Blame SOURCES/openssl-1.1.1-fips.patch

782d48
diff -up openssl-1.1.1b/apps/pkcs12.c.fips openssl-1.1.1b/apps/pkcs12.c
782d48
--- openssl-1.1.1b/apps/pkcs12.c.fips	2019-02-26 15:15:30.000000000 +0100
782d48
+++ openssl-1.1.1b/apps/pkcs12.c	2019-05-24 12:08:40.524523735 +0200
782d48
@@ -126,7 +126,7 @@ int pkcs12_main(int argc, char **argv)
782d48
     int export_cert = 0, options = 0, chain = 0, twopass = 0, keytype = 0;
782d48
     int iter = PKCS12_DEFAULT_ITER, maciter = PKCS12_DEFAULT_ITER;
782d48
 # ifndef OPENSSL_NO_RC2
782d48
-    int cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
782d48
+    int cert_pbe = FIPS_mode() ? NID_pbe_WithSHA1And3_Key_TripleDES_CBC : NID_pbe_WithSHA1And40BitRC2_CBC;
782d48
 # else
782d48
     int cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
782d48
 # endif
782d48
diff -up openssl-1.1.1b/apps/speed.c.fips openssl-1.1.1b/apps/speed.c
782d48
--- openssl-1.1.1b/apps/speed.c.fips	2019-05-07 11:52:35.887597899 +0200
782d48
+++ openssl-1.1.1b/apps/speed.c	2019-05-07 16:51:36.946350159 +0200
782d48
@@ -1592,7 +1592,8 @@ int speed_main(int argc, char **argv)
e4b8d1
             continue;
e4b8d1
         if (strcmp(*argv, "rsa") == 0) {
e4b8d1
             for (loop = 0; loop < OSSL_NELEM(rsa_doit); loop++)
e4b8d1
-                rsa_doit[loop] = 1;
e4b8d1
+		if (!FIPS_mode() || loop != R_RSA_512)
e4b8d1
+                    rsa_doit[loop] = 1;
e4b8d1
             continue;
e4b8d1
         }
e4b8d1
         if (found(*argv, rsa_choices, &i)) {
782d48
@@ -1602,7 +1603,9 @@ int speed_main(int argc, char **argv)
e4b8d1
 #endif
e4b8d1
 #ifndef OPENSSL_NO_DSA
e4b8d1
         if (strcmp(*argv, "dsa") == 0) {
e4b8d1
-            dsa_doit[R_DSA_512] = dsa_doit[R_DSA_1024] =
e4b8d1
+            if (!FIPS_mode())
e4b8d1
+                dsa_doit[R_DSA_512] = 1;
e4b8d1
+            dsa_doit[R_DSA_1024] =
e4b8d1
                 dsa_doit[R_DSA_2048] = 1;
e4b8d1
             continue;
e4b8d1
         }
782d48
@@ -1633,19 +1636,21 @@ int speed_main(int argc, char **argv)
782d48
         }
782d48
         if (strcmp(*argv, "ecdh") == 0) {
782d48
             for (loop = 0; loop < OSSL_NELEM(ecdh_doit); loop++)
782d48
-                ecdh_doit[loop] = 1;
782d48
+                if(!FIPS_mode() || (loop != R_EC_X25519 && loop != R_EC_X448))
782d48
+                    ecdh_doit[loop] = 1;
782d48
             continue;
782d48
         }
782d48
         if (found(*argv, ecdh_choices, &i)) {
782d48
-            ecdh_doit[i] = 2;
782d48
+            if(!FIPS_mode() || (i != R_EC_X25519 && i != R_EC_X448))
782d48
+                ecdh_doit[i] = 2;
782d48
             continue;
782d48
         }
782d48
-        if (strcmp(*argv, "eddsa") == 0) {
782d48
+        if (!FIPS_mode() && strcmp(*argv, "eddsa") == 0) {
782d48
             for (loop = 0; loop < OSSL_NELEM(eddsa_doit); loop++)
782d48
                 eddsa_doit[loop] = 1;
782d48
             continue;
782d48
         }
782d48
-        if (found(*argv, eddsa_choices, &i)) {
782d48
+        if (!FIPS_mode() && found(*argv, eddsa_choices, &i)) {
782d48
             eddsa_doit[i] = 2;
782d48
             continue;
782d48
         }
782d48
@@ -1734,23 +1739,30 @@ int speed_main(int argc, char **argv)
e4b8d1
     /* No parameters; turn on everything. */
e4b8d1
     if ((argc == 0) && !doit[D_EVP]) {
e4b8d1
         for (i = 0; i < ALGOR_NUM; i++)
e4b8d1
-            if (i != D_EVP)
e4b8d1
+            if (i != D_EVP &&
e4b8d1
+                (!FIPS_mode() || (i != D_WHIRLPOOL &&
e4b8d1
+                                  i != D_MD2 && i != D_MD4 &&
e4b8d1
+                                  i != D_MD5 && i != D_MDC2 &&
e4b8d1
+                                  i != D_RMD160)))
e4b8d1
                 doit[i] = 1;
e4b8d1
 #ifndef OPENSSL_NO_RSA
e4b8d1
         for (i = 0; i < RSA_NUM; i++)
e4b8d1
-            rsa_doit[i] = 1;
e4b8d1
+            if (!FIPS_mode() || i != R_RSA_512)
e4b8d1
+                rsa_doit[i] = 1;
e4b8d1
 #endif
e4b8d1
 #ifndef OPENSSL_NO_DSA
e4b8d1
         for (i = 0; i < DSA_NUM; i++)
e4b8d1
-            dsa_doit[i] = 1;
e4b8d1
+            if (!FIPS_mode() || i != R_DSA_512)
e4b8d1
+                dsa_doit[i] = 1;
e4b8d1
 #endif
e4b8d1
 #ifndef OPENSSL_NO_EC
e4b8d1
         for (loop = 0; loop < OSSL_NELEM(ecdsa_doit); loop++)
782d48
             ecdsa_doit[loop] = 1;
782d48
         for (loop = 0; loop < OSSL_NELEM(ecdh_doit); loop++)
782d48
             ecdh_doit[loop] = 1;
782d48
-        for (loop = 0; loop < OSSL_NELEM(eddsa_doit); loop++)
782d48
-            eddsa_doit[loop] = 1;
782d48
+        if (!FIPS_mode())
782d48
+            for (loop = 0; loop < OSSL_NELEM(eddsa_doit); loop++)
782d48
+                eddsa_doit[loop] = 1;
782d48
 #endif
782d48
     }
782d48
     for (i = 0; i < ALGOR_NUM; i++)
782d48
@@ -1798,30 +1810,46 @@ int speed_main(int argc, char **argv)
e4b8d1
     AES_set_encrypt_key(key24, 192, &aes_ks2);
e4b8d1
     AES_set_encrypt_key(key32, 256, &aes_ks3);
e4b8d1
 #ifndef OPENSSL_NO_CAMELLIA
e4b8d1
-    Camellia_set_key(key16, 128, &camellia_ks1);
e4b8d1
-    Camellia_set_key(ckey24, 192, &camellia_ks2);
e4b8d1
-    Camellia_set_key(ckey32, 256, &camellia_ks3);
e4b8d1
+    if (doit[D_CBC_128_CML] || doit[D_CBC_192_CML] || doit[D_CBC_256_CML]) {
e4b8d1
+        Camellia_set_key(key16, 128, &camellia_ks1);
e4b8d1
+        Camellia_set_key(ckey24, 192, &camellia_ks2);
e4b8d1
+        Camellia_set_key(ckey32, 256, &camellia_ks3);
e4b8d1
+    }
e4b8d1
 #endif
e4b8d1
 #ifndef OPENSSL_NO_IDEA
e4b8d1
-    IDEA_set_encrypt_key(key16, &idea_ks);
e4b8d1
+    if (doit[D_CBC_IDEA]) {
e4b8d1
+        IDEA_set_encrypt_key(key16, &idea_ks);
e4b8d1
+    }
e4b8d1
 #endif
e4b8d1
 #ifndef OPENSSL_NO_SEED
e4b8d1
-    SEED_set_key(key16, &seed_ks);
e4b8d1
+    if (doit[D_CBC_SEED]) {
e4b8d1
+        SEED_set_key(key16, &seed_ks);
e4b8d1
+    }
e4b8d1
 #endif
e4b8d1
 #ifndef OPENSSL_NO_RC4
e4b8d1
-    RC4_set_key(&rc4_ks, 16, key16);
e4b8d1
+   if (doit[D_RC4]) {
e4b8d1
+        RC4_set_key(&rc4_ks, 16, key16);
e4b8d1
+    }
e4b8d1
 #endif
e4b8d1
 #ifndef OPENSSL_NO_RC2
e4b8d1
-    RC2_set_key(&rc2_ks, 16, key16, 128);
e4b8d1
+    if (doit[D_CBC_RC2]) {
e4b8d1
+        RC2_set_key(&rc2_ks, 16, key16, 128);
e4b8d1
+    }
e4b8d1
 #endif
e4b8d1
 #ifndef OPENSSL_NO_RC5
e4b8d1
-    RC5_32_set_key(&rc5_ks, 16, key16, 12);
e4b8d1
+    if (doit[D_CBC_RC5]) {
e4b8d1
+        RC5_32_set_key(&rc5_ks, 16, key16, 12);
e4b8d1
+    }
e4b8d1
 #endif
e4b8d1
 #ifndef OPENSSL_NO_BF
e4b8d1
-    BF_set_key(&bf_ks, 16, key16);
e4b8d1
+    if (doit[D_CBC_BF]) {
e4b8d1
+        BF_set_key(&bf_ks, 16, key16);
e4b8d1
+    }
e4b8d1
 #endif
e4b8d1
 #ifndef OPENSSL_NO_CAST
e4b8d1
-    CAST_set_key(&cast_ks, 16, key16);
e4b8d1
+    if (doit[D_CBC_CAST]) {
e4b8d1
+        CAST_set_key(&cast_ks, 16, key16);
e4b8d1
+    }
e4b8d1
 #endif
e4b8d1
 #ifndef SIGALRM
e4b8d1
 # ifndef OPENSSL_NO_DES
782d48
@@ -2118,6 +2146,7 @@ int speed_main(int argc, char **argv)
e4b8d1
 
