }
-
- /* do a callback call */
-@@ -508,11 +539,14 @@ int dsa_builtin_paramgen2(DSA *ret, size
- if (counter >= (int)(4 * L))
- break;
- }
-+#if 0
-+ /* Cannot happen */
- if (seed_in) {
- ok = 0;
- DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_INVALID_PARAMETERS);
- goto err;
- }
-+#endif
- }
- end:
- if (!BN_GENCB_call(cb, 2, 1))
-@@ -583,7 +617,7 @@ int dsa_builtin_paramgen2(DSA *ret, size
- BN_free(ret->g);
- ret->g = BN_dup(g);
- if (ret->p == NULL || ret->q == NULL || ret->g == NULL) {
-- ok = -1;
-+ ok = 0;
- goto err;
- }
- if (counter_ret != NULL)
-@@ -601,3 +635,53 @@ int dsa_builtin_paramgen2(DSA *ret, size
- EVP_MD_CTX_free(mctx);
- return ok;
- }
-+
-+#ifdef OPENSSL_FIPS
-+
-+int FIPS_dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N,
-+ const EVP_MD *evpmd, const unsigned char *seed_in,
-+ size_t seed_len, int idx, unsigned char *seed_out,
-+ int *counter_ret, unsigned long *h_ret,
-+ BN_GENCB *cb)
-+{
-+ return dsa_builtin_paramgen2(ret, L, N, evpmd, seed_in, seed_len,
-+ idx, seed_out, counter_ret, h_ret, cb);
-+}
-+
-+int FIPS_dsa_paramgen_check_g(DSA *dsa)
-+{
-+ BN_CTX *ctx;
-+ BIGNUM *tmp;
-+ BN_MONT_CTX *mont = NULL;
-+ int rv = -1;
-+
-+ ctx = BN_CTX_new();
-+ if (ctx == NULL)
-+ return -1;
-+ BN_CTX_start(ctx);
-+ if (BN_cmp(dsa->g, BN_value_one()) <= 0)
-+ return 0;
-+ if (BN_cmp(dsa->g, dsa->p) >= 0)
-+ return 0;
-+ tmp = BN_CTX_get(ctx);
-+ if (tmp == NULL)
-+ goto err;
-+ if ((mont=BN_MONT_CTX_new()) == NULL)
-+ goto err;
-+ if (!BN_MONT_CTX_set(mont,dsa->p,ctx))
-+ goto err;
-+ /* Work out g^q mod p */
-+ if (!BN_mod_exp_mont(tmp,dsa->g,dsa->q, dsa->p, ctx, mont))
-+ goto err;
-+ if (!BN_cmp(tmp, BN_value_one()))
-+ rv = 1;
-+ else
-+ rv = 0;
-+ err:
-+ BN_CTX_end(ctx);
-+ BN_MONT_CTX_free(mont);
-+ BN_CTX_free(ctx);
-+ return rv;
-+}
-+
-+#endif
-diff -up openssl-1.1.0h/crypto/dsa/dsa_key.c.fips openssl-1.1.0h/crypto/dsa/dsa_key.c
---- openssl-1.1.0h/crypto/dsa/dsa_key.c.fips 2018-03-27 15:50:38.000000000 +0200
-+++ openssl-1.1.0h/crypto/dsa/dsa_key.c 2018-03-29 14:44:24.628236689 +0200
-@@ -13,10 +13,49 @@
- #include <openssl/bn.h>
- #include "dsa_locl.h"
-
-+#ifdef OPENSSL_FIPS
-+# include <openssl/fips.h>
-+# include "internal/fips_int.h"
-+
-+static int fips_check_dsa(DSA *dsa)
-+{
-+ EVP_PKEY *pk;
-+ unsigned char tbs[] = "DSA Pairwise Check Data";
-+ int ret = 0;
-+
-+ if ((pk = EVP_PKEY_new()) == NULL)
-+ goto err;
-+
-+ EVP_PKEY_set1_DSA(pk, dsa);
-+
-+ if (fips_pkey_signature_test(pk, tbs, -1, NULL, 0, NULL, 0, NULL))
-+ ret = 1;
-+
-+ err:
-+ if (ret == 0) {
-+ FIPSerr(FIPS_F_FIPS_CHECK_DSA, FIPS_R_PAIRWISE_TEST_FAILED);
-+ fips_set_selftest_fail();
-+ }
-+
-+ if (pk)
-+ EVP_PKEY_free(pk);
-+
-+ return ret;
-+}
-+
-+#endif
-+
- static int dsa_builtin_keygen(DSA *dsa);
-
- int DSA_generate_key(DSA *dsa)
- {
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD)
-+ && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)) {
-+ DSAerr(DSA_F_DSA_GENERATE_KEY, DSA_R_NON_FIPS_DSA_METHOD);
-+ return 0;
-+ }
-+#endif
- if (dsa->meth->dsa_keygen)
- return dsa->meth->dsa_keygen(dsa);
- return dsa_builtin_keygen(dsa);
-@@ -28,6 +67,14 @@ static int dsa_builtin_keygen(DSA *dsa)
- BN_CTX *ctx = NULL;
- BIGNUM *pub_key = NULL, *priv_key = NULL;
-
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
-+ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS_GEN)) {
-+ DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL);
-+ goto err;
-+ }
-+#endif
-+
- if ((ctx = BN_CTX_new()) == NULL)
- goto err;
-
-@@ -65,6 +112,13 @@ static int dsa_builtin_keygen(DSA *dsa)
-
- dsa->priv_key = priv_key;
- dsa->pub_key = pub_key;
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode() && !fips_check_dsa(dsa)) {
-+ dsa->pub_key = NULL;
-+ dsa->priv_key = NULL;
-+ goto err;
-+ }
-+#endif
- ok = 1;
-
- err:
-diff -up openssl-1.1.0h/crypto/dsa/dsa_ossl.c.fips openssl-1.1.0h/crypto/dsa/dsa_ossl.c
---- openssl-1.1.0h/crypto/dsa/dsa_ossl.c.fips 2018-03-27 15:50:38.000000000 +0200
-+++ openssl-1.1.0h/crypto/dsa/dsa_ossl.c 2018-03-29 14:44:24.629236712 +0200
-@@ -15,6 +15,9 @@
- #include <openssl/sha.h>
- #include "dsa_locl.h"
- #include <openssl/asn1.h>
-+#ifdef OPENSSL_FIPS
-+# include <openssl/fips.h>
-+#endif
-
- static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
- static int dsa_sign_setup_no_digest(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
-@@ -68,6 +71,19 @@ static DSA_SIG *dsa_do_sign(const unsign
- DSA_SIG *ret = NULL;
- int rv = 0;
-
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_selftest_failed()) {
-+ FIPSerr(FIPS_F_DSA_DO_SIGN, FIPS_R_FIPS_SELFTEST_FAILED);
-+ return NULL;
-+ }
-+
-+ if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
-+ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) {
-+ DSAerr(DSA_F_DSA_DO_SIGN, DSA_R_KEY_SIZE_TOO_SMALL);
-+ return NULL;
-+ }
-+#endif
-+
- m = BN_new();
- xr = BN_new();
- if (m == NULL || xr == NULL)
-@@ -266,6 +282,18 @@ static int dsa_do_verify(const unsigned
- DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_BAD_Q_VALUE);
- return -1;
- }
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_selftest_failed()) {
-+ FIPSerr(FIPS_F_DSA_DO_VERIFY, FIPS_R_FIPS_SELFTEST_FAILED);
-+ return -1;
-+ }
-+
-+ if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
-+ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) {
-+ DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_KEY_SIZE_TOO_SMALL);
-+ return -1;
-+ }
-+#endif
-
- if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) {
- DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_MODULUS_TOO_LARGE);
-@@ -354,6 +382,9 @@ static int dsa_do_verify(const unsigned
-
- static int dsa_init(DSA *dsa)
- {
-+#ifdef OPENSSL_FIPS
-+ FIPS_selftest_check();
-+#endif
- dsa->flags |= DSA_FLAG_CACHE_MONT_P;
- return (1);
- }
-diff -up openssl-1.1.0h/crypto/dsa/dsa_pmeth.c.fips openssl-1.1.0h/crypto/dsa/dsa_pmeth.c
---- openssl-1.1.0h/crypto/dsa/dsa_pmeth.c.fips 2018-03-27 15:50:38.000000000 +0200
-+++ openssl-1.1.0h/crypto/dsa/dsa_pmeth.c 2018-03-29 14:44:24.629236712 +0200
-@@ -212,8 +212,8 @@ static int pkey_dsa_paramgen(EVP_PKEY_CT
- BN_GENCB_free(pcb);
- return 0;
- }
-- ret = dsa_builtin_paramgen(dsa, dctx->nbits, dctx->qbits, dctx->pmd,
-- NULL, 0, NULL, NULL, NULL, pcb);
-+ ret = dsa_builtin_paramgen2(dsa, dctx->nbits, dctx->qbits, dctx->pmd,
-+ NULL, 0, -1, NULL, NULL, NULL, pcb);
- BN_GENCB_free(pcb);
- if (ret)
- EVP_PKEY_assign_DSA(pkey, dsa);
-diff -up openssl-1.1.0h/crypto/ec/ecdh_ossl.c.fips openssl-1.1.0h/crypto/ec/ecdh_ossl.c
---- openssl-1.1.0h/crypto/ec/ecdh_ossl.c.fips 2018-03-27 15:50:38.000000000 +0200
-+++ openssl-1.1.0h/crypto/ec/ecdh_ossl.c 2018-03-29 14:44:24.629236712 +0200
-@@ -33,9 +33,20 @@
- #include <openssl/ec.h>
- #include "ec_lcl.h"
-
-+#ifdef OPENSSL_FIPS
-+# include <openssl/fips.h>
-+#endif
-+
- int ossl_ecdh_compute_key(unsigned char **psec, size_t *pseclen,
- const EC_POINT *pub_key, const EC_KEY *ecdh)
- {
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_selftest_failed()) {
-+ FIPSerr(FIPS_F_ECDH_COMPUTE_KEY, FIPS_R_FIPS_SELFTEST_FAILED);
-+ return -1;
-+ }
-+#endif
-+
- if (ecdh->group->meth->ecdh_compute_key == NULL) {
- ECerr(EC_F_OSSL_ECDH_COMPUTE_KEY, EC_R_CURVE_DOES_NOT_SUPPORT_ECDH);
- return 0;
-diff -up openssl-1.1.0h/crypto/ec/ecdsa_ossl.c.fips openssl-1.1.0h/crypto/ec/ecdsa_ossl.c
---- openssl-1.1.0h/crypto/ec/ecdsa_ossl.c.fips 2018-03-27 15:50:38.000000000 +0200
-+++ openssl-1.1.0h/crypto/ec/ecdsa_ossl.c 2018-03-29 14:44:24.629236712 +0200
-@@ -15,6 +15,10 @@
- #include <openssl/ec.h>
- #include "ec_lcl.h"
-
-+#ifdef OPENSSL_FIPS
-+# include <openssl/fips.h>
-+#endif
-+
- int ossl_ecdsa_sign(int type, const unsigned char *dgst, int dlen,
- unsigned char *sig, unsigned int *siglen,
- const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey)
-@@ -217,6 +221,13 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns
- ECDSA_SIG *ret;
- const BIGNUM *priv_key;
-
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_selftest_failed()) {
-+ FIPSerr(FIPS_F_OSSL_ECDSA_SIGN_SIG, FIPS_R_FIPS_SELFTEST_FAILED);
-+ return NULL;
-+ }
-+#endif
-+
- group = EC_KEY_get0_group(eckey);
- priv_key = EC_KEY_get0_private_key(eckey);
-
-@@ -366,6 +377,13 @@ int ossl_ecdsa_verify_sig(const unsigned
- const EC_GROUP *group;
- const EC_POINT *pub_key;
-
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_selftest_failed()) {
-+ FIPSerr(FIPS_F_OSSL_ECDSA_VERIFY_SIG, FIPS_R_FIPS_SELFTEST_FAILED);
-+ return NULL;
-+ }
-+#endif
-+
- /* check input values */
- if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL ||
- (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL) {
-diff -up openssl-1.1.0h/crypto/ec/ec_key.c.fips openssl-1.1.0h/crypto/ec/ec_key.c
---- openssl-1.1.0h/crypto/ec/ec_key.c.fips 2018-03-27 15:50:38.000000000 +0200
-+++ openssl-1.1.0h/crypto/ec/ec_key.c 2018-03-29 14:44:24.630236736 +0200
-@@ -177,14 +177,61 @@ int EC_KEY_up_ref(EC_KEY *r)
- return ((i > 1) ? 1 : 0);
- }
-
-+#ifdef OPENSSL_FIPS
-+
-+# include <openssl/fips.h>
-+# include "internal/fips_int.h"
-+
-+static int fips_check_ec(EC_KEY *key)
-+{
-+ EVP_PKEY *pk;
-+ unsigned char tbs[] = "ECDSA Pairwise Check Data";
-+ int ret = 0;
-+
-+ if (!EC_KEY_can_sign(key)) /* no test for non-signing keys */
-+ return 1;
-+
-+ if ((pk = EVP_PKEY_new()) == NULL)
-+ goto err;
-+
-+ EVP_PKEY_set1_EC_KEY(pk, key);
-+
-+ if (fips_pkey_signature_test(pk, tbs, -1, NULL, 0, NULL, 0, NULL))
-+ ret = 1;
-+
-+ err:
-+ if (ret == 0) {
-+ FIPSerr(FIPS_F_FIPS_CHECK_EC, FIPS_R_PAIRWISE_TEST_FAILED);
-+ fips_set_selftest_fail();
-+ }
-+ if (pk)
-+ EVP_PKEY_free(pk);
-+ return ret;
-+}
-+
-+#endif
-+
- int EC_KEY_generate_key(EC_KEY *eckey)
- {
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_selftest_failed()) {
-+ FIPSerr(EC_F_EC_KEY_GENERATE_KEY, FIPS_R_FIPS_SELFTEST_FAILED);
-+ return 0;
-+ }
-+#endif
- if (eckey == NULL || eckey->group == NULL) {
- ECerr(EC_F_EC_KEY_GENERATE_KEY, ERR_R_PASSED_NULL_PARAMETER);
- return 0;
- }
-- if (eckey->meth->keygen != NULL)
-- return eckey->meth->keygen(eckey);
-+ if (eckey->meth->keygen != NULL) {
-+ int rv = eckey->meth->keygen(eckey);
-+#ifdef OPENSSL_FIPS
-+ if (rv > 0 && FIPS_mode()) {
-+ rv = fips_check_ec(eckey);
-+ }
-+#endif
-+ return rv;
-+ }
- ECerr(EC_F_EC_KEY_GENERATE_KEY, EC_R_OPERATION_NOT_SUPPORTED);
- return 0;
- }
-diff -up openssl-1.1.0h/crypto/err/err_all.c.fips openssl-1.1.0h/crypto/err/err_all.c
---- openssl-1.1.0h/crypto/err/err_all.c.fips 2018-03-27 15:50:38.000000000 +0200
-+++ openssl-1.1.0h/crypto/err/err_all.c 2018-03-29 14:44:24.630236736 +0200
-@@ -43,9 +43,6 @@
- int err_load_crypto_strings_int(void)
- {
- if (
--#ifdef OPENSSL_FIPS
-- FIPS_set_error_callbacks(ERR_put_error, ERR_add_error_vdata) == 0 ||
--#endif
- #ifndef OPENSSL_NO_ERR
- ERR_load_ERR_strings() == 0 || /* include error strings for SYSerr */
- ERR_load_BN_strings() == 0 ||
-diff -up openssl-1.1.0h/crypto/evp/c_allc.c.fips openssl-1.1.0h/crypto/evp/c_allc.c
---- openssl-1.1.0h/crypto/evp/c_allc.c.fips 2018-03-27 15:50:38.000000000 +0200
-+++ openssl-1.1.0h/crypto/evp/c_allc.c 2018-03-29 14:44:24.630236736 +0200
-@@ -17,6 +17,9 @@
- void openssl_add_all_ciphers_int(void)
- {
-
-+#ifdef OPENSSL_FIPS
-+ if (!FIPS_mode()) {
-+#endif
- #ifndef OPENSSL_NO_DES
- EVP_add_cipher(EVP_des_cfb());
- EVP_add_cipher(EVP_des_cfb1());
-@@ -217,4 +220,70 @@ void openssl_add_all_ciphers_int(void)
- EVP_add_cipher(EVP_chacha20_poly1305());
- # endif
- #endif
-+#ifdef OPENSSL_FIPS
-+ } else {
-+# ifndef OPENSSL_NO_DES
-+ EVP_add_cipher(EVP_des_ede3_cfb());
-+
-+ EVP_add_cipher(EVP_des_ede3_ofb());
-+
-+ EVP_add_cipher(EVP_des_ede3_cbc());
-+ EVP_add_cipher_alias(SN_des_ede3_cbc, "DES3");
-+ EVP_add_cipher_alias(SN_des_ede3_cbc, "des3");
-+
-+ EVP_add_cipher(EVP_des_ede3());
-+ EVP_add_cipher_alias(SN_des_ede3_ecb, "DES-EDE3-ECB");
-+ EVP_add_cipher_alias(SN_des_ede3_ecb, "des-ede3-ecb");
-+ EVP_add_cipher(EVP_des_ede3_wrap());
-+ EVP_add_cipher_alias(SN_id_smime_alg_CMS3DESwrap, "des3-wrap");
-+# endif
-+
-+# ifndef OPENSSL_NO_AES
-+ EVP_add_cipher(EVP_aes_128_ecb());
-+ EVP_add_cipher(EVP_aes_128_cbc());
-+ EVP_add_cipher(EVP_aes_128_cfb());
-+ EVP_add_cipher(EVP_aes_128_cfb1());
-+ EVP_add_cipher(EVP_aes_128_cfb8());
-+ EVP_add_cipher(EVP_aes_128_ofb());
-+ EVP_add_cipher(EVP_aes_128_ctr());
-+ EVP_add_cipher(EVP_aes_128_gcm());
-+ EVP_add_cipher(EVP_aes_128_xts());
-+ EVP_add_cipher(EVP_aes_128_ccm());
-+ EVP_add_cipher(EVP_aes_128_wrap());
-+ EVP_add_cipher_alias(SN_id_aes128_wrap, "aes128-wrap");
-+ EVP_add_cipher(EVP_aes_128_wrap_pad());
-+ EVP_add_cipher_alias(SN_aes_128_cbc, "AES128");
-+ EVP_add_cipher_alias(SN_aes_128_cbc, "aes128");
-+ EVP_add_cipher(EVP_aes_192_ecb());
-+ EVP_add_cipher(EVP_aes_192_cbc());
-+ EVP_add_cipher(EVP_aes_192_cfb());
-+ EVP_add_cipher(EVP_aes_192_cfb1());
-+ EVP_add_cipher(EVP_aes_192_cfb8());
-+ EVP_add_cipher(EVP_aes_192_ofb());
-+ EVP_add_cipher(EVP_aes_192_ctr());
-+ EVP_add_cipher(EVP_aes_192_gcm());
-+ EVP_add_cipher(EVP_aes_192_ccm());
-+ EVP_add_cipher(EVP_aes_192_wrap());
-+ EVP_add_cipher_alias(SN_id_aes192_wrap, "aes192-wrap");
-+ EVP_add_cipher(EVP_aes_192_wrap_pad());
-+ EVP_add_cipher_alias(SN_aes_192_cbc, "AES192");
-+ EVP_add_cipher_alias(SN_aes_192_cbc, "aes192");
-+ EVP_add_cipher(EVP_aes_256_ecb());
-+ EVP_add_cipher(EVP_aes_256_cbc());
-+ EVP_add_cipher(EVP_aes_256_cfb());
-+ EVP_add_cipher(EVP_aes_256_cfb1());
-+ EVP_add_cipher(EVP_aes_256_cfb8());
-+ EVP_add_cipher(EVP_aes_256_ofb());
-+ EVP_add_cipher(EVP_aes_256_ctr());
-+ EVP_add_cipher(EVP_aes_256_gcm());
-+ EVP_add_cipher(EVP_aes_256_xts());
-+ EVP_add_cipher(EVP_aes_256_ccm());
-+ EVP_add_cipher(EVP_aes_256_wrap());
-+ EVP_add_cipher_alias(SN_id_aes256_wrap, "aes256-wrap");
-+ EVP_add_cipher(EVP_aes_256_wrap_pad());
-+ EVP_add_cipher_alias(SN_aes_256_cbc, "AES256");
-+ EVP_add_cipher_alias(SN_aes_256_cbc, "aes256");
-+# endif
-+ }
-+#endif
- }
-diff -up openssl-1.1.0h/crypto/evp/c_alld.c.fips openssl-1.1.0h/crypto/evp/c_alld.c
---- openssl-1.1.0h/crypto/evp/c_alld.c.fips 2018-03-27 15:50:38.000000000 +0200
-+++ openssl-1.1.0h/crypto/evp/c_alld.c 2018-03-29 14:44:24.630236736 +0200
-@@ -16,6 +16,9 @@
-
- void openssl_add_all_digests_int(void)
- {
-+#ifdef OPENSSL_FIPS
-+ if (!FIPS_mode()) {
-+#endif
- #ifndef OPENSSL_NO_MD4
- EVP_add_digest(EVP_md4());
- #endif
-@@ -46,4 +49,15 @@ void openssl_add_all_digests_int(void)
- EVP_add_digest(EVP_blake2b512());
- EVP_add_digest(EVP_blake2s256());
- #endif
-+#ifdef OPENSSL_FIPS
-+ } else {
-+ EVP_add_digest(EVP_sha1());
-+ EVP_add_digest_alias(SN_sha1, "ssl3-sha1");
-+ EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA);
-+ EVP_add_digest(EVP_sha224());
-+ EVP_add_digest(EVP_sha256());
-+ EVP_add_digest(EVP_sha384());
-+ EVP_add_digest(EVP_sha512());
-+ }
-+#endif
- }
-diff -up openssl-1.1.0h/crypto/evp/digest.c.fips openssl-1.1.0h/crypto/evp/digest.c
---- openssl-1.1.0h/crypto/evp/digest.c.fips 2018-03-27 15:50:38.000000000 +0200
-+++ openssl-1.1.0h/crypto/evp/digest.c 2018-03-29 14:44:24.630236736 +0200
-@@ -14,6 +14,9 @@
- #include <openssl/engine.h>
- #include "internal/evp_int.h"
- #include "evp_locl.h"
-+#ifdef OPENSSL_FIPS
-+# include <openssl/fips.h>
-+#endif
-
- /* This call frees resources associated with the context */
- int EVP_MD_CTX_reset(EVP_MD_CTX *ctx)
-@@ -61,6 +64,12 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, cons
- int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
- {
- EVP_MD_CTX_clear_flags(ctx, EVP_MD_CTX_FLAG_CLEANED);
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_selftest_failed()) {
-+ FIPSerr(FIPS_F_EVP_DIGESTINIT_EX, FIPS_R_FIPS_SELFTEST_FAILED);
-+ return 0;
-+ }
-+#endif
- #ifndef OPENSSL_NO_ENGINE
- /*
- * Whether it's nice or not, "Inits" can be used on "Final"'d contexts so
-@@ -114,6 +123,15 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c
- }
- #endif
- if (ctx->digest != type) {
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode()) {
-+ if (!(type->flags & EVP_MD_FLAG_FIPS)
-+ && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)) {
-+ EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS);
-+ return 0;
-+ }
-+ }
-+#endif
- if (ctx->digest && ctx->digest->ctx_size) {
- OPENSSL_clear_free(ctx->md_data, ctx->digest->ctx_size);
- ctx->md_data = NULL;
-@@ -145,6 +163,9 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c
-
- int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count)
- {
-+#ifdef OPENSSL_FIPS
-+ FIPS_selftest_check();
-+#endif
- return ctx->update(ctx, data, count);
- }
-
-@@ -162,6 +183,9 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx,
- {
- int ret;
-
-+#ifdef OPENSSL_FIPS
-+ FIPS_selftest_check();
-+#endif
- OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
- ret = ctx->digest->final(ctx, md);
- if (size != NULL)
-diff -up openssl-1.1.0h/crypto/evp/e_aes.c.fips openssl-1.1.0h/crypto/evp/e_aes.c
---- openssl-1.1.0h/crypto/evp/e_aes.c.fips 2018-03-27 15:50:38.000000000 +0200
-+++ openssl-1.1.0h/crypto/evp/e_aes.c 2018-03-29 14:44:24.631236760 +0200
-@@ -1263,9 +1263,9 @@ static int aes_ctr_cipher(EVP_CIPHER_CTX
- return 1;
- }
-
--BLOCK_CIPHER_generic_pack(NID_aes, 128, 0)
-- BLOCK_CIPHER_generic_pack(NID_aes, 192, 0)
-- BLOCK_CIPHER_generic_pack(NID_aes, 256, 0)
-+BLOCK_CIPHER_generic_pack(NID_aes, 128, EVP_CIPH_FLAG_FIPS)
-+ BLOCK_CIPHER_generic_pack(NID_aes, 192, EVP_CIPH_FLAG_FIPS)
-+ BLOCK_CIPHER_generic_pack(NID_aes, 256, EVP_CIPH_FLAG_FIPS)
-
- static int aes_gcm_cleanup(EVP_CIPHER_CTX *c)
- {
-@@ -1311,6 +1311,11 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *
- case EVP_CTRL_AEAD_SET_IVLEN:
- if (arg <= 0)
- return 0;
-+# ifdef OPENSSL_FIPS
-+ if (FIPS_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)
-+ && arg < 12)
-+ return 0;
-+# endif
- /* Allocate memory for IV if needed */
- if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) {
- if (gctx->iv != EVP_CIPHER_CTX_iv_noconst(c))
-@@ -1771,11 +1776,14 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX
- | EVP_CIPH_CUSTOM_COPY)
-
- BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, gcm, GCM,
-- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
-+ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER |
-+ CUSTOM_FLAGS)
- BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, gcm, GCM,
-- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
-+ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER |
-+ CUSTOM_FLAGS)
- BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, gcm, GCM,
-- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
-+ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER |
-+ CUSTOM_FLAGS)
-
- static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
- {
-@@ -1910,6 +1918,14 @@ static int aes_xts_cipher(EVP_CIPHER_CTX
- return 0;
- if (!out || !in || len < AES_BLOCK_SIZE)
- return 0;
-+# ifdef OPENSSL_FIPS
-+ /* Requirement of SP800-38E */
-+ if (FIPS_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) &&
-+ (len > (1UL << 20) * 16)) {
-+ EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_TOO_LARGE);
-+ return 0;
-+ }
-+# endif
- if (xctx->stream)
- (*xctx->stream) (in, out, len,
- xctx->xts.key1, xctx->xts.key2,
-@@ -1927,8 +1943,10 @@ static int aes_xts_cipher(EVP_CIPHER_CTX
- | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
- | EVP_CIPH_CUSTOM_COPY)
-
--BLOCK_CIPHER_custom(NID_aes, 128, 1, 16, xts, XTS, XTS_FLAGS)
-- BLOCK_CIPHER_custom(NID_aes, 256, 1, 16, xts, XTS, XTS_FLAGS)
-+BLOCK_CIPHER_custom(NID_aes, 128, 1, 16, xts, XTS,
-+ EVP_CIPH_FLAG_FIPS | XTS_FLAGS)
-+ BLOCK_CIPHER_custom(NID_aes, 256, 1, 16, xts, XTS,
-+ EVP_CIPH_FLAG_FIPS | XTS_FLAGS)
-
- static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
- {
-@@ -2192,11 +2210,11 @@ static int aes_ccm_cipher(EVP_CIPHER_CTX
- #define aes_ccm_cleanup NULL
-
- BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, ccm, CCM,
-- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
-+ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
- BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, ccm, CCM,
-- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
-+ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
- BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, ccm, CCM,
-- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
-+ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
-
- typedef struct {
- union {
-@@ -2289,7 +2307,7 @@ static int aes_wrap_cipher(EVP_CIPHER_CT
- return rv ? (int)rv : -1;
- }
-
--#define WRAP_FLAGS (EVP_CIPH_WRAP_MODE \
-+#define WRAP_FLAGS (EVP_CIPH_WRAP_MODE | EVP_CIPH_FLAG_FIPS \
- | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
- | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1)
-
-diff -up openssl-1.1.0h/crypto/evp/e_des3.c.fips openssl-1.1.0h/crypto/evp/e_des3.c
---- openssl-1.1.0h/crypto/evp/e_des3.c.fips 2018-03-27 15:50:38.000000000 +0200
-+++ openssl-1.1.0h/crypto/evp/e_des3.c 2018-03-29 14:44:24.631236760 +0200
-@@ -211,16 +211,19 @@ BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY,
- # define des_ede3_cbc_cipher des_ede_cbc_cipher
- # define des_ede3_ecb_cipher des_ede_ecb_cipher
- BLOCK_CIPHER_defs(des_ede3, DES_EDE_KEY, NID_des_ede3, 8, 24, 8, 64,
-- EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_DEFAULT_ASN1,
-- des_ede3_init_key, NULL, NULL, NULL, des3_ctrl)
-+ EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_FIPS |
-+ EVP_CIPH_FLAG_DEFAULT_ASN1, des_ede3_init_key, NULL, NULL, NULL,
-+ des3_ctrl)
-
- BLOCK_CIPHER_def_cfb(des_ede3, DES_EDE_KEY, NID_des_ede3, 24, 8, 1,
-- EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_DEFAULT_ASN1,
-- des_ede3_init_key, NULL, NULL, NULL, des3_ctrl)
-+ EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_FIPS |
-+ EVP_CIPH_FLAG_DEFAULT_ASN1, des_ede3_init_key, NULL, NULL,
-+ NULL, des3_ctrl)
-
- BLOCK_CIPHER_def_cfb(des_ede3, DES_EDE_KEY, NID_des_ede3, 24, 8, 8,
-- EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_DEFAULT_ASN1,
-- des_ede3_init_key, NULL, NULL, NULL, des3_ctrl)
-+ EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_FIPS |
-+ EVP_CIPH_FLAG_DEFAULT_ASN1, des_ede3_init_key, NULL, NULL,
-+ NULL, des3_ctrl)
-
- static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
- const unsigned char *iv, int enc)
-diff -up openssl-1.1.0h/crypto/evp/e_null.c.fips openssl-1.1.0h/crypto/evp/e_null.c
---- openssl-1.1.0h/crypto/evp/e_null.c.fips 2018-03-27 15:50:38.000000000 +0200
-+++ openssl-1.1.0h/crypto/evp/e_null.c 2018-03-29 14:44:24.631236760 +0200
-@@ -19,7 +19,8 @@ static int null_cipher(EVP_CIPHER_CTX *c
- const unsigned char *in, size_t inl);
- static const EVP_CIPHER n_cipher = {
- NID_undef,
-- 1, 0, 0, 0,
-+ 1, 0, 0,
-+ EVP_CIPH_FLAG_FIPS,
- null_init_key,
- null_cipher,
- NULL,
-diff -up openssl-1.1.0h/crypto/evp/evp_enc.c.fips openssl-1.1.0h/crypto/evp/evp_enc.c
---- openssl-1.1.0h/crypto/evp/evp_enc.c.fips 2018-03-27 15:50:38.000000000 +0200
-+++ openssl-1.1.0h/crypto/evp/evp_enc.c 2018-03-29 14:44:24.631236760 +0200
-@@ -16,10 +16,19 @@
- #include <openssl/engine.h>
- #include "internal/evp_int.h"
- #include "evp_locl.h"
-+#ifdef OPENSSL_FIPS
-+# include <openssl/fips.h>
-+#endif
-
- int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *c)
- {
-- if (c == NULL)
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_selftest_failed()) {
-+ FIPSerr(FIPS_F_EVP_CIPHER_CTX_RESET, FIPS_R_FIPS_SELFTEST_FAILED);
-+ return 0;
-+ }
-+#endif
-+ if (c == NULL)
- return 1;
- if (c->cipher != NULL) {
- if (c->cipher->cleanup && !c->cipher->cleanup(c))
-@@ -38,6 +47,12 @@ int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX
-
- EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void)
- {
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_selftest_failed()) {
-+ FIPSerr(FIPS_F_EVP_CIPHER_CTX_NEW, FIPS_R_FIPS_SELFTEST_FAILED);
-+ return NULL;
-+ }
-+#endif
- return OPENSSL_zalloc(sizeof(EVP_CIPHER_CTX));
- }
-
-@@ -66,6 +81,12 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct
- enc = 1;
- ctx->encrypt = enc;
- }
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_selftest_failed()) {
-+ FIPSerr(FIPS_F_EVP_CIPHERINIT_EX, FIPS_R_FIPS_SELFTEST_FAILED);
-+ return 0;
-+ }
-+#endif
- #ifndef OPENSSL_NO_ENGINE
- /*
- * Whether it's nice or not, "Inits" can be used on "Final"'d contexts so
-@@ -135,7 +156,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct
- }
- ctx->key_len = cipher->key_len;
- /* Preserve wrap enable flag, zero everything else */
-- ctx->flags &= EVP_CIPHER_CTX_FLAG_WRAP_ALLOW;
-+ ctx->flags &= EVP_CIPHER_CTX_FLAG_WRAP_ALLOW | EVP_CIPH_FLAG_NON_FIPS_ALLOW;
- if (ctx->cipher->flags & EVP_CIPH_CTRL_INIT) {
- if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_INIT, 0, NULL)) {
- ctx->cipher = NULL;
-@@ -194,6 +215,18 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct
- return 0;
- }
- }
-+#ifdef OPENSSL_FIPS
-+ /* After 'key' is set no further parameters changes are permissible.
-+ * So only check for non FIPS enabling at this point.
-+ */
-+ if (key && FIPS_mode()) {
-+ if (!(ctx->cipher->flags & EVP_CIPH_FLAG_FIPS)
-+ & !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)) {
-+ EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_DISABLED_FOR_FIPS);
-+ return 0;
-+ }
-+ }
-+#endif
-
- if (key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) {
- if (!ctx->cipher->init(ctx, key, iv, enc))
-diff -up openssl-1.1.0h/crypto/evp/evp_err.c.fips openssl-1.1.0h/crypto/evp/evp_err.c
---- openssl-1.1.0h/crypto/evp/evp_err.c.fips 2018-03-27 15:50:38.000000000 +0200
-+++ openssl-1.1.0h/crypto/evp/evp_err.c 2018-03-29 14:44:24.631236760 +0200
-@@ -24,6 +24,7 @@ static ERR_STRING_DATA EVP_str_functs[]
- {ERR_FUNC(EVP_F_AES_OCB_CIPHER), "aes_ocb_cipher"},
- {ERR_FUNC(EVP_F_AES_T4_INIT_KEY), "aes_t4_init_key"},
- {ERR_FUNC(EVP_F_AES_WRAP_CIPHER), "aes_wrap_cipher"},
-+ {ERR_FUNC(EVP_F_AES_XTS_CIPHER), "aes_xts_cipher"},
- {ERR_FUNC(EVP_F_ALG_MODULE_INIT), "alg_module_init"},
- {ERR_FUNC(EVP_F_CAMELLIA_INIT_KEY), "camellia_init_key"},
- {ERR_FUNC(EVP_F_CHACHA20_POLY1305_CTRL), "chacha20_poly1305_ctrl"},
-@@ -111,6 +112,7 @@ static ERR_STRING_DATA EVP_str_reasons[]
- {ERR_REASON(EVP_R_DECODE_ERROR), "decode error"},
- {ERR_REASON(EVP_R_DIFFERENT_KEY_TYPES), "different key types"},
- {ERR_REASON(EVP_R_DIFFERENT_PARAMETERS), "different parameters"},
-+ {ERR_REASON(EVP_R_DISABLED_FOR_FIPS), "disabled for FIPS"},
- {ERR_REASON(EVP_R_ERROR_LOADING_SECTION), "error loading section"},
- {ERR_REASON(EVP_R_ERROR_SETTING_FIPS_MODE), "error setting fips mode"},
- {ERR_REASON(EVP_R_EXPECTING_AN_HMAC_KEY), "expecting an hmac key"},
-@@ -150,6 +152,7 @@ static ERR_STRING_DATA EVP_str_reasons[]
- {ERR_REASON(EVP_R_PRIVATE_KEY_DECODE_ERROR), "private key decode error"},
- {ERR_REASON(EVP_R_PRIVATE_KEY_ENCODE_ERROR), "private key encode error"},
- {ERR_REASON(EVP_R_PUBLIC_KEY_NOT_RSA), "public key not rsa"},
-+ {ERR_REASON(EVP_R_TOO_LARGE), "too large"},
- {ERR_REASON(EVP_R_UNKNOWN_CIPHER), "unknown cipher"},
- {ERR_REASON(EVP_R_UNKNOWN_DIGEST), "unknown digest"},
- {ERR_REASON(EVP_R_UNKNOWN_OPTION), "unknown option"},
-diff -up openssl-1.1.0h/crypto/evp/evp_lib.c.fips openssl-1.1.0h/crypto/evp/evp_lib.c
---- openssl-1.1.0h/crypto/evp/evp_lib.c.fips 2018-03-27 15:50:38.000000000 +0200
-+++ openssl-1.1.0h/crypto/evp/evp_lib.c 2018-03-29 14:44:24.631236760 +0200
-@@ -180,6 +180,9 @@ int EVP_CIPHER_impl_ctx_size(const EVP_C
- int EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
- const unsigned char *in, unsigned int inl)
- {
-+#ifdef OPENSSL_FIPS
-+ FIPS_selftest_check();
-+#endif
- return ctx->cipher->do_cipher(ctx, out, in, inl);
- }
-
-diff -up openssl-1.1.0h/crypto/evp/m_sha1.c.fips openssl-1.1.0h/crypto/evp/m_sha1.c
---- openssl-1.1.0h/crypto/evp/m_sha1.c.fips 2018-03-27 15:50:38.000000000 +0200
-+++ openssl-1.1.0h/crypto/evp/m_sha1.c 2018-03-29 15:04:23.512375176 +0200
-@@ -94,7 +94,7 @@ static const EVP_MD sha1_md = {
- NID_sha1,
- NID_sha1WithRSAEncryption,
- SHA_DIGEST_LENGTH,
-- EVP_MD_FLAG_DIGALGID_ABSENT,
-+ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS,
- init,
- update,
- final,
-@@ -144,7 +144,7 @@ static const EVP_MD sha224_md = {
- NID_sha224,
- NID_sha224WithRSAEncryption,
- SHA224_DIGEST_LENGTH,
-- EVP_MD_FLAG_DIGALGID_ABSENT,
-+ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS,
- init224,
- update224,
- final224,
-@@ -163,7 +163,7 @@ static const EVP_MD sha256_md = {
- NID_sha256,
- NID_sha256WithRSAEncryption,
- SHA256_DIGEST_LENGTH,
-- EVP_MD_FLAG_DIGALGID_ABSENT,
-+ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS,
- init256,
- update256,
- final256,
-@@ -213,7 +213,7 @@ static const EVP_MD sha384_md = {
- NID_sha384,
- NID_sha384WithRSAEncryption,
- SHA384_DIGEST_LENGTH,
-- EVP_MD_FLAG_DIGALGID_ABSENT,
-+ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS,
- init384,
- update384,
- final384,
-@@ -232,7 +232,7 @@ static const EVP_MD sha512_md = {
- NID_sha512,
- NID_sha512WithRSAEncryption,
- SHA512_DIGEST_LENGTH,
-- EVP_MD_FLAG_DIGALGID_ABSENT,
-+ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS,
- init512,
- update512,
- final512,
-diff -up openssl-1.1.0h/crypto/fips/build.info.fips openssl-1.1.0h/crypto/fips/build.info
---- openssl-1.1.0h/crypto/fips/build.info.fips 2018-03-29 14:44:24.632236783 +0200
-+++ openssl-1.1.0h/crypto/fips/build.info 2018-03-29 14:44:24.632236783 +0200
-@@ -0,0 +1,15 @@
-+LIBS=../../libcrypto
-+SOURCE[../../libcrypto]=\
-+ fips_aes_selftest.c fips_des_selftest.c fips_hmac_selftest.c \
-+ fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c \
-+ fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \
-+ fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \
-+ fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c \
-+ fips_enc.c fips_md.c fips_dh_selftest.c fips_ers.c
-+
-+PROGRAMS_NO_INST=\
-+ fips_standalone_hmac
-+
-+SOURCE[fips_standalone_hmac]=fips_standalone_hmac.c
-+INCLUDE[fips_standalone_hmac]=../../include
-+DEPEND[fips_standalone_hmac]=../../libcrypto
-diff -up openssl-1.1.0h/crypto/fips/fips_aes_selftest.c.fips openssl-1.1.0h/crypto/fips/fips_aes_selftest.c
---- openssl-1.1.0h/crypto/fips/fips_aes_selftest.c.fips 2018-03-29 14:44:24.632236783 +0200
-+++ openssl-1.1.0h/crypto/fips/fips_aes_selftest.c 2018-03-29 14:44:24.632236783 +0200
-@@ -0,0 +1,372 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <string.h>
-+#include <openssl/err.h>
-+#ifdef OPENSSL_FIPS
-+# include <openssl/fips.h>
-+# include "internal/fips_int.h"
-+#endif
-+
-+#ifdef OPENSSL_FIPS
-+static const struct {
-+ const unsigned char key[16];
-+ const unsigned char plaintext[16];
-+ const unsigned char ciphertext[16];
-+} tests[] = {
-+ {
-+ {
-+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
-+ 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F}, {
-+ 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
-+ 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF}, {
-+0x69, 0xC4, 0xE0, 0xD8, 0x6A, 0x7B, 0x04, 0x30,
-+ 0xD8, 0xCD, 0xB7, 0x80, 0x70, 0xB4, 0xC5, 0x5A},},};
-+
-+int FIPS_selftest_aes()
-+{
-+ int n;
-+ int ret = 0;
-+ EVP_CIPHER_CTX *ctx;
-+
-+ ctx = EVP_CIPHER_CTX_new();
-+ if (ctx == NULL)
-+ goto err;
-+
-+ for (n = 0; n < 1; ++n) {
-+ unsigned char key[16];
-+
-+ memcpy(key, tests[n].key, sizeof(key));
-+ if (fips_cipher_test(ctx, EVP_aes_128_ecb(),
-+ key, NULL,
-+ tests[n].plaintext,
-+ tests[n].ciphertext, 16) <= 0)
-+ goto err;
-+ }
-+ ret = 1;
-+ err:
-+ EVP_CIPHER_CTX_free(ctx);
-+ if (ret == 0)
-+ FIPSerr(FIPS_F_FIPS_SELFTEST_AES, FIPS_R_SELFTEST_FAILED);
-+ return ret;
-+}
-+
-+/* AES-CCM test data from NIST public test vectors */
-+
-+static const unsigned char ccm_key[] = {
-+ 0xce, 0xb0, 0x09, 0xae, 0xa4, 0x45, 0x44, 0x51, 0xfe, 0xad, 0xf0, 0xe6,
-+ 0xb3, 0x6f, 0x45, 0x55, 0x5d, 0xd0, 0x47, 0x23, 0xba, 0xa4, 0x48, 0xe8
-+};
-+
-+static const unsigned char ccm_nonce[] = {
-+ 0x76, 0x40, 0x43, 0xc4, 0x94, 0x60, 0xb7
-+};
-+
-+static const unsigned char ccm_adata[] = {
-+ 0x6e, 0x80, 0xdd, 0x7f, 0x1b, 0xad, 0xf3, 0xa1, 0xc9, 0xab, 0x25, 0xc7,
-+ 0x5f, 0x10, 0xbd, 0xe7, 0x8c, 0x23, 0xfa, 0x0e, 0xb8, 0xf9, 0xaa, 0xa5,
-+ 0x3a, 0xde, 0xfb, 0xf4, 0xcb, 0xf7, 0x8f, 0xe4
-+};
-+
-+static const unsigned char ccm_pt[] = {
-+ 0xc8, 0xd2, 0x75, 0xf9, 0x19, 0xe1, 0x7d, 0x7f, 0xe6, 0x9c, 0x2a, 0x1f,
-+ 0x58, 0x93, 0x9d, 0xfe, 0x4d, 0x40, 0x37, 0x91, 0xb5, 0xdf, 0x13, 0x10
-+};
-+
-+static const unsigned char ccm_ct[] = {
-+ 0x8a, 0x0f, 0x3d, 0x82, 0x29, 0xe4, 0x8e, 0x74, 0x87, 0xfd, 0x95, 0xa2,
-+ 0x8a, 0xd3, 0x92, 0xc8, 0x0b, 0x36, 0x81, 0xd4, 0xfb, 0xc7, 0xbb, 0xfd
-+};
-+
-+static const unsigned char ccm_tag[] = {
-+ 0x2d, 0xd6, 0xef, 0x1c, 0x45, 0xd4, 0xcc, 0xb7, 0x23, 0xdc, 0x07, 0x44,
-+ 0x14, 0xdb, 0x50, 0x6d
-+};
-+
-+int FIPS_selftest_aes_ccm(void)
-+{
-+ int ret = 0;
-+ unsigned char out[128], tag[16];
-+ EVP_CIPHER_CTX *ctx;
-+
-+ ctx = EVP_CIPHER_CTX_new();
-+ if (ctx == NULL)
-+ goto err;
-+
-+ memset(out, 0, sizeof(out));
-+ if (!EVP_CipherInit_ex(ctx, EVP_aes_192_ccm(), NULL, NULL, NULL, 1))
-+ goto err;
-+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_IVLEN,
-+ sizeof(ccm_nonce), NULL))
-+ goto err;
-+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG,
-+ sizeof(ccm_tag), NULL))
-+ goto err;
-+ if (!EVP_CipherInit_ex(ctx, NULL, NULL, ccm_key, ccm_nonce, 1))
-+ goto err;
-+ if (EVP_Cipher(ctx, NULL, NULL, sizeof(ccm_pt)) != sizeof(ccm_pt))
-+ goto err;
-+ if (EVP_Cipher(ctx, NULL, ccm_adata, sizeof(ccm_adata)) < 0)
-+ goto err;
-+ if (EVP_Cipher(ctx, out, ccm_pt, sizeof(ccm_pt)) != sizeof(ccm_ct))
-+ goto err;
-+
-+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_GET_TAG, 16, tag))
-+ goto err;
-+ if (memcmp(tag, ccm_tag, sizeof(ccm_tag))
-+ || memcmp(out, ccm_ct, sizeof(ccm_ct)))
-+ goto err;
-+
-+ memset(out, 0, sizeof(out));
-+
-+ if (!EVP_CipherInit_ex(ctx, EVP_aes_192_ccm(), NULL, NULL, NULL, 0))
-+ goto err;
-+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_IVLEN,
-+ sizeof(ccm_nonce), NULL))
-+ goto err;
-+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG, 16, tag))
-+ goto err;
-+ if (!EVP_CipherInit_ex(ctx, NULL, NULL, ccm_key, ccm_nonce, 0))
-+ goto err;
-+ if (EVP_Cipher(ctx, NULL, NULL, sizeof(ccm_ct)) != sizeof(ccm_ct))
-+ goto err;
-+ if (EVP_Cipher(ctx, NULL, ccm_adata, sizeof(ccm_adata)) < 0)
-+ goto err;
-+ if (EVP_Cipher(ctx, out, ccm_ct, sizeof(ccm_ct)) != sizeof(ccm_pt))
-+ goto err;
-+
-+ if (memcmp(out, ccm_pt, sizeof(ccm_pt)))
-+ goto err;
-+
-+ ret = 1;
-+
-+ err:
-+ EVP_CIPHER_CTX_free(ctx);
-+
-+ if (ret == 0) {
-+ FIPSerr(FIPS_F_FIPS_SELFTEST_AES_CCM, FIPS_R_SELFTEST_FAILED);
-+ return 0;
-+ } else
-+ return ret;
-+
-+}
-+
-+/* AES-GCM test data from NIST public test vectors */
-+
-+static const unsigned char gcm_key[] = {
-+ 0xee, 0xbc, 0x1f, 0x57, 0x48, 0x7f, 0x51, 0x92, 0x1c, 0x04, 0x65, 0x66,
-+ 0x5f, 0x8a, 0xe6, 0xd1, 0x65, 0x8b, 0xb2, 0x6d, 0xe6, 0xf8, 0xa0, 0x69,
-+ 0xa3, 0x52, 0x02, 0x93, 0xa5, 0x72, 0x07, 0x8f
-+};
-+
-+static const unsigned char gcm_iv[] = {
-+ 0x99, 0xaa, 0x3e, 0x68, 0xed, 0x81, 0x73, 0xa0, 0xee, 0xd0, 0x66, 0x84
-+};
-+
-+static const unsigned char gcm_pt[] = {
-+ 0xf5, 0x6e, 0x87, 0x05, 0x5b, 0xc3, 0x2d, 0x0e, 0xeb, 0x31, 0xb2, 0xea,
-+ 0xcc, 0x2b, 0xf2, 0xa5
-+};
-+
-+static const unsigned char gcm_aad[] = {
-+ 0x4d, 0x23, 0xc3, 0xce, 0xc3, 0x34, 0xb4, 0x9b, 0xdb, 0x37, 0x0c, 0x43,
-+ 0x7f, 0xec, 0x78, 0xde
-+};
-+
-+static const unsigned char gcm_ct[] = {
-+ 0xf7, 0x26, 0x44, 0x13, 0xa8, 0x4c, 0x0e, 0x7c, 0xd5, 0x36, 0x86, 0x7e,
-+ 0xb9, 0xf2, 0x17, 0x36
-+};
-+
-+static const unsigned char gcm_tag[] = {
-+ 0x67, 0xba, 0x05, 0x10, 0x26, 0x2a, 0xe4, 0x87, 0xd7, 0x37, 0xee, 0x62,
-+ 0x98, 0xf7, 0x7e, 0x0c
-+};
-+
-+int FIPS_selftest_aes_gcm(void)
-+{
-+ int ret = 0;
-+ unsigned char out[128], tag[16];
-+ EVP_CIPHER_CTX *ctx;
-+
-+ ctx = EVP_CIPHER_CTX_new();
-+ if (ctx == NULL)
-+ goto err;
-+
-+ memset(out, 0, sizeof(out));
-+ memset(tag, 0, sizeof(tag));
-+ if (!EVP_CipherInit_ex(ctx, EVP_aes_256_gcm(), NULL, NULL, NULL, 1))
-+ goto err;
-+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN,
-+ sizeof(gcm_iv), NULL))
-+ goto err;
-+ if (!EVP_CipherInit_ex(ctx, NULL, NULL, gcm_key, gcm_iv, 1))
-+ goto err;
-+ if (EVP_Cipher(ctx, NULL, gcm_aad, sizeof(gcm_aad)) < 0)
-+ goto err;
-+ if (EVP_Cipher(ctx, out, gcm_pt, sizeof(gcm_pt)) != sizeof(gcm_ct))
-+ goto err;
-+ if (EVP_Cipher(ctx, NULL, NULL, 0) < 0)
-+ goto err;
-+
-+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, 16, tag))
-+ goto err;
-+
-+ if (memcmp(tag, gcm_tag, 16) || memcmp(out, gcm_ct, 16))
-+ goto err;
-+
-+ memset(out, 0, sizeof(out));
-+
-+ if (!EVP_CipherInit_ex(ctx, EVP_aes_256_gcm(), NULL, NULL, NULL, 0))
-+ goto err;
-+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN,
-+ sizeof(gcm_iv), NULL))
-+ goto err;
-+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, 16, tag))
-+ goto err;
-+ if (!EVP_CipherInit_ex(ctx, NULL, NULL, gcm_key, gcm_iv, 0))
-+ goto err;
-+ if (EVP_Cipher(ctx, NULL, gcm_aad, sizeof(gcm_aad)) < 0)
-+ goto err;
-+ if (EVP_Cipher(ctx, out, gcm_ct, sizeof(gcm_ct)) != sizeof(gcm_pt))
-+ goto err;
-+ if (EVP_Cipher(ctx, NULL, NULL, 0) < 0)
-+ goto err;
-+
-+ if (memcmp(out, gcm_pt, 16))
-+ goto err;
-+
-+ ret = 1;
-+
-+ err:
-+ EVP_CIPHER_CTX_free(ctx);
-+
-+ if (ret == 0) {
-+ FIPSerr(FIPS_F_FIPS_SELFTEST_AES_GCM, FIPS_R_SELFTEST_FAILED);
-+ return 0;
-+ } else
-+ return ret;
-+
-+}
-+
-+static const unsigned char XTS_128_key[] = {
-+ 0xa1, 0xb9, 0x0c, 0xba, 0x3f, 0x06, 0xac, 0x35, 0x3b, 0x2c, 0x34, 0x38,
-+ 0x76, 0x08, 0x17, 0x62, 0x09, 0x09, 0x23, 0x02, 0x6e, 0x91, 0x77, 0x18,
-+ 0x15, 0xf2, 0x9d, 0xab, 0x01, 0x93, 0x2f, 0x2f
-+};
-+
-+static const unsigned char XTS_128_i[] = {
-+ 0x4f, 0xae, 0xf7, 0x11, 0x7c, 0xda, 0x59, 0xc6, 0x6e, 0x4b, 0x92, 0x01,
-+ 0x3e, 0x76, 0x8a, 0xd5
-+};
-+
-+static const unsigned char XTS_128_pt[] = {
-+ 0xeb, 0xab, 0xce, 0x95, 0xb1, 0x4d, 0x3c, 0x8d, 0x6f, 0xb3, 0x50, 0x39,
-+ 0x07, 0x90, 0x31, 0x1c
-+};
-+
-+static const unsigned char XTS_128_ct[] = {
-+ 0x77, 0x8a, 0xe8, 0xb4, 0x3c, 0xb9, 0x8d, 0x5a, 0x82, 0x50, 0x81, 0xd5,
-+ 0xbe, 0x47, 0x1c, 0x63
-+};
-+
-+static const unsigned char XTS_256_key[] = {
-+ 0x1e, 0xa6, 0x61, 0xc5, 0x8d, 0x94, 0x3a, 0x0e, 0x48, 0x01, 0xe4, 0x2f,
-+ 0x4b, 0x09, 0x47, 0x14, 0x9e, 0x7f, 0x9f, 0x8e, 0x3e, 0x68, 0xd0, 0xc7,
-+ 0x50, 0x52, 0x10, 0xbd, 0x31, 0x1a, 0x0e, 0x7c, 0xd6, 0xe1, 0x3f, 0xfd,
-+ 0xf2, 0x41, 0x8d, 0x8d, 0x19, 0x11, 0xc0, 0x04, 0xcd, 0xa5, 0x8d, 0xa3,
-+ 0xd6, 0x19, 0xb7, 0xe2, 0xb9, 0x14, 0x1e, 0x58, 0x31, 0x8e, 0xea, 0x39,
-+ 0x2c, 0xf4, 0x1b, 0x08
-+};
-+
-+static const unsigned char XTS_256_i[] = {
-+ 0xad, 0xf8, 0xd9, 0x26, 0x27, 0x46, 0x4a, 0xd2, 0xf0, 0x42, 0x8e, 0x84,
-+ 0xa9, 0xf8, 0x75, 0x64
-+};
-+
-+static const unsigned char XTS_256_pt[] = {
-+ 0x2e, 0xed, 0xea, 0x52, 0xcd, 0x82, 0x15, 0xe1, 0xac, 0xc6, 0x47, 0xe8,
-+ 0x10, 0xbb, 0xc3, 0x64, 0x2e, 0x87, 0x28, 0x7f, 0x8d, 0x2e, 0x57, 0xe3,
-+ 0x6c, 0x0a, 0x24, 0xfb, 0xc1, 0x2a, 0x20, 0x2e
-+};
-+
-+static const unsigned char XTS_256_ct[] = {
-+ 0xcb, 0xaa, 0xd0, 0xe2, 0xf6, 0xce, 0xa3, 0xf5, 0x0b, 0x37, 0xf9, 0x34,
-+ 0xd4, 0x6a, 0x9b, 0x13, 0x0b, 0x9d, 0x54, 0xf0, 0x7e, 0x34, 0xf3, 0x6a,
-+ 0xf7, 0x93, 0xe8, 0x6f, 0x73, 0xc6, 0xd7, 0xdb
-+};
-+
-+int FIPS_selftest_aes_xts()
-+{
-+ int ret = 1;
-+ EVP_CIPHER_CTX *ctx;
-+
-+ ctx = EVP_CIPHER_CTX_new();
-+ if (ctx == NULL)
-+ goto err;
-+
-+ if (fips_cipher_test(ctx, EVP_aes_128_xts(),
-+ XTS_128_key, XTS_128_i, XTS_128_pt, XTS_128_ct,
-+ sizeof(XTS_128_pt)) <= 0)
-+ ret = 0;
-+
-+ if (fips_cipher_test(ctx, EVP_aes_256_xts(),
-+ XTS_256_key, XTS_256_i, XTS_256_pt, XTS_256_ct,
-+ sizeof(XTS_256_pt)) <= 0)
-+ ret = 0;
-+
-+ EVP_CIPHER_CTX_free(ctx);
-+
-+ err:
-+ if (ret == 0)
-+ FIPSerr(FIPS_F_FIPS_SELFTEST_AES_XTS, FIPS_R_SELFTEST_FAILED);
-+ return ret;
-+}
-+
-+#endif
-diff -up openssl-1.1.0h/crypto/fips/fips.c.fips openssl-1.1.0h/crypto/fips/fips.c
---- openssl-1.1.0h/crypto/fips/fips.c.fips 2018-03-29 14:44:24.632236783 +0200
-+++ openssl-1.1.0h/crypto/fips/fips.c 2018-03-29 14:44:24.632236783 +0200
-@@ -0,0 +1,526 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#define _GNU_SOURCE
-+
-+#include <openssl/rand.h>
-+#include <openssl/fips_rand.h>
-+#include <openssl/err.h>
-+#include <openssl/bio.h>
-+#include <openssl/hmac.h>
-+#include <openssl/rsa.h>
-+#include <string.h>
-+#include <limits.h>
-+#include <dlfcn.h>
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <unistd.h>
-+#include <errno.h>
-+#include "fips_locl.h"
-+
-+#ifdef OPENSSL_FIPS
-+
-+# include <openssl/fips.h>
-+# include "internal/thread_once.h"
-+
-+# ifndef PATH_MAX
-+# define PATH_MAX 1024
-+# endif
-+
-+static int fips_selftest_fail = 0;
-+static int fips_mode = 0;
-+static int fips_started = 0;
-+
-+static int fips_is_owning_thread(void);
-+static int fips_set_owning_thread(void);
-+static int fips_clear_owning_thread(void);
-+
-+static CRYPTO_RWLOCK *fips_lock = NULL;
-+static CRYPTO_RWLOCK *fips_owning_lock = NULL;
-+static CRYPTO_ONCE fips_lock_init = CRYPTO_ONCE_STATIC_INIT;
-+
-+DEFINE_RUN_ONCE_STATIC(do_fips_lock_init)
-+{
-+ fips_lock = CRYPTO_THREAD_lock_new();
-+ fips_owning_lock = CRYPTO_THREAD_lock_new();
-+ return fips_lock != NULL && fips_owning_lock != NULL;
-+}
-+
-+# define fips_w_lock() CRYPTO_THREAD_write_lock(fips_lock)
-+# define fips_w_unlock() CRYPTO_THREAD_unlock(fips_lock)
-+# define fips_r_lock() CRYPTO_THREAD_read_lock(fips_lock)
-+# define fips_r_unlock() CRYPTO_THREAD_unlock(fips_lock)
-+
-+static void fips_set_mode(int onoff)
-+{
-+ int owning_thread = fips_is_owning_thread();
-+
-+ if (fips_started) {
-+ if (!owning_thread)
-+ fips_w_lock();
-+ fips_mode = onoff;
-+ if (!owning_thread)
-+ fips_w_unlock();
-+ }
-+}
-+
-+int FIPS_module_mode(void)
-+{
-+ int ret = 0;
-+ int owning_thread = fips_is_owning_thread();
-+
-+ if (fips_started) {
-+ if (!owning_thread)
-+ fips_r_lock();
-+ ret = fips_mode;
-+ if (!owning_thread)
-+ fips_r_unlock();
-+ }
-+ return ret;
-+}
-+
-+/* just a compat symbol - return NULL */
-+int FIPS_selftest_failed(void)
-+{
-+ int ret = 0;
-+ if (fips_started) {
-+ int owning_thread = fips_is_owning_thread();
-+
-+ if (!owning_thread)
-+ fips_r_lock();
-+ ret = fips_selftest_fail;
-+ if (!owning_thread)
-+ fips_r_unlock();
-+ }
-+ return ret;
-+}
-+
-+/* Selftest failure fatal exit routine. This will be called
-+ * during *any* cryptographic operation. It has the minimum
-+ * overhead possible to avoid too big a performance hit.
-+ */
-+
-+void FIPS_selftest_check(void)
-+{
-+ if (fips_selftest_fail) {
-+ OpenSSLDie(__FILE__, __LINE__, "FATAL FIPS SELFTEST FAILURE");
-+ }
-+}
-+
-+void fips_set_selftest_fail(void)
-+{
-+ fips_selftest_fail = 1;
-+}
-+
-+/* we implement what libfipscheck does ourselves */
-+
-+static int
-+get_library_path(const char *libname, const char *symbolname, char *path,
-+ size_t pathlen)
-+{
-+ Dl_info info;
-+ void *dl, *sym;
-+ int rv = -1;
-+
-+ dl = dlopen(libname, RTLD_LAZY);
-+ if (dl == NULL) {
-+ return -1;
-+ }
-+
-+ sym = dlsym(dl, symbolname);
-+
-+ if (sym != NULL && dladdr(sym, &info)) {
-+ strncpy(path, info.dli_fname, pathlen - 1);
-+ path[pathlen - 1] = '\0';
-+ rv = 0;
-+ }
-+
-+ dlclose(dl);
-+
-+ return rv;
-+}
-+
-+static const char conv[] = "0123456789abcdef";
-+
-+static char *bin2hex(void *buf, size_t len)
-+{
-+ char *hex, *p;
-+ unsigned char *src = buf;
-+
-+ hex = malloc(len * 2 + 1);
-+ if (hex == NULL)
-+ return NULL;
-+
-+ p = hex;
-+
-+ while (len > 0) {
-+ unsigned c;
-+
-+ c = *src;
-+ src++;
-+
-+ *p = conv[c >> 4];
-+ ++p;
-+ *p = conv[c & 0x0f];
-+ ++p;
-+ --len;
-+ }
-+ *p = '\0';
-+ return hex;
-+}
-+
-+# define HMAC_PREFIX "."
-+# ifndef HMAC_SUFFIX
-+# define HMAC_SUFFIX ".hmac"
-+# endif
-+# define READ_BUFFER_LENGTH 16384
-+
-+static char *make_hmac_path(const char *origpath)
-+{
-+ char *path, *p;
-+ const char *fn;
-+
-+ path =
-+ malloc(sizeof(HMAC_PREFIX) + sizeof(HMAC_SUFFIX) + strlen(origpath));
-+ if (path == NULL) {
-+ return NULL;
-+ }
-+
-+ fn = strrchr(origpath, '/');
-+ if (fn == NULL) {
-+ fn = origpath;
-+ } else {
-+ ++fn;
-+ }
-+
-+ strncpy(path, origpath, fn - origpath);
-+ p = path + (fn - origpath);
-+ p = stpcpy(p, HMAC_PREFIX);
-+ p = stpcpy(p, fn);
-+ p = stpcpy(p, HMAC_SUFFIX);
-+
-+ return path;
-+}
-+
-+static const char hmackey[] = "orboDeJITITejsirpADONivirpUkvarP";
-+
-+static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
-+{
-+ FILE *f = NULL;
-+ int rv = -1;
-+ unsigned char rbuf[READ_BUFFER_LENGTH];
-+ size_t len;
-+ unsigned int hlen;
-+ HMAC_CTX *c;
-+
-+ c = HMAC_CTX_new();
-+ if (c == NULL)
-+ return rv;
-+
-+ f = fopen(path, "r");
-+
-+ if (f == NULL) {
-+ goto end;
-+ }
-+
-+ if (HMAC_Init_ex(c, hmackey, sizeof(hmackey) - 1, EVP_sha256(), NULL) <= 0) {
-+ goto end;
-+ }
-+
-+ while ((len = fread(rbuf, 1, sizeof(rbuf), f)) != 0) {
-+ if (HMAC_Update(c, rbuf, len) <= 0) {
-+ goto end;
-+ }
-+ }
-+
-+ len = sizeof(rbuf);
-+ /* reuse rbuf for hmac */
-+ if (HMAC_Final(c, rbuf, &hlen) <= 0) {
-+ goto end;
-+ }
-+
-+ *buf = malloc(hlen);
-+ if (*buf == NULL) {
-+ goto end;
-+ }
-+
-+ *hmaclen = hlen;
-+
-+ memcpy(*buf, rbuf, hlen);
-+
-+ rv = 0;
-+ end:
-+ HMAC_CTX_free(c);
-+
-+ if (f)
-+ fclose(f);
-+
-+ return rv;
-+}
-+
-+static int FIPSCHECK_verify(const char *path)
-+{
-+ int rv = 0;
-+ FILE *hf;
-+ char *hmacpath, *p;
-+ char *hmac = NULL;
-+ size_t n;
-+
-+ hmacpath = make_hmac_path(path);
-+ if (hmacpath == NULL)
-+ return 0;
-+
-+ hf = fopen(hmacpath, "r");
-+ if (hf == NULL) {
-+ free(hmacpath);
-+ return 0;
-+ }
-+
-+ if (getline(&hmac, &n, hf) > 0) {
-+ void *buf;
-+ size_t hmaclen;
-+ char *hex;
-+
-+ if ((p = strchr(hmac, '\n')) != NULL)
-+ *p = '\0';
-+
-+ if (compute_file_hmac(path, &buf, &hmaclen) < 0) {
-+ rv = -4;
-+ goto end;
-+ }
-+
-+ if ((hex = bin2hex(buf, hmaclen)) == NULL) {
-+ free(buf);
-+ rv = -5;
-+ goto end;
-+ }
-+
-+ if (strcmp(hex, hmac) != 0) {
-+ rv = -1;
-+ }
-+ free(buf);
-+ free(hex);
-+ } else {
-+ rv = -1;
-+ }
-+
-+ end:
-+ free(hmac);
-+ free(hmacpath);
-+ fclose(hf);
-+
-+ if (rv < 0)
-+ return 0;
-+
-+ /* check successful */
-+ return 1;
-+}
-+
-+static int verify_checksums(void)
-+{
-+ int rv;
-+ char path[PATH_MAX + 1];
-+ char *p;
-+
-+ /* we need to avoid dlopening libssl, assume both libcrypto and libssl
-+ are in the same directory */
-+
-+ rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER,
-+ "FIPS_mode_set", path, sizeof(path));
-+ if (rv < 0)
-+ return 0;
-+
-+ rv = FIPSCHECK_verify(path);
-+ if (!rv)
-+ return 0;
-+
-+ /* replace libcrypto with libssl */
-+ while ((p = strstr(path, "libcrypto.so")) != NULL) {
-+ p = stpcpy(p, "libssl");
-+ memmove(p, p + 3, strlen(p + 2));
-+ }
-+
-+ rv = FIPSCHECK_verify(path);
-+ if (!rv)
-+ return 0;
-+ return 1;
-+}
-+
-+# ifndef FIPS_MODULE_PATH
-+# define FIPS_MODULE_PATH "/etc/system-fips"
-+# endif
-+
-+int FIPS_module_installed(void)
-+{
-+ int rv;
-+ rv = access(FIPS_MODULE_PATH, F_OK);
-+ if (rv < 0 && errno != ENOENT)
-+ rv = 0;
-+
-+ /* Installed == true */
-+ return !rv;
-+}
-+
-+int FIPS_module_mode_set(int onoff)
-+{
-+ int ret = 0;
-+
-+ if (!RUN_ONCE(&fips_lock_init, do_fips_lock_init))
-+ return NULL;
-+
-+ fips_w_lock();
-+ fips_started = 1;
-+ fips_set_owning_thread();
-+
-+ if (onoff) {
-+
-+ fips_selftest_fail = 0;
-+
-+ /* Don't go into FIPS mode twice, just so we can do automagic
-+ seeding */
-+ if (FIPS_module_mode()) {
-+ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
-+ FIPS_R_FIPS_MODE_ALREADY_SET);
-+ fips_selftest_fail = 1;
-+ ret = 0;
-+ goto end;
-+ }
-+# ifdef OPENSSL_IA32_SSE2
-+ {
-+ extern unsigned int OPENSSL_ia32cap_P[2];
-+ if ((OPENSSL_ia32cap_P[0] & (1 << 25 | 1 << 26)) !=
-+ (1 << 25 | 1 << 26)) {
-+ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
-+ FIPS_R_UNSUPPORTED_PLATFORM);
-+ fips_selftest_fail = 1;
-+ ret = 0;
-+ goto end;
-+ }
-+ }
-+# endif
-+
-+ if (!FIPS_selftest()) {
-+ fips_selftest_fail = 1;
-+ ret = 0;
-+ goto end;
-+ }
-+
-+ if (!verify_checksums()) {
-+ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
-+ FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
-+ fips_selftest_fail = 1;
-+ ret = 0;
-+ goto end;
-+ }
-+
-+ fips_set_mode(onoff);
-+ ret = 1;
-+ goto end;
-+ }
-+ fips_set_mode(0);
-+ fips_selftest_fail = 0;
-+ ret = 1;
-+ end:
-+ fips_clear_owning_thread();
-+ fips_w_unlock();
-+ return ret;
-+}
-+
-+static CRYPTO_THREAD_ID fips_threadid;
-+static int fips_thread_set = 0;
-+
-+static int fips_is_owning_thread(void)
-+{
-+ int ret = 0;
-+
-+ if (fips_started) {
-+ CRYPTO_THREAD_read_lock(fips_owning_lock);
-+ if (fips_thread_set) {
-+ CRYPTO_THREAD_ID cur = CRYPTO_THREAD_get_current_id();
-+ if (CRYPTO_THREAD_compare_id(fips_threadid, cur))
-+ ret = 1;
-+ }
-+ CRYPTO_THREAD_unlock(fips_owning_lock);
-+ }
-+ return ret;
-+}
-+
-+int fips_set_owning_thread(void)
-+{
-+ int ret = 0;
-+
-+ if (fips_started) {
-+ CRYPTO_THREAD_write_lock(fips_owning_lock);
-+ if (!fips_thread_set) {
-+ fips_threadid = CRYPTO_THREAD_get_current_id();
-+ ret = 1;
-+ fips_thread_set = 1;
-+ }
-+ CRYPTO_THREAD_unlock(fips_owning_lock);
-+ }
-+ return ret;
-+}
-+
-+int fips_clear_owning_thread(void)
-+{
-+ int ret = 0;
-+
-+ if (fips_started) {
-+ CRYPTO_THREAD_write_lock(fips_owning_lock);
-+ if (fips_thread_set) {
-+ CRYPTO_THREAD_ID cur = CRYPTO_THREAD_get_current_id();
-+ if (CRYPTO_THREAD_compare_id(fips_threadid, cur))
-+ fips_thread_set = 0;
-+ }
-+ CRYPTO_THREAD_unlock(fips_owning_lock);
-+ }
-+ return ret;
-+}
-+
-+#endif
-diff -up openssl-1.1.0h/crypto/fips/fips_cmac_selftest.c.fips openssl-1.1.0h/crypto/fips/fips_cmac_selftest.c
---- openssl-1.1.0h/crypto/fips/fips_cmac_selftest.c.fips 2018-03-29 14:44:24.632236783 +0200
-+++ openssl-1.1.0h/crypto/fips/fips_cmac_selftest.c 2018-03-29 14:44:24.632236783 +0200
-@@ -0,0 +1,156 @@
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <string.h>
-+#include <openssl/err.h>
-+#include <openssl/fips.h>
-+#include "internal/fips_int.h"
-+#include <openssl/cmac.h>
-+#include "fips_locl.h"
-+
-+#ifdef OPENSSL_FIPS
-+typedef struct {
-+ int nid;
-+ const unsigned char key[EVP_MAX_KEY_LENGTH];
-+ size_t keysize;
-+ const unsigned char msg[64];
-+ size_t msgsize;
-+ const unsigned char mac[32];
-+ size_t macsize;
-+} CMAC_KAT;
-+
-+/* from http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf */
-+static const CMAC_KAT vector[] = {
-+ {NID_aes_128_cbc, /* Count = 32 from CMACGenAES128.txt */
-+ {0x77, 0xa7, 0x7f, 0xaf, 0x29, 0x0c, 0x1f, 0xa3,
-+ 0x0c, 0x68, 0x3d, 0xf1, 0x6b, 0xa7, 0xa7, 0x7b,}, 128,
-+ {0x02, 0x06, 0x83, 0xe1, 0xf0, 0x39, 0x2f, 0x4c,
-+ 0xac, 0x54, 0x31, 0x8b, 0x60, 0x29, 0x25, 0x9e,
-+ 0x9c, 0x55, 0x3d, 0xbc, 0x4b, 0x6a, 0xd9, 0x98,
-+ 0xe6, 0x4d, 0x58, 0xe4, 0xe7, 0xdc, 0x2e, 0x13,}, 256,
-+ {0xfb, 0xfe, 0xa4, 0x1b,}, 32},
-+ {NID_aes_192_cbc, /* Count = 23 from CMACGenAES192.txt */
-+ {0x7b, 0x32, 0x39, 0x13, 0x69, 0xaa, 0x4c, 0xa9,
-+ 0x75, 0x58, 0x09, 0x5b, 0xe3, 0xc3, 0xec, 0x86,
-+ 0x2b, 0xd0, 0x57, 0xce, 0xf1, 0xe3, 0x2d, 0x62,}, 192,
-+ {0x0}, 0,
-+ {0xe4, 0xd9, 0x34, 0x0b, 0x03, 0xe6, 0x7d, 0xef,
-+ 0xd4, 0x96, 0x9c, 0xc1, 0xed, 0x37, 0x35, 0xe6,}, 128,
-+ },
-+ {NID_aes_256_cbc, /* Count = 33 from CMACGenAES256.txt */
-+ {0x0b, 0x12, 0x2a, 0xc8, 0xf3, 0x4e, 0xd1, 0xfe,
-+ 0x08, 0x2a, 0x36, 0x25, 0xd1, 0x57, 0x56, 0x14,
-+ 0x54, 0x16, 0x7a, 0xc1, 0x45, 0xa1, 0x0b, 0xbf,
-+ 0x77, 0xc6, 0xa7, 0x05, 0x96, 0xd5, 0x74, 0xf1,}, 256,
-+ {0x49, 0x8b, 0x53, 0xfd, 0xec, 0x87, 0xed, 0xcb,
-+ 0xf0, 0x70, 0x97, 0xdc, 0xcd, 0xe9, 0x3a, 0x08,
-+ 0x4b, 0xad, 0x75, 0x01, 0xa2, 0x24, 0xe3, 0x88,
-+ 0xdf, 0x34, 0x9c, 0xe1, 0x89, 0x59, 0xfe, 0x84,
-+ 0x85, 0xf8, 0xad, 0x15, 0x37, 0xf0, 0xd8, 0x96,
-+ 0xea, 0x73, 0xbe, 0xdc, 0x72, 0x14, 0x71, 0x3f,}, 384,
-+ {0xf6, 0x2c, 0x46, 0x32, 0x9b,}, 40,
-+ },
-+ {NID_des_ede3_cbc, /* Count = 41 from CMACGenTDES3.req */
-+ {0x89, 0xbc, 0xd9, 0x52, 0xa8, 0xc8, 0xab, 0x37,
-+ 0x1a, 0xf4, 0x8a, 0xc7, 0xd0, 0x70, 0x85, 0xd5,
-+ 0xef, 0xf7, 0x02, 0xe6, 0xd6, 0x2c, 0xdc, 0x23,}, 192,
-+ {0xfa, 0x62, 0x0c, 0x1b, 0xbe, 0x97, 0x31, 0x9e,
-+ 0x9a, 0x0c, 0xf0, 0x49, 0x21, 0x21, 0xf7, 0xa2,
-+ 0x0e, 0xb0, 0x8a, 0x6a, 0x70, 0x9d, 0xcb, 0xd0,
-+ 0x0a, 0xaf, 0x38, 0xe4, 0xf9, 0x9e, 0x75, 0x4e,}, 256,
-+ {0x8f, 0x49, 0xa1, 0xb7, 0xd6, 0xaa, 0x22, 0x58,}, 64,
-+ },
-+};
-+
-+int FIPS_selftest_cmac()
-+{
-+ size_t n, outlen;
-+ unsigned char out[32];
-+ const EVP_CIPHER *cipher;
-+ CMAC_CTX *ctx = CMAC_CTX_new();
-+ const CMAC_KAT *t;
-+ int rv = 1;
-+
-+ for (n = 0, t = vector; n < sizeof(vector) / sizeof(vector[0]); n++, t++) {
-+ cipher = FIPS_get_cipherbynid(t->nid);
-+ if (!cipher) {
-+ rv = -1;
-+ goto err;
-+ }
-+ if (!CMAC_Init(ctx, t->key, t->keysize / 8, cipher, 0)) {
-+ rv = -1;
-+ goto err;
-+ }
-+ if (!CMAC_Update(ctx, t->msg, t->msgsize / 8)) {
-+ rv = -1;
-+ goto err;
-+ }
-+
-+ if (!CMAC_Final(ctx, out, &outlen)) {
-+ rv = -1;
-+ goto err;
-+ }
-+
-+ if (outlen < t->macsize / 8 || memcmp(out, t->mac, t->macsize / 8)) {
-+ rv = 0;
-+ }
-+ }
-+
-+ err:
-+ CMAC_CTX_free(ctx);
-+
-+ if (rv == -1) {
-+ rv = 0;
-+ }
-+ if (!rv)
-+ FIPSerr(FIPS_F_FIPS_SELFTEST_CMAC, FIPS_R_SELFTEST_FAILED);
-+
-+ return rv;
-+}
-+#endif
-diff -up openssl-1.1.0h/crypto/fips/fips_des_selftest.c.fips openssl-1.1.0h/crypto/fips/fips_des_selftest.c
---- openssl-1.1.0h/crypto/fips/fips_des_selftest.c.fips 2018-03-29 14:44:24.632236783 +0200
-+++ openssl-1.1.0h/crypto/fips/fips_des_selftest.c 2018-03-29 14:44:24.632236783 +0200
-@@ -0,0 +1,133 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <string.h>
-+#include <openssl/err.h>
-+#ifdef OPENSSL_FIPS
-+# include <openssl/fips.h>
-+# include "internal/fips_int.h"
-+#endif
-+#include <openssl/opensslconf.h>
-+
-+#ifdef OPENSSL_FIPS
-+
-+static const struct {
-+ const unsigned char key[16];
-+ const unsigned char plaintext[8];
-+ const unsigned char ciphertext[8];
-+} tests2[] = {
-+ {
-+ {
-+ 0x7c, 0x4f, 0x6e, 0xf7, 0xa2, 0x04, 0x16, 0xec,
-+ 0x0b, 0x6b, 0x7c, 0x9e, 0x5e, 0x19, 0xa7, 0xc4}, {
-+ 0x06, 0xa7, 0xd8, 0x79, 0xaa, 0xce, 0x69, 0xef}, {
-+ 0x4c, 0x11, 0x17, 0x55, 0xbf, 0xc4, 0x4e, 0xfd}
-+ }, {
-+ {
-+ 0x5d, 0x9e, 0x01, 0xd3, 0x25, 0xc7, 0x3e, 0x34,
-+ 0x01, 0x16, 0x7c, 0x85, 0x23, 0xdf, 0xe0, 0x68}, {
-+ 0x9c, 0x50, 0x09, 0x0f, 0x5e, 0x7d, 0x69, 0x7e}, {
-+ 0xd2, 0x0b, 0x18, 0xdf, 0xd9, 0x0d, 0x9e, 0xff},}
-+};
-+
-+static const struct {
-+ const unsigned char key[24];
-+ const unsigned char plaintext[8];
-+ const unsigned char ciphertext[8];
-+} tests3[] = {
-+ {
-+ {
-+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-+ 0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10,
-+ 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0}, {
-+ 0x8f, 0x8f, 0xbf, 0x9b, 0x5d, 0x48, 0xb4, 0x1c}, {
-+ 0x59, 0x8c, 0xe5, 0xd3, 0x6c, 0xa2, 0xea, 0x1b},}, {
-+ {
-+ 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10, 0xFE,
-+ 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,
-+ 0xED, 0x39, 0xD9, 0x50, 0xFA, 0x74, 0xBC, 0xC4}, {
-+ 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF}, {
-+0x11, 0x25, 0xb0, 0x35, 0xbe, 0xa0, 0x82, 0x86},},};
-+
-+int FIPS_selftest_des()
-+{
-+ int n, ret = 0;
-+ EVP_CIPHER_CTX *ctx;
-+
-+ ctx = EVP_CIPHER_CTX_new();
-+ if (ctx == NULL)
-+ goto err;
-+
-+ /* Encrypt/decrypt with 2-key 3DES and compare to known answers */
-+ for (n = 0; n < 2; ++n) {
-+ unsigned char plaintext[8];
-+
-+ memcpy(plaintext, tests2[n].plaintext, sizeof(plaintext));
-+ if (!fips_cipher_test(ctx, EVP_des_ede_ecb(),
-+ tests2[n].key, NULL,
-+ plaintext, tests2[n].ciphertext, 8))
-+ goto err;
-+ }
-+
-+ /* Encrypt/decrypt with 3DES and compare to known answers */
-+ for (n = 0; n < 2; ++n) {
-+ if (!fips_cipher_test(ctx, EVP_des_ede3_ecb(),
-+ tests3[n].key, NULL,
-+ tests3[n].plaintext, tests3[n].ciphertext, 8))
-+ goto err;
-+ }
-+ ret = 1;
-+ err:
-+ EVP_CIPHER_CTX_free(ctx);
-+ if (ret == 0)
-+ FIPSerr(FIPS_F_FIPS_SELFTEST_DES, FIPS_R_SELFTEST_FAILED);
-+
-+ return ret;
-+}
-+#endif
-diff -up openssl-1.1.0h/crypto/fips/fips_dh_selftest.c.fips openssl-1.1.0h/crypto/fips/fips_dh_selftest.c
---- openssl-1.1.0h/crypto/fips/fips_dh_selftest.c.fips 2018-03-29 14:44:24.633236807 +0200
-+++ openssl-1.1.0h/crypto/fips/fips_dh_selftest.c 2018-03-29 14:44:24.633236807 +0200
-@@ -0,0 +1,180 @@
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ * Copyright (c) 2013 Red Hat, Inc.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <string.h>
-+#include <openssl/crypto.h>
-+#include <openssl/dh.h>
-+#include <openssl/fips.h>
-+#include <openssl/err.h>
-+#include <openssl/evp.h>
-+#include <openssl/bn.h>
-+#include "fips_locl.h"
-+
-+#ifdef OPENSSL_FIPS
-+
-+static const unsigned char dh_test_2048_p[] = {
-+ 0xAE, 0xEC, 0xEE, 0x22, 0xFA, 0x3A, 0xA5, 0x22, 0xC0, 0xDE, 0x0F, 0x09,
-+ 0x7E, 0x17, 0xC0, 0x05, 0xF9, 0xF1, 0xE7, 0xC6, 0x87, 0x14, 0x6D, 0x11,
-+ 0xE7, 0xAE, 0xED, 0x2F, 0x72, 0x59, 0xC5, 0xA9, 0x9B, 0xB8, 0x02, 0xA5,
-+ 0xF3, 0x69, 0x70, 0xD6, 0xDD, 0x90, 0xF9, 0x19, 0x79, 0xBE, 0x60, 0x8F,
-+ 0x25, 0x92, 0x30, 0x1C, 0x51, 0x51, 0x38, 0x26, 0x82, 0x25, 0xE6, 0xFC,
-+ 0xED, 0x65, 0x96, 0x8F, 0x57, 0xE5, 0x53, 0x8B, 0x38, 0x63, 0xC7, 0xCE,
-+ 0xBC, 0x1B, 0x4D, 0x18, 0x2A, 0x5B, 0x04, 0x3F, 0x6A, 0x3C, 0x94, 0x39,
-+ 0xAE, 0x36, 0xD6, 0x5E, 0x0F, 0xA2, 0xCC, 0xD0, 0xD4, 0xD5, 0xC6, 0x1E,
-+ 0xF6, 0xA0, 0xF5, 0x89, 0x4E, 0xB4, 0x0B, 0xA4, 0xB3, 0x2B, 0x3D, 0xE2,
-+ 0x4E, 0xE1, 0x49, 0x25, 0x99, 0x5F, 0x32, 0x16, 0x33, 0x32, 0x1B, 0x7A,
-+ 0xA5, 0x5C, 0x6B, 0x34, 0x0D, 0x39, 0x99, 0xDC, 0xF0, 0x76, 0xE5, 0x5A,
-+ 0xD4, 0x71, 0x00, 0xED, 0x5A, 0x73, 0xFB, 0xC8, 0x01, 0xAD, 0x99, 0xCF,
-+ 0x99, 0x52, 0x7C, 0x9C, 0x64, 0xC6, 0x76, 0x40, 0x57, 0xAF, 0x59, 0xD7,
-+ 0x38, 0x0B, 0x40, 0xDE, 0x33, 0x0D, 0xB8, 0x76, 0xEC, 0xA9, 0xD8, 0x73,
-+ 0xF8, 0xEF, 0x26, 0x66, 0x06, 0x27, 0xDD, 0x7C, 0xA4, 0x10, 0x9C, 0xA6,
-+ 0xAA, 0xF9, 0x53, 0x62, 0x73, 0x1D, 0xBA, 0x1C, 0xF1, 0x67, 0xF4, 0x35,
-+ 0xED, 0x6F, 0x37, 0x92, 0xE8, 0x4F, 0x6C, 0xBA, 0x52, 0x6E, 0xA1, 0xED,
-+ 0xDA, 0x9F, 0x85, 0x11, 0x82, 0x52, 0x62, 0x08, 0x44, 0xF1, 0x30, 0x03,
-+ 0xC3, 0x38, 0x2C, 0x79, 0xBD, 0xD4, 0x43, 0x45, 0xEE, 0x8E, 0x50, 0xFC,
-+ 0x29, 0x46, 0x9A, 0xFE, 0x54, 0x1A, 0x19, 0x8F, 0x4B, 0x84, 0x08, 0xDE,
-+ 0x20, 0x62, 0x73, 0xCC, 0xDD, 0x7E, 0xF0, 0xEF, 0xA2, 0xFD, 0x86, 0x58,
-+ 0x4B, 0xD8, 0x37, 0xEB
-+};
-+
-+static const unsigned char dh_test_2048_g[] = {
-+ 0x02
-+};
-+
-+static const unsigned char dh_test_2048_pub_key[] = {
-+ 0xA0, 0x39, 0x11, 0x77, 0x9A, 0xC1, 0x30, 0x1F, 0xBE, 0x48, 0xA7, 0xAA,
-+ 0xA0, 0x84, 0x54, 0x64, 0xAD, 0x1B, 0x70, 0xFA, 0x13, 0x55, 0x63, 0xD2,
-+ 0x1F, 0x62, 0x32, 0x93, 0x8E, 0xC9, 0x3E, 0x09, 0xA7, 0x64, 0xE4, 0x12,
-+ 0x6E, 0x1B, 0xF2, 0x92, 0x3B, 0xB9, 0xCB, 0x56, 0xEA, 0x07, 0x88, 0xB5,
-+ 0xA6, 0xBC, 0x16, 0x1F, 0x27, 0xFE, 0xD8, 0xAA, 0x40, 0xB2, 0xB0, 0x2D,
-+ 0x37, 0x76, 0xA6, 0xA4, 0x82, 0x2C, 0x0E, 0x22, 0x64, 0x9D, 0xCB, 0xD1,
-+ 0x00, 0xB7, 0x89, 0x14, 0x72, 0x4E, 0xBE, 0x48, 0x41, 0xF8, 0xB2, 0x51,
-+ 0x11, 0x09, 0x4B, 0x22, 0x01, 0x23, 0x39, 0x96, 0xE0, 0x15, 0xD7, 0x9F,
-+ 0x60, 0xD1, 0xB7, 0xAE, 0xFE, 0x5F, 0xDB, 0xE7, 0x03, 0x17, 0x97, 0xA6,
-+ 0x16, 0x74, 0xBD, 0x53, 0x81, 0x19, 0xC5, 0x47, 0x5E, 0xCE, 0x8D, 0xED,
-+ 0x45, 0x5D, 0x3C, 0x00, 0xA0, 0x0A, 0x68, 0x6A, 0xE0, 0x8E, 0x06, 0x46,
-+ 0x6F, 0xD7, 0xF9, 0xDF, 0x31, 0x7E, 0x77, 0x44, 0x0D, 0x98, 0xE0, 0xCA,
-+ 0x98, 0x09, 0x52, 0x04, 0x90, 0xEA, 0x6D, 0xF4, 0x30, 0x69, 0x8F, 0xB1,
-+ 0x9B, 0xC1, 0x43, 0xDB, 0xD5, 0x8D, 0xC8, 0x8E, 0xB6, 0x0B, 0x05, 0xBE,
-+ 0x0E, 0xC5, 0x99, 0xC8, 0x6E, 0x4E, 0xF3, 0xCB, 0xC3, 0x5E, 0x9B, 0x53,
-+ 0xF7, 0x06, 0x1C, 0x4F, 0xC7, 0xB8, 0x6E, 0x30, 0x18, 0xCA, 0x9B, 0xB9,
-+ 0xBC, 0x5F, 0x17, 0x72, 0x29, 0x5A, 0xE5, 0xD9, 0x96, 0xB7, 0x0B, 0xF3,
-+ 0x2D, 0x8C, 0xF1, 0xE1, 0x0E, 0x0D, 0x74, 0xD5, 0x9D, 0xF0, 0x06, 0xA9,
-+ 0xB4, 0x95, 0x63, 0x76, 0x46, 0x55, 0x48, 0x82, 0x39, 0x90, 0xEF, 0x56,
-+ 0x75, 0x34, 0xB8, 0x34, 0xC3, 0x18, 0x6E, 0x1E, 0xAD, 0xE3, 0x48, 0x7E,
-+ 0x93, 0x2C, 0x23, 0xE7, 0xF8, 0x90, 0x73, 0xB1, 0x77, 0x80, 0x67, 0xA9,
-+ 0x36, 0x9E, 0xDA, 0xD2
-+};
-+
-+static const unsigned char dh_test_2048_priv_key[] = {
-+ 0x0C, 0x4B, 0x30, 0x89, 0xD1, 0xB8, 0x62, 0xCB, 0x3C, 0x43, 0x64, 0x91,
-+ 0xF0, 0x91, 0x54, 0x70, 0xC5, 0x27, 0x96, 0xE3, 0xAC, 0xBE, 0xE8, 0x00,
-+ 0xEC, 0x55, 0xF6, 0xCC
-+};
-+
-+int FIPS_selftest_dh()
-+{
-+ DH *dh = NULL;
-+ int ret = 0;
-+ void *pub_key_bin = NULL;
-+ int len;
-+ BIGNUM *p = NULL, *g = NULL, *priv_key = NULL, *tmp_pub_key = NULL;
-+ const BIGNUM *pub_key;
-+
-+ fips_load_key_component(p, dh_test_2048);
-+ fips_load_key_component(g, dh_test_2048);
-+ /* note that the private key is much shorter than normally used
-+ * but still g ** priv_key > p
-+ */
-+ fips_load_key_component(priv_key, dh_test_2048);
-+ if ((tmp_pub_key = BN_new()) == NULL)
-+ goto err;
-+
-+ dh = DH_new();
-+
-+ if (dh == NULL)
-+ goto err;
-+
-+ DH_set0_pqg(dh, p, NULL, g);
-+ DH_set0_key(dh, tmp_pub_key, priv_key);
-+
-+ if (DH_generate_key(dh) <= 0)
-+ goto err;
-+
-+ DH_get0_key(dh, &pub_key, NULL);
-+
-+ if (pub_key == NULL)
-+ goto err;
-+
-+ len = BN_num_bytes(pub_key);
-+ if ((pub_key_bin = OPENSSL_malloc(len)) == NULL)
-+ goto err;
-+ BN_bn2bin(pub_key, pub_key_bin);
-+
-+ if (len != sizeof(dh_test_2048_pub_key) ||
-+ memcmp(pub_key_bin, dh_test_2048_pub_key, len) != 0)
-+ goto err;
-+
-+ ret = 1;
-+
-+ err:
-+ if (dh)
-+ DH_free(dh);
-+ else {
-+ BN_free(p);
-+ BN_free(g);
-+ BN_free(priv_key);
-+ BN_free(tmp_pub_key);
-+ }
-+
-+ OPENSSL_free(pub_key_bin);
-+ return ret;
-+}
-+#endif
-diff -up openssl-1.1.0h/crypto/fips/fips_drbg_ctr.c.fips openssl-1.1.0h/crypto/fips/fips_drbg_ctr.c
---- openssl-1.1.0h/crypto/fips/fips_drbg_ctr.c.fips 2018-03-29 14:44:24.633236807 +0200
-+++ openssl-1.1.0h/crypto/fips/fips_drbg_ctr.c 2018-03-29 14:44:24.633236807 +0200
-@@ -0,0 +1,415 @@
-+/* fips/rand/fips_drbg_ctr.c */
-+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
-+ * project.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ */
-+
-+#include <stdlib.h>
-+#include <string.h>
-+#include <openssl/crypto.h>
-+#include <openssl/fips.h>
-+#include <openssl/fips_rand.h>
-+#include "fips_rand_lcl.h"
-+
-+static void inc_128(DRBG_CTR_CTX * cctx)
-+{
-+ int i;
-+ unsigned char c;
-+ unsigned char *p = cctx->V + 15;
-+ for (i = 0; i < 16; i++) {
-+ c = *p;
-+ c++;
-+ *p = c;
-+ if (c)
-+ return;
-+ p--;
-+ }
-+}
-+
-+static void ctr_XOR(DRBG_CTR_CTX * cctx, const unsigned char *in,
-+ size_t inlen)
-+{
-+ size_t i, n;
-+ /* Any zero padding will have no effect on the result as we
-+ * are XORing. So just process however much input we have.
-+ */
-+
-+ if (!in || !inlen)
-+ return;
-+
-+ if (inlen < cctx->keylen)
-+ n = inlen;
-+ else
-+ n = cctx->keylen;
-+
-+ for (i = 0; i < n; i++)
-+ cctx->K[i] ^= in[i];
-+ if (inlen <= cctx->keylen)
-+ return;
-+
-+ n = inlen - cctx->keylen;
-+ /* Should never happen */
-+ if (n > 16)
-+ n = 16;
-+ for (i = 0; i < 16; i++)
-+ cctx->V[i] ^= in[i + cctx->keylen];
-+}
-+
-+/* Process a complete block using BCC algorithm of SPP 800-90 10.4.3 */
-+
-+static void ctr_BCC_block(DRBG_CTR_CTX * cctx, unsigned char *out,
-+ const unsigned char *in)
-+{
-+ int i;
-+ for (i = 0; i < 16; i++)
-+ out[i] ^= in[i];
-+ AES_encrypt(out, out, &cctx->df_ks);
-+#if 0
-+ fprintf(stderr, "BCC in+out\n");
-+ BIO_dump_fp(stderr, in, 16);
-+ BIO_dump_fp(stderr, out, 16);
-+#endif
-+}
-+
-+/* Handle several BCC operations for as much data as we need for K and X */
-+static void ctr_BCC_blocks(DRBG_CTR_CTX * cctx, const unsigned char *in)
-+{
-+ ctr_BCC_block(cctx, cctx->KX, in);
-+ ctr_BCC_block(cctx, cctx->KX + 16, in);
-+ if (cctx->keylen != 16)
-+ ctr_BCC_block(cctx, cctx->KX + 32, in);
-+}
-+
-+/* Initialise BCC blocks: these have the value 0,1,2 in leftmost positions:
-+ * see 10.4.2 stage 7.
-+ */
-+static void ctr_BCC_init(DRBG_CTR_CTX * cctx)
-+{
-+ memset(cctx->KX, 0, 48);
-+ memset(cctx->bltmp, 0, 16);
-+ ctr_BCC_block(cctx, cctx->KX, cctx->bltmp);
-+ cctx->bltmp[3] = 1;
-+ ctr_BCC_block(cctx, cctx->KX + 16, cctx->bltmp);
-+ if (cctx->keylen != 16) {
-+ cctx->bltmp[3] = 2;
-+ ctr_BCC_block(cctx, cctx->KX + 32, cctx->bltmp);
-+ }
-+}
-+
-+/* Process several blocks into BCC algorithm, some possibly partial */
-+static void ctr_BCC_update(DRBG_CTR_CTX * cctx,
-+ const unsigned char *in, size_t inlen)
-+{
-+ if (!in || !inlen)
-+ return;
-+ /* If we have partial block handle it first */
-+ if (cctx->bltmp_pos) {
-+ size_t left = 16 - cctx->bltmp_pos;
-+ /* If we now have a complete block process it */
-+ if (inlen >= left) {
-+ memcpy(cctx->bltmp + cctx->bltmp_pos, in, left);
-+ ctr_BCC_blocks(cctx, cctx->bltmp);
-+ cctx->bltmp_pos = 0;
-+ inlen -= left;
-+ in += left;
-+ }
-+ }
-+ /* Process zero or more complete blocks */
-+ while (inlen >= 16) {
-+ ctr_BCC_blocks(cctx, in);
-+ in += 16;
-+ inlen -= 16;
-+ }
-+ /* Copy any remaining partial block to the temporary buffer */
-+ if (inlen > 0) {
-+ memcpy(cctx->bltmp + cctx->bltmp_pos, in, inlen);
-+ cctx->bltmp_pos += inlen;
-+ }
-+}
-+
-+static void ctr_BCC_final(DRBG_CTR_CTX * cctx)
-+{
-+ if (cctx->bltmp_pos) {
-+ memset(cctx->bltmp + cctx->bltmp_pos, 0, 16 - cctx->bltmp_pos);
-+ ctr_BCC_blocks(cctx, cctx->bltmp);
-+ }
-+}
-+
-+static void ctr_df(DRBG_CTR_CTX * cctx,
-+ const unsigned char *in1, size_t in1len,
-+ const unsigned char *in2, size_t in2len,
-+ const unsigned char *in3, size_t in3len)
-+{
-+ size_t inlen;
-+ unsigned char *p = cctx->bltmp;
-+ static unsigned char c80 = 0x80;
-+
-+ ctr_BCC_init(cctx);
-+ if (!in1)
-+ in1len = 0;
-+ if (!in2)
-+ in2len = 0;
-+ if (!in3)
-+ in3len = 0;
-+ inlen = in1len + in2len + in3len;
-+ /* Initialise L||N in temporary block */
-+ *p++ = (inlen >> 24) & 0xff;
-+ *p++ = (inlen >> 16) & 0xff;
-+ *p++ = (inlen >> 8) & 0xff;
-+ *p++ = inlen & 0xff;
-+ /* NB keylen is at most 32 bytes */
-+ *p++ = 0;
-+ *p++ = 0;
-+ *p++ = 0;
-+ *p = (unsigned char)((cctx->keylen + 16) & 0xff);
-+ cctx->bltmp_pos = 8;
-+ ctr_BCC_update(cctx, in1, in1len);
-+ ctr_BCC_update(cctx, in2, in2len);
-+ ctr_BCC_update(cctx, in3, in3len);
-+ ctr_BCC_update(cctx, &c80, 1);
-+ ctr_BCC_final(cctx);
-+ /* Set up key K */
-+ AES_set_encrypt_key(cctx->KX, cctx->keylen * 8, &cctx->df_kxks);
-+ /* X follows key K */
-+ AES_encrypt(cctx->KX + cctx->keylen, cctx->KX, &cctx->df_kxks);
-+ AES_encrypt(cctx->KX, cctx->KX + 16, &cctx->df_kxks);
-+ if (cctx->keylen != 16)
-+ AES_encrypt(cctx->KX + 16, cctx->KX + 32, &cctx->df_kxks);
-+#if 0
-+ fprintf(stderr, "Output of ctr_df:\n");
-+ BIO_dump_fp(stderr, cctx->KX, cctx->keylen + 16);
-+#endif
-+}
-+
-+/* NB the no-df Update in SP800-90 specifies a constant input length
-+ * of seedlen, however other uses of this algorithm pad the input with
-+ * zeroes if necessary and have up to two parameters XORed together,
-+ * handle both cases in this function instead.
-+ */
-+
-+static void ctr_Update(DRBG_CTX *dctx,
-+ const unsigned char *in1, size_t in1len,
-+ const unsigned char *in2, size_t in2len,
-+ const unsigned char *nonce, size_t noncelen)
-+{
-+ DRBG_CTR_CTX *cctx = &dctx->d.ctr;
-+ /* ks is already setup for correct key */
-+ inc_128(cctx);
-+ AES_encrypt(cctx->V, cctx->K, &cctx->ks);
-+ /* If keylen longer than 128 bits need extra encrypt */
-+ if (cctx->keylen != 16) {
-+ inc_128(cctx);
-+ AES_encrypt(cctx->V, cctx->K + 16, &cctx->ks);
-+ }
-+ inc_128(cctx);
-+ AES_encrypt(cctx->V, cctx->V, &cctx->ks);
-+ /* If 192 bit key part of V is on end of K */
-+ if (cctx->keylen == 24) {
-+ memcpy(cctx->V + 8, cctx->V, 8);
-+ memcpy(cctx->V, cctx->K + 24, 8);
-+ }
-+
-+ if (dctx->xflags & DRBG_FLAG_CTR_USE_DF) {
-+ /* If no input reuse existing derived value */
-+ if (in1 || nonce || in2)
-+ ctr_df(cctx, in1, in1len, nonce, noncelen, in2, in2len);
-+ /* If this a reuse input in1len != 0 */
-+ if (in1len)
-+ ctr_XOR(cctx, cctx->KX, dctx->seedlen);
-+ } else {
-+ ctr_XOR(cctx, in1, in1len);
-+ ctr_XOR(cctx, in2, in2len);
-+ }
-+
-+ AES_set_encrypt_key(cctx->K, dctx->strength, &cctx->ks);
-+#if 0
-+ fprintf(stderr, "K+V after update is:\n");
-+ BIO_dump_fp(stderr, cctx->K, cctx->keylen);
-+ BIO_dump_fp(stderr, cctx->V, 16);
-+#endif
-+}
-+
-+static int drbg_ctr_instantiate(DRBG_CTX *dctx,
-+ const unsigned char *ent, size_t entlen,
-+ const unsigned char *nonce, size_t noncelen,
-+ const unsigned char *pers, size_t perslen)
-+{
-+ DRBG_CTR_CTX *cctx = &dctx->d.ctr;
-+ memset(cctx->K, 0, sizeof(cctx->K));
-+ memset(cctx->V, 0, sizeof(cctx->V));
-+ AES_set_encrypt_key(cctx->K, dctx->strength, &cctx->ks);
-+ ctr_Update(dctx, ent, entlen, pers, perslen, nonce, noncelen);
-+ return 1;
-+}
-+
-+static int drbg_ctr_reseed(DRBG_CTX *dctx,
-+ const unsigned char *ent, size_t entlen,
-+ const unsigned char *adin, size_t adinlen)
-+{
-+ ctr_Update(dctx, ent, entlen, adin, adinlen, NULL, 0);
-+ return 1;
-+}
-+
-+static int drbg_ctr_generate(DRBG_CTX *dctx,
-+ unsigned char *out, size_t outlen,
-+ const unsigned char *adin, size_t adinlen)
-+{
-+ DRBG_CTR_CTX *cctx = &dctx->d.ctr;
-+ if (adin && adinlen) {
-+ ctr_Update(dctx, adin, adinlen, NULL, 0, NULL, 0);
-+ /* This means we reuse derived value */
-+ if (dctx->xflags & DRBG_FLAG_CTR_USE_DF) {
-+ adin = NULL;
-+ adinlen = 1;
-+ }
-+ } else
-+ adinlen = 0;
-+
-+ for (;;) {
-+ inc_128(cctx);
-+ if (!(dctx->xflags & DRBG_FLAG_TEST) && !dctx->lb_valid) {
-+ AES_encrypt(cctx->V, dctx->lb, &cctx->ks);
-+ dctx->lb_valid = 1;
-+ continue;
-+ }
-+ if (outlen < 16) {
-+ /* Use K as temp space as it will be updated */
-+ AES_encrypt(cctx->V, cctx->K, &cctx->ks);
-+ if (!fips_drbg_cprng_test(dctx, cctx->K))
-+ return 0;
-+ memcpy(out, cctx->K, outlen);
-+ break;
-+ }
-+ AES_encrypt(cctx->V, out, &cctx->ks);
-+ if (!fips_drbg_cprng_test(dctx, out))
-+ return 0;
-+ out += 16;
-+ outlen -= 16;
-+ if (outlen == 0)
-+ break;
-+ }
-+
-+ ctr_Update(dctx, adin, adinlen, NULL, 0, NULL, 0);
-+
-+ return 1;
-+
-+}
-+
-+static int drbg_ctr_uninstantiate(DRBG_CTX *dctx)
-+{
-+ memset(&dctx->d.ctr, 0, sizeof(DRBG_CTR_CTX));
-+ return 1;
-+}
-+
-+int fips_drbg_ctr_init(DRBG_CTX *dctx)
-+{
-+ DRBG_CTR_CTX *cctx = &dctx->d.ctr;
-+
-+ size_t keylen;
-+
-+ switch (dctx->type) {
-+ case NID_aes_128_ctr:
-+ keylen = 16;
-+ break;
-+
-+ case NID_aes_192_ctr:
-+ keylen = 24;
-+ break;
-+
-+ case NID_aes_256_ctr:
-+ keylen = 32;
-+ break;
-+
-+ default:
-+ return -2;
-+ }
-+
-+ dctx->instantiate = drbg_ctr_instantiate;
-+ dctx->reseed = drbg_ctr_reseed;
-+ dctx->generate = drbg_ctr_generate;
-+ dctx->uninstantiate = drbg_ctr_uninstantiate;
-+
-+ cctx->keylen = keylen;
-+ dctx->strength = keylen * 8;
-+ dctx->blocklength = 16;
-+ dctx->seedlen = keylen + 16;
-+
-+ if (dctx->xflags & DRBG_FLAG_CTR_USE_DF) {
-+ /* df initialisation */
-+ static unsigned char df_key[32] = {
-+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
-+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
-+ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
-+ 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
-+ };
-+ /* Set key schedule for df_key */
-+ AES_set_encrypt_key(df_key, dctx->strength, &cctx->df_ks);
-+
-+ dctx->min_entropy = cctx->keylen;
-+ dctx->max_entropy = DRBG_MAX_LENGTH;
-+ dctx->min_nonce = dctx->min_entropy / 2;
-+ dctx->max_nonce = DRBG_MAX_LENGTH;
-+ dctx->max_pers = DRBG_MAX_LENGTH;
-+ dctx->max_adin = DRBG_MAX_LENGTH;
-+ } else {
-+ dctx->min_entropy = dctx->seedlen;
-+ dctx->max_entropy = dctx->seedlen;
-+ /* Nonce not used */
-+ dctx->min_nonce = 0;
-+ dctx->max_nonce = 0;
-+ dctx->max_pers = dctx->seedlen;
-+ dctx->max_adin = dctx->seedlen;
-+ }
-+
-+ dctx->max_request = 1 << 16;
-+ dctx->reseed_interval = 1 << 24;
-+
-+ return 1;
-+}
-diff -up openssl-1.1.0h/crypto/fips/fips_drbg_hash.c.fips openssl-1.1.0h/crypto/fips/fips_drbg_hash.c
---- openssl-1.1.0h/crypto/fips/fips_drbg_hash.c.fips 2018-03-29 14:44:24.633236807 +0200
-+++ openssl-1.1.0h/crypto/fips/fips_drbg_hash.c 2018-03-29 14:44:24.633236807 +0200
-@@ -0,0 +1,361 @@
-+/* fips/rand/fips_drbg_hash.c */
-+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
-+ * project.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ */
-+
-+#define OPENSSL_FIPSAPI
-+
-+#include <stdlib.h>
-+#include <string.h>
-+#include <openssl/crypto.h>
-+#include <openssl/fips.h>
-+#include "internal/fips_int.h"
-+#include <openssl/fips_rand.h>
-+#include "fips_rand_lcl.h"
-+
-+/* This is Hash_df from SP 800-90 10.4.1 */
-+
-+static int hash_df(DRBG_CTX *dctx, unsigned char *out,
-+ const unsigned char *in1, size_t in1len,
-+ const unsigned char *in2, size_t in2len,
-+ const unsigned char *in3, size_t in3len,
-+ const unsigned char *in4, size_t in4len)
-+{
-+ EVP_MD_CTX *mctx = dctx->d.hash.mctx;
-+ unsigned char *vtmp = dctx->d.hash.vtmp;
-+ unsigned char tmp[6];
-+ /* Standard only ever needs seedlen bytes which is always less than
-+ * maximum permitted so no need to check length.
-+ */
-+ size_t outlen = dctx->seedlen;
-+ tmp[0] = 1;
-+ tmp[1] = ((outlen * 8) >> 24) & 0xff;
-+ tmp[2] = ((outlen * 8) >> 16) & 0xff;
-+ tmp[3] = ((outlen * 8) >> 8) & 0xff;
-+ tmp[4] = (outlen * 8) & 0xff;
-+ if (!in1) {
-+ tmp[5] = (unsigned char)in1len;
-+ in1 = tmp + 5;
-+ in1len = 1;
-+ }
-+ for (;;) {
-+ if (!FIPS_digestinit(mctx, dctx->d.hash.md))
-+ return 0;
-+ if (!FIPS_digestupdate(mctx, tmp, 5))
-+ return 0;
-+ if (in1 && !FIPS_digestupdate(mctx, in1, in1len))
-+ return 0;
-+ if (in2 && !FIPS_digestupdate(mctx, in2, in2len))
-+ return 0;
-+ if (in3 && !FIPS_digestupdate(mctx, in3, in3len))
-+ return 0;
-+ if (in4 && !FIPS_digestupdate(mctx, in4, in4len))
-+ return 0;
-+ if (outlen < dctx->blocklength) {
-+ if (!FIPS_digestfinal(mctx, vtmp, NULL))
-+ return 0;
-+ memcpy(out, vtmp, outlen);
-+ OPENSSL_cleanse(vtmp, dctx->blocklength);
-+ return 1;
-+ } else if (!FIPS_digestfinal(mctx, out, NULL))
-+ return 0;
-+
-+ outlen -= dctx->blocklength;
-+ if (outlen == 0)
-+ return 1;
-+ tmp[0]++;
-+ out += dctx->blocklength;
-+ }
-+}
-+
-+/* Add an unsigned buffer to the buf value, storing the result in buf. For
-+ * this algorithm the length of input never exceeds the seed length.
-+ */
-+
-+static void ctx_add_buf(DRBG_CTX *dctx, unsigned char *buf,
-+ unsigned char *in, size_t inlen)
-+{
-+ size_t i = inlen;
-+ const unsigned char *q;
-+ unsigned char c, *p;
-+ p = buf + dctx->seedlen;
-+ q = in + inlen;
-+
-+ OPENSSL_assert(i <= dctx->seedlen);
-+
-+ /* Special case: zero length, just increment buffer */
-+ if (i)
-+ c = 0;
-+ else
-+ c = 1;
-+
-+ while (i) {
-+ int r;
-+ p--;
-+ q--;
-+ r = *p + *q + c;
-+ /* Carry */
-+ if (r > 0xff)
-+ c = 1;
-+ else
-+ c = 0;
-+ *p = r & 0xff;
-+ i--;
-+ }
-+
-+ i = dctx->seedlen - inlen;
-+
-+ /* If not adding whole buffer handle final carries */
-+ if (c && i) {
-+ do {
-+ p--;
-+ c = *p;
-+ c++;
-+ *p = c;
-+ if (c)
-+ return;
-+ } while (i--);
-+ }
-+}
-+
-+/* Finalise and add hash to V */
-+
-+static int ctx_add_md(DRBG_CTX *dctx)
-+{
-+ if (!FIPS_digestfinal(dctx->d.hash.mctx, dctx->d.hash.vtmp, NULL))
-+ return 0;
-+ ctx_add_buf(dctx, dctx->d.hash.V, dctx->d.hash.vtmp, dctx->blocklength);
-+ return 1;
-+}
-+
-+static int hash_gen(DRBG_CTX *dctx, unsigned char *out, size_t outlen)
-+{
-+ DRBG_HASH_CTX *hctx = &dctx->d.hash;
-+ if (outlen == 0)
-+ return 1;
-+ memcpy(hctx->vtmp, hctx->V, dctx->seedlen);
-+ for (;;) {
-+ FIPS_digestinit(hctx->mctx, hctx->md);
-+ FIPS_digestupdate(hctx->mctx, hctx->vtmp, dctx->seedlen);
-+ if (!(dctx->xflags & DRBG_FLAG_TEST) && !dctx->lb_valid) {
-+ FIPS_digestfinal(hctx->mctx, dctx->lb, NULL);
-+ dctx->lb_valid = 1;
-+ } else if (outlen < dctx->blocklength) {
-+ FIPS_digestfinal(hctx->mctx, hctx->vtmp, NULL);
-+ if (!fips_drbg_cprng_test(dctx, hctx->vtmp))
-+ return 0;
-+ memcpy(out, hctx->vtmp, outlen);
-+ return 1;
-+ } else {
-+ FIPS_digestfinal(hctx->mctx, out, NULL);
-+ if (!fips_drbg_cprng_test(dctx, out))
-+ return 0;
-+ outlen -= dctx->blocklength;
-+ if (outlen == 0)
-+ return 1;
-+ out += dctx->blocklength;
-+ }
-+ ctx_add_buf(dctx, hctx->vtmp, NULL, 0);
-+ }
-+}
-+
-+static int drbg_hash_instantiate(DRBG_CTX *dctx,
-+ const unsigned char *ent, size_t ent_len,
-+ const unsigned char *nonce, size_t nonce_len,
-+ const unsigned char *pstr, size_t pstr_len)
-+{
-+ DRBG_HASH_CTX *hctx = &dctx->d.hash;
-+ if (!hash_df(dctx, hctx->V,
-+ ent, ent_len, nonce, nonce_len, pstr, pstr_len, NULL, 0))
-+ return 0;
-+ if (!hash_df(dctx, hctx->C,
-+ NULL, 0, hctx->V, dctx->seedlen, NULL, 0, NULL, 0))
-+ return 0;
-+
-+#ifdef HASH_DRBG_TRACE
-+ fprintf(stderr, "V+C after instantiate:\n");
-+ hexprint(stderr, hctx->V, dctx->seedlen);
-+ hexprint(stderr, hctx->C, dctx->seedlen);
-+#endif
-+ return 1;
-+}
-+
-+static int drbg_hash_reseed(DRBG_CTX *dctx,
-+ const unsigned char *ent, size_t ent_len,
-+ const unsigned char *adin, size_t adin_len)
-+{
-+ DRBG_HASH_CTX *hctx = &dctx->d.hash;
-+ /* V about to be updated so use C as output instead */
-+ if (!hash_df(dctx, hctx->C,
-+ NULL, 1, hctx->V, dctx->seedlen,
-+ ent, ent_len, adin, adin_len))
-+ return 0;
-+ memcpy(hctx->V, hctx->C, dctx->seedlen);
-+ if (!hash_df(dctx, hctx->C, NULL, 0,
-+ hctx->V, dctx->seedlen, NULL, 0, NULL, 0))
-+ return 0;
-+#ifdef HASH_DRBG_TRACE
-+ fprintf(stderr, "V+C after reseed:\n");
-+ hexprint(stderr, hctx->V, dctx->seedlen);
-+ hexprint(stderr, hctx->C, dctx->seedlen);
-+#endif
-+ return 1;
-+}
-+
-+static int drbg_hash_generate(DRBG_CTX *dctx,
-+ unsigned char *out, size_t outlen,
-+ const unsigned char *adin, size_t adin_len)
-+{
-+ DRBG_HASH_CTX *hctx = &dctx->d.hash;
-+ EVP_MD_CTX *mctx = hctx->mctx;
-+ unsigned char tmp[4];
-+ if (adin && adin_len) {
-+ tmp[0] = 2;
-+ if (!FIPS_digestinit(mctx, hctx->md))
-+ return 0;
-+ if (!EVP_DigestUpdate(mctx, tmp, 1))
-+ return 0;
-+ if (!EVP_DigestUpdate(mctx, hctx->V, dctx->seedlen))
-+ return 0;
-+ if (!EVP_DigestUpdate(mctx, adin, adin_len))
-+ return 0;
-+ if (!ctx_add_md(dctx))
-+ return 0;
-+ }
-+ if (!hash_gen(dctx, out, outlen))
-+ return 0;
-+
-+ tmp[0] = 3;
-+ if (!FIPS_digestinit(mctx, hctx->md))
-+ return 0;
-+ if (!EVP_DigestUpdate(mctx, tmp, 1))
-+ return 0;
-+ if (!EVP_DigestUpdate(mctx, hctx->V, dctx->seedlen))
-+ return 0;
-+
-+ if (!ctx_add_md(dctx))
-+ return 0;
-+
-+ ctx_add_buf(dctx, hctx->V, hctx->C, dctx->seedlen);
-+
-+ tmp[0] = (dctx->reseed_counter >> 24) & 0xff;
-+ tmp[1] = (dctx->reseed_counter >> 16) & 0xff;
-+ tmp[2] = (dctx->reseed_counter >> 8) & 0xff;
-+ tmp[3] = dctx->reseed_counter & 0xff;
-+ ctx_add_buf(dctx, hctx->V, tmp, 4);
-+#ifdef HASH_DRBG_TRACE
-+ fprintf(stderr, "V+C after generate:\n");
-+ hexprint(stderr, hctx->V, dctx->seedlen);
-+ hexprint(stderr, hctx->C, dctx->seedlen);
-+#endif
-+ return 1;
-+}
-+
-+static int drbg_hash_uninstantiate(DRBG_CTX *dctx)
-+{
-+ EVP_MD_CTX_free(dctx->d.hash.mctx);
-+ OPENSSL_cleanse(&dctx->d.hash, sizeof(DRBG_HASH_CTX));
-+ return 1;
-+}
-+
-+int fips_drbg_hash_init(DRBG_CTX *dctx)
-+{
-+ const EVP_MD *md;
-+ DRBG_HASH_CTX *hctx = &dctx->d.hash;
-+ md = FIPS_get_digestbynid(dctx->type);
-+ if (!md)
-+ return -2;
-+ switch (dctx->type) {
-+ case NID_sha1:
-+ dctx->strength = 128;
-+ break;
-+
-+ case NID_sha224:
-+ dctx->strength = 192;
-+ break;
-+
-+ default:
-+ dctx->strength = 256;
-+ break;
-+ }
-+
-+ dctx->instantiate = drbg_hash_instantiate;
-+ dctx->reseed = drbg_hash_reseed;
-+ dctx->generate = drbg_hash_generate;
-+ dctx->uninstantiate = drbg_hash_uninstantiate;
-+
-+ dctx->d.hash.md = md;
-+ hctx->mctx = EVP_MD_CTX_new();
-+ if (hctx->mctx == NULL)
-+ return -1;
-+
-+ /* These are taken from SP 800-90 10.1 table 2 */
-+
-+ dctx->blocklength = EVP_MD_size(md);
-+ if (dctx->blocklength > 32)
-+ dctx->seedlen = 111;
-+ else
-+ dctx->seedlen = 55;
-+
-+ dctx->min_entropy = dctx->strength / 8;
-+ dctx->max_entropy = DRBG_MAX_LENGTH;
-+
-+ dctx->min_nonce = dctx->min_entropy / 2;
-+ dctx->max_nonce = DRBG_MAX_LENGTH;
-+
-+ dctx->max_pers = DRBG_MAX_LENGTH;
-+ dctx->max_adin = DRBG_MAX_LENGTH;
-+
-+ dctx->max_request = 1 << 16;
-+ dctx->reseed_interval = 1 << 24;
-+
-+ return 1;
-+}
-diff -up openssl-1.1.0h/crypto/fips/fips_drbg_hmac.c.fips openssl-1.1.0h/crypto/fips/fips_drbg_hmac.c
---- openssl-1.1.0h/crypto/fips/fips_drbg_hmac.c.fips 2018-03-29 14:44:24.633236807 +0200
-+++ openssl-1.1.0h/crypto/fips/fips_drbg_hmac.c 2018-03-29 14:44:24.633236807 +0200
-@@ -0,0 +1,272 @@
-+/* fips/rand/fips_drbg_hmac.c */
-+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
-+ * project.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ */
-+
-+#include <stdlib.h>
-+#include <string.h>
-+#include <openssl/crypto.h>
-+#include <openssl/evp.h>
-+#include <openssl/hmac.h>
-+#include <openssl/aes.h>
-+#include <openssl/fips.h>
-+#include <openssl/fips_rand.h>
-+#include "fips_rand_lcl.h"
-+
-+static int drbg_hmac_update(DRBG_CTX *dctx,
-+ const unsigned char *in1, size_t in1len,
-+ const unsigned char *in2, size_t in2len,
-+ const unsigned char *in3, size_t in3len)
-+{
-+ static unsigned char c0 = 0, c1 = 1;
-+ DRBG_HMAC_CTX *hmac = &dctx->d.hmac;
-+ HMAC_CTX *hctx = hmac->hctx;
-+
-+ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
-+ return 0;
-+ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))
-+ return 0;
-+ if (!HMAC_Update(hctx, &c0, 1))
-+ return 0;
-+ if (in1len && !HMAC_Update(hctx, in1, in1len))
-+ return 0;
-+ if (in2len && !HMAC_Update(hctx, in2, in2len))
-+ return 0;
-+ if (in3len && !HMAC_Update(hctx, in3, in3len))
-+ return 0;
-+
-+ if (!HMAC_Final(hctx, hmac->K, NULL))
-+ return 0;
-+
-+ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
-+ return 0;
-+ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))
-+ return 0;
-+
-+ if (!HMAC_Final(hctx, hmac->V, NULL))
-+ return 0;
-+
-+ if (!in1len && !in2len && !in3len)
-+ return 1;
-+
-+ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
-+ return 0;
-+ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))
-+ return 0;
-+ if (!HMAC_Update(hctx, &c1, 1))
-+ return 0;
-+ if (in1len && !HMAC_Update(hctx, in1, in1len))
-+ return 0;
-+ if (in2len && !HMAC_Update(hctx, in2, in2len))
-+ return 0;
-+ if (in3len && !HMAC_Update(hctx, in3, in3len))
-+ return 0;
-+
-+ if (!HMAC_Final(hctx, hmac->K, NULL))
-+ return 0;
-+
-+ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
-+ return 0;
-+ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))
-+ return 0;
-+
-+ if (!HMAC_Final(hctx, hmac->V, NULL))
-+ return 0;
-+
-+ return 1;
-+
-+}
-+
-+static int drbg_hmac_instantiate(DRBG_CTX *dctx,
-+ const unsigned char *ent, size_t ent_len,
-+ const unsigned char *nonce, size_t nonce_len,
-+ const unsigned char *pstr, size_t pstr_len)
-+{
-+ DRBG_HMAC_CTX *hmac = &dctx->d.hmac;
-+ memset(hmac->K, 0, dctx->blocklength);
-+ memset(hmac->V, 1, dctx->blocklength);
-+ if (!drbg_hmac_update(dctx,
-+ ent, ent_len, nonce, nonce_len, pstr, pstr_len))
-+ return 0;
-+
-+#ifdef HMAC_DRBG_TRACE
-+ fprintf(stderr, "K+V after instantiate:\n");
-+ hexprint(stderr, hmac->K, hmac->blocklength);
-+ hexprint(stderr, hmac->V, hmac->blocklength);
-+#endif
-+ return 1;
-+}
-+
-+static int drbg_hmac_reseed(DRBG_CTX *dctx,
-+ const unsigned char *ent, size_t ent_len,
-+ const unsigned char *adin, size_t adin_len)
-+{
-+ if (!drbg_hmac_update(dctx, ent, ent_len, adin, adin_len, NULL, 0))
-+ return 0;
-+
-+#ifdef HMAC_DRBG_TRACE
-+ {
-+ DRBG_HMAC_CTX *hmac = &dctx->d.hmac;
-+ fprintf(stderr, "K+V after reseed:\n");
-+ hexprint(stderr, hmac->K, hmac->blocklength);
-+ hexprint(stderr, hmac->V, hmac->blocklength);
-+ }
-+#endif
-+ return 1;
-+}
-+
-+static int drbg_hmac_generate(DRBG_CTX *dctx,
-+ unsigned char *out, size_t outlen,
-+ const unsigned char *adin, size_t adin_len)
-+{
-+ DRBG_HMAC_CTX *hmac = &dctx->d.hmac;
-+ HMAC_CTX *hctx = hmac->hctx;
-+ const unsigned char *Vtmp = hmac->V;
-+ if (adin_len && !drbg_hmac_update(dctx, adin, adin_len, NULL, 0, NULL, 0))
-+ return 0;
-+ for (;;) {
-+ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
-+ return 0;
-+ if (!HMAC_Update(hctx, Vtmp, dctx->blocklength))
-+ return 0;
-+ if (!(dctx->xflags & DRBG_FLAG_TEST) && !dctx->lb_valid) {
-+ if (!HMAC_Final(hctx, dctx->lb, NULL))
-+ return 0;
-+ dctx->lb_valid = 1;
-+ Vtmp = dctx->lb;
-+ continue;
-+ } else if (outlen > dctx->blocklength) {
-+ if (!HMAC_Final(hctx, out, NULL))
-+ return 0;
-+ if (!fips_drbg_cprng_test(dctx, out))
-+ return 0;
-+ Vtmp = out;
-+ } else {
-+ if (!HMAC_Final(hctx, hmac->V, NULL))
-+ return 0;
-+ if (!fips_drbg_cprng_test(dctx, hmac->V))
-+ return 0;
-+ memcpy(out, hmac->V, outlen);
-+ break;
-+ }
-+ out += dctx->blocklength;
-+ outlen -= dctx->blocklength;
-+ }
-+ if (!drbg_hmac_update(dctx, adin, adin_len, NULL, 0, NULL, 0))
-+ return 0;
-+
-+ return 1;
-+}
-+
-+static int drbg_hmac_uninstantiate(DRBG_CTX *dctx)
-+{
-+ HMAC_CTX_free(dctx->d.hmac.hctx);
-+ OPENSSL_cleanse(&dctx->d.hmac, sizeof(DRBG_HMAC_CTX));
-+ return 1;
-+}
-+
-+int fips_drbg_hmac_init(DRBG_CTX *dctx)
-+{
-+ const EVP_MD *md = NULL;
-+ DRBG_HMAC_CTX *hctx = &dctx->d.hmac;
-+ dctx->strength = 256;
-+ switch (dctx->type) {
-+ case NID_hmacWithSHA1:
-+ md = EVP_sha1();
-+ dctx->strength = 128;
-+ break;
-+
-+ case NID_hmacWithSHA224:
-+ md = EVP_sha224();
-+ dctx->strength = 192;
-+ break;
-+
-+ case NID_hmacWithSHA256:
-+ md = EVP_sha256();
-+ break;
-+
-+ case NID_hmacWithSHA384:
-+ md = EVP_sha384();
-+ break;
-+
-+ case NID_hmacWithSHA512:
-+ md = EVP_sha512();
-+ break;
-+
-+ default:
-+ dctx->strength = 0;
-+ return -2;
-+ }
-+ dctx->instantiate = drbg_hmac_instantiate;
-+ dctx->reseed = drbg_hmac_reseed;
-+ dctx->generate = drbg_hmac_generate;
-+ dctx->uninstantiate = drbg_hmac_uninstantiate;
-+ hctx->hctx = HMAC_CTX_new();
-+ if (hctx->hctx == NULL)
-+ return -1;
-+ hctx->md = md;
-+ dctx->blocklength = M_EVP_MD_size(md);
-+ dctx->seedlen = M_EVP_MD_size(md);
-+
-+ dctx->min_entropy = dctx->strength / 8;
-+ dctx->max_entropy = DRBG_MAX_LENGTH;
-+
-+ dctx->min_nonce = dctx->min_entropy / 2;
-+ dctx->max_nonce = DRBG_MAX_LENGTH;
-+
-+ dctx->max_pers = DRBG_MAX_LENGTH;
-+ dctx->max_adin = DRBG_MAX_LENGTH;
-+
-+ dctx->max_request = 1 << 16;
-+ dctx->reseed_interval = 1 << 24;
-+
-+ return 1;
-+}
-diff -up openssl-1.1.0h/crypto/fips/fips_drbg_lib.c.fips openssl-1.1.0h/crypto/fips/fips_drbg_lib.c
---- openssl-1.1.0h/crypto/fips/fips_drbg_lib.c.fips 2018-03-29 14:44:24.633236807 +0200
-+++ openssl-1.1.0h/crypto/fips/fips_drbg_lib.c 2018-03-29 14:44:24.633236807 +0200
-@@ -0,0 +1,555 @@
-+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
-+ * project.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ */
-+
-+#include <string.h>
-+#include <openssl/crypto.h>
-+#include <openssl/err.h>
-+#include <openssl/fips.h>
-+#include "internal/fips_int.h"
-+#include <openssl/fips_rand.h>
-+#include "fips_locl.h"
-+#include "fips_rand_lcl.h"
-+
-+/* Support framework for SP800-90 DRBGs */
-+
-+int FIPS_drbg_init(DRBG_CTX *dctx, int type, unsigned int flags)
-+{
-+ int rv;
-+ memset(dctx, 0, sizeof(DRBG_CTX));
-+ dctx->status = DRBG_STATUS_UNINITIALISED;
-+ dctx->xflags = flags;
-+ dctx->type = type;
-+
-+ dctx->iflags = 0;
-+ dctx->entropy_blocklen = 0;
-+ dctx->health_check_cnt = 0;
-+ dctx->health_check_interval = DRBG_HEALTH_INTERVAL;
-+
-+ rv = fips_drbg_hash_init(dctx);
-+
-+ if (rv == -2)
-+ rv = fips_drbg_ctr_init(dctx);
-+ if (rv == -2)
-+ rv = fips_drbg_hmac_init(dctx);
-+
-+ if (rv <= 0) {
-+ if (rv == -2)
-+ FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_UNSUPPORTED_DRBG_TYPE);
-+ else
-+ FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_ERROR_INITIALISING_DRBG);
-+ }
-+
-+ /* If not in test mode run selftests on DRBG of the same type */
-+
-+ if (!(dctx->xflags & DRBG_FLAG_TEST)) {
-+ if (!FIPS_drbg_health_check(dctx)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_SELFTEST_FAILURE);
-+ return 0;
-+ }
-+ }
-+
-+ return rv;
-+}
-+
-+DRBG_CTX *FIPS_drbg_new(int type, unsigned int flags)
-+{
-+ DRBG_CTX *dctx;
-+ dctx = OPENSSL_malloc(sizeof(DRBG_CTX));
-+ if (!dctx) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_NEW, ERR_R_MALLOC_FAILURE);
-+ return NULL;
-+ }
-+
-+ if (type == 0) {
-+ memset(dctx, 0, sizeof(DRBG_CTX));
-+ dctx->type = 0;
-+ dctx->status = DRBG_STATUS_UNINITIALISED;
-+ return dctx;
-+ }
-+
-+ if (FIPS_drbg_init(dctx, type, flags) <= 0) {
-+ OPENSSL_free(dctx);
-+ return NULL;
-+ }
-+
-+ return dctx;
-+}
-+
-+void FIPS_drbg_free(DRBG_CTX *dctx)
-+{
-+ if (dctx->uninstantiate)
-+ dctx->uninstantiate(dctx);
-+ /* Don't free up default DRBG */
-+ if (dctx == FIPS_get_default_drbg()) {
-+ memset(dctx, 0, sizeof(DRBG_CTX));
-+ dctx->type = 0;
-+ dctx->status = DRBG_STATUS_UNINITIALISED;
-+ } else {
-+ OPENSSL_cleanse(&dctx->d, sizeof(dctx->d));
-+ OPENSSL_free(dctx);
-+ }
-+}
-+
-+static size_t fips_get_entropy(DRBG_CTX *dctx, unsigned char **pout,
-+ int entropy, size_t min_len, size_t max_len)
-+{
-+ unsigned char *tout, *p;
-+ size_t bl = dctx->entropy_blocklen, rv;
-+ if (!dctx->get_entropy)
-+ return 0;
-+ if (dctx->xflags & DRBG_FLAG_TEST || !bl)
-+ return dctx->get_entropy(dctx, pout, entropy, min_len, max_len);
-+ rv = dctx->get_entropy(dctx, &tout, entropy + bl,
-+ min_len + bl, max_len + bl);
-+ if (tout == NULL)
-+ return 0;
-+ *pout = tout + bl;
-+ if (rv < (min_len + bl) || (rv % bl))
-+ return 0;
-+ /* Compare consecutive blocks for continuous PRNG test */
-+ for (p = tout; p < tout + rv - bl; p += bl) {
-+ if (!memcmp(p, p + bl, bl)) {
-+ FIPSerr(FIPS_F_FIPS_GET_ENTROPY, FIPS_R_ENTROPY_SOURCE_STUCK);
-+ return 0;
-+ }
-+ }
-+ rv -= bl;
-+ if (rv > max_len)
-+ return max_len;
-+ return rv;
-+}
-+
-+static void fips_cleanup_entropy(DRBG_CTX *dctx,
-+ unsigned char *out, size_t olen)
-+{
-+ size_t bl;
-+ if (dctx->xflags & DRBG_FLAG_TEST)
-+ bl = 0;
-+ else
-+ bl = dctx->entropy_blocklen;
-+ /* Call cleanup with original arguments */
-+ dctx->cleanup_entropy(dctx, out - bl, olen + bl);
-+}
-+
-+int FIPS_drbg_instantiate(DRBG_CTX *dctx,
-+ const unsigned char *pers, size_t perslen)
-+{
-+ size_t entlen = 0, noncelen = 0;
-+ unsigned char *nonce = NULL, *entropy = NULL;
-+
-+#if 0
-+ /* Put here so error script picks them up */
-+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE,
-+ FIPS_R_PERSONALISATION_STRING_TOO_LONG);
-+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_IN_ERROR_STATE);
-+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ALREADY_INSTANTIATED);
-+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_ENTROPY);
-+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_NONCE);
-+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_INSTANTIATE_ERROR);
-+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_DRBG_NOT_INITIALISED);
-+#endif
-+
-+ int r = 0;
-+
-+ if (perslen > dctx->max_pers) {
-+ r = FIPS_R_PERSONALISATION_STRING_TOO_LONG;
-+ goto end;
-+ }
-+
-+ if (!dctx->instantiate) {
-+ r = FIPS_R_DRBG_NOT_INITIALISED;
-+ goto end;
-+ }
-+
-+ if (dctx->status != DRBG_STATUS_UNINITIALISED) {
-+ if (dctx->status == DRBG_STATUS_ERROR)
-+ r = FIPS_R_IN_ERROR_STATE;
-+ else
-+ r = FIPS_R_ALREADY_INSTANTIATED;
-+ goto end;
-+ }
-+
-+ dctx->status = DRBG_STATUS_ERROR;
-+
-+ entlen = fips_get_entropy(dctx, &entropy, dctx->strength,
-+ dctx->min_entropy, dctx->max_entropy);
-+
-+ if (entlen < dctx->min_entropy || entlen > dctx->max_entropy) {
-+ r = FIPS_R_ERROR_RETRIEVING_ENTROPY;
-+ goto end;
-+ }
-+
-+ if (dctx->max_nonce > 0 && dctx->get_nonce) {
-+ noncelen = dctx->get_nonce(dctx, &nonce,
-+ dctx->strength / 2,
-+ dctx->min_nonce, dctx->max_nonce);
-+
-+ if (noncelen < dctx->min_nonce || noncelen > dctx->max_nonce) {
-+ r = FIPS_R_ERROR_RETRIEVING_NONCE;
-+ goto end;
-+ }
-+
-+ }
-+
-+ if (!dctx->instantiate(dctx,
-+ entropy, entlen, nonce, noncelen, pers, perslen)) {
-+ r = FIPS_R_ERROR_INSTANTIATING_DRBG;
-+ goto end;
-+ }
-+
-+ dctx->status = DRBG_STATUS_READY;
-+ if (!(dctx->iflags & DRBG_CUSTOM_RESEED))
-+ dctx->reseed_counter = 1;
-+
-+ end:
-+
-+ if (entropy && dctx->cleanup_entropy)
-+ fips_cleanup_entropy(dctx, entropy, entlen);
-+
-+ if (nonce && dctx->cleanup_nonce)
-+ dctx->cleanup_nonce(dctx, nonce, noncelen);
-+
-+ if (dctx->status == DRBG_STATUS_READY)
-+ return 1;
-+
-+ if (r && !(dctx->iflags & DRBG_FLAG_NOERR))
-+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, r);
-+
-+ return 0;
-+
-+}
-+
-+static int drbg_reseed(DRBG_CTX *dctx,
-+ const unsigned char *adin, size_t adinlen, int hcheck)
-+{
-+ unsigned char *entropy = NULL;
-+ size_t entlen = 0;
-+ int r = 0;
-+
-+#if 0
-+ FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_NOT_INSTANTIATED);
-+ FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_ADDITIONAL_INPUT_TOO_LONG);
-+#endif
-+ if (dctx->status != DRBG_STATUS_READY
-+ && dctx->status != DRBG_STATUS_RESEED) {
-+ if (dctx->status == DRBG_STATUS_ERROR)
-+ r = FIPS_R_IN_ERROR_STATE;
-+ else if (dctx->status == DRBG_STATUS_UNINITIALISED)
-+ r = FIPS_R_NOT_INSTANTIATED;
-+ goto end;
-+ }
-+
-+ if (!adin)
-+ adinlen = 0;
-+ else if (adinlen > dctx->max_adin) {
-+ r = FIPS_R_ADDITIONAL_INPUT_TOO_LONG;
-+ goto end;
-+ }
-+
-+ dctx->status = DRBG_STATUS_ERROR;
-+ /* Peform health check on all reseed operations if not a prediction
-+ * resistance request and not in test mode.
-+ */
-+ if (hcheck && !(dctx->xflags & DRBG_FLAG_TEST)) {
-+ if (!FIPS_drbg_health_check(dctx)) {
-+ r = FIPS_R_SELFTEST_FAILURE;
-+ goto end;
-+ }
-+ }
-+
-+ entlen = fips_get_entropy(dctx, &entropy, dctx->strength,
-+ dctx->min_entropy, dctx->max_entropy);
-+
-+ if (entlen < dctx->min_entropy || entlen > dctx->max_entropy) {
-+ r = FIPS_R_ERROR_RETRIEVING_ENTROPY;
-+ goto end;
-+ }
-+
-+ if (!dctx->reseed(dctx, entropy, entlen, adin, adinlen))
-+ goto end;
-+
-+ dctx->status = DRBG_STATUS_READY;
-+ if (!(dctx->iflags & DRBG_CUSTOM_RESEED))
-+ dctx->reseed_counter = 1;
-+ end:
-+
-+ if (entropy && dctx->cleanup_entropy)
-+ fips_cleanup_entropy(dctx, entropy, entlen);
-+
-+ if (dctx->status == DRBG_STATUS_READY)
-+ return 1;
-+
-+ if (r && !(dctx->iflags & DRBG_FLAG_NOERR))
-+ FIPSerr(FIPS_F_DRBG_RESEED, r);
-+
-+ return 0;
-+}
-+
-+int FIPS_drbg_reseed(DRBG_CTX *dctx,
-+ const unsigned char *adin, size_t adinlen)
-+{
-+ return drbg_reseed(dctx, adin, adinlen, 1);
-+}
-+
-+static int fips_drbg_check(DRBG_CTX *dctx)
-+{
-+ if (dctx->xflags & DRBG_FLAG_TEST)
-+ return 1;
-+ dctx->health_check_cnt++;
-+ if (dctx->health_check_cnt >= dctx->health_check_interval) {
-+ if (!FIPS_drbg_health_check(dctx)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_CHECK, FIPS_R_SELFTEST_FAILURE);
-+ return 0;
-+ }
-+ }
-+ return 1;
-+}
-+
-+int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
-+ int prediction_resistance,
-+ const unsigned char *adin, size_t adinlen)
-+{
-+ int r = 0;
-+
-+ if (FIPS_selftest_failed()) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, FIPS_R_SELFTEST_FAILED);
-+ return 0;
-+ }
-+
-+ if (!fips_drbg_check(dctx))
-+ return 0;
-+
-+ if (dctx->status != DRBG_STATUS_READY
-+ && dctx->status != DRBG_STATUS_RESEED) {
-+ if (dctx->status == DRBG_STATUS_ERROR)
-+ r = FIPS_R_IN_ERROR_STATE;
-+ else if (dctx->status == DRBG_STATUS_UNINITIALISED)
-+ r = FIPS_R_NOT_INSTANTIATED;
-+ goto end;
-+ }
-+
-+ if (outlen > dctx->max_request) {
-+ r = FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG;
-+ return 0;
-+ }
-+
-+ if (adinlen > dctx->max_adin) {
-+ r = FIPS_R_ADDITIONAL_INPUT_TOO_LONG;
-+ goto end;
-+ }
-+
-+ if (dctx->iflags & DRBG_CUSTOM_RESEED)
-+ dctx->generate(dctx, NULL, outlen, NULL, 0);
-+ else if (dctx->reseed_counter >= dctx->reseed_interval)
-+ dctx->status = DRBG_STATUS_RESEED;
-+
-+ if (dctx->status == DRBG_STATUS_RESEED || prediction_resistance) {
-+ /* If prediction resistance request don't do health check */
-+ int hcheck = prediction_resistance ? 0 : 1;
-+
-+ if (!drbg_reseed(dctx, adin, adinlen, hcheck)) {
-+ r = FIPS_R_RESEED_ERROR;
-+ goto end;
-+ }
-+ adin = NULL;
-+ adinlen = 0;
-+ }
-+
-+ if (!dctx->generate(dctx, out, outlen, adin, adinlen)) {
-+ r = FIPS_R_GENERATE_ERROR;
-+ dctx->status = DRBG_STATUS_ERROR;
-+ goto end;
-+ }
-+ if (!(dctx->iflags & DRBG_CUSTOM_RESEED)) {
-+ if (dctx->reseed_counter >= dctx->reseed_interval)
-+ dctx->status = DRBG_STATUS_RESEED;
-+ else
-+ dctx->reseed_counter++;
-+ }
-+
-+ end:
-+ if (r) {
-+ if (!(dctx->iflags & DRBG_FLAG_NOERR))
-+ FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, r);
-+ return 0;
-+ }
-+
-+ return 1;
-+}
-+
-+int FIPS_drbg_uninstantiate(DRBG_CTX *dctx)
-+{
-+ int rv;
-+ if (!dctx->uninstantiate)
-+ rv = 1;
-+ else
-+ rv = dctx->uninstantiate(dctx);
-+ /* Although we'd like to cleanse here we can't because we have to
-+ * test the uninstantiate really zeroes the data.
-+ */
-+ memset(&dctx->d, 0, sizeof(dctx->d));
-+ dctx->status = DRBG_STATUS_UNINITIALISED;
-+ /* If method has problems uninstantiating, return error */
-+ return rv;
-+}
-+
-+int FIPS_drbg_set_callbacks(DRBG_CTX *dctx,
-+ size_t (*get_entropy) (DRBG_CTX *ctx,
-+ unsigned char **pout,
-+ int entropy,
-+ size_t min_len,
-+ size_t max_len),
-+ void (*cleanup_entropy) (DRBG_CTX *ctx,
-+ unsigned char *out,
-+ size_t olen),
-+ size_t entropy_blocklen,
-+ size_t (*get_nonce) (DRBG_CTX *ctx,
-+ unsigned char **pout,
-+ int entropy, size_t min_len,
-+ size_t max_len),
-+ void (*cleanup_nonce) (DRBG_CTX *ctx,
-+ unsigned char *out,
-+ size_t olen))
-+{
-+ if (dctx->status != DRBG_STATUS_UNINITIALISED)
-+ return 0;
-+ dctx->entropy_blocklen = entropy_blocklen;
-+ dctx->get_entropy = get_entropy;
-+ dctx->cleanup_entropy = cleanup_entropy;
-+ dctx->get_nonce = get_nonce;
-+ dctx->cleanup_nonce = cleanup_nonce;
-+ return 1;
-+}
-+
-+int FIPS_drbg_set_rand_callbacks(DRBG_CTX *dctx,
-+ size_t (*get_adin) (DRBG_CTX *ctx,
-+ unsigned char **pout),
-+ void (*cleanup_adin) (DRBG_CTX *ctx,
-+ unsigned char *out,
-+ size_t olen),
-+ int (*rand_seed_cb) (DRBG_CTX *ctx,
-+ const void *buf,
-+ int num),
-+ int (*rand_add_cb) (DRBG_CTX *ctx,
-+ const void *buf, int num,
-+ double entropy))
-+{
-+ if (dctx->status != DRBG_STATUS_UNINITIALISED)
-+ return 0;
-+ dctx->get_adin = get_adin;
-+ dctx->cleanup_adin = cleanup_adin;
-+ dctx->rand_seed_cb = rand_seed_cb;
-+ dctx->rand_add_cb = rand_add_cb;
-+ return 1;
-+}
-+
-+void *FIPS_drbg_get_app_data(DRBG_CTX *dctx)
-+{
-+ return dctx->app_data;
-+}
-+
-+void FIPS_drbg_set_app_data(DRBG_CTX *dctx, void *app_data)
-+{
-+ dctx->app_data = app_data;
-+}
-+
-+size_t FIPS_drbg_get_blocklength(DRBG_CTX *dctx)
-+{
-+ return dctx->blocklength;
-+}
-+
-+int FIPS_drbg_get_strength(DRBG_CTX *dctx)
-+{
-+ return dctx->strength;
-+}
-+
-+void FIPS_drbg_set_check_interval(DRBG_CTX *dctx, int interval)
-+{
-+ dctx->health_check_interval = interval;
-+}
-+
-+void FIPS_drbg_set_reseed_interval(DRBG_CTX *dctx, int interval)
-+{
-+ dctx->reseed_interval = interval;
-+}
-+
-+static int drbg_stick = 0;
-+
-+void FIPS_drbg_stick(int onoff)
-+{
-+ drbg_stick = onoff;
-+}
-+
-+/* Continuous DRBG utility function */
-+int fips_drbg_cprng_test(DRBG_CTX *dctx, const unsigned char *out)
-+{
-+ /* No CPRNG in test mode */
-+ if (dctx->xflags & DRBG_FLAG_TEST)
-+ return 1;
-+ /* Check block is valid: should never happen */
-+ if (dctx->lb_valid == 0) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_CPRNG_TEST, FIPS_R_INTERNAL_ERROR);
-+ fips_set_selftest_fail();
-+ return 0;
-+ }
-+ if (drbg_stick)
-+ memcpy(dctx->lb, out, dctx->blocklength);
-+ /* Check against last block: fail if match */
-+ if (!memcmp(dctx->lb, out, dctx->blocklength)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_CPRNG_TEST, FIPS_R_DRBG_STUCK);
-+ fips_set_selftest_fail();
-+ return 0;
-+ }
-+ /* Save last block for next comparison */
-+ memcpy(dctx->lb, out, dctx->blocklength);
-+ return 1;
-+}
-diff -up openssl-1.1.0h/crypto/fips/fips_drbg_rand.c.fips openssl-1.1.0h/crypto/fips/fips_drbg_rand.c
---- openssl-1.1.0h/crypto/fips/fips_drbg_rand.c.fips 2018-03-29 14:44:24.633236807 +0200
-+++ openssl-1.1.0h/crypto/fips/fips_drbg_rand.c 2018-03-29 14:44:24.633236807 +0200
-@@ -0,0 +1,183 @@
-+/* fips/rand/fips_drbg_rand.c */
-+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
-+ * project.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ */
-+
-+#include <string.h>
-+#include <openssl/crypto.h>
-+#include "internal/thread_once.h"
-+#include <openssl/err.h>
-+#include <openssl/rand.h>
-+#include <openssl/fips.h>
-+#include <openssl/fips_rand.h>
-+#include "fips_rand_lcl.h"
-+
-+/* Mapping of SP800-90 DRBGs to OpenSSL RAND_METHOD */
-+
-+/* Since we only have one global PRNG used at any time in OpenSSL use a global
-+ * variable to store context.
-+ */
-+
-+static DRBG_CTX ossl_dctx;
-+
-+static CRYPTO_RWLOCK *fips_rand_lock = NULL;
-+static CRYPTO_ONCE fips_rand_lock_init = CRYPTO_ONCE_STATIC_INIT;
-+
-+DEFINE_RUN_ONCE_STATIC(do_fips_rand_lock_init)
-+{
-+ fips_rand_lock = CRYPTO_THREAD_lock_new();
-+ return fips_rand_lock != NULL;
-+}
-+
-+DRBG_CTX *FIPS_get_default_drbg(void)
-+{
-+ if (!RUN_ONCE(&fips_rand_lock_init, do_fips_rand_lock_init))
-+ return NULL;
-+ return &ossl_dctx;
-+}
-+
-+static int fips_drbg_bytes(unsigned char *out, int count)
-+{
-+ DRBG_CTX *dctx = &ossl_dctx;
-+ int rv = 0;
-+ unsigned char *adin = NULL;
-+ size_t adinlen = 0;
-+ CRYPTO_THREAD_write_lock(fips_rand_lock);
-+ do {
-+ size_t rcnt;
-+ if (count > (int)dctx->max_request)
-+ rcnt = dctx->max_request;
-+ else
-+ rcnt = count;
-+ if (dctx->get_adin) {
-+ adinlen = dctx->get_adin(dctx, &adin);
-+ if (adinlen && !adin) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_BYTES,
-+ FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT);
-+ goto err;
-+ }
-+ }
-+ rv = FIPS_drbg_generate(dctx, out, rcnt, 0, adin, adinlen);
-+ if (adin) {
-+ if (dctx->cleanup_adin)
-+ dctx->cleanup_adin(dctx, adin, adinlen);
-+ adin = NULL;
-+ }
-+ if (!rv)
-+ goto err;
-+ out += rcnt;
-+ count -= rcnt;
-+ }
-+ while (count);
-+ rv = 1;
-+ err:
-+ CRYPTO_THREAD_unlock(fips_rand_lock);
-+ return rv;
-+}
-+
-+static int fips_drbg_pseudo(unsigned char *out, int count)
-+{
-+ if (fips_drbg_bytes(out, count) <= 0)
-+ return -1;
-+ return 1;
-+}
-+
-+static int fips_drbg_status(void)
-+{
-+ DRBG_CTX *dctx = &ossl_dctx;
-+ int rv;
-+ CRYPTO_THREAD_read_lock(fips_rand_lock);
-+ rv = dctx->status == DRBG_STATUS_READY ? 1 : 0;
-+ CRYPTO_THREAD_unlock(fips_rand_lock);
-+ return rv;
-+}
-+
-+static void fips_drbg_cleanup(void)
-+{
-+ DRBG_CTX *dctx = &ossl_dctx;
-+ CRYPTO_THREAD_write_lock(fips_rand_lock);
-+ FIPS_drbg_uninstantiate(dctx);
-+ CRYPTO_THREAD_unlock(fips_rand_lock);
-+}
-+
-+static int fips_drbg_seed(const void *seed, int seedlen)
-+{
-+ DRBG_CTX *dctx = &ossl_dctx;
-+ CRYPTO_THREAD_write_lock(fips_rand_lock);
-+ if (dctx->rand_seed_cb)
-+ return dctx->rand_seed_cb(dctx, seed, seedlen);
-+ CRYPTO_THREAD_unlock(fips_rand_lock);
-+ return 1;
-+}
-+
-+static int fips_drbg_add(const void *seed, int seedlen, double add_entropy)
-+{
-+ DRBG_CTX *dctx = &ossl_dctx;
-+ CRYPTO_THREAD_write_lock(fips_rand_lock);
-+ if (dctx->rand_add_cb)
-+ return dctx->rand_add_cb(dctx, seed, seedlen, add_entropy);
-+ CRYPTO_THREAD_unlock(fips_rand_lock);
-+ return 1;
-+}
-+
-+static const RAND_METHOD rand_drbg_meth = {
-+ fips_drbg_seed,
-+ fips_drbg_bytes,
-+ fips_drbg_cleanup,
-+ fips_drbg_add,
-+ fips_drbg_pseudo,
-+ fips_drbg_status
-+};
-+
-+const RAND_METHOD *FIPS_drbg_method(void)
-+{
-+ return &rand_drbg_meth;
-+}
-diff -up openssl-1.1.0h/crypto/fips/fips_drbg_selftest.c.fips openssl-1.1.0h/crypto/fips/fips_drbg_selftest.c
---- openssl-1.1.0h/crypto/fips/fips_drbg_selftest.c.fips 2018-03-29 14:44:24.634236830 +0200
-+++ openssl-1.1.0h/crypto/fips/fips_drbg_selftest.c 2018-03-29 14:44:24.634236830 +0200
-@@ -0,0 +1,828 @@
-+/* fips/rand/fips_drbg_selftest.c */
-+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
-+ * project.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ */
-+
-+#include <string.h>
-+#include <openssl/crypto.h>
-+#include <openssl/err.h>
-+#include <openssl/fips.h>
-+#include <openssl/fips_rand.h>
-+#include "fips_rand_lcl.h"
-+#include "fips_locl.h"
-+
-+#include "fips_drbg_selftest.h"
-+
-+typedef struct {
-+ int post;
-+ int nid;
-+ unsigned int flags;
-+
-+ /* KAT data for no PR */
-+ const unsigned char *ent;
-+ size_t entlen;
-+ const unsigned char *nonce;
-+ size_t noncelen;
-+ const unsigned char *pers;
-+ size_t perslen;
-+ const unsigned char *adin;
-+ size_t adinlen;
-+ const unsigned char *entreseed;
-+ size_t entreseedlen;
-+ const unsigned char *adinreseed;
-+ size_t adinreseedlen;
-+ const unsigned char *adin2;
-+ size_t adin2len;
-+ const unsigned char *kat;
-+ size_t katlen;
-+ const unsigned char *kat2;
-+ size_t kat2len;
-+
-+ /* KAT data for PR */
-+ const unsigned char *ent_pr;
-+ size_t entlen_pr;
-+ const unsigned char *nonce_pr;
-+ size_t noncelen_pr;
-+ const unsigned char *pers_pr;
-+ size_t perslen_pr;
-+ const unsigned char *adin_pr;
-+ size_t adinlen_pr;
-+ const unsigned char *entpr_pr;
-+ size_t entprlen_pr;
-+ const unsigned char *ading_pr;
-+ size_t adinglen_pr;
-+ const unsigned char *entg_pr;
-+ size_t entglen_pr;
-+ const unsigned char *kat_pr;
-+ size_t katlen_pr;
-+ const unsigned char *kat2_pr;
-+ size_t kat2len_pr;
-+
-+} DRBG_SELFTEST_DATA;
-+
-+#define make_drbg_test_data(nid, flag, pr, p) {p, nid, flag | DRBG_FLAG_TEST, \
-+ pr##_entropyinput, sizeof(pr##_entropyinput), \
-+ pr##_nonce, sizeof(pr##_nonce), \
-+ pr##_personalizationstring, sizeof(pr##_personalizationstring), \
-+ pr##_additionalinput, sizeof(pr##_additionalinput), \
-+ pr##_entropyinputreseed, sizeof(pr##_entropyinputreseed), \
-+ pr##_additionalinputreseed, sizeof(pr##_additionalinputreseed), \
-+ pr##_additionalinput2, sizeof(pr##_additionalinput2), \
-+ pr##_int_returnedbits, sizeof(pr##_int_returnedbits), \
-+ pr##_returnedbits, sizeof(pr##_returnedbits), \
-+ pr##_pr_entropyinput, sizeof(pr##_pr_entropyinput), \
-+ pr##_pr_nonce, sizeof(pr##_pr_nonce), \
-+ pr##_pr_personalizationstring, sizeof(pr##_pr_personalizationstring), \
-+ pr##_pr_additionalinput, sizeof(pr##_pr_additionalinput), \
-+ pr##_pr_entropyinputpr, sizeof(pr##_pr_entropyinputpr), \
-+ pr##_pr_additionalinput2, sizeof(pr##_pr_additionalinput2), \
-+ pr##_pr_entropyinputpr2, sizeof(pr##_pr_entropyinputpr2), \
-+ pr##_pr_int_returnedbits, sizeof(pr##_pr_int_returnedbits), \
-+ pr##_pr_returnedbits, sizeof(pr##_pr_returnedbits), \
-+ }
-+
-+#define make_drbg_test_data_df(nid, pr, p) \
-+ make_drbg_test_data(nid, DRBG_FLAG_CTR_USE_DF, pr, p)
-+
-+#define make_drbg_test_data_ec(curve, md, pr, p) \
-+ make_drbg_test_data((curve << 16) | md , 0, pr, p)
-+
-+static DRBG_SELFTEST_DATA drbg_test[] = {
-+ make_drbg_test_data_df(NID_aes_128_ctr, aes_128_use_df, 0),
-+ make_drbg_test_data_df(NID_aes_192_ctr, aes_192_use_df, 0),
-+ make_drbg_test_data_df(NID_aes_256_ctr, aes_256_use_df, 1),
-+ make_drbg_test_data(NID_aes_128_ctr, 0, aes_128_no_df, 0),
-+ make_drbg_test_data(NID_aes_192_ctr, 0, aes_192_no_df, 0),
-+ make_drbg_test_data(NID_aes_256_ctr, 0, aes_256_no_df, 1),
-+ make_drbg_test_data(NID_sha1, 0, sha1, 0),
-+ make_drbg_test_data(NID_sha224, 0, sha224, 0),
-+ make_drbg_test_data(NID_sha256, 0, sha256, 1),
-+ make_drbg_test_data(NID_sha384, 0, sha384, 0),
-+ make_drbg_test_data(NID_sha512, 0, sha512, 0),
-+ make_drbg_test_data(NID_hmacWithSHA1, 0, hmac_sha1, 0),
-+ make_drbg_test_data(NID_hmacWithSHA224, 0, hmac_sha224, 0),
-+ make_drbg_test_data(NID_hmacWithSHA256, 0, hmac_sha256, 1),
-+ make_drbg_test_data(NID_hmacWithSHA384, 0, hmac_sha384, 0),
-+ make_drbg_test_data(NID_hmacWithSHA512, 0, hmac_sha512, 0),
-+ {0, 0, 0}
-+};
-+
-+typedef struct {
-+ const unsigned char *ent;
-+ size_t entlen;
-+ int entcnt;
-+ const unsigned char *nonce;
-+ size_t noncelen;
-+ int noncecnt;
-+} TEST_ENT;
-+
-+static size_t test_entropy(DRBG_CTX *dctx, unsigned char **pout,
-+ int entropy, size_t min_len, size_t max_len)
-+{
-+ TEST_ENT *t = FIPS_drbg_get_app_data(dctx);
-+ *pout = (unsigned char *)t->ent;
-+ t->entcnt++;
-+ return t->entlen;
-+}
-+
-+static size_t test_nonce(DRBG_CTX *dctx, unsigned char **pout,
-+ int entropy, size_t min_len, size_t max_len)
-+{
-+ TEST_ENT *t = FIPS_drbg_get_app_data(dctx);
-+ *pout = (unsigned char *)t->nonce;
-+ t->noncecnt++;
-+ return t->noncelen;
-+}
-+
-+static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td,
-+ int quick)
-+{
-+ TEST_ENT t;
-+ int rv = 0;
-+ size_t adinlen;
-+ unsigned char randout[1024];
-+
-+ /* Initial test without PR */
-+
-+ /* Instantiate DRBG with test entropy, nonce and personalisation
-+ * string.
-+ */
-+
-+ if (!FIPS_drbg_init(dctx, td->nid, td->flags))
-+ return 0;
-+ if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
-+ return 0;
-+
-+ FIPS_drbg_set_app_data(dctx, &t);
-+
-+ t.ent = td->ent;
-+ t.entlen = td->entlen;
-+ t.nonce = td->nonce;
-+ t.noncelen = td->noncelen;
-+ t.entcnt = 0;
-+ t.noncecnt = 0;
-+
-+ if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen))
-+ goto err;
-+
-+ /* Note for CTR without DF some additional input values
-+ * ignore bytes after the keylength: so reduce adinlen
-+ * to half to ensure invalid data is fed in.
-+ */
-+ if (!fips_post_corrupt(FIPS_TEST_DRBG, dctx->type, &dctx->iflags))
-+ adinlen = td->adinlen / 2;
-+ else
-+ adinlen = td->adinlen;
-+
-+ /* Generate with no PR and verify output matches expected data */
-+ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, td->adin, adinlen))
-+ goto err;
-+
-+ if (memcmp(randout, td->kat, td->katlen)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_NOPR_TEST1_FAILURE);
-+ goto err2;
-+ }
-+ /* If abbreviated POST end of test */
-+ if (quick) {
-+ rv = 1;
-+ goto err;
-+ }
-+ /* Reseed DRBG with test entropy and additional input */
-+ t.ent = td->entreseed;
-+ t.entlen = td->entreseedlen;
-+
-+ if (!FIPS_drbg_reseed(dctx, td->adinreseed, td->adinreseedlen))
-+ goto err;
-+
-+ /* Generate with no PR and verify output matches expected data */
-+ if (!FIPS_drbg_generate(dctx, randout, td->kat2len, 0,
-+ td->adin2, td->adin2len))
-+ goto err;
-+
-+ if (memcmp(randout, td->kat2, td->kat2len)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_NOPR_TEST2_FAILURE);
-+ goto err2;
-+ }
-+
-+ FIPS_drbg_uninstantiate(dctx);
-+
-+ /* Now test with PR */
-+
-+ /* Instantiate DRBG with test entropy, nonce and personalisation
-+ * string.
-+ */
-+ if (!FIPS_drbg_init(dctx, td->nid, td->flags))
-+ return 0;
-+ if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
-+ return 0;
-+
-+ FIPS_drbg_set_app_data(dctx, &t);
-+
-+ t.ent = td->ent_pr;
-+ t.entlen = td->entlen_pr;
-+ t.nonce = td->nonce_pr;
-+ t.noncelen = td->noncelen_pr;
-+ t.entcnt = 0;
-+ t.noncecnt = 0;
-+
-+ if (!FIPS_drbg_instantiate(dctx, td->pers_pr, td->perslen_pr))
-+ goto err;
-+
-+ /* Now generate with PR: we need to supply entropy as this will
-+ * perform a reseed operation. Check output matches expected value.
-+ */
-+
-+ t.ent = td->entpr_pr;
-+ t.entlen = td->entprlen_pr;
-+
-+ /* Note for CTR without DF some additional input values
-+ * ignore bytes after the keylength: so reduce adinlen
-+ * to half to ensure invalid data is fed in.
-+ */
-+ if (!fips_post_corrupt(FIPS_TEST_DRBG, dctx->type, &dctx->iflags))
-+ adinlen = td->adinlen_pr / 2;
-+ else
-+ adinlen = td->adinlen_pr;
-+ if (!FIPS_drbg_generate(dctx, randout, td->katlen_pr, 1,
-+ td->adin_pr, adinlen))
-+ goto err;
-+
-+ if (memcmp(randout, td->kat_pr, td->katlen_pr)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_PR_TEST1_FAILURE);
-+ goto err2;
-+ }
-+
-+ /* Now generate again with PR: supply new entropy again.
-+ * Check output matches expected value.
-+ */
-+
-+ t.ent = td->entg_pr;
-+ t.entlen = td->entglen_pr;
-+
-+ if (!FIPS_drbg_generate(dctx, randout, td->kat2len_pr, 1,
-+ td->ading_pr, td->adinglen_pr))
-+ goto err;
-+
-+ if (memcmp(randout, td->kat2_pr, td->kat2len_pr)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_PR_TEST2_FAILURE);
-+ goto err2;
-+ }
-+ /* All OK, test complete */
-+ rv = 1;
-+
-+ err:
-+ if (rv == 0)
-+ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_SELFTEST_FAILED);
-+ err2:
-+ FIPS_drbg_uninstantiate(dctx);
-+
-+ return rv;
-+
-+}
-+
-+/* Initialise a DRBG based on selftest data */
-+
-+static int do_drbg_init(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td, TEST_ENT * t)
-+{
-+
-+ if (!FIPS_drbg_init(dctx, td->nid, td->flags))
-+ return 0;
-+
-+ if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
-+ return 0;
-+
-+ FIPS_drbg_set_app_data(dctx, t);
-+
-+ t->ent = td->ent;
-+ t->entlen = td->entlen;
-+ t->nonce = td->nonce;
-+ t->noncelen = td->noncelen;
-+ t->entcnt = 0;
-+ t->noncecnt = 0;
-+ return 1;
-+}
-+
-+/* Initialise and instantiate DRBG based on selftest data */
-+static int do_drbg_instantiate(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td,
-+ TEST_ENT * t)
-+{
-+ if (!do_drbg_init(dctx, td, t))
-+ return 0;
-+ if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen))
-+ return 0;
-+
-+ return 1;
-+}
-+
-+/* This function performs extensive error checking as required by SP800-90.
-+ * Induce several failure modes and check an error condition is set.
-+ * This function along with fips_drbg_single_kat peforms the health checking
-+ * operation.
-+ */
-+
-+static int fips_drbg_error_check(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td)
-+{
-+ unsigned char randout[1024];
-+ TEST_ENT t;
-+ size_t i;
-+ unsigned int reseed_counter_tmp;
-+ unsigned char *p = (unsigned char *)dctx;
-+
-+ /* Initialise DRBG */
-+
-+ if (!do_drbg_init(dctx, td, &t))
-+ goto err;
-+
-+ /* Don't report induced errors */
-+ dctx->iflags |= DRBG_FLAG_NOERR;
-+
-+ /* Personalisation string tests */
-+
-+ /* Test detection of too large personlisation string */
-+
-+ if (FIPS_drbg_instantiate(dctx, td->pers, dctx->max_pers + 1) > 0) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
-+ FIPS_R_PERSONALISATION_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ /* Entropy source tests */
-+
-+ /* Test entropy source failure detecion: i.e. returns no data */
-+
-+ t.entlen = 0;
-+
-+ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
-+ FIPS_R_ENTROPY_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ /* Try to generate output from uninstantiated DRBG */
-+ if (FIPS_drbg_generate(dctx, randout, td->katlen, 0,
-+ td->adin, td->adinlen)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
-+ FIPS_R_GENERATE_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ dctx->iflags &= ~DRBG_FLAG_NOERR;
-+ if (!FIPS_drbg_uninstantiate(dctx)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
-+ goto err;
-+ }
-+
-+ if (!do_drbg_init(dctx, td, &t))
-+ goto err;
-+
-+ dctx->iflags |= DRBG_FLAG_NOERR;
-+
-+ /* Test insufficient entropy */
-+
-+ t.entlen = dctx->min_entropy - 1;
-+
-+ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
-+ FIPS_R_ENTROPY_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ dctx->iflags &= ~DRBG_FLAG_NOERR;
-+ if (!FIPS_drbg_uninstantiate(dctx)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
-+ goto err;
-+ }
-+
-+ /* Test too much entropy */
-+
-+ if (!do_drbg_init(dctx, td, &t))
-+ goto err;
-+
-+ dctx->iflags |= DRBG_FLAG_NOERR;
-+
-+ t.entlen = dctx->max_entropy + 1;
-+
-+ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
-+ FIPS_R_ENTROPY_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ dctx->iflags &= ~DRBG_FLAG_NOERR;
-+ if (!FIPS_drbg_uninstantiate(dctx)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
-+ goto err;
-+ }
-+
-+ /* Nonce tests */
-+
-+ /* Test too small nonce */
-+
-+ if (dctx->min_nonce) {
-+
-+ if (!do_drbg_init(dctx, td, &t))
-+ goto err;
-+
-+ dctx->iflags |= DRBG_FLAG_NOERR;
-+
-+ t.noncelen = dctx->min_nonce - 1;
-+
-+ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
-+ FIPS_R_NONCE_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ dctx->iflags &= ~DRBG_FLAG_NOERR;
-+ if (!FIPS_drbg_uninstantiate(dctx)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
-+ goto err;
-+ }
-+
-+ }
-+
-+ /* Test too large nonce */
-+
-+ if (dctx->max_nonce) {
-+
-+ if (!do_drbg_init(dctx, td, &t))
-+ goto err;
-+
-+ dctx->iflags |= DRBG_FLAG_NOERR;
-+
-+ t.noncelen = dctx->max_nonce + 1;
-+
-+ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
-+ FIPS_R_NONCE_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ dctx->iflags &= ~DRBG_FLAG_NOERR;
-+ if (!FIPS_drbg_uninstantiate(dctx)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
-+ goto err;
-+ }
-+
-+ }
-+
-+ /* Instantiate with valid data. */
-+ if (!do_drbg_instantiate(dctx, td, &t))
-+ goto err;
-+
-+ /* Check generation is now OK */
-+ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,
-+ td->adin, td->adinlen))
-+ goto err;
-+
-+ dctx->iflags |= DRBG_FLAG_NOERR;
-+
-+ /* Request too much data for one request */
-+ if (FIPS_drbg_generate(dctx, randout, dctx->max_request + 1, 0,
-+ td->adin, td->adinlen)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
-+ FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ /* Try too large additional input */
-+ if (FIPS_drbg_generate(dctx, randout, td->katlen, 0,
-+ td->adin, dctx->max_adin + 1)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
-+ FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ /* Check prediction resistance request fails if entropy source
-+ * failure.
-+ */
-+
-+ t.entlen = 0;
-+
-+ if (FIPS_drbg_generate(dctx, randout, td->katlen, 1,
-+ td->adin, td->adinlen)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
-+ FIPS_R_ENTROPY_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ dctx->iflags &= ~DRBG_FLAG_NOERR;
-+ if (!FIPS_drbg_uninstantiate(dctx)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
-+ goto err;
-+ }
-+
-+ /* Instantiate again with valid data */
-+
-+ if (!do_drbg_instantiate(dctx, td, &t))
-+ goto err;
-+ /* Test reseed counter works */
-+ /* Save initial reseed counter */
-+ reseed_counter_tmp = dctx->reseed_counter;
-+ /* Set reseed counter to beyond interval */
-+ dctx->reseed_counter = dctx->reseed_interval;
-+
-+ /* Generate output and check entropy has been requested for reseed */
-+ t.entcnt = 0;
-+ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,
-+ td->adin, td->adinlen))
-+ goto err;
-+ if (t.entcnt != 1) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
-+ FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED);
-+ goto err;
-+ }
-+ /* Check reseed counter has been reset */
-+ if (dctx->reseed_counter != reseed_counter_tmp + 1) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_RESEED_COUNTER_ERROR);
-+ goto err;
-+ }
-+
-+ dctx->iflags &= ~DRBG_FLAG_NOERR;
-+ if (!FIPS_drbg_uninstantiate(dctx)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
-+ goto err;
-+ }
-+
-+ /* Check prediction resistance request fails if entropy source
-+ * failure.
-+ */
-+
-+ t.entlen = 0;
-+
-+ dctx->iflags |= DRBG_FLAG_NOERR;
-+ if (FIPS_drbg_generate(dctx, randout, td->katlen, 1,
-+ td->adin, td->adinlen)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
-+ FIPS_R_ENTROPY_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ dctx->iflags &= ~DRBG_FLAG_NOERR;
-+
-+ if (!FIPS_drbg_uninstantiate(dctx)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
-+ goto err;
-+ }
-+
-+ if (!do_drbg_instantiate(dctx, td, &t))
-+ goto err;
-+ /* Test reseed counter works */
-+ /* Save initial reseed counter */
-+ reseed_counter_tmp = dctx->reseed_counter;
-+ /* Set reseed counter to beyond interval */
-+ dctx->reseed_counter = dctx->reseed_interval;
-+
-+ /* Generate output and check entropy has been requested for reseed */
-+ t.entcnt = 0;
-+ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,
-+ td->adin, td->adinlen))
-+ goto err;
-+ if (t.entcnt != 1) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
-+ FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED);
-+ goto err;
-+ }
-+ /* Check reseed counter has been reset */
-+ if (dctx->reseed_counter != reseed_counter_tmp + 1) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_RESEED_COUNTER_ERROR);
-+ goto err;
-+ }
-+
-+ dctx->iflags &= ~DRBG_FLAG_NOERR;
-+ if (!FIPS_drbg_uninstantiate(dctx)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
-+ goto err;
-+ }
-+
-+ /* Explicit reseed tests */
-+
-+ /* Test explicit reseed with too large additional input */
-+ if (!do_drbg_init(dctx, td, &t))
-+ goto err;
-+
-+ dctx->iflags |= DRBG_FLAG_NOERR;
-+
-+ if (FIPS_drbg_reseed(dctx, td->adin, dctx->max_adin + 1) > 0) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
-+ FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ /* Test explicit reseed with entropy source failure */
-+
-+ t.entlen = 0;
-+
-+ if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
-+ FIPS_R_ENTROPY_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ if (!FIPS_drbg_uninstantiate(dctx)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
-+ goto err;
-+ }
-+
-+ /* Test explicit reseed with too much entropy */
-+
-+ if (!do_drbg_init(dctx, td, &t))
-+ goto err;
-+
-+ dctx->iflags |= DRBG_FLAG_NOERR;
-+
-+ t.entlen = dctx->max_entropy + 1;
-+
-+ if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
-+ FIPS_R_ENTROPY_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ if (!FIPS_drbg_uninstantiate(dctx)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
-+ goto err;
-+ }
-+
-+ /* Test explicit reseed with too little entropy */
-+
-+ if (!do_drbg_init(dctx, td, &t))
-+ goto err;
-+
-+ dctx->iflags |= DRBG_FLAG_NOERR;
-+
-+ t.entlen = dctx->min_entropy - 1;
-+
-+ if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
-+ FIPS_R_ENTROPY_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ if (!FIPS_drbg_uninstantiate(dctx)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
-+ goto err;
-+ }
-+
-+ p = (unsigned char *)&dctx->d;
-+ /* Standard says we have to check uninstantiate really zeroes
-+ * the data...
-+ */
-+ for (i = 0; i < sizeof(dctx->d); i++) {
-+ if (*p != 0) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
-+ FIPS_R_UNINSTANTIATE_ZEROISE_ERROR);
-+ goto err;
-+ }
-+ p++;
-+ }
-+
-+ return 1;
-+
-+ err:
-+ /* A real error as opposed to an induced one: underlying function will
-+ * indicate the error.