e4b8d1
         for (i = 0; i < loopargs_len; i++) {
e4b8d1
             loopargs[i].hctx = HMAC_CTX_new();
e4b8d1
+            HMAC_CTX_set_flags(loopargs[i].hctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
e4b8d1
             if (loopargs[i].hctx == NULL) {
e4b8d1
                 BIO_printf(bio_err, "HMAC malloc failure, exiting...");
e4b8d1
                 exit(1);
782d48
diff -up openssl-1.1.1b/Configure.fips openssl-1.1.1b/Configure
782d48
--- openssl-1.1.1b/Configure.fips	2019-02-28 11:30:06.775746246 +0100
782d48
+++ openssl-1.1.1b/Configure	2019-02-28 11:30:06.779746172 +0100
782d48
@@ -313,7 +313,7 @@ $config{sdirs} = [
e4b8d1
     "md2", "md4", "md5", "sha", "mdc2", "hmac", "ripemd", "whrlpool", "poly1305", "blake2", "siphash", "sm3",
e4b8d1
     "des", "aes", "rc2", "rc4", "rc5", "idea", "aria", "bf", "cast", "camellia", "seed", "sm4", "chacha", "modes",
e4b8d1
     "bn", "ec", "rsa", "dsa", "dh", "sm2", "dso", "engine",
e4b8d1
-    "buffer", "bio", "stack", "lhash", "rand", "err",
e4b8d1
+    "buffer", "bio", "stack", "lhash", "rand", "err", "fips",
e4b8d1
     "evp", "asn1", "pem", "x509", "x509v3", "conf", "txt_db", "pkcs7", "pkcs12", "comp", "ocsp", "ui",
e4b8d1
     "cms", "ts", "srp", "cmac", "ct", "async", "kdf", "store"
e4b8d1
     ];
782d48
diff -up openssl-1.1.1b/crypto/cmac/cm_pmeth.c.fips openssl-1.1.1b/crypto/cmac/cm_pmeth.c
782d48
--- openssl-1.1.1b/crypto/cmac/cm_pmeth.c.fips	2019-02-26 15:15:30.000000000 +0100
782d48
+++ openssl-1.1.1b/crypto/cmac/cm_pmeth.c	2019-05-06 14:55:32.866749109 +0200
782d48
@@ -129,7 +129,7 @@ static int pkey_cmac_ctrl_str(EVP_PKEY_C
782d48
 
782d48
 const EVP_PKEY_METHOD cmac_pkey_meth = {
782d48
     EVP_PKEY_CMAC,
782d48
-    EVP_PKEY_FLAG_SIGCTX_CUSTOM,
782d48
+    EVP_PKEY_FLAG_SIGCTX_CUSTOM | EVP_PKEY_FLAG_FIPS,
782d48
     pkey_cmac_init,
782d48
     pkey_cmac_copy,
782d48
     pkey_cmac_cleanup,
782d48
diff -up openssl-1.1.1b/crypto/dh/dh_err.c.fips openssl-1.1.1b/crypto/dh/dh_err.c
782d48
--- openssl-1.1.1b/crypto/dh/dh_err.c.fips	2019-02-26 15:15:30.000000000 +0100
782d48
+++ openssl-1.1.1b/crypto/dh/dh_err.c	2019-02-28 11:30:06.779746172 +0100
e4b8d1
@@ -25,6 +25,9 @@ static const ERR_STRING_DATA DH_str_func
e4b8d1
     {ERR_PACK(ERR_LIB_DH, DH_F_DH_CMS_SET_PEERKEY, 0), "dh_cms_set_peerkey"},
e4b8d1
     {ERR_PACK(ERR_LIB_DH, DH_F_DH_CMS_SET_SHARED_INFO, 0),
e4b8d1
      "dh_cms_set_shared_info"},
e4b8d1
+    {ERR_PACK(ERR_LIB_DH, DH_F_DH_COMPUTE_KEY, 0), "DH_compute_key"},
e4b8d1
+    {ERR_PACK(ERR_LIB_DH, DH_F_DH_GENERATE_KEY, 0), "DH_generate_key"},
e4b8d1
+    {ERR_PACK(ERR_LIB_DH, DH_F_DH_GENERATE_PARAMETERS_EX, 0), "DH_generate_parameters_ex"},
e4b8d1
     {ERR_PACK(ERR_LIB_DH, DH_F_DH_METH_DUP, 0), "DH_meth_dup"},
e4b8d1
     {ERR_PACK(ERR_LIB_DH, DH_F_DH_METH_NEW, 0), "DH_meth_new"},
e4b8d1
     {ERR_PACK(ERR_LIB_DH, DH_F_DH_METH_SET1_NAME, 0), "DH_meth_set1_name"},
e4b8d1
@@ -72,12 +75,14 @@ static const ERR_STRING_DATA DH_str_reas
e4b8d1
     {ERR_PACK(ERR_LIB_DH, 0, DH_R_INVALID_PUBKEY), "invalid public key"},
e4b8d1
     {ERR_PACK(ERR_LIB_DH, 0, DH_R_KDF_PARAMETER_ERROR), "kdf parameter error"},
e4b8d1
     {ERR_PACK(ERR_LIB_DH, 0, DH_R_KEYS_NOT_SET), "keys not set"},
e4b8d1
+    {ERR_PACK(ERR_LIB_DH, 0, DH_R_KEY_SIZE_TOO_SMALL), "key size too small"},
e4b8d1
     {ERR_PACK(ERR_LIB_DH, 0, DH_R_MISSING_PUBKEY), "missing pubkey"},
e4b8d1
     {ERR_PACK(ERR_LIB_DH, 0, DH_R_MODULUS_TOO_LARGE), "modulus too large"},
e4b8d1
     {ERR_PACK(ERR_LIB_DH, 0, DH_R_NOT_SUITABLE_GENERATOR),
e4b8d1
     "not suitable generator"},
e4b8d1
     {ERR_PACK(ERR_LIB_DH, 0, DH_R_NO_PARAMETERS_SET), "no parameters set"},
e4b8d1
     {ERR_PACK(ERR_LIB_DH, 0, DH_R_NO_PRIVATE_VALUE), "no private value"},
e4b8d1
+    {ERR_PACK(ERR_LIB_DH, 0, DH_R_NON_FIPS_METHOD), "non FIPS method"},
e4b8d1
     {ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR),
e4b8d1
     "parameter encoding error"},
e4b8d1
     {ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"},
782d48
diff -up openssl-1.1.1b/crypto/dh/dh_gen.c.fips openssl-1.1.1b/crypto/dh/dh_gen.c
782d48
--- openssl-1.1.1b/crypto/dh/dh_gen.c.fips	2019-02-26 15:15:30.000000000 +0100
782d48
+++ openssl-1.1.1b/crypto/dh/dh_gen.c	2019-02-28 11:30:06.780746153 +0100
e4b8d1
@@ -16,6 +16,9 @@
e4b8d1
 #include "internal/cryptlib.h"
e4b8d1
 #include <openssl/bn.h>
e4b8d1
 #include "dh_locl.h"
e4b8d1
+#ifdef OPENSSL_FIPS
e4b8d1
+# include <openssl/fips.h>
e4b8d1
+#endif
e4b8d1
 
e4b8d1
 static int dh_builtin_genparams(DH *ret, int prime_len, int generator,
e4b8d1
                                 BN_GENCB *cb);
e4b8d1
@@ -23,6 +26,13 @@ static int dh_builtin_genparams(DH *ret,
e4b8d1
 int DH_generate_parameters_ex(DH *ret, int prime_len, int generator,
e4b8d1
                               BN_GENCB *cb)
e4b8d1
 {
e4b8d1
+#ifdef OPENSSL_FIPS
e4b8d1
+    if (FIPS_mode() && !(ret->meth->flags & DH_FLAG_FIPS_METHOD)
e4b8d1
+        && !(ret->flags & DH_FLAG_NON_FIPS_ALLOW)) {
e4b8d1
+        DHerr(DH_F_DH_GENERATE_PARAMETERS_EX, DH_R_NON_FIPS_METHOD);
e4b8d1
+        return 0;
e4b8d1
+    }
e4b8d1
+#endif
e4b8d1
     if (ret->meth->generate_params)
e4b8d1
         return ret->meth->generate_params(ret, prime_len, generator, cb);
e4b8d1
     return dh_builtin_genparams(ret, prime_len, generator, cb);
e4b8d1
@@ -62,6 +72,18 @@ static int dh_builtin_genparams(DH *ret,
e4b8d1
     int g, ok = -1;
e4b8d1
     BN_CTX *ctx = NULL;
e4b8d1
 
e4b8d1
+#ifdef OPENSSL_FIPS
e4b8d1
+    if (FIPS_selftest_failed()) {
e4b8d1
+        FIPSerr(FIPS_F_DH_BUILTIN_GENPARAMS, FIPS_R_FIPS_SELFTEST_FAILED);
e4b8d1
+        return 0;
e4b8d1
+    }
e4b8d1
+
e4b8d1
+    if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN)) {
e4b8d1
+        DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL);
e4b8d1
+        goto err;
e4b8d1
+    }
e4b8d1
+#endif
e4b8d1
+
e4b8d1
     ctx = BN_CTX_new();
e4b8d1
     if (ctx == NULL)
e4b8d1
         goto err;
782d48
diff -up openssl-1.1.1b/crypto/dh/dh_key.c.fips openssl-1.1.1b/crypto/dh/dh_key.c
782d48
--- openssl-1.1.1b/crypto/dh/dh_key.c.fips	2019-02-26 15:15:30.000000000 +0100
782d48
+++ openssl-1.1.1b/crypto/dh/dh_key.c	2019-02-28 11:30:06.780746153 +0100
e4b8d1
@@ -11,6 +11,9 @@
e4b8d1
 #include "internal/cryptlib.h"
e4b8d1
 #include "dh_locl.h"
e4b8d1
 #include "internal/bn_int.h"
e4b8d1
+#ifdef OPENSSL_FIPS
e4b8d1
+# include <openssl/fips.h>
e4b8d1
+#endif
e4b8d1
 
e4b8d1
 static int generate_key(DH *dh);
e4b8d1
 static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh);
e4b8d1
@@ -22,18 +25,32 @@ static int dh_finish(DH *dh);
e4b8d1
 
e4b8d1
 int DH_generate_key(DH *dh)
e4b8d1
 {
e4b8d1
+#ifdef OPENSSL_FIPS
e4b8d1
+    if (FIPS_mode() && !(dh->meth->flags & DH_FLAG_FIPS_METHOD)
e4b8d1
+        && !(dh->flags & DH_FLAG_NON_FIPS_ALLOW)) {
e4b8d1
+        DHerr(DH_F_DH_GENERATE_KEY, DH_R_NON_FIPS_METHOD);
e4b8d1
+        return 0;
e4b8d1
+    }
e4b8d1
+#endif
e4b8d1
     return dh->meth->generate_key(dh);
e4b8d1
 }
e4b8d1
 
e4b8d1
 int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
e4b8d1
 {
e4b8d1
+#ifdef OPENSSL_FIPS
e4b8d1
+    if (FIPS_mode() && !(dh->meth->flags & DH_FLAG_FIPS_METHOD)
e4b8d1
+        && !(dh->flags & DH_FLAG_NON_FIPS_ALLOW)) {
e4b8d1
+        DHerr(DH_F_DH_COMPUTE_KEY, DH_R_NON_FIPS_METHOD);
e4b8d1
+        return 0;
e4b8d1
+    }
e4b8d1
+#endif
e4b8d1
     return dh->meth->compute_key(key, pub_key, dh);
e4b8d1
 }
e4b8d1
 
e4b8d1
 int DH_compute_key_padded(unsigned char *key, const BIGNUM *pub_key, DH *dh)
e4b8d1
 {
e4b8d1
     int rv, pad;
e4b8d1
-    rv = dh->meth->compute_key(key, pub_key, dh);
e4b8d1
+    rv = DH_compute_key(key, pub_key, dh);
e4b8d1
     if (rv <= 0)
e4b8d1
         return rv;
e4b8d1
     pad = BN_num_bytes(dh->p) - rv;
e4b8d1
@@ -82,6 +99,14 @@ static int generate_key(DH *dh)
e4b8d1
     BN_MONT_CTX *mont = NULL;
e4b8d1
     BIGNUM *pub_key = NULL, *priv_key = NULL;
e4b8d1
 
e4b8d1
+#ifdef OPENSSL_FIPS
e4b8d1
+    if (FIPS_mode()
e4b8d1
+        && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) {
e4b8d1
+        DHerr(DH_F_GENERATE_KEY, DH_R_KEY_SIZE_TOO_SMALL);
e4b8d1
+        return 0;
e4b8d1
+    }
e4b8d1
+#endif
e4b8d1
+
e4b8d1
     if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
e4b8d1
         DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE);
e4b8d1
         return 0;
e4b8d1
@@ -170,6 +195,13 @@ static int compute_key(unsigned char *ke
e4b8d1
         DHerr(DH_F_COMPUTE_KEY, DH_R_MODULUS_TOO_LARGE);
e4b8d1
         goto err;
e4b8d1
     }
e4b8d1
+#ifdef OPENSSL_FIPS
e4b8d1
+    if (FIPS_mode()
e4b8d1
+        && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) {
e4b8d1
+        DHerr(DH_F_COMPUTE_KEY, DH_R_KEY_SIZE_TOO_SMALL);
e4b8d1
+        goto err;
e4b8d1
+    }
e4b8d1
+#endif
e4b8d1
 
e4b8d1
     ctx = BN_CTX_new();
e4b8d1
     if (ctx == NULL)
e4b8d1
@@ -221,6 +253,9 @@ static int dh_bn_mod_exp(const DH *dh, B
e4b8d1
 
e4b8d1
 static int dh_init(DH *dh)
e4b8d1
 {
e4b8d1
+#ifdef OPENSSL_FIPS
e4b8d1
+    FIPS_selftest_check();
e4b8d1
+#endif
e4b8d1
     dh->flags |= DH_FLAG_CACHE_MONT_P;
e4b8d1
     return 1;
e4b8d1
 }
782d48
diff -up openssl-1.1.1b/crypto/dh/dh_pmeth.c.fips openssl-1.1.1b/crypto/dh/dh_pmeth.c
782d48
--- openssl-1.1.1b/crypto/dh/dh_pmeth.c.fips	2019-02-26 15:15:30.000000000 +0100
782d48
+++ openssl-1.1.1b/crypto/dh/dh_pmeth.c	2019-05-06 14:57:29.184723430 +0200
782d48
@@ -480,7 +480,7 @@ static int pkey_dh_derive(EVP_PKEY_CTX *
782d48
 
782d48
 const EVP_PKEY_METHOD dh_pkey_meth = {
782d48
     EVP_PKEY_DH,
782d48
-    0,
782d48
+    EVP_PKEY_FLAG_FIPS,
782d48
     pkey_dh_init,
782d48
     pkey_dh_copy,
782d48
     pkey_dh_cleanup,
782d48
@@ -514,7 +514,7 @@ const EVP_PKEY_METHOD dh_pkey_meth = {
782d48
 
782d48
 const EVP_PKEY_METHOD dhx_pkey_meth = {
782d48
     EVP_PKEY_DHX,
782d48
-    0,
782d48
+    EVP_PKEY_FLAG_FIPS,
782d48
     pkey_dh_init,
782d48
     pkey_dh_copy,
782d48
     pkey_dh_cleanup,
782d48
diff -up openssl-1.1.1b/crypto/dsa/dsa_err.c.fips openssl-1.1.1b/crypto/dsa/dsa_err.c
782d48
--- openssl-1.1.1b/crypto/dsa/dsa_err.c.fips	2019-02-26 15:15:30.000000000 +0100
782d48
+++ openssl-1.1.1b/crypto/dsa/dsa_err.c	2019-02-28 11:30:06.798745819 +0100
e4b8d1
@@ -16,12 +16,15 @@
e4b8d1
 static const ERR_STRING_DATA DSA_str_functs[] = {
e4b8d1
     {ERR_PACK(ERR_LIB_DSA, DSA_F_DSAPARAMS_PRINT, 0), "DSAparams_print"},
e4b8d1
     {ERR_PACK(ERR_LIB_DSA, DSA_F_DSAPARAMS_PRINT_FP, 0), "DSAparams_print_fp"},
e4b8d1
+    {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_BUILTIN_KEYGEN, 0), "dsa_builtin_keygen"},
e4b8d1
     {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_BUILTIN_PARAMGEN, 0),
e4b8d1
      "dsa_builtin_paramgen"},
e4b8d1
     {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_BUILTIN_PARAMGEN2, 0),
e4b8d1
      "dsa_builtin_paramgen2"},
e4b8d1
     {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_DO_SIGN, 0), "DSA_do_sign"},
e4b8d1
     {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_DO_VERIFY, 0), "DSA_do_verify"},
e4b8d1
+    {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_GENERATE_KEY, 0), "DSA_generate_key"},
e4b8d1
+    {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_GENERATE_PARAMETERS_EX, 0), "DSA_generate_parameters_ex"},
e4b8d1
     {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_METH_DUP, 0), "DSA_meth_dup"},
e4b8d1
     {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_METH_NEW, 0), "DSA_meth_new"},
e4b8d1
     {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_METH_SET1_NAME, 0), "DSA_meth_set1_name"},
e4b8d1
@@ -51,9 +54,12 @@ static const ERR_STRING_DATA DSA_str_rea
e4b8d1
     {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_INVALID_DIGEST_TYPE),
e4b8d1
     "invalid digest type"},
e4b8d1
     {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_INVALID_PARAMETERS), "invalid parameters"},
e4b8d1
+    {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_KEY_SIZE_INVALID), "key size invalid"},
e4b8d1
+    {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_KEY_SIZE_TOO_SMALL), "key size too small"},
e4b8d1
     {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MISSING_PARAMETERS), "missing parameters"},
e4b8d1
     {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MODULUS_TOO_LARGE), "modulus too large"},
e4b8d1
     {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_NO_PARAMETERS_SET), "no parameters set"},
e4b8d1
+    {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_NON_FIPS_DSA_METHOD), "non FIPS DSA method"},
e4b8d1
     {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_PARAMETER_ENCODING_ERROR),
e4b8d1
     "parameter encoding error"},
e4b8d1
     {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_Q_NOT_PRIME), "q not prime"},
782d48
diff -up openssl-1.1.1b/crypto/dsa/dsa_gen.c.fips openssl-1.1.1b/crypto/dsa/dsa_gen.c
782d48
--- openssl-1.1.1b/crypto/dsa/dsa_gen.c.fips	2019-02-26 15:15:30.000000000 +0100
782d48
+++ openssl-1.1.1b/crypto/dsa/dsa_gen.c	2019-02-28 11:30:06.799745800 +0100
e4b8d1
@@ -22,12 +22,22 @@
e4b8d1
 #include <openssl/rand.h>
e4b8d1
 #include <openssl/sha.h>
e4b8d1
 #include "dsa_locl.h"
e4b8d1
+#ifdef OPENSSL_FIPS
e4b8d1
+# include <openssl/fips.h>
e4b8d1
+#endif
e4b8d1
 
e4b8d1
 int DSA_generate_parameters_ex(DSA *ret, int bits,
e4b8d1
                                const unsigned char *seed_in, int seed_len,
e4b8d1
                                int *counter_ret, unsigned long *h_ret,
e4b8d1
                                BN_GENCB *cb)
e4b8d1
 {
e4b8d1
+# ifdef OPENSSL_FIPS
e4b8d1
+    if (FIPS_mode() && !(ret->meth->flags & DSA_FLAG_FIPS_METHOD)
e4b8d1
+        && !(ret->flags & DSA_FLAG_NON_FIPS_ALLOW)) {
e4b8d1
+        DSAerr(DSA_F_DSA_GENERATE_PARAMETERS_EX, DSA_R_NON_FIPS_DSA_METHOD);
e4b8d1
+        return 0;
e4b8d1
+    }
e4b8d1
+# endif
e4b8d1
     if (ret->meth->dsa_paramgen)
e4b8d1
         return ret->meth->dsa_paramgen(ret, bits, seed_in, seed_len,
e4b8d1
                                        counter_ret, h_ret, cb);
e4b8d1
@@ -35,9 +45,15 @@ int DSA_generate_parameters_ex(DSA *ret,
e4b8d1
         const EVP_MD *evpmd = bits >= 2048 ? EVP_sha256() : EVP_sha1();
e4b8d1
         size_t qbits = EVP_MD_size(evpmd) * 8;
e4b8d1
 
e4b8d1
+# ifdef OPENSSL_FIPS
e4b8d1
+        return dsa_builtin_paramgen2(ret, bits, qbits, evpmd,
e4b8d1
+                          seed_in, seed_len, -1, NULL, counter_ret,
e4b8d1
+                          h_ret, cb);
e4b8d1
+# else
e4b8d1
         return dsa_builtin_paramgen(ret, bits, qbits, evpmd,
e4b8d1
                                     seed_in, seed_len, NULL, counter_ret,
e4b8d1
                                     h_ret, cb);
e4b8d1
+# endif
e4b8d1
     }
e4b8d1
 }
e4b8d1
 