-+ */
-+ if (!(dctx->iflags & DRBG_FLAG_NOERR))
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_FUNCTION_ERROR);
-+ FIPS_drbg_uninstantiate(dctx);
-+ return 0;
-+
-+}
-+
-+int fips_drbg_kat(DRBG_CTX *dctx, int nid, unsigned int flags)
-+{
-+ DRBG_SELFTEST_DATA *td;
-+ flags |= DRBG_FLAG_TEST;
-+ for (td = drbg_test; td->nid != 0; td++) {
-+ if (td->nid == nid && td->flags == flags) {
-+ if (!fips_drbg_single_kat(dctx, td, 0))
-+ return 0;
-+ return fips_drbg_error_check(dctx, td);
-+ }
-+ }
-+ return 0;
-+}
-+
-+int FIPS_drbg_health_check(DRBG_CTX *dctx)
-+{
-+ int rv;
-+ DRBG_CTX *tctx = NULL;
-+ tctx = FIPS_drbg_new(0, 0);
-+ fips_post_started(FIPS_TEST_DRBG, dctx->type, &dctx->xflags);
-+ if (!tctx)
-+ return 0;
-+ rv = fips_drbg_kat(tctx, dctx->type, dctx->xflags);
-+ if (tctx)
-+ FIPS_drbg_free(tctx);
-+ if (rv)
-+ fips_post_success(FIPS_TEST_DRBG, dctx->type, &dctx->xflags);
-+ else
-+ fips_post_failed(FIPS_TEST_DRBG, dctx->type, &dctx->xflags);
-+ if (!rv)
-+ dctx->status = DRBG_STATUS_ERROR;
-+ else
-+ dctx->health_check_cnt = 0;
-+ return rv;
-+}
-+
-+int FIPS_selftest_drbg(void)
-+{
-+ DRBG_CTX *dctx;
-+ DRBG_SELFTEST_DATA *td;
-+ int rv = 1;
-+ dctx = FIPS_drbg_new(0, 0);
-+ if (!dctx)
-+ return 0;
-+ for (td = drbg_test; td->nid != 0; td++) {
-+ if (td->post != 1)
-+ continue;
-+ if (!fips_post_started(FIPS_TEST_DRBG, td->nid, &td->flags))
-+ return 1;
-+ if (!fips_drbg_single_kat(dctx, td, 1)) {
-+ fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags);
-+ rv = 0;
-+ continue;
-+ }
-+ if (!fips_post_success(FIPS_TEST_DRBG, td->nid, &td->flags))
-+ return 0;
-+ }
-+ FIPS_drbg_free(dctx);
-+ return rv;
-+}
-+
-+int FIPS_selftest_drbg_all(void)
-+{
-+ DRBG_CTX *dctx;
-+ DRBG_SELFTEST_DATA *td;
-+ int rv = 1;
-+ dctx = FIPS_drbg_new(0, 0);
-+ if (!dctx)
-+ return 0;
-+ for (td = drbg_test; td->nid != 0; td++) {
-+ if (!fips_post_started(FIPS_TEST_DRBG, td->nid, &td->flags))
-+ return 1;
-+ if (!fips_drbg_single_kat(dctx, td, 0)) {
-+ fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags);
-+ rv = 0;
-+ continue;
-+ }
-+ if (!fips_drbg_error_check(dctx, td)) {
-+ fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags);
-+ rv = 0;
-+ continue;
-+ }
-+ if (!fips_post_success(FIPS_TEST_DRBG, td->nid, &td->flags))
-+ return 0;
-+ }
-+ FIPS_drbg_free(dctx);
-+ return rv;
-+}
-diff -up openssl-1.1.0h/crypto/fips/fips_drbg_selftest.h.fips openssl-1.1.0h/crypto/fips/fips_drbg_selftest.h
---- openssl-1.1.0h/crypto/fips/fips_drbg_selftest.h.fips 2018-03-29 14:44:24.634236830 +0200
-+++ openssl-1.1.0h/crypto/fips/fips_drbg_selftest.h 2018-03-29 14:44:24.634236830 +0200
-@@ -0,0 +1,1791 @@
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+/* Selftest and health check data for the SP800-90 DRBG */
-+
-+#define __fips_constseg
-+
-+/* AES-128 use df PR */
-+__fips_constseg static const unsigned char aes_128_use_df_pr_entropyinput[] = {
-+ 0x61, 0x52, 0x7c, 0xe3, 0x23, 0x7d, 0x0a, 0x07, 0x10, 0x0c, 0x50, 0x33,
-+ 0xc8, 0xdb, 0xff, 0x12
-+};
-+
-+__fips_constseg static const unsigned char aes_128_use_df_pr_nonce[] = {
-+ 0x51, 0x0d, 0x85, 0x77, 0xed, 0x22, 0x97, 0x28
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_128_use_df_pr_personalizationstring[] = {
-+ 0x59, 0x9f, 0xbb, 0xcd, 0xd5, 0x25, 0x69, 0xb5, 0xcb, 0xb5, 0x03, 0xfe,
-+ 0xd7, 0xd7, 0x01, 0x67
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_128_use_df_pr_additionalinput[] = {
-+ 0xef, 0x88, 0x76, 0x01, 0xaf, 0x3c, 0xfe, 0x8b, 0xaf, 0x26, 0x06, 0x9e,
-+ 0x9a, 0x47, 0x08, 0x76
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_128_use_df_pr_entropyinputpr[] = {
-+ 0xe2, 0x76, 0xf9, 0xf6, 0x3a, 0xba, 0x10, 0x9f, 0xbf, 0x47, 0x0e, 0x51,
-+ 0x09, 0xfb, 0xa3, 0xb6
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_128_use_df_pr_int_returnedbits[] = {
-+ 0xd4, 0x98, 0x8a, 0x46, 0x80, 0x4c, 0xdb, 0xa3, 0x59, 0x02, 0x57, 0x52,
-+ 0x66, 0x1c, 0xea, 0x5b
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_128_use_df_pr_additionalinput2[] = {
-+ 0x88, 0x8c, 0x91, 0xd6, 0xbe, 0x56, 0x6e, 0x08, 0x9a, 0x62, 0x2b, 0x11,
-+ 0x3f, 0x5e, 0x31, 0x06
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_128_use_df_pr_entropyinputpr2[] = {
-+ 0xc0, 0x5c, 0x6b, 0x98, 0x01, 0x0d, 0x58, 0x18, 0x51, 0x18, 0x96, 0xae,
-+ 0xa7, 0xe3, 0xa8, 0x67
-+};
-+
-+__fips_constseg static const unsigned char aes_128_use_df_pr_returnedbits[] = {
-+ 0xcf, 0x01, 0xac, 0x22, 0x31, 0x06, 0x8e, 0xfc, 0xce, 0x56, 0xea, 0x24,
-+ 0x0f, 0x38, 0x43, 0xc6
-+};
-+
-+/* AES-128 use df No PR */
-+__fips_constseg static const unsigned char aes_128_use_df_entropyinput[] = {
-+ 0x1f, 0x8e, 0x34, 0x82, 0x0c, 0xb7, 0xbe, 0xc5, 0x01, 0x3e, 0xd0, 0xa3,
-+ 0x9d, 0x7d, 0x1c, 0x9b
-+};
-+
-+__fips_constseg static const unsigned char aes_128_use_df_nonce[] = {
-+ 0xd5, 0x4d, 0xbd, 0x4a, 0x93, 0x7f, 0xb8, 0x96
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_128_use_df_personalizationstring[] = {
-+ 0xab, 0xd6, 0x3f, 0x04, 0xfe, 0x27, 0x6b, 0x2d, 0xd7, 0xc3, 0x1c, 0xf3,
-+ 0x38, 0x66, 0xba, 0x1b
-+};
-+
-+__fips_constseg static const unsigned char aes_128_use_df_additionalinput[] = {
-+ 0xfe, 0xf4, 0x09, 0xa8, 0xb7, 0x73, 0x27, 0x9c, 0x5f, 0xa7, 0xea, 0x46,
-+ 0xb5, 0xe2, 0xb2, 0x41
-+};
-+
-+__fips_constseg static const unsigned char aes_128_use_df_int_returnedbits[] = {
-+ 0x42, 0xe4, 0x4e, 0x7b, 0x27, 0xdd, 0xcb, 0xbc, 0x0a, 0xcf, 0xa6, 0x67,
-+ 0xe7, 0x57, 0x11, 0xb4
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_128_use_df_entropyinputreseed[] = {
-+ 0x14, 0x26, 0x69, 0xd9, 0xf3, 0x65, 0x03, 0xd6, 0x6b, 0xb9, 0x44, 0x0b,
-+ 0xc7, 0xc4, 0x9e, 0x39
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_128_use_df_additionalinputreseed[] = {
-+ 0x55, 0x2e, 0x60, 0x9a, 0x05, 0x72, 0x8a, 0xa8, 0xef, 0x22, 0x81, 0x5a,
-+ 0xc8, 0x93, 0xfa, 0x84
-+};
-+
-+__fips_constseg static const unsigned char aes_128_use_df_additionalinput2[] = {
-+ 0x3c, 0x40, 0xc8, 0xc4, 0x16, 0x0c, 0x21, 0xa4, 0x37, 0x2c, 0x8f, 0xa5,
-+ 0x06, 0x0c, 0x15, 0x2c
-+};
-+
-+__fips_constseg static const unsigned char aes_128_use_df_returnedbits[] = {
-+ 0xe1, 0x3e, 0x99, 0x98, 0x86, 0x67, 0x0b, 0x63, 0x7b, 0xbe, 0x3f, 0x88,
-+ 0x46, 0x81, 0xc7, 0x19
-+};
-+
-+/* AES-192 use df PR */
-+__fips_constseg static const unsigned char aes_192_use_df_pr_entropyinput[] = {
-+ 0x2b, 0x4e, 0x8b, 0xe1, 0xf1, 0x34, 0x80, 0x56, 0x81, 0xf9, 0x74, 0xec,
-+ 0x17, 0x44, 0x2a, 0xf1, 0x14, 0xb0, 0xbf, 0x97, 0x39, 0xb7, 0x04, 0x7d
-+};
-+
-+__fips_constseg static const unsigned char aes_192_use_df_pr_nonce[] = {
-+ 0xd6, 0x9d, 0xeb, 0x14, 0x4e, 0x6c, 0x30, 0x1e, 0x39, 0x55, 0x73, 0xd0,
-+ 0xd1, 0x80, 0x78, 0xfa
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_192_use_df_pr_personalizationstring[] = {
-+ 0xfc, 0x43, 0x4a, 0xf8, 0x9a, 0x55, 0xb3, 0x53, 0x83, 0xe2, 0x18, 0x16,
-+ 0x0c, 0xdc, 0xcd, 0x5e, 0x4f, 0xa0, 0x03, 0x01, 0x2b, 0x9f, 0xe4, 0xd5,
-+ 0x7d, 0x49, 0xf0, 0x41, 0x9e, 0x3d, 0x99, 0x04
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_192_use_df_pr_additionalinput[] = {
-+ 0x5e, 0x9f, 0x49, 0x6f, 0x21, 0x8b, 0x1d, 0x32, 0xd5, 0x84, 0x5c, 0xac,
-+ 0xaf, 0xdf, 0xe4, 0x79, 0x9e, 0xaf, 0xa9, 0x82, 0xd0, 0xf8, 0x4f, 0xcb,
-+ 0x69, 0x10, 0x0a, 0x7e, 0x81, 0x57, 0xb5, 0x36
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_192_use_df_pr_entropyinputpr[] = {
-+ 0xd4, 0x81, 0x0c, 0xd7, 0x66, 0x39, 0xec, 0x42, 0x53, 0x87, 0x41, 0xa5,
-+ 0x1e, 0x7d, 0x80, 0x91, 0x8e, 0xbb, 0xed, 0xac, 0x14, 0x02, 0x1a, 0xd5
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_192_use_df_pr_int_returnedbits[] = {
-+ 0xdf, 0x1d, 0x39, 0x45, 0x7c, 0x9b, 0xc6, 0x2b, 0x7d, 0x8c, 0x93, 0xe9,
-+ 0x19, 0x30, 0x6b, 0x67
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_192_use_df_pr_additionalinput2[] = {
-+ 0x00, 0x71, 0x27, 0x4e, 0xd3, 0x14, 0xf1, 0x20, 0x7f, 0x4a, 0x41, 0x32,
-+ 0x2a, 0x97, 0x11, 0x43, 0x8f, 0x4a, 0x15, 0x7b, 0x9b, 0x51, 0x79, 0xda,
-+ 0x49, 0x3d, 0xde, 0xe8, 0xbc, 0x93, 0x91, 0x99
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_192_use_df_pr_entropyinputpr2[] = {
-+ 0x90, 0xee, 0x76, 0xa1, 0x45, 0x8d, 0xb7, 0x40, 0xb0, 0x11, 0xbf, 0xd0,
-+ 0x65, 0xd7, 0x3c, 0x7c, 0x4f, 0x20, 0x3f, 0x4e, 0x11, 0x9d, 0xb3, 0x5e
-+};
-+
-+__fips_constseg static const unsigned char aes_192_use_df_pr_returnedbits[] = {
-+ 0x24, 0x3b, 0x20, 0xa4, 0x37, 0x66, 0xba, 0x72, 0x39, 0x3f, 0xcf, 0x3c,
-+ 0x7e, 0x1a, 0x2b, 0x83
-+};
-+
-+/* AES-192 use df No PR */
-+__fips_constseg static const unsigned char aes_192_use_df_entropyinput[] = {
-+ 0x8d, 0x74, 0xa4, 0x50, 0x1a, 0x02, 0x68, 0x0c, 0x2a, 0x69, 0xc4, 0x82,
-+ 0x3b, 0xbb, 0xda, 0x0e, 0x7f, 0x77, 0xa3, 0x17, 0x78, 0x57, 0xb2, 0x7b
-+};
-+
-+__fips_constseg static const unsigned char aes_192_use_df_nonce[] = {
-+ 0x75, 0xd5, 0x1f, 0xac, 0xa4, 0x8d, 0x42, 0x78, 0xd7, 0x69, 0x86, 0x9d,
-+ 0x77, 0xd7, 0x41, 0x0e
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_192_use_df_personalizationstring[] = {
-+ 0x4e, 0x33, 0x41, 0x3c, 0x9c, 0xc2, 0xd2, 0x53, 0xaf, 0x90, 0xea, 0xcf,
-+ 0x19, 0x50, 0x1e, 0xe6, 0x6f, 0x63, 0xc8, 0x32, 0x22, 0xdc, 0x07, 0x65,
-+ 0x9c, 0xd3, 0xf8, 0x30, 0x9e, 0xed, 0x35, 0x70
-+};
-+
-+__fips_constseg static const unsigned char aes_192_use_df_additionalinput[] = {
-+ 0x5d, 0x8b, 0x8c, 0xc1, 0xdf, 0x0e, 0x02, 0x78, 0xfb, 0x19, 0xb8, 0x69,
-+ 0x78, 0x4e, 0x9c, 0x52, 0xbc, 0xc7, 0x20, 0xc9, 0xe6, 0x5e, 0x77, 0x22,
-+ 0x28, 0x3d, 0x0c, 0x9e, 0x68, 0xa8, 0x45, 0xd7
-+};
-+
-+__fips_constseg static const unsigned char aes_192_use_df_int_returnedbits[] = {
-+ 0xd5, 0xe7, 0x08, 0xc5, 0x19, 0x99, 0xd5, 0x31, 0x03, 0x0a, 0x74, 0xb6,
-+ 0xb7, 0xed, 0xe9, 0xea
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_192_use_df_entropyinputreseed[] = {
-+ 0x9c, 0x26, 0xda, 0xf1, 0xac, 0xd9, 0x5a, 0xd6, 0xa8, 0x65, 0xf5, 0x02,
-+ 0x8f, 0xdc, 0xa2, 0x09, 0x54, 0xa6, 0xe2, 0xa4, 0xde, 0x32, 0xe0, 0x01
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_192_use_df_additionalinputreseed[] = {
-+ 0x9b, 0x90, 0xb0, 0x3a, 0x0e, 0x3a, 0x80, 0x07, 0x4a, 0xf4, 0xda, 0x76,
-+ 0x28, 0x30, 0x3c, 0xee, 0x54, 0x1b, 0x94, 0x59, 0x51, 0x43, 0x56, 0x77,
-+ 0xaf, 0x88, 0xdd, 0x63, 0x89, 0x47, 0x06, 0x65
-+};
-+
-+__fips_constseg static const unsigned char aes_192_use_df_additionalinput2[] = {
-+ 0x3c, 0x11, 0x64, 0x7a, 0x96, 0xf5, 0xd8, 0xb8, 0xae, 0xd6, 0x70, 0x4e,
-+ 0x16, 0x96, 0xde, 0xe9, 0x62, 0xbc, 0xee, 0x28, 0x2f, 0x26, 0xa6, 0xf0,
-+ 0x56, 0xef, 0xa3, 0xf1, 0x6b, 0xa1, 0xb1, 0x77
-+};
-+
-+__fips_constseg static const unsigned char aes_192_use_df_returnedbits[] = {
-+ 0x0b, 0xe2, 0x56, 0x03, 0x1e, 0xdb, 0x2c, 0x6d, 0x7f, 0x1b, 0x15, 0x58,
-+ 0x1a, 0xf9, 0x13, 0x28
-+};
-+
-+/* AES-256 use df PR */
-+__fips_constseg static const unsigned char aes_256_use_df_pr_entropyinput[] = {
-+ 0x61, 0x68, 0xfc, 0x1a, 0xf0, 0xb5, 0x95, 0x6b, 0x85, 0x09, 0x9b, 0x74,
-+ 0x3f, 0x13, 0x78, 0x49, 0x3b, 0x85, 0xec, 0x93, 0x13, 0x3b, 0xa9, 0x4f,
-+ 0x96, 0xab, 0x2c, 0xe4, 0xc8, 0x8f, 0xdd, 0x6a
-+};
-+
-+__fips_constseg static const unsigned char aes_256_use_df_pr_nonce[] = {
-+ 0xad, 0xd2, 0xbb, 0xba, 0xb7, 0x65, 0x89, 0xc3, 0x21, 0x6c, 0x55, 0x33,
-+ 0x2b, 0x36, 0xff, 0xa4
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_256_use_df_pr_personalizationstring[] = {
-+ 0x6e, 0xca, 0xe7, 0x20, 0x72, 0xd3, 0x84, 0x5a, 0x32, 0xd3, 0x4b, 0x24,
-+ 0x72, 0xc4, 0x63, 0x2b, 0x9d, 0x12, 0x24, 0x0c, 0x23, 0x26, 0x8e, 0x83,
-+ 0x16, 0x37, 0x0b, 0xd1, 0x06, 0x4f, 0x68, 0x6d
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_256_use_df_pr_additionalinput[] = {
-+ 0x7e, 0x08, 0x4a, 0xbb, 0xe3, 0x21, 0x7c, 0xc9, 0x23, 0xd2, 0xf8, 0xb0,
-+ 0x73, 0x98, 0xba, 0x84, 0x74, 0x23, 0xab, 0x06, 0x8a, 0xe2, 0x22, 0xd3,
-+ 0x7b, 0xce, 0x9b, 0xd2, 0x4a, 0x76, 0xb8, 0xde
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_256_use_df_pr_entropyinputpr[] = {
-+ 0x0b, 0x23, 0xaf, 0xdf, 0xf1, 0x62, 0xd7, 0xd3, 0x43, 0x97, 0xf8, 0x77,
-+ 0x04, 0xa8, 0x42, 0x20, 0xbd, 0xf6, 0x0f, 0xc1, 0x17, 0x2f, 0x9f, 0x54,
-+ 0xbb, 0x56, 0x17, 0x86, 0x68, 0x0e, 0xba, 0xa9
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_256_use_df_pr_int_returnedbits[] = {
-+ 0x31, 0x8e, 0xad, 0xaf, 0x40, 0xeb, 0x6b, 0x74, 0x31, 0x46, 0x80, 0xc7,
-+ 0x17, 0xab, 0x3c, 0x7a
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_256_use_df_pr_additionalinput2[] = {
-+ 0x94, 0x6b, 0xc9, 0x9f, 0xab, 0x8d, 0xc5, 0xec, 0x71, 0x88, 0x1d, 0x00,
-+ 0x8c, 0x89, 0x68, 0xe4, 0xc8, 0x07, 0x77, 0x36, 0x17, 0x6d, 0x79, 0x78,
-+ 0xc7, 0x06, 0x4e, 0x99, 0x04, 0x28, 0x29, 0xc3
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_256_use_df_pr_entropyinputpr2[] = {
-+ 0xbf, 0x6c, 0x59, 0x2a, 0x0d, 0x44, 0x0f, 0xae, 0x9a, 0x5e, 0x03, 0x73,
-+ 0xd8, 0xa6, 0xe1, 0xcf, 0x25, 0x61, 0x38, 0x24, 0x86, 0x9e, 0x53, 0xe8,
-+ 0xa4, 0xdf, 0x56, 0xf4, 0x06, 0x07, 0x9c, 0x0f
-+};
-+
-+__fips_constseg static const unsigned char aes_256_use_df_pr_returnedbits[] = {
-+ 0x22, 0x4a, 0xb4, 0xb8, 0xb6, 0xee, 0x7d, 0xb1, 0x9e, 0xc9, 0xf9, 0xa0,
-+ 0xd9, 0xe2, 0x97, 0x00
-+};
-+
-+/* AES-256 use df No PR */
-+__fips_constseg static const unsigned char aes_256_use_df_entropyinput[] = {
-+ 0xa5, 0x3e, 0x37, 0x10, 0x17, 0x43, 0x91, 0x93, 0x59, 0x1e, 0x47, 0x50,
-+ 0x87, 0xaa, 0xdd, 0xd5, 0xc1, 0xc3, 0x86, 0xcd, 0xca, 0x0d, 0xdb, 0x68,
-+ 0xe0, 0x02, 0xd8, 0x0f, 0xdc, 0x40, 0x1a, 0x47
-+};
-+
-+__fips_constseg static const unsigned char aes_256_use_df_nonce[] = {
-+ 0xa9, 0x4d, 0xa5, 0x5a, 0xfd, 0xc5, 0x0c, 0xe5, 0x1c, 0x9a, 0x3b, 0x8a,
-+ 0x4c, 0x44, 0x84, 0x40
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_256_use_df_personalizationstring[] = {
-+ 0x8b, 0x52, 0xa2, 0x4a, 0x93, 0xc3, 0x4e, 0xa7, 0x1e, 0x1c, 0xa7, 0x05,
-+ 0xeb, 0x82, 0x9b, 0xa6, 0x5d, 0xe4, 0xd4, 0xe0, 0x7f, 0xa3, 0xd8, 0x6b,
-+ 0x37, 0x84, 0x5f, 0xf1, 0xc7, 0xd5, 0xf6, 0xd2
-+};
-+
-+__fips_constseg static const unsigned char aes_256_use_df_additionalinput[] = {
-+ 0x20, 0xf4, 0x22, 0xed, 0xf8, 0x5c, 0xa1, 0x6a, 0x01, 0xcf, 0xbe, 0x5f,
-+ 0x8d, 0x6c, 0x94, 0x7f, 0xae, 0x12, 0xa8, 0x57, 0xdb, 0x2a, 0xa9, 0xbf,
-+ 0xc7, 0xb3, 0x65, 0x81, 0x80, 0x8d, 0x0d, 0x46
-+};
-+
-+__fips_constseg static const unsigned char aes_256_use_df_int_returnedbits[] = {
-+ 0x4e, 0x44, 0xfd, 0xf3, 0x9e, 0x29, 0xa2, 0xb8, 0x0f, 0x5d, 0x6c, 0xe1,
-+ 0x28, 0x0c, 0x3b, 0xc1
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_256_use_df_entropyinputreseed[] = {
-+ 0xdd, 0x40, 0xe5, 0x98, 0x7b, 0x27, 0x16, 0x73, 0x15, 0x68, 0xd2, 0x76,
-+ 0xbf, 0x0c, 0x67, 0x15, 0x75, 0x79, 0x03, 0xd3, 0xde, 0xde, 0x91, 0x46,
-+ 0x42, 0xdd, 0xd4, 0x67, 0xc8, 0x79, 0xc8, 0x1e
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_256_use_df_additionalinputreseed[] = {
-+ 0x7f, 0xd8, 0x1f, 0xbd, 0x2a, 0xb5, 0x1c, 0x11, 0x5d, 0x83, 0x4e, 0x99,
-+ 0xf6, 0x5c, 0xa5, 0x40, 0x20, 0xed, 0x38, 0x8e, 0xd5, 0x9e, 0xe0, 0x75,
-+ 0x93, 0xfe, 0x12, 0x5e, 0x5d, 0x73, 0xfb, 0x75
-+};
-+
-+__fips_constseg static const unsigned char aes_256_use_df_additionalinput2[] = {
-+ 0xcd, 0x2c, 0xff, 0x14, 0x69, 0x3e, 0x4c, 0x9e, 0xfd, 0xfe, 0x26, 0x0d,
-+ 0xe9, 0x86, 0x00, 0x49, 0x30, 0xba, 0xb1, 0xc6, 0x50, 0x57, 0x77, 0x2a,
-+ 0x62, 0x39, 0x2c, 0x3b, 0x74, 0xeb, 0xc9, 0x0d
-+};
-+
-+__fips_constseg static const unsigned char aes_256_use_df_returnedbits[] = {
-+ 0x4f, 0x78, 0xbe, 0xb9, 0x4d, 0x97, 0x8c, 0xe9, 0xd0, 0x97, 0xfe, 0xad,
-+ 0xfa, 0xfd, 0x35, 0x5e
-+};
-+
-+/* AES-128 no df PR */
-+__fips_constseg static const unsigned char aes_128_no_df_pr_entropyinput[] = {
-+ 0x9a, 0x25, 0x65, 0x10, 0x67, 0xd5, 0xb6, 0x6b, 0x70, 0xa1, 0xb3, 0xa4,
-+ 0x43, 0x95, 0x80, 0xc0, 0x84, 0x0a, 0x79, 0xb0, 0x88, 0x74, 0xf2, 0xbf,
-+ 0x31, 0x6c, 0x33, 0x38, 0x0b, 0x00, 0xb2, 0x5a
-+};
-+
-+__fips_constseg static const unsigned char aes_128_no_df_pr_nonce[] = {
-+ 0x78, 0x47, 0x6b, 0xf7, 0x90, 0x8e, 0x87, 0xf1
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_128_no_df_pr_personalizationstring[] = {
-+ 0xf7, 0x22, 0x1d, 0x3a, 0xbe, 0x1d, 0xca, 0x32, 0x1b, 0xbd, 0x87, 0x0c,
-+ 0x51, 0x24, 0x19, 0xee, 0xa3, 0x23, 0x09, 0x63, 0x33, 0x3d, 0xa8, 0x0c,
-+ 0x1c, 0xfa, 0x42, 0x89, 0xcc, 0x6f, 0xa0, 0xa8
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_128_no_df_pr_additionalinput[] = {
-+ 0xc9, 0xe0, 0x80, 0xbf, 0x8c, 0x45, 0x58, 0x39, 0xff, 0x00, 0xab, 0x02,
-+ 0x4c, 0x3e, 0x3a, 0x95, 0x9b, 0x80, 0xa8, 0x21, 0x2a, 0xee, 0xba, 0x73,
-+ 0xb1, 0xd9, 0xcf, 0x28, 0xf6, 0x8f, 0x9b, 0x12
-+};
-+
-+__fips_constseg static const unsigned char aes_128_no_df_pr_entropyinputpr[] = {
-+ 0x4c, 0xa8, 0xc5, 0xf0, 0x59, 0x9e, 0xa6, 0x8d, 0x26, 0x53, 0xd7, 0x8a,
-+ 0xa9, 0xd8, 0xf7, 0xed, 0xb2, 0xf9, 0x12, 0x42, 0xe1, 0xe5, 0xbd, 0xe7,
-+ 0xe7, 0x1d, 0x74, 0x99, 0x00, 0x9d, 0x31, 0x3e
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_128_no_df_pr_int_returnedbits[] = {
-+ 0xe2, 0xac, 0x20, 0xf0, 0x80, 0xe7, 0xbc, 0x7e, 0x9c, 0x7b, 0x65, 0x71,
-+ 0xaf, 0x19, 0x32, 0x16
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_128_no_df_pr_additionalinput2[] = {
-+ 0x32, 0x7f, 0x38, 0x8b, 0x73, 0x0a, 0x78, 0x83, 0xdc, 0x30, 0xbe, 0x9f,
-+ 0x10, 0x1f, 0xf5, 0x1f, 0xca, 0x00, 0xb5, 0x0d, 0xd6, 0x9d, 0x60, 0x83,
-+ 0x51, 0x54, 0x7d, 0x38, 0x23, 0x3a, 0x52, 0x50
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_128_no_df_pr_entropyinputpr2[] = {
-+ 0x18, 0x61, 0x53, 0x56, 0xed, 0xed, 0xd7, 0x20, 0xfb, 0x71, 0x04, 0x7a,
-+ 0xb2, 0xac, 0xc1, 0x28, 0xcd, 0xf2, 0xc2, 0xfc, 0xaa, 0xb1, 0x06, 0x07,
-+ 0xe9, 0x46, 0x95, 0x02, 0x48, 0x01, 0x78, 0xf9
-+};
-+
-+__fips_constseg static const unsigned char aes_128_no_df_pr_returnedbits[] = {
-+ 0x29, 0xc8, 0x1b, 0x15, 0xb1, 0xd1, 0xc2, 0xf6, 0x71, 0x86, 0x68, 0x33,
-+ 0x57, 0x82, 0x33, 0xaf
-+};
-+
-+/* AES-128 no df No PR */
-+__fips_constseg static const unsigned char aes_128_no_df_entropyinput[] = {
-+ 0xc9, 0xc5, 0x79, 0xbc, 0xe8, 0xc5, 0x19, 0xd8, 0xbc, 0x66, 0x73, 0x67,
-+ 0xf6, 0xd3, 0x72, 0xaa, 0xa6, 0x16, 0xb8, 0x50, 0xb7, 0x47, 0x3a, 0x42,
-+ 0xab, 0xf4, 0x16, 0xb2, 0x96, 0xd2, 0xb6, 0x60
-+};
-+
-+__fips_constseg static const unsigned char aes_128_no_df_nonce[] = {
-+ 0x5f, 0xbf, 0x97, 0x0c, 0x4b, 0xa4, 0x87, 0x13
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_128_no_df_personalizationstring[] = {
-+ 0xce, 0xfb, 0x7b, 0x3f, 0xd4, 0x6b, 0x29, 0x0d, 0x69, 0x06, 0xff, 0xbb,
-+ 0xf2, 0xe5, 0xc6, 0x6c, 0x0a, 0x10, 0xa0, 0xcf, 0x1a, 0x48, 0xc7, 0x8b,
-+ 0x3c, 0x16, 0x88, 0xed, 0x50, 0x13, 0x81, 0xce
-+};
-+
-+__fips_constseg static const unsigned char aes_128_no_df_additionalinput[] = {
-+ 0x4b, 0x22, 0x46, 0x18, 0x02, 0x7b, 0xd2, 0x1b, 0x22, 0x42, 0x7c, 0x37,
-+ 0xd9, 0xf6, 0xe8, 0x9b, 0x12, 0x30, 0x5f, 0xe9, 0x90, 0xe8, 0x08, 0x24,
-+ 0x4f, 0x06, 0x66, 0xdb, 0x19, 0x2b, 0x13, 0x95
-+};
-+
-+__fips_constseg static const unsigned char aes_128_no_df_int_returnedbits[] = {
-+ 0x2e, 0x96, 0x70, 0x64, 0xfa, 0xdf, 0xdf, 0x57, 0xb5, 0x82, 0xee, 0xd6,
-+ 0xed, 0x3e, 0x65, 0xc2
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_128_no_df_entropyinputreseed[] = {
-+ 0x26, 0xc0, 0x72, 0x16, 0x3a, 0x4b, 0xb7, 0x99, 0xd4, 0x07, 0xaf, 0x66,
-+ 0x62, 0x36, 0x96, 0xa4, 0x51, 0x17, 0xfa, 0x07, 0x8b, 0x17, 0x5e, 0xa1,
-+ 0x2f, 0x3c, 0x10, 0xe7, 0x90, 0xd0, 0x46, 0x00
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_128_no_df_additionalinputreseed[] = {
-+ 0x83, 0x39, 0x37, 0x7b, 0x02, 0x06, 0xd2, 0x12, 0x13, 0x8d, 0x8b, 0xf2,
-+ 0xf0, 0xf6, 0x26, 0xeb, 0xa4, 0x22, 0x7b, 0xc2, 0xe7, 0xba, 0x79, 0xe4,
-+ 0x3b, 0x77, 0x5d, 0x4d, 0x47, 0xb2, 0x2d, 0xb4
-+};
-+
-+__fips_constseg static const unsigned char aes_128_no_df_additionalinput2[] = {
-+ 0x0b, 0xb9, 0x67, 0x37, 0xdb, 0x83, 0xdf, 0xca, 0x81, 0x8b, 0xf9, 0x3f,
-+ 0xf1, 0x11, 0x1b, 0x2f, 0xf0, 0x61, 0xa6, 0xdf, 0xba, 0xa3, 0xb1, 0xac,
-+ 0xd3, 0xe6, 0x09, 0xb8, 0x2c, 0x6a, 0x67, 0xd6
-+};
-+
-+__fips_constseg static const unsigned char aes_128_no_df_returnedbits[] = {
-+ 0x1e, 0xa7, 0xa4, 0xe4, 0xe1, 0xa6, 0x7c, 0x69, 0x9a, 0x44, 0x6c, 0x36,
-+ 0x81, 0x37, 0x19, 0xd4
-+};
-+
-+/* AES-192 no df PR */
-+__fips_constseg static const unsigned char aes_192_no_df_pr_entropyinput[] = {
-+ 0x9d, 0x2c, 0xd2, 0x55, 0x66, 0xea, 0xe0, 0xbe, 0x18, 0xb7, 0x76, 0xe7,
-+ 0x73, 0x35, 0xd8, 0x1f, 0xad, 0x3a, 0xe3, 0x81, 0x0e, 0x92, 0xd0, 0x61,
-+ 0xc9, 0x12, 0x26, 0xf6, 0x1c, 0xdf, 0xfe, 0x47, 0xaa, 0xfe, 0x7d, 0x5a,
-+ 0x17, 0x1f, 0x8d, 0x9a
-+};
-+
-+__fips_constseg static const unsigned char aes_192_no_df_pr_nonce[] = {
-+ 0x44, 0x82, 0xed, 0xe8, 0x4c, 0x28, 0x5a, 0x14, 0xff, 0x88, 0x8d, 0x19,
-+ 0x61, 0x5c, 0xee, 0x0f
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_192_no_df_pr_personalizationstring[] = {
-+ 0x47, 0xd7, 0x9b, 0x99, 0xaa, 0xcb, 0xe7, 0xd2, 0x57, 0x66, 0x2c, 0xe1,
-+ 0x78, 0xd6, 0x2c, 0xea, 0xa3, 0x23, 0x5f, 0x2a, 0xc1, 0x3a, 0xf0, 0xa4,
-+ 0x20, 0x3b, 0xfa, 0x07, 0xd5, 0x05, 0x02, 0xe4, 0x57, 0x01, 0xb6, 0x10,
-+ 0x57, 0x2e, 0xe7, 0x55
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_192_no_df_pr_additionalinput[] = {
-+ 0x4b, 0x74, 0x0b, 0x40, 0xce, 0x6b, 0xc2, 0x6a, 0x24, 0xb4, 0xf3, 0xad,
-+ 0x7a, 0xa5, 0x7a, 0xa2, 0x15, 0xe2, 0xc8, 0x61, 0x15, 0xc6, 0xb7, 0x85,
-+ 0x69, 0x11, 0xad, 0x7b, 0x14, 0xd2, 0xf6, 0x12, 0xa1, 0x95, 0x5d, 0x3f,
-+ 0xe2, 0xd0, 0x0c, 0x2f
-+};
-+
-+__fips_constseg static const unsigned char aes_192_no_df_pr_entropyinputpr[] = {
-+ 0x0c, 0x9c, 0xad, 0x05, 0xee, 0xae, 0x48, 0x23, 0x89, 0x59, 0xa1, 0x94,
-+ 0xd7, 0xd8, 0x75, 0xd5, 0x54, 0x93, 0xc7, 0x4a, 0xd9, 0x26, 0xde, 0xeb,
-+ 0xba, 0xb0, 0x7e, 0x30, 0x1d, 0x5f, 0x69, 0x40, 0x9c, 0x3b, 0x17, 0x58,
-+ 0x1d, 0x30, 0xb3, 0x78
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_192_no_df_pr_int_returnedbits[] = {
-+ 0xf7, 0x93, 0xb0, 0x6d, 0x77, 0x83, 0xd5, 0x38, 0x01, 0xe1, 0x52, 0x40,
-+ 0x7e, 0x3e, 0x0c, 0x26
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_192_no_df_pr_additionalinput2[] = {
-+ 0xbc, 0x4b, 0x37, 0x44, 0x1c, 0xc5, 0x45, 0x5f, 0x8f, 0x51, 0x62, 0x8a,
-+ 0x85, 0x30, 0x1d, 0x7c, 0xe4, 0xcf, 0xf7, 0x44, 0xce, 0x32, 0x3e, 0x57,
-+ 0x95, 0xa4, 0x2a, 0xdf, 0xfd, 0x9e, 0x38, 0x41, 0xb3, 0xf6, 0xc5, 0xee,
-+ 0x0c, 0x4b, 0xee, 0x6e
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_192_no_df_pr_entropyinputpr2[] = {
-+ 0xec, 0xaf, 0xf6, 0x4f, 0xb1, 0xa0, 0x54, 0xb5, 0x5b, 0xe3, 0x46, 0xb0,
-+ 0x76, 0x5a, 0x7c, 0x3f, 0x7b, 0x94, 0x69, 0x21, 0x51, 0x02, 0xe5, 0x9f,
-+ 0x04, 0x59, 0x02, 0x98, 0xc6, 0x43, 0x2c, 0xcc, 0x26, 0x4c, 0x87, 0x6b,
-+ 0x8e, 0x0a, 0x83, 0xdf
-+};
-+
-+__fips_constseg static const unsigned char aes_192_no_df_pr_returnedbits[] = {
-+ 0x74, 0x45, 0xfb, 0x53, 0x84, 0x96, 0xbe, 0xff, 0x15, 0xcc, 0x41, 0x91,
-+ 0xb9, 0xa1, 0x21, 0x68
-+};
-+
-+/* AES-192 no df No PR */
-+__fips_constseg static const unsigned char aes_192_no_df_entropyinput[] = {
-+ 0x3c, 0x7d, 0xb5, 0xe0, 0x54, 0xd9, 0x6e, 0x8c, 0xa9, 0x86, 0xce, 0x4e,
-+ 0x6b, 0xaf, 0xeb, 0x2f, 0xe7, 0x75, 0xe0, 0x8b, 0xa4, 0x3b, 0x07, 0xfe,
-+ 0xbe, 0x33, 0x75, 0x93, 0x80, 0x27, 0xb5, 0x29, 0x47, 0x8b, 0xc7, 0x28,
-+ 0x94, 0xc3, 0x59, 0x63
-+};
-+
-+__fips_constseg static const unsigned char aes_192_no_df_nonce[] = {
-+ 0x43, 0xf1, 0x7d, 0xb8, 0xc3, 0xfe, 0xd0, 0x23, 0x6b, 0xb4, 0x92, 0xdb,
-+ 0x29, 0xfd, 0x45, 0x71
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_192_no_df_personalizationstring[] = {
-+ 0x9f, 0x24, 0x29, 0x99, 0x9e, 0x01, 0xab, 0xe9, 0x19, 0xd8, 0x23, 0x08,
-+ 0xb7, 0xd6, 0x7e, 0x8c, 0xc0, 0x9e, 0x7f, 0x6e, 0x5b, 0x33, 0x20, 0x96,
-+ 0x0b, 0x23, 0x2c, 0xa5, 0x6a, 0xf8, 0x1b, 0x04, 0x26, 0xdb, 0x2e, 0x2b,
-+ 0x3b, 0x88, 0xce, 0x35
-+};
-+
-+__fips_constseg static const unsigned char aes_192_no_df_additionalinput[] = {
-+ 0x94, 0xe9, 0x7c, 0x3d, 0xa7, 0xdb, 0x60, 0x83, 0x1f, 0x98, 0x3f, 0x0b,
-+ 0x88, 0x59, 0x57, 0x51, 0x88, 0x9f, 0x76, 0x49, 0x9f, 0xa6, 0xda, 0x71,
-+ 0x1d, 0x0d, 0x47, 0x16, 0x63, 0xc5, 0x68, 0xe4, 0x5d, 0x39, 0x69, 0xb3,
-+ 0x3e, 0xbe, 0xd4, 0x8e
-+};
-+
-+__fips_constseg static const unsigned char aes_192_no_df_int_returnedbits[] = {
-+ 0xf9, 0xd7, 0xad, 0x69, 0xab, 0x8f, 0x23, 0x56, 0x70, 0x17, 0x4f, 0x2a,
-+ 0x45, 0xe7, 0x4a, 0xc5
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_192_no_df_entropyinputreseed[] = {
-+ 0xa6, 0x71, 0x6a, 0x3d, 0xba, 0xd1, 0xe8, 0x66, 0xa6, 0xef, 0xb2, 0x0e,
-+ 0xa8, 0x9c, 0xaa, 0x4e, 0xaf, 0x17, 0x89, 0x50, 0x00, 0xda, 0xa1, 0xb1,
-+ 0x0b, 0xa4, 0xd9, 0x35, 0x89, 0xc8, 0xe5, 0xb0, 0xd9, 0xb7, 0xc4, 0x33,
-+ 0x9b, 0xcb, 0x7e, 0x75
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_192_no_df_additionalinputreseed[] = {
-+ 0x27, 0x21, 0xfc, 0xc2, 0xbd, 0xf3, 0x3c, 0xce, 0xc3, 0xca, 0xc1, 0x01,
-+ 0xe0, 0xff, 0x93, 0x12, 0x7d, 0x54, 0x42, 0xe3, 0x9f, 0x03, 0xdf, 0x27,
-+ 0x04, 0x07, 0x3c, 0x53, 0x7f, 0xa8, 0x66, 0xc8, 0x97, 0x4b, 0x61, 0x40,
-+ 0x5d, 0x7a, 0x25, 0x79
-+};
-+
-+__fips_constseg static const unsigned char aes_192_no_df_additionalinput2[] = {
-+ 0x2d, 0x8e, 0x16, 0x5d, 0x0b, 0x9f, 0xeb, 0xaa, 0xd6, 0xec, 0x28, 0x71,
-+ 0x7c, 0x0b, 0xc1, 0x1d, 0xd4, 0x44, 0x19, 0x47, 0xfd, 0x1d, 0x7c, 0xe5,
-+ 0xf3, 0x27, 0xe1, 0xb6, 0x72, 0x0a, 0xe0, 0xec, 0x0e, 0xcd, 0xef, 0x1a,
-+ 0x91, 0x6a, 0xe3, 0x5f
-+};
-+
-+__fips_constseg static const unsigned char aes_192_no_df_returnedbits[] = {
-+ 0xe5, 0xda, 0xb8, 0xe0, 0x63, 0x59, 0x5a, 0xcc, 0x3d, 0xdc, 0x9f, 0xe8,
-+ 0x66, 0x67, 0x2c, 0x92
-+};
-+
-+/* AES-256 no df PR */
-+__fips_constseg static const unsigned char aes_256_no_df_pr_entropyinput[] = {
-+ 0x15, 0xc7, 0x5d, 0xcb, 0x41, 0x4b, 0x16, 0x01, 0x3a, 0xd1, 0x44, 0xe8,
-+ 0x22, 0x32, 0xc6, 0x9c, 0x3f, 0xe7, 0x43, 0xf5, 0x9a, 0xd3, 0xea, 0xf2,
-+ 0xd7, 0x4e, 0x6e, 0x6a, 0x55, 0x73, 0x40, 0xef, 0x89, 0xad, 0x0d, 0x03,
-+ 0x96, 0x7e, 0x78, 0x81, 0x2f, 0x91, 0x1b, 0x44, 0xb0, 0x02, 0xba, 0x1c
-+};
-+
-+__fips_constseg static const unsigned char aes_256_no_df_pr_nonce[] = {
-+ 0xdc, 0xe4, 0xd4, 0x27, 0x7a, 0x90, 0xd7, 0x99, 0x43, 0xa1, 0x3c, 0x30,
-+ 0xcc, 0x4b, 0xee, 0x2e
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_256_no_df_pr_personalizationstring[] = {
-+ 0xe3, 0xe6, 0xb9, 0x11, 0xe4, 0x7a, 0xa4, 0x40, 0x6b, 0xf8, 0x73, 0xf7,
-+ 0x7e, 0xec, 0xc7, 0xb9, 0x97, 0xbf, 0xf8, 0x25, 0x7b, 0xbe, 0x11, 0x9b,
-+ 0x5b, 0x6a, 0x0c, 0x2e, 0x2b, 0x01, 0x51, 0xcd, 0x41, 0x4b, 0x6b, 0xac,
-+ 0x31, 0xa8, 0x0b, 0xf7, 0xe6, 0x59, 0x42, 0xb8, 0x03, 0x0c, 0xf8, 0x06
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_256_no_df_pr_additionalinput[] = {
-+ 0x6a, 0x9f, 0x00, 0x91, 0xae, 0xfe, 0xcf, 0x84, 0x99, 0xce, 0xb1, 0x40,
-+ 0x6d, 0x5d, 0x33, 0x28, 0x84, 0xf4, 0x8c, 0x63, 0x4c, 0x7e, 0xbd, 0x2c,
-+ 0x80, 0x76, 0xee, 0x5a, 0xaa, 0x15, 0x07, 0x31, 0xd8, 0xbb, 0x8c, 0x69,
-+ 0x9d, 0x9d, 0xbc, 0x7e, 0x49, 0xae, 0xec, 0x39, 0x6b, 0xd1, 0x1f, 0x7e
-+};
-+
-+__fips_constseg static const unsigned char aes_256_no_df_pr_entropyinputpr[] = {
-+ 0xf3, 0xb9, 0x75, 0x9c, 0xbd, 0x88, 0xea, 0xa2, 0x50, 0xad, 0xd6, 0x16,
-+ 0x1a, 0x12, 0x3c, 0x86, 0x68, 0xaf, 0x6f, 0xbe, 0x19, 0xf2, 0xee, 0xcc,
-+ 0xa5, 0x70, 0x84, 0x53, 0x50, 0xcb, 0x9f, 0x14, 0xa9, 0xe5, 0xee, 0xb9,
-+ 0x48, 0x45, 0x40, 0xe2, 0xc7, 0xc9, 0x9a, 0x74, 0xff, 0x8c, 0x99, 0x1f
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_256_no_df_pr_int_returnedbits[] = {
-+ 0x2e, 0xf2, 0x45, 0x4c, 0x62, 0x2e, 0x0a, 0xb9, 0x6b, 0xa2, 0xfd, 0x56,
-+ 0x79, 0x60, 0x93, 0xcf
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_256_no_df_pr_additionalinput2[] = {
-+ 0xaf, 0x69, 0x20, 0xe9, 0x3b, 0x37, 0x9d, 0x3f, 0xb4, 0x80, 0x02, 0x7a,
-+ 0x25, 0x7d, 0xb8, 0xde, 0x71, 0xc5, 0x06, 0x0c, 0xb4, 0xe2, 0x8f, 0x35,
-+ 0xd8, 0x14, 0x0d, 0x7f, 0x76, 0x63, 0x4e, 0xb5, 0xee, 0xe9, 0x6f, 0x34,
-+ 0xc7, 0x5f, 0x56, 0x14, 0x4a, 0xe8, 0x73, 0x95, 0x5b, 0x1c, 0xb9, 0xcb
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_256_no_df_pr_entropyinputpr2[] = {
-+ 0xe5, 0xb0, 0x2e, 0x7e, 0x52, 0x30, 0xe3, 0x63, 0x82, 0xb6, 0x44, 0xd3,
-+ 0x25, 0x19, 0x05, 0x24, 0x9a, 0x9f, 0x5f, 0x27, 0x6a, 0x29, 0xab, 0xfa,
-+ 0x07, 0xa2, 0x42, 0x0f, 0xc5, 0xa8, 0x94, 0x7c, 0x17, 0x7b, 0x85, 0x83,
-+ 0x0c, 0x25, 0x0e, 0x63, 0x0b, 0xe9, 0x12, 0x60, 0xcd, 0xef, 0x80, 0x0f
-+};
-+
-+__fips_constseg static const unsigned char aes_256_no_df_pr_returnedbits[] = {
-+ 0x5e, 0xf2, 0x26, 0xef, 0x9f, 0x58, 0x5d, 0xd5, 0x4a, 0x10, 0xfe, 0xa7,
-+ 0x2d, 0x5f, 0x4a, 0x46
-+};
-+
-+/* AES-256 no df No PR */
-+__fips_constseg static const unsigned char aes_256_no_df_entropyinput[] = {
-+ 0xfb, 0xcf, 0x1b, 0x61, 0x16, 0x89, 0x78, 0x23, 0xf5, 0xd8, 0x96, 0xe3,
-+ 0x4e, 0x64, 0x0b, 0x29, 0x9a, 0x3f, 0xf8, 0xa5, 0xed, 0xf2, 0xfe, 0xdb,
-+ 0x16, 0xca, 0x7f, 0x10, 0xfa, 0x5e, 0x18, 0x76, 0x2c, 0x63, 0x5e, 0x96,
-+ 0xcf, 0xb3, 0xd6, 0xfc, 0xaf, 0x99, 0x39, 0x28, 0x9c, 0x61, 0xe8, 0xb3
-+};
-+
-+__fips_constseg static const unsigned char aes_256_no_df_nonce[] = {
-+ 0x12, 0x96, 0xf0, 0x52, 0xf3, 0x8d, 0x81, 0xcf, 0xde, 0x86, 0xf2, 0x99,
-+ 0x43, 0x96, 0xb9, 0xf0
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_256_no_df_personalizationstring[] = {
-+ 0x63, 0x0d, 0x78, 0xf5, 0x90, 0x8e, 0x32, 0x47, 0xb0, 0x4d, 0x37, 0x60,
-+ 0x09, 0x96, 0xbc, 0xbf, 0x97, 0x7a, 0x62, 0x14, 0x45, 0xbd, 0x8d, 0xcc,
-+ 0x69, 0xfb, 0x03, 0xe1, 0x80, 0x1c, 0xc7, 0xe2, 0x2a, 0xf9, 0x37, 0x3f,
-+ 0x66, 0x4d, 0x62, 0xd9, 0x10, 0xe0, 0xad, 0xc8, 0x9a, 0xf0, 0xa8, 0x6d
-+};
-+
-+__fips_constseg static const unsigned char aes_256_no_df_additionalinput[] = {
-+ 0x36, 0xc6, 0x13, 0x60, 0xbb, 0x14, 0xad, 0x22, 0xb0, 0x38, 0xac, 0xa6,
-+ 0x18, 0x16, 0x93, 0x25, 0x86, 0xb7, 0xdc, 0xdc, 0x36, 0x98, 0x2b, 0xf9,
-+ 0x68, 0x33, 0xd3, 0xc6, 0xff, 0xce, 0x8d, 0x15, 0x59, 0x82, 0x76, 0xed,
-+ 0x6f, 0x8d, 0x49, 0x74, 0x2f, 0xda, 0xdc, 0x1f, 0x17, 0xd0, 0xde, 0x17
-+};
-+
-+__fips_constseg static const unsigned char aes_256_no_df_int_returnedbits[] = {
-+ 0x16, 0x2f, 0x8e, 0x3f, 0x21, 0x7a, 0x1c, 0x20, 0x56, 0xd1, 0x92, 0xf6,
-+ 0xd2, 0x25, 0x75, 0x0e
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_256_no_df_entropyinputreseed[] = {
-+ 0x91, 0x79, 0x76, 0xee, 0xe0, 0xcf, 0x9e, 0xc2, 0xd5, 0xd4, 0x23, 0x9b,
-+ 0x12, 0x8c, 0x7e, 0x0a, 0xb7, 0xd2, 0x8b, 0xd6, 0x7c, 0xa3, 0xc6, 0xe5,
-+ 0x0e, 0xaa, 0xc7, 0x6b, 0xae, 0x0d, 0xfa, 0x53, 0x06, 0x79, 0xa1, 0xed,
-+ 0x4d, 0x6a, 0x0e, 0xd8, 0x9d, 0xbe, 0x1b, 0x31, 0x93, 0x7b, 0xec, 0xfb
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_256_no_df_additionalinputreseed[] = {
-+ 0xd2, 0x46, 0x50, 0x22, 0x10, 0x14, 0x63, 0xf7, 0xea, 0x0f, 0xb9, 0x7e,
-+ 0x0d, 0xe1, 0x94, 0x07, 0xaf, 0x09, 0x44, 0x31, 0xea, 0x64, 0xa4, 0x18,
-+ 0x5b, 0xf9, 0xd8, 0xc2, 0xfa, 0x03, 0x47, 0xc5, 0x39, 0x43, 0xd5, 0x3b,
-+ 0x62, 0x86, 0x64, 0xea, 0x2c, 0x73, 0x8c, 0xae, 0x9d, 0x98, 0x98, 0x29
-+};
-+
-+__fips_constseg static const unsigned char aes_256_no_df_additionalinput2[] = {
-+ 0x8c, 0xab, 0x18, 0xf8, 0xc3, 0xec, 0x18, 0x5c, 0xb3, 0x1e, 0x9d, 0xbe,
-+ 0x3f, 0x03, 0xb4, 0x00, 0x98, 0x9d, 0xae, 0xeb, 0xf4, 0x94, 0xf8, 0x42,
-+ 0x8f, 0xe3, 0x39, 0x07, 0xe1, 0xc9, 0xad, 0x0b, 0x1f, 0xed, 0xc0, 0xba,
-+ 0xf6, 0xd1, 0xec, 0x27, 0x86, 0x7b, 0xd6, 0x55, 0x9b, 0x60, 0xa5, 0xc6
-+};
-+
-+__fips_constseg static const unsigned char aes_256_no_df_returnedbits[] = {
-+ 0xef, 0xd2, 0xd8, 0x5c, 0xdc, 0x62, 0x25, 0x9f, 0xaa, 0x1e, 0x2c, 0x67,
-+ 0xf6, 0x02, 0x32, 0xe2
-+};
-+
-+/* SHA-1 PR */
-+__fips_constseg static const unsigned char sha1_pr_entropyinput[] = {
-+ 0xd2, 0x36, 0xa5, 0x27, 0x31, 0x73, 0xdd, 0x11, 0x4f, 0x93, 0xbd, 0xe2,
-+ 0x31, 0xa5, 0x91, 0x13
-+};
-+
-+__fips_constseg static const unsigned char sha1_pr_nonce[] = {
-+ 0xb5, 0xb3, 0x60, 0xef, 0xf7, 0x63, 0x31, 0xf3
-+};
-+
-+__fips_constseg static const unsigned char sha1_pr_personalizationstring[] = {
-+ 0xd4, 0xbb, 0x02, 0x10, 0xb2, 0x71, 0xdb, 0x81, 0xd6, 0xf0, 0x42, 0x60,
-+ 0xda, 0xea, 0x77, 0x52
-+};
-+
-+__fips_constseg static const unsigned char sha1_pr_additionalinput[] = {
-+ 0x4d, 0xd2, 0x6c, 0x87, 0xfb, 0x2c, 0x4f, 0xa6, 0x8d, 0x16, 0x63, 0x22,
-+ 0x6a, 0x51, 0xe3, 0xf8
-+};
-+
-+__fips_constseg static const unsigned char sha1_pr_entropyinputpr[] = {
-+ 0xc9, 0x83, 0x9e, 0x16, 0xf6, 0x1c, 0x0f, 0xb2, 0xec, 0x60, 0x31, 0xa9,
-+ 0xcb, 0xa9, 0x36, 0x7a
-+};
-+
-+__fips_constseg static const unsigned char sha1_pr_int_returnedbits[] = {
-+ 0xa8, 0x13, 0x4f, 0xf4, 0x31, 0x02, 0x44, 0xe3, 0xd3, 0x3d, 0x61, 0x9e,
-+ 0xe5, 0xc6, 0x3e, 0x89, 0xb5, 0x9b, 0x0f, 0x35
-+};
-+
-+__fips_constseg static const unsigned char sha1_pr_additionalinput2[] = {
-+ 0xf9, 0xe8, 0xd2, 0x72, 0x13, 0x34, 0x95, 0x6f, 0x15, 0x49, 0x47, 0x99,
-+ 0x16, 0x03, 0x19, 0x47
-+};
-+
-+__fips_constseg static const unsigned char sha1_pr_entropyinputpr2[] = {
-+ 0x4e, 0x8c, 0x49, 0x9b, 0x4a, 0x5c, 0x9b, 0x9c, 0x3a, 0xee, 0xfb, 0xd2,
-+ 0xae, 0xcd, 0x8c, 0xc4
-+};
-+
-+__fips_constseg static const unsigned char sha1_pr_returnedbits[] = {
-+ 0x50, 0xb4, 0xb4, 0xcd, 0x68, 0x57, 0xfc, 0x2e, 0xc1, 0x52, 0xcc, 0xf6,
-+ 0x68, 0xa4, 0x81, 0xed, 0x7e, 0xe4, 0x1d, 0x87
-+};
-+
-+/* SHA-1 No PR */
-+__fips_constseg static const unsigned char sha1_entropyinput[] = {
-+ 0xa9, 0x47, 0x1b, 0x29, 0x2d, 0x1c, 0x05, 0xdf, 0x76, 0xd0, 0x62, 0xf9,
-+ 0xe2, 0x7f, 0x4c, 0x7b
-+};
-+
-+__fips_constseg static const unsigned char sha1_nonce[] = {
-+ 0x53, 0x23, 0x24, 0xe3, 0xec, 0x0c, 0x54, 0x14
-+};
-+
-+__fips_constseg static const unsigned char sha1_personalizationstring[] = {
-+ 0x7a, 0x87, 0xa1, 0xac, 0x1c, 0xfd, 0xab, 0xae, 0xf7, 0xd6, 0xfb, 0x76,
-+ 0x28, 0xec, 0x6d, 0xca
-+};
-+
-+__fips_constseg static const unsigned char sha1_additionalinput[] = {
-+ 0xfc, 0x92, 0x35, 0xd6, 0x7e, 0xb7, 0x24, 0x65, 0xfd, 0x12, 0x27, 0x35,
-+ 0xc0, 0x72, 0xca, 0x28
-+};
-+
-+__fips_constseg static const unsigned char sha1_int_returnedbits[] = {
-+ 0x57, 0x88, 0x82, 0xe5, 0x25, 0xa5, 0x2c, 0x4a, 0x06, 0x20, 0x6c, 0x72,
-+ 0x55, 0x61, 0xdd, 0x90, 0x71, 0x9f, 0x95, 0xea
-+};
-+
-+__fips_constseg static const unsigned char sha1_entropyinputreseed[] = {
-+ 0x69, 0xa5, 0x40, 0x62, 0x98, 0x47, 0x56, 0x73, 0x4a, 0x8f, 0x60, 0x96,
-+ 0xd6, 0x99, 0x27, 0xed
-+};
-+
-+__fips_constseg static const unsigned char sha1_additionalinputreseed[] = {
-+ 0xe5, 0x40, 0x4e, 0xbd, 0x50, 0x00, 0xf5, 0x15, 0xa6, 0xee, 0x45, 0xda,
-+ 0x84, 0x3d, 0xd4, 0xc0
-+};
-+
-+__fips_constseg static const unsigned char sha1_additionalinput2[] = {
-+ 0x11, 0x51, 0x14, 0xf0, 0x09, 0x1b, 0x4e, 0x56, 0x0d, 0xe9, 0xf6, 0x1e,
-+ 0x52, 0x65, 0xcd, 0x96
-+};
-+
-+__fips_constseg static const unsigned char sha1_returnedbits[] = {
-+ 0xa1, 0x9c, 0x94, 0x6e, 0x29, 0xe1, 0x33, 0x0d, 0x32, 0xd6, 0xaa, 0xce,
-+ 0x71, 0x3f, 0x52, 0x72, 0x8b, 0x42, 0xa8, 0xd7
-+};
-+
-+/* SHA-224 PR */
-+__fips_constseg static const unsigned char sha224_pr_entropyinput[] = {
-+ 0x12, 0x69, 0x32, 0x4f, 0x83, 0xa6, 0xf5, 0x14, 0xe3, 0x49, 0x3e, 0x75,
-+ 0x3e, 0xde, 0xad, 0xa1, 0x29, 0xc3, 0xf3, 0x19, 0x20, 0xb5, 0x4c, 0xd9
-+};
-+
-+__fips_constseg static const unsigned char sha224_pr_nonce[] = {
-+ 0x6a, 0x78, 0xd0, 0xeb, 0xbb, 0x5a, 0xf0, 0xee, 0xe8, 0xc3, 0xba, 0x71
-+};
-+
-+__fips_constseg static const unsigned char sha224_pr_personalizationstring[] = {
-+ 0xd5, 0xb8, 0xb6, 0xbc, 0xc1, 0x5b, 0x60, 0x31, 0x3c, 0xf5, 0xe5, 0xc0,
-+ 0x8e, 0x52, 0x7a, 0xbd, 0xea, 0x47, 0xa9, 0x5f, 0x8f, 0xf9, 0x8b, 0xae
-+};
-+
-+__fips_constseg static const unsigned char sha224_pr_additionalinput[] = {
-+ 0x1f, 0x55, 0xec, 0xae, 0x16, 0x12, 0x84, 0xba, 0x84, 0x16, 0x19, 0x88,
-+ 0x8e, 0xb8, 0x33, 0x25, 0x54, 0xff, 0xca, 0x79, 0xaf, 0x07, 0x25, 0x50
-+};
-+
-+__fips_constseg static const unsigned char sha224_pr_entropyinputpr[] = {
-+ 0x92, 0xa3, 0x32, 0xa8, 0x9a, 0x0a, 0x58, 0x7c, 0x1d, 0x5a, 0x7e, 0xe1,
-+ 0xb2, 0x73, 0xab, 0x0e, 0x16, 0x79, 0x23, 0xd3, 0x29, 0x89, 0x81, 0xe1
-+};
-+
-+__fips_constseg static const unsigned char sha224_pr_int_returnedbits[] = {
-+ 0xf3, 0x38, 0x91, 0x40, 0x37, 0x7a, 0x51, 0x72, 0x42, 0x74, 0x78, 0x0a,
-+ 0x69, 0xfd, 0xa6, 0x44, 0x43, 0x45, 0x6c, 0x0c, 0x5a, 0x19, 0xff, 0xf1,
-+ 0x54, 0x60, 0xee, 0x6a
-+};
-+
-+__fips_constseg static const unsigned char sha224_pr_additionalinput2[] = {
-+ 0x75, 0xf3, 0x04, 0x25, 0xdd, 0x36, 0xa8, 0x37, 0x46, 0xae, 0x0c, 0x52,
-+ 0x05, 0x79, 0x4c, 0x26, 0xdb, 0xe9, 0x71, 0x16, 0x4c, 0x0a, 0xf2, 0x60
-+};
-+
-+__fips_constseg static const unsigned char sha224_pr_entropyinputpr2[] = {
-+ 0xea, 0xc5, 0x03, 0x0a, 0x4f, 0xb0, 0x38, 0x8d, 0x23, 0xd4, 0xc8, 0x77,
-+ 0xe2, 0x6d, 0x9c, 0x0b, 0x44, 0xf7, 0x2d, 0x5b, 0xbf, 0x5d, 0x2a, 0x11
-+};
-+
-+__fips_constseg static const unsigned char sha224_pr_returnedbits[] = {
-+ 0x60, 0x50, 0x2b, 0xe7, 0x86, 0xd8, 0x26, 0x73, 0xe3, 0x1d, 0x95, 0x20,
-+ 0xb3, 0x2c, 0x32, 0x1c, 0xf5, 0xce, 0x57, 0xa6, 0x67, 0x2b, 0xdc, 0x4e,
-+ 0xdd, 0x11, 0x4c, 0xc4
-+};
-+
-+/* SHA-224 No PR */
-+__fips_constseg static const unsigned char sha224_entropyinput[] = {
-+ 0xb2, 0x1c, 0x77, 0x4d, 0xf6, 0xd3, 0xb6, 0x40, 0xb7, 0x30, 0x3e, 0x29,
-+ 0xb0, 0x85, 0x1c, 0xbe, 0x4a, 0xea, 0x6b, 0x5a, 0xb5, 0x8a, 0x97, 0xeb
-+};
-+
-+__fips_constseg static const unsigned char sha224_nonce[] = {
-+ 0x42, 0x02, 0x0a, 0x1c, 0x98, 0x9a, 0x77, 0x9e, 0x9f, 0x80, 0xba, 0xe0
-+};
-+
-+__fips_constseg static const unsigned char sha224_personalizationstring[] = {
-+ 0x98, 0xb8, 0x04, 0x41, 0xfc, 0xc1, 0x5d, 0xc5, 0xe9, 0xb9, 0x08, 0xda,
-+ 0xf9, 0xfa, 0x0d, 0x90, 0xce, 0xdf, 0x1d, 0x10, 0xa9, 0x8d, 0x50, 0x0c
-+};
-+
-+__fips_constseg static const unsigned char sha224_additionalinput[] = {
-+ 0x9a, 0x8d, 0x39, 0x49, 0x42, 0xd5, 0x0b, 0xae, 0xe1, 0xaf, 0xb7, 0x00,
-+ 0x02, 0xfa, 0x96, 0xb1, 0xa5, 0x1d, 0x2d, 0x25, 0x78, 0xee, 0x83, 0x3f
-+};
-+
-+__fips_constseg static const unsigned char sha224_int_returnedbits[] = {
-+ 0xe4, 0xf5, 0x53, 0x79, 0x5a, 0x97, 0x58, 0x06, 0x08, 0xba, 0x7b, 0xfa,
-+ 0xf0, 0x83, 0x05, 0x8c, 0x22, 0xc0, 0xc9, 0xdb, 0x15, 0xe7, 0xde, 0x20,
-+ 0x55, 0x22, 0x9a, 0xad
-+};
-+
-+__fips_constseg static const unsigned char sha224_entropyinputreseed[] = {
-+ 0x67, 0x09, 0x48, 0xaa, 0x07, 0x16, 0x99, 0x89, 0x7f, 0x6d, 0xa0, 0xe5,
-+ 0x8f, 0xdf, 0xbc, 0xdb, 0xfe, 0xe5, 0x6c, 0x7a, 0x95, 0x4a, 0x66, 0x17
-+};
-+
-+__fips_constseg static const unsigned char sha224_additionalinputreseed[] = {
-+ 0x0f, 0x4b, 0x1c, 0x6f, 0xb7, 0xe3, 0x47, 0xe5, 0x5d, 0x7d, 0x38, 0xd6,
-+ 0x28, 0x9b, 0xeb, 0x55, 0x63, 0x09, 0x3e, 0x7c, 0x56, 0xea, 0xf8, 0x19
-+};
-+
-+__fips_constseg static const unsigned char sha224_additionalinput2[] = {
-+ 0x2d, 0x26, 0x7c, 0x37, 0xe4, 0x7a, 0x28, 0x5e, 0x5a, 0x3c, 0xaf, 0x3d,
-+ 0x5a, 0x8e, 0x55, 0xa2, 0x1a, 0x6e, 0xc0, 0xe5, 0xf6, 0x21, 0xd3, 0xf6
-+};
-+
-+__fips_constseg static const unsigned char sha224_returnedbits[] = {
-+ 0x4d, 0x83, 0x35, 0xdf, 0x67, 0xa9, 0xfc, 0x17, 0xda, 0x70, 0xcc, 0x8b,
-+ 0x7f, 0x77, 0xae, 0xa2, 0x5f, 0xb9, 0x7e, 0x74, 0x4c, 0x26, 0xc1, 0x7a,
-+ 0x3b, 0xa7, 0x5c, 0x93
-+};
-+
-+/* SHA-256 PR */
-+__fips_constseg static const unsigned char sha256_pr_entropyinput[] = {
-+ 0xce, 0x49, 0x00, 0x7a, 0x56, 0xe3, 0x67, 0x8f, 0xe1, 0xb6, 0xa7, 0xd4,
-+ 0x4f, 0x08, 0x7a, 0x1b, 0x01, 0xf4, 0xfa, 0x6b, 0xef, 0xb7, 0xe5, 0xeb,
-+ 0x07, 0x3d, 0x11, 0x0d, 0xc8, 0xea, 0x2b, 0xfe
-+};
-+
-+__fips_constseg static const unsigned char sha256_pr_nonce[] = {
-+ 0x73, 0x41, 0xc8, 0x92, 0x94, 0xe2, 0xc5, 0x5f, 0x93, 0xfd, 0x39, 0x5d,
-+ 0x2b, 0x91, 0x4d, 0x38
-+};
-+
-+__fips_constseg static const unsigned char sha256_pr_personalizationstring[] = {
-+ 0x50, 0x6d, 0x01, 0x01, 0x07, 0x5a, 0x80, 0x35, 0x7a, 0x56, 0x1a, 0x56,
-+ 0x2f, 0x9a, 0x0b, 0x35, 0xb2, 0xb1, 0xc9, 0xe5, 0xca, 0x69, 0x61, 0x48,
-+ 0xff, 0xfb, 0x0f, 0xd9, 0x4b, 0x79, 0x1d, 0xba
-+};
-+
-+__fips_constseg static const unsigned char sha256_pr_additionalinput[] = {
-+ 0x20, 0xb8, 0xdf, 0x44, 0x77, 0x5a, 0xb8, 0xd3, 0xbf, 0xf6, 0xcf, 0xac,
-+ 0x5e, 0xa6, 0x96, 0x62, 0x73, 0x44, 0x40, 0x4a, 0x30, 0xfb, 0x38, 0xa5,
-+ 0x7b, 0x0d, 0xe4, 0x0d, 0xc6, 0xe4, 0x9a, 0x1f
-+};
-+
-+__fips_constseg static const unsigned char sha256_pr_entropyinputpr[] = {
-+ 0x04, 0xc4, 0x65, 0xf4, 0xd3, 0xbf, 0x83, 0x4b, 0xab, 0xc8, 0x41, 0xa8,
-+ 0xc2, 0xe0, 0x44, 0x63, 0x77, 0x4c, 0x6f, 0x6c, 0x49, 0x46, 0xff, 0x94,
-+ 0x17, 0xea, 0xe6, 0x1a, 0x9d, 0x5e, 0x66, 0x78
-+};
-+
-+__fips_constseg static const unsigned char sha256_pr_int_returnedbits[] = {
-+ 0x07, 0x4d, 0xac, 0x9b, 0x86, 0xca, 0x4a, 0xaa, 0x6e, 0x7a, 0x03, 0xa2,
-+ 0x5d, 0x10, 0xea, 0x0b, 0xf9, 0x83, 0xcc, 0xd1, 0xfc, 0xe2, 0x07, 0xc7,
-+ 0x06, 0x34, 0x60, 0x6f, 0x83, 0x94, 0x99, 0x76
-+};
-+
-+__fips_constseg static const unsigned char sha256_pr_additionalinput2[] = {
-+ 0x89, 0x4e, 0x45, 0x8c, 0x11, 0xf9, 0xbc, 0x5b, 0xac, 0x74, 0x8b, 0x4b,
-+ 0x5f, 0xf7, 0x19, 0xf3, 0xf5, 0x24, 0x54, 0x14, 0xd1, 0x15, 0xb1, 0x43,
-+ 0x12, 0xa4, 0x5f, 0xd4, 0xec, 0xfc, 0xcd, 0x09
-+};
-+
-+__fips_constseg static const unsigned char sha256_pr_entropyinputpr2[] = {
-+ 0x0e, 0xeb, 0x1f, 0xd7, 0xfc, 0xd1, 0x9d, 0xd4, 0x05, 0x36, 0x8b, 0xb2,
-+ 0xfb, 0xe4, 0xf4, 0x51, 0x0c, 0x87, 0x9b, 0x02, 0x44, 0xd5, 0x92, 0x4d,
-+ 0x44, 0xfe, 0x1a, 0x03, 0x43, 0x56, 0xbd, 0x86
-+};
-+
-+__fips_constseg static const unsigned char sha256_pr_returnedbits[] = {
-+ 0x02, 0xaa, 0xb6, 0x1d, 0x7e, 0x2a, 0x40, 0x03, 0x69, 0x2d, 0x49, 0xa3,
-+ 0x41, 0xe7, 0x44, 0x0b, 0xaf, 0x7b, 0x85, 0xe4, 0x5f, 0x53, 0x3b, 0x64,
-+ 0xbc, 0x89, 0xc8, 0x82, 0xd4, 0x78, 0x37, 0xa2
-+};
-+
-+/* SHA-256 No PR */
-+__fips_constseg static const unsigned char sha256_entropyinput[] = {
-+ 0x5b, 0x1b, 0xec, 0x4d, 0xa9, 0x38, 0x74, 0x5a, 0x34, 0x0b, 0x7b, 0xc5,
-+ 0xe5, 0xd7, 0x66, 0x7c, 0xbc, 0x82, 0xb9, 0x0e, 0x2d, 0x1f, 0x92, 0xd7,
-+ 0xc1, 0xbc, 0x67, 0x69, 0xec, 0x6b, 0x03, 0x3c
-+};
-+
-+__fips_constseg static const unsigned char sha256_nonce[] = {
-+ 0xa4, 0x0c, 0xd8, 0x9c, 0x61, 0xd8, 0xc3, 0x54, 0xfe, 0x53, 0xc9, 0xe5,
-+ 0x5d, 0x6f, 0x6d, 0x35
-+};
-+
-+__fips_constseg static const unsigned char sha256_personalizationstring[] = {
-+ 0x22, 0x5e, 0x62, 0x93, 0x42, 0x83, 0x78, 0x24, 0xd8, 0x40, 0x8c, 0xde,
-+ 0x6f, 0xf9, 0xa4, 0x7a, 0xc5, 0xa7, 0x3b, 0x88, 0xa3, 0xee, 0x42, 0x20,
-+ 0xfd, 0x61, 0x56, 0xc6, 0x4c, 0x13, 0x41, 0x9c
-+};
-+
-+__fips_constseg static const unsigned char sha256_additionalinput[] = {
-+ 0xbf, 0x74, 0x5b, 0xf6, 0xc5, 0x64, 0x5e, 0x99, 0x34, 0x8f, 0xbc, 0xa4,
-+ 0xe2, 0xbd, 0xd8, 0x85, 0x26, 0x37, 0xea, 0xba, 0x4f, 0xf2, 0x9a, 0x9a,
-+ 0x66, 0xfc, 0xdf, 0x63, 0x26, 0x26, 0x19, 0x87
-+};
-+
-+__fips_constseg static const unsigned char sha256_int_returnedbits[] = {
-+ 0xb3, 0xc6, 0x07, 0x07, 0xd6, 0x75, 0xf6, 0x2b, 0xd6, 0x21, 0x96, 0xf1,
-+ 0xae, 0xdb, 0x2b, 0xac, 0x25, 0x2a, 0xae, 0xae, 0x41, 0x72, 0x03, 0x5e,
-+ 0xbf, 0xd3, 0x64, 0xbc, 0x59, 0xf9, 0xc0, 0x76
-+};
-+
-+__fips_constseg static const unsigned char sha256_entropyinputreseed[] = {
-+ 0xbf, 0x20, 0x33, 0x56, 0x29, 0xa8, 0x37, 0x04, 0x1f, 0x78, 0x34, 0x3d,
-+ 0x81, 0x2a, 0xc9, 0x86, 0xc6, 0x7a, 0x2f, 0x88, 0x5e, 0xd5, 0xbe, 0x34,
-+ 0x46, 0x20, 0xa4, 0x35, 0xeb, 0xc7, 0xe2, 0x9d
-+};
-+
-+__fips_constseg static const unsigned char sha256_additionalinputreseed[] = {
-+ 0x9b, 0xae, 0x2d, 0x2d, 0x61, 0xa4, 0x89, 0xeb, 0x43, 0x46, 0xa7, 0xda,
-+ 0xef, 0x40, 0xca, 0x4a, 0x99, 0x11, 0x41, 0xdc, 0x5c, 0x94, 0xe9, 0xac,
-+ 0xd4, 0xd0, 0xe6, 0xbd, 0xfb, 0x03, 0x9c, 0xa8
-+};
-+
-+__fips_constseg static const unsigned char sha256_additionalinput2[] = {
-+ 0x23, 0xaa, 0x0c, 0xbd, 0x28, 0x33, 0xe2, 0x51, 0xfc, 0x71, 0xd2, 0x15,
-+ 0x1f, 0x76, 0xfd, 0x0d, 0xe0, 0xb7, 0xb5, 0x84, 0x75, 0x5b, 0xbe, 0xf3,
-+ 0x5c, 0xca, 0xc5, 0x30, 0xf2, 0x75, 0x1f, 0xda
-+};
-+
-+__fips_constseg static const unsigned char sha256_returnedbits[] = {
-+ 0x90, 0x3c, 0xc1, 0x10, 0x8c, 0x12, 0x01, 0xc6, 0xa6, 0x3a, 0x0f, 0x4d,
-+ 0xb6, 0x3a, 0x4f, 0x41, 0x9c, 0x61, 0x75, 0x84, 0xe9, 0x74, 0x75, 0xfd,
-+ 0xfe, 0xf2, 0x1f, 0x43, 0xd8, 0x5e, 0x24, 0xa3
-+};
-+
-+/* SHA-384 PR */
-+__fips_constseg static const unsigned char sha384_pr_entropyinput[] = {
-+ 0x71, 0x9d, 0xb2, 0x5a, 0x71, 0x6d, 0x04, 0xe9, 0x1e, 0xc7, 0x92, 0x24,
-+ 0x6e, 0x12, 0x33, 0xa9, 0x52, 0x64, 0x31, 0xef, 0x71, 0xeb, 0x22, 0x55,
-+ 0x28, 0x97, 0x06, 0x6a, 0xc0, 0x0c, 0xa0, 0x7e
-+};
-+
-+__fips_constseg static const unsigned char sha384_pr_nonce[] = {
-+ 0xf5, 0x0d, 0xfa, 0xb0, 0xec, 0x6a, 0x7c, 0xd6, 0xbd, 0x9b, 0x05, 0xfd,
-+ 0x38, 0x3e, 0x2e, 0x56
-+};
-+
-+__fips_constseg static const unsigned char sha384_pr_personalizationstring[] = {
-+ 0x74, 0xac, 0x7e, 0x6d, 0xb1, 0xa4, 0xe7, 0x21, 0xd1, 0x1e, 0x6e, 0x96,
-+ 0x6d, 0x4d, 0x53, 0x46, 0x82, 0x96, 0x6e, 0xcf, 0xaa, 0x81, 0x8d, 0x7d,
-+ 0x9e, 0xe1, 0x0f, 0x15, 0xea, 0x41, 0xbf, 0xe3
-+};
-+
-+__fips_constseg static const unsigned char sha384_pr_additionalinput[] = {
-+ 0xda, 0x95, 0xd4, 0xd0, 0xb8, 0x11, 0xd3, 0x49, 0x27, 0x5d, 0xa9, 0x39,
-+ 0x68, 0xf3, 0xa8, 0xe9, 0x5d, 0x19, 0x8a, 0x2b, 0x66, 0xe8, 0x69, 0x06,
-+ 0x7c, 0x9e, 0x03, 0xa1, 0x8b, 0x26, 0x2d, 0x6e
-+};
-+
-+__fips_constseg static const unsigned char sha384_pr_entropyinputpr[] = {
-+ 0x49, 0xdf, 0x44, 0x00, 0xe4, 0x1c, 0x75, 0x0b, 0x26, 0x5a, 0x59, 0x64,
-+ 0x1f, 0x4e, 0xb1, 0xb2, 0x13, 0xf1, 0x22, 0x4e, 0xb4, 0x6d, 0x9a, 0xcc,
-+ 0xa0, 0x48, 0xe6, 0xcf, 0x1d, 0xd1, 0x92, 0x0d
-+};
-+
-+__fips_constseg static const unsigned char sha384_pr_int_returnedbits[] = {
-+ 0xc8, 0x52, 0xae, 0xbf, 0x04, 0x3c, 0x27, 0xb7, 0x78, 0x18, 0xaa, 0x8f,
-+ 0xff, 0xcf, 0xa4, 0xf1, 0xcc, 0xe7, 0x68, 0xfa, 0x22, 0xa2, 0x13, 0x45,
-+ 0xe8, 0xdd, 0x87, 0xe6, 0xf2, 0x6e, 0xdd, 0xc7, 0x52, 0x90, 0x9f, 0x7b,
-+ 0xfa, 0x61, 0x2d, 0x9d, 0x9e, 0xcf, 0x98, 0xac, 0x52, 0x40, 0xce, 0xaf
-+};
-+
-+__fips_constseg static const unsigned char sha384_pr_additionalinput2[] = {
-+ 0x61, 0x7c, 0x03, 0x9a, 0x3e, 0x50, 0x57, 0x60, 0xc5, 0x83, 0xc9, 0xb2,
-+ 0xd1, 0x87, 0x85, 0x66, 0x92, 0x5d, 0x84, 0x0e, 0x53, 0xfb, 0x70, 0x03,
-+ 0x72, 0xfd, 0xba, 0xae, 0x9c, 0x8f, 0xf8, 0x18
-+};
-+
-+__fips_constseg static const unsigned char sha384_pr_entropyinputpr2[] = {
-+ 0xf8, 0xeb, 0x89, 0xb1, 0x8d, 0x78, 0xbe, 0x21, 0xe0, 0xbb, 0x9d, 0xb7,
-+ 0x95, 0x0e, 0xd9, 0x46, 0x0c, 0x8c, 0xe2, 0x63, 0xb7, 0x9d, 0x67, 0x90,
-+ 0xbd, 0xc7, 0x0b, 0xa5, 0xce, 0xb2, 0x65, 0x81
-+};
-+
-+__fips_constseg static const unsigned char sha384_pr_returnedbits[] = {
-+ 0xe6, 0x9f, 0xfe, 0x68, 0xd6, 0xb5, 0x79, 0xf1, 0x06, 0x5f, 0xa3, 0xbb,
-+ 0x23, 0x85, 0xd8, 0xf0, 0x29, 0x5a, 0x68, 0x9e, 0xf5, 0xf4, 0xa6, 0x12,
-+ 0xe0, 0x9a, 0xe2, 0xac, 0x00, 0x1d, 0x98, 0x26, 0xfc, 0x53, 0x95, 0x53,
-+ 0xe4, 0x3e, 0x17, 0xd5, 0x08, 0x0b, 0x70, 0x3d, 0x67, 0x99, 0xac, 0x66
-+};
-+
-+/* SHA-384 No PR */
-+__fips_constseg static const unsigned char sha384_entropyinput[] = {
-+ 0x07, 0x15, 0x27, 0x2a, 0xaf, 0x74, 0x24, 0x37, 0xbc, 0xd5, 0x14, 0x69,
-+ 0xce, 0x11, 0xff, 0xa2, 0x6b, 0xb8, 0x05, 0x67, 0x34, 0xf8, 0xbd, 0x6d,
-+ 0x6a, 0xcc, 0xcd, 0x60, 0xa3, 0x68, 0xca, 0xf4
-+};
-+
-+__fips_constseg static const unsigned char sha384_nonce[] = {
-+ 0x70, 0x17, 0xc2, 0x5b, 0x5d, 0x22, 0x0b, 0x06, 0x15, 0x54, 0x78, 0x77,
-+ 0x44, 0xaf, 0x2f, 0x09
-+};
-+
-+__fips_constseg static const unsigned char sha384_personalizationstring[] = {
-+ 0x89, 0x39, 0x28, 0xb0, 0x60, 0xeb, 0x3d, 0xdc, 0x55, 0x75, 0x86, 0xeb,
-+ 0xae, 0xa2, 0x8f, 0xbc, 0x1b, 0x75, 0xd4, 0xe1, 0x0f, 0xaa, 0x38, 0xca,
-+ 0x62, 0x8b, 0xcb, 0x2c, 0x26, 0xf6, 0xbc, 0xb1
-+};
-+
-+__fips_constseg static const unsigned char sha384_additionalinput[] = {
-+ 0x30, 0x2b, 0x42, 0x35, 0xef, 0xda, 0x40, 0x55, 0x28, 0xc6, 0x95, 0xfb,
-+ 0x54, 0x01, 0x62, 0xd7, 0x87, 0x14, 0x48, 0x6d, 0x90, 0x4c, 0xa9, 0x02,
-+ 0x54, 0x40, 0x22, 0xc8, 0x66, 0xa5, 0x48, 0x48
-+};
-+
-+__fips_constseg static const unsigned char sha384_int_returnedbits[] = {
-+ 0x82, 0xc4, 0xa1, 0x9c, 0x21, 0xd2, 0xe7, 0xa5, 0xa6, 0xf6, 0x5f, 0x04,
-+ 0x5c, 0xc7, 0x31, 0x9d, 0x8d, 0x59, 0x74, 0x50, 0x19, 0x89, 0x2f, 0x63,
-+ 0xd5, 0xb7, 0x7e, 0xeb, 0x15, 0xe3, 0x70, 0x83, 0xa1, 0x24, 0x59, 0xfa,
-+ 0x2c, 0x56, 0xf6, 0x88, 0x3a, 0x92, 0x93, 0xa1, 0xfb, 0x79, 0xc1, 0x7a
-+};
-+
-+__fips_constseg static const unsigned char sha384_entropyinputreseed[] = {
-+ 0x39, 0xa6, 0xe8, 0x5c, 0x82, 0x17, 0x71, 0x26, 0x57, 0x4f, 0x9f, 0xc2,
-+ 0x55, 0xff, 0x5c, 0x9b, 0x53, 0x1a, 0xd1, 0x5f, 0xbc, 0x62, 0xe4, 0x27,
-+ 0x2d, 0x32, 0xf0, 0xe4, 0x52, 0x8c, 0xc5, 0x0c
-+};
-+
-+__fips_constseg static const unsigned char sha384_additionalinputreseed[] = {
-+ 0x8d, 0xcb, 0x8d, 0xce, 0x08, 0xea, 0x80, 0xe8, 0x9b, 0x61, 0xa8, 0x0f,
-+ 0xaf, 0x49, 0x20, 0x9e, 0x74, 0xcb, 0x57, 0x80, 0x42, 0xb0, 0x84, 0x5e,
-+ 0x30, 0x2a, 0x67, 0x08, 0xf4, 0xe3, 0x40, 0x22
-+};
-+
-+__fips_constseg static const unsigned char sha384_additionalinput2[] = {
-+ 0x7c, 0x8f, 0xc2, 0xae, 0x22, 0x4a, 0xd6, 0xf6, 0x05, 0xa4, 0x7a, 0xea,
-+ 0xbb, 0x25, 0xd0, 0xb7, 0x5a, 0xd6, 0xcf, 0x9d, 0xf3, 0x6c, 0xe2, 0xb2,
-+ 0x4e, 0xb4, 0xbd, 0xf4, 0xe5, 0x40, 0x80, 0x94
-+};
-+
-+__fips_constseg static const unsigned char sha384_returnedbits[] = {
-+ 0x9e, 0x7e, 0xfb, 0x59, 0xbb, 0xaa, 0x3c, 0xf7, 0xe1, 0xf8, 0x76, 0xdd,
-+ 0x63, 0x5f, 0xaf, 0x23, 0xd6, 0x64, 0x61, 0xc0, 0x9a, 0x09, 0x47, 0xc9,
-+ 0x33, 0xdf, 0x6d, 0x55, 0x91, 0x34, 0x79, 0x70, 0xc4, 0x99, 0x6e, 0x54,
-+ 0x09, 0x64, 0x21, 0x1a, 0xbd, 0x1e, 0x80, 0x40, 0x34, 0xad, 0xfa, 0xd7
-+};
-+
-+/* SHA-512 PR */
-+__fips_constseg static const unsigned char sha512_pr_entropyinput[] = {
-+ 0x13, 0xf7, 0x61, 0x75, 0x65, 0x28, 0xa2, 0x59, 0x13, 0x5a, 0x4a, 0x4f,
-+ 0x56, 0x60, 0x8c, 0x53, 0x7d, 0xb0, 0xbd, 0x06, 0x4f, 0xed, 0xcc, 0xd2,
-+ 0xa2, 0xb5, 0xfd, 0x5b, 0x3a, 0xab, 0xec, 0x28
-+};
-+
-+__fips_constseg static const unsigned char sha512_pr_nonce[] = {
-+ 0xbe, 0xa3, 0x91, 0x93, 0x1d, 0xc3, 0x31, 0x3a, 0x23, 0x33, 0x50, 0x67,
-+ 0x88, 0xc7, 0xa2, 0xc4
-+};
-+
-+__fips_constseg static const unsigned char sha512_pr_personalizationstring[] = {
-+ 0x1f, 0x59, 0x4d, 0x7b, 0xe6, 0x46, 0x91, 0x48, 0xc1, 0x25, 0xfa, 0xff,
-+ 0x89, 0x12, 0x77, 0x35, 0xdf, 0x3e, 0xf4, 0x80, 0x5f, 0xd9, 0xb0, 0x07,
-+ 0x22, 0x41, 0xdd, 0x48, 0x78, 0x6b, 0x77, 0x2b
-+};
-+
-+__fips_constseg static const unsigned char sha512_pr_additionalinput[] = {
-+ 0x30, 0xff, 0x63, 0x6f, 0xac, 0xd9, 0x84, 0x39, 0x6f, 0xe4, 0x99, 0xce,
-+ 0x91, 0x7d, 0x7e, 0xc8, 0x58, 0xf2, 0x12, 0xc3, 0xb6, 0xad, 0xda, 0x22,
-+ 0x04, 0xa0, 0xd2, 0x21, 0xfe, 0xf2, 0x95, 0x1d
-+};
-+
-+__fips_constseg static const unsigned char sha512_pr_entropyinputpr[] = {
-+ 0x64, 0x54, 0x13, 0xec, 0x4f, 0x77, 0xda, 0xb2, 0x92, 0x2e, 0x52, 0x80,
-+ 0x11, 0x10, 0xc2, 0xf8, 0xe6, 0xa7, 0xcd, 0x4b, 0xfc, 0x32, 0x2e, 0x9e,
-+ 0xeb, 0xbb, 0xb1, 0xbf, 0x15, 0x5c, 0x73, 0x08
-+};
-+
-+__fips_constseg static const unsigned char sha512_pr_int_returnedbits[] = {
-+ 0xef, 0x1e, 0xdc, 0x0a, 0xa4, 0x36, 0x91, 0x9c, 0x3d, 0x27, 0x97, 0x50,
-+ 0x8d, 0x36, 0x29, 0x8d, 0xce, 0x6a, 0x0c, 0xf7, 0x21, 0xc0, 0x91, 0xae,
-+ 0x0c, 0x96, 0x72, 0xbd, 0x52, 0x81, 0x58, 0xfc, 0x6d, 0xe5, 0xf7, 0xa5,
-+ 0xfd, 0x5d, 0xa7, 0x58, 0x68, 0xc8, 0x99, 0x58, 0x8e, 0xc8, 0xce, 0x95,
-+ 0x01, 0x7d, 0xff, 0xa4, 0xc8, 0xf7, 0x63, 0xfe, 0x5f, 0x69, 0x83, 0x53,
-+ 0xe2, 0xc6, 0x8b, 0xc3
-+};
-+
-+__fips_constseg static const unsigned char sha512_pr_additionalinput2[] = {
-+ 0xe6, 0x9b, 0xc4, 0x88, 0x34, 0xca, 0xea, 0x29, 0x2f, 0x98, 0x05, 0xa4,
-+ 0xd3, 0xc0, 0x7b, 0x11, 0xe8, 0xbb, 0x75, 0xf2, 0xbd, 0x29, 0xb7, 0x40,
-+ 0x25, 0x7f, 0xc1, 0xb7, 0xb1, 0xf1, 0x25, 0x61
-+};
-+
-+__fips_constseg static const unsigned char sha512_pr_entropyinputpr2[] = {
-+ 0x23, 0x6d, 0xff, 0xde, 0xfb, 0xd1, 0xba, 0x33, 0x18, 0xe6, 0xbe, 0xb5,
-+ 0x48, 0x77, 0x6d, 0x7f, 0xa7, 0xe1, 0x4d, 0x48, 0x1e, 0x3c, 0xa7, 0x34,
-+ 0x1a, 0xc8, 0x60, 0xdb, 0x8f, 0x99, 0x15, 0x99
-+};
-+
-+__fips_constseg static const unsigned char sha512_pr_returnedbits[] = {
-+ 0x70, 0x27, 0x31, 0xdb, 0x92, 0x70, 0x21, 0xfe, 0x16, 0xb6, 0xc8, 0x51,
-+ 0x34, 0x87, 0x65, 0xd0, 0x4e, 0xfd, 0xfe, 0x68, 0xec, 0xac, 0xdc, 0x93,
-+ 0x41, 0x38, 0x92, 0x90, 0xb4, 0x94, 0xf9, 0x0d, 0xa4, 0xf7, 0x4e, 0x80,
-+ 0x92, 0x67, 0x48, 0x40, 0xa7, 0x08, 0xc7, 0xbc, 0x66, 0x00, 0xfd, 0xf7,
-+ 0x4c, 0x8b, 0x17, 0x6e, 0xd1, 0x8f, 0x9b, 0xf3, 0x6f, 0xf6, 0x34, 0xdd,
-+ 0x67, 0xf7, 0x68, 0xdd
-+};
-+
-+/* SHA-512 No PR */
-+__fips_constseg static const unsigned char sha512_entropyinput[] = {
-+ 0xb6, 0x0b, 0xb7, 0xbc, 0x84, 0x56, 0xf6, 0x12, 0xaf, 0x45, 0x67, 0x17,
-+ 0x7c, 0xd1, 0xb2, 0x78, 0x2b, 0xa0, 0xf2, 0xbe, 0xb6, 0x6d, 0x8b, 0x56,
-+ 0xc6, 0xbc, 0x4d, 0xe1, 0xf7, 0xbe, 0xce, 0xbd
-+};
-+
-+__fips_constseg static const unsigned char sha512_nonce[] = {
-+ 0x9d, 0xed, 0xc0, 0xe5, 0x5a, 0x98, 0x6a, 0xcb, 0x51, 0x7d, 0x76, 0x31,
-+ 0x5a, 0x64, 0xf0, 0xf7
-+};
-+
-+__fips_constseg static const unsigned char sha512_personalizationstring[] = {
-+ 0xc2, 0x6d, 0xa3, 0xc3, 0x06, 0x74, 0xe5, 0x01, 0x5c, 0x10, 0x17, 0xc7,
-+ 0xaf, 0x83, 0x9d, 0x59, 0x8d, 0x2d, 0x29, 0x38, 0xc5, 0x59, 0x70, 0x8b,
-+ 0x46, 0x48, 0x2d, 0xcf, 0x36, 0x7d, 0x59, 0xc0
-+};
-+
-+__fips_constseg static const unsigned char sha512_additionalinput[] = {
-+ 0xec, 0x8c, 0xd4, 0xf7, 0x61, 0x6e, 0x0d, 0x95, 0x79, 0xb7, 0x28, 0xad,
-+ 0x5f, 0x69, 0x74, 0x5f, 0x2d, 0x36, 0x06, 0x8a, 0x6b, 0xac, 0x54, 0x97,
-+ 0xc4, 0xa1, 0x12, 0x85, 0x0a, 0xdf, 0x4b, 0x34
-+};
-+
-+__fips_constseg static const unsigned char sha512_int_returnedbits[] = {
-+ 0x84, 0x2f, 0x1f, 0x68, 0x6a, 0xa3, 0xad, 0x1e, 0xfb, 0xf4, 0x15, 0xbd,
-+ 0xde, 0x38, 0xd4, 0x30, 0x80, 0x51, 0xe9, 0xd3, 0xc7, 0x20, 0x88, 0xe9,
-+ 0xf5, 0xcc, 0xdf, 0x57, 0x5c, 0x47, 0x2f, 0x57, 0x3c, 0x5f, 0x13, 0x56,
-+ 0xcc, 0xc5, 0x4f, 0x84, 0xf8, 0x10, 0x41, 0xd5, 0x7e, 0x58, 0x6e, 0x19,
-+ 0x19, 0x9e, 0xaf, 0xc2, 0x22, 0x58, 0x41, 0x50, 0x79, 0xc2, 0xd8, 0x04,
-+ 0x28, 0xd4, 0x39, 0x9a
-+};
-+
-+__fips_constseg static const unsigned char sha512_entropyinputreseed[] = {
-+ 0xfa, 0x7f, 0x46, 0x51, 0x83, 0x62, 0x98, 0x16, 0x9a, 0x19, 0xa2, 0x49,
-+ 0xa9, 0xe6, 0x4a, 0xd8, 0x85, 0xe7, 0xd4, 0x3b, 0x2c, 0x82, 0xc5, 0x82,
-+ 0xbf, 0x11, 0xf9, 0x9e, 0xbc, 0xd0, 0x01, 0xee
-+};
-+
-+__fips_constseg static const unsigned char sha512_additionalinputreseed[] = {
-+ 0xb9, 0x12, 0xe0, 0x4f, 0xf7, 0xa7, 0xc4, 0xd8, 0xd0, 0x8e, 0x99, 0x29,
-+ 0x7c, 0x9a, 0xe9, 0xcf, 0xc4, 0x6c, 0xf8, 0xc3, 0xa7, 0x41, 0x83, 0xd6,
-+ 0x2e, 0xfa, 0xb8, 0x5e, 0x8e, 0x6b, 0x78, 0x20
-+};
-+
-+__fips_constseg static const unsigned char sha512_additionalinput2[] = {
-+ 0xd7, 0x07, 0x52, 0xb9, 0x83, 0x2c, 0x03, 0x71, 0xee, 0xc9, 0xc0, 0x85,
-+ 0xe1, 0x57, 0xb2, 0xcd, 0x3a, 0xf0, 0xc9, 0x34, 0x24, 0x41, 0x1c, 0x42,
-+ 0x99, 0xb2, 0x84, 0xe9, 0x17, 0xd2, 0x76, 0x92
-+};
-+
-+__fips_constseg static const unsigned char sha512_returnedbits[] = {
-+ 0x36, 0x17, 0x5d, 0x98, 0x2b, 0x65, 0x25, 0x8e, 0xc8, 0x29, 0xdf, 0x27,
-+ 0x05, 0x36, 0x26, 0x12, 0x8a, 0x68, 0x74, 0x27, 0x37, 0xd4, 0x7f, 0x32,
-+ 0xb1, 0x12, 0xd6, 0x85, 0x83, 0xeb, 0x2e, 0xa0, 0xed, 0x4b, 0xb5, 0x7b,
-+ 0x6f, 0x39, 0x3c, 0x71, 0x77, 0x02, 0x12, 0xcc, 0x2c, 0x3a, 0x8e, 0x63,
-+ 0xdf, 0x4a, 0xbd, 0x6f, 0x6e, 0x2e, 0xed, 0x0a, 0x85, 0xa5, 0x2f, 0xa2,
-+ 0x68, 0xde, 0x42, 0xb5
-+};
-+
-+/* HMAC SHA-1 PR */
-+__fips_constseg static const unsigned char hmac_sha1_pr_entropyinput[] = {
-+ 0x26, 0x5f, 0x36, 0x14, 0xff, 0x3d, 0x83, 0xfa, 0x73, 0x5e, 0x75, 0xdc,
-+ 0x2c, 0x18, 0x17, 0x1b
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha1_pr_nonce[] = {
-+ 0xc8, 0xe3, 0x57, 0xa5, 0x7b, 0x74, 0x86, 0x6e
-+};
-+
-+__fips_constseg
-+ static const unsigned char hmac_sha1_pr_personalizationstring[] = {
-+ 0x6e, 0xdb, 0x0d, 0xfe, 0x7d, 0xac, 0x79, 0xd0, 0xa5, 0x3a, 0x48, 0x85,
-+ 0x80, 0xe2, 0x7f, 0x2a
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha1_pr_additionalinput[] = {
-+ 0x31, 0xcd, 0x5e, 0x43, 0xdc, 0xfb, 0x7a, 0x79, 0xca, 0x88, 0xde, 0x1f,
-+ 0xd7, 0xbb, 0x42, 0x09
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha1_pr_entropyinputpr[] = {
-+ 0x7c, 0x23, 0x95, 0x38, 0x00, 0x95, 0xc1, 0x78, 0x1f, 0x8f, 0xd7, 0x63,
-+ 0x23, 0x87, 0x2a, 0xed
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha1_pr_int_returnedbits[] = {
-+ 0xbb, 0x34, 0xe7, 0x93, 0xa3, 0x02, 0x2c, 0x4a, 0xd0, 0x89, 0xda, 0x7f,
-+ 0xed, 0xf4, 0x4c, 0xde, 0x17, 0xec, 0xe5, 0x6c
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha1_pr_additionalinput2[] = {
-+ 0x49, 0xbc, 0x2d, 0x2c, 0xb7, 0x32, 0xcb, 0x20, 0xdf, 0xf5, 0x77, 0x58,
-+ 0xa0, 0x4b, 0x93, 0x6e
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha1_pr_entropyinputpr2[] = {
-+ 0x3c, 0xaa, 0xb0, 0x21, 0x42, 0xb0, 0xdd, 0x34, 0xf0, 0x16, 0x7f, 0x0c,
-+ 0x0f, 0xff, 0x2e, 0xaf
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha1_pr_returnedbits[] = {
-+ 0x8e, 0xcb, 0xa3, 0x64, 0xb2, 0xb8, 0x33, 0x6c, 0x64, 0x3b, 0x78, 0x16,
-+ 0x99, 0x35, 0xc8, 0x30, 0xcb, 0x3e, 0xa0, 0xd8
-+};
-+
-+/* HMAC SHA-1 No PR */
-+__fips_constseg static const unsigned char hmac_sha1_entropyinput[] = {
-+ 0x32, 0x9a, 0x2a, 0x87, 0x7b, 0x89, 0x7c, 0xf6, 0xcb, 0x95, 0xd5, 0x40,
-+ 0x17, 0xfe, 0x47, 0x70
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha1_nonce[] = {
-+ 0x16, 0xd8, 0xe0, 0xc7, 0x52, 0xcf, 0x4a, 0x25
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha1_personalizationstring[] = {
-+ 0x35, 0x35, 0xa9, 0xa5, 0x40, 0xbe, 0x9b, 0xd1, 0x56, 0xdd, 0x44, 0x00,
-+ 0x72, 0xf7, 0xd3, 0x5e
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha1_additionalinput[] = {
-+ 0x1b, 0x2c, 0x84, 0x2d, 0x4a, 0x89, 0x8f, 0x69, 0x19, 0xf1, 0xf3, 0xdb,
-+ 0xbb, 0xe3, 0xaa, 0xea
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha1_int_returnedbits[] = {
-+ 0xcf, 0xfa, 0x7d, 0x72, 0x0f, 0xe6, 0xc7, 0x96, 0xa0, 0x69, 0x31, 0x11,
-+ 0x9b, 0x0b, 0x1a, 0x20, 0x1f, 0x3f, 0xaa, 0xd1
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha1_entropyinputreseed[] = {
-+ 0x90, 0x75, 0x15, 0x04, 0x95, 0xf1, 0xba, 0x81, 0x0c, 0x37, 0x94, 0x6f,
-+ 0x86, 0x52, 0x6d, 0x9c
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha1_additionalinputreseed[] = {
-+ 0x5b, 0x40, 0xba, 0x5f, 0x17, 0x70, 0xf0, 0x4b, 0xdf, 0xc9, 0x97, 0x92,
-+ 0x79, 0xc5, 0x82, 0x28
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha1_additionalinput2[] = {
-+ 0x97, 0xc8, 0x80, 0x90, 0xb3, 0xaa, 0x6e, 0x60, 0xea, 0x83, 0x7a, 0xe3,
-+ 0x8a, 0xca, 0xa4, 0x7f
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha1_returnedbits[] = {
-+ 0x90, 0xbd, 0x05, 0x56, 0x6d, 0xb5, 0x22, 0xd5, 0xb9, 0x5a, 0x29, 0x2d,
-+ 0xe9, 0x0b, 0xe1, 0xac, 0xde, 0x27, 0x0b, 0xb0
-+};
-+
-+/* HMAC SHA-224 PR */
-+__fips_constseg static const unsigned char hmac_sha224_pr_entropyinput[] = {
-+ 0x17, 0x32, 0x2b, 0x2e, 0x6f, 0x1b, 0x9c, 0x6d, 0x31, 0xe0, 0x34, 0x07,
-+ 0xcf, 0xed, 0xf6, 0xb6, 0x5a, 0x76, 0x4c, 0xbc, 0x62, 0x85, 0x01, 0x90
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha224_pr_nonce[] = {
-+ 0x38, 0xbf, 0x5f, 0x20, 0xb3, 0x68, 0x2f, 0x43, 0x61, 0x05, 0x8f, 0x23
-+};
-+
-+__fips_constseg
-+ static const unsigned char hmac_sha224_pr_personalizationstring[] = {
-+ 0xc0, 0xc9, 0x45, 0xac, 0x8d, 0x27, 0x77, 0x08, 0x0b, 0x17, 0x6d, 0xed,
-+ 0xc1, 0x7d, 0xd5, 0x07, 0x9d, 0x6e, 0xf8, 0x23, 0x2a, 0x22, 0x13, 0xbd
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha224_pr_additionalinput[] = {
-+ 0xa4, 0x3c, 0xe7, 0x3b, 0xea, 0x19, 0x45, 0x32, 0xc2, 0x83, 0x6d, 0x21,
-+ 0x8a, 0xc0, 0xee, 0x67, 0x45, 0xde, 0x13, 0x7d, 0x9d, 0x61, 0x00, 0x3b
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha224_pr_entropyinputpr[] = {
-+ 0x15, 0x05, 0x74, 0x4a, 0x7f, 0x8d, 0x5c, 0x60, 0x16, 0xe5, 0x7b, 0xad,
-+ 0xf5, 0x41, 0x8f, 0x55, 0x60, 0xc4, 0x09, 0xee, 0x1e, 0x11, 0x81, 0xab
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha224_pr_int_returnedbits[] = {
-+ 0x6f, 0xf5, 0x9a, 0xe2, 0x54, 0x53, 0x30, 0x3d, 0x5a, 0x27, 0x29, 0x38,
-+ 0x27, 0xf2, 0x0d, 0x05, 0xe9, 0x26, 0xcb, 0x16, 0xc3, 0x51, 0x5f, 0x13,
-+ 0x41, 0xfe, 0x99, 0xf2
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha224_pr_additionalinput2[] = {
-+ 0x73, 0x81, 0x88, 0x84, 0x8f, 0xed, 0x6f, 0x10, 0x9f, 0x93, 0xbf, 0x17,
-+ 0x35, 0x7c, 0xef, 0xd5, 0x8d, 0x26, 0xa6, 0x7a, 0xe8, 0x09, 0x36, 0x4f
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha224_pr_entropyinputpr2[] = {
-+ 0xe6, 0xcf, 0xcf, 0x7e, 0x12, 0xe5, 0x43, 0xd2, 0x38, 0xd8, 0x24, 0x6f,
-+ 0x5a, 0x37, 0x68, 0xbf, 0x4f, 0xa0, 0xff, 0xd5, 0x61, 0x8a, 0x93, 0xe0
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha224_pr_returnedbits[] = {
-+ 0xaf, 0xf9, 0xd8, 0x19, 0x91, 0x30, 0x82, 0x6f, 0xa9, 0x1e, 0x9d, 0xd7,
-+ 0xf3, 0x50, 0xe0, 0xc7, 0xd5, 0x64, 0x96, 0x7d, 0x4c, 0x4d, 0x78, 0x03,
-+ 0x6d, 0xd8, 0x9e, 0x72
-+};
-+
-+/* HMAC SHA-224 No PR */
-+__fips_constseg static const unsigned char hmac_sha224_entropyinput[] = {
-+ 0x11, 0x82, 0xfd, 0xd9, 0x42, 0xf4, 0xfa, 0xc8, 0xf2, 0x41, 0xe6, 0x54,
-+ 0x01, 0xae, 0x22, 0x6e, 0xc6, 0xaf, 0xaf, 0xd0, 0xa6, 0xb2, 0xe2, 0x6d
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha224_nonce[] = {
-+ 0xa9, 0x48, 0xd7, 0x92, 0x39, 0x7e, 0x2a, 0xdc, 0x30, 0x1f, 0x0e, 0x2b
-+};
-+
-+__fips_constseg
-+ static const unsigned char hmac_sha224_personalizationstring[] = {
-+ 0x11, 0xd5, 0xf4, 0xbd, 0x67, 0x8c, 0x31, 0xcf, 0xa3, 0x3f, 0x1e, 0x6b,
-+ 0xa8, 0x07, 0x02, 0x0b, 0xc8, 0x2e, 0x6c, 0x64, 0x41, 0x5b, 0xc8, 0x37
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha224_additionalinput[] = {
-+ 0x68, 0x18, 0xc2, 0x06, 0xeb, 0x3e, 0x04, 0x95, 0x44, 0x5e, 0xfb, 0xe6,
-+ 0x41, 0xc1, 0x5c, 0xcc, 0x40, 0x2f, 0xb7, 0xd2, 0x0f, 0xf3, 0x6b, 0xe7
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha224_int_returnedbits[] = {
-+ 0x7f, 0x45, 0xc7, 0x5d, 0x32, 0xe6, 0x17, 0x60, 0xba, 0xdc, 0xb8, 0x42,
-+ 0x1b, 0x9c, 0xf1, 0xfa, 0x3b, 0x4d, 0x29, 0x54, 0xc6, 0x90, 0xff, 0x5c,
-+ 0xcd, 0xd6, 0xa9, 0xcc
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha224_entropyinputreseed[] = {
-+ 0xc4, 0x8e, 0x37, 0x95, 0x69, 0x53, 0x28, 0xd7, 0x37, 0xbb, 0x70, 0x95,
-+ 0x1c, 0x07, 0x1d, 0xd9, 0xb7, 0xe6, 0x1b, 0xbb, 0xfe, 0x41, 0xeb, 0xc9
-+};
-+
-+__fips_constseg
-+ static const unsigned char hmac_sha224_additionalinputreseed[] = {
-+ 0x53, 0x17, 0xa1, 0x6a, 0xfa, 0x77, 0x47, 0xb0, 0x95, 0x56, 0x9a, 0x20,
-+ 0x57, 0xde, 0x5c, 0x89, 0x9f, 0x7f, 0xe2, 0xde, 0x17, 0x3a, 0x50, 0x23
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha224_additionalinput2[] = {
-+ 0x3a, 0x32, 0xf9, 0x85, 0x0c, 0xc1, 0xed, 0x76, 0x2d, 0xdf, 0x40, 0xc3,
-+ 0x06, 0x22, 0x66, 0xd4, 0x9a, 0x9a, 0xff, 0x5a, 0x7e, 0x7a, 0xf3, 0x96
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha224_returnedbits[] = {
-+ 0x43, 0xb4, 0x57, 0x5c, 0x38, 0x25, 0x9d, 0xae, 0xec, 0x96, 0xd1, 0x85,
-+ 0x3a, 0x84, 0x8d, 0xfe, 0x68, 0xd5, 0x0e, 0x5c, 0x8f, 0x65, 0xa5, 0x4e,
-+ 0x45, 0x84, 0xa8, 0x94
-+};
-+
-+/* HMAC SHA-256 PR */
-+__fips_constseg static const unsigned char hmac_sha256_pr_entropyinput[] = {
-+ 0x4d, 0xb0, 0x43, 0xd8, 0x34, 0x4b, 0x10, 0x70, 0xb1, 0x8b, 0xed, 0xea,
-+ 0x07, 0x92, 0x9f, 0x6c, 0x79, 0x31, 0xaf, 0x81, 0x29, 0xeb, 0x6e, 0xca,
-+ 0x32, 0x48, 0x28, 0xe7, 0x02, 0x5d, 0xa6, 0xa6
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha256_pr_nonce[] = {
-+ 0x3a, 0xae, 0x15, 0xa9, 0x99, 0xdc, 0xe4, 0x67, 0x34, 0x3b, 0x70, 0x15,
-+ 0xaa, 0xd3, 0x30, 0x9a
-+};
-+
-+__fips_constseg
-+ static const unsigned char hmac_sha256_pr_personalizationstring[] = {
-+ 0x13, 0x1d, 0x24, 0x04, 0xb0, 0x18, 0x81, 0x15, 0x21, 0x51, 0x2a, 0x24,
-+ 0x52, 0x61, 0xbe, 0x64, 0x82, 0x6b, 0x55, 0x2f, 0xe2, 0xf1, 0x40, 0x7d,
-+ 0x71, 0xd8, 0x01, 0x86, 0x15, 0xb7, 0x8b, 0xb5
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha256_pr_additionalinput[] = {
-+ 0x8f, 0xa6, 0x54, 0x5f, 0xb1, 0xd0, 0xd8, 0xc3, 0xe7, 0x0c, 0x15, 0xa9,
-+ 0x23, 0x6e, 0xfe, 0xfb, 0x93, 0xf7, 0x3a, 0xbd, 0x59, 0x01, 0xfa, 0x18,
-+ 0x8e, 0xe9, 0x1a, 0xa9, 0x78, 0xfc, 0x79, 0x0b
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha256_pr_entropyinputpr[] = {
-+ 0xcf, 0x24, 0xb9, 0xeb, 0xb3, 0xd4, 0xcd, 0x17, 0x37, 0x38, 0x75, 0x79,
-+ 0x15, 0xcb, 0x2d, 0x75, 0x51, 0xf1, 0xcc, 0xaa, 0x32, 0xa4, 0xa7, 0x36,
-+ 0x7c, 0x5c, 0xe4, 0x47, 0xf1, 0x3e, 0x1d, 0xe5
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha256_pr_int_returnedbits[] = {
-+ 0x52, 0x42, 0xfa, 0xeb, 0x85, 0xe0, 0x30, 0x22, 0x79, 0x00, 0x16, 0xb2,
-+ 0x88, 0x2f, 0x14, 0x6a, 0xb7, 0xfc, 0xb7, 0x53, 0xdc, 0x4a, 0x12, 0xef,
-+ 0x54, 0xd6, 0x33, 0xe9, 0x20, 0xd6, 0xfd, 0x56
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha256_pr_additionalinput2[] = {
-+ 0xf4, 0xf6, 0x49, 0xa1, 0x2d, 0x64, 0x2b, 0x30, 0x58, 0xf8, 0xbd, 0xb8,
-+ 0x75, 0xeb, 0xbb, 0x5e, 0x1c, 0x9b, 0x81, 0x6a, 0xda, 0x14, 0x86, 0x6e,
-+ 0xd0, 0xda, 0x18, 0xb7, 0x88, 0xfb, 0x59, 0xf3
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha256_pr_entropyinputpr2[] = {
-+ 0x21, 0xcd, 0x6e, 0x46, 0xad, 0x99, 0x07, 0x17, 0xb4, 0x3d, 0x76, 0x0a,
-+ 0xff, 0x5b, 0x52, 0x50, 0x78, 0xdf, 0x1f, 0x24, 0x06, 0x0d, 0x3f, 0x74,
-+ 0xa9, 0xc9, 0x37, 0xcf, 0xd8, 0x26, 0x25, 0x91
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha256_pr_returnedbits[] = {
-+ 0xa7, 0xaf, 0x2f, 0x29, 0xe0, 0x3a, 0x72, 0x95, 0x96, 0x1c, 0xa9, 0xf0,
-+ 0x4a, 0x17, 0x4d, 0x66, 0x06, 0x10, 0xbf, 0x39, 0x89, 0x88, 0xb8, 0x91,
-+ 0x37, 0x18, 0x99, 0xcf, 0x8c, 0x53, 0x3b, 0x7e
-+};
-+
-+/* HMAC SHA-256 No PR */
-+__fips_constseg static const unsigned char hmac_sha256_entropyinput[] = {
-+ 0x96, 0xb7, 0x53, 0x22, 0x1e, 0x52, 0x2a, 0x96, 0xb1, 0x15, 0x3c, 0x35,
-+ 0x5a, 0x8b, 0xd3, 0x4a, 0xa6, 0x6c, 0x83, 0x0a, 0x7d, 0xa3, 0x23, 0x3d,
-+ 0x43, 0xa1, 0x07, 0x2c, 0x2d, 0xe3, 0x81, 0xcc
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha256_nonce[] = {
-+ 0xf1, 0xac, 0x97, 0xcb, 0x5e, 0x06, 0x48, 0xd2, 0x94, 0xbe, 0x15, 0x2e,
-+ 0xc7, 0xfc, 0xc2, 0x01
-+};
-+
-+__fips_constseg
-+ static const unsigned char hmac_sha256_personalizationstring[] = {
-+ 0x98, 0xc5, 0x1e, 0x35, 0x5e, 0x89, 0x0d, 0xce, 0x64, 0x6d, 0x18, 0xa7,
-+ 0x5a, 0xc6, 0xf3, 0xe7, 0xd6, 0x9e, 0xc0, 0xea, 0xb7, 0x3a, 0x8d, 0x65,
-+ 0xb8, 0xeb, 0x10, 0xd7, 0x57, 0x18, 0xa0, 0x32
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha256_additionalinput[] = {
-+ 0x1b, 0x10, 0xaf, 0xac, 0xd0, 0x65, 0x95, 0xad, 0x04, 0xad, 0x03, 0x1c,
-+ 0xe0, 0x40, 0xd6, 0x3e, 0x1c, 0x46, 0x53, 0x39, 0x7c, 0xe2, 0xbc, 0xda,
-+ 0x8c, 0xa2, 0x33, 0xa7, 0x9a, 0x26, 0xd3, 0x27
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha256_int_returnedbits[] = {
-+ 0xba, 0x61, 0x0e, 0x55, 0xfe, 0x11, 0x8a, 0x9e, 0x0f, 0x80, 0xdf, 0x1d,
-+ 0x03, 0x0a, 0xfe, 0x15, 0x94, 0x28, 0x4b, 0xba, 0xf4, 0x9f, 0x51, 0x25,
-+ 0x88, 0xe5, 0x4e, 0xfb, 0xaf, 0xce, 0x69, 0x90
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha256_entropyinputreseed[] = {
-+ 0x62, 0x7f, 0x1e, 0x6b, 0xe8, 0x8e, 0xe1, 0x35, 0x7d, 0x9b, 0x4f, 0xc7,
-+ 0xec, 0xc8, 0xac, 0xef, 0x6b, 0x13, 0x9e, 0x05, 0x56, 0xc1, 0x08, 0xf9,
-+ 0x2f, 0x0f, 0x27, 0x9c, 0xd4, 0x15, 0xed, 0x2d
-+};
-+
-+__fips_constseg
-+ static const unsigned char hmac_sha256_additionalinputreseed[] = {
-+ 0xc7, 0x76, 0x6e, 0xa9, 0xd2, 0xb2, 0x76, 0x40, 0x82, 0x25, 0x2c, 0xb3,
-+ 0x6f, 0xac, 0xe9, 0x74, 0xef, 0x8f, 0x3c, 0x8e, 0xcd, 0xf1, 0xbf, 0xb3,
-+ 0x49, 0x77, 0x34, 0x88, 0x52, 0x36, 0xe6, 0x2e
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha256_additionalinput2[] = {
-+ 0x8d, 0xb8, 0x0c, 0xd1, 0xbf, 0x70, 0xf6, 0x19, 0xc3, 0x41, 0x80, 0x9f,
-+ 0xe1, 0xa5, 0xa4, 0x1f, 0x2c, 0x26, 0xb1, 0xe5, 0xd8, 0xeb, 0xbe, 0xf8,
-+ 0xdf, 0x88, 0x6a, 0x89, 0xd6, 0x05, 0xd8, 0x9d
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha256_returnedbits[] = {
-+ 0x43, 0x12, 0x2a, 0x2c, 0x40, 0x53, 0x2e, 0x7c, 0x66, 0x34, 0xac, 0xc3,
-+ 0x43, 0xe3, 0xe0, 0x6a, 0xfc, 0xfa, 0xea, 0x87, 0x21, 0x1f, 0xe2, 0x26,
-+ 0xc4, 0xf9, 0x09, 0x9a, 0x0d, 0x6e, 0x7f, 0xe0
-+};
-+
-+/* HMAC SHA-384 PR */
-+__fips_constseg static const unsigned char hmac_sha384_pr_entropyinput[] = {
-+ 0x69, 0x81, 0x98, 0x88, 0x44, 0xf5, 0xd6, 0x2e, 0x00, 0x08, 0x3b, 0xc5,
-+ 0xfb, 0xd7, 0x8e, 0x6f, 0x23, 0xf8, 0x6d, 0x09, 0xd6, 0x85, 0x49, 0xd1,
-+ 0xf8, 0x6d, 0xa4, 0x58, 0x54, 0xfd, 0x88, 0xa9
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha384_pr_nonce[] = {
-+ 0x6e, 0x38, 0x81, 0xca, 0xb7, 0xe8, 0x6e, 0x66, 0x49, 0x8a, 0xb2, 0x59,
-+ 0xee, 0x16, 0xc9, 0xde
-+};
-+
-+__fips_constseg
-+ static const unsigned char hmac_sha384_pr_personalizationstring[] = {
-+ 0xfe, 0x4c, 0xd9, 0xf4, 0x78, 0x3b, 0x08, 0x41, 0x8d, 0x8f, 0x55, 0xc4,
-+ 0x43, 0x56, 0xb6, 0x12, 0x36, 0x6b, 0x30, 0xb7, 0x5e, 0xe1, 0xb9, 0x47,
-+ 0x04, 0xb1, 0x4e, 0xa9, 0x00, 0xa1, 0x52, 0xa1
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha384_pr_additionalinput[] = {
-+ 0x89, 0xe9, 0xcc, 0x8f, 0x27, 0x3c, 0x26, 0xd1, 0x95, 0xc8, 0x7d, 0x0f,
-+ 0x5b, 0x1a, 0xf0, 0x78, 0x39, 0x56, 0x6f, 0xa4, 0x23, 0xe7, 0xd1, 0xda,
-+ 0x7c, 0x66, 0x33, 0xa0, 0x90, 0xc9, 0x92, 0x88
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha384_pr_entropyinputpr[] = {
-+ 0xbe, 0x3d, 0x7c, 0x0d, 0xca, 0xda, 0x7c, 0x49, 0xb8, 0x12, 0x36, 0xc0,
-+ 0xdb, 0xad, 0x35, 0xa8, 0xc7, 0x0b, 0x2a, 0x2c, 0x69, 0x6d, 0x25, 0x56,
-+ 0x63, 0x82, 0x11, 0x3e, 0xa7, 0x33, 0x70, 0x72
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha384_pr_int_returnedbits[] = {
-+ 0x82, 0x3d, 0xe6, 0x54, 0x80, 0x42, 0xf8, 0xba, 0x90, 0x4f, 0x06, 0xa6,
-+ 0xd2, 0x7f, 0xbf, 0x79, 0x7c, 0x12, 0x7d, 0xa6, 0xa2, 0x66, 0xe8, 0xa6,
-+ 0xc0, 0xd6, 0x4a, 0x55, 0xbf, 0xd8, 0x0a, 0xc5, 0xf8, 0x03, 0x88, 0xdd,
-+ 0x8e, 0x87, 0xd1, 0x5a, 0x48, 0x26, 0x72, 0x2a, 0x8e, 0xcf, 0xee, 0xba
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha384_pr_additionalinput2[] = {
-+ 0x8f, 0xff, 0xd9, 0x84, 0xbb, 0x85, 0x3a, 0x66, 0xa1, 0x21, 0xce, 0xb2,
-+ 0x3a, 0x3a, 0x17, 0x22, 0x19, 0xae, 0xc7, 0xb6, 0x63, 0x81, 0xd5, 0xff,
-+ 0x0d, 0xc8, 0xe1, 0xaf, 0x57, 0xd2, 0xcb, 0x60
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha384_pr_entropyinputpr2[] = {
-+ 0xd7, 0xfb, 0xc9, 0xe8, 0xe2, 0xf2, 0xaa, 0x4c, 0xb8, 0x51, 0x2f, 0xe1,
-+ 0x22, 0xba, 0xf3, 0xda, 0x0a, 0x19, 0x76, 0x71, 0x57, 0xb2, 0x1d, 0x94,
-+ 0x09, 0x69, 0x6c, 0xd3, 0x97, 0x51, 0x81, 0x87
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha384_pr_returnedbits[] = {
-+ 0xe6, 0x19, 0x28, 0xa8, 0x21, 0xce, 0x5e, 0xdb, 0x24, 0x79, 0x8c, 0x76,
-+ 0x5d, 0x73, 0xb2, 0xdf, 0xac, 0xef, 0x85, 0xa7, 0x3b, 0x19, 0x09, 0x8b,
-+ 0x7f, 0x98, 0x28, 0xa9, 0x93, 0xd8, 0x7a, 0xad, 0x55, 0x8b, 0x24, 0x9d,
-+ 0xe6, 0x98, 0xfe, 0x47, 0xd5, 0x48, 0xc1, 0x23, 0xd8, 0x1d, 0x62, 0x75
-+};
-+
-+/* HMAC SHA-384 No PR */
-+__fips_constseg static const unsigned char hmac_sha384_entropyinput[] = {
-+ 0xc3, 0x56, 0x2b, 0x1d, 0xc2, 0xbb, 0xa8, 0xf0, 0xae, 0x1b, 0x0d, 0xd3,
-+ 0x5a, 0x6c, 0xda, 0x57, 0x8e, 0xa5, 0x8a, 0x0d, 0x6c, 0x4b, 0x18, 0xb1,
-+ 0x04, 0x3e, 0xb4, 0x99, 0x35, 0xc4, 0xc0, 0x5f
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha384_nonce[] = {
-+ 0xc5, 0x49, 0x1e, 0x66, 0x27, 0x92, 0xbe, 0xec, 0xb5, 0x1e, 0x4b, 0xb1,
-+ 0x38, 0xe3, 0xeb, 0x62
-+};
-+
-+__fips_constseg
-+ static const unsigned char hmac_sha384_personalizationstring[] = {
-+ 0xbe, 0xe7, 0x6b, 0x57, 0xde, 0x88, 0x11, 0x96, 0x9b, 0x6e, 0xea, 0xe5,
-+ 0x63, 0x83, 0x4c, 0xb6, 0x8d, 0x66, 0xaa, 0x1f, 0x8b, 0x54, 0xe7, 0x62,
-+ 0x6d, 0x5a, 0xfc, 0xbf, 0x97, 0xba, 0xcd, 0x77
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha384_additionalinput[] = {
-+ 0xe5, 0x28, 0x5f, 0x43, 0xf5, 0x83, 0x6e, 0x0a, 0x83, 0x5c, 0xe3, 0x81,
-+ 0x03, 0xf2, 0xf8, 0x78, 0x00, 0x7c, 0x95, 0x87, 0x16, 0xd6, 0x6c, 0x58,
-+ 0x33, 0x6c, 0x53, 0x35, 0x0d, 0x66, 0xe3, 0xce
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha384_int_returnedbits[] = {
-+ 0xe2, 0x1f, 0xf3, 0xda, 0x0d, 0x19, 0x99, 0x87, 0xc4, 0x90, 0xa2, 0x31,
-+ 0xca, 0x2a, 0x89, 0x58, 0x43, 0x44, 0xb8, 0xde, 0xcf, 0xa4, 0xbe, 0x3b,
-+ 0x53, 0x26, 0x22, 0x31, 0x76, 0x41, 0x22, 0xb5, 0xa8, 0x70, 0x2f, 0x4b,
-+ 0x64, 0x95, 0x4d, 0x48, 0x96, 0x35, 0xe6, 0xbd, 0x3c, 0x34, 0xdb, 0x1b
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha384_entropyinputreseed[] = {
-+ 0x77, 0x61, 0xba, 0xbc, 0xf2, 0xc1, 0xf3, 0x4b, 0x86, 0x65, 0xfd, 0x48,
-+ 0x0e, 0x3c, 0x02, 0x5e, 0xa2, 0x7a, 0x6b, 0x7c, 0xed, 0x21, 0x5e, 0xf9,
-+ 0xcd, 0xcd, 0x77, 0x07, 0x2b, 0xbe, 0xc5, 0x5c
-+};
-+
-+__fips_constseg
-+ static const unsigned char hmac_sha384_additionalinputreseed[] = {
-+ 0x18, 0x24, 0x5f, 0xc6, 0x84, 0xd1, 0x67, 0xc3, 0x9a, 0x11, 0xa5, 0x8c,
-+ 0x07, 0x39, 0x21, 0x83, 0x4d, 0x04, 0xc4, 0x6a, 0x28, 0x19, 0xcf, 0x92,
-+ 0x21, 0xd9, 0x9e, 0x41, 0x72, 0x6c, 0x9e, 0x63
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha384_additionalinput2[] = {
-+ 0x96, 0x67, 0x41, 0x28, 0x9b, 0xb7, 0x92, 0x8d, 0x64, 0x3b, 0xe4, 0xcf,
-+ 0x7e, 0xaa, 0x1e, 0xb1, 0x4b, 0x1d, 0x09, 0x56, 0x67, 0x9c, 0xc6, 0x6d,
-+ 0x3b, 0xe8, 0x91, 0x9d, 0xe1, 0x8a, 0xb7, 0x32
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha384_returnedbits[] = {
-+ 0xe3, 0x59, 0x61, 0x38, 0x92, 0xec, 0xe2, 0x3c, 0xff, 0xb7, 0xdb, 0x19,
-+ 0x0f, 0x5b, 0x93, 0x68, 0x0d, 0xa4, 0x94, 0x40, 0x72, 0x0b, 0xe0, 0xed,
-+ 0x4d, 0xcd, 0x68, 0xa0, 0x1e, 0xfe, 0x67, 0xb2, 0xfa, 0x21, 0x56, 0x74,
-+ 0xa4, 0xad, 0xcf, 0xb7, 0x60, 0x66, 0x2e, 0x40, 0xde, 0x82, 0xca, 0xfb
-+};
-+
-+/* HMAC SHA-512 PR */
-+__fips_constseg static const unsigned char hmac_sha512_pr_entropyinput[] = {
-+ 0xaa, 0x9e, 0x45, 0x67, 0x0e, 0x00, 0x2a, 0x67, 0x98, 0xd6, 0xda, 0x0b,
-+ 0x0f, 0x17, 0x7e, 0xac, 0xfd, 0x27, 0xc4, 0xca, 0x84, 0xdf, 0xde, 0xba,
-+ 0x85, 0xd9, 0xbe, 0x8f, 0xf3, 0xff, 0x91, 0x4d
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha512_pr_nonce[] = {
-+ 0x8c, 0x49, 0x2f, 0x58, 0x1e, 0x7a, 0xda, 0x4b, 0x7e, 0x8a, 0x30, 0x7b,
-+ 0x86, 0xea, 0xaf, 0xa2
-+};
-+
-+__fips_constseg
-+ static const unsigned char hmac_sha512_pr_personalizationstring[] = {
-+ 0x71, 0xe1, 0xbb, 0xad, 0xa7, 0x4b, 0x2e, 0x31, 0x3b, 0x0b, 0xec, 0x24,
-+ 0x99, 0x38, 0xbc, 0xaa, 0x05, 0x4c, 0x46, 0x44, 0xfa, 0xad, 0x8e, 0x02,
-+ 0xc1, 0x7e, 0xad, 0xec, 0x54, 0xa6, 0xd0, 0xad
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha512_pr_additionalinput[] = {
-+ 0x3d, 0x6e, 0xa6, 0xa8, 0x29, 0x2a, 0xb2, 0xf5, 0x98, 0x42, 0xe4, 0x92,
-+ 0x78, 0x22, 0x67, 0xfd, 0x1b, 0x15, 0x1e, 0x29, 0xaa, 0x71, 0x3c, 0x3c,
-+ 0xe7, 0x05, 0x20, 0xa9, 0x29, 0xc6, 0x75, 0x71
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha512_pr_entropyinputpr[] = {
-+ 0xab, 0xb9, 0x16, 0xd8, 0x55, 0x35, 0x54, 0xb7, 0x97, 0x3f, 0x94, 0xbc,
-+ 0x2f, 0x7c, 0x70, 0xc7, 0xd0, 0xed, 0xb7, 0x4b, 0xf7, 0xf6, 0x6c, 0x03,
-+ 0x0c, 0xb0, 0x03, 0xd8, 0xbb, 0x71, 0xd9, 0x10
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha512_pr_int_returnedbits[] = {
-+ 0x8e, 0xd3, 0xfd, 0x52, 0x9e, 0x83, 0x08, 0x49, 0x18, 0x6e, 0x23, 0x56,
-+ 0x5c, 0x45, 0x93, 0x34, 0x05, 0xe2, 0x98, 0x8f, 0x0c, 0xd4, 0x32, 0x0c,
-+ 0xfd, 0xda, 0x5f, 0x92, 0x3a, 0x8c, 0x81, 0xbd, 0xf6, 0x6c, 0x55, 0xfd,
-+ 0xb8, 0x20, 0xce, 0x8d, 0x97, 0x27, 0xe8, 0xe8, 0xe0, 0xb3, 0x85, 0x50,
-+ 0xa2, 0xc2, 0xb2, 0x95, 0x1d, 0x48, 0xd3, 0x7b, 0x4b, 0x78, 0x13, 0x35,
-+ 0x05, 0x17, 0xbe, 0x0d
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha512_pr_additionalinput2[] = {
-+ 0xc3, 0xfc, 0x95, 0xaa, 0x69, 0x06, 0xae, 0x59, 0x41, 0xce, 0x26, 0x08,
-+ 0x29, 0x6d, 0x45, 0xda, 0xe8, 0xb3, 0x6c, 0x95, 0x60, 0x0f, 0x70, 0x2c,
-+ 0x10, 0xba, 0x38, 0x8c, 0xcf, 0x29, 0x99, 0xaa
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha512_pr_entropyinputpr2[] = {
-+ 0x3b, 0x9a, 0x25, 0xce, 0xd7, 0xf9, 0x5c, 0xd1, 0x3a, 0x3e, 0xaa, 0x71,
-+ 0x14, 0x3e, 0x19, 0xe8, 0xce, 0xe6, 0xfe, 0x51, 0x84, 0xe9, 0x1b, 0xfe,
-+ 0x3f, 0xa7, 0xf2, 0xfd, 0x76, 0x5f, 0x6a, 0xe7
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha512_pr_returnedbits[] = {
-+ 0xb7, 0x82, 0xa9, 0x57, 0x81, 0x67, 0x53, 0xb5, 0xa1, 0xe9, 0x3d, 0x35,
-+ 0xf9, 0xe4, 0x97, 0xbe, 0xa6, 0xca, 0xf1, 0x01, 0x13, 0x09, 0xe7, 0x21,
-+ 0xc0, 0xed, 0x93, 0x5d, 0x4b, 0xf4, 0xeb, 0x8d, 0x53, 0x25, 0x8a, 0xc4,
-+ 0xb1, 0x6f, 0x6e, 0x37, 0xcd, 0x2e, 0xac, 0x39, 0xb2, 0xb6, 0x99, 0xa3,
-+ 0x82, 0x00, 0xb0, 0x21, 0xf0, 0xc7, 0x2f, 0x4c, 0x73, 0x92, 0xfd, 0x00,
-+ 0xb6, 0xaf, 0xbc, 0xd3
-+};
-+
-+/* HMAC SHA-512 No PR */
-+__fips_constseg static const unsigned char hmac_sha512_entropyinput[] = {
-+ 0x6e, 0x85, 0xe6, 0x25, 0x96, 0x29, 0xa7, 0x52, 0x5b, 0x60, 0xba, 0xaa,
-+ 0xde, 0xdb, 0x36, 0x0a, 0x51, 0x9a, 0x15, 0xae, 0x6e, 0x18, 0xd3, 0xfe,
-+ 0x39, 0xb9, 0x4a, 0x96, 0xf8, 0x77, 0xcb, 0x95
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha512_nonce[] = {
-+ 0xe0, 0xa6, 0x5d, 0x08, 0xc3, 0x7c, 0xae, 0x25, 0x2e, 0x80, 0xd1, 0x3e,
-+ 0xd9, 0xaf, 0x43, 0x3c
-+};
-+
-+__fips_constseg
-+ static const unsigned char hmac_sha512_personalizationstring[] = {
-+ 0x53, 0x99, 0x52, 0x5f, 0x11, 0xa9, 0x64, 0x66, 0x20, 0x5e, 0x1b, 0x5f,
-+ 0x42, 0xb3, 0xf4, 0xda, 0xed, 0xbb, 0x63, 0xc1, 0x23, 0xaf, 0xd0, 0x01,
-+ 0x90, 0x3b, 0xd0, 0x78, 0xe4, 0x0b, 0xa7, 0x20
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha512_additionalinput[] = {
-+ 0x85, 0x90, 0x80, 0xd3, 0x98, 0xf1, 0x53, 0x6d, 0x68, 0x15, 0x8f, 0xe5,
-+ 0x60, 0x3f, 0x17, 0x29, 0x55, 0x8d, 0x33, 0xb1, 0x45, 0x64, 0x64, 0x8d,
-+ 0x50, 0x21, 0x89, 0xae, 0xf6, 0xfd, 0x32, 0x73
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha512_int_returnedbits[] = {
-+ 0x28, 0x56, 0x30, 0x6f, 0xf4, 0xa1, 0x48, 0xe0, 0xc9, 0xf5, 0x75, 0x90,
-+ 0xcc, 0xfb, 0xdf, 0xdf, 0x71, 0x3d, 0x0a, 0x9a, 0x03, 0x65, 0x3b, 0x18,
-+ 0x61, 0xe3, 0xd1, 0xda, 0xcc, 0x4a, 0xfe, 0x55, 0x38, 0xf8, 0x21, 0x6b,
-+ 0xfa, 0x18, 0x01, 0x42, 0x39, 0x2f, 0x99, 0x53, 0x38, 0x15, 0x82, 0x34,
-+ 0xc5, 0x93, 0x92, 0xbc, 0x4d, 0x75, 0x1a, 0x5f, 0x21, 0x27, 0xcc, 0xa1,
-+ 0xb1, 0x57, 0x69, 0xe8
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha512_entropyinputreseed[] = {
-+ 0x8c, 0x52, 0x7e, 0x77, 0x72, 0x3f, 0xa3, 0x04, 0x97, 0x10, 0x9b, 0x41,
-+ 0xbd, 0xe8, 0xff, 0x89, 0xed, 0x80, 0xe3, 0xbd, 0xaa, 0x12, 0x2d, 0xca,
-+ 0x75, 0x82, 0x36, 0x77, 0x88, 0xcd, 0xa6, 0x73
-+};
-+
-+__fips_constseg
-+ static const unsigned char hmac_sha512_additionalinputreseed[] = {
-+ 0x7e, 0x32, 0xe3, 0x69, 0x69, 0x07, 0x34, 0xa2, 0x16, 0xa2, 0x5d, 0x1a,
-+ 0x10, 0x91, 0xd3, 0xe2, 0x21, 0xa2, 0xa3, 0xdd, 0xcd, 0x0c, 0x09, 0x86,
-+ 0x11, 0xe1, 0x50, 0xff, 0x5c, 0xb7, 0xeb, 0x5c
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha512_additionalinput2[] = {
-+ 0x7f, 0x78, 0x66, 0xd8, 0xfb, 0x67, 0xcf, 0x8d, 0x8c, 0x08, 0x30, 0xa5,
-+ 0xf8, 0x7d, 0xcf, 0x44, 0x59, 0xce, 0xf8, 0xdf, 0x58, 0xd3, 0x60, 0xcb,
-+ 0xa8, 0x60, 0xb9, 0x07, 0xc4, 0xb1, 0x95, 0x48
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha512_returnedbits[] = {
-+ 0xdf, 0xa7, 0x36, 0xd4, 0xdc, 0x5d, 0x4d, 0x31, 0xad, 0x69, 0x46, 0x9f,
-+ 0xf1, 0x7c, 0xd7, 0x3b, 0x4f, 0x55, 0xf2, 0xd7, 0xb9, 0x9d, 0xad, 0x7a,
-+ 0x79, 0x08, 0x59, 0xa5, 0xdc, 0x74, 0xf5, 0x9b, 0x73, 0xd2, 0x13, 0x25,
-+ 0x0b, 0x81, 0x08, 0x08, 0x25, 0xfb, 0x39, 0xf2, 0xf0, 0xa3, 0xa4, 0x8d,
-+ 0xef, 0x05, 0x9e, 0xb8, 0xc7, 0x52, 0xe4, 0x0e, 0x42, 0xaa, 0x7c, 0x79,
-+ 0xc2, 0xd6, 0xfd, 0xa5
-+};
-diff -up openssl-1.1.0h/crypto/fips/fips_dsa_selftest.c.fips openssl-1.1.0h/crypto/fips/fips_dsa_selftest.c
---- openssl-1.1.0h/crypto/fips/fips_dsa_selftest.c.fips 2018-03-29 14:44:24.634236830 +0200
-+++ openssl-1.1.0h/crypto/fips/fips_dsa_selftest.c 2018-03-29 14:44:24.634236830 +0200
-@@ -0,0 +1,195 @@
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <string.h>
-+#include <openssl/crypto.h>
-+#include <openssl/dsa.h>
-+#include <openssl/fips.h>
-+#include "internal/fips_int.h"
-+#include <openssl/err.h>
-+#include <openssl/evp.h>
-+#include <openssl/bn.h>
-+#include "fips_locl.h"
-+
-+#ifdef OPENSSL_FIPS
-+
-+static const unsigned char dsa_test_2048_p[] = {
-+ 0xa8, 0x53, 0x78, 0xd8, 0xfd, 0x3f, 0x8d, 0x72, 0xec, 0x74, 0x18, 0x08,
-+ 0x0d, 0xa2, 0x13, 0x17, 0xe4, 0x3e, 0xc4, 0xb6, 0x2b, 0xa8, 0xc8, 0x62,
-+ 0x3b, 0x7e, 0x4d, 0x04, 0x44, 0x1d, 0xd1, 0xa0, 0x65, 0x86, 0x62, 0x59,
-+ 0x64, 0x93, 0xca, 0x8e, 0x9e, 0x8f, 0xbb, 0x7e, 0x34, 0xaa, 0xdd, 0xb6,
-+ 0x2e, 0x5d, 0x67, 0xb6, 0xd0, 0x9a, 0x6e, 0x61, 0xb7, 0x69, 0xe7, 0xc3,
-+ 0x52, 0xaa, 0x2b, 0x10, 0xe2, 0x0c, 0xa0, 0x63, 0x69, 0x63, 0xb5, 0x52,
-+ 0x3e, 0x86, 0x47, 0x0d, 0xec, 0xbb, 0xed, 0xa0, 0x27, 0xe7, 0x97, 0xe7,
-+ 0xb6, 0x76, 0x35, 0xd4, 0xd4, 0x9c, 0x30, 0x70, 0x0e, 0x74, 0xaf, 0x8a,
-+ 0x0f, 0xf1, 0x56, 0xa8, 0x01, 0xaf, 0x57, 0xa2, 0x6e, 0x70, 0x78, 0xf1,
-+ 0xd8, 0x2f, 0x74, 0x90, 0x8e, 0xcb, 0x6d, 0x07, 0xe7, 0x0b, 0x35, 0x03,
-+ 0xee, 0xd9, 0x4f, 0xa3, 0x2c, 0xf1, 0x7a, 0x7f, 0xc3, 0xd6, 0xcf, 0x40,
-+ 0xdc, 0x7b, 0x00, 0x83, 0x0e, 0x6a, 0x25, 0x66, 0xdc, 0x07, 0x3e, 0x34,
-+ 0x33, 0x12, 0x51, 0x7c, 0x6a, 0xa5, 0x15, 0x2b, 0x4b, 0xfe, 0xcd, 0x2e,
-+ 0x55, 0x1f, 0xee, 0x34, 0x63, 0x18, 0xa1, 0x53, 0x42, 0x3c, 0x99, 0x6b,
-+ 0x0d, 0x5d, 0xcb, 0x91, 0x02, 0xae, 0xdd, 0x38, 0x79, 0x86, 0x16, 0xf1,
-+ 0xf1, 0xe0, 0xd6, 0xc4, 0x03, 0x52, 0x5b, 0x1f, 0x9b, 0x3d, 0x4d, 0xc7,
-+ 0x66, 0xde, 0x2d, 0xfc, 0x4a, 0x56, 0xd7, 0xb8, 0xba, 0x59, 0x63, 0xd6,
-+ 0x0f, 0x3e, 0x16, 0x31, 0x88, 0x70, 0xad, 0x43, 0x69, 0x52, 0xe5, 0x57,
-+ 0x65, 0x37, 0x4e, 0xab, 0x85, 0xe8, 0xec, 0x17, 0xd6, 0xb9, 0xa4, 0x54,
-+ 0x7b, 0x9b, 0x5f, 0x27, 0x52, 0xf3, 0x10, 0x5b, 0xe8, 0x09, 0xb2, 0x3a,
-+ 0x2c, 0x8d, 0x74, 0x69, 0xdb, 0x02, 0xe2, 0x4d, 0x59, 0x23, 0x94, 0xa7,
-+ 0xdb, 0xa0, 0x69, 0xe9
-+};
-+
-+static const unsigned char dsa_test_2048_q[] = {
-+ 0xd2, 0x77, 0x04, 0x4e, 0x50, 0xf5, 0xa4, 0xe3, 0xf5, 0x10, 0xa5, 0x0a,
-+ 0x0b, 0x84, 0xfd, 0xff, 0xbc, 0xa0, 0x47, 0xed, 0x27, 0x60, 0x20, 0x56,
-+ 0x74, 0x41, 0xa0, 0xa5
-+};
-+
-+static const unsigned char dsa_test_2048_g[] = {
-+ 0x13, 0xd7, 0x54, 0xe2, 0x1f, 0xd2, 0x41, 0x65, 0x5d, 0xa8, 0x91, 0xc5,
-+ 0x22, 0xa6, 0x5a, 0x72, 0xa8, 0x9b, 0xdc, 0x64, 0xec, 0x9b, 0x54, 0xa8,
-+ 0x21, 0xed, 0x4a, 0x89, 0x8b, 0x49, 0x0e, 0x0c, 0x4f, 0xcb, 0x72, 0x19,
-+ 0x2a, 0x4a, 0x20, 0xf5, 0x41, 0xf3, 0xf2, 0x92, 0x53, 0x99, 0xf0, 0xba,
-+ 0xec, 0xf9, 0x29, 0xaa, 0xfb, 0xf7, 0x9d, 0xfe, 0x43, 0x32, 0x39, 0x3b,
-+ 0x32, 0xcd, 0x2e, 0x2f, 0xcf, 0x27, 0x2f, 0x32, 0xa6, 0x27, 0x43, 0x4a,
-+ 0x0d, 0xf2, 0x42, 0xb7, 0x5b, 0x41, 0x4d, 0xf3, 0x72, 0x12, 0x1e, 0x53,
-+ 0xa5, 0x53, 0xf2, 0x22, 0xf8, 0x36, 0xb0, 0x00, 0xf0, 0x16, 0x48, 0x5b,
-+ 0x6b, 0xd0, 0x89, 0x84, 0x51, 0x80, 0x1d, 0xcd, 0x8d, 0xe6, 0x4c, 0xd5,
-+ 0x36, 0x56, 0x96, 0xff, 0xc5, 0x32, 0xd5, 0x28, 0xc5, 0x06, 0x62, 0x0a,
-+ 0x94, 0x2a, 0x03, 0x05, 0x04, 0x6d, 0x8f, 0x18, 0x76, 0x34, 0x1f, 0x1e,
-+ 0x57, 0x0b, 0xc3, 0x97, 0x4b, 0xa6, 0xb9, 0xa4, 0x38, 0xe9, 0x70, 0x23,
-+ 0x02, 0xa2, 0xe6, 0xe6, 0x7b, 0xfd, 0x06, 0xd3, 0x2b, 0xc6, 0x79, 0x96,
-+ 0x22, 0x71, 0xd7, 0xb4, 0x0c, 0xd7, 0x2f, 0x38, 0x6e, 0x64, 0xe0, 0xd7,
-+ 0xef, 0x86, 0xca, 0x8c, 0xa5, 0xd1, 0x42, 0x28, 0xdc, 0x2a, 0x4f, 0x16,
-+ 0xe3, 0x18, 0x98, 0x86, 0xb5, 0x99, 0x06, 0x74, 0xf4, 0x20, 0x0f, 0x3a,
-+ 0x4c, 0xf6, 0x5a, 0x3f, 0x0d, 0xdb, 0xa1, 0xfa, 0x67, 0x2d, 0xff, 0x2f,
-+ 0x5e, 0x14, 0x3d, 0x10, 0xe4, 0xe9, 0x7a, 0xe8, 0x4f, 0x6d, 0xa0, 0x95,
-+ 0x35, 0xd5, 0xb9, 0xdf, 0x25, 0x91, 0x81, 0xa7, 0x9b, 0x63, 0xb0, 0x69,
-+ 0xe9, 0x49, 0x97, 0x2b, 0x02, 0xba, 0x36, 0xb3, 0x58, 0x6a, 0xab, 0x7e,
-+ 0x45, 0xf3, 0x22, 0xf8, 0x2e, 0x4e, 0x85, 0xca, 0x3a, 0xb8, 0x55, 0x91,
-+ 0xb3, 0xc2, 0xa9, 0x66
-+};
-+
-+static const unsigned char dsa_test_2048_pub_key[] = {
-+ 0x24, 0x52, 0xf3, 0xcc, 0xbe, 0x9e, 0xd5, 0xca, 0x7d, 0xc7, 0x4c, 0x60,
-+ 0x2b, 0x99, 0x22, 0x6e, 0x8f, 0x2f, 0xab, 0x38, 0xe7, 0xd7, 0xdd, 0xfb,
-+ 0x75, 0x53, 0x9b, 0x17, 0x15, 0x5e, 0x9f, 0xcf, 0xd1, 0xab, 0xa5, 0x64,
-+ 0xeb, 0x85, 0x35, 0xd8, 0x12, 0xc9, 0xc2, 0xdc, 0xf9, 0x72, 0x84, 0x44,
-+ 0x1b, 0xc4, 0x82, 0x24, 0x36, 0x24, 0xc7, 0xf4, 0x57, 0x58, 0x0c, 0x1c,
-+ 0x38, 0xa5, 0x7c, 0x46, 0xc4, 0x57, 0x39, 0x24, 0x70, 0xed, 0xb5, 0x2c,
-+ 0xb5, 0xa6, 0xe0, 0x3f, 0xe6, 0x28, 0x7b, 0xb6, 0xf4, 0x9a, 0x42, 0xa2,
-+ 0x06, 0x5a, 0x05, 0x4f, 0x03, 0x08, 0x39, 0xdf, 0x1f, 0xd3, 0x14, 0x9c,
-+ 0x4c, 0xa0, 0x53, 0x1d, 0xd8, 0xca, 0x8a, 0xaa, 0x9c, 0xc7, 0x33, 0x71,
-+ 0x93, 0x38, 0x73, 0x48, 0x33, 0x61, 0x18, 0x22, 0x45, 0x45, 0xe8, 0x8c,
-+ 0x80, 0xff, 0xd8, 0x76, 0x5d, 0x74, 0x36, 0x03, 0x33, 0xcc, 0xab, 0x99,
-+ 0x72, 0x77, 0x9b, 0x65, 0x25, 0xa6, 0x5b, 0xdd, 0x0d, 0x10, 0xc6, 0x75,
-+ 0xc1, 0x09, 0xbb, 0xd3, 0xe5, 0xbe, 0x4d, 0x72, 0xef, 0x6e, 0xba, 0x6e,
-+ 0x43, 0x8d, 0x52, 0x26, 0x23, 0x7d, 0xb8, 0x88, 0x37, 0x9c, 0x5f, 0xcc,
-+ 0x47, 0xa3, 0x84, 0x7f, 0xf6, 0x37, 0x11, 0xba, 0xed, 0x6d, 0x03, 0xaf,
-+ 0xe8, 0x1e, 0x69, 0x4a, 0x41, 0x3b, 0x68, 0x0b, 0xd3, 0x8a, 0xb4, 0x90,
-+ 0x3f, 0x83, 0x70, 0xa7, 0x07, 0xef, 0x55, 0x1d, 0x49, 0x41, 0x02, 0x6d,
-+ 0x95, 0x79, 0xd6, 0x91, 0xde, 0x8e, 0xda, 0xa1, 0x61, 0x05, 0xeb, 0x9d,
-+ 0xba, 0x3c, 0x2f, 0x4c, 0x1b, 0xec, 0x50, 0x82, 0x75, 0xaa, 0x02, 0x07,
-+ 0xe2, 0x51, 0xb5, 0xec, 0xcb, 0x28, 0x6a, 0x4b, 0x01, 0xd4, 0x49, 0xd3,
-+ 0x0a, 0xcb, 0x67, 0x37, 0x17, 0xa0, 0xd2, 0xfb, 0x3b, 0x50, 0xc8, 0x93,
-+ 0xf7, 0xda, 0xb1, 0x4f
-+};
-+
-+static const unsigned char dsa_test_2048_priv_key[] = {
-+ 0x0c, 0x4b, 0x30, 0x89, 0xd1, 0xb8, 0x62, 0xcb, 0x3c, 0x43, 0x64, 0x91,
-+ 0xf0, 0x91, 0x54, 0x70, 0xc5, 0x27, 0x96, 0xe3, 0xac, 0xbe, 0xe8, 0x00,
-+ 0xec, 0x55, 0xf6, 0xcc
-+};
-+
-+int FIPS_selftest_dsa()
-+{
-+ DSA *dsa = NULL;
-+ EVP_PKEY *pk = NULL;
-+ int ret = -1;
-+ BIGNUM *p = NULL, *q = NULL, *g = NULL, *pub_key = NULL, *priv_key = NULL;
-+
-+ fips_load_key_component(p, dsa_test_2048);
-+ fips_load_key_component(q, dsa_test_2048);
-+ fips_load_key_component(g, dsa_test_2048);
-+ fips_load_key_component(pub_key, dsa_test_2048);
-+ fips_load_key_component(priv_key, dsa_test_2048);
-+
-+ dsa = DSA_new();
-+
-+ if (dsa == NULL)
-+ goto err;
-+
-+ DSA_set0_pqg(dsa, p, q, g);
-+
-+ DSA_set0_key(dsa, pub_key, priv_key);
-+
-+ if ((pk = EVP_PKEY_new()) == NULL)
-+ goto err;
-+
-+ EVP_PKEY_assign_DSA(pk, dsa);
-+
-+ if (!fips_pkey_signature_test(pk, NULL, 0,
-+ NULL, 0, EVP_sha256(), 0, "DSA SHA256"))
-+ goto err;
-+ ret = 1;
-+
-+ err:
-+ if (pk)
-+ EVP_PKEY_free(pk);
-+ else if (dsa)
-+ DSA_free(dsa);
-+ else {
-+ BN_free(p);
-+ BN_free(q);
-+ BN_free(g);
-+ BN_free(pub_key);
-+ BN_free(priv_key);
-+ }
-+ return ret;
-+}
-+#endif
-diff -up openssl-1.1.0h/crypto/fips/fips_ecdh_selftest.c.fips openssl-1.1.0h/crypto/fips/fips_ecdh_selftest.c
---- openssl-1.1.0h/crypto/fips/fips_ecdh_selftest.c.fips 2018-03-29 14:44:24.635236854 +0200
-+++ openssl-1.1.0h/crypto/fips/fips_ecdh_selftest.c 2018-03-29 14:44:24.635236854 +0200
-@@ -0,0 +1,242 @@
-+/* fips/ecdh/fips_ecdh_selftest.c */
-+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
-+ * project 2011.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ *
-+ */
-+
-+#define OPENSSL_FIPSAPI
-+
-+#include <string.h>
-+#include <openssl/crypto.h>
-+#include <openssl/ec.h>
-+#include <openssl/ecdh.h>
-+#include <openssl/fips.h>
-+#include <openssl/err.h>
-+#include <openssl/evp.h>
-+#include <openssl/bn.h>
-+
-+#ifdef OPENSSL_FIPS
-+
-+# include "fips_locl.h"
-+
-+static const unsigned char p256_qcavsx[] = {
-+ 0x52, 0xc6, 0xa5, 0x75, 0xf3, 0x04, 0x98, 0xb3, 0x29, 0x66, 0x0c, 0x62,
-+ 0x18, 0x60, 0x55, 0x41, 0x59, 0xd4, 0x60, 0x85, 0x99, 0xc1, 0x51, 0x13,
-+ 0x6f, 0x97, 0x85, 0x93, 0x33, 0x34, 0x07, 0x50
-+};
-+
-+static const unsigned char p256_qcavsy[] = {
-+ 0x6f, 0x69, 0x24, 0xeb, 0xe9, 0x3b, 0xa7, 0xcc, 0x47, 0x17, 0xaa, 0x3f,
-+ 0x70, 0xfc, 0x10, 0x73, 0x0a, 0xcd, 0x21, 0xee, 0x29, 0x19, 0x1f, 0xaf,
-+ 0xb4, 0x1c, 0x1e, 0xc2, 0x8e, 0x97, 0x81, 0x6e
-+};
-+
-+static const unsigned char p256_qiutx[] = {
-+ 0x71, 0x46, 0x88, 0x08, 0x92, 0x21, 0x1b, 0x10, 0x21, 0x74, 0xff, 0x0c,
-+ 0x94, 0xde, 0x34, 0x7c, 0x86, 0x74, 0xbe, 0x67, 0x41, 0x68, 0xd4, 0xc1,
-+ 0xe5, 0x75, 0x63, 0x9c, 0xa7, 0x46, 0x93, 0x6f
-+};
-+
-+static const unsigned char p256_qiuty[] = {
-+ 0x33, 0x40, 0xa9, 0x6a, 0xf5, 0x20, 0xb5, 0x9e, 0xfc, 0x60, 0x1a, 0xae,
-+ 0x3d, 0xf8, 0x21, 0xd2, 0xa7, 0xca, 0x52, 0x34, 0xb9, 0x5f, 0x27, 0x75,
-+ 0x6c, 0x81, 0xbe, 0x32, 0x4d, 0xba, 0xbb, 0xf8
-+};
-+
-+static const unsigned char p256_qiutd[] = {
-+ 0x1a, 0x48, 0x55, 0x6b, 0x11, 0xbe, 0x92, 0xd4, 0x1c, 0xd7, 0x45, 0xc3,
-+ 0x82, 0x81, 0x51, 0xf1, 0x23, 0x40, 0xb7, 0x83, 0xfd, 0x01, 0x6d, 0xbc,
-+ 0xa1, 0x66, 0xaf, 0x0a, 0x03, 0x23, 0xcd, 0xc8
-+};
-+
-+static const unsigned char p256_ziut[] = {
-+ 0x77, 0x2a, 0x1e, 0x37, 0xee, 0xe6, 0x51, 0x02, 0x71, 0x40, 0xf8, 0x6a,
-+ 0x36, 0xf8, 0x65, 0x61, 0x2b, 0x18, 0x71, 0x82, 0x23, 0xe6, 0xf2, 0x77,
-+ 0xce, 0xec, 0xb8, 0x49, 0xc7, 0xbf, 0x36, 0x4f
-+};
-+
-+typedef struct {
-+ int curve;
-+ const unsigned char *x1;
-+ size_t x1len;
-+ const unsigned char *y1;
-+ size_t y1len;
-+ const unsigned char *d1;
-+ size_t d1len;
-+ const unsigned char *x2;
-+ size_t x2len;
-+ const unsigned char *y2;
-+ size_t y2len;
-+ const unsigned char *z;
-+ size_t zlen;
-+} ECDH_SELFTEST_DATA;
-+
-+# define make_ecdh_test(nid, pr) { nid, \
-+ pr##_qiutx, sizeof(pr##_qiutx), \
-+ pr##_qiuty, sizeof(pr##_qiuty), \
-+ pr##_qiutd, sizeof(pr##_qiutd), \
-+ pr##_qcavsx, sizeof(pr##_qcavsx), \
-+ pr##_qcavsy, sizeof(pr##_qcavsy), \
-+ pr##_ziut, sizeof(pr##_ziut) }
-+
-+static ECDH_SELFTEST_DATA test_ecdh_data[] = {
-+ make_ecdh_test(NID_X9_62_prime256v1, p256),
-+};
-+
-+int FIPS_selftest_ecdh(void)
-+{
-+ EC_KEY *ec1 = NULL, *ec2 = NULL;
-+ const EC_POINT *ecp = NULL;
-+ BIGNUM *x = NULL, *y = NULL, *d = NULL;
-+ unsigned char *ztmp = NULL;
-+ int rv = 1;
-+ size_t i;
-+
-+ for (i = 0; i < sizeof(test_ecdh_data) / sizeof(ECDH_SELFTEST_DATA); i++) {
-+ ECDH_SELFTEST_DATA *ecd = test_ecdh_data + i;
-+ if (!fips_post_started(FIPS_TEST_ECDH, ecd->curve, 0))
-+ continue;
-+ ztmp = OPENSSL_malloc(ecd->zlen);
-+
-+ x = BN_bin2bn(ecd->x1, ecd->x1len, x);
-+ y = BN_bin2bn(ecd->y1, ecd->y1len, y);
-+ d = BN_bin2bn(ecd->d1, ecd->d1len, d);
-+
-+ if (!x || !y || !d || !ztmp) {
-+ rv = -1;
-+ goto err;
-+ }
-+
-+ ec1 = EC_KEY_new_by_curve_name(ecd->curve);
-+ if (!ec1) {
-+ rv = -1;
-+ goto err;
-+ }
-+ EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH);
-+
-+ if (!EC_KEY_set_public_key_affine_coordinates(ec1, x, y)) {
-+ rv = -1;
-+ goto err;
-+ }
-+
-+ if (!EC_KEY_set_private_key(ec1, d)) {
-+ rv = -1;
-+ goto err;
-+ }
-+
-+ x = BN_bin2bn(ecd->x2, ecd->x2len, x);
-+ y = BN_bin2bn(ecd->y2, ecd->y2len, y);
-+
-+ if (!x || !y) {
-+ rv = -1;
-+ goto err;
-+ }
-+
-+ ec2 = EC_KEY_new_by_curve_name(ecd->curve);
-+ if (!ec2) {
-+ rv = -1;
-+ goto err;
-+ }
-+ EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH);
-+
-+ if (!EC_KEY_set_public_key_affine_coordinates(ec2, x, y)) {
-+ rv = -1;
-+ goto err;
-+ }
-+
-+ ecp = EC_KEY_get0_public_key(ec2);
-+ if (!ecp) {
-+ rv = -1;
-+ goto err;
-+ }
-+
-+ if (!ECDH_compute_key(ztmp, ecd->zlen, ecp, ec1, 0)) {
-+ rv = -1;
-+ goto err;
-+ }
-+
-+ if (!fips_post_corrupt(FIPS_TEST_ECDH, ecd->curve, NULL))
-+ ztmp[0] ^= 0x1;
-+
-+ if (memcmp(ztmp, ecd->z, ecd->zlen)) {
-+ fips_post_failed(FIPS_TEST_ECDH, ecd->curve, 0);
-+ rv = 0;
-+ } else if (!fips_post_success(FIPS_TEST_ECDH, ecd->curve, 0))
-+ goto err;
-+
-+ EC_KEY_free(ec1);
-+ ec1 = NULL;
-+ EC_KEY_free(ec2);
-+ ec2 = NULL;
-+ OPENSSL_free(ztmp);
-+ ztmp = NULL;
-+ }
-+
-+ err:
-+
-+ if (x)
-+ BN_clear_free(x);
-+ if (y)
-+ BN_clear_free(y);
-+ if (d)
-+ BN_clear_free(d);
-+ if (ec1)
-+ EC_KEY_free(ec1);
-+ if (ec2)
-+ EC_KEY_free(ec2);
-+ if (ztmp)
-+ OPENSSL_free(ztmp);
-+
-+ return rv;
-+
-+}
-+
-+#endif
-diff -up openssl-1.1.0h/crypto/fips/fips_ecdsa_selftest.c.fips openssl-1.1.0h/crypto/fips/fips_ecdsa_selftest.c
---- openssl-1.1.0h/crypto/fips/fips_ecdsa_selftest.c.fips 2018-03-29 14:44:24.635236854 +0200
-+++ openssl-1.1.0h/crypto/fips/fips_ecdsa_selftest.c 2018-03-29 14:44:24.635236854 +0200
-@@ -0,0 +1,166 @@
-+/* fips/ecdsa/fips_ecdsa_selftest.c */
-+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
-+ * project 2011.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ *
-+ */
-+
-+#define OPENSSL_FIPSAPI
-+
-+#include <string.h>
-+#include <openssl/crypto.h>
-+#include <openssl/ec.h>
-+#include <openssl/ecdsa.h>
-+#include <openssl/fips.h>
-+#include "internal/fips_int.h"
-+#include <openssl/err.h>
-+#include <openssl/evp.h>
-+#include <openssl/bn.h>
-+
-+#ifdef OPENSSL_FIPS
-+
-+static const char P_256_name[] = "ECDSA P-256";
-+
-+static const unsigned char P_256_d[] = {
-+ 0x51, 0xbd, 0x06, 0xa1, 0x1c, 0xda, 0xe2, 0x12, 0x99, 0xc9, 0x52, 0x3f,
-+ 0xea, 0xa4, 0xd2, 0xd1, 0xf4, 0x7f, 0xd4, 0x3e, 0xbd, 0xf8, 0xfc, 0x87,
-+ 0xdc, 0x82, 0x53, 0x21, 0xee, 0xa0, 0xdc, 0x64
-+};
-+
-+static const unsigned char P_256_qx[] = {
-+ 0x23, 0x89, 0xe0, 0xf4, 0x69, 0xe0, 0x49, 0xe5, 0xc7, 0xe5, 0x40, 0x6e,
-+ 0x8f, 0x25, 0xdd, 0xad, 0x11, 0x16, 0x14, 0x9b, 0xab, 0x44, 0x06, 0x31,
-+ 0xbf, 0x5e, 0xa6, 0x44, 0xac, 0x86, 0x00, 0x07
-+};
-+
-+static const unsigned char P_256_qy[] = {
-+ 0xb3, 0x05, 0x0d, 0xd0, 0xdc, 0xf7, 0x40, 0xe6, 0xf9, 0xd8, 0x6d, 0x7b,
-+ 0x63, 0xca, 0x97, 0xe6, 0x12, 0xf9, 0xd4, 0x18, 0x59, 0xbe, 0xb2, 0x5e,
-+ 0x4a, 0x6a, 0x77, 0x23, 0xf4, 0x11, 0x9d, 0xeb
-+};
-+
-+typedef struct {
-+ int curve;
-+ const char *name;
-+ const unsigned char *x;
-+ size_t xlen;
-+ const unsigned char *y;
-+ size_t ylen;
-+ const unsigned char *d;
-+ size_t dlen;
-+} EC_SELFTEST_DATA;
-+
-+# define make_ecdsa_test(nid, pr) { nid, pr##_name, \
-+ pr##_qx, sizeof(pr##_qx), \
-+ pr##_qy, sizeof(pr##_qy), \
-+ pr##_d, sizeof(pr##_d)}
-+
-+static EC_SELFTEST_DATA test_ec_data[] = {
-+ make_ecdsa_test(NID_X9_62_prime256v1, P_256),
-+};
-+
-+int FIPS_selftest_ecdsa()
-+{
-+ EC_KEY *ec = NULL;
-+ BIGNUM *x = NULL, *y = NULL, *d = NULL;
-+ EVP_PKEY *pk = NULL;
-+ int rv = 0;
-+ size_t i;
-+
-+ for (i = 0; i < sizeof(test_ec_data) / sizeof(EC_SELFTEST_DATA); i++) {
-+ EC_SELFTEST_DATA *ecd = test_ec_data + i;
-+
-+ x = BN_bin2bn(ecd->x, ecd->xlen, x);
-+ y = BN_bin2bn(ecd->y, ecd->ylen, y);
-+ d = BN_bin2bn(ecd->d, ecd->dlen, d);
-+
-+ if (!x || !y || !d)
-+ goto err;
-+
-+ ec = EC_KEY_new_by_curve_name(ecd->curve);
-+ if (!ec)
-+ goto err;
-+
-+ if (!EC_KEY_set_public_key_affine_coordinates(ec, x, y))
-+ goto err;
-+
-+ if (!EC_KEY_set_private_key(ec, d))
-+ goto err;
-+
-+ if ((pk = EVP_PKEY_new()) == NULL)
-+ goto err;
-+
-+ EVP_PKEY_assign_EC_KEY(pk, ec);
-+
-+ if (!fips_pkey_signature_test(pk, NULL, 0,
-+ NULL, 0, EVP_sha256(), 0, ecd->name))
-+ goto err;
-+ }
-+
-+ rv = 1;
-+
-+ err:
-+
-+ if (x)
-+ BN_clear_free(x);
-+ if (y)
-+ BN_clear_free(y);
-+ if (d)
-+ BN_clear_free(d);
-+ if (pk)
-+ EVP_PKEY_free(pk);
-+ else if (ec)
-+ EC_KEY_free(ec);
-+
-+ return rv;
-+
-+}
-+
-+#endif
-diff -up openssl-1.1.0h/crypto/fips/fips_enc.c.fips openssl-1.1.0h/crypto/fips/fips_enc.c
---- openssl-1.1.0h/crypto/fips/fips_enc.c.fips 2018-03-29 14:44:24.635236854 +0200
-+++ openssl-1.1.0h/crypto/fips/fips_enc.c 2018-03-29 14:44:24.635236854 +0200
-@@ -0,0 +1,189 @@
-+/* fipe/evp/fips_enc.c */
-+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
-+ * All rights reserved.
-+ *
-+ * This package is an SSL implementation written
-+ * by Eric Young (eay@cryptsoft.com).
-+ * The implementation was written so as to conform with Netscapes SSL.
-+ *
-+ * This library is free for commercial and non-commercial use as long as
-+ * the following conditions are aheared to. The following conditions
-+ * apply to all code found in this distribution, be it the RC4, RSA,
-+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
-+ * included with this distribution is covered by the same copyright terms
-+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
-+ *
-+ * Copyright remains Eric Young's, and as such any Copyright notices in
-+ * the code are not to be removed.
-+ * If this package is used in a product, Eric Young should be given attribution
-+ * as the author of the parts of the library used.
-+ * This can be in the form of a textual message at program startup or
-+ * in documentation (online or textual) provided with the package.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ * 1. Redistributions of source code must retain the copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in the
-+ * documentation and/or other materials provided with the distribution.
-+ * 3. All advertising materials mentioning features or use of this software
-+ * must display the following acknowledgement:
-+ * "This product includes cryptographic software written by
-+ * Eric Young (eay@cryptsoft.com)"
-+ * The word 'cryptographic' can be left out if the rouines from the library
-+ * being used are not cryptographic related :-).
-+ * 4. If you include any Windows specific code (or a derivative thereof) from
-+ * the apps directory (application code) you must include an acknowledgement:
-+ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
-+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-+ * SUCH DAMAGE.
-+ *
-+ * The licence and distribution terms for any publically available version or
-+ * derivative of this code cannot be changed. i.e. this code cannot simply be
-+ * copied and put under another distribution licence
-+ * [including the GNU Public Licence.]
-+ */
-+
-+#include <stdio.h>
-+#include <string.h>
-+#include <openssl/evp.h>
-+#include <openssl/err.h>
-+#include <openssl/fips.h>
-+
-+const EVP_CIPHER *FIPS_get_cipherbynid(int nid)
-+{
-+ switch (nid) {
-+ case NID_aes_128_cbc:
-+ return EVP_aes_128_cbc();
-+
-+ case NID_aes_128_ccm:
-+ return EVP_aes_128_ccm();
-+
-+ case NID_aes_128_cfb1:
-+ return EVP_aes_128_cfb1();
-+
-+ case NID_aes_128_cfb128:
-+ return EVP_aes_128_cfb128();
-+
-+ case NID_aes_128_cfb8:
-+ return EVP_aes_128_cfb8();
-+
-+ case NID_aes_128_ctr:
-+ return EVP_aes_128_ctr();
-+
-+ case NID_aes_128_ecb:
-+ return EVP_aes_128_ecb();
-+
-+ case NID_aes_128_gcm:
-+ return EVP_aes_128_gcm();
-+
-+ case NID_aes_128_ofb128:
-+ return EVP_aes_128_ofb();
-+
-+ case NID_aes_128_xts:
-+ return EVP_aes_128_xts();
-+
-+ case NID_aes_192_cbc:
-+ return EVP_aes_192_cbc();
-+
-+ case NID_aes_192_ccm:
-+ return EVP_aes_192_ccm();
-+
-+ case NID_aes_192_cfb1:
-+ return EVP_aes_192_cfb1();
-+
-+ case NID_aes_192_cfb128:
-+ return EVP_aes_192_cfb128();
-+
-+ case NID_aes_192_cfb8:
-+ return EVP_aes_192_cfb8();
-+
-+ case NID_aes_192_ctr:
-+ return EVP_aes_192_ctr();
-+
-+ case NID_aes_192_ecb:
-+ return EVP_aes_192_ecb();
-+
-+ case NID_aes_192_gcm:
-+ return EVP_aes_192_gcm();
-+
-+ case NID_aes_192_ofb128:
-+ return EVP_aes_192_ofb();
-+
-+ case NID_aes_256_cbc:
-+ return EVP_aes_256_cbc();
-+
-+ case NID_aes_256_ccm:
-+ return EVP_aes_256_ccm();
-+
-+ case NID_aes_256_cfb1:
-+ return EVP_aes_256_cfb1();
-+
-+ case NID_aes_256_cfb128:
-+ return EVP_aes_256_cfb128();
-+
-+ case NID_aes_256_cfb8:
-+ return EVP_aes_256_cfb8();
-+
-+ case NID_aes_256_ctr:
-+ return EVP_aes_256_ctr();
-+
-+ case NID_aes_256_ecb:
-+ return EVP_aes_256_ecb();
-+
-+ case NID_aes_256_gcm:
-+ return EVP_aes_256_gcm();
-+
-+ case NID_aes_256_ofb128:
-+ return EVP_aes_256_ofb();
-+
-+ case NID_aes_256_xts:
-+ return EVP_aes_256_xts();
-+
-+ case NID_des_ede_ecb:
-+ return EVP_des_ede();
-+
-+ case NID_des_ede3_ecb:
-+ return EVP_des_ede3();
-+
-+ case NID_des_ede3_cbc:
-+ return EVP_des_ede3_cbc();
-+
-+ case NID_des_ede3_cfb1:
-+ return EVP_des_ede3_cfb1();
-+
-+ case NID_des_ede3_cfb64:
-+ return EVP_des_ede3_cfb64();
-+
-+ case NID_des_ede3_cfb8:
-+ return EVP_des_ede3_cfb8();
-+
-+ case NID_des_ede3_ofb64:
-+ return EVP_des_ede3_ofb();
-+
-+ case NID_des_ede_cbc:
-+ return EVP_des_ede_cbc();
-+
-+ case NID_des_ede_cfb64:
-+ return EVP_des_ede_cfb64();
-+
-+ case NID_des_ede_ofb64:
-+ return EVP_des_ede_ofb();
-+
-+ default:
-+ return NULL;
-+
-+ }
-+}
-diff -up openssl-1.1.0h/crypto/fips/fips_err.h.fips openssl-1.1.0h/crypto/fips/fips_err.h
---- openssl-1.1.0h/crypto/fips/fips_err.h.fips 2018-03-29 14:44:24.635236854 +0200
-+++ openssl-1.1.0h/crypto/fips/fips_err.h 2018-03-29 14:44:24.635236854 +0200
-@@ -0,0 +1,196 @@
-+/* crypto/fips_err.h */
-+/* ====================================================================
-+ * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ *
-+ * This product includes cryptographic software written by Eric Young
-+ * (eay@cryptsoft.com). This product includes software written by Tim
-+ * Hudson (tjh@cryptsoft.com).
-+ *
-+ */
-+
-+/*
-+ * NOTE: this file was auto generated by the mkerr.pl script: any changes
-+ * made to it will be overwritten when the script next updates this file,
-+ * only reason strings will be preserved.
-+ */
-+
-+#include <stdio.h>
-+#include <openssl/err.h>
-+#include <openssl/fips.h>
-+
-+/* BEGIN ERROR CODES */
-+#ifndef OPENSSL_NO_ERR
-+
-+# define ERR_FUNC(func) ERR_PACK(ERR_LIB_FIPS,func,0)
-+# define ERR_REASON(reason) ERR_PACK(ERR_LIB_FIPS,0,reason)
-+
-+static ERR_STRING_DATA FIPS_str_functs[] = {
-+ {ERR_FUNC(FIPS_F_DH_BUILTIN_GENPARAMS), "dh_builtin_genparams"},
-+ {ERR_FUNC(FIPS_F_DRBG_RESEED), "drbg_reseed"},
-+ {ERR_FUNC(FIPS_F_DSA_BUILTIN_PARAMGEN2), "dsa_builtin_paramgen2"},
-+ {ERR_FUNC(FIPS_F_DSA_DO_SIGN), "DSA_do_sign"},
-+ {ERR_FUNC(FIPS_F_DSA_DO_VERIFY), "DSA_do_verify"},
-+ {ERR_FUNC(FIPS_F_ECDH_COMPUTE_KEY), "ECDH_compute_key"},
-+ {ERR_FUNC(FIPS_F_EVP_CIPHER_CTX_NEW), "EVP_CIPHER_CTX_new"},
-+ {ERR_FUNC(FIPS_F_EVP_CIPHER_CTX_RESET), "EVP_CIPHER_CTX_reset"},
-+ {ERR_FUNC(FIPS_F_FIPS_CHECK_DSA), "fips_check_dsa"},
-+ {ERR_FUNC(FIPS_F_FIPS_CHECK_EC), "fips_check_ec"},
-+ {ERR_FUNC(FIPS_F_FIPS_CHECK_RSA), "fips_check_rsa"},
-+ {ERR_FUNC(FIPS_F_FIPS_DRBG_BYTES), "fips_drbg_bytes"},
-+ {ERR_FUNC(FIPS_F_FIPS_DRBG_CHECK), "fips_drbg_check"},
-+ {ERR_FUNC(FIPS_F_FIPS_DRBG_CPRNG_TEST), "fips_drbg_cprng_test"},
-+ {ERR_FUNC(FIPS_F_FIPS_DRBG_ERROR_CHECK), "fips_drbg_error_check"},
-+ {ERR_FUNC(FIPS_F_FIPS_DRBG_GENERATE), "FIPS_drbg_generate"},
-+ {ERR_FUNC(FIPS_F_FIPS_DRBG_INIT), "FIPS_drbg_init"},
-+ {ERR_FUNC(FIPS_F_FIPS_DRBG_INSTANTIATE), "FIPS_drbg_instantiate"},
-+ {ERR_FUNC(FIPS_F_FIPS_DRBG_NEW), "FIPS_drbg_new"},
-+ {ERR_FUNC(FIPS_F_FIPS_DRBG_RESEED), "FIPS_drbg_reseed"},
-+ {ERR_FUNC(FIPS_F_FIPS_DRBG_SINGLE_KAT), "FIPS_DRBG_SINGLE_KAT"},
-+ {ERR_FUNC(FIPS_F_FIPS_GET_ENTROPY), "fips_get_entropy"},
-+ {ERR_FUNC(FIPS_F_FIPS_MODULE_MODE_SET), "FIPS_module_mode_set"},
-+ {ERR_FUNC(FIPS_F_FIPS_PKEY_SIGNATURE_TEST), "fips_pkey_signature_test"},
-+ {ERR_FUNC(FIPS_F_FIPS_RAND_BYTES), "FIPS_rand_bytes"},
-+ {ERR_FUNC(FIPS_F_FIPS_RAND_SEED), "FIPS_rand_seed"},
-+ {ERR_FUNC(FIPS_F_FIPS_RAND_SET_METHOD), "FIPS_rand_set_method"},
-+ {ERR_FUNC(FIPS_F_FIPS_RAND_STATUS), "FIPS_rand_status"},
-+ {ERR_FUNC(FIPS_F_FIPS_RSA_BUILTIN_KEYGEN), "fips_rsa_builtin_keygen"},
-+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES), "FIPS_selftest_aes"},
-+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES_CCM), "FIPS_selftest_aes_ccm"},
-+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES_GCM), "FIPS_selftest_aes_gcm"},
-+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES_XTS), "FIPS_selftest_aes_xts"},
-+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_CMAC), "FIPS_selftest_cmac"},
-+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_DES), "FIPS_selftest_des"},
-+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_DSA), "FIPS_selftest_dsa"},
-+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_ECDSA), "FIPS_selftest_ecdsa"},
-+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_HMAC), "FIPS_selftest_hmac"},
-+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA1), "FIPS_selftest_sha1"},
-+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA2), "FIPS_selftest_sha2"},
-+ {ERR_FUNC(FIPS_F_OSSL_ECDSA_SIGN_SIG), "ossl_ecdsa_sign_sig"},
-+ {ERR_FUNC(FIPS_F_OSSL_ECDSA_VERIFY_SIG), "ossl_ecdsa_verify_sig"},
-+ {ERR_FUNC(FIPS_F_RSA_BUILTIN_KEYGEN), "rsa_builtin_keygen"},
-+ {ERR_FUNC(FIPS_F_RSA_OSSL_INIT), "rsa_ossl_init"},
-+ {ERR_FUNC(FIPS_F_RSA_OSSL_PRIVATE_DECRYPT), "rsa_ossl_private_decrypt"},
-+ {ERR_FUNC(FIPS_F_RSA_OSSL_PRIVATE_ENCRYPT), "rsa_ossl_private_encrypt"},
-+ {ERR_FUNC(FIPS_F_RSA_OSSL_PUBLIC_DECRYPT), "rsa_ossl_public_decrypt"},
-+ {ERR_FUNC(FIPS_F_RSA_OSSL_PUBLIC_ENCRYPT), "rsa_ossl_public_encrypt"},
-+ {0, NULL}
-+};
-+
-+static ERR_STRING_DATA FIPS_str_reasons[] = {
-+ {ERR_REASON(FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED),
-+ "additional input error undetected"},
-+ {ERR_REASON(FIPS_R_ADDITIONAL_INPUT_TOO_LONG),
-+ "additional input too long"},
-+ {ERR_REASON(FIPS_R_ALREADY_INSTANTIATED), "already instantiated"},
-+ {ERR_REASON(FIPS_R_DRBG_NOT_INITIALISED), "drbg not initialised"},
-+ {ERR_REASON(FIPS_R_DRBG_STUCK), "drbg stuck"},
-+ {ERR_REASON(FIPS_R_ENTROPY_ERROR_UNDETECTED), "entropy error undetected"},
-+ {ERR_REASON(FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED),
-+ "entropy not requested for reseed"},
-+ {ERR_REASON(FIPS_R_ENTROPY_SOURCE_STUCK), "entropy source stuck"},
-+ {ERR_REASON(FIPS_R_ERROR_INITIALISING_DRBG), "error initialising drbg"},
-+ {ERR_REASON(FIPS_R_ERROR_INSTANTIATING_DRBG), "error instantiating drbg"},
-+ {ERR_REASON(FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT),
-+ "error retrieving additional input"},
-+ {ERR_REASON(FIPS_R_ERROR_RETRIEVING_ENTROPY), "error retrieving entropy"},
-+ {ERR_REASON(FIPS_R_ERROR_RETRIEVING_NONCE), "error retrieving nonce"},
-+ {ERR_REASON(FIPS_R_FINGERPRINT_DOES_NOT_MATCH),
-+ "fingerprint does not match"},
-+ {ERR_REASON(FIPS_R_FIPS_MODE_ALREADY_SET), "fips mode already set"},
-+ {ERR_REASON(FIPS_R_FIPS_SELFTEST_FAILED), "fips selftest failed"},
-+ {ERR_REASON(FIPS_R_FUNCTION_ERROR), "function error"},
-+ {ERR_REASON(FIPS_R_GENERATE_ERROR), "generate error"},
-+ {ERR_REASON(FIPS_R_GENERATE_ERROR_UNDETECTED),
-+ "generate error undetected"},
-+ {ERR_REASON(FIPS_R_INSTANTIATE_ERROR), "instantiate error"},
-+ {ERR_REASON(FIPS_R_INTERNAL_ERROR), "internal error"},
-+ {ERR_REASON(FIPS_R_INVALID_KEY_LENGTH), "invalid key length"},
-+ {ERR_REASON(FIPS_R_IN_ERROR_STATE), "in error state"},
-+ {ERR_REASON(FIPS_R_KEY_TOO_SHORT), "key too short"},
-+ {ERR_REASON(FIPS_R_NONCE_ERROR_UNDETECTED), "nonce error undetected"},
-+ {ERR_REASON(FIPS_R_NON_FIPS_METHOD), "non fips method"},
-+ {ERR_REASON(FIPS_R_NOPR_TEST1_FAILURE), "nopr test1 failure"},
-+ {ERR_REASON(FIPS_R_NOPR_TEST2_FAILURE), "nopr test2 failure"},
-+ {ERR_REASON(FIPS_R_NOT_INSTANTIATED), "not instantiated"},
-+ {ERR_REASON(FIPS_R_PAIRWISE_TEST_FAILED), "pairwise test failed"},
-+ {ERR_REASON(FIPS_R_PERSONALISATION_ERROR_UNDETECTED),
-+ "personalisation error undetected"},
-+ {ERR_REASON(FIPS_R_PERSONALISATION_STRING_TOO_LONG),
-+ "personalisation string too long"},
-+ {ERR_REASON(FIPS_R_PR_TEST1_FAILURE), "pr test1 failure"},
-+ {ERR_REASON(FIPS_R_PR_TEST2_FAILURE), "pr test2 failure"},
-+ {ERR_REASON(FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED),
-+ "request length error undetected"},
-+ {ERR_REASON(FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG),
-+ "request too large for drbg"},
-+ {ERR_REASON(FIPS_R_RESEED_COUNTER_ERROR), "reseed counter error"},
-+ {ERR_REASON(FIPS_R_RESEED_ERROR), "reseed error"},
-+ {ERR_REASON(FIPS_R_SELFTEST_FAILED), "selftest failed"},
-+ {ERR_REASON(FIPS_R_SELFTEST_FAILURE), "selftest failure"},
-+ {ERR_REASON(FIPS_R_TEST_FAILURE), "test failure"},
-+ {ERR_REASON(FIPS_R_UNINSTANTIATE_ERROR), "uninstantiate error"},
-+ {ERR_REASON(FIPS_R_UNINSTANTIATE_ZEROISE_ERROR),
-+ "uninstantiate zeroise error"},
-+ {ERR_REASON(FIPS_R_UNSUPPORTED_DRBG_TYPE), "unsupported drbg type"},
-+ {ERR_REASON(FIPS_R_UNSUPPORTED_PLATFORM), "unsupported platform"},
-+ {0, NULL}
-+};
-+
-+#endif
-+
-+int ERR_load_FIPS_strings(void)
-+{
-+#ifndef OPENSSL_NO_ERR
-+
-+ if (ERR_func_error_string(FIPS_str_functs[0].error) == NULL) {
-+ ERR_load_strings(0, FIPS_str_functs);
-+ ERR_load_strings(0, FIPS_str_reasons);
-+ }
-+#endif
-+ return 1;
-+}
-diff -up openssl-1.1.0h/crypto/fips/fips_ers.c.fips openssl-1.1.0h/crypto/fips/fips_ers.c
---- openssl-1.1.0h/crypto/fips/fips_ers.c.fips 2018-03-29 14:44:24.635236854 +0200
-+++ openssl-1.1.0h/crypto/fips/fips_ers.c 2018-03-29 14:44:24.635236854 +0200
-@@ -0,0 +1,7 @@
-+#include <openssl/opensslconf.h>
-+
-+#ifdef OPENSSL_FIPS
-+# include "fips_err.h"
-+#else
-+static void *dummy = &dummy;
-+#endif
-diff -up openssl-1.1.0h/crypto/fips/fips_hmac_selftest.c.fips openssl-1.1.0h/crypto/fips/fips_hmac_selftest.c
---- openssl-1.1.0h/crypto/fips/fips_hmac_selftest.c.fips 2018-03-29 14:44:24.635236854 +0200
-+++ openssl-1.1.0h/crypto/fips/fips_hmac_selftest.c 2018-03-29 14:44:24.635236854 +0200
-@@ -0,0 +1,134 @@
-+/* ====================================================================
-+ * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <string.h>
-+#include <openssl/err.h>
-+#ifdef OPENSSL_FIPS
-+# include <openssl/fips.h>
-+#endif
-+#include <openssl/hmac.h>
-+
-+#ifdef OPENSSL_FIPS
-+typedef struct {
-+ const EVP_MD *(*alg) (void);
-+ const char *key, *iv;
-+ unsigned char kaval[EVP_MAX_MD_SIZE];
-+} HMAC_KAT;
-+
-+static const HMAC_KAT vector[] = {
-+ {EVP_sha1,
-+ /* from http://csrc.nist.gov/publications/fips/fips198/fips-198a.pdf */
-+ "0123456789:;<=>?@ABC",
-+ "Sample #2",
-+ {0x09, 0x22, 0xd3, 0x40, 0x5f, 0xaa, 0x3d, 0x19,
-+ 0x4f, 0x82, 0xa4, 0x58, 0x30, 0x73, 0x7d, 0x5c,
-+ 0xc6, 0xc7, 0x5d, 0x24}
-+ },
-+ {EVP_sha224,
-+ /* just keep extending the above... */
-+ "0123456789:;<=>?@ABC",
-+ "Sample #2",
-+ {0xdd, 0xef, 0x0a, 0x40, 0xcb, 0x7d, 0x50, 0xfb,
-+ 0x6e, 0xe6, 0xce, 0xa1, 0x20, 0xba, 0x26, 0xaa,
-+ 0x08, 0xf3, 0x07, 0x75, 0x87, 0xb8, 0xad, 0x1b,
-+ 0x8c, 0x8d, 0x12, 0xc7}
-+ },
-+ {EVP_sha256,
-+ "0123456789:;<=>?@ABC",
-+ "Sample #2",
-+ {0xb8, 0xf2, 0x0d, 0xb5, 0x41, 0xea, 0x43, 0x09,
-+ 0xca, 0x4e, 0xa9, 0x38, 0x0c, 0xd0, 0xe8, 0x34,
-+ 0xf7, 0x1f, 0xbe, 0x91, 0x74, 0xa2, 0x61, 0x38,
-+ 0x0d, 0xc1, 0x7e, 0xae, 0x6a, 0x34, 0x51, 0xd9}
-+ },
-+ {EVP_sha384,
-+ "0123456789:;<=>?@ABC",
-+ "Sample #2",
-+ {0x08, 0xbc, 0xb0, 0xda, 0x49, 0x1e, 0x87, 0xad,
-+ 0x9a, 0x1d, 0x6a, 0xce, 0x23, 0xc5, 0x0b, 0xf6,
-+ 0xb7, 0x18, 0x06, 0xa5, 0x77, 0xcd, 0x49, 0x04,
-+ 0x89, 0xf1, 0xe6, 0x23, 0x44, 0x51, 0x51, 0x9f,
-+ 0x85, 0x56, 0x80, 0x79, 0x0c, 0xbd, 0x4d, 0x50,
-+ 0xa4, 0x5f, 0x29, 0xe3, 0x93, 0xf0, 0xe8, 0x7f}
-+ },
-+ {EVP_sha512,
-+ "0123456789:;<=>?@ABC",
-+ "Sample #2",
-+ {0x80, 0x9d, 0x44, 0x05, 0x7c, 0x5b, 0x95, 0x41,
-+ 0x05, 0xbd, 0x04, 0x13, 0x16, 0xdb, 0x0f, 0xac,
-+ 0x44, 0xd5, 0xa4, 0xd5, 0xd0, 0x89, 0x2b, 0xd0,
-+ 0x4e, 0x86, 0x64, 0x12, 0xc0, 0x90, 0x77, 0x68,
-+ 0xf1, 0x87, 0xb7, 0x7c, 0x4f, 0xae, 0x2c, 0x2f,
-+ 0x21, 0xa5, 0xb5, 0x65, 0x9a, 0x4f, 0x4b, 0xa7,
-+ 0x47, 0x02, 0xa3, 0xde, 0x9b, 0x51, 0xf1, 0x45,
-+ 0xbd, 0x4f, 0x25, 0x27, 0x42, 0x98, 0x99, 0x05}
-+ },
-+};
-+
-+int FIPS_selftest_hmac()
-+{
-+ int n;
-+ unsigned int outlen;
-+ unsigned char out[EVP_MAX_MD_SIZE];
-+ const EVP_MD *md;
-+ const HMAC_KAT *t;
-+
-+ for (n = 0, t = vector; n < sizeof(vector) / sizeof(vector[0]); n++, t++) {
-+ md = (*t->alg) ();
-+ HMAC(md, t->key, strlen(t->key),
-+ (const unsigned char *)t->iv, strlen(t->iv), out, &outlen);
-+
-+ if (memcmp(out, t->kaval, outlen)) {
-+ FIPSerr(FIPS_F_FIPS_SELFTEST_HMAC, FIPS_R_SELFTEST_FAILED);
-+ return 0;
-+ }
-+ }
-+ return 1;
-+}
-+#endif
-diff -up openssl-1.1.0h/crypto/fips/fips_locl.h.fips openssl-1.1.0h/crypto/fips/fips_locl.h
---- openssl-1.1.0h/crypto/fips/fips_locl.h.fips 2018-03-29 14:44:24.635236854 +0200
-+++ openssl-1.1.0h/crypto/fips/fips_locl.h 2018-03-29 14:44:24.635236854 +0200
-@@ -0,0 +1,71 @@
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#ifdef OPENSSL_FIPS
-+
-+# ifdef __cplusplus
-+extern "C" {
-+# endif
-+
-+# define FIPS_MAX_CIPHER_TEST_SIZE 32
-+# define fips_load_key_component(comp, pre) \
-+ comp = BN_bin2bn(pre##_##comp, sizeof(pre##_##comp), NULL); \
-+ if (!comp) \
-+ goto err
-+
-+# define fips_post_started(id, subid, ex) 1
-+# define fips_post_success(id, subid, ex) 1
-+# define fips_post_failed(id, subid, ex) 1
-+# define fips_post_corrupt(id, subid, ex) 1
-+# define fips_post_status() 1
-+
-+# ifdef __cplusplus
-+}
-+# endif
-+#endif
-diff -up openssl-1.1.0h/crypto/fips/fips_md.c.fips openssl-1.1.0h/crypto/fips/fips_md.c
---- openssl-1.1.0h/crypto/fips/fips_md.c.fips 2018-03-29 14:44:24.635236854 +0200
-+++ openssl-1.1.0h/crypto/fips/fips_md.c 2018-03-29 14:44:24.635236854 +0200
-@@ -0,0 +1,144 @@
-+/* fips/evp/fips_md.c */
-+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
-+ * All rights reserved.
-+ *
-+ * This package is an SSL implementation written
-+ * by Eric Young (eay@cryptsoft.com).
-+ * The implementation was written so as to conform with Netscapes SSL.
-+ *
-+ * This library is free for commercial and non-commercial use as long as
-+ * the following conditions are aheared to. The following conditions
-+ * apply to all code found in this distribution, be it the RC4, RSA,
-+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
-+ * included with this distribution is covered by the same copyright terms
-+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
-+ *
-+ * Copyright remains Eric Young's, and as such any Copyright notices in
-+ * the code are not to be removed.
-+ * If this package is used in a product, Eric Young should be given attribution
-+ * as the author of the parts of the library used.
-+ * This can be in the form of a textual message at program startup or
-+ * in documentation (online or textual) provided with the package.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ * 1. Redistributions of source code must retain the copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in the
-+ * documentation and/or other materials provided with the distribution.
-+ * 3. All advertising materials mentioning features or use of this software
-+ * must display the following acknowledgement:
-+ * "This product includes cryptographic software written by
-+ * Eric Young (eay@cryptsoft.com)"
-+ * The word 'cryptographic' can be left out if the rouines from the library
-+ * being used are not cryptographic related :-).
-+ * 4. If you include any Windows specific code (or a derivative thereof) from
-+ * the apps directory (application code) you must include an acknowledgement:
-+ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
-+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-+ * SUCH DAMAGE.
-+ *
-+ * The licence and distribution terms for any publically available version or
-+ * derivative of this code cannot be changed. i.e. this code cannot simply be
-+ * copied and put under another distribution licence
-+ * [including the GNU Public Licence.]
-+ */
-+/* ====================================================================
-+ * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ *
-+ * This product includes cryptographic software written by Eric Young
-+ * (eay@cryptsoft.com). This product includes software written by Tim
-+ * Hudson (tjh@cryptsoft.com).
-+ *
-+ */
-+
-+/* Minimal standalone FIPS versions of Digest operations */
-+
-+#define OPENSSL_FIPSAPI
-+
-+#include <stdio.h>
-+#include <string.h>
-+#include <openssl/objects.h>
-+#include <openssl/evp.h>
-+#include <openssl/err.h>
-+#include <openssl/fips.h>
-+
-+const EVP_MD *FIPS_get_digestbynid(int nid)
-+{
-+ switch (nid) {
-+ case NID_sha1:
-+ return EVP_sha1();
-+
-+ case NID_sha224:
-+ return EVP_sha224();
-+
-+ case NID_sha256:
-+ return EVP_sha256();
-+
-+ case NID_sha384:
-+ return EVP_sha384();
-+
-+ case NID_sha512:
-+ return EVP_sha512();
-+
-+ default:
-+ return NULL;
-+ }
-+}
-diff -up openssl-1.1.0h/crypto/fips/fips_post.c.fips openssl-1.1.0h/crypto/fips/fips_post.c
---- openssl-1.1.0h/crypto/fips/fips_post.c.fips 2018-03-29 14:44:24.636236877 +0200
-+++ openssl-1.1.0h/crypto/fips/fips_post.c 2018-03-29 14:44:24.635236854 +0200
-@@ -0,0 +1,222 @@
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#define OPENSSL_FIPSAPI
-+
-+#include <openssl/crypto.h>
-+#include <openssl/rand.h>
-+#include <openssl/fips_rand.h>
-+#include <openssl/err.h>
-+#include <openssl/bio.h>
-+#include <openssl/hmac.h>
-+#include <openssl/rsa.h>
-+#include <openssl/dsa.h>
-+#include <openssl/evp.h>
-+#include <string.h>
-+#include <limits.h>
-+
-+#ifdef OPENSSL_FIPS
-+
-+/* Power on self test (POST) support functions */
-+
-+# include <openssl/fips.h>
-+# include "internal/fips_int.h"
-+# include "fips_locl.h"
-+
-+/* Run all selftests */
-+int FIPS_selftest(void)
-+{
-+ int rv = 1;
-+ if (!FIPS_selftest_drbg())
-+ rv = 0;
-+ if (!FIPS_selftest_sha1())
-+ rv = 0;
-+ if (!FIPS_selftest_sha2())
-+ rv = 0;
-+ if (!FIPS_selftest_hmac())
-+ rv = 0;
-+ if (!FIPS_selftest_cmac())
-+ rv = 0;
-+ if (!FIPS_selftest_aes())
-+ rv = 0;
-+ if (!FIPS_selftest_aes_ccm())
-+ rv = 0;
-+ if (!FIPS_selftest_aes_gcm())
-+ rv = 0;
-+ if (!FIPS_selftest_aes_xts())
-+ rv = 0;
-+ if (!FIPS_selftest_des())
-+ rv = 0;
-+ if (!FIPS_selftest_rsa())
-+ rv = 0;
-+ if (!FIPS_selftest_ecdsa())
-+ rv = 0;
-+ if (!FIPS_selftest_dsa())
-+ rv = 0;
-+ if (!FIPS_selftest_dh())
-+ rv = 0;
-+ if (!FIPS_selftest_ecdh())
-+ rv = 0;
-+ return rv;
-+}
-+
-+/* Generalized public key test routine. Signs and verifies the data
-+ * supplied in tbs using mesage digest md and setting option digest
-+ * flags md_flags. If the 'kat' parameter is not NULL it will
-+ * additionally check the signature matches it: a known answer test
-+ * The string "fail_str" is used for identification purposes in case
-+ * of failure. If "pkey" is NULL just perform a message digest check.
-+ */
-+
-+int fips_pkey_signature_test(EVP_PKEY *pkey,
-+ const unsigned char *tbs, int tbslen,
-+ const unsigned char *kat, unsigned int katlen,
-+ const EVP_MD *digest, unsigned int flags,
-+ const char *fail_str)
-+{
-+ int ret = 0;
-+ unsigned char sigtmp[256], *sig = sigtmp;
-+ size_t siglen = sizeof(sigtmp);
-+ EVP_MD_CTX *mctx;
-+ EVP_PKEY_CTX *pctx;
-+
-+ if (digest == NULL)
-+ digest = EVP_sha256();
-+
-+ mctx = EVP_MD_CTX_new();
-+
-+ if ((EVP_PKEY_id(pkey) == EVP_PKEY_RSA)
-+ && (RSA_size(EVP_PKEY_get0_RSA(pkey)) > sizeof(sigtmp))) {
-+ sig = OPENSSL_malloc(RSA_size(EVP_PKEY_get0_RSA(pkey)));
-+ siglen = RSA_size(EVP_PKEY_get0_RSA(pkey));
-+ }
-+ if (!sig || ! mctx) {
-+ EVP_MD_CTX_free(mctx);
-+ FIPSerr(FIPS_F_FIPS_PKEY_SIGNATURE_TEST, ERR_R_MALLOC_FAILURE);
-+ return 0;
-+ }
-+
-+ if (tbslen == -1)
-+ tbslen = strlen((char *)tbs);
-+
-+ if (EVP_DigestSignInit(mctx, &pctx, digest, NULL, pkey) <= 0)
-+ goto error;
-+
-+ if (flags == EVP_MD_CTX_FLAG_PAD_PSS) {
-+ EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING);
-+ EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, 0);
-+ }
-+
-+ if (EVP_DigestSignUpdate(mctx, tbs, tbslen) <= 0)
-+ goto error;
-+
-+ if (EVP_DigestSignFinal(mctx, sig, &siglen) <= 0)
-+ goto error;
-+
-+ if (kat && ((siglen != katlen) || memcmp(kat, sig, katlen)))
-+ goto error;
-+
-+ if (EVP_DigestVerifyInit(mctx, &pctx, digest, NULL, pkey) <= 0)
-+ goto error;
-+
-+ if (flags == EVP_MD_CTX_FLAG_PAD_PSS) {
-+ EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING);
-+ EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, 0);
-+ }
-+
-+ if (EVP_DigestVerifyUpdate(mctx, tbs, tbslen) <= 0)
-+ goto error;
-+
-+ ret = EVP_DigestVerifyFinal(mctx, sig, siglen);
-+
-+ error:
-+ if (sig != sigtmp)
-+ OPENSSL_free(sig);
-+ EVP_MD_CTX_free(mctx);
-+ if (ret <= 0) {
-+ FIPSerr(FIPS_F_FIPS_PKEY_SIGNATURE_TEST, FIPS_R_TEST_FAILURE);
-+ if (fail_str)
-+ ERR_add_error_data(2, "Type=", fail_str);
-+ return 0;
-+ }
-+ return 1;
-+}
-+
-+/* Generalized symmetric cipher test routine. Encrypt data, verify result
-+ * against known answer, decrypt and compare with original plaintext.
-+ */
-+
-+int fips_cipher_test(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
-+ const unsigned char *key,
-+ const unsigned char *iv,
-+ const unsigned char *plaintext,
-+ const unsigned char *ciphertext, int len)
-+{
-+ unsigned char pltmp[FIPS_MAX_CIPHER_TEST_SIZE];
-+ unsigned char citmp[FIPS_MAX_CIPHER_TEST_SIZE];
-+
-+ OPENSSL_assert(len <= FIPS_MAX_CIPHER_TEST_SIZE);
-+ memset(pltmp, 0, FIPS_MAX_CIPHER_TEST_SIZE);
-+ memset(citmp, 0, FIPS_MAX_CIPHER_TEST_SIZE);
-+
-+ if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 1) <= 0)
-+ return 0;
-+ if (EVP_Cipher(ctx, citmp, plaintext, len) <= 0)
-+ return 0;
-+ if (memcmp(citmp, ciphertext, len))
-+ return 0;
-+ if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 0) <= 0)
-+ return 0;
-+ if (EVP_Cipher(ctx, pltmp, citmp, len) <= 0)
-+ return 0;
-+ if (memcmp(pltmp, plaintext, len))
-+ return 0;
-+ return 1;
-+}
-+#endif
-diff -up openssl-1.1.0h/crypto/fips/fips_rand_lcl.h.fips openssl-1.1.0h/crypto/fips/fips_rand_lcl.h
---- openssl-1.1.0h/crypto/fips/fips_rand_lcl.h.fips 2018-03-29 14:44:24.636236877 +0200
-+++ openssl-1.1.0h/crypto/fips/fips_rand_lcl.h 2018-03-29 14:44:24.636236877 +0200
-@@ -0,0 +1,209 @@
-+/* fips/rand/fips_rand_lcl.h */
-+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
-+ * project.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ */
-+
-+typedef struct drbg_hash_ctx_st DRBG_HASH_CTX;
-+typedef struct drbg_hmac_ctx_st DRBG_HMAC_CTX;
-+typedef struct drbg_ctr_ctx_st DRBG_CTR_CTX;
-+
-+/* 888 bits from 10.1 table 2 */
-+#define HASH_PRNG_MAX_SEEDLEN 111
-+
-+struct drbg_hash_ctx_st {
-+ const EVP_MD *md;
-+ EVP_MD_CTX *mctx;
-+ unsigned char V[HASH_PRNG_MAX_SEEDLEN];
-+ unsigned char C[HASH_PRNG_MAX_SEEDLEN];
-+ /* Temporary value storage: should always exceed max digest length */
-+ unsigned char vtmp[HASH_PRNG_MAX_SEEDLEN];
-+};
-+
-+struct drbg_hmac_ctx_st {
-+ const EVP_MD *md;
-+ HMAC_CTX *hctx;
-+ unsigned char K[EVP_MAX_MD_SIZE];
-+ unsigned char V[EVP_MAX_MD_SIZE];
-+};
-+
-+struct drbg_ctr_ctx_st {
-+ AES_KEY ks;
-+ size_t keylen;
-+ unsigned char K[32];
-+ unsigned char V[16];
-+ /* Temp variables used by derivation function */
-+ AES_KEY df_ks;
-+ AES_KEY df_kxks;
-+ /* Temporary block storage used by ctr_df */
-+ unsigned char bltmp[16];
-+ size_t bltmp_pos;
-+ unsigned char KX[48];
-+};
-+
-+/* DRBG internal flags */
-+
-+/* Functions shouldn't call err library */
-+#define DRBG_FLAG_NOERR 0x1
-+/* Custom reseed checking */
-+#define DRBG_CUSTOM_RESEED 0x2
-+
-+/* DRBG status values */
-+/* not initialised */
-+#define DRBG_STATUS_UNINITIALISED 0
-+/* ok and ready to generate random bits */
-+#define DRBG_STATUS_READY 1
-+/* reseed required */
-+#define DRBG_STATUS_RESEED 2
-+/* fatal error condition */
-+#define DRBG_STATUS_ERROR 3
-+
-+/* A default maximum length: larger than any reasonable value used in pratice */
-+
-+#define DRBG_MAX_LENGTH 0x7ffffff0
-+/* Maximum DRBG block length: all md sizes are bigger than cipher blocks sizes
-+ * so use max digest length.
-+ */
-+#define DRBG_MAX_BLOCK EVP_MAX_MD_SIZE
-+
-+#define DRBG_HEALTH_INTERVAL (1 << 24)
-+
-+/* DRBG context structure */
-+
-+struct drbg_ctx_st {
-+ /* First types common to all implementations */
-+ /* DRBG type: a NID for the underlying algorithm */
-+ int type;
-+ /* Various external flags */
-+ unsigned int xflags;
-+ /* Various internal use only flags */
-+ unsigned int iflags;
-+ /* Used for periodic health checks */
-+ int health_check_cnt, health_check_interval;
-+
-+ /* The following parameters are setup by mechanism drbg_init() call */
-+ int strength;
-+ size_t blocklength;
-+ size_t max_request;
-+
-+ size_t min_entropy, max_entropy;
-+ size_t min_nonce, max_nonce;
-+ size_t max_pers, max_adin;
-+ unsigned int reseed_counter;
-+ unsigned int reseed_interval;
-+ size_t seedlen;
-+ int status;
-+ /* Application data: typically used by test get_entropy */
-+ void *app_data;
-+ /* Implementation specific structures */
-+ union {
-+ DRBG_HASH_CTX hash;
-+ DRBG_HMAC_CTX hmac;
-+ DRBG_CTR_CTX ctr;
-+ } d;
-+ /* Initialiase PRNG and setup callbacks below */
-+ int (*init) (DRBG_CTX *ctx, int nid, int security, unsigned int flags);
-+ /* Intantiate PRNG */
-+ int (*instantiate) (DRBG_CTX *ctx,
-+ const unsigned char *ent, size_t entlen,
-+ const unsigned char *nonce, size_t noncelen,
-+ const unsigned char *pers, size_t perslen);
-+ /* reseed */
-+ int (*reseed) (DRBG_CTX *ctx,
-+ const unsigned char *ent, size_t entlen,
-+ const unsigned char *adin, size_t adinlen);
-+ /* generat output */
-+ int (*generate) (DRBG_CTX *ctx,
-+ unsigned char *out, size_t outlen,
-+ const unsigned char *adin, size_t adinlen);
-+ /* uninstantiate */
-+ int (*uninstantiate) (DRBG_CTX *ctx);
-+
-+ /* Entropy source block length */
-+ size_t entropy_blocklen;
-+
-+ /* entropy gathering function */
-+ size_t (*get_entropy) (DRBG_CTX *ctx, unsigned char **pout,
-+ int entropy, size_t min_len, size_t max_len);
-+ /* Indicates we have finished with entropy buffer */
-+ void (*cleanup_entropy) (DRBG_CTX *ctx, unsigned char *out, size_t olen);
-+
-+ /* nonce gathering function */
-+ size_t (*get_nonce) (DRBG_CTX *ctx, unsigned char **pout,
-+ int entropy, size_t min_len, size_t max_len);
-+ /* Indicates we have finished with nonce buffer */
-+ void (*cleanup_nonce) (DRBG_CTX *ctx, unsigned char *out, size_t olen);
-+
-+ /* Continuous random number test temporary area */
-+ /* Last block */
-+ unsigned char lb[EVP_MAX_MD_SIZE];
-+ /* set if lb is valid */
-+ int lb_valid;
-+
-+ /* Callbacks used when called through RAND interface */
-+ /* Get any additional input for generate */
-+ size_t (*get_adin) (DRBG_CTX *ctx, unsigned char **pout);
-+ void (*cleanup_adin) (DRBG_CTX *ctx, unsigned char *out, size_t olen);
-+ /* Callback for RAND_seed(), RAND_add() */
-+ int (*rand_seed_cb) (DRBG_CTX *ctx, const void *buf, int num);
-+ int (*rand_add_cb) (DRBG_CTX *ctx,
-+ const void *buf, int num, double entropy);
-+};
-+
-+int fips_drbg_ctr_init(DRBG_CTX *dctx);
-+int fips_drbg_hash_init(DRBG_CTX *dctx);
-+int fips_drbg_hmac_init(DRBG_CTX *dctx);
-+int fips_drbg_kat(DRBG_CTX *dctx, int nid, unsigned int flags);
-+int fips_drbg_cprng_test(DRBG_CTX *dctx, const unsigned char *out);
-+
-+#define FIPS_digestinit EVP_DigestInit
-+#define FIPS_digestupdate EVP_DigestUpdate
-+#define FIPS_digestfinal EVP_DigestFinal
-+#define M_EVP_MD_size EVP_MD_size
-diff -up openssl-1.1.0h/crypto/fips/fips_rand_lib.c.fips openssl-1.1.0h/crypto/fips/fips_rand_lib.c
---- openssl-1.1.0h/crypto/fips/fips_rand_lib.c.fips 2018-03-29 14:44:24.636236877 +0200
-+++ openssl-1.1.0h/crypto/fips/fips_rand_lib.c 2018-03-29 14:44:24.636236877 +0200
-@@ -0,0 +1,234 @@
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+/* If we don't define _XOPEN_SOURCE_EXTENDED, struct timeval won't
-+ be defined and gettimeofday() won't be declared with strict compilers
-+ like DEC C in ANSI C mode. */
-+#ifndef _XOPEN_SOURCE_EXTENDED
-+# define _XOPEN_SOURCE_EXTENDED 1
-+#endif
-+
-+#include <openssl/crypto.h>
-+#include <openssl/rand.h>
-+#include <openssl/err.h>
-+#include <openssl/fips.h>
-+#include "internal/fips_int.h"
-+#include <openssl/fips_rand.h>
-+#include "e_os.h"
-+
-+#if !(defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VXWORKS))
-+# include <sys/time.h>
-+#endif
-+#if defined(OPENSSL_SYS_VXWORKS)
-+# include <time.h>
-+#endif
-+#ifndef OPENSSL_SYS_WIN32
-+# ifdef OPENSSL_UNISTD
-+# include OPENSSL_UNISTD
-+# else
-+# include <unistd.h>
-+# endif
-+#endif
-+
-+/* FIPS API for PRNG use. Similar to RAND functionality but without
-+ * ENGINE and additional checking for non-FIPS rand methods.
-+ */
-+
-+static const RAND_METHOD *fips_rand_meth = NULL;
-+static int fips_approved_rand_meth = 0;
-+static int fips_rand_bits = 0;
-+
-+/* Allows application to override number of bits and uses non-FIPS methods */
-+void FIPS_rand_set_bits(int nbits)
-+{
-+ fips_rand_bits = nbits;
-+}
-+
-+int FIPS_rand_set_method(const RAND_METHOD *meth)
-+{
-+ if (!fips_rand_bits) {
-+ if (meth == FIPS_drbg_method())
-+ fips_approved_rand_meth = 1;
-+ else {
-+ fips_approved_rand_meth = 0;
-+ if (FIPS_module_mode()) {
-+ FIPSerr(FIPS_F_FIPS_RAND_SET_METHOD, FIPS_R_NON_FIPS_METHOD);
-+ return 0;
-+ }
-+ }
-+ }
-+ fips_rand_meth = meth;
-+ return 1;
-+}
-+
-+const RAND_METHOD *FIPS_rand_get_method(void)
-+{
-+ return fips_rand_meth;
-+}
-+
-+void FIPS_rand_reset(void)
-+{
-+ if (fips_rand_meth && fips_rand_meth->cleanup)
-+ fips_rand_meth->cleanup();
-+}
-+
-+int FIPS_rand_seed(const void *buf, int num)
-+{
-+ if (!fips_approved_rand_meth && FIPS_module_mode()) {
-+ FIPSerr(FIPS_F_FIPS_RAND_SEED, FIPS_R_NON_FIPS_METHOD);
-+ return 0;
-+ }
-+ if (fips_rand_meth && fips_rand_meth->seed)
-+ fips_rand_meth->seed(buf, num);
-+ return 1;
-+}
-+
-+int FIPS_rand_bytes(unsigned char *buf, int num)
-+{
-+ if (!fips_approved_rand_meth && FIPS_module_mode()) {
-+ FIPSerr(FIPS_F_FIPS_RAND_BYTES, FIPS_R_NON_FIPS_METHOD);
-+ return 0;
-+ }
-+ if (fips_rand_meth && fips_rand_meth->bytes)
-+ return fips_rand_meth->bytes(buf, num);
-+ return 0;
-+}
-+
-+int FIPS_rand_status(void)
-+{
-+ if (!fips_approved_rand_meth && FIPS_module_mode()) {
-+ FIPSerr(FIPS_F_FIPS_RAND_STATUS, FIPS_R_NON_FIPS_METHOD);
-+ return 0;
-+ }
-+ if (fips_rand_meth && fips_rand_meth->status)
-+ return fips_rand_meth->status();
-+ return 0;
-+}
-+
-+/* Return instantiated strength of PRNG. For DRBG this is an internal
-+ * parameter. Any other type of PRNG is not approved and returns 0 in
-+ * FIPS mode and maximum 256 outside FIPS mode.
-+ */
-+
-+int FIPS_rand_strength(void)
-+{
-+ if (fips_rand_bits)
-+ return fips_rand_bits;
-+ if (fips_approved_rand_meth == 1)
-+ return FIPS_drbg_get_strength(FIPS_get_default_drbg());
-+ else if (fips_approved_rand_meth == 0) {
-+ if (FIPS_module_mode())
-+ return 0;
-+ else
-+ return 256;
-+ }
-+ return 0;
-+}
-+
-+void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr)
-+{
-+# ifdef OPENSSL_SYS_WIN32
-+ FILETIME ft;
-+# elif defined(OPENSSL_SYS_VXWORKS)
-+ struct timespec ts;
-+# else
-+ struct timeval tv;
-+# endif
-+
-+# ifndef GETPID_IS_MEANINGLESS
-+ unsigned long pid;
-+# endif
-+
-+# ifdef OPENSSL_SYS_WIN32
-+ GetSystemTimeAsFileTime(&ft);
-+ buf[0] = (unsigned char)(ft.dwHighDateTime & 0xff);
-+ buf[1] = (unsigned char)((ft.dwHighDateTime >> 8) & 0xff);
-+ buf[2] = (unsigned char)((ft.dwHighDateTime >> 16) & 0xff);
-+ buf[3] = (unsigned char)((ft.dwHighDateTime >> 24) & 0xff);
-+ buf[4] = (unsigned char)(ft.dwLowDateTime & 0xff);
-+ buf[5] = (unsigned char)((ft.dwLowDateTime >> 8) & 0xff);
-+ buf[6] = (unsigned char)((ft.dwLowDateTime >> 16) & 0xff);
-+ buf[7] = (unsigned char)((ft.dwLowDateTime >> 24) & 0xff);
-+# elif defined(OPENSSL_SYS_VXWORKS)
-+ clock_gettime(CLOCK_REALTIME, &ts);
-+ buf[0] = (unsigned char)(ts.tv_sec & 0xff);
-+ buf[1] = (unsigned char)((ts.tv_sec >> 8) & 0xff);
-+ buf[2] = (unsigned char)((ts.tv_sec >> 16) & 0xff);
-+ buf[3] = (unsigned char)((ts.tv_sec >> 24) & 0xff);
-+ buf[4] = (unsigned char)(ts.tv_nsec & 0xff);
-+ buf[5] = (unsigned char)((ts.tv_nsec >> 8) & 0xff);
-+ buf[6] = (unsigned char)((ts.tv_nsec >> 16) & 0xff);
-+ buf[7] = (unsigned char)((ts.tv_nsec >> 24) & 0xff);
-+# else
-+ gettimeofday(&tv, NULL);
-+ buf[0] = (unsigned char)(tv.tv_sec & 0xff);
-+ buf[1] = (unsigned char)((tv.tv_sec >> 8) & 0xff);
-+ buf[2] = (unsigned char)((tv.tv_sec >> 16) & 0xff);
-+ buf[3] = (unsigned char)((tv.tv_sec >> 24) & 0xff);
-+ buf[4] = (unsigned char)(tv.tv_usec & 0xff);
-+ buf[5] = (unsigned char)((tv.tv_usec >> 8) & 0xff);
-+ buf[6] = (unsigned char)((tv.tv_usec >> 16) & 0xff);
-+ buf[7] = (unsigned char)((tv.tv_usec >> 24) & 0xff);
-+# endif
-+ buf[8] = (unsigned char)(*pctr & 0xff);
-+ buf[9] = (unsigned char)((*pctr >> 8) & 0xff);
-+ buf[10] = (unsigned char)((*pctr >> 16) & 0xff);
-+ buf[11] = (unsigned char)((*pctr >> 24) & 0xff);
-+
-+ (*pctr)++;
-+
-+# ifndef GETPID_IS_MEANINGLESS
-+ pid = (unsigned long)getpid();
-+ buf[12] = (unsigned char)(pid & 0xff);
-+ buf[13] = (unsigned char)((pid >> 8) & 0xff);
-+ buf[14] = (unsigned char)((pid >> 16) & 0xff);
-+ buf[15] = (unsigned char)((pid >> 24) & 0xff);
-+# endif
-+}
-+
-diff -up openssl-1.1.0h/crypto/fips/fips_randtest.c.fips openssl-1.1.0h/crypto/fips/fips_randtest.c
---- openssl-1.1.0h/crypto/fips/fips_randtest.c.fips 2018-03-29 14:44:24.636236877 +0200
-+++ openssl-1.1.0h/crypto/fips/fips_randtest.c 2018-03-29 14:44:24.636236877 +0200
-@@ -0,0 +1,247 @@
-+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
-+ * All rights reserved.
-+ *
-+ * This package is an SSL implementation written
-+ * by Eric Young (eay@cryptsoft.com).
-+ * The implementation was written so as to conform with Netscapes SSL.
-+ *
-+ * This library is free for commercial and non-commercial use as long as
-+ * the following conditions are aheared to. The following conditions
-+ * apply to all code found in this distribution, be it the RC4, RSA,
-+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
-+ * included with this distribution is covered by the same copyright terms
-+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
-+ *
-+ * Copyright remains Eric Young's, and as such any Copyright notices in
-+ * the code are not to be removed.
-+ * If this package is used in a product, Eric Young should be given attribution
-+ * as the author of the parts of the library used.
-+ * This can be in the form of a textual message at program startup or
-+ * in documentation (online or textual) provided with the package.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ * 1. Redistributions of source code must retain the copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in the
-+ * documentation and/or other materials provided with the distribution.
-+ * 3. All advertising materials mentioning features or use of this software
-+ * must display the following acknowledgement:
-+ * "This product includes cryptographic software written by
-+ * Eric Young (eay@cryptsoft.com)"
-+ * The word 'cryptographic' can be left out if the rouines from the library
-+ * being used are not cryptographic related :-).
-+ * 4. If you include any Windows specific code (or a derivative thereof) from
-+ * the apps directory (application code) you must include an acknowledgement:
-+ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
-+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-+ * SUCH DAMAGE.
-+ *
-+ * The licence and distribution terms for any publically available version or
-+ * derivative of this code cannot be changed. i.e. this code cannot simply be
-+ * copied and put under another distribution licence
-+ * [including the GNU Public Licence.]
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <ctype.h>
-+#include <openssl/rand.h>
-+#include <openssl/fips_rand.h>
-+#include <openssl/err.h>
-+#include <openssl/bn.h>
-+
-+#include "e_os.h"
-+
-+#ifndef OPENSSL_FIPS
-+int main(int argc, char *argv[])
-+{
-+ printf("No FIPS RAND support\n");
-+ return (0);
-+}
-+
-+#else
-+
-+# include "fips_utl.h"
-+# include <openssl/fips.h>
-+
-+typedef struct {
-+ unsigned char DT[16];
-+ unsigned char V[16];
-+ unsigned char R[16];
-+} AES_PRNG_MCT;
-+
-+static const unsigned char aes_128_mct_key[16] =
-+ { 0x9f, 0x5b, 0x51, 0x20, 0x0b, 0xf3, 0x34, 0xb5,
-+ 0xd8, 0x2b, 0xe8, 0xc3, 0x72, 0x55, 0xc8, 0x48
-+};
-+
-+static const AES_PRNG_MCT aes_128_mct_tv = {
-+ /* DT */
-+ {0x63, 0x76, 0xbb, 0xe5, 0x29, 0x02, 0xba, 0x3b,
-+ 0x67, 0xc9, 0x25, 0xfa, 0x70, 0x1f, 0x11, 0xac},
-+ /* V */
-+ {0x57, 0x2c, 0x8e, 0x76, 0x87, 0x26, 0x47, 0x97,
-+ 0x7e, 0x74, 0xfb, 0xdd, 0xc4, 0x95, 0x01, 0xd1},
-+ /* R */
-+ {0x48, 0xe9, 0xbd, 0x0d, 0x06, 0xee, 0x18, 0xfb,
-+ 0xe4, 0x57, 0x90, 0xd5, 0xc3, 0xfc, 0x9b, 0x73}
-+};
-+
-+static const unsigned char aes_192_mct_key[24] =
-+ { 0xb7, 0x6c, 0x34, 0xd1, 0x09, 0x67, 0xab, 0x73,
-+ 0x4d, 0x5a, 0xd5, 0x34, 0x98, 0x16, 0x0b, 0x91,
-+ 0xbc, 0x35, 0x51, 0x16, 0x6b, 0xae, 0x93, 0x8a
-+};
-+
-+static const AES_PRNG_MCT aes_192_mct_tv = {
-+ /* DT */
-+ {0x84, 0xce, 0x22, 0x7d, 0x91, 0x5a, 0xa3, 0xc9,
-+ 0x84, 0x3c, 0x0a, 0xb3, 0xa9, 0x63, 0x15, 0x52},
-+ /* V */
-+ {0xb6, 0xaf, 0xe6, 0x8f, 0x99, 0x9e, 0x90, 0x64,
-+ 0xdd, 0xc7, 0x7a, 0xc1, 0xbb, 0x90, 0x3a, 0x6d},
-+ /* R */
-+ {0xfc, 0x85, 0x60, 0x9a, 0x29, 0x6f, 0xef, 0x21,
-+ 0xdd, 0x86, 0x20, 0x32, 0x8a, 0x29, 0x6f, 0x47}
-+};
-+
-+static const unsigned char aes_256_mct_key[32] =
-+ { 0x9b, 0x05, 0xc8, 0x68, 0xff, 0x47, 0xf8, 0x3a,
-+ 0xa6, 0x3a, 0xa8, 0xcb, 0x4e, 0x71, 0xb2, 0xe0,
-+ 0xb8, 0x7e, 0xf1, 0x37, 0xb6, 0xb4, 0xf6, 0x6d,
-+ 0x86, 0x32, 0xfc, 0x1f, 0x5e, 0x1d, 0x1e, 0x50
-+};
-+
-+static const AES_PRNG_MCT aes_256_mct_tv = {
-+ /* DT */
-+ {0x31, 0x6e, 0x35, 0x9a, 0xb1, 0x44, 0xf0, 0xee,
-+ 0x62, 0x6d, 0x04, 0x46, 0xe0, 0xa3, 0x92, 0x4c},
-+ /* V */
-+ {0x4f, 0xcd, 0xc1, 0x87, 0x82, 0x1f, 0x4d, 0xa1,
-+ 0x3e, 0x0e, 0x56, 0x44, 0x59, 0xe8, 0x83, 0xca},
-+ /* R */
-+ {0xc8, 0x87, 0xc2, 0x61, 0x5b, 0xd0, 0xb9, 0xe1,
-+ 0xe7, 0xf3, 0x8b, 0xd7, 0x5b, 0xd5, 0xf1, 0x8d}
-+};
-+
-+static void dump(const unsigned char *b, int n)
-+{
-+ while (n-- > 0) {
-+ printf(" %02x", *b++);
-+ }
-+}
-+
-+static void compare(const unsigned char *result,
-+ const unsigned char *expected, int n)
-+{
-+ int i;
-+
-+ for (i = 0; i < n; ++i)
-+ if (result[i] != expected[i]) {
-+ puts("Random test failed, got:");
-+ dump(result, n);
-+ puts("\n expected:");
-+ dump(expected, n);
-+ putchar('\n');
-+ EXIT(1);
-+ }
-+}
-+
-+static void run_test(const unsigned char *key, int keylen,
-+ const AES_PRNG_MCT * tv)
-+{
-+ unsigned char buf[16], dt[16];
-+ int i, j;
-+ FIPS_x931_reset();
-+ FIPS_x931_test_mode();
-+ FIPS_x931_set_key(key, keylen);
-+ FIPS_x931_seed(tv->V, 16);
-+ memcpy(dt, tv->DT, 16);
-+ for (i = 0; i < 10000; i++) {
-+ FIPS_x931_set_dt(dt);
-+ FIPS_x931_bytes(buf, 16);
-+ /* Increment DT */
-+ for (j = 15; j >= 0; j--) {
-+ dt[j]++;
-+ if (dt[j])
-+ break;
-+ }
-+ }
-+
-+ compare(buf, tv->R, 16);
-+}
-+
-+int main()
-+{
-+ run_test(aes_128_mct_key, 16, &aes_128_mct_tv);
-+ printf("FIPS PRNG test 1 done\n");
-+ run_test(aes_192_mct_key, 24, &aes_192_mct_tv);
-+ printf("FIPS PRNG test 2 done\n");
-+ run_test(aes_256_mct_key, 32, &aes_256_mct_tv);
-+ printf("FIPS PRNG test 3 done\n");
-+ return 0;
-+}
-+
-+#endif
-diff -up openssl-1.1.0h/crypto/fips/fips_rsa_selftest.c.fips openssl-1.1.0h/crypto/fips/fips_rsa_selftest.c
---- openssl-1.1.0h/crypto/fips/fips_rsa_selftest.c.fips 2018-03-29 14:44:24.636236877 +0200
-+++ openssl-1.1.0h/crypto/fips/fips_rsa_selftest.c 2018-03-29 14:44:24.636236877 +0200
-@@ -0,0 +1,578 @@
-+/* ====================================================================
-+ * Copyright (c) 2003-2007 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <string.h>
-+#include <openssl/err.h>
-+#ifdef OPENSSL_FIPS
-+# include <openssl/fips.h>
-+# include "internal/fips_int.h"
-+#endif
-+#include <openssl/rsa.h>
-+#include <openssl/evp.h>
-+#include <openssl/bn.h>
-+#include <openssl/opensslconf.h>
-+#include "fips_locl.h"
-+
-+#ifdef OPENSSL_FIPS
-+
-+static int setrsakey(RSA *key)
-+{
-+ static const unsigned char keydata_n[] = {
-+ 0x00, 0xc9, 0xd5, 0x6d, 0x9d, 0x90, 0xdb, 0x43, 0xd6, 0x02, 0xed, 0x96, 0x88, 0x13, 0x8a,
-+ 0xb2, 0xbf, 0x6e, 0xa1, 0x06, 0x10, 0xb2, 0x78, 0x37, 0xa7, 0x14, 0xa8, 0xff, 0xdd, 0x00,
-+ 0xdd, 0xb4, 0x93, 0xa0, 0x45, 0xcc, 0x96, 0x90, 0xed, 0xad, 0xa9, 0xdd, 0xc4, 0xd6, 0xca,
-+ 0x0c, 0xf0, 0xed, 0x4f, 0x72, 0x5e, 0x21, 0x49, 0x9a, 0x18, 0x12, 0x15, 0x8f, 0x90, 0x5a,
-+ 0xdb, 0xb6, 0x33, 0x99, 0xa3, 0xe6, 0xb4, 0xf0, 0xc4, 0x97, 0x21, 0x26, 0xbb, 0xe3, 0xba,
-+ 0xf2, 0xff, 0xa0, 0x72, 0xda, 0x89, 0x63, 0x8e, 0x8b, 0x3e, 0x08, 0x9d, 0x92, 0x2a, 0xbe,
-+ 0x16, 0xe1, 0x43, 0x15, 0xfc, 0x57, 0xc7, 0x1f, 0x09, 0x11, 0x67, 0x1c, 0xa9, 0x96, 0xd1,
-+ 0x8b, 0x3e, 0x80, 0x93, 0xc1, 0x59, 0xd0, 0x6d, 0x39, 0xf2, 0xac, 0x95, 0xcc, 0x10, 0x75,
-+ 0xe9, 0x31, 0x24, 0xd1, 0x43, 0xaf, 0x68, 0x52, 0x4b, 0xe7, 0x16, 0xd7, 0x49, 0x65, 0x6f,
-+ 0x26, 0xc0, 0x86, 0xad, 0xc0, 0x07, 0x0a, 0xc1, 0xe1, 0x2f, 0x87, 0x85, 0x86, 0x3b, 0xdc,
-+ 0x5a, 0x99, 0xbe, 0xe9, 0xf9, 0xb9, 0xe9, 0x82, 0x27, 0x51, 0x04, 0x15, 0xab, 0x06, 0x0e,
-+ 0x76, 0x5a, 0x28, 0x8d, 0x92, 0xbd, 0xc5, 0xb5, 0x7b, 0xa8, 0xdf, 0x4e, 0x47, 0xa2, 0xc1,
-+ 0xe7, 0x52, 0xbf, 0x47, 0xf7, 0x62, 0xe0, 0x3a, 0x6f, 0x4d, 0x6a, 0x4d, 0x4e, 0xd4, 0xb9,
-+ 0x59, 0x69, 0xfa, 0xb2, 0x14, 0xc1, 0xee, 0xe6, 0x2f, 0x95, 0xcd, 0x94, 0x72, 0xae, 0xe4,
-+ 0xdb, 0x18, 0x9a, 0xc4, 0xcd, 0x70, 0xbd, 0xee, 0x31, 0x16, 0xb7, 0x49, 0x65, 0xac, 0x40,
-+ 0x19, 0x0e, 0xb5, 0x6d, 0x83, 0xf1, 0x36, 0xbb, 0x08, 0x2f, 0x2e, 0x4e, 0x92, 0x62, 0xa4,
-+ 0xff, 0x50, 0xdb, 0x20, 0x45, 0xa2, 0xeb, 0x16, 0x7a, 0xf2, 0xd5, 0x28, 0xc1, 0xfd, 0x4e,
-+ 0x03, 0x71
-+ };
-+
-+ static const unsigned char keydata_e[] = { 0x01, 0x00, 0x01 };
-+
-+ static const unsigned char keydata_d[] = {
-+ 0x36, 0x27, 0x3d, 0xb1, 0xf9, 0x1b, 0xdb, 0xa7, 0xa0, 0x41, 0x7f, 0x12, 0x23, 0xac, 0x23,
-+ 0x29, 0x99, 0xd5, 0x3a, 0x7b, 0x60, 0x67, 0x41, 0x07, 0x63, 0x53, 0xb4, 0xd2, 0xe7, 0x58,
-+ 0x95, 0x0a, 0xc7, 0x05, 0xf3, 0x4e, 0xb2, 0xb4, 0x12, 0xd4, 0x70, 0xdc, 0x4f, 0x85, 0x06,
-+ 0xd3, 0xdd, 0xd8, 0x63, 0x27, 0x3e, 0x67, 0x31, 0x21, 0x24, 0x39, 0x04, 0xbc, 0x06, 0xa4,
-+ 0xcc, 0xce, 0x2b, 0x7a, 0xfe, 0x7b, 0xad, 0xde, 0x11, 0x6e, 0xa3, 0xa5, 0xe6, 0x04, 0x53,
-+ 0x0e, 0xa3, 0x4e, 0x2d, 0xb4, 0x8f, 0x31, 0xbf, 0xca, 0x75, 0x25, 0x52, 0x02, 0x85, 0xde,
-+ 0x3d, 0xb2, 0x72, 0x43, 0xb2, 0x89, 0x8a, 0x9a, 0x34, 0x41, 0x26, 0x3f, 0x9a, 0x67, 0xbe,
-+ 0xa4, 0x96, 0x7b, 0x0e, 0x75, 0xba, 0xa6, 0x93, 0xd5, 0xb8, 0xd8, 0xb8, 0x57, 0xf2, 0x4b,
-+ 0x0f, 0x14, 0x81, 0xd1, 0x57, 0x4e, 0xf6, 0x45, 0x4c, 0xa6, 0x3b, 0xd0, 0x70, 0xca, 0xd3,
-+ 0x9d, 0x55, 0xde, 0x22, 0x05, 0xe7, 0x8e, 0x28, 0x4d, 0xee, 0x11, 0xcf, 0xb6, 0x67, 0x76,
-+ 0x09, 0xd3, 0xe3, 0x3c, 0x13, 0xf9, 0x99, 0x34, 0x10, 0x7b, 0xec, 0x81, 0x38, 0xf0, 0xb6,
-+ 0x34, 0x9c, 0x9b, 0x50, 0x6f, 0x0b, 0x91, 0x81, 0x4d, 0x89, 0x94, 0x04, 0x7b, 0xf0, 0x3c,
-+ 0xf4, 0xb1, 0xb2, 0x00, 0x48, 0x8d, 0x5a, 0x8f, 0x88, 0x9e, 0xc5, 0xab, 0x3a, 0x9e, 0x44,
-+ 0x3f, 0x54, 0xe7, 0xd9, 0x6e, 0x47, 0xaa, 0xa1, 0xbd, 0x40, 0x46, 0x31, 0xf9, 0xf0, 0x34,
-+ 0xb6, 0x04, 0xe1, 0x2b, 0x5b, 0x73, 0x86, 0xdd, 0x3a, 0x92, 0x1b, 0x71, 0xc7, 0x3f, 0x32,
-+ 0xe5, 0xc3, 0xc2, 0xab, 0xa1, 0x7e, 0xbf, 0xa4, 0x52, 0xa0, 0xb0, 0x68, 0x90, 0xd1, 0x20,
-+ 0x12, 0x79, 0xe9, 0xd7, 0xc9, 0x40, 0xba, 0xf2, 0x19, 0xc7, 0xa5, 0x00, 0x92, 0x86, 0x0d,
-+ 0x01
-+ };
-+
-+ static const unsigned char keydata_p[] = {
-+ 0x00, 0xfc, 0x5c, 0x6e, 0x16, 0xce, 0x1f, 0x03, 0x7b, 0xcd, 0xf7, 0xb3, 0x72, 0xb2, 0x8f,
-+ 0x16, 0x72, 0xb8, 0x56, 0xae, 0xf7, 0xcd, 0x67, 0xd8, 0x4e, 0x7d, 0x07, 0xaf, 0xd5, 0x43,
-+ 0x26, 0xc3, 0x35, 0xbe, 0x43, 0x8f, 0x4e, 0x2f, 0x1c, 0x43, 0x4e, 0x6b, 0xd2, 0xb2, 0xec,
-+ 0x52, 0x6d, 0x97, 0x52, 0x2b, 0xcc, 0x5c, 0x3a, 0x6b, 0xf4, 0x14, 0xc6, 0x74, 0xda, 0x66,
-+ 0x38, 0x1c, 0x7a, 0x3f, 0x84, 0x2f, 0xe3, 0xf9, 0x5a, 0xb8, 0x65, 0x69, 0x46, 0x06, 0xa3,
-+ 0x37, 0x79, 0xb2, 0xa1, 0x5b, 0x58, 0xed, 0x5e, 0xa7, 0x5f, 0x8c, 0x65, 0x66, 0xbb, 0xd1,
-+ 0x24, 0x36, 0xe6, 0x37, 0xa7, 0x3d, 0x49, 0x77, 0x8a, 0x8c, 0x34, 0xd8, 0x69, 0x29, 0xf3,
-+ 0x4d, 0x58, 0x22, 0xb0, 0x51, 0x24, 0xb6, 0x40, 0xa8, 0x86, 0x59, 0x0a, 0xb7, 0xba, 0x5c,
-+ 0x97, 0xda, 0x57, 0xe8, 0x36, 0xda, 0x7a, 0x9c, 0xad
-+ };
-+
-+ static const unsigned char keydata_q[] = {
-+ 0x00, 0xcc, 0xbe, 0x7b, 0x09, 0x69, 0x06, 0xee, 0x45, 0xbf, 0x88, 0x47, 0x38, 0xa8, 0xf8,
-+ 0x17, 0xe5, 0xb6, 0xba, 0x67, 0x55, 0xe3, 0xe8, 0x05, 0x8b, 0xb8, 0xe2, 0x53, 0xd6, 0x8e,
-+ 0xef, 0x2c, 0xe7, 0x4f, 0x4a, 0xf7, 0x4e, 0x26, 0x8d, 0x85, 0x0b, 0x3f, 0xec, 0xc3, 0x1c,
-+ 0xd4, 0xeb, 0xec, 0x6a, 0xc8, 0x72, 0x2a, 0x25, 0x7d, 0xfd, 0xa6, 0x77, 0x96, 0xf0, 0x1e,
-+ 0xcd, 0x28, 0x57, 0xf8, 0x37, 0x30, 0x75, 0x6b, 0xbd, 0xd4, 0x7b, 0x0c, 0x87, 0xc5, 0x6c,
-+ 0x87, 0x40, 0xa5, 0xbb, 0x27, 0x2c, 0x78, 0xc9, 0x74, 0x5a, 0x54, 0x5b, 0x0b, 0x30, 0x6f,
-+ 0x44, 0x4a, 0xfa, 0x71, 0xe4, 0x21, 0x61, 0x66, 0xf9, 0xee, 0x65, 0xde, 0x7c, 0x04, 0xd7,
-+ 0xfd, 0xa9, 0x15, 0x5b, 0x7f, 0xe2, 0x7a, 0xba, 0x69, 0x86, 0x72, 0xa6, 0x06, 0x8d, 0x9b,
-+ 0x90, 0x55, 0x60, 0x9e, 0x4c, 0x5d, 0xa9, 0xb6, 0x55
-+ };
-+
-+ static const unsigned char keydata_dmp1[] = {
-+ 0x7a, 0xd6, 0x12, 0xd0, 0x0e, 0xec, 0x91, 0xa9, 0x85, 0x8b, 0xf8, 0x50, 0xf0, 0x11, 0x2e,
-+ 0x00, 0x11, 0x32, 0x40, 0x60, 0x66, 0x1f, 0x11, 0xee, 0xc2, 0x75, 0x27, 0x65, 0x4b, 0x16,
-+ 0x67, 0x16, 0x95, 0xd2, 0x14, 0xc3, 0x1d, 0xb3, 0x48, 0x1f, 0xb7, 0xe4, 0x0b, 0x2b, 0x74,
-+ 0xc3, 0xdb, 0x50, 0x27, 0xf9, 0x85, 0x3a, 0xfa, 0xa9, 0x08, 0x23, 0xc1, 0x65, 0x3d, 0x34,
-+ 0x3a, 0xc8, 0x56, 0x7a, 0x65, 0x45, 0x36, 0x6e, 0xae, 0x2a, 0xce, 0x9f, 0x43, 0x43, 0xd7,
-+ 0x10, 0xe9, 0x9e, 0x18, 0xf4, 0xa4, 0x35, 0xda, 0x8a, 0x6b, 0xb0, 0x3f, 0xdd, 0x53, 0xe3,
-+ 0xa8, 0xc5, 0x4e, 0x79, 0x9d, 0x1f, 0x51, 0x8c, 0xa2, 0xca, 0x66, 0x3c, 0x6a, 0x2a, 0xff,
-+ 0x8e, 0xd2, 0xf3, 0xb7, 0xcb, 0x82, 0xda, 0xde, 0x2c, 0xe6, 0xd2, 0x8c, 0xb3, 0xad, 0xb6,
-+ 0x4c, 0x95, 0x55, 0x76, 0xbd, 0xc9, 0xc8, 0xd1
-+ };
-+
-+ static const unsigned char keydata_dmq1[] = {
-+ 0x00, 0x83, 0x23, 0x1d, 0xbb, 0x11, 0x42, 0x17, 0x2b, 0x25, 0x5a, 0x2c, 0x03, 0xe6, 0x75,
-+ 0xc1, 0x18, 0xa8, 0xc9, 0x0b, 0x96, 0xbf, 0xba, 0xc4, 0x92, 0x91, 0x80, 0xa5, 0x22, 0x2f,
-+ 0xba, 0x91, 0x90, 0x36, 0x01, 0x56, 0x15, 0x00, 0x2c, 0x74, 0xa2, 0x97, 0xf7, 0x15, 0xa1,
-+ 0x49, 0xdf, 0x32, 0x35, 0xd2, 0xdd, 0x0c, 0x91, 0xa6, 0xf8, 0xe7, 0xbe, 0x81, 0x36, 0x9b,
-+ 0x03, 0xdc, 0x6b, 0x3b, 0xd8, 0x5d, 0x79, 0x57, 0xe0, 0xe6, 0x4f, 0x49, 0xdf, 0x4c, 0x5c,
-+ 0x0e, 0xe5, 0x21, 0x41, 0x95, 0xfd, 0xad, 0xff, 0x9a, 0x3e, 0xa0, 0xf9, 0x0f, 0x59, 0x9e,
-+ 0x6a, 0xa7, 0x7b, 0x71, 0xa7, 0x24, 0x9a, 0x36, 0x52, 0xae, 0x97, 0x20, 0xc1, 0x5e, 0x78,
-+ 0xd9, 0x47, 0x8b, 0x1e, 0x67, 0xf2, 0xaf, 0x98, 0xe6, 0x2d, 0xef, 0x10, 0xd7, 0xf1, 0xab,
-+ 0x49, 0xee, 0xe5, 0x4b, 0x7e, 0xae, 0x1f, 0x1d, 0x61
-+ };
-+
-+ static const unsigned char keydata_iqmp[] = {
-+ 0x23, 0x96, 0xc1, 0x91, 0x17, 0x5e, 0x0a, 0x83, 0xd2, 0xdc, 0x7b, 0x69, 0xb2, 0x59, 0x1d,
-+ 0x33, 0x58, 0x52, 0x3f, 0x18, 0xc7, 0x09, 0x50, 0x1c, 0xb9, 0xa1, 0xbb, 0x4c, 0xa2, 0x38,
-+ 0x40, 0x4c, 0x9a, 0x8e, 0xfe, 0x9c, 0x90, 0x92, 0xd0, 0x71, 0x9f, 0x89, 0x99, 0x50, 0x91,
-+ 0x1f, 0x34, 0x8b, 0x74, 0x53, 0x11, 0x11, 0x4a, 0x70, 0xe2, 0xf7, 0x30, 0xd8, 0x8c, 0x80,
-+ 0xe1, 0xcc, 0x9f, 0xf1, 0x63, 0x17, 0x1a, 0x7d, 0x67, 0x29, 0x4c, 0xcb, 0x4e, 0x74, 0x7b,
-+ 0xe0, 0x3e, 0x9e, 0x2f, 0xf4, 0x67, 0x8f, 0xec, 0xb9, 0x5c, 0x00, 0x1e, 0x7e, 0xa2, 0x7b,
-+ 0x92, 0xc9, 0x6f, 0x4c, 0xe4, 0x0e, 0xf9, 0x48, 0x63, 0xcd, 0x50, 0x22, 0x5d, 0xbf, 0xb6,
-+ 0x9d, 0x01, 0x33, 0x6a, 0xf4, 0x50, 0xbe, 0x86, 0x98, 0x4f, 0xca, 0x3f, 0x3a, 0xfa, 0xcf,
-+ 0x07, 0x40, 0xc4, 0xaa, 0xad, 0xae, 0xbe, 0xbf
-+ };
-+
-+ int rv = 0;
-+ BIGNUM *n = NULL, *e = NULL, *d = NULL, *p = NULL, *q = NULL, *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL;
-+
-+ fips_load_key_component(n, keydata);
-+ fips_load_key_component(e, keydata);
-+ fips_load_key_component(d, keydata);
-+ fips_load_key_component(p, keydata);
-+ fips_load_key_component(q, keydata);
-+ fips_load_key_component(dmp1, keydata);
-+ fips_load_key_component(dmq1, keydata);
-+ fips_load_key_component(iqmp, keydata);
-+
-+ RSA_set0_key(key, n, e, d);
-+ RSA_set0_factors(key, p, q);
-+ RSA_set0_crt_params(key, dmp1, dmq1, iqmp);
-+
-+ rv = 1;
-+err:
-+ if (!rv) {
-+ BN_free(n);
-+ BN_free(e);
-+ BN_free(d);
-+ BN_free(p);
-+ BN_free(q);
-+ BN_free(dmp1);
-+ BN_free(dmq1);
-+ BN_free(iqmp);
-+ }
-+ return rv;
-+}
-+
-+/* Known Answer Test (KAT) data for the above RSA private key signing
-+ * kat_tbs.
-+ */
-+
-+static const unsigned char kat_tbs[] =
-+ "OpenSSL FIPS 140-2 Public Key RSA KAT";
-+
-+static const unsigned char kat_RSA_PSS_SHA1[] = {
-+ 0xC2, 0x80, 0x82, 0x56, 0xD8, 0xA7, 0xB2, 0x9C, 0xF5, 0xD6, 0x3C, 0xE3,
-+ 0xBF, 0xE9, 0x3A, 0x53, 0x40, 0xAE, 0xF2, 0xA9, 0x6A, 0x39, 0x49, 0x5B,
-+ 0x05, 0x7F, 0x67, 0x38, 0x2E, 0x1D, 0xE1, 0x93, 0x22, 0x65, 0x79, 0x84,
-+ 0x68, 0xFA, 0xD8, 0xAF, 0xA1, 0x98, 0x61, 0x6F, 0x44, 0x27, 0xA6, 0x8B,
-+ 0xCF, 0x0E, 0x13, 0xA9, 0xCE, 0xD7, 0x6C, 0xD2, 0x38, 0xB5, 0x16, 0xB9,
-+ 0x66, 0x94, 0x48, 0xDE, 0x9E, 0x19, 0x3D, 0x6F, 0xB3, 0xA1, 0x9A, 0x19,
-+ 0xDF, 0xFB, 0xAB, 0xA5, 0x9F, 0x38, 0xDA, 0xC9, 0x21, 0x8F, 0xCE, 0x98,
-+ 0x01, 0x3A, 0xC8, 0xE0, 0xDF, 0xDA, 0xFC, 0xF0, 0xA6, 0x86, 0x29, 0xB5,
-+ 0x7F, 0x61, 0xFB, 0xBA, 0xC5, 0x49, 0xB2, 0x7C, 0x6A, 0x26, 0x82, 0xC4,
-+ 0x8F, 0xAA, 0x5B, 0x10, 0xD5, 0xEE, 0xA0, 0x55, 0x42, 0xEF, 0x32, 0x5A,
-+ 0x3F, 0x55, 0xB3, 0x2C, 0x22, 0xE9, 0x65, 0xDA, 0x8D, 0x0A, 0xB9, 0x70,
-+ 0x43, 0xCC, 0x3F, 0x64, 0x9C, 0xB5, 0x65, 0x49, 0xBD, 0x7F, 0x35, 0xC1,
-+ 0x20, 0x85, 0x24, 0xFE, 0xAA, 0x6B, 0x37, 0x04, 0xA1, 0x0E, 0x9D, 0x5C,
-+ 0xBA, 0x7F, 0x14, 0x69, 0xC5, 0x93, 0xB2, 0x33, 0xC2, 0xC0, 0xC7, 0xDF,
-+ 0x7E, 0x9E, 0xA4, 0xB0, 0xA0, 0x64, 0xD2, 0xAC, 0xFC, 0xFD, 0xFD, 0x99,
-+ 0x8F, 0x6A, 0x40, 0x26, 0xC1, 0x2E, 0x4E, 0x8B, 0x33, 0xBE, 0xF1, 0x45,
-+ 0x59, 0x8F, 0x33, 0x40, 0x1D, 0x2A, 0xD2, 0xF7, 0x50, 0x83, 0x89, 0xCF,
-+ 0x94, 0xC6, 0xF8, 0x36, 0xF0, 0x84, 0x0B, 0x85, 0xA5, 0x02, 0xA9, 0x0F,
-+ 0x41, 0x7A, 0x77, 0xA3, 0x2F, 0x47, 0x1E, 0x1D, 0xEC, 0xE6, 0xD3, 0x01,
-+ 0x1E, 0x6F, 0x7A, 0x96, 0x50, 0x37, 0x37, 0x4B, 0x27, 0x52, 0x0B, 0xDC,
-+ 0xDB, 0xC7, 0xA9, 0x31, 0xB2, 0x40, 0xEE, 0x60, 0x41, 0x26, 0x6A, 0x05,
-+ 0xCE, 0x08, 0x1D, 0x89
-+};
-+
-+static const unsigned char kat_RSA_PSS_SHA224[] = {
-+ 0xB4, 0x01, 0x93, 0x16, 0x05, 0xF6, 0xEB, 0xE2, 0xA4, 0xEB, 0x48, 0xAA,
-+ 0x00, 0xF4, 0xA1, 0x99, 0x0A, 0xB4, 0xB6, 0x63, 0xE9, 0x68, 0xCA, 0xB3,
-+ 0x13, 0xD7, 0x66, 0x6A, 0xCD, 0xCB, 0x33, 0x9F, 0xE5, 0x84, 0xE2, 0xC3,
-+ 0x0B, 0x53, 0xE5, 0x8B, 0x96, 0x4B, 0xDB, 0x2D, 0x80, 0xA4, 0x1D, 0xE3,
-+ 0x81, 0xDC, 0x52, 0x99, 0xBA, 0x9B, 0x6A, 0x9D, 0x48, 0x1F, 0x73, 0xF7,
-+ 0xAC, 0x09, 0x13, 0xA1, 0x16, 0x2C, 0x60, 0xFB, 0xBC, 0x25, 0xF7, 0x53,
-+ 0xD1, 0x04, 0x5A, 0x3F, 0x95, 0x09, 0x5E, 0xE5, 0xA2, 0x7D, 0xFC, 0x2A,
-+ 0x51, 0x1D, 0x21, 0xCE, 0x2B, 0x4E, 0x1B, 0xB8, 0xCB, 0xDD, 0x24, 0xEE,
-+ 0x99, 0x1D, 0x37, 0xDC, 0xED, 0x5F, 0x2F, 0x48, 0x5E, 0x33, 0x94, 0x06,
-+ 0x19, 0xCD, 0x5A, 0x26, 0x85, 0x77, 0x9D, 0xAF, 0x86, 0x97, 0xC9, 0x08,
-+ 0xD5, 0x81, 0x0E, 0xB8, 0x9F, 0xB6, 0xAF, 0x20, 0x72, 0xDC, 0x13, 0x4D,
-+ 0x7A, 0xE4, 0x5C, 0x81, 0xDE, 0xC0, 0x3D, 0x19, 0x9C, 0x33, 0x11, 0x07,
-+ 0xD5, 0xA9, 0x51, 0x67, 0xCD, 0xFD, 0x37, 0x61, 0x14, 0x9F, 0xE7, 0x70,
-+ 0x18, 0x32, 0xC3, 0x34, 0x54, 0x0D, 0x4F, 0xB4, 0xAE, 0x9F, 0xEC, 0x64,
-+ 0xD8, 0xB2, 0x16, 0xA4, 0xB2, 0x99, 0x92, 0xCB, 0x7F, 0x1F, 0x06, 0x17,
-+ 0x5F, 0xA1, 0x07, 0x68, 0xAE, 0xA7, 0x2D, 0x03, 0x91, 0x2A, 0x9D, 0x69,
-+ 0xC2, 0x9D, 0x90, 0xF7, 0xF9, 0x66, 0x5D, 0x13, 0xB7, 0x7F, 0xD3, 0x97,
-+ 0x45, 0x97, 0x43, 0xD8, 0xCE, 0x3C, 0xF2, 0x98, 0x98, 0xDD, 0xE2, 0x2D,
-+ 0xCF, 0xA1, 0xC4, 0x25, 0x46, 0x2E, 0xD2, 0xE5, 0x5F, 0xC6, 0x01, 0xC5,
-+ 0x4F, 0x42, 0x2B, 0xDE, 0x0F, 0xEA, 0x4A, 0x4F, 0xC3, 0x5B, 0xDF, 0x9B,
-+ 0x5D, 0x30, 0x18, 0x93, 0xD0, 0xDE, 0xC5, 0x09, 0xAA, 0x57, 0x57, 0xBD,
-+ 0x2D, 0x84, 0x03, 0xB7
-+};
-+
-+static const unsigned char kat_RSA_PSS_SHA256[] = {
-+ 0x38, 0xDA, 0x99, 0x51, 0x26, 0x38, 0xC6, 0x7F, 0xC4, 0x81, 0x57, 0x19,
-+ 0x35, 0xC6, 0xF6, 0x1E, 0x90, 0x47, 0x20, 0x55, 0x47, 0x56, 0x26, 0xE9,
-+ 0xF2, 0xA8, 0x39, 0x6C, 0xD5, 0xCD, 0xCB, 0x55, 0xFC, 0x0C, 0xC5, 0xCB,
-+ 0xF7, 0x40, 0x17, 0x3B, 0xCF, 0xE4, 0x05, 0x03, 0x3B, 0xA0, 0xB2, 0xC9,
-+ 0x0D, 0x5E, 0x48, 0x3A, 0xE9, 0xAD, 0x28, 0x71, 0x7D, 0x8F, 0x89, 0x16,
-+ 0x59, 0x93, 0x35, 0xDC, 0x4D, 0x7B, 0xDF, 0x84, 0xE4, 0x68, 0xAA, 0x33,
-+ 0xAA, 0xDC, 0x66, 0x50, 0xC8, 0xA9, 0x32, 0x12, 0xDC, 0xC6, 0x90, 0x49,
-+ 0x0B, 0x75, 0xFF, 0x9B, 0x95, 0x00, 0x9A, 0x90, 0xE0, 0xD4, 0x0E, 0x67,
-+ 0xAB, 0x3C, 0x47, 0x36, 0xC5, 0x2E, 0x1C, 0x46, 0xF0, 0x2D, 0xD3, 0x8B,
-+ 0x42, 0x08, 0xDE, 0x0D, 0xB6, 0x2C, 0x86, 0xB0, 0x35, 0x71, 0x18, 0x6B,
-+ 0x89, 0x67, 0xC0, 0x05, 0xAD, 0xF4, 0x1D, 0x62, 0x4E, 0x75, 0xEC, 0xD6,
-+ 0xC2, 0xDB, 0x07, 0xB0, 0xB6, 0x8D, 0x15, 0xAD, 0xCD, 0xBF, 0xF5, 0x60,
-+ 0x76, 0xAE, 0x48, 0xB8, 0x77, 0x7F, 0xC5, 0x01, 0xD9, 0x29, 0xBB, 0xD6,
-+ 0x17, 0xA2, 0x20, 0x5A, 0xC0, 0x4A, 0x3B, 0x34, 0xC8, 0xB9, 0x39, 0xCF,
-+ 0x06, 0x89, 0x95, 0x6F, 0xC7, 0xCA, 0xC4, 0xE4, 0x43, 0xDF, 0x5A, 0x23,
-+ 0xE2, 0x89, 0xA3, 0x38, 0x78, 0x31, 0x38, 0xC6, 0xA4, 0x6F, 0x5F, 0x73,
-+ 0x5A, 0xE5, 0x9E, 0x09, 0xE7, 0x6F, 0xD4, 0xF8, 0x3E, 0xB7, 0xB0, 0x56,
-+ 0x9A, 0xF3, 0x65, 0xF0, 0xC2, 0xA6, 0x8A, 0x08, 0xBA, 0x44, 0xAC, 0x97,
-+ 0xDE, 0xB4, 0x16, 0x83, 0xDF, 0xE3, 0xEE, 0x71, 0xFA, 0xF9, 0x51, 0x50,
-+ 0x14, 0xDC, 0xFD, 0x6A, 0x82, 0x20, 0x68, 0x64, 0x7D, 0x4E, 0x82, 0x68,
-+ 0xD7, 0x45, 0xFA, 0x6A, 0xE4, 0xE5, 0x29, 0x3A, 0x70, 0xFB, 0xE4, 0x62,
-+ 0x2B, 0x31, 0xB9, 0x7D
-+};
-+
-+static const unsigned char kat_RSA_PSS_SHA384[] = {
-+ 0x99, 0x02, 0xC9, 0x1E, 0x31, 0x82, 0xB4, 0xE6, 0x1B, 0x32, 0xCE, 0x5D,
-+ 0x41, 0x1D, 0x00, 0x2F, 0x04, 0x8B, 0xBD, 0x37, 0x79, 0xCF, 0x77, 0x03,
-+ 0x05, 0x6A, 0x21, 0xC7, 0x8D, 0x24, 0x60, 0x49, 0x39, 0x58, 0xC5, 0x27,
-+ 0x8F, 0xC5, 0x97, 0x4A, 0xB2, 0xE1, 0xD4, 0x36, 0x57, 0xBD, 0x43, 0xCC,
-+ 0x7B, 0xCE, 0xF2, 0xA5, 0x30, 0xF8, 0x72, 0x14, 0xBB, 0xD0, 0x9F, 0xC1,
-+ 0x49, 0xC8, 0x1C, 0xAF, 0xCD, 0x95, 0x78, 0x72, 0x25, 0xF9, 0x45, 0xC6,
-+ 0x5B, 0x62, 0x5E, 0x01, 0xD7, 0x40, 0x5E, 0xC8, 0xCA, 0x0A, 0xF3, 0xBA,
-+ 0x08, 0x07, 0x88, 0xCA, 0x49, 0x36, 0x84, 0x7D, 0xF6, 0xFC, 0x5A, 0xDB,
-+ 0xFC, 0x50, 0xD3, 0xEB, 0x3D, 0x83, 0xB0, 0xF5, 0x94, 0x5E, 0x88, 0xC3,
-+ 0x82, 0xCD, 0x53, 0x40, 0x96, 0x18, 0x6B, 0x4A, 0x6C, 0x9C, 0xFE, 0xE5,
-+ 0x3B, 0x75, 0xF9, 0xEB, 0xA5, 0x77, 0x11, 0xEF, 0x88, 0x1C, 0x25, 0x70,
-+ 0x7D, 0x88, 0x5D, 0xC3, 0xCA, 0xE1, 0x49, 0x14, 0x90, 0xAD, 0xF2, 0x5E,
-+ 0x49, 0xD7, 0x99, 0xA5, 0x7B, 0x77, 0x3B, 0x8E, 0xB8, 0xDB, 0xF1, 0x4C,
-+ 0xD6, 0x9A, 0xDC, 0xE5, 0x7A, 0x1C, 0xE1, 0xCE, 0x9D, 0xF1, 0xF3, 0xA0,
-+ 0x0A, 0x35, 0x52, 0x9D, 0xB9, 0x46, 0x94, 0x82, 0x0F, 0xF7, 0xB2, 0x62,
-+ 0x51, 0x70, 0x75, 0xD2, 0x37, 0x96, 0x67, 0x2F, 0xD0, 0x22, 0xD8, 0x07,
-+ 0x8D, 0x69, 0x9E, 0x6D, 0x0B, 0x40, 0x4F, 0x70, 0xEC, 0x0B, 0xCA, 0x88,
-+ 0x80, 0x8D, 0x9A, 0xF4, 0xF9, 0x18, 0x50, 0x27, 0x08, 0xFA, 0xCC, 0xC7,
-+ 0x3F, 0xE4, 0x84, 0x83, 0xA1, 0xB6, 0x1D, 0x23, 0x34, 0xFE, 0x48, 0xE5,
-+ 0xE3, 0xAE, 0x4D, 0x98, 0xBC, 0xA6, 0x8A, 0x9F, 0xFD, 0x4D, 0xDB, 0x9D,
-+ 0xF7, 0xEB, 0x4E, 0xB6, 0x6F, 0x25, 0xEA, 0x7A, 0xE9, 0x85, 0xB2, 0xEF,
-+ 0x90, 0xD2, 0xA6, 0x2B
-+};
-+
-+static const unsigned char kat_RSA_PSS_SHA512[] = {
-+ 0x3F, 0x83, 0x43, 0x78, 0x25, 0xBE, 0x81, 0xB2, 0x6E, 0x78, 0x11, 0x32,
-+ 0xD0, 0x88, 0x05, 0x53, 0x95, 0xED, 0x81, 0x12, 0xCE, 0x50, 0xD9, 0x06,
-+ 0x42, 0x89, 0xA0, 0x55, 0x7A, 0x05, 0x13, 0x94, 0x35, 0x9B, 0xCA, 0x5D,
-+ 0xCB, 0xB2, 0x32, 0xE1, 0x04, 0x99, 0xEC, 0xE7, 0xA6, 0x69, 0x4D, 0x2B,
-+ 0xC1, 0x57, 0x13, 0x48, 0x0D, 0x6B, 0x4D, 0x83, 0x28, 0x06, 0x79, 0x9D,
-+ 0xB4, 0x70, 0xCE, 0xC0, 0xFC, 0x3B, 0x69, 0xB3, 0x91, 0x54, 0xA9, 0x44,
-+ 0x2E, 0xDA, 0x4A, 0xC5, 0xC2, 0x99, 0xF0, 0xDE, 0xCA, 0x77, 0x99, 0x6B,
-+ 0x0C, 0x79, 0xE5, 0x29, 0x74, 0x83, 0x69, 0xEA, 0xB8, 0x72, 0x30, 0x3D,
-+ 0x7A, 0x30, 0xE1, 0x03, 0x7B, 0x09, 0xE6, 0x11, 0xC0, 0xDC, 0xFF, 0xFD,
-+ 0xBD, 0xEC, 0x9C, 0xCC, 0x46, 0x7B, 0x4C, 0x4C, 0x59, 0xBE, 0x82, 0x7C,
-+ 0xF5, 0x60, 0x5A, 0xC3, 0xE8, 0xA8, 0x8A, 0x38, 0x9E, 0x01, 0x57, 0xF1,
-+ 0x79, 0x3A, 0x7C, 0xA3, 0x9F, 0x12, 0x1A, 0x4F, 0x2E, 0xA2, 0xE5, 0x0A,
-+ 0xAB, 0xC0, 0xF4, 0xA5, 0xE3, 0x5F, 0x89, 0x1C, 0x8F, 0xA4, 0x5E, 0xCE,
-+ 0x0D, 0x91, 0x05, 0x1B, 0x17, 0x62, 0x48, 0xFE, 0xA5, 0x4C, 0xEF, 0x2D,
-+ 0x28, 0xF1, 0x5E, 0xE6, 0xD1, 0x30, 0x89, 0x0A, 0xAD, 0x18, 0xAF, 0x6F,
-+ 0x04, 0x09, 0x36, 0x9A, 0xFF, 0xCA, 0xA1, 0xA7, 0x05, 0x7F, 0xD4, 0xBF,
-+ 0x3A, 0xB5, 0x42, 0x6D, 0xE9, 0x07, 0x29, 0x65, 0x8B, 0xAD, 0x4D, 0x0F,
-+ 0x22, 0xE1, 0x59, 0x43, 0x68, 0x87, 0xA8, 0x8B, 0xBC, 0x69, 0xA1, 0x94,
-+ 0x22, 0x3E, 0x8A, 0x49, 0xE8, 0xA3, 0x6F, 0xC2, 0x93, 0x58, 0xE7, 0xAE,
-+ 0xC9, 0x1F, 0xCF, 0x61, 0x93, 0xFC, 0xC1, 0xF6, 0xF3, 0x27, 0x7F, 0x0A,
-+ 0x90, 0xE0, 0x65, 0x32, 0x57, 0x47, 0xE2, 0xED, 0x08, 0x59, 0xA6, 0xF0,
-+ 0x17, 0x2C, 0x13, 0xE0
-+};
-+
-+static const unsigned char kat_RSA_SHA1[] = {
-+ 0x3B, 0x60, 0x4B, 0xFC, 0x54, 0x28, 0x23, 0xE6, 0x2F, 0x05, 0x04, 0xBA,
-+ 0x9D, 0xE4, 0x3C, 0xB8, 0x5B, 0x60, 0x5C, 0xCD, 0x9D, 0xEA, 0xC3, 0x4C,
-+ 0xC2, 0x33, 0xE6, 0xC6, 0x21, 0x48, 0x76, 0xEC, 0xB2, 0xF5, 0x11, 0xDE,
-+ 0x44, 0xB4, 0xAF, 0x16, 0x11, 0xC3, 0x18, 0x16, 0xB3, 0x69, 0xBB, 0x94,
-+ 0xED, 0xE8, 0xB3, 0x9E, 0xB1, 0x43, 0x8E, 0xCE, 0xB4, 0x34, 0x9B, 0x08,
-+ 0x22, 0xAF, 0x31, 0x73, 0xB5, 0xFA, 0x11, 0x7E, 0x8F, 0x13, 0x52, 0xEC,
-+ 0xC9, 0x03, 0xEE, 0x0D, 0x2B, 0x91, 0x32, 0xF2, 0x8E, 0xDF, 0x02, 0xE0,
-+ 0x0A, 0x47, 0xD2, 0x0A, 0x51, 0x00, 0x1A, 0x30, 0x6F, 0x0C, 0xB3, 0x54,
-+ 0x64, 0x20, 0x90, 0x0C, 0x01, 0xBE, 0xC0, 0x42, 0x8C, 0x5D, 0x18, 0x6F,
-+ 0x32, 0x75, 0x45, 0x7B, 0x1C, 0x04, 0xA2, 0x9F, 0x84, 0xD7, 0xF5, 0x3A,
-+ 0x95, 0xD4, 0xE8, 0x8D, 0xEC, 0x99, 0xEF, 0x18, 0x5E, 0x64, 0xD3, 0xAF,
-+ 0xF8, 0xD4, 0xFF, 0x3C, 0x87, 0xA0, 0x3F, 0xC7, 0x22, 0x05, 0xFD, 0xFD,
-+ 0x29, 0x8A, 0x28, 0xDA, 0xA9, 0x8A, 0x8B, 0x23, 0x62, 0x9D, 0x42, 0xB8,
-+ 0x4A, 0x76, 0x0D, 0x9F, 0x9A, 0xE0, 0xE6, 0xDD, 0xAD, 0x5E, 0x5F, 0xD5,
-+ 0x32, 0xE9, 0x4B, 0x97, 0x7D, 0x62, 0x0A, 0xB3, 0xBE, 0xF2, 0x8C, 0x1F,
-+ 0x2B, 0x22, 0x06, 0x15, 0x33, 0x71, 0xED, 0x9B, 0xA0, 0x82, 0xCE, 0xBF,
-+ 0x3B, 0x08, 0x5F, 0xA7, 0x20, 0x94, 0x09, 0xEB, 0x82, 0xA5, 0x41, 0x60,
-+ 0xF1, 0x08, 0xEB, 0x8D, 0xCC, 0x8D, 0xC9, 0x52, 0x0A, 0xAF, 0xF4, 0xF9,
-+ 0x9F, 0x82, 0xD8, 0x0B, 0x75, 0x5E, 0xE4, 0xAF, 0x65, 0x96, 0xAF, 0xFC,
-+ 0x33, 0xBF, 0x9F, 0x3E, 0xA4, 0x7B, 0x86, 0xC7, 0xF7, 0x47, 0xAB, 0x37,
-+ 0x05, 0xD6, 0x0D, 0x31, 0x72, 0x8C, 0x80, 0x1E, 0xA9, 0x54, 0xFC, 0xDF,
-+ 0x27, 0x90, 0xE2, 0x01
-+};
-+
-+static const unsigned char kat_RSA_SHA224[] = {
-+ 0xA2, 0xD8, 0x42, 0x53, 0xDD, 0xBF, 0x1F, 0x6B, 0x07, 0xE0, 0x60, 0x86,
-+ 0x5A, 0x60, 0x06, 0x8F, 0x44, 0xD9, 0xB0, 0x4A, 0xAA, 0x90, 0x71, 0xB8,
-+ 0xB2, 0xBC, 0x30, 0x41, 0x50, 0xBB, 0xFD, 0x46, 0x98, 0x4D, 0xC0, 0x89,
-+ 0x57, 0x85, 0x8A, 0x97, 0x49, 0x25, 0xA8, 0x0C, 0x69, 0x70, 0x19, 0x39,
-+ 0x66, 0x24, 0xB4, 0x69, 0x47, 0xD2, 0x7C, 0xDE, 0x2D, 0x37, 0x59, 0xB3,
-+ 0xE3, 0xC7, 0x6B, 0xDD, 0xBE, 0xE1, 0xE6, 0x28, 0x9A, 0x8D, 0x42, 0x3E,
-+ 0x28, 0x01, 0xD7, 0x03, 0xC9, 0x73, 0xC3, 0x6B, 0x03, 0xEC, 0x1E, 0xF8,
-+ 0x53, 0x8B, 0x52, 0x42, 0x89, 0x55, 0xB7, 0x87, 0xA9, 0x94, 0xC2, 0xB4,
-+ 0x4B, 0x76, 0xF5, 0x61, 0x47, 0xE1, 0x44, 0x7B, 0xEC, 0xB4, 0x25, 0x66,
-+ 0xC0, 0xFF, 0xEB, 0x86, 0x24, 0xAA, 0xA8, 0x72, 0xC7, 0xFB, 0xFB, 0xF6,
-+ 0x84, 0xA7, 0x5B, 0xD4, 0x87, 0xE5, 0x84, 0x56, 0x1E, 0x4C, 0xE5, 0xBC,
-+ 0x87, 0x94, 0xAC, 0x9C, 0x1B, 0x3D, 0xF7, 0xD4, 0x36, 0x85, 0x9F, 0xC9,
-+ 0xF6, 0x43, 0x3F, 0xB6, 0x25, 0x33, 0x48, 0x0F, 0xE5, 0x7C, 0xCD, 0x53,
-+ 0x48, 0xEB, 0x02, 0x11, 0xB9, 0x9E, 0xC3, 0xB4, 0xE1, 0x54, 0xD6, 0xAA,
-+ 0x1A, 0x9E, 0x10, 0xE1, 0x27, 0x25, 0xF2, 0xE1, 0xAB, 0xAB, 0x6C, 0x45,
-+ 0x61, 0xD5, 0xA3, 0x6C, 0xB6, 0x33, 0x52, 0xAE, 0x3D, 0xFD, 0x22, 0xFC,
-+ 0x3A, 0xAB, 0x63, 0x94, 0xB5, 0x3A, 0x69, 0x11, 0xAC, 0x99, 0x4F, 0x33,
-+ 0x67, 0x0A, 0x1A, 0x70, 0x1E, 0xB9, 0xE2, 0x26, 0x27, 0x68, 0xEA, 0xF5,
-+ 0x97, 0x55, 0xAC, 0x83, 0x6A, 0x40, 0x3B, 0x56, 0xAE, 0x13, 0x88, 0xE8,
-+ 0x98, 0x72, 0x52, 0x91, 0x7F, 0x78, 0x0A, 0x18, 0xD4, 0x44, 0x78, 0x83,
-+ 0x0D, 0x44, 0x77, 0xA6, 0xF3, 0x04, 0xF1, 0x8C, 0xBC, 0x2F, 0xF9, 0x5B,
-+ 0xDB, 0x70, 0x00, 0xF6
-+};
-+
-+static const unsigned char kat_RSA_SHA256[] = {
-+ 0xC2, 0xB1, 0x97, 0x00, 0x9A, 0xE5, 0x80, 0x6A, 0xE2, 0x51, 0x68, 0xB9,
-+ 0x7A, 0x0C, 0xF2, 0xB4, 0x77, 0xED, 0x15, 0x0C, 0x4E, 0xE1, 0xDC, 0xFF,
-+ 0x8E, 0xBC, 0xDE, 0xC7, 0x9A, 0x96, 0xF1, 0x47, 0x45, 0x24, 0x9D, 0x6F,
-+ 0xA6, 0xF3, 0x1D, 0x0D, 0x35, 0x4C, 0x1A, 0xF3, 0x58, 0x2C, 0x6C, 0x06,
-+ 0xD6, 0x22, 0x37, 0x77, 0x8C, 0x33, 0xE5, 0x07, 0x53, 0x93, 0x28, 0xCF,
-+ 0x67, 0xFA, 0xC4, 0x1F, 0x1B, 0x24, 0xDB, 0x4C, 0xC5, 0x2A, 0x51, 0xA2,
-+ 0x60, 0x15, 0x8C, 0x54, 0xB4, 0x30, 0xE2, 0x24, 0x47, 0x86, 0xF2, 0xF8,
-+ 0x6C, 0xD6, 0x12, 0x59, 0x2C, 0x74, 0x9A, 0x37, 0xF3, 0xC4, 0xA2, 0xD5,
-+ 0x4E, 0x1F, 0x77, 0xF0, 0x27, 0xCE, 0x77, 0xF8, 0x4A, 0x79, 0x03, 0xBE,
-+ 0xC8, 0x06, 0x2D, 0xA7, 0xA6, 0x46, 0xF5, 0x55, 0x79, 0xD7, 0x5C, 0xC6,
-+ 0x5B, 0xB1, 0x00, 0x4E, 0x7C, 0xD9, 0x11, 0x85, 0xE0, 0xB1, 0x4D, 0x2D,
-+ 0x13, 0xD7, 0xAC, 0xEA, 0x64, 0xD1, 0xAC, 0x8F, 0x8D, 0x8F, 0xEA, 0x42,
-+ 0x7F, 0xF9, 0xB7, 0x7D, 0x2C, 0x68, 0x49, 0x07, 0x7A, 0x74, 0xEF, 0xB4,
-+ 0xC9, 0x97, 0x16, 0x5C, 0x6C, 0x6E, 0x5C, 0x09, 0x2E, 0x8E, 0x13, 0x2E,
-+ 0x1A, 0x8D, 0xA6, 0x0C, 0x6E, 0x0C, 0x1C, 0x0F, 0xCC, 0xB2, 0x78, 0x8A,
-+ 0x07, 0xFC, 0x5C, 0xC2, 0xF5, 0x65, 0xEC, 0xAB, 0x8B, 0x3C, 0xCA, 0x91,
-+ 0x6F, 0x84, 0x7C, 0x21, 0x0E, 0xB8, 0xDA, 0x7B, 0x6C, 0xF7, 0xDF, 0xAB,
-+ 0x7E, 0x15, 0xFD, 0x85, 0x0B, 0x33, 0x9B, 0x6A, 0x3A, 0xC3, 0xEF, 0x65,
-+ 0x04, 0x6E, 0xB2, 0xAC, 0x98, 0xFD, 0xEB, 0x02, 0xF5, 0xC0, 0x0B, 0x5E,
-+ 0xCB, 0xD4, 0x83, 0x82, 0x18, 0x1B, 0xDA, 0xB4, 0xCD, 0xE8, 0x71, 0x6B,
-+ 0x1D, 0xB5, 0x4F, 0xE9, 0xD6, 0x43, 0xA0, 0x0A, 0x14, 0xA0, 0xE7, 0x5D,
-+ 0x47, 0x9D, 0x18, 0xD7
-+};
-+
-+static const unsigned char kat_RSA_SHA384[] = {
-+ 0x11, 0x5E, 0x63, 0xFE, 0x47, 0xAA, 0x6A, 0x84, 0xEB, 0x44, 0x9A, 0x00,
-+ 0x96, 0x4A, 0xED, 0xD2, 0xA7, 0x67, 0x3A, 0x64, 0x82, 0x30, 0x61, 0x2D,
-+ 0xE3, 0xF5, 0x49, 0x68, 0x5E, 0x60, 0xD2, 0x4D, 0xEF, 0xF2, 0xA4, 0xB2,
-+ 0x9A, 0x81, 0x1D, 0x41, 0xA5, 0x73, 0x59, 0xEB, 0xBB, 0xC4, 0x9E, 0x2B,
-+ 0xEB, 0xC3, 0xDE, 0x3A, 0xEA, 0xF5, 0xAD, 0xDA, 0x87, 0x08, 0x68, 0xCF,
-+ 0x12, 0x9B, 0xC1, 0xE4, 0xA7, 0x71, 0xF8, 0xBD, 0x6B, 0x6F, 0x50, 0xF1,
-+ 0xD1, 0xFF, 0xCE, 0x6C, 0xD9, 0xBE, 0xDA, 0x76, 0xF3, 0xEB, 0xAB, 0x9C,
-+ 0x41, 0x6E, 0x4F, 0x35, 0x7A, 0x61, 0x27, 0xBC, 0x03, 0x3E, 0xAE, 0x3E,
-+ 0x1B, 0xDD, 0xAC, 0xD9, 0x1A, 0xFF, 0xD3, 0xF5, 0x66, 0x43, 0x07, 0x76,
-+ 0x8A, 0x69, 0x2D, 0x14, 0xB1, 0xBE, 0x55, 0x49, 0x90, 0x89, 0x4B, 0xC4,
-+ 0x11, 0x67, 0xD5, 0x9D, 0xB0, 0xB2, 0xEE, 0x8D, 0x0A, 0x47, 0x4A, 0xD9,
-+ 0x0E, 0xD1, 0x24, 0xF0, 0x30, 0x2B, 0xF2, 0x79, 0x47, 0xDB, 0x70, 0xB4,
-+ 0x46, 0xF2, 0xF8, 0xB7, 0xB4, 0xF6, 0x34, 0x79, 0xA8, 0x2D, 0x3D, 0x56,
-+ 0xD5, 0x9A, 0x60, 0x7A, 0x04, 0xC7, 0x66, 0x1D, 0xCD, 0x3C, 0xD5, 0x39,
-+ 0x37, 0x12, 0x51, 0x5E, 0x9F, 0xF8, 0x1A, 0xAF, 0x13, 0xC1, 0x13, 0x00,
-+ 0x35, 0xD5, 0x8D, 0x17, 0xE3, 0x02, 0x28, 0xD9, 0xEC, 0xDE, 0xD1, 0x2F,
-+ 0x93, 0x49, 0x03, 0x11, 0x3E, 0x56, 0x9D, 0xC2, 0x31, 0xF8, 0xAF, 0x2D,
-+ 0xD9, 0x99, 0xB7, 0x8A, 0xAC, 0x5A, 0x86, 0x20, 0x3A, 0x83, 0x29, 0x26,
-+ 0x9D, 0x03, 0x52, 0x2B, 0x34, 0x56, 0x40, 0x16, 0x53, 0x50, 0x82, 0xC9,
-+ 0xC7, 0xD5, 0x51, 0x4C, 0xED, 0xB3, 0xE2, 0xE1, 0xCF, 0xA8, 0xCE, 0xBD,
-+ 0xB1, 0x48, 0xA6, 0x8A, 0x79, 0x17, 0x55, 0x11, 0xEF, 0xE8, 0x14, 0xF4,
-+ 0x7E, 0x37, 0x1D, 0x96
-+};
-+
-+static const unsigned char kat_RSA_SHA512[] = {
-+ 0x35, 0x6D, 0xF1, 0x9E, 0xCF, 0xB1, 0xF6, 0x0C, 0x04, 0x21, 0x17, 0xB3,
-+ 0xC4, 0x9D, 0xFE, 0x62, 0x1C, 0x1A, 0x45, 0x00, 0x2E, 0x6B, 0xB6, 0x9F,
-+ 0x5C, 0xB1, 0xCB, 0xCF, 0xF9, 0x67, 0xEA, 0x62, 0x8A, 0xEB, 0x77, 0x02,
-+ 0x42, 0x30, 0x88, 0xB1, 0x48, 0xDF, 0x12, 0x60, 0x6E, 0x92, 0xBB, 0x4B,
-+ 0x09, 0x68, 0xD1, 0x70, 0x2B, 0x59, 0xEE, 0x57, 0x96, 0xF9, 0xEA, 0xA3,
-+ 0x4C, 0xE9, 0xC9, 0xBD, 0x25, 0x34, 0x66, 0x15, 0x6C, 0xC9, 0x81, 0xD1,
-+ 0x48, 0x0F, 0x33, 0x5F, 0x05, 0x4F, 0xC2, 0xC4, 0xDD, 0x09, 0x54, 0x79,
-+ 0xA1, 0x57, 0x07, 0x70, 0xA0, 0x33, 0x02, 0x4D, 0x5D, 0xE9, 0x24, 0xD1,
-+ 0xEF, 0xF0, 0x61, 0xD0, 0x1D, 0x41, 0xE2, 0x9B, 0x2B, 0x7C, 0xD0, 0x4E,
-+ 0x55, 0xD9, 0x6D, 0xA1, 0x16, 0x9F, 0xDA, 0xC3, 0x3B, 0xF1, 0x74, 0xD1,
-+ 0x99, 0xF1, 0x63, 0x57, 0xAD, 0xC7, 0x55, 0xF4, 0x97, 0x43, 0x1C, 0xED,
-+ 0x1B, 0x7A, 0x32, 0xCB, 0x24, 0xA6, 0x3D, 0x93, 0x37, 0x90, 0x74, 0xEE,
-+ 0xD2, 0x8D, 0x4B, 0xBC, 0x72, 0xDA, 0x25, 0x2B, 0x64, 0xE9, 0xCA, 0x69,
-+ 0x36, 0xB6, 0xEC, 0x6E, 0x8F, 0x33, 0x0E, 0x74, 0x40, 0x48, 0x51, 0xE2,
-+ 0x54, 0x6F, 0xAF, 0x6E, 0x36, 0x54, 0x3A, 0xEC, 0x78, 0x37, 0xE6, 0x1F,
-+ 0x76, 0xA5, 0x4D, 0xA6, 0xD9, 0xB3, 0x6B, 0x17, 0x6D, 0x61, 0xFC, 0xA3,
-+ 0x85, 0x4A, 0xCC, 0xDA, 0x52, 0xAC, 0x5B, 0xDA, 0x51, 0xE5, 0x7F, 0x5B,
-+ 0x52, 0x8B, 0x74, 0x75, 0x99, 0x5C, 0x01, 0xFD, 0x25, 0x3E, 0xCD, 0x86,
-+ 0x6F, 0x7A, 0xC0, 0xD8, 0x17, 0x6F, 0xD1, 0xD2, 0x6B, 0xAB, 0x14, 0x1F,
-+ 0x3B, 0xB8, 0x15, 0x05, 0x86, 0x40, 0x36, 0xCF, 0xDA, 0x59, 0x2B, 0x9A,
-+ 0xE9, 0x1E, 0x6E, 0xD3, 0x6B, 0xA1, 0x19, 0xC5, 0xE6, 0x3F, 0xE9, 0x2E,
-+ 0x43, 0xA8, 0x34, 0x0A
-+};
-+
-+static int fips_rsa_encrypt_test(RSA *rsa, const unsigned char *plaintext,
-+ int ptlen)
-+{
-+ unsigned char *ctbuf = NULL, *ptbuf = NULL;
-+ int ret = 0;
-+ int len;
-+
-+ ctbuf = OPENSSL_malloc(RSA_size(rsa));
-+ if (!ctbuf)
-+ goto err;
-+
-+ len = RSA_public_encrypt(ptlen, plaintext, ctbuf, rsa, RSA_PKCS1_PADDING);
-+ if (len <= 0)
-+ goto err;
-+ /* Check ciphertext doesn't match plaintext */
-+ if (len >= ptlen && !memcmp(plaintext, ctbuf, ptlen))
-+ goto err;
-+
-+ ptbuf = OPENSSL_malloc(RSA_size(rsa));
-+ if (!ptbuf)
-+ goto err;
-+
-+ len = RSA_private_decrypt(len, ctbuf, ptbuf, rsa, RSA_PKCS1_PADDING);
-+ if (len != ptlen)
-+ goto err;
-+ if (memcmp(ptbuf, plaintext, len))
-+ goto err;
-+
-+ ret = 1;
-+
-+ err:
-+ if (ctbuf)
-+ OPENSSL_free(ctbuf);
-+ if (ptbuf)
-+ OPENSSL_free(ptbuf);
-+ return ret;
-+}
-+
-+int FIPS_selftest_rsa()
-+{
-+ int ret = 0;
-+ RSA *key;
-+ EVP_PKEY *pk = NULL;
-+
-+ if ((key = RSA_new()) == NULL)
-+ goto err;
-+
-+ if (!setrsakey(key))
-+ goto err;
-+
-+ if ((pk = EVP_PKEY_new()) == NULL)
-+ goto err;
-+
-+ EVP_PKEY_set1_RSA(pk, key);
-+
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_SHA1, sizeof(kat_RSA_SHA1),
-+ EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PKCS1,
-+ "RSA SHA1 PKCS#1"))
-+ goto err;
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_SHA224, sizeof(kat_RSA_SHA224),
-+ EVP_sha224(), EVP_MD_CTX_FLAG_PAD_PKCS1,
-+ "RSA SHA224 PKCS#1"))
-+ goto err;
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_SHA256, sizeof(kat_RSA_SHA256),
-+ EVP_sha256(), EVP_MD_CTX_FLAG_PAD_PKCS1,
-+ "RSA SHA256 PKCS#1"))
-+ goto err;
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_SHA384, sizeof(kat_RSA_SHA384),
-+ EVP_sha384(), EVP_MD_CTX_FLAG_PAD_PKCS1,
-+ "RSA SHA384 PKCS#1"))
-+ goto err;
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_SHA512, sizeof(kat_RSA_SHA512),
-+ EVP_sha512(), EVP_MD_CTX_FLAG_PAD_PKCS1,
-+ "RSA SHA512 PKCS#1"))
-+ goto err;
-+
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_PSS_SHA1, sizeof(kat_RSA_PSS_SHA1),
-+ EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PSS,
-+ "RSA SHA1 PSS"))
-+ goto err;
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_PSS_SHA224,
-+ sizeof(kat_RSA_PSS_SHA224), EVP_sha224(),
-+ EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA224 PSS"))
-+ goto err;
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_PSS_SHA256,
-+ sizeof(kat_RSA_PSS_SHA256), EVP_sha256(),
-+ EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA256 PSS"))
-+ goto err;
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_PSS_SHA384,
-+ sizeof(kat_RSA_PSS_SHA384), EVP_sha384(),
-+ EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA384 PSS"))
-+ goto err;
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_PSS_SHA512,
-+ sizeof(kat_RSA_PSS_SHA512), EVP_sha512(),
-+ EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA512 PSS"))
-+ goto err;
-+
-+ if (!fips_rsa_encrypt_test(key, kat_tbs, sizeof(kat_tbs) - 1))
-+ goto err;
-+
-+ ret = 1;
-+
-+ err:
-+ if (pk)
-+ EVP_PKEY_free(pk);
-+ if (key)
-+ RSA_free(key);
-+ return ret;
-+}
-+
-+#endif /* def OPENSSL_FIPS */
-diff -up openssl-1.1.0h/crypto/fips/fips_sha_selftest.c.fips openssl-1.1.0h/crypto/fips/fips_sha_selftest.c
---- openssl-1.1.0h/crypto/fips/fips_sha_selftest.c.fips 2018-03-29 14:44:24.636236877 +0200
-+++ openssl-1.1.0h/crypto/fips/fips_sha_selftest.c 2018-03-29 14:44:24.636236877 +0200
-@@ -0,0 +1,138 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <string.h>
-+#include <openssl/err.h>
-+#ifdef OPENSSL_FIPS
-+# include <openssl/fips.h>
-+#endif
-+#include <openssl/evp.h>
-+#include <openssl/sha.h>
-+
-+#ifdef OPENSSL_FIPS
-+static const char test[][60] = {
-+ "",
-+ "abc",
-+ "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
-+};
-+
-+static const unsigned char ret[][SHA_DIGEST_LENGTH] = {
-+ {0xda, 0x39, 0xa3, 0xee, 0x5e, 0x6b, 0x4b, 0x0d, 0x32, 0x55,
-+ 0xbf, 0xef, 0x95, 0x60, 0x18, 0x90, 0xaf, 0xd8, 0x07, 0x09},
-+ {0xa9, 0x99, 0x3e, 0x36, 0x47, 0x06, 0x81, 0x6a, 0xba, 0x3e,
-+ 0x25, 0x71, 0x78, 0x50, 0xc2, 0x6c, 0x9c, 0xd0, 0xd8, 0x9d},
-+ {0x84, 0x98, 0x3e, 0x44, 0x1c, 0x3b, 0xd2, 0x6e, 0xba, 0xae,
-+ 0x4a, 0xa1, 0xf9, 0x51, 0x29, 0xe5, 0xe5, 0x46, 0x70, 0xf1},
-+};
-+
-+int FIPS_selftest_sha1()
-+{
-+ int n;
-+
-+ for (n = 0; n < sizeof(test) / sizeof(test[0]); ++n) {
-+ unsigned char md[SHA_DIGEST_LENGTH];
-+
-+ EVP_Digest(test[n], strlen(test[n]), md, NULL,
-+ EVP_sha1(), NULL);
-+ if (memcmp(md, ret[n], sizeof md)) {
-+ FIPSerr(FIPS_F_FIPS_SELFTEST_SHA1, FIPS_R_SELFTEST_FAILED);
-+ return 0;
-+ }
-+ }
-+ return 1;
-+}
-+
-+static const unsigned char msg_sha256[] =
-+ { 0xfa, 0x48, 0x59, 0x2a, 0xe1, 0xae, 0x1f, 0x30,
-+ 0xfc
-+};
-+
-+static const unsigned char dig_sha256[] =
-+ { 0xf7, 0x26, 0xd8, 0x98, 0x47, 0x91, 0x68, 0x5b,
-+ 0x9e, 0x39, 0xb2, 0x58, 0xbb, 0x75, 0xbf, 0x01,
-+ 0x17, 0x0c, 0x84, 0x00, 0x01, 0x7a, 0x94, 0x83,
-+ 0xf3, 0x0b, 0x15, 0x84, 0x4b, 0x69, 0x88, 0x8a
-+};
-+
-+static const unsigned char msg_sha512[] =
-+ { 0x37, 0xd1, 0x35, 0x9d, 0x18, 0x41, 0xe9, 0xb7,
-+ 0x6d, 0x9a, 0x13, 0xda, 0x5f, 0xf3, 0xbd
-+};
-+
-+static const unsigned char dig_sha512[] =
-+ { 0x11, 0x13, 0xc4, 0x19, 0xed, 0x2b, 0x1d, 0x16,
-+ 0x11, 0xeb, 0x9b, 0xbe, 0xf0, 0x7f, 0xcf, 0x44,
-+ 0x8b, 0xd7, 0x57, 0xbd, 0x8d, 0xa9, 0x25, 0xb0,
-+ 0x47, 0x25, 0xd6, 0x6c, 0x9a, 0x54, 0x7f, 0x8f,
-+ 0x0b, 0x53, 0x1a, 0x10, 0x68, 0x32, 0x03, 0x38,
-+ 0x82, 0xc4, 0x87, 0xc4, 0xea, 0x0e, 0xd1, 0x04,
-+ 0xa9, 0x98, 0xc1, 0x05, 0xa3, 0xf3, 0xf8, 0xb1,
-+ 0xaf, 0xbc, 0xd9, 0x78, 0x7e, 0xee, 0x3d, 0x43
-+};
-+
-+int FIPS_selftest_sha2(void)
-+{
-+ unsigned char md[SHA512_DIGEST_LENGTH];
-+
-+ EVP_Digest(msg_sha256, sizeof(msg_sha256), md, NULL, EVP_sha256(), NULL);
-+ if (memcmp(dig_sha256, md, sizeof(dig_sha256))) {
-+ FIPSerr(FIPS_F_FIPS_SELFTEST_SHA2, FIPS_R_SELFTEST_FAILED);
-+ return 0;
-+ }
-+
-+ EVP_Digest(msg_sha512, sizeof(msg_sha512), md, NULL, EVP_sha512(), NULL);
-+ if (memcmp(dig_sha512, md, sizeof(dig_sha512))) {
-+ FIPSerr(FIPS_F_FIPS_SELFTEST_SHA2, FIPS_R_SELFTEST_FAILED);
-+ return 0;
-+ }
-+
-+ return 1;
-+}
-+
-+#endif
-diff -up openssl-1.1.0h/crypto/fips/fips_standalone_hmac.c.fips openssl-1.1.0h/crypto/fips/fips_standalone_hmac.c
---- openssl-1.1.0h/crypto/fips/fips_standalone_hmac.c.fips 2018-03-29 14:44:24.636236877 +0200
-+++ openssl-1.1.0h/crypto/fips/fips_standalone_hmac.c 2018-03-29 14:44:24.636236877 +0200
-@@ -0,0 +1,127 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <openssl/opensslconf.h>
-+#include <openssl/hmac.h>
-+#include <openssl/sha.h>
-+
-+int main(int argc, char **argv)
-+{
-+#ifdef OPENSSL_FIPS
-+ static char key[] = "orboDeJITITejsirpADONivirpUkvarP";
-+ int n, binary = 0;
-+
-+ if (argc < 2) {
-+ fprintf(stderr, "%s [<file>]+\n", argv[0]);
-+ exit(1);
-+ }
-+
-+ n = 1;
-+ if (!strcmp(argv[n], "-binary")) {
-+ n++;
-+ binary = 1; /* emit binary fingerprint... */
-+ }
-+
-+ for (; n < argc; ++n) {
-+ FILE *f = fopen(argv[n], "rb");
-+ HMAC_CTX *hmac_ctx;
-+ unsigned char mac[EVP_MAX_MD_SIZE];
-+ unsigned int len;
-+ unsigned int i;
-+
-+ if (!f) {
-+ perror(argv[n]);
-+ exit(2);
-+ }
-+ hmac_ctx = HMAC_CTX_new();
-+ if (!hmac_ctx)
-+ exit(3);
-+
-+ if (HMAC_Init_ex(hmac_ctx, key, strlen(key), EVP_sha256(), NULL) <= 0) {
-+ fprintf(stderr, "HMAC SHA256 initialization failed.\n");
-+ exit(4);
-+ }
-+
-+ for (;;) {
-+ char buf[1024];
-+ size_t l = fread(buf, 1, sizeof buf, f);
-+
-+ if (l == 0) {
-+ if (ferror(f)) {
-+ perror(argv[n]);
-+ exit(3);
-+ } else
-+ break;
-+ }
-+ if (HMAC_Update(hmac_ctx, buf, l) <= 0) {
-+ fprintf(stderr, "HMAC_Update() failed.\n");
-+ exit(4);
-+ }
-+ }
-+ if (HMAC_Final(hmac_ctx, mac, &len) <= 0) {
-+ fprintf(stderr, "HMAC_Final() failed.\n");
-+ exit(4);
-+ }
-+
-+ if (binary) {
-+ fwrite(mac, len, 1, stdout);
-+ break; /* ... for single(!) file */
-+ }
-+
-+/* printf("HMAC-SHA1(%s)= ",argv[n]); */
-+ for (i = 0; i < len; ++i)
-+ printf("%02x", mac[i]);
-+ printf("\n");
-+ }
-+#endif
-+ return 0;
-+}
-diff -up openssl-1.1.0h/crypto/hmac/hmac.c.fips openssl-1.1.0h/crypto/hmac/hmac.c
---- openssl-1.1.0h/crypto/hmac/hmac.c.fips 2018-03-27 15:50:38.000000000 +0200
-+++ openssl-1.1.0h/crypto/hmac/hmac.c 2018-03-29 14:44:24.636236877 +0200
-@@ -35,6 +35,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo
- }
-
- if (key != NULL) {
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode() && !(EVP_MD_flags(md) & EVP_MD_FLAG_FIPS)
-+ && (!EVP_MD_CTX_test_flags(ctx->md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
-+ || !EVP_MD_CTX_test_flags(ctx->i_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
-+ || !EVP_MD_CTX_test_flags(ctx->o_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)))
-+ goto err;
-+#endif
- reset = 1;
- j = EVP_MD_block_size(md);
- OPENSSL_assert(j <= (int)sizeof(ctx->key));
-diff -up openssl-1.1.0h/crypto/include/internal/fips_int.h.fips openssl-1.1.0h/crypto/include/internal/fips_int.h
---- openssl-1.1.0h/crypto/include/internal/fips_int.h.fips 2018-03-29 14:44:24.637236901 +0200
-+++ openssl-1.1.0h/crypto/include/internal/fips_int.h 2018-03-29 14:44:24.637236901 +0200
-@@ -0,0 +1,101 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <openssl/opensslconf.h>
-+#include <openssl/evp.h>
-+
-+#ifndef OPENSSL_FIPS
-+# error FIPS is disabled.
-+#endif
-+
-+#ifdef OPENSSL_FIPS
-+
-+int FIPS_module_mode_set(int onoff);
-+int FIPS_module_mode(void);
-+int FIPS_module_installed(void);
-+int FIPS_selftest_sha1(void);
-+int FIPS_selftest_sha2(void);
-+int FIPS_selftest_aes_ccm(void);
-+int FIPS_selftest_aes_gcm(void);
-+int FIPS_selftest_aes_xts(void);
-+int FIPS_selftest_aes(void);
-+int FIPS_selftest_des(void);
-+int FIPS_selftest_rsa(void);
-+int FIPS_selftest_dsa(void);
-+int FIPS_selftest_ecdsa(void);
-+int FIPS_selftest_ecdh(void);
-+int FIPS_selftest_dh(void);
-+void FIPS_drbg_stick(int onoff);
-+int FIPS_selftest_hmac(void);
-+int FIPS_selftest_drbg(void);
-+int FIPS_selftest_cmac(void);
-+
-+int fips_pkey_signature_test(EVP_PKEY *pkey,
-+ const unsigned char *tbs, int tbslen,
-+ const unsigned char *kat,
-+ unsigned int katlen,
-+ const EVP_MD *digest,
-+ unsigned int md_flags, const char *fail_str);
-+
-+int fips_cipher_test(EVP_CIPHER_CTX *ctx,
-+ const EVP_CIPHER *cipher,
-+ const unsigned char *key,
-+ const unsigned char *iv,
-+ const unsigned char *plaintext,
-+ const unsigned char *ciphertext, int len);
-+
-+void fips_set_selftest_fail(void);
-+
-+const EVP_MD *FIPS_get_digestbynid(int nid);
-+
-+const EVP_CIPHER *FIPS_get_cipherbynid(int nid);
-+
-+void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr);
-+
-+#endif
-diff -up openssl-1.1.0h/crypto/o_fips.c.fips openssl-1.1.0h/crypto/o_fips.c
---- openssl-1.1.0h/crypto/o_fips.c.fips 2018-03-27 15:50:38.000000000 +0200
-+++ openssl-1.1.0h/crypto/o_fips.c 2018-03-29 14:44:24.637236901 +0200
-@@ -9,7 +9,10 @@
-
- #include "internal/cryptlib.h"
- #ifdef OPENSSL_FIPS
-+# include <openssl/rand.h>
- # include <openssl/fips.h>
-+# include <openssl/fips_rand.h>
-+# include "internal/fips_int.h"
- #endif
-
- int FIPS_mode(void)
-@@ -24,7 +27,15 @@ int FIPS_mode(void)
- int FIPS_mode_set(int r)
- {
- #ifdef OPENSSL_FIPS
-- return FIPS_module_mode_set(r);
-+ if (r && FIPS_module_mode()) /* can be implicitly initialized by OPENSSL_init() */
-+ return 1;
-+ if (!FIPS_module_mode_set(r))
-+ return 0;
-+ if (r)
-+ RAND_set_rand_method(FIPS_rand_get_method());
-+ else
-+ RAND_set_rand_method(NULL);
-+ return 1;
- #else
- if (r == 0)
- return 1;
-diff -up openssl-1.1.0h/crypto/o_init.c.fips openssl-1.1.0h/crypto/o_init.c
---- openssl-1.1.0h/crypto/o_init.c.fips 2018-03-27 15:50:38.000000000 +0200
-+++ openssl-1.1.0h/crypto/o_init.c 2018-03-29 14:44:24.637236901 +0200
-@@ -7,11 +7,50 @@
- * https://www.openssl.org/source/license.html
- */
-
-+/* for secure_getenv */
-+#define _GNU_SOURCE
- #include <e_os.h>
- #include <openssl/err.h>
- #ifdef OPENSSL_FIPS
--# include <openssl/fips.h>
-+# include <sys/types.h>
-+# include <sys/stat.h>
-+# include <fcntl.h>
-+# include <unistd.h>
-+# include <errno.h>
-+# include <stdlib.h>
- # include <openssl/rand.h>
-+# include <openssl/fips.h>
-+# include "internal/fips_int.h"
-+
-+# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
-+
-+static void init_fips_mode(void)
-+{
-+ char buf[2] = "0";
-+ int fd;
-+
-+ /* Ensure the selftests always run */
-+ FIPS_mode_set(1);
-+
-+ if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
-+ buf[0] = '1';
-+ } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
-+ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
-+ close(fd);
-+ }
-+ /* Failure reading the fips mode switch file means just not
-+ * switching into FIPS mode. We would break too many things
-+ * otherwise..
-+ */
-+
-+ if (buf[0] != '1') {
-+ /* drop down to non-FIPS mode if it is not requested */
-+ FIPS_mode_set(0);
-+ } else {
-+ /* abort if selftest failed */
-+ FIPS_selftest_check();
-+ }
-+}
- #endif
-
- /*
-@@ -19,16 +58,29 @@
- * sets FIPS callbacks
- */
-
--void OPENSSL_init(void)
-+void __attribute__ ((constructor)) OPENSSL_init_library(void)
- {
- static int done = 0;
- if (done)
- return;
- done = 1;
- #ifdef OPENSSL_FIPS
-- FIPS_set_locking_callbacks(CRYPTO_lock, CRYPTO_add_lock);
-- FIPS_set_error_callbacks(ERR_put_error, ERR_add_error_vdata);
-- FIPS_set_malloc_callbacks(CRYPTO_malloc, CRYPTO_free);
-+ if (!FIPS_module_installed()) {
-+ return;
-+ }
- RAND_init_fips();
-+ init_fips_mode();
-+ if (!FIPS_mode()) {
-+ /* Clean up prematurely set default rand method */
-+ RAND_set_rand_method(NULL);
-+ }
-+#endif
-+#if 0
-+ fprintf(stderr, "Called OPENSSL_init\n");
- #endif
- }
-+
-+void OPENSSL_init(void)
-+{
-+ OPENSSL_init_library();
-+}
-diff -up openssl-1.1.0h/crypto/rand/md_rand.c.fips openssl-1.1.0h/crypto/rand/md_rand.c
---- openssl-1.1.0h/crypto/rand/md_rand.c.fips 2018-03-27 15:50:39.000000000 +0200
-+++ openssl-1.1.0h/crypto/rand/md_rand.c 2018-03-29 14:44:24.637236901 +0200
-@@ -360,7 +360,7 @@ static int rand_bytes(unsigned char *buf
- CRYPTO_THREAD_unlock(rand_tmp_lock);
- crypto_lock_rand = 1;
-
-- if (!initialized) {
-+ if (!initialized || FIPS_mode()) {
- RAND_poll();
- initialized = 1;
- }
-diff -up openssl-1.1.0h/crypto/rand/rand_err.c.fips openssl-1.1.0h/crypto/rand/rand_err.c
---- openssl-1.1.0h/crypto/rand/rand_err.c.fips 2018-03-27 15:50:39.000000000 +0200
-+++ openssl-1.1.0h/crypto/rand/rand_err.c 2018-03-29 14:44:24.637236901 +0200
-@@ -20,10 +20,13 @@
-
- static ERR_STRING_DATA RAND_str_functs[] = {
- {ERR_FUNC(RAND_F_RAND_BYTES), "RAND_bytes"},
-+ {ERR_FUNC(RAND_F_RAND_INIT_FIPS), "RAND_init_fips"},
- {0, NULL}
- };
-
- static ERR_STRING_DATA RAND_str_reasons[] = {
-+ {ERR_REASON(RAND_R_ERROR_INITIALISING_DRBG), "error initialising DRBG"},
-+ {ERR_REASON(RAND_R_ERROR_INSTANTIATING_DRBG), "error instantiating DRBG"},
- {ERR_REASON(RAND_R_PRNG_NOT_SEEDED), "PRNG not seeded"},
- {0, NULL}
- };
-diff -up openssl-1.1.0h/crypto/rand/rand_lcl.h.fips openssl-1.1.0h/crypto/rand/rand_lcl.h
---- openssl-1.1.0h/crypto/rand/rand_lcl.h.fips 2018-03-29 14:44:24.359230371 +0200
-+++ openssl-1.1.0h/crypto/rand/rand_lcl.h 2018-03-29 14:44:24.637236901 +0200
-@@ -10,7 +10,7 @@
- #ifndef HEADER_RAND_LCL_H
- # define HEADER_RAND_LCL_H
-
--# define ENTROPY_NEEDED 32 /* require 256 bits = 32 bytes of randomness */
-+# define ENTROPY_NEEDED 48 /* require 384 bits = 48 bytes of randomness */
-
- # if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND)
- # define USE_SHA1_RAND
-diff -up openssl-1.1.0h/crypto/rand/rand_lib.c.fips openssl-1.1.0h/crypto/rand/rand_lib.c
---- openssl-1.1.0h/crypto/rand/rand_lib.c.fips 2018-03-27 15:50:39.000000000 +0200
-+++ openssl-1.1.0h/crypto/rand/rand_lib.c 2018-03-29 14:44:24.637236901 +0200
-@@ -18,6 +18,8 @@
- #ifdef OPENSSL_FIPS
- # include <openssl/fips.h>
- # include <openssl/fips_rand.h>
-+# include "rand_lcl.h"
-+# include "internal/fips_int.h"
- #endif
-
- #ifndef OPENSSL_NO_ENGINE
-@@ -162,3 +164,127 @@ int RAND_status(void)
- return meth->status();
- return 0;
- }
-+
-+#ifdef OPENSSL_FIPS
-+
-+/*
-+ * FIPS DRBG initialisation code. This sets up the DRBG for use by the rest
-+ * of OpenSSL.
-+ */
-+
-+/*
-+ * Entropy gatherer: use standard OpenSSL PRNG to seed (this will gather
-+ * entropy internally through RAND_poll().
-+ */
-+
-+static size_t drbg_get_entropy(DRBG_CTX *ctx, unsigned char **pout,
-+ int entropy, size_t min_len, size_t max_len)
-+{
-+ /* Round up request to multiple of block size */
-+ min_len = ((min_len + 19) / 20) * 20;
-+ *pout = OPENSSL_malloc(min_len);
-+ if (!*pout)
-+ return 0;
-+ if (RAND_OpenSSL()->bytes(*pout, min_len) <= 0) {
-+ OPENSSL_free(*pout);
-+ *pout = NULL;
-+ return 0;
-+ }
-+ return min_len;
-+}
-+
-+static void drbg_free_entropy(DRBG_CTX *ctx, unsigned char *out, size_t olen)
-+{
-+ if (out) {
-+ OPENSSL_cleanse(out, olen);
-+ OPENSSL_free(out);
-+ }
-+}
-+
-+/*
-+ * Set "additional input" when generating random data. This uses the current
-+ * PID, a time value and a counter.
-+ */
-+
-+static size_t drbg_get_adin(DRBG_CTX *ctx, unsigned char **pout)
-+{
-+ /* Use of static variables is OK as this happens under a lock */
-+ static unsigned char buf[16];
-+ static unsigned long counter;
-+ FIPS_get_timevec(buf, &counter);
-+ *pout = buf;
-+ return sizeof(buf);
-+}
-+
-+/*
-+ * RAND_add() and RAND_seed() pass through to OpenSSL PRNG so it is
-+ * correctly seeded by RAND_poll().
-+ */
-+
-+static int drbg_rand_add(DRBG_CTX *ctx, const void *in, int inlen,
-+ double entropy)
-+{
-+ RAND_OpenSSL()->add(in, inlen, entropy);
-+ if (FIPS_rand_status()) {
-+ FIPS_drbg_reseed(ctx, NULL, 0);
-+ }
-+ return 1;
-+}
-+
-+static int drbg_rand_seed(DRBG_CTX *ctx, const void *in, int inlen)
-+{
-+ RAND_OpenSSL()->seed(in, inlen);
-+ if (FIPS_rand_status()) {
-+ FIPS_drbg_reseed(ctx, NULL, 0);
-+ }
-+ return 1;
-+}
-+
-+# ifndef OPENSSL_DRBG_DEFAULT_TYPE
-+# define OPENSSL_DRBG_DEFAULT_TYPE NID_aes_256_ctr
-+# endif
-+# ifndef OPENSSL_DRBG_DEFAULT_FLAGS
-+# define OPENSSL_DRBG_DEFAULT_FLAGS DRBG_FLAG_CTR_USE_DF
-+# endif
-+
-+static int fips_drbg_type = OPENSSL_DRBG_DEFAULT_TYPE;
-+static int fips_drbg_flags = OPENSSL_DRBG_DEFAULT_FLAGS;
-+
-+void RAND_set_fips_drbg_type(int type, int flags)
-+{
-+ fips_drbg_type = type;
-+ fips_drbg_flags = flags;
-+}
-+
-+int RAND_init_fips(void)
-+{
-+ DRBG_CTX *dctx;
-+ size_t plen;
-+ unsigned char pers[32], *p;
-+
-+ dctx = FIPS_get_default_drbg();
-+ if (dctx == NULL ||
-+ FIPS_drbg_init(dctx, fips_drbg_type, fips_drbg_flags) <= 0) {
-+ RANDerr(RAND_F_RAND_INIT_FIPS, RAND_R_ERROR_INITIALISING_DRBG);
-+ return 0;
-+ }
-+
-+ FIPS_drbg_set_callbacks(dctx,
-+ drbg_get_entropy, drbg_free_entropy, 20,
-+ drbg_get_entropy, drbg_free_entropy);
-+ FIPS_drbg_set_rand_callbacks(dctx, drbg_get_adin, 0,
-+ drbg_rand_seed, drbg_rand_add);
-+ /* Personalisation string: a string followed by date time vector */
-+ strcpy((char *)pers, "OpenSSL DRBG2.0");
-+ plen = drbg_get_adin(dctx, &p);
-+ memcpy(pers + 16, p, plen);
-+
-+ if (FIPS_drbg_instantiate(dctx, pers, sizeof(pers)) <= 0) {
-+ RANDerr(RAND_F_RAND_INIT_FIPS, RAND_R_ERROR_INSTANTIATING_DRBG);
-+ return 0;
-+ }
-+ FIPS_rand_set_method(FIPS_drbg_method());
-+ return 1;
-+}
-+
-+#endif
-diff -up openssl-1.1.0h/crypto/rsa/rsa_crpt.c.fips openssl-1.1.0h/crypto/rsa/rsa_crpt.c
---- openssl-1.1.0h/crypto/rsa/rsa_crpt.c.fips 2018-03-27 15:50:39.000000000 +0200
-+++ openssl-1.1.0h/crypto/rsa/rsa_crpt.c 2018-03-29 14:44:24.637236901 +0200
-@@ -28,24 +28,52 @@ int RSA_size(const RSA *r)
- int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to,
- RSA *rsa, int padding)
- {
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
-+ && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
-+ RSAerr(RSA_F_RSA_PUBLIC_ENCRYPT, RSA_R_NON_FIPS_RSA_METHOD);
-+ return -1;
-+ }
-+#endif
- return (rsa->meth->rsa_pub_enc(flen, from, to, rsa, padding));
- }
-
- int RSA_private_encrypt(int flen, const unsigned char *from,
- unsigned char *to, RSA *rsa, int padding)
- {
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
-+ RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT,
-+ RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
-+ return -1;
-+ }
-+#endif
- return (rsa->meth->rsa_priv_enc(flen, from, to, rsa, padding));
- }
-
- int RSA_private_decrypt(int flen, const unsigned char *from,
- unsigned char *to, RSA *rsa, int padding)
- {
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
-+ && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
-+ RSAerr(RSA_F_RSA_PRIVATE_DECRYPT, RSA_R_NON_FIPS_RSA_METHOD);
-+ return -1;
-+ }
-+#endif
- return (rsa->meth->rsa_priv_dec(flen, from, to, rsa, padding));
- }
-
- int RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
- RSA *rsa, int padding)
- {
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
-+ RSAerr(RSA_F_RSA_PUBLIC_DECRYPT,
-+ RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
-+ return -1;
-+ }
-+#endif
- return (rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding));
- }
-
-diff -up openssl-1.1.0h/crypto/rsa/rsa_err.c.fips openssl-1.1.0h/crypto/rsa/rsa_err.c
---- openssl-1.1.0h/crypto/rsa/rsa_err.c.fips 2018-03-27 15:50:39.000000000 +0200
-+++ openssl-1.1.0h/crypto/rsa/rsa_err.c 2018-03-29 14:44:24.638236924 +0200
-@@ -21,6 +21,7 @@
- static ERR_STRING_DATA RSA_str_functs[] = {
- {ERR_FUNC(RSA_F_CHECK_PADDING_MD), "check_padding_md"},
- {ERR_FUNC(RSA_F_ENCODE_PKCS1), "encode_pkcs1"},
-+ {ERR_FUNC(RSA_F_FIPS_RSA_BUILTIN_KEYGEN), "fips_rsa_builtin_keygen"},
- {ERR_FUNC(RSA_F_INT_RSA_VERIFY), "int_rsa_verify"},
- {ERR_FUNC(RSA_F_OLD_RSA_PRIV_DECODE), "old_rsa_priv_decode"},
- {ERR_FUNC(RSA_F_PKEY_RSA_CTRL), "pkey_rsa_ctrl"},
-@@ -33,6 +34,7 @@ static ERR_STRING_DATA RSA_str_functs[]
- {ERR_FUNC(RSA_F_RSA_CHECK_KEY), "RSA_check_key"},
- {ERR_FUNC(RSA_F_RSA_CHECK_KEY_EX), "RSA_check_key_ex"},
- {ERR_FUNC(RSA_F_RSA_CMS_DECRYPT), "rsa_cms_decrypt"},
-+ {ERR_FUNC(RSA_F_RSA_GENERATE_KEY_EX), "RSA_generate_key_ex"},
- {ERR_FUNC(RSA_F_RSA_ITEM_VERIFY), "rsa_item_verify"},
- {ERR_FUNC(RSA_F_RSA_METH_DUP), "RSA_meth_dup"},
- {ERR_FUNC(RSA_F_RSA_METH_NEW), "RSA_meth_new"},
-@@ -76,8 +78,14 @@ static ERR_STRING_DATA RSA_str_functs[]
- {ERR_FUNC(RSA_F_RSA_PRINT), "RSA_print"},
- {ERR_FUNC(RSA_F_RSA_PRINT_FP), "RSA_print_fp"},
- {ERR_FUNC(RSA_F_RSA_PRIV_ENCODE), "rsa_priv_encode"},
-+ {ERR_FUNC(RSA_F_RSA_PRIVATE_DECRYPT), "RSA_private_decrypt"},
-+ {ERR_FUNC(RSA_F_RSA_PRIVATE_ENCRYPT), "RSA_private_encrypt"},
- {ERR_FUNC(RSA_F_RSA_PSS_TO_CTX), "rsa_pss_to_ctx"},
- {ERR_FUNC(RSA_F_RSA_PUB_DECODE), "rsa_pub_decode"},
-+ {ERR_FUNC(RSA_F_RSA_PUBLIC_DECRYPT), "RSA_public_decrypt"},
-+ {ERR_FUNC(RSA_F_RSA_PUBLIC_ENCRYPT), "RSA_public_encrypt"},
-+ {ERR_FUNC(RSA_F_RSA_SET_METHOD), "RSA_set_method"},
-+ {ERR_FUNC(RSA_F_RSA_SET_DEFAULT_METHOD), "RSA_set_default_method"},
- {ERR_FUNC(RSA_F_RSA_SETUP_BLINDING), "RSA_setup_blinding"},
- {ERR_FUNC(RSA_F_RSA_SIGN), "RSA_sign"},
- {ERR_FUNC(RSA_F_RSA_SIGN_ASN1_OCTET_STRING),
-@@ -135,10 +143,13 @@ static ERR_STRING_DATA RSA_str_reasons[]
- {ERR_REASON(RSA_R_LAST_OCTET_INVALID), "last octet invalid"},
- {ERR_REASON(RSA_R_MODULUS_TOO_LARGE), "modulus too large"},
- {ERR_REASON(RSA_R_NO_PUBLIC_EXPONENT), "no public exponent"},
-+ {ERR_REASON(RSA_R_NON_FIPS_RSA_METHOD), "non FIPS rsa method"},
- {ERR_REASON(RSA_R_NULL_BEFORE_BLOCK_MISSING),
- "null before block missing"},
- {ERR_REASON(RSA_R_N_DOES_NOT_EQUAL_P_Q), "n does not equal p q"},
- {ERR_REASON(RSA_R_OAEP_DECODING_ERROR), "oaep decoding error"},
-+ {ERR_REASON(RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE),
-+ "operation not allowed in FIPS mode"},
- {ERR_REASON(RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE),
- "operation not supported for this keytype"},
- {ERR_REASON(RSA_R_PADDING_CHECK_FAILED), "padding check failed"},
-diff -up openssl-1.1.0h/crypto/rsa/rsa_gen.c.fips openssl-1.1.0h/crypto/rsa/rsa_gen.c
---- openssl-1.1.0h/crypto/rsa/rsa_gen.c.fips 2018-06-08 14:56:32.413411585 +0200
-+++ openssl-1.1.0h/crypto/rsa/rsa_gen.c 2018-06-18 14:51:57.773846354 +0200
-@@ -18,6 +18,75 @@
- #include "internal/cryptlib.h"
- #include <openssl/bn.h>
- #include "rsa_locl.h"
-+#ifdef OPENSSL_FIPS
-+# include <openssl/fips.h>
-+# include "internal/fips_int.h"
-+
-+int fips_check_rsa(RSA *rsa)
-+{
-+ const unsigned char tbs[] = "RSA Pairwise Check Data";
-+ unsigned char *ctbuf = NULL, *ptbuf = NULL;
-+ int len, ret = 0;
-+ EVP_PKEY *pk;
-+
-+ if ((pk = EVP_PKEY_new()) == NULL)
-+ goto err;
-+
-+ EVP_PKEY_set1_RSA(pk, rsa);
-+
-+ /* Perform pairwise consistency signature test */
-+ if (!fips_pkey_signature_test(pk, tbs, -1,
-+ NULL, 0, EVP_sha1(),
-+ EVP_MD_CTX_FLAG_PAD_PKCS1, NULL)
-+ || !fips_pkey_signature_test(pk, tbs, -1, NULL, 0, EVP_sha1(),
-+ EVP_MD_CTX_FLAG_PAD_X931, NULL)
-+ || !fips_pkey_signature_test(pk, tbs, -1, NULL, 0, EVP_sha1(),
-+ EVP_MD_CTX_FLAG_PAD_PSS, NULL))
-+ goto err;
-+ /* Now perform pairwise consistency encrypt/decrypt test */
-+ ctbuf = OPENSSL_malloc(RSA_size(rsa));
-+ if (!ctbuf)
-+ goto err;
-+
-+ len =
-+ RSA_public_encrypt(sizeof(tbs) - 1, tbs, ctbuf, rsa,
-+ RSA_PKCS1_PADDING);
-+ if (len <= 0)
-+ goto err;
-+ /* Check ciphertext doesn't match plaintext */
-+ if ((len == (sizeof(tbs) - 1)) && !memcmp(tbs, ctbuf, len))
-+ goto err;
-+ ptbuf = OPENSSL_malloc(RSA_size(rsa));
-+
-+ if (!ptbuf)
-+ goto err;
-+ len = RSA_private_decrypt(len, ctbuf, ptbuf, rsa, RSA_PKCS1_PADDING);
-+ if (len != (sizeof(tbs) - 1))
-+ goto err;
-+ if (memcmp(ptbuf, tbs, len))
-+ goto err;
-+
-+ ret = 1;
-+
-+ if (!ptbuf)
-+ goto err;
-+
-+ err:
-+ if (ret == 0) {
-+ fips_set_selftest_fail();
-+ FIPSerr(FIPS_F_FIPS_CHECK_RSA, FIPS_R_PAIRWISE_TEST_FAILED);
-+ }
-+
-+ if (ctbuf)
-+ OPENSSL_free(ctbuf);
-+ if (ptbuf)
-+ OPENSSL_free(ptbuf);
-+ if (pk)
-+ EVP_PKEY_free(pk);
-+
-+ return ret;
-+}
-+#endif
-
- static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
- BN_GENCB *cb);
-@@ -31,11 +100,281 @@ static int rsa_builtin_keygen(RSA *rsa,
- */
- int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
- {
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
-+ && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
-+ RSAerr(RSA_F_RSA_GENERATE_KEY_EX, RSA_R_NON_FIPS_RSA_METHOD);
-+ return 0;
-+ }
-+#endif
- if (rsa->meth->rsa_keygen)
- return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);
- return rsa_builtin_keygen(rsa, bits, e_value, cb);
- }
-
-+#ifdef OPENSSL_FIPS
-+static int fips_rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
-+ BN_GENCB *cb)
-+{
-+ BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp;
-+ BN_CTX *ctx = NULL;
-+ int ok = -1;
-+ int i;
-+ int n = 0;
-+ int test = 0;
-+ int pbits = bits / 2;
-+ unsigned long error = 0;
-+
-+ if (FIPS_selftest_failed()) {
-+ FIPSerr(FIPS_F_FIPS_RSA_BUILTIN_KEYGEN, FIPS_R_FIPS_SELFTEST_FAILED);
-+ return 0;
-+ }
-+
-+ if ((pbits & 0xFF)
-+ || (getenv("OPENSSL_ENFORCE_MODULUS_BITS") && bits < 2048)) {
-+ FIPSerr(FIPS_F_FIPS_RSA_BUILTIN_KEYGEN, FIPS_R_INVALID_KEY_LENGTH);
-+ return 0;
-+ }
-+
-+ ctx = BN_CTX_new();
-+ if (ctx == NULL)
-+ goto err;
-+ BN_CTX_start(ctx);
-+ r0 = BN_CTX_get(ctx);
-+ r1 = BN_CTX_get(ctx);
-+ r2 = BN_CTX_get(ctx);
-+ r3 = BN_CTX_get(ctx);
-+
-+ if (r3 == NULL)
-+ goto err;
-+
-+ /* We need the RSA components non-NULL */
-+ if (!rsa->n && ((rsa->n = BN_new()) == NULL))
-+ goto err;
-+ if (!rsa->d && ((rsa->d = BN_secure_new()) == NULL))
-+ goto err;
-+ if (!rsa->e && ((rsa->e = BN_new()) == NULL))
-+ goto err;
-+ if (!rsa->p && ((rsa->p = BN_secure_new()) == NULL))
-+ goto err;
-+ if (!rsa->q && ((rsa->q = BN_secure_new()) == NULL))
-+ goto err;
-+ if (!rsa->dmp1 && ((rsa->dmp1 = BN_secure_new()) == NULL))
-+ goto err;
-+ if (!rsa->dmq1 && ((rsa->dmq1 = BN_secure_new()) == NULL))
-+ goto err;
-+ if (!rsa->iqmp && ((rsa->iqmp = BN_secure_new()) == NULL))
-+ goto err;
-+
-+ if (!BN_set_word(r0, RSA_F4))
-+ goto err;
-+ if (BN_cmp(e_value, r0) < 0 || BN_num_bits(e_value) > 256) {
-+ ok = 0; /* we set our own err */
-+ RSAerr(RSA_F_FIPS_RSA_BUILTIN_KEYGEN, RSA_R_BAD_E_VALUE);
-+ goto err;
-+ }
-+
-+ /* prepare approximate minimum p and q */
-+ if (!BN_set_word(r0, 0xB504F334))
-+ goto err;
-+ if (!BN_lshift(r0, r0, pbits - 32))
-+ goto err;
-+
-+ /* prepare minimum p and q difference */
-+ if (!BN_one(r3))
-+ goto err;
-+ if (!BN_lshift(r3, r3, pbits - 100))
-+ goto err;
-+
-+ BN_copy(rsa->e, e_value);
-+
-+ if (!BN_is_zero(rsa->p) && !BN_is_zero(rsa->q))
-+ test = 1;
-+
-+ BN_set_flags(r0, BN_FLG_CONSTTIME);
-+ BN_set_flags(r1, BN_FLG_CONSTTIME);
-+ BN_set_flags(r2, BN_FLG_CONSTTIME);
-+ BN_set_flags(rsa->p, BN_FLG_CONSTTIME);
-+ BN_set_flags(rsa->q, BN_FLG_CONSTTIME);
-+
-+ retry:
-+ /* generate p and q */
-+ for (i = 0; i < 5 * pbits; i++) {
-+ ploop:
-+ if (!test)
-+ if (!BN_rand(rsa->p, pbits, 0, 1))
-+ goto err;
-+ if (BN_cmp(rsa->p, r0) < 0) {
-+ if (test)
-+ goto err;
-+ goto ploop;
-+ }
-+
-+ if (!BN_sub(r2, rsa->p, BN_value_one()))
-+ goto err;
-+ ERR_set_mark();
-+ if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
-+ /* GCD == 1 since inverse exists */
-+ int r;
-+ r = BN_is_prime_fasttest_ex(rsa->p, pbits > 1024 ? 4 : 5, ctx, 0,
-+ cb);
-+ if (r == -1 || (test && r <= 0))
-+ goto err;
-+ if (r > 0)
-+ break;
-+ } else {
-+ error = ERR_peek_last_error();
-+ if (ERR_GET_LIB(error) == ERR_LIB_BN
-+ && ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
-+ /* GCD != 1 */
-+ ERR_pop_to_mark();
-+ } else {
-+ goto err;
-+ }
-+ }
-+ if (!BN_GENCB_call(cb, 2, n++))
-+ goto err;
-+ }
-+
-+ if (!BN_GENCB_call(cb, 3, 0))
-+ goto err;
-+
-+ if (i >= 5 * pbits)
-+ /* prime not found */
-+ goto err;
-+
-+ for (i = 0; i < 5 * pbits; i++) {
-+ qloop:
-+ if (!test)
-+ if (!BN_rand(rsa->q, pbits, 0, 1))
-+ goto err;
-+ if (BN_cmp(rsa->q, r0) < 0) {
-+ if (test)
-+ goto err;
-+ goto qloop;
-+ }
-+ if (!BN_sub(r2, rsa->q, rsa->p))
-+ goto err;
-+ if (BN_ucmp(r2, r3) <= 0) {
-+ if (test)
-+ goto err;
-+ goto qloop;
-+ }
-+
-+ if (!BN_sub(r2, rsa->q, BN_value_one()))
-+ goto err;
-+ ERR_set_mark();
-+ if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
-+ /* GCD == 1 since inverse exists */
-+ int r;
-+ r = BN_is_prime_fasttest_ex(rsa->q, pbits > 1024 ? 4 : 5, ctx, 0,
-+ cb);
-+ if (r == -1 || (test && r <= 0))
-+ goto err;
-+ if (r > 0)
-+ break;
-+ } else {
-+ error = ERR_peek_last_error();
-+ if (ERR_GET_LIB(error) == ERR_LIB_BN
-+ && ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
-+ /* GCD != 1 */
-+ ERR_pop_to_mark();
-+ } else {
-+ goto err;
-+ }
-+ }
-+ if (!BN_GENCB_call(cb, 2, n++))
-+ goto err;
-+ }
-+
-+ if (!BN_GENCB_call(cb, 3, 1))
-+ goto err;
-+
-+ if (i >= 5 * pbits)
-+ /* prime not found */
-+ goto err;
-+
-+ if (test) {
-+ /* do not try to calculate the remaining key values */
-+ BN_clear(rsa->n);
-+ ok = 1;
-+ goto err;
-+ }
-+
-+ if (BN_cmp(rsa->p, rsa->q) < 0) {
-+ tmp = rsa->p;
-+ rsa->p = rsa->q;
-+ rsa->q = tmp;
-+ }
-+
-+ /* calculate n */
-+ if (!BN_mul(rsa->n, rsa->p, rsa->q, ctx))
-+ goto err;
-+
-+ /* calculate d */
-+ if (!BN_sub(r1, rsa->p, BN_value_one()))
-+ goto err; /* p-1 */
-+ if (!BN_sub(r2, rsa->q, BN_value_one()))
-+ goto err; /* q-1 */
-+
-+ /* note that computing gcd is not safe to timing attacks */
-+ if (!BN_gcd(r0, r1, r2, ctx))
-+ goto err;
-+
-+ {
-+ if (!BN_div(r0, NULL, r1, r0, ctx))
-+ goto err;
-+
-+ if (!BN_mul(r0, r0, r2, ctx)) /* lcm(p-1, q-1) */
-+ goto err;
-+
-+ if (!BN_mod_inverse(rsa->d, rsa->e, r0, ctx)) /* d */
-+ goto err;
-+ }
-+
-+ if (BN_num_bits(rsa->d) < pbits)
-+ goto retry; /* d is too small */
-+
-+ {
-+ BIGNUM *d = BN_new();
-+
-+ if (d == NULL)
-+ goto err;
-+ BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
-+
-+ if (/* calculate d mod (p-1) */
-+ !BN_mod(rsa->dmp1, d, r1, ctx)
-+ /* calculate d mod (q-1) */
-+ || !BN_mod(rsa->dmq1, d, r2, ctx)) {
-+ BN_free(d);
-+ goto err;
-+ }
-+ /* We MUST free d before any further use of rsa->d */
-+ BN_free(d);
-+ }
-+
-+ /* calculate inverse of q mod p */
-+ if (!BN_mod_inverse(rsa->iqmp, rsa->q, rsa->p, ctx))
-+ goto err;
-+
-+ if (!fips_check_rsa(rsa))
-+ goto err;
-+
-+ ok = 1;
-+ err:
-+ if (ok == -1) {
-+ RSAerr(RSA_F_FIPS_RSA_BUILTIN_KEYGEN, ERR_LIB_BN);
-+ ok = 0;
-+ }
-+ if (ctx != NULL) {
-+ BN_CTX_end(ctx);
-+ BN_CTX_free(ctx);
-+ }
-+
-+ return ok;
-+}
-+#endif
-+
- static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
- BN_GENCB *cb)
- {
-@@ -44,6 +383,16 @@ static int rsa_builtin_keygen(RSA *rsa,
- BN_CTX *ctx = NULL;
- unsigned long error = 0;
-
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode()) {
-+ if (bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS) {
-+ FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN, FIPS_R_KEY_TOO_SHORT);
-+ return 0;
-+ }
-+ return fips_rsa_builtin_keygen(rsa, bits, e_value, cb);
-+ }
-+#endif
-+
- /*
- * When generating ridiculously small keys, we can get stuck
- * continually regenerating the same prime values.
-diff -up openssl-1.1.0h/crypto/rsa/rsa_lib.c.fips openssl-1.1.0h/crypto/rsa/rsa_lib.c
---- openssl-1.1.0h/crypto/rsa/rsa_lib.c.fips 2018-03-27 15:50:39.000000000 +0200
-+++ openssl-1.1.0h/crypto/rsa/rsa_lib.c 2018-03-29 14:44:24.638236924 +0200
-@@ -32,6 +32,12 @@ int RSA_set_method(RSA *rsa, const RSA_M
- * to deal with which ENGINE it comes from.
- */
- const RSA_METHOD *mtmp;
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode() && !(meth->flags & RSA_FLAG_FIPS_METHOD)) {
-+ RSAerr(RSA_F_RSA_SET_METHOD, RSA_R_NON_FIPS_RSA_METHOD);
-+ return 0;
-+ }
-+#endif
- mtmp = rsa->meth;
- if (mtmp->finish)
- mtmp->finish(rsa);
-@@ -64,7 +70,6 @@ RSA *RSA_new_method(ENGINE *engine)
-
- ret->meth = RSA_get_default_method();
- #ifndef OPENSSL_NO_ENGINE
-- ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW;
- if (engine) {
- if (!ENGINE_init(engine)) {
- RSAerr(RSA_F_RSA_NEW_METHOD, ERR_R_ENGINE_LIB);
-@@ -81,8 +86,19 @@ RSA *RSA_new_method(ENGINE *engine)
- }
- }
- #endif
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode() && !(ret->meth->flags & RSA_FLAG_FIPS_METHOD)) {
-+ RSAerr(RSA_F_RSA_NEW_METHOD, RSA_R_NON_FIPS_RSA_METHOD);
-+# ifndef OPENSSL_NO_ENGINE
-+ if (ret->engine)
-+ ENGINE_finish(ret->engine);
-+# endif
-+ OPENSSL_free(ret);
-+ return NULL;
-+ }
-+#endif
-
-- ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW;
-+ ret->flags = ret->meth->flags;
- if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) {
- goto err;
- }
-diff -up openssl-1.1.0h/crypto/rsa/rsa_ossl.c.fips openssl-1.1.0h/crypto/rsa/rsa_ossl.c
---- openssl-1.1.0h/crypto/rsa/rsa_ossl.c.fips 2018-03-27 15:50:39.000000000 +0200
-+++ openssl-1.1.0h/crypto/rsa/rsa_ossl.c 2018-03-29 14:44:24.638236924 +0200
-@@ -11,6 +11,10 @@
- #include "internal/bn_int.h"
- #include "rsa_locl.h"
-
-+#ifdef OPENSSL_FIPS
-+# include <openssl/fips.h>
-+#endif
-+
- static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,
- unsigned char *to, RSA *rsa, int padding);
- static int rsa_ossl_private_encrypt(int flen, const unsigned char *from,
-@@ -45,6 +49,12 @@ static const RSA_METHOD *default_RSA_met
-
- void RSA_set_default_method(const RSA_METHOD *meth)
- {
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode() && !(meth->flags & RSA_FLAG_FIPS_METHOD)) {
-+ RSAerr(RSA_F_RSA_SET_DEFAULT_METHOD, RSA_R_NON_FIPS_RSA_METHOD);
-+ return;
-+ }
-+#endif
- default_RSA_meth = meth;
- }
-
-@@ -66,6 +76,22 @@ static int rsa_ossl_public_encrypt(int f
- unsigned char *buf = NULL;
- BN_CTX *ctx = NULL;
-
-+# ifdef OPENSSL_FIPS
-+ if (FIPS_mode()) {
-+ if (FIPS_selftest_failed()) {
-+ FIPSerr(FIPS_F_RSA_OSSL_PUBLIC_ENCRYPT,
-+ FIPS_R_FIPS_SELFTEST_FAILED);
-+ goto err;
-+ }
-+
-+ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
-+ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) {
-+ RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
-+ return -1;
-+ }
-+ }
-+# endif
-+
- if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
- RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);
- return -1;
-@@ -245,6 +271,22 @@ static int rsa_ossl_private_encrypt(int
- BIGNUM *unblind = NULL;
- BN_BLINDING *blinding = NULL;
-
-+# ifdef OPENSSL_FIPS
-+ if (FIPS_mode()) {
-+ if (FIPS_selftest_failed()) {
-+ FIPSerr(FIPS_F_RSA_OSSL_PRIVATE_ENCRYPT,
-+ FIPS_R_FIPS_SELFTEST_FAILED);
-+ return -1;
-+ }
-+
-+ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
-+ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) {
-+ RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
-+ return -1;
-+ }
-+ }
-+# endif
-+
- if ((ctx = BN_CTX_new()) == NULL)
- goto err;
- BN_CTX_start(ctx);
-@@ -380,6 +422,22 @@ static int rsa_ossl_private_decrypt(int
- BIGNUM *unblind = NULL;
- BN_BLINDING *blinding = NULL;
-
-+# ifdef OPENSSL_FIPS
-+ if (FIPS_mode()) {
-+ if (FIPS_selftest_failed()) {
-+ FIPSerr(FIPS_F_RSA_OSSL_PRIVATE_DECRYPT,
-+ FIPS_R_FIPS_SELFTEST_FAILED);
-+ return -1;
-+ }
-+
-+ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
-+ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) {
-+ RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
-+ return -1;
-+ }
-+ }
-+# endif
-+
- if ((ctx = BN_CTX_new()) == NULL)
- goto err;
- BN_CTX_start(ctx);
-@@ -504,6 +562,22 @@ static int rsa_ossl_public_decrypt(int f
- unsigned char *buf = NULL;
- BN_CTX *ctx = NULL;
-
-+# ifdef OPENSSL_FIPS
-+ if (FIPS_mode()) {
-+ if (FIPS_selftest_failed()) {
-+ FIPSerr(FIPS_F_RSA_OSSL_PUBLIC_DECRYPT,
-+ FIPS_R_FIPS_SELFTEST_FAILED);
-+ goto err;
-+ }
-+
-+ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
-+ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) {
-+ RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
-+ return -1;
-+ }
-+ }
-+# endif
-+
- if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
- RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);
- return -1;
-diff -up openssl-1.1.0h/crypto/rsa/rsa_sign.c.fips openssl-1.1.0h/crypto/rsa/rsa_sign.c
---- openssl-1.1.0h/crypto/rsa/rsa_sign.c.fips 2018-03-27 15:50:39.000000000 +0200
-+++ openssl-1.1.0h/crypto/rsa/rsa_sign.c 2018-03-29 14:44:24.638236924 +0200
-@@ -73,6 +73,13 @@ int RSA_sign(int type, const unsigned ch
- unsigned char *tmps = NULL;
- const unsigned char *encoded = NULL;
-
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
-+ && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
-+ RSAerr(RSA_F_RSA_SIGN, RSA_R_NON_FIPS_RSA_METHOD);
-+ return 0;
-+ }
-+#endif
- if (rsa->meth->rsa_sign) {
- return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa);
- }
-@@ -100,8 +107,9 @@ int RSA_sign(int type, const unsigned ch
- RSAerr(RSA_F_RSA_SIGN, RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
- goto err;
- }
-- encrypt_len = RSA_private_encrypt(encoded_len, encoded, sigret, rsa,
-- RSA_PKCS1_PADDING);
-+ /* NB: call underlying method directly to avoid FIPS blocking */
-+ encrypt_len = rsa->meth->rsa_priv_enc ? rsa->meth->rsa_priv_enc(encoded_len, encoded, sigret, rsa,
-+ RSA_PKCS1_PADDING) : 0;
- if (encrypt_len <= 0)
- goto err;
-
-diff -up openssl-1.1.0h/crypto/sha/sha_locl.h.fips openssl-1.1.0h/crypto/sha/sha_locl.h
---- openssl-1.1.0h/crypto/sha/sha_locl.h.fips 2018-03-29 14:44:24.237227506 +0200
-+++ openssl-1.1.0h/crypto/sha/sha_locl.h 2018-03-29 14:44:24.638236924 +0200
-@@ -52,6 +52,9 @@ void sha1_block_data_order(SHA_CTX *c, c
-
- int HASH_INIT(SHA_CTX *c)
- {
-+#if defined(OPENSSL_FIPS)
-+ FIPS_selftest_check();
-+#endif
- memset(c, 0, sizeof(*c));
- c->h0 = INIT_DATA_h0;
- c->h1 = INIT_DATA_h1;
-diff -up openssl-1.1.0h/crypto/sha/sha256.c.fips openssl-1.1.0h/crypto/sha/sha256.c
---- openssl-1.1.0h/crypto/sha/sha256.c.fips 2018-03-27 15:50:39.000000000 +0200
-+++ openssl-1.1.0h/crypto/sha/sha256.c 2018-03-29 14:44:24.639236948 +0200
-@@ -18,6 +18,9 @@
-
- int SHA224_Init(SHA256_CTX *c)
- {
-+# ifdef OPENSSL_FIPS
-+ FIPS_selftest_check();
-+# endif
- memset(c, 0, sizeof(*c));
- c->h[0] = 0xc1059ed8UL;
- c->h[1] = 0x367cd507UL;
-@@ -33,6 +36,9 @@ int SHA224_Init(SHA256_CTX *c)
-
- int SHA256_Init(SHA256_CTX *c)
- {
-+# ifdef OPENSSL_FIPS
-+ FIPS_selftest_check();
-+# endif
- memset(c, 0, sizeof(*c));
- c->h[0] = 0x6a09e667UL;
- c->h[1] = 0xbb67ae85UL;
-diff -up openssl-1.1.0h/crypto/sha/sha512.c.fips openssl-1.1.0h/crypto/sha/sha512.c
---- openssl-1.1.0h/crypto/sha/sha512.c.fips 2018-03-27 15:50:39.000000000 +0200
-+++ openssl-1.1.0h/crypto/sha/sha512.c 2018-03-29 14:44:24.639236948 +0200
-@@ -62,6 +62,9 @@
-
- int SHA384_Init(SHA512_CTX *c)
- {
-+# ifdef OPENSSL_FIPS
-+ FIPS_selftest_check();
-+# endif
- c->h[0] = U64(0xcbbb9d5dc1059ed8);
- c->h[1] = U64(0x629a292a367cd507);
- c->h[2] = U64(0x9159015a3070dd17);
-@@ -80,6 +83,9 @@ int SHA384_Init(SHA512_CTX *c)
-
- int SHA512_Init(SHA512_CTX *c)
- {
-+# ifdef OPENSSL_FIPS
-+ FIPS_selftest_check();
-+# endif
- c->h[0] = U64(0x6a09e667f3bcc908);
- c->h[1] = U64(0xbb67ae8584caa73b);
- c->h[2] = U64(0x3c6ef372fe94f82b);
-diff -up openssl-1.1.0h/doc/crypto/DSA_generate_parameters.pod.fips openssl-1.1.0h/doc/crypto/DSA_generate_parameters.pod
---- openssl-1.1.0h/doc/crypto/DSA_generate_parameters.pod.fips 2018-03-27 15:50:39.000000000 +0200
-+++ openssl-1.1.0h/doc/crypto/DSA_generate_parameters.pod 2018-03-29 14:44:24.639236948 +0200
-@@ -29,8 +29,10 @@ B<bits> is the length of the prime p to
- For lengths under 2048 bits, the length of q is 160 bits; for lengths
- greater than or equal to 2048 bits, the length of q is set to 256 bits.
-
--If B<seed> is NULL, the primes will be generated at random.
--If B<seed_len> is less than the length of q, an error is returned.
-+If B<seed> is NULL, or it does not generate primes, the primes will be
-+generated at random.
-+If B<seed_len> is less than the length of q, an error is returned
-+if old DSA parameter generation method is used as a backend.
-
- DSA_generate_parameters_ex() places the iteration count in
- *B<counter_ret> and a counter used for finding a generator in
-diff -up openssl-1.1.0h/include/openssl/crypto.h.fips openssl-1.1.0h/include/openssl/crypto.h
---- openssl-1.1.0h/include/openssl/crypto.h.fips 2018-03-27 15:50:40.000000000 +0200
-+++ openssl-1.1.0h/include/openssl/crypto.h 2018-03-29 14:44:24.640236971 +0200
-@@ -336,6 +336,11 @@ int OPENSSL_isservice(void);
- int FIPS_mode(void);
- int FIPS_mode_set(int r);
-
-+# ifdef OPENSSL_FIPS
-+/* die if FIPS selftest failed */
-+void FIPS_selftest_check(void);
-+# endif
-+
- void OPENSSL_init(void);
-
- struct tm *OPENSSL_gmtime(const time_t *timer, struct tm *result);
-diff -up openssl-1.1.0h/include/openssl/dh.h.fips openssl-1.1.0h/include/openssl/dh.h
---- openssl-1.1.0h/include/openssl/dh.h.fips 2018-03-27 15:50:40.000000000 +0200
-+++ openssl-1.1.0h/include/openssl/dh.h 2018-03-29 14:44:24.640236971 +0200
-@@ -30,6 +30,7 @@ extern "C" {
- # endif
-
- # define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
-+# define OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN 2048
-
- # define DH_FLAG_CACHE_MONT_P 0x01
-
-@@ -325,6 +326,9 @@ int ERR_load_DH_strings(void);
- # define DH_F_DH_CMS_DECRYPT 114
- # define DH_F_DH_CMS_SET_PEERKEY 115
- # define DH_F_DH_CMS_SET_SHARED_INFO 116
-+# define DH_F_DH_COMPUTE_KEY 203
-+# define DH_F_DH_GENERATE_KEY 202
-+# define DH_F_DH_GENERATE_PARAMETERS_EX 201
- # define DH_F_DH_METH_DUP 117
- # define DH_F_DH_METH_NEW 118
- # define DH_F_DH_METH_SET1_NAME 119
-@@ -346,10 +350,12 @@ int ERR_load_DH_strings(void);
- # define DH_R_DECODE_ERROR 104
- # define DH_R_INVALID_PUBKEY 102
- # define DH_R_KDF_PARAMETER_ERROR 112
-+# define DH_R_KEY_SIZE_TOO_SMALL 201
- # define DH_R_KEYS_NOT_SET 108
- # define DH_R_MODULUS_TOO_LARGE 103
- # define DH_R_NO_PARAMETERS_SET 107
- # define DH_R_NO_PRIVATE_VALUE 100
-+# define DH_R_NON_FIPS_METHOD 202
- # define DH_R_PARAMETER_ENCODING_ERROR 105
- # define DH_R_PEER_KEY_ERROR 111
- # define DH_R_SHARED_INFO_ERROR 113
-diff -up openssl-1.1.0h/include/openssl/dsa.h.fips openssl-1.1.0h/include/openssl/dsa.h
---- openssl-1.1.0h/include/openssl/dsa.h.fips 2018-03-27 15:50:40.000000000 +0200
-+++ openssl-1.1.0h/include/openssl/dsa.h 2018-03-29 14:44:24.641236994 +0200
-@@ -36,6 +36,7 @@ extern "C" {
- # endif
-
- # define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS 1024
-+# define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS_GEN 2048
-
- # define DSA_FLAG_CACHE_MONT_P 0x01
- # if OPENSSL_API_COMPAT < 0x10100000L
-@@ -146,9 +147,9 @@ int DSAparams_print_fp(FILE *fp, const D
- int DSA_print_fp(FILE *bp, const DSA *x, int off);
- # endif
-
--# define DSS_prime_checks 50
-+# define DSS_prime_checks 64
- /*
-- * Primality test according to FIPS PUB 186[-1], Appendix 2.1: 50 rounds of
-+ * Primality test according to FIPS PUB 186-4, Appendix 2.1: 64 rounds of
- * Rabin-Miller
- */
- # define DSA_is_prime(n, callback, cb_arg) \
-@@ -241,8 +242,11 @@ int ERR_load_DSA_strings(void);
- /* Function codes. */
- # define DSA_F_DSAPARAMS_PRINT 100
- # define DSA_F_DSAPARAMS_PRINT_FP 101
-+# define DSA_F_DSA_BUILTIN_KEYGEN 202
- # define DSA_F_DSA_BUILTIN_PARAMGEN 125
- # define DSA_F_DSA_BUILTIN_PARAMGEN2 126
-+# define DSA_F_DSA_GENERATE_KEY 201
-+# define DSA_F_DSA_GENERATE_PARAMETERS_EX 200
- # define DSA_F_DSA_DO_SIGN 112
- # define DSA_F_DSA_DO_VERIFY 113
- # define DSA_F_DSA_METH_DUP 127
-@@ -269,9 +273,12 @@ int ERR_load_DSA_strings(void);
- # define DSA_R_DECODE_ERROR 104
- # define DSA_R_INVALID_DIGEST_TYPE 106
- # define DSA_R_INVALID_PARAMETERS 112
-+# define DSA_R_KEY_SIZE_INVALID 201
-+# define DSA_R_KEY_SIZE_TOO_SMALL 202
- # define DSA_R_MISSING_PARAMETERS 101
- # define DSA_R_MODULUS_TOO_LARGE 103
- # define DSA_R_NO_PARAMETERS_SET 107
-+# define DSA_R_NON_FIPS_DSA_METHOD 200
- # define DSA_R_PARAMETER_ENCODING_ERROR 105
- # define DSA_R_Q_NOT_PRIME 113
- # define DSA_R_SEED_LEN_SMALL 110
-diff -up openssl-1.1.0h/include/openssl/evp.h.fips openssl-1.1.0h/include/openssl/evp.h
---- openssl-1.1.0h/include/openssl/evp.h.fips 2018-03-27 15:50:40.000000000 +0200
-+++ openssl-1.1.0h/include/openssl/evp.h 2018-03-29 14:44:24.641236994 +0200
-@@ -1461,6 +1461,7 @@ int ERR_load_EVP_strings(void);
- # define EVP_F_AES_OCB_CIPHER 169
- # define EVP_F_AES_T4_INIT_KEY 178
- # define EVP_F_AES_WRAP_CIPHER 170
-+# define EVP_F_AES_XTS_CIPHER 200
- # define EVP_F_ALG_MODULE_INIT 177
- # define EVP_F_CAMELLIA_INIT_KEY 159
- # define EVP_F_CHACHA20_POLY1305_CTRL 182
-@@ -1539,6 +1540,7 @@ int ERR_load_EVP_strings(void);
- # define EVP_R_CTRL_OPERATION_NOT_IMPLEMENTED 133
- # define EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH 138
- # define EVP_R_DECODE_ERROR 114
-+# define EVP_R_DISABLED_FOR_FIPS 200
- # define EVP_R_DIFFERENT_KEY_TYPES 101
- # define EVP_R_DIFFERENT_PARAMETERS 153
- # define EVP_R_ERROR_LOADING_SECTION 165
-@@ -1575,6 +1577,7 @@ int ERR_load_EVP_strings(void);
- # define EVP_R_PRIVATE_KEY_DECODE_ERROR 145
- # define EVP_R_PRIVATE_KEY_ENCODE_ERROR 146
- # define EVP_R_PUBLIC_KEY_NOT_RSA 106
-+# define EVP_R_TOO_LARGE 201
- # define EVP_R_UNKNOWN_CIPHER 160
- # define EVP_R_UNKNOWN_DIGEST 161
- # define EVP_R_UNKNOWN_OPTION 169
-diff -up openssl-1.1.0h/include/openssl/fips.h.fips openssl-1.1.0h/include/openssl/fips.h
---- openssl-1.1.0h/include/openssl/fips.h.fips 2018-03-29 14:44:24.641236994 +0200
-+++ openssl-1.1.0h/include/openssl/fips.h 2018-03-29 14:44:24.641236994 +0200
-@@ -0,0 +1,186 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <openssl/opensslconf.h>
-+#include <openssl/dsa.h>
-+#include <openssl/evp.h>
-+#include <openssl/bn.h>
-+
-+#ifndef OPENSSL_FIPS
-+# error FIPS is disabled.
-+#endif
-+
-+#ifdef OPENSSL_FIPS
-+
-+# ifdef __cplusplus
-+extern "C" {
-+# endif
-+
-+ int FIPS_selftest(void);
-+ int FIPS_selftest_failed(void);
-+ int FIPS_selftest_drbg_all(void);
-+
-+ int FIPS_dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N,
-+ const EVP_MD *evpmd, const unsigned char *seed_in,
-+ size_t seed_len, int idx, unsigned char *seed_out,
-+ int *counter_ret, unsigned long *h_ret,
-+ BN_GENCB *cb);
-+ int FIPS_dsa_paramgen_check_g(DSA *dsa);
-+
-+/* BEGIN ERROR CODES */
-+/* The following lines are auto generated by the script mkerr.pl. Any changes
-+ * made after this point may be overwritten when the script is next run.