e4b8d1
@@ -310,7 +326,7 @@ int dsa_builtin_paramgen2(DSA *ret, size
e4b8d1
                           int *counter_ret, unsigned long *h_ret,
e4b8d1
                           BN_GENCB *cb)
e4b8d1
 {
e4b8d1
-    int ok = -1;
e4b8d1
+    int ok = 0;
e4b8d1
     unsigned char *seed = NULL, *seed_tmp = NULL;
e4b8d1
     unsigned char md[EVP_MAX_MD_SIZE];
e4b8d1
     int mdsize;
782d48
@@ -333,6 +349,20 @@ int dsa_builtin_paramgen2(DSA *ret, size
e4b8d1
         goto err;
782d48
     }
e4b8d1
 
e4b8d1
+# ifdef OPENSSL_FIPS
e4b8d1
+    if (FIPS_selftest_failed()) {
e4b8d1
+        FIPSerr(FIPS_F_DSA_BUILTIN_PARAMGEN2, FIPS_R_FIPS_SELFTEST_FAILED);
e4b8d1
+        goto err;
e4b8d1
+    }
e4b8d1
+
e4b8d1
+    if (FIPS_mode() && (L != 1024 || N != 160) &&
e4b8d1
+        (L != 2048 || N != 224) && (L != 2048 || N != 256) &&
e4b8d1
+        (L != 3072 || N != 256)) {
e4b8d1
+        DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_KEY_SIZE_INVALID);
e4b8d1
+        goto err;
e4b8d1
+    }
e4b8d1
+# endif
e4b8d1
+
e4b8d1
     if (evpmd == NULL) {
e4b8d1
         if (N == 160)
e4b8d1
             evpmd = EVP_sha1();
782d48
@@ -433,9 +463,10 @@ int dsa_builtin_paramgen2(DSA *ret, size
e4b8d1
                 goto err;
e4b8d1
             /* Provided seed didn't produce a prime: error */
e4b8d1
             if (seed_in) {
e4b8d1
-                ok = 0;
e4b8d1
-                DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_Q_NOT_PRIME);
e4b8d1
-                goto err;
e4b8d1
+                /* Different seed_out will indicate that seed_in
e4b8d1
+                 * did not generate primes.
e4b8d1
+                 */
e4b8d1
+                seed_in = NULL;
e4b8d1
             }
e4b8d1
 
e4b8d1
             /* do a callback call */
782d48
@@ -521,11 +552,14 @@ int dsa_builtin_paramgen2(DSA *ret, size
e4b8d1
             if (counter >= (int)(4 * L))
e4b8d1
                 break;
e4b8d1
         }
e4b8d1
+#if 0
e4b8d1
+        /* Cannot happen */
e4b8d1
         if (seed_in) {
e4b8d1
             ok = 0;
e4b8d1
             DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_INVALID_PARAMETERS);
e4b8d1
             goto err;
e4b8d1
         }
e4b8d1
+#endif
e4b8d1
     }
e4b8d1
  end:
e4b8d1
     if (!BN_GENCB_call(cb, 2, 1))
782d48
@@ -596,7 +630,7 @@ int dsa_builtin_paramgen2(DSA *ret, size
e4b8d1
         BN_free(ret->g);
e4b8d1
         ret->g = BN_dup(g);
e4b8d1
         if (ret->p == NULL || ret->q == NULL || ret->g == NULL) {
e4b8d1
-            ok = -1;
e4b8d1
+            ok = 0;
e4b8d1
             goto err;
e4b8d1
         }
e4b8d1
         if (counter_ret != NULL)
782d48
@@ -614,3 +648,53 @@ int dsa_builtin_paramgen2(DSA *ret, size
e4b8d1
     EVP_MD_CTX_free(mctx);
e4b8d1
     return ok;
e4b8d1
 }
e4b8d1
+
e4b8d1
+#ifdef OPENSSL_FIPS
e4b8d1
+
e4b8d1
+int FIPS_dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N,
e4b8d1
+                               const EVP_MD *evpmd, const unsigned char *seed_in,
e4b8d1
+                               size_t seed_len, int idx, unsigned char *seed_out,
e4b8d1
+                               int *counter_ret, unsigned long *h_ret,
e4b8d1
+                               BN_GENCB *cb)
e4b8d1
+{
e4b8d1
+    return dsa_builtin_paramgen2(ret, L, N, evpmd, seed_in, seed_len,
e4b8d1
+        idx, seed_out, counter_ret, h_ret, cb);
e4b8d1
+}
e4b8d1
+
e4b8d1
+int FIPS_dsa_paramgen_check_g(DSA *dsa)
e4b8d1
+{
e4b8d1
+    BN_CTX *ctx;
e4b8d1
+    BIGNUM *tmp;
e4b8d1
+    BN_MONT_CTX *mont = NULL;
e4b8d1
+    int rv = -1;
e4b8d1
+
e4b8d1
+    ctx = BN_CTX_new();
e4b8d1
+    if (ctx == NULL)
e4b8d1
+        return -1;
e4b8d1
+    if (BN_cmp(dsa->g, BN_value_one()) <= 0)
e4b8d1
+        return 0;
e4b8d1
+    if (BN_cmp(dsa->g, dsa->p) >= 0)
e4b8d1
+        return 0;
e4b8d1
+    BN_CTX_start(ctx);
e4b8d1
+    tmp = BN_CTX_get(ctx);
e4b8d1
+    if (tmp == NULL)
e4b8d1
+        goto err;
e4b8d1
+    if ((mont=BN_MONT_CTX_new()) == NULL)
e4b8d1
+        goto err;
e4b8d1
+    if (!BN_MONT_CTX_set(mont,dsa->p,ctx))
e4b8d1
+        goto err;
e4b8d1
+    /* Work out g^q mod p */
e4b8d1
+    if (!BN_mod_exp_mont(tmp,dsa->g,dsa->q, dsa->p, ctx, mont))
e4b8d1
+        goto err;
e4b8d1
+    if (!BN_cmp(tmp, BN_value_one()))
e4b8d1
+        rv = 1;
e4b8d1
+    else
e4b8d1
+        rv = 0;
e4b8d1
+ err:
e4b8d1
+    BN_CTX_end(ctx);
e4b8d1
+    BN_MONT_CTX_free(mont);
e4b8d1
+    BN_CTX_free(ctx);
e4b8d1
+    return rv;
e4b8d1
+}
e4b8d1
+
e4b8d1
+#endif
782d48
diff -up openssl-1.1.1b/crypto/dsa/dsa_key.c.fips openssl-1.1.1b/crypto/dsa/dsa_key.c
782d48
--- openssl-1.1.1b/crypto/dsa/dsa_key.c.fips	2019-02-26 15:15:30.000000000 +0100
782d48
+++ openssl-1.1.1b/crypto/dsa/dsa_key.c	2019-02-28 11:30:06.799745800 +0100
e4b8d1
@@ -13,10 +13,49 @@
e4b8d1
 #include <openssl/bn.h>
e4b8d1
 #include "dsa_locl.h"
e4b8d1
 
e4b8d1
+#ifdef OPENSSL_FIPS
e4b8d1
+# include <openssl/fips.h>
e4b8d1
+# include "internal/fips_int.h"
e4b8d1
+
e4b8d1
+static int fips_check_dsa(DSA *dsa)
e4b8d1
+{
e4b8d1
+    EVP_PKEY *pk;
e4b8d1
+    unsigned char tbs[] = "DSA Pairwise Check Data";
e4b8d1
+    int ret = 0;
e4b8d1
+
e4b8d1
+    if ((pk = EVP_PKEY_new()) == NULL)
e4b8d1
+        goto err;
e4b8d1
+
e4b8d1
+    EVP_PKEY_set1_DSA(pk, dsa);
e4b8d1
+
e4b8d1
+    if (fips_pkey_signature_test(pk, tbs, -1, NULL, 0, NULL, 0, NULL))
e4b8d1
+        ret = 1;
e4b8d1
+
e4b8d1
+ err:
e4b8d1
+    if (ret == 0) {
e4b8d1
+        FIPSerr(FIPS_F_FIPS_CHECK_DSA, FIPS_R_PAIRWISE_TEST_FAILED);
e4b8d1
+        fips_set_selftest_fail();
e4b8d1
+    }
e4b8d1
+
e4b8d1
+    if (pk)
e4b8d1
+        EVP_PKEY_free(pk);
e4b8d1
+
e4b8d1
+    return ret;
e4b8d1
+}
e4b8d1
+
e4b8d1
+#endif
e4b8d1
+
e4b8d1
 static int dsa_builtin_keygen(DSA *dsa);
e4b8d1
 
e4b8d1
 int DSA_generate_key(DSA *dsa)
e4b8d1
 {
e4b8d1
+#ifdef OPENSSL_FIPS
e4b8d1
+    if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD)
e4b8d1
+        && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)) {
e4b8d1
+        DSAerr(DSA_F_DSA_GENERATE_KEY, DSA_R_NON_FIPS_DSA_METHOD);
e4b8d1
+        return 0;
e4b8d1
+    }
e4b8d1
+#endif
e4b8d1
     if (dsa->meth->dsa_keygen)
e4b8d1
         return dsa->meth->dsa_keygen(dsa);
e4b8d1
     return dsa_builtin_keygen(dsa);
e4b8d1
@@ -28,6 +67,14 @@ static int dsa_builtin_keygen(DSA *dsa)
e4b8d1
     BN_CTX *ctx = NULL;
e4b8d1
     BIGNUM *pub_key = NULL, *priv_key = NULL;
e4b8d1
 
e4b8d1
+#ifdef OPENSSL_FIPS
e4b8d1
+    if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
e4b8d1
+        && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS_GEN)) {
e4b8d1
+        DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL);
e4b8d1
+        goto err;
e4b8d1
+    }
e4b8d1
+#endif
e4b8d1
+
e4b8d1
     if ((ctx = BN_CTX_new()) == NULL)
e4b8d1
         goto err;
e4b8d1
 
e4b8d1
@@ -65,6 +112,13 @@ static int dsa_builtin_keygen(DSA *dsa)
e4b8d1
 
e4b8d1
     dsa->priv_key = priv_key;
e4b8d1
     dsa->pub_key = pub_key;
e4b8d1
+#ifdef OPENSSL_FIPS
e4b8d1
+    if (FIPS_mode() && !fips_check_dsa(dsa)) {
e4b8d1
+        dsa->pub_key = NULL;
e4b8d1
+        dsa->priv_key = NULL;
e4b8d1
+        goto err;
e4b8d1
+    }
e4b8d1
+#endif
e4b8d1
     ok = 1;
e4b8d1
 