-+ */
-+ int ERR_load_FIPS_strings(void);
-+
-+/* Error codes for the FIPS functions. */
-+
-+/* Function codes. */
-+# define FIPS_F_DH_BUILTIN_GENPARAMS 100
-+# define FIPS_F_DRBG_RESEED 121
-+# define FIPS_F_DSA_BUILTIN_PARAMGEN2 107
-+# define FIPS_F_DSA_DO_SIGN 102
-+# define FIPS_F_DSA_DO_VERIFY 103
-+# define FIPS_F_EVP_CIPHER_CTX_NEW 137
-+# define FIPS_F_EVP_CIPHER_CTX_RESET 122
-+# define FIPS_F_ECDH_COMPUTE_KEY 123
-+# define FIPS_F_EVP_CIPHERINIT_EX 124
-+# define FIPS_F_EVP_DIGESTINIT_EX 125
-+# define FIPS_F_FIPS_CHECK_DSA 104
-+# define FIPS_F_FIPS_CHECK_EC 142
-+# define FIPS_F_FIPS_CHECK_RSA 106
-+# define FIPS_F_FIPS_DRBG_BYTES 131
-+# define FIPS_F_FIPS_DRBG_CHECK 146
-+# define FIPS_F_FIPS_DRBG_CPRNG_TEST 132
-+# define FIPS_F_FIPS_DRBG_ERROR_CHECK 136
-+# define FIPS_F_FIPS_DRBG_GENERATE 134
-+# define FIPS_F_FIPS_DRBG_INIT 135
-+# define FIPS_F_FIPS_DRBG_INSTANTIATE 138
-+# define FIPS_F_FIPS_DRBG_NEW 139
-+# define FIPS_F_FIPS_DRBG_RESEED 140
-+# define FIPS_F_FIPS_DRBG_SINGLE_KAT 141
-+# define FIPS_F_FIPS_GET_ENTROPY 147
-+# define FIPS_F_FIPS_MODULE_MODE_SET 108
-+# define FIPS_F_FIPS_PKEY_SIGNATURE_TEST 109
-+# define FIPS_F_FIPS_RAND_BYTES 114
-+# define FIPS_F_FIPS_RAND_SEED 128
-+# define FIPS_F_FIPS_RAND_SET_METHOD 126
-+# define FIPS_F_FIPS_RAND_STATUS 127
-+# define FIPS_F_FIPS_RSA_BUILTIN_KEYGEN 101
-+# define FIPS_F_FIPS_SELFTEST_AES 110
-+# define FIPS_F_FIPS_SELFTEST_AES_CCM 145
-+# define FIPS_F_FIPS_SELFTEST_AES_GCM 129
-+# define FIPS_F_FIPS_SELFTEST_AES_XTS 144
-+# define FIPS_F_FIPS_SELFTEST_CMAC 130
-+# define FIPS_F_FIPS_SELFTEST_DES 111
-+# define FIPS_F_FIPS_SELFTEST_DSA 112
-+# define FIPS_F_FIPS_SELFTEST_ECDSA 133
-+# define FIPS_F_FIPS_SELFTEST_HMAC 113
-+# define FIPS_F_FIPS_SELFTEST_SHA1 115
-+# define FIPS_F_FIPS_SELFTEST_SHA2 105
-+# define FIPS_F_OSSL_ECDSA_SIGN_SIG 143
-+# define FIPS_F_OSSL_ECDSA_VERIFY_SIG 148
-+# define FIPS_F_RSA_BUILTIN_KEYGEN 116
-+# define FIPS_F_RSA_OSSL_INIT 149
-+# define FIPS_F_RSA_OSSL_PRIVATE_DECRYPT 117
-+# define FIPS_F_RSA_OSSL_PRIVATE_ENCRYPT 118
-+# define FIPS_F_RSA_OSSL_PUBLIC_DECRYPT 119
-+# define FIPS_F_RSA_OSSL_PUBLIC_ENCRYPT 120
-+
-+/* Reason codes. */
-+# define FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED 150
-+# define FIPS_R_ADDITIONAL_INPUT_TOO_LONG 125
-+# define FIPS_R_ALREADY_INSTANTIATED 134
-+# define FIPS_R_DRBG_NOT_INITIALISED 152
-+# define FIPS_R_DRBG_STUCK 103
-+# define FIPS_R_ENTROPY_ERROR_UNDETECTED 104
-+# define FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED 105
-+# define FIPS_R_ENTROPY_SOURCE_STUCK 142
-+# define FIPS_R_ERROR_INITIALISING_DRBG 115
-+# define FIPS_R_ERROR_INSTANTIATING_DRBG 127
-+# define FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT 124
-+# define FIPS_R_ERROR_RETRIEVING_ENTROPY 122
-+# define FIPS_R_ERROR_RETRIEVING_NONCE 140
-+# define FIPS_R_FINGERPRINT_DOES_NOT_MATCH 110
-+# define FIPS_R_FIPS_MODE_ALREADY_SET 102
-+# define FIPS_R_FIPS_SELFTEST_FAILED 106
-+# define FIPS_R_FUNCTION_ERROR 116
-+# define FIPS_R_GENERATE_ERROR 137
-+# define FIPS_R_GENERATE_ERROR_UNDETECTED 118
-+# define FIPS_R_INSTANTIATE_ERROR 119
-+# define FIPS_R_INTERNAL_ERROR 121
-+# define FIPS_R_INVALID_KEY_LENGTH 109
-+# define FIPS_R_IN_ERROR_STATE 123
-+# define FIPS_R_KEY_TOO_SHORT 108
-+# define FIPS_R_NONCE_ERROR_UNDETECTED 149
-+# define FIPS_R_NON_FIPS_METHOD 100
-+# define FIPS_R_NOPR_TEST1_FAILURE 145
-+# define FIPS_R_NOPR_TEST2_FAILURE 146
-+# define FIPS_R_NOT_INSTANTIATED 126
-+# define FIPS_R_PAIRWISE_TEST_FAILED 107
-+# define FIPS_R_PERSONALISATION_ERROR_UNDETECTED 128
-+# define FIPS_R_PERSONALISATION_STRING_TOO_LONG 129
-+# define FIPS_R_PR_TEST1_FAILURE 147
-+# define FIPS_R_PR_TEST2_FAILURE 148
-+# define FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED 130
-+# define FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG 131
-+# define FIPS_R_RESEED_COUNTER_ERROR 132
-+# define FIPS_R_RESEED_ERROR 133
-+# define FIPS_R_SELFTEST_FAILED 101
-+# define FIPS_R_SELFTEST_FAILURE 135
-+# define FIPS_R_TEST_FAILURE 117
-+# define FIPS_R_UNINSTANTIATE_ERROR 141
-+# define FIPS_R_UNINSTANTIATE_ZEROISE_ERROR 138
-+# define FIPS_R_UNSUPPORTED_DRBG_TYPE 139
-+# define FIPS_R_UNSUPPORTED_PLATFORM 113
-+
-+# ifdef __cplusplus
-+}
-+# endif
-+#endif
-diff -up openssl-1.1.0h/include/openssl/fips_rand.h.fips openssl-1.1.0h/include/openssl/fips_rand.h
---- openssl-1.1.0h/include/openssl/fips_rand.h.fips 2018-03-29 14:44:24.641236994 +0200
-+++ openssl-1.1.0h/include/openssl/fips_rand.h 2018-03-29 14:44:24.641236994 +0200
-@@ -0,0 +1,145 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#ifndef HEADER_FIPS_RAND_H
-+# define HEADER_FIPS_RAND_H
-+
-+# include <openssl/aes.h>
-+# include <openssl/evp.h>
-+# include <openssl/hmac.h>
-+# include <openssl/rand.h>
-+
-+# ifdef OPENSSL_FIPS
-+
-+# ifdef __cplusplus
-+extern "C" {
-+# endif
-+ typedef struct drbg_ctx_st DRBG_CTX;
-+/* DRBG external flags */
-+/* Flag for CTR mode only: use derivation function ctr_df */
-+# define DRBG_FLAG_CTR_USE_DF 0x1
-+/* PRNG is in test state */
-+# define DRBG_FLAG_TEST 0x2
-+
-+ DRBG_CTX *FIPS_drbg_new(int type, unsigned int flags);
-+ int FIPS_drbg_init(DRBG_CTX *dctx, int type, unsigned int flags);
-+ int FIPS_drbg_instantiate(DRBG_CTX *dctx,
-+ const unsigned char *pers, size_t perslen);
-+ int FIPS_drbg_reseed(DRBG_CTX *dctx, const unsigned char *adin,
-+ size_t adinlen);
-+ int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
-+ int prediction_resistance,
-+ const unsigned char *adin, size_t adinlen);
-+
-+ int FIPS_drbg_uninstantiate(DRBG_CTX *dctx);
-+ void FIPS_drbg_free(DRBG_CTX *dctx);
-+
-+ int FIPS_drbg_set_callbacks(DRBG_CTX *dctx,
-+ size_t (*get_entropy) (DRBG_CTX *ctx,
-+ unsigned char **pout,
-+ int entropy,
-+ size_t min_len,
-+ size_t max_len),
-+ void (*cleanup_entropy) (DRBG_CTX *ctx,
-+ unsigned char *out,
-+ size_t olen),
-+ size_t entropy_blocklen,
-+ size_t (*get_nonce) (DRBG_CTX *ctx,
-+ unsigned char **pout,
-+ int entropy,
-+ size_t min_len,
-+ size_t max_len),
-+ void (*cleanup_nonce) (DRBG_CTX *ctx,
-+ unsigned char *out,
-+ size_t olen));
-+
-+ int FIPS_drbg_set_rand_callbacks(DRBG_CTX *dctx,
-+ size_t (*get_adin) (DRBG_CTX *ctx,
-+ unsigned char
-+ **pout),
-+ void (*cleanup_adin) (DRBG_CTX *ctx,
-+ unsigned char *out,
-+ size_t olen),
-+ int (*rand_seed_cb) (DRBG_CTX *ctx,
-+ const void *buf,
-+ int num),
-+ int (*rand_add_cb) (DRBG_CTX *ctx,
-+ const void *buf,
-+ int num,
-+ double entropy));
-+
-+ void *FIPS_drbg_get_app_data(DRBG_CTX *ctx);
-+ void FIPS_drbg_set_app_data(DRBG_CTX *ctx, void *app_data);
-+ size_t FIPS_drbg_get_blocklength(DRBG_CTX *dctx);
-+ int FIPS_drbg_get_strength(DRBG_CTX *dctx);
-+ void FIPS_drbg_set_check_interval(DRBG_CTX *dctx, int interval);
-+ void FIPS_drbg_set_reseed_interval(DRBG_CTX *dctx, int interval);
-+
-+ int FIPS_drbg_health_check(DRBG_CTX *dctx);
-+
-+ DRBG_CTX *FIPS_get_default_drbg(void);
-+ const RAND_METHOD *FIPS_drbg_method(void);
-+
-+ int FIPS_rand_set_method(const RAND_METHOD *meth);
-+ const RAND_METHOD *FIPS_rand_get_method(void);
-+
-+ void FIPS_rand_set_bits(int nbits);
-+
-+ int FIPS_rand_strength(void);
-+
-+/* 1.0.0 compat functions */
-+ int FIPS_rand_seed(const void *buf, int num);
-+ int FIPS_rand_bytes(unsigned char *out, int outlen);
-+ void FIPS_rand_reset(void);
-+ int FIPS_rand_status(void);
-+# ifdef __cplusplus
-+}
-+# endif
-+# endif
-+#endif
-diff -up openssl-1.1.0h/include/openssl/opensslconf.h.in.fips openssl-1.1.0h/include/openssl/opensslconf.h.in
---- openssl-1.1.0h/include/openssl/opensslconf.h.in.fips 2018-03-27 15:50:40.000000000 +0200
-+++ openssl-1.1.0h/include/openssl/opensslconf.h.in 2018-03-29 14:44:24.642237018 +0200
-@@ -136,6 +136,11 @@ extern "C" {
-
- #define RC4_INT {- $config{rc4_int} -}
-
-+/* Always build FIPS module */
-+#ifndef OPENSSL_FIPS
-+# define OPENSSL_FIPS
-+#endif
-+
- #ifdef __cplusplus
- }
- #endif
-diff -up openssl-1.1.0h/include/openssl/rand.h.fips openssl-1.1.0h/include/openssl/rand.h
---- openssl-1.1.0h/include/openssl/rand.h.fips 2018-03-27 15:50:40.000000000 +0200
-+++ openssl-1.1.0h/include/openssl/rand.h 2018-03-29 14:44:24.642237018 +0200
-@@ -67,6 +67,11 @@ DEPRECATEDIN_1_1_0(void RAND_screen(void
- DEPRECATEDIN_1_1_0(int RAND_event(UINT, WPARAM, LPARAM))
- #endif
-
-+# ifdef OPENSSL_FIPS
-+void RAND_set_fips_drbg_type(int type, int flags);
-+int RAND_init_fips(void);
-+# endif
-+
- /* BEGIN ERROR CODES */
- /*
- * The following lines are auto generated by the script mkerr.pl. Any changes
-@@ -79,8 +84,11 @@ int ERR_load_RAND_strings(void);
-
- /* Function codes. */
- # define RAND_F_RAND_BYTES 100
-+# define RAND_F_RAND_INIT_FIPS 200
-
- /* Reason codes. */
-+# define RAND_R_ERROR_INITIALISING_DRBG 200
-+# define RAND_R_ERROR_INSTANTIATING_DRBG 201
- # define RAND_R_PRNG_NOT_SEEDED 100
-
- # ifdef __cplusplus
-diff -up openssl-1.1.0h/include/openssl/rsa.h.fips openssl-1.1.0h/include/openssl/rsa.h
---- openssl-1.1.0h/include/openssl/rsa.h.fips 2018-03-27 15:50:40.000000000 +0200
-+++ openssl-1.1.0h/include/openssl/rsa.h 2018-03-29 14:44:24.642237018 +0200
-@@ -463,6 +463,7 @@ int ERR_load_RSA_strings(void);
- /* Function codes. */
- # define RSA_F_CHECK_PADDING_MD 140
- # define RSA_F_ENCODE_PKCS1 146
-+# define RSA_F_FIPS_RSA_BUILTIN_KEYGEN 206
- # define RSA_F_INT_RSA_VERIFY 145
- # define RSA_F_OLD_RSA_PRIV_DECODE 147
- # define RSA_F_PKEY_RSA_CTRL 143
-@@ -475,6 +476,7 @@ int ERR_load_RSA_strings(void);
- # define RSA_F_RSA_CHECK_KEY 123
- # define RSA_F_RSA_CHECK_KEY_EX 160
- # define RSA_F_RSA_CMS_DECRYPT 159
-+# define RSA_F_RSA_GENERATE_KEY_EX 204
- # define RSA_F_RSA_ITEM_VERIFY 148
- # define RSA_F_RSA_METH_DUP 161
- # define RSA_F_RSA_METH_NEW 162
-@@ -509,9 +511,15 @@ int ERR_load_RSA_strings(void);
- # define RSA_F_RSA_PRINT 115
- # define RSA_F_RSA_PRINT_FP 116
- # define RSA_F_RSA_PRIV_ENCODE 138
-+# define RSA_F_RSA_PRIVATE_DECRYPT 200
-+# define RSA_F_RSA_PRIVATE_ENCRYPT 201
- # define RSA_F_RSA_PSS_TO_CTX 155
- # define RSA_F_RSA_PUB_DECODE 139
-+# define RSA_F_RSA_PUBLIC_DECRYPT 202
-+# define RSA_F_RSA_PUBLIC_ENCRYPT 203
- # define RSA_F_RSA_SETUP_BLINDING 136
-+# define RSA_F_RSA_SET_DEFAULT_METHOD 205
-+# define RSA_F_RSA_SET_METHOD 204
- # define RSA_F_RSA_SIGN 117
- # define RSA_F_RSA_SIGN_ASN1_OCTET_STRING 118
- # define RSA_F_RSA_VERIFY 119
-@@ -558,9 +566,11 @@ int ERR_load_RSA_strings(void);
- # define RSA_R_LAST_OCTET_INVALID 134
- # define RSA_R_MODULUS_TOO_LARGE 105
- # define RSA_R_NO_PUBLIC_EXPONENT 140
-+# define RSA_R_NON_FIPS_RSA_METHOD 200
- # define RSA_R_NULL_BEFORE_BLOCK_MISSING 113
- # define RSA_R_N_DOES_NOT_EQUAL_P_Q 127
- # define RSA_R_OAEP_DECODING_ERROR 121
-+# define RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE 201
- # define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148
- # define RSA_R_PADDING_CHECK_FAILED 114
- # define RSA_R_PKCS_DECODING_ERROR 159
-diff -up openssl-1.1.0h/ssl/ssl_ciph.c.fips openssl-1.1.0h/ssl/ssl_ciph.c
---- openssl-1.1.0h/ssl/ssl_ciph.c.fips 2018-03-29 14:44:24.625236619 +0200
-+++ openssl-1.1.0h/ssl/ssl_ciph.c 2018-03-29 14:44:24.643237042 +0200
-@@ -404,7 +404,8 @@ void ssl_load_ciphers(void)
- }
- }
- /* Make sure we can access MD5 and SHA1 */
-- OPENSSL_assert(ssl_digest_methods[SSL_MD_MD5_IDX] != NULL);
-+ if (!FIPS_mode())
-+ OPENSSL_assert(ssl_digest_methods[SSL_MD_MD5_IDX] != NULL);
- OPENSSL_assert(ssl_digest_methods[SSL_MD_SHA1_IDX] != NULL);
-
- disabled_mkey_mask = 0;
-@@ -687,7 +688,7 @@ static void ssl_cipher_collect_ciphers(c
- /* drop those that use any of that is not available */
- if (c == NULL || !c->valid)
- continue;
-- if (FIPS_mode() && (c->algo_strength & SSL_FIPS))
-+ if (FIPS_mode() && !(c->algo_strength & SSL_FIPS))
- continue;
- if ((c->algorithm_mkey & disabled_mkey) ||
- (c->algorithm_auth & disabled_auth) ||
-diff -up openssl-1.1.0h/ssl/ssl_init.c.fips openssl-1.1.0h/ssl/ssl_init.c
---- openssl-1.1.0h/ssl/ssl_init.c.fips 2018-03-27 15:50:40.000000000 +0200
-+++ openssl-1.1.0h/ssl/ssl_init.c 2018-03-29 14:44:24.643237042 +0200
-@@ -28,6 +28,10 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_ssl_bas
- fprintf(stderr, "OPENSSL_INIT: ossl_init_ssl_base: "
- "Adding SSL ciphers and digests\n");
- #endif
-+#ifdef OPENSSL_FIPS
-+ if (!FIPS_mode()) {
-+#endif
-+
- #ifndef OPENSSL_NO_DES
- EVP_add_cipher(EVP_des_cbc());
- EVP_add_cipher(EVP_des_ede3_cbc());
-@@ -84,6 +88,31 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_ssl_bas
- EVP_add_digest(EVP_sha256());
- EVP_add_digest(EVP_sha384());
- EVP_add_digest(EVP_sha512());
-+#ifdef OPENSSL_FIPS
-+ } else {
-+# ifndef OPENSSL_NO_DES
-+ EVP_add_cipher(EVP_des_ede3_cbc());
-+# endif
-+ EVP_add_cipher(EVP_aes_128_cbc());
-+ EVP_add_cipher(EVP_aes_192_cbc());
-+ EVP_add_cipher(EVP_aes_256_cbc());
-+ EVP_add_cipher(EVP_aes_128_gcm());
-+ EVP_add_cipher(EVP_aes_256_gcm());
-+ EVP_add_cipher(EVP_aes_128_ccm());
-+ EVP_add_cipher(EVP_aes_256_ccm());
-+# ifndef OPENSSL_NO_MD5
-+ /* needed even in the FIPS mode for TLS-1.0 */
-+ EVP_add_digest(EVP_md5_sha1());
-+# endif
-+ EVP_add_digest(EVP_sha1()); /* RSA with sha1 */
-+ EVP_add_digest_alias(SN_sha1, "ssl3-sha1");
-+ EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA);
-+ EVP_add_digest(EVP_sha224());
-+ EVP_add_digest(EVP_sha256());
-+ EVP_add_digest(EVP_sha384());
-+ EVP_add_digest(EVP_sha512());
-+ }
-+#endif
- #ifndef OPENSSL_NO_COMP
- # ifdef OPENSSL_INIT_DEBUG
- fprintf(stderr, "OPENSSL_INIT: ossl_init_ssl_base: "
-diff -up openssl-1.1.0h/ssl/ssl_lib.c.fips openssl-1.1.0h/ssl/ssl_lib.c
---- openssl-1.1.0h/ssl/ssl_lib.c.fips 2018-03-29 14:44:24.625236619 +0200
-+++ openssl-1.1.0h/ssl/ssl_lib.c 2018-03-29 14:44:24.643237042 +0200
-@@ -2588,13 +2588,17 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
- if (ret->param == NULL)
- goto err;
-
-- if ((ret->md5 = EVP_get_digestbyname("ssl3-md5")) == NULL) {
-- SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES);
-- goto err2;
-- }
-- if ((ret->sha1 = EVP_get_digestbyname("ssl3-sha1")) == NULL) {
-- SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES);
-- goto err2;
-+ if (!FIPS_mode()) {
-+ if ((ret->md5 = EVP_get_digestbyname("ssl3-md5")) == NULL) {
-+ SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES);
-+ goto err2;
-+ }
-+ if ((ret->sha1 = EVP_get_digestbyname("ssl3-sha1")) == NULL) {
-+ SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES);
-+ goto err2;
-+ }
-+ } else {
-+ ret->min_proto_version = TLS1_VERSION;
- }
-
- if ((ret->client_CA = sk_X509_NAME_new_null()) == NULL)
-diff -up openssl-1.1.0h/test/dsatest.c.fips openssl-1.1.0h/test/dsatest.c
---- openssl-1.1.0h/test/dsatest.c.fips 2018-03-27 15:50:41.000000000 +0200
-+++ openssl-1.1.0h/test/dsatest.c 2018-03-29 14:44:24.644237065 +0200
-@@ -32,41 +32,42 @@ int main(int argc, char *argv[])
-
- static int dsa_cb(int p, int n, BN_GENCB *arg);
-
--/*
-- * seed, out_p, out_q, out_g are taken from the updated Appendix 5 to FIPS
-- * PUB 186 and also appear in Appendix 5 to FIPS PIB 186-1
-- */
- static unsigned char seed[20] = {
-- 0xd5, 0x01, 0x4e, 0x4b, 0x60, 0xef, 0x2b, 0xa8, 0xb6, 0x21, 0x1b, 0x40,
-- 0x62, 0xba, 0x32, 0x24, 0xe0, 0x42, 0x7d, 0xd3,
-+ 0x02, 0x47, 0x11, 0x92, 0x11, 0x88, 0xC8, 0xFB, 0xAF, 0x48, 0x4C, 0x62,
-+ 0xDF, 0xA5, 0xBE, 0xA0, 0xA4, 0x3C, 0x56, 0xE3,
- };
-
- static unsigned char out_p[] = {
-- 0x8d, 0xf2, 0xa4, 0x94, 0x49, 0x22, 0x76, 0xaa,
-- 0x3d, 0x25, 0x75, 0x9b, 0xb0, 0x68, 0x69, 0xcb,
-- 0xea, 0xc0, 0xd8, 0x3a, 0xfb, 0x8d, 0x0c, 0xf7,
-- 0xcb, 0xb8, 0x32, 0x4f, 0x0d, 0x78, 0x82, 0xe5,
-- 0xd0, 0x76, 0x2f, 0xc5, 0xb7, 0x21, 0x0e, 0xaf,
-- 0xc2, 0xe9, 0xad, 0xac, 0x32, 0xab, 0x7a, 0xac,
-- 0x49, 0x69, 0x3d, 0xfb, 0xf8, 0x37, 0x24, 0xc2,
-- 0xec, 0x07, 0x36, 0xee, 0x31, 0xc8, 0x02, 0x91,
-+ 0xAC, 0xCB, 0x1E, 0x63, 0x60, 0x69, 0x0C, 0xFB, 0x06, 0x19, 0x68, 0x3E,
-+ 0xA5, 0x01, 0x5A, 0xA2, 0x15, 0x5C, 0xE2, 0x99, 0x2D, 0xD5, 0x30, 0x99,
-+ 0x7E, 0x5F, 0x8D, 0xE2, 0xF7, 0xC6, 0x2E, 0x8D, 0xA3, 0x9F, 0x58, 0xAD,
-+ 0xD6, 0xA9, 0x7D, 0x0E, 0x0D, 0x95, 0x53, 0xA6, 0x71, 0x3A, 0xDE, 0xAB,
-+ 0xAC, 0xE9, 0xF4, 0x36, 0x55, 0x9E, 0xB9, 0xD6, 0x93, 0xBF, 0xF3, 0x18,
-+ 0x1C, 0x14, 0x7B, 0xA5, 0x42, 0x2E, 0xCD, 0x00, 0xEB, 0x35, 0x3B, 0x1B,
-+ 0xA8, 0x51, 0xBB, 0xE1, 0x58, 0x42, 0x85, 0x84, 0x22, 0xA7, 0x97, 0x5E,
-+ 0x99, 0x6F, 0x38, 0x20, 0xBD, 0x9D, 0xB6, 0xD9, 0x33, 0x37, 0x2A, 0xFD,
-+ 0xBB, 0xD4, 0xBC, 0x0C, 0x2A, 0x67, 0xCB, 0x9F, 0xBB, 0xDF, 0xF9, 0x93,
-+ 0xAA, 0xD6, 0xF0, 0xD6, 0x95, 0x0B, 0x5D, 0x65, 0x14, 0xD0, 0x18, 0x9D,
-+ 0xC6, 0xAF, 0xF0, 0xC6, 0x37, 0x7C, 0xF3, 0x5F,
- };
-
- static unsigned char out_q[] = {
-- 0xc7, 0x73, 0x21, 0x8c, 0x73, 0x7e, 0xc8, 0xee,
-- 0x99, 0x3b, 0x4f, 0x2d, 0xed, 0x30, 0xf4, 0x8e,
-- 0xda, 0xce, 0x91, 0x5f,
-+ 0xE3, 0x8E, 0x5E, 0x6D, 0xBF, 0x2B, 0x79, 0xF8, 0xC5, 0x4B, 0x89, 0x8B,
-+ 0xBA, 0x2D, 0x91, 0xC3, 0x6C, 0x80, 0xAC, 0x87,
- };
-
- static unsigned char out_g[] = {
-- 0x62, 0x6d, 0x02, 0x78, 0x39, 0xea, 0x0a, 0x13,
-- 0x41, 0x31, 0x63, 0xa5, 0x5b, 0x4c, 0xb5, 0x00,
-- 0x29, 0x9d, 0x55, 0x22, 0x95, 0x6c, 0xef, 0xcb,
-- 0x3b, 0xff, 0x10, 0xf3, 0x99, 0xce, 0x2c, 0x2e,
-- 0x71, 0xcb, 0x9d, 0xe5, 0xfa, 0x24, 0xba, 0xbf,
-- 0x58, 0xe5, 0xb7, 0x95, 0x21, 0x92, 0x5c, 0x9c,
-- 0xc4, 0x2e, 0x9f, 0x6f, 0x46, 0x4b, 0x08, 0x8c,
-- 0xc5, 0x72, 0xaf, 0x53, 0xe6, 0xd7, 0x88, 0x02,
-+ 0x42, 0x4A, 0x04, 0x4E, 0x79, 0xB4, 0x99, 0x7F, 0xFD, 0x58, 0x36, 0x2C,
-+ 0x1B, 0x5F, 0x18, 0x7E, 0x0D, 0xCC, 0xAB, 0x81, 0xC9, 0x5D, 0x10, 0xCE,
-+ 0x4E, 0x80, 0x7E, 0x58, 0xB4, 0x34, 0x3F, 0xA7, 0x45, 0xC7, 0xAA, 0x36,
-+ 0x24, 0x42, 0xA9, 0x3B, 0xE8, 0x0E, 0x04, 0x02, 0x2D, 0xFB, 0xA6, 0x13,
-+ 0xB9, 0xB5, 0x15, 0xA5, 0x56, 0x07, 0x35, 0xE4, 0x03, 0xB6, 0x79, 0x7C,
-+ 0x62, 0xDD, 0xDF, 0x3F, 0x71, 0x3A, 0x9D, 0x8B, 0xC4, 0xF6, 0xE7, 0x1D,
-+ 0x52, 0xA8, 0xA9, 0x43, 0x1D, 0x33, 0x51, 0x88, 0x39, 0xBD, 0x73, 0xE9,
-+ 0x5F, 0xBE, 0x82, 0x49, 0x27, 0xE6, 0xB5, 0x53, 0xC1, 0x38, 0xAC, 0x2F,
-+ 0x6D, 0x97, 0x6C, 0xEB, 0x67, 0xC1, 0x5F, 0x67, 0xF8, 0x35, 0x05, 0x5E,
-+ 0xD5, 0x68, 0x80, 0xAA, 0x96, 0xCA, 0x0B, 0x8A, 0xE6, 0xF1, 0xB1, 0x41,
-+ 0xC6, 0x75, 0x94, 0x0A, 0x0A, 0x2A, 0xFA, 0x29,
- };
-
- static const unsigned char str1[] = "12345678901234567890";
-@@ -102,7 +103,7 @@ int main(int argc, char **argv)
- goto end;
-
- BN_GENCB_set(cb, dsa_cb, bio_err);
-- if (((dsa = DSA_new()) == NULL) || !DSA_generate_parameters_ex(dsa, 512,
-+ if (((dsa = DSA_new()) == NULL) || !DSA_generate_parameters_ex(dsa, 1024,
- seed, 20,
- &counter,
- &h, cb))
-@@ -116,8 +117,8 @@ int main(int argc, char **argv)
- BIO_printf(bio_err, "\ncounter=%d h=%ld\n", counter, h);
-
- DSA_print(bio_err, dsa, 0);
-- if (counter != 105) {
-- BIO_printf(bio_err, "counter should be 105\n");
-+ if (counter != 239) {
-+ BIO_printf(bio_err, "counter should be 239\n");
- goto end;
- }
- if (h != 2) {
-diff -up openssl-1.1.0h/util/libcrypto.num.fips openssl-1.1.0h/util/libcrypto.num
---- openssl-1.1.0h/util/libcrypto.num.fips 2018-03-27 15:50:41.000000000 +0200
-+++ openssl-1.1.0h/util/libcrypto.num 2018-03-29 18:06:26.962651662 +0200
-@@ -4232,5 +4232,40 @@ ZINT64_it
- ZINT64_it 4215 1_1_0f EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
- CRYPTO_secure_clear_free 4315 1_1_0g EXIST::FUNCTION:
- EVP_PKEY_set1_engine 4347 1_1_0g EXIST::FUNCTION:ENGINE
--OCSP_resp_get0_signer 4374 1_1_0h EXIST::FUNCTION:OCSP
-+FIPS_drbg_reseed 4348 1_1_0g EXIST::FUNCTION:
-+FIPS_selftest_check 4349 1_1_0g EXIST::FUNCTION:
-+FIPS_rand_set_method 4350 1_1_0g EXIST::FUNCTION:
-+FIPS_get_default_drbg 4351 1_1_0g EXIST::FUNCTION:
-+FIPS_drbg_set_reseed_interval 4352 1_1_0g EXIST::FUNCTION:
-+FIPS_drbg_set_app_data 4353 1_1_0g EXIST::FUNCTION:
-+FIPS_drbg_method 4354 1_1_0g EXIST::FUNCTION:
-+FIPS_rand_status 4355 1_1_0g EXIST::FUNCTION:
-+FIPS_drbg_instantiate 4356 1_1_0g EXIST::FUNCTION:
-+FIPS_drbg_set_callbacks 4357 1_1_0g EXIST::FUNCTION:
-+FIPS_drbg_new 4358 1_1_0g EXIST::FUNCTION:
-+FIPS_dsa_paramgen_check_g 4359 1_1_0g EXIST::FUNCTION:
-+FIPS_selftest 4360 1_1_0g EXIST::FUNCTION:
-+FIPS_rand_set_bits 4361 1_1_0g EXIST::FUNCTION:
-+FIPS_rand_bytes 4362 1_1_0g EXIST::FUNCTION:
-+FIPS_drbg_get_app_data 4363 1_1_0g EXIST::FUNCTION:
-+FIPS_selftest_failed 4364 1_1_0g EXIST::FUNCTION:
-+FIPS_dsa_builtin_paramgen2 4365 1_1_0g EXIST::FUNCTION:
-+FIPS_rand_reset 4366 1_1_0g EXIST::FUNCTION:
-+ERR_load_FIPS_strings 4367 1_1_0g EXIST::FUNCTION:
-+FIPS_drbg_generate 4368 1_1_0g EXIST::FUNCTION:
-+FIPS_drbg_uninstantiate 4369 1_1_0g EXIST::FUNCTION:
-+FIPS_drbg_set_check_interval 4370 1_1_0g EXIST::FUNCTION:
-+FIPS_drbg_free 4371 1_1_0g EXIST::FUNCTION:
-+FIPS_selftest_drbg_all 4372 1_1_0g EXIST::FUNCTION:
-+FIPS_rand_get_method 4373 1_1_0g EXIST::FUNCTION:
-+RAND_set_fips_drbg_type 4374 1_1_0g EXIST::FUNCTION:
-+FIPS_drbg_health_check 4375 1_1_0g EXIST::FUNCTION:
-+RAND_init_fips 4376 1_1_0g EXIST::FUNCTION:
-+FIPS_drbg_set_rand_callbacks 4377 1_1_0g EXIST::FUNCTION:
-+FIPS_rand_seed 4378 1_1_0g EXIST::FUNCTION:
-+FIPS_drbg_get_strength 4379 1_1_0g EXIST::FUNCTION:
-+FIPS_rand_strength 4380 1_1_0g EXIST::FUNCTION:
-+FIPS_drbg_get_blocklength 4381 1_1_0g EXIST::FUNCTION:
-+FIPS_drbg_init 4382 1_1_0g EXIST::FUNCTION:
-+OCSP_resp_get0_signer 4384 1_1_0h EXIST::FUNCTION:OCSP
- X509_get0_authority_key_id 4448 1_1_0h EXIST::FUNCTION:
-diff -up openssl-1.1.0h/util/mkdef.pl.fips openssl-1.1.0h/util/mkdef.pl
---- openssl-1.1.0h/util/mkdef.pl.fips 2018-03-27 15:50:41.000000000 +0200
-+++ openssl-1.1.0h/util/mkdef.pl 2018-03-29 14:44:24.644237065 +0200
-@@ -311,6 +311,8 @@ $crypto.=" include/openssl/modes.h";
- $crypto.=" include/openssl/async.h";
- $crypto.=" include/openssl/ct.h";
- $crypto.=" include/openssl/kdf.h";
-+$crypto.=" include/openssl/fips.h";
-+$crypto.=" include/openssl/fips_rand.h";
-
- my $symhacks="include/openssl/symhacks.h";
-
diff --git a/openssl-1.1.0-manfix.patch b/openssl-1.1.0-manfix.patch
deleted file mode 100644
index 53fc603..0000000
--- a/openssl-1.1.0-manfix.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-diff -up openssl-1.1.0g/doc/apps/ec.pod.manfix openssl-1.1.0g/doc/apps/ec.pod
---- openssl-1.1.0g/doc/apps/ec.pod.manfix 2017-11-02 15:29:04.000000000 +0100
-+++ openssl-1.1.0g/doc/apps/ec.pod 2017-11-03 16:09:31.714027145 +0100
-@@ -101,10 +101,6 @@ prints out the public, private key compo
-
- this option prevents output of the encoded version of the key.
-
--=item B<-modulus>
--
--this option prints out the value of the public key component of the key.
--
- =item B<-pubin>
-
- by default a private key is read from the input file: with this option a
-diff -up openssl-1.1.0g/doc/apps/openssl.pod.manfix openssl-1.1.0g/doc/apps/openssl.pod
---- openssl-1.1.0g/doc/apps/openssl.pod.manfix 2017-11-02 15:29:04.000000000 +0100
-+++ openssl-1.1.0g/doc/apps/openssl.pod 2017-11-03 16:11:48.478245311 +0100
-@@ -170,7 +170,7 @@ Create or examine a Netscape certificate
-
- Online Certificate Status Protocol utility.
-
--=item L<B<passwd>|passwd(1)>
-+=item L<B<passwd>|sslpasswd(1)>
-
- Generation of hashed passwords.
-
-@@ -198,7 +198,7 @@ Public key algorithm parameter managemen
-
- Public key algorithm cryptographic operation utility.
-
--=item L<B<rand>|rand(1)>
-+=item L<B<rand>|sslrand(1)>
-
- Generate pseudo-random bytes.
-
-@@ -432,13 +432,13 @@ L<dhparam(1)>, L<dsa(1)>, L<dsaparam(1)>
- L<ec(1)>, L<ecparam(1)>,
- L<enc(1)>, L<engine(1)>, L<errstr(1)>, L<gendsa(1)>, L<genpkey(1)>,
- L<genrsa(1)>, L<nseq(1)>, L<ocsp(1)>,
--L<passwd(1)>,
- L<pkcs12(1)>, L<pkcs7(1)>, L<pkcs8(1)>,
- L<pkey(1)>, L<pkeyparam(1)>, L<pkeyutl(1)>,
--L<rand(1)>, L<rehash(1)>, L<req(1)>, L<rsa(1)>,
-+L<rehash(1)>, L<req(1)>, L<rsa(1)>,
- L<rsautl(1)>, L<s_client(1)>,
- L<s_server(1)>, L<s_time(1)>, L<sess_id(1)>,
- L<smime(1)>, L<speed(1)>, L<spkac(1)>,
-+L<sslpasswd(1)>, L<sslrand(1)>,
- L<ts(1)>,
- L<verify(1)>, L<version(1)>, L<x509(1)>,
- L<crypto(7)>, L<ssl(7)>, L<x509v3_config(5)>
diff --git a/openssl-1.1.0-missing-quotes.patch b/openssl-1.1.0-missing-quotes.patch
deleted file mode 100644
index 3fb8784..0000000
--- a/openssl-1.1.0-missing-quotes.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-diff -up openssl-1.1.0h/util/dofile.pl.missing-quotes openssl-1.1.0h/util/dofile.pl
---- openssl-1.1.0h/util/dofile.pl.missing-quotes 2018-03-27 15:50:41.000000000 +0200
-+++ openssl-1.1.0h/util/dofile.pl 2018-04-03 11:59:36.742091742 +0200
-@@ -99,9 +99,9 @@ package main;
- # This adds quotes (") around the given string, and escapes any $, @, \,
- # " and ' by prepending a \ to them.
- sub quotify1 {
-- my $s = my $orig = shift @_;
-+ my $s = shift @_;
- $s =~ s/([\$\@\\"'])/\\$1/g;
-- $s ne $orig || $s =~ /\s/ ? '"'.$s.'"' : $s;
-+ '"'.$s.'"';
- }
-
- # quotify_l LIST
diff --git a/openssl-1.1.0-secure-getenv.patch b/openssl-1.1.0-secure-getenv.patch
deleted file mode 100644
index 2fb8ae6..0000000
--- a/openssl-1.1.0-secure-getenv.patch
+++ /dev/null
@@ -1,139 +0,0 @@
-diff -up openssl-1.1.0g/crypto/conf/conf_api.c.secure-getenv openssl-1.1.0g/crypto/conf/conf_api.c
---- openssl-1.1.0g/crypto/conf/conf_api.c.secure-getenv 2017-11-02 15:29:02.000000000 +0100
-+++ openssl-1.1.0g/crypto/conf/conf_api.c 2017-11-03 16:12:31.826265323 +0100
-@@ -9,6 +9,8 @@
-
- /* Part of the code in here was originally in conf.c, which is now removed */
-
-+/* for secure_getenv */
-+#define _GNU_SOURCE
- #include <stdlib.h>
- #include <string.h>
- #include <openssl/conf.h>
-@@ -82,7 +84,7 @@ char *_CONF_get_string(const CONF *conf,
- if (v != NULL)
- return (v->value);
- if (strcmp(section, "ENV") == 0) {
-- p = getenv(name);
-+ p = secure_getenv(name);
- if (p != NULL)
- return (p);
- }
-@@ -95,7 +97,7 @@ char *_CONF_get_string(const CONF *conf,
- else
- return (NULL);
- } else
-- return (getenv(name));
-+ return (secure_getenv(name));
- }
-
- static unsigned long conf_value_hash(const CONF_VALUE *v)
-diff -up openssl-1.1.0g/crypto/conf/conf_mod.c.secure-getenv openssl-1.1.0g/crypto/conf/conf_mod.c
---- openssl-1.1.0g/crypto/conf/conf_mod.c.secure-getenv 2017-11-02 15:29:02.000000000 +0100
-+++ openssl-1.1.0g/crypto/conf/conf_mod.c 2017-11-03 16:12:31.827265347 +0100
-@@ -7,6 +7,8 @@
- * https://www.openssl.org/source/license.html
- */
-
-+/* for secure_getenv */
-+#define _GNU_SOURCE
- #include <stdio.h>
- #include <ctype.h>
- #include <openssl/crypto.h>
-@@ -478,7 +480,7 @@ char *CONF_get1_default_config_file(void
- char *file;
- int len;
-
-- file = getenv("OPENSSL_CONF");
-+ file = secure_getenv("OPENSSL_CONF");
- if (file)
- return OPENSSL_strdup(file);
-
-diff -up openssl-1.1.0g/crypto/engine/eng_list.c.secure-getenv openssl-1.1.0g/crypto/engine/eng_list.c
---- openssl-1.1.0g/crypto/engine/eng_list.c.secure-getenv 2017-11-02 15:29:03.000000000 +0100
-+++ openssl-1.1.0g/crypto/engine/eng_list.c 2017-11-03 16:12:31.827265347 +0100
-@@ -13,6 +13,8 @@
- * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
- */
-
-+/* for secure_getenv */
-+#define _GNU_SOURCE
- #include "eng_int.h"
-
- /*
-@@ -322,7 +324,7 @@ ENGINE *ENGINE_by_id(const char *id)
- * Prevent infinite recursion if we're looking for the dynamic engine.
- */
- if (strcmp(id, "dynamic")) {
-- if ((load_dir = getenv("OPENSSL_ENGINES")) == 0)
-+ if ((load_dir = secure_getenv("OPENSSL_ENGINES")) == 0)
- load_dir = ENGINESDIR;
- iterator = ENGINE_by_id("dynamic");
- if (!iterator || !ENGINE_ctrl_cmd_string(iterator, "ID", id, 0) ||
-diff -up openssl-1.1.0g/crypto/rand/randfile.c.secure-getenv openssl-1.1.0g/crypto/rand/randfile.c
---- openssl-1.1.0g/crypto/rand/randfile.c.secure-getenv 2017-11-02 15:29:03.000000000 +0100
-+++ openssl-1.1.0g/crypto/rand/randfile.c 2017-11-03 16:12:31.827265347 +0100
-@@ -7,6 +7,8 @@
- * https://www.openssl.org/source/license.html
- */
-
-+/* for secure_getenv */
-+#define _GNU_SOURCE
- #include "internal/cryptlib.h"
-
- #include <errno.h>
-@@ -317,10 +319,10 @@ const char *RAND_file_name(char *buf, si
- if (OPENSSL_issetugid() != 0) {
- use_randfile = 0;
- } else {
-- s = getenv("RANDFILE");
-+ s = secure_getenv("RANDFILE");
- if (s == NULL || *s == '\0') {
- use_randfile = 0;
-- s = getenv("HOME");
-+ s = secure_getenv("HOME");
- }
- }
- #endif
-diff -up openssl-1.1.0g/crypto/x509/by_dir.c.secure-getenv openssl-1.1.0g/crypto/x509/by_dir.c
---- openssl-1.1.0g/crypto/x509/by_dir.c.secure-getenv 2017-11-02 15:29:04.000000000 +0100
-+++ openssl-1.1.0g/crypto/x509/by_dir.c 2017-11-03 16:12:31.827265347 +0100
-@@ -7,6 +7,8 @@
- * https://www.openssl.org/source/license.html
- */
-
-+/* for secure_getenv */
-+#define _GNU_SOURCE
- #include <stdio.h>
- #include <time.h>
- #include <errno.h>
-@@ -78,7 +80,7 @@ static int dir_ctrl(X509_LOOKUP *ctx, in
- switch (cmd) {
- case X509_L_ADD_DIR:
- if (argl == X509_FILETYPE_DEFAULT) {
-- dir = (char *)getenv(X509_get_default_cert_dir_env());
-+ dir = (char *)secure_getenv(X509_get_default_cert_dir_env());
- if (dir)
- ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
- else
-diff -up openssl-1.1.0g/crypto/x509/by_file.c.secure-getenv openssl-1.1.0g/crypto/x509/by_file.c
---- openssl-1.1.0g/crypto/x509/by_file.c.secure-getenv 2017-11-02 15:29:04.000000000 +0100
-+++ openssl-1.1.0g/crypto/x509/by_file.c 2017-11-03 16:14:13.230649686 +0100
-@@ -7,6 +7,8 @@
- * https://www.openssl.org/source/license.html
- */
-
-+/* for secure_getenv */
-+#define _GNU_SOURCE
- #include <stdio.h>
- #include <time.h>
- #include <errno.h>
-@@ -47,7 +49,7 @@ static int by_file_ctrl(X509_LOOKUP *ctx
- switch (cmd) {
- case X509_L_FILE_LOAD:
- if (argl == X509_FILETYPE_DEFAULT) {
-- file = getenv(X509_get_default_cert_file_env());
-+ file = secure_getenv(X509_get_default_cert_file_env());
- if (file)
- ok = (X509_load_cert_crl_file(ctx, file,
- X509_FILETYPE_PEM) != 0);
diff --git a/openssl-1.1.0-silent-rnd-write.patch b/openssl-1.1.0-silent-rnd-write.patch
deleted file mode 100644
index da4137c..0000000
--- a/openssl-1.1.0-silent-rnd-write.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-diff -up openssl-1.1.0h/apps/app_rand.c.silent-rnd-write openssl-1.1.0h/apps/app_rand.c
---- openssl-1.1.0h/apps/app_rand.c.silent-rnd-write 2018-03-27 15:50:37.000000000 +0200
-+++ openssl-1.1.0h/apps/app_rand.c 2018-03-29 15:27:24.597891091 +0200
-@@ -91,6 +91,7 @@ long app_RAND_load_files(char *name)
- int app_RAND_write_file(const char *file)
- {
- char buffer[200];
-+ const char *origfile = file;
-
- if (egdsocket || !seeded)
- /*
-@@ -103,8 +104,10 @@ int app_RAND_write_file(const char *file
- if (file == NULL)
- file = RAND_file_name(buffer, sizeof(buffer));
- if (file == NULL || !RAND_write_file(file)) {
-- BIO_printf(bio_err, "unable to write 'random state'\n");
-- return 0;
-+ if (origfile != NULL) {
-+ BIO_printf(bio_err, "unable to write 'random state'\n");
-+ return 0;
-+ }
- }
- return 1;
- }
diff --git a/openssl-1.1.0-system-cipherlist.patch b/openssl-1.1.0-system-cipherlist.patch
deleted file mode 100644
index 9f63162..0000000
--- a/openssl-1.1.0-system-cipherlist.patch
+++ /dev/null
@@ -1,317 +0,0 @@
-diff -up openssl-1.1.0e/Configurations/unix-Makefile.tmpl.system-cipherlist openssl-1.1.0e/Configurations/unix-Makefile.tmpl
---- openssl-1.1.0e/Configurations/unix-Makefile.tmpl.system-cipherlist 2017-02-16 16:15:38.658931413 +0100
-+++ openssl-1.1.0e/Configurations/unix-Makefile.tmpl 2017-02-16 16:15:38.675931806 +0100
-@@ -161,6 +161,10 @@ MANDIR=$(INSTALLTOP)/share/man
- DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME)
- HTMLDIR=$(DOCDIR)/html
-
-+{- output_off() if $config{system_ciphers_file} eq ""; "" -}
-+SYSTEM_CIPHERS_FILE_DEFINE=-DSYSTEM_CIPHERS_FILE="\"{- $config{system_ciphers_file} -}\""
-+{- output_on() if $config{system_ciphers_file} eq ""; "" -}
-+
- # MANSUFFIX is for the benefit of anyone who may want to have a suffix
- # appended after the manpage file section number. "ssl" is popular,
- # resulting in files such as config.5ssl rather than config.5.
-@@ -171,7 +175,7 @@ HTMLSUFFIX=html
-
- CROSS_COMPILE= {- $config{cross_compile_prefix} -}
- CC= $(CROSS_COMPILE){- $target{cc} -}
--CFLAGS={- our $cflags2 = join(" ",(map { "-D".$_} @{$target{defines}}, @{$config{defines}}),"-DOPENSSLDIR=\"\\\"\$(OPENSSLDIR)\\\"\"","-DENGINESDIR=\"\\\"\$(ENGINESDIR)\\\"\"") -} {- $target{cflags} -} {- $config{cflags} -}
-+CFLAGS={- our $cflags2 = join(" ",(map { "-D".$_} @{$target{defines}}, @{$config{defines}}),"\$(SYSTEM_CIPHERS_FILE_DEFINE)","-DOPENSSLDIR=\"\\\"\$(OPENSSLDIR)\\\"\"","-DENGINESDIR=\"\\\"\$(ENGINESDIR)\\\"\"") -} {- $target{cflags} -} {- $config{cflags} -}
- CFLAGS_Q={- $cflags2 =~ s|([\\"])|\\$1|g; $cflags2 -} {- $config{cflags} -}
- LDFLAGS= {- $target{lflags} -}
- PLIB_LDFLAGS= {- $target{plib_lflags} -}
-diff -up openssl-1.1.0e/Configure.system-cipherlist openssl-1.1.0e/Configure
---- openssl-1.1.0e/Configure.system-cipherlist 2017-02-16 12:58:20.000000000 +0100
-+++ openssl-1.1.0e/Configure 2017-02-16 16:15:38.679931899 +0100
-@@ -18,7 +18,7 @@ use if $^O ne "VMS", 'File::Glob' => qw/
-
- # see INSTALL for instructions.
-
--my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
-+my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
-
- # Options:
- #
-@@ -35,6 +35,9 @@ my $usage="Usage: Configure [no-<cipher>
- # This becomes the value of OPENSSLDIR in Makefile and in C.
- # (Default: PREFIX/ssl)
- #
-+# --system-ciphers-file A file to read cipher string from when the PROFILE=SYSTEM
-+# cipher is specified (default).
-+#
- # --cross-compile-prefix Add specified prefix to binutils components.
- #
- # --api One of 0.9.8, 1.0.0 or 1.1.0. Do not compile support for
-@@ -293,6 +296,7 @@ $config{openssldir}="";
- $config{processor}="";
- $config{libdir}="";
- $config{cross_compile_prefix}="";
-+$config{system_ciphers_file}="";
- $config{fipslibdir}="/usr/local/ssl/fips-2.0/lib/";
- my $nofipscanistercheck=0;
- $config{baseaddr}="0xFB00000";
-@@ -718,6 +722,10 @@ while (@argvcopy)
- {
- $config{baseaddr}="$1";
- }
-+ elsif (/^--system-ciphers-file=(.*)$/)
-+ {
-+ $config{system_ciphers_file}=$1;
-+ }
- elsif (/^--cross-compile-prefix=(.*)$/)
- {
- $config{cross_compile_prefix}=$1;
-@@ -851,6 +859,8 @@ if ($target =~ m/^CygWin32(-.*)$/) {
- $target = "Cygwin".$1;
- }
-
-+chop $config{system_ciphers_file} if $config{system_ciphers_file} =~ /\/$/;
-+
- foreach (sort (keys %disabled))
- {
- $config{options} .= " no-$_";
-diff -up openssl-1.1.0e/doc/apps/ciphers.pod.system-cipherlist openssl-1.1.0e/doc/apps/ciphers.pod
---- openssl-1.1.0e/doc/apps/ciphers.pod.system-cipherlist 2017-02-16 12:58:22.000000000 +0100
-+++ openssl-1.1.0e/doc/apps/ciphers.pod 2017-02-16 16:37:14.043219953 +0100
-@@ -181,6 +181,15 @@ As of OpenSSL 1.0.0, the B<ALL> cipher s
-
- The cipher suites not enabled by B<ALL>, currently B<eNULL>.
-
-+=item B<PROFILE=SYSTEM>
-+
-+The list of enabled cipher suites will be loaded from the system crypto policy
-+configuration file B</etc/crypto-policies/back-ends/openssl.config>.
-+See also L<update-crypto-policies(8)>.
-+This is the default behavior unless an application explicitly sets a cipher
-+list. If used in a cipher list configuration value this string must be at the
-+beginning of the cipher list, otherwise it will not be recognized.
-+
- =item B<HIGH>
-
- "high" encryption cipher suites. This currently means those with key lengths
-diff -up openssl-1.1.0e/include/openssl/ssl.h.system-cipherlist openssl-1.1.0e/include/openssl/ssl.h
---- openssl-1.1.0e/include/openssl/ssl.h.system-cipherlist 2017-02-16 12:58:23.000000000 +0100
-+++ openssl-1.1.0e/include/openssl/ssl.h 2017-02-16 16:15:38.676931830 +0100
-@@ -201,6 +201,11 @@ extern "C" {
- * throwing out anonymous and unencrypted ciphersuites! (The latter are not
- * actually enabled by ALL, but "ALL:RSA" would enable some of them.)
- */
-+# ifdef SYSTEM_CIPHERS_FILE
-+# define SSL_SYSTEM_DEFAULT_CIPHER_LIST "PROFILE=SYSTEM"
-+# else
-+# define SSL_SYSTEM_DEFAULT_CIPHER_LIST SSL_DEFAULT_CIPHER_LIST
-+# endif
-
- /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
- # define SSL_SENT_SHUTDOWN 1
-diff -up openssl-1.1.0e/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.0e/ssl/ssl_ciph.c
---- openssl-1.1.0e/ssl/ssl_ciph.c.system-cipherlist 2017-02-16 12:58:23.000000000 +0100
-+++ openssl-1.1.0e/ssl/ssl_ciph.c 2017-02-16 16:15:38.691932177 +0100
-@@ -1289,6 +1289,50 @@ static int check_suiteb_cipher_list(cons
- }
- #endif
-
-+#ifdef SYSTEM_CIPHERS_FILE
-+static char *load_system_str(const char *suffix)
-+{
-+ FILE *fp;
-+ char buf[1024];
-+ char *new_rules;
-+ unsigned len, slen;
-+
-+ fp = fopen(SYSTEM_CIPHERS_FILE, "r");
-+ if (fp == NULL || fgets(buf, sizeof(buf), fp) == NULL) {
-+ /* cannot open or file is empty */
-+ snprintf(buf, sizeof(buf), "%s", SSL_DEFAULT_CIPHER_LIST);
-+ }
-+
-+ if (fp)
-+ fclose(fp);
-+
-+ slen = strlen(suffix);
-+ len = strlen(buf);
-+
-+ if (buf[len - 1] == '\n') {
-+ len--;
-+ buf[len] = 0;
-+ }
-+ if (buf[len - 1] == '\r') {
-+ len--;
-+ buf[len] = 0;
-+ }
-+
-+ new_rules = OPENSSL_malloc(len + slen + 1);
-+ if (new_rules == 0)
-+ return NULL;
-+
-+ memcpy(new_rules, buf, len);
-+ if (slen > 0) {
-+ memcpy(&new_rules[len], suffix, slen);
-+ len += slen;
-+ }
-+ new_rules[len] = 0;
-+
-+ return new_rules;
-+}
-+#endif
-+
- STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK_OF(SSL_CIPHER)
- **cipher_list, STACK_OF(SSL_CIPHER)
- **cipher_list_by_id,
-@@ -1296,19 +1341,29 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
- {
- int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases;
- uint32_t disabled_mkey, disabled_auth, disabled_enc, disabled_mac;
-- STACK_OF(SSL_CIPHER) *cipherstack, *tmp_cipher_list;
-+ STACK_OF(SSL_CIPHER) *cipherstack = NULL, *tmp_cipher_list;
- const char *rule_p;
- CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
- const SSL_CIPHER **ca_list = NULL;
-+#ifdef SYSTEM_CIPHERS_FILE
-+ char *new_rules = NULL;
-+
-+ if (rule_str != NULL && strncmp(rule_str, "PROFILE=SYSTEM", 14) == 0) {
-+ char *p = rule_str + 14;
-+
-+ new_rules = load_system_str(p);
-+ rule_str = new_rules;
-+ }
-+#endif
-
- /*
- * Return with error if nothing to do.
- */
- if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL)
-- return NULL;
-+ goto end;
- #ifndef OPENSSL_NO_EC
- if (!check_suiteb_cipher_list(ssl_method, c, &rule_str))
-- return NULL;
-+ goto end;
- #endif
-
- /*
-@@ -1331,7 +1386,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
- co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers);
- if (co_list == NULL) {
- SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
-- return (NULL); /* Failure */
-+ goto end;
- }
-
- ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
-@@ -1401,8 +1456,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
- * in force within each class
- */
- if (!ssl_cipher_strength_sort(&head, &tail)) {
-- OPENSSL_free(co_list);
-- return NULL;
-+ goto end;
- }
-
- /*
-@@ -1447,9 +1501,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
- num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
- ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
- if (ca_list == NULL) {
-- OPENSSL_free(co_list);
- SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
-- return (NULL); /* Failure */
-+ goto end;
- }
- ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
- disabled_mkey, disabled_auth, disabled_enc,
-@@ -1475,8 +1528,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
- OPENSSL_free(ca_list); /* Not needed anymore */
-
- if (!ok) { /* Rule processing failure */
-- OPENSSL_free(co_list);
-- return (NULL);
-+ goto end;
- }
-
- /*
-@@ -1484,8 +1536,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
- * if we cannot get one.
- */
- if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
-- OPENSSL_free(co_list);
-- return (NULL);
-+ goto end;
- }
-
- /*
-@@ -1496,21 +1547,21 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
- if (curr->active
- && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS)) {
- if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) {
-- OPENSSL_free(co_list);
- sk_SSL_CIPHER_free(cipherstack);
-- return NULL;
-+ cipherstack = NULL;
-+ goto end;
- }
- #ifdef CIPHER_DEBUG
- fprintf(stderr, "<%s>\n", curr->cipher->name);
- #endif
- }
- }
-- OPENSSL_free(co_list); /* Not needed any longer */
-
- tmp_cipher_list = sk_SSL_CIPHER_dup(cipherstack);
- if (tmp_cipher_list == NULL) {
- sk_SSL_CIPHER_free(cipherstack);
-- return NULL;
-+ cipherstack = NULL;
-+ goto end;
- }
- sk_SSL_CIPHER_free(*cipher_list);
- *cipher_list = cipherstack;
-@@ -1520,6 +1571,12 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
- (void)sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id, ssl_cipher_ptr_id_cmp);
-
- sk_SSL_CIPHER_sort(*cipher_list_by_id);
-+
-+ end:
-+ OPENSSL_free(co_list);
-+#ifdef SYSTEM_CIPHERS_FILE
-+ OPENSSL_free(new_rules);
-+#endif
- return (cipherstack);
- }
-
-diff -up openssl-1.1.0e/ssl/ssl_lib.c.system-cipherlist openssl-1.1.0e/ssl/ssl_lib.c
---- openssl-1.1.0e/ssl/ssl_lib.c.system-cipherlist 2017-02-16 16:15:38.673931760 +0100
-+++ openssl-1.1.0e/ssl/ssl_lib.c 2017-02-16 16:15:38.692932200 +0100
-@@ -509,7 +509,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx
-
- sk = ssl_create_cipher_list(ctx->method, &(ctx->cipher_list),
- &(ctx->cipher_list_by_id),
-- SSL_DEFAULT_CIPHER_LIST, ctx->cert);
-+ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ctx->cert);
- if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
- SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
- return (0);
-@@ -2403,7 +2403,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
- #endif
- if (!ssl_create_cipher_list(ret->method,
- &ret->cipher_list, &ret->cipher_list_by_id,
-- SSL_DEFAULT_CIPHER_LIST, ret->cert)
-+ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ret->cert)
- || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
- SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
- goto err2;
-diff -up openssl-1.1.0e/test/cipherlist_test.c.system-cipherlist openssl-1.1.0e/test/cipherlist_test.c
---- openssl-1.1.0e/test/cipherlist_test.c.system-cipherlist 2017-02-16 12:58:24.000000000 +0100
-+++ openssl-1.1.0e/test/cipherlist_test.c 2017-02-16 16:15:38.677931853 +0100
-@@ -190,7 +190,9 @@ int main(int argc, char **argv)
- {
- int result = 0;
-
-+#ifndef SYSTEM_CIPHERS_FILE
- ADD_TEST(test_default_cipherlist_implicit);
-+#endif
- ADD_TEST(test_default_cipherlist_explicit);
-
- result = run_tests(argv[0]);
diff --git a/openssl-1.1.0-version-add-engines.patch b/openssl-1.1.0-version-add-engines.patch
deleted file mode 100644
index f4b7cf9..0000000
--- a/openssl-1.1.0-version-add-engines.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-diff -up openssl-1.1.0h/apps/version.c.version-add-engines openssl-1.1.0h/apps/version.c
---- openssl-1.1.0h/apps/version.c.version-add-engines 2018-03-27 15:50:37.000000000 +0200
-+++ openssl-1.1.0h/apps/version.c 2018-03-29 14:33:30.732879537 +0200
-@@ -52,7 +52,7 @@ int version_main(int argc, char **argv)
- {
- int ret = 1, dirty = 0;
- int cflags = 0, version = 0, date = 0, options = 0, platform = 0, dir = 0;
-- int engdir = 0;
-+ int engdir = 0, engines = 0;
- char *prog;
- OPTION_CHOICE o;
-
-@@ -90,7 +90,7 @@ opthelp:
- dirty = version = 1;
- break;
- case OPT_A:
-- options = cflags = version = date = platform = dir = engdir = 1;
-+ options = cflags = version = date = platform = dir = engdir = engines = 1;
- break;
- }
- }
-@@ -139,6 +139,16 @@ opthelp:
- printf("%s\n", OpenSSL_version(OPENSSL_DIR));
- if (engdir)
- printf("%s\n", OpenSSL_version(OPENSSL_ENGINES_DIR));
-+ if (engines) {
-+ ENGINE *e;
-+ printf("engines: ");
-+ e = ENGINE_get_first();
-+ while (e) {
-+ printf("%s ", ENGINE_get_id(e));
-+ e = ENGINE_get_next(e);
-+ }
-+ printf("\n");
-+ }
- ret = 0;
- end:
- return (ret);
diff --git a/openssl-1.1.1-build.patch b/openssl-1.1.1-build.patch
new file mode 100644
index 0000000..cfe20f6
--- /dev/null
+++ b/openssl-1.1.1-build.patch
@@ -0,0 +1,40 @@
+diff -up openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl.build openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl
+--- openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl.build 2018-06-20 16:48:09.000000000 +0200
++++ openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl 2018-07-16 17:15:38.108831031 +0200
+@@ -680,7 +680,7 @@ uninstall_runtime:
+ install_man_docs:
+ @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
+ @$(ECHO) "*** Installing manpages"
+- $(PERL) $(SRCDIR)/util/process_docs.pl \
++ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
+ --destdir=$(DESTDIR)$(MANDIR) --type=man --suffix=$(MANSUFFIX)
+
+ uninstall_man_docs:
+@@ -692,7 +692,7 @@ uninstall_man_docs:
+ install_html_docs:
+ @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
+ @$(ECHO) "*** Installing HTML manpages"
+- $(PERL) $(SRCDIR)/util/process_docs.pl \
++ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
+ --destdir=$(DESTDIR)$(HTMLDIR) --type=html
+
+ uninstall_html_docs:
+diff -up openssl-1.1.1-pre8/Configurations/10-main.conf.build openssl-1.1.1-pre8/Configurations/10-main.conf
+--- openssl-1.1.1-pre8/Configurations/10-main.conf.build 2018-06-20 16:48:09.000000000 +0200
++++ openssl-1.1.1-pre8/Configurations/10-main.conf 2018-07-16 17:17:10.312045203 +0200
+@@ -693,6 +693,7 @@ my %targets = (
+ cxxflags => add("-m64"),
+ lib_cppflags => add("-DL_ENDIAN"),
+ perlasm_scheme => "linux64le",
++ multilib => "64",
+ },
+
+ "linux-armv4" => {
+@@ -733,6 +734,7 @@ my %targets = (
+ "linux-aarch64" => {
+ inherit_from => [ "linux-generic64", asm("aarch64_asm") ],
+ perlasm_scheme => "linux64",
++ multilib => "64",
+ },
+ "linux-arm64ilp32" => { # https://wiki.linaro.org/Platform/arm64-ilp32
+ inherit_from => [ "linux-generic32", asm("aarch64_asm") ],
diff --git a/openssl-1.1.1-disable-ssl3.patch b/openssl-1.1.1-disable-ssl3.patch
new file mode 100644
index 0000000..19acdd1
--- /dev/null
+++ b/openssl-1.1.1-disable-ssl3.patch
@@ -0,0 +1,89 @@
+diff -up openssl-1.1.1-pre8/apps/s_client.c.disable-ssl3 openssl-1.1.1-pre8/apps/s_client.c
+--- openssl-1.1.1-pre8/apps/s_client.c.disable-ssl3 2018-07-16 18:08:20.000487628 +0200
++++ openssl-1.1.1-pre8/apps/s_client.c 2018-07-16 18:16:40.070186323 +0200
+@@ -1681,6 +1681,9 @@ int s_client_main(int argc, char **argv)
+ if (sdebug)
+ ssl_ctx_security_debug(ctx, sdebug);
+
++ if (min_version == SSL3_VERSION && max_version == SSL3_VERSION)
++ SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
++
+ if (!config_ctx(cctx, ssl_args, ctx))
+ goto end;
+
+diff -up openssl-1.1.1-pre8/apps/s_server.c.disable-ssl3 openssl-1.1.1-pre8/apps/s_server.c
+--- openssl-1.1.1-pre8/apps/s_server.c.disable-ssl3 2018-07-16 18:08:20.000487628 +0200
++++ openssl-1.1.1-pre8/apps/s_server.c 2018-07-16 18:17:17.300055551 +0200
+@@ -1760,6 +1760,9 @@ int s_server_main(int argc, char *argv[]
+ if (sdebug)
+ ssl_ctx_security_debug(ctx, sdebug);
+
++ if (min_version == SSL3_VERSION && max_version == SSL3_VERSION)
++ SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
++
+ if (!config_ctx(cctx, ssl_args, ctx))
+ goto end;
+
+diff -up openssl-1.1.1-pre8/ssl/ssl_lib.c.disable-ssl3 openssl-1.1.1-pre8/ssl/ssl_lib.c
+--- openssl-1.1.1-pre8/ssl/ssl_lib.c.disable-ssl3 2018-06-20 16:48:13.000000000 +0200
++++ openssl-1.1.1-pre8/ssl/ssl_lib.c 2018-07-16 18:08:20.001487652 +0200
+@@ -3016,6 +3016,14 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
+ */
+ ret->options |= SSL_OP_NO_COMPRESSION | SSL_OP_ENABLE_MIDDLEBOX_COMPAT;
+
++ /*
++ * Disable SSLv3 by default. Applications can
++ * re-enable it by configuring
++ * SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
++ * or by using the SSL_CONF API.
++ */
++ ret->options |= SSL_OP_NO_SSLv3;
++
+ ret->ext.status_type = TLSEXT_STATUSTYPE_nothing;
+
+ /*
+diff -up openssl-1.1.1-pre8/test/ssl_test.c.disable-ssl3 openssl-1.1.1-pre8/test/ssl_test.c
+--- openssl-1.1.1-pre8/test/ssl_test.c.disable-ssl3 2018-06-20 16:48:15.000000000 +0200
++++ openssl-1.1.1-pre8/test/ssl_test.c 2018-07-16 18:18:34.806865121 +0200
+@@ -443,6 +443,7 @@ static int test_handshake(int idx)
+ SSL_TEST_SERVERNAME_CB_NONE) {
+ if (!TEST_ptr(server2_ctx = SSL_CTX_new(TLS_server_method())))
+ goto err;
++ SSL_CTX_clear_options(server2_ctx, SSL_OP_NO_SSLv3);
+ if (!TEST_true(SSL_CTX_set_max_proto_version(server2_ctx,
+ TLS_MAX_VERSION)))
+ goto err;
+@@ -464,6 +465,8 @@ static int test_handshake(int idx)
+ if (!TEST_ptr(resume_server_ctx)
+ || !TEST_ptr(resume_client_ctx))
+ goto err;
++ SSL_CTX_clear_options(resume_server_ctx, SSL_OP_NO_SSLv3);
++ SSL_CTX_clear_options(resume_client_ctx, SSL_OP_NO_SSLv3);
+ }
+ }
+
+@@ -477,6 +480,9 @@ static int test_handshake(int idx)
+ || !TEST_int_gt(CONF_modules_load(conf, test_app, 0), 0))
+ goto err;
+
++ SSL_CTX_clear_options(server_ctx, SSL_OP_NO_SSLv3);
++ SSL_CTX_clear_options(client_ctx, SSL_OP_NO_SSLv3);
++
+ if (!SSL_CTX_config(server_ctx, "server")
+ || !SSL_CTX_config(client_ctx, "client")) {
+ goto err;
+diff -up openssl-1.1.1-pre8/test/ssltest_old.c.disable-ssl3 openssl-1.1.1-pre8/test/ssltest_old.c
+--- openssl-1.1.1-pre8/test/ssltest_old.c.disable-ssl3 2018-06-20 16:48:15.000000000 +0200
++++ openssl-1.1.1-pre8/test/ssltest_old.c 2018-07-16 18:08:20.002487676 +0200
+@@ -1358,6 +1358,11 @@ int main(int argc, char *argv[])
+ ERR_print_errors(bio_err);
+ goto end;
+ }
++
++ SSL_CTX_clear_options(c_ctx, SSL_OP_NO_SSLv3);
++ SSL_CTX_clear_options(s_ctx, SSL_OP_NO_SSLv3);
++ SSL_CTX_clear_options(s_ctx2, SSL_OP_NO_SSLv3);
++
+ /*
+ * Since we will use low security ciphersuites and keys for testing set
+ * security level to zero by default. Tests can override this by adding
diff --git a/openssl-1.1.1-ec-curves.patch b/openssl-1.1.1-ec-curves.patch
new file mode 100644
index 0000000..b26263f
--- /dev/null
+++ b/openssl-1.1.1-ec-curves.patch
@@ -0,0 +1,94 @@
+diff -up openssl-1.1.1-pre8/apps/speed.c.curves openssl-1.1.1-pre8/apps/speed.c
+--- openssl-1.1.1-pre8/apps/speed.c.curves 2018-07-17 08:48:56.106625020 +0200
++++ openssl-1.1.1-pre8/apps/speed.c 2018-07-17 08:50:07.526521809 +0200
+@@ -511,56 +511,20 @@ static double rsa_results[RSA_NUM][2];
+ #define R_EC_X448 23
+ #ifndef OPENSSL_NO_EC
+ static OPT_PAIR ecdsa_choices[] = {
+- {"ecdsap160", R_EC_P160},
+- {"ecdsap192", R_EC_P192},
+ {"ecdsap224", R_EC_P224},
+ {"ecdsap256", R_EC_P256},
+ {"ecdsap384", R_EC_P384},
+ {"ecdsap521", R_EC_P521},
+- {"ecdsak163", R_EC_K163},
+- {"ecdsak233", R_EC_K233},
+- {"ecdsak283", R_EC_K283},
+- {"ecdsak409", R_EC_K409},
+- {"ecdsak571", R_EC_K571},
+- {"ecdsab163", R_EC_B163},
+- {"ecdsab233", R_EC_B233},
+- {"ecdsab283", R_EC_B283},
+- {"ecdsab409", R_EC_B409},
+- {"ecdsab571", R_EC_B571},
+- {"ecdsabrp256r1", R_EC_BRP256R1},
+- {"ecdsabrp256t1", R_EC_BRP256T1},
+- {"ecdsabrp384r1", R_EC_BRP384R1},
+- {"ecdsabrp384t1", R_EC_BRP384T1},
+- {"ecdsabrp512r1", R_EC_BRP512R1},
+- {"ecdsabrp512t1", R_EC_BRP512T1}
+ };
+ # define ECDSA_NUM OSSL_NELEM(ecdsa_choices)
+
+ static double ecdsa_results[ECDSA_NUM][2]; /* 2 ops: sign then verify */
+
+ static const OPT_PAIR ecdh_choices[] = {
+- {"ecdhp160", R_EC_P160},
+- {"ecdhp192", R_EC_P192},
+ {"ecdhp224", R_EC_P224},
+ {"ecdhp256", R_EC_P256},
+ {"ecdhp384", R_EC_P384},
+ {"ecdhp521", R_EC_P521},
+- {"ecdhk163", R_EC_K163},
+- {"ecdhk233", R_EC_K233},
+- {"ecdhk283", R_EC_K283},
+- {"ecdhk409", R_EC_K409},
+- {"ecdhk571", R_EC_K571},
+- {"ecdhb163", R_EC_B163},
+- {"ecdhb233", R_EC_B233},
+- {"ecdhb283", R_EC_B283},
+- {"ecdhb409", R_EC_B409},
+- {"ecdhb571", R_EC_B571},
+- {"ecdhbrp256r1", R_EC_BRP256R1},
+- {"ecdhbrp256t1", R_EC_BRP256T1},
+- {"ecdhbrp384r1", R_EC_BRP384R1},
+- {"ecdhbrp384t1", R_EC_BRP384T1},
+- {"ecdhbrp512r1", R_EC_BRP512R1},
+- {"ecdhbrp512t1", R_EC_BRP512T1},
+ {"ecdhx25519", R_EC_X25519},
+ {"ecdhx448", R_EC_X448}
+ };
+diff -up openssl-1.1.1-pre8/crypto/ec/ecp_smpl.c.curves openssl-1.1.1-pre8/crypto/ec/ecp_smpl.c
+--- openssl-1.1.1-pre8/crypto/ec/ecp_smpl.c.curves 2018-06-20 16:48:10.000000000 +0200
++++ openssl-1.1.1-pre8/crypto/ec/ecp_smpl.c 2018-07-17 08:48:56.107625044 +0200
+@@ -141,6 +141,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO
+ return 0;
+ }
+
++ if (BN_num_bits(p) < 224) {
++ ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE, EC_R_UNSUPPORTED_FIELD);
++ return 0;
++ }
++
+ if (ctx == NULL) {
+ ctx = new_ctx = BN_CTX_new();
+ if (ctx == NULL)
+diff -up openssl-1.1.1-pre8/test/ecdsatest.c.curves openssl-1.1.1-pre8/test/ecdsatest.c
+--- openssl-1.1.1-pre8/test/ecdsatest.c.curves 2018-06-20 16:48:14.000000000 +0200
++++ openssl-1.1.1-pre8/test/ecdsatest.c 2018-07-17 08:48:56.107625044 +0200
+@@ -173,6 +173,7 @@ static int x9_62_tests(void)
+ if (!change_rand())
+ goto x962_err;
+
++#if 0
+ if (!TEST_true(x9_62_test_internal(NID_X9_62_prime192v1,
+ "3342403536405981729393488334694600415596881826869351677613",
+ "5735822328888155254683894997897571951568553642892029982342")))
+@@ -183,6 +184,7 @@ static int x9_62_tests(void)
+ "3238135532097973577080787768312505059318910517550078427819"
+ "78505179448783")))
+ goto x962_err;
++#endif
+
+ # ifndef OPENSSL_NO_EC2M
+ if (!TEST_true(x9_62_test_internal(NID_X9_62_c2tnb191v1,
diff --git a/openssl-1.1.1-fips.patch b/openssl-1.1.1-fips.patch
new file mode 100644
index 0000000..9f32b03
--- /dev/null
+++ b/openssl-1.1.1-fips.patch
@@ -0,0 +1,12153 @@
+diff -up openssl-1.1.1-pre8/apps/speed.c.fips openssl-1.1.1-pre8/apps/speed.c
+--- openssl-1.1.1-pre8/apps/speed.c.fips 2018-07-25 17:26:58.393624416 +0200
++++ openssl-1.1.1-pre8/apps/speed.c 2018-07-25 17:26:58.402624632 +0200
+@@ -1550,7 +1550,8 @@ int speed_main(int argc, char **argv)
+ continue;
+ if (strcmp(*argv, "rsa") == 0) {
+ for (loop = 0; loop < OSSL_NELEM(rsa_doit); loop++)
+- rsa_doit[loop] = 1;
++ if (!FIPS_mode() || loop != R_RSA_512)
++ rsa_doit[loop] = 1;
+ continue;
+ }
+ if (found(*argv, rsa_choices, &i)) {
+@@ -1560,7 +1561,9 @@ int speed_main(int argc, char **argv)
+ #endif
+ #ifndef OPENSSL_NO_DSA
+ if (strcmp(*argv, "dsa") == 0) {
+- dsa_doit[R_DSA_512] = dsa_doit[R_DSA_1024] =
++ if (!FIPS_mode())
++ dsa_doit[R_DSA_512] = 1;
++ dsa_doit[R_DSA_1024] =
+ dsa_doit[R_DSA_2048] = 1;
+ continue;
+ }
+@@ -1683,15 +1686,21 @@ int speed_main(int argc, char **argv)
+ /* No parameters; turn on everything. */
+ if ((argc == 0) && !doit[D_EVP]) {
+ for (i = 0; i < ALGOR_NUM; i++)
+- if (i != D_EVP)
++ if (i != D_EVP &&
++ (!FIPS_mode() || (i != D_WHIRLPOOL &&
++ i != D_MD2 && i != D_MD4 &&
++ i != D_MD5 && i != D_MDC2 &&
++ i != D_RMD160)))
+ doit[i] = 1;
+ #ifndef OPENSSL_NO_RSA
+ for (i = 0; i < RSA_NUM; i++)
+- rsa_doit[i] = 1;
++ if (!FIPS_mode() || i != R_RSA_512)
++ rsa_doit[i] = 1;
+ #endif
+ #ifndef OPENSSL_NO_DSA
+ for (i = 0; i < DSA_NUM; i++)
+- dsa_doit[i] = 1;
++ if (!FIPS_mode() || i != R_DSA_512)
++ dsa_doit[i] = 1;
+ #endif
+ #ifndef OPENSSL_NO_EC
+ for (loop = 0; loop < OSSL_NELEM(ecdsa_doit); loop++)
+@@ -1745,30 +1754,46 @@ int speed_main(int argc, char **argv)
+ AES_set_encrypt_key(key24, 192, &aes_ks2);
+ AES_set_encrypt_key(key32, 256, &aes_ks3);
+ #ifndef OPENSSL_NO_CAMELLIA
+- Camellia_set_key(key16, 128, &camellia_ks1);
+- Camellia_set_key(ckey24, 192, &camellia_ks2);
+- Camellia_set_key(ckey32, 256, &camellia_ks3);
++ if (doit[D_CBC_128_CML] || doit[D_CBC_192_CML] || doit[D_CBC_256_CML]) {
++ Camellia_set_key(key16, 128, &camellia_ks1);
++ Camellia_set_key(ckey24, 192, &camellia_ks2);
++ Camellia_set_key(ckey32, 256, &camellia_ks3);
++ }
+ #endif
+ #ifndef OPENSSL_NO_IDEA
+- IDEA_set_encrypt_key(key16, &idea_ks);
++ if (doit[D_CBC_IDEA]) {
++ IDEA_set_encrypt_key(key16, &idea_ks);
++ }
+ #endif
+ #ifndef OPENSSL_NO_SEED
+- SEED_set_key(key16, &seed_ks);
++ if (doit[D_CBC_SEED]) {
++ SEED_set_key(key16, &seed_ks);
++ }
+ #endif
+ #ifndef OPENSSL_NO_RC4
+- RC4_set_key(&rc4_ks, 16, key16);
++ if (doit[D_RC4]) {
++ RC4_set_key(&rc4_ks, 16, key16);
++ }
+ #endif
+ #ifndef OPENSSL_NO_RC2
+- RC2_set_key(&rc2_ks, 16, key16, 128);
++ if (doit[D_CBC_RC2]) {
++ RC2_set_key(&rc2_ks, 16, key16, 128);
++ }
+ #endif
+ #ifndef OPENSSL_NO_RC5
+- RC5_32_set_key(&rc5_ks, 16, key16, 12);
++ if (doit[D_CBC_RC5]) {
++ RC5_32_set_key(&rc5_ks, 16, key16, 12);
++ }
+ #endif
+ #ifndef OPENSSL_NO_BF
+- BF_set_key(&bf_ks, 16, key16);
++ if (doit[D_CBC_BF]) {
++ BF_set_key(&bf_ks, 16, key16);
++ }
+ #endif
+ #ifndef OPENSSL_NO_CAST
+- CAST_set_key(&cast_ks, 16, key16);
++ if (doit[D_CBC_CAST]) {
++ CAST_set_key(&cast_ks, 16, key16);
++ }
+ #endif
+ #ifndef SIGALRM
+ # ifndef OPENSSL_NO_DES
+@@ -2059,6 +2084,7 @@ int speed_main(int argc, char **argv)
+
+ for (i = 0; i < loopargs_len; i++) {
+ loopargs[i].hctx = HMAC_CTX_new();
++ HMAC_CTX_set_flags(loopargs[i].hctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ if (loopargs[i].hctx == NULL) {
+ BIO_printf(bio_err, "HMAC malloc failure, exiting...");
+ exit(1);
+diff -up openssl-1.1.1-pre8/Configure.fips openssl-1.1.1-pre8/Configure
+--- openssl-1.1.1-pre8/Configure.fips 2018-07-25 17:26:58.399624560 +0200
++++ openssl-1.1.1-pre8/Configure 2018-07-25 17:26:58.402624632 +0200
+@@ -306,7 +306,7 @@ $config{sdirs} = [
+ "md2", "md4", "md5", "sha", "mdc2", "hmac", "ripemd", "whrlpool", "poly1305", "blake2", "siphash", "sm3",
+ "des", "aes", "rc2", "rc4", "rc5", "idea", "aria", "bf", "cast", "camellia", "seed", "sm4", "chacha", "modes",
+ "bn", "ec", "rsa", "dsa", "dh", "sm2", "dso", "engine",
+- "buffer", "bio", "stack", "lhash", "rand", "err",
++ "buffer", "bio", "stack", "lhash", "rand", "err", "fips",
+ "evp", "asn1", "pem", "x509", "x509v3", "conf", "txt_db", "pkcs7", "pkcs12", "comp", "ocsp", "ui",
+ "cms", "ts", "srp", "cmac", "ct", "async", "kdf", "store"
+ ];
+diff -up openssl-1.1.1-pre8/crypto/dh/dh_err.c.fips openssl-1.1.1-pre8/crypto/dh/dh_err.c
+--- openssl-1.1.1-pre8/crypto/dh/dh_err.c.fips 2018-06-20 16:48:10.000000000 +0200
++++ openssl-1.1.1-pre8/crypto/dh/dh_err.c 2018-07-25 17:26:58.402624632 +0200
+@@ -25,6 +25,9 @@ static const ERR_STRING_DATA DH_str_func
+ {ERR_PACK(ERR_LIB_DH, DH_F_DH_CMS_SET_PEERKEY, 0), "dh_cms_set_peerkey"},
+ {ERR_PACK(ERR_LIB_DH, DH_F_DH_CMS_SET_SHARED_INFO, 0),
+ "dh_cms_set_shared_info"},
++ {ERR_PACK(ERR_LIB_DH, DH_F_DH_COMPUTE_KEY, 0), "DH_compute_key"},
++ {ERR_PACK(ERR_LIB_DH, DH_F_DH_GENERATE_KEY, 0), "DH_generate_key"},
++ {ERR_PACK(ERR_LIB_DH, DH_F_DH_GENERATE_PARAMETERS_EX, 0), "DH_generate_parameters_ex"},
+ {ERR_PACK(ERR_LIB_DH, DH_F_DH_METH_DUP, 0), "DH_meth_dup"},
+ {ERR_PACK(ERR_LIB_DH, DH_F_DH_METH_NEW, 0), "DH_meth_new"},
+ {ERR_PACK(ERR_LIB_DH, DH_F_DH_METH_SET1_NAME, 0), "DH_meth_set1_name"},
+@@ -72,12 +75,14 @@ static const ERR_STRING_DATA DH_str_reas
+ {ERR_PACK(ERR_LIB_DH, 0, DH_R_INVALID_PUBKEY), "invalid public key"},
+ {ERR_PACK(ERR_LIB_DH, 0, DH_R_KDF_PARAMETER_ERROR), "kdf parameter error"},
+ {ERR_PACK(ERR_LIB_DH, 0, DH_R_KEYS_NOT_SET), "keys not set"},
++ {ERR_PACK(ERR_LIB_DH, 0, DH_R_KEY_SIZE_TOO_SMALL), "key size too small"},
+ {ERR_PACK(ERR_LIB_DH, 0, DH_R_MISSING_PUBKEY), "missing pubkey"},
+ {ERR_PACK(ERR_LIB_DH, 0, DH_R_MODULUS_TOO_LARGE), "modulus too large"},
+ {ERR_PACK(ERR_LIB_DH, 0, DH_R_NOT_SUITABLE_GENERATOR),
+ "not suitable generator"},
+ {ERR_PACK(ERR_LIB_DH, 0, DH_R_NO_PARAMETERS_SET), "no parameters set"},
+ {ERR_PACK(ERR_LIB_DH, 0, DH_R_NO_PRIVATE_VALUE), "no private value"},
++ {ERR_PACK(ERR_LIB_DH, 0, DH_R_NON_FIPS_METHOD), "non FIPS method"},
+ {ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR),
+ "parameter encoding error"},
+ {ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"},
+diff -up openssl-1.1.1-pre8/crypto/dh/dh_gen.c.fips openssl-1.1.1-pre8/crypto/dh/dh_gen.c
+--- openssl-1.1.1-pre8/crypto/dh/dh_gen.c.fips 2018-06-20 16:48:10.000000000 +0200
++++ openssl-1.1.1-pre8/crypto/dh/dh_gen.c 2018-07-25 17:26:58.402624632 +0200
+@@ -16,6 +16,9 @@
+ #include "internal/cryptlib.h"
+ #include <openssl/bn.h>
+ #include "dh_locl.h"
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
+
+ static int dh_builtin_genparams(DH *ret, int prime_len, int generator,
+ BN_GENCB *cb);
+@@ -23,6 +26,13 @@ static int dh_builtin_genparams(DH *ret,
+ int DH_generate_parameters_ex(DH *ret, int prime_len, int generator,
+ BN_GENCB *cb)
+ {
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode() && !(ret->meth->flags & DH_FLAG_FIPS_METHOD)
++ && !(ret->flags & DH_FLAG_NON_FIPS_ALLOW)) {
++ DHerr(DH_F_DH_GENERATE_PARAMETERS_EX, DH_R_NON_FIPS_METHOD);
++ return 0;
++ }
++#endif
+ if (ret->meth->generate_params)
+ return ret->meth->generate_params(ret, prime_len, generator, cb);
+ return dh_builtin_genparams(ret, prime_len, generator, cb);
+@@ -62,6 +72,18 @@ static int dh_builtin_genparams(DH *ret,
+ int g, ok = -1;
+ BN_CTX *ctx = NULL;
+
++#ifdef OPENSSL_FIPS
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_DH_BUILTIN_GENPARAMS, FIPS_R_FIPS_SELFTEST_FAILED);
++ return 0;
++ }
++
++ if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN)) {
++ DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL);
++ goto err;
++ }
++#endif
++
+ ctx = BN_CTX_new();
+ if (ctx == NULL)
+ goto err;
+diff -up openssl-1.1.1-pre8/crypto/dh/dh_key.c.fips openssl-1.1.1-pre8/crypto/dh/dh_key.c
+--- openssl-1.1.1-pre8/crypto/dh/dh_key.c.fips 2018-06-20 16:48:10.000000000 +0200
++++ openssl-1.1.1-pre8/crypto/dh/dh_key.c 2018-07-25 17:26:58.402624632 +0200
+@@ -11,6 +11,9 @@
+ #include "internal/cryptlib.h"
+ #include "dh_locl.h"
+ #include "internal/bn_int.h"
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
+
+ static int generate_key(DH *dh);
+ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh);
+@@ -22,18 +25,32 @@ static int dh_finish(DH *dh);
+
+ int DH_generate_key(DH *dh)
+ {
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode() && !(dh->meth->flags & DH_FLAG_FIPS_METHOD)
++ && !(dh->flags & DH_FLAG_NON_FIPS_ALLOW)) {
++ DHerr(DH_F_DH_GENERATE_KEY, DH_R_NON_FIPS_METHOD);
++ return 0;
++ }
++#endif
+ return dh->meth->generate_key(dh);
+ }
+
+ int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
+ {
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode() && !(dh->meth->flags & DH_FLAG_FIPS_METHOD)
++ && !(dh->flags & DH_FLAG_NON_FIPS_ALLOW)) {
++ DHerr(DH_F_DH_COMPUTE_KEY, DH_R_NON_FIPS_METHOD);
++ return 0;
++ }
++#endif
+ return dh->meth->compute_key(key, pub_key, dh);
+ }
+
+ int DH_compute_key_padded(unsigned char *key, const BIGNUM *pub_key, DH *dh)
+ {
+ int rv, pad;
+- rv = dh->meth->compute_key(key, pub_key, dh);
++ rv = DH_compute_key(key, pub_key, dh);
+ if (rv <= 0)
+ return rv;
+ pad = BN_num_bytes(dh->p) - rv;
+@@ -82,6 +99,14 @@ static int generate_key(DH *dh)
+ BN_MONT_CTX *mont = NULL;
+ BIGNUM *pub_key = NULL, *priv_key = NULL;
+
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode()
++ && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) {
++ DHerr(DH_F_GENERATE_KEY, DH_R_KEY_SIZE_TOO_SMALL);
++ return 0;
++ }
++#endif
++
+ if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
+ DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE);
+ return 0;
+@@ -170,6 +195,13 @@ static int compute_key(unsigned char *ke
+ DHerr(DH_F_COMPUTE_KEY, DH_R_MODULUS_TOO_LARGE);
+ goto err;
+ }
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode()
++ && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) {
++ DHerr(DH_F_COMPUTE_KEY, DH_R_KEY_SIZE_TOO_SMALL);
++ goto err;
++ }
++#endif
+
+ ctx = BN_CTX_new();
+ if (ctx == NULL)
+@@ -221,6 +253,9 @@ static int dh_bn_mod_exp(const DH *dh, B
+
+ static int dh_init(DH *dh)
+ {
++#ifdef OPENSSL_FIPS
++ FIPS_selftest_check();
++#endif
+ dh->flags |= DH_FLAG_CACHE_MONT_P;
+ return 1;
+ }
+diff -up openssl-1.1.1-pre8/crypto/dsa/dsa_err.c.fips openssl-1.1.1-pre8/crypto/dsa/dsa_err.c
+--- openssl-1.1.1-pre8/crypto/dsa/dsa_err.c.fips 2018-06-20 16:48:10.000000000 +0200
++++ openssl-1.1.1-pre8/crypto/dsa/dsa_err.c 2018-07-25 17:26:58.402624632 +0200
+@@ -16,12 +16,15 @@
+ static const ERR_STRING_DATA DSA_str_functs[] = {
+ {ERR_PACK(ERR_LIB_DSA, DSA_F_DSAPARAMS_PRINT, 0), "DSAparams_print"},
+ {ERR_PACK(ERR_LIB_DSA, DSA_F_DSAPARAMS_PRINT_FP, 0), "DSAparams_print_fp"},
++ {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_BUILTIN_KEYGEN, 0), "dsa_builtin_keygen"},
+ {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_BUILTIN_PARAMGEN, 0),
+ "dsa_builtin_paramgen"},
+ {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_BUILTIN_PARAMGEN2, 0),
+ "dsa_builtin_paramgen2"},
+ {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_DO_SIGN, 0), "DSA_do_sign"},
+ {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_DO_VERIFY, 0), "DSA_do_verify"},
++ {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_GENERATE_KEY, 0), "DSA_generate_key"},
++ {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_GENERATE_PARAMETERS_EX, 0), "DSA_generate_parameters_ex"},
+ {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_METH_DUP, 0), "DSA_meth_dup"},
+ {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_METH_NEW, 0), "DSA_meth_new"},
+ {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_METH_SET1_NAME, 0), "DSA_meth_set1_name"},
+@@ -51,9 +54,12 @@ static const ERR_STRING_DATA DSA_str_rea
+ {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_INVALID_DIGEST_TYPE),
+ "invalid digest type"},
+ {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_INVALID_PARAMETERS), "invalid parameters"},
++ {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_KEY_SIZE_INVALID), "key size invalid"},
++ {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_KEY_SIZE_TOO_SMALL), "key size too small"},
+ {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MISSING_PARAMETERS), "missing parameters"},
+ {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MODULUS_TOO_LARGE), "modulus too large"},
+ {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_NO_PARAMETERS_SET), "no parameters set"},
++ {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_NON_FIPS_DSA_METHOD), "non FIPS DSA method"},
+ {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_PARAMETER_ENCODING_ERROR),
+ "parameter encoding error"},
+ {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_Q_NOT_PRIME), "q not prime"},
+diff -up openssl-1.1.1-pre8/crypto/dsa/dsa_gen.c.fips openssl-1.1.1-pre8/crypto/dsa/dsa_gen.c
+--- openssl-1.1.1-pre8/crypto/dsa/dsa_gen.c.fips 2018-06-20 16:48:10.000000000 +0200
++++ openssl-1.1.1-pre8/crypto/dsa/dsa_gen.c 2018-07-25 17:26:58.403624656 +0200
+@@ -22,12 +22,22 @@
+ #include <openssl/rand.h>
+ #include <openssl/sha.h>
+ #include "dsa_locl.h"
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
+
+ int DSA_generate_parameters_ex(DSA *ret, int bits,
+ const unsigned char *seed_in, int seed_len,
+ int *counter_ret, unsigned long *h_ret,
+ BN_GENCB *cb)
+ {
++# ifdef OPENSSL_FIPS
++ if (FIPS_mode() && !(ret->meth->flags & DSA_FLAG_FIPS_METHOD)
++ && !(ret->flags & DSA_FLAG_NON_FIPS_ALLOW)) {
++ DSAerr(DSA_F_DSA_GENERATE_PARAMETERS_EX, DSA_R_NON_FIPS_DSA_METHOD);
++ return 0;
++ }
++# endif
+ if (ret->meth->dsa_paramgen)
+ return ret->meth->dsa_paramgen(ret, bits, seed_in, seed_len,
+ counter_ret, h_ret, cb);
+@@ -35,9 +45,15 @@ int DSA_generate_parameters_ex(DSA *ret,
+ const EVP_MD *evpmd = bits >= 2048 ? EVP_sha256() : EVP_sha1();
+ size_t qbits = EVP_MD_size(evpmd) * 8;
+
++# ifdef OPENSSL_FIPS
++ return dsa_builtin_paramgen2(ret, bits, qbits, evpmd,
++ seed_in, seed_len, -1, NULL, counter_ret,
++ h_ret, cb);
++# else
+ return dsa_builtin_paramgen(ret, bits, qbits, evpmd,
+ seed_in, seed_len, NULL, counter_ret,
+ h_ret, cb);
++# endif
+ }
+ }
+
+@@ -310,7 +326,7 @@ int dsa_builtin_paramgen2(DSA *ret, size
+ int *counter_ret, unsigned long *h_ret,
+ BN_GENCB *cb)
+ {
+- int ok = -1;
++ int ok = 0;
+ unsigned char *seed = NULL, *seed_tmp = NULL;
+ unsigned char md[EVP_MAX_MD_SIZE];
+ int mdsize;
+@@ -327,6 +343,20 @@ int dsa_builtin_paramgen2(DSA *ret, size
+ if (mctx == NULL)
+ goto err;
+
++# ifdef OPENSSL_FIPS
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_DSA_BUILTIN_PARAMGEN2, FIPS_R_FIPS_SELFTEST_FAILED);
++ goto err;
++ }
++
++ if (FIPS_mode() && (L != 1024 || N != 160) &&
++ (L != 2048 || N != 224) && (L != 2048 || N != 256) &&
++ (L != 3072 || N != 256)) {
++ DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_KEY_SIZE_INVALID);
++ goto err;
++ }
++# endif
++
+ if (evpmd == NULL) {
+ if (N == 160)
+ evpmd = EVP_sha1();
+@@ -427,9 +457,10 @@ int dsa_builtin_paramgen2(DSA *ret, size
+ goto err;
+ /* Provided seed didn't produce a prime: error */
+ if (seed_in) {
+- ok = 0;
+- DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_Q_NOT_PRIME);
+- goto err;
++ /* Different seed_out will indicate that seed_in
++ * did not generate primes.
++ */
++ seed_in = NULL;
+ }
+
+ /* do a callback call */
+@@ -515,11 +546,14 @@ int dsa_builtin_paramgen2(DSA *ret, size
+ if (counter >= (int)(4 * L))
+ break;
+ }
++#if 0
++ /* Cannot happen */
+ if (seed_in) {
+ ok = 0;
+ DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_INVALID_PARAMETERS);
+ goto err;
+ }
++#endif
+ }
+ end:
+ if (!BN_GENCB_call(cb, 2, 1))
+@@ -590,7 +624,7 @@ int dsa_builtin_paramgen2(DSA *ret, size
+ BN_free(ret->g);
+ ret->g = BN_dup(g);
+ if (ret->p == NULL || ret->q == NULL || ret->g == NULL) {
+- ok = -1;
++ ok = 0;
+ goto err;
+ }
+ if (counter_ret != NULL)
+@@ -608,3 +642,53 @@ int dsa_builtin_paramgen2(DSA *ret, size
+ EVP_MD_CTX_free(mctx);
+ return ok;
+ }
++
++#ifdef OPENSSL_FIPS
++
++int FIPS_dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N,
++ const EVP_MD *evpmd, const unsigned char *seed_in,
++ size_t seed_len, int idx, unsigned char *seed_out,
++ int *counter_ret, unsigned long *h_ret,
++ BN_GENCB *cb)
++{
++ return dsa_builtin_paramgen2(ret, L, N, evpmd, seed_in, seed_len,
++ idx, seed_out, counter_ret, h_ret, cb);
++}
++
++int FIPS_dsa_paramgen_check_g(DSA *dsa)
++{
++ BN_CTX *ctx;
++ BIGNUM *tmp;
++ BN_MONT_CTX *mont = NULL;
++ int rv = -1;
++
++ ctx = BN_CTX_new();
++ if (ctx == NULL)
++ return -1;
++ BN_CTX_start(ctx);
++ if (BN_cmp(dsa->g, BN_value_one()) <= 0)
++ return 0;
++ if (BN_cmp(dsa->g, dsa->p) >= 0)
++ return 0;
++ tmp = BN_CTX_get(ctx);
++ if (tmp == NULL)
++ goto err;
++ if ((mont=BN_MONT_CTX_new()) == NULL)
++ goto err;
++ if (!BN_MONT_CTX_set(mont,dsa->p,ctx))
++ goto err;
++ /* Work out g^q mod p */
++ if (!BN_mod_exp_mont(tmp,dsa->g,dsa->q, dsa->p, ctx, mont))
++ goto err;
++ if (!BN_cmp(tmp, BN_value_one()))
++ rv = 1;
++ else
++ rv = 0;
++ err:
++ BN_CTX_end(ctx);
++ BN_MONT_CTX_free(mont);
++ BN_CTX_free(ctx);
++ return rv;
++}
++
++#endif
+diff -up openssl-1.1.1-pre8/crypto/dsa/dsa_key.c.fips openssl-1.1.1-pre8/crypto/dsa/dsa_key.c
+--- openssl-1.1.1-pre8/crypto/dsa/dsa_key.c.fips 2018-06-20 16:48:10.000000000 +0200
++++ openssl-1.1.1-pre8/crypto/dsa/dsa_key.c 2018-07-25 17:26:58.403624656 +0200
+@@ -13,10 +13,49 @@
+ #include <openssl/bn.h>
+ #include "dsa_locl.h"
+
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++# include "internal/fips_int.h"
++
++static int fips_check_dsa(DSA *dsa)
++{
++ EVP_PKEY *pk;
++ unsigned char tbs[] = "DSA Pairwise Check Data";
++ int ret = 0;
++
++ if ((pk = EVP_PKEY_new()) == NULL)
++ goto err;
++
++ EVP_PKEY_set1_DSA(pk, dsa);
++
++ if (fips_pkey_signature_test(pk, tbs, -1, NULL, 0, NULL, 0, NULL))
++ ret = 1;
++
++ err:
++ if (ret == 0) {
++ FIPSerr(FIPS_F_FIPS_CHECK_DSA, FIPS_R_PAIRWISE_TEST_FAILED);
++ fips_set_selftest_fail();
++ }
++
++ if (pk)
++ EVP_PKEY_free(pk);
++
++ return ret;
++}
++
++#endif
++
+ static int dsa_builtin_keygen(DSA *dsa);
+
+ int DSA_generate_key(DSA *dsa)
+ {
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD)
++ && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)) {
++ DSAerr(DSA_F_DSA_GENERATE_KEY, DSA_R_NON_FIPS_DSA_METHOD);
++ return 0;
++ }
++#endif
+ if (dsa->meth->dsa_keygen)
+ return dsa->meth->dsa_keygen(dsa);
+ return dsa_builtin_keygen(dsa);
+@@ -28,6 +67,14 @@ static int dsa_builtin_keygen(DSA *dsa)
+ BN_CTX *ctx = NULL;
+ BIGNUM *pub_key = NULL, *priv_key = NULL;
+
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
++ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS_GEN)) {
++ DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL);
++ goto err;
++ }
++#endif
++
+ if ((ctx = BN_CTX_new()) == NULL)
+ goto err;
+
+@@ -65,6 +112,13 @@ static int dsa_builtin_keygen(DSA *dsa)
+
+ dsa->priv_key = priv_key;
+ dsa->pub_key = pub_key;
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode() && !fips_check_dsa(dsa)) {
++ dsa->pub_key = NULL;
++ dsa->priv_key = NULL;
++ goto err;
++ }
++#endif
+ ok = 1;
+
+ err:
+diff -up openssl-1.1.1-pre8/crypto/dsa/dsa_ossl.c.fips openssl-1.1.1-pre8/crypto/dsa/dsa_ossl.c
+--- openssl-1.1.1-pre8/crypto/dsa/dsa_ossl.c.fips 2018-06-20 16:48:10.000000000 +0200
++++ openssl-1.1.1-pre8/crypto/dsa/dsa_ossl.c 2018-07-25 17:26:58.403624656 +0200
+@@ -13,6 +13,9 @@
+ #include <openssl/sha.h>
+ #include "dsa_locl.h"
+ #include <openssl/asn1.h>
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
+
+ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
+ static int dsa_sign_setup_no_digest(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
+@@ -66,6 +69,19 @@ static DSA_SIG *dsa_do_sign(const unsign
+ DSA_SIG *ret = NULL;
+ int rv = 0;
+
++#ifdef OPENSSL_FIPS
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_DSA_DO_SIGN, FIPS_R_FIPS_SELFTEST_FAILED);
++ return NULL;
++ }
++
++ if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
++ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) {
++ DSAerr(DSA_F_DSA_DO_SIGN, DSA_R_KEY_SIZE_TOO_SMALL);
++ return NULL;
++ }
++#endif
++
+ m = BN_new();
+ xr = BN_new();
+ if (m == NULL || xr == NULL)
+@@ -264,6 +280,18 @@ static int dsa_do_verify(const unsigned
+ DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_BAD_Q_VALUE);
+ return -1;
+ }
++#ifdef OPENSSL_FIPS
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_DSA_DO_VERIFY, FIPS_R_FIPS_SELFTEST_FAILED);
++ return -1;
++ }
++
++ if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
++ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) {
++ DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_KEY_SIZE_TOO_SMALL);
++ return -1;
++ }
++#endif
+
+ if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) {
+ DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_MODULUS_TOO_LARGE);
+@@ -352,6 +380,9 @@ static int dsa_do_verify(const unsigned
+
+ static int dsa_init(DSA *dsa)
+ {
++#ifdef OPENSSL_FIPS
++ FIPS_selftest_check();
++#endif
+ dsa->flags |= DSA_FLAG_CACHE_MONT_P;
+ return 1;
+ }
+diff -up openssl-1.1.1-pre8/crypto/dsa/dsa_pmeth.c.fips openssl-1.1.1-pre8/crypto/dsa/dsa_pmeth.c
+--- openssl-1.1.1-pre8/crypto/dsa/dsa_pmeth.c.fips 2018-06-20 16:48:10.000000000 +0200
++++ openssl-1.1.1-pre8/crypto/dsa/dsa_pmeth.c 2018-07-25 17:26:58.403624656 +0200
+@@ -221,8 +221,8 @@ static int pkey_dsa_paramgen(EVP_PKEY_CT
+ BN_GENCB_free(pcb);
+ return 0;
+ }
+- ret = dsa_builtin_paramgen(dsa, dctx->nbits, dctx->qbits, dctx->pmd,
+- NULL, 0, NULL, NULL, NULL, pcb);
++ ret = dsa_builtin_paramgen2(dsa, dctx->nbits, dctx->qbits, dctx->pmd,
++ NULL, 0, -1, NULL, NULL, NULL, pcb);
+ BN_GENCB_free(pcb);
+ if (ret)
+ EVP_PKEY_assign_DSA(pkey, dsa);
+diff -up openssl-1.1.1-pre8/crypto/ec/ecdh_ossl.c.fips openssl-1.1.1-pre8/crypto/ec/ecdh_ossl.c
+--- openssl-1.1.1-pre8/crypto/ec/ecdh_ossl.c.fips 2018-06-20 16:48:10.000000000 +0200
++++ openssl-1.1.1-pre8/crypto/ec/ecdh_ossl.c 2018-07-25 17:26:58.403624656 +0200
+@@ -19,9 +19,20 @@
+ #include <openssl/ec.h>
+ #include "ec_lcl.h"
+
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
++
+ int ossl_ecdh_compute_key(unsigned char **psec, size_t *pseclen,
+ const EC_POINT *pub_key, const EC_KEY *ecdh)
+ {
++#ifdef OPENSSL_FIPS
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_ECDH_COMPUTE_KEY, FIPS_R_FIPS_SELFTEST_FAILED);
++ return -1;
++ }
++#endif
++
+ if (ecdh->group->meth->ecdh_compute_key == NULL) {
+ ECerr(EC_F_OSSL_ECDH_COMPUTE_KEY, EC_R_CURVE_DOES_NOT_SUPPORT_ECDH);
+ return 0;
+diff -up openssl-1.1.1-pre8/crypto/ec/ecdsa_ossl.c.fips openssl-1.1.1-pre8/crypto/ec/ecdsa_ossl.c
+--- openssl-1.1.1-pre8/crypto/ec/ecdsa_ossl.c.fips 2018-06-20 16:48:10.000000000 +0200
++++ openssl-1.1.1-pre8/crypto/ec/ecdsa_ossl.c 2018-07-25 17:26:58.403624656 +0200
+@@ -15,6 +15,10 @@
+ #include <openssl/ec.h>
+ #include "ec_lcl.h"
+
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
++
+ int ossl_ecdsa_sign(int type, const unsigned char *dgst, int dlen,
+ unsigned char *sig, unsigned int *siglen,
+ const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey)
+@@ -204,6 +208,13 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns
+ ECDSA_SIG *ret;
+ const BIGNUM *priv_key;
+
++#ifdef OPENSSL_FIPS
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_OSSL_ECDSA_SIGN_SIG, FIPS_R_FIPS_SELFTEST_FAILED);
++ return NULL;
++ }
++#endif
++
+ group = EC_KEY_get0_group(eckey);
+ priv_key = EC_KEY_get0_private_key(eckey);
+
+@@ -408,6 +419,13 @@ int ossl_ecdsa_verify_sig(const unsigned
+ const EC_GROUP *group;
+ const EC_POINT *pub_key;
+
++#ifdef OPENSSL_FIPS
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_OSSL_ECDSA_VERIFY_SIG, FIPS_R_FIPS_SELFTEST_FAILED);
++ return NULL;
++ }
++#endif
++
+ /* check input values */
+ if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL ||
+ (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL) {
+diff -up openssl-1.1.1-pre8/crypto/ec/ec_key.c.fips openssl-1.1.1-pre8/crypto/ec/ec_key.c
+--- openssl-1.1.1-pre8/crypto/ec/ec_key.c.fips 2018-06-20 16:48:10.000000000 +0200
++++ openssl-1.1.1-pre8/crypto/ec/ec_key.c 2018-07-25 17:26:58.403624656 +0200
+@@ -178,14 +178,62 @@ ENGINE *EC_KEY_get0_engine(const EC_KEY
+ return eckey->engine;
+ }
+
++#ifdef OPENSSL_FIPS
++
++# include <openssl/fips.h>
++# include "internal/fips_int.h"
++
++static int fips_check_ec(EC_KEY *key)
++{
++ EVP_PKEY *pk;
++ unsigned char tbs[] = "ECDSA Pairwise Check Data";
++ int ret = 0;
++
++ if (!EC_KEY_can_sign(key)) /* no test for non-signing keys */
++ return 1;
++
++ if ((pk = EVP_PKEY_new()) == NULL)
++ goto err;
++
++ EVP_PKEY_set1_EC_KEY(pk, key);
++
++ if (fips_pkey_signature_test(pk, tbs, -1, NULL, 0, NULL, 0, NULL))
++ ret = 1;
++
++ err:
++ if (ret == 0) {
++ FIPSerr(FIPS_F_FIPS_CHECK_EC, FIPS_R_PAIRWISE_TEST_FAILED);
++ fips_set_selftest_fail();
++ }
++ if (pk)
++ EVP_PKEY_free(pk);
++ return ret;
++}
++
++#endif
++
+ int EC_KEY_generate_key(EC_KEY *eckey)
+ {
++#ifdef OPENSSL_FIPS
++ if (FIPS_selftest_failed()) {
++ ECerr(EC_F_EC_KEY_GENERATE_KEY, EC_R_NOT_INITIALIZED);
++ return 0;
++ }
++#endif
+ if (eckey == NULL || eckey->group == NULL) {
+ ECerr(EC_F_EC_KEY_GENERATE_KEY, ERR_R_PASSED_NULL_PARAMETER);
+ return 0;
+ }
+- if (eckey->meth->keygen != NULL)
+- return eckey->meth->keygen(eckey);
++ if (eckey->meth->keygen != NULL) {
++ int rv = eckey->meth->keygen(eckey);
++
++#ifdef OPENSSL_FIPS
++ if (rv > 0 && FIPS_mode()) {
++ rv = fips_check_ec(eckey);
++ }
++#endif
++ return rv;
++ }
+ ECerr(EC_F_EC_KEY_GENERATE_KEY, EC_R_OPERATION_NOT_SUPPORTED);
+ return 0;
+ }
+diff -up openssl-1.1.1-pre8/crypto/evp/c_allc.c.fips openssl-1.1.1-pre8/crypto/evp/c_allc.c
+--- openssl-1.1.1-pre8/crypto/evp/c_allc.c.fips 2018-06-20 16:48:10.000000000 +0200
++++ openssl-1.1.1-pre8/crypto/evp/c_allc.c 2018-07-25 17:26:58.404624680 +0200
+@@ -17,6 +17,9 @@
+ void openssl_add_all_ciphers_int(void)
+ {
+
++#ifdef OPENSSL_FIPS
++ if (!FIPS_mode()) {
++#endif
+ #ifndef OPENSSL_NO_DES
+ EVP_add_cipher(EVP_des_cfb());
+ EVP_add_cipher(EVP_des_cfb1());
+@@ -263,4 +266,70 @@ void openssl_add_all_ciphers_int(void)
+ EVP_add_cipher(EVP_chacha20_poly1305());
+ # endif
+ #endif
++#ifdef OPENSSL_FIPS
++ } else {
++# ifndef OPENSSL_NO_DES
++ EVP_add_cipher(EVP_des_ede3_cfb());
++
++ EVP_add_cipher(EVP_des_ede3_ofb());
++
++ EVP_add_cipher(EVP_des_ede3_cbc());
++ EVP_add_cipher_alias(SN_des_ede3_cbc, "DES3");
++ EVP_add_cipher_alias(SN_des_ede3_cbc, "des3");
++
++ EVP_add_cipher(EVP_des_ede3());
++ EVP_add_cipher_alias(SN_des_ede3_ecb, "DES-EDE3-ECB");
++ EVP_add_cipher_alias(SN_des_ede3_ecb, "des-ede3-ecb");
++ EVP_add_cipher(EVP_des_ede3_wrap());
++ EVP_add_cipher_alias(SN_id_smime_alg_CMS3DESwrap, "des3-wrap");
++# endif
++
++# ifndef OPENSSL_NO_AES
++ EVP_add_cipher(EVP_aes_128_ecb());
++ EVP_add_cipher(EVP_aes_128_cbc());
++ EVP_add_cipher(EVP_aes_128_cfb());
++ EVP_add_cipher(EVP_aes_128_cfb1());
++ EVP_add_cipher(EVP_aes_128_cfb8());
++ EVP_add_cipher(EVP_aes_128_ofb());
++ EVP_add_cipher(EVP_aes_128_ctr());
++ EVP_add_cipher(EVP_aes_128_gcm());
++ EVP_add_cipher(EVP_aes_128_xts());
++ EVP_add_cipher(EVP_aes_128_ccm());
++ EVP_add_cipher(EVP_aes_128_wrap());
++ EVP_add_cipher_alias(SN_id_aes128_wrap, "aes128-wrap");
++ EVP_add_cipher(EVP_aes_128_wrap_pad());
++ EVP_add_cipher_alias(SN_aes_128_cbc, "AES128");
++ EVP_add_cipher_alias(SN_aes_128_cbc, "aes128");
++ EVP_add_cipher(EVP_aes_192_ecb());
++ EVP_add_cipher(EVP_aes_192_cbc());
++ EVP_add_cipher(EVP_aes_192_cfb());
++ EVP_add_cipher(EVP_aes_192_cfb1());
++ EVP_add_cipher(EVP_aes_192_cfb8());
++ EVP_add_cipher(EVP_aes_192_ofb());
++ EVP_add_cipher(EVP_aes_192_ctr());
++ EVP_add_cipher(EVP_aes_192_gcm());
++ EVP_add_cipher(EVP_aes_192_ccm());
++ EVP_add_cipher(EVP_aes_192_wrap());
++ EVP_add_cipher_alias(SN_id_aes192_wrap, "aes192-wrap");
++ EVP_add_cipher(EVP_aes_192_wrap_pad());
++ EVP_add_cipher_alias(SN_aes_192_cbc, "AES192");
++ EVP_add_cipher_alias(SN_aes_192_cbc, "aes192");
++ EVP_add_cipher(EVP_aes_256_ecb());
++ EVP_add_cipher(EVP_aes_256_cbc());
++ EVP_add_cipher(EVP_aes_256_cfb());
++ EVP_add_cipher(EVP_aes_256_cfb1());
++ EVP_add_cipher(EVP_aes_256_cfb8());
++ EVP_add_cipher(EVP_aes_256_ofb());
++ EVP_add_cipher(EVP_aes_256_ctr());
++ EVP_add_cipher(EVP_aes_256_gcm());
++ EVP_add_cipher(EVP_aes_256_xts());
++ EVP_add_cipher(EVP_aes_256_ccm());
++ EVP_add_cipher(EVP_aes_256_wrap());
++ EVP_add_cipher_alias(SN_id_aes256_wrap, "aes256-wrap");
++ EVP_add_cipher(EVP_aes_256_wrap_pad());
++ EVP_add_cipher_alias(SN_aes_256_cbc, "AES256");
++ EVP_add_cipher_alias(SN_aes_256_cbc, "aes256");
++# endif
++ }
++#endif
+ }
+diff -up openssl-1.1.1-pre8/crypto/evp/c_alld.c.fips openssl-1.1.1-pre8/crypto/evp/c_alld.c
+--- openssl-1.1.1-pre8/crypto/evp/c_alld.c.fips 2018-06-20 16:48:10.000000000 +0200
++++ openssl-1.1.1-pre8/crypto/evp/c_alld.c 2018-07-25 17:26:58.404624680 +0200
+@@ -16,6 +16,9 @@
+
+ void openssl_add_all_digests_int(void)
+ {
++#ifdef OPENSSL_FIPS
++ if (!FIPS_mode()) {
++#endif
+ #ifndef OPENSSL_NO_MD4
+ EVP_add_digest(EVP_md4());
+ #endif
+@@ -57,4 +60,24 @@ void openssl_add_all_digests_int(void)
+ EVP_add_digest(EVP_sha3_512());
+ EVP_add_digest(EVP_shake128());
+ EVP_add_digest(EVP_shake256());
++#ifdef OPENSSL_FIPS
++ } else {
++ EVP_add_digest(EVP_md5_sha1());
++ EVP_add_digest(EVP_sha1());
++ EVP_add_digest_alias(SN_sha1, "ssl3-sha1");
++ EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA);
++ EVP_add_digest(EVP_sha224());
++ EVP_add_digest(EVP_sha256());
++ EVP_add_digest(EVP_sha384());
++ EVP_add_digest(EVP_sha512());
++ EVP_add_digest(EVP_sha512_224());
++ EVP_add_digest(EVP_sha512_256());
++ EVP_add_digest(EVP_sha3_224());
++ EVP_add_digest(EVP_sha3_256());
++ EVP_add_digest(EVP_sha3_384());
++ EVP_add_digest(EVP_sha3_512());
++ EVP_add_digest(EVP_shake128());
++ EVP_add_digest(EVP_shake256());
++ }
++#endif
+ }
+diff -up openssl-1.1.1-pre8/crypto/evp/digest.c.fips openssl-1.1.1-pre8/crypto/evp/digest.c
+--- openssl-1.1.1-pre8/crypto/evp/digest.c.fips 2018-06-20 16:48:10.000000000 +0200
++++ openssl-1.1.1-pre8/crypto/evp/digest.c 2018-07-25 17:26:58.404624680 +0200
+@@ -14,6 +14,9 @@
+ #include <openssl/engine.h>
+ #include "internal/evp_int.h"
+ #include "evp_locl.h"
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
+
+ /* This call frees resources associated with the context */
+ int EVP_MD_CTX_reset(EVP_MD_CTX *ctx)
+@@ -61,6 +64,12 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, cons
+ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
+ {
+ EVP_MD_CTX_clear_flags(ctx, EVP_MD_CTX_FLAG_CLEANED);
++#ifdef OPENSSL_FIPS
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_EVP_DIGESTINIT_EX, FIPS_R_FIPS_SELFTEST_FAILED);
++ return 0;
++ }
++#endif
+ #ifndef OPENSSL_NO_ENGINE
+ /*
+ * Whether it's nice or not, "Inits" can be used on "Final"'d contexts so
+@@ -114,6 +123,15 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c
+ }
+ #endif
+ if (ctx->digest != type) {
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode()) {
++ if (!(type->flags & EVP_MD_FLAG_FIPS)
++ && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)) {
++ EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS);
++ return 0;
++ }
++ }
++#endif
+ if (ctx->digest && ctx->digest->ctx_size) {
+ OPENSSL_clear_free(ctx->md_data, ctx->digest->ctx_size);
+ ctx->md_data = NULL;
+@@ -145,6 +163,9 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c
+
+ int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count)
+ {
++#ifdef OPENSSL_FIPS
++ FIPS_selftest_check();
++#endif
+ return ctx->update(ctx, data, count);
+ }
+
+@@ -162,6 +183,9 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx,
+ {
+ int ret;
+
++#ifdef OPENSSL_FIPS
++ FIPS_selftest_check();
++#endif
+ OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
+ ret = ctx->digest->final(ctx, md);
+ if (size != NULL)
+diff -up openssl-1.1.1-pre8/crypto/evp/e_aes.c.fips openssl-1.1.1-pre8/crypto/evp/e_aes.c
+--- openssl-1.1.1-pre8/crypto/evp/e_aes.c.fips 2018-06-20 16:48:10.000000000 +0200
++++ openssl-1.1.1-pre8/crypto/evp/e_aes.c 2018-07-25 17:26:58.404624680 +0200
+@@ -2776,9 +2776,9 @@ static int aes_ctr_cipher(EVP_CIPHER_CTX
+ return 1;
+ }
+
+-BLOCK_CIPHER_generic_pack(NID_aes, 128, 0)
+- BLOCK_CIPHER_generic_pack(NID_aes, 192, 0)
+- BLOCK_CIPHER_generic_pack(NID_aes, 256, 0)
++BLOCK_CIPHER_generic_pack(NID_aes, 128, EVP_CIPH_FLAG_FIPS)
++ BLOCK_CIPHER_generic_pack(NID_aes, 192, EVP_CIPH_FLAG_FIPS)
++ BLOCK_CIPHER_generic_pack(NID_aes, 256, EVP_CIPH_FLAG_FIPS)
+
+ static int aes_gcm_cleanup(EVP_CIPHER_CTX *c)
+ {
+@@ -2824,6 +2824,11 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *
+ case EVP_CTRL_AEAD_SET_IVLEN:
+ if (arg <= 0)
+ return 0;
++# ifdef OPENSSL_FIPS
++ if (FIPS_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)
++ && arg < 12)
++ return 0;
++# endif
+ /* Allocate memory for IV if needed */
+ if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) {
+ if (gctx->iv != c->iv)
+@@ -3273,11 +3278,14 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX
+ | EVP_CIPH_CUSTOM_COPY)
+
+ BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, gcm, GCM,
+- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
++ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER |
++ CUSTOM_FLAGS)
+ BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, gcm, GCM,
+- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
++ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER |
++ CUSTOM_FLAGS)
+ BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, gcm, GCM,
+- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
++ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER |
++ CUSTOM_FLAGS)
+
+ static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
+ {
+@@ -3412,6 +3420,14 @@ static int aes_xts_cipher(EVP_CIPHER_CTX
+ return 0;
+ if (!out || !in || len < AES_BLOCK_SIZE)
+ return 0;
++# ifdef OPENSSL_FIPS
++ /* Requirement of SP800-38E */
++ if (FIPS_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) &&
++ (len > (1UL << 20) * 16)) {
++ EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_TOO_LARGE);
++ return 0;
++ }
++# endif
+ if (xctx->stream)
+ (*xctx->stream) (in, out, len,
+ xctx->xts.key1, xctx->xts.key2,
+@@ -3429,8 +3445,10 @@ static int aes_xts_cipher(EVP_CIPHER_CTX
+ | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
+ | EVP_CIPH_CUSTOM_COPY)
+
+-BLOCK_CIPHER_custom(NID_aes, 128, 1, 16, xts, XTS, XTS_FLAGS)
+- BLOCK_CIPHER_custom(NID_aes, 256, 1, 16, xts, XTS, XTS_FLAGS)
++BLOCK_CIPHER_custom(NID_aes, 128, 1, 16, xts, XTS,
++ EVP_CIPH_FLAG_FIPS | XTS_FLAGS)
++ BLOCK_CIPHER_custom(NID_aes, 256, 1, 16, xts, XTS,
++ EVP_CIPH_FLAG_FIPS | XTS_FLAGS)
+
+ static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
+ {
+@@ -3695,11 +3713,11 @@ static int aes_ccm_cipher(EVP_CIPHER_CTX
+ #define aes_ccm_cleanup NULL
+
+ BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, ccm, CCM,
+- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
++ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
+ BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, ccm, CCM,
+- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
++ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
+ BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, ccm, CCM,
+- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
++ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
+
+ typedef struct {
+ union {
+@@ -3792,7 +3810,7 @@ static int aes_wrap_cipher(EVP_CIPHER_CT
+ return rv ? (int)rv : -1;
+ }
+
+-#define WRAP_FLAGS (EVP_CIPH_WRAP_MODE \
++#define WRAP_FLAGS (EVP_CIPH_WRAP_MODE | EVP_CIPH_FLAG_FIPS \
+ | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
+ | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1)
+
+diff -up openssl-1.1.1-pre8/crypto/evp/e_des3.c.fips openssl-1.1.1-pre8/crypto/evp/e_des3.c
+--- openssl-1.1.1-pre8/crypto/evp/e_des3.c.fips 2018-06-20 16:48:10.000000000 +0200
++++ openssl-1.1.1-pre8/crypto/evp/e_des3.c 2018-07-25 17:26:58.405624704 +0200
+@@ -211,16 +211,19 @@ BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY,
+ # define des_ede3_cbc_cipher des_ede_cbc_cipher
+ # define des_ede3_ecb_cipher des_ede_ecb_cipher
+ BLOCK_CIPHER_defs(des_ede3, DES_EDE_KEY, NID_des_ede3, 8, 24, 8, 64,
+- EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_DEFAULT_ASN1,
+- des_ede3_init_key, NULL, NULL, NULL, des3_ctrl)
++ EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_FIPS |
++ EVP_CIPH_FLAG_DEFAULT_ASN1, des_ede3_init_key, NULL, NULL, NULL,
++ des3_ctrl)
+
+ BLOCK_CIPHER_def_cfb(des_ede3, DES_EDE_KEY, NID_des_ede3, 24, 8, 1,
+- EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_DEFAULT_ASN1,
+- des_ede3_init_key, NULL, NULL, NULL, des3_ctrl)
++ EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_FIPS |
++ EVP_CIPH_FLAG_DEFAULT_ASN1, des_ede3_init_key, NULL, NULL,
++ NULL, des3_ctrl)
+
+ BLOCK_CIPHER_def_cfb(des_ede3, DES_EDE_KEY, NID_des_ede3, 24, 8, 8,
+- EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_DEFAULT_ASN1,
+- des_ede3_init_key, NULL, NULL, NULL, des3_ctrl)
++ EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_FIPS |
++ EVP_CIPH_FLAG_DEFAULT_ASN1, des_ede3_init_key, NULL, NULL,
++ NULL, des3_ctrl)
+
+ static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+ const unsigned char *iv, int enc)
+diff -up openssl-1.1.1-pre8/crypto/evp/e_null.c.fips openssl-1.1.1-pre8/crypto/evp/e_null.c
+--- openssl-1.1.1-pre8/crypto/evp/e_null.c.fips 2018-06-20 16:48:10.000000000 +0200
++++ openssl-1.1.1-pre8/crypto/evp/e_null.c 2018-07-25 17:26:58.405624704 +0200
+@@ -19,7 +19,8 @@ static int null_cipher(EVP_CIPHER_CTX *c
+ const unsigned char *in, size_t inl);
+ static const EVP_CIPHER n_cipher = {
+ NID_undef,
+- 1, 0, 0, 0,
++ 1, 0, 0,
++ EVP_CIPH_FLAG_FIPS,
+ null_init_key,
+ null_cipher,
+ NULL,
+diff -up openssl-1.1.1-pre8/crypto/evp/evp_enc.c.fips openssl-1.1.1-pre8/crypto/evp/evp_enc.c
+--- openssl-1.1.1-pre8/crypto/evp/evp_enc.c.fips 2018-06-20 16:48:10.000000000 +0200
++++ openssl-1.1.1-pre8/crypto/evp/evp_enc.c 2018-07-25 17:26:58.405624704 +0200
+@@ -17,10 +17,19 @@
+ #include <openssl/engine.h>
+ #include "internal/evp_int.h"
+ #include "evp_locl.h"
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
+
+ int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *c)
+ {
+- if (c == NULL)
++#ifdef OPENSSL_FIPS
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_EVP_CIPHER_CTX_RESET, FIPS_R_FIPS_SELFTEST_FAILED);
++ return 0;
++ }
++#endif
++ if (c == NULL)
+ return 1;
+ if (c->cipher != NULL) {
+ if (c->cipher->cleanup && !c->cipher->cleanup(c))
+@@ -39,6 +48,12 @@ int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX
+
+ EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void)
+ {
++#ifdef OPENSSL_FIPS
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_EVP_CIPHER_CTX_NEW, FIPS_R_FIPS_SELFTEST_FAILED);
++ return NULL;
++ }
++#endif
+ return OPENSSL_zalloc(sizeof(EVP_CIPHER_CTX));
+ }
+
+@@ -67,6 +82,12 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct
+ enc = 1;
+ ctx->encrypt = enc;
+ }
++#ifdef OPENSSL_FIPS
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_EVP_CIPHERINIT_EX, FIPS_R_FIPS_SELFTEST_FAILED);
++ return 0;
++ }
++#endif
+ #ifndef OPENSSL_NO_ENGINE
+ /*
+ * Whether it's nice or not, "Inits" can be used on "Final"'d contexts so
+@@ -136,7 +157,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct
+ }
+ ctx->key_len = cipher->key_len;
+ /* Preserve wrap enable flag, zero everything else */
+- ctx->flags &= EVP_CIPHER_CTX_FLAG_WRAP_ALLOW;
++ ctx->flags &= EVP_CIPHER_CTX_FLAG_WRAP_ALLOW | EVP_CIPH_FLAG_NON_FIPS_ALLOW;
+ if (ctx->cipher->flags & EVP_CIPH_CTRL_INIT) {
+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_INIT, 0, NULL)) {
+ ctx->cipher = NULL;
+@@ -195,6 +216,18 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct
+ return 0;
+ }
+ }
++#ifdef OPENSSL_FIPS
++ /* After 'key' is set no further parameters changes are permissible.
++ * So only check for non FIPS enabling at this point.
++ */
++ if (key && FIPS_mode()) {
++ if (!(ctx->cipher->flags & EVP_CIPH_FLAG_FIPS)
++ & !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)) {
++ EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_DISABLED_FOR_FIPS);
++ return 0;
++ }
++ }
++#endif
+
+ if (key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) {
+ if (!ctx->cipher->init(ctx, key, iv, enc))
+diff -up openssl-1.1.1-pre8/crypto/evp/evp_err.c.fips openssl-1.1.1-pre8/crypto/evp/evp_err.c
+--- openssl-1.1.1-pre8/crypto/evp/evp_err.c.fips 2018-06-20 16:48:10.000000000 +0200
++++ openssl-1.1.1-pre8/crypto/evp/evp_err.c 2018-07-25 17:26:58.405624704 +0200
+@@ -20,6 +20,7 @@ static const ERR_STRING_DATA EVP_str_fun
+ {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_OCB_CIPHER, 0), "aes_ocb_cipher"},
+ {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_T4_INIT_KEY, 0), "aes_t4_init_key"},
+ {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_WRAP_CIPHER, 0), "aes_wrap_cipher"},
++ {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_XTS_CIPHER, 0), "aes_xts_cipher"},
+ {ERR_PACK(ERR_LIB_EVP, EVP_F_ALG_MODULE_INIT, 0), "alg_module_init"},
+ {ERR_PACK(ERR_LIB_EVP, EVP_F_ARIA_CCM_INIT_KEY, 0), "aria_ccm_init_key"},
+ {ERR_PACK(ERR_LIB_EVP, EVP_F_ARIA_GCM_CTRL, 0), "aria_gcm_ctrl"},
+@@ -177,6 +178,7 @@ static const ERR_STRING_DATA EVP_str_rea
+ "different key types"},
+ {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_DIFFERENT_PARAMETERS),
+ "different parameters"},
++ {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_DISABLED_FOR_FIPS), "disabled for FIPS"},
+ {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_ERROR_LOADING_SECTION),
+ "error loading section"},
+ {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_ERROR_SETTING_FIPS_MODE),
+@@ -239,6 +241,7 @@ static const ERR_STRING_DATA EVP_str_rea
+ {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PRIVATE_KEY_ENCODE_ERROR),
+ "private key encode error"},
+ {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PUBLIC_KEY_NOT_RSA), "public key not rsa"},
++ {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_TOO_LARGE), "too large"},
+ {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_CIPHER), "unknown cipher"},
+ {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_DIGEST), "unknown digest"},
+ {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_OPTION), "unknown option"},
+diff -up openssl-1.1.1-pre8/crypto/evp/evp_lib.c.fips openssl-1.1.1-pre8/crypto/evp/evp_lib.c
+--- openssl-1.1.1-pre8/crypto/evp/evp_lib.c.fips 2018-06-20 16:48:10.000000000 +0200
++++ openssl-1.1.1-pre8/crypto/evp/evp_lib.c 2018-07-25 17:26:58.405624704 +0200
+@@ -192,6 +192,9 @@ int EVP_CIPHER_impl_ctx_size(const EVP_C
+ int EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+ const unsigned char *in, unsigned int inl)
+ {
++#ifdef OPENSSL_FIPS
++ FIPS_selftest_check();
++#endif
+ return ctx->cipher->do_cipher(ctx, out, in, inl);
+ }
+
+diff -up openssl-1.1.1-pre8/crypto/evp/m_sha1.c.fips openssl-1.1.1-pre8/crypto/evp/m_sha1.c
+--- openssl-1.1.1-pre8/crypto/evp/m_sha1.c.fips 2018-06-20 16:48:11.000000000 +0200
++++ openssl-1.1.1-pre8/crypto/evp/m_sha1.c 2018-07-25 17:26:58.405624704 +0200
+@@ -95,7 +95,7 @@ static const EVP_MD sha1_md = {
+ NID_sha1,
+ NID_sha1WithRSAEncryption,
+ SHA_DIGEST_LENGTH,
+- EVP_MD_FLAG_DIGALGID_ABSENT,
++ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS,
+ init,
+ update,
+ final,
+@@ -145,7 +145,7 @@ static const EVP_MD sha224_md = {
+ NID_sha224,
+ NID_sha224WithRSAEncryption,
+ SHA224_DIGEST_LENGTH,
+- EVP_MD_FLAG_DIGALGID_ABSENT,
++ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS,
+ init224,
+ update224,
+ final224,
+@@ -164,7 +164,7 @@ static const EVP_MD sha256_md = {
+ NID_sha256,
+ NID_sha256WithRSAEncryption,
+ SHA256_DIGEST_LENGTH,
+- EVP_MD_FLAG_DIGALGID_ABSENT,
++ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS,
+ init256,
+ update256,
+ final256,
+@@ -224,7 +224,7 @@ static const EVP_MD sha512_224_md = {
+ NID_sha512_224,
+ NID_sha512_224WithRSAEncryption,
+ SHA224_DIGEST_LENGTH,
+- EVP_MD_FLAG_DIGALGID_ABSENT,
++ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS,
+ init512_224,
+ update512,
+ final512,
+@@ -243,7 +243,7 @@ static const EVP_MD sha512_256_md = {
+ NID_sha512_256,
+ NID_sha512_256WithRSAEncryption,
+ SHA256_DIGEST_LENGTH,
+- EVP_MD_FLAG_DIGALGID_ABSENT,
++ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS,
+ init512_256,
+ update512,
+ final512,
+@@ -262,7 +262,7 @@ static const EVP_MD sha384_md = {
+ NID_sha384,
+ NID_sha384WithRSAEncryption,
+ SHA384_DIGEST_LENGTH,
+- EVP_MD_FLAG_DIGALGID_ABSENT,
++ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS,
+ init384,
+ update384,
+ final384,
+@@ -281,7 +281,7 @@ static const EVP_MD sha512_md = {
+ NID_sha512,
+ NID_sha512WithRSAEncryption,
+ SHA512_DIGEST_LENGTH,
+- EVP_MD_FLAG_DIGALGID_ABSENT,
++ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS,
+ init512,
+ update512,
+ final512,
+diff -up openssl-1.1.1-pre8/crypto/fips/build.info.fips openssl-1.1.1-pre8/crypto/fips/build.info
+--- openssl-1.1.1-pre8/crypto/fips/build.info.fips 2018-07-25 17:26:58.405624704 +0200
++++ openssl-1.1.1-pre8/crypto/fips/build.info 2018-07-25 17:26:58.405624704 +0200
+@@ -0,0 +1,15 @@
++LIBS=../../libcrypto
++SOURCE[../../libcrypto]=\
++ fips_aes_selftest.c fips_des_selftest.c fips_hmac_selftest.c \
++ fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c \
++ fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \
++ fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \
++ fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c \
++ fips_enc.c fips_md.c fips_dh_selftest.c fips_ers.c
++
++PROGRAMS_NO_INST=\
++ fips_standalone_hmac
++
++SOURCE[fips_standalone_hmac]=fips_standalone_hmac.c
++INCLUDE[fips_standalone_hmac]=../../include
++DEPEND[fips_standalone_hmac]=../../libcrypto
+diff -up openssl-1.1.1-pre8/crypto/fips/fips_aes_selftest.c.fips openssl-1.1.1-pre8/crypto/fips/fips_aes_selftest.c
+--- openssl-1.1.1-pre8/crypto/fips/fips_aes_selftest.c.fips 2018-07-25 17:26:58.406624728 +0200
++++ openssl-1.1.1-pre8/crypto/fips/fips_aes_selftest.c 2018-07-25 17:26:58.405624704 +0200
+@@ -0,0 +1,372 @@
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <string.h>
++#include <openssl/err.h>
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++# include "internal/fips_int.h"
++#endif
++
++#ifdef OPENSSL_FIPS
++static const struct {
++ const unsigned char key[16];
++ const unsigned char plaintext[16];
++ const unsigned char ciphertext[16];
++} tests[] = {
++ {
++ {
++ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
++ 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F}, {
++ 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
++ 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF}, {
++0x69, 0xC4, 0xE0, 0xD8, 0x6A, 0x7B, 0x04, 0x30,
++ 0xD8, 0xCD, 0xB7, 0x80, 0x70, 0xB4, 0xC5, 0x5A},},};
++
++int FIPS_selftest_aes()
++{
++ int n;
++ int ret = 0;
++ EVP_CIPHER_CTX *ctx;
++
++ ctx = EVP_CIPHER_CTX_new();
++ if (ctx == NULL)
++ goto err;
++
++ for (n = 0; n < 1; ++n) {
++ unsigned char key[16];
++
++ memcpy(key, tests[n].key, sizeof(key));
++ if (fips_cipher_test(ctx, EVP_aes_128_ecb(),
++ key, NULL,
++ tests[n].plaintext,
++ tests[n].ciphertext, 16) <= 0)
++ goto err;
++ }
++ ret = 1;
++ err:
++ EVP_CIPHER_CTX_free(ctx);
++ if (ret == 0)
++ FIPSerr(FIPS_F_FIPS_SELFTEST_AES, FIPS_R_SELFTEST_FAILED);
++ return ret;
++}
++
++/* AES-CCM test data from NIST public test vectors */
++
++static const unsigned char ccm_key[] = {
++ 0xce, 0xb0, 0x09, 0xae, 0xa4, 0x45, 0x44, 0x51, 0xfe, 0xad, 0xf0, 0xe6,
++ 0xb3, 0x6f, 0x45, 0x55, 0x5d, 0xd0, 0x47, 0x23, 0xba, 0xa4, 0x48, 0xe8
++};
++
++static const unsigned char ccm_nonce[] = {
++ 0x76, 0x40, 0x43, 0xc4, 0x94, 0x60, 0xb7
++};
++
++static const unsigned char ccm_adata[] = {
++ 0x6e, 0x80, 0xdd, 0x7f, 0x1b, 0xad, 0xf3, 0xa1, 0xc9, 0xab, 0x25, 0xc7,
++ 0x5f, 0x10, 0xbd, 0xe7, 0x8c, 0x23, 0xfa, 0x0e, 0xb8, 0xf9, 0xaa, 0xa5,
++ 0x3a, 0xde, 0xfb, 0xf4, 0xcb, 0xf7, 0x8f, 0xe4
++};
++
++static const unsigned char ccm_pt[] = {
++ 0xc8, 0xd2, 0x75, 0xf9, 0x19, 0xe1, 0x7d, 0x7f, 0xe6, 0x9c, 0x2a, 0x1f,
++ 0x58, 0x93, 0x9d, 0xfe, 0x4d, 0x40, 0x37, 0x91, 0xb5, 0xdf, 0x13, 0x10
++};
++
++static const unsigned char ccm_ct[] = {
++ 0x8a, 0x0f, 0x3d, 0x82, 0x29, 0xe4, 0x8e, 0x74, 0x87, 0xfd, 0x95, 0xa2,
++ 0x8a, 0xd3, 0x92, 0xc8, 0x0b, 0x36, 0x81, 0xd4, 0xfb, 0xc7, 0xbb, 0xfd
++};
++
++static const unsigned char ccm_tag[] = {
++ 0x2d, 0xd6, 0xef, 0x1c, 0x45, 0xd4, 0xcc, 0xb7, 0x23, 0xdc, 0x07, 0x44,
++ 0x14, 0xdb, 0x50, 0x6d
++};
++
++int FIPS_selftest_aes_ccm(void)
++{
++ int ret = 0;
++ unsigned char out[128], tag[16];
++ EVP_CIPHER_CTX *ctx;
++
++ ctx = EVP_CIPHER_CTX_new();
++ if (ctx == NULL)
++ goto err;
++
++ memset(out, 0, sizeof(out));
++ if (!EVP_CipherInit_ex(ctx, EVP_aes_192_ccm(), NULL, NULL, NULL, 1))
++ goto err;
++ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_IVLEN,
++ sizeof(ccm_nonce), NULL))
++ goto err;
++ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG,
++ sizeof(ccm_tag), NULL))
++ goto err;
++ if (!EVP_CipherInit_ex(ctx, NULL, NULL, ccm_key, ccm_nonce, 1))
++ goto err;
++ if (EVP_Cipher(ctx, NULL, NULL, sizeof(ccm_pt)) != sizeof(ccm_pt))
++ goto err;
++ if (EVP_Cipher(ctx, NULL, ccm_adata, sizeof(ccm_adata)) < 0)
++ goto err;
++ if (EVP_Cipher(ctx, out, ccm_pt, sizeof(ccm_pt)) != sizeof(ccm_ct))
++ goto err;
++
++ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_GET_TAG, 16, tag))
++ goto err;
++ if (memcmp(tag, ccm_tag, sizeof(ccm_tag))
++ || memcmp(out, ccm_ct, sizeof(ccm_ct)))
++ goto err;
++
++ memset(out, 0, sizeof(out));
++
++ if (!EVP_CipherInit_ex(ctx, EVP_aes_192_ccm(), NULL, NULL, NULL, 0))
++ goto err;
++ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_IVLEN,
++ sizeof(ccm_nonce), NULL))
++ goto err;
++ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG, 16, tag))
++ goto err;
++ if (!EVP_CipherInit_ex(ctx, NULL, NULL, ccm_key, ccm_nonce, 0))
++ goto err;
++ if (EVP_Cipher(ctx, NULL, NULL, sizeof(ccm_ct)) != sizeof(ccm_ct))
++ goto err;
++ if (EVP_Cipher(ctx, NULL, ccm_adata, sizeof(ccm_adata)) < 0)
++ goto err;
++ if (EVP_Cipher(ctx, out, ccm_ct, sizeof(ccm_ct)) != sizeof(ccm_pt))
++ goto err;
++
++ if (memcmp(out, ccm_pt, sizeof(ccm_pt)))
++ goto err;
++
++ ret = 1;
++
++ err:
++ EVP_CIPHER_CTX_free(ctx);
++
++ if (ret == 0) {
++ FIPSerr(FIPS_F_FIPS_SELFTEST_AES_CCM, FIPS_R_SELFTEST_FAILED);
++ return 0;
++ } else
++ return ret;
++
++}
++
++/* AES-GCM test data from NIST public test vectors */
++
++static const unsigned char gcm_key[] = {
++ 0xee, 0xbc, 0x1f, 0x57, 0x48, 0x7f, 0x51, 0x92, 0x1c, 0x04, 0x65, 0x66,
++ 0x5f, 0x8a, 0xe6, 0xd1, 0x65, 0x8b, 0xb2, 0x6d, 0xe6, 0xf8, 0xa0, 0x69,
++ 0xa3, 0x52, 0x02, 0x93, 0xa5, 0x72, 0x07, 0x8f
++};
++
++static const unsigned char gcm_iv[] = {
++ 0x99, 0xaa, 0x3e, 0x68, 0xed, 0x81, 0x73, 0xa0, 0xee, 0xd0, 0x66, 0x84
++};
++
++static const unsigned char gcm_pt[] = {
++ 0xf5, 0x6e, 0x87, 0x05, 0x5b, 0xc3, 0x2d, 0x0e, 0xeb, 0x31, 0xb2, 0xea,
++ 0xcc, 0x2b, 0xf2, 0xa5
++};
++
++static const unsigned char gcm_aad[] = {
++ 0x4d, 0x23, 0xc3, 0xce, 0xc3, 0x34, 0xb4, 0x9b, 0xdb, 0x37, 0x0c, 0x43,
++ 0x7f, 0xec, 0x78, 0xde
++};
++
++static const unsigned char gcm_ct[] = {
++ 0xf7, 0x26, 0x44, 0x13, 0xa8, 0x4c, 0x0e, 0x7c, 0xd5, 0x36, 0x86, 0x7e,
++ 0xb9, 0xf2, 0x17, 0x36
++};
++
++static const unsigned char gcm_tag[] = {
++ 0x67, 0xba, 0x05, 0x10, 0x26, 0x2a, 0xe4, 0x87, 0xd7, 0x37, 0xee, 0x62,
++ 0x98, 0xf7, 0x7e, 0x0c
++};
++
++int FIPS_selftest_aes_gcm(void)
++{
++ int ret = 0;
++ unsigned char out[128], tag[16];
++ EVP_CIPHER_CTX *ctx;
++
++ ctx = EVP_CIPHER_CTX_new();
++ if (ctx == NULL)
++ goto err;
++
++ memset(out, 0, sizeof(out));
++ memset(tag, 0, sizeof(tag));
++ if (!EVP_CipherInit_ex(ctx, EVP_aes_256_gcm(), NULL, NULL, NULL, 1))
++ goto err;
++ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN,
++ sizeof(gcm_iv), NULL))
++ goto err;
++ if (!EVP_CipherInit_ex(ctx, NULL, NULL, gcm_key, gcm_iv, 1))
++ goto err;
++ if (EVP_Cipher(ctx, NULL, gcm_aad, sizeof(gcm_aad)) < 0)
++ goto err;
++ if (EVP_Cipher(ctx, out, gcm_pt, sizeof(gcm_pt)) != sizeof(gcm_ct))
++ goto err;
++ if (EVP_Cipher(ctx, NULL, NULL, 0) < 0)
++ goto err;
++
++ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, 16, tag))
++ goto err;
++
++ if (memcmp(tag, gcm_tag, 16) || memcmp(out, gcm_ct, 16))
++ goto err;
++
++ memset(out, 0, sizeof(out));
++
++ if (!EVP_CipherInit_ex(ctx, EVP_aes_256_gcm(), NULL, NULL, NULL, 0))
++ goto err;
++ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN,
++ sizeof(gcm_iv), NULL))
++ goto err;
++ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, 16, tag))
++ goto err;
++ if (!EVP_CipherInit_ex(ctx, NULL, NULL, gcm_key, gcm_iv, 0))
++ goto err;
++ if (EVP_Cipher(ctx, NULL, gcm_aad, sizeof(gcm_aad)) < 0)
++ goto err;
++ if (EVP_Cipher(ctx, out, gcm_ct, sizeof(gcm_ct)) != sizeof(gcm_pt))
++ goto err;
++ if (EVP_Cipher(ctx, NULL, NULL, 0) < 0)
++ goto err;
++
++ if (memcmp(out, gcm_pt, 16))
++ goto err;
++
++ ret = 1;
++
++ err:
++ EVP_CIPHER_CTX_free(ctx);
++
++ if (ret == 0) {
++ FIPSerr(FIPS_F_FIPS_SELFTEST_AES_GCM, FIPS_R_SELFTEST_FAILED);
++ return 0;
++ } else
++ return ret;
++
++}
++
++static const unsigned char XTS_128_key[] = {
++ 0xa1, 0xb9, 0x0c, 0xba, 0x3f, 0x06, 0xac, 0x35, 0x3b, 0x2c, 0x34, 0x38,
++ 0x76, 0x08, 0x17, 0x62, 0x09, 0x09, 0x23, 0x02, 0x6e, 0x91, 0x77, 0x18,
++ 0x15, 0xf2, 0x9d, 0xab, 0x01, 0x93, 0x2f, 0x2f
++};
++
++static const unsigned char XTS_128_i[] = {
++ 0x4f, 0xae, 0xf7, 0x11, 0x7c, 0xda, 0x59, 0xc6, 0x6e, 0x4b, 0x92, 0x01,
++ 0x3e, 0x76, 0x8a, 0xd5
++};
++
++static const unsigned char XTS_128_pt[] = {
++ 0xeb, 0xab, 0xce, 0x95, 0xb1, 0x4d, 0x3c, 0x8d, 0x6f, 0xb3, 0x50, 0x39,
++ 0x07, 0x90, 0x31, 0x1c
++};
++
++static const unsigned char XTS_128_ct[] = {
++ 0x77, 0x8a, 0xe8, 0xb4, 0x3c, 0xb9, 0x8d, 0x5a, 0x82, 0x50, 0x81, 0xd5,
++ 0xbe, 0x47, 0x1c, 0x63
++};
++
++static const unsigned char XTS_256_key[] = {
++ 0x1e, 0xa6, 0x61, 0xc5, 0x8d, 0x94, 0x3a, 0x0e, 0x48, 0x01, 0xe4, 0x2f,
++ 0x4b, 0x09, 0x47, 0x14, 0x9e, 0x7f, 0x9f, 0x8e, 0x3e, 0x68, 0xd0, 0xc7,
++ 0x50, 0x52, 0x10, 0xbd, 0x31, 0x1a, 0x0e, 0x7c, 0xd6, 0xe1, 0x3f, 0xfd,
++ 0xf2, 0x41, 0x8d, 0x8d, 0x19, 0x11, 0xc0, 0x04, 0xcd, 0xa5, 0x8d, 0xa3,
++ 0xd6, 0x19, 0xb7, 0xe2, 0xb9, 0x14, 0x1e, 0x58, 0x31, 0x8e, 0xea, 0x39,
++ 0x2c, 0xf4, 0x1b, 0x08
++};
++
++static const unsigned char XTS_256_i[] = {
++ 0xad, 0xf8, 0xd9, 0x26, 0x27, 0x46, 0x4a, 0xd2, 0xf0, 0x42, 0x8e, 0x84,
++ 0xa9, 0xf8, 0x75, 0x64
++};
++
++static const unsigned char XTS_256_pt[] = {
++ 0x2e, 0xed, 0xea, 0x52, 0xcd, 0x82, 0x15, 0xe1, 0xac, 0xc6, 0x47, 0xe8,
++ 0x10, 0xbb, 0xc3, 0x64, 0x2e, 0x87, 0x28, 0x7f, 0x8d, 0x2e, 0x57, 0xe3,
++ 0x6c, 0x0a, 0x24, 0xfb, 0xc1, 0x2a, 0x20, 0x2e
++};
++
++static const unsigned char XTS_256_ct[] = {
++ 0xcb, 0xaa, 0xd0, 0xe2, 0xf6, 0xce, 0xa3, 0xf5, 0x0b, 0x37, 0xf9, 0x34,
++ 0xd4, 0x6a, 0x9b, 0x13, 0x0b, 0x9d, 0x54, 0xf0, 0x7e, 0x34, 0xf3, 0x6a,
++ 0xf7, 0x93, 0xe8, 0x6f, 0x73, 0xc6, 0xd7, 0xdb
++};
++
++int FIPS_selftest_aes_xts()
++{
++ int ret = 1;
++ EVP_CIPHER_CTX *ctx;
++
++ ctx = EVP_CIPHER_CTX_new();
++ if (ctx == NULL)
++ goto err;
++
++ if (fips_cipher_test(ctx, EVP_aes_128_xts(),
++ XTS_128_key, XTS_128_i, XTS_128_pt, XTS_128_ct,
++ sizeof(XTS_128_pt)) <= 0)
++ ret = 0;
++
++ if (fips_cipher_test(ctx, EVP_aes_256_xts(),
++ XTS_256_key, XTS_256_i, XTS_256_pt, XTS_256_ct,
++ sizeof(XTS_256_pt)) <= 0)
++ ret = 0;
++
++ EVP_CIPHER_CTX_free(ctx);
++
++ err:
++ if (ret == 0)
++ FIPSerr(FIPS_F_FIPS_SELFTEST_AES_XTS, FIPS_R_SELFTEST_FAILED);
++ return ret;
++}
++
++#endif
+diff -up openssl-1.1.1-pre8/crypto/fips/fips.c.fips openssl-1.1.1-pre8/crypto/fips/fips.c
+--- openssl-1.1.1-pre8/crypto/fips/fips.c.fips 2018-07-25 17:26:58.406624728 +0200
++++ openssl-1.1.1-pre8/crypto/fips/fips.c 2018-07-25 17:26:58.406624728 +0200
+@@ -0,0 +1,526 @@
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#define _GNU_SOURCE
++
++#include <openssl/rand.h>
++#include <openssl/fips_rand.h>
++#include <openssl/err.h>
++#include <openssl/bio.h>
++#include <openssl/hmac.h>
++#include <openssl/rsa.h>
++#include <string.h>
++#include <limits.h>
++#include <dlfcn.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <unistd.h>
++#include <errno.h>
++#include "fips_locl.h"
++
++#ifdef OPENSSL_FIPS
++
++# include <openssl/fips.h>
++# include "internal/thread_once.h"
++
++# ifndef PATH_MAX
++# define PATH_MAX 1024
++# endif
++
++static int fips_selftest_fail = 0;
++static int fips_mode = 0;
++static int fips_started = 0;
++
++static int fips_is_owning_thread(void);
++static int fips_set_owning_thread(void);
++static int fips_clear_owning_thread(void);
++
++static CRYPTO_RWLOCK *fips_lock = NULL;
++static CRYPTO_RWLOCK *fips_owning_lock = NULL;
++static CRYPTO_ONCE fips_lock_init = CRYPTO_ONCE_STATIC_INIT;
++
++DEFINE_RUN_ONCE_STATIC(do_fips_lock_init)
++{
++ fips_lock = CRYPTO_THREAD_lock_new();
++ fips_owning_lock = CRYPTO_THREAD_lock_new();
++ return fips_lock != NULL && fips_owning_lock != NULL;
++}
++
++# define fips_w_lock() CRYPTO_THREAD_write_lock(fips_lock)
++# define fips_w_unlock() CRYPTO_THREAD_unlock(fips_lock)
++# define fips_r_lock() CRYPTO_THREAD_read_lock(fips_lock)
++# define fips_r_unlock() CRYPTO_THREAD_unlock(fips_lock)
++
++static void fips_set_mode(int onoff)
++{
++ int owning_thread = fips_is_owning_thread();
++
++ if (fips_started) {
++ if (!owning_thread)
++ fips_w_lock();
++ fips_mode = onoff;
++ if (!owning_thread)
++ fips_w_unlock();
++ }
++}
++
++int FIPS_module_mode(void)
++{
++ int ret = 0;
++ int owning_thread = fips_is_owning_thread();
++
++ if (fips_started) {
++ if (!owning_thread)
++ fips_r_lock();
++ ret = fips_mode;
++ if (!owning_thread)
++ fips_r_unlock();
++ }
++ return ret;
++}
++
++/* just a compat symbol - return NULL */
++int FIPS_selftest_failed(void)
++{
++ int ret = 0;
++ if (fips_started) {
++ int owning_thread = fips_is_owning_thread();
++
++ if (!owning_thread)
++ fips_r_lock();
++ ret = fips_selftest_fail;
++ if (!owning_thread)
++ fips_r_unlock();
++ }
++ return ret;
++}
++
++/* Selftest failure fatal exit routine. This will be called
++ * during *any* cryptographic operation. It has the minimum
++ * overhead possible to avoid too big a performance hit.
++ */
++
++void FIPS_selftest_check(void)
++{
++ if (fips_selftest_fail) {
++ OpenSSLDie(__FILE__, __LINE__, "FATAL FIPS SELFTEST FAILURE");
++ }
++}
++
++void fips_set_selftest_fail(void)
++{
++ fips_selftest_fail = 1;
++}
++
++/* we implement what libfipscheck does ourselves */
++
++static int
++get_library_path(const char *libname, const char *symbolname, char *path,
++ size_t pathlen)
++{
++ Dl_info info;
++ void *dl, *sym;
++ int rv = -1;
++
++ dl = dlopen(libname, RTLD_LAZY);
++ if (dl == NULL) {
++ return -1;
++ }
++
++ sym = dlsym(dl, symbolname);
++
++ if (sym != NULL && dladdr(sym, &info)) {
++ strncpy(path, info.dli_fname, pathlen - 1);
++ path[pathlen - 1] = '\0';
++ rv = 0;
++ }
++
++ dlclose(dl);
++
++ return rv;
++}
++
++static const char conv[] = "0123456789abcdef";
++
++static char *bin2hex(void *buf, size_t len)
++{
++ char *hex, *p;
++ unsigned char *src = buf;
++
++ hex = malloc(len * 2 + 1);
++ if (hex == NULL)
++ return NULL;
++
++ p = hex;
++
++ while (len > 0) {
++ unsigned c;
++
++ c = *src;
++ src++;
++
++ *p = conv[c >> 4];
++ ++p;
++ *p = conv[c & 0x0f];
++ ++p;
++ --len;
++ }
++ *p = '\0';
++ return hex;
++}
++
++# define HMAC_PREFIX "."
++# ifndef HMAC_SUFFIX
++# define HMAC_SUFFIX ".hmac"
++# endif
++# define READ_BUFFER_LENGTH 16384
++
++static char *make_hmac_path(const char *origpath)
++{
++ char *path, *p;
++ const char *fn;
++
++ path =
++ malloc(sizeof(HMAC_PREFIX) + sizeof(HMAC_SUFFIX) + strlen(origpath));
++ if (path == NULL) {
++ return NULL;
++ }
++
++ fn = strrchr(origpath, '/');
++ if (fn == NULL) {
++ fn = origpath;
++ } else {
++ ++fn;
++ }
++
++ strncpy(path, origpath, fn - origpath);
++ p = path + (fn - origpath);
++ p = stpcpy(p, HMAC_PREFIX);
++ p = stpcpy(p, fn);
++ p = stpcpy(p, HMAC_SUFFIX);
++
++ return path;
++}
++
++static const char hmackey[] = "orboDeJITITejsirpADONivirpUkvarP";
++
++static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
++{
++ FILE *f = NULL;
++ int rv = -1;
++ unsigned char rbuf[READ_BUFFER_LENGTH];
++ size_t len;
++ unsigned int hlen;
++ HMAC_CTX *c;
++
++ c = HMAC_CTX_new();
++ if (c == NULL)
++ return rv;
++
++ f = fopen(path, "r");
++
++ if (f == NULL) {
++ goto end;
++ }
++
++ if (HMAC_Init_ex(c, hmackey, sizeof(hmackey) - 1, EVP_sha256(), NULL) <= 0) {
++ goto end;
++ }
++
++ while ((len = fread(rbuf, 1, sizeof(rbuf), f)) != 0) {
++ if (HMAC_Update(c, rbuf, len) <= 0) {
++ goto end;
++ }
++ }
++
++ len = sizeof(rbuf);
++ /* reuse rbuf for hmac */
++ if (HMAC_Final(c, rbuf, &hlen) <= 0) {
++ goto end;
++ }
++
++ *buf = malloc(hlen);
++ if (*buf == NULL) {
++ goto end;
++ }
++
++ *hmaclen = hlen;
++
++ memcpy(*buf, rbuf, hlen);
++
++ rv = 0;
++ end:
++ HMAC_CTX_free(c);
++
++ if (f)
++ fclose(f);
++
++ return rv;
++}
++
++static int FIPSCHECK_verify(const char *path)
++{
++ int rv = 0;
++ FILE *hf;
++ char *hmacpath, *p;
++ char *hmac = NULL;
++ size_t n;
++
++ hmacpath = make_hmac_path(path);
++ if (hmacpath == NULL)
++ return 0;
++
++ hf = fopen(hmacpath, "r");
++ if (hf == NULL) {
++ free(hmacpath);
++ return 0;
++ }
++
++ if (getline(&hmac, &n, hf) > 0) {
++ void *buf;
++ size_t hmaclen;
++ char *hex;
++
++ if ((p = strchr(hmac, '\n')) != NULL)
++ *p = '\0';
++
++ if (compute_file_hmac(path, &buf, &hmaclen) < 0) {
++ rv = -4;
++ goto end;
++ }
++
++ if ((hex = bin2hex(buf, hmaclen)) == NULL) {
++ free(buf);
++ rv = -5;
++ goto end;
++ }
++
++ if (strcmp(hex, hmac) != 0) {
++ rv = -1;
++ }
++ free(buf);
++ free(hex);
++ } else {
++ rv = -1;
++ }
++
++ end:
++ free(hmac);
++ free(hmacpath);
++ fclose(hf);
++
++ if (rv < 0)
++ return 0;
++
++ /* check successful */
++ return 1;
++}
++
++static int verify_checksums(void)
++{
++ int rv;
++ char path[PATH_MAX + 1];
++ char *p;
++
++ /* we need to avoid dlopening libssl, assume both libcrypto and libssl
++ are in the same directory */
++
++ rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER,
++ "FIPS_mode_set", path, sizeof(path));
++ if (rv < 0)
++ return 0;
++
++ rv = FIPSCHECK_verify(path);
++ if (!rv)
++ return 0;
++
++ /* replace libcrypto with libssl */
++ while ((p = strstr(path, "libcrypto.so")) != NULL) {
++ p = stpcpy(p, "libssl");
++ memmove(p, p + 3, strlen(p + 2));
++ }
++
++ rv = FIPSCHECK_verify(path);
++ if (!rv)
++ return 0;
++ return 1;
++}
++
++# ifndef FIPS_MODULE_PATH
++# define FIPS_MODULE_PATH "/etc/system-fips"
++# endif
++
++int FIPS_module_installed(void)
++{
++ int rv;
++ rv = access(FIPS_MODULE_PATH, F_OK);
++ if (rv < 0 && errno != ENOENT)
++ rv = 0;
++
++ /* Installed == true */
++ return !rv;
++}
++
++int FIPS_module_mode_set(int onoff)
++{
++ int ret = 0;
++
++ if (!RUN_ONCE(&fips_lock_init, do_fips_lock_init))
++ return NULL;
++
++ fips_w_lock();
++ fips_started = 1;
++ fips_set_owning_thread();
++
++ if (onoff) {
++
++ fips_selftest_fail = 0;
++
++ /* Don't go into FIPS mode twice, just so we can do automagic
++ seeding */
++ if (FIPS_module_mode()) {
++ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
++ FIPS_R_FIPS_MODE_ALREADY_SET);
++ fips_selftest_fail = 1;
++ ret = 0;
++ goto end;
++ }
++# ifdef OPENSSL_IA32_SSE2
++ {
++ extern unsigned int OPENSSL_ia32cap_P[2];
++ if ((OPENSSL_ia32cap_P[0] & (1 << 25 | 1 << 26)) !=
++ (1 << 25 | 1 << 26)) {
++ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
++ FIPS_R_UNSUPPORTED_PLATFORM);
++ fips_selftest_fail = 1;
++ ret = 0;
++ goto end;
++ }
++ }
++# endif
++
++ if (!FIPS_selftest()) {
++ fips_selftest_fail = 1;
++ ret = 0;
++ goto end;
++ }
++
++ if (!verify_checksums()) {
++ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
++ FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
++ fips_selftest_fail = 1;
++ ret = 0;
++ goto end;
++ }
++
++ fips_set_mode(onoff);
++ ret = 1;
++ goto end;
++ }
++ fips_set_mode(0);
++ fips_selftest_fail = 0;
++ ret = 1;
++ end:
++ fips_clear_owning_thread();
++ fips_w_unlock();
++ return ret;
++}
++
++static CRYPTO_THREAD_ID fips_threadid;
++static int fips_thread_set = 0;
++
++static int fips_is_owning_thread(void)
++{
++ int ret = 0;
++
++ if (fips_started) {
++ CRYPTO_THREAD_read_lock(fips_owning_lock);
++ if (fips_thread_set) {
++ CRYPTO_THREAD_ID cur = CRYPTO_THREAD_get_current_id();
++ if (CRYPTO_THREAD_compare_id(fips_threadid, cur))
++ ret = 1;
++ }
++ CRYPTO_THREAD_unlock(fips_owning_lock);
++ }
++ return ret;
++}
++
++int fips_set_owning_thread(void)
++{
++ int ret = 0;
++
++ if (fips_started) {
++ CRYPTO_THREAD_write_lock(fips_owning_lock);
++ if (!fips_thread_set) {
++ fips_threadid = CRYPTO_THREAD_get_current_id();
++ ret = 1;
++ fips_thread_set = 1;
++ }
++ CRYPTO_THREAD_unlock(fips_owning_lock);
++ }
++ return ret;
++}
++
++int fips_clear_owning_thread(void)
++{
++ int ret = 0;
++
++ if (fips_started) {
++ CRYPTO_THREAD_write_lock(fips_owning_lock);
++ if (fips_thread_set) {
++ CRYPTO_THREAD_ID cur = CRYPTO_THREAD_get_current_id();
++ if (CRYPTO_THREAD_compare_id(fips_threadid, cur))
++ fips_thread_set = 0;
++ }
++ CRYPTO_THREAD_unlock(fips_owning_lock);
++ }
++ return ret;
++}
++
++#endif
+diff -up openssl-1.1.1-pre8/crypto/fips/fips_cmac_selftest.c.fips openssl-1.1.1-pre8/crypto/fips/fips_cmac_selftest.c
+--- openssl-1.1.1-pre8/crypto/fips/fips_cmac_selftest.c.fips 2018-07-25 17:26:58.406624728 +0200
++++ openssl-1.1.1-pre8/crypto/fips/fips_cmac_selftest.c 2018-07-25 17:26:58.406624728 +0200
+@@ -0,0 +1,156 @@
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <string.h>
++#include <openssl/err.h>
++#include <openssl/fips.h>
++#include "internal/fips_int.h"
++#include <openssl/cmac.h>
++#include "fips_locl.h"
++
++#ifdef OPENSSL_FIPS
++typedef struct {
++ int nid;
++ const unsigned char key[EVP_MAX_KEY_LENGTH];
++ size_t keysize;
++ const unsigned char msg[64];
++ size_t msgsize;
++ const unsigned char mac[32];
++ size_t macsize;
++} CMAC_KAT;
++
++/* from http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf */
++static const CMAC_KAT vector[] = {
++ {NID_aes_128_cbc, /* Count = 32 from CMACGenAES128.txt */
++ {0x77, 0xa7, 0x7f, 0xaf, 0x29, 0x0c, 0x1f, 0xa3,
++ 0x0c, 0x68, 0x3d, 0xf1, 0x6b, 0xa7, 0xa7, 0x7b,}, 128,
++ {0x02, 0x06, 0x83, 0xe1, 0xf0, 0x39, 0x2f, 0x4c,
++ 0xac, 0x54, 0x31, 0x8b, 0x60, 0x29, 0x25, 0x9e,
++ 0x9c, 0x55, 0x3d, 0xbc, 0x4b, 0x6a, 0xd9, 0x98,
++ 0xe6, 0x4d, 0x58, 0xe4, 0xe7, 0xdc, 0x2e, 0x13,}, 256,
++ {0xfb, 0xfe, 0xa4, 0x1b,}, 32},
++ {NID_aes_192_cbc, /* Count = 23 from CMACGenAES192.txt */
++ {0x7b, 0x32, 0x39, 0x13, 0x69, 0xaa, 0x4c, 0xa9,
++ 0x75, 0x58, 0x09, 0x5b, 0xe3, 0xc3, 0xec, 0x86,
++ 0x2b, 0xd0, 0x57, 0xce, 0xf1, 0xe3, 0x2d, 0x62,}, 192,
++ {0x0}, 0,
++ {0xe4, 0xd9, 0x34, 0x0b, 0x03, 0xe6, 0x7d, 0xef,
++ 0xd4, 0x96, 0x9c, 0xc1, 0xed, 0x37, 0x35, 0xe6,}, 128,
++ },
++ {NID_aes_256_cbc, /* Count = 33 from CMACGenAES256.txt */
++ {0x0b, 0x12, 0x2a, 0xc8, 0xf3, 0x4e, 0xd1, 0xfe,
++ 0x08, 0x2a, 0x36, 0x25, 0xd1, 0x57, 0x56, 0x14,
++ 0x54, 0x16, 0x7a, 0xc1, 0x45, 0xa1, 0x0b, 0xbf,
++ 0x77, 0xc6, 0xa7, 0x05, 0x96, 0xd5, 0x74, 0xf1,}, 256,
++ {0x49, 0x8b, 0x53, 0xfd, 0xec, 0x87, 0xed, 0xcb,
++ 0xf0, 0x70, 0x97, 0xdc, 0xcd, 0xe9, 0x3a, 0x08,
++ 0x4b, 0xad, 0x75, 0x01, 0xa2, 0x24, 0xe3, 0x88,
++ 0xdf, 0x34, 0x9c, 0xe1, 0x89, 0x59, 0xfe, 0x84,
++ 0x85, 0xf8, 0xad, 0x15, 0x37, 0xf0, 0xd8, 0x96,
++ 0xea, 0x73, 0xbe, 0xdc, 0x72, 0x14, 0x71, 0x3f,}, 384,
++ {0xf6, 0x2c, 0x46, 0x32, 0x9b,}, 40,
++ },
++ {NID_des_ede3_cbc, /* Count = 41 from CMACGenTDES3.req */
++ {0x89, 0xbc, 0xd9, 0x52, 0xa8, 0xc8, 0xab, 0x37,
++ 0x1a, 0xf4, 0x8a, 0xc7, 0xd0, 0x70, 0x85, 0xd5,
++ 0xef, 0xf7, 0x02, 0xe6, 0xd6, 0x2c, 0xdc, 0x23,}, 192,
++ {0xfa, 0x62, 0x0c, 0x1b, 0xbe, 0x97, 0x31, 0x9e,
++ 0x9a, 0x0c, 0xf0, 0x49, 0x21, 0x21, 0xf7, 0xa2,
++ 0x0e, 0xb0, 0x8a, 0x6a, 0x70, 0x9d, 0xcb, 0xd0,
++ 0x0a, 0xaf, 0x38, 0xe4, 0xf9, 0x9e, 0x75, 0x4e,}, 256,
++ {0x8f, 0x49, 0xa1, 0xb7, 0xd6, 0xaa, 0x22, 0x58,}, 64,
++ },
++};
++
++int FIPS_selftest_cmac()
++{
++ size_t n, outlen;
++ unsigned char out[32];
++ const EVP_CIPHER *cipher;
++ CMAC_CTX *ctx = CMAC_CTX_new();
++ const CMAC_KAT *t;
++ int rv = 1;
++
++ for (n = 0, t = vector; n < sizeof(vector) / sizeof(vector[0]); n++, t++) {
++ cipher = FIPS_get_cipherbynid(t->nid);
++ if (!cipher) {
++ rv = -1;
++ goto err;
++ }
++ if (!CMAC_Init(ctx, t->key, t->keysize / 8, cipher, 0)) {
++ rv = -1;
++ goto err;
++ }
++ if (!CMAC_Update(ctx, t->msg, t->msgsize / 8)) {
++ rv = -1;
++ goto err;
++ }
++
++ if (!CMAC_Final(ctx, out, &outlen)) {
++ rv = -1;
++ goto err;
++ }
++
++ if (outlen < t->macsize / 8 || memcmp(out, t->mac, t->macsize / 8)) {
++ rv = 0;
++ }
++ }
++
++ err:
++ CMAC_CTX_free(ctx);
++
++ if (rv == -1) {
++ rv = 0;
++ }
++ if (!rv)
++ FIPSerr(FIPS_F_FIPS_SELFTEST_CMAC, FIPS_R_SELFTEST_FAILED);
++
++ return rv;
++}
++#endif
+diff -up openssl-1.1.1-pre8/crypto/fips/fips_des_selftest.c.fips openssl-1.1.1-pre8/crypto/fips/fips_des_selftest.c
+--- openssl-1.1.1-pre8/crypto/fips/fips_des_selftest.c.fips 2018-07-25 17:26:58.406624728 +0200
++++ openssl-1.1.1-pre8/crypto/fips/fips_des_selftest.c 2018-07-25 17:26:58.406624728 +0200
+@@ -0,0 +1,133 @@
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <string.h>
++#include <openssl/err.h>
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++# include "internal/fips_int.h"
++#endif
++#include <openssl/opensslconf.h>
++
++#ifdef OPENSSL_FIPS
++
++static const struct {
++ const unsigned char key[16];
++ const unsigned char plaintext[8];
++ const unsigned char ciphertext[8];
++} tests2[] = {
++ {
++ {
++ 0x7c, 0x4f, 0x6e, 0xf7, 0xa2, 0x04, 0x16, 0xec,
++ 0x0b, 0x6b, 0x7c, 0x9e, 0x5e, 0x19, 0xa7, 0xc4}, {
++ 0x06, 0xa7, 0xd8, 0x79, 0xaa, 0xce, 0x69, 0xef}, {
++ 0x4c, 0x11, 0x17, 0x55, 0xbf, 0xc4, 0x4e, 0xfd}
++ }, {
++ {
++ 0x5d, 0x9e, 0x01, 0xd3, 0x25, 0xc7, 0x3e, 0x34,
++ 0x01, 0x16, 0x7c, 0x85, 0x23, 0xdf, 0xe0, 0x68}, {
++ 0x9c, 0x50, 0x09, 0x0f, 0x5e, 0x7d, 0x69, 0x7e}, {
++ 0xd2, 0x0b, 0x18, 0xdf, 0xd9, 0x0d, 0x9e, 0xff},}
++};
++
++static const struct {
++ const unsigned char key[24];
++ const unsigned char plaintext[8];
++ const unsigned char ciphertext[8];
++} tests3[] = {
++ {
++ {
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10,
++ 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0}, {
++ 0x8f, 0x8f, 0xbf, 0x9b, 0x5d, 0x48, 0xb4, 0x1c}, {
++ 0x59, 0x8c, 0xe5, 0xd3, 0x6c, 0xa2, 0xea, 0x1b},}, {
++ {
++ 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10, 0xFE,
++ 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,
++ 0xED, 0x39, 0xD9, 0x50, 0xFA, 0x74, 0xBC, 0xC4}, {
++ 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF}, {
++0x11, 0x25, 0xb0, 0x35, 0xbe, 0xa0, 0x82, 0x86},},};
++
++int FIPS_selftest_des()
++{
++ int n, ret = 0;
++ EVP_CIPHER_CTX *ctx;
++
++ ctx = EVP_CIPHER_CTX_new();
++ if (ctx == NULL)
++ goto err;
++
++ /* Encrypt/decrypt with 2-key 3DES and compare to known answers */
++ for (n = 0; n < 2; ++n) {
++ unsigned char plaintext[8];
++
++ memcpy(plaintext, tests2[n].plaintext, sizeof(plaintext));
++ if (!fips_cipher_test(ctx, EVP_des_ede_ecb(),
++ tests2[n].key, NULL,
++ plaintext, tests2[n].ciphertext, 8))
++ goto err;
++ }
++
++ /* Encrypt/decrypt with 3DES and compare to known answers */
++ for (n = 0; n < 2; ++n) {
++ if (!fips_cipher_test(ctx, EVP_des_ede3_ecb(),
++ tests3[n].key, NULL,
++ tests3[n].plaintext, tests3[n].ciphertext, 8))
++ goto err;
++ }
++ ret = 1;
++ err:
++ EVP_CIPHER_CTX_free(ctx);
++ if (ret == 0)
++ FIPSerr(FIPS_F_FIPS_SELFTEST_DES, FIPS_R_SELFTEST_FAILED);
++
++ return ret;
++}
++#endif
+diff -up openssl-1.1.1-pre8/crypto/fips/fips_dh_selftest.c.fips openssl-1.1.1-pre8/crypto/fips/fips_dh_selftest.c
+--- openssl-1.1.1-pre8/crypto/fips/fips_dh_selftest.c.fips 2018-07-25 17:26:58.406624728 +0200
++++ openssl-1.1.1-pre8/crypto/fips/fips_dh_selftest.c 2018-07-25 17:26:58.406624728 +0200
+@@ -0,0 +1,180 @@
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ * Copyright (c) 2013 Red Hat, Inc.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <string.h>
++#include <openssl/crypto.h>
++#include <openssl/dh.h>
++#include <openssl/fips.h>
++#include <openssl/err.h>
++#include <openssl/evp.h>
++#include <openssl/bn.h>
++#include "fips_locl.h"
++
++#ifdef OPENSSL_FIPS
++
++static const unsigned char dh_test_2048_p[] = {
++ 0xAE, 0xEC, 0xEE, 0x22, 0xFA, 0x3A, 0xA5, 0x22, 0xC0, 0xDE, 0x0F, 0x09,
++ 0x7E, 0x17, 0xC0, 0x05, 0xF9, 0xF1, 0xE7, 0xC6, 0x87, 0x14, 0x6D, 0x11,
++ 0xE7, 0xAE, 0xED, 0x2F, 0x72, 0x59, 0xC5, 0xA9, 0x9B, 0xB8, 0x02, 0xA5,
++ 0xF3, 0x69, 0x70, 0xD6, 0xDD, 0x90, 0xF9, 0x19, 0x79, 0xBE, 0x60, 0x8F,
++ 0x25, 0x92, 0x30, 0x1C, 0x51, 0x51, 0x38, 0x26, 0x82, 0x25, 0xE6, 0xFC,
++ 0xED, 0x65, 0x96, 0x8F, 0x57, 0xE5, 0x53, 0x8B, 0x38, 0x63, 0xC7, 0xCE,
++ 0xBC, 0x1B, 0x4D, 0x18, 0x2A, 0x5B, 0x04, 0x3F, 0x6A, 0x3C, 0x94, 0x39,
++ 0xAE, 0x36, 0xD6, 0x5E, 0x0F, 0xA2, 0xCC, 0xD0, 0xD4, 0xD5, 0xC6, 0x1E,
++ 0xF6, 0xA0, 0xF5, 0x89, 0x4E, 0xB4, 0x0B, 0xA4, 0xB3, 0x2B, 0x3D, 0xE2,
++ 0x4E, 0xE1, 0x49, 0x25, 0x99, 0x5F, 0x32, 0x16, 0x33, 0x32, 0x1B, 0x7A,
++ 0xA5, 0x5C, 0x6B, 0x34, 0x0D, 0x39, 0x99, 0xDC, 0xF0, 0x76, 0xE5, 0x5A,
++ 0xD4, 0x71, 0x00, 0xED, 0x5A, 0x73, 0xFB, 0xC8, 0x01, 0xAD, 0x99, 0xCF,
++ 0x99, 0x52, 0x7C, 0x9C, 0x64, 0xC6, 0x76, 0x40, 0x57, 0xAF, 0x59, 0xD7,
++ 0x38, 0x0B, 0x40, 0xDE, 0x33, 0x0D, 0xB8, 0x76, 0xEC, 0xA9, 0xD8, 0x73,
++ 0xF8, 0xEF, 0x26, 0x66, 0x06, 0x27, 0xDD, 0x7C, 0xA4, 0x10, 0x9C, 0xA6,
++ 0xAA, 0xF9, 0x53, 0x62, 0x73, 0x1D, 0xBA, 0x1C, 0xF1, 0x67, 0xF4, 0x35,
++ 0xED, 0x6F, 0x37, 0x92, 0xE8, 0x4F, 0x6C, 0xBA, 0x52, 0x6E, 0xA1, 0xED,
++ 0xDA, 0x9F, 0x85, 0x11, 0x82, 0x52, 0x62, 0x08, 0x44, 0xF1, 0x30, 0x03,
++ 0xC3, 0x38, 0x2C, 0x79, 0xBD, 0xD4, 0x43, 0x45, 0xEE, 0x8E, 0x50, 0xFC,
++ 0x29, 0x46, 0x9A, 0xFE, 0x54, 0x1A, 0x19, 0x8F, 0x4B, 0x84, 0x08, 0xDE,
++ 0x20, 0x62, 0x73, 0xCC, 0xDD, 0x7E, 0xF0, 0xEF, 0xA2, 0xFD, 0x86, 0x58,
++ 0x4B, 0xD8, 0x37, 0xEB
++};
++
++static const unsigned char dh_test_2048_g[] = {
++ 0x02
++};
++
++static const unsigned char dh_test_2048_pub_key[] = {
++ 0xA0, 0x39, 0x11, 0x77, 0x9A, 0xC1, 0x30, 0x1F, 0xBE, 0x48, 0xA7, 0xAA,
++ 0xA0, 0x84, 0x54, 0x64, 0xAD, 0x1B, 0x70, 0xFA, 0x13, 0x55, 0x63, 0xD2,
++ 0x1F, 0x62, 0x32, 0x93, 0x8E, 0xC9, 0x3E, 0x09, 0xA7, 0x64, 0xE4, 0x12,
++ 0x6E, 0x1B, 0xF2, 0x92, 0x3B, 0xB9, 0xCB, 0x56, 0xEA, 0x07, 0x88, 0xB5,
++ 0xA6, 0xBC, 0x16, 0x1F, 0x27, 0xFE, 0xD8, 0xAA, 0x40, 0xB2, 0xB0, 0x2D,
++ 0x37, 0x76, 0xA6, 0xA4, 0x82, 0x2C, 0x0E, 0x22, 0x64, 0x9D, 0xCB, 0xD1,
++ 0x00, 0xB7, 0x89, 0x14, 0x72, 0x4E, 0xBE, 0x48, 0x41, 0xF8, 0xB2, 0x51,
++ 0x11, 0x09, 0x4B, 0x22, 0x01, 0x23, 0x39, 0x96, 0xE0, 0x15, 0xD7, 0x9F,
++ 0x60, 0xD1, 0xB7, 0xAE, 0xFE, 0x5F, 0xDB, 0xE7, 0x03, 0x17, 0x97, 0xA6,
++ 0x16, 0x74, 0xBD, 0x53, 0x81, 0x19, 0xC5, 0x47, 0x5E, 0xCE, 0x8D, 0xED,
++ 0x45, 0x5D, 0x3C, 0x00, 0xA0, 0x0A, 0x68, 0x6A, 0xE0, 0x8E, 0x06, 0x46,
++ 0x6F, 0xD7, 0xF9, 0xDF, 0x31, 0x7E, 0x77, 0x44, 0x0D, 0x98, 0xE0, 0xCA,
++ 0x98, 0x09, 0x52, 0x04, 0x90, 0xEA, 0x6D, 0xF4, 0x30, 0x69, 0x8F, 0xB1,
++ 0x9B, 0xC1, 0x43, 0xDB, 0xD5, 0x8D, 0xC8, 0x8E, 0xB6, 0x0B, 0x05, 0xBE,
++ 0x0E, 0xC5, 0x99, 0xC8, 0x6E, 0x4E, 0xF3, 0xCB, 0xC3, 0x5E, 0x9B, 0x53,
++ 0xF7, 0x06, 0x1C, 0x4F, 0xC7, 0xB8, 0x6E, 0x30, 0x18, 0xCA, 0x9B, 0xB9,
++ 0xBC, 0x5F, 0x17, 0x72, 0x29, 0x5A, 0xE5, 0xD9, 0x96, 0xB7, 0x0B, 0xF3,
++ 0x2D, 0x8C, 0xF1, 0xE1, 0x0E, 0x0D, 0x74, 0xD5, 0x9D, 0xF0, 0x06, 0xA9,
++ 0xB4, 0x95, 0x63, 0x76, 0x46, 0x55, 0x48, 0x82, 0x39, 0x90, 0xEF, 0x56,
++ 0x75, 0x34, 0xB8, 0x34, 0xC3, 0x18, 0x6E, 0x1E, 0xAD, 0xE3, 0x48, 0x7E,
++ 0x93, 0x2C, 0x23, 0xE7, 0xF8, 0x90, 0x73, 0xB1, 0x77, 0x80, 0x67, 0xA9,
++ 0x36, 0x9E, 0xDA, 0xD2
++};
++
++static const unsigned char dh_test_2048_priv_key[] = {
++ 0x0C, 0x4B, 0x30, 0x89, 0xD1, 0xB8, 0x62, 0xCB, 0x3C, 0x43, 0x64, 0x91,
++ 0xF0, 0x91, 0x54, 0x70, 0xC5, 0x27, 0x96, 0xE3, 0xAC, 0xBE, 0xE8, 0x00,
++ 0xEC, 0x55, 0xF6, 0xCC
++};
++
++int FIPS_selftest_dh()
++{
++ DH *dh = NULL;
++ int ret = 0;
++ void *pub_key_bin = NULL;
++ int len;
++ BIGNUM *p = NULL, *g = NULL, *priv_key = NULL, *tmp_pub_key = NULL;
++ const BIGNUM *pub_key;
++
++ fips_load_key_component(p, dh_test_2048);
++ fips_load_key_component(g, dh_test_2048);
++ /* note that the private key is much shorter than normally used
++ * but still g ** priv_key > p
++ */
++ fips_load_key_component(priv_key, dh_test_2048);
++ if ((tmp_pub_key = BN_new()) == NULL)
++ goto err;
++
++ dh = DH_new();
++
++ if (dh == NULL)
++ goto err;
++
++ DH_set0_pqg(dh, p, NULL, g);
++ DH_set0_key(dh, tmp_pub_key, priv_key);
++
++ if (DH_generate_key(dh) <= 0)
++ goto err;
++
++ DH_get0_key(dh, &pub_key, NULL);
++
++ if (pub_key == NULL)
++ goto err;
++
++ len = BN_num_bytes(pub_key);
++ if ((pub_key_bin = OPENSSL_malloc(len)) == NULL)
++ goto err;
++ BN_bn2bin(pub_key, pub_key_bin);
++
++ if (len != sizeof(dh_test_2048_pub_key) ||
++ memcmp(pub_key_bin, dh_test_2048_pub_key, len) != 0)
++ goto err;
++
++ ret = 1;
++
++ err:
++ if (dh)
++ DH_free(dh);
++ else {
++ BN_free(p);
++ BN_free(g);
++ BN_free(priv_key);
++ BN_free(tmp_pub_key);
++ }
++
++ OPENSSL_free(pub_key_bin);
++ return ret;
++}
++#endif
+diff -up openssl-1.1.1-pre8/crypto/fips/fips_drbg_ctr.c.fips openssl-1.1.1-pre8/crypto/fips/fips_drbg_ctr.c
+--- openssl-1.1.1-pre8/crypto/fips/fips_drbg_ctr.c.fips 2018-07-25 17:26:58.406624728 +0200
++++ openssl-1.1.1-pre8/crypto/fips/fips_drbg_ctr.c 2018-07-25 17:26:58.406624728 +0200
+@@ -0,0 +1,415 @@
++/* fips/rand/fips_drbg_ctr.c */
++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
++ * project.