e4b8d1
  err:
782d48
diff -up openssl-1.1.1b/crypto/dsa/dsa_ossl.c.fips openssl-1.1.1b/crypto/dsa/dsa_ossl.c
782d48
--- openssl-1.1.1b/crypto/dsa/dsa_ossl.c.fips	2019-02-26 15:15:30.000000000 +0100
782d48
+++ openssl-1.1.1b/crypto/dsa/dsa_ossl.c	2019-02-28 11:30:06.800745781 +0100
782d48
@@ -14,6 +14,9 @@
e4b8d1
 #include <openssl/sha.h>
e4b8d1
 #include "dsa_locl.h"
e4b8d1
 #include <openssl/asn1.h>
e4b8d1
+#ifdef OPENSSL_FIPS
e4b8d1
+# include <openssl/fips.h>
e4b8d1
+#endif
e4b8d1
 
e4b8d1
 static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
e4b8d1
 static int dsa_sign_setup_no_digest(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
782d48
@@ -73,6 +76,19 @@ static DSA_SIG *dsa_do_sign(const unsign
e4b8d1
         goto err;
e4b8d1
     }
e4b8d1
 
e4b8d1
+#ifdef OPENSSL_FIPS
e4b8d1
+    if (FIPS_selftest_failed()) {
e4b8d1
+        FIPSerr(FIPS_F_DSA_DO_SIGN, FIPS_R_FIPS_SELFTEST_FAILED);
e4b8d1
+        return NULL;
e4b8d1
+    }
e4b8d1
+
e4b8d1
+    if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
e4b8d1
+        && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) {
e4b8d1
+        DSAerr(DSA_F_DSA_DO_SIGN, DSA_R_KEY_SIZE_TOO_SMALL);
e4b8d1
+        return NULL;
e4b8d1
+    }
e4b8d1
+#endif
e4b8d1
+
e4b8d1
     ret = DSA_SIG_new();
e4b8d1
     if (ret == NULL)
e4b8d1
         goto err;
782d48
@@ -301,6 +317,18 @@ static int dsa_do_verify(const unsigned
e4b8d1
         DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_BAD_Q_VALUE);
e4b8d1
         return -1;
e4b8d1
     }
e4b8d1
+#ifdef OPENSSL_FIPS
e4b8d1
+    if (FIPS_selftest_failed()) {
e4b8d1
+        FIPSerr(FIPS_F_DSA_DO_VERIFY, FIPS_R_FIPS_SELFTEST_FAILED);
e4b8d1
+        return -1;
e4b8d1
+    }
e4b8d1
+
e4b8d1
+    if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
e4b8d1
+        && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) {
e4b8d1
+        DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_KEY_SIZE_TOO_SMALL);
e4b8d1
+        return -1;
e4b8d1
+    }
e4b8d1
+#endif
e4b8d1
 
e4b8d1
     if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) {
e4b8d1
         DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_MODULUS_TOO_LARGE);
782d48
@@ -389,6 +417,9 @@ static int dsa_do_verify(const unsigned
e4b8d1
 
e4b8d1
 static int dsa_init(DSA *dsa)
e4b8d1
 {
e4b8d1
+#ifdef OPENSSL_FIPS
e4b8d1
+    FIPS_selftest_check();
e4b8d1
+#endif
e4b8d1
     dsa->flags |= DSA_FLAG_CACHE_MONT_P;
e4b8d1
     return 1;
e4b8d1
 }
782d48
diff -up openssl-1.1.1b/crypto/dsa/dsa_pmeth.c.fips openssl-1.1.1b/crypto/dsa/dsa_pmeth.c
782d48
--- openssl-1.1.1b/crypto/dsa/dsa_pmeth.c.fips	2019-02-26 15:15:30.000000000 +0100
782d48
+++ openssl-1.1.1b/crypto/dsa/dsa_pmeth.c	2019-02-28 11:30:06.800745781 +0100
e4b8d1
@@ -211,8 +211,8 @@ static int pkey_dsa_paramgen(EVP_PKEY_CT
e4b8d1
         BN_GENCB_free(pcb);
e4b8d1
         return 0;
e4b8d1
     }
e4b8d1
-    ret = dsa_builtin_paramgen(dsa, dctx->nbits, dctx->qbits, dctx->pmd,
e4b8d1
-                               NULL, 0, NULL, NULL, NULL, pcb);
e4b8d1
+    ret = dsa_builtin_paramgen2(dsa, dctx->nbits, dctx->qbits, dctx->pmd,
e4b8d1
+                               NULL, 0, -1, NULL, NULL, NULL, pcb);
e4b8d1
     BN_GENCB_free(pcb);
e4b8d1
     if (ret)
e4b8d1
         EVP_PKEY_assign_DSA(pkey, dsa);
782d48
@@ -241,7 +241,7 @@ static int pkey_dsa_keygen(EVP_PKEY_CTX
782d48
 
782d48
 const EVP_PKEY_METHOD dsa_pkey_meth = {
782d48
     EVP_PKEY_DSA,
782d48
-    EVP_PKEY_FLAG_AUTOARGLEN,
782d48
+    EVP_PKEY_FLAG_AUTOARGLEN | EVP_PKEY_FLAG_FIPS,
782d48
     pkey_dsa_init,
782d48
     pkey_dsa_copy,
782d48
     pkey_dsa_cleanup,
782d48
diff -up openssl-1.1.1b/crypto/ec/ecdh_ossl.c.fips openssl-1.1.1b/crypto/ec/ecdh_ossl.c
782d48
--- openssl-1.1.1b/crypto/ec/ecdh_ossl.c.fips	2019-02-26 15:15:30.000000000 +0100
782d48
+++ openssl-1.1.1b/crypto/ec/ecdh_ossl.c	2019-02-28 11:30:06.801745763 +0100
e4b8d1
@@ -19,9 +19,20 @@
e4b8d1
 #include <openssl/ec.h>
e4b8d1
 #include "ec_lcl.h"
e4b8d1
 
e4b8d1
+#ifdef OPENSSL_FIPS
e4b8d1
+# include <openssl/fips.h>
e4b8d1
+#endif
e4b8d1
+
e4b8d1
 int ossl_ecdh_compute_key(unsigned char **psec, size_t *pseclen,
e4b8d1
                           const EC_POINT *pub_key, const EC_KEY *ecdh)
e4b8d1
 {
e4b8d1
+#ifdef OPENSSL_FIPS
e4b8d1
+    if (FIPS_selftest_failed()) {
e4b8d1
+        FIPSerr(FIPS_F_ECDH_COMPUTE_KEY, FIPS_R_FIPS_SELFTEST_FAILED);
e4b8d1
+        return -1;
e4b8d1
+    }
e4b8d1
+#endif
e4b8d1
+
e4b8d1
     if (ecdh->group->meth->ecdh_compute_key == NULL) {
e4b8d1
         ECerr(EC_F_OSSL_ECDH_COMPUTE_KEY, EC_R_CURVE_DOES_NOT_SUPPORT_ECDH);
e4b8d1
         return 0;
782d48
diff -up openssl-1.1.1b/crypto/ec/ecdsa_ossl.c.fips openssl-1.1.1b/crypto/ec/ecdsa_ossl.c
782d48
--- openssl-1.1.1b/crypto/ec/ecdsa_ossl.c.fips	2019-02-26 15:15:30.000000000 +0100
782d48
+++ openssl-1.1.1b/crypto/ec/ecdsa_ossl.c	2019-02-28 11:30:06.801745763 +0100
e4b8d1
@@ -14,6 +14,10 @@
e4b8d1
 #include "internal/bn_int.h"
e4b8d1
 #include "ec_lcl.h"
e4b8d1
 
e4b8d1
+#ifdef OPENSSL_FIPS
e4b8d1
+# include <openssl/fips.h>
e4b8d1
+#endif
e4b8d1
+
e4b8d1
 int ossl_ecdsa_sign(int type, const unsigned char *dgst, int dlen,
e4b8d1
                     unsigned char *sig, unsigned int *siglen,
e4b8d1
                     const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey)
e4b8d1
@@ -159,6 +163,13 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns
e4b8d1
     ECDSA_SIG *ret;
e4b8d1
     const BIGNUM *priv_key;
e4b8d1
 
e4b8d1
+#ifdef OPENSSL_FIPS
e4b8d1
+    if (FIPS_selftest_failed()) {
e4b8d1
+        FIPSerr(FIPS_F_OSSL_ECDSA_SIGN_SIG, FIPS_R_FIPS_SELFTEST_FAILED);
e4b8d1
+        return NULL;
e4b8d1
+    }
e4b8d1
+#endif
e4b8d1
+
e4b8d1
     group = EC_KEY_get0_group(eckey);
e4b8d1
     priv_key = EC_KEY_get0_private_key(eckey);
e4b8d1
 
e4b8d1
@@ -317,6 +328,13 @@ int ossl_ecdsa_verify_sig(const unsigned
e4b8d1
     const EC_GROUP *group;
e4b8d1
     const EC_POINT *pub_key;
e4b8d1
 
e4b8d1
+#ifdef OPENSSL_FIPS
e4b8d1
+    if (FIPS_selftest_failed()) {
e4b8d1
+        FIPSerr(FIPS_F_OSSL_ECDSA_VERIFY_SIG, FIPS_R_FIPS_SELFTEST_FAILED);
e4b8d1
+        return -1;
e4b8d1
+    }
e4b8d1
+#endif
e4b8d1
+
e4b8d1
     /* check input values */
e4b8d1
     if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL ||
e4b8d1
         (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL) {
782d48
diff -up openssl-1.1.1b/crypto/ec/ec_key.c.fips openssl-1.1.1b/crypto/ec/ec_key.c
782d48
--- openssl-1.1.1b/crypto/ec/ec_key.c.fips	2019-02-26 15:15:30.000000000 +0100
782d48
+++ openssl-1.1.1b/crypto/ec/ec_key.c	2019-02-28 11:30:06.802745744 +0100
e4b8d1
@@ -178,14 +178,62 @@ ENGINE *EC_KEY_get0_engine(const EC_KEY
e4b8d1
     return eckey->engine;
e4b8d1
 }
e4b8d1
 