++ */
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++#include <stdlib.h>
++#include <string.h>
++#include <openssl/crypto.h>
++#include <openssl/fips.h>
++#include <openssl/fips_rand.h>
++#include "fips_rand_lcl.h"
++
++static void inc_128(DRBG_CTR_CTX * cctx)
++{
++ int i;
++ unsigned char c;
++ unsigned char *p = cctx->V + 15;
++ for (i = 0; i < 16; i++) {
++ c = *p;
++ c++;
++ *p = c;
++ if (c)
++ return;
++ p--;
++ }
++}
++
++static void ctr_XOR(DRBG_CTR_CTX * cctx, const unsigned char *in,
++ size_t inlen)
++{
++ size_t i, n;
++ /* Any zero padding will have no effect on the result as we
++ * are XORing. So just process however much input we have.
++ */
++
++ if (!in || !inlen)
++ return;
++
++ if (inlen < cctx->keylen)
++ n = inlen;
++ else
++ n = cctx->keylen;
++
++ for (i = 0; i < n; i++)
++ cctx->K[i] ^= in[i];
++ if (inlen <= cctx->keylen)
++ return;
++
++ n = inlen - cctx->keylen;
++ /* Should never happen */
++ if (n > 16)
++ n = 16;
++ for (i = 0; i < 16; i++)
++ cctx->V[i] ^= in[i + cctx->keylen];
++}
++
++/* Process a complete block using BCC algorithm of SPP 800-90 10.4.3 */
++
++static void ctr_BCC_block(DRBG_CTR_CTX * cctx, unsigned char *out,
++ const unsigned char *in)
++{
++ int i;
++ for (i = 0; i < 16; i++)
++ out[i] ^= in[i];
++ AES_encrypt(out, out, &cctx->df_ks);
++#if 0
++ fprintf(stderr, "BCC in+out\n");
++ BIO_dump_fp(stderr, in, 16);
++ BIO_dump_fp(stderr, out, 16);
++#endif
++}
++
++/* Handle several BCC operations for as much data as we need for K and X */
++static void ctr_BCC_blocks(DRBG_CTR_CTX * cctx, const unsigned char *in)
++{
++ ctr_BCC_block(cctx, cctx->KX, in);
++ ctr_BCC_block(cctx, cctx->KX + 16, in);
++ if (cctx->keylen != 16)
++ ctr_BCC_block(cctx, cctx->KX + 32, in);
++}
++
++/* Initialise BCC blocks: these have the value 0,1,2 in leftmost positions:
++ * see 10.4.2 stage 7.
++ */
++static void ctr_BCC_init(DRBG_CTR_CTX * cctx)
++{
++ memset(cctx->KX, 0, 48);
++ memset(cctx->bltmp, 0, 16);
++ ctr_BCC_block(cctx, cctx->KX, cctx->bltmp);
++ cctx->bltmp[3] = 1;
++ ctr_BCC_block(cctx, cctx->KX + 16, cctx->bltmp);
++ if (cctx->keylen != 16) {
++ cctx->bltmp[3] = 2;
++ ctr_BCC_block(cctx, cctx->KX + 32, cctx->bltmp);
++ }
++}
++
++/* Process several blocks into BCC algorithm, some possibly partial */
++static void ctr_BCC_update(DRBG_CTR_CTX * cctx,
++ const unsigned char *in, size_t inlen)
++{
++ if (!in || !inlen)
++ return;
++ /* If we have partial block handle it first */
++ if (cctx->bltmp_pos) {
++ size_t left = 16 - cctx->bltmp_pos;
++ /* If we now have a complete block process it */
++ if (inlen >= left) {
++ memcpy(cctx->bltmp + cctx->bltmp_pos, in, left);
++ ctr_BCC_blocks(cctx, cctx->bltmp);
++ cctx->bltmp_pos = 0;
++ inlen -= left;
++ in += left;
++ }
++ }
++ /* Process zero or more complete blocks */
++ while (inlen >= 16) {
++ ctr_BCC_blocks(cctx, in);
++ in += 16;
++ inlen -= 16;
++ }
++ /* Copy any remaining partial block to the temporary buffer */
++ if (inlen > 0) {
++ memcpy(cctx->bltmp + cctx->bltmp_pos, in, inlen);
++ cctx->bltmp_pos += inlen;
++ }
++}
++
++static void ctr_BCC_final(DRBG_CTR_CTX * cctx)
++{
++ if (cctx->bltmp_pos) {
++ memset(cctx->bltmp + cctx->bltmp_pos, 0, 16 - cctx->bltmp_pos);
++ ctr_BCC_blocks(cctx, cctx->bltmp);
++ }
++}
++
++static void ctr_df(DRBG_CTR_CTX * cctx,
++ const unsigned char *in1, size_t in1len,
++ const unsigned char *in2, size_t in2len,
++ const unsigned char *in3, size_t in3len)
++{
++ size_t inlen;
++ unsigned char *p = cctx->bltmp;
++ static unsigned char c80 = 0x80;
++
++ ctr_BCC_init(cctx);
++ if (!in1)
++ in1len = 0;
++ if (!in2)
++ in2len = 0;
++ if (!in3)
++ in3len = 0;
++ inlen = in1len + in2len + in3len;
++ /* Initialise L||N in temporary block */
++ *p++ = (inlen >> 24) & 0xff;
++ *p++ = (inlen >> 16) & 0xff;
++ *p++ = (inlen >> 8) & 0xff;
++ *p++ = inlen & 0xff;
++ /* NB keylen is at most 32 bytes */
++ *p++ = 0;
++ *p++ = 0;
++ *p++ = 0;
++ *p = (unsigned char)((cctx->keylen + 16) & 0xff);
++ cctx->bltmp_pos = 8;
++ ctr_BCC_update(cctx, in1, in1len);
++ ctr_BCC_update(cctx, in2, in2len);
++ ctr_BCC_update(cctx, in3, in3len);
++ ctr_BCC_update(cctx, &c80, 1);
++ ctr_BCC_final(cctx);
++ /* Set up key K */
++ AES_set_encrypt_key(cctx->KX, cctx->keylen * 8, &cctx->df_kxks);
++ /* X follows key K */
++ AES_encrypt(cctx->KX + cctx->keylen, cctx->KX, &cctx->df_kxks);
++ AES_encrypt(cctx->KX, cctx->KX + 16, &cctx->df_kxks);
++ if (cctx->keylen != 16)
++ AES_encrypt(cctx->KX + 16, cctx->KX + 32, &cctx->df_kxks);
++#if 0
++ fprintf(stderr, "Output of ctr_df:\n");
++ BIO_dump_fp(stderr, cctx->KX, cctx->keylen + 16);
++#endif
++}
++
++/* NB the no-df Update in SP800-90 specifies a constant input length
++ * of seedlen, however other uses of this algorithm pad the input with
++ * zeroes if necessary and have up to two parameters XORed together,
++ * handle both cases in this function instead.
++ */
++
++static void ctr_Update(DRBG_CTX *dctx,
++ const unsigned char *in1, size_t in1len,
++ const unsigned char *in2, size_t in2len,
++ const unsigned char *nonce, size_t noncelen)
++{
++ DRBG_CTR_CTX *cctx = &dctx->d.ctr;
++ /* ks is already setup for correct key */
++ inc_128(cctx);
++ AES_encrypt(cctx->V, cctx->K, &cctx->ks);
++ /* If keylen longer than 128 bits need extra encrypt */
++ if (cctx->keylen != 16) {
++ inc_128(cctx);
++ AES_encrypt(cctx->V, cctx->K + 16, &cctx->ks);
++ }
++ inc_128(cctx);
++ AES_encrypt(cctx->V, cctx->V, &cctx->ks);
++ /* If 192 bit key part of V is on end of K */
++ if (cctx->keylen == 24) {
++ memcpy(cctx->V + 8, cctx->V, 8);
++ memcpy(cctx->V, cctx->K + 24, 8);
++ }
++
++ if (dctx->xflags & DRBG_FLAG_CTR_USE_DF) {
++ /* If no input reuse existing derived value */
++ if (in1 || nonce || in2)
++ ctr_df(cctx, in1, in1len, nonce, noncelen, in2, in2len);
++ /* If this a reuse input in1len != 0 */
++ if (in1len)
++ ctr_XOR(cctx, cctx->KX, dctx->seedlen);
++ } else {
++ ctr_XOR(cctx, in1, in1len);
++ ctr_XOR(cctx, in2, in2len);
++ }
++
++ AES_set_encrypt_key(cctx->K, dctx->strength, &cctx->ks);
++#if 0
++ fprintf(stderr, "K+V after update is:\n");
++ BIO_dump_fp(stderr, cctx->K, cctx->keylen);
++ BIO_dump_fp(stderr, cctx->V, 16);
++#endif
++}
++
++static int drbg_ctr_instantiate(DRBG_CTX *dctx,
++ const unsigned char *ent, size_t entlen,
++ const unsigned char *nonce, size_t noncelen,
++ const unsigned char *pers, size_t perslen)
++{
++ DRBG_CTR_CTX *cctx = &dctx->d.ctr;
++ memset(cctx->K, 0, sizeof(cctx->K));
++ memset(cctx->V, 0, sizeof(cctx->V));
++ AES_set_encrypt_key(cctx->K, dctx->strength, &cctx->ks);
++ ctr_Update(dctx, ent, entlen, pers, perslen, nonce, noncelen);
++ return 1;
++}
++
++static int drbg_ctr_reseed(DRBG_CTX *dctx,
++ const unsigned char *ent, size_t entlen,
++ const unsigned char *adin, size_t adinlen)
++{
++ ctr_Update(dctx, ent, entlen, adin, adinlen, NULL, 0);
++ return 1;
++}
++
++static int drbg_ctr_generate(DRBG_CTX *dctx,
++ unsigned char *out, size_t outlen,
++ const unsigned char *adin, size_t adinlen)
++{
++ DRBG_CTR_CTX *cctx = &dctx->d.ctr;
++ if (adin && adinlen) {
++ ctr_Update(dctx, adin, adinlen, NULL, 0, NULL, 0);
++ /* This means we reuse derived value */
++ if (dctx->xflags & DRBG_FLAG_CTR_USE_DF) {
++ adin = NULL;
++ adinlen = 1;
++ }
++ } else
++ adinlen = 0;
++
++ for (;;) {
++ inc_128(cctx);
++ if (!(dctx->xflags & DRBG_FLAG_TEST) && !dctx->lb_valid) {
++ AES_encrypt(cctx->V, dctx->lb, &cctx->ks);
++ dctx->lb_valid = 1;
++ continue;
++ }
++ if (outlen < 16) {
++ /* Use K as temp space as it will be updated */
++ AES_encrypt(cctx->V, cctx->K, &cctx->ks);
++ if (!fips_drbg_cprng_test(dctx, cctx->K))
++ return 0;
++ memcpy(out, cctx->K, outlen);
++ break;
++ }
++ AES_encrypt(cctx->V, out, &cctx->ks);
++ if (!fips_drbg_cprng_test(dctx, out))
++ return 0;
++ out += 16;
++ outlen -= 16;
++ if (outlen == 0)
++ break;
++ }
++
++ ctr_Update(dctx, adin, adinlen, NULL, 0, NULL, 0);
++
++ return 1;
++
++}
++
++static int drbg_ctr_uninstantiate(DRBG_CTX *dctx)
++{
++ memset(&dctx->d.ctr, 0, sizeof(DRBG_CTR_CTX));
++ return 1;
++}
++
++int fips_drbg_ctr_init(DRBG_CTX *dctx)
++{
++ DRBG_CTR_CTX *cctx = &dctx->d.ctr;
++
++ size_t keylen;
++
++ switch (dctx->type) {
++ case NID_aes_128_ctr:
++ keylen = 16;
++ break;
++
++ case NID_aes_192_ctr:
++ keylen = 24;
++ break;
++
++ case NID_aes_256_ctr:
++ keylen = 32;
++ break;
++
++ default:
++ return -2;
++ }
++
++ dctx->instantiate = drbg_ctr_instantiate;
++ dctx->reseed = drbg_ctr_reseed;
++ dctx->generate = drbg_ctr_generate;
++ dctx->uninstantiate = drbg_ctr_uninstantiate;
++
++ cctx->keylen = keylen;
++ dctx->strength = keylen * 8;
++ dctx->blocklength = 16;
++ dctx->seedlen = keylen + 16;
++
++ if (dctx->xflags & DRBG_FLAG_CTR_USE_DF) {
++ /* df initialisation */
++ static unsigned char df_key[32] = {
++ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
++ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
++ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
++ 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
++ };
++ /* Set key schedule for df_key */
++ AES_set_encrypt_key(df_key, dctx->strength, &cctx->df_ks);
++
++ dctx->min_entropy = cctx->keylen;
++ dctx->max_entropy = DRBG_MAX_LENGTH;
++ dctx->min_nonce = dctx->min_entropy / 2;
++ dctx->max_nonce = DRBG_MAX_LENGTH;
++ dctx->max_pers = DRBG_MAX_LENGTH;
++ dctx->max_adin = DRBG_MAX_LENGTH;
++ } else {
++ dctx->min_entropy = dctx->seedlen;
++ dctx->max_entropy = dctx->seedlen;
++ /* Nonce not used */
++ dctx->min_nonce = 0;
++ dctx->max_nonce = 0;
++ dctx->max_pers = dctx->seedlen;
++ dctx->max_adin = dctx->seedlen;
++ }
++
++ dctx->max_request = 1 << 16;
++ dctx->reseed_interval = 1 << 24;
++
++ return 1;
++}
+diff -up openssl-1.1.1-pre8/crypto/fips/fips_drbg_hash.c.fips openssl-1.1.1-pre8/crypto/fips/fips_drbg_hash.c
+--- openssl-1.1.1-pre8/crypto/fips/fips_drbg_hash.c.fips 2018-07-25 17:26:58.406624728 +0200
++++ openssl-1.1.1-pre8/crypto/fips/fips_drbg_hash.c 2018-07-25 17:26:58.406624728 +0200
+@@ -0,0 +1,361 @@
++/* fips/rand/fips_drbg_hash.c */
++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
++ * project.
++ */
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++#define OPENSSL_FIPSAPI
++
++#include <stdlib.h>
++#include <string.h>
++#include <openssl/crypto.h>
++#include <openssl/fips.h>
++#include "internal/fips_int.h"
++#include <openssl/fips_rand.h>
++#include "fips_rand_lcl.h"
++
++/* This is Hash_df from SP 800-90 10.4.1 */
++
++static int hash_df(DRBG_CTX *dctx, unsigned char *out,
++ const unsigned char *in1, size_t in1len,
++ const unsigned char *in2, size_t in2len,
++ const unsigned char *in3, size_t in3len,
++ const unsigned char *in4, size_t in4len)
++{
++ EVP_MD_CTX *mctx = dctx->d.hash.mctx;
++ unsigned char *vtmp = dctx->d.hash.vtmp;
++ unsigned char tmp[6];
++ /* Standard only ever needs seedlen bytes which is always less than
++ * maximum permitted so no need to check length.
++ */
++ size_t outlen = dctx->seedlen;
++ tmp[0] = 1;
++ tmp[1] = ((outlen * 8) >> 24) & 0xff;
++ tmp[2] = ((outlen * 8) >> 16) & 0xff;
++ tmp[3] = ((outlen * 8) >> 8) & 0xff;
++ tmp[4] = (outlen * 8) & 0xff;
++ if (!in1) {
++ tmp[5] = (unsigned char)in1len;
++ in1 = tmp + 5;
++ in1len = 1;
++ }
++ for (;;) {
++ if (!FIPS_digestinit(mctx, dctx->d.hash.md))
++ return 0;
++ if (!FIPS_digestupdate(mctx, tmp, 5))
++ return 0;
++ if (in1 && !FIPS_digestupdate(mctx, in1, in1len))
++ return 0;
++ if (in2 && !FIPS_digestupdate(mctx, in2, in2len))
++ return 0;
++ if (in3 && !FIPS_digestupdate(mctx, in3, in3len))
++ return 0;
++ if (in4 && !FIPS_digestupdate(mctx, in4, in4len))
++ return 0;
++ if (outlen < dctx->blocklength) {
++ if (!FIPS_digestfinal(mctx, vtmp, NULL))
++ return 0;
++ memcpy(out, vtmp, outlen);
++ OPENSSL_cleanse(vtmp, dctx->blocklength);
++ return 1;
++ } else if (!FIPS_digestfinal(mctx, out, NULL))
++ return 0;
++
++ outlen -= dctx->blocklength;
++ if (outlen == 0)
++ return 1;
++ tmp[0]++;
++ out += dctx->blocklength;
++ }
++}
++
++/* Add an unsigned buffer to the buf value, storing the result in buf. For
++ * this algorithm the length of input never exceeds the seed length.
++ */
++
++static void ctx_add_buf(DRBG_CTX *dctx, unsigned char *buf,
++ unsigned char *in, size_t inlen)
++{
++ size_t i = inlen;
++ const unsigned char *q;
++ unsigned char c, *p;
++ p = buf + dctx->seedlen;
++ q = in + inlen;
++
++ OPENSSL_assert(i <= dctx->seedlen);
++
++ /* Special case: zero length, just increment buffer */
++ if (i)
++ c = 0;
++ else
++ c = 1;
++
++ while (i) {
++ int r;
++ p--;
++ q--;
++ r = *p + *q + c;
++ /* Carry */
++ if (r > 0xff)
++ c = 1;
++ else
++ c = 0;
++ *p = r & 0xff;
++ i--;
++ }
++
++ i = dctx->seedlen - inlen;
++
++ /* If not adding whole buffer handle final carries */
++ if (c && i) {
++ do {
++ p--;
++ c = *p;
++ c++;
++ *p = c;
++ if (c)
++ return;
++ } while (i--);
++ }
++}
++
++/* Finalise and add hash to V */
++
++static int ctx_add_md(DRBG_CTX *dctx)
++{
++ if (!FIPS_digestfinal(dctx->d.hash.mctx, dctx->d.hash.vtmp, NULL))
++ return 0;
++ ctx_add_buf(dctx, dctx->d.hash.V, dctx->d.hash.vtmp, dctx->blocklength);
++ return 1;
++}
++
++static int hash_gen(DRBG_CTX *dctx, unsigned char *out, size_t outlen)
++{
++ DRBG_HASH_CTX *hctx = &dctx->d.hash;
++ if (outlen == 0)
++ return 1;
++ memcpy(hctx->vtmp, hctx->V, dctx->seedlen);
++ for (;;) {
++ FIPS_digestinit(hctx->mctx, hctx->md);
++ FIPS_digestupdate(hctx->mctx, hctx->vtmp, dctx->seedlen);
++ if (!(dctx->xflags & DRBG_FLAG_TEST) && !dctx->lb_valid) {
++ FIPS_digestfinal(hctx->mctx, dctx->lb, NULL);
++ dctx->lb_valid = 1;
++ } else if (outlen < dctx->blocklength) {
++ FIPS_digestfinal(hctx->mctx, hctx->vtmp, NULL);
++ if (!fips_drbg_cprng_test(dctx, hctx->vtmp))
++ return 0;
++ memcpy(out, hctx->vtmp, outlen);
++ return 1;
++ } else {
++ FIPS_digestfinal(hctx->mctx, out, NULL);
++ if (!fips_drbg_cprng_test(dctx, out))
++ return 0;
++ outlen -= dctx->blocklength;
++ if (outlen == 0)
++ return 1;
++ out += dctx->blocklength;
++ }
++ ctx_add_buf(dctx, hctx->vtmp, NULL, 0);
++ }
++}
++
++static int drbg_hash_instantiate(DRBG_CTX *dctx,
++ const unsigned char *ent, size_t ent_len,
++ const unsigned char *nonce, size_t nonce_len,
++ const unsigned char *pstr, size_t pstr_len)
++{
++ DRBG_HASH_CTX *hctx = &dctx->d.hash;
++ if (!hash_df(dctx, hctx->V,
++ ent, ent_len, nonce, nonce_len, pstr, pstr_len, NULL, 0))
++ return 0;
++ if (!hash_df(dctx, hctx->C,
++ NULL, 0, hctx->V, dctx->seedlen, NULL, 0, NULL, 0))
++ return 0;
++
++#ifdef HASH_DRBG_TRACE
++ fprintf(stderr, "V+C after instantiate:\n");
++ hexprint(stderr, hctx->V, dctx->seedlen);
++ hexprint(stderr, hctx->C, dctx->seedlen);
++#endif
++ return 1;
++}
++
++static int drbg_hash_reseed(DRBG_CTX *dctx,
++ const unsigned char *ent, size_t ent_len,
++ const unsigned char *adin, size_t adin_len)
++{
++ DRBG_HASH_CTX *hctx = &dctx->d.hash;
++ /* V about to be updated so use C as output instead */
++ if (!hash_df(dctx, hctx->C,
++ NULL, 1, hctx->V, dctx->seedlen,
++ ent, ent_len, adin, adin_len))
++ return 0;
++ memcpy(hctx->V, hctx->C, dctx->seedlen);
++ if (!hash_df(dctx, hctx->C, NULL, 0,
++ hctx->V, dctx->seedlen, NULL, 0, NULL, 0))
++ return 0;
++#ifdef HASH_DRBG_TRACE
++ fprintf(stderr, "V+C after reseed:\n");
++ hexprint(stderr, hctx->V, dctx->seedlen);
++ hexprint(stderr, hctx->C, dctx->seedlen);
++#endif
++ return 1;
++}
++
++static int drbg_hash_generate(DRBG_CTX *dctx,
++ unsigned char *out, size_t outlen,
++ const unsigned char *adin, size_t adin_len)
++{
++ DRBG_HASH_CTX *hctx = &dctx->d.hash;
++ EVP_MD_CTX *mctx = hctx->mctx;
++ unsigned char tmp[4];
++ if (adin && adin_len) {
++ tmp[0] = 2;
++ if (!FIPS_digestinit(mctx, hctx->md))
++ return 0;
++ if (!EVP_DigestUpdate(mctx, tmp, 1))
++ return 0;
++ if (!EVP_DigestUpdate(mctx, hctx->V, dctx->seedlen))
++ return 0;
++ if (!EVP_DigestUpdate(mctx, adin, adin_len))
++ return 0;
++ if (!ctx_add_md(dctx))
++ return 0;
++ }
++ if (!hash_gen(dctx, out, outlen))
++ return 0;
++
++ tmp[0] = 3;
++ if (!FIPS_digestinit(mctx, hctx->md))
++ return 0;
++ if (!EVP_DigestUpdate(mctx, tmp, 1))
++ return 0;
++ if (!EVP_DigestUpdate(mctx, hctx->V, dctx->seedlen))
++ return 0;
++
++ if (!ctx_add_md(dctx))
++ return 0;
++
++ ctx_add_buf(dctx, hctx->V, hctx->C, dctx->seedlen);
++
++ tmp[0] = (dctx->reseed_counter >> 24) & 0xff;
++ tmp[1] = (dctx->reseed_counter >> 16) & 0xff;
++ tmp[2] = (dctx->reseed_counter >> 8) & 0xff;
++ tmp[3] = dctx->reseed_counter & 0xff;
++ ctx_add_buf(dctx, hctx->V, tmp, 4);
++#ifdef HASH_DRBG_TRACE
++ fprintf(stderr, "V+C after generate:\n");
++ hexprint(stderr, hctx->V, dctx->seedlen);
++ hexprint(stderr, hctx->C, dctx->seedlen);
++#endif
++ return 1;
++}
++
++static int drbg_hash_uninstantiate(DRBG_CTX *dctx)
++{
++ EVP_MD_CTX_free(dctx->d.hash.mctx);
++ OPENSSL_cleanse(&dctx->d.hash, sizeof(DRBG_HASH_CTX));
++ return 1;
++}
++
++int fips_drbg_hash_init(DRBG_CTX *dctx)
++{
++ const EVP_MD *md;
++ DRBG_HASH_CTX *hctx = &dctx->d.hash;
++ md = FIPS_get_digestbynid(dctx->type);
++ if (!md)
++ return -2;
++ switch (dctx->type) {
++ case NID_sha1:
++ dctx->strength = 128;
++ break;
++
++ case NID_sha224:
++ dctx->strength = 192;
++ break;
++
++ default:
++ dctx->strength = 256;
++ break;
++ }
++
++ dctx->instantiate = drbg_hash_instantiate;
++ dctx->reseed = drbg_hash_reseed;
++ dctx->generate = drbg_hash_generate;
++ dctx->uninstantiate = drbg_hash_uninstantiate;
++
++ dctx->d.hash.md = md;
++ hctx->mctx = EVP_MD_CTX_new();
++ if (hctx->mctx == NULL)
++ return -1;
++
++ /* These are taken from SP 800-90 10.1 table 2 */
++
++ dctx->blocklength = EVP_MD_size(md);
++ if (dctx->blocklength > 32)
++ dctx->seedlen = 111;
++ else
++ dctx->seedlen = 55;
++
++ dctx->min_entropy = dctx->strength / 8;
++ dctx->max_entropy = DRBG_MAX_LENGTH;
++
++ dctx->min_nonce = dctx->min_entropy / 2;
++ dctx->max_nonce = DRBG_MAX_LENGTH;
++
++ dctx->max_pers = DRBG_MAX_LENGTH;
++ dctx->max_adin = DRBG_MAX_LENGTH;
++
++ dctx->max_request = 1 << 16;
++ dctx->reseed_interval = 1 << 24;
++
++ return 1;
++}
+diff -up openssl-1.1.1-pre8/crypto/fips/fips_drbg_hmac.c.fips openssl-1.1.1-pre8/crypto/fips/fips_drbg_hmac.c
+--- openssl-1.1.1-pre8/crypto/fips/fips_drbg_hmac.c.fips 2018-07-25 17:26:58.407624752 +0200
++++ openssl-1.1.1-pre8/crypto/fips/fips_drbg_hmac.c 2018-07-25 17:26:58.407624752 +0200
+@@ -0,0 +1,272 @@
++/* fips/rand/fips_drbg_hmac.c */
++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
++ * project.
++ */
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++#include <stdlib.h>
++#include <string.h>
++#include <openssl/crypto.h>
++#include <openssl/evp.h>
++#include <openssl/hmac.h>
++#include <openssl/aes.h>
++#include <openssl/fips.h>
++#include <openssl/fips_rand.h>
++#include "fips_rand_lcl.h"
++
++static int drbg_hmac_update(DRBG_CTX *dctx,
++ const unsigned char *in1, size_t in1len,
++ const unsigned char *in2, size_t in2len,
++ const unsigned char *in3, size_t in3len)
++{
++ static unsigned char c0 = 0, c1 = 1;
++ DRBG_HMAC_CTX *hmac = &dctx->d.hmac;
++ HMAC_CTX *hctx = hmac->hctx;
++
++ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
++ return 0;
++ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))
++ return 0;
++ if (!HMAC_Update(hctx, &c0, 1))
++ return 0;
++ if (in1len && !HMAC_Update(hctx, in1, in1len))
++ return 0;
++ if (in2len && !HMAC_Update(hctx, in2, in2len))
++ return 0;
++ if (in3len && !HMAC_Update(hctx, in3, in3len))
++ return 0;
++
++ if (!HMAC_Final(hctx, hmac->K, NULL))
++ return 0;
++
++ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
++ return 0;
++ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))
++ return 0;
++
++ if (!HMAC_Final(hctx, hmac->V, NULL))
++ return 0;
++
++ if (!in1len && !in2len && !in3len)
++ return 1;
++
++ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
++ return 0;
++ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))
++ return 0;
++ if (!HMAC_Update(hctx, &c1, 1))
++ return 0;
++ if (in1len && !HMAC_Update(hctx, in1, in1len))
++ return 0;
++ if (in2len && !HMAC_Update(hctx, in2, in2len))
++ return 0;
++ if (in3len && !HMAC_Update(hctx, in3, in3len))
++ return 0;
++
++ if (!HMAC_Final(hctx, hmac->K, NULL))
++ return 0;
++
++ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
++ return 0;
++ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))
++ return 0;
++
++ if (!HMAC_Final(hctx, hmac->V, NULL))
++ return 0;
++
++ return 1;
++
++}
++
++static int drbg_hmac_instantiate(DRBG_CTX *dctx,
++ const unsigned char *ent, size_t ent_len,
++ const unsigned char *nonce, size_t nonce_len,
++ const unsigned char *pstr, size_t pstr_len)
++{
++ DRBG_HMAC_CTX *hmac = &dctx->d.hmac;
++ memset(hmac->K, 0, dctx->blocklength);
++ memset(hmac->V, 1, dctx->blocklength);
++ if (!drbg_hmac_update(dctx,
++ ent, ent_len, nonce, nonce_len, pstr, pstr_len))
++ return 0;
++
++#ifdef HMAC_DRBG_TRACE
++ fprintf(stderr, "K+V after instantiate:\n");
++ hexprint(stderr, hmac->K, hmac->blocklength);
++ hexprint(stderr, hmac->V, hmac->blocklength);
++#endif
++ return 1;
++}
++
++static int drbg_hmac_reseed(DRBG_CTX *dctx,
++ const unsigned char *ent, size_t ent_len,
++ const unsigned char *adin, size_t adin_len)
++{
++ if (!drbg_hmac_update(dctx, ent, ent_len, adin, adin_len, NULL, 0))
++ return 0;
++
++#ifdef HMAC_DRBG_TRACE
++ {
++ DRBG_HMAC_CTX *hmac = &dctx->d.hmac;
++ fprintf(stderr, "K+V after reseed:\n");
++ hexprint(stderr, hmac->K, hmac->blocklength);
++ hexprint(stderr, hmac->V, hmac->blocklength);
++ }
++#endif
++ return 1;
++}
++
++static int drbg_hmac_generate(DRBG_CTX *dctx,
++ unsigned char *out, size_t outlen,
++ const unsigned char *adin, size_t adin_len)
++{
++ DRBG_HMAC_CTX *hmac = &dctx->d.hmac;
++ HMAC_CTX *hctx = hmac->hctx;
++ const unsigned char *Vtmp = hmac->V;
++ if (adin_len && !drbg_hmac_update(dctx, adin, adin_len, NULL, 0, NULL, 0))
++ return 0;
++ for (;;) {
++ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
++ return 0;
++ if (!HMAC_Update(hctx, Vtmp, dctx->blocklength))
++ return 0;
++ if (!(dctx->xflags & DRBG_FLAG_TEST) && !dctx->lb_valid) {
++ if (!HMAC_Final(hctx, dctx->lb, NULL))
++ return 0;
++ dctx->lb_valid = 1;
++ Vtmp = dctx->lb;
++ continue;
++ } else if (outlen > dctx->blocklength) {
++ if (!HMAC_Final(hctx, out, NULL))
++ return 0;
++ if (!fips_drbg_cprng_test(dctx, out))
++ return 0;
++ Vtmp = out;
++ } else {
++ if (!HMAC_Final(hctx, hmac->V, NULL))
++ return 0;
++ if (!fips_drbg_cprng_test(dctx, hmac->V))
++ return 0;
++ memcpy(out, hmac->V, outlen);
++ break;
++ }
++ out += dctx->blocklength;
++ outlen -= dctx->blocklength;
++ }
++ if (!drbg_hmac_update(dctx, adin, adin_len, NULL, 0, NULL, 0))
++ return 0;
++
++ return 1;
++}
++
++static int drbg_hmac_uninstantiate(DRBG_CTX *dctx)
++{
++ HMAC_CTX_free(dctx->d.hmac.hctx);
++ OPENSSL_cleanse(&dctx->d.hmac, sizeof(DRBG_HMAC_CTX));
++ return 1;
++}
++
++int fips_drbg_hmac_init(DRBG_CTX *dctx)
++{
++ const EVP_MD *md = NULL;
++ DRBG_HMAC_CTX *hctx = &dctx->d.hmac;
++ dctx->strength = 256;
++ switch (dctx->type) {
++ case NID_hmacWithSHA1:
++ md = EVP_sha1();
++ dctx->strength = 128;
++ break;
++
++ case NID_hmacWithSHA224:
++ md = EVP_sha224();
++ dctx->strength = 192;
++ break;
++
++ case NID_hmacWithSHA256:
++ md = EVP_sha256();
++ break;
++
++ case NID_hmacWithSHA384:
++ md = EVP_sha384();
++ break;
++
++ case NID_hmacWithSHA512:
++ md = EVP_sha512();
++ break;
++
++ default:
++ dctx->strength = 0;
++ return -2;
++ }
++ dctx->instantiate = drbg_hmac_instantiate;
++ dctx->reseed = drbg_hmac_reseed;
++ dctx->generate = drbg_hmac_generate;
++ dctx->uninstantiate = drbg_hmac_uninstantiate;
++ hctx->hctx = HMAC_CTX_new();
++ if (hctx->hctx == NULL)
++ return -1;
++ hctx->md = md;
++ dctx->blocklength = M_EVP_MD_size(md);
++ dctx->seedlen = M_EVP_MD_size(md);
++
++ dctx->min_entropy = dctx->strength / 8;
++ dctx->max_entropy = DRBG_MAX_LENGTH;
++
++ dctx->min_nonce = dctx->min_entropy / 2;
++ dctx->max_nonce = DRBG_MAX_LENGTH;
++
++ dctx->max_pers = DRBG_MAX_LENGTH;
++ dctx->max_adin = DRBG_MAX_LENGTH;
++
++ dctx->max_request = 1 << 16;
++ dctx->reseed_interval = 1 << 24;
++
++ return 1;
++}
+diff -up openssl-1.1.1-pre8/crypto/fips/fips_drbg_lib.c.fips openssl-1.1.1-pre8/crypto/fips/fips_drbg_lib.c
+--- openssl-1.1.1-pre8/crypto/fips/fips_drbg_lib.c.fips 2018-07-25 17:26:58.407624752 +0200
++++ openssl-1.1.1-pre8/crypto/fips/fips_drbg_lib.c 2018-07-25 17:26:58.407624752 +0200
+@@ -0,0 +1,555 @@
++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
++ * project.
++ */
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++#include <string.h>
++#include <openssl/crypto.h>
++#include <openssl/err.h>
++#include <openssl/fips.h>
++#include "internal/fips_int.h"
++#include <openssl/fips_rand.h>
++#include "fips_locl.h"
++#include "fips_rand_lcl.h"
++
++/* Support framework for SP800-90 DRBGs */
++
++int FIPS_drbg_init(DRBG_CTX *dctx, int type, unsigned int flags)
++{
++ int rv;
++ memset(dctx, 0, sizeof(DRBG_CTX));
++ dctx->status = DRBG_STATUS_UNINITIALISED;
++ dctx->xflags = flags;
++ dctx->type = type;
++
++ dctx->iflags = 0;
++ dctx->entropy_blocklen = 0;
++ dctx->health_check_cnt = 0;
++ dctx->health_check_interval = DRBG_HEALTH_INTERVAL;
++
++ rv = fips_drbg_hash_init(dctx);
++
++ if (rv == -2)
++ rv = fips_drbg_ctr_init(dctx);
++ if (rv == -2)
++ rv = fips_drbg_hmac_init(dctx);
++
++ if (rv <= 0) {
++ if (rv == -2)
++ FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_UNSUPPORTED_DRBG_TYPE);
++ else
++ FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_ERROR_INITIALISING_DRBG);
++ }
++
++ /* If not in test mode run selftests on DRBG of the same type */
++
++ if (!(dctx->xflags & DRBG_FLAG_TEST)) {
++ if (!FIPS_drbg_health_check(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_SELFTEST_FAILURE);
++ return 0;
++ }
++ }
++
++ return rv;
++}
++
++DRBG_CTX *FIPS_drbg_new(int type, unsigned int flags)
++{
++ DRBG_CTX *dctx;
++ dctx = OPENSSL_malloc(sizeof(DRBG_CTX));
++ if (!dctx) {
++ FIPSerr(FIPS_F_FIPS_DRBG_NEW, ERR_R_MALLOC_FAILURE);
++ return NULL;
++ }
++
++ if (type == 0) {
++ memset(dctx, 0, sizeof(DRBG_CTX));
++ dctx->type = 0;
++ dctx->status = DRBG_STATUS_UNINITIALISED;
++ return dctx;
++ }
++
++ if (FIPS_drbg_init(dctx, type, flags) <= 0) {
++ OPENSSL_free(dctx);
++ return NULL;
++ }
++
++ return dctx;
++}
++
++void FIPS_drbg_free(DRBG_CTX *dctx)
++{
++ if (dctx->uninstantiate)
++ dctx->uninstantiate(dctx);
++ /* Don't free up default DRBG */
++ if (dctx == FIPS_get_default_drbg()) {
++ memset(dctx, 0, sizeof(DRBG_CTX));
++ dctx->type = 0;
++ dctx->status = DRBG_STATUS_UNINITIALISED;
++ } else {
++ OPENSSL_cleanse(&dctx->d, sizeof(dctx->d));
++ OPENSSL_free(dctx);
++ }
++}
++
++static size_t fips_get_entropy(DRBG_CTX *dctx, unsigned char **pout,
++ int entropy, size_t min_len, size_t max_len)
++{
++ unsigned char *tout, *p;
++ size_t bl = dctx->entropy_blocklen, rv;
++ if (!dctx->get_entropy)
++ return 0;
++ if (dctx->xflags & DRBG_FLAG_TEST || !bl)
++ return dctx->get_entropy(dctx, pout, entropy, min_len, max_len);
++ rv = dctx->get_entropy(dctx, &tout, entropy + bl,
++ min_len + bl, max_len + bl);
++ if (tout == NULL)
++ return 0;
++ *pout = tout + bl;
++ if (rv < (min_len + bl) || (rv % bl))
++ return 0;
++ /* Compare consecutive blocks for continuous PRNG test */
++ for (p = tout; p < tout + rv - bl; p += bl) {
++ if (!memcmp(p, p + bl, bl)) {
++ FIPSerr(FIPS_F_FIPS_GET_ENTROPY, FIPS_R_ENTROPY_SOURCE_STUCK);
++ return 0;
++ }
++ }
++ rv -= bl;
++ if (rv > max_len)
++ return max_len;
++ return rv;
++}
++
++static void fips_cleanup_entropy(DRBG_CTX *dctx,
++ unsigned char *out, size_t olen)
++{
++ size_t bl;
++ if (dctx->xflags & DRBG_FLAG_TEST)
++ bl = 0;
++ else
++ bl = dctx->entropy_blocklen;
++ /* Call cleanup with original arguments */
++ dctx->cleanup_entropy(dctx, out - bl, olen + bl);
++}
++
++int FIPS_drbg_instantiate(DRBG_CTX *dctx,
++ const unsigned char *pers, size_t perslen)
++{
++ size_t entlen = 0, noncelen = 0;
++ unsigned char *nonce = NULL, *entropy = NULL;
++
++#if 0
++ /* Put here so error script picks them up */
++ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE,
++ FIPS_R_PERSONALISATION_STRING_TOO_LONG);
++ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_IN_ERROR_STATE);
++ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ALREADY_INSTANTIATED);
++ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_ENTROPY);
++ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_NONCE);
++ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_INSTANTIATE_ERROR);
++ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_DRBG_NOT_INITIALISED);
++#endif
++
++ int r = 0;
++
++ if (perslen > dctx->max_pers) {
++ r = FIPS_R_PERSONALISATION_STRING_TOO_LONG;
++ goto end;
++ }
++
++ if (!dctx->instantiate) {
++ r = FIPS_R_DRBG_NOT_INITIALISED;
++ goto end;
++ }
++
++ if (dctx->status != DRBG_STATUS_UNINITIALISED) {
++ if (dctx->status == DRBG_STATUS_ERROR)
++ r = FIPS_R_IN_ERROR_STATE;
++ else
++ r = FIPS_R_ALREADY_INSTANTIATED;
++ goto end;
++ }
++
++ dctx->status = DRBG_STATUS_ERROR;
++
++ entlen = fips_get_entropy(dctx, &entropy, dctx->strength,
++ dctx->min_entropy, dctx->max_entropy);
++
++ if (entlen < dctx->min_entropy || entlen > dctx->max_entropy) {
++ r = FIPS_R_ERROR_RETRIEVING_ENTROPY;
++ goto end;
++ }
++
++ if (dctx->max_nonce > 0 && dctx->get_nonce) {
++ noncelen = dctx->get_nonce(dctx, &nonce,
++ dctx->strength / 2,
++ dctx->min_nonce, dctx->max_nonce);
++
++ if (noncelen < dctx->min_nonce || noncelen > dctx->max_nonce) {
++ r = FIPS_R_ERROR_RETRIEVING_NONCE;
++ goto end;
++ }
++
++ }
++
++ if (!dctx->instantiate(dctx,
++ entropy, entlen, nonce, noncelen, pers, perslen)) {
++ r = FIPS_R_ERROR_INSTANTIATING_DRBG;
++ goto end;
++ }
++
++ dctx->status = DRBG_STATUS_READY;
++ if (!(dctx->iflags & DRBG_CUSTOM_RESEED))
++ dctx->reseed_counter = 1;
++
++ end:
++
++ if (entropy && dctx->cleanup_entropy)
++ fips_cleanup_entropy(dctx, entropy, entlen);
++
++ if (nonce && dctx->cleanup_nonce)
++ dctx->cleanup_nonce(dctx, nonce, noncelen);
++
++ if (dctx->status == DRBG_STATUS_READY)
++ return 1;
++
++ if (r && !(dctx->iflags & DRBG_FLAG_NOERR))
++ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, r);
++
++ return 0;
++
++}
++
++static int drbg_reseed(DRBG_CTX *dctx,
++ const unsigned char *adin, size_t adinlen, int hcheck)
++{
++ unsigned char *entropy = NULL;
++ size_t entlen = 0;
++ int r = 0;
++
++#if 0
++ FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_NOT_INSTANTIATED);
++ FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_ADDITIONAL_INPUT_TOO_LONG);
++#endif
++ if (dctx->status != DRBG_STATUS_READY
++ && dctx->status != DRBG_STATUS_RESEED) {
++ if (dctx->status == DRBG_STATUS_ERROR)
++ r = FIPS_R_IN_ERROR_STATE;
++ else if (dctx->status == DRBG_STATUS_UNINITIALISED)
++ r = FIPS_R_NOT_INSTANTIATED;
++ goto end;
++ }
++
++ if (!adin)
++ adinlen = 0;
++ else if (adinlen > dctx->max_adin) {
++ r = FIPS_R_ADDITIONAL_INPUT_TOO_LONG;
++ goto end;
++ }
++
++ dctx->status = DRBG_STATUS_ERROR;
++ /* Peform health check on all reseed operations if not a prediction
++ * resistance request and not in test mode.
++ */
++ if (hcheck && !(dctx->xflags & DRBG_FLAG_TEST)) {
++ if (!FIPS_drbg_health_check(dctx)) {
++ r = FIPS_R_SELFTEST_FAILURE;
++ goto end;
++ }
++ }
++
++ entlen = fips_get_entropy(dctx, &entropy, dctx->strength,
++ dctx->min_entropy, dctx->max_entropy);
++
++ if (entlen < dctx->min_entropy || entlen > dctx->max_entropy) {
++ r = FIPS_R_ERROR_RETRIEVING_ENTROPY;
++ goto end;
++ }
++
++ if (!dctx->reseed(dctx, entropy, entlen, adin, adinlen))
++ goto end;
++
++ dctx->status = DRBG_STATUS_READY;
++ if (!(dctx->iflags & DRBG_CUSTOM_RESEED))
++ dctx->reseed_counter = 1;
++ end:
++
++ if (entropy && dctx->cleanup_entropy)
++ fips_cleanup_entropy(dctx, entropy, entlen);
++
++ if (dctx->status == DRBG_STATUS_READY)
++ return 1;
++
++ if (r && !(dctx->iflags & DRBG_FLAG_NOERR))
++ FIPSerr(FIPS_F_DRBG_RESEED, r);
++
++ return 0;
++}
++
++int FIPS_drbg_reseed(DRBG_CTX *dctx,
++ const unsigned char *adin, size_t adinlen)
++{
++ return drbg_reseed(dctx, adin, adinlen, 1);
++}
++
++static int fips_drbg_check(DRBG_CTX *dctx)
++{
++ if (dctx->xflags & DRBG_FLAG_TEST)
++ return 1;
++ dctx->health_check_cnt++;
++ if (dctx->health_check_cnt >= dctx->health_check_interval) {
++ if (!FIPS_drbg_health_check(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_CHECK, FIPS_R_SELFTEST_FAILURE);
++ return 0;
++ }
++ }
++ return 1;
++}
++
++int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
++ int prediction_resistance,
++ const unsigned char *adin, size_t adinlen)
++{
++ int r = 0;
++
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, FIPS_R_SELFTEST_FAILED);
++ return 0;
++ }
++
++ if (!fips_drbg_check(dctx))
++ return 0;
++
++ if (dctx->status != DRBG_STATUS_READY
++ && dctx->status != DRBG_STATUS_RESEED) {
++ if (dctx->status == DRBG_STATUS_ERROR)
++ r = FIPS_R_IN_ERROR_STATE;
++ else if (dctx->status == DRBG_STATUS_UNINITIALISED)
++ r = FIPS_R_NOT_INSTANTIATED;
++ goto end;
++ }
++
++ if (outlen > dctx->max_request) {
++ r = FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG;
++ return 0;
++ }
++
++ if (adinlen > dctx->max_adin) {
++ r = FIPS_R_ADDITIONAL_INPUT_TOO_LONG;
++ goto end;
++ }
++
++ if (dctx->iflags & DRBG_CUSTOM_RESEED)
++ dctx->generate(dctx, NULL, outlen, NULL, 0);
++ else if (dctx->reseed_counter >= dctx->reseed_interval)
++ dctx->status = DRBG_STATUS_RESEED;
++
++ if (dctx->status == DRBG_STATUS_RESEED || prediction_resistance) {
++ /* If prediction resistance request don't do health check */
++ int hcheck = prediction_resistance ? 0 : 1;
++
++ if (!drbg_reseed(dctx, adin, adinlen, hcheck)) {
++ r = FIPS_R_RESEED_ERROR;
++ goto end;
++ }
++ adin = NULL;
++ adinlen = 0;
++ }
++
++ if (!dctx->generate(dctx, out, outlen, adin, adinlen)) {
++ r = FIPS_R_GENERATE_ERROR;
++ dctx->status = DRBG_STATUS_ERROR;
++ goto end;
++ }
++ if (!(dctx->iflags & DRBG_CUSTOM_RESEED)) {
++ if (dctx->reseed_counter >= dctx->reseed_interval)
++ dctx->status = DRBG_STATUS_RESEED;
++ else
++ dctx->reseed_counter++;
++ }
++
++ end:
++ if (r) {
++ if (!(dctx->iflags & DRBG_FLAG_NOERR))
++ FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, r);
++ return 0;
++ }
++
++ return 1;
++}
++
++int FIPS_drbg_uninstantiate(DRBG_CTX *dctx)
++{
++ int rv;
++ if (!dctx->uninstantiate)
++ rv = 1;
++ else
++ rv = dctx->uninstantiate(dctx);
++ /* Although we'd like to cleanse here we can't because we have to
++ * test the uninstantiate really zeroes the data.
++ */
++ memset(&dctx->d, 0, sizeof(dctx->d));
++ dctx->status = DRBG_STATUS_UNINITIALISED;
++ /* If method has problems uninstantiating, return error */
++ return rv;
++}
++
++int FIPS_drbg_set_callbacks(DRBG_CTX *dctx,
++ size_t (*get_entropy) (DRBG_CTX *ctx,
++ unsigned char **pout,
++ int entropy,
++ size_t min_len,
++ size_t max_len),
++ void (*cleanup_entropy) (DRBG_CTX *ctx,
++ unsigned char *out,
++ size_t olen),
++ size_t entropy_blocklen,
++ size_t (*get_nonce) (DRBG_CTX *ctx,
++ unsigned char **pout,
++ int entropy, size_t min_len,
++ size_t max_len),
++ void (*cleanup_nonce) (DRBG_CTX *ctx,
++ unsigned char *out,
++ size_t olen))
++{
++ if (dctx->status != DRBG_STATUS_UNINITIALISED)
++ return 0;
++ dctx->entropy_blocklen = entropy_blocklen;
++ dctx->get_entropy = get_entropy;
++ dctx->cleanup_entropy = cleanup_entropy;
++ dctx->get_nonce = get_nonce;
++ dctx->cleanup_nonce = cleanup_nonce;
++ return 1;
++}
++
++int FIPS_drbg_set_rand_callbacks(DRBG_CTX *dctx,
++ size_t (*get_adin) (DRBG_CTX *ctx,
++ unsigned char **pout),
++ void (*cleanup_adin) (DRBG_CTX *ctx,
++ unsigned char *out,
++ size_t olen),
++ int (*rand_seed_cb) (DRBG_CTX *ctx,
++ const void *buf,
++ int num),
++ int (*rand_add_cb) (DRBG_CTX *ctx,
++ const void *buf, int num,
++ double entropy))
++{
++ if (dctx->status != DRBG_STATUS_UNINITIALISED)
++ return 0;
++ dctx->get_adin = get_adin;
++ dctx->cleanup_adin = cleanup_adin;
++ dctx->rand_seed_cb = rand_seed_cb;
++ dctx->rand_add_cb = rand_add_cb;
++ return 1;
++}
++
++void *FIPS_drbg_get_app_data(DRBG_CTX *dctx)
++{
++ return dctx->app_data;
++}
++
++void FIPS_drbg_set_app_data(DRBG_CTX *dctx, void *app_data)
++{
++ dctx->app_data = app_data;
++}
++
++size_t FIPS_drbg_get_blocklength(DRBG_CTX *dctx)
++{
++ return dctx->blocklength;
++}
++
++int FIPS_drbg_get_strength(DRBG_CTX *dctx)
++{
++ return dctx->strength;
++}
++
++void FIPS_drbg_set_check_interval(DRBG_CTX *dctx, int interval)
++{
++ dctx->health_check_interval = interval;
++}
++
++void FIPS_drbg_set_reseed_interval(DRBG_CTX *dctx, int interval)
++{
++ dctx->reseed_interval = interval;
++}
++
++static int drbg_stick = 0;
++
++void FIPS_drbg_stick(int onoff)
++{
++ drbg_stick = onoff;
++}
++
++/* Continuous DRBG utility function */
++int fips_drbg_cprng_test(DRBG_CTX *dctx, const unsigned char *out)
++{
++ /* No CPRNG in test mode */
++ if (dctx->xflags & DRBG_FLAG_TEST)
++ return 1;
++ /* Check block is valid: should never happen */
++ if (dctx->lb_valid == 0) {
++ FIPSerr(FIPS_F_FIPS_DRBG_CPRNG_TEST, FIPS_R_INTERNAL_ERROR);
++ fips_set_selftest_fail();
++ return 0;
++ }
++ if (drbg_stick)
++ memcpy(dctx->lb, out, dctx->blocklength);
++ /* Check against last block: fail if match */
++ if (!memcmp(dctx->lb, out, dctx->blocklength)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_CPRNG_TEST, FIPS_R_DRBG_STUCK);
++ fips_set_selftest_fail();
++ return 0;
++ }
++ /* Save last block for next comparison */
++ memcpy(dctx->lb, out, dctx->blocklength);
++ return 1;
++}
+diff -up openssl-1.1.1-pre8/crypto/fips/fips_drbg_rand.c.fips openssl-1.1.1-pre8/crypto/fips/fips_drbg_rand.c
+--- openssl-1.1.1-pre8/crypto/fips/fips_drbg_rand.c.fips 2018-07-25 17:26:58.407624752 +0200
++++ openssl-1.1.1-pre8/crypto/fips/fips_drbg_rand.c 2018-07-25 17:26:58.407624752 +0200
+@@ -0,0 +1,183 @@
++/* fips/rand/fips_drbg_rand.c */
++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
++ * project.
++ */
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++#include <string.h>
++#include <openssl/crypto.h>
++#include "internal/thread_once.h"
++#include <openssl/err.h>
++#include <openssl/rand.h>
++#include <openssl/fips.h>
++#include <openssl/fips_rand.h>
++#include "fips_rand_lcl.h"
++
++/* Mapping of SP800-90 DRBGs to OpenSSL RAND_METHOD */
++
++/* Since we only have one global PRNG used at any time in OpenSSL use a global
++ * variable to store context.
++ */
++
++static DRBG_CTX ossl_dctx;
++
++static CRYPTO_RWLOCK *fips_rand_lock = NULL;
++static CRYPTO_ONCE fips_rand_lock_init = CRYPTO_ONCE_STATIC_INIT;
++
++DEFINE_RUN_ONCE_STATIC(do_fips_rand_lock_init)
++{
++ fips_rand_lock = CRYPTO_THREAD_lock_new();
++ return fips_rand_lock != NULL;
++}
++
++DRBG_CTX *FIPS_get_default_drbg(void)
++{
++ if (!RUN_ONCE(&fips_rand_lock_init, do_fips_rand_lock_init))
++ return NULL;
++ return &ossl_dctx;
++}
++
++static int fips_drbg_bytes(unsigned char *out, int count)
++{
++ DRBG_CTX *dctx = &ossl_dctx;
++ int rv = 0;
++ unsigned char *adin = NULL;
++ size_t adinlen = 0;
++ CRYPTO_THREAD_write_lock(fips_rand_lock);
++ do {
++ size_t rcnt;
++ if (count > (int)dctx->max_request)
++ rcnt = dctx->max_request;
++ else
++ rcnt = count;
++ if (dctx->get_adin) {
++ adinlen = dctx->get_adin(dctx, &adin);
++ if (adinlen && !adin) {
++ FIPSerr(FIPS_F_FIPS_DRBG_BYTES,
++ FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT);
++ goto err;
++ }
++ }
++ rv = FIPS_drbg_generate(dctx, out, rcnt, 0, adin, adinlen);
++ if (adin) {
++ if (dctx->cleanup_adin)
++ dctx->cleanup_adin(dctx, adin, adinlen);
++ adin = NULL;
++ }
++ if (!rv)
++ goto err;
++ out += rcnt;
++ count -= rcnt;
++ }
++ while (count);
++ rv = 1;
++ err:
++ CRYPTO_THREAD_unlock(fips_rand_lock);
++ return rv;
++}
++
++static int fips_drbg_pseudo(unsigned char *out, int count)
++{
++ if (fips_drbg_bytes(out, count) <= 0)
++ return -1;
++ return 1;
++}
++
++static int fips_drbg_status(void)
++{
++ DRBG_CTX *dctx = &ossl_dctx;
++ int rv;
++ CRYPTO_THREAD_read_lock(fips_rand_lock);
++ rv = dctx->status == DRBG_STATUS_READY ? 1 : 0;
++ CRYPTO_THREAD_unlock(fips_rand_lock);
++ return rv;
++}
++
++static void fips_drbg_cleanup(void)
++{
++ DRBG_CTX *dctx = &ossl_dctx;
++ CRYPTO_THREAD_write_lock(fips_rand_lock);
++ FIPS_drbg_uninstantiate(dctx);
++ CRYPTO_THREAD_unlock(fips_rand_lock);
++}
++
++static int fips_drbg_seed(const void *seed, int seedlen)
++{
++ DRBG_CTX *dctx = &ossl_dctx;
++ CRYPTO_THREAD_write_lock(fips_rand_lock);
++ if (dctx->rand_seed_cb)
++ return dctx->rand_seed_cb(dctx, seed, seedlen);
++ CRYPTO_THREAD_unlock(fips_rand_lock);
++ return 1;
++}
++
++static int fips_drbg_add(const void *seed, int seedlen, double add_entropy)
++{
++ DRBG_CTX *dctx = &ossl_dctx;
++ CRYPTO_THREAD_write_lock(fips_rand_lock);
++ if (dctx->rand_add_cb)
++ return dctx->rand_add_cb(dctx, seed, seedlen, add_entropy);
++ CRYPTO_THREAD_unlock(fips_rand_lock);
++ return 1;
++}
++
++static const RAND_METHOD rand_drbg_meth = {
++ fips_drbg_seed,
++ fips_drbg_bytes,
++ fips_drbg_cleanup,
++ fips_drbg_add,
++ fips_drbg_pseudo,
++ fips_drbg_status
++};
++
++const RAND_METHOD *FIPS_drbg_method(void)
++{
++ return &rand_drbg_meth;
++}
+diff -up openssl-1.1.1-pre8/crypto/fips/fips_drbg_selftest.c.fips openssl-1.1.1-pre8/crypto/fips/fips_drbg_selftest.c
+--- openssl-1.1.1-pre8/crypto/fips/fips_drbg_selftest.c.fips 2018-07-25 17:26:58.407624752 +0200
++++ openssl-1.1.1-pre8/crypto/fips/fips_drbg_selftest.c 2018-07-25 17:26:58.407624752 +0200
+@@ -0,0 +1,828 @@
++/* fips/rand/fips_drbg_selftest.c */
++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
++ * project.
++ */
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++#include <string.h>
++#include <openssl/crypto.h>
++#include <openssl/err.h>
++#include <openssl/fips.h>
++#include <openssl/fips_rand.h>
++#include "fips_rand_lcl.h"
++#include "fips_locl.h"
++
++#include "fips_drbg_selftest.h"
++
++typedef struct {
++ int post;
++ int nid;
++ unsigned int flags;
++
++ /* KAT data for no PR */
++ const unsigned char *ent;
++ size_t entlen;
++ const unsigned char *nonce;
++ size_t noncelen;
++ const unsigned char *pers;
++ size_t perslen;
++ const unsigned char *adin;
++ size_t adinlen;
++ const unsigned char *entreseed;
++ size_t entreseedlen;
++ const unsigned char *adinreseed;
++ size_t adinreseedlen;
++ const unsigned char *adin2;
++ size_t adin2len;
++ const unsigned char *kat;
++ size_t katlen;
++ const unsigned char *kat2;
++ size_t kat2len;
++
++ /* KAT data for PR */
++ const unsigned char *ent_pr;
++ size_t entlen_pr;
++ const unsigned char *nonce_pr;
++ size_t noncelen_pr;
++ const unsigned char *pers_pr;
++ size_t perslen_pr;
++ const unsigned char *adin_pr;
++ size_t adinlen_pr;
++ const unsigned char *entpr_pr;
++ size_t entprlen_pr;
++ const unsigned char *ading_pr;
++ size_t adinglen_pr;
++ const unsigned char *entg_pr;
++ size_t entglen_pr;
++ const unsigned char *kat_pr;
++ size_t katlen_pr;
++ const unsigned char *kat2_pr;
++ size_t kat2len_pr;
++
++} DRBG_SELFTEST_DATA;
++
++#define make_drbg_test_data(nid, flag, pr, p) {p, nid, flag | DRBG_FLAG_TEST, \
++ pr##_entropyinput, sizeof(pr##_entropyinput), \
++ pr##_nonce, sizeof(pr##_nonce), \
++ pr##_personalizationstring, sizeof(pr##_personalizationstring), \
++ pr##_additionalinput, sizeof(pr##_additionalinput), \
++ pr##_entropyinputreseed, sizeof(pr##_entropyinputreseed), \
++ pr##_additionalinputreseed, sizeof(pr##_additionalinputreseed), \
++ pr##_additionalinput2, sizeof(pr##_additionalinput2), \
++ pr##_int_returnedbits, sizeof(pr##_int_returnedbits), \
++ pr##_returnedbits, sizeof(pr##_returnedbits), \
++ pr##_pr_entropyinput, sizeof(pr##_pr_entropyinput), \
++ pr##_pr_nonce, sizeof(pr##_pr_nonce), \
++ pr##_pr_personalizationstring, sizeof(pr##_pr_personalizationstring), \
++ pr##_pr_additionalinput, sizeof(pr##_pr_additionalinput), \
++ pr##_pr_entropyinputpr, sizeof(pr##_pr_entropyinputpr), \
++ pr##_pr_additionalinput2, sizeof(pr##_pr_additionalinput2), \
++ pr##_pr_entropyinputpr2, sizeof(pr##_pr_entropyinputpr2), \
++ pr##_pr_int_returnedbits, sizeof(pr##_pr_int_returnedbits), \
++ pr##_pr_returnedbits, sizeof(pr##_pr_returnedbits), \
++ }
++
++#define make_drbg_test_data_df(nid, pr, p) \
++ make_drbg_test_data(nid, DRBG_FLAG_CTR_USE_DF, pr, p)
++
++#define make_drbg_test_data_ec(curve, md, pr, p) \
++ make_drbg_test_data((curve << 16) | md , 0, pr, p)
++
++static DRBG_SELFTEST_DATA drbg_test[] = {
++ make_drbg_test_data_df(NID_aes_128_ctr, aes_128_use_df, 0),
++ make_drbg_test_data_df(NID_aes_192_ctr, aes_192_use_df, 0),
++ make_drbg_test_data_df(NID_aes_256_ctr, aes_256_use_df, 1),
++ make_drbg_test_data(NID_aes_128_ctr, 0, aes_128_no_df, 0),
++ make_drbg_test_data(NID_aes_192_ctr, 0, aes_192_no_df, 0),
++ make_drbg_test_data(NID_aes_256_ctr, 0, aes_256_no_df, 1),
++ make_drbg_test_data(NID_sha1, 0, sha1, 0),
++ make_drbg_test_data(NID_sha224, 0, sha224, 0),
++ make_drbg_test_data(NID_sha256, 0, sha256, 1),
++ make_drbg_test_data(NID_sha384, 0, sha384, 0),
++ make_drbg_test_data(NID_sha512, 0, sha512, 0),
++ make_drbg_test_data(NID_hmacWithSHA1, 0, hmac_sha1, 0),
++ make_drbg_test_data(NID_hmacWithSHA224, 0, hmac_sha224, 0),
++ make_drbg_test_data(NID_hmacWithSHA256, 0, hmac_sha256, 1),
++ make_drbg_test_data(NID_hmacWithSHA384, 0, hmac_sha384, 0),
++ make_drbg_test_data(NID_hmacWithSHA512, 0, hmac_sha512, 0),
++ {0, 0, 0}
++};
++
++typedef struct {
++ const unsigned char *ent;
++ size_t entlen;
++ int entcnt;
++ const unsigned char *nonce;
++ size_t noncelen;
++ int noncecnt;
++} TEST_ENT;
++
++static size_t test_entropy(DRBG_CTX *dctx, unsigned char **pout,
++ int entropy, size_t min_len, size_t max_len)
++{
++ TEST_ENT *t = FIPS_drbg_get_app_data(dctx);
++ *pout = (unsigned char *)t->ent;
++ t->entcnt++;
++ return t->entlen;
++}
++
++static size_t test_nonce(DRBG_CTX *dctx, unsigned char **pout,
++ int entropy, size_t min_len, size_t max_len)
++{
++ TEST_ENT *t = FIPS_drbg_get_app_data(dctx);
++ *pout = (unsigned char *)t->nonce;
++ t->noncecnt++;
++ return t->noncelen;
++}
++
++static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td,
++ int quick)
++{
++ TEST_ENT t;
++ int rv = 0;
++ size_t adinlen;
++ unsigned char randout[1024];
++
++ /* Initial test without PR */
++
++ /* Instantiate DRBG with test entropy, nonce and personalisation
++ * string.
++ */
++
++ if (!FIPS_drbg_init(dctx, td->nid, td->flags))
++ return 0;
++ if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
++ return 0;
++
++ FIPS_drbg_set_app_data(dctx, &t);
++
++ t.ent = td->ent;
++ t.entlen = td->entlen;
++ t.nonce = td->nonce;
++ t.noncelen = td->noncelen;
++ t.entcnt = 0;
++ t.noncecnt = 0;
++
++ if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen))
++ goto err;
++
++ /* Note for CTR without DF some additional input values
++ * ignore bytes after the keylength: so reduce adinlen
++ * to half to ensure invalid data is fed in.
++ */
++ if (!fips_post_corrupt(FIPS_TEST_DRBG, dctx->type, &dctx->iflags))
++ adinlen = td->adinlen / 2;
++ else
++ adinlen = td->adinlen;
++
++ /* Generate with no PR and verify output matches expected data */
++ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, td->adin, adinlen))
++ goto err;
++
++ if (memcmp(randout, td->kat, td->katlen)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_NOPR_TEST1_FAILURE);
++ goto err2;
++ }
++ /* If abbreviated POST end of test */
++ if (quick) {
++ rv = 1;
++ goto err;
++ }
++ /* Reseed DRBG with test entropy and additional input */
++ t.ent = td->entreseed;
++ t.entlen = td->entreseedlen;
++
++ if (!FIPS_drbg_reseed(dctx, td->adinreseed, td->adinreseedlen))
++ goto err;
++
++ /* Generate with no PR and verify output matches expected data */
++ if (!FIPS_drbg_generate(dctx, randout, td->kat2len, 0,
++ td->adin2, td->adin2len))
++ goto err;
++
++ if (memcmp(randout, td->kat2, td->kat2len)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_NOPR_TEST2_FAILURE);
++ goto err2;
++ }
++
++ FIPS_drbg_uninstantiate(dctx);
++
++ /* Now test with PR */
++
++ /* Instantiate DRBG with test entropy, nonce and personalisation
++ * string.
++ */
++ if (!FIPS_drbg_init(dctx, td->nid, td->flags))
++ return 0;
++ if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
++ return 0;
++
++ FIPS_drbg_set_app_data(dctx, &t);
++
++ t.ent = td->ent_pr;
++ t.entlen = td->entlen_pr;
++ t.nonce = td->nonce_pr;
++ t.noncelen = td->noncelen_pr;
++ t.entcnt = 0;
++ t.noncecnt = 0;
++
++ if (!FIPS_drbg_instantiate(dctx, td->pers_pr, td->perslen_pr))
++ goto err;
++
++ /* Now generate with PR: we need to supply entropy as this will
++ * perform a reseed operation. Check output matches expected value.
++ */
++
++ t.ent = td->entpr_pr;
++ t.entlen = td->entprlen_pr;
++
++ /* Note for CTR without DF some additional input values
++ * ignore bytes after the keylength: so reduce adinlen
++ * to half to ensure invalid data is fed in.
++ */
++ if (!fips_post_corrupt(FIPS_TEST_DRBG, dctx->type, &dctx->iflags))
++ adinlen = td->adinlen_pr / 2;
++ else
++ adinlen = td->adinlen_pr;
++ if (!FIPS_drbg_generate(dctx, randout, td->katlen_pr, 1,
++ td->adin_pr, adinlen))
++ goto err;
++
++ if (memcmp(randout, td->kat_pr, td->katlen_pr)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_PR_TEST1_FAILURE);
++ goto err2;
++ }
++
++ /* Now generate again with PR: supply new entropy again.
++ * Check output matches expected value.
++ */
++
++ t.ent = td->entg_pr;
++ t.entlen = td->entglen_pr;
++
++ if (!FIPS_drbg_generate(dctx, randout, td->kat2len_pr, 1,
++ td->ading_pr, td->adinglen_pr))
++ goto err;
++
++ if (memcmp(randout, td->kat2_pr, td->kat2len_pr)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_PR_TEST2_FAILURE);
++ goto err2;
++ }
++ /* All OK, test complete */
++ rv = 1;
++
++ err:
++ if (rv == 0)
++ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_SELFTEST_FAILED);
++ err2:
++ FIPS_drbg_uninstantiate(dctx);
++
++ return rv;
++
++}
++
++/* Initialise a DRBG based on selftest data */
++
++static int do_drbg_init(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td, TEST_ENT * t)
++{
++
++ if (!FIPS_drbg_init(dctx, td->nid, td->flags))
++ return 0;
++
++ if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
++ return 0;
++
++ FIPS_drbg_set_app_data(dctx, t);
++
++ t->ent = td->ent;
++ t->entlen = td->entlen;
++ t->nonce = td->nonce;
++ t->noncelen = td->noncelen;
++ t->entcnt = 0;
++ t->noncecnt = 0;
++ return 1;
++}
++
++/* Initialise and instantiate DRBG based on selftest data */
++static int do_drbg_instantiate(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td,
++ TEST_ENT * t)
++{
++ if (!do_drbg_init(dctx, td, t))
++ return 0;
++ if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen))
++ return 0;
++
++ return 1;
++}
++
++/* This function performs extensive error checking as required by SP800-90.
++ * Induce several failure modes and check an error condition is set.
++ * This function along with fips_drbg_single_kat peforms the health checking
++ * operation.
++ */
++
++static int fips_drbg_error_check(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td)
++{
++ unsigned char randout[1024];
++ TEST_ENT t;
++ size_t i;
++ unsigned int reseed_counter_tmp;
++ unsigned char *p = (unsigned char *)dctx;
++
++ /* Initialise DRBG */
++
++ if (!do_drbg_init(dctx, td, &t))
++ goto err;
++
++ /* Don't report induced errors */
++ dctx->iflags |= DRBG_FLAG_NOERR;
++
++ /* Personalisation string tests */
++
++ /* Test detection of too large personlisation string */
++
++ if (FIPS_drbg_instantiate(dctx, td->pers, dctx->max_pers + 1) > 0) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_PERSONALISATION_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ /* Entropy source tests */
++
++ /* Test entropy source failure detecion: i.e. returns no data */
++
++ t.entlen = 0;
++
++ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_ENTROPY_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ /* Try to generate output from uninstantiated DRBG */
++ if (FIPS_drbg_generate(dctx, randout, td->katlen, 0,
++ td->adin, td->adinlen)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_GENERATE_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ dctx->iflags &= ~DRBG_FLAG_NOERR;
++ if (!FIPS_drbg_uninstantiate(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++ goto err;
++ }
++
++ if (!do_drbg_init(dctx, td, &t))
++ goto err;
++
++ dctx->iflags |= DRBG_FLAG_NOERR;
++
++ /* Test insufficient entropy */
++
++ t.entlen = dctx->min_entropy - 1;
++
++ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_ENTROPY_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ dctx->iflags &= ~DRBG_FLAG_NOERR;
++ if (!FIPS_drbg_uninstantiate(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++ goto err;
++ }
++
++ /* Test too much entropy */
++
++ if (!do_drbg_init(dctx, td, &t))
++ goto err;
++
++ dctx->iflags |= DRBG_FLAG_NOERR;
++
++ t.entlen = dctx->max_entropy + 1;
++
++ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_ENTROPY_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ dctx->iflags &= ~DRBG_FLAG_NOERR;
++ if (!FIPS_drbg_uninstantiate(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++ goto err;
++ }
++
++ /* Nonce tests */
++
++ /* Test too small nonce */
++
++ if (dctx->min_nonce) {
++
++ if (!do_drbg_init(dctx, td, &t))
++ goto err;
++
++ dctx->iflags |= DRBG_FLAG_NOERR;
++
++ t.noncelen = dctx->min_nonce - 1;
++
++ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_NONCE_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ dctx->iflags &= ~DRBG_FLAG_NOERR;
++ if (!FIPS_drbg_uninstantiate(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++ goto err;
++ }
++
++ }
++
++ /* Test too large nonce */
++
++ if (dctx->max_nonce) {
++
++ if (!do_drbg_init(dctx, td, &t))
++ goto err;
++
++ dctx->iflags |= DRBG_FLAG_NOERR;
++
++ t.noncelen = dctx->max_nonce + 1;
++
++ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_NONCE_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ dctx->iflags &= ~DRBG_FLAG_NOERR;
++ if (!FIPS_drbg_uninstantiate(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++ goto err;
++ }
++
++ }
++
++ /* Instantiate with valid data. */
++ if (!do_drbg_instantiate(dctx, td, &t))
++ goto err;
++
++ /* Check generation is now OK */
++ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,
++ td->adin, td->adinlen))
++ goto err;
++
++ dctx->iflags |= DRBG_FLAG_NOERR;
++
++ /* Request too much data for one request */
++ if (FIPS_drbg_generate(dctx, randout, dctx->max_request + 1, 0,
++ td->adin, td->adinlen)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ /* Try too large additional input */
++ if (FIPS_drbg_generate(dctx, randout, td->katlen, 0,
++ td->adin, dctx->max_adin + 1)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ /* Check prediction resistance request fails if entropy source
++ * failure.
++ */
++
++ t.entlen = 0;
++
++ if (FIPS_drbg_generate(dctx, randout, td->katlen, 1,
++ td->adin, td->adinlen)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_ENTROPY_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ dctx->iflags &= ~DRBG_FLAG_NOERR;
++ if (!FIPS_drbg_uninstantiate(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++ goto err;
++ }
++
++ /* Instantiate again with valid data */
++
++ if (!do_drbg_instantiate(dctx, td, &t))
++ goto err;
++ /* Test reseed counter works */
++ /* Save initial reseed counter */
++ reseed_counter_tmp = dctx->reseed_counter;
++ /* Set reseed counter to beyond interval */
++ dctx->reseed_counter = dctx->reseed_interval;
++
++ /* Generate output and check entropy has been requested for reseed */
++ t.entcnt = 0;
++ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,
++ td->adin, td->adinlen))
++ goto err;
++ if (t.entcnt != 1) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED);
++ goto err;
++ }
++ /* Check reseed counter has been reset */
++ if (dctx->reseed_counter != reseed_counter_tmp + 1) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_RESEED_COUNTER_ERROR);
++ goto err;
++ }
++
++ dctx->iflags &= ~DRBG_FLAG_NOERR;
++ if (!FIPS_drbg_uninstantiate(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++ goto err;
++ }
++
++ /* Check prediction resistance request fails if entropy source
++ * failure.
++ */
++
++ t.entlen = 0;
++
++ dctx->iflags |= DRBG_FLAG_NOERR;
++ if (FIPS_drbg_generate(dctx, randout, td->katlen, 1,
++ td->adin, td->adinlen)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_ENTROPY_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ dctx->iflags &= ~DRBG_FLAG_NOERR;
++
++ if (!FIPS_drbg_uninstantiate(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++ goto err;
++ }
++
++ if (!do_drbg_instantiate(dctx, td, &t))
++ goto err;
++ /* Test reseed counter works */
++ /* Save initial reseed counter */
++ reseed_counter_tmp = dctx->reseed_counter;
++ /* Set reseed counter to beyond interval */
++ dctx->reseed_counter = dctx->reseed_interval;
++
++ /* Generate output and check entropy has been requested for reseed */
++ t.entcnt = 0;
++ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,
++ td->adin, td->adinlen))
++ goto err;
++ if (t.entcnt != 1) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED);
++ goto err;
++ }
++ /* Check reseed counter has been reset */
++ if (dctx->reseed_counter != reseed_counter_tmp + 1) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_RESEED_COUNTER_ERROR);
++ goto err;
++ }
++
++ dctx->iflags &= ~DRBG_FLAG_NOERR;
++ if (!FIPS_drbg_uninstantiate(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++ goto err;
++ }
++
++ /* Explicit reseed tests */
++
++ /* Test explicit reseed with too large additional input */
++ if (!do_drbg_init(dctx, td, &t))
++ goto err;
++
++ dctx->iflags |= DRBG_FLAG_NOERR;
++
++ if (FIPS_drbg_reseed(dctx, td->adin, dctx->max_adin + 1) > 0) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ /* Test explicit reseed with entropy source failure */
++
++ t.entlen = 0;
++
++ if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_ENTROPY_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ if (!FIPS_drbg_uninstantiate(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++ goto err;
++ }
++
++ /* Test explicit reseed with too much entropy */
++
++ if (!do_drbg_init(dctx, td, &t))
++ goto err;
++
++ dctx->iflags |= DRBG_FLAG_NOERR;
++
++ t.entlen = dctx->max_entropy + 1;
++
++ if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_ENTROPY_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ if (!FIPS_drbg_uninstantiate(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++ goto err;
++ }
++
++ /* Test explicit reseed with too little entropy */
++
++ if (!do_drbg_init(dctx, td, &t))
++ goto err;
++
++ dctx->iflags |= DRBG_FLAG_NOERR;
++
++ t.entlen = dctx->min_entropy - 1;
++
++ if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_ENTROPY_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ if (!FIPS_drbg_uninstantiate(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++ goto err;
++ }
++
++ p = (unsigned char *)&dctx->d;
++ /* Standard says we have to check uninstantiate really zeroes
++ * the data...
++ */
++ for (i = 0; i < sizeof(dctx->d); i++) {
++ if (*p != 0) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_UNINSTANTIATE_ZEROISE_ERROR);
++ goto err;
++ }
++ p++;
++ }
++
++ return 1;
++
++ err:
++ /* A real error as opposed to an induced one: underlying function will
++ * indicate the error.
++ */
++ if (!(dctx->iflags & DRBG_FLAG_NOERR))
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_FUNCTION_ERROR);
++ FIPS_drbg_uninstantiate(dctx);
++ return 0;
++
++}
++
++int fips_drbg_kat(DRBG_CTX *dctx, int nid, unsigned int flags)
++{
++ DRBG_SELFTEST_DATA *td;
++ flags |= DRBG_FLAG_TEST;
++ for (td = drbg_test; td->nid != 0; td++) {
++ if (td->nid == nid && td->flags == flags) {
++ if (!fips_drbg_single_kat(dctx, td, 0))
++ return 0;
++ return fips_drbg_error_check(dctx, td);
++ }
++ }
++ return 0;
++}
++
++int FIPS_drbg_health_check(DRBG_CTX *dctx)
++{
++ int rv;
++ DRBG_CTX *tctx = NULL;
++ tctx = FIPS_drbg_new(0, 0);
++ fips_post_started(FIPS_TEST_DRBG, dctx->type, &dctx->xflags);
++ if (!tctx)
++ return 0;
++ rv = fips_drbg_kat(tctx, dctx->type, dctx->xflags);
++ if (tctx)
++ FIPS_drbg_free(tctx);
++ if (rv)
++ fips_post_success(FIPS_TEST_DRBG, dctx->type, &dctx->xflags);
++ else
++ fips_post_failed(FIPS_TEST_DRBG, dctx->type, &dctx->xflags);
++ if (!rv)
++ dctx->status = DRBG_STATUS_ERROR;
++ else
++ dctx->health_check_cnt = 0;
++ return rv;
++}
++
++int FIPS_selftest_drbg(void)
++{
++ DRBG_CTX *dctx;
++ DRBG_SELFTEST_DATA *td;
++ int rv = 1;
++ dctx = FIPS_drbg_new(0, 0);
++ if (!dctx)
++ return 0;
++ for (td = drbg_test; td->nid != 0; td++) {
++ if (td->post != 1)
++ continue;
++ if (!fips_post_started(FIPS_TEST_DRBG, td->nid, &td->flags))
++ return 1;
++ if (!fips_drbg_single_kat(dctx, td, 1)) {
++ fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags);
++ rv = 0;
++ continue;
++ }
++ if (!fips_post_success(FIPS_TEST_DRBG, td->nid, &td->flags))
++ return 0;
++ }
++ FIPS_drbg_free(dctx);
++ return rv;
++}
++
++int FIPS_selftest_drbg_all(void)
++{
++ DRBG_CTX *dctx;
++ DRBG_SELFTEST_DATA *td;
++ int rv = 1;
++ dctx = FIPS_drbg_new(0, 0);
++ if (!dctx)
++ return 0;
++ for (td = drbg_test; td->nid != 0; td++) {
++ if (!fips_post_started(FIPS_TEST_DRBG, td->nid, &td->flags))
++ return 1;
++ if (!fips_drbg_single_kat(dctx, td, 0)) {
++ fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags);
++ rv = 0;
++ continue;
++ }
++ if (!fips_drbg_error_check(dctx, td)) {
++ fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags);
++ rv = 0;
++ continue;
++ }
++ if (!fips_post_success(FIPS_TEST_DRBG, td->nid, &td->flags))
++ return 0;
++ }
++ FIPS_drbg_free(dctx);
++ return rv;
++}
+diff -up openssl-1.1.1-pre8/crypto/fips/fips_drbg_selftest.h.fips openssl-1.1.1-pre8/crypto/fips/fips_drbg_selftest.h
+--- openssl-1.1.1-pre8/crypto/fips/fips_drbg_selftest.h.fips 2018-07-25 17:26:58.408624776 +0200
++++ openssl-1.1.1-pre8/crypto/fips/fips_drbg_selftest.h 2018-07-25 17:26:58.408624776 +0200
+@@ -0,0 +1,1791 @@
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++/* Selftest and health check data for the SP800-90 DRBG */
++
++#define __fips_constseg
++
++/* AES-128 use df PR */
++__fips_constseg static const unsigned char aes_128_use_df_pr_entropyinput[] = {
++ 0x61, 0x52, 0x7c, 0xe3, 0x23, 0x7d, 0x0a, 0x07, 0x10, 0x0c, 0x50, 0x33,
++ 0xc8, 0xdb, 0xff, 0x12
++};
++
++__fips_constseg static const unsigned char aes_128_use_df_pr_nonce[] = {
++ 0x51, 0x0d, 0x85, 0x77, 0xed, 0x22, 0x97, 0x28
++};
++
++__fips_constseg
++ static const unsigned char aes_128_use_df_pr_personalizationstring[] = {
++ 0x59, 0x9f, 0xbb, 0xcd, 0xd5, 0x25, 0x69, 0xb5, 0xcb, 0xb5, 0x03, 0xfe,
++ 0xd7, 0xd7, 0x01, 0x67
++};
++
++__fips_constseg
++ static const unsigned char aes_128_use_df_pr_additionalinput[] = {
++ 0xef, 0x88, 0x76, 0x01, 0xaf, 0x3c, 0xfe, 0x8b, 0xaf, 0x26, 0x06, 0x9e,
++ 0x9a, 0x47, 0x08, 0x76
++};
++
++__fips_constseg
++ static const unsigned char aes_128_use_df_pr_entropyinputpr[] = {
++ 0xe2, 0x76, 0xf9, 0xf6, 0x3a, 0xba, 0x10, 0x9f, 0xbf, 0x47, 0x0e, 0x51,
++ 0x09, 0xfb, 0xa3, 0xb6
++};
++
++__fips_constseg
++ static const unsigned char aes_128_use_df_pr_int_returnedbits[] = {
++ 0xd4, 0x98, 0x8a, 0x46, 0x80, 0x4c, 0xdb, 0xa3, 0x59, 0x02, 0x57, 0x52,
++ 0x66, 0x1c, 0xea, 0x5b
++};
++
++__fips_constseg
++ static const unsigned char aes_128_use_df_pr_additionalinput2[] = {
++ 0x88, 0x8c, 0x91, 0xd6, 0xbe, 0x56, 0x6e, 0x08, 0x9a, 0x62, 0x2b, 0x11,
++ 0x3f, 0x5e, 0x31, 0x06
++};
++
++__fips_constseg
++ static const unsigned char aes_128_use_df_pr_entropyinputpr2[] = {
++ 0xc0, 0x5c, 0x6b, 0x98, 0x01, 0x0d, 0x58, 0x18, 0x51, 0x18, 0x96, 0xae,
++ 0xa7, 0xe3, 0xa8, 0x67
++};
++
++__fips_constseg static const unsigned char aes_128_use_df_pr_returnedbits[] = {
++ 0xcf, 0x01, 0xac, 0x22, 0x31, 0x06, 0x8e, 0xfc, 0xce, 0x56, 0xea, 0x24,
++ 0x0f, 0x38, 0x43, 0xc6
++};
++
++/* AES-128 use df No PR */
++__fips_constseg static const unsigned char aes_128_use_df_entropyinput[] = {
++ 0x1f, 0x8e, 0x34, 0x82, 0x0c, 0xb7, 0xbe, 0xc5, 0x01, 0x3e, 0xd0, 0xa3,
++ 0x9d, 0x7d, 0x1c, 0x9b
++};
++
++__fips_constseg static const unsigned char aes_128_use_df_nonce[] = {
++ 0xd5, 0x4d, 0xbd, 0x4a, 0x93, 0x7f, 0xb8, 0x96
++};
++
++__fips_constseg
++ static const unsigned char aes_128_use_df_personalizationstring[] = {
++ 0xab, 0xd6, 0x3f, 0x04, 0xfe, 0x27, 0x6b, 0x2d, 0xd7, 0xc3, 0x1c, 0xf3,
++ 0x38, 0x66, 0xba, 0x1b
++};
++
++__fips_constseg static const unsigned char aes_128_use_df_additionalinput[] = {
++ 0xfe, 0xf4, 0x09, 0xa8, 0xb7, 0x73, 0x27, 0x9c, 0x5f, 0xa7, 0xea, 0x46,
++ 0xb5, 0xe2, 0xb2, 0x41
++};
++
++__fips_constseg static const unsigned char aes_128_use_df_int_returnedbits[] = {
++ 0x42, 0xe4, 0x4e, 0x7b, 0x27, 0xdd, 0xcb, 0xbc, 0x0a, 0xcf, 0xa6, 0x67,
++ 0xe7, 0x57, 0x11, 0xb4
++};
++
++__fips_constseg
++ static const unsigned char aes_128_use_df_entropyinputreseed[] = {
++ 0x14, 0x26, 0x69, 0xd9, 0xf3, 0x65, 0x03, 0xd6, 0x6b, 0xb9, 0x44, 0x0b,
++ 0xc7, 0xc4, 0x9e, 0x39
++};
++
++__fips_constseg
++ static const unsigned char aes_128_use_df_additionalinputreseed[] = {
++ 0x55, 0x2e, 0x60, 0x9a, 0x05, 0x72, 0x8a, 0xa8, 0xef, 0x22, 0x81, 0x5a,
++ 0xc8, 0x93, 0xfa, 0x84
++};
++
++__fips_constseg static const unsigned char aes_128_use_df_additionalinput2[] = {
++ 0x3c, 0x40, 0xc8, 0xc4, 0x16, 0x0c, 0x21, 0xa4, 0x37, 0x2c, 0x8f, 0xa5,
++ 0x06, 0x0c, 0x15, 0x2c
++};
++
++__fips_constseg static const unsigned char aes_128_use_df_returnedbits[] = {
++ 0xe1, 0x3e, 0x99, 0x98, 0x86, 0x67, 0x0b, 0x63, 0x7b, 0xbe, 0x3f, 0x88,
++ 0x46, 0x81, 0xc7, 0x19
++};
++
++/* AES-192 use df PR */
++__fips_constseg static const unsigned char aes_192_use_df_pr_entropyinput[] = {
++ 0x2b, 0x4e, 0x8b, 0xe1, 0xf1, 0x34, 0x80, 0x56, 0x81, 0xf9, 0x74, 0xec,
++ 0x17, 0x44, 0x2a, 0xf1, 0x14, 0xb0, 0xbf, 0x97, 0x39, 0xb7, 0x04, 0x7d
++};
++
++__fips_constseg static const unsigned char aes_192_use_df_pr_nonce[] = {
++ 0xd6, 0x9d, 0xeb, 0x14, 0x4e, 0x6c, 0x30, 0x1e, 0x39, 0x55, 0x73, 0xd0,
++ 0xd1, 0x80, 0x78, 0xfa
++};
++
++__fips_constseg
++ static const unsigned char aes_192_use_df_pr_personalizationstring[] = {
++ 0xfc, 0x43, 0x4a, 0xf8, 0x9a, 0x55, 0xb3, 0x53, 0x83, 0xe2, 0x18, 0x16,
++ 0x0c, 0xdc, 0xcd, 0x5e, 0x4f, 0xa0, 0x03, 0x01, 0x2b, 0x9f, 0xe4, 0xd5,
++ 0x7d, 0x49, 0xf0, 0x41, 0x9e, 0x3d, 0x99, 0x04
++};
++
++__fips_constseg
++ static const unsigned char aes_192_use_df_pr_additionalinput[] = {
++ 0x5e, 0x9f, 0x49, 0x6f, 0x21, 0x8b, 0x1d, 0x32, 0xd5, 0x84, 0x5c, 0xac,
++ 0xaf, 0xdf, 0xe4, 0x79, 0x9e, 0xaf, 0xa9, 0x82, 0xd0, 0xf8, 0x4f, 0xcb,
++ 0x69, 0x10, 0x0a, 0x7e, 0x81, 0x57, 0xb5, 0x36
++};
++
++__fips_constseg
++ static const unsigned char aes_192_use_df_pr_entropyinputpr[] = {
++ 0xd4, 0x81, 0x0c, 0xd7, 0x66, 0x39, 0xec, 0x42, 0x53, 0x87, 0x41, 0xa5,
++ 0x1e, 0x7d, 0x80, 0x91, 0x8e, 0xbb, 0xed, 0xac, 0x14, 0x02, 0x1a, 0xd5
++};
++
++__fips_constseg
++ static const unsigned char aes_192_use_df_pr_int_returnedbits[] = {
++ 0xdf, 0x1d, 0x39, 0x45, 0x7c, 0x9b, 0xc6, 0x2b, 0x7d, 0x8c, 0x93, 0xe9,
++ 0x19, 0x30, 0x6b, 0x67
++};
++
++__fips_constseg
++ static const unsigned char aes_192_use_df_pr_additionalinput2[] = {
++ 0x00, 0x71, 0x27, 0x4e, 0xd3, 0x14, 0xf1, 0x20, 0x7f, 0x4a, 0x41, 0x32,
++ 0x2a, 0x97, 0x11, 0x43, 0x8f, 0x4a, 0x15, 0x7b, 0x9b, 0x51, 0x79, 0xda,
++ 0x49, 0x3d, 0xde, 0xe8, 0xbc, 0x93, 0x91, 0x99
++};
++
++__fips_constseg
++ static const unsigned char aes_192_use_df_pr_entropyinputpr2[] = {
++ 0x90, 0xee, 0x76, 0xa1, 0x45, 0x8d, 0xb7, 0x40, 0xb0, 0x11, 0xbf, 0xd0,
++ 0x65, 0xd7, 0x3c, 0x7c, 0x4f, 0x20, 0x3f, 0x4e, 0x11, 0x9d, 0xb3, 0x5e
++};
++
++__fips_constseg static const unsigned char aes_192_use_df_pr_returnedbits[] = {
++ 0x24, 0x3b, 0x20, 0xa4, 0x37, 0x66, 0xba, 0x72, 0x39, 0x3f, 0xcf, 0x3c,
++ 0x7e, 0x1a, 0x2b, 0x83
++};
++
++/* AES-192 use df No PR */
++__fips_constseg static const unsigned char aes_192_use_df_entropyinput[] = {
++ 0x8d, 0x74, 0xa4, 0x50, 0x1a, 0x02, 0x68, 0x0c, 0x2a, 0x69, 0xc4, 0x82,
++ 0x3b, 0xbb, 0xda, 0x0e, 0x7f, 0x77, 0xa3, 0x17, 0x78, 0x57, 0xb2, 0x7b
++};
++
++__fips_constseg static const unsigned char aes_192_use_df_nonce[] = {
++ 0x75, 0xd5, 0x1f, 0xac, 0xa4, 0x8d, 0x42, 0x78, 0xd7, 0x69, 0x86, 0x9d,
++ 0x77, 0xd7, 0x41, 0x0e
++};
++
++__fips_constseg
++ static const unsigned char aes_192_use_df_personalizationstring[] = {
++ 0x4e, 0x33, 0x41, 0x3c, 0x9c, 0xc2, 0xd2, 0x53, 0xaf, 0x90, 0xea, 0xcf,
++ 0x19, 0x50, 0x1e, 0xe6, 0x6f, 0x63, 0xc8, 0x32, 0x22, 0xdc, 0x07, 0x65,
++ 0x9c, 0xd3, 0xf8, 0x30, 0x9e, 0xed, 0x35, 0x70
++};
++
++__fips_constseg static const unsigned char aes_192_use_df_additionalinput[] = {
++ 0x5d, 0x8b, 0x8c, 0xc1, 0xdf, 0x0e, 0x02, 0x78, 0xfb, 0x19, 0xb8, 0x69,
++ 0x78, 0x4e, 0x9c, 0x52, 0xbc, 0xc7, 0x20, 0xc9, 0xe6, 0x5e, 0x77, 0x22,
++ 0x28, 0x3d, 0x0c, 0x9e, 0x68, 0xa8, 0x45, 0xd7
++};
++
++__fips_constseg static const unsigned char aes_192_use_df_int_returnedbits[] = {
++ 0xd5, 0xe7, 0x08, 0xc5, 0x19, 0x99, 0xd5, 0x31, 0x03, 0x0a, 0x74, 0xb6,
++ 0xb7, 0xed, 0xe9, 0xea
++};
++
++__fips_constseg
++ static const unsigned char aes_192_use_df_entropyinputreseed[] = {
++ 0x9c, 0x26, 0xda, 0xf1, 0xac, 0xd9, 0x5a, 0xd6, 0xa8, 0x65, 0xf5, 0x02,
++ 0x8f, 0xdc, 0xa2, 0x09, 0x54, 0xa6, 0xe2, 0xa4, 0xde, 0x32, 0xe0, 0x01
++};
++
++__fips_constseg
++ static const unsigned char aes_192_use_df_additionalinputreseed[] = {
++ 0x9b, 0x90, 0xb0, 0x3a, 0x0e, 0x3a, 0x80, 0x07, 0x4a, 0xf4, 0xda, 0x76,
++ 0x28, 0x30, 0x3c, 0xee, 0x54, 0x1b, 0x94, 0x59, 0x51, 0x43, 0x56, 0x77,
++ 0xaf, 0x88, 0xdd, 0x63, 0x89, 0x47, 0x06, 0x65
++};
++
++__fips_constseg static const unsigned char aes_192_use_df_additionalinput2[] = {
++ 0x3c, 0x11, 0x64, 0x7a, 0x96, 0xf5, 0xd8, 0xb8, 0xae, 0xd6, 0x70, 0x4e,
++ 0x16, 0x96, 0xde, 0xe9, 0x62, 0xbc, 0xee, 0x28, 0x2f, 0x26, 0xa6, 0xf0,
++ 0x56, 0xef, 0xa3, 0xf1, 0x6b, 0xa1, 0xb1, 0x77
++};
++
++__fips_constseg static const unsigned char aes_192_use_df_returnedbits[] = {
++ 0x0b, 0xe2, 0x56, 0x03, 0x1e, 0xdb, 0x2c, 0x6d, 0x7f, 0x1b, 0x15, 0x58,
++ 0x1a, 0xf9, 0x13, 0x28
++};
++
++/* AES-256 use df PR */
++__fips_constseg static const unsigned char aes_256_use_df_pr_entropyinput[] = {
++ 0x61, 0x68, 0xfc, 0x1a, 0xf0, 0xb5, 0x95, 0x6b, 0x85, 0x09, 0x9b, 0x74,
++ 0x3f, 0x13, 0x78, 0x49, 0x3b, 0x85, 0xec, 0x93, 0x13, 0x3b, 0xa9, 0x4f,
++ 0x96, 0xab, 0x2c, 0xe4, 0xc8, 0x8f, 0xdd, 0x6a
++};
++
++__fips_constseg static const unsigned char aes_256_use_df_pr_nonce[] = {
++ 0xad, 0xd2, 0xbb, 0xba, 0xb7, 0x65, 0x89, 0xc3, 0x21, 0x6c, 0x55, 0x33,
++ 0x2b, 0x36, 0xff, 0xa4
++};
++
++__fips_constseg
++ static const unsigned char aes_256_use_df_pr_personalizationstring[] = {
++ 0x6e, 0xca, 0xe7, 0x20, 0x72, 0xd3, 0x84, 0x5a, 0x32, 0xd3, 0x4b, 0x24,
++ 0x72, 0xc4, 0x63, 0x2b, 0x9d, 0x12, 0x24, 0x0c, 0x23, 0x26, 0x8e, 0x83,
++ 0x16, 0x37, 0x0b, 0xd1, 0x06, 0x4f, 0x68, 0x6d
++};
++
++__fips_constseg
++ static const unsigned char aes_256_use_df_pr_additionalinput[] = {
++ 0x7e, 0x08, 0x4a, 0xbb, 0xe3, 0x21, 0x7c, 0xc9, 0x23, 0xd2, 0xf8, 0xb0,
++ 0x73, 0x98, 0xba, 0x84, 0x74, 0x23, 0xab, 0x06, 0x8a, 0xe2, 0x22, 0xd3,
++ 0x7b, 0xce, 0x9b, 0xd2, 0x4a, 0x76, 0xb8, 0xde
++};
++
++__fips_constseg
++ static const unsigned char aes_256_use_df_pr_entropyinputpr[] = {
++ 0x0b, 0x23, 0xaf, 0xdf, 0xf1, 0x62, 0xd7, 0xd3, 0x43, 0x97, 0xf8, 0x77,
++ 0x04, 0xa8, 0x42, 0x20, 0xbd, 0xf6, 0x0f, 0xc1, 0x17, 0x2f, 0x9f, 0x54,
++ 0xbb, 0x56, 0x17, 0x86, 0x68, 0x0e, 0xba, 0xa9
++};
++
++__fips_constseg
++ static const unsigned char aes_256_use_df_pr_int_returnedbits[] = {
++ 0x31, 0x8e, 0xad, 0xaf, 0x40, 0xeb, 0x6b, 0x74, 0x31, 0x46, 0x80, 0xc7,
++ 0x17, 0xab, 0x3c, 0x7a
++};
++
++__fips_constseg
++ static const unsigned char aes_256_use_df_pr_additionalinput2[] = {
++ 0x94, 0x6b, 0xc9, 0x9f, 0xab, 0x8d, 0xc5, 0xec, 0x71, 0x88, 0x1d, 0x00,
++ 0x8c, 0x89, 0x68, 0xe4, 0xc8, 0x07, 0x77, 0x36, 0x17, 0x6d, 0x79, 0x78,
++ 0xc7, 0x06, 0x4e, 0x99, 0x04, 0x28, 0x29, 0xc3
++};
++
++__fips_constseg
++ static const unsigned char aes_256_use_df_pr_entropyinputpr2[] = {
++ 0xbf, 0x6c, 0x59, 0x2a, 0x0d, 0x44, 0x0f, 0xae, 0x9a, 0x5e, 0x03, 0x73,
++ 0xd8, 0xa6, 0xe1, 0xcf, 0x25, 0x61, 0x38, 0x24, 0x86, 0x9e, 0x53, 0xe8,
++ 0xa4, 0xdf, 0x56, 0xf4, 0x06, 0x07, 0x9c, 0x0f
++};
++
++__fips_constseg static const unsigned char aes_256_use_df_pr_returnedbits[] = {
++ 0x22, 0x4a, 0xb4, 0xb8, 0xb6, 0xee, 0x7d, 0xb1, 0x9e, 0xc9, 0xf9, 0xa0,
++ 0xd9, 0xe2, 0x97, 0x00
++};
++
++/* AES-256 use df No PR */
++__fips_constseg static const unsigned char aes_256_use_df_entropyinput[] = {
++ 0xa5, 0x3e, 0x37, 0x10, 0x17, 0x43, 0x91, 0x93, 0x59, 0x1e, 0x47, 0x50,
++ 0x87, 0xaa, 0xdd, 0xd5, 0xc1, 0xc3, 0x86, 0xcd, 0xca, 0x0d, 0xdb, 0x68,
++ 0xe0, 0x02, 0xd8, 0x0f, 0xdc, 0x40, 0x1a, 0x47
++};
++
++__fips_constseg static const unsigned char aes_256_use_df_nonce[] = {
++ 0xa9, 0x4d, 0xa5, 0x5a, 0xfd, 0xc5, 0x0c, 0xe5, 0x1c, 0x9a, 0x3b, 0x8a,
++ 0x4c, 0x44, 0x84, 0x40
++};
++
++__fips_constseg
++ static const unsigned char aes_256_use_df_personalizationstring[] = {
++ 0x8b, 0x52, 0xa2, 0x4a, 0x93, 0xc3, 0x4e, 0xa7, 0x1e, 0x1c, 0xa7, 0x05,
++ 0xeb, 0x82, 0x9b, 0xa6, 0x5d, 0xe4, 0xd4, 0xe0, 0x7f, 0xa3, 0xd8, 0x6b,
++ 0x37, 0x84, 0x5f, 0xf1, 0xc7, 0xd5, 0xf6, 0xd2
++};
++
++__fips_constseg static const unsigned char aes_256_use_df_additionalinput[] = {
++ 0x20, 0xf4, 0x22, 0xed, 0xf8, 0x5c, 0xa1, 0x6a, 0x01, 0xcf, 0xbe, 0x5f,
++ 0x8d, 0x6c, 0x94, 0x7f, 0xae, 0x12, 0xa8, 0x57, 0xdb, 0x2a, 0xa9, 0xbf,
++ 0xc7, 0xb3, 0x65, 0x81, 0x80, 0x8d, 0x0d, 0x46
++};
++
++__fips_constseg static const unsigned char aes_256_use_df_int_returnedbits[] = {
++ 0x4e, 0x44, 0xfd, 0xf3, 0x9e, 0x29, 0xa2, 0xb8, 0x0f, 0x5d, 0x6c, 0xe1,
++ 0x28, 0x0c, 0x3b, 0xc1
++};
++
++__fips_constseg
++ static const unsigned char aes_256_use_df_entropyinputreseed[] = {
++ 0xdd, 0x40, 0xe5, 0x98, 0x7b, 0x27, 0x16, 0x73, 0x15, 0x68, 0xd2, 0x76,
++ 0xbf, 0x0c, 0x67, 0x15, 0x75, 0x79, 0x03, 0xd3, 0xde, 0xde, 0x91, 0x46,
++ 0x42, 0xdd, 0xd4, 0x67, 0xc8, 0x79, 0xc8, 0x1e
++};
++
++__fips_constseg
++ static const unsigned char aes_256_use_df_additionalinputreseed[] = {
++ 0x7f, 0xd8, 0x1f, 0xbd, 0x2a, 0xb5, 0x1c, 0x11, 0x5d, 0x83, 0x4e, 0x99,
++ 0xf6, 0x5c, 0xa5, 0x40, 0x20, 0xed, 0x38, 0x8e, 0xd5, 0x9e, 0xe0, 0x75,
++ 0x93, 0xfe, 0x12, 0x5e, 0x5d, 0x73, 0xfb, 0x75
++};
++
++__fips_constseg static const unsigned char aes_256_use_df_additionalinput2[] = {
++ 0xcd, 0x2c, 0xff, 0x14, 0x69, 0x3e, 0x4c, 0x9e, 0xfd, 0xfe, 0x26, 0x0d,
++ 0xe9, 0x86, 0x00, 0x49, 0x30, 0xba, 0xb1, 0xc6, 0x50, 0x57, 0x77, 0x2a,
++ 0x62, 0x39, 0x2c, 0x3b, 0x74, 0xeb, 0xc9, 0x0d
++};
++
++__fips_constseg static const unsigned char aes_256_use_df_returnedbits[] = {
++ 0x4f, 0x78, 0xbe, 0xb9, 0x4d, 0x97, 0x8c, 0xe9, 0xd0, 0x97, 0xfe, 0xad,
++ 0xfa, 0xfd, 0x35, 0x5e
++};
++
++/* AES-128 no df PR */
++__fips_constseg static const unsigned char aes_128_no_df_pr_entropyinput[] = {
++ 0x9a, 0x25, 0x65, 0x10, 0x67, 0xd5, 0xb6, 0x6b, 0x70, 0xa1, 0xb3, 0xa4,
++ 0x43, 0x95, 0x80, 0xc0, 0x84, 0x0a, 0x79, 0xb0, 0x88, 0x74, 0xf2, 0xbf,
++ 0x31, 0x6c, 0x33, 0x38, 0x0b, 0x00, 0xb2, 0x5a
++};
++
++__fips_constseg static const unsigned char aes_128_no_df_pr_nonce[] = {
++ 0x78, 0x47, 0x6b, 0xf7, 0x90, 0x8e, 0x87, 0xf1
++};
++
++__fips_constseg
++ static const unsigned char aes_128_no_df_pr_personalizationstring[] = {
++ 0xf7, 0x22, 0x1d, 0x3a, 0xbe, 0x1d, 0xca, 0x32, 0x1b, 0xbd, 0x87, 0x0c,
++ 0x51, 0x24, 0x19, 0xee, 0xa3, 0x23, 0x09, 0x63, 0x33, 0x3d, 0xa8, 0x0c,
++ 0x1c, 0xfa, 0x42, 0x89, 0xcc, 0x6f, 0xa0, 0xa8
++};
++
++__fips_constseg
++ static const unsigned char aes_128_no_df_pr_additionalinput[] = {
++ 0xc9, 0xe0, 0x80, 0xbf, 0x8c, 0x45, 0x58, 0x39, 0xff, 0x00, 0xab, 0x02,
++ 0x4c, 0x3e, 0x3a, 0x95, 0x9b, 0x80, 0xa8, 0x21, 0x2a, 0xee, 0xba, 0x73,
++ 0xb1, 0xd9, 0xcf, 0x28, 0xf6, 0x8f, 0x9b, 0x12
++};
++
++__fips_constseg static const unsigned char aes_128_no_df_pr_entropyinputpr[] = {
++ 0x4c, 0xa8, 0xc5, 0xf0, 0x59, 0x9e, 0xa6, 0x8d, 0x26, 0x53, 0xd7, 0x8a,
++ 0xa9, 0xd8, 0xf7, 0xed, 0xb2, 0xf9, 0x12, 0x42, 0xe1, 0xe5, 0xbd, 0xe7,
++ 0xe7, 0x1d, 0x74, 0x99, 0x00, 0x9d, 0x31, 0x3e
++};
++
++__fips_constseg
++ static const unsigned char aes_128_no_df_pr_int_returnedbits[] = {
++ 0xe2, 0xac, 0x20, 0xf0, 0x80, 0xe7, 0xbc, 0x7e, 0x9c, 0x7b, 0x65, 0x71,
++ 0xaf, 0x19, 0x32, 0x16
++};
++
++__fips_constseg
++ static const unsigned char aes_128_no_df_pr_additionalinput2[] = {
++ 0x32, 0x7f, 0x38, 0x8b, 0x73, 0x0a, 0x78, 0x83, 0xdc, 0x30, 0xbe, 0x9f,
++ 0x10, 0x1f, 0xf5, 0x1f, 0xca, 0x00, 0xb5, 0x0d, 0xd6, 0x9d, 0x60, 0x83,
++ 0x51, 0x54, 0x7d, 0x38, 0x23, 0x3a, 0x52, 0x50
++};
++
++__fips_constseg
++ static const unsigned char aes_128_no_df_pr_entropyinputpr2[] = {
++ 0x18, 0x61, 0x53, 0x56, 0xed, 0xed, 0xd7, 0x20, 0xfb, 0x71, 0x04, 0x7a,
++ 0xb2, 0xac, 0xc1, 0x28, 0xcd, 0xf2, 0xc2, 0xfc, 0xaa, 0xb1, 0x06, 0x07,
++ 0xe9, 0x46, 0x95, 0x02, 0x48, 0x01, 0x78, 0xf9
++};
++
++__fips_constseg static const unsigned char aes_128_no_df_pr_returnedbits[] = {
++ 0x29, 0xc8, 0x1b, 0x15, 0xb1, 0xd1, 0xc2, 0xf6, 0x71, 0x86, 0x68, 0x33,
++ 0x57, 0x82, 0x33, 0xaf
++};
++
++/* AES-128 no df No PR */
++__fips_constseg static const unsigned char aes_128_no_df_entropyinput[] = {
++ 0xc9, 0xc5, 0x79, 0xbc, 0xe8, 0xc5, 0x19, 0xd8, 0xbc, 0x66, 0x73, 0x67,
++ 0xf6, 0xd3, 0x72, 0xaa, 0xa6, 0x16, 0xb8, 0x50, 0xb7, 0x47, 0x3a, 0x42,
++ 0xab, 0xf4, 0x16, 0xb2, 0x96, 0xd2, 0xb6, 0x60
++};
++
++__fips_constseg static const unsigned char aes_128_no_df_nonce[] = {
++ 0x5f, 0xbf, 0x97, 0x0c, 0x4b, 0xa4, 0x87, 0x13
++};
++
++__fips_constseg
++ static const unsigned char aes_128_no_df_personalizationstring[] = {
++ 0xce, 0xfb, 0x7b, 0x3f, 0xd4, 0x6b, 0x29, 0x0d, 0x69, 0x06, 0xff, 0xbb,
++ 0xf2, 0xe5, 0xc6, 0x6c, 0x0a, 0x10, 0xa0, 0xcf, 0x1a, 0x48, 0xc7, 0x8b,
++ 0x3c, 0x16, 0x88, 0xed, 0x50, 0x13, 0x81, 0xce
++};
++
++__fips_constseg static const unsigned char aes_128_no_df_additionalinput[] = {
++ 0x4b, 0x22, 0x46, 0x18, 0x02, 0x7b, 0xd2, 0x1b, 0x22, 0x42, 0x7c, 0x37,
++ 0xd9, 0xf6, 0xe8, 0x9b, 0x12, 0x30, 0x5f, 0xe9, 0x90, 0xe8, 0x08, 0x24,
++ 0x4f, 0x06, 0x66, 0xdb, 0x19, 0x2b, 0x13, 0x95
++};
++
++__fips_constseg static const unsigned char aes_128_no_df_int_returnedbits[] = {
++ 0x2e, 0x96, 0x70, 0x64, 0xfa, 0xdf, 0xdf, 0x57, 0xb5, 0x82, 0xee, 0xd6,
++ 0xed, 0x3e, 0x65, 0xc2
++};
++
++__fips_constseg
++ static const unsigned char aes_128_no_df_entropyinputreseed[] = {
++ 0x26, 0xc0, 0x72, 0x16, 0x3a, 0x4b, 0xb7, 0x99, 0xd4, 0x07, 0xaf, 0x66,
++ 0x62, 0x36, 0x96, 0xa4, 0x51, 0x17, 0xfa, 0x07, 0x8b, 0x17, 0x5e, 0xa1,
++ 0x2f, 0x3c, 0x10, 0xe7, 0x90, 0xd0, 0x46, 0x00
++};
++
++__fips_constseg
++ static const unsigned char aes_128_no_df_additionalinputreseed[] = {
++ 0x83, 0x39, 0x37, 0x7b, 0x02, 0x06, 0xd2, 0x12, 0x13, 0x8d, 0x8b, 0xf2,
++ 0xf0, 0xf6, 0x26, 0xeb, 0xa4, 0x22, 0x7b, 0xc2, 0xe7, 0xba, 0x79, 0xe4,
++ 0x3b, 0x77, 0x5d, 0x4d, 0x47, 0xb2, 0x2d, 0xb4
++};
++
++__fips_constseg static const unsigned char aes_128_no_df_additionalinput2[] = {
++ 0x0b, 0xb9, 0x67, 0x37, 0xdb, 0x83, 0xdf, 0xca, 0x81, 0x8b, 0xf9, 0x3f,
++ 0xf1, 0x11, 0x1b, 0x2f, 0xf0, 0x61, 0xa6, 0xdf, 0xba, 0xa3, 0xb1, 0xac,
++ 0xd3, 0xe6, 0x09, 0xb8, 0x2c, 0x6a, 0x67, 0xd6
++};
++
++__fips_constseg static const unsigned char aes_128_no_df_returnedbits[] = {
++ 0x1e, 0xa7, 0xa4, 0xe4, 0xe1, 0xa6, 0x7c, 0x69, 0x9a, 0x44, 0x6c, 0x36,
++ 0x81, 0x37, 0x19, 0xd4
++};
++
++/* AES-192 no df PR */
++__fips_constseg static const unsigned char aes_192_no_df_pr_entropyinput[] = {
++ 0x9d, 0x2c, 0xd2, 0x55, 0x66, 0xea, 0xe0, 0xbe, 0x18, 0xb7, 0x76, 0xe7,
++ 0x73, 0x35, 0xd8, 0x1f, 0xad, 0x3a, 0xe3, 0x81, 0x0e, 0x92, 0xd0, 0x61,
++ 0xc9, 0x12, 0x26, 0xf6, 0x1c, 0xdf, 0xfe, 0x47, 0xaa, 0xfe, 0x7d, 0x5a,
++ 0x17, 0x1f, 0x8d, 0x9a
++};
++
++__fips_constseg static const unsigned char aes_192_no_df_pr_nonce[] = {
++ 0x44, 0x82, 0xed, 0xe8, 0x4c, 0x28, 0x5a, 0x14, 0xff, 0x88, 0x8d, 0x19,
++ 0x61, 0x5c, 0xee, 0x0f
++};
++
++__fips_constseg
++ static const unsigned char aes_192_no_df_pr_personalizationstring[] = {
++ 0x47, 0xd7, 0x9b, 0x99, 0xaa, 0xcb, 0xe7, 0xd2, 0x57, 0x66, 0x2c, 0xe1,
++ 0x78, 0xd6, 0x2c, 0xea, 0xa3, 0x23, 0x5f, 0x2a, 0xc1, 0x3a, 0xf0, 0xa4,
++ 0x20, 0x3b, 0xfa, 0x07, 0xd5, 0x05, 0x02, 0xe4, 0x57, 0x01, 0xb6, 0x10,
++ 0x57, 0x2e, 0xe7, 0x55
++};
++
++__fips_constseg
++ static const unsigned char aes_192_no_df_pr_additionalinput[] = {
++ 0x4b, 0x74, 0x0b, 0x40, 0xce, 0x6b, 0xc2, 0x6a, 0x24, 0xb4, 0xf3, 0xad,
++ 0x7a, 0xa5, 0x7a, 0xa2, 0x15, 0xe2, 0xc8, 0x61, 0x15, 0xc6, 0xb7, 0x85,
++ 0x69, 0x11, 0xad, 0x7b, 0x14, 0xd2, 0xf6, 0x12, 0xa1, 0x95, 0x5d, 0x3f,
++ 0xe2, 0xd0, 0x0c, 0x2f
++};
++
++__fips_constseg static const unsigned char aes_192_no_df_pr_entropyinputpr[] = {
++ 0x0c, 0x9c, 0xad, 0x05, 0xee, 0xae, 0x48, 0x23, 0x89, 0x59, 0xa1, 0x94,
++ 0xd7, 0xd8, 0x75, 0xd5, 0x54, 0x93, 0xc7, 0x4a, 0xd9, 0x26, 0xde, 0xeb,
++ 0xba, 0xb0, 0x7e, 0x30, 0x1d, 0x5f, 0x69, 0x40, 0x9c, 0x3b, 0x17, 0x58,
++ 0x1d, 0x30, 0xb3, 0x78
++};
++
++__fips_constseg
++ static const unsigned char aes_192_no_df_pr_int_returnedbits[] = {
++ 0xf7, 0x93, 0xb0, 0x6d, 0x77, 0x83, 0xd5, 0x38, 0x01, 0xe1, 0x52, 0x40,
++ 0x7e, 0x3e, 0x0c, 0x26
++};
++
++__fips_constseg
++ static const unsigned char aes_192_no_df_pr_additionalinput2[] = {
++ 0xbc, 0x4b, 0x37, 0x44, 0x1c, 0xc5, 0x45, 0x5f, 0x8f, 0x51, 0x62, 0x8a,
++ 0x85, 0x30, 0x1d, 0x7c, 0xe4, 0xcf, 0xf7, 0x44, 0xce, 0x32, 0x3e, 0x57,
++ 0x95, 0xa4, 0x2a, 0xdf, 0xfd, 0x9e, 0x38, 0x41, 0xb3, 0xf6, 0xc5, 0xee,
++ 0x0c, 0x4b, 0xee, 0x6e
++};
++
++__fips_constseg
++ static const unsigned char aes_192_no_df_pr_entropyinputpr2[] = {
++ 0xec, 0xaf, 0xf6, 0x4f, 0xb1, 0xa0, 0x54, 0xb5, 0x5b, 0xe3, 0x46, 0xb0,
++ 0x76, 0x5a, 0x7c, 0x3f, 0x7b, 0x94, 0x69, 0x21, 0x51, 0x02, 0xe5, 0x9f,
++ 0x04, 0x59, 0x02, 0x98, 0xc6, 0x43, 0x2c, 0xcc, 0x26, 0x4c, 0x87, 0x6b,
++ 0x8e, 0x0a, 0x83, 0xdf
++};
++
++__fips_constseg static const unsigned char aes_192_no_df_pr_returnedbits[] = {
++ 0x74, 0x45, 0xfb, 0x53, 0x84, 0x96, 0xbe, 0xff, 0x15, 0xcc, 0x41, 0x91,
++ 0xb9, 0xa1, 0x21, 0x68
++};
++
++/* AES-192 no df No PR */
++__fips_constseg static const unsigned char aes_192_no_df_entropyinput[] = {
++ 0x3c, 0x7d, 0xb5, 0xe0, 0x54, 0xd9, 0x6e, 0x8c, 0xa9, 0x86, 0xce, 0x4e,
++ 0x6b, 0xaf, 0xeb, 0x2f, 0xe7, 0x75, 0xe0, 0x8b, 0xa4, 0x3b, 0x07, 0xfe,
++ 0xbe, 0x33, 0x75, 0x93, 0x80, 0x27, 0xb5, 0x29, 0x47, 0x8b, 0xc7, 0x28,
++ 0x94, 0xc3, 0x59, 0x63
++};
++
++__fips_constseg static const unsigned char aes_192_no_df_nonce[] = {
++ 0x43, 0xf1, 0x7d, 0xb8, 0xc3, 0xfe, 0xd0, 0x23, 0x6b, 0xb4, 0x92, 0xdb,
++ 0x29, 0xfd, 0x45, 0x71
++};
++
++__fips_constseg
++ static const unsigned char aes_192_no_df_personalizationstring[] = {
++ 0x9f, 0x24, 0x29, 0x99, 0x9e, 0x01, 0xab, 0xe9, 0x19, 0xd8, 0x23, 0x08,
++ 0xb7, 0xd6, 0x7e, 0x8c, 0xc0, 0x9e, 0x7f, 0x6e, 0x5b, 0x33, 0x20, 0x96,
++ 0x0b, 0x23, 0x2c, 0xa5, 0x6a, 0xf8, 0x1b, 0x04, 0x26, 0xdb, 0x2e, 0x2b,
++ 0x3b, 0x88, 0xce, 0x35
++};
++
++__fips_constseg static const unsigned char aes_192_no_df_additionalinput[] = {
++ 0x94, 0xe9, 0x7c, 0x3d, 0xa7, 0xdb, 0x60, 0x83, 0x1f, 0x98, 0x3f, 0x0b,
++ 0x88, 0x59, 0x57, 0x51, 0x88, 0x9f, 0x76, 0x49, 0x9f, 0xa6, 0xda, 0x71,
++ 0x1d, 0x0d, 0x47, 0x16, 0x63, 0xc5, 0x68, 0xe4, 0x5d, 0x39, 0x69, 0xb3,
++ 0x3e, 0xbe, 0xd4, 0x8e
++};
++
++__fips_constseg static const unsigned char aes_192_no_df_int_returnedbits[] = {
++ 0xf9, 0xd7, 0xad, 0x69, 0xab, 0x8f, 0x23, 0x56, 0x70, 0x17, 0x4f, 0x2a,
++ 0x45, 0xe7, 0x4a, 0xc5
++};
++
++__fips_constseg
++ static const unsigned char aes_192_no_df_entropyinputreseed[] = {
++ 0xa6, 0x71, 0x6a, 0x3d, 0xba, 0xd1, 0xe8, 0x66, 0xa6, 0xef, 0xb2, 0x0e,
++ 0xa8, 0x9c, 0xaa, 0x4e, 0xaf, 0x17, 0x89, 0x50, 0x00, 0xda, 0xa1, 0xb1,
++ 0x0b, 0xa4, 0xd9, 0x35, 0x89, 0xc8, 0xe5, 0xb0, 0xd9, 0xb7, 0xc4, 0x33,
++ 0x9b, 0xcb, 0x7e, 0x75
++};
++
++__fips_constseg
++ static const unsigned char aes_192_no_df_additionalinputreseed[] = {
++ 0x27, 0x21, 0xfc, 0xc2, 0xbd, 0xf3, 0x3c, 0xce, 0xc3, 0xca, 0xc1, 0x01,
++ 0xe0, 0xff, 0x93, 0x12, 0x7d, 0x54, 0x42, 0xe3, 0x9f, 0x03, 0xdf, 0x27,
++ 0x04, 0x07, 0x3c, 0x53, 0x7f, 0xa8, 0x66, 0xc8, 0x97, 0x4b, 0x61, 0x40,
++ 0x5d, 0x7a, 0x25, 0x79
++};
++
++__fips_constseg static const unsigned char aes_192_no_df_additionalinput2[] = {
++ 0x2d, 0x8e, 0x16, 0x5d, 0x0b, 0x9f, 0xeb, 0xaa, 0xd6, 0xec, 0x28, 0x71,
++ 0x7c, 0x0b, 0xc1, 0x1d, 0xd4, 0x44, 0x19, 0x47, 0xfd, 0x1d, 0x7c, 0xe5,
++ 0xf3, 0x27, 0xe1, 0xb6, 0x72, 0x0a, 0xe0, 0xec, 0x0e, 0xcd, 0xef, 0x1a,
++ 0x91, 0x6a, 0xe3, 0x5f
++};
++
++__fips_constseg static const unsigned char aes_192_no_df_returnedbits[] = {
++ 0xe5, 0xda, 0xb8, 0xe0, 0x63, 0x59, 0x5a, 0xcc, 0x3d, 0xdc, 0x9f, 0xe8,
++ 0x66, 0x67, 0x2c, 0x92
++};
++
++/* AES-256 no df PR */
++__fips_constseg static const unsigned char aes_256_no_df_pr_entropyinput[] = {
++ 0x15, 0xc7, 0x5d, 0xcb, 0x41, 0x4b, 0x16, 0x01, 0x3a, 0xd1, 0x44, 0xe8,
++ 0x22, 0x32, 0xc6, 0x9c, 0x3f, 0xe7, 0x43, 0xf5, 0x9a, 0xd3, 0xea, 0xf2,
++ 0xd7, 0x4e, 0x6e, 0x6a, 0x55, 0x73, 0x40, 0xef, 0x89, 0xad, 0x0d, 0x03,
++ 0x96, 0x7e, 0x78, 0x81, 0x2f, 0x91, 0x1b, 0x44, 0xb0, 0x02, 0xba, 0x1c
++};
++
++__fips_constseg static const unsigned char aes_256_no_df_pr_nonce[] = {
++ 0xdc, 0xe4, 0xd4, 0x27, 0x7a, 0x90, 0xd7, 0x99, 0x43, 0xa1, 0x3c, 0x30,
++ 0xcc, 0x4b, 0xee, 0x2e
++};
++
++__fips_constseg
++ static const unsigned char aes_256_no_df_pr_personalizationstring[] = {
++ 0xe3, 0xe6, 0xb9, 0x11, 0xe4, 0x7a, 0xa4, 0x40, 0x6b, 0xf8, 0x73, 0xf7,
++ 0x7e, 0xec, 0xc7, 0xb9, 0x97, 0xbf, 0xf8, 0x25, 0x7b, 0xbe, 0x11, 0x9b,
++ 0x5b, 0x6a, 0x0c, 0x2e, 0x2b, 0x01, 0x51, 0xcd, 0x41, 0x4b, 0x6b, 0xac,
++ 0x31, 0xa8, 0x0b, 0xf7, 0xe6, 0x59, 0x42, 0xb8, 0x03, 0x0c, 0xf8, 0x06
++};
++
++__fips_constseg
++ static const unsigned char aes_256_no_df_pr_additionalinput[] = {
++ 0x6a, 0x9f, 0x00, 0x91, 0xae, 0xfe, 0xcf, 0x84, 0x99, 0xce, 0xb1, 0x40,
++ 0x6d, 0x5d, 0x33, 0x28, 0x84, 0xf4, 0x8c, 0x63, 0x4c, 0x7e, 0xbd, 0x2c,
++ 0x80, 0x76, 0xee, 0x5a, 0xaa, 0x15, 0x07, 0x31, 0xd8, 0xbb, 0x8c, 0x69,
++ 0x9d, 0x9d, 0xbc, 0x7e, 0x49, 0xae, 0xec, 0x39, 0x6b, 0xd1, 0x1f, 0x7e
++};
++
++__fips_constseg static const unsigned char aes_256_no_df_pr_entropyinputpr[] = {
++ 0xf3, 0xb9, 0x75, 0x9c, 0xbd, 0x88, 0xea, 0xa2, 0x50, 0xad, 0xd6, 0x16,
++ 0x1a, 0x12, 0x3c, 0x86, 0x68, 0xaf, 0x6f, 0xbe, 0x19, 0xf2, 0xee, 0xcc,
++ 0xa5, 0x70, 0x84, 0x53, 0x50, 0xcb, 0x9f, 0x14, 0xa9, 0xe5, 0xee, 0xb9,
++ 0x48, 0x45, 0x40, 0xe2, 0xc7, 0xc9, 0x9a, 0x74, 0xff, 0x8c, 0x99, 0x1f
++};
++
++__fips_constseg
++ static const unsigned char aes_256_no_df_pr_int_returnedbits[] = {
++ 0x2e, 0xf2, 0x45, 0x4c, 0x62, 0x2e, 0x0a, 0xb9, 0x6b, 0xa2, 0xfd, 0x56,
++ 0x79, 0x60, 0x93, 0xcf
++};
++
++__fips_constseg
++ static const unsigned char aes_256_no_df_pr_additionalinput2[] = {
++ 0xaf, 0x69, 0x20, 0xe9, 0x3b, 0x37, 0x9d, 0x3f, 0xb4, 0x80, 0x02, 0x7a,
++ 0x25, 0x7d, 0xb8, 0xde, 0x71, 0xc5, 0x06, 0x0c, 0xb4, 0xe2, 0x8f, 0x35,
++ 0xd8, 0x14, 0x0d, 0x7f, 0x76, 0x63, 0x4e, 0xb5, 0xee, 0xe9, 0x6f, 0x34,
++ 0xc7, 0x5f, 0x56, 0x14, 0x4a, 0xe8, 0x73, 0x95, 0x5b, 0x1c, 0xb9, 0xcb
++};
++
++__fips_constseg
++ static const unsigned char aes_256_no_df_pr_entropyinputpr2[] = {
++ 0xe5, 0xb0, 0x2e, 0x7e, 0x52, 0x30, 0xe3, 0x63, 0x82, 0xb6, 0x44, 0xd3,
++ 0x25, 0x19, 0x05, 0x24, 0x9a, 0x9f, 0x5f, 0x27, 0x6a, 0x29, 0xab, 0xfa,
++ 0x07, 0xa2, 0x42, 0x0f, 0xc5, 0xa8, 0x94, 0x7c, 0x17, 0x7b, 0x85, 0x83,
++ 0x0c, 0x25, 0x0e, 0x63, 0x0b, 0xe9, 0x12, 0x60, 0xcd, 0xef, 0x80, 0x0f
++};
++
++__fips_constseg static const unsigned char aes_256_no_df_pr_returnedbits[] = {
++ 0x5e, 0xf2, 0x26, 0xef, 0x9f, 0x58, 0x5d, 0xd5, 0x4a, 0x10, 0xfe, 0xa7,
++ 0x2d, 0x5f, 0x4a, 0x46
++};
++
++/* AES-256 no df No PR */
++__fips_constseg static const unsigned char aes_256_no_df_entropyinput[] = {
++ 0xfb, 0xcf, 0x1b, 0x61, 0x16, 0x89, 0x78, 0x23, 0xf5, 0xd8, 0x96, 0xe3,
++ 0x4e, 0x64, 0x0b, 0x29, 0x9a, 0x3f, 0xf8, 0xa5, 0xed, 0xf2, 0xfe, 0xdb,
++ 0x16, 0xca, 0x7f, 0x10, 0xfa, 0x5e, 0x18, 0x76, 0x2c, 0x63, 0x5e, 0x96,
++ 0xcf, 0xb3, 0xd6, 0xfc, 0xaf, 0x99, 0x39, 0x28, 0x9c, 0x61, 0xe8, 0xb3
++};
++
++__fips_constseg static const unsigned char aes_256_no_df_nonce[] = {
++ 0x12, 0x96, 0xf0, 0x52, 0xf3, 0x8d, 0x81, 0xcf, 0xde, 0x86, 0xf2, 0x99,
++ 0x43, 0x96, 0xb9, 0xf0
++};
++
++__fips_constseg
++ static const unsigned char aes_256_no_df_personalizationstring[] = {
++ 0x63, 0x0d, 0x78, 0xf5, 0x90, 0x8e, 0x32, 0x47, 0xb0, 0x4d, 0x37, 0x60,
++ 0x09, 0x96, 0xbc, 0xbf, 0x97, 0x7a, 0x62, 0x14, 0x45, 0xbd, 0x8d, 0xcc,
++ 0x69, 0xfb, 0x03, 0xe1, 0x80, 0x1c, 0xc7, 0xe2, 0x2a, 0xf9, 0x37, 0x3f,
++ 0x66, 0x4d, 0x62, 0xd9, 0x10, 0xe0, 0xad, 0xc8, 0x9a, 0xf0, 0xa8, 0x6d
++};
++
++__fips_constseg static const unsigned char aes_256_no_df_additionalinput[] = {
++ 0x36, 0xc6, 0x13, 0x60, 0xbb, 0x14, 0xad, 0x22, 0xb0, 0x38, 0xac, 0xa6,
++ 0x18, 0x16, 0x93, 0x25, 0x86, 0xb7, 0xdc, 0xdc, 0x36, 0x98, 0x2b, 0xf9,
++ 0x68, 0x33, 0xd3, 0xc6, 0xff, 0xce, 0x8d, 0x15, 0x59, 0x82, 0x76, 0xed,
++ 0x6f, 0x8d, 0x49, 0x74, 0x2f, 0xda, 0xdc, 0x1f, 0x17, 0xd0, 0xde, 0x17
++};
++
++__fips_constseg static const unsigned char aes_256_no_df_int_returnedbits[] = {
++ 0x16, 0x2f, 0x8e, 0x3f, 0x21, 0x7a, 0x1c, 0x20, 0x56, 0xd1, 0x92, 0xf6,
++ 0xd2, 0x25, 0x75, 0x0e
++};
++
++__fips_constseg
++ static const unsigned char aes_256_no_df_entropyinputreseed[] = {
++ 0x91, 0x79, 0x76, 0xee, 0xe0, 0xcf, 0x9e, 0xc2, 0xd5, 0xd4, 0x23, 0x9b,
++ 0x12, 0x8c, 0x7e, 0x0a, 0xb7, 0xd2, 0x8b, 0xd6, 0x7c, 0xa3, 0xc6, 0xe5,
++ 0x0e, 0xaa, 0xc7, 0x6b, 0xae, 0x0d, 0xfa, 0x53, 0x06, 0x79, 0xa1, 0xed,
++ 0x4d, 0x6a, 0x0e, 0xd8, 0x9d, 0xbe, 0x1b, 0x31, 0x93, 0x7b, 0xec, 0xfb
++};
++
++__fips_constseg
++ static const unsigned char aes_256_no_df_additionalinputreseed[] = {
++ 0xd2, 0x46, 0x50, 0x22, 0x10, 0x14, 0x63, 0xf7, 0xea, 0x0f, 0xb9, 0x7e,
++ 0x0d, 0xe1, 0x94, 0x07, 0xaf, 0x09, 0x44, 0x31, 0xea, 0x64, 0xa4, 0x18,
++ 0x5b, 0xf9, 0xd8, 0xc2, 0xfa, 0x03, 0x47, 0xc5, 0x39, 0x43, 0xd5, 0x3b,
++ 0x62, 0x86, 0x64, 0xea, 0x2c, 0x73, 0x8c, 0xae, 0x9d, 0x98, 0x98, 0x29
++};
++
++__fips_constseg static const unsigned char aes_256_no_df_additionalinput2[] = {
++ 0x8c, 0xab, 0x18, 0xf8, 0xc3, 0xec, 0x18, 0x5c, 0xb3, 0x1e, 0x9d, 0xbe,
++ 0x3f, 0x03, 0xb4, 0x00, 0x98, 0x9d, 0xae, 0xeb, 0xf4, 0x94, 0xf8, 0x42,
++ 0x8f, 0xe3, 0x39, 0x07, 0xe1, 0xc9, 0xad, 0x0b, 0x1f, 0xed, 0xc0, 0xba,
++ 0xf6, 0xd1, 0xec, 0x27, 0x86, 0x7b, 0xd6, 0x55, 0x9b, 0x60, 0xa5, 0xc6
++};
++
++__fips_constseg static const unsigned char aes_256_no_df_returnedbits[] = {
++ 0xef, 0xd2, 0xd8, 0x5c, 0xdc, 0x62, 0x25, 0x9f, 0xaa, 0x1e, 0x2c, 0x67,
++ 0xf6, 0x02, 0x32, 0xe2
++};
++
++/* SHA-1 PR */
++__fips_constseg static const unsigned char sha1_pr_entropyinput[] = {
++ 0xd2, 0x36, 0xa5, 0x27, 0x31, 0x73, 0xdd, 0x11, 0x4f, 0x93, 0xbd, 0xe2,
++ 0x31, 0xa5, 0x91, 0x13
++};
++
++__fips_constseg static const unsigned char sha1_pr_nonce[] = {
++ 0xb5, 0xb3, 0x60, 0xef, 0xf7, 0x63, 0x31, 0xf3
++};
++
++__fips_constseg static const unsigned char sha1_pr_personalizationstring[] = {
++ 0xd4, 0xbb, 0x02, 0x10, 0xb2, 0x71, 0xdb, 0x81, 0xd6, 0xf0, 0x42, 0x60,
++ 0xda, 0xea, 0x77, 0x52
++};
++
++__fips_constseg static const unsigned char sha1_pr_additionalinput[] = {
++ 0x4d, 0xd2, 0x6c, 0x87, 0xfb, 0x2c, 0x4f, 0xa6, 0x8d, 0x16, 0x63, 0x22,
++ 0x6a, 0x51, 0xe3, 0xf8
++};
++
++__fips_constseg static const unsigned char sha1_pr_entropyinputpr[] = {
++ 0xc9, 0x83, 0x9e, 0x16, 0xf6, 0x1c, 0x0f, 0xb2, 0xec, 0x60, 0x31, 0xa9,
++ 0xcb, 0xa9, 0x36, 0x7a
++};
++
++__fips_constseg static const unsigned char sha1_pr_int_returnedbits[] = {
++ 0xa8, 0x13, 0x4f, 0xf4, 0x31, 0x02, 0x44, 0xe3, 0xd3, 0x3d, 0x61, 0x9e,
++ 0xe5, 0xc6, 0x3e, 0x89, 0xb5, 0x9b, 0x0f, 0x35
++};
++
++__fips_constseg static const unsigned char sha1_pr_additionalinput2[] = {
++ 0xf9, 0xe8, 0xd2, 0x72, 0x13, 0x34, 0x95, 0x6f, 0x15, 0x49, 0x47, 0x99,
++ 0x16, 0x03, 0x19, 0x47
++};
++
++__fips_constseg static const unsigned char sha1_pr_entropyinputpr2[] = {
++ 0x4e, 0x8c, 0x49, 0x9b, 0x4a, 0x5c, 0x9b, 0x9c, 0x3a, 0xee, 0xfb, 0xd2,
++ 0xae, 0xcd, 0x8c, 0xc4
++};
++
++__fips_constseg static const unsigned char sha1_pr_returnedbits[] = {
++ 0x50, 0xb4, 0xb4, 0xcd, 0x68, 0x57, 0xfc, 0x2e, 0xc1, 0x52, 0xcc, 0xf6,
++ 0x68, 0xa4, 0x81, 0xed, 0x7e, 0xe4, 0x1d, 0x87
++};
++
++/* SHA-1 No PR */
++__fips_constseg static const unsigned char sha1_entropyinput[] = {
++ 0xa9, 0x47, 0x1b, 0x29, 0x2d, 0x1c, 0x05, 0xdf, 0x76, 0xd0, 0x62, 0xf9,
++ 0xe2, 0x7f, 0x4c, 0x7b
++};
++
++__fips_constseg static const unsigned char sha1_nonce[] = {
++ 0x53, 0x23, 0x24, 0xe3, 0xec, 0x0c, 0x54, 0x14
++};
++
++__fips_constseg static const unsigned char sha1_personalizationstring[] = {
++ 0x7a, 0x87, 0xa1, 0xac, 0x1c, 0xfd, 0xab, 0xae, 0xf7, 0xd6, 0xfb, 0x76,
++ 0x28, 0xec, 0x6d, 0xca
++};
++
++__fips_constseg static const unsigned char sha1_additionalinput[] = {
++ 0xfc, 0x92, 0x35, 0xd6, 0x7e, 0xb7, 0x24, 0x65, 0xfd, 0x12, 0x27, 0x35,
++ 0xc0, 0x72, 0xca, 0x28
++};
++
++__fips_constseg static const unsigned char sha1_int_returnedbits[] = {
++ 0x57, 0x88, 0x82, 0xe5, 0x25, 0xa5, 0x2c, 0x4a, 0x06, 0x20, 0x6c, 0x72,
++ 0x55, 0x61, 0xdd, 0x90, 0x71, 0x9f, 0x95, 0xea
++};
++
++__fips_constseg static const unsigned char sha1_entropyinputreseed[] = {
++ 0x69, 0xa5, 0x40, 0x62, 0x98, 0x47, 0x56, 0x73, 0x4a, 0x8f, 0x60, 0x96,
++ 0xd6, 0x99, 0x27, 0xed
++};
++
++__fips_constseg static const unsigned char sha1_additionalinputreseed[] = {
++ 0xe5, 0x40, 0x4e, 0xbd, 0x50, 0x00, 0xf5, 0x15, 0xa6, 0xee, 0x45, 0xda,
++ 0x84, 0x3d, 0xd4, 0xc0
++};
++
++__fips_constseg static const unsigned char sha1_additionalinput2[] = {
++ 0x11, 0x51, 0x14, 0xf0, 0x09, 0x1b, 0x4e, 0x56, 0x0d, 0xe9, 0xf6, 0x1e,
++ 0x52, 0x65, 0xcd, 0x96
++};
++
++__fips_constseg static const unsigned char sha1_returnedbits[] = {
++ 0xa1, 0x9c, 0x94, 0x6e, 0x29, 0xe1, 0x33, 0x0d, 0x32, 0xd6, 0xaa, 0xce,
++ 0x71, 0x3f, 0x52, 0x72, 0x8b, 0x42, 0xa8, 0xd7
++};
++
++/* SHA-224 PR */
++__fips_constseg static const unsigned char sha224_pr_entropyinput[] = {
++ 0x12, 0x69, 0x32, 0x4f, 0x83, 0xa6, 0xf5, 0x14, 0xe3, 0x49, 0x3e, 0x75,
++ 0x3e, 0xde, 0xad, 0xa1, 0x29, 0xc3, 0xf3, 0x19, 0x20, 0xb5, 0x4c, 0xd9
++};
++
++__fips_constseg static const unsigned char sha224_pr_nonce[] = {
++ 0x6a, 0x78, 0xd0, 0xeb, 0xbb, 0x5a, 0xf0, 0xee, 0xe8, 0xc3, 0xba, 0x71
++};
++
++__fips_constseg static const unsigned char sha224_pr_personalizationstring[] = {
++ 0xd5, 0xb8, 0xb6, 0xbc, 0xc1, 0x5b, 0x60, 0x31, 0x3c, 0xf5, 0xe5, 0xc0,
++ 0x8e, 0x52, 0x7a, 0xbd, 0xea, 0x47, 0xa9, 0x5f, 0x8f, 0xf9, 0x8b, 0xae
++};
++
++__fips_constseg static const unsigned char sha224_pr_additionalinput[] = {
++ 0x1f, 0x55, 0xec, 0xae, 0x16, 0x12, 0x84, 0xba, 0x84, 0x16, 0x19, 0x88,
++ 0x8e, 0xb8, 0x33, 0x25, 0x54, 0xff, 0xca, 0x79, 0xaf, 0x07, 0x25, 0x50
++};
++
++__fips_constseg static const unsigned char sha224_pr_entropyinputpr[] = {
++ 0x92, 0xa3, 0x32, 0xa8, 0x9a, 0x0a, 0x58, 0x7c, 0x1d, 0x5a, 0x7e, 0xe1,
++ 0xb2, 0x73, 0xab, 0x0e, 0x16, 0x79, 0x23, 0xd3, 0x29, 0x89, 0x81, 0xe1
++};
++
++__fips_constseg static const unsigned char sha224_pr_int_returnedbits[] = {
++ 0xf3, 0x38, 0x91, 0x40, 0x37, 0x7a, 0x51, 0x72, 0x42, 0x74, 0x78, 0x0a,
++ 0x69, 0xfd, 0xa6, 0x44, 0x43, 0x45, 0x6c, 0x0c, 0x5a, 0x19, 0xff, 0xf1,
++ 0x54, 0x60, 0xee, 0x6a
++};
++
++__fips_constseg static const unsigned char sha224_pr_additionalinput2[] = {
++ 0x75, 0xf3, 0x04, 0x25, 0xdd, 0x36, 0xa8, 0x37, 0x46, 0xae, 0x0c, 0x52,
++ 0x05, 0x79, 0x4c, 0x26, 0xdb, 0xe9, 0x71, 0x16, 0x4c, 0x0a, 0xf2, 0x60
++};
++
++__fips_constseg static const unsigned char sha224_pr_entropyinputpr2[] = {
++ 0xea, 0xc5, 0x03, 0x0a, 0x4f, 0xb0, 0x38, 0x8d, 0x23, 0xd4, 0xc8, 0x77,
++ 0xe2, 0x6d, 0x9c, 0x0b, 0x44, 0xf7, 0x2d, 0x5b, 0xbf, 0x5d, 0x2a, 0x11
++};
++
++__fips_constseg static const unsigned char sha224_pr_returnedbits[] = {
++ 0x60, 0x50, 0x2b, 0xe7, 0x86, 0xd8, 0x26, 0x73, 0xe3, 0x1d, 0x95, 0x20,
++ 0xb3, 0x2c, 0x32, 0x1c, 0xf5, 0xce, 0x57, 0xa6, 0x67, 0x2b, 0xdc, 0x4e,
++ 0xdd, 0x11, 0x4c, 0xc4
++};
++
++/* SHA-224 No PR */
++__fips_constseg static const unsigned char sha224_entropyinput[] = {
++ 0xb2, 0x1c, 0x77, 0x4d, 0xf6, 0xd3, 0xb6, 0x40, 0xb7, 0x30, 0x3e, 0x29,
++ 0xb0, 0x85, 0x1c, 0xbe, 0x4a, 0xea, 0x6b, 0x5a, 0xb5, 0x8a, 0x97, 0xeb
++};
++
++__fips_constseg static const unsigned char sha224_nonce[] = {
++ 0x42, 0x02, 0x0a, 0x1c, 0x98, 0x9a, 0x77, 0x9e, 0x9f, 0x80, 0xba, 0xe0
++};
++
++__fips_constseg static const unsigned char sha224_personalizationstring[] = {
++ 0x98, 0xb8, 0x04, 0x41, 0xfc, 0xc1, 0x5d, 0xc5, 0xe9, 0xb9, 0x08, 0xda,
++ 0xf9, 0xfa, 0x0d, 0x90, 0xce, 0xdf, 0x1d, 0x10, 0xa9, 0x8d, 0x50, 0x0c
++};
++
++__fips_constseg static const unsigned char sha224_additionalinput[] = {
++ 0x9a, 0x8d, 0x39, 0x49, 0x42, 0xd5, 0x0b, 0xae, 0xe1, 0xaf, 0xb7, 0x00,
++ 0x02, 0xfa, 0x96, 0xb1, 0xa5, 0x1d, 0x2d, 0x25, 0x78, 0xee, 0x83, 0x3f
++};
++
++__fips_constseg static const unsigned char sha224_int_returnedbits[] = {
++ 0xe4, 0xf5, 0x53, 0x79, 0x5a, 0x97, 0x58, 0x06, 0x08, 0xba, 0x7b, 0xfa,
++ 0xf0, 0x83, 0x05, 0x8c, 0x22, 0xc0, 0xc9, 0xdb, 0x15, 0xe7, 0xde, 0x20,
++ 0x55, 0x22, 0x9a, 0xad
++};
++
++__fips_constseg static const unsigned char sha224_entropyinputreseed[] = {
++ 0x67, 0x09, 0x48, 0xaa, 0x07, 0x16, 0x99, 0x89, 0x7f, 0x6d, 0xa0, 0xe5,
++ 0x8f, 0xdf, 0xbc, 0xdb, 0xfe, 0xe5, 0x6c, 0x7a, 0x95, 0x4a, 0x66, 0x17
++};
++
++__fips_constseg static const unsigned char sha224_additionalinputreseed[] = {
++ 0x0f, 0x4b, 0x1c, 0x6f, 0xb7, 0xe3, 0x47, 0xe5, 0x5d, 0x7d, 0x38, 0xd6,
++ 0x28, 0x9b, 0xeb, 0x55, 0x63, 0x09, 0x3e, 0x7c, 0x56, 0xea, 0xf8, 0x19
++};
++
++__fips_constseg static const unsigned char sha224_additionalinput2[] = {
++ 0x2d, 0x26, 0x7c, 0x37, 0xe4, 0x7a, 0x28, 0x5e, 0x5a, 0x3c, 0xaf, 0x3d,
++ 0x5a, 0x8e, 0x55, 0xa2, 0x1a, 0x6e, 0xc0, 0xe5, 0xf6, 0x21, 0xd3, 0xf6
++};
++
++__fips_constseg static const unsigned char sha224_returnedbits[] = {
++ 0x4d, 0x83, 0x35, 0xdf, 0x67, 0xa9, 0xfc, 0x17, 0xda, 0x70, 0xcc, 0x8b,
++ 0x7f, 0x77, 0xae, 0xa2, 0x5f, 0xb9, 0x7e, 0x74, 0x4c, 0x26, 0xc1, 0x7a,
++ 0x3b, 0xa7, 0x5c, 0x93
++};
++
++/* SHA-256 PR */
++__fips_constseg static const unsigned char sha256_pr_entropyinput[] = {
++ 0xce, 0x49, 0x00, 0x7a, 0x56, 0xe3, 0x67, 0x8f, 0xe1, 0xb6, 0xa7, 0xd4,
++ 0x4f, 0x08, 0x7a, 0x1b, 0x01, 0xf4, 0xfa, 0x6b, 0xef, 0xb7, 0xe5, 0xeb,
++ 0x07, 0x3d, 0x11, 0x0d, 0xc8, 0xea, 0x2b, 0xfe
++};
++
++__fips_constseg static const unsigned char sha256_pr_nonce[] = {
++ 0x73, 0x41, 0xc8, 0x92, 0x94, 0xe2, 0xc5, 0x5f, 0x93, 0xfd, 0x39, 0x5d,
++ 0x2b, 0x91, 0x4d, 0x38
++};
++
++__fips_constseg static const unsigned char sha256_pr_personalizationstring[] = {
++ 0x50, 0x6d, 0x01, 0x01, 0x07, 0x5a, 0x80, 0x35, 0x7a, 0x56, 0x1a, 0x56,
++ 0x2f, 0x9a, 0x0b, 0x35, 0xb2, 0xb1, 0xc9, 0xe5, 0xca, 0x69, 0x61, 0x48,
++ 0xff, 0xfb, 0x0f, 0xd9, 0x4b, 0x79, 0x1d, 0xba
++};
++
++__fips_constseg static const unsigned char sha256_pr_additionalinput[] = {
++ 0x20, 0xb8, 0xdf, 0x44, 0x77, 0x5a, 0xb8, 0xd3, 0xbf, 0xf6, 0xcf, 0xac,
++ 0x5e, 0xa6, 0x96, 0x62, 0x73, 0x44, 0x40, 0x4a, 0x30, 0xfb, 0x38, 0xa5,
++ 0x7b, 0x0d, 0xe4, 0x0d, 0xc6, 0xe4, 0x9a, 0x1f
++};
++
++__fips_constseg static const unsigned char sha256_pr_entropyinputpr[] = {
++ 0x04, 0xc4, 0x65, 0xf4, 0xd3, 0xbf, 0x83, 0x4b, 0xab, 0xc8, 0x41, 0xa8,
++ 0xc2, 0xe0, 0x44, 0x63, 0x77, 0x4c, 0x6f, 0x6c, 0x49, 0x46, 0xff, 0x94,
++ 0x17, 0xea, 0xe6, 0x1a, 0x9d, 0x5e, 0x66, 0x78
++};
++
++__fips_constseg static const unsigned char sha256_pr_int_returnedbits[] = {
++ 0x07, 0x4d, 0xac, 0x9b, 0x86, 0xca, 0x4a, 0xaa, 0x6e, 0x7a, 0x03, 0xa2,
++ 0x5d, 0x10, 0xea, 0x0b, 0xf9, 0x83, 0xcc, 0xd1, 0xfc, 0xe2, 0x07, 0xc7,
++ 0x06, 0x34, 0x60, 0x6f, 0x83, 0x94, 0x99, 0x76
++};
++
++__fips_constseg static const unsigned char sha256_pr_additionalinput2[] = {
++ 0x89, 0x4e, 0x45, 0x8c, 0x11, 0xf9, 0xbc, 0x5b, 0xac, 0x74, 0x8b, 0x4b,
++ 0x5f, 0xf7, 0x19, 0xf3, 0xf5, 0x24, 0x54, 0x14, 0xd1, 0x15, 0xb1, 0x43,
++ 0x12, 0xa4, 0x5f, 0xd4, 0xec, 0xfc, 0xcd, 0x09
++};
++
++__fips_constseg static const unsigned char sha256_pr_entropyinputpr2[] = {
++ 0x0e, 0xeb, 0x1f, 0xd7, 0xfc, 0xd1, 0x9d, 0xd4, 0x05, 0x36, 0x8b, 0xb2,
++ 0xfb, 0xe4, 0xf4, 0x51, 0x0c, 0x87, 0x9b, 0x02, 0x44, 0xd5, 0x92, 0x4d,
++ 0x44, 0xfe, 0x1a, 0x03, 0x43, 0x56, 0xbd, 0x86
++};
++
++__fips_constseg static const unsigned char sha256_pr_returnedbits[] = {
++ 0x02, 0xaa, 0xb6, 0x1d, 0x7e, 0x2a, 0x40, 0x03, 0x69, 0x2d, 0x49, 0xa3,
++ 0x41, 0xe7, 0x44, 0x0b, 0xaf, 0x7b, 0x85, 0xe4, 0x5f, 0x53, 0x3b, 0x64,
++ 0xbc, 0x89, 0xc8, 0x82, 0xd4, 0x78, 0x37, 0xa2
++};
++
++/* SHA-256 No PR */
++__fips_constseg static const unsigned char sha256_entropyinput[] = {
++ 0x5b, 0x1b, 0xec, 0x4d, 0xa9, 0x38, 0x74, 0x5a, 0x34, 0x0b, 0x7b, 0xc5,
++ 0xe5, 0xd7, 0x66, 0x7c, 0xbc, 0x82, 0xb9, 0x0e, 0x2d, 0x1f, 0x92, 0xd7,
++ 0xc1, 0xbc, 0x67, 0x69, 0xec, 0x6b, 0x03, 0x3c
++};
++
++__fips_constseg static const unsigned char sha256_nonce[] = {
++ 0xa4, 0x0c, 0xd8, 0x9c, 0x61, 0xd8, 0xc3, 0x54, 0xfe, 0x53, 0xc9, 0xe5,
++ 0x5d, 0x6f, 0x6d, 0x35
++};
++
++__fips_constseg static const unsigned char sha256_personalizationstring[] = {
++ 0x22, 0x5e, 0x62, 0x93, 0x42, 0x83, 0x78, 0x24, 0xd8, 0x40, 0x8c, 0xde,
++ 0x6f, 0xf9, 0xa4, 0x7a, 0xc5, 0xa7, 0x3b, 0x88, 0xa3, 0xee, 0x42, 0x20,
++ 0xfd, 0x61, 0x56, 0xc6, 0x4c, 0x13, 0x41, 0x9c
++};
++
++__fips_constseg static const unsigned char sha256_additionalinput[] = {
++ 0xbf, 0x74, 0x5b, 0xf6, 0xc5, 0x64, 0x5e, 0x99, 0x34, 0x8f, 0xbc, 0xa4,
++ 0xe2, 0xbd, 0xd8, 0x85, 0x26, 0x37, 0xea, 0xba, 0x4f, 0xf2, 0x9a, 0x9a,
++ 0x66, 0xfc, 0xdf, 0x63, 0x26, 0x26, 0x19, 0x87
++};
++
++__fips_constseg static const unsigned char sha256_int_returnedbits[] = {
++ 0xb3, 0xc6, 0x07, 0x07, 0xd6, 0x75, 0xf6, 0x2b, 0xd6, 0x21, 0x96, 0xf1,
++ 0xae, 0xdb, 0x2b, 0xac, 0x25, 0x2a, 0xae, 0xae, 0x41, 0x72, 0x03, 0x5e,
++ 0xbf, 0xd3, 0x64, 0xbc, 0x59, 0xf9, 0xc0, 0x76
++};
++
++__fips_constseg static const unsigned char sha256_entropyinputreseed[] = {
++ 0xbf, 0x20, 0x33, 0x56, 0x29, 0xa8, 0x37, 0x04, 0x1f, 0x78, 0x34, 0x3d,
++ 0x81, 0x2a, 0xc9, 0x86, 0xc6, 0x7a, 0x2f, 0x88, 0x5e, 0xd5, 0xbe, 0x34,
++ 0x46, 0x20, 0xa4, 0x35, 0xeb, 0xc7, 0xe2, 0x9d
++};
++
++__fips_constseg static const unsigned char sha256_additionalinputreseed[] = {
++ 0x9b, 0xae, 0x2d, 0x2d, 0x61, 0xa4, 0x89, 0xeb, 0x43, 0x46, 0xa7, 0xda,
++ 0xef, 0x40, 0xca, 0x4a, 0x99, 0x11, 0x41, 0xdc, 0x5c, 0x94, 0xe9, 0xac,
++ 0xd4, 0xd0, 0xe6, 0xbd, 0xfb, 0x03, 0x9c, 0xa8
++};
++
++__fips_constseg static const unsigned char sha256_additionalinput2[] = {
++ 0x23, 0xaa, 0x0c, 0xbd, 0x28, 0x33, 0xe2, 0x51, 0xfc, 0x71, 0xd2, 0x15,
++ 0x1f, 0x76, 0xfd, 0x0d, 0xe0, 0xb7, 0xb5, 0x84, 0x75, 0x5b, 0xbe, 0xf3,
++ 0x5c, 0xca, 0xc5, 0x30, 0xf2, 0x75, 0x1f, 0xda
++};
++
++__fips_constseg static const unsigned char sha256_returnedbits[] = {
++ 0x90, 0x3c, 0xc1, 0x10, 0x8c, 0x12, 0x01, 0xc6, 0xa6, 0x3a, 0x0f, 0x4d,
++ 0xb6, 0x3a, 0x4f, 0x41, 0x9c, 0x61, 0x75, 0x84, 0xe9, 0x74, 0x75, 0xfd,
++ 0xfe, 0xf2, 0x1f, 0x43, 0xd8, 0x5e, 0x24, 0xa3
++};
++
++/* SHA-384 PR */
++__fips_constseg static const unsigned char sha384_pr_entropyinput[] = {
++ 0x71, 0x9d, 0xb2, 0x5a, 0x71, 0x6d, 0x04, 0xe9, 0x1e, 0xc7, 0x92, 0x24,
++ 0x6e, 0x12, 0x33, 0xa9, 0x52, 0x64, 0x31, 0xef, 0x71, 0xeb, 0x22, 0x55,
++ 0x28, 0x97, 0x06, 0x6a, 0xc0, 0x0c, 0xa0, 0x7e
++};
++
++__fips_constseg static const unsigned char sha384_pr_nonce[] = {
++ 0xf5, 0x0d, 0xfa, 0xb0, 0xec, 0x6a, 0x7c, 0xd6, 0xbd, 0x9b, 0x05, 0xfd,
++ 0x38, 0x3e, 0x2e, 0x56
++};
++
++__fips_constseg static const unsigned char sha384_pr_personalizationstring[] = {
++ 0x74, 0xac, 0x7e, 0x6d, 0xb1, 0xa4, 0xe7, 0x21, 0xd1, 0x1e, 0x6e, 0x96,
++ 0x6d, 0x4d, 0x53, 0x46, 0x82, 0x96, 0x6e, 0xcf, 0xaa, 0x81, 0x8d, 0x7d,
++ 0x9e, 0xe1, 0x0f, 0x15, 0xea, 0x41, 0xbf, 0xe3
++};
++
++__fips_constseg static const unsigned char sha384_pr_additionalinput[] = {
++ 0xda, 0x95, 0xd4, 0xd0, 0xb8, 0x11, 0xd3, 0x49, 0x27, 0x5d, 0xa9, 0x39,
++ 0x68, 0xf3, 0xa8, 0xe9, 0x5d, 0x19, 0x8a, 0x2b, 0x66, 0xe8, 0x69, 0x06,
++ 0x7c, 0x9e, 0x03, 0xa1, 0x8b, 0x26, 0x2d, 0x6e
++};
++
++__fips_constseg static const unsigned char sha384_pr_entropyinputpr[] = {
++ 0x49, 0xdf, 0x44, 0x00, 0xe4, 0x1c, 0x75, 0x0b, 0x26, 0x5a, 0x59, 0x64,
++ 0x1f, 0x4e, 0xb1, 0xb2, 0x13, 0xf1, 0x22, 0x4e, 0xb4, 0x6d, 0x9a, 0xcc,
++ 0xa0, 0x48, 0xe6, 0xcf, 0x1d, 0xd1, 0x92, 0x0d
++};
++
++__fips_constseg static const unsigned char sha384_pr_int_returnedbits[] = {
++ 0xc8, 0x52, 0xae, 0xbf, 0x04, 0x3c, 0x27, 0xb7, 0x78, 0x18, 0xaa, 0x8f,
++ 0xff, 0xcf, 0xa4, 0xf1, 0xcc, 0xe7, 0x68, 0xfa, 0x22, 0xa2, 0x13, 0x45,
++ 0xe8, 0xdd, 0x87, 0xe6, 0xf2, 0x6e, 0xdd, 0xc7, 0x52, 0x90, 0x9f, 0x7b,
++ 0xfa, 0x61, 0x2d, 0x9d, 0x9e, 0xcf, 0x98, 0xac, 0x52, 0x40, 0xce, 0xaf
++};
++
++__fips_constseg static const unsigned char sha384_pr_additionalinput2[] = {
++ 0x61, 0x7c, 0x03, 0x9a, 0x3e, 0x50, 0x57, 0x60, 0xc5, 0x83, 0xc9, 0xb2,
++ 0xd1, 0x87, 0x85, 0x66, 0x92, 0x5d, 0x84, 0x0e, 0x53, 0xfb, 0x70, 0x03,
++ 0x72, 0xfd, 0xba, 0xae, 0x9c, 0x8f, 0xf8, 0x18
++};
++
++__fips_constseg static const unsigned char sha384_pr_entropyinputpr2[] = {
++ 0xf8, 0xeb, 0x89, 0xb1, 0x8d, 0x78, 0xbe, 0x21, 0xe0, 0xbb, 0x9d, 0xb7,
++ 0x95, 0x0e, 0xd9, 0x46, 0x0c, 0x8c, 0xe2, 0x63, 0xb7, 0x9d, 0x67, 0x90,
++ 0xbd, 0xc7, 0x0b, 0xa5, 0xce, 0xb2, 0x65, 0x81
++};
++
++__fips_constseg static const unsigned char sha384_pr_returnedbits[] = {
++ 0xe6, 0x9f, 0xfe, 0x68, 0xd6, 0xb5, 0x79, 0xf1, 0x06, 0x5f, 0xa3, 0xbb,
++ 0x23, 0x85, 0xd8, 0xf0, 0x29, 0x5a, 0x68, 0x9e, 0xf5, 0xf4, 0xa6, 0x12,
++ 0xe0, 0x9a, 0xe2, 0xac, 0x00, 0x1d, 0x98, 0x26, 0xfc, 0x53, 0x95, 0x53,
++ 0xe4, 0x3e, 0x17, 0xd5, 0x08, 0x0b, 0x70, 0x3d, 0x67, 0x99, 0xac, 0x66
++};
++
++/* SHA-384 No PR */
++__fips_constseg static const unsigned char sha384_entropyinput[] = {
++ 0x07, 0x15, 0x27, 0x2a, 0xaf, 0x74, 0x24, 0x37, 0xbc, 0xd5, 0x14, 0x69,
++ 0xce, 0x11, 0xff, 0xa2, 0x6b, 0xb8, 0x05, 0x67, 0x34, 0xf8, 0xbd, 0x6d,
++ 0x6a, 0xcc, 0xcd, 0x60, 0xa3, 0x68, 0xca, 0xf4
++};
++
++__fips_constseg static const unsigned char sha384_nonce[] = {
++ 0x70, 0x17, 0xc2, 0x5b, 0x5d, 0x22, 0x0b, 0x06, 0x15, 0x54, 0x78, 0x77,
++ 0x44, 0xaf, 0x2f, 0x09
++};
++
++__fips_constseg static const unsigned char sha384_personalizationstring[] = {
++ 0x89, 0x39, 0x28, 0xb0, 0x60, 0xeb, 0x3d, 0xdc, 0x55, 0x75, 0x86, 0xeb,
++ 0xae, 0xa2, 0x8f, 0xbc, 0x1b, 0x75, 0xd4, 0xe1, 0x0f, 0xaa, 0x38, 0xca,
++ 0x62, 0x8b, 0xcb, 0x2c, 0x26, 0xf6, 0xbc, 0xb1
++};
++
++__fips_constseg static const unsigned char sha384_additionalinput[] = {
++ 0x30, 0x2b, 0x42, 0x35, 0xef, 0xda, 0x40, 0x55, 0x28, 0xc6, 0x95, 0xfb,
++ 0x54, 0x01, 0x62, 0xd7, 0x87, 0x14, 0x48, 0x6d, 0x90, 0x4c, 0xa9, 0x02,
++ 0x54, 0x40, 0x22, 0xc8, 0x66, 0xa5, 0x48, 0x48
++};
++
++__fips_constseg static const unsigned char sha384_int_returnedbits[] = {
++ 0x82, 0xc4, 0xa1, 0x9c, 0x21, 0xd2, 0xe7, 0xa5, 0xa6, 0xf6, 0x5f, 0x04,
++ 0x5c, 0xc7, 0x31, 0x9d, 0x8d, 0x59, 0x74, 0x50, 0x19, 0x89, 0x2f, 0x63,
++ 0xd5, 0xb7, 0x7e, 0xeb, 0x15, 0xe3, 0x70, 0x83, 0xa1, 0x24, 0x59, 0xfa,
++ 0x2c, 0x56, 0xf6, 0x88, 0x3a, 0x92, 0x93, 0xa1, 0xfb, 0x79, 0xc1, 0x7a
++};
++
++__fips_constseg static const unsigned char sha384_entropyinputreseed[] = {
++ 0x39, 0xa6, 0xe8, 0x5c, 0x82, 0x17, 0x71, 0x26, 0x57, 0x4f, 0x9f, 0xc2,
++ 0x55, 0xff, 0x5c, 0x9b, 0x53, 0x1a, 0xd1, 0x5f, 0xbc, 0x62, 0xe4, 0x27,
++ 0x2d, 0x32, 0xf0, 0xe4, 0x52, 0x8c, 0xc5, 0x0c
++};
++
++__fips_constseg static const unsigned char sha384_additionalinputreseed[] = {
++ 0x8d, 0xcb, 0x8d, 0xce, 0x08, 0xea, 0x80, 0xe8, 0x9b, 0x61, 0xa8, 0x0f,
++ 0xaf, 0x49, 0x20, 0x9e, 0x74, 0xcb, 0x57, 0x80, 0x42, 0xb0, 0x84, 0x5e,
++ 0x30, 0x2a, 0x67, 0x08, 0xf4, 0xe3, 0x40, 0x22
++};
++
++__fips_constseg static const unsigned char sha384_additionalinput2[] = {
++ 0x7c, 0x8f, 0xc2, 0xae, 0x22, 0x4a, 0xd6, 0xf6, 0x05, 0xa4, 0x7a, 0xea,
++ 0xbb, 0x25, 0xd0, 0xb7, 0x5a, 0xd6, 0xcf, 0x9d, 0xf3, 0x6c, 0xe2, 0xb2,
++ 0x4e, 0xb4, 0xbd, 0xf4, 0xe5, 0x40, 0x80, 0x94
++};
++
++__fips_constseg static const unsigned char sha384_returnedbits[] = {
++ 0x9e, 0x7e, 0xfb, 0x59, 0xbb, 0xaa, 0x3c, 0xf7, 0xe1, 0xf8, 0x76, 0xdd,
++ 0x63, 0x5f, 0xaf, 0x23, 0xd6, 0x64, 0x61, 0xc0, 0x9a, 0x09, 0x47, 0xc9,
++ 0x33, 0xdf, 0x6d, 0x55, 0x91, 0x34, 0x79, 0x70, 0xc4, 0x99, 0x6e, 0x54,
++ 0x09, 0x64, 0x21, 0x1a, 0xbd, 0x1e, 0x80, 0x40, 0x34, 0xad, 0xfa, 0xd7
++};
++
++/* SHA-512 PR */
++__fips_constseg static const unsigned char sha512_pr_entropyinput[] = {
++ 0x13, 0xf7, 0x61, 0x75, 0x65, 0x28, 0xa2, 0x59, 0x13, 0x5a, 0x4a, 0x4f,
++ 0x56, 0x60, 0x8c, 0x53, 0x7d, 0xb0, 0xbd, 0x06, 0x4f, 0xed, 0xcc, 0xd2,
++ 0xa2, 0xb5, 0xfd, 0x5b, 0x3a, 0xab, 0xec, 0x28
++};
++
++__fips_constseg static const unsigned char sha512_pr_nonce[] = {
++ 0xbe, 0xa3, 0x91, 0x93, 0x1d, 0xc3, 0x31, 0x3a, 0x23, 0x33, 0x50, 0x67,
++ 0x88, 0xc7, 0xa2, 0xc4
++};
++
++__fips_constseg static const unsigned char sha512_pr_personalizationstring[] = {
++ 0x1f, 0x59, 0x4d, 0x7b, 0xe6, 0x46, 0x91, 0x48, 0xc1, 0x25, 0xfa, 0xff,
++ 0x89, 0x12, 0x77, 0x35, 0xdf, 0x3e, 0xf4, 0x80, 0x5f, 0xd9, 0xb0, 0x07,
++ 0x22, 0x41, 0xdd, 0x48, 0x78, 0x6b, 0x77, 0x2b
++};
++
++__fips_constseg static const unsigned char sha512_pr_additionalinput[] = {
++ 0x30, 0xff, 0x63, 0x6f, 0xac, 0xd9, 0x84, 0x39, 0x6f, 0xe4, 0x99, 0xce,
++ 0x91, 0x7d, 0x7e, 0xc8, 0x58, 0xf2, 0x12, 0xc3, 0xb6, 0xad, 0xda, 0x22,
++ 0x04, 0xa0, 0xd2, 0x21, 0xfe, 0xf2, 0x95, 0x1d
++};
++
++__fips_constseg static const unsigned char sha512_pr_entropyinputpr[] = {
++ 0x64, 0x54, 0x13, 0xec, 0x4f, 0x77, 0xda, 0xb2, 0x92, 0x2e, 0x52, 0x80,
++ 0x11, 0x10, 0xc2, 0xf8, 0xe6, 0xa7, 0xcd, 0x4b, 0xfc, 0x32, 0x2e, 0x9e,
++ 0xeb, 0xbb, 0xb1, 0xbf, 0x15, 0x5c, 0x73, 0x08
++};
++
++__fips_constseg static const unsigned char sha512_pr_int_returnedbits[] = {
++ 0xef, 0x1e, 0xdc, 0x0a, 0xa4, 0x36, 0x91, 0x9c, 0x3d, 0x27, 0x97, 0x50,
++ 0x8d, 0x36, 0x29, 0x8d, 0xce, 0x6a, 0x0c, 0xf7, 0x21, 0xc0, 0x91, 0xae,
++ 0x0c, 0x96, 0x72, 0xbd, 0x52, 0x81, 0x58, 0xfc, 0x6d, 0xe5, 0xf7, 0xa5,
++ 0xfd, 0x5d, 0xa7, 0x58, 0x68, 0xc8, 0x99, 0x58, 0x8e, 0xc8, 0xce, 0x95,
++ 0x01, 0x7d, 0xff, 0xa4, 0xc8, 0xf7, 0x63, 0xfe, 0x5f, 0x69, 0x83, 0x53,
++ 0xe2, 0xc6, 0x8b, 0xc3
++};
++
++__fips_constseg static const unsigned char sha512_pr_additionalinput2[] = {
++ 0xe6, 0x9b, 0xc4, 0x88, 0x34, 0xca, 0xea, 0x29, 0x2f, 0x98, 0x05, 0xa4,
++ 0xd3, 0xc0, 0x7b, 0x11, 0xe8, 0xbb, 0x75, 0xf2, 0xbd, 0x29, 0xb7, 0x40,
++ 0x25, 0x7f, 0xc1, 0xb7, 0xb1, 0xf1, 0x25, 0x61
++};
++
++__fips_constseg static const unsigned char sha512_pr_entropyinputpr2[] = {
++ 0x23, 0x6d, 0xff, 0xde, 0xfb, 0xd1, 0xba, 0x33, 0x18, 0xe6, 0xbe, 0xb5,
++ 0x48, 0x77, 0x6d, 0x7f, 0xa7, 0xe1, 0x4d, 0x48, 0x1e, 0x3c, 0xa7, 0x34,
++ 0x1a, 0xc8, 0x60, 0xdb, 0x8f, 0x99, 0x15, 0x99
++};
++
++__fips_constseg static const unsigned char sha512_pr_returnedbits[] = {
++ 0x70, 0x27, 0x31, 0xdb, 0x92, 0x70, 0x21, 0xfe, 0x16, 0xb6, 0xc8, 0x51,
++ 0x34, 0x87, 0x65, 0xd0, 0x4e, 0xfd, 0xfe, 0x68, 0xec, 0xac, 0xdc, 0x93,
++ 0x41, 0x38, 0x92, 0x90, 0xb4, 0x94, 0xf9, 0x0d, 0xa4, 0xf7, 0x4e, 0x80,
++ 0x92, 0x67, 0x48, 0x40, 0xa7, 0x08, 0xc7, 0xbc, 0x66, 0x00, 0xfd, 0xf7,
++ 0x4c, 0x8b, 0x17, 0x6e, 0xd1, 0x8f, 0x9b, 0xf3, 0x6f, 0xf6, 0x34, 0xdd,
++ 0x67, 0xf7, 0x68, 0xdd
++};
++
++/* SHA-512 No PR */
++__fips_constseg static const unsigned char sha512_entropyinput[] = {
++ 0xb6, 0x0b, 0xb7, 0xbc, 0x84, 0x56, 0xf6, 0x12, 0xaf, 0x45, 0x67, 0x17,
++ 0x7c, 0xd1, 0xb2, 0x78, 0x2b, 0xa0, 0xf2, 0xbe, 0xb6, 0x6d, 0x8b, 0x56,
++ 0xc6, 0xbc, 0x4d, 0xe1, 0xf7, 0xbe, 0xce, 0xbd
++};
++
++__fips_constseg static const unsigned char sha512_nonce[] = {
++ 0x9d, 0xed, 0xc0, 0xe5, 0x5a, 0x98, 0x6a, 0xcb, 0x51, 0x7d, 0x76, 0x31,
++ 0x5a, 0x64, 0xf0, 0xf7
++};
++
++__fips_constseg static const unsigned char sha512_personalizationstring[] = {
++ 0xc2, 0x6d, 0xa3, 0xc3, 0x06, 0x74, 0xe5, 0x01, 0x5c, 0x10, 0x17, 0xc7,
++ 0xaf, 0x83, 0x9d, 0x59, 0x8d, 0x2d, 0x29, 0x38, 0xc5, 0x59, 0x70, 0x8b,
++ 0x46, 0x48, 0x2d, 0xcf, 0x36, 0x7d, 0x59, 0xc0
++};
++
++__fips_constseg static const unsigned char sha512_additionalinput[] = {
++ 0xec, 0x8c, 0xd4, 0xf7, 0x61, 0x6e, 0x0d, 0x95, 0x79, 0xb7, 0x28, 0xad,
++ 0x5f, 0x69, 0x74, 0x5f, 0x2d, 0x36, 0x06, 0x8a, 0x6b, 0xac, 0x54, 0x97,
++ 0xc4, 0xa1, 0x12, 0x85, 0x0a, 0xdf, 0x4b, 0x34
++};
++
++__fips_constseg static const unsigned char sha512_int_returnedbits[] = {
++ 0x84, 0x2f, 0x1f, 0x68, 0x6a, 0xa3, 0xad, 0x1e, 0xfb, 0xf4, 0x15, 0xbd,
++ 0xde, 0x38, 0xd4, 0x30, 0x80, 0x51, 0xe9, 0xd3, 0xc7, 0x20, 0x88, 0xe9,
++ 0xf5, 0xcc, 0xdf, 0x57, 0x5c, 0x47, 0x2f, 0x57, 0x3c, 0x5f, 0x13, 0x56,
++ 0xcc, 0xc5, 0x4f, 0x84, 0xf8, 0x10, 0x41, 0xd5, 0x7e, 0x58, 0x6e, 0x19,
++ 0x19, 0x9e, 0xaf, 0xc2, 0x22, 0x58, 0x41, 0x50, 0x79, 0xc2, 0xd8, 0x04,
++ 0x28, 0xd4, 0x39, 0x9a
++};
++
++__fips_constseg static const unsigned char sha512_entropyinputreseed[] = {
++ 0xfa, 0x7f, 0x46, 0x51, 0x83, 0x62, 0x98, 0x16, 0x9a, 0x19, 0xa2, 0x49,
++ 0xa9, 0xe6, 0x4a, 0xd8, 0x85, 0xe7, 0xd4, 0x3b, 0x2c, 0x82, 0xc5, 0x82,
++ 0xbf, 0x11, 0xf9, 0x9e, 0xbc, 0xd0, 0x01, 0xee
++};
++
++__fips_constseg static const unsigned char sha512_additionalinputreseed[] = {
++ 0xb9, 0x12, 0xe0, 0x4f, 0xf7, 0xa7, 0xc4, 0xd8, 0xd0, 0x8e, 0x99, 0x29,
++ 0x7c, 0x9a, 0xe9, 0xcf, 0xc4, 0x6c, 0xf8, 0xc3, 0xa7, 0x41, 0x83, 0xd6,
++ 0x2e, 0xfa, 0xb8, 0x5e, 0x8e, 0x6b, 0x78, 0x20
++};
++
++__fips_constseg static const unsigned char sha512_additionalinput2[] = {
++ 0xd7, 0x07, 0x52, 0xb9, 0x83, 0x2c, 0x03, 0x71, 0xee, 0xc9, 0xc0, 0x85,
++ 0xe1, 0x57, 0xb2, 0xcd, 0x3a, 0xf0, 0xc9, 0x34, 0x24, 0x41, 0x1c, 0x42,
++ 0x99, 0xb2, 0x84, 0xe9, 0x17, 0xd2, 0x76, 0x92
++};
++
++__fips_constseg static const unsigned char sha512_returnedbits[] = {
++ 0x36, 0x17, 0x5d, 0x98, 0x2b, 0x65, 0x25, 0x8e, 0xc8, 0x29, 0xdf, 0x27,
++ 0x05, 0x36, 0x26, 0x12, 0x8a, 0x68, 0x74, 0x27, 0x37, 0xd4, 0x7f, 0x32,
++ 0xb1, 0x12, 0xd6, 0x85, 0x83, 0xeb, 0x2e, 0xa0, 0xed, 0x4b, 0xb5, 0x7b,
++ 0x6f, 0x39, 0x3c, 0x71, 0x77, 0x02, 0x12, 0xcc, 0x2c, 0x3a, 0x8e, 0x63,
++ 0xdf, 0x4a, 0xbd, 0x6f, 0x6e, 0x2e, 0xed, 0x0a, 0x85, 0xa5, 0x2f, 0xa2,
++ 0x68, 0xde, 0x42, 0xb5
++};
++
++/* HMAC SHA-1 PR */
++__fips_constseg static const unsigned char hmac_sha1_pr_entropyinput[] = {
++ 0x26, 0x5f, 0x36, 0x14, 0xff, 0x3d, 0x83, 0xfa, 0x73, 0x5e, 0x75, 0xdc,
++ 0x2c, 0x18, 0x17, 0x1b
++};
++
++__fips_constseg static const unsigned char hmac_sha1_pr_nonce[] = {
++ 0xc8, 0xe3, 0x57, 0xa5, 0x7b, 0x74, 0x86, 0x6e
++};
++
++__fips_constseg
++ static const unsigned char hmac_sha1_pr_personalizationstring[] = {
++ 0x6e, 0xdb, 0x0d, 0xfe, 0x7d, 0xac, 0x79, 0xd0, 0xa5, 0x3a, 0x48, 0x85,
++ 0x80, 0xe2, 0x7f, 0x2a
++};
++
++__fips_constseg static const unsigned char hmac_sha1_pr_additionalinput[] = {
++ 0x31, 0xcd, 0x5e, 0x43, 0xdc, 0xfb, 0x7a, 0x79, 0xca, 0x88, 0xde, 0x1f,
++ 0xd7, 0xbb, 0x42, 0x09
++};
++
++__fips_constseg static const unsigned char hmac_sha1_pr_entropyinputpr[] = {
++ 0x7c, 0x23, 0x95, 0x38, 0x00, 0x95, 0xc1, 0x78, 0x1f, 0x8f, 0xd7, 0x63,
++ 0x23, 0x87, 0x2a, 0xed
++};
++
++__fips_constseg static const unsigned char hmac_sha1_pr_int_returnedbits[] = {
++ 0xbb, 0x34, 0xe7, 0x93, 0xa3, 0x02, 0x2c, 0x4a, 0xd0, 0x89, 0xda, 0x7f,
++ 0xed, 0xf4, 0x4c, 0xde, 0x17, 0xec, 0xe5, 0x6c
++};
++
++__fips_constseg static const unsigned char hmac_sha1_pr_additionalinput2[] = {
++ 0x49, 0xbc, 0x2d, 0x2c, 0xb7, 0x32, 0xcb, 0x20, 0xdf, 0xf5, 0x77, 0x58,
++ 0xa0, 0x4b, 0x93, 0x6e
++};
++
++__fips_constseg static const unsigned char hmac_sha1_pr_entropyinputpr2[] = {
++ 0x3c, 0xaa, 0xb0, 0x21, 0x42, 0xb0, 0xdd, 0x34, 0xf0, 0x16, 0x7f, 0x0c,
++ 0x0f, 0xff, 0x2e, 0xaf
++};
++
++__fips_constseg static const unsigned char hmac_sha1_pr_returnedbits[] = {
++ 0x8e, 0xcb, 0xa3, 0x64, 0xb2, 0xb8, 0x33, 0x6c, 0x64, 0x3b, 0x78, 0x16,
++ 0x99, 0x35, 0xc8, 0x30, 0xcb, 0x3e, 0xa0, 0xd8
++};
++
++/* HMAC SHA-1 No PR */
++__fips_constseg static const unsigned char hmac_sha1_entropyinput[] = {