e4b8d1
+#ifdef OPENSSL_FIPS
e4b8d1
+
e4b8d1
+# include <openssl/fips.h>
e4b8d1
+# include "internal/fips_int.h"
e4b8d1
+
e4b8d1
+static int fips_check_ec(EC_KEY *key)
e4b8d1
+{
e4b8d1
+    EVP_PKEY *pk;
e4b8d1
+    unsigned char tbs[] = "ECDSA Pairwise Check Data";
e4b8d1
+    int ret = 0;
e4b8d1
+
e4b8d1
+    if (!EC_KEY_can_sign(key)) /* no test for non-signing keys */
e4b8d1
+        return 1;
e4b8d1
+
e4b8d1
+    if ((pk = EVP_PKEY_new()) == NULL)
e4b8d1
+        goto err;
e4b8d1
+
e4b8d1
+    EVP_PKEY_set1_EC_KEY(pk, key);
e4b8d1
+
e4b8d1
+    if (fips_pkey_signature_test(pk, tbs, -1, NULL, 0, NULL, 0, NULL))
e4b8d1
+        ret = 1;
e4b8d1
+
e4b8d1
+ err:
e4b8d1
+    if (ret == 0) {
e4b8d1
+        FIPSerr(FIPS_F_FIPS_CHECK_EC, FIPS_R_PAIRWISE_TEST_FAILED);
e4b8d1
+        fips_set_selftest_fail();
e4b8d1
+    }
e4b8d1
+    if (pk)
e4b8d1
+        EVP_PKEY_free(pk);
e4b8d1
+    return ret;
e4b8d1
+}
e4b8d1
+
e4b8d1
+#endif
e4b8d1
+
e4b8d1
 int EC_KEY_generate_key(EC_KEY *eckey)
e4b8d1
 {
e4b8d1
+#ifdef OPENSSL_FIPS
e4b8d1
+    if (FIPS_selftest_failed()) {
e4b8d1
+        ECerr(EC_F_EC_KEY_GENERATE_KEY, EC_R_NOT_INITIALIZED);
e4b8d1
+        return 0;
e4b8d1
+    }
e4b8d1
+#endif
e4b8d1
     if (eckey == NULL || eckey->group == NULL) {
e4b8d1
         ECerr(EC_F_EC_KEY_GENERATE_KEY, ERR_R_PASSED_NULL_PARAMETER);
e4b8d1
         return 0;
e4b8d1
     }
e4b8d1
-    if (eckey->meth->keygen != NULL)
e4b8d1
-        return eckey->meth->keygen(eckey);
e4b8d1
+    if (eckey->meth->keygen != NULL) {
e4b8d1
+        int rv = eckey->meth->keygen(eckey);
e4b8d1
+
e4b8d1
+#ifdef OPENSSL_FIPS
e4b8d1
+        if (rv > 0 && FIPS_mode()) {
e4b8d1
+            rv = fips_check_ec(eckey);
e4b8d1
+        }
e4b8d1
+#endif
e4b8d1
+        return rv;
e4b8d1
+    }
e4b8d1
     ECerr(EC_F_EC_KEY_GENERATE_KEY, EC_R_OPERATION_NOT_SUPPORTED);
e4b8d1
     return 0;
e4b8d1
 }
782d48
diff -up openssl-1.1.1b/crypto/ec/ec_pmeth.c.fips openssl-1.1.1b/crypto/ec/ec_pmeth.c
782d48
--- openssl-1.1.1b/crypto/ec/ec_pmeth.c.fips	2019-02-26 15:15:30.000000000 +0100
782d48
+++ openssl-1.1.1b/crypto/ec/ec_pmeth.c	2019-05-06 14:47:34.651077251 +0200
782d48
@@ -434,7 +434,7 @@ static int pkey_ec_keygen(EVP_PKEY_CTX *
782d48
 
782d48
 const EVP_PKEY_METHOD ec_pkey_meth = {
782d48
     EVP_PKEY_EC,
782d48
-    0,
782d48
+    EVP_PKEY_FLAG_FIPS,
782d48
     pkey_ec_init,
782d48
     pkey_ec_copy,
782d48
     pkey_ec_cleanup,
782d48
diff -up openssl-1.1.1b/crypto/evp/c_allc.c.fips openssl-1.1.1b/crypto/evp/c_allc.c
782d48
--- openssl-1.1.1b/crypto/evp/c_allc.c.fips	2019-02-26 15:15:30.000000000 +0100
782d48
+++ openssl-1.1.1b/crypto/evp/c_allc.c	2019-02-28 11:30:06.802745744 +0100
e4b8d1
@@ -17,6 +17,9 @@
e4b8d1
 void openssl_add_all_ciphers_int(void)
e4b8d1
 {
e4b8d1
 
e4b8d1
+#ifdef OPENSSL_FIPS
e4b8d1
+    if (!FIPS_mode()) {
e4b8d1
+#endif
e4b8d1
 #ifndef OPENSSL_NO_DES
e4b8d1
     EVP_add_cipher(EVP_des_cfb());
e4b8d1
     EVP_add_cipher(EVP_des_cfb1());
e4b8d1
@@ -263,4 +266,70 @@ void openssl_add_all_ciphers_int(void)
e4b8d1
     EVP_add_cipher(EVP_chacha20_poly1305());
e4b8d1
 # endif
e4b8d1
 #endif
e4b8d1
+#ifdef OPENSSL_FIPS
e4b8d1
+    } else {
e4b8d1
+# ifndef OPENSSL_NO_DES
e4b8d1
+        EVP_add_cipher(EVP_des_ede3_cfb());
e4b8d1
+
e4b8d1
+        EVP_add_cipher(EVP_des_ede3_ofb());
e4b8d1
+
e4b8d1
+        EVP_add_cipher(EVP_des_ede3_cbc());
e4b8d1
+        EVP_add_cipher_alias(SN_des_ede3_cbc, "DES3");
e4b8d1
+        EVP_add_cipher_alias(SN_des_ede3_cbc, "des3");
e4b8d1
+
e4b8d1
+        EVP_add_cipher(EVP_des_ede3());
e4b8d1
+        EVP_add_cipher_alias(SN_des_ede3_ecb, "DES-EDE3-ECB");
e4b8d1
+        EVP_add_cipher_alias(SN_des_ede3_ecb, "des-ede3-ecb");
e4b8d1
+        EVP_add_cipher(EVP_des_ede3_wrap());
e4b8d1
+        EVP_add_cipher_alias(SN_id_smime_alg_CMS3DESwrap, "des3-wrap");
e4b8d1
+# endif
e4b8d1
+
e4b8d1
+# ifndef OPENSSL_NO_AES
e4b8d1
+        EVP_add_cipher(EVP_aes_128_ecb());
e4b8d1
+        EVP_add_cipher(EVP_aes_128_cbc());
e4b8d1
+        EVP_add_cipher(EVP_aes_128_cfb());
e4b8d1
+        EVP_add_cipher(EVP_aes_128_cfb1());
e4b8d1
+        EVP_add_cipher(EVP_aes_128_cfb8());
e4b8d1
+        EVP_add_cipher(EVP_aes_128_ofb());
e4b8d1
+        EVP_add_cipher(EVP_aes_128_ctr());
e4b8d1
+        EVP_add_cipher(EVP_aes_128_gcm());
e4b8d1
+        EVP_add_cipher(EVP_aes_128_xts());
e4b8d1
+        EVP_add_cipher(EVP_aes_128_ccm());
e4b8d1
+        EVP_add_cipher(EVP_aes_128_wrap());
e4b8d1
+        EVP_add_cipher_alias(SN_id_aes128_wrap, "aes128-wrap");
e4b8d1
+        EVP_add_cipher(EVP_aes_128_wrap_pad());
e4b8d1
+        EVP_add_cipher_alias(SN_aes_128_cbc, "AES128");
e4b8d1
+        EVP_add_cipher_alias(SN_aes_128_cbc, "aes128");
e4b8d1
+        EVP_add_cipher(EVP_aes_192_ecb());
e4b8d1
+        EVP_add_cipher(EVP_aes_192_cbc());
e4b8d1
+        EVP_add_cipher(EVP_aes_192_cfb());
e4b8d1
+        EVP_add_cipher(EVP_aes_192_cfb1());
e4b8d1
+        EVP_add_cipher(EVP_aes_192_cfb8());
e4b8d1
+        EVP_add_cipher(EVP_aes_192_ofb());
e4b8d1
+        EVP_add_cipher(EVP_aes_192_ctr());
e4b8d1
+        EVP_add_cipher(EVP_aes_192_gcm());
e4b8d1
+        EVP_add_cipher(EVP_aes_192_ccm());
e4b8d1
+        EVP_add_cipher(EVP_aes_192_wrap());
e4b8d1
+        EVP_add_cipher_alias(SN_id_aes192_wrap, "aes192-wrap");
e4b8d1
+        EVP_add_cipher(EVP_aes_192_wrap_pad());
e4b8d1
+        EVP_add_cipher_alias(SN_aes_192_cbc, "AES192");
e4b8d1
+        EVP_add_cipher_alias(SN_aes_192_cbc, "aes192");
e4b8d1
+        EVP_add_cipher(EVP_aes_256_ecb());
e4b8d1
+        EVP_add_cipher(EVP_aes_256_cbc());
e4b8d1
+        EVP_add_cipher(EVP_aes_256_cfb());
e4b8d1
+        EVP_add_cipher(EVP_aes_256_cfb1());
e4b8d1
+        EVP_add_cipher(EVP_aes_256_cfb8());
e4b8d1
+        EVP_add_cipher(EVP_aes_256_ofb());
e4b8d1
+        EVP_add_cipher(EVP_aes_256_ctr());
e4b8d1
+        EVP_add_cipher(EVP_aes_256_gcm());
e4b8d1
+        EVP_add_cipher(EVP_aes_256_xts());
e4b8d1
+        EVP_add_cipher(EVP_aes_256_ccm());
e4b8d1
+        EVP_add_cipher(EVP_aes_256_wrap());
e4b8d1
+        EVP_add_cipher_alias(SN_id_aes256_wrap, "aes256-wrap");
e4b8d1
+        EVP_add_cipher(EVP_aes_256_wrap_pad());
e4b8d1
+        EVP_add_cipher_alias(SN_aes_256_cbc, "AES256");
e4b8d1
+        EVP_add_cipher_alias(SN_aes_256_cbc, "aes256");
e4b8d1
+# endif
e4b8d1
+    }
e4b8d1
+#endif
e4b8d1
 }
782d48
diff -up openssl-1.1.1b/crypto/evp/c_alld.c.fips openssl-1.1.1b/crypto/evp/c_alld.c
782d48
--- openssl-1.1.1b/crypto/evp/c_alld.c.fips	2019-02-26 15:15:30.000000000 +0100
782d48
+++ openssl-1.1.1b/crypto/evp/c_alld.c	2019-02-28 11:30:06.803745726 +0100
e4b8d1
@@ -16,6 +16,9 @@
e4b8d1
 
e4b8d1
 void openssl_add_all_digests_int(void)
e4b8d1
 {
e4b8d1
+#ifdef OPENSSL_FIPS
e4b8d1
+    if (!FIPS_mode()) {
e4b8d1
+#endif
e4b8d1
 #ifndef OPENSSL_NO_MD4
e4b8d1
     EVP_add_digest(EVP_md4());
e4b8d1
 #endif
e4b8d1
@@ -57,4 +60,24 @@ void openssl_add_all_digests_int(void)
e4b8d1
     EVP_add_digest(EVP_sha3_512());
e4b8d1
     EVP_add_digest(EVP_shake128());
e4b8d1
     EVP_add_digest(EVP_shake256());
e4b8d1
+#ifdef OPENSSL_FIPS
e4b8d1
+    } else {
e4b8d1
+        EVP_add_digest(EVP_md5_sha1());
e4b8d1
+        EVP_add_digest(EVP_sha1());
e4b8d1
+        EVP_add_digest_alias(SN_sha1, "ssl3-sha1");
e4b8d1
+        EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA);
e4b8d1
+        EVP_add_digest(EVP_sha224());
e4b8d1
+        EVP_add_digest(EVP_sha256());
e4b8d1
+        EVP_add_digest(EVP_sha384());
e4b8d1
+        EVP_add_digest(EVP_sha512());
e4b8d1
+        EVP_add_digest(EVP_sha512_224());
e4b8d1
+        EVP_add_digest(EVP_sha512_256());
e4b8d1
+        EVP_add_digest(EVP_sha3_224());
e4b8d1
+        EVP_add_digest(EVP_sha3_256());
e4b8d1
+        EVP_add_digest(EVP_sha3_384());
e4b8d1
+        EVP_add_digest(EVP_sha3_512());
e4b8d1
+        EVP_add_digest(EVP_shake128());
e4b8d1
+        EVP_add_digest(EVP_shake256());
e4b8d1
+    }
e4b8d1
+#endif
e4b8d1
 }
782d48
diff -up openssl-1.1.1c/crypto/evp/digest.c.fips openssl-1.1.1c/crypto/evp/digest.c
782d48
--- openssl-1.1.1c/crypto/evp/digest.c.fips	2019-05-28 15:12:21.000000000 +0200
782d48
+++ openssl-1.1.1c/crypto/evp/digest.c	2019-05-29 15:47:59.220499971 +0200
e4b8d1
@@ -14,6 +14,9 @@
e4b8d1
 #include <openssl/engine.h>
e4b8d1
 #include "internal/evp_int.h"
e4b8d1
 #include "evp_locl.h"
e4b8d1
+#ifdef OPENSSL_FIPS
e4b8d1
+# include <openssl/fips.h>
e4b8d1
+#endif
e4b8d1
 
e4b8d1
 /* This call frees resources associated with the context */
e4b8d1
 int EVP_MD_CTX_reset(EVP_MD_CTX *ctx)
e4b8d1
@@ -66,6 +69,12 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, cons
e4b8d1
 int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
e4b8d1
 {
e4b8d1
     EVP_MD_CTX_clear_flags(ctx, EVP_MD_CTX_FLAG_CLEANED);
e4b8d1
+#ifdef OPENSSL_FIPS
e4b8d1
+    if (FIPS_selftest_failed()) {
e4b8d1
+        FIPSerr(FIPS_F_EVP_DIGESTINIT_EX, FIPS_R_FIPS_SELFTEST_FAILED);
e4b8d1
+        return 0;
e4b8d1
+    }
e4b8d1
+#endif
e4b8d1
 #ifndef OPENSSL_NO_ENGINE
e4b8d1
     /*
e4b8d1
      * Whether it's nice or not, "Inits" can be used on "Final"'d contexts so
e4b8d1
@@ -119,6 +128,15 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c
e4b8d1
     }
e4b8d1
 #endif
e4b8d1
     if (ctx->digest != type) {
e4b8d1
+#ifdef OPENSSL_FIPS
e4b8d1
+        if (FIPS_mode()) {
e4b8d1
+            if (!(type->flags & EVP_MD_FLAG_FIPS)
e4b8d1
+                && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)) {
e4b8d1
+                EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS);
e4b8d1
+                return 0;
e4b8d1
+            }
e4b8d1
+        }
e4b8d1
+#endif
e4b8d1
         if (ctx->digest && ctx->digest->ctx_size) {
e4b8d1
             OPENSSL_clear_free(ctx->md_data, ctx->digest->ctx_size);
e4b8d1
             ctx->md_data = NULL;
782d48
@@ -150,6 +168,10 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c
e4b8d1
 
e4b8d1
 int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count)
e4b8d1
 {
e4b8d1
+#ifdef OPENSSL_FIPS
e4b8d1
+    FIPS_selftest_check();
e4b8d1
+#endif
782d48
+
782d48
     if (count == 0)
782d48
         return 1;
e4b8d1
 
782d48
@@ -170,6 +192,9 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx,
e4b8d1
 {
e4b8d1
     int ret;
e4b8d1
 
e4b8d1
+#ifdef OPENSSL_FIPS
e4b8d1
+    FIPS_selftest_check();
e4b8d1
+#endif
e4b8d1
     OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
e4b8d1
     ret = ctx->digest->final(ctx, md);
e4b8d1
     if (size != NULL)
782d48
diff -up openssl-1.1.1b/crypto/evp/e_aes.c.fips openssl-1.1.1b/crypto/evp/e_aes.c
782d48
--- openssl-1.1.1b/crypto/evp/e_aes.c.fips	2019-02-26 15:15:30.000000000 +0100
782d48
+++ openssl-1.1.1b/crypto/evp/e_aes.c	2019-05-06 16:32:41.631668333 +0200
782d48
@@ -387,22 +387,33 @@ static int aesni_xts_init_key(EVP_CIPHER
782d48
         return 1;
782d48
 
782d48
     if (key) {
782d48
+        /* The key is two half length keys in reality */
782d48
+        const int bytes = EVP_CIPHER_CTX_key_length(ctx) / 2;
782d48
+        const int bits = bytes * 8;
782d48
+
782d48
+        /*
782d48
+         * Verify that the two keys are different.
782d48
+         * 
782d48
+         * This addresses Rogaway's vulnerability.
782d48
+         * See comment in aes_xts_init_key() below.
782d48
+         */
782d48
+        if (memcmp(key, key + bytes, bytes) == 0) {
782d48
+            EVPerr(EVP_F_AESNI_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS);
782d48
+            return 0;
782d48
+        }
782d48
+
782d48
         /* key_len is two AES keys */
782d48
         if (enc) {
782d48
-            aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4,
782d48
-                                  &xctx->ks1.ks);
782d48
+            aesni_set_encrypt_key(key, bits, &xctx->ks1.ks);
782d48
             xctx->xts.block1 = (block128_f) aesni_encrypt;
782d48
             xctx->stream = aesni_xts_encrypt;
782d48
         } else {
782d48
-            aesni_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4,
782d48
-                                  &xctx->ks1.ks);
782d48
+            aesni_set_decrypt_key(key, bits, &xctx->ks1.ks);
782d48
             xctx->xts.block1 = (block128_f) aesni_decrypt;
782d48
             xctx->stream = aesni_xts_decrypt;
782d48
         }
782d48
 
782d48
-        aesni_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2,
782d48
-                              EVP_CIPHER_CTX_key_length(ctx) * 4,
782d48
-                              &xctx->ks2.ks);
782d48
+        aesni_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks);
782d48
         xctx->xts.block2 = (block128_f) aesni_encrypt;
782d48
 
782d48
         xctx->xts.key1 = &xctx->ks1;
782d48
@@ -791,7 +802,21 @@ static int aes_t4_xts_init_key(EVP_CIPHE
782d48
         return 1;
782d48
 
782d48
     if (key) {
782d48
-        int bits = EVP_CIPHER_CTX_key_length(ctx) * 4;
782d48
+        /* The key is two half length keys in reality */
782d48
+        const int bytes = EVP_CIPHER_CTX_key_length(ctx) / 2;
782d48
+        const int bits = bytes * 8;
782d48
+
782d48
+        /*
782d48
+         * Verify that the two keys are different.
782d48
+         * 
782d48
+         * This addresses Rogaway's vulnerability.
782d48
+         * See comment in aes_xts_init_key() below.
782d48
+         */
782d48
+        if (memcmp(key, key + bytes, bytes) == 0) {
782d48
+            EVPerr(EVP_F_AES_T4_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS);
782d48
+            return 0;
782d48
+        }
782d48
+
782d48
         xctx->stream = NULL;
782d48
         /* key_len is two AES keys */
782d48
         if (enc) {
782d48
@@ -808,8 +833,7 @@ static int aes_t4_xts_init_key(EVP_CIPHE
782d48
                 return 0;
782d48
             }
782d48
         } else {
782d48
-            aes_t4_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4,
782d48
-                                   &xctx->ks1.ks);
782d48
+            aes_t4_set_decrypt_key(key, bits, &xctx->ks1.ks);
782d48
             xctx->xts.block1 = (block128_f) aes_t4_decrypt;
782d48
             switch (bits) {
782d48
             case 128:
782d48
@@ -823,9 +847,7 @@ static int aes_t4_xts_init_key(EVP_CIPHE
782d48
             }
782d48
         }
782d48
 
782d48
-        aes_t4_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2,
782d48
-                               EVP_CIPHER_CTX_key_length(ctx) * 4,
782d48
-                               &xctx->ks2.ks);
782d48
+        aes_t4_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks);
782d48
         xctx->xts.block2 = (block128_f) aes_t4_encrypt;
782d48
 