++ 0x32, 0x9a, 0x2a, 0x87, 0x7b, 0x89, 0x7c, 0xf6, 0xcb, 0x95, 0xd5, 0x40,
++ 0x17, 0xfe, 0x47, 0x70
++};
++
++__fips_constseg static const unsigned char hmac_sha1_nonce[] = {
++ 0x16, 0xd8, 0xe0, 0xc7, 0x52, 0xcf, 0x4a, 0x25
++};
++
++__fips_constseg static const unsigned char hmac_sha1_personalizationstring[] = {
++ 0x35, 0x35, 0xa9, 0xa5, 0x40, 0xbe, 0x9b, 0xd1, 0x56, 0xdd, 0x44, 0x00,
++ 0x72, 0xf7, 0xd3, 0x5e
++};
++
++__fips_constseg static const unsigned char hmac_sha1_additionalinput[] = {
++ 0x1b, 0x2c, 0x84, 0x2d, 0x4a, 0x89, 0x8f, 0x69, 0x19, 0xf1, 0xf3, 0xdb,
++ 0xbb, 0xe3, 0xaa, 0xea
++};
++
++__fips_constseg static const unsigned char hmac_sha1_int_returnedbits[] = {
++ 0xcf, 0xfa, 0x7d, 0x72, 0x0f, 0xe6, 0xc7, 0x96, 0xa0, 0x69, 0x31, 0x11,
++ 0x9b, 0x0b, 0x1a, 0x20, 0x1f, 0x3f, 0xaa, 0xd1
++};
++
++__fips_constseg static const unsigned char hmac_sha1_entropyinputreseed[] = {
++ 0x90, 0x75, 0x15, 0x04, 0x95, 0xf1, 0xba, 0x81, 0x0c, 0x37, 0x94, 0x6f,
++ 0x86, 0x52, 0x6d, 0x9c
++};
++
++__fips_constseg static const unsigned char hmac_sha1_additionalinputreseed[] = {
++ 0x5b, 0x40, 0xba, 0x5f, 0x17, 0x70, 0xf0, 0x4b, 0xdf, 0xc9, 0x97, 0x92,
++ 0x79, 0xc5, 0x82, 0x28
++};
++
++__fips_constseg static const unsigned char hmac_sha1_additionalinput2[] = {
++ 0x97, 0xc8, 0x80, 0x90, 0xb3, 0xaa, 0x6e, 0x60, 0xea, 0x83, 0x7a, 0xe3,
++ 0x8a, 0xca, 0xa4, 0x7f
++};
++
++__fips_constseg static const unsigned char hmac_sha1_returnedbits[] = {
++ 0x90, 0xbd, 0x05, 0x56, 0x6d, 0xb5, 0x22, 0xd5, 0xb9, 0x5a, 0x29, 0x2d,
++ 0xe9, 0x0b, 0xe1, 0xac, 0xde, 0x27, 0x0b, 0xb0
++};
++
++/* HMAC SHA-224 PR */
++__fips_constseg static const unsigned char hmac_sha224_pr_entropyinput[] = {
++ 0x17, 0x32, 0x2b, 0x2e, 0x6f, 0x1b, 0x9c, 0x6d, 0x31, 0xe0, 0x34, 0x07,
++ 0xcf, 0xed, 0xf6, 0xb6, 0x5a, 0x76, 0x4c, 0xbc, 0x62, 0x85, 0x01, 0x90
++};
++
++__fips_constseg static const unsigned char hmac_sha224_pr_nonce[] = {
++ 0x38, 0xbf, 0x5f, 0x20, 0xb3, 0x68, 0x2f, 0x43, 0x61, 0x05, 0x8f, 0x23
++};
++
++__fips_constseg
++ static const unsigned char hmac_sha224_pr_personalizationstring[] = {
++ 0xc0, 0xc9, 0x45, 0xac, 0x8d, 0x27, 0x77, 0x08, 0x0b, 0x17, 0x6d, 0xed,
++ 0xc1, 0x7d, 0xd5, 0x07, 0x9d, 0x6e, 0xf8, 0x23, 0x2a, 0x22, 0x13, 0xbd
++};
++
++__fips_constseg static const unsigned char hmac_sha224_pr_additionalinput[] = {
++ 0xa4, 0x3c, 0xe7, 0x3b, 0xea, 0x19, 0x45, 0x32, 0xc2, 0x83, 0x6d, 0x21,
++ 0x8a, 0xc0, 0xee, 0x67, 0x45, 0xde, 0x13, 0x7d, 0x9d, 0x61, 0x00, 0x3b
++};
++
++__fips_constseg static const unsigned char hmac_sha224_pr_entropyinputpr[] = {
++ 0x15, 0x05, 0x74, 0x4a, 0x7f, 0x8d, 0x5c, 0x60, 0x16, 0xe5, 0x7b, 0xad,
++ 0xf5, 0x41, 0x8f, 0x55, 0x60, 0xc4, 0x09, 0xee, 0x1e, 0x11, 0x81, 0xab
++};
++
++__fips_constseg static const unsigned char hmac_sha224_pr_int_returnedbits[] = {
++ 0x6f, 0xf5, 0x9a, 0xe2, 0x54, 0x53, 0x30, 0x3d, 0x5a, 0x27, 0x29, 0x38,
++ 0x27, 0xf2, 0x0d, 0x05, 0xe9, 0x26, 0xcb, 0x16, 0xc3, 0x51, 0x5f, 0x13,
++ 0x41, 0xfe, 0x99, 0xf2
++};
++
++__fips_constseg static const unsigned char hmac_sha224_pr_additionalinput2[] = {
++ 0x73, 0x81, 0x88, 0x84, 0x8f, 0xed, 0x6f, 0x10, 0x9f, 0x93, 0xbf, 0x17,
++ 0x35, 0x7c, 0xef, 0xd5, 0x8d, 0x26, 0xa6, 0x7a, 0xe8, 0x09, 0x36, 0x4f
++};
++
++__fips_constseg static const unsigned char hmac_sha224_pr_entropyinputpr2[] = {
++ 0xe6, 0xcf, 0xcf, 0x7e, 0x12, 0xe5, 0x43, 0xd2, 0x38, 0xd8, 0x24, 0x6f,
++ 0x5a, 0x37, 0x68, 0xbf, 0x4f, 0xa0, 0xff, 0xd5, 0x61, 0x8a, 0x93, 0xe0
++};
++
++__fips_constseg static const unsigned char hmac_sha224_pr_returnedbits[] = {
++ 0xaf, 0xf9, 0xd8, 0x19, 0x91, 0x30, 0x82, 0x6f, 0xa9, 0x1e, 0x9d, 0xd7,
++ 0xf3, 0x50, 0xe0, 0xc7, 0xd5, 0x64, 0x96, 0x7d, 0x4c, 0x4d, 0x78, 0x03,
++ 0x6d, 0xd8, 0x9e, 0x72
++};
++
++/* HMAC SHA-224 No PR */
++__fips_constseg static const unsigned char hmac_sha224_entropyinput[] = {
++ 0x11, 0x82, 0xfd, 0xd9, 0x42, 0xf4, 0xfa, 0xc8, 0xf2, 0x41, 0xe6, 0x54,
++ 0x01, 0xae, 0x22, 0x6e, 0xc6, 0xaf, 0xaf, 0xd0, 0xa6, 0xb2, 0xe2, 0x6d
++};
++
++__fips_constseg static const unsigned char hmac_sha224_nonce[] = {
++ 0xa9, 0x48, 0xd7, 0x92, 0x39, 0x7e, 0x2a, 0xdc, 0x30, 0x1f, 0x0e, 0x2b
++};
++
++__fips_constseg
++ static const unsigned char hmac_sha224_personalizationstring[] = {
++ 0x11, 0xd5, 0xf4, 0xbd, 0x67, 0x8c, 0x31, 0xcf, 0xa3, 0x3f, 0x1e, 0x6b,
++ 0xa8, 0x07, 0x02, 0x0b, 0xc8, 0x2e, 0x6c, 0x64, 0x41, 0x5b, 0xc8, 0x37
++};
++
++__fips_constseg static const unsigned char hmac_sha224_additionalinput[] = {
++ 0x68, 0x18, 0xc2, 0x06, 0xeb, 0x3e, 0x04, 0x95, 0x44, 0x5e, 0xfb, 0xe6,
++ 0x41, 0xc1, 0x5c, 0xcc, 0x40, 0x2f, 0xb7, 0xd2, 0x0f, 0xf3, 0x6b, 0xe7
++};
++
++__fips_constseg static const unsigned char hmac_sha224_int_returnedbits[] = {
++ 0x7f, 0x45, 0xc7, 0x5d, 0x32, 0xe6, 0x17, 0x60, 0xba, 0xdc, 0xb8, 0x42,
++ 0x1b, 0x9c, 0xf1, 0xfa, 0x3b, 0x4d, 0x29, 0x54, 0xc6, 0x90, 0xff, 0x5c,
++ 0xcd, 0xd6, 0xa9, 0xcc
++};
++
++__fips_constseg static const unsigned char hmac_sha224_entropyinputreseed[] = {
++ 0xc4, 0x8e, 0x37, 0x95, 0x69, 0x53, 0x28, 0xd7, 0x37, 0xbb, 0x70, 0x95,
++ 0x1c, 0x07, 0x1d, 0xd9, 0xb7, 0xe6, 0x1b, 0xbb, 0xfe, 0x41, 0xeb, 0xc9
++};
++
++__fips_constseg
++ static const unsigned char hmac_sha224_additionalinputreseed[] = {
++ 0x53, 0x17, 0xa1, 0x6a, 0xfa, 0x77, 0x47, 0xb0, 0x95, 0x56, 0x9a, 0x20,
++ 0x57, 0xde, 0x5c, 0x89, 0x9f, 0x7f, 0xe2, 0xde, 0x17, 0x3a, 0x50, 0x23
++};
++
++__fips_constseg static const unsigned char hmac_sha224_additionalinput2[] = {
++ 0x3a, 0x32, 0xf9, 0x85, 0x0c, 0xc1, 0xed, 0x76, 0x2d, 0xdf, 0x40, 0xc3,
++ 0x06, 0x22, 0x66, 0xd4, 0x9a, 0x9a, 0xff, 0x5a, 0x7e, 0x7a, 0xf3, 0x96
++};
++
++__fips_constseg static const unsigned char hmac_sha224_returnedbits[] = {
++ 0x43, 0xb4, 0x57, 0x5c, 0x38, 0x25, 0x9d, 0xae, 0xec, 0x96, 0xd1, 0x85,
++ 0x3a, 0x84, 0x8d, 0xfe, 0x68, 0xd5, 0x0e, 0x5c, 0x8f, 0x65, 0xa5, 0x4e,
++ 0x45, 0x84, 0xa8, 0x94
++};
++
++/* HMAC SHA-256 PR */
++__fips_constseg static const unsigned char hmac_sha256_pr_entropyinput[] = {
++ 0x4d, 0xb0, 0x43, 0xd8, 0x34, 0x4b, 0x10, 0x70, 0xb1, 0x8b, 0xed, 0xea,
++ 0x07, 0x92, 0x9f, 0x6c, 0x79, 0x31, 0xaf, 0x81, 0x29, 0xeb, 0x6e, 0xca,
++ 0x32, 0x48, 0x28, 0xe7, 0x02, 0x5d, 0xa6, 0xa6
++};
++
++__fips_constseg static const unsigned char hmac_sha256_pr_nonce[] = {
++ 0x3a, 0xae, 0x15, 0xa9, 0x99, 0xdc, 0xe4, 0x67, 0x34, 0x3b, 0x70, 0x15,
++ 0xaa, 0xd3, 0x30, 0x9a
++};
++
++__fips_constseg
++ static const unsigned char hmac_sha256_pr_personalizationstring[] = {
++ 0x13, 0x1d, 0x24, 0x04, 0xb0, 0x18, 0x81, 0x15, 0x21, 0x51, 0x2a, 0x24,
++ 0x52, 0x61, 0xbe, 0x64, 0x82, 0x6b, 0x55, 0x2f, 0xe2, 0xf1, 0x40, 0x7d,
++ 0x71, 0xd8, 0x01, 0x86, 0x15, 0xb7, 0x8b, 0xb5
++};
++
++__fips_constseg static const unsigned char hmac_sha256_pr_additionalinput[] = {
++ 0x8f, 0xa6, 0x54, 0x5f, 0xb1, 0xd0, 0xd8, 0xc3, 0xe7, 0x0c, 0x15, 0xa9,
++ 0x23, 0x6e, 0xfe, 0xfb, 0x93, 0xf7, 0x3a, 0xbd, 0x59, 0x01, 0xfa, 0x18,
++ 0x8e, 0xe9, 0x1a, 0xa9, 0x78, 0xfc, 0x79, 0x0b
++};
++
++__fips_constseg static const unsigned char hmac_sha256_pr_entropyinputpr[] = {
++ 0xcf, 0x24, 0xb9, 0xeb, 0xb3, 0xd4, 0xcd, 0x17, 0x37, 0x38, 0x75, 0x79,
++ 0x15, 0xcb, 0x2d, 0x75, 0x51, 0xf1, 0xcc, 0xaa, 0x32, 0xa4, 0xa7, 0x36,
++ 0x7c, 0x5c, 0xe4, 0x47, 0xf1, 0x3e, 0x1d, 0xe5
++};
++
++__fips_constseg static const unsigned char hmac_sha256_pr_int_returnedbits[] = {
++ 0x52, 0x42, 0xfa, 0xeb, 0x85, 0xe0, 0x30, 0x22, 0x79, 0x00, 0x16, 0xb2,
++ 0x88, 0x2f, 0x14, 0x6a, 0xb7, 0xfc, 0xb7, 0x53, 0xdc, 0x4a, 0x12, 0xef,
++ 0x54, 0xd6, 0x33, 0xe9, 0x20, 0xd6, 0xfd, 0x56
++};
++
++__fips_constseg static const unsigned char hmac_sha256_pr_additionalinput2[] = {
++ 0xf4, 0xf6, 0x49, 0xa1, 0x2d, 0x64, 0x2b, 0x30, 0x58, 0xf8, 0xbd, 0xb8,
++ 0x75, 0xeb, 0xbb, 0x5e, 0x1c, 0x9b, 0x81, 0x6a, 0xda, 0x14, 0x86, 0x6e,
++ 0xd0, 0xda, 0x18, 0xb7, 0x88, 0xfb, 0x59, 0xf3
++};
++
++__fips_constseg static const unsigned char hmac_sha256_pr_entropyinputpr2[] = {
++ 0x21, 0xcd, 0x6e, 0x46, 0xad, 0x99, 0x07, 0x17, 0xb4, 0x3d, 0x76, 0x0a,
++ 0xff, 0x5b, 0x52, 0x50, 0x78, 0xdf, 0x1f, 0x24, 0x06, 0x0d, 0x3f, 0x74,
++ 0xa9, 0xc9, 0x37, 0xcf, 0xd8, 0x26, 0x25, 0x91
++};
++
++__fips_constseg static const unsigned char hmac_sha256_pr_returnedbits[] = {
++ 0xa7, 0xaf, 0x2f, 0x29, 0xe0, 0x3a, 0x72, 0x95, 0x96, 0x1c, 0xa9, 0xf0,
++ 0x4a, 0x17, 0x4d, 0x66, 0x06, 0x10, 0xbf, 0x39, 0x89, 0x88, 0xb8, 0x91,
++ 0x37, 0x18, 0x99, 0xcf, 0x8c, 0x53, 0x3b, 0x7e
++};
++
++/* HMAC SHA-256 No PR */
++__fips_constseg static const unsigned char hmac_sha256_entropyinput[] = {
++ 0x96, 0xb7, 0x53, 0x22, 0x1e, 0x52, 0x2a, 0x96, 0xb1, 0x15, 0x3c, 0x35,
++ 0x5a, 0x8b, 0xd3, 0x4a, 0xa6, 0x6c, 0x83, 0x0a, 0x7d, 0xa3, 0x23, 0x3d,
++ 0x43, 0xa1, 0x07, 0x2c, 0x2d, 0xe3, 0x81, 0xcc
++};
++
++__fips_constseg static const unsigned char hmac_sha256_nonce[] = {
++ 0xf1, 0xac, 0x97, 0xcb, 0x5e, 0x06, 0x48, 0xd2, 0x94, 0xbe, 0x15, 0x2e,
++ 0xc7, 0xfc, 0xc2, 0x01
++};
++
++__fips_constseg
++ static const unsigned char hmac_sha256_personalizationstring[] = {
++ 0x98, 0xc5, 0x1e, 0x35, 0x5e, 0x89, 0x0d, 0xce, 0x64, 0x6d, 0x18, 0xa7,
++ 0x5a, 0xc6, 0xf3, 0xe7, 0xd6, 0x9e, 0xc0, 0xea, 0xb7, 0x3a, 0x8d, 0x65,
++ 0xb8, 0xeb, 0x10, 0xd7, 0x57, 0x18, 0xa0, 0x32
++};
++
++__fips_constseg static const unsigned char hmac_sha256_additionalinput[] = {
++ 0x1b, 0x10, 0xaf, 0xac, 0xd0, 0x65, 0x95, 0xad, 0x04, 0xad, 0x03, 0x1c,
++ 0xe0, 0x40, 0xd6, 0x3e, 0x1c, 0x46, 0x53, 0x39, 0x7c, 0xe2, 0xbc, 0xda,
++ 0x8c, 0xa2, 0x33, 0xa7, 0x9a, 0x26, 0xd3, 0x27
++};
++
++__fips_constseg static const unsigned char hmac_sha256_int_returnedbits[] = {
++ 0xba, 0x61, 0x0e, 0x55, 0xfe, 0x11, 0x8a, 0x9e, 0x0f, 0x80, 0xdf, 0x1d,
++ 0x03, 0x0a, 0xfe, 0x15, 0x94, 0x28, 0x4b, 0xba, 0xf4, 0x9f, 0x51, 0x25,
++ 0x88, 0xe5, 0x4e, 0xfb, 0xaf, 0xce, 0x69, 0x90
++};
++
++__fips_constseg static const unsigned char hmac_sha256_entropyinputreseed[] = {
++ 0x62, 0x7f, 0x1e, 0x6b, 0xe8, 0x8e, 0xe1, 0x35, 0x7d, 0x9b, 0x4f, 0xc7,
++ 0xec, 0xc8, 0xac, 0xef, 0x6b, 0x13, 0x9e, 0x05, 0x56, 0xc1, 0x08, 0xf9,
++ 0x2f, 0x0f, 0x27, 0x9c, 0xd4, 0x15, 0xed, 0x2d
++};
++
++__fips_constseg
++ static const unsigned char hmac_sha256_additionalinputreseed[] = {
++ 0xc7, 0x76, 0x6e, 0xa9, 0xd2, 0xb2, 0x76, 0x40, 0x82, 0x25, 0x2c, 0xb3,
++ 0x6f, 0xac, 0xe9, 0x74, 0xef, 0x8f, 0x3c, 0x8e, 0xcd, 0xf1, 0xbf, 0xb3,
++ 0x49, 0x77, 0x34, 0x88, 0x52, 0x36, 0xe6, 0x2e
++};
++
++__fips_constseg static const unsigned char hmac_sha256_additionalinput2[] = {
++ 0x8d, 0xb8, 0x0c, 0xd1, 0xbf, 0x70, 0xf6, 0x19, 0xc3, 0x41, 0x80, 0x9f,
++ 0xe1, 0xa5, 0xa4, 0x1f, 0x2c, 0x26, 0xb1, 0xe5, 0xd8, 0xeb, 0xbe, 0xf8,
++ 0xdf, 0x88, 0x6a, 0x89, 0xd6, 0x05, 0xd8, 0x9d
++};
++
++__fips_constseg static const unsigned char hmac_sha256_returnedbits[] = {
++ 0x43, 0x12, 0x2a, 0x2c, 0x40, 0x53, 0x2e, 0x7c, 0x66, 0x34, 0xac, 0xc3,
++ 0x43, 0xe3, 0xe0, 0x6a, 0xfc, 0xfa, 0xea, 0x87, 0x21, 0x1f, 0xe2, 0x26,
++ 0xc4, 0xf9, 0x09, 0x9a, 0x0d, 0x6e, 0x7f, 0xe0
++};
++
++/* HMAC SHA-384 PR */
++__fips_constseg static const unsigned char hmac_sha384_pr_entropyinput[] = {
++ 0x69, 0x81, 0x98, 0x88, 0x44, 0xf5, 0xd6, 0x2e, 0x00, 0x08, 0x3b, 0xc5,
++ 0xfb, 0xd7, 0x8e, 0x6f, 0x23, 0xf8, 0x6d, 0x09, 0xd6, 0x85, 0x49, 0xd1,
++ 0xf8, 0x6d, 0xa4, 0x58, 0x54, 0xfd, 0x88, 0xa9
++};
++
++__fips_constseg static const unsigned char hmac_sha384_pr_nonce[] = {
++ 0x6e, 0x38, 0x81, 0xca, 0xb7, 0xe8, 0x6e, 0x66, 0x49, 0x8a, 0xb2, 0x59,
++ 0xee, 0x16, 0xc9, 0xde
++};
++
++__fips_constseg
++ static const unsigned char hmac_sha384_pr_personalizationstring[] = {
++ 0xfe, 0x4c, 0xd9, 0xf4, 0x78, 0x3b, 0x08, 0x41, 0x8d, 0x8f, 0x55, 0xc4,
++ 0x43, 0x56, 0xb6, 0x12, 0x36, 0x6b, 0x30, 0xb7, 0x5e, 0xe1, 0xb9, 0x47,
++ 0x04, 0xb1, 0x4e, 0xa9, 0x00, 0xa1, 0x52, 0xa1
++};
++
++__fips_constseg static const unsigned char hmac_sha384_pr_additionalinput[] = {
++ 0x89, 0xe9, 0xcc, 0x8f, 0x27, 0x3c, 0x26, 0xd1, 0x95, 0xc8, 0x7d, 0x0f,
++ 0x5b, 0x1a, 0xf0, 0x78, 0x39, 0x56, 0x6f, 0xa4, 0x23, 0xe7, 0xd1, 0xda,
++ 0x7c, 0x66, 0x33, 0xa0, 0x90, 0xc9, 0x92, 0x88
++};
++
++__fips_constseg static const unsigned char hmac_sha384_pr_entropyinputpr[] = {
++ 0xbe, 0x3d, 0x7c, 0x0d, 0xca, 0xda, 0x7c, 0x49, 0xb8, 0x12, 0x36, 0xc0,
++ 0xdb, 0xad, 0x35, 0xa8, 0xc7, 0x0b, 0x2a, 0x2c, 0x69, 0x6d, 0x25, 0x56,
++ 0x63, 0x82, 0x11, 0x3e, 0xa7, 0x33, 0x70, 0x72
++};
++
++__fips_constseg static const unsigned char hmac_sha384_pr_int_returnedbits[] = {
++ 0x82, 0x3d, 0xe6, 0x54, 0x80, 0x42, 0xf8, 0xba, 0x90, 0x4f, 0x06, 0xa6,
++ 0xd2, 0x7f, 0xbf, 0x79, 0x7c, 0x12, 0x7d, 0xa6, 0xa2, 0x66, 0xe8, 0xa6,
++ 0xc0, 0xd6, 0x4a, 0x55, 0xbf, 0xd8, 0x0a, 0xc5, 0xf8, 0x03, 0x88, 0xdd,
++ 0x8e, 0x87, 0xd1, 0x5a, 0x48, 0x26, 0x72, 0x2a, 0x8e, 0xcf, 0xee, 0xba
++};
++
++__fips_constseg static const unsigned char hmac_sha384_pr_additionalinput2[] = {
++ 0x8f, 0xff, 0xd9, 0x84, 0xbb, 0x85, 0x3a, 0x66, 0xa1, 0x21, 0xce, 0xb2,
++ 0x3a, 0x3a, 0x17, 0x22, 0x19, 0xae, 0xc7, 0xb6, 0x63, 0x81, 0xd5, 0xff,
++ 0x0d, 0xc8, 0xe1, 0xaf, 0x57, 0xd2, 0xcb, 0x60
++};
++
++__fips_constseg static const unsigned char hmac_sha384_pr_entropyinputpr2[] = {
++ 0xd7, 0xfb, 0xc9, 0xe8, 0xe2, 0xf2, 0xaa, 0x4c, 0xb8, 0x51, 0x2f, 0xe1,
++ 0x22, 0xba, 0xf3, 0xda, 0x0a, 0x19, 0x76, 0x71, 0x57, 0xb2, 0x1d, 0x94,
++ 0x09, 0x69, 0x6c, 0xd3, 0x97, 0x51, 0x81, 0x87
++};
++
++__fips_constseg static const unsigned char hmac_sha384_pr_returnedbits[] = {
++ 0xe6, 0x19, 0x28, 0xa8, 0x21, 0xce, 0x5e, 0xdb, 0x24, 0x79, 0x8c, 0x76,
++ 0x5d, 0x73, 0xb2, 0xdf, 0xac, 0xef, 0x85, 0xa7, 0x3b, 0x19, 0x09, 0x8b,
++ 0x7f, 0x98, 0x28, 0xa9, 0x93, 0xd8, 0x7a, 0xad, 0x55, 0x8b, 0x24, 0x9d,
++ 0xe6, 0x98, 0xfe, 0x47, 0xd5, 0x48, 0xc1, 0x23, 0xd8, 0x1d, 0x62, 0x75
++};
++
++/* HMAC SHA-384 No PR */
++__fips_constseg static const unsigned char hmac_sha384_entropyinput[] = {
++ 0xc3, 0x56, 0x2b, 0x1d, 0xc2, 0xbb, 0xa8, 0xf0, 0xae, 0x1b, 0x0d, 0xd3,
++ 0x5a, 0x6c, 0xda, 0x57, 0x8e, 0xa5, 0x8a, 0x0d, 0x6c, 0x4b, 0x18, 0xb1,
++ 0x04, 0x3e, 0xb4, 0x99, 0x35, 0xc4, 0xc0, 0x5f
++};
++
++__fips_constseg static const unsigned char hmac_sha384_nonce[] = {
++ 0xc5, 0x49, 0x1e, 0x66, 0x27, 0x92, 0xbe, 0xec, 0xb5, 0x1e, 0x4b, 0xb1,
++ 0x38, 0xe3, 0xeb, 0x62
++};
++
++__fips_constseg
++ static const unsigned char hmac_sha384_personalizationstring[] = {
++ 0xbe, 0xe7, 0x6b, 0x57, 0xde, 0x88, 0x11, 0x96, 0x9b, 0x6e, 0xea, 0xe5,
++ 0x63, 0x83, 0x4c, 0xb6, 0x8d, 0x66, 0xaa, 0x1f, 0x8b, 0x54, 0xe7, 0x62,
++ 0x6d, 0x5a, 0xfc, 0xbf, 0x97, 0xba, 0xcd, 0x77
++};
++
++__fips_constseg static const unsigned char hmac_sha384_additionalinput[] = {
++ 0xe5, 0x28, 0x5f, 0x43, 0xf5, 0x83, 0x6e, 0x0a, 0x83, 0x5c, 0xe3, 0x81,
++ 0x03, 0xf2, 0xf8, 0x78, 0x00, 0x7c, 0x95, 0x87, 0x16, 0xd6, 0x6c, 0x58,
++ 0x33, 0x6c, 0x53, 0x35, 0x0d, 0x66, 0xe3, 0xce
++};
++
++__fips_constseg static const unsigned char hmac_sha384_int_returnedbits[] = {
++ 0xe2, 0x1f, 0xf3, 0xda, 0x0d, 0x19, 0x99, 0x87, 0xc4, 0x90, 0xa2, 0x31,
++ 0xca, 0x2a, 0x89, 0x58, 0x43, 0x44, 0xb8, 0xde, 0xcf, 0xa4, 0xbe, 0x3b,
++ 0x53, 0x26, 0x22, 0x31, 0x76, 0x41, 0x22, 0xb5, 0xa8, 0x70, 0x2f, 0x4b,
++ 0x64, 0x95, 0x4d, 0x48, 0x96, 0x35, 0xe6, 0xbd, 0x3c, 0x34, 0xdb, 0x1b
++};
++
++__fips_constseg static const unsigned char hmac_sha384_entropyinputreseed[] = {
++ 0x77, 0x61, 0xba, 0xbc, 0xf2, 0xc1, 0xf3, 0x4b, 0x86, 0x65, 0xfd, 0x48,
++ 0x0e, 0x3c, 0x02, 0x5e, 0xa2, 0x7a, 0x6b, 0x7c, 0xed, 0x21, 0x5e, 0xf9,
++ 0xcd, 0xcd, 0x77, 0x07, 0x2b, 0xbe, 0xc5, 0x5c
++};
++
++__fips_constseg
++ static const unsigned char hmac_sha384_additionalinputreseed[] = {
++ 0x18, 0x24, 0x5f, 0xc6, 0x84, 0xd1, 0x67, 0xc3, 0x9a, 0x11, 0xa5, 0x8c,
++ 0x07, 0x39, 0x21, 0x83, 0x4d, 0x04, 0xc4, 0x6a, 0x28, 0x19, 0xcf, 0x92,
++ 0x21, 0xd9, 0x9e, 0x41, 0x72, 0x6c, 0x9e, 0x63
++};
++
++__fips_constseg static const unsigned char hmac_sha384_additionalinput2[] = {
++ 0x96, 0x67, 0x41, 0x28, 0x9b, 0xb7, 0x92, 0x8d, 0x64, 0x3b, 0xe4, 0xcf,
++ 0x7e, 0xaa, 0x1e, 0xb1, 0x4b, 0x1d, 0x09, 0x56, 0x67, 0x9c, 0xc6, 0x6d,
++ 0x3b, 0xe8, 0x91, 0x9d, 0xe1, 0x8a, 0xb7, 0x32
++};
++
++__fips_constseg static const unsigned char hmac_sha384_returnedbits[] = {
++ 0xe3, 0x59, 0x61, 0x38, 0x92, 0xec, 0xe2, 0x3c, 0xff, 0xb7, 0xdb, 0x19,
++ 0x0f, 0x5b, 0x93, 0x68, 0x0d, 0xa4, 0x94, 0x40, 0x72, 0x0b, 0xe0, 0xed,
++ 0x4d, 0xcd, 0x68, 0xa0, 0x1e, 0xfe, 0x67, 0xb2, 0xfa, 0x21, 0x56, 0x74,
++ 0xa4, 0xad, 0xcf, 0xb7, 0x60, 0x66, 0x2e, 0x40, 0xde, 0x82, 0xca, 0xfb
++};
++
++/* HMAC SHA-512 PR */
++__fips_constseg static const unsigned char hmac_sha512_pr_entropyinput[] = {
++ 0xaa, 0x9e, 0x45, 0x67, 0x0e, 0x00, 0x2a, 0x67, 0x98, 0xd6, 0xda, 0x0b,
++ 0x0f, 0x17, 0x7e, 0xac, 0xfd, 0x27, 0xc4, 0xca, 0x84, 0xdf, 0xde, 0xba,
++ 0x85, 0xd9, 0xbe, 0x8f, 0xf3, 0xff, 0x91, 0x4d
++};
++
++__fips_constseg static const unsigned char hmac_sha512_pr_nonce[] = {
++ 0x8c, 0x49, 0x2f, 0x58, 0x1e, 0x7a, 0xda, 0x4b, 0x7e, 0x8a, 0x30, 0x7b,
++ 0x86, 0xea, 0xaf, 0xa2
++};
++
++__fips_constseg
++ static const unsigned char hmac_sha512_pr_personalizationstring[] = {
++ 0x71, 0xe1, 0xbb, 0xad, 0xa7, 0x4b, 0x2e, 0x31, 0x3b, 0x0b, 0xec, 0x24,
++ 0x99, 0x38, 0xbc, 0xaa, 0x05, 0x4c, 0x46, 0x44, 0xfa, 0xad, 0x8e, 0x02,
++ 0xc1, 0x7e, 0xad, 0xec, 0x54, 0xa6, 0xd0, 0xad
++};
++
++__fips_constseg static const unsigned char hmac_sha512_pr_additionalinput[] = {
++ 0x3d, 0x6e, 0xa6, 0xa8, 0x29, 0x2a, 0xb2, 0xf5, 0x98, 0x42, 0xe4, 0x92,
++ 0x78, 0x22, 0x67, 0xfd, 0x1b, 0x15, 0x1e, 0x29, 0xaa, 0x71, 0x3c, 0x3c,
++ 0xe7, 0x05, 0x20, 0xa9, 0x29, 0xc6, 0x75, 0x71
++};
++
++__fips_constseg static const unsigned char hmac_sha512_pr_entropyinputpr[] = {
++ 0xab, 0xb9, 0x16, 0xd8, 0x55, 0x35, 0x54, 0xb7, 0x97, 0x3f, 0x94, 0xbc,
++ 0x2f, 0x7c, 0x70, 0xc7, 0xd0, 0xed, 0xb7, 0x4b, 0xf7, 0xf6, 0x6c, 0x03,
++ 0x0c, 0xb0, 0x03, 0xd8, 0xbb, 0x71, 0xd9, 0x10
++};
++
++__fips_constseg static const unsigned char hmac_sha512_pr_int_returnedbits[] = {
++ 0x8e, 0xd3, 0xfd, 0x52, 0x9e, 0x83, 0x08, 0x49, 0x18, 0x6e, 0x23, 0x56,
++ 0x5c, 0x45, 0x93, 0x34, 0x05, 0xe2, 0x98, 0x8f, 0x0c, 0xd4, 0x32, 0x0c,
++ 0xfd, 0xda, 0x5f, 0x92, 0x3a, 0x8c, 0x81, 0xbd, 0xf6, 0x6c, 0x55, 0xfd,
++ 0xb8, 0x20, 0xce, 0x8d, 0x97, 0x27, 0xe8, 0xe8, 0xe0, 0xb3, 0x85, 0x50,
++ 0xa2, 0xc2, 0xb2, 0x95, 0x1d, 0x48, 0xd3, 0x7b, 0x4b, 0x78, 0x13, 0x35,
++ 0x05, 0x17, 0xbe, 0x0d
++};
++
++__fips_constseg static const unsigned char hmac_sha512_pr_additionalinput2[] = {
++ 0xc3, 0xfc, 0x95, 0xaa, 0x69, 0x06, 0xae, 0x59, 0x41, 0xce, 0x26, 0x08,
++ 0x29, 0x6d, 0x45, 0xda, 0xe8, 0xb3, 0x6c, 0x95, 0x60, 0x0f, 0x70, 0x2c,
++ 0x10, 0xba, 0x38, 0x8c, 0xcf, 0x29, 0x99, 0xaa
++};
++
++__fips_constseg static const unsigned char hmac_sha512_pr_entropyinputpr2[] = {
++ 0x3b, 0x9a, 0x25, 0xce, 0xd7, 0xf9, 0x5c, 0xd1, 0x3a, 0x3e, 0xaa, 0x71,
++ 0x14, 0x3e, 0x19, 0xe8, 0xce, 0xe6, 0xfe, 0x51, 0x84, 0xe9, 0x1b, 0xfe,
++ 0x3f, 0xa7, 0xf2, 0xfd, 0x76, 0x5f, 0x6a, 0xe7
++};
++
++__fips_constseg static const unsigned char hmac_sha512_pr_returnedbits[] = {
++ 0xb7, 0x82, 0xa9, 0x57, 0x81, 0x67, 0x53, 0xb5, 0xa1, 0xe9, 0x3d, 0x35,
++ 0xf9, 0xe4, 0x97, 0xbe, 0xa6, 0xca, 0xf1, 0x01, 0x13, 0x09, 0xe7, 0x21,
++ 0xc0, 0xed, 0x93, 0x5d, 0x4b, 0xf4, 0xeb, 0x8d, 0x53, 0x25, 0x8a, 0xc4,
++ 0xb1, 0x6f, 0x6e, 0x37, 0xcd, 0x2e, 0xac, 0x39, 0xb2, 0xb6, 0x99, 0xa3,
++ 0x82, 0x00, 0xb0, 0x21, 0xf0, 0xc7, 0x2f, 0x4c, 0x73, 0x92, 0xfd, 0x00,
++ 0xb6, 0xaf, 0xbc, 0xd3
++};
++
++/* HMAC SHA-512 No PR */
++__fips_constseg static const unsigned char hmac_sha512_entropyinput[] = {
++ 0x6e, 0x85, 0xe6, 0x25, 0x96, 0x29, 0xa7, 0x52, 0x5b, 0x60, 0xba, 0xaa,
++ 0xde, 0xdb, 0x36, 0x0a, 0x51, 0x9a, 0x15, 0xae, 0x6e, 0x18, 0xd3, 0xfe,
++ 0x39, 0xb9, 0x4a, 0x96, 0xf8, 0x77, 0xcb, 0x95
++};
++
++__fips_constseg static const unsigned char hmac_sha512_nonce[] = {
++ 0xe0, 0xa6, 0x5d, 0x08, 0xc3, 0x7c, 0xae, 0x25, 0x2e, 0x80, 0xd1, 0x3e,
++ 0xd9, 0xaf, 0x43, 0x3c
++};
++
++__fips_constseg
++ static const unsigned char hmac_sha512_personalizationstring[] = {
++ 0x53, 0x99, 0x52, 0x5f, 0x11, 0xa9, 0x64, 0x66, 0x20, 0x5e, 0x1b, 0x5f,
++ 0x42, 0xb3, 0xf4, 0xda, 0xed, 0xbb, 0x63, 0xc1, 0x23, 0xaf, 0xd0, 0x01,
++ 0x90, 0x3b, 0xd0, 0x78, 0xe4, 0x0b, 0xa7, 0x20
++};
++
++__fips_constseg static const unsigned char hmac_sha512_additionalinput[] = {
++ 0x85, 0x90, 0x80, 0xd3, 0x98, 0xf1, 0x53, 0x6d, 0x68, 0x15, 0x8f, 0xe5,
++ 0x60, 0x3f, 0x17, 0x29, 0x55, 0x8d, 0x33, 0xb1, 0x45, 0x64, 0x64, 0x8d,
++ 0x50, 0x21, 0x89, 0xae, 0xf6, 0xfd, 0x32, 0x73
++};
++
++__fips_constseg static const unsigned char hmac_sha512_int_returnedbits[] = {
++ 0x28, 0x56, 0x30, 0x6f, 0xf4, 0xa1, 0x48, 0xe0, 0xc9, 0xf5, 0x75, 0x90,
++ 0xcc, 0xfb, 0xdf, 0xdf, 0x71, 0x3d, 0x0a, 0x9a, 0x03, 0x65, 0x3b, 0x18,
++ 0x61, 0xe3, 0xd1, 0xda, 0xcc, 0x4a, 0xfe, 0x55, 0x38, 0xf8, 0x21, 0x6b,
++ 0xfa, 0x18, 0x01, 0x42, 0x39, 0x2f, 0x99, 0x53, 0x38, 0x15, 0x82, 0x34,
++ 0xc5, 0x93, 0x92, 0xbc, 0x4d, 0x75, 0x1a, 0x5f, 0x21, 0x27, 0xcc, 0xa1,
++ 0xb1, 0x57, 0x69, 0xe8
++};
++
++__fips_constseg static const unsigned char hmac_sha512_entropyinputreseed[] = {
++ 0x8c, 0x52, 0x7e, 0x77, 0x72, 0x3f, 0xa3, 0x04, 0x97, 0x10, 0x9b, 0x41,
++ 0xbd, 0xe8, 0xff, 0x89, 0xed, 0x80, 0xe3, 0xbd, 0xaa, 0x12, 0x2d, 0xca,
++ 0x75, 0x82, 0x36, 0x77, 0x88, 0xcd, 0xa6, 0x73
++};
++
++__fips_constseg
++ static const unsigned char hmac_sha512_additionalinputreseed[] = {
++ 0x7e, 0x32, 0xe3, 0x69, 0x69, 0x07, 0x34, 0xa2, 0x16, 0xa2, 0x5d, 0x1a,
++ 0x10, 0x91, 0xd3, 0xe2, 0x21, 0xa2, 0xa3, 0xdd, 0xcd, 0x0c, 0x09, 0x86,
++ 0x11, 0xe1, 0x50, 0xff, 0x5c, 0xb7, 0xeb, 0x5c
++};
++
++__fips_constseg static const unsigned char hmac_sha512_additionalinput2[] = {
++ 0x7f, 0x78, 0x66, 0xd8, 0xfb, 0x67, 0xcf, 0x8d, 0x8c, 0x08, 0x30, 0xa5,
++ 0xf8, 0x7d, 0xcf, 0x44, 0x59, 0xce, 0xf8, 0xdf, 0x58, 0xd3, 0x60, 0xcb,
++ 0xa8, 0x60, 0xb9, 0x07, 0xc4, 0xb1, 0x95, 0x48
++};
++
++__fips_constseg static const unsigned char hmac_sha512_returnedbits[] = {
++ 0xdf, 0xa7, 0x36, 0xd4, 0xdc, 0x5d, 0x4d, 0x31, 0xad, 0x69, 0x46, 0x9f,
++ 0xf1, 0x7c, 0xd7, 0x3b, 0x4f, 0x55, 0xf2, 0xd7, 0xb9, 0x9d, 0xad, 0x7a,
++ 0x79, 0x08, 0x59, 0xa5, 0xdc, 0x74, 0xf5, 0x9b, 0x73, 0xd2, 0x13, 0x25,
++ 0x0b, 0x81, 0x08, 0x08, 0x25, 0xfb, 0x39, 0xf2, 0xf0, 0xa3, 0xa4, 0x8d,
++ 0xef, 0x05, 0x9e, 0xb8, 0xc7, 0x52, 0xe4, 0x0e, 0x42, 0xaa, 0x7c, 0x79,
++ 0xc2, 0xd6, 0xfd, 0xa5
++};
+diff -up openssl-1.1.1-pre8/crypto/fips/fips_dsa_selftest.c.fips openssl-1.1.1-pre8/crypto/fips/fips_dsa_selftest.c
+--- openssl-1.1.1-pre8/crypto/fips/fips_dsa_selftest.c.fips 2018-07-25 17:26:58.408624776 +0200
++++ openssl-1.1.1-pre8/crypto/fips/fips_dsa_selftest.c 2018-07-25 17:26:58.408624776 +0200
+@@ -0,0 +1,195 @@
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <string.h>
++#include <openssl/crypto.h>
++#include <openssl/dsa.h>
++#include <openssl/fips.h>
++#include "internal/fips_int.h"
++#include <openssl/err.h>
++#include <openssl/evp.h>
++#include <openssl/bn.h>
++#include "fips_locl.h"
++
++#ifdef OPENSSL_FIPS
++
++static const unsigned char dsa_test_2048_p[] = {
++ 0xa8, 0x53, 0x78, 0xd8, 0xfd, 0x3f, 0x8d, 0x72, 0xec, 0x74, 0x18, 0x08,
++ 0x0d, 0xa2, 0x13, 0x17, 0xe4, 0x3e, 0xc4, 0xb6, 0x2b, 0xa8, 0xc8, 0x62,
++ 0x3b, 0x7e, 0x4d, 0x04, 0x44, 0x1d, 0xd1, 0xa0, 0x65, 0x86, 0x62, 0x59,
++ 0x64, 0x93, 0xca, 0x8e, 0x9e, 0x8f, 0xbb, 0x7e, 0x34, 0xaa, 0xdd, 0xb6,
++ 0x2e, 0x5d, 0x67, 0xb6, 0xd0, 0x9a, 0x6e, 0x61, 0xb7, 0x69, 0xe7, 0xc3,
++ 0x52, 0xaa, 0x2b, 0x10, 0xe2, 0x0c, 0xa0, 0x63, 0x69, 0x63, 0xb5, 0x52,
++ 0x3e, 0x86, 0x47, 0x0d, 0xec, 0xbb, 0xed, 0xa0, 0x27, 0xe7, 0x97, 0xe7,
++ 0xb6, 0x76, 0x35, 0xd4, 0xd4, 0x9c, 0x30, 0x70, 0x0e, 0x74, 0xaf, 0x8a,
++ 0x0f, 0xf1, 0x56, 0xa8, 0x01, 0xaf, 0x57, 0xa2, 0x6e, 0x70, 0x78, 0xf1,
++ 0xd8, 0x2f, 0x74, 0x90, 0x8e, 0xcb, 0x6d, 0x07, 0xe7, 0x0b, 0x35, 0x03,
++ 0xee, 0xd9, 0x4f, 0xa3, 0x2c, 0xf1, 0x7a, 0x7f, 0xc3, 0xd6, 0xcf, 0x40,
++ 0xdc, 0x7b, 0x00, 0x83, 0x0e, 0x6a, 0x25, 0x66, 0xdc, 0x07, 0x3e, 0x34,
++ 0x33, 0x12, 0x51, 0x7c, 0x6a, 0xa5, 0x15, 0x2b, 0x4b, 0xfe, 0xcd, 0x2e,
++ 0x55, 0x1f, 0xee, 0x34, 0x63, 0x18, 0xa1, 0x53, 0x42, 0x3c, 0x99, 0x6b,
++ 0x0d, 0x5d, 0xcb, 0x91, 0x02, 0xae, 0xdd, 0x38, 0x79, 0x86, 0x16, 0xf1,
++ 0xf1, 0xe0, 0xd6, 0xc4, 0x03, 0x52, 0x5b, 0x1f, 0x9b, 0x3d, 0x4d, 0xc7,
++ 0x66, 0xde, 0x2d, 0xfc, 0x4a, 0x56, 0xd7, 0xb8, 0xba, 0x59, 0x63, 0xd6,
++ 0x0f, 0x3e, 0x16, 0x31, 0x88, 0x70, 0xad, 0x43, 0x69, 0x52, 0xe5, 0x57,
++ 0x65, 0x37, 0x4e, 0xab, 0x85, 0xe8, 0xec, 0x17, 0xd6, 0xb9, 0xa4, 0x54,
++ 0x7b, 0x9b, 0x5f, 0x27, 0x52, 0xf3, 0x10, 0x5b, 0xe8, 0x09, 0xb2, 0x3a,
++ 0x2c, 0x8d, 0x74, 0x69, 0xdb, 0x02, 0xe2, 0x4d, 0x59, 0x23, 0x94, 0xa7,
++ 0xdb, 0xa0, 0x69, 0xe9
++};
++
++static const unsigned char dsa_test_2048_q[] = {
++ 0xd2, 0x77, 0x04, 0x4e, 0x50, 0xf5, 0xa4, 0xe3, 0xf5, 0x10, 0xa5, 0x0a,
++ 0x0b, 0x84, 0xfd, 0xff, 0xbc, 0xa0, 0x47, 0xed, 0x27, 0x60, 0x20, 0x56,
++ 0x74, 0x41, 0xa0, 0xa5
++};
++
++static const unsigned char dsa_test_2048_g[] = {
++ 0x13, 0xd7, 0x54, 0xe2, 0x1f, 0xd2, 0x41, 0x65, 0x5d, 0xa8, 0x91, 0xc5,
++ 0x22, 0xa6, 0x5a, 0x72, 0xa8, 0x9b, 0xdc, 0x64, 0xec, 0x9b, 0x54, 0xa8,
++ 0x21, 0xed, 0x4a, 0x89, 0x8b, 0x49, 0x0e, 0x0c, 0x4f, 0xcb, 0x72, 0x19,
++ 0x2a, 0x4a, 0x20, 0xf5, 0x41, 0xf3, 0xf2, 0x92, 0x53, 0x99, 0xf0, 0xba,
++ 0xec, 0xf9, 0x29, 0xaa, 0xfb, 0xf7, 0x9d, 0xfe, 0x43, 0x32, 0x39, 0x3b,
++ 0x32, 0xcd, 0x2e, 0x2f, 0xcf, 0x27, 0x2f, 0x32, 0xa6, 0x27, 0x43, 0x4a,
++ 0x0d, 0xf2, 0x42, 0xb7, 0x5b, 0x41, 0x4d, 0xf3, 0x72, 0x12, 0x1e, 0x53,
++ 0xa5, 0x53, 0xf2, 0x22, 0xf8, 0x36, 0xb0, 0x00, 0xf0, 0x16, 0x48, 0x5b,
++ 0x6b, 0xd0, 0x89, 0x84, 0x51, 0x80, 0x1d, 0xcd, 0x8d, 0xe6, 0x4c, 0xd5,
++ 0x36, 0x56, 0x96, 0xff, 0xc5, 0x32, 0xd5, 0x28, 0xc5, 0x06, 0x62, 0x0a,
++ 0x94, 0x2a, 0x03, 0x05, 0x04, 0x6d, 0x8f, 0x18, 0x76, 0x34, 0x1f, 0x1e,
++ 0x57, 0x0b, 0xc3, 0x97, 0x4b, 0xa6, 0xb9, 0xa4, 0x38, 0xe9, 0x70, 0x23,
++ 0x02, 0xa2, 0xe6, 0xe6, 0x7b, 0xfd, 0x06, 0xd3, 0x2b, 0xc6, 0x79, 0x96,
++ 0x22, 0x71, 0xd7, 0xb4, 0x0c, 0xd7, 0x2f, 0x38, 0x6e, 0x64, 0xe0, 0xd7,
++ 0xef, 0x86, 0xca, 0x8c, 0xa5, 0xd1, 0x42, 0x28, 0xdc, 0x2a, 0x4f, 0x16,
++ 0xe3, 0x18, 0x98, 0x86, 0xb5, 0x99, 0x06, 0x74, 0xf4, 0x20, 0x0f, 0x3a,
++ 0x4c, 0xf6, 0x5a, 0x3f, 0x0d, 0xdb, 0xa1, 0xfa, 0x67, 0x2d, 0xff, 0x2f,
++ 0x5e, 0x14, 0x3d, 0x10, 0xe4, 0xe9, 0x7a, 0xe8, 0x4f, 0x6d, 0xa0, 0x95,
++ 0x35, 0xd5, 0xb9, 0xdf, 0x25, 0x91, 0x81, 0xa7, 0x9b, 0x63, 0xb0, 0x69,
++ 0xe9, 0x49, 0x97, 0x2b, 0x02, 0xba, 0x36, 0xb3, 0x58, 0x6a, 0xab, 0x7e,
++ 0x45, 0xf3, 0x22, 0xf8, 0x2e, 0x4e, 0x85, 0xca, 0x3a, 0xb8, 0x55, 0x91,
++ 0xb3, 0xc2, 0xa9, 0x66
++};
++
++static const unsigned char dsa_test_2048_pub_key[] = {
++ 0x24, 0x52, 0xf3, 0xcc, 0xbe, 0x9e, 0xd5, 0xca, 0x7d, 0xc7, 0x4c, 0x60,
++ 0x2b, 0x99, 0x22, 0x6e, 0x8f, 0x2f, 0xab, 0x38, 0xe7, 0xd7, 0xdd, 0xfb,
++ 0x75, 0x53, 0x9b, 0x17, 0x15, 0x5e, 0x9f, 0xcf, 0xd1, 0xab, 0xa5, 0x64,
++ 0xeb, 0x85, 0x35, 0xd8, 0x12, 0xc9, 0xc2, 0xdc, 0xf9, 0x72, 0x84, 0x44,
++ 0x1b, 0xc4, 0x82, 0x24, 0x36, 0x24, 0xc7, 0xf4, 0x57, 0x58, 0x0c, 0x1c,
++ 0x38, 0xa5, 0x7c, 0x46, 0xc4, 0x57, 0x39, 0x24, 0x70, 0xed, 0xb5, 0x2c,
++ 0xb5, 0xa6, 0xe0, 0x3f, 0xe6, 0x28, 0x7b, 0xb6, 0xf4, 0x9a, 0x42, 0xa2,
++ 0x06, 0x5a, 0x05, 0x4f, 0x03, 0x08, 0x39, 0xdf, 0x1f, 0xd3, 0x14, 0x9c,
++ 0x4c, 0xa0, 0x53, 0x1d, 0xd8, 0xca, 0x8a, 0xaa, 0x9c, 0xc7, 0x33, 0x71,
++ 0x93, 0x38, 0x73, 0x48, 0x33, 0x61, 0x18, 0x22, 0x45, 0x45, 0xe8, 0x8c,
++ 0x80, 0xff, 0xd8, 0x76, 0x5d, 0x74, 0x36, 0x03, 0x33, 0xcc, 0xab, 0x99,
++ 0x72, 0x77, 0x9b, 0x65, 0x25, 0xa6, 0x5b, 0xdd, 0x0d, 0x10, 0xc6, 0x75,
++ 0xc1, 0x09, 0xbb, 0xd3, 0xe5, 0xbe, 0x4d, 0x72, 0xef, 0x6e, 0xba, 0x6e,
++ 0x43, 0x8d, 0x52, 0x26, 0x23, 0x7d, 0xb8, 0x88, 0x37, 0x9c, 0x5f, 0xcc,
++ 0x47, 0xa3, 0x84, 0x7f, 0xf6, 0x37, 0x11, 0xba, 0xed, 0x6d, 0x03, 0xaf,
++ 0xe8, 0x1e, 0x69, 0x4a, 0x41, 0x3b, 0x68, 0x0b, 0xd3, 0x8a, 0xb4, 0x90,
++ 0x3f, 0x83, 0x70, 0xa7, 0x07, 0xef, 0x55, 0x1d, 0x49, 0x41, 0x02, 0x6d,
++ 0x95, 0x79, 0xd6, 0x91, 0xde, 0x8e, 0xda, 0xa1, 0x61, 0x05, 0xeb, 0x9d,
++ 0xba, 0x3c, 0x2f, 0x4c, 0x1b, 0xec, 0x50, 0x82, 0x75, 0xaa, 0x02, 0x07,
++ 0xe2, 0x51, 0xb5, 0xec, 0xcb, 0x28, 0x6a, 0x4b, 0x01, 0xd4, 0x49, 0xd3,
++ 0x0a, 0xcb, 0x67, 0x37, 0x17, 0xa0, 0xd2, 0xfb, 0x3b, 0x50, 0xc8, 0x93,
++ 0xf7, 0xda, 0xb1, 0x4f
++};
++
++static const unsigned char dsa_test_2048_priv_key[] = {
++ 0x0c, 0x4b, 0x30, 0x89, 0xd1, 0xb8, 0x62, 0xcb, 0x3c, 0x43, 0x64, 0x91,
++ 0xf0, 0x91, 0x54, 0x70, 0xc5, 0x27, 0x96, 0xe3, 0xac, 0xbe, 0xe8, 0x00,
++ 0xec, 0x55, 0xf6, 0xcc
++};
++
++int FIPS_selftest_dsa()
++{
++ DSA *dsa = NULL;
++ EVP_PKEY *pk = NULL;
++ int ret = -1;
++ BIGNUM *p = NULL, *q = NULL, *g = NULL, *pub_key = NULL, *priv_key = NULL;
++
++ fips_load_key_component(p, dsa_test_2048);
++ fips_load_key_component(q, dsa_test_2048);
++ fips_load_key_component(g, dsa_test_2048);
++ fips_load_key_component(pub_key, dsa_test_2048);
++ fips_load_key_component(priv_key, dsa_test_2048);
++
++ dsa = DSA_new();
++
++ if (dsa == NULL)
++ goto err;
++
++ DSA_set0_pqg(dsa, p, q, g);
++
++ DSA_set0_key(dsa, pub_key, priv_key);
++
++ if ((pk = EVP_PKEY_new()) == NULL)
++ goto err;
++
++ EVP_PKEY_assign_DSA(pk, dsa);
++
++ if (!fips_pkey_signature_test(pk, NULL, 0,
++ NULL, 0, EVP_sha256(), 0, "DSA SHA256"))
++ goto err;
++ ret = 1;
++
++ err:
++ if (pk)
++ EVP_PKEY_free(pk);
++ else if (dsa)
++ DSA_free(dsa);
++ else {
++ BN_free(p);
++ BN_free(q);
++ BN_free(g);
++ BN_free(pub_key);
++ BN_free(priv_key);
++ }
++ return ret;
++}
++#endif
+diff -up openssl-1.1.1-pre8/crypto/fips/fips_ecdh_selftest.c.fips openssl-1.1.1-pre8/crypto/fips/fips_ecdh_selftest.c
+--- openssl-1.1.1-pre8/crypto/fips/fips_ecdh_selftest.c.fips 2018-07-25 17:26:58.408624776 +0200
++++ openssl-1.1.1-pre8/crypto/fips/fips_ecdh_selftest.c 2018-07-25 17:26:58.408624776 +0200
+@@ -0,0 +1,242 @@
++/* fips/ecdh/fips_ecdh_selftest.c */
++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
++ * project 2011.
++ */
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ *
++ */
++
++#define OPENSSL_FIPSAPI
++
++#include <string.h>
++#include <openssl/crypto.h>
++#include <openssl/ec.h>
++#include <openssl/ecdh.h>
++#include <openssl/fips.h>
++#include <openssl/err.h>
++#include <openssl/evp.h>
++#include <openssl/bn.h>
++
++#ifdef OPENSSL_FIPS
++
++# include "fips_locl.h"
++
++static const unsigned char p256_qcavsx[] = {
++ 0x52, 0xc6, 0xa5, 0x75, 0xf3, 0x04, 0x98, 0xb3, 0x29, 0x66, 0x0c, 0x62,
++ 0x18, 0x60, 0x55, 0x41, 0x59, 0xd4, 0x60, 0x85, 0x99, 0xc1, 0x51, 0x13,
++ 0x6f, 0x97, 0x85, 0x93, 0x33, 0x34, 0x07, 0x50
++};
++
++static const unsigned char p256_qcavsy[] = {
++ 0x6f, 0x69, 0x24, 0xeb, 0xe9, 0x3b, 0xa7, 0xcc, 0x47, 0x17, 0xaa, 0x3f,
++ 0x70, 0xfc, 0x10, 0x73, 0x0a, 0xcd, 0x21, 0xee, 0x29, 0x19, 0x1f, 0xaf,
++ 0xb4, 0x1c, 0x1e, 0xc2, 0x8e, 0x97, 0x81, 0x6e
++};
++
++static const unsigned char p256_qiutx[] = {
++ 0x71, 0x46, 0x88, 0x08, 0x92, 0x21, 0x1b, 0x10, 0x21, 0x74, 0xff, 0x0c,
++ 0x94, 0xde, 0x34, 0x7c, 0x86, 0x74, 0xbe, 0x67, 0x41, 0x68, 0xd4, 0xc1,
++ 0xe5, 0x75, 0x63, 0x9c, 0xa7, 0x46, 0x93, 0x6f
++};
++
++static const unsigned char p256_qiuty[] = {
++ 0x33, 0x40, 0xa9, 0x6a, 0xf5, 0x20, 0xb5, 0x9e, 0xfc, 0x60, 0x1a, 0xae,
++ 0x3d, 0xf8, 0x21, 0xd2, 0xa7, 0xca, 0x52, 0x34, 0xb9, 0x5f, 0x27, 0x75,
++ 0x6c, 0x81, 0xbe, 0x32, 0x4d, 0xba, 0xbb, 0xf8
++};
++
++static const unsigned char p256_qiutd[] = {
++ 0x1a, 0x48, 0x55, 0x6b, 0x11, 0xbe, 0x92, 0xd4, 0x1c, 0xd7, 0x45, 0xc3,
++ 0x82, 0x81, 0x51, 0xf1, 0x23, 0x40, 0xb7, 0x83, 0xfd, 0x01, 0x6d, 0xbc,
++ 0xa1, 0x66, 0xaf, 0x0a, 0x03, 0x23, 0xcd, 0xc8
++};
++
++static const unsigned char p256_ziut[] = {
++ 0x77, 0x2a, 0x1e, 0x37, 0xee, 0xe6, 0x51, 0x02, 0x71, 0x40, 0xf8, 0x6a,
++ 0x36, 0xf8, 0x65, 0x61, 0x2b, 0x18, 0x71, 0x82, 0x23, 0xe6, 0xf2, 0x77,
++ 0xce, 0xec, 0xb8, 0x49, 0xc7, 0xbf, 0x36, 0x4f
++};
++
++typedef struct {
++ int curve;
++ const unsigned char *x1;
++ size_t x1len;
++ const unsigned char *y1;
++ size_t y1len;
++ const unsigned char *d1;
++ size_t d1len;
++ const unsigned char *x2;
++ size_t x2len;
++ const unsigned char *y2;
++ size_t y2len;
++ const unsigned char *z;
++ size_t zlen;
++} ECDH_SELFTEST_DATA;
++
++# define make_ecdh_test(nid, pr) { nid, \
++ pr##_qiutx, sizeof(pr##_qiutx), \
++ pr##_qiuty, sizeof(pr##_qiuty), \
++ pr##_qiutd, sizeof(pr##_qiutd), \
++ pr##_qcavsx, sizeof(pr##_qcavsx), \
++ pr##_qcavsy, sizeof(pr##_qcavsy), \
++ pr##_ziut, sizeof(pr##_ziut) }
++
++static ECDH_SELFTEST_DATA test_ecdh_data[] = {
++ make_ecdh_test(NID_X9_62_prime256v1, p256),
++};
++
++int FIPS_selftest_ecdh(void)
++{
++ EC_KEY *ec1 = NULL, *ec2 = NULL;
++ const EC_POINT *ecp = NULL;
++ BIGNUM *x = NULL, *y = NULL, *d = NULL;
++ unsigned char *ztmp = NULL;
++ int rv = 1;
++ size_t i;
++
++ for (i = 0; i < sizeof(test_ecdh_data) / sizeof(ECDH_SELFTEST_DATA); i++) {
++ ECDH_SELFTEST_DATA *ecd = test_ecdh_data + i;
++ if (!fips_post_started(FIPS_TEST_ECDH, ecd->curve, 0))
++ continue;
++ ztmp = OPENSSL_malloc(ecd->zlen);
++
++ x = BN_bin2bn(ecd->x1, ecd->x1len, x);
++ y = BN_bin2bn(ecd->y1, ecd->y1len, y);
++ d = BN_bin2bn(ecd->d1, ecd->d1len, d);
++
++ if (!x || !y || !d || !ztmp) {
++ rv = -1;
++ goto err;
++ }
++
++ ec1 = EC_KEY_new_by_curve_name(ecd->curve);
++ if (!ec1) {
++ rv = -1;
++ goto err;
++ }
++ EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH);
++
++ if (!EC_KEY_set_public_key_affine_coordinates(ec1, x, y)) {
++ rv = -1;
++ goto err;
++ }
++
++ if (!EC_KEY_set_private_key(ec1, d)) {
++ rv = -1;
++ goto err;
++ }
++
++ x = BN_bin2bn(ecd->x2, ecd->x2len, x);
++ y = BN_bin2bn(ecd->y2, ecd->y2len, y);
++
++ if (!x || !y) {
++ rv = -1;
++ goto err;
++ }
++
++ ec2 = EC_KEY_new_by_curve_name(ecd->curve);
++ if (!ec2) {
++ rv = -1;
++ goto err;
++ }
++ EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH);
++
++ if (!EC_KEY_set_public_key_affine_coordinates(ec2, x, y)) {
++ rv = -1;
++ goto err;
++ }
++
++ ecp = EC_KEY_get0_public_key(ec2);
++ if (!ecp) {
++ rv = -1;
++ goto err;
++ }
++
++ if (!ECDH_compute_key(ztmp, ecd->zlen, ecp, ec1, 0)) {
++ rv = -1;
++ goto err;
++ }
++
++ if (!fips_post_corrupt(FIPS_TEST_ECDH, ecd->curve, NULL))
++ ztmp[0] ^= 0x1;
++
++ if (memcmp(ztmp, ecd->z, ecd->zlen)) {
++ fips_post_failed(FIPS_TEST_ECDH, ecd->curve, 0);
++ rv = 0;
++ } else if (!fips_post_success(FIPS_TEST_ECDH, ecd->curve, 0))
++ goto err;
++
++ EC_KEY_free(ec1);
++ ec1 = NULL;
++ EC_KEY_free(ec2);
++ ec2 = NULL;
++ OPENSSL_free(ztmp);
++ ztmp = NULL;
++ }
++
++ err:
++
++ if (x)
++ BN_clear_free(x);
++ if (y)
++ BN_clear_free(y);
++ if (d)
++ BN_clear_free(d);
++ if (ec1)
++ EC_KEY_free(ec1);
++ if (ec2)
++ EC_KEY_free(ec2);
++ if (ztmp)
++ OPENSSL_free(ztmp);
++
++ return rv;
++
++}
++
++#endif
+diff -up openssl-1.1.1-pre8/crypto/fips/fips_ecdsa_selftest.c.fips openssl-1.1.1-pre8/crypto/fips/fips_ecdsa_selftest.c
+--- openssl-1.1.1-pre8/crypto/fips/fips_ecdsa_selftest.c.fips 2018-07-25 17:26:58.408624776 +0200
++++ openssl-1.1.1-pre8/crypto/fips/fips_ecdsa_selftest.c 2018-07-25 17:26:58.408624776 +0200
+@@ -0,0 +1,166 @@
++/* fips/ecdsa/fips_ecdsa_selftest.c */
++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
++ * project 2011.
++ */
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ *
++ */
++
++#define OPENSSL_FIPSAPI
++
++#include <string.h>
++#include <openssl/crypto.h>
++#include <openssl/ec.h>
++#include <openssl/ecdsa.h>
++#include <openssl/fips.h>
++#include "internal/fips_int.h"
++#include <openssl/err.h>
++#include <openssl/evp.h>
++#include <openssl/bn.h>
++
++#ifdef OPENSSL_FIPS
++
++static const char P_256_name[] = "ECDSA P-256";
++
++static const unsigned char P_256_d[] = {
++ 0x51, 0xbd, 0x06, 0xa1, 0x1c, 0xda, 0xe2, 0x12, 0x99, 0xc9, 0x52, 0x3f,
++ 0xea, 0xa4, 0xd2, 0xd1, 0xf4, 0x7f, 0xd4, 0x3e, 0xbd, 0xf8, 0xfc, 0x87,
++ 0xdc, 0x82, 0x53, 0x21, 0xee, 0xa0, 0xdc, 0x64
++};
++
++static const unsigned char P_256_qx[] = {
++ 0x23, 0x89, 0xe0, 0xf4, 0x69, 0xe0, 0x49, 0xe5, 0xc7, 0xe5, 0x40, 0x6e,
++ 0x8f, 0x25, 0xdd, 0xad, 0x11, 0x16, 0x14, 0x9b, 0xab, 0x44, 0x06, 0x31,
++ 0xbf, 0x5e, 0xa6, 0x44, 0xac, 0x86, 0x00, 0x07
++};
++
++static const unsigned char P_256_qy[] = {
++ 0xb3, 0x05, 0x0d, 0xd0, 0xdc, 0xf7, 0x40, 0xe6, 0xf9, 0xd8, 0x6d, 0x7b,
++ 0x63, 0xca, 0x97, 0xe6, 0x12, 0xf9, 0xd4, 0x18, 0x59, 0xbe, 0xb2, 0x5e,
++ 0x4a, 0x6a, 0x77, 0x23, 0xf4, 0x11, 0x9d, 0xeb
++};
++
++typedef struct {
++ int curve;
++ const char *name;
++ const unsigned char *x;
++ size_t xlen;
++ const unsigned char *y;
++ size_t ylen;
++ const unsigned char *d;
++ size_t dlen;
++} EC_SELFTEST_DATA;
++
++# define make_ecdsa_test(nid, pr) { nid, pr##_name, \
++ pr##_qx, sizeof(pr##_qx), \
++ pr##_qy, sizeof(pr##_qy), \
++ pr##_d, sizeof(pr##_d)}
++
++static EC_SELFTEST_DATA test_ec_data[] = {
++ make_ecdsa_test(NID_X9_62_prime256v1, P_256),
++};
++
++int FIPS_selftest_ecdsa()
++{
++ EC_KEY *ec = NULL;
++ BIGNUM *x = NULL, *y = NULL, *d = NULL;
++ EVP_PKEY *pk = NULL;
++ int rv = 0;
++ size_t i;
++
++ for (i = 0; i < sizeof(test_ec_data) / sizeof(EC_SELFTEST_DATA); i++) {
++ EC_SELFTEST_DATA *ecd = test_ec_data + i;
++
++ x = BN_bin2bn(ecd->x, ecd->xlen, x);
++ y = BN_bin2bn(ecd->y, ecd->ylen, y);
++ d = BN_bin2bn(ecd->d, ecd->dlen, d);
++
++ if (!x || !y || !d)
++ goto err;
++
++ ec = EC_KEY_new_by_curve_name(ecd->curve);
++ if (!ec)
++ goto err;
++
++ if (!EC_KEY_set_public_key_affine_coordinates(ec, x, y))
++ goto err;
++
++ if (!EC_KEY_set_private_key(ec, d))
++ goto err;
++
++ if ((pk = EVP_PKEY_new()) == NULL)
++ goto err;
++
++ EVP_PKEY_assign_EC_KEY(pk, ec);
++
++ if (!fips_pkey_signature_test(pk, NULL, 0,
++ NULL, 0, EVP_sha256(), 0, ecd->name))
++ goto err;
++ }
++
++ rv = 1;
++
++ err:
++
++ if (x)
++ BN_clear_free(x);
++ if (y)
++ BN_clear_free(y);
++ if (d)
++ BN_clear_free(d);
++ if (pk)
++ EVP_PKEY_free(pk);
++ else if (ec)
++ EC_KEY_free(ec);
++
++ return rv;
++
++}
++
++#endif
+diff -up openssl-1.1.1-pre8/crypto/fips/fips_enc.c.fips openssl-1.1.1-pre8/crypto/fips/fips_enc.c
+--- openssl-1.1.1-pre8/crypto/fips/fips_enc.c.fips 2018-07-25 17:26:58.408624776 +0200
++++ openssl-1.1.1-pre8/crypto/fips/fips_enc.c 2018-07-25 17:26:58.408624776 +0200
+@@ -0,0 +1,189 @@
++/* fipe/evp/fips_enc.c */
++/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
++ * All rights reserved.
++ *
++ * This package is an SSL implementation written
++ * by Eric Young (eay@cryptsoft.com).
++ * The implementation was written so as to conform with Netscapes SSL.
++ *
++ * This library is free for commercial and non-commercial use as long as
++ * the following conditions are aheared to. The following conditions
++ * apply to all code found in this distribution, be it the RC4, RSA,
++ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
++ * included with this distribution is covered by the same copyright terms
++ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
++ *
++ * Copyright remains Eric Young's, and as such any Copyright notices in
++ * the code are not to be removed.
++ * If this package is used in a product, Eric Young should be given attribution
++ * as the author of the parts of the library used.
++ * This can be in the form of a textual message at program startup or
++ * in documentation (online or textual) provided with the package.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the copyright
++ * notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ * 3. All advertising materials mentioning features or use of this software
++ * must display the following acknowledgement:
++ * "This product includes cryptographic software written by
++ * Eric Young (eay@cryptsoft.com)"
++ * The word 'cryptographic' can be left out if the rouines from the library
++ * being used are not cryptographic related :-).
++ * 4. If you include any Windows specific code (or a derivative thereof) from
++ * the apps directory (application code) you must include an acknowledgement:
++ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
++ * SUCH DAMAGE.
++ *
++ * The licence and distribution terms for any publically available version or
++ * derivative of this code cannot be changed. i.e. this code cannot simply be
++ * copied and put under another distribution licence
++ * [including the GNU Public Licence.]
++ */
++
++#include <stdio.h>
++#include <string.h>
++#include <openssl/evp.h>
++#include <openssl/err.h>
++#include <openssl/fips.h>
++
++const EVP_CIPHER *FIPS_get_cipherbynid(int nid)
++{
++ switch (nid) {
++ case NID_aes_128_cbc:
++ return EVP_aes_128_cbc();
++
++ case NID_aes_128_ccm:
++ return EVP_aes_128_ccm();
++
++ case NID_aes_128_cfb1:
++ return EVP_aes_128_cfb1();
++
++ case NID_aes_128_cfb128:
++ return EVP_aes_128_cfb128();
++
++ case NID_aes_128_cfb8:
++ return EVP_aes_128_cfb8();
++
++ case NID_aes_128_ctr:
++ return EVP_aes_128_ctr();
++
++ case NID_aes_128_ecb:
++ return EVP_aes_128_ecb();
++
++ case NID_aes_128_gcm:
++ return EVP_aes_128_gcm();
++
++ case NID_aes_128_ofb128:
++ return EVP_aes_128_ofb();
++
++ case NID_aes_128_xts:
++ return EVP_aes_128_xts();
++
++ case NID_aes_192_cbc:
++ return EVP_aes_192_cbc();
++
++ case NID_aes_192_ccm:
++ return EVP_aes_192_ccm();
++
++ case NID_aes_192_cfb1:
++ return EVP_aes_192_cfb1();
++
++ case NID_aes_192_cfb128:
++ return EVP_aes_192_cfb128();
++
++ case NID_aes_192_cfb8:
++ return EVP_aes_192_cfb8();
++
++ case NID_aes_192_ctr:
++ return EVP_aes_192_ctr();
++
++ case NID_aes_192_ecb:
++ return EVP_aes_192_ecb();
++
++ case NID_aes_192_gcm:
++ return EVP_aes_192_gcm();
++
++ case NID_aes_192_ofb128:
++ return EVP_aes_192_ofb();
++
++ case NID_aes_256_cbc:
++ return EVP_aes_256_cbc();
++
++ case NID_aes_256_ccm:
++ return EVP_aes_256_ccm();
++
++ case NID_aes_256_cfb1:
++ return EVP_aes_256_cfb1();
++
++ case NID_aes_256_cfb128:
++ return EVP_aes_256_cfb128();
++
++ case NID_aes_256_cfb8:
++ return EVP_aes_256_cfb8();
++
++ case NID_aes_256_ctr:
++ return EVP_aes_256_ctr();
++
++ case NID_aes_256_ecb:
++ return EVP_aes_256_ecb();
++
++ case NID_aes_256_gcm:
++ return EVP_aes_256_gcm();
++
++ case NID_aes_256_ofb128:
++ return EVP_aes_256_ofb();
++
++ case NID_aes_256_xts:
++ return EVP_aes_256_xts();
++
++ case NID_des_ede_ecb:
++ return EVP_des_ede();
++
++ case NID_des_ede3_ecb:
++ return EVP_des_ede3();
++
++ case NID_des_ede3_cbc:
++ return EVP_des_ede3_cbc();
++
++ case NID_des_ede3_cfb1:
++ return EVP_des_ede3_cfb1();
++
++ case NID_des_ede3_cfb64:
++ return EVP_des_ede3_cfb64();
++
++ case NID_des_ede3_cfb8:
++ return EVP_des_ede3_cfb8();
++
++ case NID_des_ede3_ofb64:
++ return EVP_des_ede3_ofb();
++
++ case NID_des_ede_cbc:
++ return EVP_des_ede_cbc();
++
++ case NID_des_ede_cfb64:
++ return EVP_des_ede_cfb64();
++
++ case NID_des_ede_ofb64:
++ return EVP_des_ede_ofb();
++
++ default:
++ return NULL;
++
++ }
++}
+diff -up openssl-1.1.1-pre8/crypto/fips/fips_err.h.fips openssl-1.1.1-pre8/crypto/fips/fips_err.h
+--- openssl-1.1.1-pre8/crypto/fips/fips_err.h.fips 2018-07-25 17:26:58.408624776 +0200
++++ openssl-1.1.1-pre8/crypto/fips/fips_err.h 2018-07-25 17:26:58.408624776 +0200
+@@ -0,0 +1,196 @@
++/* crypto/fips_err.h */
++/* ====================================================================
++ * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ *
++ * This product includes cryptographic software written by Eric Young
++ * (eay@cryptsoft.com). This product includes software written by Tim
++ * Hudson (tjh@cryptsoft.com).
++ *
++ */
++
++/*
++ * NOTE: this file was auto generated by the mkerr.pl script: any changes
++ * made to it will be overwritten when the script next updates this file,
++ * only reason strings will be preserved.
++ */
++
++#include <stdio.h>
++#include <openssl/err.h>
++#include <openssl/fips.h>
++
++/* BEGIN ERROR CODES */
++#ifndef OPENSSL_NO_ERR
++
++# define ERR_FUNC(func) ERR_PACK(ERR_LIB_FIPS,func,0)
++# define ERR_REASON(reason) ERR_PACK(ERR_LIB_FIPS,0,reason)
++
++static ERR_STRING_DATA FIPS_str_functs[] = {
++ {ERR_FUNC(FIPS_F_DH_BUILTIN_GENPARAMS), "dh_builtin_genparams"},
++ {ERR_FUNC(FIPS_F_DRBG_RESEED), "drbg_reseed"},
++ {ERR_FUNC(FIPS_F_DSA_BUILTIN_PARAMGEN2), "dsa_builtin_paramgen2"},
++ {ERR_FUNC(FIPS_F_DSA_DO_SIGN), "DSA_do_sign"},
++ {ERR_FUNC(FIPS_F_DSA_DO_VERIFY), "DSA_do_verify"},
++ {ERR_FUNC(FIPS_F_ECDH_COMPUTE_KEY), "ECDH_compute_key"},
++ {ERR_FUNC(FIPS_F_EVP_CIPHER_CTX_NEW), "EVP_CIPHER_CTX_new"},
++ {ERR_FUNC(FIPS_F_EVP_CIPHER_CTX_RESET), "EVP_CIPHER_CTX_reset"},
++ {ERR_FUNC(FIPS_F_FIPS_CHECK_DSA), "fips_check_dsa"},
++ {ERR_FUNC(FIPS_F_FIPS_CHECK_EC), "fips_check_ec"},
++ {ERR_FUNC(FIPS_F_FIPS_CHECK_RSA), "fips_check_rsa"},
++ {ERR_FUNC(FIPS_F_FIPS_DRBG_BYTES), "fips_drbg_bytes"},
++ {ERR_FUNC(FIPS_F_FIPS_DRBG_CHECK), "fips_drbg_check"},
++ {ERR_FUNC(FIPS_F_FIPS_DRBG_CPRNG_TEST), "fips_drbg_cprng_test"},
++ {ERR_FUNC(FIPS_F_FIPS_DRBG_ERROR_CHECK), "fips_drbg_error_check"},
++ {ERR_FUNC(FIPS_F_FIPS_DRBG_GENERATE), "FIPS_drbg_generate"},
++ {ERR_FUNC(FIPS_F_FIPS_DRBG_INIT), "FIPS_drbg_init"},
++ {ERR_FUNC(FIPS_F_FIPS_DRBG_INSTANTIATE), "FIPS_drbg_instantiate"},
++ {ERR_FUNC(FIPS_F_FIPS_DRBG_NEW), "FIPS_drbg_new"},
++ {ERR_FUNC(FIPS_F_FIPS_DRBG_RESEED), "FIPS_drbg_reseed"},
++ {ERR_FUNC(FIPS_F_FIPS_DRBG_SINGLE_KAT), "FIPS_DRBG_SINGLE_KAT"},
++ {ERR_FUNC(FIPS_F_FIPS_GET_ENTROPY), "fips_get_entropy"},
++ {ERR_FUNC(FIPS_F_FIPS_MODULE_MODE_SET), "FIPS_module_mode_set"},
++ {ERR_FUNC(FIPS_F_FIPS_PKEY_SIGNATURE_TEST), "fips_pkey_signature_test"},
++ {ERR_FUNC(FIPS_F_FIPS_RAND_BYTES), "FIPS_rand_bytes"},
++ {ERR_FUNC(FIPS_F_FIPS_RAND_SEED), "FIPS_rand_seed"},
++ {ERR_FUNC(FIPS_F_FIPS_RAND_SET_METHOD), "FIPS_rand_set_method"},
++ {ERR_FUNC(FIPS_F_FIPS_RAND_STATUS), "FIPS_rand_status"},
++ {ERR_FUNC(FIPS_F_FIPS_RSA_BUILTIN_KEYGEN), "fips_rsa_builtin_keygen"},
++ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES), "FIPS_selftest_aes"},
++ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES_CCM), "FIPS_selftest_aes_ccm"},
++ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES_GCM), "FIPS_selftest_aes_gcm"},
++ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES_XTS), "FIPS_selftest_aes_xts"},
++ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_CMAC), "FIPS_selftest_cmac"},
++ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_DES), "FIPS_selftest_des"},
++ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_DSA), "FIPS_selftest_dsa"},
++ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_ECDSA), "FIPS_selftest_ecdsa"},
++ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_HMAC), "FIPS_selftest_hmac"},
++ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA1), "FIPS_selftest_sha1"},
++ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA2), "FIPS_selftest_sha2"},
++ {ERR_FUNC(FIPS_F_OSSL_ECDSA_SIGN_SIG), "ossl_ecdsa_sign_sig"},
++ {ERR_FUNC(FIPS_F_OSSL_ECDSA_VERIFY_SIG), "ossl_ecdsa_verify_sig"},
++ {ERR_FUNC(FIPS_F_RSA_BUILTIN_KEYGEN), "rsa_builtin_keygen"},
++ {ERR_FUNC(FIPS_F_RSA_OSSL_INIT), "rsa_ossl_init"},
++ {ERR_FUNC(FIPS_F_RSA_OSSL_PRIVATE_DECRYPT), "rsa_ossl_private_decrypt"},
++ {ERR_FUNC(FIPS_F_RSA_OSSL_PRIVATE_ENCRYPT), "rsa_ossl_private_encrypt"},
++ {ERR_FUNC(FIPS_F_RSA_OSSL_PUBLIC_DECRYPT), "rsa_ossl_public_decrypt"},
++ {ERR_FUNC(FIPS_F_RSA_OSSL_PUBLIC_ENCRYPT), "rsa_ossl_public_encrypt"},
++ {0, NULL}
++};
++
++static ERR_STRING_DATA FIPS_str_reasons[] = {
++ {ERR_REASON(FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED),
++ "additional input error undetected"},
++ {ERR_REASON(FIPS_R_ADDITIONAL_INPUT_TOO_LONG),
++ "additional input too long"},
++ {ERR_REASON(FIPS_R_ALREADY_INSTANTIATED), "already instantiated"},
++ {ERR_REASON(FIPS_R_DRBG_NOT_INITIALISED), "drbg not initialised"},
++ {ERR_REASON(FIPS_R_DRBG_STUCK), "drbg stuck"},
++ {ERR_REASON(FIPS_R_ENTROPY_ERROR_UNDETECTED), "entropy error undetected"},
++ {ERR_REASON(FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED),
++ "entropy not requested for reseed"},
++ {ERR_REASON(FIPS_R_ENTROPY_SOURCE_STUCK), "entropy source stuck"},
++ {ERR_REASON(FIPS_R_ERROR_INITIALISING_DRBG), "error initialising drbg"},
++ {ERR_REASON(FIPS_R_ERROR_INSTANTIATING_DRBG), "error instantiating drbg"},
++ {ERR_REASON(FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT),
++ "error retrieving additional input"},
++ {ERR_REASON(FIPS_R_ERROR_RETRIEVING_ENTROPY), "error retrieving entropy"},
++ {ERR_REASON(FIPS_R_ERROR_RETRIEVING_NONCE), "error retrieving nonce"},
++ {ERR_REASON(FIPS_R_FINGERPRINT_DOES_NOT_MATCH),
++ "fingerprint does not match"},
++ {ERR_REASON(FIPS_R_FIPS_MODE_ALREADY_SET), "fips mode already set"},
++ {ERR_REASON(FIPS_R_FIPS_SELFTEST_FAILED), "fips selftest failed"},
++ {ERR_REASON(FIPS_R_FUNCTION_ERROR), "function error"},
++ {ERR_REASON(FIPS_R_GENERATE_ERROR), "generate error"},
++ {ERR_REASON(FIPS_R_GENERATE_ERROR_UNDETECTED),
++ "generate error undetected"},
++ {ERR_REASON(FIPS_R_INSTANTIATE_ERROR), "instantiate error"},
++ {ERR_REASON(FIPS_R_INTERNAL_ERROR), "internal error"},
++ {ERR_REASON(FIPS_R_INVALID_KEY_LENGTH), "invalid key length"},
++ {ERR_REASON(FIPS_R_IN_ERROR_STATE), "in error state"},
++ {ERR_REASON(FIPS_R_KEY_TOO_SHORT), "key too short"},
++ {ERR_REASON(FIPS_R_NONCE_ERROR_UNDETECTED), "nonce error undetected"},
++ {ERR_REASON(FIPS_R_NON_FIPS_METHOD), "non fips method"},
++ {ERR_REASON(FIPS_R_NOPR_TEST1_FAILURE), "nopr test1 failure"},
++ {ERR_REASON(FIPS_R_NOPR_TEST2_FAILURE), "nopr test2 failure"},
++ {ERR_REASON(FIPS_R_NOT_INSTANTIATED), "not instantiated"},
++ {ERR_REASON(FIPS_R_PAIRWISE_TEST_FAILED), "pairwise test failed"},
++ {ERR_REASON(FIPS_R_PERSONALISATION_ERROR_UNDETECTED),
++ "personalisation error undetected"},
++ {ERR_REASON(FIPS_R_PERSONALISATION_STRING_TOO_LONG),
++ "personalisation string too long"},
++ {ERR_REASON(FIPS_R_PR_TEST1_FAILURE), "pr test1 failure"},
++ {ERR_REASON(FIPS_R_PR_TEST2_FAILURE), "pr test2 failure"},
++ {ERR_REASON(FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED),
++ "request length error undetected"},
++ {ERR_REASON(FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG),
++ "request too large for drbg"},
++ {ERR_REASON(FIPS_R_RESEED_COUNTER_ERROR), "reseed counter error"},
++ {ERR_REASON(FIPS_R_RESEED_ERROR), "reseed error"},
++ {ERR_REASON(FIPS_R_SELFTEST_FAILED), "selftest failed"},
++ {ERR_REASON(FIPS_R_SELFTEST_FAILURE), "selftest failure"},
++ {ERR_REASON(FIPS_R_TEST_FAILURE), "test failure"},
++ {ERR_REASON(FIPS_R_UNINSTANTIATE_ERROR), "uninstantiate error"},
++ {ERR_REASON(FIPS_R_UNINSTANTIATE_ZEROISE_ERROR),
++ "uninstantiate zeroise error"},
++ {ERR_REASON(FIPS_R_UNSUPPORTED_DRBG_TYPE), "unsupported drbg type"},
++ {ERR_REASON(FIPS_R_UNSUPPORTED_PLATFORM), "unsupported platform"},
++ {0, NULL}
++};
++
++#endif
++
++int ERR_load_FIPS_strings(void)
++{
++#ifndef OPENSSL_NO_ERR
++
++ if (ERR_func_error_string(FIPS_str_functs[0].error) == NULL) {
++ ERR_load_strings(0, FIPS_str_functs);
++ ERR_load_strings(0, FIPS_str_reasons);
++ }
++#endif
++ return 1;
++}
+diff -up openssl-1.1.1-pre8/crypto/fips/fips_ers.c.fips openssl-1.1.1-pre8/crypto/fips/fips_ers.c
+--- openssl-1.1.1-pre8/crypto/fips/fips_ers.c.fips 2018-07-25 17:26:58.408624776 +0200
++++ openssl-1.1.1-pre8/crypto/fips/fips_ers.c 2018-07-25 17:26:58.408624776 +0200
+@@ -0,0 +1,7 @@
++#include <openssl/opensslconf.h>
++
++#ifdef OPENSSL_FIPS
++# include "fips_err.h"
++#else
++static void *dummy = &dummy;
++#endif
+diff -up openssl-1.1.1-pre8/crypto/fips/fips_hmac_selftest.c.fips openssl-1.1.1-pre8/crypto/fips/fips_hmac_selftest.c
+--- openssl-1.1.1-pre8/crypto/fips/fips_hmac_selftest.c.fips 2018-07-25 17:26:58.409624800 +0200
++++ openssl-1.1.1-pre8/crypto/fips/fips_hmac_selftest.c 2018-07-25 17:26:58.409624800 +0200
+@@ -0,0 +1,134 @@
++/* ====================================================================
++ * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <string.h>
++#include <openssl/err.h>
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
++#include <openssl/hmac.h>
++
++#ifdef OPENSSL_FIPS
++typedef struct {
++ const EVP_MD *(*alg) (void);
++ const char *key, *iv;
++ unsigned char kaval[EVP_MAX_MD_SIZE];
++} HMAC_KAT;
++
++static const HMAC_KAT vector[] = {
++ {EVP_sha1,
++ /* from http://csrc.nist.gov/publications/fips/fips198/fips-198a.pdf */
++ "0123456789:;<=>?@ABC",
++ "Sample #2",
++ {0x09, 0x22, 0xd3, 0x40, 0x5f, 0xaa, 0x3d, 0x19,
++ 0x4f, 0x82, 0xa4, 0x58, 0x30, 0x73, 0x7d, 0x5c,
++ 0xc6, 0xc7, 0x5d, 0x24}
++ },
++ {EVP_sha224,
++ /* just keep extending the above... */
++ "0123456789:;<=>?@ABC",
++ "Sample #2",
++ {0xdd, 0xef, 0x0a, 0x40, 0xcb, 0x7d, 0x50, 0xfb,
++ 0x6e, 0xe6, 0xce, 0xa1, 0x20, 0xba, 0x26, 0xaa,
++ 0x08, 0xf3, 0x07, 0x75, 0x87, 0xb8, 0xad, 0x1b,
++ 0x8c, 0x8d, 0x12, 0xc7}
++ },
++ {EVP_sha256,
++ "0123456789:;<=>?@ABC",
++ "Sample #2",
++ {0xb8, 0xf2, 0x0d, 0xb5, 0x41, 0xea, 0x43, 0x09,
++ 0xca, 0x4e, 0xa9, 0x38, 0x0c, 0xd0, 0xe8, 0x34,
++ 0xf7, 0x1f, 0xbe, 0x91, 0x74, 0xa2, 0x61, 0x38,
++ 0x0d, 0xc1, 0x7e, 0xae, 0x6a, 0x34, 0x51, 0xd9}
++ },
++ {EVP_sha384,
++ "0123456789:;<=>?@ABC",
++ "Sample #2",
++ {0x08, 0xbc, 0xb0, 0xda, 0x49, 0x1e, 0x87, 0xad,
++ 0x9a, 0x1d, 0x6a, 0xce, 0x23, 0xc5, 0x0b, 0xf6,
++ 0xb7, 0x18, 0x06, 0xa5, 0x77, 0xcd, 0x49, 0x04,
++ 0x89, 0xf1, 0xe6, 0x23, 0x44, 0x51, 0x51, 0x9f,
++ 0x85, 0x56, 0x80, 0x79, 0x0c, 0xbd, 0x4d, 0x50,
++ 0xa4, 0x5f, 0x29, 0xe3, 0x93, 0xf0, 0xe8, 0x7f}
++ },
++ {EVP_sha512,
++ "0123456789:;<=>?@ABC",
++ "Sample #2",
++ {0x80, 0x9d, 0x44, 0x05, 0x7c, 0x5b, 0x95, 0x41,
++ 0x05, 0xbd, 0x04, 0x13, 0x16, 0xdb, 0x0f, 0xac,
++ 0x44, 0xd5, 0xa4, 0xd5, 0xd0, 0x89, 0x2b, 0xd0,
++ 0x4e, 0x86, 0x64, 0x12, 0xc0, 0x90, 0x77, 0x68,
++ 0xf1, 0x87, 0xb7, 0x7c, 0x4f, 0xae, 0x2c, 0x2f,
++ 0x21, 0xa5, 0xb5, 0x65, 0x9a, 0x4f, 0x4b, 0xa7,
++ 0x47, 0x02, 0xa3, 0xde, 0x9b, 0x51, 0xf1, 0x45,
++ 0xbd, 0x4f, 0x25, 0x27, 0x42, 0x98, 0x99, 0x05}
++ },
++};
++
++int FIPS_selftest_hmac()
++{
++ int n;
++ unsigned int outlen;
++ unsigned char out[EVP_MAX_MD_SIZE];
++ const EVP_MD *md;
++ const HMAC_KAT *t;
++
++ for (n = 0, t = vector; n < sizeof(vector) / sizeof(vector[0]); n++, t++) {
++ md = (*t->alg) ();
++ HMAC(md, t->key, strlen(t->key),
++ (const unsigned char *)t->iv, strlen(t->iv), out, &outlen);
++
++ if (memcmp(out, t->kaval, outlen)) {
++ FIPSerr(FIPS_F_FIPS_SELFTEST_HMAC, FIPS_R_SELFTEST_FAILED);
++ return 0;
++ }
++ }
++ return 1;
++}
++#endif
+diff -up openssl-1.1.1-pre8/crypto/fips/fips_locl.h.fips openssl-1.1.1-pre8/crypto/fips/fips_locl.h
+--- openssl-1.1.1-pre8/crypto/fips/fips_locl.h.fips 2018-07-25 17:26:58.409624800 +0200
++++ openssl-1.1.1-pre8/crypto/fips/fips_locl.h 2018-07-25 17:26:58.409624800 +0200
+@@ -0,0 +1,71 @@
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#ifdef OPENSSL_FIPS
++
++# ifdef __cplusplus
++extern "C" {
++# endif
++
++# define FIPS_MAX_CIPHER_TEST_SIZE 32
++# define fips_load_key_component(comp, pre) \
++ comp = BN_bin2bn(pre##_##comp, sizeof(pre##_##comp), NULL); \
++ if (!comp) \
++ goto err
++
++# define fips_post_started(id, subid, ex) 1
++# define fips_post_success(id, subid, ex) 1
++# define fips_post_failed(id, subid, ex) 1
++# define fips_post_corrupt(id, subid, ex) 1
++# define fips_post_status() 1
++
++# ifdef __cplusplus
++}
++# endif
++#endif
+diff -up openssl-1.1.1-pre8/crypto/fips/fips_md.c.fips openssl-1.1.1-pre8/crypto/fips/fips_md.c
+--- openssl-1.1.1-pre8/crypto/fips/fips_md.c.fips 2018-07-25 17:26:58.409624800 +0200
++++ openssl-1.1.1-pre8/crypto/fips/fips_md.c 2018-07-25 17:26:58.409624800 +0200
+@@ -0,0 +1,144 @@
++/* fips/evp/fips_md.c */
++/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
++ * All rights reserved.
++ *
++ * This package is an SSL implementation written
++ * by Eric Young (eay@cryptsoft.com).
++ * The implementation was written so as to conform with Netscapes SSL.
++ *
++ * This library is free for commercial and non-commercial use as long as
++ * the following conditions are aheared to. The following conditions
++ * apply to all code found in this distribution, be it the RC4, RSA,
++ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
++ * included with this distribution is covered by the same copyright terms
++ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
++ *
++ * Copyright remains Eric Young's, and as such any Copyright notices in
++ * the code are not to be removed.
++ * If this package is used in a product, Eric Young should be given attribution
++ * as the author of the parts of the library used.
++ * This can be in the form of a textual message at program startup or
++ * in documentation (online or textual) provided with the package.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the copyright
++ * notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ * 3. All advertising materials mentioning features or use of this software
++ * must display the following acknowledgement:
++ * "This product includes cryptographic software written by
++ * Eric Young (eay@cryptsoft.com)"
++ * The word 'cryptographic' can be left out if the rouines from the library
++ * being used are not cryptographic related :-).
++ * 4. If you include any Windows specific code (or a derivative thereof) from
++ * the apps directory (application code) you must include an acknowledgement:
++ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
++ * SUCH DAMAGE.
++ *
++ * The licence and distribution terms for any publically available version or
++ * derivative of this code cannot be changed. i.e. this code cannot simply be
++ * copied and put under another distribution licence
++ * [including the GNU Public Licence.]
++ */
++/* ====================================================================
++ * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ *
++ * This product includes cryptographic software written by Eric Young
++ * (eay@cryptsoft.com). This product includes software written by Tim
++ * Hudson (tjh@cryptsoft.com).
++ *
++ */
++
++/* Minimal standalone FIPS versions of Digest operations */
++
++#define OPENSSL_FIPSAPI
++
++#include <stdio.h>
++#include <string.h>
++#include <openssl/objects.h>
++#include <openssl/evp.h>
++#include <openssl/err.h>
++#include <openssl/fips.h>
++
++const EVP_MD *FIPS_get_digestbynid(int nid)
++{
++ switch (nid) {
++ case NID_sha1:
++ return EVP_sha1();
++
++ case NID_sha224:
++ return EVP_sha224();
++
++ case NID_sha256:
++ return EVP_sha256();
++
++ case NID_sha384:
++ return EVP_sha384();
++
++ case NID_sha512:
++ return EVP_sha512();
++
++ default:
++ return NULL;
++ }
++}
+diff -up openssl-1.1.1-pre8/crypto/fips/fips_post.c.fips openssl-1.1.1-pre8/crypto/fips/fips_post.c
+--- openssl-1.1.1-pre8/crypto/fips/fips_post.c.fips 2018-07-25 17:26:58.409624800 +0200
++++ openssl-1.1.1-pre8/crypto/fips/fips_post.c 2018-07-25 17:26:58.409624800 +0200
+@@ -0,0 +1,222 @@
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#define OPENSSL_FIPSAPI
++
++#include <openssl/crypto.h>
++#include <openssl/rand.h>
++#include <openssl/fips_rand.h>
++#include <openssl/err.h>
++#include <openssl/bio.h>
++#include <openssl/hmac.h>
++#include <openssl/rsa.h>
++#include <openssl/dsa.h>
++#include <openssl/evp.h>
++#include <string.h>
++#include <limits.h>
++
++#ifdef OPENSSL_FIPS
++
++/* Power on self test (POST) support functions */
++
++# include <openssl/fips.h>
++# include "internal/fips_int.h"
++# include "fips_locl.h"
++
++/* Run all selftests */
++int FIPS_selftest(void)
++{
++ int rv = 1;
++ if (!FIPS_selftest_drbg())
++ rv = 0;
++ if (!FIPS_selftest_sha1())
++ rv = 0;
++ if (!FIPS_selftest_sha2())
++ rv = 0;
++ if (!FIPS_selftest_hmac())
++ rv = 0;
++ if (!FIPS_selftest_cmac())
++ rv = 0;
++ if (!FIPS_selftest_aes())
++ rv = 0;
++ if (!FIPS_selftest_aes_ccm())
++ rv = 0;
++ if (!FIPS_selftest_aes_gcm())
++ rv = 0;
++ if (!FIPS_selftest_aes_xts())
++ rv = 0;
++ if (!FIPS_selftest_des())
++ rv = 0;
++ if (!FIPS_selftest_rsa())
++ rv = 0;
++ if (!FIPS_selftest_ecdsa())
++ rv = 0;
++ if (!FIPS_selftest_dsa())
++ rv = 0;
++ if (!FIPS_selftest_dh())
++ rv = 0;
++ if (!FIPS_selftest_ecdh())
++ rv = 0;
++ return rv;
++}
++
++/* Generalized public key test routine. Signs and verifies the data
++ * supplied in tbs using mesage digest md and setting option digest
++ * flags md_flags. If the 'kat' parameter is not NULL it will
++ * additionally check the signature matches it: a known answer test
++ * The string "fail_str" is used for identification purposes in case
++ * of failure. If "pkey" is NULL just perform a message digest check.
++ */
++
++int fips_pkey_signature_test(EVP_PKEY *pkey,
++ const unsigned char *tbs, int tbslen,
++ const unsigned char *kat, unsigned int katlen,
++ const EVP_MD *digest, unsigned int flags,
++ const char *fail_str)
++{
++ int ret = 0;
++ unsigned char sigtmp[256], *sig = sigtmp;
++ size_t siglen = sizeof(sigtmp);
++ EVP_MD_CTX *mctx;
++ EVP_PKEY_CTX *pctx;
++
++ if (digest == NULL)
++ digest = EVP_sha256();
++
++ mctx = EVP_MD_CTX_new();
++
++ if ((EVP_PKEY_id(pkey) == EVP_PKEY_RSA)
++ && (RSA_size(EVP_PKEY_get0_RSA(pkey)) > sizeof(sigtmp))) {
++ sig = OPENSSL_malloc(RSA_size(EVP_PKEY_get0_RSA(pkey)));
++ siglen = RSA_size(EVP_PKEY_get0_RSA(pkey));
++ }
++ if (!sig || ! mctx) {
++ EVP_MD_CTX_free(mctx);
++ FIPSerr(FIPS_F_FIPS_PKEY_SIGNATURE_TEST, ERR_R_MALLOC_FAILURE);
++ return 0;
++ }
++
++ if (tbslen == -1)
++ tbslen = strlen((char *)tbs);
++
++ if (EVP_DigestSignInit(mctx, &pctx, digest, NULL, pkey) <= 0)
++ goto error;
++
++ if (flags == EVP_MD_CTX_FLAG_PAD_PSS) {
++ EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING);
++ EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, 0);
++ }
++
++ if (EVP_DigestSignUpdate(mctx, tbs, tbslen) <= 0)
++ goto error;
++
++ if (EVP_DigestSignFinal(mctx, sig, &siglen) <= 0)
++ goto error;
++
++ if (kat && ((siglen != katlen) || memcmp(kat, sig, katlen)))
++ goto error;
++
++ if (EVP_DigestVerifyInit(mctx, &pctx, digest, NULL, pkey) <= 0)
++ goto error;
++
++ if (flags == EVP_MD_CTX_FLAG_PAD_PSS) {
++ EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING);
++ EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, 0);
++ }
++
++ if (EVP_DigestVerifyUpdate(mctx, tbs, tbslen) <= 0)
++ goto error;
++
++ ret = EVP_DigestVerifyFinal(mctx, sig, siglen);
++
++ error:
++ if (sig != sigtmp)
++ OPENSSL_free(sig);
++ EVP_MD_CTX_free(mctx);
++ if (ret <= 0) {
++ FIPSerr(FIPS_F_FIPS_PKEY_SIGNATURE_TEST, FIPS_R_TEST_FAILURE);
++ if (fail_str)
++ ERR_add_error_data(2, "Type=", fail_str);
++ return 0;
++ }
++ return 1;
++}
++
++/* Generalized symmetric cipher test routine. Encrypt data, verify result
++ * against known answer, decrypt and compare with original plaintext.
++ */
++
++int fips_cipher_test(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
++ const unsigned char *key,
++ const unsigned char *iv,
++ const unsigned char *plaintext,
++ const unsigned char *ciphertext, int len)
++{
++ unsigned char pltmp[FIPS_MAX_CIPHER_TEST_SIZE];
++ unsigned char citmp[FIPS_MAX_CIPHER_TEST_SIZE];
++
++ OPENSSL_assert(len <= FIPS_MAX_CIPHER_TEST_SIZE);
++ memset(pltmp, 0, FIPS_MAX_CIPHER_TEST_SIZE);
++ memset(citmp, 0, FIPS_MAX_CIPHER_TEST_SIZE);
++
++ if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 1) <= 0)
++ return 0;
++ if (EVP_Cipher(ctx, citmp, plaintext, len) <= 0)
++ return 0;
++ if (memcmp(citmp, ciphertext, len))
++ return 0;
++ if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 0) <= 0)
++ return 0;
++ if (EVP_Cipher(ctx, pltmp, citmp, len) <= 0)
++ return 0;
++ if (memcmp(pltmp, plaintext, len))
++ return 0;
++ return 1;
++}
++#endif
+diff -up openssl-1.1.1-pre8/crypto/fips/fips_rand_lcl.h.fips openssl-1.1.1-pre8/crypto/fips/fips_rand_lcl.h
+--- openssl-1.1.1-pre8/crypto/fips/fips_rand_lcl.h.fips 2018-07-25 17:26:58.409624800 +0200
++++ openssl-1.1.1-pre8/crypto/fips/fips_rand_lcl.h 2018-07-25 17:26:58.409624800 +0200
+@@ -0,0 +1,209 @@
++/* fips/rand/fips_rand_lcl.h */
++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
++ * project.
++ */
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++typedef struct drbg_hash_ctx_st DRBG_HASH_CTX;
++typedef struct drbg_hmac_ctx_st DRBG_HMAC_CTX;
++typedef struct drbg_ctr_ctx_st DRBG_CTR_CTX;
++
++/* 888 bits from 10.1 table 2 */
++#define HASH_PRNG_MAX_SEEDLEN 111
++
++struct drbg_hash_ctx_st {
++ const EVP_MD *md;
++ EVP_MD_CTX *mctx;
++ unsigned char V[HASH_PRNG_MAX_SEEDLEN];
++ unsigned char C[HASH_PRNG_MAX_SEEDLEN];
++ /* Temporary value storage: should always exceed max digest length */
++ unsigned char vtmp[HASH_PRNG_MAX_SEEDLEN];
++};
++
++struct drbg_hmac_ctx_st {
++ const EVP_MD *md;
++ HMAC_CTX *hctx;
++ unsigned char K[EVP_MAX_MD_SIZE];
++ unsigned char V[EVP_MAX_MD_SIZE];
++};
++
++struct drbg_ctr_ctx_st {
++ AES_KEY ks;
++ size_t keylen;
++ unsigned char K[32];
++ unsigned char V[16];
++ /* Temp variables used by derivation function */
++ AES_KEY df_ks;
++ AES_KEY df_kxks;
++ /* Temporary block storage used by ctr_df */
++ unsigned char bltmp[16];
++ size_t bltmp_pos;
++ unsigned char KX[48];
++};
++
++/* DRBG internal flags */
++
++/* Functions shouldn't call err library */
++#define DRBG_FLAG_NOERR 0x1
++/* Custom reseed checking */
++#define DRBG_CUSTOM_RESEED 0x2
++
++/* DRBG status values */
++/* not initialised */
++#define DRBG_STATUS_UNINITIALISED 0
++/* ok and ready to generate random bits */
++#define DRBG_STATUS_READY 1
++/* reseed required */
++#define DRBG_STATUS_RESEED 2
++/* fatal error condition */
++#define DRBG_STATUS_ERROR 3
++
++/* A default maximum length: larger than any reasonable value used in pratice */
++
++#define DRBG_MAX_LENGTH 0x7ffffff0
++/* Maximum DRBG block length: all md sizes are bigger than cipher blocks sizes
++ * so use max digest length.
++ */
++#define DRBG_MAX_BLOCK EVP_MAX_MD_SIZE
++
++#define DRBG_HEALTH_INTERVAL (1 << 24)
++
++/* DRBG context structure */
++
++struct drbg_ctx_st {
++ /* First types common to all implementations */
++ /* DRBG type: a NID for the underlying algorithm */
++ int type;
++ /* Various external flags */
++ unsigned int xflags;
++ /* Various internal use only flags */
++ unsigned int iflags;
++ /* Used for periodic health checks */
++ int health_check_cnt, health_check_interval;
++
++ /* The following parameters are setup by mechanism drbg_init() call */
++ int strength;
++ size_t blocklength;
++ size_t max_request;
++
++ size_t min_entropy, max_entropy;
++ size_t min_nonce, max_nonce;
++ size_t max_pers, max_adin;
++ unsigned int reseed_counter;
++ unsigned int reseed_interval;
++ size_t seedlen;
++ int status;
++ /* Application data: typically used by test get_entropy */
++ void *app_data;
++ /* Implementation specific structures */
++ union {
++ DRBG_HASH_CTX hash;
++ DRBG_HMAC_CTX hmac;
++ DRBG_CTR_CTX ctr;
++ } d;
++ /* Initialiase PRNG and setup callbacks below */
++ int (*init) (DRBG_CTX *ctx, int nid, int security, unsigned int flags);
++ /* Intantiate PRNG */
++ int (*instantiate) (DRBG_CTX *ctx,
++ const unsigned char *ent, size_t entlen,
++ const unsigned char *nonce, size_t noncelen,
++ const unsigned char *pers, size_t perslen);
++ /* reseed */
++ int (*reseed) (DRBG_CTX *ctx,
++ const unsigned char *ent, size_t entlen,
++ const unsigned char *adin, size_t adinlen);
++ /* generat output */
++ int (*generate) (DRBG_CTX *ctx,
++ unsigned char *out, size_t outlen,
++ const unsigned char *adin, size_t adinlen);
++ /* uninstantiate */
++ int (*uninstantiate) (DRBG_CTX *ctx);
++
++ /* Entropy source block length */
++ size_t entropy_blocklen;
++
++ /* entropy gathering function */
++ size_t (*get_entropy) (DRBG_CTX *ctx, unsigned char **pout,
++ int entropy, size_t min_len, size_t max_len);
++ /* Indicates we have finished with entropy buffer */
++ void (*cleanup_entropy) (DRBG_CTX *ctx, unsigned char *out, size_t olen);
++
++ /* nonce gathering function */
++ size_t (*get_nonce) (DRBG_CTX *ctx, unsigned char **pout,
++ int entropy, size_t min_len, size_t max_len);
++ /* Indicates we have finished with nonce buffer */
++ void (*cleanup_nonce) (DRBG_CTX *ctx, unsigned char *out, size_t olen);
++
++ /* Continuous random number test temporary area */
++ /* Last block */
++ unsigned char lb[EVP_MAX_MD_SIZE];
++ /* set if lb is valid */
++ int lb_valid;
++
++ /* Callbacks used when called through RAND interface */
++ /* Get any additional input for generate */
++ size_t (*get_adin) (DRBG_CTX *ctx, unsigned char **pout);
++ void (*cleanup_adin) (DRBG_CTX *ctx, unsigned char *out, size_t olen);
++ /* Callback for RAND_seed(), RAND_add() */
++ int (*rand_seed_cb) (DRBG_CTX *ctx, const void *buf, int num);
++ int (*rand_add_cb) (DRBG_CTX *ctx,
++ const void *buf, int num, double entropy);
++};
++
++int fips_drbg_ctr_init(DRBG_CTX *dctx);
++int fips_drbg_hash_init(DRBG_CTX *dctx);
++int fips_drbg_hmac_init(DRBG_CTX *dctx);
++int fips_drbg_kat(DRBG_CTX *dctx, int nid, unsigned int flags);
++int fips_drbg_cprng_test(DRBG_CTX *dctx, const unsigned char *out);
++
++#define FIPS_digestinit EVP_DigestInit
++#define FIPS_digestupdate EVP_DigestUpdate
++#define FIPS_digestfinal EVP_DigestFinal
++#define M_EVP_MD_size EVP_MD_size
+diff -up openssl-1.1.1-pre8/crypto/fips/fips_rand_lib.c.fips openssl-1.1.1-pre8/crypto/fips/fips_rand_lib.c
+--- openssl-1.1.1-pre8/crypto/fips/fips_rand_lib.c.fips 2018-07-25 17:26:58.409624800 +0200
++++ openssl-1.1.1-pre8/crypto/fips/fips_rand_lib.c 2018-07-25 17:26:58.409624800 +0200
+@@ -0,0 +1,234 @@
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++/* If we don't define _XOPEN_SOURCE_EXTENDED, struct timeval won't
++ be defined and gettimeofday() won't be declared with strict compilers
++ like DEC C in ANSI C mode. */
++#ifndef _XOPEN_SOURCE_EXTENDED
++# define _XOPEN_SOURCE_EXTENDED 1
++#endif
++
++#include <openssl/crypto.h>
++#include <openssl/rand.h>
++#include <openssl/err.h>
++#include <openssl/fips.h>
++#include "internal/fips_int.h"
++#include <openssl/fips_rand.h>
++#include "e_os.h"
++
++#if !(defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VXWORKS))
++# include <sys/time.h>
++#endif
++#if defined(OPENSSL_SYS_VXWORKS)
++# include <time.h>
++#endif
++#ifndef OPENSSL_SYS_WIN32
++# ifdef OPENSSL_UNISTD
++# include OPENSSL_UNISTD
++# else
++# include <unistd.h>
++# endif
++#endif
++
++/* FIPS API for PRNG use. Similar to RAND functionality but without
++ * ENGINE and additional checking for non-FIPS rand methods.
++ */
++
++static const RAND_METHOD *fips_rand_meth = NULL;
++static int fips_approved_rand_meth = 0;
++static int fips_rand_bits = 0;
++
++/* Allows application to override number of bits and uses non-FIPS methods */
++void FIPS_rand_set_bits(int nbits)
++{
++ fips_rand_bits = nbits;
++}
++
++int FIPS_rand_set_method(const RAND_METHOD *meth)
++{
++ if (!fips_rand_bits) {
++ if (meth == FIPS_drbg_method())
++ fips_approved_rand_meth = 1;
++ else {
++ fips_approved_rand_meth = 0;
++ if (FIPS_module_mode()) {
++ FIPSerr(FIPS_F_FIPS_RAND_SET_METHOD, FIPS_R_NON_FIPS_METHOD);
++ return 0;
++ }
++ }
++ }
++ fips_rand_meth = meth;
++ return 1;
++}
++
++const RAND_METHOD *FIPS_rand_get_method(void)
++{
++ return fips_rand_meth;
++}
++
++void FIPS_rand_reset(void)
++{
++ if (fips_rand_meth && fips_rand_meth->cleanup)
++ fips_rand_meth->cleanup();
++}
++
++int FIPS_rand_seed(const void *buf, int num)
++{
++ if (!fips_approved_rand_meth && FIPS_module_mode()) {
++ FIPSerr(FIPS_F_FIPS_RAND_SEED, FIPS_R_NON_FIPS_METHOD);
++ return 0;
++ }
++ if (fips_rand_meth && fips_rand_meth->seed)
++ fips_rand_meth->seed(buf, num);
++ return 1;
++}
++
++int FIPS_rand_bytes(unsigned char *buf, int num)
++{
++ if (!fips_approved_rand_meth && FIPS_module_mode()) {
++ FIPSerr(FIPS_F_FIPS_RAND_BYTES, FIPS_R_NON_FIPS_METHOD);
++ return 0;
++ }
++ if (fips_rand_meth && fips_rand_meth->bytes)
++ return fips_rand_meth->bytes(buf, num);
++ return 0;
++}
++
++int FIPS_rand_status(void)
++{
++ if (!fips_approved_rand_meth && FIPS_module_mode()) {
++ FIPSerr(FIPS_F_FIPS_RAND_STATUS, FIPS_R_NON_FIPS_METHOD);
++ return 0;
++ }
++ if (fips_rand_meth && fips_rand_meth->status)
++ return fips_rand_meth->status();
++ return 0;
++}
++
++/* Return instantiated strength of PRNG. For DRBG this is an internal
++ * parameter. Any other type of PRNG is not approved and returns 0 in
++ * FIPS mode and maximum 256 outside FIPS mode.
++ */
++
++int FIPS_rand_strength(void)
++{
++ if (fips_rand_bits)
++ return fips_rand_bits;
++ if (fips_approved_rand_meth == 1)
++ return FIPS_drbg_get_strength(FIPS_get_default_drbg());
++ else if (fips_approved_rand_meth == 0) {
++ if (FIPS_module_mode())
++ return 0;
++ else
++ return 256;
++ }
++ return 0;
++}
++
++void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr)
++{
++# ifdef OPENSSL_SYS_WIN32
++ FILETIME ft;
++# elif defined(OPENSSL_SYS_VXWORKS)
++ struct timespec ts;
++# else
++ struct timeval tv;
++# endif
++
++# ifndef GETPID_IS_MEANINGLESS
++ unsigned long pid;
++# endif
++
++# ifdef OPENSSL_SYS_WIN32
++ GetSystemTimeAsFileTime(&ft);
++ buf[0] = (unsigned char)(ft.dwHighDateTime & 0xff);
++ buf[1] = (unsigned char)((ft.dwHighDateTime >> 8) & 0xff);
++ buf[2] = (unsigned char)((ft.dwHighDateTime >> 16) & 0xff);
++ buf[3] = (unsigned char)((ft.dwHighDateTime >> 24) & 0xff);
++ buf[4] = (unsigned char)(ft.dwLowDateTime & 0xff);
++ buf[5] = (unsigned char)((ft.dwLowDateTime >> 8) & 0xff);
++ buf[6] = (unsigned char)((ft.dwLowDateTime >> 16) & 0xff);
++ buf[7] = (unsigned char)((ft.dwLowDateTime >> 24) & 0xff);
++# elif defined(OPENSSL_SYS_VXWORKS)
++ clock_gettime(CLOCK_REALTIME, &ts);
++ buf[0] = (unsigned char)(ts.tv_sec & 0xff);
++ buf[1] = (unsigned char)((ts.tv_sec >> 8) & 0xff);
++ buf[2] = (unsigned char)((ts.tv_sec >> 16) & 0xff);
++ buf[3] = (unsigned char)((ts.tv_sec >> 24) & 0xff);
++ buf[4] = (unsigned char)(ts.tv_nsec & 0xff);
++ buf[5] = (unsigned char)((ts.tv_nsec >> 8) & 0xff);
++ buf[6] = (unsigned char)((ts.tv_nsec >> 16) & 0xff);
++ buf[7] = (unsigned char)((ts.tv_nsec >> 24) & 0xff);
++# else
++ gettimeofday(&tv, NULL);
++ buf[0] = (unsigned char)(tv.tv_sec & 0xff);
++ buf[1] = (unsigned char)((tv.tv_sec >> 8) & 0xff);
++ buf[2] = (unsigned char)((tv.tv_sec >> 16) & 0xff);
++ buf[3] = (unsigned char)((tv.tv_sec >> 24) & 0xff);
++ buf[4] = (unsigned char)(tv.tv_usec & 0xff);
++ buf[5] = (unsigned char)((tv.tv_usec >> 8) & 0xff);
++ buf[6] = (unsigned char)((tv.tv_usec >> 16) & 0xff);
++ buf[7] = (unsigned char)((tv.tv_usec >> 24) & 0xff);
++# endif
++ buf[8] = (unsigned char)(*pctr & 0xff);
++ buf[9] = (unsigned char)((*pctr >> 8) & 0xff);
++ buf[10] = (unsigned char)((*pctr >> 16) & 0xff);
++ buf[11] = (unsigned char)((*pctr >> 24) & 0xff);
++
++ (*pctr)++;
++
++# ifndef GETPID_IS_MEANINGLESS
++ pid = (unsigned long)getpid();
++ buf[12] = (unsigned char)(pid & 0xff);
++ buf[13] = (unsigned char)((pid >> 8) & 0xff);
++ buf[14] = (unsigned char)((pid >> 16) & 0xff);
++ buf[15] = (unsigned char)((pid >> 24) & 0xff);
++# endif
++}
++
+diff -up openssl-1.1.1-pre8/crypto/fips/fips_randtest.c.fips openssl-1.1.1-pre8/crypto/fips/fips_randtest.c
+--- openssl-1.1.1-pre8/crypto/fips/fips_randtest.c.fips 2018-07-25 17:26:58.409624800 +0200
++++ openssl-1.1.1-pre8/crypto/fips/fips_randtest.c 2018-07-25 17:26:58.409624800 +0200
+@@ -0,0 +1,247 @@
++/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
++ * All rights reserved.
++ *
++ * This package is an SSL implementation written
++ * by Eric Young (eay@cryptsoft.com).
++ * The implementation was written so as to conform with Netscapes SSL.
++ *
++ * This library is free for commercial and non-commercial use as long as
++ * the following conditions are aheared to. The following conditions
++ * apply to all code found in this distribution, be it the RC4, RSA,
++ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
++ * included with this distribution is covered by the same copyright terms
++ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
++ *
++ * Copyright remains Eric Young's, and as such any Copyright notices in
++ * the code are not to be removed.
++ * If this package is used in a product, Eric Young should be given attribution
++ * as the author of the parts of the library used.
++ * This can be in the form of a textual message at program startup or
++ * in documentation (online or textual) provided with the package.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the copyright
++ * notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ * 3. All advertising materials mentioning features or use of this software
++ * must display the following acknowledgement:
++ * "This product includes cryptographic software written by
++ * Eric Young (eay@cryptsoft.com)"
++ * The word 'cryptographic' can be left out if the rouines from the library
++ * being used are not cryptographic related :-).
++ * 4. If you include any Windows specific code (or a derivative thereof) from
++ * the apps directory (application code) you must include an acknowledgement:
++ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
++ * SUCH DAMAGE.
++ *
++ * The licence and distribution terms for any publically available version or
++ * derivative of this code cannot be changed. i.e. this code cannot simply be
++ * copied and put under another distribution licence
++ * [including the GNU Public Licence.]
++ */
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <ctype.h>
++#include <openssl/rand.h>
++#include <openssl/fips_rand.h>
++#include <openssl/err.h>
++#include <openssl/bn.h>
++
++#include "e_os.h"
++
++#ifndef OPENSSL_FIPS
++int main(int argc, char *argv[])
++{
++ printf("No FIPS RAND support\n");
++ return (0);
++}
++
++#else
++
++# include "fips_utl.h"
++# include <openssl/fips.h>
++
++typedef struct {
++ unsigned char DT[16];
++ unsigned char V[16];
++ unsigned char R[16];
++} AES_PRNG_MCT;
++
++static const unsigned char aes_128_mct_key[16] =
++ { 0x9f, 0x5b, 0x51, 0x20, 0x0b, 0xf3, 0x34, 0xb5,
++ 0xd8, 0x2b, 0xe8, 0xc3, 0x72, 0x55, 0xc8, 0x48
++};
++
++static const AES_PRNG_MCT aes_128_mct_tv = {
++ /* DT */
++ {0x63, 0x76, 0xbb, 0xe5, 0x29, 0x02, 0xba, 0x3b,
++ 0x67, 0xc9, 0x25, 0xfa, 0x70, 0x1f, 0x11, 0xac},
++ /* V */
++ {0x57, 0x2c, 0x8e, 0x76, 0x87, 0x26, 0x47, 0x97,
++ 0x7e, 0x74, 0xfb, 0xdd, 0xc4, 0x95, 0x01, 0xd1},
++ /* R */
++ {0x48, 0xe9, 0xbd, 0x0d, 0x06, 0xee, 0x18, 0xfb,
++ 0xe4, 0x57, 0x90, 0xd5, 0xc3, 0xfc, 0x9b, 0x73}
++};
++
++static const unsigned char aes_192_mct_key[24] =
++ { 0xb7, 0x6c, 0x34, 0xd1, 0x09, 0x67, 0xab, 0x73,
++ 0x4d, 0x5a, 0xd5, 0x34, 0x98, 0x16, 0x0b, 0x91,
++ 0xbc, 0x35, 0x51, 0x16, 0x6b, 0xae, 0x93, 0x8a
++};
++
++static const AES_PRNG_MCT aes_192_mct_tv = {
++ /* DT */
++ {0x84, 0xce, 0x22, 0x7d, 0x91, 0x5a, 0xa3, 0xc9,
++ 0x84, 0x3c, 0x0a, 0xb3, 0xa9, 0x63, 0x15, 0x52},
++ /* V */
++ {0xb6, 0xaf, 0xe6, 0x8f, 0x99, 0x9e, 0x90, 0x64,
++ 0xdd, 0xc7, 0x7a, 0xc1, 0xbb, 0x90, 0x3a, 0x6d},
++ /* R */
++ {0xfc, 0x85, 0x60, 0x9a, 0x29, 0x6f, 0xef, 0x21,
++ 0xdd, 0x86, 0x20, 0x32, 0x8a, 0x29, 0x6f, 0x47}
++};
++
++static const unsigned char aes_256_mct_key[32] =
++ { 0x9b, 0x05, 0xc8, 0x68, 0xff, 0x47, 0xf8, 0x3a,
++ 0xa6, 0x3a, 0xa8, 0xcb, 0x4e, 0x71, 0xb2, 0xe0,
++ 0xb8, 0x7e, 0xf1, 0x37, 0xb6, 0xb4, 0xf6, 0x6d,
++ 0x86, 0x32, 0xfc, 0x1f, 0x5e, 0x1d, 0x1e, 0x50
++};
++
++static const AES_PRNG_MCT aes_256_mct_tv = {
++ /* DT */
++ {0x31, 0x6e, 0x35, 0x9a, 0xb1, 0x44, 0xf0, 0xee,
++ 0x62, 0x6d, 0x04, 0x46, 0xe0, 0xa3, 0x92, 0x4c},
++ /* V */
++ {0x4f, 0xcd, 0xc1, 0x87, 0x82, 0x1f, 0x4d, 0xa1,
++ 0x3e, 0x0e, 0x56, 0x44, 0x59, 0xe8, 0x83, 0xca},
++ /* R */
++ {0xc8, 0x87, 0xc2, 0x61, 0x5b, 0xd0, 0xb9, 0xe1,
++ 0xe7, 0xf3, 0x8b, 0xd7, 0x5b, 0xd5, 0xf1, 0x8d}
++};
++
++static void dump(const unsigned char *b, int n)
++{
++ while (n-- > 0) {
++ printf(" %02x", *b++);
++ }
++}
++
++static void compare(const unsigned char *result,
++ const unsigned char *expected, int n)
++{
++ int i;
++
++ for (i = 0; i < n; ++i)
++ if (result[i] != expected[i]) {
++ puts("Random test failed, got:");
++ dump(result, n);
++ puts("\n expected:");
++ dump(expected, n);
++ putchar('\n');
++ EXIT(1);
++ }
++}
++
++static void run_test(const unsigned char *key, int keylen,
++ const AES_PRNG_MCT * tv)
++{
++ unsigned char buf[16], dt[16];
++ int i, j;
++ FIPS_x931_reset();
++ FIPS_x931_test_mode();
++ FIPS_x931_set_key(key, keylen);
++ FIPS_x931_seed(tv->V, 16);
++ memcpy(dt, tv->DT, 16);
++ for (i = 0; i < 10000; i++) {
++ FIPS_x931_set_dt(dt);
++ FIPS_x931_bytes(buf, 16);
++ /* Increment DT */
++ for (j = 15; j >= 0; j--) {
++ dt[j]++;
++ if (dt[j])
++ break;
++ }
++ }
++
++ compare(buf, tv->R, 16);
++}
++
++int main()
++{
++ run_test(aes_128_mct_key, 16, &aes_128_mct_tv);
++ printf("FIPS PRNG test 1 done\n");
++ run_test(aes_192_mct_key, 24, &aes_192_mct_tv);
++ printf("FIPS PRNG test 2 done\n");
++ run_test(aes_256_mct_key, 32, &aes_256_mct_tv);
++ printf("FIPS PRNG test 3 done\n");
++ return 0;
++}
++
++#endif
+diff -up openssl-1.1.1-pre8/crypto/fips/fips_rsa_selftest.c.fips openssl-1.1.1-pre8/crypto/fips/fips_rsa_selftest.c
+--- openssl-1.1.1-pre8/crypto/fips/fips_rsa_selftest.c.fips 2018-07-25 17:26:58.410624824 +0200
++++ openssl-1.1.1-pre8/crypto/fips/fips_rsa_selftest.c 2018-07-25 17:26:58.410624824 +0200
+@@ -0,0 +1,578 @@
++/* ====================================================================
++ * Copyright (c) 2003-2007 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <string.h>
++#include <openssl/err.h>
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++# include "internal/fips_int.h"
++#endif
++#include <openssl/rsa.h>
++#include <openssl/evp.h>
++#include <openssl/bn.h>
++#include <openssl/opensslconf.h>
++#include "fips_locl.h"
++
++#ifdef OPENSSL_FIPS
++
++static int setrsakey(RSA *key)
++{
++ static const unsigned char keydata_n[] = {
++ 0x00, 0xc9, 0xd5, 0x6d, 0x9d, 0x90, 0xdb, 0x43, 0xd6, 0x02, 0xed, 0x96, 0x88, 0x13, 0x8a,
++ 0xb2, 0xbf, 0x6e, 0xa1, 0x06, 0x10, 0xb2, 0x78, 0x37, 0xa7, 0x14, 0xa8, 0xff, 0xdd, 0x00,
++ 0xdd, 0xb4, 0x93, 0xa0, 0x45, 0xcc, 0x96, 0x90, 0xed, 0xad, 0xa9, 0xdd, 0xc4, 0xd6, 0xca,
++ 0x0c, 0xf0, 0xed, 0x4f, 0x72, 0x5e, 0x21, 0x49, 0x9a, 0x18, 0x12, 0x15, 0x8f, 0x90, 0x5a,
++ 0xdb, 0xb6, 0x33, 0x99, 0xa3, 0xe6, 0xb4, 0xf0, 0xc4, 0x97, 0x21, 0x26, 0xbb, 0xe3, 0xba,
++ 0xf2, 0xff, 0xa0, 0x72, 0xda, 0x89, 0x63, 0x8e, 0x8b, 0x3e, 0x08, 0x9d, 0x92, 0x2a, 0xbe,
++ 0x16, 0xe1, 0x43, 0x15, 0xfc, 0x57, 0xc7, 0x1f, 0x09, 0x11, 0x67, 0x1c, 0xa9, 0x96, 0xd1,
++ 0x8b, 0x3e, 0x80, 0x93, 0xc1, 0x59, 0xd0, 0x6d, 0x39, 0xf2, 0xac, 0x95, 0xcc, 0x10, 0x75,
++ 0xe9, 0x31, 0x24, 0xd1, 0x43, 0xaf, 0x68, 0x52, 0x4b, 0xe7, 0x16, 0xd7, 0x49, 0x65, 0x6f,
++ 0x26, 0xc0, 0x86, 0xad, 0xc0, 0x07, 0x0a, 0xc1, 0xe1, 0x2f, 0x87, 0x85, 0x86, 0x3b, 0xdc,
++ 0x5a, 0x99, 0xbe, 0xe9, 0xf9, 0xb9, 0xe9, 0x82, 0x27, 0x51, 0x04, 0x15, 0xab, 0x06, 0x0e,
++ 0x76, 0x5a, 0x28, 0x8d, 0x92, 0xbd, 0xc5, 0xb5, 0x7b, 0xa8, 0xdf, 0x4e, 0x47, 0xa2, 0xc1,
++ 0xe7, 0x52, 0xbf, 0x47, 0xf7, 0x62, 0xe0, 0x3a, 0x6f, 0x4d, 0x6a, 0x4d, 0x4e, 0xd4, 0xb9,
++ 0x59, 0x69, 0xfa, 0xb2, 0x14, 0xc1, 0xee, 0xe6, 0x2f, 0x95, 0xcd, 0x94, 0x72, 0xae, 0xe4,
++ 0xdb, 0x18, 0x9a, 0xc4, 0xcd, 0x70, 0xbd, 0xee, 0x31, 0x16, 0xb7, 0x49, 0x65, 0xac, 0x40,
++ 0x19, 0x0e, 0xb5, 0x6d, 0x83, 0xf1, 0x36, 0xbb, 0x08, 0x2f, 0x2e, 0x4e, 0x92, 0x62, 0xa4,
++ 0xff, 0x50, 0xdb, 0x20, 0x45, 0xa2, 0xeb, 0x16, 0x7a, 0xf2, 0xd5, 0x28, 0xc1, 0xfd, 0x4e,
++ 0x03, 0x71
++ };
++
++ static const unsigned char keydata_e[] = { 0x01, 0x00, 0x01 };
++
++ static const unsigned char keydata_d[] = {
++ 0x36, 0x27, 0x3d, 0xb1, 0xf9, 0x1b, 0xdb, 0xa7, 0xa0, 0x41, 0x7f, 0x12, 0x23, 0xac, 0x23,
++ 0x29, 0x99, 0xd5, 0x3a, 0x7b, 0x60, 0x67, 0x41, 0x07, 0x63, 0x53, 0xb4, 0xd2, 0xe7, 0x58,
++ 0x95, 0x0a, 0xc7, 0x05, 0xf3, 0x4e, 0xb2, 0xb4, 0x12, 0xd4, 0x70, 0xdc, 0x4f, 0x85, 0x06,
++ 0xd3, 0xdd, 0xd8, 0x63, 0x27, 0x3e, 0x67, 0x31, 0x21, 0x24, 0x39, 0x04, 0xbc, 0x06, 0xa4,
++ 0xcc, 0xce, 0x2b, 0x7a, 0xfe, 0x7b, 0xad, 0xde, 0x11, 0x6e, 0xa3, 0xa5, 0xe6, 0x04, 0x53,
++ 0x0e, 0xa3, 0x4e, 0x2d, 0xb4, 0x8f, 0x31, 0xbf, 0xca, 0x75, 0x25, 0x52, 0x02, 0x85, 0xde,
++ 0x3d, 0xb2, 0x72, 0x43, 0xb2, 0x89, 0x8a, 0x9a, 0x34, 0x41, 0x26, 0x3f, 0x9a, 0x67, 0xbe,
++ 0xa4, 0x96, 0x7b, 0x0e, 0x75, 0xba, 0xa6, 0x93, 0xd5, 0xb8, 0xd8, 0xb8, 0x57, 0xf2, 0x4b,
++ 0x0f, 0x14, 0x81, 0xd1, 0x57, 0x4e, 0xf6, 0x45, 0x4c, 0xa6, 0x3b, 0xd0, 0x70, 0xca, 0xd3,
++ 0x9d, 0x55, 0xde, 0x22, 0x05, 0xe7, 0x8e, 0x28, 0x4d, 0xee, 0x11, 0xcf, 0xb6, 0x67, 0x76,
++ 0x09, 0xd3, 0xe3, 0x3c, 0x13, 0xf9, 0x99, 0x34, 0x10, 0x7b, 0xec, 0x81, 0x38, 0xf0, 0xb6,
++ 0x34, 0x9c, 0x9b, 0x50, 0x6f, 0x0b, 0x91, 0x81, 0x4d, 0x89, 0x94, 0x04, 0x7b, 0xf0, 0x3c,
++ 0xf4, 0xb1, 0xb2, 0x00, 0x48, 0x8d, 0x5a, 0x8f, 0x88, 0x9e, 0xc5, 0xab, 0x3a, 0x9e, 0x44,
++ 0x3f, 0x54, 0xe7, 0xd9, 0x6e, 0x47, 0xaa, 0xa1, 0xbd, 0x40, 0x46, 0x31, 0xf9, 0xf0, 0x34,
++ 0xb6, 0x04, 0xe1, 0x2b, 0x5b, 0x73, 0x86, 0xdd, 0x3a, 0x92, 0x1b, 0x71, 0xc7, 0x3f, 0x32,
++ 0xe5, 0xc3, 0xc2, 0xab, 0xa1, 0x7e, 0xbf, 0xa4, 0x52, 0xa0, 0xb0, 0x68, 0x90, 0xd1, 0x20,
++ 0x12, 0x79, 0xe9, 0xd7, 0xc9, 0x40, 0xba, 0xf2, 0x19, 0xc7, 0xa5, 0x00, 0x92, 0x86, 0x0d,
++ 0x01
++ };
++
++ static const unsigned char keydata_p[] = {
++ 0x00, 0xfc, 0x5c, 0x6e, 0x16, 0xce, 0x1f, 0x03, 0x7b, 0xcd, 0xf7, 0xb3, 0x72, 0xb2, 0x8f,
++ 0x16, 0x72, 0xb8, 0x56, 0xae, 0xf7, 0xcd, 0x67, 0xd8, 0x4e, 0x7d, 0x07, 0xaf, 0xd5, 0x43,
++ 0x26, 0xc3, 0x35, 0xbe, 0x43, 0x8f, 0x4e, 0x2f, 0x1c, 0x43, 0x4e, 0x6b, 0xd2, 0xb2, 0xec,
++ 0x52, 0x6d, 0x97, 0x52, 0x2b, 0xcc, 0x5c, 0x3a, 0x6b, 0xf4, 0x14, 0xc6, 0x74, 0xda, 0x66,
++ 0x38, 0x1c, 0x7a, 0x3f, 0x84, 0x2f, 0xe3, 0xf9, 0x5a, 0xb8, 0x65, 0x69, 0x46, 0x06, 0xa3,
++ 0x37, 0x79, 0xb2, 0xa1, 0x5b, 0x58, 0xed, 0x5e, 0xa7, 0x5f, 0x8c, 0x65, 0x66, 0xbb, 0xd1,
++ 0x24, 0x36, 0xe6, 0x37, 0xa7, 0x3d, 0x49, 0x77, 0x8a, 0x8c, 0x34, 0xd8, 0x69, 0x29, 0xf3,
++ 0x4d, 0x58, 0x22, 0xb0, 0x51, 0x24, 0xb6, 0x40, 0xa8, 0x86, 0x59, 0x0a, 0xb7, 0xba, 0x5c,
++ 0x97, 0xda, 0x57, 0xe8, 0x36, 0xda, 0x7a, 0x9c, 0xad
++ };
++
++ static const unsigned char keydata_q[] = {
++ 0x00, 0xcc, 0xbe, 0x7b, 0x09, 0x69, 0x06, 0xee, 0x45, 0xbf, 0x88, 0x47, 0x38, 0xa8, 0xf8,
++ 0x17, 0xe5, 0xb6, 0xba, 0x67, 0x55, 0xe3, 0xe8, 0x05, 0x8b, 0xb8, 0xe2, 0x53, 0xd6, 0x8e,
++ 0xef, 0x2c, 0xe7, 0x4f, 0x4a, 0xf7, 0x4e, 0x26, 0x8d, 0x85, 0x0b, 0x3f, 0xec, 0xc3, 0x1c,
++ 0xd4, 0xeb, 0xec, 0x6a, 0xc8, 0x72, 0x2a, 0x25, 0x7d, 0xfd, 0xa6, 0x77, 0x96, 0xf0, 0x1e,
++ 0xcd, 0x28, 0x57, 0xf8, 0x37, 0x30, 0x75, 0x6b, 0xbd, 0xd4, 0x7b, 0x0c, 0x87, 0xc5, 0x6c,
++ 0x87, 0x40, 0xa5, 0xbb, 0x27, 0x2c, 0x78, 0xc9, 0x74, 0x5a, 0x54, 0x5b, 0x0b, 0x30, 0x6f,
++ 0x44, 0x4a, 0xfa, 0x71, 0xe4, 0x21, 0x61, 0x66, 0xf9, 0xee, 0x65, 0xde, 0x7c, 0x04, 0xd7,
++ 0xfd, 0xa9, 0x15, 0x5b, 0x7f, 0xe2, 0x7a, 0xba, 0x69, 0x86, 0x72, 0xa6, 0x06, 0x8d, 0x9b,
++ 0x90, 0x55, 0x60, 0x9e, 0x4c, 0x5d, 0xa9, 0xb6, 0x55
++ };
++
++ static const unsigned char keydata_dmp1[] = {
++ 0x7a, 0xd6, 0x12, 0xd0, 0x0e, 0xec, 0x91, 0xa9, 0x85, 0x8b, 0xf8, 0x50, 0xf0, 0x11, 0x2e,
++ 0x00, 0x11, 0x32, 0x40, 0x60, 0x66, 0x1f, 0x11, 0xee, 0xc2, 0x75, 0x27, 0x65, 0x4b, 0x16,
++ 0x67, 0x16, 0x95, 0xd2, 0x14, 0xc3, 0x1d, 0xb3, 0x48, 0x1f, 0xb7, 0xe4, 0x0b, 0x2b, 0x74,
++ 0xc3, 0xdb, 0x50, 0x27, 0xf9, 0x85, 0x3a, 0xfa, 0xa9, 0x08, 0x23, 0xc1, 0x65, 0x3d, 0x34,
++ 0x3a, 0xc8, 0x56, 0x7a, 0x65, 0x45, 0x36, 0x6e, 0xae, 0x2a, 0xce, 0x9f, 0x43, 0x43, 0xd7,
++ 0x10, 0xe9, 0x9e, 0x18, 0xf4, 0xa4, 0x35, 0xda, 0x8a, 0x6b, 0xb0, 0x3f, 0xdd, 0x53, 0xe3,
++ 0xa8, 0xc5, 0x4e, 0x79, 0x9d, 0x1f, 0x51, 0x8c, 0xa2, 0xca, 0x66, 0x3c, 0x6a, 0x2a, 0xff,
++ 0x8e, 0xd2, 0xf3, 0xb7, 0xcb, 0x82, 0xda, 0xde, 0x2c, 0xe6, 0xd2, 0x8c, 0xb3, 0xad, 0xb6,
++ 0x4c, 0x95, 0x55, 0x76, 0xbd, 0xc9, 0xc8, 0xd1
++ };
++
++ static const unsigned char keydata_dmq1[] = {
++ 0x00, 0x83, 0x23, 0x1d, 0xbb, 0x11, 0x42, 0x17, 0x2b, 0x25, 0x5a, 0x2c, 0x03, 0xe6, 0x75,
++ 0xc1, 0x18, 0xa8, 0xc9, 0x0b, 0x96, 0xbf, 0xba, 0xc4, 0x92, 0x91, 0x80, 0xa5, 0x22, 0x2f,
++ 0xba, 0x91, 0x90, 0x36, 0x01, 0x56, 0x15, 0x00, 0x2c, 0x74, 0xa2, 0x97, 0xf7, 0x15, 0xa1,
++ 0x49, 0xdf, 0x32, 0x35, 0xd2, 0xdd, 0x0c, 0x91, 0xa6, 0xf8, 0xe7, 0xbe, 0x81, 0x36, 0x9b,
++ 0x03, 0xdc, 0x6b, 0x3b, 0xd8, 0x5d, 0x79, 0x57, 0xe0, 0xe6, 0x4f, 0x49, 0xdf, 0x4c, 0x5c,
++ 0x0e, 0xe5, 0x21, 0x41, 0x95, 0xfd, 0xad, 0xff, 0x9a, 0x3e, 0xa0, 0xf9, 0x0f, 0x59, 0x9e,
++ 0x6a, 0xa7, 0x7b, 0x71, 0xa7, 0x24, 0x9a, 0x36, 0x52, 0xae, 0x97, 0x20, 0xc1, 0x5e, 0x78,
++ 0xd9, 0x47, 0x8b, 0x1e, 0x67, 0xf2, 0xaf, 0x98, 0xe6, 0x2d, 0xef, 0x10, 0xd7, 0xf1, 0xab,
++ 0x49, 0xee, 0xe5, 0x4b, 0x7e, 0xae, 0x1f, 0x1d, 0x61
++ };
++
++ static const unsigned char keydata_iqmp[] = {
++ 0x23, 0x96, 0xc1, 0x91, 0x17, 0x5e, 0x0a, 0x83, 0xd2, 0xdc, 0x7b, 0x69, 0xb2, 0x59, 0x1d,
++ 0x33, 0x58, 0x52, 0x3f, 0x18, 0xc7, 0x09, 0x50, 0x1c, 0xb9, 0xa1, 0xbb, 0x4c, 0xa2, 0x38,
++ 0x40, 0x4c, 0x9a, 0x8e, 0xfe, 0x9c, 0x90, 0x92, 0xd0, 0x71, 0x9f, 0x89, 0x99, 0x50, 0x91,
++ 0x1f, 0x34, 0x8b, 0x74, 0x53, 0x11, 0x11, 0x4a, 0x70, 0xe2, 0xf7, 0x30, 0xd8, 0x8c, 0x80,
++ 0xe1, 0xcc, 0x9f, 0xf1, 0x63, 0x17, 0x1a, 0x7d, 0x67, 0x29, 0x4c, 0xcb, 0x4e, 0x74, 0x7b,
++ 0xe0, 0x3e, 0x9e, 0x2f, 0xf4, 0x67, 0x8f, 0xec, 0xb9, 0x5c, 0x00, 0x1e, 0x7e, 0xa2, 0x7b,
++ 0x92, 0xc9, 0x6f, 0x4c, 0xe4, 0x0e, 0xf9, 0x48, 0x63, 0xcd, 0x50, 0x22, 0x5d, 0xbf, 0xb6,
++ 0x9d, 0x01, 0x33, 0x6a, 0xf4, 0x50, 0xbe, 0x86, 0x98, 0x4f, 0xca, 0x3f, 0x3a, 0xfa, 0xcf,
++ 0x07, 0x40, 0xc4, 0xaa, 0xad, 0xae, 0xbe, 0xbf
++ };
++
++ int rv = 0;
++ BIGNUM *n = NULL, *e = NULL, *d = NULL, *p = NULL, *q = NULL, *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL;
++
++ fips_load_key_component(n, keydata);
++ fips_load_key_component(e, keydata);
++ fips_load_key_component(d, keydata);
++ fips_load_key_component(p, keydata);
++ fips_load_key_component(q, keydata);
++ fips_load_key_component(dmp1, keydata);
++ fips_load_key_component(dmq1, keydata);
++ fips_load_key_component(iqmp, keydata);
++
++ RSA_set0_key(key, n, e, d);
++ RSA_set0_factors(key, p, q);
++ RSA_set0_crt_params(key, dmp1, dmq1, iqmp);
++
++ rv = 1;
++err:
++ if (!rv) {
++ BN_free(n);
++ BN_free(e);
++ BN_free(d);
++ BN_free(p);
++ BN_free(q);
++ BN_free(dmp1);
++ BN_free(dmq1);
++ BN_free(iqmp);
++ }
++ return rv;
++}
++
++/* Known Answer Test (KAT) data for the above RSA private key signing
++ * kat_tbs.
++ */
++
++static const unsigned char kat_tbs[] =
++ "OpenSSL FIPS 140-2 Public Key RSA KAT";
++
++static const unsigned char kat_RSA_PSS_SHA1[] = {
++ 0xC2, 0x80, 0x82, 0x56, 0xD8, 0xA7, 0xB2, 0x9C, 0xF5, 0xD6, 0x3C, 0xE3,
++ 0xBF, 0xE9, 0x3A, 0x53, 0x40, 0xAE, 0xF2, 0xA9, 0x6A, 0x39, 0x49, 0x5B,
++ 0x05, 0x7F, 0x67, 0x38, 0x2E, 0x1D, 0xE1, 0x93, 0x22, 0x65, 0x79, 0x84,
++ 0x68, 0xFA, 0xD8, 0xAF, 0xA1, 0x98, 0x61, 0x6F, 0x44, 0x27, 0xA6, 0x8B,
++ 0xCF, 0x0E, 0x13, 0xA9, 0xCE, 0xD7, 0x6C, 0xD2, 0x38, 0xB5, 0x16, 0xB9,
++ 0x66, 0x94, 0x48, 0xDE, 0x9E, 0x19, 0x3D, 0x6F, 0xB3, 0xA1, 0x9A, 0x19,
++ 0xDF, 0xFB, 0xAB, 0xA5, 0x9F, 0x38, 0xDA, 0xC9, 0x21, 0x8F, 0xCE, 0x98,
++ 0x01, 0x3A, 0xC8, 0xE0, 0xDF, 0xDA, 0xFC, 0xF0, 0xA6, 0x86, 0x29, 0xB5,
++ 0x7F, 0x61, 0xFB, 0xBA, 0xC5, 0x49, 0xB2, 0x7C, 0x6A, 0x26, 0x82, 0xC4,
++ 0x8F, 0xAA, 0x5B, 0x10, 0xD5, 0xEE, 0xA0, 0x55, 0x42, 0xEF, 0x32, 0x5A,
++ 0x3F, 0x55, 0xB3, 0x2C, 0x22, 0xE9, 0x65, 0xDA, 0x8D, 0x0A, 0xB9, 0x70,
++ 0x43, 0xCC, 0x3F, 0x64, 0x9C, 0xB5, 0x65, 0x49, 0xBD, 0x7F, 0x35, 0xC1,
++ 0x20, 0x85, 0x24, 0xFE, 0xAA, 0x6B, 0x37, 0x04, 0xA1, 0x0E, 0x9D, 0x5C,
++ 0xBA, 0x7F, 0x14, 0x69, 0xC5, 0x93, 0xB2, 0x33, 0xC2, 0xC0, 0xC7, 0xDF,
++ 0x7E, 0x9E, 0xA4, 0xB0, 0xA0, 0x64, 0xD2, 0xAC, 0xFC, 0xFD, 0xFD, 0x99,
++ 0x8F, 0x6A, 0x40, 0x26, 0xC1, 0x2E, 0x4E, 0x8B, 0x33, 0xBE, 0xF1, 0x45,
++ 0x59, 0x8F, 0x33, 0x40, 0x1D, 0x2A, 0xD2, 0xF7, 0x50, 0x83, 0x89, 0xCF,
++ 0x94, 0xC6, 0xF8, 0x36, 0xF0, 0x84, 0x0B, 0x85, 0xA5, 0x02, 0xA9, 0x0F,
++ 0x41, 0x7A, 0x77, 0xA3, 0x2F, 0x47, 0x1E, 0x1D, 0xEC, 0xE6, 0xD3, 0x01,
++ 0x1E, 0x6F, 0x7A, 0x96, 0x50, 0x37, 0x37, 0x4B, 0x27, 0x52, 0x0B, 0xDC,
++ 0xDB, 0xC7, 0xA9, 0x31, 0xB2, 0x40, 0xEE, 0x60, 0x41, 0x26, 0x6A, 0x05,
++ 0xCE, 0x08, 0x1D, 0x89
++};
++
++static const unsigned char kat_RSA_PSS_SHA224[] = {
++ 0xB4, 0x01, 0x93, 0x16, 0x05, 0xF6, 0xEB, 0xE2, 0xA4, 0xEB, 0x48, 0xAA,
++ 0x00, 0xF4, 0xA1, 0x99, 0x0A, 0xB4, 0xB6, 0x63, 0xE9, 0x68, 0xCA, 0xB3,
++ 0x13, 0xD7, 0x66, 0x6A, 0xCD, 0xCB, 0x33, 0x9F, 0xE5, 0x84, 0xE2, 0xC3,
++ 0x0B, 0x53, 0xE5, 0x8B, 0x96, 0x4B, 0xDB, 0x2D, 0x80, 0xA4, 0x1D, 0xE3,
++ 0x81, 0xDC, 0x52, 0x99, 0xBA, 0x9B, 0x6A, 0x9D, 0x48, 0x1F, 0x73, 0xF7,
++ 0xAC, 0x09, 0x13, 0xA1, 0x16, 0x2C, 0x60, 0xFB, 0xBC, 0x25, 0xF7, 0x53,
++ 0xD1, 0x04, 0x5A, 0x3F, 0x95, 0x09, 0x5E, 0xE5, 0xA2, 0x7D, 0xFC, 0x2A,
++ 0x51, 0x1D, 0x21, 0xCE, 0x2B, 0x4E, 0x1B, 0xB8, 0xCB, 0xDD, 0x24, 0xEE,
++ 0x99, 0x1D, 0x37, 0xDC, 0xED, 0x5F, 0x2F, 0x48, 0x5E, 0x33, 0x94, 0x06,
++ 0x19, 0xCD, 0x5A, 0x26, 0x85, 0x77, 0x9D, 0xAF, 0x86, 0x97, 0xC9, 0x08,
++ 0xD5, 0x81, 0x0E, 0xB8, 0x9F, 0xB6, 0xAF, 0x20, 0x72, 0xDC, 0x13, 0x4D,
++ 0x7A, 0xE4, 0x5C, 0x81, 0xDE, 0xC0, 0x3D, 0x19, 0x9C, 0x33, 0x11, 0x07,
++ 0xD5, 0xA9, 0x51, 0x67, 0xCD, 0xFD, 0x37, 0x61, 0x14, 0x9F, 0xE7, 0x70,
++ 0x18, 0x32, 0xC3, 0x34, 0x54, 0x0D, 0x4F, 0xB4, 0xAE, 0x9F, 0xEC, 0x64,
++ 0xD8, 0xB2, 0x16, 0xA4, 0xB2, 0x99, 0x92, 0xCB, 0x7F, 0x1F, 0x06, 0x17,
++ 0x5F, 0xA1, 0x07, 0x68, 0xAE, 0xA7, 0x2D, 0x03, 0x91, 0x2A, 0x9D, 0x69,
++ 0xC2, 0x9D, 0x90, 0xF7, 0xF9, 0x66, 0x5D, 0x13, 0xB7, 0x7F, 0xD3, 0x97,
++ 0x45, 0x97, 0x43, 0xD8, 0xCE, 0x3C, 0xF2, 0x98, 0x98, 0xDD, 0xE2, 0x2D,
++ 0xCF, 0xA1, 0xC4, 0x25, 0x46, 0x2E, 0xD2, 0xE5, 0x5F, 0xC6, 0x01, 0xC5,
++ 0x4F, 0x42, 0x2B, 0xDE, 0x0F, 0xEA, 0x4A, 0x4F, 0xC3, 0x5B, 0xDF, 0x9B,
++ 0x5D, 0x30, 0x18, 0x93, 0xD0, 0xDE, 0xC5, 0x09, 0xAA, 0x57, 0x57, 0xBD,
++ 0x2D, 0x84, 0x03, 0xB7
++};
++
++static const unsigned char kat_RSA_PSS_SHA256[] = {
++ 0x38, 0xDA, 0x99, 0x51, 0x26, 0x38, 0xC6, 0x7F, 0xC4, 0x81, 0x57, 0x19,
++ 0x35, 0xC6, 0xF6, 0x1E, 0x90, 0x47, 0x20, 0x55, 0x47, 0x56, 0x26, 0xE9,
++ 0xF2, 0xA8, 0x39, 0x6C, 0xD5, 0xCD, 0xCB, 0x55, 0xFC, 0x0C, 0xC5, 0xCB,
++ 0xF7, 0x40, 0x17, 0x3B, 0xCF, 0xE4, 0x05, 0x03, 0x3B, 0xA0, 0xB2, 0xC9,
++ 0x0D, 0x5E, 0x48, 0x3A, 0xE9, 0xAD, 0x28, 0x71, 0x7D, 0x8F, 0x89, 0x16,
++ 0x59, 0x93, 0x35, 0xDC, 0x4D, 0x7B, 0xDF, 0x84, 0xE4, 0x68, 0xAA, 0x33,
++ 0xAA, 0xDC, 0x66, 0x50, 0xC8, 0xA9, 0x32, 0x12, 0xDC, 0xC6, 0x90, 0x49,
++ 0x0B, 0x75, 0xFF, 0x9B, 0x95, 0x00, 0x9A, 0x90, 0xE0, 0xD4, 0x0E, 0x67,
++ 0xAB, 0x3C, 0x47, 0x36, 0xC5, 0x2E, 0x1C, 0x46, 0xF0, 0x2D, 0xD3, 0x8B,
++ 0x42, 0x08, 0xDE, 0x0D, 0xB6, 0x2C, 0x86, 0xB0, 0x35, 0x71, 0x18, 0x6B,
++ 0x89, 0x67, 0xC0, 0x05, 0xAD, 0xF4, 0x1D, 0x62, 0x4E, 0x75, 0xEC, 0xD6,
++ 0xC2, 0xDB, 0x07, 0xB0, 0xB6, 0x8D, 0x15, 0xAD, 0xCD, 0xBF, 0xF5, 0x60,
++ 0x76, 0xAE, 0x48, 0xB8, 0x77, 0x7F, 0xC5, 0x01, 0xD9, 0x29, 0xBB, 0xD6,
++ 0x17, 0xA2, 0x20, 0x5A, 0xC0, 0x4A, 0x3B, 0x34, 0xC8, 0xB9, 0x39, 0xCF,
++ 0x06, 0x89, 0x95, 0x6F, 0xC7, 0xCA, 0xC4, 0xE4, 0x43, 0xDF, 0x5A, 0x23,
++ 0xE2, 0x89, 0xA3, 0x38, 0x78, 0x31, 0x38, 0xC6, 0xA4, 0x6F, 0x5F, 0x73,
++ 0x5A, 0xE5, 0x9E, 0x09, 0xE7, 0x6F, 0xD4, 0xF8, 0x3E, 0xB7, 0xB0, 0x56,
++ 0x9A, 0xF3, 0x65, 0xF0, 0xC2, 0xA6, 0x8A, 0x08, 0xBA, 0x44, 0xAC, 0x97,
++ 0xDE, 0xB4, 0x16, 0x83, 0xDF, 0xE3, 0xEE, 0x71, 0xFA, 0xF9, 0x51, 0x50,
++ 0x14, 0xDC, 0xFD, 0x6A, 0x82, 0x20, 0x68, 0x64, 0x7D, 0x4E, 0x82, 0x68,
++ 0xD7, 0x45, 0xFA, 0x6A, 0xE4, 0xE5, 0x29, 0x3A, 0x70, 0xFB, 0xE4, 0x62,
++ 0x2B, 0x31, 0xB9, 0x7D
++};
++
++static const unsigned char kat_RSA_PSS_SHA384[] = {
++ 0x99, 0x02, 0xC9, 0x1E, 0x31, 0x82, 0xB4, 0xE6, 0x1B, 0x32, 0xCE, 0x5D,
++ 0x41, 0x1D, 0x00, 0x2F, 0x04, 0x8B, 0xBD, 0x37, 0x79, 0xCF, 0x77, 0x03,
++ 0x05, 0x6A, 0x21, 0xC7, 0x8D, 0x24, 0x60, 0x49, 0x39, 0x58, 0xC5, 0x27,
++ 0x8F, 0xC5, 0x97, 0x4A, 0xB2, 0xE1, 0xD4, 0x36, 0x57, 0xBD, 0x43, 0xCC,
++ 0x7B, 0xCE, 0xF2, 0xA5, 0x30, 0xF8, 0x72, 0x14, 0xBB, 0xD0, 0x9F, 0xC1,
++ 0x49, 0xC8, 0x1C, 0xAF, 0xCD, 0x95, 0x78, 0x72, 0x25, 0xF9, 0x45, 0xC6,
++ 0x5B, 0x62, 0x5E, 0x01, 0xD7, 0x40, 0x5E, 0xC8, 0xCA, 0x0A, 0xF3, 0xBA,
++ 0x08, 0x07, 0x88, 0xCA, 0x49, 0x36, 0x84, 0x7D, 0xF6, 0xFC, 0x5A, 0xDB,
++ 0xFC, 0x50, 0xD3, 0xEB, 0x3D, 0x83, 0xB0, 0xF5, 0x94, 0x5E, 0x88, 0xC3,
++ 0x82, 0xCD, 0x53, 0x40, 0x96, 0x18, 0x6B, 0x4A, 0x6C, 0x9C, 0xFE, 0xE5,
++ 0x3B, 0x75, 0xF9, 0xEB, 0xA5, 0x77, 0x11, 0xEF, 0x88, 0x1C, 0x25, 0x70,
++ 0x7D, 0x88, 0x5D, 0xC3, 0xCA, 0xE1, 0x49, 0x14, 0x90, 0xAD, 0xF2, 0x5E,
++ 0x49, 0xD7, 0x99, 0xA5, 0x7B, 0x77, 0x3B, 0x8E, 0xB8, 0xDB, 0xF1, 0x4C,
++ 0xD6, 0x9A, 0xDC, 0xE5, 0x7A, 0x1C, 0xE1, 0xCE, 0x9D, 0xF1, 0xF3, 0xA0,
++ 0x0A, 0x35, 0x52, 0x9D, 0xB9, 0x46, 0x94, 0x82, 0x0F, 0xF7, 0xB2, 0x62,
++ 0x51, 0x70, 0x75, 0xD2, 0x37, 0x96, 0x67, 0x2F, 0xD0, 0x22, 0xD8, 0x07,
++ 0x8D, 0x69, 0x9E, 0x6D, 0x0B, 0x40, 0x4F, 0x70, 0xEC, 0x0B, 0xCA, 0x88,
++ 0x80, 0x8D, 0x9A, 0xF4, 0xF9, 0x18, 0x50, 0x27, 0x08, 0xFA, 0xCC, 0xC7,
++ 0x3F, 0xE4, 0x84, 0x83, 0xA1, 0xB6, 0x1D, 0x23, 0x34, 0xFE, 0x48, 0xE5,
++ 0xE3, 0xAE, 0x4D, 0x98, 0xBC, 0xA6, 0x8A, 0x9F, 0xFD, 0x4D, 0xDB, 0x9D,
++ 0xF7, 0xEB, 0x4E, 0xB6, 0x6F, 0x25, 0xEA, 0x7A, 0xE9, 0x85, 0xB2, 0xEF,
++ 0x90, 0xD2, 0xA6, 0x2B
++};
++
++static const unsigned char kat_RSA_PSS_SHA512[] = {
++ 0x3F, 0x83, 0x43, 0x78, 0x25, 0xBE, 0x81, 0xB2, 0x6E, 0x78, 0x11, 0x32,
++ 0xD0, 0x88, 0x05, 0x53, 0x95, 0xED, 0x81, 0x12, 0xCE, 0x50, 0xD9, 0x06,
++ 0x42, 0x89, 0xA0, 0x55, 0x7A, 0x05, 0x13, 0x94, 0x35, 0x9B, 0xCA, 0x5D,
++ 0xCB, 0xB2, 0x32, 0xE1, 0x04, 0x99, 0xEC, 0xE7, 0xA6, 0x69, 0x4D, 0x2B,
++ 0xC1, 0x57, 0x13, 0x48, 0x0D, 0x6B, 0x4D, 0x83, 0x28, 0x06, 0x79, 0x9D,
++ 0xB4, 0x70, 0xCE, 0xC0, 0xFC, 0x3B, 0x69, 0xB3, 0x91, 0x54, 0xA9, 0x44,
++ 0x2E, 0xDA, 0x4A, 0xC5, 0xC2, 0x99, 0xF0, 0xDE, 0xCA, 0x77, 0x99, 0x6B,
++ 0x0C, 0x79, 0xE5, 0x29, 0x74, 0x83, 0x69, 0xEA, 0xB8, 0x72, 0x30, 0x3D,
++ 0x7A, 0x30, 0xE1, 0x03, 0x7B, 0x09, 0xE6, 0x11, 0xC0, 0xDC, 0xFF, 0xFD,
++ 0xBD, 0xEC, 0x9C, 0xCC, 0x46, 0x7B, 0x4C, 0x4C, 0x59, 0xBE, 0x82, 0x7C,
++ 0xF5, 0x60, 0x5A, 0xC3, 0xE8, 0xA8, 0x8A, 0x38, 0x9E, 0x01, 0x57, 0xF1,
++ 0x79, 0x3A, 0x7C, 0xA3, 0x9F, 0x12, 0x1A, 0x4F, 0x2E, 0xA2, 0xE5, 0x0A,
++ 0xAB, 0xC0, 0xF4, 0xA5, 0xE3, 0x5F, 0x89, 0x1C, 0x8F, 0xA4, 0x5E, 0xCE,
++ 0x0D, 0x91, 0x05, 0x1B, 0x17, 0x62, 0x48, 0xFE, 0xA5, 0x4C, 0xEF, 0x2D,
++ 0x28, 0xF1, 0x5E, 0xE6, 0xD1, 0x30, 0x89, 0x0A, 0xAD, 0x18, 0xAF, 0x6F,
++ 0x04, 0x09, 0x36, 0x9A, 0xFF, 0xCA, 0xA1, 0xA7, 0x05, 0x7F, 0xD4, 0xBF,
++ 0x3A, 0xB5, 0x42, 0x6D, 0xE9, 0x07, 0x29, 0x65, 0x8B, 0xAD, 0x4D, 0x0F,
++ 0x22, 0xE1, 0x59, 0x43, 0x68, 0x87, 0xA8, 0x8B, 0xBC, 0x69, 0xA1, 0x94,
++ 0x22, 0x3E, 0x8A, 0x49, 0xE8, 0xA3, 0x6F, 0xC2, 0x93, 0x58, 0xE7, 0xAE,
++ 0xC9, 0x1F, 0xCF, 0x61, 0x93, 0xFC, 0xC1, 0xF6, 0xF3, 0x27, 0x7F, 0x0A,
++ 0x90, 0xE0, 0x65, 0x32, 0x57, 0x47, 0xE2, 0xED, 0x08, 0x59, 0xA6, 0xF0,
++ 0x17, 0x2C, 0x13, 0xE0
++};
++
++static const unsigned char kat_RSA_SHA1[] = {
++ 0x3B, 0x60, 0x4B, 0xFC, 0x54, 0x28, 0x23, 0xE6, 0x2F, 0x05, 0x04, 0xBA,
++ 0x9D, 0xE4, 0x3C, 0xB8, 0x5B, 0x60, 0x5C, 0xCD, 0x9D, 0xEA, 0xC3, 0x4C,
++ 0xC2, 0x33, 0xE6, 0xC6, 0x21, 0x48, 0x76, 0xEC, 0xB2, 0xF5, 0x11, 0xDE,
++ 0x44, 0xB4, 0xAF, 0x16, 0x11, 0xC3, 0x18, 0x16, 0xB3, 0x69, 0xBB, 0x94,
++ 0xED, 0xE8, 0xB3, 0x9E, 0xB1, 0x43, 0x8E, 0xCE, 0xB4, 0x34, 0x9B, 0x08,
++ 0x22, 0xAF, 0x31, 0x73, 0xB5, 0xFA, 0x11, 0x7E, 0x8F, 0x13, 0x52, 0xEC,
++ 0xC9, 0x03, 0xEE, 0x0D, 0x2B, 0x91, 0x32, 0xF2, 0x8E, 0xDF, 0x02, 0xE0,
++ 0x0A, 0x47, 0xD2, 0x0A, 0x51, 0x00, 0x1A, 0x30, 0x6F, 0x0C, 0xB3, 0x54,
++ 0x64, 0x20, 0x90, 0x0C, 0x01, 0xBE, 0xC0, 0x42, 0x8C, 0x5D, 0x18, 0x6F,
++ 0x32, 0x75, 0x45, 0x7B, 0x1C, 0x04, 0xA2, 0x9F, 0x84, 0xD7, 0xF5, 0x3A,
++ 0x95, 0xD4, 0xE8, 0x8D, 0xEC, 0x99, 0xEF, 0x18, 0x5E, 0x64, 0xD3, 0xAF,
++ 0xF8, 0xD4, 0xFF, 0x3C, 0x87, 0xA0, 0x3F, 0xC7, 0x22, 0x05, 0xFD, 0xFD,
++ 0x29, 0x8A, 0x28, 0xDA, 0xA9, 0x8A, 0x8B, 0x23, 0x62, 0x9D, 0x42, 0xB8,
++ 0x4A, 0x76, 0x0D, 0x9F, 0x9A, 0xE0, 0xE6, 0xDD, 0xAD, 0x5E, 0x5F, 0xD5,
++ 0x32, 0xE9, 0x4B, 0x97, 0x7D, 0x62, 0x0A, 0xB3, 0xBE, 0xF2, 0x8C, 0x1F,
++ 0x2B, 0x22, 0x06, 0x15, 0x33, 0x71, 0xED, 0x9B, 0xA0, 0x82, 0xCE, 0xBF,
++ 0x3B, 0x08, 0x5F, 0xA7, 0x20, 0x94, 0x09, 0xEB, 0x82, 0xA5, 0x41, 0x60,
++ 0xF1, 0x08, 0xEB, 0x8D, 0xCC, 0x8D, 0xC9, 0x52, 0x0A, 0xAF, 0xF4, 0xF9,
++ 0x9F, 0x82, 0xD8, 0x0B, 0x75, 0x5E, 0xE4, 0xAF, 0x65, 0x96, 0xAF, 0xFC,
++ 0x33, 0xBF, 0x9F, 0x3E, 0xA4, 0x7B, 0x86, 0xC7, 0xF7, 0x47, 0xAB, 0x37,
++ 0x05, 0xD6, 0x0D, 0x31, 0x72, 0x8C, 0x80, 0x1E, 0xA9, 0x54, 0xFC, 0xDF,
++ 0x27, 0x90, 0xE2, 0x01
++};
++
++static const unsigned char kat_RSA_SHA224[] = {
++ 0xA2, 0xD8, 0x42, 0x53, 0xDD, 0xBF, 0x1F, 0x6B, 0x07, 0xE0, 0x60, 0x86,
++ 0x5A, 0x60, 0x06, 0x8F, 0x44, 0xD9, 0xB0, 0x4A, 0xAA, 0x90, 0x71, 0xB8,
++ 0xB2, 0xBC, 0x30, 0x41, 0x50, 0xBB, 0xFD, 0x46, 0x98, 0x4D, 0xC0, 0x89,
++ 0x57, 0x85, 0x8A, 0x97, 0x49, 0x25, 0xA8, 0x0C, 0x69, 0x70, 0x19, 0x39,
++ 0x66, 0x24, 0xB4, 0x69, 0x47, 0xD2, 0x7C, 0xDE, 0x2D, 0x37, 0x59, 0xB3,
++ 0xE3, 0xC7, 0x6B, 0xDD, 0xBE, 0xE1, 0xE6, 0x28, 0x9A, 0x8D, 0x42, 0x3E,
++ 0x28, 0x01, 0xD7, 0x03, 0xC9, 0x73, 0xC3, 0x6B, 0x03, 0xEC, 0x1E, 0xF8,
++ 0x53, 0x8B, 0x52, 0x42, 0x89, 0x55, 0xB7, 0x87, 0xA9, 0x94, 0xC2, 0xB4,
++ 0x4B, 0x76, 0xF5, 0x61, 0x47, 0xE1, 0x44, 0x7B, 0xEC, 0xB4, 0x25, 0x66,
++ 0xC0, 0xFF, 0xEB, 0x86, 0x24, 0xAA, 0xA8, 0x72, 0xC7, 0xFB, 0xFB, 0xF6,
++ 0x84, 0xA7, 0x5B, 0xD4, 0x87, 0xE5, 0x84, 0x56, 0x1E, 0x4C, 0xE5, 0xBC,
++ 0x87, 0x94, 0xAC, 0x9C, 0x1B, 0x3D, 0xF7, 0xD4, 0x36, 0x85, 0x9F, 0xC9,
++ 0xF6, 0x43, 0x3F, 0xB6, 0x25, 0x33, 0x48, 0x0F, 0xE5, 0x7C, 0xCD, 0x53,
++ 0x48, 0xEB, 0x02, 0x11, 0xB9, 0x9E, 0xC3, 0xB4, 0xE1, 0x54, 0xD6, 0xAA,
++ 0x1A, 0x9E, 0x10, 0xE1, 0x27, 0x25, 0xF2, 0xE1, 0xAB, 0xAB, 0x6C, 0x45,
++ 0x61, 0xD5, 0xA3, 0x6C, 0xB6, 0x33, 0x52, 0xAE, 0x3D, 0xFD, 0x22, 0xFC,
++ 0x3A, 0xAB, 0x63, 0x94, 0xB5, 0x3A, 0x69, 0x11, 0xAC, 0x99, 0x4F, 0x33,
++ 0x67, 0x0A, 0x1A, 0x70, 0x1E, 0xB9, 0xE2, 0x26, 0x27, 0x68, 0xEA, 0xF5,
++ 0x97, 0x55, 0xAC, 0x83, 0x6A, 0x40, 0x3B, 0x56, 0xAE, 0x13, 0x88, 0xE8,
++ 0x98, 0x72, 0x52, 0x91, 0x7F, 0x78, 0x0A, 0x18, 0xD4, 0x44, 0x78, 0x83,
++ 0x0D, 0x44, 0x77, 0xA6, 0xF3, 0x04, 0xF1, 0x8C, 0xBC, 0x2F, 0xF9, 0x5B,
++ 0xDB, 0x70, 0x00, 0xF6
++};
++
++static const unsigned char kat_RSA_SHA256[] = {
++ 0xC2, 0xB1, 0x97, 0x00, 0x9A, 0xE5, 0x80, 0x6A, 0xE2, 0x51, 0x68, 0xB9,
++ 0x7A, 0x0C, 0xF2, 0xB4, 0x77, 0xED, 0x15, 0x0C, 0x4E, 0xE1, 0xDC, 0xFF,
++ 0x8E, 0xBC, 0xDE, 0xC7, 0x9A, 0x96, 0xF1, 0x47, 0x45, 0x24, 0x9D, 0x6F,
++ 0xA6, 0xF3, 0x1D, 0x0D, 0x35, 0x4C, 0x1A, 0xF3, 0x58, 0x2C, 0x6C, 0x06,
++ 0xD6, 0x22, 0x37, 0x77, 0x8C, 0x33, 0xE5, 0x07, 0x53, 0x93, 0x28, 0xCF,
++ 0x67, 0xFA, 0xC4, 0x1F, 0x1B, 0x24, 0xDB, 0x4C, 0xC5, 0x2A, 0x51, 0xA2,
++ 0x60, 0x15, 0x8C, 0x54, 0xB4, 0x30, 0xE2, 0x24, 0x47, 0x86, 0xF2, 0xF8,
++ 0x6C, 0xD6, 0x12, 0x59, 0x2C, 0x74, 0x9A, 0x37, 0xF3, 0xC4, 0xA2, 0xD5,
++ 0x4E, 0x1F, 0x77, 0xF0, 0x27, 0xCE, 0x77, 0xF8, 0x4A, 0x79, 0x03, 0xBE,
++ 0xC8, 0x06, 0x2D, 0xA7, 0xA6, 0x46, 0xF5, 0x55, 0x79, 0xD7, 0x5C, 0xC6,
++ 0x5B, 0xB1, 0x00, 0x4E, 0x7C, 0xD9, 0x11, 0x85, 0xE0, 0xB1, 0x4D, 0x2D,
++ 0x13, 0xD7, 0xAC, 0xEA, 0x64, 0xD1, 0xAC, 0x8F, 0x8D, 0x8F, 0xEA, 0x42,
++ 0x7F, 0xF9, 0xB7, 0x7D, 0x2C, 0x68, 0x49, 0x07, 0x7A, 0x74, 0xEF, 0xB4,
++ 0xC9, 0x97, 0x16, 0x5C, 0x6C, 0x6E, 0x5C, 0x09, 0x2E, 0x8E, 0x13, 0x2E,
++ 0x1A, 0x8D, 0xA6, 0x0C, 0x6E, 0x0C, 0x1C, 0x0F, 0xCC, 0xB2, 0x78, 0x8A,
++ 0x07, 0xFC, 0x5C, 0xC2, 0xF5, 0x65, 0xEC, 0xAB, 0x8B, 0x3C, 0xCA, 0x91,
++ 0x6F, 0x84, 0x7C, 0x21, 0x0E, 0xB8, 0xDA, 0x7B, 0x6C, 0xF7, 0xDF, 0xAB,
++ 0x7E, 0x15, 0xFD, 0x85, 0x0B, 0x33, 0x9B, 0x6A, 0x3A, 0xC3, 0xEF, 0x65,
++ 0x04, 0x6E, 0xB2, 0xAC, 0x98, 0xFD, 0xEB, 0x02, 0xF5, 0xC0, 0x0B, 0x5E,
++ 0xCB, 0xD4, 0x83, 0x82, 0x18, 0x1B, 0xDA, 0xB4, 0xCD, 0xE8, 0x71, 0x6B,
++ 0x1D, 0xB5, 0x4F, 0xE9, 0xD6, 0x43, 0xA0, 0x0A, 0x14, 0xA0, 0xE7, 0x5D,
++ 0x47, 0x9D, 0x18, 0xD7
++};
++
++static const unsigned char kat_RSA_SHA384[] = {
++ 0x11, 0x5E, 0x63, 0xFE, 0x47, 0xAA, 0x6A, 0x84, 0xEB, 0x44, 0x9A, 0x00,
++ 0x96, 0x4A, 0xED, 0xD2, 0xA7, 0x67, 0x3A, 0x64, 0x82, 0x30, 0x61, 0x2D,
++ 0xE3, 0xF5, 0x49, 0x68, 0x5E, 0x60, 0xD2, 0x4D, 0xEF, 0xF2, 0xA4, 0xB2,
++ 0x9A, 0x81, 0x1D, 0x41, 0xA5, 0x73, 0x59, 0xEB, 0xBB, 0xC4, 0x9E, 0x2B,
++ 0xEB, 0xC3, 0xDE, 0x3A, 0xEA, 0xF5, 0xAD, 0xDA, 0x87, 0x08, 0x68, 0xCF,
++ 0x12, 0x9B, 0xC1, 0xE4, 0xA7, 0x71, 0xF8, 0xBD, 0x6B, 0x6F, 0x50, 0xF1,
++ 0xD1, 0xFF, 0xCE, 0x6C, 0xD9, 0xBE, 0xDA, 0x76, 0xF3, 0xEB, 0xAB, 0x9C,
++ 0x41, 0x6E, 0x4F, 0x35, 0x7A, 0x61, 0x27, 0xBC, 0x03, 0x3E, 0xAE, 0x3E,
++ 0x1B, 0xDD, 0xAC, 0xD9, 0x1A, 0xFF, 0xD3, 0xF5, 0x66, 0x43, 0x07, 0x76,
++ 0x8A, 0x69, 0x2D, 0x14, 0xB1, 0xBE, 0x55, 0x49, 0x90, 0x89, 0x4B, 0xC4,
++ 0x11, 0x67, 0xD5, 0x9D, 0xB0, 0xB2, 0xEE, 0x8D, 0x0A, 0x47, 0x4A, 0xD9,
++ 0x0E, 0xD1, 0x24, 0xF0, 0x30, 0x2B, 0xF2, 0x79, 0x47, 0xDB, 0x70, 0xB4,
++ 0x46, 0xF2, 0xF8, 0xB7, 0xB4, 0xF6, 0x34, 0x79, 0xA8, 0x2D, 0x3D, 0x56,
++ 0xD5, 0x9A, 0x60, 0x7A, 0x04, 0xC7, 0x66, 0x1D, 0xCD, 0x3C, 0xD5, 0x39,
++ 0x37, 0x12, 0x51, 0x5E, 0x9F, 0xF8, 0x1A, 0xAF, 0x13, 0xC1, 0x13, 0x00,
++ 0x35, 0xD5, 0x8D, 0x17, 0xE3, 0x02, 0x28, 0xD9, 0xEC, 0xDE, 0xD1, 0x2F,
++ 0x93, 0x49, 0x03, 0x11, 0x3E, 0x56, 0x9D, 0xC2, 0x31, 0xF8, 0xAF, 0x2D,
++ 0xD9, 0x99, 0xB7, 0x8A, 0xAC, 0x5A, 0x86, 0x20, 0x3A, 0x83, 0x29, 0x26,
++ 0x9D, 0x03, 0x52, 0x2B, 0x34, 0x56, 0x40, 0x16, 0x53, 0x50, 0x82, 0xC9,
++ 0xC7, 0xD5, 0x51, 0x4C, 0xED, 0xB3, 0xE2, 0xE1, 0xCF, 0xA8, 0xCE, 0xBD,
++ 0xB1, 0x48, 0xA6, 0x8A, 0x79, 0x17, 0x55, 0x11, 0xEF, 0xE8, 0x14, 0xF4,
++ 0x7E, 0x37, 0x1D, 0x96
++};
++
++static const unsigned char kat_RSA_SHA512[] = {
++ 0x35, 0x6D, 0xF1, 0x9E, 0xCF, 0xB1, 0xF6, 0x0C, 0x04, 0x21, 0x17, 0xB3,
++ 0xC4, 0x9D, 0xFE, 0x62, 0x1C, 0x1A, 0x45, 0x00, 0x2E, 0x6B, 0xB6, 0x9F,
++ 0x5C, 0xB1, 0xCB, 0xCF, 0xF9, 0x67, 0xEA, 0x62, 0x8A, 0xEB, 0x77, 0x02,
++ 0x42, 0x30, 0x88, 0xB1, 0x48, 0xDF, 0x12, 0x60, 0x6E, 0x92, 0xBB, 0x4B,
++ 0x09, 0x68, 0xD1, 0x70, 0x2B, 0x59, 0xEE, 0x57, 0x96, 0xF9, 0xEA, 0xA3,
++ 0x4C, 0xE9, 0xC9, 0xBD, 0x25, 0x34, 0x66, 0x15, 0x6C, 0xC9, 0x81, 0xD1,
++ 0x48, 0x0F, 0x33, 0x5F, 0x05, 0x4F, 0xC2, 0xC4, 0xDD, 0x09, 0x54, 0x79,
++ 0xA1, 0x57, 0x07, 0x70, 0xA0, 0x33, 0x02, 0x4D, 0x5D, 0xE9, 0x24, 0xD1,
++ 0xEF, 0xF0, 0x61, 0xD0, 0x1D, 0x41, 0xE2, 0x9B, 0x2B, 0x7C, 0xD0, 0x4E,
++ 0x55, 0xD9, 0x6D, 0xA1, 0x16, 0x9F, 0xDA, 0xC3, 0x3B, 0xF1, 0x74, 0xD1,
++ 0x99, 0xF1, 0x63, 0x57, 0xAD, 0xC7, 0x55, 0xF4, 0x97, 0x43, 0x1C, 0xED,
++ 0x1B, 0x7A, 0x32, 0xCB, 0x24, 0xA6, 0x3D, 0x93, 0x37, 0x90, 0x74, 0xEE,
++ 0xD2, 0x8D, 0x4B, 0xBC, 0x72, 0xDA, 0x25, 0x2B, 0x64, 0xE9, 0xCA, 0x69,
++ 0x36, 0xB6, 0xEC, 0x6E, 0x8F, 0x33, 0x0E, 0x74, 0x40, 0x48, 0x51, 0xE2,
++ 0x54, 0x6F, 0xAF, 0x6E, 0x36, 0x54, 0x3A, 0xEC, 0x78, 0x37, 0xE6, 0x1F,
++ 0x76, 0xA5, 0x4D, 0xA6, 0xD9, 0xB3, 0x6B, 0x17, 0x6D, 0x61, 0xFC, 0xA3,
++ 0x85, 0x4A, 0xCC, 0xDA, 0x52, 0xAC, 0x5B, 0xDA, 0x51, 0xE5, 0x7F, 0x5B,
++ 0x52, 0x8B, 0x74, 0x75, 0x99, 0x5C, 0x01, 0xFD, 0x25, 0x3E, 0xCD, 0x86,
++ 0x6F, 0x7A, 0xC0, 0xD8, 0x17, 0x6F, 0xD1, 0xD2, 0x6B, 0xAB, 0x14, 0x1F,
++ 0x3B, 0xB8, 0x15, 0x05, 0x86, 0x40, 0x36, 0xCF, 0xDA, 0x59, 0x2B, 0x9A,
++ 0xE9, 0x1E, 0x6E, 0xD3, 0x6B, 0xA1, 0x19, 0xC5, 0xE6, 0x3F, 0xE9, 0x2E,
++ 0x43, 0xA8, 0x34, 0x0A
++};
++
++static int fips_rsa_encrypt_test(RSA *rsa, const unsigned char *plaintext,
++ int ptlen)
++{
++ unsigned char *ctbuf = NULL, *ptbuf = NULL;
++ int ret = 0;
++ int len;
++
++ ctbuf = OPENSSL_malloc(RSA_size(rsa));
++ if (!ctbuf)
++ goto err;
++
++ len = RSA_public_encrypt(ptlen, plaintext, ctbuf, rsa, RSA_PKCS1_PADDING);
++ if (len <= 0)
++ goto err;
++ /* Check ciphertext doesn't match plaintext */
++ if (len >= ptlen && !memcmp(plaintext, ctbuf, ptlen))
++ goto err;
++
++ ptbuf = OPENSSL_malloc(RSA_size(rsa));
++ if (!ptbuf)
++ goto err;
++
++ len = RSA_private_decrypt(len, ctbuf, ptbuf, rsa, RSA_PKCS1_PADDING);
++ if (len != ptlen)
++ goto err;
++ if (memcmp(ptbuf, plaintext, len))
++ goto err;
++
++ ret = 1;
++
++ err:
++ if (ctbuf)
++ OPENSSL_free(ctbuf);
++ if (ptbuf)
++ OPENSSL_free(ptbuf);
++ return ret;
++}
++
++int FIPS_selftest_rsa()
++{
++ int ret = 0;
++ RSA *key;
++ EVP_PKEY *pk = NULL;
++
++ if ((key = RSA_new()) == NULL)
++ goto err;
++
++ if (!setrsakey(key))
++ goto err;
++
++ if ((pk = EVP_PKEY_new()) == NULL)
++ goto err;
++
++ EVP_PKEY_set1_RSA(pk, key);
++
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_SHA1, sizeof(kat_RSA_SHA1),
++ EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PKCS1,
++ "RSA SHA1 PKCS#1"))
++ goto err;
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_SHA224, sizeof(kat_RSA_SHA224),
++ EVP_sha224(), EVP_MD_CTX_FLAG_PAD_PKCS1,
++ "RSA SHA224 PKCS#1"))
++ goto err;
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_SHA256, sizeof(kat_RSA_SHA256),
++ EVP_sha256(), EVP_MD_CTX_FLAG_PAD_PKCS1,
++ "RSA SHA256 PKCS#1"))
++ goto err;
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_SHA384, sizeof(kat_RSA_SHA384),
++ EVP_sha384(), EVP_MD_CTX_FLAG_PAD_PKCS1,
++ "RSA SHA384 PKCS#1"))
++ goto err;
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_SHA512, sizeof(kat_RSA_SHA512),
++ EVP_sha512(), EVP_MD_CTX_FLAG_PAD_PKCS1,
++ "RSA SHA512 PKCS#1"))
++ goto err;
++
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_PSS_SHA1, sizeof(kat_RSA_PSS_SHA1),
++ EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PSS,
++ "RSA SHA1 PSS"))
++ goto err;
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_PSS_SHA224,
++ sizeof(kat_RSA_PSS_SHA224), EVP_sha224(),
++ EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA224 PSS"))
++ goto err;
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_PSS_SHA256,
++ sizeof(kat_RSA_PSS_SHA256), EVP_sha256(),
++ EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA256 PSS"))
++ goto err;
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_PSS_SHA384,
++ sizeof(kat_RSA_PSS_SHA384), EVP_sha384(),
++ EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA384 PSS"))
++ goto err;
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_PSS_SHA512,
++ sizeof(kat_RSA_PSS_SHA512), EVP_sha512(),
++ EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA512 PSS"))
++ goto err;
++
++ if (!fips_rsa_encrypt_test(key, kat_tbs, sizeof(kat_tbs) - 1))
++ goto err;
++
++ ret = 1;
++
++ err:
++ if (pk)
++ EVP_PKEY_free(pk);
++ if (key)
++ RSA_free(key);
++ return ret;
++}
++
++#endif /* def OPENSSL_FIPS */
+diff -up openssl-1.1.1-pre8/crypto/fips/fips_sha_selftest.c.fips openssl-1.1.1-pre8/crypto/fips/fips_sha_selftest.c
+--- openssl-1.1.1-pre8/crypto/fips/fips_sha_selftest.c.fips 2018-07-25 17:26:58.410624824 +0200
++++ openssl-1.1.1-pre8/crypto/fips/fips_sha_selftest.c 2018-07-25 17:26:58.410624824 +0200
+@@ -0,0 +1,138 @@
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <string.h>
++#include <openssl/err.h>
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
++#include <openssl/evp.h>
++#include <openssl/sha.h>
++
++#ifdef OPENSSL_FIPS
++static const char test[][60] = {
++ "",
++ "abc",
++ "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
++};
++
++static const unsigned char ret[][SHA_DIGEST_LENGTH] = {
++ {0xda, 0x39, 0xa3, 0xee, 0x5e, 0x6b, 0x4b, 0x0d, 0x32, 0x55,
++ 0xbf, 0xef, 0x95, 0x60, 0x18, 0x90, 0xaf, 0xd8, 0x07, 0x09},
++ {0xa9, 0x99, 0x3e, 0x36, 0x47, 0x06, 0x81, 0x6a, 0xba, 0x3e,
++ 0x25, 0x71, 0x78, 0x50, 0xc2, 0x6c, 0x9c, 0xd0, 0xd8, 0x9d},
++ {0x84, 0x98, 0x3e, 0x44, 0x1c, 0x3b, 0xd2, 0x6e, 0xba, 0xae,
++ 0x4a, 0xa1, 0xf9, 0x51, 0x29, 0xe5, 0xe5, 0x46, 0x70, 0xf1},
++};
++
++int FIPS_selftest_sha1()
++{
++ int n;
++
++ for (n = 0; n < sizeof(test) / sizeof(test[0]); ++n) {
++ unsigned char md[SHA_DIGEST_LENGTH];
++
++ EVP_Digest(test[n], strlen(test[n]), md, NULL,
++ EVP_sha1(), NULL);
++ if (memcmp(md, ret[n], sizeof md)) {
++ FIPSerr(FIPS_F_FIPS_SELFTEST_SHA1, FIPS_R_SELFTEST_FAILED);
++ return 0;
++ }
++ }
++ return 1;
++}
++
++static const unsigned char msg_sha256[] =
++ { 0xfa, 0x48, 0x59, 0x2a, 0xe1, 0xae, 0x1f, 0x30,
++ 0xfc
++};
++
++static const unsigned char dig_sha256[] =
++ { 0xf7, 0x26, 0xd8, 0x98, 0x47, 0x91, 0x68, 0x5b,
++ 0x9e, 0x39, 0xb2, 0x58, 0xbb, 0x75, 0xbf, 0x01,
++ 0x17, 0x0c, 0x84, 0x00, 0x01, 0x7a, 0x94, 0x83,
++ 0xf3, 0x0b, 0x15, 0x84, 0x4b, 0x69, 0x88, 0x8a
++};
++
++static const unsigned char msg_sha512[] =
++ { 0x37, 0xd1, 0x35, 0x9d, 0x18, 0x41, 0xe9, 0xb7,
++ 0x6d, 0x9a, 0x13, 0xda, 0x5f, 0xf3, 0xbd
++};
++
++static const unsigned char dig_sha512[] =
++ { 0x11, 0x13, 0xc4, 0x19, 0xed, 0x2b, 0x1d, 0x16,
++ 0x11, 0xeb, 0x9b, 0xbe, 0xf0, 0x7f, 0xcf, 0x44,
++ 0x8b, 0xd7, 0x57, 0xbd, 0x8d, 0xa9, 0x25, 0xb0,
++ 0x47, 0x25, 0xd6, 0x6c, 0x9a, 0x54, 0x7f, 0x8f,
++ 0x0b, 0x53, 0x1a, 0x10, 0x68, 0x32, 0x03, 0x38,
++ 0x82, 0xc4, 0x87, 0xc4, 0xea, 0x0e, 0xd1, 0x04,
++ 0xa9, 0x98, 0xc1, 0x05, 0xa3, 0xf3, 0xf8, 0xb1,
++ 0xaf, 0xbc, 0xd9, 0x78, 0x7e, 0xee, 0x3d, 0x43
++};
++
++int FIPS_selftest_sha2(void)
++{
++ unsigned char md[SHA512_DIGEST_LENGTH];
++
++ EVP_Digest(msg_sha256, sizeof(msg_sha256), md, NULL, EVP_sha256(), NULL);
++ if (memcmp(dig_sha256, md, sizeof(dig_sha256))) {
++ FIPSerr(FIPS_F_FIPS_SELFTEST_SHA2, FIPS_R_SELFTEST_FAILED);
++ return 0;
++ }
++
++ EVP_Digest(msg_sha512, sizeof(msg_sha512), md, NULL, EVP_sha512(), NULL);
++ if (memcmp(dig_sha512, md, sizeof(dig_sha512))) {
++ FIPSerr(FIPS_F_FIPS_SELFTEST_SHA2, FIPS_R_SELFTEST_FAILED);
++ return 0;
++ }
++
++ return 1;
++}
++
++#endif
+diff -up openssl-1.1.1-pre8/crypto/fips/fips_standalone_hmac.c.fips openssl-1.1.1-pre8/crypto/fips/fips_standalone_hmac.c
+--- openssl-1.1.1-pre8/crypto/fips/fips_standalone_hmac.c.fips 2018-07-25 17:26:58.410624824 +0200
++++ openssl-1.1.1-pre8/crypto/fips/fips_standalone_hmac.c 2018-07-25 17:26:58.410624824 +0200
+@@ -0,0 +1,127 @@
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <openssl/opensslconf.h>
++#include <openssl/hmac.h>
++#include <openssl/sha.h>
++
++int main(int argc, char **argv)
++{
++#ifdef OPENSSL_FIPS
++ static char key[] = "orboDeJITITejsirpADONivirpUkvarP";
++ int n, binary = 0;
++
++ if (argc < 2) {
++ fprintf(stderr, "%s [<file>]+\n", argv[0]);
++ exit(1);
++ }
++
++ n = 1;
++ if (!strcmp(argv[n], "-binary")) {
++ n++;
++ binary = 1; /* emit binary fingerprint... */
++ }
++
++ for (; n < argc; ++n) {
++ FILE *f = fopen(argv[n], "rb");
++ HMAC_CTX *hmac_ctx;
++ unsigned char mac[EVP_MAX_MD_SIZE];
++ unsigned int len;
++ unsigned int i;
++
++ if (!f) {
++ perror(argv[n]);
++ exit(2);
++ }
++ hmac_ctx = HMAC_CTX_new();
++ if (!hmac_ctx)
++ exit(3);
++
++ if (HMAC_Init_ex(hmac_ctx, key, strlen(key), EVP_sha256(), NULL) <= 0) {
++ fprintf(stderr, "HMAC SHA256 initialization failed.\n");
++ exit(4);
++ }
++
++ for (;;) {
++ char buf[1024];
++ size_t l = fread(buf, 1, sizeof buf, f);
++
++ if (l == 0) {
++ if (ferror(f)) {
++ perror(argv[n]);
++ exit(3);
++ } else
++ break;
++ }
++ if (HMAC_Update(hmac_ctx, buf, l) <= 0) {
++ fprintf(stderr, "HMAC_Update() failed.\n");
++ exit(4);
++ }
++ }
++ if (HMAC_Final(hmac_ctx, mac, &len) <= 0) {
++ fprintf(stderr, "HMAC_Final() failed.\n");
++ exit(4);
++ }
++
++ if (binary) {
++ fwrite(mac, len, 1, stdout);
++ break; /* ... for single(!) file */
++ }
++
++/* printf("HMAC-SHA1(%s)= ",argv[n]); */
++ for (i = 0; i < len; ++i)
++ printf("%02x", mac[i]);
++ printf("\n");
++ }
++#endif
++ return 0;
++}
+diff -up openssl-1.1.1-pre8/crypto/hmac/hmac.c.fips openssl-1.1.1-pre8/crypto/hmac/hmac.c
+--- openssl-1.1.1-pre8/crypto/hmac/hmac.c.fips 2018-06-20 16:48:11.000000000 +0200
++++ openssl-1.1.1-pre8/crypto/hmac/hmac.c 2018-07-25 17:26:58.410624824 +0200
+@@ -35,6 +35,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo
+ }
+
+ if (key != NULL) {
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode() && !(EVP_MD_flags(md) & EVP_MD_FLAG_FIPS)
++ && (!EVP_MD_CTX_test_flags(ctx->md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
++ || !EVP_MD_CTX_test_flags(ctx->i_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
++ || !EVP_MD_CTX_test_flags(ctx->o_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)))
++ goto err;
++#endif
+ reset = 1;
+ j = EVP_MD_block_size(md);
+ if (!ossl_assert(j <= (int)sizeof(ctx->key)))
+diff -up openssl-1.1.1-pre8/crypto/include/internal/fips_int.h.fips openssl-1.1.1-pre8/crypto/include/internal/fips_int.h
+--- openssl-1.1.1-pre8/crypto/include/internal/fips_int.h.fips 2018-07-25 17:26:58.410624824 +0200
++++ openssl-1.1.1-pre8/crypto/include/internal/fips_int.h 2018-07-25 17:26:58.410624824 +0200
+@@ -0,0 +1,101 @@
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <openssl/opensslconf.h>
++#include <openssl/evp.h>
++
++#ifndef OPENSSL_FIPS
++# error FIPS is disabled.