782d48
         xctx->xts.key1 = &xctx->ks1;
782d48
@@ -2794,9 +2816,9 @@ static int aes_ctr_cipher(EVP_CIPHER_CTX
e4b8d1
     return 1;
e4b8d1
 }
e4b8d1
 
e4b8d1
-BLOCK_CIPHER_generic_pack(NID_aes, 128, 0)
e4b8d1
-    BLOCK_CIPHER_generic_pack(NID_aes, 192, 0)
e4b8d1
-    BLOCK_CIPHER_generic_pack(NID_aes, 256, 0)
e4b8d1
+BLOCK_CIPHER_generic_pack(NID_aes, 128, EVP_CIPH_FLAG_FIPS)
e4b8d1
+    BLOCK_CIPHER_generic_pack(NID_aes, 192, EVP_CIPH_FLAG_FIPS)
e4b8d1
+    BLOCK_CIPHER_generic_pack(NID_aes, 256, EVP_CIPH_FLAG_FIPS)
e4b8d1
 
e4b8d1
 static int aes_gcm_cleanup(EVP_CIPHER_CTX *c)
e4b8d1
 {
782d48
@@ -2826,6 +2848,11 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *
e4b8d1
     case EVP_CTRL_AEAD_SET_IVLEN:
e4b8d1
         if (arg <= 0)
e4b8d1
             return 0;
e4b8d1
+# ifdef OPENSSL_FIPS
e4b8d1
+        if (FIPS_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)
e4b8d1
+            && arg < 12)
e4b8d1
+            return 0;
e4b8d1
+# endif
e4b8d1
         /* Allocate memory for IV if needed */
e4b8d1
         if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) {
e4b8d1
             if (gctx->iv != c->iv)
782d48
@@ -3275,11 +3302,14 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX
e4b8d1
                 | EVP_CIPH_CUSTOM_COPY)
e4b8d1
 
e4b8d1
 BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, gcm, GCM,
e4b8d1
-                    EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
e4b8d1
+                    EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER |
e4b8d1
+                    CUSTOM_FLAGS)
e4b8d1
     BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, gcm, GCM,
e4b8d1
-                    EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
e4b8d1
+                    EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER |
e4b8d1
+                    CUSTOM_FLAGS)
e4b8d1
     BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, gcm, GCM,
e4b8d1
-                    EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
e4b8d1
+                    EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER |
e4b8d1
+                    CUSTOM_FLAGS)
e4b8d1
 
e4b8d1
 static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
e4b8d1
 {
782d48
@@ -3313,8 +3343,33 @@ static int aes_xts_init_key(EVP_CIPHER_C
782d48
     if (!iv && !key)
782d48
         return 1;
782d48
 
782d48
-    if (key)
782d48
+    if (key) {
782d48
         do {
782d48
+            /* The key is two half length keys in reality */
782d48
+            const int bytes = EVP_CIPHER_CTX_key_length(ctx) / 2;
782d48
+            const int bits = bytes * 8;
782d48
+
782d48
+            /*
782d48
+             * Verify that the two keys are different.
782d48
+             *
782d48
+             * This addresses the vulnerability described in Rogaway's
782d48
+             * September 2004 paper:
782d48
+             *
782d48
+             *      "Efficient Instantiations of Tweakable Blockciphers and
782d48
+             *       Refinements to Modes OCB and PMAC".
782d48
+             *      (http://web.cs.ucdavis.edu/~rogaway/papers/offsets.pdf)
782d48
+             *
782d48
+             * FIPS 140-2 IG A.9 XTS-AES Key Generation Requirements states
782d48
+             * that:
782d48
+             *      "The check for Key_1 != Key_2 shall be done at any place
782d48
+             *       BEFORE using the keys in the XTS-AES algorithm to process
782d48
+             *       data with them."
782d48
+             */
782d48
+            if (memcmp(key, key + bytes, bytes) == 0) {
782d48
+                EVPerr(EVP_F_AES_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS);
782d48
+                return 0;
782d48
+            }
782d48
+
782d48
 #ifdef AES_XTS_ASM
782d48
             xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt;
782d48
 #else
782d48
@@ -3324,26 +3379,20 @@ static int aes_xts_init_key(EVP_CIPHER_C
782d48
 #ifdef HWAES_CAPABLE
782d48
             if (HWAES_CAPABLE) {
782d48
                 if (enc) {
782d48
-                    HWAES_set_encrypt_key(key,
782d48
-                                          EVP_CIPHER_CTX_key_length(ctx) * 4,
782d48
-                                          &xctx->ks1.ks);
782d48
+                    HWAES_set_encrypt_key(key, bits, &xctx->ks1.ks);
782d48
                     xctx->xts.block1 = (block128_f) HWAES_encrypt;
782d48
 # ifdef HWAES_xts_encrypt
782d48
                     xctx->stream = HWAES_xts_encrypt;
782d48
 # endif
782d48
                 } else {
782d48
-                    HWAES_set_decrypt_key(key,
782d48
-                                          EVP_CIPHER_CTX_key_length(ctx) * 4,
782d48
-                                          &xctx->ks1.ks);
782d48
+                    HWAES_set_decrypt_key(key, bits, &xctx->ks1.ks);
782d48
                     xctx->xts.block1 = (block128_f) HWAES_decrypt;
782d48
 # ifdef HWAES_xts_decrypt
782d48
                     xctx->stream = HWAES_xts_decrypt;
782d48
 #endif
782d48
                 }
782d48
 
782d48
-                HWAES_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2,
782d48
-                                      EVP_CIPHER_CTX_key_length(ctx) * 4,
782d48
-                                      &xctx->ks2.ks);
782d48
+                HWAES_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks);
782d48
                 xctx->xts.block2 = (block128_f) HWAES_encrypt;
782d48
 
782d48
                 xctx->xts.key1 = &xctx->ks1;
782d48
@@ -3358,20 +3407,14 @@ static int aes_xts_init_key(EVP_CIPHER_C
782d48
 #ifdef VPAES_CAPABLE
782d48
             if (VPAES_CAPABLE) {
782d48
                 if (enc) {
782d48
-                    vpaes_set_encrypt_key(key,
782d48
-                                          EVP_CIPHER_CTX_key_length(ctx) * 4,
782d48
-                                          &xctx->ks1.ks);
782d48
+                    vpaes_set_encrypt_key(key, bits, &xctx->ks1.ks);
782d48
                     xctx->xts.block1 = (block128_f) vpaes_encrypt;
782d48
                 } else {
782d48
-                    vpaes_set_decrypt_key(key,
782d48
-                                          EVP_CIPHER_CTX_key_length(ctx) * 4,
782d48
-                                          &xctx->ks1.ks);
782d48
+                    vpaes_set_decrypt_key(key, bits, &xctx->ks1.ks);
782d48
                     xctx->xts.block1 = (block128_f) vpaes_decrypt;
782d48
                 }
782d48
 
782d48
-                vpaes_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2,
782d48
-                                      EVP_CIPHER_CTX_key_length(ctx) * 4,
782d48
-                                      &xctx->ks2.ks);
782d48
+                vpaes_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks);
782d48
                 xctx->xts.block2 = (block128_f) vpaes_encrypt;
782d48
 
782d48
                 xctx->xts.key1 = &xctx->ks1;
782d48
@@ -3381,22 +3424,19 @@ static int aes_xts_init_key(EVP_CIPHER_C
782d48
                 (void)0;        /* terminate potentially open 'else' */
782d48
 
782d48
             if (enc) {
782d48
-                AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4,
782d48
-                                    &xctx->ks1.ks);
782d48
+                AES_set_encrypt_key(key, bits, &xctx->ks1.ks);
782d48
                 xctx->xts.block1 = (block128_f) AES_encrypt;
782d48
             } else {
782d48
-                AES_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4,
782d48
-                                    &xctx->ks1.ks);
782d48
+                AES_set_decrypt_key(key, bits, &xctx->ks1.ks);
782d48
                 xctx->xts.block1 = (block128_f) AES_decrypt;
782d48
             }
782d48
 
782d48
-            AES_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2,
782d48
-                                EVP_CIPHER_CTX_key_length(ctx) * 4,
782d48
-                                &xctx->ks2.ks);
782d48
+            AES_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks);
782d48
             xctx->xts.block2 = (block128_f) AES_encrypt;
782d48
 
782d48
             xctx->xts.key1 = &xctx->ks1;
782d48
         } while (0);
782d48
+    }
782d48
 
782d48
     if (iv) {
782d48
         xctx->xts.key2 = &xctx->ks2;
782d48
@@ -3414,6 +3454,14 @@ static int aes_xts_cipher(EVP_CIPHER_CTX
e4b8d1
         return 0;
e4b8d1
     if (!out || !in || len < AES_BLOCK_SIZE)
e4b8d1
         return 0;
e4b8d1
+# ifdef OPENSSL_FIPS
e4b8d1
+    /* Requirement of SP800-38E */
e4b8d1
+    if (FIPS_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) &&
e4b8d1
+        (len > (1UL << 20) * 16)) {
e4b8d1
+        EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_TOO_LARGE);
e4b8d1
+        return 0;
e4b8d1
+    }
e4b8d1
+# endif
e4b8d1
     if (xctx->stream)
e4b8d1
         (*xctx->stream) (in, out, len,
e4b8d1
                          xctx->xts.key1, xctx->xts.key2,
782d48
@@ -3431,8 +3479,10 @@ static int aes_xts_cipher(EVP_CIPHER_CTX
e4b8d1
                          | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
e4b8d1
                          | EVP_CIPH_CUSTOM_COPY)
e4b8d1
 
e4b8d1
-BLOCK_CIPHER_custom(NID_aes, 128, 1, 16, xts, XTS, XTS_FLAGS)
e4b8d1
-    BLOCK_CIPHER_custom(NID_aes, 256, 1, 16, xts, XTS, XTS_FLAGS)
e4b8d1
+BLOCK_CIPHER_custom(NID_aes, 128, 1, 16, xts, XTS,
e4b8d1
+                    EVP_CIPH_FLAG_FIPS | XTS_FLAGS)
e4b8d1
+    BLOCK_CIPHER_custom(NID_aes, 256, 1, 16, xts, XTS,
e4b8d1
+                    EVP_CIPH_FLAG_FIPS | XTS_FLAGS)
e4b8d1
 
e4b8d1
 static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
e4b8d1
 {
782d48
@@ -3697,11 +3747,11 @@ static int aes_ccm_cipher(EVP_CIPHER_CTX
e4b8d1
 #define aes_ccm_cleanup NULL
e4b8d1
 
e4b8d1
 BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, ccm, CCM,
e4b8d1
-                    EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
e4b8d1
+                    EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
e4b8d1
     BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, ccm, CCM,
e4b8d1
-                        EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
e4b8d1
+                        EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
e4b8d1
     BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, ccm, CCM,
e4b8d1
-                        EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
e4b8d1
+                        EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
e4b8d1
 
e4b8d1
 typedef struct {
e4b8d1
     union {
782d48
@@ -3794,7 +3844,7 @@ static int aes_wrap_cipher(EVP_CIPHER_CT
e4b8d1
     return rv ? (int)rv : -1;
e4b8d1
 }
e4b8d1
 
e4b8d1
-#define WRAP_FLAGS      (EVP_CIPH_WRAP_MODE \
e4b8d1
+#define WRAP_FLAGS      (EVP_CIPH_WRAP_MODE | EVP_CIPH_FLAG_FIPS \
e4b8d1
                 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
e4b8d1
                 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1)
e4b8d1
 
782d48
diff -up openssl-1.1.1b/crypto/evp/e_des3.c.fips openssl-1.1.1b/crypto/evp/e_des3.c
782d48
--- openssl-1.1.1b/crypto/evp/e_des3.c.fips	2019-02-26 15:15:30.000000000 +0100
782d48
+++ openssl-1.1