++#endif
++
++#ifdef OPENSSL_FIPS
++
++int FIPS_module_mode_set(int onoff);
++int FIPS_module_mode(void);
++int FIPS_module_installed(void);
++int FIPS_selftest_sha1(void);
++int FIPS_selftest_sha2(void);
++int FIPS_selftest_aes_ccm(void);
++int FIPS_selftest_aes_gcm(void);
++int FIPS_selftest_aes_xts(void);
++int FIPS_selftest_aes(void);
++int FIPS_selftest_des(void);
++int FIPS_selftest_rsa(void);
++int FIPS_selftest_dsa(void);
++int FIPS_selftest_ecdsa(void);
++int FIPS_selftest_ecdh(void);
++int FIPS_selftest_dh(void);
++void FIPS_drbg_stick(int onoff);
++int FIPS_selftest_hmac(void);
++int FIPS_selftest_drbg(void);
++int FIPS_selftest_cmac(void);
++
++int fips_pkey_signature_test(EVP_PKEY *pkey,
++ const unsigned char *tbs, int tbslen,
++ const unsigned char *kat,
++ unsigned int katlen,
++ const EVP_MD *digest,
++ unsigned int md_flags, const char *fail_str);
++
++int fips_cipher_test(EVP_CIPHER_CTX *ctx,
++ const EVP_CIPHER *cipher,
++ const unsigned char *key,
++ const unsigned char *iv,
++ const unsigned char *plaintext,
++ const unsigned char *ciphertext, int len);
++
++void fips_set_selftest_fail(void);
++
++const EVP_MD *FIPS_get_digestbynid(int nid);
++
++const EVP_CIPHER *FIPS_get_cipherbynid(int nid);
++
++void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr);
++
++#endif
+diff -up openssl-1.1.1-pre8/crypto/o_fips.c.fips openssl-1.1.1-pre8/crypto/o_fips.c
+--- openssl-1.1.1-pre8/crypto/o_fips.c.fips 2018-06-20 16:48:11.000000000 +0200
++++ openssl-1.1.1-pre8/crypto/o_fips.c 2018-07-25 17:26:58.410624824 +0200
+@@ -11,14 +11,25 @@
+
+ int FIPS_mode(void)
+ {
++#ifdef OPENSSL_FIPS
++ return FIPS_module_mode();
++#else
+ /* This version of the library does not support FIPS mode. */
+ return 0;
++#endif
+ }
+
+ int FIPS_mode_set(int r)
+ {
++#ifdef OPENSSL_FIPS
++ if (r && FIPS_module_mode()) /* can be implicitly initialized by OPENSSL_init() */
++ return 1;
++ if (!FIPS_module_mode_set(r))
++ return 0;
++#else
+ if (r == 0)
+ return 1;
+ CRYPTOerr(CRYPTO_F_FIPS_MODE_SET, CRYPTO_R_FIPS_MODE_NOT_SUPPORTED);
+ return 0;
++#endif
+ }
+diff -up openssl-1.1.1-pre8/crypto/o_init.c.fips openssl-1.1.1-pre8/crypto/o_init.c
+--- openssl-1.1.1-pre8/crypto/o_init.c.fips 2018-06-20 16:48:11.000000000 +0200
++++ openssl-1.1.1-pre8/crypto/o_init.c 2018-07-25 17:26:58.410624824 +0200
+@@ -7,8 +7,68 @@
+ * https://www.openssl.org/source/license.html
+ */
+
++/* for secure_getenv */
++#define _GNU_SOURCE
+ #include "e_os.h"
+ #include <openssl/err.h>
++#ifdef OPENSSL_FIPS
++# include <sys/types.h>
++# include <sys/stat.h>
++# include <fcntl.h>
++# include <unistd.h>
++# include <errno.h>
++# include <stdlib.h>
++# include <openssl/rand.h>
++# include <openssl/fips.h>
++# include "internal/fips_int.h"
++
++# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
++
++static void init_fips_mode(void)
++{
++ char buf[2] = "0";
++ int fd;
++
++ /* Ensure the selftests always run */
++ /* XXX: TO SOLVE - premature initialization due to selftests */
++ FIPS_mode_set(1);
++
++ if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
++ buf[0] = '1';
++ } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
++ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
++ close(fd);
++ }
++ /* Failure reading the fips mode switch file means just not
++ * switching into FIPS mode. We would break too many things
++ * otherwise..
++ */
++
++ if (buf[0] != '1') {
++ /* drop down to non-FIPS mode if it is not requested */
++ FIPS_mode_set(0);
++ } else {
++ /* abort if selftest failed */
++ FIPS_selftest_check();
++ }
++}
++
++/*
++ * Perform FIPS module power on selftest and automatic FIPS mode switch.
++ */
++
++void __attribute__ ((constructor)) OPENSSL_init_library(void)
++{
++ static int done = 0;
++ if (done)
++ return;
++ done = 1;
++ if (!FIPS_module_installed()) {
++ return;
++ }
++ init_fips_mode();
++}
++#endif
+
+ /*
+ * Perform any essential OpenSSL initialization operations. Currently does
+diff -up openssl-1.1.1-pre8/crypto/rand/rand_lib.c.fips openssl-1.1.1-pre8/crypto/rand/rand_lib.c
+--- openssl-1.1.1-pre8/crypto/rand/rand_lib.c.fips 2018-06-20 16:48:11.000000000 +0200
++++ openssl-1.1.1-pre8/crypto/rand/rand_lib.c 2018-07-25 17:26:58.410624824 +0200
+@@ -16,6 +16,10 @@
+ #include "internal/thread_once.h"
+ #include "rand_lcl.h"
+ #include "e_os.h"
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++# include <openssl/fips_rand.h>
++#endif
+
+ #ifndef OPENSSL_NO_ENGINE
+ /* non-NULL if default_RAND_meth is ENGINE-provided */
+@@ -778,3 +782,15 @@ int RAND_status(void)
+ return meth->status();
+ return 0;
+ }
++
++#ifdef OPENSSL_FIPS
++void RAND_set_fips_drbg_type(int type, int flags)
++{ /* just a stub for ABI compatibility */
++}
++
++int RAND_init_fips(void)
++{
++ /* just a stub for ABI compatibility */
++ return 1;
++}
++#endif
+diff -up openssl-1.1.1-pre8/crypto/rsa/rsa_crpt.c.fips openssl-1.1.1-pre8/crypto/rsa/rsa_crpt.c
+--- openssl-1.1.1-pre8/crypto/rsa/rsa_crpt.c.fips 2018-06-20 16:48:11.000000000 +0200
++++ openssl-1.1.1-pre8/crypto/rsa/rsa_crpt.c 2018-07-25 17:26:58.411624848 +0200
+@@ -27,24 +27,52 @@ int RSA_size(const RSA *r)
+ int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to,
+ RSA *rsa, int padding)
+ {
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
++ && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
++ RSAerr(RSA_F_RSA_PUBLIC_ENCRYPT, RSA_R_NON_FIPS_RSA_METHOD);
++ return -1;
++ }
++#endif
+ return rsa->meth->rsa_pub_enc(flen, from, to, rsa, padding);
+ }
+
+ int RSA_private_encrypt(int flen, const unsigned char *from,
+ unsigned char *to, RSA *rsa, int padding)
+ {
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
++ RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT,
++ RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
++ return -1;
++ }
++#endif
+ return rsa->meth->rsa_priv_enc(flen, from, to, rsa, padding);
+ }
+
+ int RSA_private_decrypt(int flen, const unsigned char *from,
+ unsigned char *to, RSA *rsa, int padding)
+ {
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
++ && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
++ RSAerr(RSA_F_RSA_PRIVATE_DECRYPT, RSA_R_NON_FIPS_RSA_METHOD);
++ return -1;
++ }
++#endif
+ return rsa->meth->rsa_priv_dec(flen, from, to, rsa, padding);
+ }
+
+ int RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
+ RSA *rsa, int padding)
+ {
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
++ RSAerr(RSA_F_RSA_PUBLIC_DECRYPT,
++ RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
++ return -1;
++ }
++#endif
+ return rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding);
+ }
+
+diff -up openssl-1.1.1-pre8/crypto/rsa/rsa_err.c.fips openssl-1.1.1-pre8/crypto/rsa/rsa_err.c
+--- openssl-1.1.1-pre8/crypto/rsa/rsa_err.c.fips 2018-06-20 16:48:11.000000000 +0200
++++ openssl-1.1.1-pre8/crypto/rsa/rsa_err.c 2018-07-25 17:26:58.411624848 +0200
+@@ -16,6 +16,8 @@
+ static const ERR_STRING_DATA RSA_str_functs[] = {
+ {ERR_PACK(ERR_LIB_RSA, RSA_F_CHECK_PADDING_MD, 0), "check_padding_md"},
+ {ERR_PACK(ERR_LIB_RSA, RSA_F_ENCODE_PKCS1, 0), "encode_pkcs1"},
++ {ERR_PACK(ERR_LIB_RSA, RSA_F_FIPS_RSA_BUILTIN_KEYGEN, 0),
++ "fips_rsa_builtin_keygen"},
+ {ERR_PACK(ERR_LIB_RSA, RSA_F_INT_RSA_VERIFY, 0), "int_rsa_verify"},
+ {ERR_PACK(ERR_LIB_RSA, RSA_F_OLD_RSA_PRIV_DECODE, 0),
+ "old_rsa_priv_decode"},
+@@ -32,6 +34,9 @@ static const ERR_STRING_DATA RSA_str_fun
+ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_CHECK_KEY_EX, 0), "RSA_check_key_ex"},
+ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_CMS_DECRYPT, 0), "rsa_cms_decrypt"},
+ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_CMS_VERIFY, 0), "rsa_cms_verify"},
++ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_GENERATE_KEY_EX, 0), "RSA_generate_key_ex"},
++ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_GENERATE_MULTI_PRIME_KEY, 0),
++ "RSA_generate_multi_prime_key"},
+ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_ITEM_VERIFY, 0), "rsa_item_verify"},
+ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_METH_DUP, 0), "RSA_meth_dup"},
+ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_METH_NEW, 0), "RSA_meth_new"},
+@@ -90,9 +95,13 @@ static const ERR_STRING_DATA RSA_str_fun
+ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRINT_FP, 0), "RSA_print_fp"},
+ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIV_DECODE, 0), "rsa_priv_decode"},
+ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIV_ENCODE, 0), "rsa_priv_encode"},
++ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIVATE_DECRYPT, 0), "RSA_private_decrypt"},
++ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIVATE_ENCRYPT, 0), "RSA_private_encrypt"},
+ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PSS_GET_PARAM, 0), "rsa_pss_get_param"},
+ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PSS_TO_CTX, 0), "rsa_pss_to_ctx"},
+ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PUB_DECODE, 0), "rsa_pub_decode"},
++ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PUBLIC_DECRYPT, 0), "RSA_public_decrypt"},
++ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PUBLIC_ENCRYPT, 0), "RSA_public_encrypt"},
+ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SETUP_BLINDING, 0), "RSA_setup_blinding"},
+ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SIGN, 0), "RSA_sign"},
+ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SIGN_ASN1_OCTET_STRING, 0),
+@@ -102,6 +111,8 @@ static const ERR_STRING_DATA RSA_str_fun
+ "RSA_verify_ASN1_OCTET_STRING"},
+ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, 0),
+ "RSA_verify_PKCS1_PSS_mgf1"},
++ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SET_DEFAULT_METHOD, 0), "RSA_set_default_method"},
++ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SET_METHOD, 0), "RSA_set_method"},
+ {ERR_PACK(ERR_LIB_RSA, RSA_F_SETUP_TBUF, 0), "setup_tbuf"},
+ {0, NULL}
+ };
+@@ -181,6 +192,7 @@ static const ERR_STRING_DATA RSA_str_rea
+ "mp exponent not congruent to d"},
+ {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_MP_R_NOT_PRIME), "mp r not prime"},
+ {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_NO_PUBLIC_EXPONENT), "no public exponent"},
++ {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_NON_FIPS_RSA_METHOD), "non FIPS rsa method"},
+ {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_NULL_BEFORE_BLOCK_MISSING),
+ "null before block missing"},
+ {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_N_DOES_NOT_EQUAL_PRODUCT_OF_PRIMES),
+@@ -189,6 +201,8 @@ static const ERR_STRING_DATA RSA_str_rea
+ "n does not equal p q"},
+ {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_OAEP_DECODING_ERROR),
+ "oaep decoding error"},
++ {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE),
++ "operation not allowed in FIPS mode"},
+ {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE),
+ "operation not supported for this keytype"},
+ {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_PADDING_CHECK_FAILED),
+@@ -224,6 +238,8 @@ static const ERR_STRING_DATA RSA_str_rea
+ "unsupported mask algorithm"},
+ {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_UNSUPPORTED_MASK_PARAMETER),
+ "unsupported mask parameter"},
++ {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_UNSUPPORTED_PARAMETERS),
++ "unsupported parameters"},
+ {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_UNSUPPORTED_SIGNATURE_TYPE),
+ "unsupported signature type"},
+ {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_VALUE_MISSING), "value missing"},
+diff -up openssl-1.1.1-pre8/crypto/rsa/rsa_gen.c.fips openssl-1.1.1-pre8/crypto/rsa/rsa_gen.c
+--- openssl-1.1.1-pre8/crypto/rsa/rsa_gen.c.fips 2018-06-20 16:48:11.000000000 +0200
++++ openssl-1.1.1-pre8/crypto/rsa/rsa_gen.c 2018-07-25 17:26:58.411624848 +0200
+@@ -18,6 +18,78 @@
+ #include "internal/cryptlib.h"
+ #include <openssl/bn.h>
+ #include "rsa_locl.h"
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++# include "internal/fips_int.h"
++
++int fips_check_rsa(RSA *rsa)
++{
++ const unsigned char tbs[] = "RSA Pairwise Check Data";
++ unsigned char *ctbuf = NULL, *ptbuf = NULL;
++ int len, ret = 0;
++ EVP_PKEY *pk;
++
++ if ((pk = EVP_PKEY_new()) == NULL)
++ goto err;
++
++ EVP_PKEY_set1_RSA(pk, rsa);
++
++ /* Perform pairwise consistency signature test */
++ if (!fips_pkey_signature_test(pk, tbs, -1,
++ NULL, 0, EVP_sha1(),
++ EVP_MD_CTX_FLAG_PAD_PKCS1, NULL)
++ || !fips_pkey_signature_test(pk, tbs, -1, NULL, 0, EVP_sha1(),
++ EVP_MD_CTX_FLAG_PAD_X931, NULL)
++ || !fips_pkey_signature_test(pk, tbs, -1, NULL, 0, EVP_sha1(),
++ EVP_MD_CTX_FLAG_PAD_PSS, NULL))
++ goto err;
++ /* Now perform pairwise consistency encrypt/decrypt test */
++ ctbuf = OPENSSL_malloc(RSA_size(rsa));
++ if (!ctbuf)
++ goto err;
++
++ len =
++ RSA_public_encrypt(sizeof(tbs) - 1, tbs, ctbuf, rsa,
++ RSA_PKCS1_PADDING);
++ if (len <= 0)
++ goto err;
++ /* Check ciphertext doesn't match plaintext */
++ if ((len == (sizeof(tbs) - 1)) && !memcmp(tbs, ctbuf, len))
++ goto err;
++ ptbuf = OPENSSL_malloc(RSA_size(rsa));
++
++ if (!ptbuf)
++ goto err;
++ len = RSA_private_decrypt(len, ctbuf, ptbuf, rsa, RSA_PKCS1_PADDING);
++ if (len != (sizeof(tbs) - 1))
++ goto err;
++ if (memcmp(ptbuf, tbs, len))
++ goto err;
++
++ ret = 1;
++
++ if (!ptbuf)
++ goto err;
++
++ err:
++ if (ret == 0) {
++ fips_set_selftest_fail();
++ FIPSerr(FIPS_F_FIPS_CHECK_RSA, FIPS_R_PAIRWISE_TEST_FAILED);
++ }
++
++ if (ctbuf)
++ OPENSSL_free(ctbuf);
++ if (ptbuf)
++ OPENSSL_free(ptbuf);
++ if (pk)
++ EVP_PKEY_free(pk);
++
++ return ret;
++}
++
++static int fips_rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
++ BN_GENCB *cb);
++#endif
+
+ static int rsa_builtin_keygen(RSA *rsa, int bits, int primes, BIGNUM *e_value,
+ BN_GENCB *cb);
+@@ -31,6 +103,13 @@ static int rsa_builtin_keygen(RSA *rsa,
+ */
+ int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
+ {
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
++ && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
++ RSAerr(RSA_F_RSA_GENERATE_KEY_EX, RSA_R_NON_FIPS_RSA_METHOD);
++ return 0;
++ }
++#endif
+ if (rsa->meth->rsa_keygen != NULL)
+ return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);
+
+@@ -41,6 +120,13 @@ int RSA_generate_key_ex(RSA *rsa, int bi
+ int RSA_generate_multi_prime_key(RSA *rsa, int bits, int primes,
+ BIGNUM *e_value, BN_GENCB *cb)
+ {
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
++ && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
++ RSAerr(RSA_F_RSA_GENERATE_MULTI_PRIME_KEY, RSA_R_NON_FIPS_RSA_METHOD);
++ return 0;
++ }
++#endif
+ /* multi-prime is only supported with the builtin key generation */
+ if (rsa->meth->rsa_multi_prime_keygen != NULL) {
+ return rsa->meth->rsa_multi_prime_keygen(rsa, bits, primes,
+@@ -57,10 +143,285 @@ int RSA_generate_multi_prime_key(RSA *rs
+ else
+ return 0;
+ }
+-
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode()) {
++ if (primes != 2) {
++ RSAerr(RSA_F_RSA_GENERATE_MULTI_PRIME_KEY, RSA_R_UNSUPPORTED_PARAMETERS);
++ return 0;
++ }
++ return fips_rsa_builtin_keygen(rsa, bits, e_value, cb);
++ }
++#endif
+ return rsa_builtin_keygen(rsa, bits, primes, e_value, cb);
+ }
+
++#ifdef OPENSSL_FIPS
++static int fips_rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
++ BN_GENCB *cb)
++{
++ BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp;
++ BN_CTX *ctx = NULL;
++ int ok = -1;
++ int i;
++ int n = 0;
++ int test = 0;
++ int pbits = bits / 2;
++ unsigned long error = 0;
++
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_FIPS_RSA_BUILTIN_KEYGEN, FIPS_R_FIPS_SELFTEST_FAILED);
++ return 0;
++ }
++
++ if (bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS
++ || (getenv("OPENSSL_ENFORCE_MODULUS_BITS") && bits < 2048)) {
++ FIPSerr(FIPS_F_FIPS_RSA_BUILTIN_KEYGEN, FIPS_R_KEY_TOO_SHORT);
++ return 0;
++ }
++ if ((pbits & 0xFF) != 0) {
++ FIPSerr(FIPS_F_FIPS_RSA_BUILTIN_KEYGEN, FIPS_R_INVALID_KEY_LENGTH);
++ return 0;
++ }
++
++ ctx = BN_CTX_new();
++ if (ctx == NULL)
++ goto err;
++ BN_CTX_start(ctx);
++ r0 = BN_CTX_get(ctx);
++ r1 = BN_CTX_get(ctx);
++ r2 = BN_CTX_get(ctx);
++ r3 = BN_CTX_get(ctx);
++
++ if (r3 == NULL)
++ goto err;
++
++ /* We need the RSA components non-NULL */
++ if (!rsa->n && ((rsa->n = BN_new()) == NULL))
++ goto err;
++ if (!rsa->d && ((rsa->d = BN_secure_new()) == NULL))
++ goto err;
++ if (!rsa->e && ((rsa->e = BN_new()) == NULL))
++ goto err;
++ if (!rsa->p && ((rsa->p = BN_secure_new()) == NULL))
++ goto err;
++ if (!rsa->q && ((rsa->q = BN_secure_new()) == NULL))
++ goto err;
++ if (!rsa->dmp1 && ((rsa->dmp1 = BN_secure_new()) == NULL))
++ goto err;
++ if (!rsa->dmq1 && ((rsa->dmq1 = BN_secure_new()) == NULL))
++ goto err;
++ if (!rsa->iqmp && ((rsa->iqmp = BN_secure_new()) == NULL))
++ goto err;
++
++ if (!BN_set_word(r0, RSA_F4))
++ goto err;
++ if (BN_cmp(e_value, r0) < 0 || BN_num_bits(e_value) > 256) {
++ ok = 0; /* we set our own err */
++ RSAerr(RSA_F_FIPS_RSA_BUILTIN_KEYGEN, RSA_R_BAD_E_VALUE);
++ goto err;
++ }
++
++ /* prepare approximate minimum p and q */
++ if (!BN_set_word(r0, 0xB504F334))
++ goto err;
++ if (!BN_lshift(r0, r0, pbits - 32))
++ goto err;
++
++ /* prepare minimum p and q difference */
++ if (!BN_one(r3))
++ goto err;
++ if (!BN_lshift(r3, r3, pbits - 100))
++ goto err;
++
++ BN_copy(rsa->e, e_value);
++
++ if (!BN_is_zero(rsa->p) && !BN_is_zero(rsa->q))
++ test = 1;
++
++ BN_set_flags(r0, BN_FLG_CONSTTIME);
++ BN_set_flags(r1, BN_FLG_CONSTTIME);
++ BN_set_flags(r2, BN_FLG_CONSTTIME);
++ BN_set_flags(rsa->p, BN_FLG_CONSTTIME);
++ BN_set_flags(rsa->q, BN_FLG_CONSTTIME);
++
++ retry:
++ /* generate p and q */
++ for (i = 0; i < 5 * pbits; i++) {
++ ploop:
++ if (!test)
++ if (!BN_rand(rsa->p, pbits, 0, 1))
++ goto err;
++ if (BN_cmp(rsa->p, r0) < 0) {
++ if (test)
++ goto err;
++ goto ploop;
++ }
++
++ if (!BN_sub(r2, rsa->p, BN_value_one()))
++ goto err;
++ ERR_set_mark();
++ if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
++ /* GCD == 1 since inverse exists */
++ int r;
++ r = BN_is_prime_fasttest_ex(rsa->p, pbits > 1024 ? 4 : 5, ctx, 0,
++ cb);
++ if (r == -1 || (test && r <= 0))
++ goto err;
++ if (r > 0)
++ break;
++ } else {
++ error = ERR_peek_last_error();
++ if (ERR_GET_LIB(error) == ERR_LIB_BN
++ && ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
++ /* GCD != 1 */
++ ERR_pop_to_mark();
++ } else {
++ goto err;
++ }
++ }
++ if (!BN_GENCB_call(cb, 2, n++))
++ goto err;
++ }
++
++ if (!BN_GENCB_call(cb, 3, 0))
++ goto err;
++
++ if (i >= 5 * pbits)
++ /* prime not found */
++ goto err;
++
++ for (i = 0; i < 5 * pbits; i++) {
++ qloop:
++ if (!test)
++ if (!BN_rand(rsa->q, pbits, 0, 1))
++ goto err;
++ if (BN_cmp(rsa->q, r0) < 0) {
++ if (test)
++ goto err;
++ goto qloop;
++ }
++ if (!BN_sub(r2, rsa->q, rsa->p))
++ goto err;
++ if (BN_ucmp(r2, r3) <= 0) {
++ if (test)
++ goto err;
++ goto qloop;
++ }
++
++ if (!BN_sub(r2, rsa->q, BN_value_one()))
++ goto err;
++ ERR_set_mark();
++ if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
++ /* GCD == 1 since inverse exists */
++ int r;
++ r = BN_is_prime_fasttest_ex(rsa->q, pbits > 1024 ? 4 : 5, ctx, 0,
++ cb);
++ if (r == -1 || (test && r <= 0))
++ goto err;
++ if (r > 0)
++ break;
++ } else {
++ error = ERR_peek_last_error();
++ if (ERR_GET_LIB(error) == ERR_LIB_BN
++ && ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
++ /* GCD != 1 */
++ ERR_pop_to_mark();
++ } else {
++ goto err;
++ }
++ }
++ if (!BN_GENCB_call(cb, 2, n++))
++ goto err;
++ }
++
++ if (!BN_GENCB_call(cb, 3, 1))
++ goto err;
++
++ if (i >= 5 * pbits)
++ /* prime not found */
++ goto err;
++
++ if (test) {
++ /* do not try to calculate the remaining key values */
++ BN_clear(rsa->n);
++ ok = 1;
++ goto err;
++ }
++
++ if (BN_cmp(rsa->p, rsa->q) < 0) {
++ tmp = rsa->p;
++ rsa->p = rsa->q;
++ rsa->q = tmp;
++ }
++
++ /* calculate n */
++ if (!BN_mul(rsa->n, rsa->p, rsa->q, ctx))
++ goto err;
++
++ /* calculate d */
++ if (!BN_sub(r1, rsa->p, BN_value_one()))
++ goto err; /* p-1 */
++ if (!BN_sub(r2, rsa->q, BN_value_one()))
++ goto err; /* q-1 */
++
++ /* note that computing gcd is not safe to timing attacks */
++ if (!BN_gcd(r0, r1, r2, ctx))
++ goto err;
++
++ {
++ if (!BN_div(r0, NULL, r1, r0, ctx))
++ goto err;
++
++ if (!BN_mul(r0, r0, r2, ctx)) /* lcm(p-1, q-1) */
++ goto err;
++
++ if (!BN_mod_inverse(rsa->d, rsa->e, r0, ctx)) /* d */
++ goto err;
++ }
++
++ if (BN_num_bits(rsa->d) < pbits)
++ goto retry; /* d is too small */
++
++ {
++ BIGNUM *d = BN_new();
++
++ if (d == NULL)
++ goto err;
++ BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
++
++ if (/* calculate d mod (p-1) */
++ !BN_mod(rsa->dmp1, d, r1, ctx)
++ /* calculate d mod (q-1) */
++ || !BN_mod(rsa->dmq1, d, r2, ctx)) {
++ BN_free(d);
++ goto err;
++ }
++ /* We MUST free d before any further use of rsa->d */
++ BN_free(d);
++ }
++
++ /* calculate inverse of q mod p */
++ if (!BN_mod_inverse(rsa->iqmp, rsa->q, rsa->p, ctx))
++ goto err;
++
++ if (!fips_check_rsa(rsa))
++ goto err;
++
++ ok = 1;
++ err:
++ if (ok == -1) {
++ RSAerr(RSA_F_FIPS_RSA_BUILTIN_KEYGEN, ERR_LIB_BN);
++ ok = 0;
++ }
++ if (ctx != NULL) {
++ BN_CTX_end(ctx);
++ BN_CTX_free(ctx);
++ }
++
++ return ok;
++}
++#endif
++
+ static int rsa_builtin_keygen(RSA *rsa, int bits, int primes, BIGNUM *e_value,
+ BN_GENCB *cb)
+ {
+diff -up openssl-1.1.1-pre8/crypto/rsa/rsa_lib.c.fips openssl-1.1.1-pre8/crypto/rsa/rsa_lib.c
+--- openssl-1.1.1-pre8/crypto/rsa/rsa_lib.c.fips 2018-06-20 16:48:11.000000000 +0200
++++ openssl-1.1.1-pre8/crypto/rsa/rsa_lib.c 2018-07-25 17:26:58.411624848 +0200
+@@ -34,6 +34,12 @@ int RSA_set_method(RSA *rsa, const RSA_M
+ * to deal with which ENGINE it comes from.
+ */
+ const RSA_METHOD *mtmp;
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode() && !(meth->flags & RSA_FLAG_FIPS_METHOD)) {
++ RSAerr(RSA_F_RSA_SET_METHOD, RSA_R_NON_FIPS_RSA_METHOD);
++ return 0;
++ }
++#endif
+ mtmp = rsa->meth;
+ if (mtmp->finish)
+ mtmp->finish(rsa);
+@@ -66,7 +72,6 @@ RSA *RSA_new_method(ENGINE *engine)
+
+ ret->meth = RSA_get_default_method();
+ #ifndef OPENSSL_NO_ENGINE
+- ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW;
+ if (engine) {
+ if (!ENGINE_init(engine)) {
+ RSAerr(RSA_F_RSA_NEW_METHOD, ERR_R_ENGINE_LIB);
+@@ -84,8 +89,19 @@ RSA *RSA_new_method(ENGINE *engine)
+ }
+ }
+ #endif
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode() && !(ret->meth->flags & RSA_FLAG_FIPS_METHOD)) {
++ RSAerr(RSA_F_RSA_NEW_METHOD, RSA_R_NON_FIPS_RSA_METHOD);
++# ifndef OPENSSL_NO_ENGINE
++ if (ret->engine)
++ ENGINE_finish(ret->engine);
++# endif
++ OPENSSL_free(ret);
++ return NULL;
++ }
++#endif
+
+- ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW;
++ ret->flags = ret->meth->flags;
+ if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) {
+ goto err;
+ }
+diff -up openssl-1.1.1-pre8/crypto/rsa/rsa_ossl.c.fips openssl-1.1.1-pre8/crypto/rsa/rsa_ossl.c
+--- openssl-1.1.1-pre8/crypto/rsa/rsa_ossl.c.fips 2018-06-20 16:48:11.000000000 +0200
++++ openssl-1.1.1-pre8/crypto/rsa/rsa_ossl.c 2018-07-25 17:26:58.411624848 +0200
+@@ -11,6 +11,10 @@
+ #include "internal/bn_int.h"
+ #include "rsa_locl.h"
+
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
++
+ static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,
+ unsigned char *to, RSA *rsa, int padding);
+ static int rsa_ossl_private_encrypt(int flen, const unsigned char *from,
+@@ -46,6 +50,12 @@ static const RSA_METHOD *default_RSA_met
+
+ void RSA_set_default_method(const RSA_METHOD *meth)
+ {
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode() && !(meth->flags & RSA_FLAG_FIPS_METHOD)) {
++ RSAerr(RSA_F_RSA_SET_DEFAULT_METHOD, RSA_R_NON_FIPS_RSA_METHOD);
++ return;
++ }
++#endif
+ default_RSA_meth = meth;
+ }
+
+@@ -72,6 +82,22 @@ static int rsa_ossl_public_encrypt(int f
+ unsigned char *buf = NULL;
+ BN_CTX *ctx = NULL;
+
++# ifdef OPENSSL_FIPS
++ if (FIPS_mode()) {
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_RSA_OSSL_PUBLIC_ENCRYPT,
++ FIPS_R_FIPS_SELFTEST_FAILED);
++ goto err;
++ }
++
++ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
++ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) {
++ RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
++ return -1;
++ }
++ }
++# endif
++
+ if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
+ RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);
+ return -1;
+@@ -251,6 +277,22 @@ static int rsa_ossl_private_encrypt(int
+ BIGNUM *unblind = NULL;
+ BN_BLINDING *blinding = NULL;
+
++# ifdef OPENSSL_FIPS
++ if (FIPS_mode()) {
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_RSA_OSSL_PRIVATE_ENCRYPT,
++ FIPS_R_FIPS_SELFTEST_FAILED);
++ return -1;
++ }
++
++ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
++ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) {
++ RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
++ return -1;
++ }
++ }
++# endif
++
+ if ((ctx = BN_CTX_new()) == NULL)
+ goto err;
+ BN_CTX_start(ctx);
+@@ -388,6 +430,22 @@ static int rsa_ossl_private_decrypt(int
+ BIGNUM *unblind = NULL;
+ BN_BLINDING *blinding = NULL;
+
++# ifdef OPENSSL_FIPS
++ if (FIPS_mode()) {
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_RSA_OSSL_PRIVATE_DECRYPT,
++ FIPS_R_FIPS_SELFTEST_FAILED);
++ return -1;
++ }
++
++ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
++ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) {
++ RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
++ return -1;
++ }
++ }
++# endif
++
+ if ((ctx = BN_CTX_new()) == NULL)
+ goto err;
+ BN_CTX_start(ctx);
+@@ -513,6 +571,22 @@ static int rsa_ossl_public_decrypt(int f
+ unsigned char *buf = NULL;
+ BN_CTX *ctx = NULL;
+
++# ifdef OPENSSL_FIPS
++ if (FIPS_mode()) {
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_RSA_OSSL_PUBLIC_DECRYPT,
++ FIPS_R_FIPS_SELFTEST_FAILED);
++ goto err;
++ }
++
++ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
++ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) {
++ RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
++ return -1;
++ }
++ }
++# endif
++
+ if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
+ RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);
+ return -1;
+diff -up openssl-1.1.1-pre8/crypto/rsa/rsa_sign.c.fips openssl-1.1.1-pre8/crypto/rsa/rsa_sign.c
+--- openssl-1.1.1-pre8/crypto/rsa/rsa_sign.c.fips 2018-06-20 16:48:11.000000000 +0200
++++ openssl-1.1.1-pre8/crypto/rsa/rsa_sign.c 2018-07-25 17:26:58.411624848 +0200
+@@ -73,6 +73,13 @@ int RSA_sign(int type, const unsigned ch
+ unsigned char *tmps = NULL;
+ const unsigned char *encoded = NULL;
+
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
++ && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
++ RSAerr(RSA_F_RSA_SIGN, RSA_R_NON_FIPS_RSA_METHOD);
++ return 0;
++ }
++#endif
+ if (rsa->meth->rsa_sign) {
+ return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa);
+ }
+@@ -100,8 +107,9 @@ int RSA_sign(int type, const unsigned ch
+ RSAerr(RSA_F_RSA_SIGN, RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
+ goto err;
+ }
+- encrypt_len = RSA_private_encrypt(encoded_len, encoded, sigret, rsa,
+- RSA_PKCS1_PADDING);
++ /* NB: call underlying method directly to avoid FIPS blocking */
++ encrypt_len = rsa->meth->rsa_priv_enc ? rsa->meth->rsa_priv_enc(encoded_len, encoded, sigret, rsa,
++ RSA_PKCS1_PADDING) : 0;
+ if (encrypt_len <= 0)
+ goto err;
+
+diff -up openssl-1.1.1-pre8/crypto/sha/sha_locl.h.fips openssl-1.1.1-pre8/crypto/sha/sha_locl.h
+--- openssl-1.1.1-pre8/crypto/sha/sha_locl.h.fips 2018-07-25 17:26:57.885612242 +0200
++++ openssl-1.1.1-pre8/crypto/sha/sha_locl.h 2018-07-25 17:26:58.412624872 +0200
+@@ -52,6 +52,9 @@ void sha1_block_data_order(SHA_CTX *c, c
+
+ int HASH_INIT(SHA_CTX *c)
+ {
++#if defined(OPENSSL_FIPS)
++ FIPS_selftest_check();
++#endif
+ memset(c, 0, sizeof(*c));
+ c->h0 = INIT_DATA_h0;
+ c->h1 = INIT_DATA_h1;
+diff -up openssl-1.1.1-pre8/crypto/sha/sha256.c.fips openssl-1.1.1-pre8/crypto/sha/sha256.c
+--- openssl-1.1.1-pre8/crypto/sha/sha256.c.fips 2018-06-20 16:48:11.000000000 +0200
++++ openssl-1.1.1-pre8/crypto/sha/sha256.c 2018-07-25 17:26:58.412624872 +0200
+@@ -18,6 +18,9 @@
+
+ int SHA224_Init(SHA256_CTX *c)
+ {
++# ifdef OPENSSL_FIPS
++ FIPS_selftest_check();
++# endif
+ memset(c, 0, sizeof(*c));
+ c->h[0] = 0xc1059ed8UL;
+ c->h[1] = 0x367cd507UL;
+@@ -33,6 +36,9 @@ int SHA224_Init(SHA256_CTX *c)
+
+ int SHA256_Init(SHA256_CTX *c)
+ {
++# ifdef OPENSSL_FIPS
++ FIPS_selftest_check();
++# endif
+ memset(c, 0, sizeof(*c));
+ c->h[0] = 0x6a09e667UL;
+ c->h[1] = 0xbb67ae85UL;
+diff -up openssl-1.1.1-pre8/crypto/sha/sha512.c.fips openssl-1.1.1-pre8/crypto/sha/sha512.c
+--- openssl-1.1.1-pre8/crypto/sha/sha512.c.fips 2018-06-20 16:48:11.000000000 +0200
++++ openssl-1.1.1-pre8/crypto/sha/sha512.c 2018-07-25 17:26:58.412624872 +0200
+@@ -98,6 +98,9 @@ int sha512_256_init(SHA512_CTX *c)
+
+ int SHA384_Init(SHA512_CTX *c)
+ {
++# ifdef OPENSSL_FIPS
++ FIPS_selftest_check();
++# endif
+ c->h[0] = U64(0xcbbb9d5dc1059ed8);
+ c->h[1] = U64(0x629a292a367cd507);
+ c->h[2] = U64(0x9159015a3070dd17);
+@@ -116,6 +119,9 @@ int SHA384_Init(SHA512_CTX *c)
+
+ int SHA512_Init(SHA512_CTX *c)
+ {
++# ifdef OPENSSL_FIPS
++ FIPS_selftest_check();
++# endif
+ c->h[0] = U64(0x6a09e667f3bcc908);
+ c->h[1] = U64(0xbb67ae8584caa73b);
+ c->h[2] = U64(0x3c6ef372fe94f82b);
+diff -up openssl-1.1.1-pre8/doc/man3/DSA_generate_parameters.pod.fips openssl-1.1.1-pre8/doc/man3/DSA_generate_parameters.pod
+--- openssl-1.1.1-pre8/doc/man3/DSA_generate_parameters.pod.fips 2018-06-20 16:48:12.000000000 +0200
++++ openssl-1.1.1-pre8/doc/man3/DSA_generate_parameters.pod 2018-07-25 17:26:58.412624872 +0200
+@@ -30,8 +30,10 @@ B<bits> is the length of the prime p to
+ For lengths under 2048 bits, the length of q is 160 bits; for lengths
+ greater than or equal to 2048 bits, the length of q is set to 256 bits.
+
+-If B<seed> is NULL, the primes will be generated at random.
+-If B<seed_len> is less than the length of q, an error is returned.
++If B<seed> is NULL, or it does not generate primes, the primes will be
++generated at random.
++If B<seed_len> is less than the length of q, an error is returned
++if old DSA parameter generation method is used as a backend.
+
+ DSA_generate_parameters_ex() places the iteration count in
+ *B<counter_ret> and a counter used for finding a generator in
+diff -up openssl-1.1.1-pre8/include/openssl/crypto.h.fips openssl-1.1.1-pre8/include/openssl/crypto.h
+--- openssl-1.1.1-pre8/include/openssl/crypto.h.fips 2018-06-20 16:48:13.000000000 +0200
++++ openssl-1.1.1-pre8/include/openssl/crypto.h 2018-07-25 17:26:58.412624872 +0200
+@@ -338,6 +338,11 @@ int OPENSSL_isservice(void);
+ int FIPS_mode(void);
+ int FIPS_mode_set(int r);
+
++# ifdef OPENSSL_FIPS
++/* die if FIPS selftest failed */
++void FIPS_selftest_check(void);
++# endif
++
+ void OPENSSL_init(void);
+ # ifdef OPENSSL_SYS_UNIX
+ void OPENSSL_fork_prepare(void);
+diff -up openssl-1.1.1-pre8/include/openssl/dherr.h.fips openssl-1.1.1-pre8/include/openssl/dherr.h
+--- openssl-1.1.1-pre8/include/openssl/dherr.h.fips 2018-06-20 16:48:13.000000000 +0200
++++ openssl-1.1.1-pre8/include/openssl/dherr.h 2018-07-25 17:26:58.412624872 +0200
+@@ -32,6 +32,9 @@ int ERR_load_DH_strings(void);
+ # define DH_F_DH_CMS_DECRYPT 114
+ # define DH_F_DH_CMS_SET_PEERKEY 115
+ # define DH_F_DH_CMS_SET_SHARED_INFO 116
++# define DH_F_DH_COMPUTE_KEY 203
++# define DH_F_DH_GENERATE_KEY 202
++# define DH_F_DH_GENERATE_PARAMETERS_EX 201
+ # define DH_F_DH_METH_DUP 117
+ # define DH_F_DH_METH_NEW 118
+ # define DH_F_DH_METH_SET1_NAME 119
+@@ -69,12 +72,14 @@ int ERR_load_DH_strings(void);
+ # define DH_R_INVALID_PARAMETER_NID 114
+ # define DH_R_INVALID_PUBKEY 102
+ # define DH_R_KDF_PARAMETER_ERROR 112
++# define DH_R_KEY_SIZE_TOO_SMALL 201
+ # define DH_R_KEYS_NOT_SET 108
+ # define DH_R_MISSING_PUBKEY 125
+ # define DH_R_MODULUS_TOO_LARGE 103
+ # define DH_R_NOT_SUITABLE_GENERATOR 120
+ # define DH_R_NO_PARAMETERS_SET 107
+ # define DH_R_NO_PRIVATE_VALUE 100
++# define DH_R_NON_FIPS_METHOD 202
+ # define DH_R_PARAMETER_ENCODING_ERROR 105
+ # define DH_R_PEER_KEY_ERROR 111
+ # define DH_R_SHARED_INFO_ERROR 113
+diff -up openssl-1.1.1-pre8/include/openssl/dh.h.fips openssl-1.1.1-pre8/include/openssl/dh.h
+--- openssl-1.1.1-pre8/include/openssl/dh.h.fips 2018-06-20 16:48:13.000000000 +0200
++++ openssl-1.1.1-pre8/include/openssl/dh.h 2018-07-25 17:26:58.412624872 +0200
+@@ -31,6 +31,7 @@ extern "C" {
+ # endif
+
+ # define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
++# define OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN 2048
+
+ # define DH_FLAG_CACHE_MONT_P 0x01
+
+diff -up openssl-1.1.1-pre8/include/openssl/dsaerr.h.fips openssl-1.1.1-pre8/include/openssl/dsaerr.h
+--- openssl-1.1.1-pre8/include/openssl/dsaerr.h.fips 2018-06-20 16:48:13.000000000 +0200
++++ openssl-1.1.1-pre8/include/openssl/dsaerr.h 2018-07-25 17:26:58.412624872 +0200
+@@ -25,8 +25,11 @@ int ERR_load_DSA_strings(void);
+ */
+ # define DSA_F_DSAPARAMS_PRINT 100
+ # define DSA_F_DSAPARAMS_PRINT_FP 101
++# define DSA_F_DSA_BUILTIN_KEYGEN 202
+ # define DSA_F_DSA_BUILTIN_PARAMGEN 125
+ # define DSA_F_DSA_BUILTIN_PARAMGEN2 126
++# define DSA_F_DSA_GENERATE_KEY 201
++# define DSA_F_DSA_GENERATE_PARAMETERS_EX 200
+ # define DSA_F_DSA_DO_SIGN 112
+ # define DSA_F_DSA_DO_VERIFY 113
+ # define DSA_F_DSA_METH_DUP 127
+@@ -56,9 +59,12 @@ int ERR_load_DSA_strings(void);
+ # define DSA_R_DECODE_ERROR 104
+ # define DSA_R_INVALID_DIGEST_TYPE 106
+ # define DSA_R_INVALID_PARAMETERS 112
++# define DSA_R_KEY_SIZE_INVALID 201
++# define DSA_R_KEY_SIZE_TOO_SMALL 202
+ # define DSA_R_MISSING_PARAMETERS 101
+ # define DSA_R_MODULUS_TOO_LARGE 103
+ # define DSA_R_NO_PARAMETERS_SET 107
++# define DSA_R_NON_FIPS_DSA_METHOD 200
+ # define DSA_R_PARAMETER_ENCODING_ERROR 105
+ # define DSA_R_Q_NOT_PRIME 113
+ # define DSA_R_SEED_LEN_SMALL 110
+diff -up openssl-1.1.1-pre8/include/openssl/dsa.h.fips openssl-1.1.1-pre8/include/openssl/dsa.h
+--- openssl-1.1.1-pre8/include/openssl/dsa.h.fips 2018-06-20 16:48:13.000000000 +0200
++++ openssl-1.1.1-pre8/include/openssl/dsa.h 2018-07-25 17:26:58.413624895 +0200
+@@ -31,6 +31,7 @@ extern "C" {
+ # endif
+
+ # define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS 1024
++# define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS_GEN 2048
+
+ # define DSA_FLAG_CACHE_MONT_P 0x01
+ # if OPENSSL_API_COMPAT < 0x10100000L
+@@ -141,9 +142,9 @@ int DSAparams_print_fp(FILE *fp, const D
+ int DSA_print_fp(FILE *bp, const DSA *x, int off);
+ # endif
+
+-# define DSS_prime_checks 50
++# define DSS_prime_checks 64
+ /*
+- * Primality test according to FIPS PUB 186[-1], Appendix 2.1: 50 rounds of
++ * Primality test according to FIPS PUB 186-4, Appendix 2.1: 64 rounds of
+ * Rabin-Miller
+ */
+ # define DSA_is_prime(n, callback, cb_arg) \
+diff -up openssl-1.1.1-pre8/include/openssl/evperr.h.fips openssl-1.1.1-pre8/include/openssl/evperr.h
+--- openssl-1.1.1-pre8/include/openssl/evperr.h.fips 2018-06-20 16:48:13.000000000 +0200
++++ openssl-1.1.1-pre8/include/openssl/evperr.h 2018-07-25 17:26:58.413624895 +0200
+@@ -25,6 +25,7 @@ int ERR_load_EVP_strings(void);
+ # define EVP_F_AES_OCB_CIPHER 169
+ # define EVP_F_AES_T4_INIT_KEY 178
+ # define EVP_F_AES_WRAP_CIPHER 170
++# define EVP_F_AES_XTS_CIPHER 300
+ # define EVP_F_ALG_MODULE_INIT 177
+ # define EVP_F_ARIA_CCM_INIT_KEY 175
+ # define EVP_F_ARIA_GCM_CTRL 197
+@@ -132,6 +133,7 @@ int ERR_load_EVP_strings(void);
+ # define EVP_R_CTRL_OPERATION_NOT_IMPLEMENTED 133
+ # define EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH 138
+ # define EVP_R_DECODE_ERROR 114
++# define EVP_R_DISABLED_FOR_FIPS 200
+ # define EVP_R_DIFFERENT_KEY_TYPES 101
+ # define EVP_R_DIFFERENT_PARAMETERS 153
+ # define EVP_R_ERROR_LOADING_SECTION 165
+@@ -174,6 +176,7 @@ int ERR_load_EVP_strings(void);
+ # define EVP_R_PRIVATE_KEY_DECODE_ERROR 145
+ # define EVP_R_PRIVATE_KEY_ENCODE_ERROR 146
+ # define EVP_R_PUBLIC_KEY_NOT_RSA 106
++# define EVP_R_TOO_LARGE 201
+ # define EVP_R_UNKNOWN_CIPHER 160
+ # define EVP_R_UNKNOWN_DIGEST 161
+ # define EVP_R_UNKNOWN_OPTION 169
+diff -up openssl-1.1.1-pre8/include/openssl/fips.h.fips openssl-1.1.1-pre8/include/openssl/fips.h
+--- openssl-1.1.1-pre8/include/openssl/fips.h.fips 2018-07-25 17:26:58.413624895 +0200
++++ openssl-1.1.1-pre8/include/openssl/fips.h 2018-07-25 17:26:58.413624895 +0200
+@@ -0,0 +1,186 @@
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <openssl/opensslconf.h>
++#include <openssl/dsa.h>
++#include <openssl/evp.h>
++#include <openssl/bn.h>
++
++#ifndef OPENSSL_FIPS
++# error FIPS is disabled.
++#endif
++
++#ifdef OPENSSL_FIPS
++
++# ifdef __cplusplus
++extern "C" {
++# endif
++
++ int FIPS_selftest(void);
++ int FIPS_selftest_failed(void);
++ int FIPS_selftest_drbg_all(void);
++
++ int FIPS_dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N,
++ const EVP_MD *evpmd, const unsigned char *seed_in,
++ size_t seed_len, int idx, unsigned char *seed_out,
++ int *counter_ret, unsigned long *h_ret,
++ BN_GENCB *cb);
++ int FIPS_dsa_paramgen_check_g(DSA *dsa);
++
++/* BEGIN ERROR CODES */
++/* The following lines are auto generated by the script mkerr.pl. Any changes
++ * made after this point may be overwritten when the script is next run.
++ */
++ int ERR_load_FIPS_strings(void);
++
++/* Error codes for the FIPS functions. */
++
++/* Function codes. */
++# define FIPS_F_DH_BUILTIN_GENPARAMS 100
++# define FIPS_F_DRBG_RESEED 121
++# define FIPS_F_DSA_BUILTIN_PARAMGEN2 107
++# define FIPS_F_DSA_DO_SIGN 102
++# define FIPS_F_DSA_DO_VERIFY 103
++# define FIPS_F_EVP_CIPHER_CTX_NEW 137
++# define FIPS_F_EVP_CIPHER_CTX_RESET 122
++# define FIPS_F_ECDH_COMPUTE_KEY 123
++# define FIPS_F_EVP_CIPHERINIT_EX 124
++# define FIPS_F_EVP_DIGESTINIT_EX 125
++# define FIPS_F_FIPS_CHECK_DSA 104
++# define FIPS_F_FIPS_CHECK_EC 142
++# define FIPS_F_FIPS_CHECK_RSA 106
++# define FIPS_F_FIPS_DRBG_BYTES 131
++# define FIPS_F_FIPS_DRBG_CHECK 146
++# define FIPS_F_FIPS_DRBG_CPRNG_TEST 132
++# define FIPS_F_FIPS_DRBG_ERROR_CHECK 136
++# define FIPS_F_FIPS_DRBG_GENERATE 134
++# define FIPS_F_FIPS_DRBG_INIT 135
++# define FIPS_F_FIPS_DRBG_INSTANTIATE 138
++# define FIPS_F_FIPS_DRBG_NEW 139
++# define FIPS_F_FIPS_DRBG_RESEED 140
++# define FIPS_F_FIPS_DRBG_SINGLE_KAT 141
++# define FIPS_F_FIPS_GET_ENTROPY 147
++# define FIPS_F_FIPS_MODULE_MODE_SET 108
++# define FIPS_F_FIPS_PKEY_SIGNATURE_TEST 109
++# define FIPS_F_FIPS_RAND_BYTES 114
++# define FIPS_F_FIPS_RAND_SEED 128
++# define FIPS_F_FIPS_RAND_SET_METHOD 126
++# define FIPS_F_FIPS_RAND_STATUS 127
++# define FIPS_F_FIPS_RSA_BUILTIN_KEYGEN 101
++# define FIPS_F_FIPS_SELFTEST_AES 110
++# define FIPS_F_FIPS_SELFTEST_AES_CCM 145
++# define FIPS_F_FIPS_SELFTEST_AES_GCM 129
++# define FIPS_F_FIPS_SELFTEST_AES_XTS 144
++# define FIPS_F_FIPS_SELFTEST_CMAC 130
++# define FIPS_F_FIPS_SELFTEST_DES 111
++# define FIPS_F_FIPS_SELFTEST_DSA 112
++# define FIPS_F_FIPS_SELFTEST_ECDSA 133
++# define FIPS_F_FIPS_SELFTEST_HMAC 113
++# define FIPS_F_FIPS_SELFTEST_SHA1 115
++# define FIPS_F_FIPS_SELFTEST_SHA2 105
++# define FIPS_F_OSSL_ECDSA_SIGN_SIG 143
++# define FIPS_F_OSSL_ECDSA_VERIFY_SIG 148
++# define FIPS_F_RSA_BUILTIN_KEYGEN 116
++# define FIPS_F_RSA_OSSL_INIT 149
++# define FIPS_F_RSA_OSSL_PRIVATE_DECRYPT 117
++# define FIPS_F_RSA_OSSL_PRIVATE_ENCRYPT 118
++# define FIPS_F_RSA_OSSL_PUBLIC_DECRYPT 119
++# define FIPS_F_RSA_OSSL_PUBLIC_ENCRYPT 120
++
++/* Reason codes. */
++# define FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED 150
++# define FIPS_R_ADDITIONAL_INPUT_TOO_LONG 125
++# define FIPS_R_ALREADY_INSTANTIATED 134
++# define FIPS_R_DRBG_NOT_INITIALISED 152
++# define FIPS_R_DRBG_STUCK 103
++# define FIPS_R_ENTROPY_ERROR_UNDETECTED 104
++# define FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED 105
++# define FIPS_R_ENTROPY_SOURCE_STUCK 142
++# define FIPS_R_ERROR_INITIALISING_DRBG 115
++# define FIPS_R_ERROR_INSTANTIATING_DRBG 127
++# define FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT 124
++# define FIPS_R_ERROR_RETRIEVING_ENTROPY 122
++# define FIPS_R_ERROR_RETRIEVING_NONCE 140
++# define FIPS_R_FINGERPRINT_DOES_NOT_MATCH 110
++# define FIPS_R_FIPS_MODE_ALREADY_SET 102
++# define FIPS_R_FIPS_SELFTEST_FAILED 106
++# define FIPS_R_FUNCTION_ERROR 116
++# define FIPS_R_GENERATE_ERROR 137
++# define FIPS_R_GENERATE_ERROR_UNDETECTED 118
++# define FIPS_R_INSTANTIATE_ERROR 119
++# define FIPS_R_INTERNAL_ERROR 121
++# define FIPS_R_INVALID_KEY_LENGTH 109
++# define FIPS_R_IN_ERROR_STATE 123
++# define FIPS_R_KEY_TOO_SHORT 108
++# define FIPS_R_NONCE_ERROR_UNDETECTED 149
++# define FIPS_R_NON_FIPS_METHOD 100
++# define FIPS_R_NOPR_TEST1_FAILURE 145
++# define FIPS_R_NOPR_TEST2_FAILURE 146
++# define FIPS_R_NOT_INSTANTIATED 126
++# define FIPS_R_PAIRWISE_TEST_FAILED 107
++# define FIPS_R_PERSONALISATION_ERROR_UNDETECTED 128
++# define FIPS_R_PERSONALISATION_STRING_TOO_LONG 129
++# define FIPS_R_PR_TEST1_FAILURE 147
++# define FIPS_R_PR_TEST2_FAILURE 148
++# define FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED 130
++# define FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG 131
++# define FIPS_R_RESEED_COUNTER_ERROR 132
++# define FIPS_R_RESEED_ERROR 133
++# define FIPS_R_SELFTEST_FAILED 101
++# define FIPS_R_SELFTEST_FAILURE 135
++# define FIPS_R_TEST_FAILURE 117
++# define FIPS_R_UNINSTANTIATE_ERROR 141
++# define FIPS_R_UNINSTANTIATE_ZEROISE_ERROR 138
++# define FIPS_R_UNSUPPORTED_DRBG_TYPE 139
++# define FIPS_R_UNSUPPORTED_PLATFORM 113
++
++# ifdef __cplusplus
++}
++# endif
++#endif
+diff -up openssl-1.1.1-pre8/include/openssl/fips_rand.h.fips openssl-1.1.1-pre8/include/openssl/fips_rand.h
+--- openssl-1.1.1-pre8/include/openssl/fips_rand.h.fips 2018-07-25 17:26:58.413624895 +0200
++++ openssl-1.1.1-pre8/include/openssl/fips_rand.h 2018-07-25 17:26:58.413624895 +0200
+@@ -0,0 +1,145 @@
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#ifndef HEADER_FIPS_RAND_H
++# define HEADER_FIPS_RAND_H
++
++# include <openssl/aes.h>
++# include <openssl/evp.h>
++# include <openssl/hmac.h>
++# include <openssl/rand.h>
++
++# ifdef OPENSSL_FIPS
++
++# ifdef __cplusplus
++extern "C" {
++# endif
++ typedef struct drbg_ctx_st DRBG_CTX;
++/* DRBG external flags */
++/* Flag for CTR mode only: use derivation function ctr_df */
++# define DRBG_FLAG_CTR_USE_DF 0x1
++/* PRNG is in test state */
++# define DRBG_FLAG_TEST 0x2
++
++ DRBG_CTX *FIPS_drbg_new(int type, unsigned int flags);
++ int FIPS_drbg_init(DRBG_CTX *dctx, int type, unsigned int flags);
++ int FIPS_drbg_instantiate(DRBG_CTX *dctx,
++ const unsigned char *pers, size_t perslen);
++ int FIPS_drbg_reseed(DRBG_CTX *dctx, const unsigned char *adin,
++ size_t adinlen);
++ int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
++ int prediction_resistance,
++ const unsigned char *adin, size_t adinlen);
++
++ int FIPS_drbg_uninstantiate(DRBG_CTX *dctx);
++ void FIPS_drbg_free(DRBG_CTX *dctx);
++
++ int FIPS_drbg_set_callbacks(DRBG_CTX *dctx,
++ size_t (*get_entropy) (DRBG_CTX *ctx,
++ unsigned char **pout,
++ int entropy,
++ size_t min_len,
++ size_t max_len),
++ void (*cleanup_entropy) (DRBG_CTX *ctx,
++ unsigned char *out,
++ size_t olen),
++ size_t entropy_blocklen,
++ size_t (*get_nonce) (DRBG_CTX *ctx,
++ unsigned char **pout,
++ int entropy,
++ size_t min_len,
++ size_t max_len),
++ void (*cleanup_nonce) (DRBG_CTX *ctx,
++ unsigned char *out,
++ size_t olen));
++
++ int FIPS_drbg_set_rand_callbacks(DRBG_CTX *dctx,
++ size_t (*get_adin) (DRBG_CTX *ctx,
++ unsigned char
++ **pout),
++ void (*cleanup_adin) (DRBG_CTX *ctx,
++ unsigned char *out,
++ size_t olen),
++ int (*rand_seed_cb) (DRBG_CTX *ctx,
++ const void *buf,
++ int num),
++ int (*rand_add_cb) (DRBG_CTX *ctx,
++ const void *buf,
++ int num,
++ double entropy));
++
++ void *FIPS_drbg_get_app_data(DRBG_CTX *ctx);
++ void FIPS_drbg_set_app_data(DRBG_CTX *ctx, void *app_data);
++ size_t FIPS_drbg_get_blocklength(DRBG_CTX *dctx);
++ int FIPS_drbg_get_strength(DRBG_CTX *dctx);
++ void FIPS_drbg_set_check_interval(DRBG_CTX *dctx, int interval);
++ void FIPS_drbg_set_reseed_interval(DRBG_CTX *dctx, int interval);
++
++ int FIPS_drbg_health_check(DRBG_CTX *dctx);
++
++ DRBG_CTX *FIPS_get_default_drbg(void);
++ const RAND_METHOD *FIPS_drbg_method(void);
++
++ int FIPS_rand_set_method(const RAND_METHOD *meth);
++ const RAND_METHOD *FIPS_rand_get_method(void);
++
++ void FIPS_rand_set_bits(int nbits);
++
++ int FIPS_rand_strength(void);
++
++/* 1.0.0 compat functions */
++ int FIPS_rand_seed(const void *buf, int num);
++ int FIPS_rand_bytes(unsigned char *out, int outlen);
++ void FIPS_rand_reset(void);
++ int FIPS_rand_status(void);
++# ifdef __cplusplus
++}
++# endif
++# endif
++#endif
+diff -up openssl-1.1.1-pre8/include/openssl/opensslconf.h.in.fips openssl-1.1.1-pre8/include/openssl/opensslconf.h.in
+--- openssl-1.1.1-pre8/include/openssl/opensslconf.h.in.fips 2018-06-20 16:48:13.000000000 +0200
++++ openssl-1.1.1-pre8/include/openssl/opensslconf.h.in 2018-07-25 17:26:58.413624895 +0200
+@@ -138,6 +138,11 @@ extern "C" {
+
+ #define RC4_INT {- $config{rc4_int} -}
+
++/* Always build FIPS module */
++#ifndef OPENSSL_FIPS
++# define OPENSSL_FIPS
++#endif
++
+ #ifdef __cplusplus
+ }
+ #endif
+diff -up openssl-1.1.1-pre8/include/openssl/randerr.h.fips openssl-1.1.1-pre8/include/openssl/randerr.h
+--- openssl-1.1.1-pre8/include/openssl/randerr.h.fips 2018-06-20 16:48:13.000000000 +0200
++++ openssl-1.1.1-pre8/include/openssl/randerr.h 2018-07-25 17:26:58.413624895 +0200
+@@ -35,6 +35,7 @@ int ERR_load_RAND_strings(void);
+ # define RAND_F_RAND_DRBG_SET 104
+ # define RAND_F_RAND_DRBG_SET_DEFAULTS 121
+ # define RAND_F_RAND_DRBG_UNINSTANTIATE 118
++# define RAND_F_RAND_INIT_FIPS 200
+ # define RAND_F_RAND_LOAD_FILE 111
+ # define RAND_F_RAND_POOL_ACQUIRE_ENTROPY 122
+ # define RAND_F_RAND_POOL_ADD 103
+diff -up openssl-1.1.1-pre8/include/openssl/rand.h.fips openssl-1.1.1-pre8/include/openssl/rand.h
+--- openssl-1.1.1-pre8/include/openssl/rand.h.fips 2018-06-20 16:48:13.000000000 +0200
++++ openssl-1.1.1-pre8/include/openssl/rand.h 2018-07-25 17:26:58.413624895 +0200
+@@ -68,6 +68,11 @@ DEPRECATEDIN_1_1_0(void RAND_screen(void
+ DEPRECATEDIN_1_1_0(int RAND_event(UINT, WPARAM, LPARAM))
+ # endif
+
++# ifdef OPENSSL_FIPS
++/* just stubs for API compatibility */
++void RAND_set_fips_drbg_type(int type, int flags);
++int RAND_init_fips(void);
++# endif
+
+ #ifdef __cplusplus
+ }
+diff -up openssl-1.1.1-pre8/include/openssl/rsaerr.h.fips openssl-1.1.1-pre8/include/openssl/rsaerr.h
+--- openssl-1.1.1-pre8/include/openssl/rsaerr.h.fips 2018-06-20 16:48:13.000000000 +0200
++++ openssl-1.1.1-pre8/include/openssl/rsaerr.h 2018-07-25 17:26:58.413624895 +0200
+@@ -21,6 +21,7 @@ int ERR_load_RSA_strings(void);
+ */
+ # define RSA_F_CHECK_PADDING_MD 140
+ # define RSA_F_ENCODE_PKCS1 146
++# define RSA_F_FIPS_RSA_BUILTIN_KEYGEN 206
+ # define RSA_F_INT_RSA_VERIFY 145
+ # define RSA_F_OLD_RSA_PRIV_DECODE 147
+ # define RSA_F_PKEY_PSS_INIT 165
+@@ -35,6 +36,8 @@ int ERR_load_RSA_strings(void);
+ # define RSA_F_RSA_CHECK_KEY_EX 160
+ # define RSA_F_RSA_CMS_DECRYPT 159
+ # define RSA_F_RSA_CMS_VERIFY 158
++# define RSA_F_RSA_GENERATE_KEY_EX 204
++# define RSA_F_RSA_GENERATE_MULTI_PRIME_KEY 207
+ # define RSA_F_RSA_ITEM_VERIFY 148
+ # define RSA_F_RSA_METH_DUP 161
+ # define RSA_F_RSA_METH_NEW 162
+@@ -72,10 +75,16 @@ int ERR_load_RSA_strings(void);
+ # define RSA_F_RSA_PRINT_FP 116
+ # define RSA_F_RSA_PRIV_DECODE 150
+ # define RSA_F_RSA_PRIV_ENCODE 138
++# define RSA_F_RSA_PRIVATE_DECRYPT 200
++# define RSA_F_RSA_PRIVATE_ENCRYPT 201
+ # define RSA_F_RSA_PSS_GET_PARAM 151
+ # define RSA_F_RSA_PSS_TO_CTX 155
+ # define RSA_F_RSA_PUB_DECODE 139
++# define RSA_F_RSA_PUBLIC_DECRYPT 202
++# define RSA_F_RSA_PUBLIC_ENCRYPT 203
+ # define RSA_F_RSA_SETUP_BLINDING 136
++# define RSA_F_RSA_SET_DEFAULT_METHOD 205
++# define RSA_F_RSA_SET_METHOD 204
+ # define RSA_F_RSA_SIGN 117
+ # define RSA_F_RSA_SIGN_ASN1_OCTET_STRING 118
+ # define RSA_F_RSA_VERIFY 119
+@@ -132,10 +141,12 @@ int ERR_load_RSA_strings(void);
+ # define RSA_R_MP_EXPONENT_NOT_CONGRUENT_TO_D 169
+ # define RSA_R_MP_R_NOT_PRIME 170
+ # define RSA_R_NO_PUBLIC_EXPONENT 140
++# define RSA_R_NON_FIPS_RSA_METHOD 200
+ # define RSA_R_NULL_BEFORE_BLOCK_MISSING 113
+ # define RSA_R_N_DOES_NOT_EQUAL_PRODUCT_OF_PRIMES 172
+ # define RSA_R_N_DOES_NOT_EQUAL_P_Q 127
+ # define RSA_R_OAEP_DECODING_ERROR 121
++# define RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE 201
+ # define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148
+ # define RSA_R_PADDING_CHECK_FAILED 114
+ # define RSA_R_PKCS_DECODING_ERROR 159
+@@ -155,6 +166,7 @@ int ERR_load_RSA_strings(void);
+ # define RSA_R_UNSUPPORTED_LABEL_SOURCE 163
+ # define RSA_R_UNSUPPORTED_MASK_ALGORITHM 153
+ # define RSA_R_UNSUPPORTED_MASK_PARAMETER 154
++# define RSA_R_UNSUPPORTED_PARAMETERS 202
+ # define RSA_R_UNSUPPORTED_SIGNATURE_TYPE 155
+ # define RSA_R_VALUE_MISSING 147
+ # define RSA_R_WRONG_SIGNATURE_LENGTH 119
+diff -up openssl-1.1.1-pre8/ssl/ssl_ciph.c.fips openssl-1.1.1-pre8/ssl/ssl_ciph.c
+--- openssl-1.1.1-pre8/ssl/ssl_ciph.c.fips 2018-07-25 17:26:58.400624584 +0200
++++ openssl-1.1.1-pre8/ssl/ssl_ciph.c 2018-07-25 17:26:58.414624919 +0200
+@@ -385,7 +385,7 @@ int ssl_load_ciphers(void)
+ }
+ }
+ /* Make sure we can access MD5 and SHA1 */
+- if (!ossl_assert(ssl_digest_methods[SSL_MD_MD5_IDX] != NULL))
++ if (!FIPS_mode() && !ossl_assert(ssl_digest_methods[SSL_MD_MD5_IDX] != NULL))
+ return 0;
+ if (!ossl_assert(ssl_digest_methods[SSL_MD_SHA1_IDX] != NULL))
+ return 0;
+@@ -560,6 +560,9 @@ int ssl_cipher_get_evp(const SSL_SESSION
+ s->ssl_version < TLS1_VERSION)
+ return 1;
+
++ if (FIPS_mode())
++ return 1;
++
+ if (c->algorithm_enc == SSL_RC4 &&
+ c->algorithm_mac == SSL_MD5 &&
+ (evp = EVP_get_cipherbyname("RC4-HMAC-MD5")))
+@@ -668,6 +671,8 @@ static void ssl_cipher_collect_ciphers(c
+ /* drop those that use any of that is not available */
+ if (c == NULL || !c->valid)
+ continue;
++ if (FIPS_mode() && !(c->algo_strength & SSL_FIPS))
++ continue;
+ if ((c->algorithm_mkey & disabled_mkey) ||
+ (c->algorithm_auth & disabled_auth) ||
+ (c->algorithm_enc & disabled_enc) ||
+@@ -1671,7 +1676,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+ * to the resulting precedence to the STACK_OF(SSL_CIPHER).
+ */
+ for (curr = head; curr != NULL; curr = curr->next) {
+- if (curr->active) {
++ if (curr->active
++ && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS)) {
+ if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) {
+ OPENSSL_free(co_list);
+ sk_SSL_CIPHER_free(cipherstack);
+diff -up openssl-1.1.1-pre8/ssl/ssl_init.c.fips openssl-1.1.1-pre8/ssl/ssl_init.c
+--- openssl-1.1.1-pre8/ssl/ssl_init.c.fips 2018-06-20 16:48:13.000000000 +0200
++++ openssl-1.1.1-pre8/ssl/ssl_init.c 2018-07-25 17:26:58.414624919 +0200
+@@ -27,6 +27,10 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_ssl_bas
+ fprintf(stderr, "OPENSSL_INIT: ossl_init_ssl_base: "
+ "Adding SSL ciphers and digests\n");
+ #endif
++#ifdef OPENSSL_FIPS
++ if (!FIPS_mode()) {
++#endif
++
+ #ifndef OPENSSL_NO_DES
+ EVP_add_cipher(EVP_des_cbc());
+ EVP_add_cipher(EVP_des_ede3_cbc());
+@@ -87,6 +91,31 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_ssl_bas
+ EVP_add_digest(EVP_sha256());
+ EVP_add_digest(EVP_sha384());
+ EVP_add_digest(EVP_sha512());
++#ifdef OPENSSL_FIPS
++ } else {
++# ifndef OPENSSL_NO_DES
++ EVP_add_cipher(EVP_des_ede3_cbc());
++# endif
++ EVP_add_cipher(EVP_aes_128_cbc());
++ EVP_add_cipher(EVP_aes_192_cbc());
++ EVP_add_cipher(EVP_aes_256_cbc());
++ EVP_add_cipher(EVP_aes_128_gcm());
++ EVP_add_cipher(EVP_aes_256_gcm());
++ EVP_add_cipher(EVP_aes_128_ccm());
++ EVP_add_cipher(EVP_aes_256_ccm());
++# ifndef OPENSSL_NO_MD5
++ /* needed even in the FIPS mode for TLS-1.0 */
++ EVP_add_digest(EVP_md5_sha1());
++# endif
++ EVP_add_digest(EVP_sha1()); /* RSA with sha1 */
++ EVP_add_digest_alias(SN_sha1, "ssl3-sha1");
++ EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA);
++ EVP_add_digest(EVP_sha224());
++ EVP_add_digest(EVP_sha256());
++ EVP_add_digest(EVP_sha384());
++ EVP_add_digest(EVP_sha512());
++ }
++#endif
+ #ifndef OPENSSL_NO_COMP
+ # ifdef OPENSSL_INIT_DEBUG
+ fprintf(stderr, "OPENSSL_INIT: ossl_init_ssl_base: "
+diff -up openssl-1.1.1-pre8/ssl/ssl_lib.c.fips openssl-1.1.1-pre8/ssl/ssl_lib.c
+--- openssl-1.1.1-pre8/ssl/ssl_lib.c.fips 2018-07-25 17:26:58.400624584 +0200
++++ openssl-1.1.1-pre8/ssl/ssl_lib.c 2018-07-25 17:26:58.414624919 +0200
+@@ -2885,6 +2885,11 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
+ if (!OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL))
+ return NULL;
+
++ if (FIPS_mode() && (meth->version < TLS1_VERSION)) {
++ SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_AT_LEAST_TLS_1_0_NEEDED_IN_FIPS_MODE);
++ return NULL;
++ }
++
+ if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) {
+ SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
+ goto err;
+@@ -2941,13 +2946,17 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
+ if (ret->param == NULL)
+ goto err;
+
+- if ((ret->md5 = EVP_get_digestbyname("ssl3-md5")) == NULL) {
+- SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES);
+- goto err2;
+- }
+- if ((ret->sha1 = EVP_get_digestbyname("ssl3-sha1")) == NULL) {
+- SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES);
+- goto err2;
++ if (!FIPS_mode()) {
++ if ((ret->md5 = EVP_get_digestbyname("ssl3-md5")) == NULL) {
++ SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES);
++ goto err2;
++ }
++ if ((ret->sha1 = EVP_get_digestbyname("ssl3-sha1")) == NULL) {
++ SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES);
++ goto err2;
++ }
++ } else {
++ ret->min_proto_version = TLS1_VERSION;
+ }
+
+ if ((ret->ca_names = sk_X509_NAME_new_null()) == NULL)
+diff -up openssl-1.1.1-pre8/test/dsatest.c.fips openssl-1.1.1-pre8/test/dsatest.c
+--- openssl-1.1.1-pre8/test/dsatest.c.fips 2018-06-20 16:48:14.000000000 +0200
++++ openssl-1.1.1-pre8/test/dsatest.c 2018-07-25 17:26:58.415624943 +0200
+@@ -24,41 +24,42 @@
+ #ifndef OPENSSL_NO_DSA
+ static int dsa_cb(int p, int n, BN_GENCB *arg);
+
+-/*
+- * seed, out_p, out_q, out_g are taken from the updated Appendix 5 to FIPS
+- * PUB 186 and also appear in Appendix 5 to FIPS PIB 186-1
+- */
+ static unsigned char seed[20] = {
+- 0xd5, 0x01, 0x4e, 0x4b, 0x60, 0xef, 0x2b, 0xa8, 0xb6, 0x21, 0x1b, 0x40,
+- 0x62, 0xba, 0x32, 0x24, 0xe0, 0x42, 0x7d, 0xd3,
++ 0x02, 0x47, 0x11, 0x92, 0x11, 0x88, 0xC8, 0xFB, 0xAF, 0x48, 0x4C, 0x62,
++ 0xDF, 0xA5, 0xBE, 0xA0, 0xA4, 0x3C, 0x56, 0xE3,
+ };
+
+ static unsigned char out_p[] = {
+- 0x8d, 0xf2, 0xa4, 0x94, 0x49, 0x22, 0x76, 0xaa,
+- 0x3d, 0x25, 0x75, 0x9b, 0xb0, 0x68, 0x69, 0xcb,
+- 0xea, 0xc0, 0xd8, 0x3a, 0xfb, 0x8d, 0x0c, 0xf7,
+- 0xcb, 0xb8, 0x32, 0x4f, 0x0d, 0x78, 0x82, 0xe5,
+- 0xd0, 0x76, 0x2f, 0xc5, 0xb7, 0x21, 0x0e, 0xaf,
+- 0xc2, 0xe9, 0xad, 0xac, 0x32, 0xab, 0x7a, 0xac,
+- 0x49, 0x69, 0x3d, 0xfb, 0xf8, 0x37, 0x24, 0xc2,
+- 0xec, 0x07, 0x36, 0xee, 0x31, 0xc8, 0x02, 0x91,
++ 0xAC, 0xCB, 0x1E, 0x63, 0x60, 0x69, 0x0C, 0xFB, 0x06, 0x19, 0x68, 0x3E,
++ 0xA5, 0x01, 0x5A, 0xA2, 0x15, 0x5C, 0xE2, 0x99, 0x2D, 0xD5, 0x30, 0x99,
++ 0x7E, 0x5F, 0x8D, 0xE2, 0xF7, 0xC6, 0x2E, 0x8D, 0xA3, 0x9F, 0x58, 0xAD,
++ 0xD6, 0xA9, 0x7D, 0x0E, 0x0D, 0x95, 0x53, 0xA6, 0x71, 0x3A, 0xDE, 0xAB,
++ 0xAC, 0xE9, 0xF4, 0x36, 0x55, 0x9E, 0xB9, 0xD6, 0x93, 0xBF, 0xF3, 0x18,
++ 0x1C, 0x14, 0x7B, 0xA5, 0x42, 0x2E, 0xCD, 0x00, 0xEB, 0x35, 0x3B, 0x1B,
++ 0xA8, 0x51, 0xBB, 0xE1, 0x58, 0x42, 0x85, 0x84, 0x22, 0xA7, 0x97, 0x5E,
++ 0x99, 0x6F, 0x38, 0x20, 0xBD, 0x9D, 0xB6, 0xD9, 0x33, 0x37, 0x2A, 0xFD,
++ 0xBB, 0xD4, 0xBC, 0x0C, 0x2A, 0x67, 0xCB, 0x9F, 0xBB, 0xDF, 0xF9, 0x93,
++ 0xAA, 0xD6, 0xF0, 0xD6, 0x95, 0x0B, 0x5D, 0x65, 0x14, 0xD0, 0x18, 0x9D,
++ 0xC6, 0xAF, 0xF0, 0xC6, 0x37, 0x7C, 0xF3, 0x5F,
+ };
+
+ static unsigned char out_q[] = {
+- 0xc7, 0x73, 0x21, 0x8c, 0x73, 0x7e, 0xc8, 0xee,
+- 0x99, 0x3b, 0x4f, 0x2d, 0xed, 0x30, 0xf4, 0x8e,
+- 0xda, 0xce, 0x91, 0x5f,
++ 0xE3, 0x8E, 0x5E, 0x6D, 0xBF, 0x2B, 0x79, 0xF8, 0xC5, 0x4B, 0x89, 0x8B,
++ 0xBA, 0x2D, 0x91, 0xC3, 0x6C, 0x80, 0xAC, 0x87,
+ };
+
+ static unsigned char out_g[] = {
+- 0x62, 0x6d, 0x02, 0x78, 0x39, 0xea, 0x0a, 0x13,
+- 0x41, 0x31, 0x63, 0xa5, 0x5b, 0x4c, 0xb5, 0x00,
+- 0x29, 0x9d, 0x55, 0x22, 0x95, 0x6c, 0xef, 0xcb,
+- 0x3b, 0xff, 0x10, 0xf3, 0x99, 0xce, 0x2c, 0x2e,
+- 0x71, 0xcb, 0x9d, 0xe5, 0xfa, 0x24, 0xba, 0xbf,
+- 0x58, 0xe5, 0xb7, 0x95, 0x21, 0x92, 0x5c, 0x9c,
+- 0xc4, 0x2e, 0x9f, 0x6f, 0x46, 0x4b, 0x08, 0x8c,
+- 0xc5, 0x72, 0xaf, 0x53, 0xe6, 0xd7, 0x88, 0x02,
++ 0x42, 0x4A, 0x04, 0x4E, 0x79, 0xB4, 0x99, 0x7F, 0xFD, 0x58, 0x36, 0x2C,
++ 0x1B, 0x5F, 0x18, 0x7E, 0x0D, 0xCC, 0xAB, 0x81, 0xC9, 0x5D, 0x10, 0xCE,
++ 0x4E, 0x80, 0x7E, 0x58, 0xB4, 0x34, 0x3F, 0xA7, 0x45, 0xC7, 0xAA, 0x36,
++ 0x24, 0x42, 0xA9, 0x3B, 0xE8, 0x0E, 0x04, 0x02, 0x2D, 0xFB, 0xA6, 0x13,
++ 0xB9, 0xB5, 0x15, 0xA5, 0x56, 0x07, 0x35, 0xE4, 0x03, 0xB6, 0x79, 0x7C,
++ 0x62, 0xDD, 0xDF, 0x3F, 0x71, 0x3A, 0x9D, 0x8B, 0xC4, 0xF6, 0xE7, 0x1D,
++ 0x52, 0xA8, 0xA9, 0x43, 0x1D, 0x33, 0x51, 0x88, 0x39, 0xBD, 0x73, 0xE9,
++ 0x5F, 0xBE, 0x82, 0x49, 0x27, 0xE6, 0xB5, 0x53, 0xC1, 0x38, 0xAC, 0x2F,
++ 0x6D, 0x97, 0x6C, 0xEB, 0x67, 0xC1, 0x5F, 0x67, 0xF8, 0x35, 0x05, 0x5E,
++ 0xD5, 0x68, 0x80, 0xAA, 0x96, 0xCA, 0x0B, 0x8A, 0xE6, 0xF1, 0xB1, 0x41,
++ 0xC6, 0x75, 0x94, 0x0A, 0x0A, 0x2A, 0xFA, 0x29,
+ };
+
+ static const unsigned char str1[] = "12345678901234567890";
+@@ -79,11 +80,11 @@ static int dsa_test(void)
+
+ BN_GENCB_set(cb, dsa_cb, NULL);
+ if (!TEST_ptr(dsa = DSA_new())
+- || !TEST_true(DSA_generate_parameters_ex(dsa, 512, seed, 20,
++ || !TEST_true(DSA_generate_parameters_ex(dsa, 1024, seed, 20,
+ &counter, &h, cb)))
+ goto end;
+
+- if (!TEST_int_eq(counter, 105))
++ if (!TEST_int_eq(counter, 239))
+ goto end;
+ if (!TEST_int_eq(h, 2))
+ goto end;
+diff -up openssl-1.1.1-pre8/util/libcrypto.num.fips openssl-1.1.1-pre8/util/libcrypto.num
+--- openssl-1.1.1-pre8/util/libcrypto.num.fips 2018-06-20 16:48:15.000000000 +0200
++++ openssl-1.1.1-pre8/util/libcrypto.num 2018-07-25 17:49:31.909043049 +0200
+@@ -4568,3 +4568,38 @@ EVP_PKEY_get_raw_private_key
+ EVP_PKEY_asn1_set_get_priv_key 4520 1_1_1 EXIST::FUNCTION:
+ EVP_PKEY_asn1_set_get_pub_key 4521 1_1_1 EXIST::FUNCTION:
+ EVP_PKEY_set_alias_type 4522 1_1_1 EXIST::FUNCTION:
++FIPS_drbg_reseed 6348 1_1_0g EXIST::FUNCTION:
++FIPS_selftest_check 6349 1_1_0g EXIST::FUNCTION:
++FIPS_rand_set_method 6350 1_1_0g EXIST::FUNCTION:
++FIPS_get_default_drbg 6351 1_1_0g EXIST::FUNCTION:
++FIPS_drbg_set_reseed_interval 6352 1_1_0g EXIST::FUNCTION:
++FIPS_drbg_set_app_data 6353 1_1_0g EXIST::FUNCTION:
++FIPS_drbg_method 6354 1_1_0g EXIST::FUNCTION:
++FIPS_rand_status 6355 1_1_0g EXIST::FUNCTION:
++FIPS_drbg_instantiate 6356 1_1_0g EXIST::FUNCTION:
++FIPS_drbg_set_callbacks 6357 1_1_0g EXIST::FUNCTION:
++FIPS_drbg_new 6358 1_1_0g EXIST::FUNCTION:
++FIPS_dsa_paramgen_check_g 6359 1_1_0g EXIST::FUNCTION:
++FIPS_selftest 6360 1_1_0g EXIST::FUNCTION:
++FIPS_rand_set_bits 6361 1_1_0g EXIST::FUNCTION:
++FIPS_rand_bytes 6362 1_1_0g EXIST::FUNCTION:
++FIPS_drbg_get_app_data 6363 1_1_0g EXIST::FUNCTION:
++FIPS_selftest_failed 6364 1_1_0g EXIST::FUNCTION:
++FIPS_dsa_builtin_paramgen2 6365 1_1_0g EXIST::FUNCTION:
++FIPS_rand_reset 6366 1_1_0g EXIST::FUNCTION:
++ERR_load_FIPS_strings 6367 1_1_0g EXIST::FUNCTION:
++FIPS_drbg_generate 6368 1_1_0g EXIST::FUNCTION:
++FIPS_drbg_uninstantiate 6369 1_1_0g EXIST::FUNCTION:
++FIPS_drbg_set_check_interval 6370 1_1_0g EXIST::FUNCTION:
++FIPS_drbg_free 6371 1_1_0g EXIST::FUNCTION:
++FIPS_selftest_drbg_all 6372 1_1_0g EXIST::FUNCTION:
++FIPS_rand_get_method 6373 1_1_0g EXIST::FUNCTION:
++RAND_set_fips_drbg_type 6374 1_1_0g EXIST::FUNCTION:
++FIPS_drbg_health_check 6375 1_1_0g EXIST::FUNCTION:
++RAND_init_fips 6376 1_1_0g EXIST::FUNCTION:
++FIPS_drbg_set_rand_callbacks 6377 1_1_0g EXIST::FUNCTION:
++FIPS_rand_seed 6378 1_1_0g EXIST::FUNCTION:
++FIPS_drbg_get_strength 6379 1_1_0g EXIST::FUNCTION:
++FIPS_rand_strength 6380 1_1_0g EXIST::FUNCTION:
++FIPS_drbg_get_blocklength 6381 1_1_0g EXIST::FUNCTION:
++FIPS_drbg_init 6382 1_1_0g EXIST::FUNCTION:
diff --git a/openssl-1.1.1-man-rename.patch b/openssl-1.1.1-man-rename.patch
new file mode 100644
index 0000000..6aef549
--- /dev/null
+++ b/openssl-1.1.1-man-rename.patch
@@ -0,0 +1,37 @@
+diff -up openssl-1.1.1-pre2/doc/man1/openssl.pod.man-rename openssl-1.1.1-pre2/doc/man1/openssl.pod
+--- openssl-1.1.1-pre2/doc/man1/openssl.pod.man-rename 2018-02-27 14:40:43.000000000 +0100
++++ openssl-1.1.1-pre2/doc/man1/openssl.pod 2018-03-06 15:32:44.737652939 +0100
+@@ -170,7 +170,7 @@ Create or examine a Netscape certificate
+
+ Online Certificate Status Protocol utility.
+
+-=item L<B<passwd>|passwd(1)>
++=item L<B<passwd>|sslpasswd(1)>
+
+ Generation of hashed passwords.
+
+@@ -202,7 +202,7 @@ Public key algorithm cryptographic opera
+
+ Compute prime numbers.
+
+-=item L<B<rand>|rand(1)>
++=item L<B<rand>|sslrand(1)>
+
+ Generate pseudo-random bytes.
+
+@@ -444,13 +444,13 @@ L<dhparam(1)>, L<dsa(1)>, L<dsaparam(1)>
+ L<ec(1)>, L<ecparam(1)>,
+ L<enc(1)>, L<engine(1)>, L<errstr(1)>, L<gendsa(1)>, L<genpkey(1)>,
+ L<genrsa(1)>, L<nseq(1)>, L<ocsp(1)>,
+-L<passwd(1)>,
+ L<pkcs12(1)>, L<pkcs7(1)>, L<pkcs8(1)>,
+ L<pkey(1)>, L<pkeyparam(1)>, L<pkeyutl(1)>, L<prime(1)>,
+-L<rand(1)>, L<rehash(1)>, L<req(1)>, L<rsa(1)>,
++L<rehash(1)>, L<req(1)>, L<rsa(1)>,
+ L<rsautl(1)>, L<s_client(1)>,
+ L<s_server(1)>, L<s_time(1)>, L<sess_id(1)>,
+ L<smime(1)>, L<speed(1)>, L<spkac(1)>, L<srp(1)>, L<storeutl(1)>,
++L<sslpasswd(1)>, L<sslrand(1)>,
+ L<ts(1)>,
+ L<verify(1)>, L<version(1)>, L<x509(1)>,
+ L<crypto(7)>, L<ssl(7)>, L<x509v3_config(5)>
diff --git a/openssl-1.1.1-secure-getenv.patch b/openssl-1.1.1-secure-getenv.patch
new file mode 100644
index 0000000..c3d14a1
--- /dev/null
+++ b/openssl-1.1.1-secure-getenv.patch
@@ -0,0 +1,173 @@
+diff -up openssl-1.1.1-pre8/crypto/conf/conf_api.c.secure-getenv openssl-1.1.1-pre8/crypto/conf/conf_api.c
+--- openssl-1.1.1-pre8/crypto/conf/conf_api.c.secure-getenv 2018-06-20 16:48:10.000000000 +0200
++++ openssl-1.1.1-pre8/crypto/conf/conf_api.c 2018-07-16 18:01:11.708359766 +0200
+@@ -9,6 +9,8 @@
+
+ /* Part of the code in here was originally in conf.c, which is now removed */
+
++/* for secure_getenv */
++#define _GNU_SOURCE
+ #include "e_os.h"
+ #include <stdlib.h>
+ #include <string.h>
+@@ -82,7 +84,7 @@ char *_CONF_get_string(const CONF *conf,
+ if (v != NULL)
+ return v->value;
+ if (strcmp(section, "ENV") == 0) {
+- p = getenv(name);
++ p = secure_getenv(name);
+ if (p != NULL)
+ return p;
+ }
+diff -up openssl-1.1.1-pre8/crypto/conf/conf_mod.c.secure-getenv openssl-1.1.1-pre8/crypto/conf/conf_mod.c
+--- openssl-1.1.1-pre8/crypto/conf/conf_mod.c.secure-getenv 2018-06-20 16:48:10.000000000 +0200
++++ openssl-1.1.1-pre8/crypto/conf/conf_mod.c 2018-07-16 18:02:37.308383955 +0200
+@@ -7,6 +7,8 @@
+ * https://www.openssl.org/source/license.html
+ */
+
++/* for secure_getenv */
++#define _GNU_SOURCE
+ #include "internal/cryptlib.h"
+ #include <stdio.h>
+ #include <ctype.h>
+@@ -481,7 +483,7 @@ char *CONF_get1_default_config_file(void
+ int len;
+
+ if (!OPENSSL_issetugid()) {
+- file = getenv("OPENSSL_CONF");
++ file = secure_getenv("OPENSSL_CONF");
+ if (file)
+ return OPENSSL_strdup(file);
+ }
+diff -up openssl-1.1.1-pre8/crypto/ct/ct_log.c.secure-getenv openssl-1.1.1-pre8/crypto/ct/ct_log.c
+--- openssl-1.1.1-pre8/crypto/ct/ct_log.c.secure-getenv 2018-06-20 16:48:10.000000000 +0200
++++ openssl-1.1.1-pre8/crypto/ct/ct_log.c 2018-07-16 18:01:11.708359766 +0200
+@@ -7,6 +7,8 @@
+ * https://www.openssl.org/source/license.html
+ */
+
++/* for secure_getenv */
++#define _GNU_SOURCE
+ #include <stdlib.h>
+ #include <string.h>
+
+@@ -137,7 +139,7 @@ static int ctlog_new_from_conf(CTLOG **c
+
+ int CTLOG_STORE_load_default_file(CTLOG_STORE *store)
+ {
+- const char *fpath = getenv(CTLOG_FILE_EVP);
++ const char *fpath = secure_getenv(CTLOG_FILE_EVP);
+
+ if (fpath == NULL)
+ fpath = CTLOG_FILE;
+diff -up openssl-1.1.1-pre8/crypto/engine/eng_list.c.secure-getenv openssl-1.1.1-pre8/crypto/engine/eng_list.c
+--- openssl-1.1.1-pre8/crypto/engine/eng_list.c.secure-getenv 2018-06-20 16:48:10.000000000 +0200
++++ openssl-1.1.1-pre8/crypto/engine/eng_list.c 2018-07-16 18:03:03.190996004 +0200
+@@ -8,6 +8,8 @@
+ * https://www.openssl.org/source/license.html
+ */
+
++/* for secure_getenv */
++#define _GNU_SOURCE
+ #include "eng_int.h"
+
+ /*
+@@ -318,7 +320,7 @@ ENGINE *ENGINE_by_id(const char *id)
+ */
+ if (strcmp(id, "dynamic")) {
+ if (OPENSSL_issetugid()
+- || (load_dir = getenv("OPENSSL_ENGINES")) == NULL)
++ || (load_dir = secure_getenv("OPENSSL_ENGINES")) == NULL)
+ load_dir = ENGINESDIR;
+ iterator = ENGINE_by_id("dynamic");
+ if (!iterator || !ENGINE_ctrl_cmd_string(iterator, "ID", id, 0) ||
+diff -up openssl-1.1.1-pre8/crypto/mem.c.secure-getenv openssl-1.1.1-pre8/crypto/mem.c
+--- openssl-1.1.1-pre8/crypto/mem.c.secure-getenv 2018-06-20 16:48:11.000000000 +0200
++++ openssl-1.1.1-pre8/crypto/mem.c 2018-07-16 18:01:11.709359790 +0200
+@@ -7,6 +7,8 @@
+ * https://www.openssl.org/source/license.html
+ */
+
++/* for secure_getenv */
++#define _GNU_SOURCE
+ #include "e_os.h"
+ #include "internal/cryptlib.h"
+ #include "internal/cryptlib_int.h"
+@@ -180,11 +182,11 @@ static int shouldfail(void)
+
+ void ossl_malloc_setup_failures(void)
+ {
+- const char *cp = getenv("OPENSSL_MALLOC_FAILURES");
++ const char *cp = secure_getenv("OPENSSL_MALLOC_FAILURES");
+
+ if (cp != NULL && (md_failstring = strdup(cp)) != NULL)
+ parseit();
+- if ((cp = getenv("OPENSSL_MALLOC_FD")) != NULL)
++ if ((cp = secure_getenv("OPENSSL_MALLOC_FD")) != NULL)
+ md_tracefd = atoi(cp);
+ }
+ #endif
+diff -up openssl-1.1.1-pre8/crypto/rand/randfile.c.secure-getenv openssl-1.1.1-pre8/crypto/rand/randfile.c
+--- openssl-1.1.1-pre8/crypto/rand/randfile.c.secure-getenv 2018-06-20 16:48:11.000000000 +0200
++++ openssl-1.1.1-pre8/crypto/rand/randfile.c 2018-07-16 18:01:11.709359790 +0200
+@@ -7,6 +7,8 @@
+ * https://www.openssl.org/source/license.html
+ */
+
++/* for secure_getenv */
++#define _GNU_SOURCE
+ #include "internal/cryptlib.h"
+
+ #include <errno.h>
+@@ -264,7 +266,7 @@ const char *RAND_file_name(char *buf, si
+ #else
+ if (OPENSSL_issetugid() != 0) {
+ use_randfile = 0;
+- } else if ((s = getenv("RANDFILE")) == NULL || *s == '\0') {
++ } else if ((s = secure_getenv("RANDFILE")) == NULL || *s == '\0') {
+ use_randfile = 0;
+ s = getenv("HOME");
+ }
+diff -up openssl-1.1.1-pre8/crypto/x509/by_dir.c.secure-getenv openssl-1.1.1-pre8/crypto/x509/by_dir.c
+--- openssl-1.1.1-pre8/crypto/x509/by_dir.c.secure-getenv 2018-06-20 16:48:11.000000000 +0200
++++ openssl-1.1.1-pre8/crypto/x509/by_dir.c 2018-07-16 18:03:43.355945786 +0200
+@@ -7,6 +7,8 @@
+ * https://www.openssl.org/source/license.html
+ */
+
++/* for secure_getenv */
++#define _GNU_SOURCE
+ #include "e_os.h"
+ #include "internal/cryptlib.h"
+ #include <stdio.h>
+@@ -73,7 +75,7 @@ static int dir_ctrl(X509_LOOKUP *ctx, in
+ switch (cmd) {
+ case X509_L_ADD_DIR:
+ if (argl == X509_FILETYPE_DEFAULT) {
+- const char *dir = getenv(X509_get_default_cert_dir_env());
++ const char *dir = secure_getenv(X509_get_default_cert_dir_env());
+
+ if (dir)
+ ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
+diff -up openssl-1.1.1-pre8/crypto/x509/by_file.c.secure-getenv openssl-1.1.1-pre8/crypto/x509/by_file.c
+--- openssl-1.1.1-pre8/crypto/x509/by_file.c.secure-getenv 2018-06-20 16:48:11.000000000 +0200
++++ openssl-1.1.1-pre8/crypto/x509/by_file.c 2018-07-16 18:01:11.709359790 +0200
+@@ -7,6 +7,8 @@
+ * https://www.openssl.org/source/license.html
+ */
+
++/* for secure_getenv */
++#define _GNU_SOURCE
+ #include <stdio.h>
+ #include <time.h>
+ #include <errno.h>
+@@ -46,7 +48,7 @@ static int by_file_ctrl(X509_LOOKUP *ctx
+ switch (cmd) {
+ case X509_L_FILE_LOAD:
+ if (argl == X509_FILETYPE_DEFAULT) {
+- file = getenv(X509_get_default_cert_file_env());
++ file = secure_getenv(X509_get_default_cert_file_env());
+ if (file)
+ ok = (X509_load_cert_crl_file(ctx, file,
+ X509_FILETYPE_PEM) != 0);
diff --git a/openssl-1.1.1-system-cipherlist.patch b/openssl-1.1.1-system-cipherlist.patch
new file mode 100644
index 0000000..98c0851
--- /dev/null
+++ b/openssl-1.1.1-system-cipherlist.patch
@@ -0,0 +1,310 @@
+diff -up openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl.system-cipherlist openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl
+--- openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl.system-cipherlist 2018-07-25 10:13:06.325232356 +0200
++++ openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl 2018-07-25 10:18:27.067863251 +0200
+@@ -176,6 +176,10 @@ MANDIR=$(INSTALLTOP)/share/man
+ DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME)
+ HTMLDIR=$(DOCDIR)/html
+
++{- output_off() if $config{system_ciphers_file} eq ""; "" -}
++SYSTEM_CIPHERS_FILE_DEFINE=-DSYSTEM_CIPHERS_FILE="\"{- $config{system_ciphers_file} -}\""
++{- output_on() if $config{system_ciphers_file} eq ""; "" -}
++
+ # MANSUFFIX is for the benefit of anyone who may want to have a suffix
+ # appended after the manpage file section number. "ssl" is popular,
+ # resulting in files such as config.5ssl rather than config.5.
+@@ -199,6 +203,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -}
+ CXX={- $config{CXX} ? "\$(CROSS_COMPILE)$config{CXX}" : '' -}
+ CPPFLAGS={- our $cppflags1 = join(" ",
+ (map { "-D".$_} @{$config{CPPDEFINES}}),
++ "\$(SYSTEM_CIPHERS_FILE_DEFINE)",
+ (map { "-I".$_} @{$config{CPPINCLUDES}}),
+ @{$config{CPPFLAGS}}) -}
+ CFLAGS={- join(' ', @{$config{CFLAGS}}) -}
+diff -up openssl-1.1.1-pre8/Configure.system-cipherlist openssl-1.1.1-pre8/Configure
+--- openssl-1.1.1-pre8/Configure.system-cipherlist 2018-06-20 16:48:09.000000000 +0200
++++ openssl-1.1.1-pre8/Configure 2018-07-25 10:13:06.346232856 +0200
+@@ -21,7 +21,7 @@ use OpenSSL::Glob;
+
+ # see INSTALL for instructions.
+
+-my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
++my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
+
+ # Options:
+ #
+@@ -38,6 +38,9 @@ my $usage="Usage: Configure [no-<cipher>
+ # This becomes the value of OPENSSLDIR in Makefile and in C.
+ # (Default: PREFIX/ssl)
+ #
++# --system-ciphers-file A file to read cipher string from when the PROFILE=SYSTEM
++# cipher is specified (default).
++#
+ # --cross-compile-prefix Add specified prefix to binutils components.
+ #
+ # --api One of 0.9.8, 1.0.0 or 1.1.0. Do not compile support for
+@@ -291,6 +294,7 @@ $config{prefix}="";
+ $config{openssldir}="";
+ $config{processor}="";
+ $config{libdir}="";
++$config{system_ciphers_file}="";
+ my $auto_threads=1; # enable threads automatically? true by default
+ my $default_ranlib;
+
+@@ -814,6 +818,10 @@ while (@argvcopy)
+ push @seed_sources, $x;
+ }
+ }
++ elsif (/^--system-ciphers-file=(.*)$/)
++ {
++ $config{system_ciphers_file}=$1;
++ }
+ elsif (/^--cross-compile-prefix=(.*)$/)
+ {
+ $user{CROSS_COMPILE}=$1;
+@@ -1000,6 +1008,8 @@ if ($target eq "HASH") {
+ exit 0;
+ }
+
++chop $config{system_ciphers_file} if $config{system_ciphers_file} =~ /\/$/;
++
+ print "Configuring OpenSSL version $config{version} ($config{version_num}) ";
+ print "for $target\n";
+
+diff -up openssl-1.1.1-pre8/doc/man1/ciphers.pod.system-cipherlist openssl-1.1.1-pre8/doc/man1/ciphers.pod
+--- openssl-1.1.1-pre8/doc/man1/ciphers.pod.system-cipherlist 2018-06-20 16:48:12.000000000 +0200
++++ openssl-1.1.1-pre8/doc/man1/ciphers.pod 2018-07-25 10:13:06.346232856 +0200
+@@ -200,6 +200,15 @@ As of OpenSSL 1.0.0, the B<ALL> cipher s
+
+ The cipher suites not enabled by B<ALL>, currently B<eNULL>.
+
++=item B<PROFILE=SYSTEM>
++
++The list of enabled cipher suites will be loaded from the system crypto policy
++configuration file B</etc/crypto-policies/back-ends/openssl.config>.
++See also L<update-crypto-policies(8)>.
++This is the default behavior unless an application explicitly sets a cipher
++list. If used in a cipher list configuration value this string must be at the
++beginning of the cipher list, otherwise it will not be recognized.
++
+ =item B<HIGH>
+
+ "High" encryption cipher suites. This currently means those with key lengths
+diff -up openssl-1.1.1-pre8/include/openssl/ssl.h.system-cipherlist openssl-1.1.1-pre8/include/openssl/ssl.h
+--- openssl-1.1.1-pre8/include/openssl/ssl.h.system-cipherlist 2018-06-20 16:48:13.000000000 +0200
++++ openssl-1.1.1-pre8/include/openssl/ssl.h 2018-07-25 10:13:06.346232856 +0200
+@@ -186,6 +186,11 @@ extern "C" {
+ * throwing out anonymous and unencrypted ciphersuites! (The latter are not
+ * actually enabled by ALL, but "ALL:RSA" would enable some of them.)
+ */
++# ifdef SYSTEM_CIPHERS_FILE
++# define SSL_SYSTEM_DEFAULT_CIPHER_LIST "PROFILE=SYSTEM"
++# else
++# define SSL_SYSTEM_DEFAULT_CIPHER_LIST SSL_DEFAULT_CIPHER_LIST
++# endif
+
+ /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
+ # define SSL_SENT_SHUTDOWN 1
+diff -up openssl-1.1.1-pre8/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre8/ssl/ssl_ciph.c
+--- openssl-1.1.1-pre8/ssl/ssl_ciph.c.system-cipherlist 2018-06-20 16:48:13.000000000 +0200
++++ openssl-1.1.1-pre8/ssl/ssl_ciph.c 2018-07-25 10:36:36.475896866 +0200
+@@ -9,6 +9,8 @@
+ * https://www.openssl.org/source/license.html
+ */
+
++/* for secure_getenv */
++#define _GNU_SOURCE
+ #include <stdio.h>
+ #include <ctype.h>
+ #include <openssl/objects.h>
+@@ -1400,6 +1402,53 @@ int SSL_set_ciphersuites(SSL *s, const c
+ return ret;
+ }
+
++#ifdef SYSTEM_CIPHERS_FILE
++static char *load_system_str(const char *suffix)
++{
++ FILE *fp;
++ char buf[1024];
++ char *new_rules;
++ const char *ciphers_path;
++ unsigned len, slen;
++
++ if ((ciphers_path = secure_getenv("OPENSSL_SYSTEM_CIPHERS_OVERRIDE")) == NULL)
++ ciphers_path = SYSTEM_CIPHERS_FILE;
++ fp = fopen(ciphers_path, "r");
++ if (fp == NULL || fgets(buf, sizeof(buf), fp) == NULL) {
++ /* cannot open or file is empty */
++ snprintf(buf, sizeof(buf), "%s", SSL_DEFAULT_CIPHER_LIST);
++ }
++
++ if (fp)
++ fclose(fp);
++
++ slen = strlen(suffix);
++ len = strlen(buf);
++
++ if (buf[len - 1] == '\n') {
++ len--;
++ buf[len] = 0;
++ }
++ if (buf[len - 1] == '\r') {
++ len--;
++ buf[len] = 0;
++ }
++
++ new_rules = OPENSSL_malloc(len + slen + 1);
++ if (new_rules == 0)
++ return NULL;
++
++ memcpy(new_rules, buf, len);
++ if (slen > 0) {
++ memcpy(&new_rules[len], suffix, slen);
++ len += slen;
++ }
++ new_rules[len] = 0;
++
++ return new_rules;
++}
++#endif
++
+ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
+ STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
+ STACK_OF(SSL_CIPHER) **cipher_list,
+@@ -1413,15 +1462,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+ const char *rule_p;
+ CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
+ const SSL_CIPHER **ca_list = NULL;
++#ifdef SYSTEM_CIPHERS_FILE
++ char *new_rules = NULL;
++
++ if (rule_str != NULL && strncmp(rule_str, "PROFILE=SYSTEM", 14) == 0) {
++ char *p = rule_str + 14;
++
++ new_rules = load_system_str(p);
++ rule_str = new_rules;
++ }
++#endif
+
+ /*
+ * Return with error if nothing to do.
+ */
+ if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL)
+- return NULL;
++ goto err;
+ #ifndef OPENSSL_NO_EC
+ if (!check_suiteb_cipher_list(ssl_method, c, &rule_str))
+- return NULL;
++ goto err;
+ #endif
+
+ /*
+@@ -1444,7 +1503,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+ co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers);
+ if (co_list == NULL) {
+ SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
+- return NULL; /* Failure */
++ goto err;
+ }
+
+ ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
+@@ -1510,8 +1569,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+ * in force within each class
+ */
+ if (!ssl_cipher_strength_sort(&head, &tail)) {
+- OPENSSL_free(co_list);
+- return NULL;
++ goto err;
+ }
+
+ /*
+@@ -1556,9 +1614,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+ num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
+ ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
+ if (ca_list == NULL) {
+- OPENSSL_free(co_list);
+ SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
+- return NULL; /* Failure */
++ goto err;
+ }
+ ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
+ disabled_mkey, disabled_auth, disabled_enc,
+@@ -1584,8 +1641,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+ OPENSSL_free(ca_list); /* Not needed anymore */
+
+ if (!ok) { /* Rule processing failure */
+- OPENSSL_free(co_list);
+- return NULL;
++ goto err;
+ }
+
+ /*
+@@ -1593,14 +1649,18 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+ * if we cannot get one.
+ */
+ if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
+- OPENSSL_free(co_list);
+- return NULL;
++ goto err;
+ }
+
++#ifdef SYSTEM_CIPHERS_FILE
++ OPENSSL_free(new_rules); /* Not needed anymore */
++#endif
++
+ /* Add TLSv1.3 ciphers first - we always prefer those if possible */
+ for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
+ if (!sk_SSL_CIPHER_push(cipherstack,
+ sk_SSL_CIPHER_value(tls13_ciphersuites, i))) {
++ OPENSSL_free(co_list);
+ sk_SSL_CIPHER_free(cipherstack);
+ return NULL;
+ }
+@@ -1632,6 +1692,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+ *cipher_list = cipherstack;
+
+ return cipherstack;
++
++err:
++ OPENSSL_free(co_list);
++#ifdef SYSTEM_CIPHERS_FILE
++ OPENSSL_free(new_rules);
++#endif
++ return NULL;
++
+ }
+
+ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
+diff -up openssl-1.1.1-pre8/ssl/ssl_lib.c.system-cipherlist openssl-1.1.1-pre8/ssl/ssl_lib.c
+--- openssl-1.1.1-pre8/ssl/ssl_lib.c.system-cipherlist 2018-07-25 10:13:06.347232880 +0200
++++ openssl-1.1.1-pre8/ssl/ssl_lib.c 2018-07-25 10:37:38.715394989 +0200
+@@ -658,7 +658,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx
+ ctx->tls13_ciphersuites,
+ &(ctx->cipher_list),
+ &(ctx->cipher_list_by_id),
+- SSL_DEFAULT_CIPHER_LIST, ctx->cert);
++ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ctx->cert);
+ if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
+ SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
+ return 0;
+@@ -2931,7 +2931,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
+ if (!ssl_create_cipher_list(ret->method,
+ ret->tls13_ciphersuites,
+ &ret->cipher_list, &ret->cipher_list_by_id,
+- SSL_DEFAULT_CIPHER_LIST, ret->cert)
++ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ret->cert)
+ || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
+ SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
+ goto err2;
+diff -up openssl-1.1.1-pre8/test/cipherlist_test.c.system-cipherlist openssl-1.1.1-pre8/test/cipherlist_test.c
+--- openssl-1.1.1-pre8/test/cipherlist_test.c.system-cipherlist 2018-07-25 10:13:06.348232903 +0200
++++ openssl-1.1.1-pre8/test/cipherlist_test.c 2018-07-25 10:39:08.887552814 +0200
+@@ -217,7 +217,9 @@ static int test_default_cipherlist_expli
+
+ int setup_tests(void)
+ {
++#ifndef SYSTEM_CIPHERS_FILE
+ ADD_TEST(test_default_cipherlist_implicit);
++#endif
+ ADD_TEST(test_default_cipherlist_explicit);
+ return 1;
+ }
diff --git a/openssl-1.1.1-version-add-engines.patch b/openssl-1.1.1-version-add-engines.patch
new file mode 100644
index 0000000..3c3f58e
--- /dev/null
+++ b/openssl-1.1.1-version-add-engines.patch
@@ -0,0 +1,38 @@
+diff -up openssl-1.1.1-pre8/apps/version.c.version-add-engines openssl-1.1.1-pre8/apps/version.c
+--- openssl-1.1.1-pre8/apps/version.c.version-add-engines 2018-06-20 16:48:09.000000000 +0200
++++ openssl-1.1.1-pre8/apps/version.c 2018-07-16 18:00:40.608624346 +0200
+@@ -64,7 +64,7 @@ int version_main(int argc, char **argv)
+ {
+ int ret = 1, dirty = 0, seed = 0;
+ int cflags = 0, version = 0, date = 0, options = 0, platform = 0, dir = 0;
+- int engdir = 0;
++ int engdir = 0, engines = 0;
+ char *prog;
+ OPTION_CHOICE o;
+
+@@ -106,7 +106,7 @@ opthelp:
+ break;
+ case OPT_A:
+ seed = options = cflags = version = date = platform = dir = engdir
+- = 1;
++ = engines = 1;
+ break;
+ }
+ }
+@@ -188,6 +188,16 @@ opthelp:
+ #endif
+ printf("\n");
+ }
++ if (engines) {
++ ENGINE *e;
++ printf("engines: ");
++ e = ENGINE_get_first();
++ while (e) {
++ printf("%s ", ENGINE_get_id(e));
++ e = ENGINE_get_next(e);
++ }
++ printf("\n");
++ }
+ ret = 0;
+ end:
+ return ret;
diff --git a/openssl-1.1.1-version-override.patch b/openssl-1.1.1-version-override.patch
new file mode 100644
index 0000000..dae63f9
--- /dev/null
+++ b/openssl-1.1.1-version-override.patch
@@ -0,0 +1,14 @@
+diff -up openssl-1.1.1-pre8/include/openssl/opensslv.h.version-override openssl-1.1.1-pre8/include/openssl/opensslv.h
+--- openssl-1.1.1-pre8/include/openssl/opensslv.h.version-override 2018-06-20 16:48:13.000000000 +0200
++++ openssl-1.1.1-pre8/include/openssl/opensslv.h 2018-07-25 11:03:29.297543392 +0200
+@@ -39,8 +39,8 @@ extern "C" {
+ * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
+ * major minor fix final patch/beta)
+ */
+-# define OPENSSL_VERSION_NUMBER 0x10101008L
+-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1-pre8 (beta) 20 Jun 2018"
++# define OPENSSL_VERSION_NUMBER 0x1010100fL
++# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1-pre8 (beta) FIPS 20 Jun 2018"
+
+ /*-
+ * The macros below are to be used for shared library (.so, .dll, ...)
diff --git a/openssl.spec b/openssl.spec
index 827f727..ff9e2f4 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -19,15 +19,17 @@
%global _performance_build 1
+%global prerelease pre8
+
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
-Version: 1.1.0h
-Release: 6%{?dist}
+Version: 1.1.1
+Release: 0.%{prerelease}%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
# The original openssl upstream tarball cannot be shipped in the .src.rpm.
-Source: openssl-%{version}-hobbled.tar.xz
+Source: openssl-%{version}-%{prerelease}-hobbled.tar.xz
Source1: hobble-openssl
Source2: Makefile.certificate
Source6: make-dummy-cert
@@ -38,30 +40,25 @@ Source11: README.FIPS
Source12: ec_curve.c
Source13: ectest.c
# Build changes
-Patch1: openssl-1.1.0-build.patch
+Patch1: openssl-1.1.1-build.patch
Patch2: openssl-1.1.0-defaults.patch
Patch3: openssl-1.1.0-no-html.patch
+Patch4: openssl-1.1.1-man-rename.patch
# Bug fixes
Patch21: openssl-1.1.0-issuer-hash.patch
-Patch22: openssl-1.1.0-algo-doc.patch
-Patch23: openssl-1.1.0-manfix.patch
# Functionality changes
Patch31: openssl-1.1.0-ca-dir.patch
-Patch32: openssl-1.1.0-version-add-engines.patch
+Patch32: openssl-1.1.1-version-add-engines.patch
Patch33: openssl-1.1.0-apps-dgst.patch
-Patch35: openssl-1.1.0-chil-fixes.patch
-Patch36: openssl-1.1.0-secure-getenv.patch
-Patch37: openssl-1.1.0-ec-curves.patch
+Patch36: openssl-1.1.1-secure-getenv.patch
+Patch37: openssl-1.1.1-ec-curves.patch
Patch38: openssl-1.1.0-no-weak-verify.patch
-Patch39: openssl-1.1.0-cc-reqs.patch
-Patch40: openssl-1.1.0-disable-ssl3.patch
-Patch41: openssl-1.1.0-system-cipherlist.patch
-Patch42: openssl-1.1.0-fips.patch
-Patch44: openssl-1.1.0-bio-fd-preserve-nl.patch
+Patch40: openssl-1.1.1-disable-ssl3.patch
+Patch41: openssl-1.1.1-system-cipherlist.patch
+Patch42: openssl-1.1.1-fips.patch
+Patch44: openssl-1.1.1-version-override.patch
Patch45: openssl-1.1.0-weak-ciphers.patch
-Patch46: openssl-1.1.0-silent-rnd-write.patch
# Backported fixes including security fixes
-Patch70: openssl-1.1.0-missing-quotes.patch
License: OpenSSL
Group: System Environment/Libraries
@@ -71,6 +68,7 @@ BuildRequires: coreutils, krb5-devel, perl-interpreter, sed, zlib-devel, /usr/bi
BuildRequires: lksctp-tools-devel
BuildRequires: /usr/bin/rename
BuildRequires: /usr/bin/pod2man
+BuildRequires: /usr/sbin/sysctl
BuildRequires: perl(Test::Harness), perl(Test::More), perl(Math::BigInt)
BuildRequires: perl(Module::Load::Conditional), perl(File::Temp)
BuildRequires: perl(Time::HiRes)
@@ -134,7 +132,7 @@ package provides Perl scripts for converting certificates and keys
from other formats to the formats used by the OpenSSL toolkit.
%prep
-%setup -q -n %{name}-%{version}
+%setup -q -n %{name}-%{version}-%{prerelease}
# The hobble_openssl is called here redundantly, just to be sure.
# The tarball has already the sources removed.
@@ -146,27 +144,22 @@ cp %{SOURCE13} test/
%patch1 -p1 -b .build %{?_rawbuild}
%patch2 -p1 -b .defaults
%patch3 -p1 -b .no-html %{?_rawbuild}
+%patch4 -p1 -b .man-rename
%patch21 -p1 -b .issuer-hash
-%patch22 -p1 -b .algo-doc
-%patch23 -p1 -b .manfix
%patch31 -p1 -b .ca-dir
%patch32 -p1 -b .version-add-engines
%patch33 -p1 -b .dgst
-%patch35 -p1 -b .chil
%patch36 -p1 -b .secure-getenv
%patch37 -p1 -b .curves
%patch38 -p1 -b .no-weak-verify
-%patch39 -p1 -b .cc-reqs
%patch40 -p1 -b .disable-ssl3
%patch41 -p1 -b .system-cipherlist
%patch42 -p1 -b .fips
-%patch44 -p1 -b .preserve-nl
+%patch44 -p1 -b .version-override
%patch45 -p1 -b .weak-ciphers
-%patch46 -p1 -b .silent-rnd-write
-%patch70 -p1 -b .missing-quotes
%build
# Figure out which flags we want to use.
@@ -246,7 +239,7 @@ export HASHBANGPERL=/usr/bin/perl
zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
enable-cms enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method \
enable-weak-ssl-ciphers \
- no-mdc2 no-ec2m \
+ no-mdc2 no-ec2m no-sm2 \
shared ${sslarch} $RPM_OPT_FLAGS
# Do not run this in a production package the FIPS symbols must be patched-in
@@ -265,6 +258,13 @@ done
%check
# Verify that what was compiled actually works.
+# Hack - either enable SCTP AUTH chunks in kernel or disable sctp for check
+(sysctl net.sctp.addip_enable=1 && sysctl net.sctp.auth_enable=1) || \
+(echo 'Failed to enable SCTP AUTH chunks, disabling SCTP for tests...' &&
+ sed '/"zlib-dynamic" => "default",/a\ \ "sctp" => "default",' configdata.pm > configdata.pm.new && \
+ touch -r configdata.pm configdata.pm.new && \
+ mv -f configdata.pm.new configdata.pm)
+
# We must revert patch31 before tests otherwise they will fail
patch -p1 -R < %{PATCH31}
@@ -276,6 +276,8 @@ crypto/fips/fips_standalone_hmac libssl.so.%{soversion} >.libssl.so.%{soversion}
ln -s .libssl.so.%{soversion}.hmac .libssl.so.hmac
OPENSSL_ENABLE_MD5_VERIFY=
export OPENSSL_ENABLE_MD5_VERIFY
+OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
+export OPENSSL_SYSTEM_CIPHERS_OVERRIDE
make test
# Add generation of HMAC checksum of the final stripped library
@@ -344,11 +346,13 @@ mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/certs
mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/crl
mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/newcerts
-# Ensure the openssl.cnf timestamp is identical across builds to avoid
+# Ensure the config file timestamps are identical across builds to avoid
# mulitlib conflicts and unnecessary renames on upgrade
touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf
+touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf.dist
+rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist
# Determine which arch opensslconf.h is going to try to #include.
basearch=%{_arch}
@@ -399,6 +403,7 @@ export LD_LIBRARY_PATH
%dir %{_sysconfdir}/pki/tls/misc
%dir %{_sysconfdir}/pki/tls/private
%config(noreplace) %{_sysconfdir}/pki/tls/openssl.cnf
+%config(noreplace) %{_sysconfdir}/pki/tls/ct_log_list.cnf
%attr(0755,root,root) %{_libdir}/libcrypto.so.%{version}
%attr(0755,root,root) %{_libdir}/libcrypto.so.%{soversion}
%attr(0755,root,root) %{_libdir}/libssl.so.%{version}
@@ -435,6 +440,9 @@ export LD_LIBRARY_PATH
%postun libs -p /sbin/ldconfig
%changelog
+* Wed Jul 25 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-0.pre8.1
+- update to the latest 1.1.1 beta version
+
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.1.0h-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
diff --git a/sources b/sources
index b8fb121..1e0d81a 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (openssl-1.1.0h-hobbled.tar.xz) = cba4641956d6593f5cf5164bed12fb3acfaa9c24a69d5642cc0267d0918555450a12ddeac6e02b246afa64e7019f35baa0d9302d1f06e3be5555d8340319c5e4
+SHA512 (openssl-1.1.1-pre8-hobbled.tar.xz) = eca0c8843c69fc3dcd1a27d56107368548f5674a64decc62ff48196d30485f287550bb671ca8bc48aeef482a8419462638bf152850c741e4554219230f4c4582
^ permalink raw reply related [flat|nested] 2+ messages in thread* [rpms/openssl] rebase_40beta: update to the latest 1.1.1 beta version
@ 2026-06-09 12:44 Tomas Mraz
0 siblings, 0 replies; 2+ messages in thread
From: Tomas Mraz @ 2026-06-09 12:44 UTC (permalink / raw)
To: git-commits
A new commit has been pushed.
Repo : rpms/openssl
Branch : rebase_40beta
Commit : 62ec0f1fa920e67f41f5784975a5419a29f24bfa
Author : Tomas Mraz <tmraz@fedoraproject.org>
Date : 2018-08-22T12:41:26+02:00
Stats : +414/-1326 in 11 file(s)
URL : https://src.fedoraproject.org/rpms/openssl/c/62ec0f1fa920e67f41f5784975a5419a29f24bfa?branch=rebase_40beta
Log:
update to the latest 1.1.1 beta version
---
diff --git a/.gitignore b/.gitignore
index 8bacadc..9223d8f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -39,3 +39,4 @@ openssl-1.0.0a-usa.tar.bz2
/openssl-1.1.0g-hobbled.tar.xz
/openssl-1.1.0h-hobbled.tar.xz
/openssl-1.1.1-pre8-hobbled.tar.xz
+/openssl-1.1.1-pre9-hobbled.tar.xz
diff --git a/ec_curve.c b/ec_curve.c
index 7303fe9..58f8f3f 100644
--- a/ec_curve.c
+++ b/ec_curve.c
@@ -349,7 +349,7 @@ static EC_GROUP *ec_group_new_from_data(const ec_list_element curve)
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB);
goto err;
}
- if (!EC_POINT_set_affine_coordinates_GFp(group, P, x, y, ctx)) {
+ if (!EC_POINT_set_affine_coordinates(group, P, x, y, ctx)) {
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
goto err;
}
diff --git a/ectest.c b/ectest.c
index c3ac7c6..5c20ac3 100644
--- a/ectest.c
+++ b/ectest.c
@@ -31,6 +31,7 @@ static int group_order_tests(EC_GROUP *group)
{
BIGNUM *n1 = NULL, *n2 = NULL, *order = NULL;
EC_POINT *P = NULL, *Q = NULL, *R = NULL, *S = NULL;
+ const EC_POINT *G = NULL;
BN_CTX *ctx = NULL;
int i = 0, r = 0;
@@ -38,6 +39,7 @@ static int group_order_tests(EC_GROUP *group)
|| !TEST_ptr(n2 = BN_new())
|| !TEST_ptr(order = BN_new())
|| !TEST_ptr(ctx = BN_CTX_new())
+ || !TEST_ptr(G = EC_GROUP_get0_generator(group))
|| !TEST_ptr(P = EC_POINT_new(group))
|| !TEST_ptr(Q = EC_POINT_new(group))
|| !TEST_ptr(R = EC_POINT_new(group))
@@ -49,7 +51,15 @@ static int group_order_tests(EC_GROUP *group)
|| !TEST_true(EC_POINT_is_at_infinity(group, Q))
|| !TEST_true(EC_GROUP_precompute_mult(group, ctx))
|| !TEST_true(EC_POINT_mul(group, Q, order, NULL, NULL, ctx))
- || !TEST_true(EC_POINT_is_at_infinity(group, Q)))
+ || !TEST_true(EC_POINT_is_at_infinity(group, Q))
+ || !TEST_true(EC_POINT_copy(P, G))
+ || !TEST_true(BN_one(n1))
+ || !TEST_true(EC_POINT_mul(group, Q, n1, NULL, NULL, ctx))
+ || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx))
+ || !TEST_true(BN_sub(n1, order, n1))
+ || !TEST_true(EC_POINT_mul(group, Q, n1, NULL, NULL, ctx))
+ || !TEST_true(EC_POINT_invert(group, Q, ctx))
+ || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx)))
goto err;
for (i = 1; i <= 2; i++) {
@@ -62,6 +72,7 @@ static int group_order_tests(EC_GROUP *group)
* EC_GROUP_precompute_mult has set up precomputation.
*/
|| !TEST_true(EC_POINT_mul(group, P, n1, NULL, NULL, ctx))
+ || (i == 1 && !TEST_int_eq(0, EC_POINT_cmp(group, P, G, ctx)))
|| !TEST_true(BN_one(n1))
/* n1 = 1 - order */
|| !TEST_true(BN_sub(n1, n1, order))
@@ -181,16 +192,15 @@ static int prime_field_tests(void)
"FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE"))
|| !TEST_true(BN_hex2bn(&b, "B4050A850C04B3ABF5413256"
"5044B0B7D7BFD8BA270B39432355FFB4"))
- || !TEST_true(EC_GROUP_set_curve_GFp(group, p, a, b, ctx))
+ || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
|| !TEST_true(BN_hex2bn(&x, "B70E0CBD6BB4BF7F321390B9"
"4A03C1D356C21122343280D6115C1D21"))
- || !TEST_true(EC_POINT_set_compressed_coordinates_GFp(group, P, x, 0,
- ctx))
+ || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 0, ctx))
|| !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
|| !TEST_true(BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFF"
"FFFF16A2E0B8F03E13DD29455C5C2A3D"))
|| !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
- || !TEST_true(EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)))
+ || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
goto err;
TEST_info("NIST curve P-224 -- Generator");
@@ -205,8 +215,8 @@ static int prime_field_tests(void)
* When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
* and therefore setting the coordinates should fail.
*/
- || !TEST_false(EC_POINT_set_affine_coordinates_GFp(group, P, x,
- yplusone, ctx))
+ || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone,
+ ctx))
|| !TEST_int_eq(EC_GROUP_get_degree(group), 224)
|| !group_order_tests(group)
|| !TEST_ptr(P_224 = EC_GROUP_new(EC_GROUP_method_of(group)))
@@ -221,17 +231,16 @@ static int prime_field_tests(void)
"00000000FFFFFFFFFFFFFFFFFFFFFFFC"))
|| !TEST_true(BN_hex2bn(&b, "5AC635D8AA3A93E7B3EBBD55769886BC"
"651D06B0CC53B0F63BCE3C3E27D2604B"))
- || !TEST_true(EC_GROUP_set_curve_GFp(group, p, a, b, ctx))
+ || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
|| !TEST_true(BN_hex2bn(&x, "6B17D1F2E12C4247F8BCE6E563A440F2"
"77037D812DEB33A0F4A13945D898C296"))
- || !TEST_true(EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1,
- ctx))
+ || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 1, ctx))
|| !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
|| !TEST_true(BN_hex2bn(&z, "FFFFFFFF00000000FFFFFFFFFFFFFFFF"
"BCE6FAADA7179E84F3B9CAC2FC632551"))
|| !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
- || !TEST_true(EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)))
+ || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
goto err;
TEST_info("NIST curve P-256 -- Generator");
@@ -246,8 +255,8 @@ static int prime_field_tests(void)
* When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
* and therefore setting the coordinates should fail.
*/
- || !TEST_false(EC_POINT_set_affine_coordinates_GFp(group, P, x,
- yplusone, ctx))
+ || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone,
+ ctx))
|| !TEST_int_eq(EC_GROUP_get_degree(group), 256)
|| !group_order_tests(group)
|| !TEST_ptr(P_256 = EC_GROUP_new(EC_GROUP_method_of(group)))
@@ -265,19 +274,18 @@ static int prime_field_tests(void)
|| !TEST_true(BN_hex2bn(&b, "B3312FA7E23EE7E4988E056BE3F82D19"
"181D9C6EFE8141120314088F5013875A"
"C656398D8A2ED19D2A85C8EDD3EC2AEF"))
- || !TEST_true(EC_GROUP_set_curve_GFp(group, p, a, b, ctx))
+ || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
|| !TEST_true(BN_hex2bn(&x, "AA87CA22BE8B05378EB1C71EF320AD74"
"6E1D3B628BA79B9859F741E082542A38"
"5502F25DBF55296C3A545E3872760AB7"))
- || !TEST_true(EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1,
- ctx))
+ || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 1, ctx))
|| !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
|| !TEST_true(BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
"FFFFFFFFFFFFFFFFC7634D81F4372DDF"
"581A0DB248B0A77AECEC196ACCC52973"))
|| !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
- || !TEST_true(EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)))
+ || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
goto err;
TEST_info("NIST curve P-384 -- Generator");
@@ -293,8 +301,8 @@ static int prime_field_tests(void)
* When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
* and therefore setting the coordinates should fail.
*/
- || !TEST_false(EC_POINT_set_affine_coordinates_GFp(group, P, x,
- yplusone, ctx))
+ || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone,
+ ctx))
|| !TEST_int_eq(EC_GROUP_get_degree(group), 384)
|| !group_order_tests(group)
|| !TEST_ptr(P_384 = EC_GROUP_new(EC_GROUP_method_of(group)))
@@ -317,14 +325,13 @@ static int prime_field_tests(void)
"A2DA725B99B315F3B8B489918EF109E1"
"56193951EC7E937B1652C0BD3BB1BF07"
"3573DF883D2C34F1EF451FD46B503F00"))
- || !TEST_true(EC_GROUP_set_curve_GFp(group, p, a, b, ctx))
+ || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
|| !TEST_true(BN_hex2bn(&x, "C6"
"858E06B70404E9CD9E3ECB662395B442"
"9C648139053FB521F828AF606B4D3DBA"
"A14B5E77EFE75928FE1DC127A2FFA8DE"
"3348B3C1856A429BF97E7E31C2E5BD66"))
- || !TEST_true(EC_POINT_set_compressed_coordinates_GFp(group, P, x, 0,
- ctx))
+ || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 0, ctx))
|| !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
|| !TEST_true(BN_hex2bn(&z, "1FF"
"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
@@ -332,7 +339,7 @@ static int prime_field_tests(void)
"51868783BF2F966B7FCC0148F709A5D0"
"3BB5C9B8899C47AEBB6FB71E91386409"))
|| !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
- || !TEST_true(EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)))
+ || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
goto err;
TEST_info("NIST curve P-521 -- Generator");
@@ -350,8 +357,8 @@ static int prime_field_tests(void)
* When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
* and therefore setting the coordinates should fail.
*/
- || !TEST_false(EC_POINT_set_affine_coordinates_GFp(group, P, x,
- yplusone, ctx))
+ || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone,
+ ctx))
|| !TEST_int_eq(EC_GROUP_get_degree(group), 521)
|| !group_order_tests(group)
|| !TEST_ptr(P_521 = EC_GROUP_new(EC_GROUP_method_of(group)))
@@ -360,7 +367,7 @@ static int prime_field_tests(void)
/* more tests using the last curve */
/* Restore the point that got mangled in the (x, y + 1) test. */
- || !TEST_true(EC_POINT_set_affine_coordinates_GFp(group, P, x, y, ctx))
+ || !TEST_true(EC_POINT_set_affine_coordinates(group, P, x, y, ctx))
|| !TEST_true(EC_POINT_copy(Q, P))
|| !TEST_false(EC_POINT_is_at_infinity(group, Q))
|| !TEST_true(EC_POINT_dbl(group, P, P, ctx))
@@ -483,7 +490,7 @@ static int internal_curve_test_method(int n)
* implementations of several NIST curves with characteristic > 3.
*/
struct nistp_test_params {
- const EC_METHOD *(*meth) ();
+ const EC_METHOD *(*meth) (void);
int degree;
/*
* Qx, Qy and D are taken from
@@ -611,7 +618,7 @@ static int nistp_single_test(int idx)
|| !TEST_int_eq(1, BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
|| !TEST_true(BN_hex2bn(&a, test->a))
|| !TEST_true(BN_hex2bn(&b, test->b))
- || !TEST_true(EC_GROUP_set_curve_GFp(NISTP, p, a, b, ctx))
+ || !TEST_true(EC_GROUP_set_curve(NISTP, p, a, b, ctx))
|| !TEST_ptr(G = EC_POINT_new(NISTP))
|| !TEST_ptr(P = EC_POINT_new(NISTP))
|| !TEST_ptr(Q = EC_POINT_new(NISTP))
@@ -623,13 +630,13 @@ static int nistp_single_test(int idx)
* When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
* and therefore setting the coordinates should fail.
*/
- || !TEST_false(EC_POINT_set_affine_coordinates_GFp(NISTP, Q_CHECK, x,
- yplusone, ctx))
- || !TEST_true(EC_POINT_set_affine_coordinates_GFp(NISTP, Q_CHECK, x, y,
- ctx))
+ || !TEST_false(EC_POINT_set_affine_coordinates(NISTP, Q_CHECK, x,
+ yplusone, ctx))
+ || !TEST_true(EC_POINT_set_affine_coordinates(NISTP, Q_CHECK, x, y,
+ ctx))
|| !TEST_true(BN_hex2bn(&x, test->Gx))
|| !TEST_true(BN_hex2bn(&y, test->Gy))
- || !TEST_true(EC_POINT_set_affine_coordinates_GFp(NISTP, G, x, y, ctx))
+ || !TEST_true(EC_POINT_set_affine_coordinates(NISTP, G, x, y, ctx))
|| !TEST_true(BN_hex2bn(&order, test->order))
|| !TEST_true(EC_GROUP_set_generator(NISTP, G, order, BN_value_one()))
|| !TEST_int_eq(EC_GROUP_get_degree(NISTP), test->degree))
diff --git a/openssl-1.1.1-bidi-shutdown.patch b/openssl-1.1.1-bidi-shutdown.patch
deleted file mode 100644
index 14f21f8..0000000
--- a/openssl-1.1.1-bidi-shutdown.patch
+++ /dev/null
@@ -1,357 +0,0 @@
-diff -up openssl-1.1.1-pre8/crypto/err/openssl.txt.bidi-shutdown openssl-1.1.1-pre8/crypto/err/openssl.txt
---- openssl-1.1.1-pre8/crypto/err/openssl.txt.bidi-shutdown 2018-06-20 16:48:10.000000000 +0200
-+++ openssl-1.1.1-pre8/crypto/err/openssl.txt 2018-08-13 15:43:07.248438031 +0200
-@@ -2541,6 +2541,8 @@ SM2_R_INVALID_ENCODING:104:invalid encod
- SM2_R_INVALID_FIELD:105:invalid field
- SM2_R_NO_PARAMETERS_SET:109:no parameters set
- SM2_R_USER_ID_TOO_LARGE:106:user id too large
-+SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY:291:\
-+ application data after close notify
- SSL_R_APP_DATA_IN_HANDSHAKE:100:app data in handshake
- SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT:272:\
- attempt to reuse session in different context
-diff -up openssl-1.1.1-pre8/include/openssl/sslerr.h.bidi-shutdown openssl-1.1.1-pre8/include/openssl/sslerr.h
---- openssl-1.1.1-pre8/include/openssl/sslerr.h.bidi-shutdown 2018-06-20 16:48:13.000000000 +0200
-+++ openssl-1.1.1-pre8/include/openssl/sslerr.h 2018-08-13 15:43:07.250438079 +0200
-@@ -446,6 +446,7 @@ int ERR_load_SSL_strings(void);
- /*
- * SSL reason codes.
- */
-+# define SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY 291
- # define SSL_R_APP_DATA_IN_HANDSHAKE 100
- # define SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT 272
- # define SSL_R_AT_LEAST_TLS_1_0_NEEDED_IN_FIPS_MODE 143
-diff -up openssl-1.1.1-pre8/ssl/record/rec_layer_s3.c.bidi-shutdown openssl-1.1.1-pre8/ssl/record/rec_layer_s3.c
---- openssl-1.1.1-pre8/ssl/record/rec_layer_s3.c.bidi-shutdown 2018-06-20 16:48:13.000000000 +0200
-+++ openssl-1.1.1-pre8/ssl/record/rec_layer_s3.c 2018-08-13 15:43:07.250438079 +0200
-@@ -1457,40 +1457,6 @@ int ssl3_read_bytes(SSL *s, int type, in
- return -1;
- }
-
-- /*
-- * In case of record types for which we have 'fragment' storage, fill
-- * that so that we can process the data at a fixed place.
-- */
-- {
-- size_t dest_maxlen = 0;
-- unsigned char *dest = NULL;
-- size_t *dest_len = NULL;
--
-- if (SSL3_RECORD_get_type(rr) == SSL3_RT_HANDSHAKE) {
-- dest_maxlen = sizeof(s->rlayer.handshake_fragment);
-- dest = s->rlayer.handshake_fragment;
-- dest_len = &s->rlayer.handshake_fragment_len;
-- }
--
-- if (dest_maxlen > 0) {
-- n = dest_maxlen - *dest_len; /* available space in 'dest' */
-- if (SSL3_RECORD_get_length(rr) < n)
-- n = SSL3_RECORD_get_length(rr); /* available bytes */
--
-- /* now move 'n' bytes: */
-- memcpy(dest + *dest_len,
-- SSL3_RECORD_get_data(rr) + SSL3_RECORD_get_off(rr), n);
-- SSL3_RECORD_add_off(rr, n);
-- SSL3_RECORD_sub_length(rr, n);
-- *dest_len += n;
-- if (SSL3_RECORD_get_length(rr) == 0)
-- SSL3_RECORD_set_read(rr);
--
-- if (*dest_len < dest_maxlen)
-- goto start; /* fragment was too small */
-- }
-- }
--
- /*-
- * s->rlayer.handshake_fragment_len == 4 iff rr->type == SSL3_RT_HANDSHAKE;
- * (Possibly rr is 'empty' now, i.e. rr->length may be 0.)
-@@ -1583,12 +1549,70 @@ int ssl3_read_bytes(SSL *s, int type, in
- return -1;
- }
-
-- if (s->shutdown & SSL_SENT_SHUTDOWN) { /* but we have not received a
-- * shutdown */
-- s->rwstate = SSL_NOTHING;
-+ /*
-+ * If we've sent a close_notify but not yet received one back then ditch
-+ * anything we read.
-+ */
-+ if ((s->shutdown & SSL_SENT_SHUTDOWN) != 0) {
-+ /*
-+ * In TLSv1.3 this could get problematic if we receive a KeyUpdate
-+ * message after we sent a close_notify because we're about to ditch it,
-+ * so we won't be able to read a close_notify sent afterwards! We don't
-+ * support that.
-+ */
- SSL3_RECORD_set_length(rr, 0);
- SSL3_RECORD_set_read(rr);
-- return 0;
-+
-+ if (SSL3_RECORD_get_type(rr) == SSL3_RT_HANDSHAKE) {
-+ BIO *rbio;
-+
-+ if ((s->mode & SSL_MODE_AUTO_RETRY) != 0)
-+ goto start;
-+
-+ s->rwstate = SSL_READING;
-+ rbio = SSL_get_rbio(s);
-+ BIO_clear_retry_flags(rbio);
-+ BIO_set_retry_read(rbio);
-+ } else {
-+ /*
-+ * The peer is continuing to send application data, but we have
-+ * already sent close_notify. If this was expected we should have
-+ * been called via SSL_read() and this would have been handled
-+ * above.
-+ * No alert sent because we already sent close_notify
-+ */
-+ SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_SSL3_READ_BYTES,
-+ SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY);
-+ }
-+ return -1;
-+ }
-+
-+ /*
-+ * For handshake data we have 'fragment' storage, so fill that so that we
-+ * can process the header at a fixed place. This is done after the
-+ * "SHUTDOWN" code above to avoid filling the fragment storage with data
-+ * that we're just going to discard.
-+ */
-+ if (SSL3_RECORD_get_type(rr) == SSL3_RT_HANDSHAKE) {
-+ size_t dest_maxlen = sizeof(s->rlayer.handshake_fragment);
-+ unsigned char *dest = s->rlayer.handshake_fragment;
-+ size_t *dest_len = &s->rlayer.handshake_fragment_len;
-+
-+ n = dest_maxlen - *dest_len; /* available space in 'dest' */
-+ if (SSL3_RECORD_get_length(rr) < n)
-+ n = SSL3_RECORD_get_length(rr); /* available bytes */
-+
-+ /* now move 'n' bytes: */
-+ memcpy(dest + *dest_len,
-+ SSL3_RECORD_get_data(rr) + SSL3_RECORD_get_off(rr), n);
-+ SSL3_RECORD_add_off(rr, n);
-+ SSL3_RECORD_sub_length(rr, n);
-+ *dest_len += n;
-+ if (SSL3_RECORD_get_length(rr) == 0)
-+ SSL3_RECORD_set_read(rr);
-+
-+ if (*dest_len < dest_maxlen)
-+ goto start; /* fragment was too small */
- }
-
- if (SSL3_RECORD_get_type(rr) == SSL3_RT_CHANGE_CIPHER_SPEC) {
-diff -up openssl-1.1.1-pre8/ssl/ssl_err.c.bidi-shutdown openssl-1.1.1-pre8/ssl/ssl_err.c
---- openssl-1.1.1-pre8/ssl/ssl_err.c.bidi-shutdown 2018-06-20 16:48:13.000000000 +0200
-+++ openssl-1.1.1-pre8/ssl/ssl_err.c 2018-08-13 15:43:07.251438103 +0200
-@@ -720,6 +720,8 @@ static const ERR_STRING_DATA SSL_str_fun
- };
-
- static const ERR_STRING_DATA SSL_str_reasons[] = {
-+ {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY),
-+ "application data after close notify"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_APP_DATA_IN_HANDSHAKE),
- "app data in handshake"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT),
-diff -up openssl-1.1.1-pre8/test/sslapitest.c.bidi-shutdown openssl-1.1.1-pre8/test/sslapitest.c
---- openssl-1.1.1-pre8/test/sslapitest.c.bidi-shutdown 2018-06-20 16:48:15.000000000 +0200
-+++ openssl-1.1.1-pre8/test/sslapitest.c 2018-08-13 15:43:07.252438127 +0200
-@@ -4971,6 +4971,135 @@ static int test_ticket_callbacks(int tst
- return testresult;
- }
-
-+/*
-+ * Test bi-directional shutdown.
-+ * Test 0: TLSv1.2
-+ * Test 1: TLSv1.2, server continues to read/write after client shutdown
-+ * Test 2: TLSv1.3, no pending NewSessionTicket messages
-+ * Test 3: TLSv1.3, pending NewSessionTicket messages
-+ * Test 4: TLSv1.3, server continues to read/write after client shutdown, client
-+ * reads it
-+ * Test 5: TLSv1.3, server continues to read/write after client shutdown, client
-+ * doesn't read it
-+ */
-+static int test_shutdown(int tst)
-+{
-+ SSL_CTX *cctx = NULL, *sctx = NULL;
-+ SSL *clientssl = NULL, *serverssl = NULL;
-+ int testresult = 0;
-+ char msg[] = "A test message";
-+ char buf[80];
-+ size_t written, readbytes;
-+
-+#ifdef OPENSSL_NO_TLS1_2
-+ if (tst == 0)
-+ return 1;
-+#endif
-+#ifdef OPENSSL_NO_TLS1_3
-+ if (tst != 0)
-+ return 1;
-+#endif
-+
-+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
-+ TLS_client_method(),
-+ TLS1_VERSION,
-+ (tst <= 1) ? TLS1_2_VERSION
-+ : TLS1_3_VERSION,
-+ &sctx, &cctx, cert, privkey))
-+ || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
-+ NULL, NULL)))
-+ goto end;
-+
-+ if (tst == 3) {
-+ if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
-+ SSL_ERROR_NONE)))
-+ goto end;
-+ } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
-+ SSL_ERROR_NONE))) {
-+ goto end;
-+ }
-+
-+ if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
-+ goto end;
-+
-+ if (tst >= 4) {
-+ /*
-+ * Reading on the server after the client has sent close_notify should
-+ * fail and provide SSL_ERROR_ZERO_RETURN
-+ */
-+ if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
-+ || !TEST_int_eq(SSL_get_error(serverssl, 0),
-+ SSL_ERROR_ZERO_RETURN)
-+ || !TEST_int_eq(SSL_get_shutdown(serverssl),
-+ SSL_RECEIVED_SHUTDOWN)
-+ /*
-+ * Even though we're shutdown on receive we should still be
-+ * able to write.
-+ */
-+ || !TEST_true(SSL_write(serverssl, msg, sizeof(msg)))
-+ || !TEST_int_eq(SSL_shutdown(serverssl), 1))
-+ goto end;
-+ if (tst == 4) {
-+ /* Should still be able to read data from server */
-+ if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
-+ &readbytes))
-+ || !TEST_size_t_eq(readbytes, sizeof(msg))
-+ || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
-+ goto end;
-+ }
-+ }
-+
-+ /* Writing on the client after sending close_notify shouldn't be possible */
-+ if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
-+ goto end;
-+
-+ if (tst < 4) {
-+ /*
-+ * For these tests the client has sent close_notify but it has not yet
-+ * been received by the server. The server has not sent close_notify
-+ * yet.
-+ */
-+ if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
-+ /*
-+ * Writing on the server after sending close_notify shouldn't
-+ * be possible.
-+ */
-+ || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
-+ || !TEST_int_eq(SSL_shutdown(clientssl), 1)
-+ || !TEST_int_eq(SSL_shutdown(serverssl), 1))
-+ goto end;
-+ } else if (tst == 4) {
-+ /*
-+ * In this test the client has sent close_notify and it has been
-+ * received by the server which has responded with a close_notify. The
-+ * client needs to read the close_notify sent by the server.
-+ */
-+ if (!TEST_int_eq(SSL_shutdown(clientssl), 1))
-+ goto end;
-+ } else {
-+ /*
-+ * tst == 5
-+ *
-+ * The client has sent close_notify and is expecting a close_notify
-+ * back, but instead there is application data first. The shutdown
-+ * should fail with a fatal error.
-+ */
-+ if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
-+ || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
-+ goto end;
-+ }
-+
-+ testresult = 1;
-+
-+ end:
-+ SSL_free(serverssl);
-+ SSL_free(clientssl);
-+ SSL_CTX_free(sctx);
-+ SSL_CTX_free(cctx);
-+
-+ return testresult;
-+}
-+
- int setup_tests(void)
- {
- if (!TEST_ptr(cert = test_get_argument(0))
-@@ -5068,6 +5197,7 @@ int setup_tests(void)
- ADD_ALL_TESTS(test_ssl_pending, 2);
- ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
- ADD_ALL_TESTS(test_ticket_callbacks, 12);
-+ ADD_ALL_TESTS(test_shutdown, 6);
- return 1;
- }
-
-diff -up openssl-1.1.1-pre8/test/ssltestlib.c.bidi-shutdown openssl-1.1.1-pre8/test/ssltestlib.c
---- openssl-1.1.1-pre8/test/ssltestlib.c.bidi-shutdown 2018-06-20 16:48:15.000000000 +0200
-+++ openssl-1.1.1-pre8/test/ssltestlib.c 2018-08-13 15:42:22.250355791 +0200
-@@ -680,12 +680,14 @@ int create_ssl_objects(SSL_CTX *serverct
- return 0;
- }
-
--int create_ssl_connection(SSL *serverssl, SSL *clientssl, int want)
-+/*
-+ * Create an SSL connection, but does not ready any post-handshake
-+ * NewSessionTicket messages.
-+ */
-+int create_bare_ssl_connection(SSL *serverssl, SSL *clientssl, int want)
- {
-- int retc = -1, rets = -1, err, abortctr = 0, i;
-+ int retc = -1, rets = -1, err, abortctr = 0;
- int clienterr = 0, servererr = 0;
-- unsigned char buf;
-- size_t readbytes;
- int isdtls = SSL_is_dtls(serverssl);
-
- do {
-@@ -738,6 +740,22 @@ int create_ssl_connection(SSL *serverssl
- }
- } while (retc <=0 || rets <= 0);
-
-+ return 1;
-+}
-+
-+/*
-+ * Create an SSL connection including any post handshake NewSessionTicket
-+ * messages.
-+ */
-+int create_ssl_connection(SSL *serverssl, SSL *clientssl, int want)
-+{
-+ int i;
-+ unsigned char buf;
-+ size_t readbytes;
-+
-+ if (!create_bare_ssl_connection(serverssl, clientssl, want))
-+ return 0;
-+
- /*
- * We attempt to read some data on the client side which we expect to fail.
- * This will ensure we have received the NewSessionTicket in TLSv1.3 where
-diff -up openssl-1.1.1-pre8/test/ssltestlib.h.bidi-shutdown openssl-1.1.1-pre8/test/ssltestlib.h
---- openssl-1.1.1-pre8/test/ssltestlib.h.bidi-shutdown 2018-07-26 12:03:48.143770413 +0200
-+++ openssl-1.1.1-pre8/test/ssltestlib.h 2018-08-13 15:42:22.250355791 +0200
-@@ -18,6 +18,7 @@ int create_ssl_ctx_pair(const SSL_METHOD
- char *privkeyfile);
- int create_ssl_objects(SSL_CTX *serverctx, SSL_CTX *clientctx, SSL **sssl,
- SSL **cssl, BIO *s_to_c_fbio, BIO *c_to_s_fbio);
-+int create_bare_ssl_connection(SSL *serverssl, SSL *clientssl, int want);
- int create_ssl_connection(SSL *serverssl, SSL *clientssl, int want);
- void shutdown_ssl_connection(SSL *serverssl, SSL *clientssl);
-
diff --git a/openssl-1.1.1-fips.patch b/openssl-1.1.1-fips.patch
index 9f32b03..9b34b7e 100644
--- a/openssl-1.1.1-fips.patch
+++ b/openssl-1.1.1-fips.patch
@@ -1,7 +1,7 @@
-diff -up openssl-1.1.1-pre8/apps/speed.c.fips openssl-1.1.1-pre8/apps/speed.c
---- openssl-1.1.1-pre8/apps/speed.c.fips 2018-07-25 17:26:58.393624416 +0200
-+++ openssl-1.1.1-pre8/apps/speed.c 2018-07-25 17:26:58.402624632 +0200
-@@ -1550,7 +1550,8 @@ int speed_main(int argc, char **argv)
+diff -up openssl-1.1.1-pre9/apps/speed.c.fips openssl-1.1.1-pre9/apps/speed.c
+--- openssl-1.1.1-pre9/apps/speed.c.fips 2018-08-22 12:17:53.399654580 +0200
++++ openssl-1.1.1-pre9/apps/speed.c 2018-08-22 12:17:53.418655045 +0200
+@@ -1558,7 +1558,8 @@ int speed_main(int argc, char **argv)
continue;
if (strcmp(*argv, "rsa") == 0) {
for (loop = 0; loop < OSSL_NELEM(rsa_doit); loop++)
@@ -11,7 +11,7 @@ diff -up openssl-1.1.1-pre8/apps/speed.c.fips openssl-1.1.1-pre8/apps/speed.c
continue;
}
if (found(*argv, rsa_choices, &i)) {
-@@ -1560,7 +1561,9 @@ int speed_main(int argc, char **argv)
+@@ -1568,7 +1569,9 @@ int speed_main(int argc, char **argv)
#endif
#ifndef OPENSSL_NO_DSA
if (strcmp(*argv, "dsa") == 0) {
@@ -22,7 +22,7 @@ diff -up openssl-1.1.1-pre8/apps/speed.c.fips openssl-1.1.1-pre8/apps/speed.c
dsa_doit[R_DSA_2048] = 1;
continue;
}
-@@ -1683,15 +1686,21 @@ int speed_main(int argc, char **argv)
+@@ -1691,15 +1694,21 @@ int speed_main(int argc, char **argv)
/* No parameters; turn on everything. */
if ((argc == 0) && !doit[D_EVP]) {
for (i = 0; i < ALGOR_NUM; i++)
@@ -47,7 +47,7 @@ diff -up openssl-1.1.1-pre8/apps/speed.c.fips openssl-1.1.1-pre8/apps/speed.c
#endif
#ifndef OPENSSL_NO_EC
for (loop = 0; loop < OSSL_NELEM(ecdsa_doit); loop++)
-@@ -1745,30 +1754,46 @@ int speed_main(int argc, char **argv)
+@@ -1753,30 +1762,46 @@ int speed_main(int argc, char **argv)
AES_set_encrypt_key(key24, 192, &aes_ks2);
AES_set_encrypt_key(key32, 256, &aes_ks3);
#ifndef OPENSSL_NO_CAMELLIA
@@ -104,7 +104,7 @@ diff -up openssl-1.1.1-pre8/apps/speed.c.fips openssl-1.1.1-pre8/apps/speed.c
#endif
#ifndef SIGALRM
# ifndef OPENSSL_NO_DES
-@@ -2059,6 +2084,7 @@ int speed_main(int argc, char **argv)
+@@ -2067,6 +2092,7 @@ int speed_main(int argc, char **argv)
for (i = 0; i < loopargs_len; i++) {
loopargs[i].hctx = HMAC_CTX_new();
@@ -112,10 +112,10 @@ diff -up openssl-1.1.1-pre8/apps/speed.c.fips openssl-1.1.1-pre8/apps/speed.c
if (loopargs[i].hctx == NULL) {
BIO_printf(bio_err, "HMAC malloc failure, exiting...");
exit(1);
-diff -up openssl-1.1.1-pre8/Configure.fips openssl-1.1.1-pre8/Configure
---- openssl-1.1.1-pre8/Configure.fips 2018-07-25 17:26:58.399624560 +0200
-+++ openssl-1.1.1-pre8/Configure 2018-07-25 17:26:58.402624632 +0200
-@@ -306,7 +306,7 @@ $config{sdirs} = [
+diff -up openssl-1.1.1-pre9/Configure.fips openssl-1.1.1-pre9/Configure
+--- openssl-1.1.1-pre9/Configure.fips 2018-08-22 12:17:53.412654898 +0200
++++ openssl-1.1.1-pre9/Configure 2018-08-22 12:17:53.418655045 +0200
+@@ -310,7 +310,7 @@ $config{sdirs} = [
"md2", "md4", "md5", "sha", "mdc2", "hmac", "ripemd", "whrlpool", "poly1305", "blake2", "siphash", "sm3",
"des", "aes", "rc2", "rc4", "rc5", "idea", "aria", "bf", "cast", "camellia", "seed", "sm4", "chacha", "modes",
"bn", "ec", "rsa", "dsa", "dh", "sm2", "dso", "engine",
@@ -124,9 +124,9 @@ diff -up openssl-1.1.1-pre8/Configure.fips openssl-1.1.1-pre8/Configure
"evp", "asn1", "pem", "x509", "x509v3", "conf", "txt_db", "pkcs7", "pkcs12", "comp", "ocsp", "ui",
"cms", "ts", "srp", "cmac", "ct", "async", "kdf", "store"
];
-diff -up openssl-1.1.1-pre8/crypto/dh/dh_err.c.fips openssl-1.1.1-pre8/crypto/dh/dh_err.c
---- openssl-1.1.1-pre8/crypto/dh/dh_err.c.fips 2018-06-20 16:48:10.000000000 +0200
-+++ openssl-1.1.1-pre8/crypto/dh/dh_err.c 2018-07-25 17:26:58.402624632 +0200
+diff -up openssl-1.1.1-pre9/crypto/dh/dh_err.c.fips openssl-1.1.1-pre9/crypto/dh/dh_err.c
+--- openssl-1.1.1-pre9/crypto/dh/dh_err.c.fips 2018-08-21 14:14:12.000000000 +0200
++++ openssl-1.1.1-pre9/crypto/dh/dh_err.c 2018-08-22 12:17:53.419655070 +0200
@@ -25,6 +25,9 @@ static const ERR_STRING_DATA DH_str_func
{ERR_PACK(ERR_LIB_DH, DH_F_DH_CMS_SET_PEERKEY, 0), "dh_cms_set_peerkey"},
{ERR_PACK(ERR_LIB_DH, DH_F_DH_CMS_SET_SHARED_INFO, 0),
@@ -152,9 +152,9 @@ diff -up openssl-1.1.1-pre8/crypto/dh/dh_err.c.fips openssl-1.1.1-pre8/crypto/dh
{ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR),
"parameter encoding error"},
{ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"},
-diff -up openssl-1.1.1-pre8/crypto/dh/dh_gen.c.fips openssl-1.1.1-pre8/crypto/dh/dh_gen.c
---- openssl-1.1.1-pre8/crypto/dh/dh_gen.c.fips 2018-06-20 16:48:10.000000000 +0200
-+++ openssl-1.1.1-pre8/crypto/dh/dh_gen.c 2018-07-25 17:26:58.402624632 +0200
+diff -up openssl-1.1.1-pre9/crypto/dh/dh_gen.c.fips openssl-1.1.1-pre9/crypto/dh/dh_gen.c
+--- openssl-1.1.1-pre9/crypto/dh/dh_gen.c.fips 2018-08-21 14:14:12.000000000 +0200
++++ openssl-1.1.1-pre9/crypto/dh/dh_gen.c 2018-08-22 12:17:53.419655070 +0200
@@ -16,6 +16,9 @@
#include "internal/cryptlib.h"
#include <openssl/bn.h>
@@ -198,9 +198,9 @@ diff -up openssl-1.1.1-pre8/crypto/dh/dh_gen.c.fips openssl-1.1.1-pre8/crypto/dh
ctx = BN_CTX_new();
if (ctx == NULL)
goto err;
-diff -up openssl-1.1.1-pre8/crypto/dh/dh_key.c.fips openssl-1.1.1-pre8/crypto/dh/dh_key.c
---- openssl-1.1.1-pre8/crypto/dh/dh_key.c.fips 2018-06-20 16:48:10.000000000 +0200
-+++ openssl-1.1.1-pre8/crypto/dh/dh_key.c 2018-07-25 17:26:58.402624632 +0200
+diff -up openssl-1.1.1-pre9/crypto/dh/dh_key.c.fips openssl-1.1.1-pre9/crypto/dh/dh_key.c
+--- openssl-1.1.1-pre9/crypto/dh/dh_key.c.fips 2018-08-21 14:14:12.000000000 +0200
++++ openssl-1.1.1-pre9/crypto/dh/dh_key.c 2018-08-22 12:17:53.419655070 +0200
@@ -11,6 +11,9 @@
#include "internal/cryptlib.h"
#include "dh_locl.h"
@@ -284,9 +284,9 @@ diff -up openssl-1.1.1-pre8/crypto/dh/dh_key.c.fips openssl-1.1.1-pre8/crypto/dh
dh->flags |= DH_FLAG_CACHE_MONT_P;
return 1;
}
-diff -up openssl-1.1.1-pre8/crypto/dsa/dsa_err.c.fips openssl-1.1.1-pre8/crypto/dsa/dsa_err.c
---- openssl-1.1.1-pre8/crypto/dsa/dsa_err.c.fips 2018-06-20 16:48:10.000000000 +0200
-+++ openssl-1.1.1-pre8/crypto/dsa/dsa_err.c 2018-07-25 17:26:58.402624632 +0200
+diff -up openssl-1.1.1-pre9/crypto/dsa/dsa_err.c.fips openssl-1.1.1-pre9/crypto/dsa/dsa_err.c
+--- openssl-1.1.1-pre9/crypto/dsa/dsa_err.c.fips 2018-08-21 14:14:12.000000000 +0200
++++ openssl-1.1.1-pre9/crypto/dsa/dsa_err.c 2018-08-22 12:17:53.419655070 +0200
@@ -16,12 +16,15 @@
static const ERR_STRING_DATA DSA_str_functs[] = {
{ERR_PACK(ERR_LIB_DSA, DSA_F_DSAPARAMS_PRINT, 0), "DSAparams_print"},
@@ -316,9 +316,9 @@ diff -up openssl-1.1.1-pre8/crypto/dsa/dsa_err.c.fips openssl-1.1.1-pre8/crypto/
{ERR_PACK(ERR_LIB_DSA, 0, DSA_R_PARAMETER_ENCODING_ERROR),
"parameter encoding error"},
{ERR_PACK(ERR_LIB_DSA, 0, DSA_R_Q_NOT_PRIME), "q not prime"},
-diff -up openssl-1.1.1-pre8/crypto/dsa/dsa_gen.c.fips openssl-1.1.1-pre8/crypto/dsa/dsa_gen.c
---- openssl-1.1.1-pre8/crypto/dsa/dsa_gen.c.fips 2018-06-20 16:48:10.000000000 +0200
-+++ openssl-1.1.1-pre8/crypto/dsa/dsa_gen.c 2018-07-25 17:26:58.403624656 +0200
+diff -up openssl-1.1.1-pre9/crypto/dsa/dsa_gen.c.fips openssl-1.1.1-pre9/crypto/dsa/dsa_gen.c
+--- openssl-1.1.1-pre9/crypto/dsa/dsa_gen.c.fips 2018-08-21 14:14:12.000000000 +0200
++++ openssl-1.1.1-pre9/crypto/dsa/dsa_gen.c 2018-08-22 12:17:53.419655070 +0200
@@ -22,12 +22,22 @@
#include <openssl/rand.h>
#include <openssl/sha.h>
@@ -480,9 +480,9 @@ diff -up openssl-1.1.1-pre8/crypto/dsa/dsa_gen.c.fips openssl-1.1.1-pre8/crypto/
+}
+
+#endif
-diff -up openssl-1.1.1-pre8/crypto/dsa/dsa_key.c.fips openssl-1.1.1-pre8/crypto/dsa/dsa_key.c
---- openssl-1.1.1-pre8/crypto/dsa/dsa_key.c.fips 2018-06-20 16:48:10.000000000 +0200
-+++ openssl-1.1.1-pre8/crypto/dsa/dsa_key.c 2018-07-25 17:26:58.403624656 +0200
+diff -up openssl-1.1.1-pre9/crypto/dsa/dsa_key.c.fips openssl-1.1.1-pre9/crypto/dsa/dsa_key.c
+--- openssl-1.1.1-pre9/crypto/dsa/dsa_key.c.fips 2018-08-21 14:14:12.000000000 +0200
++++ openssl-1.1.1-pre9/crypto/dsa/dsa_key.c 2018-08-22 12:17:53.419655070 +0200
@@ -13,10 +13,49 @@
#include <openssl/bn.h>
#include "dsa_locl.h"
@@ -562,9 +562,9 @@ diff -up openssl-1.1.1-pre8/crypto/dsa/dsa_key.c.fips openssl-1.1.1-pre8/crypto/
ok = 1;
err:
-diff -up openssl-1.1.1-pre8/crypto/dsa/dsa_ossl.c.fips openssl-1.1.1-pre8/crypto/dsa/dsa_ossl.c
---- openssl-1.1.1-pre8/crypto/dsa/dsa_ossl.c.fips 2018-06-20 16:48:10.000000000 +0200
-+++ openssl-1.1.1-pre8/crypto/dsa/dsa_ossl.c 2018-07-25 17:26:58.403624656 +0200
+diff -up openssl-1.1.1-pre9/crypto/dsa/dsa_ossl.c.fips openssl-1.1.1-pre9/crypto/dsa/dsa_ossl.c
+--- openssl-1.1.1-pre9/crypto/dsa/dsa_ossl.c.fips 2018-08-21 14:14:12.000000000 +0200
++++ openssl-1.1.1-pre9/crypto/dsa/dsa_ossl.c 2018-08-22 12:20:54.839098914 +0200
@@ -13,6 +13,9 @@
#include <openssl/sha.h>
#include "dsa_locl.h"
@@ -575,9 +575,9 @@ diff -up openssl-1.1.1-pre8/crypto/dsa/dsa_ossl.c.fips openssl-1.1.1-pre8/crypto
static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
static int dsa_sign_setup_no_digest(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
-@@ -66,6 +69,19 @@ static DSA_SIG *dsa_do_sign(const unsign
- DSA_SIG *ret = NULL;
- int rv = 0;
+@@ -70,6 +73,19 @@ static DSA_SIG *dsa_do_sign(const unsign
+ goto err;
+ }
+#ifdef OPENSSL_FIPS
+ if (FIPS_selftest_failed()) {
@@ -592,10 +592,10 @@ diff -up openssl-1.1.1-pre8/crypto/dsa/dsa_ossl.c.fips openssl-1.1.1-pre8/crypto
+ }
+#endif
+
- m = BN_new();
- xr = BN_new();
- if (m == NULL || xr == NULL)
-@@ -264,6 +280,18 @@ static int dsa_do_verify(const unsigned
+ ret = DSA_SIG_new();
+ if (ret == NULL)
+ goto err;
+@@ -296,6 +312,18 @@ static int dsa_do_verify(const unsigned
DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_BAD_Q_VALUE);
return -1;
}
@@ -614,7 +614,7 @@ diff -up openssl-1.1.1-pre8/crypto/dsa/dsa_ossl.c.fips openssl-1.1.1-pre8/crypto
if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) {
DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_MODULUS_TOO_LARGE);
-@@ -352,6 +380,9 @@ static int dsa_do_verify(const unsigned
+@@ -384,6 +412,9 @@ static int dsa_do_verify(const unsigned
static int dsa_init(DSA *dsa)
{
@@ -624,10 +624,10 @@ diff -up openssl-1.1.1-pre8/crypto/dsa/dsa_ossl.c.fips openssl-1.1.1-pre8/crypto
dsa->flags |= DSA_FLAG_CACHE_MONT_P;
return 1;
}
-diff -up openssl-1.1.1-pre8/crypto/dsa/dsa_pmeth.c.fips openssl-1.1.1-pre8/crypto/dsa/dsa_pmeth.c
---- openssl-1.1.1-pre8/crypto/dsa/dsa_pmeth.c.fips 2018-06-20 16:48:10.000000000 +0200
-+++ openssl-1.1.1-pre8/crypto/dsa/dsa_pmeth.c 2018-07-25 17:26:58.403624656 +0200
-@@ -221,8 +221,8 @@ static int pkey_dsa_paramgen(EVP_PKEY_CT
+diff -up openssl-1.1.1-pre9/crypto/dsa/dsa_pmeth.c.fips openssl-1.1.1-pre9/crypto/dsa/dsa_pmeth.c
+--- openssl-1.1.1-pre9/crypto/dsa/dsa_pmeth.c.fips 2018-08-21 14:14:12.000000000 +0200
++++ openssl-1.1.1-pre9/crypto/dsa/dsa_pmeth.c 2018-08-22 12:17:53.420655094 +0200
+@@ -211,8 +211,8 @@ static int pkey_dsa_paramgen(EVP_PKEY_CT
BN_GENCB_free(pcb);
return 0;
}
@@ -638,9 +638,9 @@ diff -up openssl-1.1.1-pre8/crypto/dsa/dsa_pmeth.c.fips openssl-1.1.1-pre8/crypt
BN_GENCB_free(pcb);
if (ret)
EVP_PKEY_assign_DSA(pkey, dsa);
-diff -up openssl-1.1.1-pre8/crypto/ec/ecdh_ossl.c.fips openssl-1.1.1-pre8/crypto/ec/ecdh_ossl.c
---- openssl-1.1.1-pre8/crypto/ec/ecdh_ossl.c.fips 2018-06-20 16:48:10.000000000 +0200
-+++ openssl-1.1.1-pre8/crypto/ec/ecdh_ossl.c 2018-07-25 17:26:58.403624656 +0200
+diff -up openssl-1.1.1-pre9/crypto/ec/ecdh_ossl.c.fips openssl-1.1.1-pre9/crypto/ec/ecdh_ossl.c
+--- openssl-1.1.1-pre9/crypto/ec/ecdh_ossl.c.fips 2018-08-21 14:14:12.000000000 +0200
++++ openssl-1.1.1-pre9/crypto/ec/ecdh_ossl.c 2018-08-22 12:17:53.420655094 +0200
@@ -19,9 +19,20 @@
#include <openssl/ec.h>
#include "ec_lcl.h"
@@ -662,11 +662,11 @@ diff -up openssl-1.1.1-pre8/crypto/ec/ecdh_ossl.c.fips openssl-1.1.1-pre8/crypto
if (ecdh->group->meth->ecdh_compute_key == NULL) {
ECerr(EC_F_OSSL_ECDH_COMPUTE_KEY, EC_R_CURVE_DOES_NOT_SUPPORT_ECDH);
return 0;
-diff -up openssl-1.1.1-pre8/crypto/ec/ecdsa_ossl.c.fips openssl-1.1.1-pre8/crypto/ec/ecdsa_ossl.c
---- openssl-1.1.1-pre8/crypto/ec/ecdsa_ossl.c.fips 2018-06-20 16:48:10.000000000 +0200
-+++ openssl-1.1.1-pre8/crypto/ec/ecdsa_ossl.c 2018-07-25 17:26:58.403624656 +0200
-@@ -15,6 +15,10 @@
- #include <openssl/ec.h>
+diff -up openssl-1.1.1-pre9/crypto/ec/ecdsa_ossl.c.fips openssl-1.1.1-pre9/crypto/ec/ecdsa_ossl.c
+--- openssl-1.1.1-pre9/crypto/ec/ecdsa_ossl.c.fips 2018-08-21 14:14:12.000000000 +0200
++++ openssl-1.1.1-pre9/crypto/ec/ecdsa_ossl.c 2018-08-22 12:21:45.828347887 +0200
+@@ -14,6 +14,10 @@
+ #include "internal/bn_int.h"
#include "ec_lcl.h"
+#ifdef OPENSSL_FIPS
@@ -676,7 +676,7 @@ diff -up openssl-1.1.1-pre8/crypto/ec/ecdsa_ossl.c.fips openssl-1.1.1-pre8/crypt
int ossl_ecdsa_sign(int type, const unsigned char *dgst, int dlen,
unsigned char *sig, unsigned int *siglen,
const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey)
-@@ -204,6 +208,13 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns
+@@ -159,6 +163,13 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns
ECDSA_SIG *ret;
const BIGNUM *priv_key;
@@ -690,7 +690,7 @@ diff -up openssl-1.1.1-pre8/crypto/ec/ecdsa_ossl.c.fips openssl-1.1.1-pre8/crypt
group = EC_KEY_get0_group(eckey);
priv_key = EC_KEY_get0_private_key(eckey);
-@@ -408,6 +419,13 @@ int ossl_ecdsa_verify_sig(const unsigned
+@@ -317,6 +328,13 @@ int ossl_ecdsa_verify_sig(const unsigned
const EC_GROUP *group;
const EC_POINT *pub_key;
@@ -704,9 +704,9 @@ diff -up openssl-1.1.1-pre8/crypto/ec/ecdsa_ossl.c.fips openssl-1.1.1-pre8/crypt
/* check input values */
if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL ||
(pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL) {
-diff -up openssl-1.1.1-pre8/crypto/ec/ec_key.c.fips openssl-1.1.1-pre8/crypto/ec/ec_key.c
---- openssl-1.1.1-pre8/crypto/ec/ec_key.c.fips 2018-06-20 16:48:10.000000000 +0200
-+++ openssl-1.1.1-pre8/crypto/ec/ec_key.c 2018-07-25 17:26:58.403624656 +0200
+diff -up openssl-1.1.1-pre9/crypto/ec/ec_key.c.fips openssl-1.1.1-pre9/crypto/ec/ec_key.c
+--- openssl-1.1.1-pre9/crypto/ec/ec_key.c.fips 2018-08-21 14:14:12.000000000 +0200
++++ openssl-1.1.1-pre9/crypto/ec/ec_key.c 2018-08-22 12:17:53.422655143 +0200
@@ -178,14 +178,62 @@ ENGINE *EC_KEY_get0_engine(const EC_KEY
return eckey->engine;
}
@@ -772,9 +772,9 @@ diff -up openssl-1.1.1-pre8/crypto/ec/ec_key.c.fips openssl-1.1.1-pre8/crypto/ec
ECerr(EC_F_EC_KEY_GENERATE_KEY, EC_R_OPERATION_NOT_SUPPORTED);
return 0;
}
-diff -up openssl-1.1.1-pre8/crypto/evp/c_allc.c.fips openssl-1.1.1-pre8/crypto/evp/c_allc.c
---- openssl-1.1.1-pre8/crypto/evp/c_allc.c.fips 2018-06-20 16:48:10.000000000 +0200
-+++ openssl-1.1.1-pre8/crypto/evp/c_allc.c 2018-07-25 17:26:58.404624680 +0200
+diff -up openssl-1.1.1-pre9/crypto/evp/c_allc.c.fips openssl-1.1.1-pre9/crypto/evp/c_allc.c
+--- openssl-1.1.1-pre9/crypto/evp/c_allc.c.fips 2018-08-21 14:14:12.000000000 +0200
++++ openssl-1.1.1-pre9/crypto/evp/c_allc.c 2018-08-22 12:17:53.422655143 +0200
@@ -17,6 +17,9 @@
void openssl_add_all_ciphers_int(void)
{
@@ -856,9 +856,9 @@ diff -up openssl-1.1.1-pre8/crypto/evp/c_allc.c.fips openssl-1.1.1-pre8/crypto/e
+ }
+#endif
}
-diff -up openssl-1.1.1-pre8/crypto/evp/c_alld.c.fips openssl-1.1.1-pre8/crypto/evp/c_alld.c
---- openssl-1.1.1-pre8/crypto/evp/c_alld.c.fips 2018-06-20 16:48:10.000000000 +0200
-+++ openssl-1.1.1-pre8/crypto/evp/c_alld.c 2018-07-25 17:26:58.404624680 +0200
+diff -up openssl-1.1.1-pre9/crypto/evp/c_alld.c.fips openssl-1.1.1-pre9/crypto/evp/c_alld.c
+--- openssl-1.1.1-pre9/crypto/evp/c_alld.c.fips 2018-08-21 14:14:12.000000000 +0200
++++ openssl-1.1.1-pre9/crypto/evp/c_alld.c 2018-08-22 12:17:53.422655143 +0200
@@ -16,6 +16,9 @@
void openssl_add_all_digests_int(void)
@@ -894,9 +894,9 @@ diff -up openssl-1.1.1-pre8/crypto/evp/c_alld.c.fips openssl-1.1.1-pre8/crypto/e
+ }
+#endif
}
-diff -up openssl-1.1.1-pre8/crypto/evp/digest.c.fips openssl-1.1.1-pre8/crypto/evp/digest.c
---- openssl-1.1.1-pre8/crypto/evp/digest.c.fips 2018-06-20 16:48:10.000000000 +0200
-+++ openssl-1.1.1-pre8/crypto/evp/digest.c 2018-07-25 17:26:58.404624680 +0200
+diff -up openssl-1.1.1-pre9/crypto/evp/digest.c.fips openssl-1.1.1-pre9/crypto/evp/digest.c
+--- openssl-1.1.1-pre9/crypto/evp/digest.c.fips 2018-08-21 14:14:12.000000000 +0200
++++ openssl-1.1.1-pre9/crypto/evp/digest.c 2018-08-22 12:17:53.423655168 +0200
@@ -14,6 +14,9 @@
#include <openssl/engine.h>
#include "internal/evp_int.h"
@@ -956,10 +956,10 @@ diff -up openssl-1.1.1-pre8/crypto/evp/digest.c.fips openssl-1.1.1-pre8/crypto/e
OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
ret = ctx->digest->final(ctx, md);
if (size != NULL)
-diff -up openssl-1.1.1-pre8/crypto/evp/e_aes.c.fips openssl-1.1.1-pre8/crypto/evp/e_aes.c
---- openssl-1.1.1-pre8/crypto/evp/e_aes.c.fips 2018-06-20 16:48:10.000000000 +0200
-+++ openssl-1.1.1-pre8/crypto/evp/e_aes.c 2018-07-25 17:26:58.404624680 +0200
-@@ -2776,9 +2776,9 @@ static int aes_ctr_cipher(EVP_CIPHER_CTX
+diff -up openssl-1.1.1-pre9/crypto/evp/e_aes.c.fips openssl-1.1.1-pre9/crypto/evp/e_aes.c
+--- openssl-1.1.1-pre9/crypto/evp/e_aes.c.fips 2018-08-21 14:14:12.000000000 +0200
++++ openssl-1.1.1-pre9/crypto/evp/e_aes.c 2018-08-22 12:17:53.423655168 +0200
+@@ -2794,9 +2794,9 @@ static int aes_ctr_cipher(EVP_CIPHER_CTX
return 1;
}
@@ -972,7 +972,7 @@ diff -up openssl-1.1.1-pre8/crypto/evp/e_aes.c.fips openssl-1.1.1-pre8/crypto/ev
static int aes_gcm_cleanup(EVP_CIPHER_CTX *c)
{
-@@ -2824,6 +2824,11 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *
+@@ -2826,6 +2826,11 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *
case EVP_CTRL_AEAD_SET_IVLEN:
if (arg <= 0)
return 0;
@@ -984,7 +984,7 @@ diff -up openssl-1.1.1-pre8/crypto/evp/e_aes.c.fips openssl-1.1.1-pre8/crypto/ev
/* Allocate memory for IV if needed */
if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) {
if (gctx->iv != c->iv)
-@@ -3273,11 +3278,14 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX
+@@ -3275,11 +3280,14 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX
| EVP_CIPH_CUSTOM_COPY)
BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, gcm, GCM,
@@ -1002,7 +1002,7 @@ diff -up openssl-1.1.1-pre8/crypto/evp/e_aes.c.fips openssl-1.1.1-pre8/crypto/ev
static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
{
-@@ -3412,6 +3420,14 @@ static int aes_xts_cipher(EVP_CIPHER_CTX
+@@ -3414,6 +3422,14 @@ static int aes_xts_cipher(EVP_CIPHER_CTX
return 0;
if (!out || !in || len < AES_BLOCK_SIZE)
return 0;
@@ -1017,7 +1017,7 @@ diff -up openssl-1.1.1-pre8/crypto/evp/e_aes.c.fips openssl-1.1.1-pre8/crypto/ev
if (xctx->stream)
(*xctx->stream) (in, out, len,
xctx->xts.key1, xctx->xts.key2,
-@@ -3429,8 +3445,10 @@ static int aes_xts_cipher(EVP_CIPHER_CTX
+@@ -3431,8 +3447,10 @@ static int aes_xts_cipher(EVP_CIPHER_CTX
| EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
| EVP_CIPH_CUSTOM_COPY)
@@ -1030,7 +1030,7 @@ diff -up openssl-1.1.1-pre8/crypto/evp/e_aes.c.fips openssl-1.1.1-pre8/crypto/ev
static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
{
-@@ -3695,11 +3713,11 @@ static int aes_ccm_cipher(EVP_CIPHER_CTX
+@@ -3697,11 +3715,11 @@ static int aes_ccm_cipher(EVP_CIPHER_CTX
#define aes_ccm_cleanup NULL
BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, ccm, CCM,
@@ -1045,7 +1045,7 @@ diff -up openssl-1.1.1-pre8/crypto/evp/e_aes.c.fips openssl-1.1.1-pre8/crypto/ev
typedef struct {
union {
-@@ -3792,7 +3810,7 @@ static int aes_wrap_cipher(EVP_CIPHER_CT
+@@ -3794,7 +3812,7 @@ static int aes_wrap_cipher(EVP_CIPHER_CT
return rv ? (int)rv : -1;
}
@@ -1054,9 +1054,9 @@ diff -up openssl-1.1.1-pre8/crypto/evp/e_aes.c.fips openssl-1.1.1-pre8/crypto/ev
| EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
| EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1)
-diff -up openssl-1.1.1-pre8/crypto/evp/e_des3.c.fips openssl-1.1.1-pre8/crypto/evp/e_des3.c
---- openssl-1.1.1-pre8/crypto/evp/e_des3.c.fips 2018-06-20 16:48:10.000000000 +0200
-+++ openssl-1.1.1-pre8/crypto/evp/e_des3.c 2018-07-25 17:26:58.405624704 +0200
+diff -up openssl-1.1.1-pre9/crypto/evp/e_des3.c.fips openssl-1.1.1-pre9/crypto/evp/e_des3.c
+--- openssl-1.1.1-pre9/crypto/evp/e_des3.c.fips 2018-08-21 14:14:12.000000000 +0200
++++ openssl-1.1.1-pre9/crypto/evp/e_des3.c 2018-08-22 12:17:53.424655192 +0200
@@ -211,16 +211,19 @@ BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY,
# define des_ede3_cbc_cipher des_ede_cbc_cipher
# define des_ede3_ecb_cipher des_ede_ecb_cipher
@@ -1083,9 +1083,9 @@ diff -up openssl-1.1.1-pre8/crypto/evp/e_des3.c.fips openssl-1.1.1-pre8/crypto/e
static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
const unsigned char *iv, int enc)
-diff -up openssl-1.1.1-pre8/crypto/evp/e_null.c.fips openssl-1.1.1-pre8/crypto/evp/e_null.c
---- openssl-1.1.1-pre8/crypto/evp/e_null.c.fips 2018-06-20 16:48:10.000000000 +0200
-+++ openssl-1.1.1-pre8/crypto/evp/e_null.c 2018-07-25 17:26:58.405624704 +0200
+diff -up openssl-1.1.1-pre9/crypto/evp/e_null.c.fips openssl-1.1.1-pre9/crypto/evp/e_null.c
+--- openssl-1.1.1-pre9/crypto/evp/e_null.c.fips 2018-08-21 14:14:12.000000000 +0200
++++ openssl-1.1.1-pre9/crypto/evp/e_null.c 2018-08-22 12:17:53.424655192 +0200
@@ -19,7 +19,8 @@ static int null_cipher(EVP_CIPHER_CTX *c
const unsigned char *in, size_t inl);
static const EVP_CIPHER n_cipher = {
@@ -1096,9 +1096,9 @@ diff -up openssl-1.1.1-pre8/crypto/evp/e_null.c.fips openssl-1.1.1-pre8/crypto/e
null_init_key,
null_cipher,
NULL,
-diff -up openssl-1.1.1-pre8/crypto/evp/evp_enc.c.fips openssl-1.1.1-pre8/crypto/evp/evp_enc.c
---- openssl-1.1.1-pre8/crypto/evp/evp_enc.c.fips 2018-06-20 16:48:10.000000000 +0200
-+++ openssl-1.1.1-pre8/crypto/evp/evp_enc.c 2018-07-25 17:26:58.405624704 +0200
+diff -up openssl-1.1.1-pre9/crypto/evp/evp_enc.c.fips openssl-1.1.1-pre9/crypto/evp/evp_enc.c
+--- openssl-1.1.1-pre9/crypto/evp/evp_enc.c.fips 2018-08-21 14:14:12.000000000 +0200
++++ openssl-1.1.1-pre9/crypto/evp/evp_enc.c 2018-08-22 12:17:53.424655192 +0200
@@ -17,10 +17,19 @@
#include <openssl/engine.h>
#include "internal/evp_int.h"
@@ -1174,9 +1174,9 @@ diff -up openssl-1.1.1-pre8/crypto/evp/evp_enc.c.fips openssl-1.1.1-pre8/crypto/
if (key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) {
if (!ctx->cipher->init(ctx, key, iv, enc))
-diff -up openssl-1.1.1-pre8/crypto/evp/evp_err.c.fips openssl-1.1.1-pre8/crypto/evp/evp_err.c
---- openssl-1.1.1-pre8/crypto/evp/evp_err.c.fips 2018-06-20 16:48:10.000000000 +0200
-+++ openssl-1.1.1-pre8/crypto/evp/evp_err.c 2018-07-25 17:26:58.405624704 +0200
+diff -up openssl-1.1.1-pre9/crypto/evp/evp_err.c.fips openssl-1.1.1-pre9/crypto/evp/evp_err.c
+--- openssl-1.1.1-pre9/crypto/evp/evp_err.c.fips 2018-08-21 14:14:12.000000000 +0200
++++ openssl-1.1.1-pre9/crypto/evp/evp_err.c 2018-08-22 12:17:53.424655192 +0200
@@ -20,6 +20,7 @@ static const ERR_STRING_DATA EVP_str_fun
{ERR_PACK(ERR_LIB_EVP, EVP_F_AES_OCB_CIPHER, 0), "aes_ocb_cipher"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_AES_T4_INIT_KEY, 0), "aes_t4_init_key"},
@@ -1201,9 +1201,9 @@ diff -up openssl-1.1.1-pre8/crypto/evp/evp_err.c.fips openssl-1.1.1-pre8/crypto/
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_CIPHER), "unknown cipher"},
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_DIGEST), "unknown digest"},
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_OPTION), "unknown option"},
-diff -up openssl-1.1.1-pre8/crypto/evp/evp_lib.c.fips openssl-1.1.1-pre8/crypto/evp/evp_lib.c
---- openssl-1.1.1-pre8/crypto/evp/evp_lib.c.fips 2018-06-20 16:48:10.000000000 +0200
-+++ openssl-1.1.1-pre8/crypto/evp/evp_lib.c 2018-07-25 17:26:58.405624704 +0200
+diff -up openssl-1.1.1-pre9/crypto/evp/evp_lib.c.fips openssl-1.1.1-pre9/crypto/evp/evp_lib.c
+--- openssl-1.1.1-pre9/crypto/evp/evp_lib.c.fips 2018-08-21 14:14:12.000000000 +0200
++++ openssl-1.1.1-pre9/crypto/evp/evp_lib.c 2018-08-22 12:17:53.424655192 +0200
@@ -192,6 +192,9 @@ int EVP_CIPHER_impl_ctx_size(const EVP_C
int EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
const unsigned char *in, unsigned int inl)
@@ -1214,9 +1214,9 @@ diff -up openssl-1.1.1-pre8/crypto/evp/evp_lib.c.fips openssl-1.1.1-pre8/crypto/
return ctx->cipher->do_cipher(ctx, out, in, inl);
}
-diff -up openssl-1.1.1-pre8/crypto/evp/m_sha1.c.fips openssl-1.1.1-pre8/crypto/evp/m_sha1.c
---- openssl-1.1.1-pre8/crypto/evp/m_sha1.c.fips 2018-06-20 16:48:11.000000000 +0200
-+++ openssl-1.1.1-pre8/crypto/evp/m_sha1.c 2018-07-25 17:26:58.405624704 +0200
+diff -up openssl-1.1.1-pre9/crypto/evp/m_sha1.c.fips openssl-1.1.1-pre9/crypto/evp/m_sha1.c
+--- openssl-1.1.1-pre9/crypto/evp/m_sha1.c.fips 2018-08-21 14:14:12.000000000 +0200
++++ openssl-1.1.1-pre9/crypto/evp/m_sha1.c 2018-08-22 12:17:53.424655192 +0200
@@ -95,7 +95,7 @@ static const EVP_MD sha1_md = {
NID_sha1,
NID_sha1WithRSAEncryption,
@@ -1280,9 +1280,9 @@ diff -up openssl-1.1.1-pre8/crypto/evp/m_sha1.c.fips openssl-1.1.1-pre8/crypto/e
init512,
update512,
final512,
-diff -up openssl-1.1.1-pre8/crypto/fips/build.info.fips openssl-1.1.1-pre8/crypto/fips/build.info
---- openssl-1.1.1-pre8/crypto/fips/build.info.fips 2018-07-25 17:26:58.405624704 +0200
-+++ openssl-1.1.1-pre8/crypto/fips/build.info 2018-07-25 17:26:58.405624704 +0200
+diff -up openssl-1.1.1-pre9/crypto/fips/build.info.fips openssl-1.1.1-pre9/crypto/fips/build.info
+--- openssl-1.1.1-pre9/crypto/fips/build.info.fips 2018-08-22 12:17:53.425655217 +0200
++++ openssl-1.1.1-pre9/crypto/fips/build.info 2018-08-22 12:17:53.425655217 +0200
@@ -0,0 +1,15 @@
+LIBS=../../libcrypto
+SOURCE[../../libcrypto]=\
@@ -1299,9 +1299,9 @@ diff -up openssl-1.1.1-pre8/crypto/fips/build.info.fips openssl-1.1.1-pre8/crypt
+SOURCE[fips_standalone_hmac]=fips_standalone_hmac.c
+INCLUDE[fips_standalone_hmac]=../../include
+DEPEND[fips_standalone_hmac]=../../libcrypto
-diff -up openssl-1.1.1-pre8/crypto/fips/fips_aes_selftest.c.fips openssl-1.1.1-pre8/crypto/fips/fips_aes_selftest.c
---- openssl-1.1.1-pre8/crypto/fips/fips_aes_selftest.c.fips 2018-07-25 17:26:58.406624728 +0200
-+++ openssl-1.1.1-pre8/crypto/fips/fips_aes_selftest.c 2018-07-25 17:26:58.405624704 +0200
+diff -up openssl-1.1.1-pre9/crypto/fips/fips_aes_selftest.c.fips openssl-1.1.1-pre9/crypto/fips/fips_aes_selftest.c
+--- openssl-1.1.1-pre9/crypto/fips/fips_aes_selftest.c.fips 2018-08-22 12:17:53.425655217 +0200
++++ openssl-1.1.1-pre9/crypto/fips/fips_aes_selftest.c 2018-08-22 12:17:53.425655217 +0200
@@ -0,0 +1,372 @@
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
@@ -1675,9 +1675,9 @@ diff -up openssl-1.1.1-pre8/crypto/fips/fips_aes_selftest.c.fips openssl-1.1.1-p
+}
+
+#endif
-diff -up openssl-1.1.1-pre8/crypto/fips/fips.c.fips openssl-1.1.1-pre8/crypto/fips/fips.c
---- openssl-1.1.1-pre8/crypto/fips/fips.c.fips 2018-07-25 17:26:58.406624728 +0200
-+++ openssl-1.1.1-pre8/crypto/fips/fips.c 2018-07-25 17:26:58.406624728 +0200
+diff -up openssl-1.1.1-pre9/crypto/fips/fips.c.fips openssl-1.1.1-pre9/crypto/fips/fips.c
+--- openssl-1.1.1-pre9/crypto/fips/fips.c.fips 2018-08-22 12:17:53.425655217 +0200
++++ openssl-1.1.1-pre9/crypto/fips/fips.c 2018-08-22 12:17:53.425655217 +0200
@@ -0,0 +1,526 @@
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
@@ -2205,9 +2205,9 @@ diff -up openssl-1.1.1-pre8/crypto/fips/fips.c.fips openssl-1.1.1-pre8/crypto/fi
+}
+
+#endif
-diff -up openssl-1.1.1-pre8/crypto/fips/fips_cmac_selftest.c.fips openssl-1.1.1-pre8/crypto/fips/fips_cmac_selftest.c
---- openssl-1.1.1-pre8/crypto/fips/fips_cmac_selftest.c.fips 2018-07-25 17:26:58.406624728 +0200
-+++ openssl-1.1.1-pre8/crypto/fips/fips_cmac_selftest.c 2018-07-25 17:26:58.406624728 +0200
+diff -up openssl-1.1.1-pre9/crypto/fips/fips_cmac_selftest.c.fips openssl-1.1.1-pre9/crypto/fips/fips_cmac_selftest.c
+--- openssl-1.1.1-pre9/crypto/fips/fips_cmac_selftest.c.fips 2018-08-22 12:17:53.425655217 +0200
++++ openssl-1.1.1-pre9/crypto/fips/fips_cmac_selftest.c 2018-08-22 12:17:53.425655217 +0200
@@ -0,0 +1,156 @@
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
@@ -2365,9 +2365,9 @@ diff -up openssl-1.1.1-pre8/crypto/fips/fips_cmac_selftest.c.fips openssl-1.1.1-
+ return rv;
+}
+#endif
-diff -up openssl-1.1.1-pre8/crypto/fips/fips_des_selftest.c.fips openssl-1.1.1-pre8/crypto/fips/fips_des_selftest.c
---- openssl-1.1.1-pre8/crypto/fips/fips_des_selftest.c.fips 2018-07-25 17:26:58.406624728 +0200
-+++ openssl-1.1.1-pre8/crypto/fips/fips_des_selftest.c 2018-07-25 17:26:58.406624728 +0200
+diff -up openssl-1.1.1-pre9/crypto/fips/fips_des_selftest.c.fips openssl-1.1.1-pre9/crypto/fips/fips_des_selftest.c
+--- openssl-1.1.1-pre9/crypto/fips/fips_des_selftest.c.fips 2018-08-22 12:17:53.425655217 +0200
++++ openssl-1.1.1-pre9/crypto/fips/fips_des_selftest.c 2018-08-22 12:17:53.425655217 +0200
@@ -0,0 +1,133 @@
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
@@ -2502,9 +2502,9 @@ diff -up openssl-1.1.1-pre8/crypto/fips/fips_des_selftest.c.fips openssl-1.1.1-p
+ return ret;
+}
+#endif
-diff -up openssl-1.1.1-pre8/crypto/fips/fips_dh_selftest.c.fips openssl-1.1.1-pre8/crypto/fips/fips_dh_selftest.c
---- openssl-1.1.1-pre8/crypto/fips/fips_dh_selftest.c.fips 2018-07-25 17:26:58.406624728 +0200
-+++ openssl-1.1.1-pre8/crypto/fips/fips_dh_selftest.c 2018-07-25 17:26:58.406624728 +0200
+diff -up openssl-1.1.1-pre9/crypto/fips/fips_dh_selftest.c.fips openssl-1.1.1-pre9/crypto/fips/fips_dh_selftest.c
+--- openssl-1.1.1-pre9/crypto/fips/fips_dh_selftest.c.fips 2018-08-22 12:17:53.426655241 +0200
++++ openssl-1.1.1-pre9/crypto/fips/fips_dh_selftest.c 2018-08-22 12:17:53.426655241 +0200
@@ -0,0 +1,180 @@
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
@@ -2686,10 +2686,10 @@ diff -up openssl-1.1.1-pre8/crypto/fips/fips_dh_selftest.c.fips openssl-1.1.1-pr
+ return ret;
+}
+#endif
-diff -up openssl-1.1.1-pre8/crypto/fips/fips_drbg_ctr.c.fips openssl-1.1.1-pre8/crypto/fips/fips_drbg_ctr.c
---- openssl-1.1.1-pre8/crypto/fips/fips_drbg_ctr.c.fips 2018-07-25 17:26:58.406624728 +0200
-+++ openssl-1.1.1-pre8/crypto/fips/fips_drbg_ctr.c 2018-07-25 17:26:58.406624728 +0200
-@@ -0,0 +1,415 @@
+diff -up openssl-1.1.1-pre9/crypto/fips/fips_drbg_ctr.c.fips openssl-1.1.1-pre9/crypto/fips/fips_drbg_ctr.c
+--- openssl-1.1.1-pre9/crypto/fips/fips_drbg_ctr.c.fips 2018-08-22 12:17:53.426655241 +0200
++++ openssl-1.1.1-pre9/crypto/fips/fips_drbg_ctr.c 2018-08-22 12:17:53.426655241 +0200
+@@ -0,0 +1,406 @@
+/* fips/rand/fips_drbg_ctr.c */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project.
@@ -3006,22 +3006,13 @@ diff -up openssl-1.1.1-pre8/crypto/fips/fips_drbg_ctr.c.fips openssl-1.1.1-pre8/
+
+ for (;;) {
+ inc_128(cctx);
-+ if (!(dctx->xflags & DRBG_FLAG_TEST) && !dctx->lb_valid) {
-+ AES_encrypt(cctx->V, dctx->lb, &cctx->ks);
-+ dctx->lb_valid = 1;
-+ continue;
-+ }
+ if (outlen < 16) {
+ /* Use K as temp space as it will be updated */
+ AES_encrypt(cctx->V, cctx->K, &cctx->ks);
-+ if (!fips_drbg_cprng_test(dctx, cctx->K))
-+ return 0;
+ memcpy(out, cctx->K, outlen);
+ break;
+ }
+ AES_encrypt(cctx->V, out, &cctx->ks);
-+ if (!fips_drbg_cprng_test(dctx, out))
-+ return 0;
+ out += 16;
+ outlen -= 16;
+ if (outlen == 0)
@@ -3105,10 +3096,10 @@ diff -up openssl-1.1.1-pre8/crypto/fips/fips_drbg_ctr.c.fips openssl-1.1.1-pre8/
+
+ return 1;
+}
-diff -up openssl-1.1.1-pre8/crypto/fips/fips_drbg_hash.c.fips openssl-1.1.1-pre8/crypto/fips/fips_drbg_hash.c
---- openssl-1.1.1-pre8/crypto/fips/fips_drbg_hash.c.fips 2018-07-25 17:26:58.406624728 +0200
-+++ openssl-1.1.1-pre8/crypto/fips/fips_drbg_hash.c 2018-07-25 17:26:58.406624728 +0200
-@@ -0,0 +1,361 @@
+diff -up openssl-1.1.1-pre9/crypto/fips/fips_drbg_hash.c.fips openssl-1.1.1-pre9/crypto/fips/fips_drbg_hash.c
+--- openssl-1.1.1-pre9/crypto/fips/fips_drbg_hash.c.fips 2018-08-22 12:17:53.430655339 +0200
++++ openssl-1.1.1-pre9/crypto/fips/fips_drbg_hash.c 2018-08-22 12:17:53.430655339 +0200
+@@ -0,0 +1,354 @@
+/* fips/rand/fips_drbg_hash.c */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project.
@@ -3296,19 +3287,12 @@ diff -up openssl-1.1.1-pre8/crypto/fips/fips_drbg_hash.c.fips openssl-1.1.1-pre8
+ for (;;) {
+ FIPS_digestinit(hctx->mctx, hctx->md);
+ FIPS_digestupdate(hctx->mctx, hctx->vtmp, dctx->seedlen);
-+ if (!(dctx->xflags & DRBG_FLAG_TEST) && !dctx->lb_valid) {
-+ FIPS_digestfinal(hctx->mctx, dctx->lb, NULL);
-+ dctx->lb_valid = 1;
-+ } else if (outlen < dctx->blocklength) {
++ if (outlen < dctx->blocklength) {
+ FIPS_digestfinal(hctx->mctx, hctx->vtmp, NULL);
-+ if (!fips_drbg_cprng_test(dctx, hctx->vtmp))
-+ return 0;
+ memcpy(out, hctx->vtmp, outlen);
+ return 1;
+ } else {
+ FIPS_digestfinal(hctx->mctx, out, NULL);
-+ if (!fips_drbg_cprng_test(dctx, out))
-+ return 0;
+ outlen -= dctx->blocklength;
+ if (outlen == 0)
+ return 1;
@@ -3470,10 +3454,10 @@ diff -up openssl-1.1.1-pre8/crypto/fips/fips_drbg_hash.c.fips openssl-1.1.1-pre8
+
+ return 1;
+}
-diff -up openssl-1.1.1-pre8/crypto/fips/fips_drbg_hmac.c.fips openssl-1.1.1-pre8/crypto/fips/fips_drbg_hmac.c
---- openssl-1.1.1-pre8/crypto/fips/fips_drbg_hmac.c.fips 2018-07-25 17:26:58.407624752 +0200
-+++ openssl-1.1.1-pre8/crypto/fips/fips_drbg_hmac.c 2018-07-25 17:26:58.407624752 +0200
-@@ -0,0 +1,272 @@
+diff -up openssl-1.1.1-pre9/crypto/fips/fips_drbg_hmac.c.fips openssl-1.1.1-pre9/crypto/fips/fips_drbg_hmac.c
+--- openssl-1.1.1-pre9/crypto/fips/fips_drbg_hmac.c.fips 2018-08-22 12:17:53.431655364 +0200
++++ openssl-1.1.1-pre9/crypto/fips/fips_drbg_hmac.c 2018-08-22 12:17:53.431655364 +0200
+@@ -0,0 +1,262 @@
+/* fips/rand/fips_drbg_hmac.c */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project.
@@ -3653,23 +3637,13 @@ diff -up openssl-1.1.1-pre8/crypto/fips/fips_drbg_hmac.c.fips openssl-1.1.1-pre8
+ return 0;
+ if (!HMAC_Update(hctx, Vtmp, dctx->blocklength))
+ return 0;
-+ if (!(dctx->xflags & DRBG_FLAG_TEST) && !dctx->lb_valid) {
-+ if (!HMAC_Final(hctx, dctx->lb, NULL))
-+ return 0;
-+ dctx->lb_valid = 1;
-+ Vtmp = dctx->lb;
-+ continue;
-+ } else if (outlen > dctx->blocklength) {
++ if (outlen > dctx->blocklength) {
+ if (!HMAC_Final(hctx, out, NULL))
+ return 0;
-+ if (!fips_drbg_cprng_test(dctx, out))
-+ return 0;
+ Vtmp = out;
+ } else {
+ if (!HMAC_Final(hctx, hmac->V, NULL))
+ return 0;
-+ if (!fips_drbg_cprng_test(dctx, hmac->V))
-+ return 0;
+ memcpy(out, hmac->V, outlen);
+ break;
+ }
@@ -3746,10 +3720,10 @@ diff -up openssl-1.1.1-pre8/crypto/fips/fips_drbg_hmac.c.fips openssl-1.1.1-pre8
+
+ return 1;
+}
-diff -up openssl-1.1.1-pre8/crypto/fips/fips_drbg_lib.c.fips openssl-1.1.1-pre8/crypto/fips/fips_drbg_lib.c
---- openssl-1.1.1-pre8/crypto/fips/fips_drbg_lib.c.fips 2018-07-25 17:26:58.407624752 +0200
-+++ openssl-1.1.1-pre8/crypto/fips/fips_drbg_lib.c 2018-07-25 17:26:58.407624752 +0200
-@@ -0,0 +1,555 @@
+diff -up openssl-1.1.1-pre9/crypto/fips/fips_drbg_lib.c.fips openssl-1.1.1-pre9/crypto/fips/fips_drbg_lib.c
+--- openssl-1.1.1-pre9/crypto/fips/fips_drbg_lib.c.fips 2018-08-22 12:17:53.431655364 +0200
++++ openssl-1.1.1-pre9/crypto/fips/fips_drbg_lib.c 2018-08-22 12:17:53.431655364 +0200
+@@ -0,0 +1,528 @@
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project.
+ */
@@ -4274,40 +4248,13 @@ diff -up openssl-1.1.1-pre8/crypto/fips/fips_drbg_lib.c.fips openssl-1.1.1-pre8/
+ dctx->reseed_interval = interval;
+}
+
-+static int drbg_stick = 0;
-+
+void FIPS_drbg_stick(int onoff)
+{
-+ drbg_stick = onoff;
++ /* Just backwards compatibility API call with no effect. */
+}
-+
-+/* Continuous DRBG utility function */
-+int fips_drbg_cprng_test(DRBG_CTX *dctx, const unsigned char *out)
-+{
-+ /* No CPRNG in test mode */
-+ if (dctx->xflags & DRBG_FLAG_TEST)
-+ return 1;
-+ /* Check block is valid: should never happen */
-+ if (dctx->lb_valid == 0) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_CPRNG_TEST, FIPS_R_INTERNAL_ERROR);
-+ fips_set_selftest_fail();
-+ return 0;
-+ }
-+ if (drbg_stick)
-+ memcpy(dctx->lb, out, dctx->blocklength);
-+ /* Check against last block: fail if match */
-+ if (!memcmp(dctx->lb, out, dctx->blocklength)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_CPRNG_TEST, FIPS_R_DRBG_STUCK);
-+ fips_set_selftest_fail();
-+ return 0;
-+ }
-+ /* Save last block for next comparison */
-+ memcpy(dctx->lb, out, dctx->blocklength);
-+ return 1;
-+}
-diff -up openssl-1.1.1-pre8/crypto/fips/fips_drbg_rand.c.fips openssl-1.1.1-pre8/crypto/fips/fips_drbg_rand.c
---- openssl-1.1.1-pre8/crypto/fips/fips_drbg_rand.c.fips 2018-07-25 17:26:58.407624752 +0200
-+++ openssl-1.1.1-pre8/crypto/fips/fips_drbg_rand.c 2018-07-25 17:26:58.407624752 +0200
+diff -up openssl-1.1.1-pre9/crypto/fips/fips_drbg_rand.c.fips openssl-1.1.1-pre9/crypto/fips/fips_drbg_rand.c
+--- openssl-1.1.1-pre9/crypto/fips/fips_drbg_rand.c.fips 2018-08-22 12:17:53.431655364 +0200
++++ openssl-1.1.1-pre9/crypto/fips/fips_drbg_rand.c 2018-08-22 12:17:53.431655364 +0200
@@ -0,0 +1,183 @@
+/* fips/rand/fips_drbg_rand.c */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
@@ -4492,9 +4439,9 @@ diff -up openssl-1.1.1-pre8/crypto/fips/fips_drbg_rand.c.fips openssl-1.1.1-pre8
+{
+ return &rand_drbg_meth;
+}
-diff -up openssl-1.1.1-pre8/crypto/fips/fips_drbg_selftest.c.fips openssl-1.1.1-pre8/crypto/fips/fips_drbg_selftest.c
---- openssl-1.1.1-pre8/crypto/fips/fips_drbg_selftest.c.fips 2018-07-25 17:26:58.407624752 +0200
-+++ openssl-1.1.1-pre8/crypto/fips/fips_drbg_selftest.c 2018-07-25 17:26:58.407624752 +0200
+diff -up openssl-1.1.1-pre9/crypto/fips/fips_drbg_selftest.c.fips openssl-1.1.1-pre9/crypto/fips/fips_drbg_selftest.c
+--- openssl-1.1.1-pre9/crypto/fips/fips_drbg_selftest.c.fips 2018-08-22 12:17:53.431655364 +0200
++++ openssl-1.1.1-pre9/crypto/fips/fips_drbg_selftest.c 2018-08-22 12:17:53.431655364 +0200
@@ -0,0 +1,828 @@
+/* fips/rand/fips_drbg_selftest.c */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
@@ -5324,9 +5271,9 @@ diff -up openssl-1.1.1-pre8/crypto/fips/fips_drbg_selftest.c.fips openssl-1.1.1-
+ FIPS_drbg_free(dctx);
+ return rv;
+}
-diff -up openssl-1.1.1-pre8/crypto/fips/fips_drbg_selftest.h.fips openssl-1.1.1-pre8/crypto/fips/fips_drbg_selftest.h
---- openssl-1.1.1-pre8/crypto/fips/fips_drbg_selftest.h.fips 2018-07-25 17:26:58.408624776 +0200
-+++ openssl-1.1.1-pre8/crypto/fips/fips_drbg_selftest.h 2018-07-25 17:26:58.408624776 +0200
+diff -up openssl-1.1.1-pre9/crypto/fips/fips_drbg_selftest.h.fips openssl-1.1.1-pre9/crypto/fips/fips_drbg_selftest.h
+--- openssl-1.1.1-pre9/crypto/fips/fips_drbg_selftest.h.fips 2018-08-22 12:17:53.438655535 +0200
++++ openssl-1.1.1-pre9/crypto/fips/fips_drbg_selftest.h 2018-08-22 12:17:53.438655535 +0200
@@ -0,0 +1,1791 @@
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
@@ -7119,9 +7066,9 @@ diff -up openssl-1.1.1-pre8/crypto/fips/fips_drbg_selftest.h.fips openssl-1.1.1-
+ 0xef, 0x05, 0x9e, 0xb8, 0xc7, 0x52, 0xe4, 0x0e, 0x42, 0xaa, 0x7c, 0x79,
+ 0xc2, 0xd6, 0xfd, 0xa5
+};
-diff -up openssl-1.1.1-pre8/crypto/fips/fips_dsa_selftest.c.fips openssl-1.1.1-pre8/crypto/fips/fips_dsa_selftest.c
---- openssl-1.1.1-pre8/crypto/fips/fips_dsa_selftest.c.fips 2018-07-25 17:26:58.408624776 +0200
-+++ openssl-1.1.1-pre8/crypto/fips/fips_dsa_selftest.c 2018-07-25 17:26:58.408624776 +0200
+diff -up openssl-1.1.1-pre9/crypto/fips/fips_dsa_selftest.c.fips openssl-1.1.1-pre9/crypto/fips/fips_dsa_selftest.c
+--- openssl-1.1.1-pre9/crypto/fips/fips_dsa_selftest.c.fips 2018-08-22 12:17:53.438655535 +0200
++++ openssl-1.1.1-pre9/crypto/fips/fips_dsa_selftest.c 2018-08-22 12:17:53.438655535 +0200
@@ -0,0 +1,195 @@
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
@@ -7318,9 +7265,9 @@ diff -up openssl-1.1.1-pre8/crypto/fips/fips_dsa_selftest.c.fips openssl-1.1.1-p
+ return ret;
+}
+#endif
-diff -up openssl-1.1.1-pre8/crypto/fips/fips_ecdh_selftest.c.fips openssl-1.1.1-pre8/crypto/fips/fips_ecdh_selftest.c
---- openssl-1.1.1-pre8/crypto/fips/fips_ecdh_selftest.c.fips 2018-07-25 17:26:58.408624776 +0200
-+++ openssl-1.1.1-pre8/crypto/fips/fips_ecdh_selftest.c 2018-07-25 17:26:58.408624776 +0200
+diff -up openssl-1.1.1-pre9/crypto/fips/fips_ecdh_selftest.c.fips openssl-1.1.1-pre9/crypto/fips/fips_ecdh_selftest.c
+--- openssl-1.1.1-pre9/crypto/fips/fips_ecdh_selftest.c.fips 2018-08-22 12:17:53.438655535 +0200
++++ openssl-1.1.1-pre9/crypto/fips/fips_ecdh_selftest.c 2018-08-22 12:17:53.438655535 +0200
@@ -0,0 +1,242 @@
+/* fips/ecdh/fips_ecdh_selftest.c */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
@@ -7564,9 +7511,9 @@ diff -up openssl-1.1.1-pre8/crypto/fips/fips_ecdh_selftest.c.fips openssl-1.1.1-
+}
+
+#endif
-diff -up openssl-1.1.1-pre8/crypto/fips/fips_ecdsa_selftest.c.fips openssl-1.1.1-pre8/crypto/fips/fips_ecdsa_selftest.c
---- openssl-1.1.1-pre8/crypto/fips/fips_ecdsa_selftest.c.fips 2018-07-25 17:26:58.408624776 +0200
-+++ openssl-1.1.1-pre8/crypto/fips/fips_ecdsa_selftest.c 2018-07-25 17:26:58.408624776 +0200
+diff -up openssl-1.1.1-pre9/crypto/fips/fips_ecdsa_selftest.c.fips openssl-1.1.1-pre9/crypto/fips/fips_ecdsa_selftest.c
+--- openssl-1.1.1-pre9/crypto/fips/fips_ecdsa_selftest.c.fips 2018-08-22 12:17:53.439655560 +0200
++++ openssl-1.1.1-pre9/crypto/fips/fips_ecdsa_selftest.c 2018-08-22 12:17:53.438655535 +0200
@@ -0,0 +1,166 @@
+/* fips/ecdsa/fips_ecdsa_selftest.c */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
@@ -7734,9 +7681,9 @@ diff -up openssl-1.1.1-pre8/crypto/fips/fips_ecdsa_selftest.c.fips openssl-1.1.1
+}
+
+#endif
-diff -up openssl-1.1.1-pre8/crypto/fips/fips_enc.c.fips openssl-1.1.1-pre8/crypto/fips/fips_enc.c
---- openssl-1.1.1-pre8/crypto/fips/fips_enc.c.fips 2018-07-25 17:26:58.408624776 +0200
-+++ openssl-1.1.1-pre8/crypto/fips/fips_enc.c 2018-07-25 17:26:58.408624776 +0200
+diff -up openssl-1.1.1-pre9/crypto/fips/fips_enc.c.fips openssl-1.1.1-pre9/crypto/fips/fips_enc.c
+--- openssl-1.1.1-pre9/crypto/fips/fips_enc.c.fips 2018-08-22 12:17:53.439655560 +0200
++++ openssl-1.1.1-pre9/crypto/fips/fips_enc.c 2018-08-22 12:17:53.439655560 +0200
@@ -0,0 +1,189 @@
+/* fipe/evp/fips_enc.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
@@ -7927,9 +7874,9 @@ diff -up openssl-1.1.1-pre8/crypto/fips/fips_enc.c.fips openssl-1.1.1-pre8/crypt
+
+ }
+}
-diff -up openssl-1.1.1-pre8/crypto/fips/fips_err.h.fips openssl-1.1.1-pre8/crypto/fips/fips_err.h
---- openssl-1.1.1-pre8/crypto/fips/fips_err.h.fips 2018-07-25 17:26:58.408624776 +0200
-+++ openssl-1.1.1-pre8/crypto/fips/fips_err.h 2018-07-25 17:26:58.408624776 +0200
+diff -up openssl-1.1.1-pre9/crypto/fips/fips_err.h.fips openssl-1.1.1-pre9/crypto/fips/fips_err.h
+--- openssl-1.1.1-pre9/crypto/fips/fips_err.h.fips 2018-08-22 12:17:53.439655560 +0200
++++ openssl-1.1.1-pre9/crypto/fips/fips_err.h 2018-08-22 12:17:53.439655560 +0200
@@ -0,0 +1,196 @@
+/* crypto/fips_err.h */
+/* ====================================================================
@@ -8127,9 +8074,9 @@ diff -up openssl-1.1.1-pre8/crypto/fips/fips_err.h.fips openssl-1.1.1-pre8/crypt
+#endif
+ return 1;
+}
-diff -up openssl-1.1.1-pre8/crypto/fips/fips_ers.c.fips openssl-1.1.1-pre8/crypto/fips/fips_ers.c
---- openssl-1.1.1-pre8/crypto/fips/fips_ers.c.fips 2018-07-25 17:26:58.408624776 +0200
-+++ openssl-1.1.1-pre8/crypto/fips/fips_ers.c 2018-07-25 17:26:58.408624776 +0200
+diff -up openssl-1.1.1-pre9/crypto/fips/fips_ers.c.fips openssl-1.1.1-pre9/crypto/fips/fips_ers.c
+--- openssl-1.1.1-pre9/crypto/fips/fips_ers.c.fips 2018-08-22 12:17:53.439655560 +0200
++++ openssl-1.1.1-pre9/crypto/fips/fips_ers.c 2018-08-22 12:17:53.439655560 +0200
@@ -0,0 +1,7 @@
+#include <openssl/opensslconf.h>
+
@@ -8138,9 +8085,9 @@ diff -up openssl-1.1.1-pre8/crypto/fips/fips_ers.c.fips openssl-1.1.1-pre8/crypt
+#else
+static void *dummy = &dummy;
+#endif
-diff -up openssl-1.1.1-pre8/crypto/fips/fips_hmac_selftest.c.fips openssl-1.1.1-pre8/crypto/fips/fips_hmac_selftest.c
---- openssl-1.1.1-pre8/crypto/fips/fips_hmac_selftest.c.fips 2018-07-25 17:26:58.409624800 +0200
-+++ openssl-1.1.1-pre8/crypto/fips/fips_hmac_selftest.c 2018-07-25 17:26:58.409624800 +0200
+diff -up openssl-1.1.1-pre9/crypto/fips/fips_hmac_selftest.c.fips openssl-1.1.1-pre9/crypto/fips/fips_hmac_selftest.c
+--- openssl-1.1.1-pre9/crypto/fips/fips_hmac_selftest.c.fips 2018-08-22 12:17:53.439655560 +0200
++++ openssl-1.1.1-pre9/crypto/fips/fips_hmac_selftest.c 2018-08-22 12:17:53.439655560 +0200
@@ -0,0 +1,134 @@
+/* ====================================================================
+ * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
@@ -8276,9 +8223,9 @@ diff -up openssl-1.1.1-pre8/crypto/fips/fips_hmac_selftest.c.fips openssl-1.1.1-
+ return 1;
+}
+#endif
-diff -up openssl-1.1.1-pre8/crypto/fips/fips_locl.h.fips openssl-1.1.1-pre8/crypto/fips/fips_locl.h
---- openssl-1.1.1-pre8/crypto/fips/fips_locl.h.fips 2018-07-25 17:26:58.409624800 +0200
-+++ openssl-1.1.1-pre8/crypto/fips/fips_locl.h 2018-07-25 17:26:58.409624800 +0200
+diff -up openssl-1.1.1-pre9/crypto/fips/fips_locl.h.fips openssl-1.1.1-pre9/crypto/fips/fips_locl.h
+--- openssl-1.1.1-pre9/crypto/fips/fips_locl.h.fips 2018-08-22 12:17:53.439655560 +0200
++++ openssl-1.1.1-pre9/crypto/fips/fips_locl.h 2018-08-22 12:17:53.439655560 +0200
@@ -0,0 +1,71 @@
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
@@ -8351,9 +8298,9 @@ diff -up openssl-1.1.1-pre8/crypto/fips/fips_locl.h.fips openssl-1.1.1-pre8/cryp
+}
+# endif
+#endif
-diff -up openssl-1.1.1-pre8/crypto/fips/fips_md.c.fips openssl-1.1.1-pre8/crypto/fips/fips_md.c
---- openssl-1.1.1-pre8/crypto/fips/fips_md.c.fips 2018-07-25 17:26:58.409624800 +0200
-+++ openssl-1.1.1-pre8/crypto/fips/fips_md.c 2018-07-25 17:26:58.409624800 +0200
+diff -up openssl-1.1.1-pre9/crypto/fips/fips_md.c.fips openssl-1.1.1-pre9/crypto/fips/fips_md.c
+--- openssl-1.1.1-pre9/crypto/fips/fips_md.c.fips 2018-08-22 12:17:53.439655560 +0200
++++ openssl-1.1.1-pre9/crypto/fips/fips_md.c 2018-08-22 12:17:53.439655560 +0200
@@ -0,0 +1,144 @@
+/* fips/evp/fips_md.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
@@ -8499,9 +8446,9 @@ diff -up openssl-1.1.1-pre8/crypto/fips/fips_md.c.fips openssl-1.1.1-pre8/crypto
+ return NULL;
+ }
+}
-diff -up openssl-1.1.1-pre8/crypto/fips/fips_post.c.fips openssl-1.1.1-pre8/crypto/fips/fips_post.c
---- openssl-1.1.1-pre8/crypto/fips/fips_post.c.fips 2018-07-25 17:26:58.409624800 +0200
-+++ openssl-1.1.1-pre8/crypto/fips/fips_post.c 2018-07-25 17:26:58.409624800 +0200
+diff -up openssl-1.1.1-pre9/crypto/fips/fips_post.c.fips openssl-1.1.1-pre9/crypto/fips/fips_post.c
+--- openssl-1.1.1-pre9/crypto/fips/fips_post.c.fips 2018-08-22 12:17:53.439655560 +0200
++++ openssl-1.1.1-pre9/crypto/fips/fips_post.c 2018-08-22 12:17:53.439655560 +0200
@@ -0,0 +1,222 @@
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
@@ -8725,10 +8672,10 @@ diff -up openssl-1.1.1-pre8/crypto/fips/fips_post.c.fips openssl-1.1.1-pre8/cryp
+ return 1;
+}
+#endif
-diff -up openssl-1.1.1-pre8/crypto/fips/fips_rand_lcl.h.fips openssl-1.1.1-pre8/crypto/fips/fips_rand_lcl.h
---- openssl-1.1.1-pre8/crypto/fips/fips_rand_lcl.h.fips 2018-07-25 17:26:58.409624800 +0200
-+++ openssl-1.1.1-pre8/crypto/fips/fips_rand_lcl.h 2018-07-25 17:26:58.409624800 +0200
-@@ -0,0 +1,209 @@
+diff -up openssl-1.1.1-pre9/crypto/fips/fips_rand_lcl.h.fips openssl-1.1.1-pre9/crypto/fips/fips_rand_lcl.h
+--- openssl-1.1.1-pre9/crypto/fips/fips_rand_lcl.h.fips 2018-08-22 12:17:53.439655560 +0200
++++ openssl-1.1.1-pre9/crypto/fips/fips_rand_lcl.h 2018-08-22 12:17:53.439655560 +0200
+@@ -0,0 +1,203 @@
+/* fips/rand/fips_rand_lcl.h */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project.
@@ -8912,12 +8859,6 @@ diff -up openssl-1.1.1-pre8/crypto/fips/fips_rand_lcl.h.fips openssl-1.1.1-pre8/
+ /* Indicates we have finished with nonce buffer */
+ void (*cleanup_nonce) (DRBG_CTX *ctx, unsigned char *out, size_t olen);
+
-+ /* Continuous random number test temporary area */
-+ /* Last block */
-+ unsigned char lb[EVP_MAX_MD_SIZE];
-+ /* set if lb is valid */
-+ int lb_valid;
-+
+ /* Callbacks used when called through RAND interface */
+ /* Get any additional input for generate */
+ size_t (*get_adin) (DRBG_CTX *ctx, unsigned char **pout);
@@ -8938,9 +8879,9 @@ diff -up openssl-1.1.1-pre8/crypto/fips/fips_rand_lcl.h.fips openssl-1.1.1-pre8/
+#define FIPS_digestupdate EVP_DigestUpdate
+#define FIPS_digestfinal EVP_DigestFinal
+#define M_EVP_MD_size EVP_MD_size
-diff -up openssl-1.1.1-pre8/crypto/fips/fips_rand_lib.c.fips openssl-1.1.1-pre8/crypto/fips/fips_rand_lib.c
---- openssl-1.1.1-pre8/crypto/fips/fips_rand_lib.c.fips 2018-07-25 17:26:58.409624800 +0200
-+++ openssl-1.1.1-pre8/crypto/fips/fips_rand_lib.c 2018-07-25 17:26:58.409624800 +0200
+diff -up openssl-1.1.1-pre9/crypto/fips/fips_rand_lib.c.fips openssl-1.1.1-pre9/crypto/fips/fips_rand_lib.c
+--- openssl-1.1.1-pre9/crypto/fips/fips_rand_lib.c.fips 2018-08-22 12:17:53.440655584 +0200
++++ openssl-1.1.1-pre9/crypto/fips/fips_rand_lib.c 2018-08-22 12:17:53.440655584 +0200
@@ -0,0 +1,234 @@
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
@@ -9176,261 +9117,10 @@ diff -up openssl-1.1.1-pre8/crypto/fips/fips_rand_lib.c.fips openssl-1.1.1-pre8/
+# endif
+}
+
-diff -up openssl-1.1.1-pre8/crypto/fips/fips_randtest.c.fips openssl-1.1.1-pre8/crypto/fips/fips_randtest.c
---- openssl-1.1.1-pre8/crypto/fips/fips_randtest.c.fips 2018-07-25 17:26:58.409624800 +0200
-+++ openssl-1.1.1-pre8/crypto/fips/fips_randtest.c 2018-07-25 17:26:58.409624800 +0200
-@@ -0,0 +1,247 @@
-+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
-+ * All rights reserved.
-+ *
-+ * This package is an SSL implementation written
-+ * by Eric Young (eay@cryptsoft.com).
-+ * The implementation was written so as to conform with Netscapes SSL.
-+ *
-+ * This library is free for commercial and non-commercial use as long as
-+ * the following conditions are aheared to. The following conditions
-+ * apply to all code found in this distribution, be it the RC4, RSA,
-+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
-+ * included with this distribution is covered by the same copyright terms
-+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
-+ *
-+ * Copyright remains Eric Young's, and as such any Copyright notices in
-+ * the code are not to be removed.
-+ * If this package is used in a product, Eric Young should be given attribution
-+ * as the author of the parts of the library used.
-+ * This can be in the form of a textual message at program startup or
-+ * in documentation (online or textual) provided with the package.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ * 1. Redistributions of source code must retain the copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in the
-+ * documentation and/or other materials provided with the distribution.
-+ * 3. All advertising materials mentioning features or use of this software
-+ * must display the following acknowledgement:
-+ * "This product includes cryptographic software written by
-+ * Eric Young (eay@cryptsoft.com)"
-+ * The word 'cryptographic' can be left out if the rouines from the library
-+ * being used are not cryptographic related :-).
-+ * 4. If you include any Windows specific code (or a derivative thereof) from
-+ * the apps directory (application code) you must include an acknowledgement:
-+ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
-+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-+ * SUCH DAMAGE.
-+ *
-+ * The licence and distribution terms for any publically available version or
-+ * derivative of this code cannot be changed. i.e. this code cannot simply be
-+ * copied and put under another distribution licence
-+ * [including the GNU Public Licence.]
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <ctype.h>
-+#include <openssl/rand.h>
-+#include <openssl/fips_rand.h>
-+#include <openssl/err.h>
-+#include <openssl/bn.h>
-+
-+#include "e_os.h"
-+
-+#ifndef OPENSSL_FIPS
-+int main(int argc, char *argv[])
-+{
-+ printf("No FIPS RAND support\n");
-+ return (0);
-+}
-+
-+#else
-+
-+# include "fips_utl.h"
-+# include <openssl/fips.h>
-+
-+typedef struct {
-+ unsigned char DT[16];
-+ unsigned char V[16];
-+ unsigned char R[16];
-+} AES_PRNG_MCT;
-+
-+static const unsigned char aes_128_mct_key[16] =
-+ { 0x9f, 0x5b, 0x51, 0x20, 0x0b, 0xf3, 0x34, 0xb5,
-+ 0xd8, 0x2b, 0xe8, 0xc3, 0x72, 0x55, 0xc8, 0x48
-+};
-+
-+static const AES_PRNG_MCT aes_128_mct_tv = {
-+ /* DT */
-+ {0x63, 0x76, 0xbb, 0xe5, 0x29, 0x02, 0xba, 0x3b,
-+ 0x67, 0xc9, 0x25, 0xfa, 0x70, 0x1f, 0x11, 0xac},
-+ /* V */
-+ {0x57, 0x2c, 0x8e, 0x76, 0x87, 0x26, 0x47, 0x97,
-+ 0x7e, 0x74, 0xfb, 0xdd, 0xc4, 0x95, 0x01, 0xd1},
-+ /* R */
-+ {0x48, 0xe9, 0xbd, 0x0d, 0x06, 0xee, 0x18, 0xfb,
-+ 0xe4, 0x57, 0x90, 0xd5, 0xc3, 0xfc, 0x9b, 0x73}
-+};
-+
-+static const unsigned char aes_192_mct_key[24] =
-+ { 0xb7, 0x6c, 0x34, 0xd1, 0x09, 0x67, 0xab, 0x73,
-+ 0x4d, 0x5a, 0xd5, 0x34, 0x98, 0x16, 0x0b, 0x91,
-+ 0xbc, 0x35, 0x51, 0x16, 0x6b, 0xae, 0x93, 0x8a
-+};
-+
-+static const AES_PRNG_MCT aes_192_mct_tv = {
-+ /* DT */
-+ {0x84, 0xce, 0x22, 0x7d, 0x91, 0x5a, 0xa3, 0xc9,
-+ 0x84, 0x3c, 0x0a, 0xb3, 0xa9, 0x63, 0x15, 0x52},
-+ /* V */
-+ {0xb6, 0xaf, 0xe6, 0x8f, 0x99, 0x9e, 0x90, 0x64,
-+ 0xdd, 0xc7, 0x7a, 0xc1, 0xbb, 0x90, 0x3a, 0x6d},
-+ /* R */
-+ {0xfc, 0x85, 0x60, 0x9a, 0x29, 0x6f, 0xef, 0x21,
-+ 0xdd, 0x86, 0x20, 0x32, 0x8a, 0x29, 0x6f, 0x47}
-+};
-+
-+static const unsigned char aes_256_mct_key[32] =
-+ { 0x9b, 0x05, 0xc8, 0x68, 0xff, 0x47, 0xf8, 0x3a,
-+ 0xa6, 0x3a, 0xa8, 0xcb, 0x4e, 0x71, 0xb2, 0xe0,
-+ 0xb8, 0x7e, 0xf1, 0x37, 0xb6, 0xb4, 0xf6, 0x6d,
-+ 0x86, 0x32, 0xfc, 0x1f, 0x5e, 0x1d, 0x1e, 0x50
-+};
-+
-+static const AES_PRNG_MCT aes_256_mct_tv = {
-+ /* DT */
-+ {0x31, 0x6e, 0x35, 0x9a, 0xb1, 0x44, 0xf0, 0xee,
-+ 0x62, 0x6d, 0x04, 0x46, 0xe0, 0xa3, 0x92, 0x4c},
-+ /* V */
-+ {0x4f, 0xcd, 0xc1, 0x87, 0x82, 0x1f, 0x4d, 0xa1,
-+ 0x3e, 0x0e, 0x56, 0x44, 0x59, 0xe8, 0x83, 0xca},
-+ /* R */
-+ {0xc8, 0x87, 0xc2, 0x61, 0x5b, 0xd0, 0xb9, 0xe1,
-+ 0xe7, 0xf3, 0x8b, 0xd7, 0x5b, 0xd5, 0xf1, 0x8d}
-+};
-+
-+static void dump(const unsigned char *b, int n)
-+{
-+ while (n-- > 0) {
-+ printf(" %02x", *b++);
-+ }
-+}
-+
-+static void compare(const unsigned char *result,
-+ const unsigned char *expected, int n)
-+{
-+ int i;
-+
-+ for (i = 0; i < n; ++i)
-+ if (result[i] != expected[i]) {
-+ puts("Random test failed, got:");
-+ dump(result, n);
-+ puts("\n expected:");
-+ dump(expected, n);
-+ putchar('\n');
-+ EXIT(1);
-+ }
-+}
-+
-+static void run_test(const unsigned char *key, int keylen,
-+ const AES_PRNG_MCT * tv)
-+{
-+ unsigned char buf[16], dt[16];
-+ int i, j;
-+ FIPS_x931_reset();
-+ FIPS_x931_test_mode();
-+ FIPS_x931_set_key(key, keylen);
-+ FIPS_x931_seed(tv->V, 16);
-+ memcpy(dt, tv->DT, 16);
-+ for (i = 0; i < 10000; i++) {
-+ FIPS_x931_set_dt(dt);
-+ FIPS_x931_bytes(buf, 16);
-+ /* Increment DT */
-+ for (j = 15; j >= 0; j--) {
-+ dt[j]++;
-+ if (dt[j])
-+ break;
-+ }
-+ }
-+
-+ compare(buf, tv->R, 16);
-+}
-+
-+int main()
-+{
-+ run_test(aes_128_mct_key, 16, &aes_128_mct_tv);
-+ printf("FIPS PRNG test 1 done\n");
-+ run_test(aes_192_mct_key, 24, &aes_192_mct_tv);
-+ printf("FIPS PRNG test 2 done\n");
-+ run_test(aes_256_mct_key, 32, &aes_256_mct_tv);
-+ printf("FIPS PRNG test 3 done\n");
-+ return 0;
-+}
-+
-+#endif
-diff -up openssl-1.1.1-pre8/crypto/fips/fips_rsa_selftest.c.fips openssl-1.1.1-pre8/crypto/fips/fips_rsa_selftest.c
---- openssl-1.1.1-pre8/crypto/fips/fips_rsa_selftest.c.fips 2018-07-25 17:26:58.410624824 +0200
-+++ openssl-1.1.1-pre8/crypto/fips/fips_rsa_selftest.c 2018-07-25 17:26:58.410624824 +0200
-@@ -0,0 +1,578 @@
+diff -up openssl-1.1.1-pre9/crypto/fips/fips_rsa_selftest.c.fips openssl-1.1.1-pre9/crypto/fips/fips_rsa_selftest.c
+--- openssl-1.1.1-pre9/crypto/fips/fips_rsa_selftest.c.fips 2018-08-22 12:17:53.440655584 +0200
++++ openssl-1.1.1-pre9/crypto/fips/fips_rsa_selftest.c 2018-08-22 12:17:53.440655584 +0200
+@@ -0,0 +1,338 @@
+/* ====================================================================
+ * Copyright (c) 2003-2007 The OpenSSL Project. All rights reserved.
+ *
@@ -9638,56 +9328,6 @@ diff -up openssl-1.1.1-pre8/crypto/fips/fips_rsa_selftest.c.fips openssl-1.1.1-p
+static const unsigned char kat_tbs[] =
+ "OpenSSL FIPS 140-2 Public Key RSA KAT";
+
-+static const unsigned char kat_RSA_PSS_SHA1[] = {
-+ 0xC2, 0x80, 0x82, 0x56, 0xD8, 0xA7, 0xB2, 0x9C, 0xF5, 0xD6, 0x3C, 0xE3,
-+ 0xBF, 0xE9, 0x3A, 0x53, 0x40, 0xAE, 0xF2, 0xA9, 0x6A, 0x39, 0x49, 0x5B,
-+ 0x05, 0x7F, 0x67, 0x38, 0x2E, 0x1D, 0xE1, 0x93, 0x22, 0x65, 0x79, 0x84,
-+ 0x68, 0xFA, 0xD8, 0xAF, 0xA1, 0x98, 0x61, 0x6F, 0x44, 0x27, 0xA6, 0x8B,
-+ 0xCF, 0x0E, 0x13, 0xA9, 0xCE, 0xD7, 0x6C, 0xD2, 0x38, 0xB5, 0x16, 0xB9,
-+ 0x66, 0x94, 0x48, 0xDE, 0x9E, 0x19, 0x3D, 0x6F, 0xB3, 0xA1, 0x9A, 0x19,
-+ 0xDF, 0xFB, 0xAB, 0xA5, 0x9F, 0x38, 0xDA, 0xC9, 0x21, 0x8F, 0xCE, 0x98,
-+ 0x01, 0x3A, 0xC8, 0xE0, 0xDF, 0xDA, 0xFC, 0xF0, 0xA6, 0x86, 0x29, 0xB5,
-+ 0x7F, 0x61, 0xFB, 0xBA, 0xC5, 0x49, 0xB2, 0x7C, 0x6A, 0x26, 0x82, 0xC4,
-+ 0x8F, 0xAA, 0x5B, 0x10, 0xD5, 0xEE, 0xA0, 0x55, 0x42, 0xEF, 0x32, 0x5A,
-+ 0x3F, 0x55, 0xB3, 0x2C, 0x22, 0xE9, 0x65, 0xDA, 0x8D, 0x0A, 0xB9, 0x70,
-+ 0x43, 0xCC, 0x3F, 0x64, 0x9C, 0xB5, 0x65, 0x49, 0xBD, 0x7F, 0x35, 0xC1,
-+ 0x20, 0x85, 0x24, 0xFE, 0xAA, 0x6B, 0x37, 0x04, 0xA1, 0x0E, 0x9D, 0x5C,
-+ 0xBA, 0x7F, 0x14, 0x69, 0xC5, 0x93, 0xB2, 0x33, 0xC2, 0xC0, 0xC7, 0xDF,
-+ 0x7E, 0x9E, 0xA4, 0xB0, 0xA0, 0x64, 0xD2, 0xAC, 0xFC, 0xFD, 0xFD, 0x99,
-+ 0x8F, 0x6A, 0x40, 0x26, 0xC1, 0x2E, 0x4E, 0x8B, 0x33, 0xBE, 0xF1, 0x45,
-+ 0x59, 0x8F, 0x33, 0x40, 0x1D, 0x2A, 0xD2, 0xF7, 0x50, 0x83, 0x89, 0xCF,
-+ 0x94, 0xC6, 0xF8, 0x36, 0xF0, 0x84, 0x0B, 0x85, 0xA5, 0x02, 0xA9, 0x0F,
-+ 0x41, 0x7A, 0x77, 0xA3, 0x2F, 0x47, 0x1E, 0x1D, 0xEC, 0xE6, 0xD3, 0x01,
-+ 0x1E, 0x6F, 0x7A, 0x96, 0x50, 0x37, 0x37, 0x4B, 0x27, 0x52, 0x0B, 0xDC,
-+ 0xDB, 0xC7, 0xA9, 0x31, 0xB2, 0x40, 0xEE, 0x60, 0x41, 0x26, 0x6A, 0x05,
-+ 0xCE, 0x08, 0x1D, 0x89
-+};
-+
-+static const unsigned char kat_RSA_PSS_SHA224[] = {
-+ 0xB4, 0x01, 0x93, 0x16, 0x05, 0xF6, 0xEB, 0xE2, 0xA4, 0xEB, 0x48, 0xAA,
-+ 0x00, 0xF4, 0xA1, 0x99, 0x0A, 0xB4, 0xB6, 0x63, 0xE9, 0x68, 0xCA, 0xB3,
-+ 0x13, 0xD7, 0x66, 0x6A, 0xCD, 0xCB, 0x33, 0x9F, 0xE5, 0x84, 0xE2, 0xC3,
-+ 0x0B, 0x53, 0xE5, 0x8B, 0x96, 0x4B, 0xDB, 0x2D, 0x80, 0xA4, 0x1D, 0xE3,
-+ 0x81, 0xDC, 0x52, 0x99, 0xBA, 0x9B, 0x6A, 0x9D, 0x48, 0x1F, 0x73, 0xF7,
-+ 0xAC, 0x09, 0x13, 0xA1, 0x16, 0x2C, 0x60, 0xFB, 0xBC, 0x25, 0xF7, 0x53,
-+ 0xD1, 0x04, 0x5A, 0x3F, 0x95, 0x09, 0x5E, 0xE5, 0xA2, 0x7D, 0xFC, 0x2A,
-+ 0x51, 0x1D, 0x21, 0xCE, 0x2B, 0x4E, 0x1B, 0xB8, 0xCB, 0xDD, 0x24, 0xEE,
-+ 0x99, 0x1D, 0x37, 0xDC, 0xED, 0x5F, 0x2F, 0x48, 0x5E, 0x33, 0x94, 0x06,
-+ 0x19, 0xCD, 0x5A, 0x26, 0x85, 0x77, 0x9D, 0xAF, 0x86, 0x97, 0xC9, 0x08,
-+ 0xD5, 0x81, 0x0E, 0xB8, 0x9F, 0xB6, 0xAF, 0x20, 0x72, 0xDC, 0x13, 0x4D,
-+ 0x7A, 0xE4, 0x5C, 0x81, 0xDE, 0xC0, 0x3D, 0x19, 0x9C, 0x33, 0x11, 0x07,
-+ 0xD5, 0xA9, 0x51, 0x67, 0xCD, 0xFD, 0x37, 0x61, 0x14, 0x9F, 0xE7, 0x70,
-+ 0x18, 0x32, 0xC3, 0x34, 0x54, 0x0D, 0x4F, 0xB4, 0xAE, 0x9F, 0xEC, 0x64,
-+ 0xD8, 0xB2, 0x16, 0xA4, 0xB2, 0x99, 0x92, 0xCB, 0x7F, 0x1F, 0x06, 0x17,
-+ 0x5F, 0xA1, 0x07, 0x68, 0xAE, 0xA7, 0x2D, 0x03, 0x91, 0x2A, 0x9D, 0x69,
-+ 0xC2, 0x9D, 0x90, 0xF7, 0xF9, 0x66, 0x5D, 0x13, 0xB7, 0x7F, 0xD3, 0x97,
-+ 0x45, 0x97, 0x43, 0xD8, 0xCE, 0x3C, 0xF2, 0x98, 0x98, 0xDD, 0xE2, 0x2D,
-+ 0xCF, 0xA1, 0xC4, 0x25, 0x46, 0x2E, 0xD2, 0xE5, 0x5F, 0xC6, 0x01, 0xC5,
-+ 0x4F, 0x42, 0x2B, 0xDE, 0x0F, 0xEA, 0x4A, 0x4F, 0xC3, 0x5B, 0xDF, 0x9B,
-+ 0x5D, 0x30, 0x18, 0x93, 0xD0, 0xDE, 0xC5, 0x09, 0xAA, 0x57, 0x57, 0xBD,
-+ 0x2D, 0x84, 0x03, 0xB7
-+};
-+
+static const unsigned char kat_RSA_PSS_SHA256[] = {
+ 0x38, 0xDA, 0x99, 0x51, 0x26, 0x38, 0xC6, 0x7F, 0xC4, 0x81, 0x57, 0x19,
+ 0x35, 0xC6, 0xF6, 0x1E, 0x90, 0x47, 0x20, 0x55, 0x47, 0x56, 0x26, 0xE9,
@@ -9713,106 +9353,6 @@ diff -up openssl-1.1.1-pre8/crypto/fips/fips_rsa_selftest.c.fips openssl-1.1.1-p
+ 0x2B, 0x31, 0xB9, 0x7D
+};
+
-+static const unsigned char kat_RSA_PSS_SHA384[] = {
-+ 0x99, 0x02, 0xC9, 0x1E, 0x31, 0x82, 0xB4, 0xE6, 0x1B, 0x32, 0xCE, 0x5D,
-+ 0x41, 0x1D, 0x00, 0x2F, 0x04, 0x8B, 0xBD, 0x37, 0x79, 0xCF, 0x77, 0x03,
-+ 0x05, 0x6A, 0x21, 0xC7, 0x8D, 0x24, 0x60, 0x49, 0x39, 0x58, 0xC5, 0x27,
-+ 0x8F, 0xC5, 0x97, 0x4A, 0xB2, 0xE1, 0xD4, 0x36, 0x57, 0xBD, 0x43, 0xCC,
-+ 0x7B, 0xCE, 0xF2, 0xA5, 0x30, 0xF8, 0x72, 0x14, 0xBB, 0xD0, 0x9F, 0xC1,
-+ 0x49, 0xC8, 0x1C, 0xAF, 0xCD, 0x95, 0x78, 0x72, 0x25, 0xF9, 0x45, 0xC6,
-+ 0x5B, 0x62, 0x5E, 0x01, 0xD7, 0x40, 0x5E, 0xC8, 0xCA, 0x0A, 0xF3, 0xBA,
-+ 0x08, 0x07, 0x88, 0xCA, 0x49, 0x36, 0x84, 0x7D, 0xF6, 0xFC, 0x5A, 0xDB,
-+ 0xFC, 0x50, 0xD3, 0xEB, 0x3D, 0x83, 0xB0, 0xF5, 0x94, 0x5E, 0x88, 0xC3,
-+ 0x82, 0xCD, 0x53, 0x40, 0x96, 0x18, 0x6B, 0x4A, 0x6C, 0x9C, 0xFE, 0xE5,
-+ 0x3B, 0x75, 0xF9, 0xEB, 0xA5, 0x77, 0x11, 0xEF, 0x88, 0x1C, 0x25, 0x70,
-+ 0x7D, 0x88, 0x5D, 0xC3, 0xCA, 0xE1, 0x49, 0x14, 0x90, 0xAD, 0xF2, 0x5E,
-+ 0x49, 0xD7, 0x99, 0xA5, 0x7B, 0x77, 0x3B, 0x8E, 0xB8, 0xDB, 0xF1, 0x4C,
-+ 0xD6, 0x9A, 0xDC, 0xE5, 0x7A, 0x1C, 0xE1, 0xCE, 0x9D, 0xF1, 0xF3, 0xA0,
-+ 0x0A, 0x35, 0x52, 0x9D, 0xB9, 0x46, 0x94, 0x82, 0x0F, 0xF7, 0xB2, 0x62,
-+ 0x51, 0x70, 0x75, 0xD2, 0x37, 0x96, 0x67, 0x2F, 0xD0, 0x22, 0xD8, 0x07,
-+ 0x8D, 0x69, 0x9E, 0x6D, 0x0B, 0x40, 0x4F, 0x70, 0xEC, 0x0B, 0xCA, 0x88,
-+ 0x80, 0x8D, 0x9A, 0xF4, 0xF9, 0x18, 0x50, 0x27, 0x08, 0xFA, 0xCC, 0xC7,
-+ 0x3F, 0xE4, 0x84, 0x83, 0xA1, 0xB6, 0x1D, 0x23, 0x34, 0xFE, 0x48, 0xE5,
-+ 0xE3, 0xAE, 0x4D, 0x98, 0xBC, 0xA6, 0x8A, 0x9F, 0xFD, 0x4D, 0xDB, 0x9D,
-+ 0xF7, 0xEB, 0x4E, 0xB6, 0x6F, 0x25, 0xEA, 0x7A, 0xE9, 0x85, 0xB2, 0xEF,
-+ 0x90, 0xD2, 0xA6, 0x2B
-+};
-+
-+static const unsigned char kat_RSA_PSS_SHA512[] = {
-+ 0x3F, 0x83, 0x43, 0x78, 0x25, 0xBE, 0x81, 0xB2, 0x6E, 0x78, 0x11, 0x32,
-+ 0xD0, 0x88, 0x05, 0x53, 0x95, 0xED, 0x81, 0x12, 0xCE, 0x50, 0xD9, 0x06,
-+ 0x42, 0x89, 0xA0, 0x55, 0x7A, 0x05, 0x13, 0x94, 0x35, 0x9B, 0xCA, 0x5D,
-+ 0xCB, 0xB2, 0x32, 0xE1, 0x04, 0x99, 0xEC, 0xE7, 0xA6, 0x69, 0x4D, 0x2B,
-+ 0xC1, 0x57, 0x13, 0x48, 0x0D, 0x6B, 0x4D, 0x83, 0x28, 0x06, 0x79, 0x9D,
-+ 0xB4, 0x70, 0xCE, 0xC0, 0xFC, 0x3B, 0x69, 0xB3, 0x91, 0x54, 0xA9, 0x44,
-+ 0x2E, 0xDA, 0x4A, 0xC5, 0xC2, 0x99, 0xF0, 0xDE, 0xCA, 0x77, 0x99, 0x6B,
-+ 0x0C, 0x79, 0xE5, 0x29, 0x74, 0x83, 0x69, 0xEA, 0xB8, 0x72, 0x30, 0x3D,
-+ 0x7A, 0x30, 0xE1, 0x03, 0x7B, 0x09, 0xE6, 0x11, 0xC0, 0xDC, 0xFF, 0xFD,
-+ 0xBD, 0xEC, 0x9C, 0xCC, 0x46, 0x7B, 0x4C, 0x4C, 0x59, 0xBE, 0x82, 0x7C,
-+ 0xF5, 0x60, 0x5A, 0xC3, 0xE8, 0xA8, 0x8A, 0x38, 0x9E, 0x01, 0x57, 0xF1,
-+ 0x79, 0x3A, 0x7C, 0xA3, 0x9F, 0x12, 0x1A, 0x4F, 0x2E, 0xA2, 0xE5, 0x0A,
-+ 0xAB, 0xC0, 0xF4, 0xA5, 0xE3, 0x5F, 0x89, 0x1C, 0x8F, 0xA4, 0x5E, 0xCE,
-+ 0x0D, 0x91, 0x05, 0x1B, 0x17, 0x62, 0x48, 0xFE, 0xA5, 0x4C, 0xEF, 0x2D,
-+ 0x28, 0xF1, 0x5E, 0xE6, 0xD1, 0x30, 0x89, 0x0A, 0xAD, 0x18, 0xAF, 0x6F,
-+ 0x04, 0x09, 0x36, 0x9A, 0xFF, 0xCA, 0xA1, 0xA7, 0x05, 0x7F, 0xD4, 0xBF,
-+ 0x3A, 0xB5, 0x42, 0x6D, 0xE9, 0x07, 0x29, 0x65, 0x8B, 0xAD, 0x4D, 0x0F,
-+ 0x22, 0xE1, 0x59, 0x43, 0x68, 0x87, 0xA8, 0x8B, 0xBC, 0x69, 0xA1, 0x94,
-+ 0x22, 0x3E, 0x8A, 0x49, 0xE8, 0xA3, 0x6F, 0xC2, 0x93, 0x58, 0xE7, 0xAE,
-+ 0xC9, 0x1F, 0xCF, 0x61, 0x93, 0xFC, 0xC1, 0xF6, 0xF3, 0x27, 0x7F, 0x0A,
-+ 0x90, 0xE0, 0x65, 0x32, 0x57, 0x47, 0xE2, 0xED, 0x08, 0x59, 0xA6, 0xF0,
-+ 0x17, 0x2C, 0x13, 0xE0
-+};
-+
-+static const unsigned char kat_RSA_SHA1[] = {
-+ 0x3B, 0x60, 0x4B, 0xFC, 0x54, 0x28, 0x23, 0xE6, 0x2F, 0x05, 0x04, 0xBA,
-+ 0x9D, 0xE4, 0x3C, 0xB8, 0x5B, 0x60, 0x5C, 0xCD, 0x9D, 0xEA, 0xC3, 0x4C,
-+ 0xC2, 0x33, 0xE6, 0xC6, 0x21, 0x48, 0x76, 0xEC, 0xB2, 0xF5, 0x11, 0xDE,
-+ 0x44, 0xB4, 0xAF, 0x16, 0x11, 0xC3, 0x18, 0x16, 0xB3, 0x69, 0xBB, 0x94,
-+ 0xED, 0xE8, 0xB3, 0x9E, 0xB1, 0x43, 0x8E, 0xCE, 0xB4, 0x34, 0x9B, 0x08,
-+ 0x22, 0xAF, 0x31, 0x73, 0xB5, 0xFA, 0x11, 0x7E, 0x8F, 0x13, 0x52, 0xEC,
-+ 0xC9, 0x03, 0xEE, 0x0D, 0x2B, 0x91, 0x32, 0xF2, 0x8E, 0xDF, 0x02, 0xE0,
-+ 0x0A, 0x47, 0xD2, 0x0A, 0x51, 0x00, 0x1A, 0x30, 0x6F, 0x0C, 0xB3, 0x54,
-+ 0x64, 0x20, 0x90, 0x0C, 0x01, 0xBE, 0xC0, 0x42, 0x8C, 0x5D, 0x18, 0x6F,
-+ 0x32, 0x75, 0x45, 0x7B, 0x1C, 0x04, 0xA2, 0x9F, 0x84, 0xD7, 0xF5, 0x3A,
-+ 0x95, 0xD4, 0xE8, 0x8D, 0xEC, 0x99, 0xEF, 0x18, 0x5E, 0x64, 0xD3, 0xAF,
-+ 0xF8, 0xD4, 0xFF, 0x3C, 0x87, 0xA0, 0x3F, 0xC7, 0x22, 0x05, 0xFD, 0xFD,
-+ 0x29, 0x8A, 0x28, 0xDA, 0xA9, 0x8A, 0x8B, 0x23, 0x62, 0x9D, 0x42, 0xB8,
-+ 0x4A, 0x76, 0x0D, 0x9F, 0x9A, 0xE0, 0xE6, 0xDD, 0xAD, 0x5E, 0x5F, 0xD5,
-+ 0x32, 0xE9, 0x4B, 0x97, 0x7D, 0x62, 0x0A, 0xB3, 0xBE, 0xF2, 0x8C, 0x1F,
-+ 0x2B, 0x22, 0x06, 0x15, 0x33, 0x71, 0xED, 0x9B, 0xA0, 0x82, 0xCE, 0xBF,
-+ 0x3B, 0x08, 0x5F, 0xA7, 0x20, 0x94, 0x09, 0xEB, 0x82, 0xA5, 0x41, 0x60,
-+ 0xF1, 0x08, 0xEB, 0x8D, 0xCC, 0x8D, 0xC9, 0x52, 0x0A, 0xAF, 0xF4, 0xF9,
-+ 0x9F, 0x82, 0xD8, 0x0B, 0x75, 0x5E, 0xE4, 0xAF, 0x65, 0x96, 0xAF, 0xFC,
-+ 0x33, 0xBF, 0x9F, 0x3E, 0xA4, 0x7B, 0x86, 0xC7, 0xF7, 0x47, 0xAB, 0x37,
-+ 0x05, 0xD6, 0x0D, 0x31, 0x72, 0x8C, 0x80, 0x1E, 0xA9, 0x54, 0xFC, 0xDF,
-+ 0x27, 0x90, 0xE2, 0x01
-+};
-+
-+static const unsigned char kat_RSA_SHA224[] = {
-+ 0xA2, 0xD8, 0x42, 0x53, 0xDD, 0xBF, 0x1F, 0x6B, 0x07, 0xE0, 0x60, 0x86,
-+ 0x5A, 0x60, 0x06, 0x8F, 0x44, 0xD9, 0xB0, 0x4A, 0xAA, 0x90, 0x71, 0xB8,
-+ 0xB2, 0xBC, 0x30, 0x41, 0x50, 0xBB, 0xFD, 0x46, 0x98, 0x4D, 0xC0, 0x89,
-+ 0x57, 0x85, 0x8A, 0x97, 0x49, 0x25, 0xA8, 0x0C, 0x69, 0x70, 0x19, 0x39,
-+ 0x66, 0x24, 0xB4, 0x69, 0x47, 0xD2, 0x7C, 0xDE, 0x2D, 0x37, 0x59, 0xB3,
-+ 0xE3, 0xC7, 0x6B, 0xDD, 0xBE, 0xE1, 0xE6, 0x28, 0x9A, 0x8D, 0x42, 0x3E,
-+ 0x28, 0x01, 0xD7, 0x03, 0xC9, 0x73, 0xC3, 0x6B, 0x03, 0xEC, 0x1E, 0xF8,
-+ 0x53, 0x8B, 0x52, 0x42, 0x89, 0x55, 0xB7, 0x87, 0xA9, 0x94, 0xC2, 0xB4,
-+ 0x4B, 0x76, 0xF5, 0x61, 0x47, 0xE1, 0x44, 0x7B, 0xEC, 0xB4, 0x25, 0x66,
-+ 0xC0, 0xFF, 0xEB, 0x86, 0x24, 0xAA, 0xA8, 0x72, 0xC7, 0xFB, 0xFB, 0xF6,
-+ 0x84, 0xA7, 0x5B, 0xD4, 0x87, 0xE5, 0x84, 0x56, 0x1E, 0x4C, 0xE5, 0xBC,
-+ 0x87, 0x94, 0xAC, 0x9C, 0x1B, 0x3D, 0xF7, 0xD4, 0x36, 0x85, 0x9F, 0xC9,
-+ 0xF6, 0x43, 0x3F, 0xB6, 0x25, 0x33, 0x48, 0x0F, 0xE5, 0x7C, 0xCD, 0x53,
-+ 0x48, 0xEB, 0x02, 0x11, 0xB9, 0x9E, 0xC3, 0xB4, 0xE1, 0x54, 0xD6, 0xAA,
-+ 0x1A, 0x9E, 0x10, 0xE1, 0x27, 0x25, 0xF2, 0xE1, 0xAB, 0xAB, 0x6C, 0x45,
-+ 0x61, 0xD5, 0xA3, 0x6C, 0xB6, 0x33, 0x52, 0xAE, 0x3D, 0xFD, 0x22, 0xFC,
-+ 0x3A, 0xAB, 0x63, 0x94, 0xB5, 0x3A, 0x69, 0x11, 0xAC, 0x99, 0x4F, 0x33,
-+ 0x67, 0x0A, 0x1A, 0x70, 0x1E, 0xB9, 0xE2, 0x26, 0x27, 0x68, 0xEA, 0xF5,
-+ 0x97, 0x55, 0xAC, 0x83, 0x6A, 0x40, 0x3B, 0x56, 0xAE, 0x13, 0x88, 0xE8,
-+ 0x98, 0x72, 0x52, 0x91, 0x7F, 0x78, 0x0A, 0x18, 0xD4, 0x44, 0x78, 0x83,
-+ 0x0D, 0x44, 0x77, 0xA6, 0xF3, 0x04, 0xF1, 0x8C, 0xBC, 0x2F, 0xF9, 0x5B,
-+ 0xDB, 0x70, 0x00, 0xF6
-+};
-+
+static const unsigned char kat_RSA_SHA256[] = {
+ 0xC2, 0xB1, 0x97, 0x00, 0x9A, 0xE5, 0x80, 0x6A, 0xE2, 0x51, 0x68, 0xB9,
+ 0x7A, 0x0C, 0xF2, 0xB4, 0x77, 0xED, 0x15, 0x0C, 0x4E, 0xE1, 0xDC, 0xFF,
@@ -9838,56 +9378,6 @@ diff -up openssl-1.1.1-pre8/crypto/fips/fips_rsa_selftest.c.fips openssl-1.1.1-p
+ 0x47, 0x9D, 0x18, 0xD7
+};
+
-+static const unsigned char kat_RSA_SHA384[] = {
-+ 0x11, 0x5E, 0x63, 0xFE, 0x47, 0xAA, 0x6A, 0x84, 0xEB, 0x44, 0x9A, 0x00,
-+ 0x96, 0x4A, 0xED, 0xD2, 0xA7, 0x67, 0x3A, 0x64, 0x82, 0x30, 0x61, 0x2D,
-+ 0xE3, 0xF5, 0x49, 0x68, 0x5E, 0x60, 0xD2, 0x4D, 0xEF, 0xF2, 0xA4, 0xB2,
-+ 0x9A, 0x81, 0x1D, 0x41, 0xA5, 0x73, 0x59, 0xEB, 0xBB, 0xC4, 0x9E, 0x2B,
-+ 0xEB, 0xC3, 0xDE, 0x3A, 0xEA, 0xF5, 0xAD, 0xDA, 0x87, 0x08, 0x68, 0xCF,
-+ 0x12, 0x9B, 0xC1, 0xE4, 0xA7, 0x71, 0xF8, 0xBD, 0x6B, 0x6F, 0x50, 0xF1,
-+ 0xD1, 0xFF, 0xCE, 0x6C, 0xD9, 0xBE, 0xDA, 0x76, 0xF3, 0xEB, 0xAB, 0x9C,
-+ 0x41, 0x6E, 0x4F, 0x35, 0x7A, 0x61, 0x27, 0xBC, 0x03, 0x3E, 0xAE, 0x3E,
-+ 0x1B, 0xDD, 0xAC, 0xD9, 0x1A, 0xFF, 0xD3, 0xF5, 0x66, 0x43, 0x07, 0x76,
-+ 0x8A, 0x69, 0x2D, 0x14, 0xB1, 0xBE, 0x55, 0x49, 0x90, 0x89, 0x4B, 0xC4,
-+ 0x11, 0x67, 0xD5, 0x9D, 0xB0, 0xB2, 0xEE, 0x8D, 0x0A, 0x47, 0x4A, 0xD9,
-+ 0x0E, 0xD1, 0x24, 0xF0, 0x30, 0x2B, 0xF2, 0x79, 0x47, 0xDB, 0x70, 0xB4,
-+ 0x46, 0xF2, 0xF8, 0xB7, 0xB4, 0xF6, 0x34, 0x79, 0xA8, 0x2D, 0x3D, 0x56,
-+ 0xD5, 0x9A, 0x60, 0x7A, 0x04, 0xC7, 0x66, 0x1D, 0xCD, 0x3C, 0xD5, 0x39,
-+ 0x37, 0x12, 0x51, 0x5E, 0x9F, 0xF8, 0x1A, 0xAF, 0x13, 0xC1, 0x13, 0x00,
-+ 0x35, 0xD5, 0x8D, 0x17, 0xE3, 0x02, 0x28, 0xD9, 0xEC, 0xDE, 0xD1, 0x2F,
-+ 0x93, 0x49, 0x03, 0x11, 0x3E, 0x56, 0x9D, 0xC2, 0x31, 0xF8, 0xAF, 0x2D,
-+ 0xD9, 0x99, 0xB7, 0x8A, 0xAC, 0x5A, 0x86, 0x20, 0x3A, 0x83, 0x29, 0x26,
-+ 0x9D, 0x03, 0x52, 0x2B, 0x34, 0x56, 0x40, 0x16, 0x53, 0x50, 0x82, 0xC9,
-+ 0xC7, 0xD5, 0x51, 0x4C, 0xED, 0xB3, 0xE2, 0xE1, 0xCF, 0xA8, 0xCE, 0xBD,
-+ 0xB1, 0x48, 0xA6, 0x8A, 0x79, 0x17, 0x55, 0x11, 0xEF, 0xE8, 0x14, 0xF4,
-+ 0x7E, 0x37, 0x1D, 0x96
-+};
-+
-+static const unsigned char kat_RSA_SHA512[] = {
-+ 0x35, 0x6D, 0xF1, 0x9E, 0xCF, 0xB1, 0xF6, 0x0C, 0x04, 0x21, 0x17, 0xB3,
-+ 0xC4, 0x9D, 0xFE, 0x62, 0x1C, 0x1A, 0x45, 0x00, 0x2E, 0x6B, 0xB6, 0x9F,
-+ 0x5C, 0xB1, 0xCB, 0xCF, 0xF9, 0x67, 0xEA, 0x62, 0x8A, 0xEB, 0x77, 0x02,
-+ 0x42, 0x30, 0x88, 0xB1, 0x48, 0xDF, 0x12, 0x60, 0x6E, 0x92, 0xBB, 0x4B,
-+ 0x09, 0x68, 0xD1, 0x70, 0x2B, 0x59, 0xEE, 0x57, 0x96, 0xF9, 0xEA, 0xA3,
-+ 0x4C, 0xE9, 0xC9, 0xBD, 0x25, 0x34, 0x66, 0x15, 0x6C, 0xC9, 0x81, 0xD1,
-+ 0x48, 0x0F, 0x33, 0x5F, 0x05, 0x4F, 0xC2, 0xC4, 0xDD, 0x09, 0x54, 0x79,
-+ 0xA1, 0x57, 0x07, 0x70, 0xA0, 0x33, 0x02, 0x4D, 0x5D, 0xE9, 0x24, 0xD1,
-+ 0xEF, 0xF0, 0x61, 0xD0, 0x1D, 0x41, 0xE2, 0x9B, 0x2B, 0x7C, 0xD0, 0x4E,
-+ 0x55, 0xD9, 0x6D, 0xA1, 0x16, 0x9F, 0xDA, 0xC3, 0x3B, 0xF1, 0x74, 0xD1,
-+ 0x99, 0xF1, 0x63, 0x57, 0xAD, 0xC7, 0x55, 0xF4, 0x97, 0x43, 0x1C, 0xED,
-+ 0x1B, 0x7A, 0x32, 0xCB, 0x24, 0xA6, 0x3D, 0x93, 0x37, 0x90, 0x74, 0xEE,
-+ 0xD2, 0x8D, 0x4B, 0xBC, 0x72, 0xDA, 0x25, 0x2B, 0x64, 0xE9, 0xCA, 0x69,
-+ 0x36, 0xB6, 0xEC, 0x6E, 0x8F, 0x33, 0x0E, 0x74, 0x40, 0x48, 0x51, 0xE2,
-+ 0x54, 0x6F, 0xAF, 0x6E, 0x36, 0x54, 0x3A, 0xEC, 0x78, 0x37, 0xE6, 0x1F,
-+ 0x76, 0xA5, 0x4D, 0xA6, 0xD9, 0xB3, 0x6B, 0x17, 0x6D, 0x61, 0xFC, 0xA3,
-+ 0x85, 0x4A, 0xCC, 0xDA, 0x52, 0xAC, 0x5B, 0xDA, 0x51, 0xE5, 0x7F, 0x5B,
-+ 0x52, 0x8B, 0x74, 0x75, 0x99, 0x5C, 0x01, 0xFD, 0x25, 0x3E, 0xCD, 0x86,
-+ 0x6F, 0x7A, 0xC0, 0xD8, 0x17, 0x6F, 0xD1, 0xD2, 0x6B, 0xAB, 0x14, 0x1F,
-+ 0x3B, 0xB8, 0x15, 0x05, 0x86, 0x40, 0x36, 0xCF, 0xDA, 0x59, 0x2B, 0x9A,
-+ 0xE9, 0x1E, 0x6E, 0xD3, 0x6B, 0xA1, 0x19, 0xC5, 0xE6, 0x3F, 0xE9, 0x2E,
-+ 0x43, 0xA8, 0x34, 0x0A
-+};
-+
+static int fips_rsa_encrypt_test(RSA *rsa, const unsigned char *plaintext,
+ int ptlen)
+{
@@ -9944,56 +9434,16 @@ diff -up openssl-1.1.1-pre8/crypto/fips/fips_rsa_selftest.c.fips openssl-1.1.1-p
+ EVP_PKEY_set1_RSA(pk, key);
+
+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_SHA1, sizeof(kat_RSA_SHA1),
-+ EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PKCS1,
-+ "RSA SHA1 PKCS#1"))
-+ goto err;
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_SHA224, sizeof(kat_RSA_SHA224),
-+ EVP_sha224(), EVP_MD_CTX_FLAG_PAD_PKCS1,
-+ "RSA SHA224 PKCS#1"))
-+ goto err;
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
+ kat_RSA_SHA256, sizeof(kat_RSA_SHA256),
+ EVP_sha256(), EVP_MD_CTX_FLAG_PAD_PKCS1,
+ "RSA SHA256 PKCS#1"))
+ goto err;
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_SHA384, sizeof(kat_RSA_SHA384),
-+ EVP_sha384(), EVP_MD_CTX_FLAG_PAD_PKCS1,
-+ "RSA SHA384 PKCS#1"))
-+ goto err;
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_SHA512, sizeof(kat_RSA_SHA512),
-+ EVP_sha512(), EVP_MD_CTX_FLAG_PAD_PKCS1,
-+ "RSA SHA512 PKCS#1"))
-+ goto err;
+
+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_PSS_SHA1, sizeof(kat_RSA_PSS_SHA1),
-+ EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PSS,
-+ "RSA SHA1 PSS"))
-+ goto err;
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_PSS_SHA224,
-+ sizeof(kat_RSA_PSS_SHA224), EVP_sha224(),
-+ EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA224 PSS"))
-+ goto err;
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
+ kat_RSA_PSS_SHA256,
+ sizeof(kat_RSA_PSS_SHA256), EVP_sha256(),
+ EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA256 PSS"))
+ goto err;
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_PSS_SHA384,
-+ sizeof(kat_RSA_PSS_SHA384), EVP_sha384(),
-+ EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA384 PSS"))
-+ goto err;
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_PSS_SHA512,
-+ sizeof(kat_RSA_PSS_SHA512), EVP_sha512(),
-+ EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA512 PSS"))
-+ goto err;
+
+ if (!fips_rsa_encrypt_test(key, kat_tbs, sizeof(kat_tbs) - 1))
+ goto err;
@@ -10009,9 +9459,9 @@ diff -up openssl-1.1.1-pre8/crypto/fips/fips_rsa_selftest.c.fips openssl-1.1.1-p
+}
+
+#endif /* def OPENSSL_FIPS */
-diff -up openssl-1.1.1-pre8/crypto/fips/fips_sha_selftest.c.fips openssl-1.1.1-pre8/crypto/fips/fips_sha_selftest.c
---- openssl-1.1.1-pre8/crypto/fips/fips_sha_selftest.c.fips 2018-07-25 17:26:58.410624824 +0200
-+++ openssl-1.1.1-pre8/crypto/fips/fips_sha_selftest.c 2018-07-25 17:26:58.410624824 +0200
+diff -up openssl-1.1.1-pre9/crypto/fips/fips_sha_selftest.c.fips openssl-1.1.1-pre9/crypto/fips/fips_sha_selftest.c
+--- openssl-1.1.1-pre9/crypto/fips/fips_sha_selftest.c.fips 2018-08-22 12:17:53.440655584 +0200
++++ openssl-1.1.1-pre9/crypto/fips/fips_sha_selftest.c 2018-08-22 12:17:53.440655584 +0200
@@ -0,0 +1,138 @@
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
@@ -10151,9 +9601,9 @@ diff -up openssl-1.1.1-pre8/crypto/fips/fips_sha_selftest.c.fips openssl-1.1.1-p
+}
+
+#endif
-diff -up openssl-1.1.1-pre8/crypto/fips/fips_standalone_hmac.c.fips openssl-1.1.1-pre8/crypto/fips/fips_standalone_hmac.c
---- openssl-1.1.1-pre8/crypto/fips/fips_standalone_hmac.c.fips 2018-07-25 17:26:58.410624824 +0200
-+++ openssl-1.1.1-pre8/crypto/fips/fips_standalone_hmac.c 2018-07-25 17:26:58.410624824 +0200
+diff -up openssl-1.1.1-pre9/crypto/fips/fips_standalone_hmac.c.fips openssl-1.1.1-pre9/crypto/fips/fips_standalone_hmac.c
+--- openssl-1.1.1-pre9/crypto/fips/fips_standalone_hmac.c.fips 2018-08-22 12:17:53.440655584 +0200
++++ openssl-1.1.1-pre9/crypto/fips/fips_standalone_hmac.c 2018-08-22 12:17:53.440655584 +0200
@@ -0,0 +1,127 @@
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
@@ -10282,9 +9732,9 @@ diff -up openssl-1.1.1-pre8/crypto/fips/fips_standalone_hmac.c.fips openssl-1.1.
+#endif
+ return 0;
+}
-diff -up openssl-1.1.1-pre8/crypto/hmac/hmac.c.fips openssl-1.1.1-pre8/crypto/hmac/hmac.c
---- openssl-1.1.1-pre8/crypto/hmac/hmac.c.fips 2018-06-20 16:48:11.000000000 +0200
-+++ openssl-1.1.1-pre8/crypto/hmac/hmac.c 2018-07-25 17:26:58.410624824 +0200
+diff -up openssl-1.1.1-pre9/crypto/hmac/hmac.c.fips openssl-1.1.1-pre9/crypto/hmac/hmac.c
+--- openssl-1.1.1-pre9/crypto/hmac/hmac.c.fips 2018-08-21 14:14:12.000000000 +0200
++++ openssl-1.1.1-pre9/crypto/hmac/hmac.c 2018-08-22 12:17:53.440655584 +0200
@@ -35,6 +35,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo
}
@@ -10299,9 +9749,9 @@ diff -up openssl-1.1.1-pre8/crypto/hmac/hmac.c.fips openssl-1.1.1-pre8/crypto/hm
reset = 1;
j = EVP_MD_block_size(md);
if (!ossl_assert(j <= (int)sizeof(ctx->key)))
-diff -up openssl-1.1.1-pre8/crypto/include/internal/fips_int.h.fips openssl-1.1.1-pre8/crypto/include/internal/fips_int.h
---- openssl-1.1.1-pre8/crypto/include/internal/fips_int.h.fips 2018-07-25 17:26:58.410624824 +0200
-+++ openssl-1.1.1-pre8/crypto/include/internal/fips_int.h 2018-07-25 17:26:58.410624824 +0200
+diff -up openssl-1.1.1-pre9/crypto/include/internal/fips_int.h.fips openssl-1.1.1-pre9/crypto/include/internal/fips_int.h
+--- openssl-1.1.1-pre9/crypto/include/internal/fips_int.h.fips 2018-08-22 12:17:53.440655584 +0200
++++ openssl-1.1.1-pre9/crypto/include/internal/fips_int.h 2018-08-22 12:17:53.440655584 +0200
@@ -0,0 +1,101 @@
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
@@ -10404,9 +9854,9 @@ diff -up openssl-1.1.1-pre8/crypto/include/internal/fips_int.h.fips openssl-1.1.
+void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr);
+
+#endif
-diff -up openssl-1.1.1-pre8/crypto/o_fips.c.fips openssl-1.1.1-pre8/crypto/o_fips.c
---- openssl-1.1.1-pre8/crypto/o_fips.c.fips 2018-06-20 16:48:11.000000000 +0200
-+++ openssl-1.1.1-pre8/crypto/o_fips.c 2018-07-25 17:26:58.410624824 +0200
+diff -up openssl-1.1.1-pre9/crypto/o_fips.c.fips openssl-1.1.1-pre9/crypto/o_fips.c
+--- openssl-1.1.1-pre9/crypto/o_fips.c.fips 2018-08-21 14:14:13.000000000 +0200
++++ openssl-1.1.1-pre9/crypto/o_fips.c 2018-08-22 12:17:53.440655584 +0200
@@ -11,14 +11,25 @@
int FIPS_mode(void)
@@ -10433,9 +9883,9 @@ diff -up openssl-1.1.1-pre8/crypto/o_fips.c.fips openssl-1.1.1-pre8/crypto/o_fip
return 0;
+#endif
}
-diff -up openssl-1.1.1-pre8/crypto/o_init.c.fips openssl-1.1.1-pre8/crypto/o_init.c
---- openssl-1.1.1-pre8/crypto/o_init.c.fips 2018-06-20 16:48:11.000000000 +0200
-+++ openssl-1.1.1-pre8/crypto/o_init.c 2018-07-25 17:26:58.410624824 +0200
+diff -up openssl-1.1.1-pre9/crypto/o_init.c.fips openssl-1.1.1-pre9/crypto/o_init.c
+--- openssl-1.1.1-pre9/crypto/o_init.c.fips 2018-08-21 14:14:13.000000000 +0200
++++ openssl-1.1.1-pre9/crypto/o_init.c 2018-08-22 12:17:53.441655609 +0200
@@ -7,8 +7,68 @@
* https://www.openssl.org/source/license.html
*/
@@ -10505,9 +9955,9 @@ diff -up openssl-1.1.1-pre8/crypto/o_init.c.fips openssl-1.1.1-pre8/crypto/o_ini
/*
* Perform any essential OpenSSL initialization operations. Currently does
-diff -up openssl-1.1.1-pre8/crypto/rand/rand_lib.c.fips openssl-1.1.1-pre8/crypto/rand/rand_lib.c
---- openssl-1.1.1-pre8/crypto/rand/rand_lib.c.fips 2018-06-20 16:48:11.000000000 +0200
-+++ openssl-1.1.1-pre8/crypto/rand/rand_lib.c 2018-07-25 17:26:58.410624824 +0200
+diff -up openssl-1.1.1-pre9/crypto/rand/rand_lib.c.fips openssl-1.1.1-pre9/crypto/rand/rand_lib.c
+--- openssl-1.1.1-pre9/crypto/rand/rand_lib.c.fips 2018-08-21 14:14:13.000000000 +0200
++++ openssl-1.1.1-pre9/crypto/rand/rand_lib.c 2018-08-22 12:17:53.441655609 +0200
@@ -16,6 +16,10 @@
#include "internal/thread_once.h"
#include "rand_lcl.h"
@@ -10519,7 +9969,7 @@ diff -up openssl-1.1.1-pre8/crypto/rand/rand_lib.c.fips openssl-1.1.1-pre8/crypt
#ifndef OPENSSL_NO_ENGINE
/* non-NULL if default_RAND_meth is ENGINE-provided */
-@@ -778,3 +782,15 @@ int RAND_status(void)
+@@ -793,3 +797,15 @@ int RAND_status(void)
return meth->status();
return 0;
}
@@ -10535,9 +9985,9 @@ diff -up openssl-1.1.1-pre8/crypto/rand/rand_lib.c.fips openssl-1.1.1-pre8/crypt
+ return 1;
+}
+#endif
-diff -up openssl-1.1.1-pre8/crypto/rsa/rsa_crpt.c.fips openssl-1.1.1-pre8/crypto/rsa/rsa_crpt.c
---- openssl-1.1.1-pre8/crypto/rsa/rsa_crpt.c.fips 2018-06-20 16:48:11.000000000 +0200
-+++ openssl-1.1.1-pre8/crypto/rsa/rsa_crpt.c 2018-07-25 17:26:58.411624848 +0200
+diff -up openssl-1.1.1-pre9/crypto/rsa/rsa_crpt.c.fips openssl-1.1.1-pre9/crypto/rsa/rsa_crpt.c
+--- openssl-1.1.1-pre9/crypto/rsa/rsa_crpt.c.fips 2018-08-21 14:14:13.000000000 +0200
++++ openssl-1.1.1-pre9/crypto/rsa/rsa_crpt.c 2018-08-22 12:17:53.441655609 +0200
@@ -27,24 +27,52 @@ int RSA_size(const RSA *r)
int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to,
RSA *rsa, int padding)
@@ -10591,9 +10041,9 @@ diff -up openssl-1.1.1-pre8/crypto/rsa/rsa_crpt.c.fips openssl-1.1.1-pre8/crypto
return rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding);
}
-diff -up openssl-1.1.1-pre8/crypto/rsa/rsa_err.c.fips openssl-1.1.1-pre8/crypto/rsa/rsa_err.c
---- openssl-1.1.1-pre8/crypto/rsa/rsa_err.c.fips 2018-06-20 16:48:11.000000000 +0200
-+++ openssl-1.1.1-pre8/crypto/rsa/rsa_err.c 2018-07-25 17:26:58.411624848 +0200
+diff -up openssl-1.1.1-pre9/crypto/rsa/rsa_err.c.fips openssl-1.1.1-pre9/crypto/rsa/rsa_err.c
+--- openssl-1.1.1-pre9/crypto/rsa/rsa_err.c.fips 2018-08-21 14:14:13.000000000 +0200
++++ openssl-1.1.1-pre9/crypto/rsa/rsa_err.c 2018-08-22 12:17:53.441655609 +0200
@@ -16,6 +16,8 @@
static const ERR_STRING_DATA RSA_str_functs[] = {
{ERR_PACK(ERR_LIB_RSA, RSA_F_CHECK_PADDING_MD, 0), "check_padding_md"},
@@ -10662,9 +10112,9 @@ diff -up openssl-1.1.1-pre8/crypto/rsa/rsa_err.c.fips openssl-1.1.1-pre8/crypto/
{ERR_PACK(ERR_LIB_RSA, 0, RSA_R_UNSUPPORTED_SIGNATURE_TYPE),
"unsupported signature type"},
{ERR_PACK(ERR_LIB_RSA, 0, RSA_R_VALUE_MISSING), "value missing"},
-diff -up openssl-1.1.1-pre8/crypto/rsa/rsa_gen.c.fips openssl-1.1.1-pre8/crypto/rsa/rsa_gen.c
---- openssl-1.1.1-pre8/crypto/rsa/rsa_gen.c.fips 2018-06-20 16:48:11.000000000 +0200
-+++ openssl-1.1.1-pre8/crypto/rsa/rsa_gen.c 2018-07-25 17:26:58.411624848 +0200
+diff -up openssl-1.1.1-pre9/crypto/rsa/rsa_gen.c.fips openssl-1.1.1-pre9/crypto/rsa/rsa_gen.c
+--- openssl-1.1.1-pre9/crypto/rsa/rsa_gen.c.fips 2018-08-21 14:14:13.000000000 +0200
++++ openssl-1.1.1-pre9/crypto/rsa/rsa_gen.c 2018-08-22 12:17:53.441655609 +0200
@@ -18,6 +18,78 @@
#include "internal/cryptlib.h"
#include <openssl/bn.h>
@@ -11059,9 +10509,9 @@ diff -up openssl-1.1.1-pre8/crypto/rsa/rsa_gen.c.fips openssl-1.1.1-pre8/crypto/
static int rsa_builtin_keygen(RSA *rsa, int bits, int primes, BIGNUM *e_value,
BN_GENCB *cb)
{
-diff -up openssl-1.1.1-pre8/crypto/rsa/rsa_lib.c.fips openssl-1.1.1-pre8/crypto/rsa/rsa_lib.c
---- openssl-1.1.1-pre8/crypto/rsa/rsa_lib.c.fips 2018-06-20 16:48:11.000000000 +0200
-+++ openssl-1.1.1-pre8/crypto/rsa/rsa_lib.c 2018-07-25 17:26:58.411624848 +0200
+diff -up openssl-1.1.1-pre9/crypto/rsa/rsa_lib.c.fips openssl-1.1.1-pre9/crypto/rsa/rsa_lib.c
+--- openssl-1.1.1-pre9/crypto/rsa/rsa_lib.c.fips 2018-08-21 14:14:13.000000000 +0200
++++ openssl-1.1.1-pre9/crypto/rsa/rsa_lib.c 2018-08-22 12:17:53.442655633 +0200
@@ -34,6 +34,12 @@ int RSA_set_method(RSA *rsa, const RSA_M
* to deal with which ENGINE it comes from.
*/
@@ -11104,9 +10554,9 @@ diff -up openssl-1.1.1-pre8/crypto/rsa/rsa_lib.c.fips openssl-1.1.1-pre8/crypto/
if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) {
goto err;
}
-diff -up openssl-1.1.1-pre8/crypto/rsa/rsa_ossl.c.fips openssl-1.1.1-pre8/crypto/rsa/rsa_ossl.c
---- openssl-1.1.1-pre8/crypto/rsa/rsa_ossl.c.fips 2018-06-20 16:48:11.000000000 +0200
-+++ openssl-1.1.1-pre8/crypto/rsa/rsa_ossl.c 2018-07-25 17:26:58.411624848 +0200
+diff -up openssl-1.1.1-pre9/crypto/rsa/rsa_ossl.c.fips openssl-1.1.1-pre9/crypto/rsa/rsa_ossl.c
+--- openssl-1.1.1-pre9/crypto/rsa/rsa_ossl.c.fips 2018-08-21 14:14:13.000000000 +0200
++++ openssl-1.1.1-pre9/crypto/rsa/rsa_ossl.c 2018-08-22 12:17:53.442655633 +0200
@@ -11,6 +11,10 @@
#include "internal/bn_int.h"
#include "rsa_locl.h"
@@ -11154,7 +10604,7 @@ diff -up openssl-1.1.1-pre8/crypto/rsa/rsa_ossl.c.fips openssl-1.1.1-pre8/crypto
if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);
return -1;
-@@ -251,6 +277,22 @@ static int rsa_ossl_private_encrypt(int
+@@ -246,6 +272,22 @@ static int rsa_ossl_private_encrypt(int
BIGNUM *unblind = NULL;
BN_BLINDING *blinding = NULL;
@@ -11177,7 +10627,7 @@ diff -up openssl-1.1.1-pre8/crypto/rsa/rsa_ossl.c.fips openssl-1.1.1-pre8/crypto
if ((ctx = BN_CTX_new()) == NULL)
goto err;
BN_CTX_start(ctx);
-@@ -388,6 +430,22 @@ static int rsa_ossl_private_decrypt(int
+@@ -378,6 +420,22 @@ static int rsa_ossl_private_decrypt(int
BIGNUM *unblind = NULL;
BN_BLINDING *blinding = NULL;
@@ -11200,7 +10650,7 @@ diff -up openssl-1.1.1-pre8/crypto/rsa/rsa_ossl.c.fips openssl-1.1.1-pre8/crypto
if ((ctx = BN_CTX_new()) == NULL)
goto err;
BN_CTX_start(ctx);
-@@ -513,6 +571,22 @@ static int rsa_ossl_public_decrypt(int f
+@@ -501,6 +559,22 @@ static int rsa_ossl_public_decrypt(int f
unsigned char *buf = NULL;
BN_CTX *ctx = NULL;
@@ -11223,9 +10673,9 @@ diff -up openssl-1.1.1-pre8/crypto/rsa/rsa_ossl.c.fips openssl-1.1.1-pre8/crypto
if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);
return -1;
-diff -up openssl-1.1.1-pre8/crypto/rsa/rsa_sign.c.fips openssl-1.1.1-pre8/crypto/rsa/rsa_sign.c
---- openssl-1.1.1-pre8/crypto/rsa/rsa_sign.c.fips 2018-06-20 16:48:11.000000000 +0200
-+++ openssl-1.1.1-pre8/crypto/rsa/rsa_sign.c 2018-07-25 17:26:58.411624848 +0200
+diff -up openssl-1.1.1-pre9/crypto/rsa/rsa_sign.c.fips openssl-1.1.1-pre9/crypto/rsa/rsa_sign.c
+--- openssl-1.1.1-pre9/crypto/rsa/rsa_sign.c.fips 2018-08-21 14:14:13.000000000 +0200
++++ openssl-1.1.1-pre9/crypto/rsa/rsa_sign.c 2018-08-22 12:17:53.442655633 +0200
@@ -73,6 +73,13 @@ int RSA_sign(int type, const unsigned ch
unsigned char *tmps = NULL;
const unsigned char *encoded = NULL;
@@ -11252,9 +10702,9 @@ diff -up openssl-1.1.1-pre8/crypto/rsa/rsa_sign.c.fips openssl-1.1.1-pre8/crypto
if (encrypt_len <= 0)
goto err;
-diff -up openssl-1.1.1-pre8/crypto/sha/sha_locl.h.fips openssl-1.1.1-pre8/crypto/sha/sha_locl.h
---- openssl-1.1.1-pre8/crypto/sha/sha_locl.h.fips 2018-07-25 17:26:57.885612242 +0200
-+++ openssl-1.1.1-pre8/crypto/sha/sha_locl.h 2018-07-25 17:26:58.412624872 +0200
+diff -up openssl-1.1.1-pre9/crypto/sha/sha_locl.h.fips openssl-1.1.1-pre9/crypto/sha/sha_locl.h
+--- openssl-1.1.1-pre9/crypto/sha/sha_locl.h.fips 2018-08-22 12:17:52.546633685 +0200
++++ openssl-1.1.1-pre9/crypto/sha/sha_locl.h 2018-08-22 12:17:53.442655633 +0200
@@ -52,6 +52,9 @@ void sha1_block_data_order(SHA_CTX *c, c
int HASH_INIT(SHA_CTX *c)
@@ -11265,9 +10715,9 @@ diff -up openssl-1.1.1-pre8/crypto/sha/sha_locl.h.fips openssl-1.1.1-pre8/crypto
memset(c, 0, sizeof(*c));
c->h0 = INIT_DATA_h0;
c->h1 = INIT_DATA_h1;
-diff -up openssl-1.1.1-pre8/crypto/sha/sha256.c.fips openssl-1.1.1-pre8/crypto/sha/sha256.c
---- openssl-1.1.1-pre8/crypto/sha/sha256.c.fips 2018-06-20 16:48:11.000000000 +0200
-+++ openssl-1.1.1-pre8/crypto/sha/sha256.c 2018-07-25 17:26:58.412624872 +0200
+diff -up openssl-1.1.1-pre9/crypto/sha/sha256.c.fips openssl-1.1.1-pre9/crypto/sha/sha256.c
+--- openssl-1.1.1-pre9/crypto/sha/sha256.c.fips 2018-08-21 14:14:13.000000000 +0200
++++ openssl-1.1.1-pre9/crypto/sha/sha256.c 2018-08-22 12:17:53.663661047 +0200
@@ -18,6 +18,9 @@
int SHA224_Init(SHA256_CTX *c)
@@ -11288,9 +10738,9 @@ diff -up openssl-1.1.1-pre8/crypto/sha/sha256.c.fips openssl-1.1.1-pre8/crypto/s
memset(c, 0, sizeof(*c));
c->h[0] = 0x6a09e667UL;
c->h[1] = 0xbb67ae85UL;
-diff -up openssl-1.1.1-pre8/crypto/sha/sha512.c.fips openssl-1.1.1-pre8/crypto/sha/sha512.c
---- openssl-1.1.1-pre8/crypto/sha/sha512.c.fips 2018-06-20 16:48:11.000000000 +0200
-+++ openssl-1.1.1-pre8/crypto/sha/sha512.c 2018-07-25 17:26:58.412624872 +0200
+diff -up openssl-1.1.1-pre9/crypto/sha/sha512.c.fips openssl-1.1.1-pre9/crypto/sha/sha512.c
+--- openssl-1.1.1-pre9/crypto/sha/sha512.c.fips 2018-08-21 14:14:13.000000000 +0200
++++ openssl-1.1.1-pre9/crypto/sha/sha512.c 2018-08-22 12:17:53.666661121 +0200
@@ -98,6 +98,9 @@ int sha512_256_init(SHA512_CTX *c)
int SHA384_Init(SHA512_CTX *c)
@@ -11311,9 +10761,9 @@ diff -up openssl-1.1.1-pre8/crypto/sha/sha512.c.fips openssl-1.1.1-pre8/crypto/s
c->h[0] = U64(0x6a09e667f3bcc908);
c->h[1] = U64(0xbb67ae8584caa73b);
c->h[2] = U64(0x3c6ef372fe94f82b);
-diff -up openssl-1.1.1-pre8/doc/man3/DSA_generate_parameters.pod.fips openssl-1.1.1-pre8/doc/man3/DSA_generate_parameters.pod
---- openssl-1.1.1-pre8/doc/man3/DSA_generate_parameters.pod.fips 2018-06-20 16:48:12.000000000 +0200
-+++ openssl-1.1.1-pre8/doc/man3/DSA_generate_parameters.pod 2018-07-25 17:26:58.412624872 +0200
+diff -up openssl-1.1.1-pre9/doc/man3/DSA_generate_parameters.pod.fips openssl-1.1.1-pre9/doc/man3/DSA_generate_parameters.pod
+--- openssl-1.1.1-pre9/doc/man3/DSA_generate_parameters.pod.fips 2018-08-21 14:14:14.000000000 +0200
++++ openssl-1.1.1-pre9/doc/man3/DSA_generate_parameters.pod 2018-08-22 12:17:53.666661121 +0200
@@ -30,8 +30,10 @@ B<bits> is the length of the prime p to
For lengths under 2048 bits, the length of q is 160 bits; for lengths
greater than or equal to 2048 bits, the length of q is set to 256 bits.
@@ -11327,10 +10777,10 @@ diff -up openssl-1.1.1-pre8/doc/man3/DSA_generate_parameters.pod.fips openssl-1.
DSA_generate_parameters_ex() places the iteration count in
*B<counter_ret> and a counter used for finding a generator in
-diff -up openssl-1.1.1-pre8/include/openssl/crypto.h.fips openssl-1.1.1-pre8/include/openssl/crypto.h
---- openssl-1.1.1-pre8/include/openssl/crypto.h.fips 2018-06-20 16:48:13.000000000 +0200
-+++ openssl-1.1.1-pre8/include/openssl/crypto.h 2018-07-25 17:26:58.412624872 +0200
-@@ -338,6 +338,11 @@ int OPENSSL_isservice(void);
+diff -up openssl-1.1.1-pre9/include/openssl/crypto.h.fips openssl-1.1.1-pre9/include/openssl/crypto.h
+--- openssl-1.1.1-pre9/include/openssl/crypto.h.fips 2018-08-21 14:14:15.000000000 +0200
++++ openssl-1.1.1-pre9/include/openssl/crypto.h 2018-08-22 12:17:53.673661292 +0200
+@@ -336,6 +336,11 @@ int OPENSSL_isservice(void);
int FIPS_mode(void);
int FIPS_mode_set(int r);
@@ -11342,9 +10792,9 @@ diff -up openssl-1.1.1-pre8/include/openssl/crypto.h.fips openssl-1.1.1-pre8/inc
void OPENSSL_init(void);
# ifdef OPENSSL_SYS_UNIX
void OPENSSL_fork_prepare(void);
-diff -up openssl-1.1.1-pre8/include/openssl/dherr.h.fips openssl-1.1.1-pre8/include/openssl/dherr.h
---- openssl-1.1.1-pre8/include/openssl/dherr.h.fips 2018-06-20 16:48:13.000000000 +0200
-+++ openssl-1.1.1-pre8/include/openssl/dherr.h 2018-07-25 17:26:58.412624872 +0200
+diff -up openssl-1.1.1-pre9/include/openssl/dherr.h.fips openssl-1.1.1-pre9/include/openssl/dherr.h
+--- openssl-1.1.1-pre9/include/openssl/dherr.h.fips 2018-08-21 14:14:15.000000000 +0200
++++ openssl-1.1.1-pre9/include/openssl/dherr.h 2018-08-22 12:17:53.674661316 +0200
@@ -32,6 +32,9 @@ int ERR_load_DH_strings(void);
# define DH_F_DH_CMS_DECRYPT 114
# define DH_F_DH_CMS_SET_PEERKEY 115
@@ -11370,9 +10820,9 @@ diff -up openssl-1.1.1-pre8/include/openssl/dherr.h.fips openssl-1.1.1-pre8/incl
# define DH_R_PARAMETER_ENCODING_ERROR 105
# define DH_R_PEER_KEY_ERROR 111
# define DH_R_SHARED_INFO_ERROR 113
-diff -up openssl-1.1.1-pre8/include/openssl/dh.h.fips openssl-1.1.1-pre8/include/openssl/dh.h
---- openssl-1.1.1-pre8/include/openssl/dh.h.fips 2018-06-20 16:48:13.000000000 +0200
-+++ openssl-1.1.1-pre8/include/openssl/dh.h 2018-07-25 17:26:58.412624872 +0200
+diff -up openssl-1.1.1-pre9/include/openssl/dh.h.fips openssl-1.1.1-pre9/include/openssl/dh.h
+--- openssl-1.1.1-pre9/include/openssl/dh.h.fips 2018-08-21 14:14:15.000000000 +0200
++++ openssl-1.1.1-pre9/include/openssl/dh.h 2018-08-22 12:17:53.677661390 +0200
@@ -31,6 +31,7 @@ extern "C" {
# endif
@@ -11381,9 +10831,9 @@ diff -up openssl-1.1.1-pre8/include/openssl/dh.h.fips openssl-1.1.1-pre8/include
# define DH_FLAG_CACHE_MONT_P 0x01
-diff -up openssl-1.1.1-pre8/include/openssl/dsaerr.h.fips openssl-1.1.1-pre8/include/openssl/dsaerr.h
---- openssl-1.1.1-pre8/include/openssl/dsaerr.h.fips 2018-06-20 16:48:13.000000000 +0200
-+++ openssl-1.1.1-pre8/include/openssl/dsaerr.h 2018-07-25 17:26:58.412624872 +0200
+diff -up openssl-1.1.1-pre9/include/openssl/dsaerr.h.fips openssl-1.1.1-pre9/include/openssl/dsaerr.h
+--- openssl-1.1.1-pre9/include/openssl/dsaerr.h.fips 2018-08-21 14:14:15.000000000 +0200
++++ openssl-1.1.1-pre9/include/openssl/dsaerr.h 2018-08-22 12:17:53.685661586 +0200
@@ -25,8 +25,11 @@ int ERR_load_DSA_strings(void);
*/
# define DSA_F_DSAPARAMS_PRINT 100
@@ -11409,9 +10859,9 @@ diff -up openssl-1.1.1-pre8/include/openssl/dsaerr.h.fips openssl-1.1.1-pre8/inc
# define DSA_R_PARAMETER_ENCODING_ERROR 105
# define DSA_R_Q_NOT_PRIME 113
# define DSA_R_SEED_LEN_SMALL 110
-diff -up openssl-1.1.1-pre8/include/openssl/dsa.h.fips openssl-1.1.1-pre8/include/openssl/dsa.h
---- openssl-1.1.1-pre8/include/openssl/dsa.h.fips 2018-06-20 16:48:13.000000000 +0200
-+++ openssl-1.1.1-pre8/include/openssl/dsa.h 2018-07-25 17:26:58.413624895 +0200
+diff -up openssl-1.1.1-pre9/include/openssl/dsa.h.fips openssl-1.1.1-pre9/include/openssl/dsa.h
+--- openssl-1.1.1-pre9/include/openssl/dsa.h.fips 2018-08-21 14:14:15.000000000 +0200
++++ openssl-1.1.1-pre9/include/openssl/dsa.h 2018-08-22 12:17:53.686661611 +0200
@@ -31,6 +31,7 @@ extern "C" {
# endif
@@ -11420,21 +10870,9 @@ diff -up openssl-1.1.1-pre8/include/openssl/dsa.h.fips openssl-1.1.1-pre8/includ
# define DSA_FLAG_CACHE_MONT_P 0x01
# if OPENSSL_API_COMPAT < 0x10100000L
-@@ -141,9 +142,9 @@ int DSAparams_print_fp(FILE *fp, const D
- int DSA_print_fp(FILE *bp, const DSA *x, int off);
- # endif
-
--# define DSS_prime_checks 50
-+# define DSS_prime_checks 64
- /*
-- * Primality test according to FIPS PUB 186[-1], Appendix 2.1: 50 rounds of
-+ * Primality test according to FIPS PUB 186-4, Appendix 2.1: 64 rounds of
- * Rabin-Miller
- */
- # define DSA_is_prime(n, callback, cb_arg) \
-diff -up openssl-1.1.1-pre8/include/openssl/evperr.h.fips openssl-1.1.1-pre8/include/openssl/evperr.h
---- openssl-1.1.1-pre8/include/openssl/evperr.h.fips 2018-06-20 16:48:13.000000000 +0200
-+++ openssl-1.1.1-pre8/include/openssl/evperr.h 2018-07-25 17:26:58.413624895 +0200
+diff -up openssl-1.1.1-pre9/include/openssl/evperr.h.fips openssl-1.1.1-pre9/include/openssl/evperr.h
+--- openssl-1.1.1-pre9/include/openssl/evperr.h.fips 2018-08-21 14:14:15.000000000 +0200
++++ openssl-1.1.1-pre9/include/openssl/evperr.h 2018-08-22 12:17:53.687661635 +0200
@@ -25,6 +25,7 @@ int ERR_load_EVP_strings(void);
# define EVP_F_AES_OCB_CIPHER 169
# define EVP_F_AES_T4_INIT_KEY 178
@@ -11459,9 +10897,9 @@ diff -up openssl-1.1.1-pre8/include/openssl/evperr.h.fips openssl-1.1.1-pre8/inc
# define EVP_R_UNKNOWN_CIPHER 160
# define EVP_R_UNKNOWN_DIGEST 161
# define EVP_R_UNKNOWN_OPTION 169
-diff -up openssl-1.1.1-pre8/include/openssl/fips.h.fips openssl-1.1.1-pre8/include/openssl/fips.h
---- openssl-1.1.1-pre8/include/openssl/fips.h.fips 2018-07-25 17:26:58.413624895 +0200
-+++ openssl-1.1.1-pre8/include/openssl/fips.h 2018-07-25 17:26:58.413624895 +0200
+diff -up openssl-1.1.1-pre9/include/openssl/fips.h.fips openssl-1.1.1-pre9/include/openssl/fips.h
+--- openssl-1.1.1-pre9/include/openssl/fips.h.fips 2018-08-22 12:17:53.687661635 +0200
++++ openssl-1.1.1-pre9/include/openssl/fips.h 2018-08-22 12:17:53.687661635 +0200
@@ -0,0 +1,186 @@
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
@@ -11649,9 +11087,9 @@ diff -up openssl-1.1.1-pre8/include/openssl/fips.h.fips openssl-1.1.1-pre8/inclu
+}
+# endif
+#endif
-diff -up openssl-1.1.1-pre8/include/openssl/fips_rand.h.fips openssl-1.1.1-pre8/include/openssl/fips_rand.h
---- openssl-1.1.1-pre8/include/openssl/fips_rand.h.fips 2018-07-25 17:26:58.413624895 +0200
-+++ openssl-1.1.1-pre8/include/openssl/fips_rand.h 2018-07-25 17:26:58.413624895 +0200
+diff -up openssl-1.1.1-pre9/include/openssl/fips_rand.h.fips openssl-1.1.1-pre9/include/openssl/fips_rand.h
+--- openssl-1.1.1-pre9/include/openssl/fips_rand.h.fips 2018-08-22 12:17:53.688661659 +0200
++++ openssl-1.1.1-pre9/include/openssl/fips_rand.h 2018-08-22 12:17:53.688661659 +0200
@@ -0,0 +1,145 @@
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
@@ -11798,10 +11236,10 @@ diff -up openssl-1.1.1-pre8/include/openssl/fips_rand.h.fips openssl-1.1.1-pre8/
+# endif
+# endif
+#endif
-diff -up openssl-1.1.1-pre8/include/openssl/opensslconf.h.in.fips openssl-1.1.1-pre8/include/openssl/opensslconf.h.in
---- openssl-1.1.1-pre8/include/openssl/opensslconf.h.in.fips 2018-06-20 16:48:13.000000000 +0200
-+++ openssl-1.1.1-pre8/include/openssl/opensslconf.h.in 2018-07-25 17:26:58.413624895 +0200
-@@ -138,6 +138,11 @@ extern "C" {
+diff -up openssl-1.1.1-pre9/include/openssl/opensslconf.h.in.fips openssl-1.1.1-pre9/include/openssl/opensslconf.h.in
+--- openssl-1.1.1-pre9/include/openssl/opensslconf.h.in.fips 2018-08-21 14:14:15.000000000 +0200
++++ openssl-1.1.1-pre9/include/openssl/opensslconf.h.in 2018-08-22 12:17:53.688661659 +0200
+@@ -150,6 +150,11 @@ extern "C" {
#define RC4_INT {- $config{rc4_int} -}
@@ -11813,9 +11251,9 @@ diff -up openssl-1.1.1-pre8/include/openssl/opensslconf.h.in.fips openssl-1.1.1-
#ifdef __cplusplus
}
#endif
-diff -up openssl-1.1.1-pre8/include/openssl/randerr.h.fips openssl-1.1.1-pre8/include/openssl/randerr.h
---- openssl-1.1.1-pre8/include/openssl/randerr.h.fips 2018-06-20 16:48:13.000000000 +0200
-+++ openssl-1.1.1-pre8/include/openssl/randerr.h 2018-07-25 17:26:58.413624895 +0200
+diff -up openssl-1.1.1-pre9/include/openssl/randerr.h.fips openssl-1.1.1-pre9/include/openssl/randerr.h
+--- openssl-1.1.1-pre9/include/openssl/randerr.h.fips 2018-08-21 14:14:15.000000000 +0200
++++ openssl-1.1.1-pre9/include/openssl/randerr.h 2018-08-22 12:17:53.689661684 +0200
@@ -35,6 +35,7 @@ int ERR_load_RAND_strings(void);
# define RAND_F_RAND_DRBG_SET 104
# define RAND_F_RAND_DRBG_SET_DEFAULTS 121
@@ -11824,10 +11262,10 @@ diff -up openssl-1.1.1-pre8/include/openssl/randerr.h.fips openssl-1.1.1-pre8/in
# define RAND_F_RAND_LOAD_FILE 111
# define RAND_F_RAND_POOL_ACQUIRE_ENTROPY 122
# define RAND_F_RAND_POOL_ADD 103
-diff -up openssl-1.1.1-pre8/include/openssl/rand.h.fips openssl-1.1.1-pre8/include/openssl/rand.h
---- openssl-1.1.1-pre8/include/openssl/rand.h.fips 2018-06-20 16:48:13.000000000 +0200
-+++ openssl-1.1.1-pre8/include/openssl/rand.h 2018-07-25 17:26:58.413624895 +0200
-@@ -68,6 +68,11 @@ DEPRECATEDIN_1_1_0(void RAND_screen(void
+diff -up openssl-1.1.1-pre9/include/openssl/rand.h.fips openssl-1.1.1-pre9/include/openssl/rand.h
+--- openssl-1.1.1-pre9/include/openssl/rand.h.fips 2018-08-21 14:14:15.000000000 +0200
++++ openssl-1.1.1-pre9/include/openssl/rand.h 2018-08-22 12:17:53.689661684 +0200
+@@ -69,6 +69,11 @@ DEPRECATEDIN_1_1_0(void RAND_screen(void
DEPRECATEDIN_1_1_0(int RAND_event(UINT, WPARAM, LPARAM))
# endif
@@ -11839,9 +11277,9 @@ diff -up openssl-1.1.1-pre8/include/openssl/rand.h.fips openssl-1.1.1-pre8/inclu
#ifdef __cplusplus
}
-diff -up openssl-1.1.1-pre8/include/openssl/rsaerr.h.fips openssl-1.1.1-pre8/include/openssl/rsaerr.h
---- openssl-1.1.1-pre8/include/openssl/rsaerr.h.fips 2018-06-20 16:48:13.000000000 +0200
-+++ openssl-1.1.1-pre8/include/openssl/rsaerr.h 2018-07-25 17:26:58.413624895 +0200
+diff -up openssl-1.1.1-pre9/include/openssl/rsaerr.h.fips openssl-1.1.1-pre9/include/openssl/rsaerr.h
+--- openssl-1.1.1-pre9/include/openssl/rsaerr.h.fips 2018-08-21 14:14:15.000000000 +0200
++++ openssl-1.1.1-pre9/include/openssl/rsaerr.h 2018-08-22 12:17:53.691661733 +0200
@@ -21,6 +21,7 @@ int ERR_load_RSA_strings(void);
*/
# define RSA_F_CHECK_PADDING_MD 140
@@ -11897,9 +11335,9 @@ diff -up openssl-1.1.1-pre8/include/openssl/rsaerr.h.fips openssl-1.1.1-pre8/inc
# define RSA_R_UNSUPPORTED_SIGNATURE_TYPE 155
# define RSA_R_VALUE_MISSING 147
# define RSA_R_WRONG_SIGNATURE_LENGTH 119
-diff -up openssl-1.1.1-pre8/ssl/ssl_ciph.c.fips openssl-1.1.1-pre8/ssl/ssl_ciph.c
---- openssl-1.1.1-pre8/ssl/ssl_ciph.c.fips 2018-07-25 17:26:58.400624584 +0200
-+++ openssl-1.1.1-pre8/ssl/ssl_ciph.c 2018-07-25 17:26:58.414624919 +0200
+diff -up openssl-1.1.1-pre9/ssl/ssl_ciph.c.fips openssl-1.1.1-pre9/ssl/ssl_ciph.c
+--- openssl-1.1.1-pre9/ssl/ssl_ciph.c.fips 2018-08-22 12:17:53.414654947 +0200
++++ openssl-1.1.1-pre9/ssl/ssl_ciph.c 2018-08-22 12:17:53.691661733 +0200
@@ -385,7 +385,7 @@ int ssl_load_ciphers(void)
}
}
@@ -11909,7 +11347,7 @@ diff -up openssl-1.1.1-pre8/ssl/ssl_ciph.c.fips openssl-1.1.1-pre8/ssl/ssl_ciph.
return 0;
if (!ossl_assert(ssl_digest_methods[SSL_MD_SHA1_IDX] != NULL))
return 0;
-@@ -560,6 +560,9 @@ int ssl_cipher_get_evp(const SSL_SESSION
+@@ -557,6 +557,9 @@ int ssl_cipher_get_evp(const SSL_SESSION
s->ssl_version < TLS1_VERSION)
return 1;
@@ -11919,7 +11357,7 @@ diff -up openssl-1.1.1-pre8/ssl/ssl_ciph.c.fips openssl-1.1.1-pre8/ssl/ssl_ciph.
if (c->algorithm_enc == SSL_RC4 &&
c->algorithm_mac == SSL_MD5 &&
(evp = EVP_get_cipherbyname("RC4-HMAC-MD5")))
-@@ -668,6 +671,8 @@ static void ssl_cipher_collect_ciphers(c
+@@ -665,6 +668,8 @@ static void ssl_cipher_collect_ciphers(c
/* drop those that use any of that is not available */
if (c == NULL || !c->valid)
continue;
@@ -11928,7 +11366,7 @@ diff -up openssl-1.1.1-pre8/ssl/ssl_ciph.c.fips openssl-1.1.1-pre8/ssl/ssl_ciph.
if ((c->algorithm_mkey & disabled_mkey) ||
(c->algorithm_auth & disabled_auth) ||
(c->algorithm_enc & disabled_enc) ||
-@@ -1671,7 +1676,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+@@ -1668,7 +1673,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
* to the resulting precedence to the STACK_OF(SSL_CIPHER).
*/
for (curr = head; curr != NULL; curr = curr->next) {
@@ -11938,9 +11376,9 @@ diff -up openssl-1.1.1-pre8/ssl/ssl_ciph.c.fips openssl-1.1.1-pre8/ssl/ssl_ciph.
if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) {
OPENSSL_free(co_list);
sk_SSL_CIPHER_free(cipherstack);
-diff -up openssl-1.1.1-pre8/ssl/ssl_init.c.fips openssl-1.1.1-pre8/ssl/ssl_init.c
---- openssl-1.1.1-pre8/ssl/ssl_init.c.fips 2018-06-20 16:48:13.000000000 +0200
-+++ openssl-1.1.1-pre8/ssl/ssl_init.c 2018-07-25 17:26:58.414624919 +0200
+diff -up openssl-1.1.1-pre9/ssl/ssl_init.c.fips openssl-1.1.1-pre9/ssl/ssl_init.c
+--- openssl-1.1.1-pre9/ssl/ssl_init.c.fips 2018-08-21 14:14:15.000000000 +0200
++++ openssl-1.1.1-pre9/ssl/ssl_init.c 2018-08-22 12:17:53.691661733 +0200
@@ -27,6 +27,10 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_ssl_bas
fprintf(stderr, "OPENSSL_INIT: ossl_init_ssl_base: "
"Adding SSL ciphers and digests\n");
@@ -11984,10 +11422,10 @@ diff -up openssl-1.1.1-pre8/ssl/ssl_init.c.fips openssl-1.1.1-pre8/ssl/ssl_init.
#ifndef OPENSSL_NO_COMP
# ifdef OPENSSL_INIT_DEBUG
fprintf(stderr, "OPENSSL_INIT: ossl_init_ssl_base: "
-diff -up openssl-1.1.1-pre8/ssl/ssl_lib.c.fips openssl-1.1.1-pre8/ssl/ssl_lib.c
---- openssl-1.1.1-pre8/ssl/ssl_lib.c.fips 2018-07-25 17:26:58.400624584 +0200
-+++ openssl-1.1.1-pre8/ssl/ssl_lib.c 2018-07-25 17:26:58.414624919 +0200
-@@ -2885,6 +2885,11 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
+diff -up openssl-1.1.1-pre9/ssl/ssl_lib.c.fips openssl-1.1.1-pre9/ssl/ssl_lib.c
+--- openssl-1.1.1-pre9/ssl/ssl_lib.c.fips 2018-08-22 12:17:53.415654972 +0200
++++ openssl-1.1.1-pre9/ssl/ssl_lib.c 2018-08-22 12:17:53.692661757 +0200
+@@ -2887,6 +2887,11 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
if (!OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL))
return NULL;
@@ -11999,7 +11437,7 @@ diff -up openssl-1.1.1-pre8/ssl/ssl_lib.c.fips openssl-1.1.1-pre8/ssl/ssl_lib.c
if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) {
SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
goto err;
-@@ -2941,13 +2946,17 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
+@@ -2943,13 +2948,17 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
if (ret->param == NULL)
goto err;
@@ -12024,9 +11462,9 @@ diff -up openssl-1.1.1-pre8/ssl/ssl_lib.c.fips openssl-1.1.1-pre8/ssl/ssl_lib.c
}
if ((ret->ca_names = sk_X509_NAME_new_null()) == NULL)
-diff -up openssl-1.1.1-pre8/test/dsatest.c.fips openssl-1.1.1-pre8/test/dsatest.c
---- openssl-1.1.1-pre8/test/dsatest.c.fips 2018-06-20 16:48:14.000000000 +0200
-+++ openssl-1.1.1-pre8/test/dsatest.c 2018-07-25 17:26:58.415624943 +0200
+diff -up openssl-1.1.1-pre9/test/dsatest.c.fips openssl-1.1.1-pre9/test/dsatest.c
+--- openssl-1.1.1-pre9/test/dsatest.c.fips 2018-08-21 14:14:15.000000000 +0200
++++ openssl-1.1.1-pre9/test/dsatest.c 2018-08-22 12:17:53.692661757 +0200
@@ -24,41 +24,42 @@
#ifndef OPENSSL_NO_DSA
static int dsa_cb(int p, int n, BN_GENCB *arg);
@@ -12109,13 +11547,13 @@ diff -up openssl-1.1.1-pre8/test/dsatest.c.fips openssl-1.1.1-pre8/test/dsatest.
goto end;
if (!TEST_int_eq(h, 2))
goto end;
-diff -up openssl-1.1.1-pre8/util/libcrypto.num.fips openssl-1.1.1-pre8/util/libcrypto.num
---- openssl-1.1.1-pre8/util/libcrypto.num.fips 2018-06-20 16:48:15.000000000 +0200
-+++ openssl-1.1.1-pre8/util/libcrypto.num 2018-07-25 17:49:31.909043049 +0200
-@@ -4568,3 +4568,38 @@ EVP_PKEY_get_raw_private_key
- EVP_PKEY_asn1_set_get_priv_key 4520 1_1_1 EXIST::FUNCTION:
- EVP_PKEY_asn1_set_get_pub_key 4521 1_1_1 EXIST::FUNCTION:
- EVP_PKEY_set_alias_type 4522 1_1_1 EXIST::FUNCTION:
+diff -up openssl-1.1.1-pre9/util/libcrypto.num.fips openssl-1.1.1-pre9/util/libcrypto.num
+--- openssl-1.1.1-pre9/util/libcrypto.num.fips 2018-08-22 12:17:53.693661782 +0200
++++ openssl-1.1.1-pre9/util/libcrypto.num 2018-08-22 12:24:43.162691652 +0200
+@@ -4572,3 +4572,38 @@ EC_POINT_set_affine_coordinates
+ EC_POINT_get_affine_coordinates 4526 1_1_1 EXIST::FUNCTION:EC
+ EC_GROUP_set_curve 4527 1_1_1 EXIST::FUNCTION:EC
+ EC_GROUP_get_curve 4528 1_1_1 EXIST::FUNCTION:EC
+FIPS_drbg_reseed 6348 1_1_0g EXIST::FUNCTION:
+FIPS_selftest_check 6349 1_1_0g EXIST::FUNCTION:
+FIPS_rand_set_method 6350 1_1_0g EXIST::FUNCTION:
diff --git a/openssl-1.1.1-man-rename.patch b/openssl-1.1.1-man-rename.patch
index 6aef549..4e504b4 100644
--- a/openssl-1.1.1-man-rename.patch
+++ b/openssl-1.1.1-man-rename.patch
@@ -1,25 +1,7 @@
-diff -up openssl-1.1.1-pre2/doc/man1/openssl.pod.man-rename openssl-1.1.1-pre2/doc/man1/openssl.pod
---- openssl-1.1.1-pre2/doc/man1/openssl.pod.man-rename 2018-02-27 14:40:43.000000000 +0100
-+++ openssl-1.1.1-pre2/doc/man1/openssl.pod 2018-03-06 15:32:44.737652939 +0100
-@@ -170,7 +170,7 @@ Create or examine a Netscape certificate
-
- Online Certificate Status Protocol utility.
-
--=item L<B<passwd>|passwd(1)>
-+=item L<B<passwd>|sslpasswd(1)>
-
- Generation of hashed passwords.
-
-@@ -202,7 +202,7 @@ Public key algorithm cryptographic opera
-
- Compute prime numbers.
-
--=item L<B<rand>|rand(1)>
-+=item L<B<rand>|sslrand(1)>
-
- Generate pseudo-random bytes.
-
-@@ -444,13 +444,13 @@ L<dhparam(1)>, L<dsa(1)>, L<dsaparam(1)>
+diff -up openssl-1.1.1-pre9/doc/man1/openssl.pod.man-rename openssl-1.1.1-pre9/doc/man1/openssl.pod
+--- openssl-1.1.1-pre9/doc/man1/openssl.pod.man-rename 2018-08-21 14:14:13.000000000 +0200
++++ openssl-1.1.1-pre9/doc/man1/openssl.pod 2018-08-22 12:13:04.092568064 +0200
+@@ -482,13 +482,13 @@ L<dhparam(1)>, L<dsa(1)>, L<dsaparam(1)>
L<ec(1)>, L<ecparam(1)>,
L<enc(1)>, L<engine(1)>, L<errstr(1)>, L<gendsa(1)>, L<genpkey(1)>,
L<genrsa(1)>, L<nseq(1)>, L<ocsp(1)>,
diff --git a/openssl-1.1.1-seclevel-check.patch b/openssl-1.1.1-seclevel-check.patch
new file mode 100644
index 0000000..e023c6e
--- /dev/null
+++ b/openssl-1.1.1-seclevel-check.patch
@@ -0,0 +1,14 @@
+diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
+index df5cff79c9..e740a8c25d 100644
+--- a/ssl/ssl_cert.c
++++ b/ssl/ssl_cert.c
+@@ -947,7 +947,8 @@ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
+ if (level >= 2 && c->algorithm_enc == SSL_RC4)
+ return 0;
+ /* Level 3: forward secure ciphersuites only */
+- if (level >= 3 && !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH)))
++ if (level >= 3 && (c->min_tls != TLS1_3_VERSION ||
++ !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH))))
+ return 0;
+ break;
+ }
diff --git a/openssl-1.1.1-system-cipherlist.patch b/openssl-1.1.1-system-cipherlist.patch
index 98c0851..b83c29b 100644
--- a/openssl-1.1.1-system-cipherlist.patch
+++ b/openssl-1.1.1-system-cipherlist.patch
@@ -1,7 +1,7 @@
-diff -up openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl.system-cipherlist openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl
---- openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl.system-cipherlist 2018-07-25 10:13:06.325232356 +0200
-+++ openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl 2018-07-25 10:18:27.067863251 +0200
-@@ -176,6 +176,10 @@ MANDIR=$(INSTALLTOP)/share/man
+diff -up openssl-1.1.1-pre9/Configurations/unix-Makefile.tmpl.system-cipherlist openssl-1.1.1-pre9/Configurations/unix-Makefile.tmpl
+--- openssl-1.1.1-pre9/Configurations/unix-Makefile.tmpl.system-cipherlist 2018-08-22 12:15:54.520742678 +0200
++++ openssl-1.1.1-pre9/Configurations/unix-Makefile.tmpl 2018-08-22 12:15:54.554743511 +0200
+@@ -180,6 +180,10 @@ MANDIR=$(INSTALLTOP)/share/man
DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME)
HTMLDIR=$(DOCDIR)/html
@@ -12,7 +12,7 @@ diff -up openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl.system-cipherlist
# MANSUFFIX is for the benefit of anyone who may want to have a suffix
# appended after the manpage file section number. "ssl" is popular,
# resulting in files such as config.5ssl rather than config.5.
-@@ -199,6 +203,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -}
+@@ -203,6 +207,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -}
CXX={- $config{CXX} ? "\$(CROSS_COMPILE)$config{CXX}" : '' -}
CPPFLAGS={- our $cppflags1 = join(" ",
(map { "-D".$_} @{$config{CPPDEFINES}}),
@@ -20,19 +20,19 @@ diff -up openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl.system-cipherlist
(map { "-I".$_} @{$config{CPPINCLUDES}}),
@{$config{CPPFLAGS}}) -}
CFLAGS={- join(' ', @{$config{CFLAGS}}) -}
-diff -up openssl-1.1.1-pre8/Configure.system-cipherlist openssl-1.1.1-pre8/Configure
---- openssl-1.1.1-pre8/Configure.system-cipherlist 2018-06-20 16:48:09.000000000 +0200
-+++ openssl-1.1.1-pre8/Configure 2018-07-25 10:13:06.346232856 +0200
-@@ -21,7 +21,7 @@ use OpenSSL::Glob;
-
- # see INSTALL for instructions.
+diff -up openssl-1.1.1-pre9/Configure.system-cipherlist openssl-1.1.1-pre9/Configure
+--- openssl-1.1.1-pre9/Configure.system-cipherlist 2018-08-21 14:14:11.000000000 +0200
++++ openssl-1.1.1-pre9/Configure 2018-08-22 12:16:46.600018343 +0200
+@@ -24,7 +24,7 @@ use OpenSSL::Glob;
+ my $orig_death_handler = $SIG{__DIE__};
+ $SIG{__DIE__} = \&death_handler;
-my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
+my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
# Options:
#
-@@ -38,6 +38,9 @@ my $usage="Usage: Configure [no-<cipher>
+@@ -41,6 +41,9 @@ my $usage="Usage: Configure [no-<cipher>
# This becomes the value of OPENSSLDIR in Makefile and in C.
# (Default: PREFIX/ssl)
#
@@ -42,7 +42,7 @@ diff -up openssl-1.1.1-pre8/Configure.system-cipherlist openssl-1.1.1-pre8/Confi
# --cross-compile-prefix Add specified prefix to binutils components.
#
# --api One of 0.9.8, 1.0.0 or 1.1.0. Do not compile support for
-@@ -291,6 +294,7 @@ $config{prefix}="";
+@@ -295,6 +298,7 @@ $config{prefix}="";
$config{openssldir}="";
$config{processor}="";
$config{libdir}="";
@@ -50,7 +50,7 @@ diff -up openssl-1.1.1-pre8/Configure.system-cipherlist openssl-1.1.1-pre8/Confi
my $auto_threads=1; # enable threads automatically? true by default
my $default_ranlib;
-@@ -814,6 +818,10 @@ while (@argvcopy)
+@@ -817,6 +821,10 @@ while (@argvcopy)
push @seed_sources, $x;
}
}
@@ -61,7 +61,7 @@ diff -up openssl-1.1.1-pre8/Configure.system-cipherlist openssl-1.1.1-pre8/Confi
elsif (/^--cross-compile-prefix=(.*)$/)
{
$user{CROSS_COMPILE}=$1;
-@@ -1000,6 +1008,8 @@ if ($target eq "HASH") {
+@@ -1003,6 +1011,8 @@ if ($target eq "HASH") {
exit 0;
}
@@ -70,10 +70,10 @@ diff -up openssl-1.1.1-pre8/Configure.system-cipherlist openssl-1.1.1-pre8/Confi
print "Configuring OpenSSL version $config{version} ($config{version_num}) ";
print "for $target\n";
-diff -up openssl-1.1.1-pre8/doc/man1/ciphers.pod.system-cipherlist openssl-1.1.1-pre8/doc/man1/ciphers.pod
---- openssl-1.1.1-pre8/doc/man1/ciphers.pod.system-cipherlist 2018-06-20 16:48:12.000000000 +0200
-+++ openssl-1.1.1-pre8/doc/man1/ciphers.pod 2018-07-25 10:13:06.346232856 +0200
-@@ -200,6 +200,15 @@ As of OpenSSL 1.0.0, the B<ALL> cipher s
+diff -up openssl-1.1.1-pre9/doc/man1/ciphers.pod.system-cipherlist openssl-1.1.1-pre9/doc/man1/ciphers.pod
+--- openssl-1.1.1-pre9/doc/man1/ciphers.pod.system-cipherlist 2018-08-21 14:14:13.000000000 +0200
++++ openssl-1.1.1-pre9/doc/man1/ciphers.pod 2018-08-22 12:15:54.555743536 +0200
+@@ -182,6 +182,15 @@ As of OpenSSL 1.0.0, the B<ALL> cipher s
The cipher suites not enabled by B<ALL>, currently B<eNULL>.
@@ -89,9 +89,9 @@ diff -up openssl-1.1.1-pre8/doc/man1/ciphers.pod.system-cipherlist openssl-1.1.1
=item B<HIGH>
"High" encryption cipher suites. This currently means those with key lengths
-diff -up openssl-1.1.1-pre8/include/openssl/ssl.h.system-cipherlist openssl-1.1.1-pre8/include/openssl/ssl.h
---- openssl-1.1.1-pre8/include/openssl/ssl.h.system-cipherlist 2018-06-20 16:48:13.000000000 +0200
-+++ openssl-1.1.1-pre8/include/openssl/ssl.h 2018-07-25 10:13:06.346232856 +0200
+diff -up openssl-1.1.1-pre9/include/openssl/ssl.h.system-cipherlist openssl-1.1.1-pre9/include/openssl/ssl.h
+--- openssl-1.1.1-pre9/include/openssl/ssl.h.system-cipherlist 2018-08-21 14:14:15.000000000 +0200
++++ openssl-1.1.1-pre9/include/openssl/ssl.h 2018-08-22 12:15:54.557743585 +0200
@@ -186,6 +186,11 @@ extern "C" {
* throwing out anonymous and unencrypted ciphersuites! (The latter are not
* actually enabled by ALL, but "ALL:RSA" would enable some of them.)
@@ -104,9 +104,9 @@ diff -up openssl-1.1.1-pre8/include/openssl/ssl.h.system-cipherlist openssl-1.1.
/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
# define SSL_SENT_SHUTDOWN 1
-diff -up openssl-1.1.1-pre8/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre8/ssl/ssl_ciph.c
---- openssl-1.1.1-pre8/ssl/ssl_ciph.c.system-cipherlist 2018-06-20 16:48:13.000000000 +0200
-+++ openssl-1.1.1-pre8/ssl/ssl_ciph.c 2018-07-25 10:36:36.475896866 +0200
+diff -up openssl-1.1.1-pre9/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre9/ssl/ssl_ciph.c
+--- openssl-1.1.1-pre9/ssl/ssl_ciph.c.system-cipherlist 2018-08-21 14:14:15.000000000 +0200
++++ openssl-1.1.1-pre9/ssl/ssl_ciph.c 2018-08-22 12:15:54.557743585 +0200
@@ -9,6 +9,8 @@
* https://www.openssl.org/source/license.html
*/
@@ -116,7 +116,7 @@ diff -up openssl-1.1.1-pre8/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre8/
#include <stdio.h>
#include <ctype.h>
#include <openssl/objects.h>
-@@ -1400,6 +1402,53 @@ int SSL_set_ciphersuites(SSL *s, const c
+@@ -1397,6 +1399,53 @@ int SSL_set_ciphersuites(SSL *s, const c
return ret;
}
@@ -170,7 +170,7 @@ diff -up openssl-1.1.1-pre8/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre8/
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
STACK_OF(SSL_CIPHER) **cipher_list,
-@@ -1413,15 +1462,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+@@ -1410,15 +1459,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
const char *rule_p;
CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
const SSL_CIPHER **ca_list = NULL;
@@ -198,7 +198,7 @@ diff -up openssl-1.1.1-pre8/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre8/
#endif
/*
-@@ -1444,7 +1503,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+@@ -1441,7 +1500,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers);
if (co_list == NULL) {
SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
@@ -207,7 +207,7 @@ diff -up openssl-1.1.1-pre8/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre8/
}
ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
-@@ -1510,8 +1569,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+@@ -1507,8 +1566,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
* in force within each class
*/
if (!ssl_cipher_strength_sort(&head, &tail)) {
@@ -217,7 +217,7 @@ diff -up openssl-1.1.1-pre8/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre8/
}
/*
-@@ -1556,9 +1614,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+@@ -1553,9 +1611,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
if (ca_list == NULL) {
@@ -228,7 +228,7 @@ diff -up openssl-1.1.1-pre8/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre8/
}
ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
disabled_mkey, disabled_auth, disabled_enc,
-@@ -1584,8 +1641,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+@@ -1581,8 +1638,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
OPENSSL_free(ca_list); /* Not needed anymore */
if (!ok) { /* Rule processing failure */
@@ -238,7 +238,7 @@ diff -up openssl-1.1.1-pre8/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre8/
}
/*
-@@ -1593,14 +1649,18 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+@@ -1590,14 +1646,18 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
* if we cannot get one.
*/
if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
@@ -259,7 +259,7 @@ diff -up openssl-1.1.1-pre8/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre8/
sk_SSL_CIPHER_free(cipherstack);
return NULL;
}
-@@ -1632,6 +1692,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+@@ -1629,6 +1689,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
*cipher_list = cipherstack;
return cipherstack;
@@ -274,9 +274,9 @@ diff -up openssl-1.1.1-pre8/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre8/
}
char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
-diff -up openssl-1.1.1-pre8/ssl/ssl_lib.c.system-cipherlist openssl-1.1.1-pre8/ssl/ssl_lib.c
---- openssl-1.1.1-pre8/ssl/ssl_lib.c.system-cipherlist 2018-07-25 10:13:06.347232880 +0200
-+++ openssl-1.1.1-pre8/ssl/ssl_lib.c 2018-07-25 10:37:38.715394989 +0200
+diff -up openssl-1.1.1-pre9/ssl/ssl_lib.c.system-cipherlist openssl-1.1.1-pre9/ssl/ssl_lib.c
+--- openssl-1.1.1-pre9/ssl/ssl_lib.c.system-cipherlist 2018-08-22 12:15:54.552743462 +0200
++++ openssl-1.1.1-pre9/ssl/ssl_lib.c 2018-08-22 12:15:54.558743609 +0200
@@ -658,7 +658,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx
ctx->tls13_ciphersuites,
&(ctx->cipher_list),
@@ -286,7 +286,7 @@ diff -up openssl-1.1.1-pre8/ssl/ssl_lib.c.system-cipherlist openssl-1.1.1-pre8/s
if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
return 0;
-@@ -2931,7 +2931,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
+@@ -2933,7 +2933,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
if (!ssl_create_cipher_list(ret->method,
ret->tls13_ciphersuites,
&ret->cipher_list, &ret->cipher_list_by_id,
@@ -295,9 +295,9 @@ diff -up openssl-1.1.1-pre8/ssl/ssl_lib.c.system-cipherlist openssl-1.1.1-pre8/s
|| sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
goto err2;
-diff -up openssl-1.1.1-pre8/test/cipherlist_test.c.system-cipherlist openssl-1.1.1-pre8/test/cipherlist_test.c
---- openssl-1.1.1-pre8/test/cipherlist_test.c.system-cipherlist 2018-07-25 10:13:06.348232903 +0200
-+++ openssl-1.1.1-pre8/test/cipherlist_test.c 2018-07-25 10:39:08.887552814 +0200
+diff -up openssl-1.1.1-pre9/test/cipherlist_test.c.system-cipherlist openssl-1.1.1-pre9/test/cipherlist_test.c
+--- openssl-1.1.1-pre9/test/cipherlist_test.c.system-cipherlist 2018-08-21 14:14:15.000000000 +0200
++++ openssl-1.1.1-pre9/test/cipherlist_test.c 2018-08-22 12:15:54.558743609 +0200
@@ -217,7 +217,9 @@ static int test_default_cipherlist_expli
int setup_tests(void)
diff --git a/openssl-1.1.1-version-override.patch b/openssl-1.1.1-version-override.patch
index dae63f9..20a6762 100644
--- a/openssl-1.1.1-version-override.patch
+++ b/openssl-1.1.1-version-override.patch
@@ -1,14 +1,14 @@
-diff -up openssl-1.1.1-pre8/include/openssl/opensslv.h.version-override openssl-1.1.1-pre8/include/openssl/opensslv.h
---- openssl-1.1.1-pre8/include/openssl/opensslv.h.version-override 2018-06-20 16:48:13.000000000 +0200
-+++ openssl-1.1.1-pre8/include/openssl/opensslv.h 2018-07-25 11:03:29.297543392 +0200
+diff -up openssl-1.1.1-pre9/include/openssl/opensslv.h.version-override openssl-1.1.1-pre9/include/openssl/opensslv.h
+--- openssl-1.1.1-pre9/include/openssl/opensslv.h.version-override 2018-08-22 12:25:31.959886929 +0200
++++ openssl-1.1.1-pre9/include/openssl/opensslv.h 2018-08-22 12:26:17.997014595 +0200
@@ -39,8 +39,8 @@ extern "C" {
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
--# define OPENSSL_VERSION_NUMBER 0x10101008L
--# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1-pre8 (beta) 20 Jun 2018"
+-# define OPENSSL_VERSION_NUMBER 0x10101009L
+-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1-pre9 (beta) 21 Aug 2018"
+# define OPENSSL_VERSION_NUMBER 0x1010100fL
-+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1-pre8 (beta) FIPS 20 Jun 2018"
++# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1-pre9 (beta) FIPS 21 Aug 2018"
/*-
* The macros below are to be used for shared library (.so, .dll, ...)
diff --git a/openssl.spec b/openssl.spec
index 7581cfa..5b2d171 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -19,12 +19,12 @@
%global _performance_build 1
-%global prerelease pre8
+%global prerelease pre9
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 1.1.1
-Release: 0.%{prerelease}.4%{?dist}
+Release: 0.%{prerelease}.1%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@@ -60,7 +60,7 @@ Patch43: openssl-1.1.1-ignore-bound.patch
Patch44: openssl-1.1.1-version-override.patch
Patch45: openssl-1.1.0-weak-ciphers.patch
# Backported fixes including security fixes
-Patch70: openssl-1.1.1-bidi-shutdown.patch
+Patch70: openssl-1.1.1-seclevel-check.patch
License: OpenSSL
Group: System Environment/Libraries
@@ -163,7 +163,7 @@ cp %{SOURCE13} test/
%patch44 -p1 -b .version-override
%patch45 -p1 -b .weak-ciphers
-%patch70 -p1 -b .bidi-shutdown
+%patch70 -p1 -b .seclevel-check
%build
# Figure out which flags we want to use.
@@ -444,6 +444,9 @@ export LD_LIBRARY_PATH
%postun libs -p /sbin/ldconfig
%changelog
+* Wed Aug 22 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-0.pre9.1
+- update to the latest 1.1.1 beta version
+
* Mon Aug 13 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-0.pre8.4
- bidirectional shutdown fixes from upstream
diff --git a/sources b/sources
index 1e0d81a..9c121ab 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (openssl-1.1.1-pre8-hobbled.tar.xz) = eca0c8843c69fc3dcd1a27d56107368548f5674a64decc62ff48196d30485f287550bb671ca8bc48aeef482a8419462638bf152850c741e4554219230f4c4582
+SHA512 (openssl-1.1.1-pre9-hobbled.tar.xz) = 0f723cdb1789a8ea893bb6f194321e586d70ce1d19b9832072ab90c02805f4ab11fd762b5d7b4433063432c91a1904f9fac202e64f22b89f3df6cd6e2ef25401
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-06-09 12:44 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2026-06-09 12:44 [rpms/openssl] rebase_40beta: update to the latest 1.1.1 beta version Tomas Mraz
2026-06-09 12:44 Tomas Mraz
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox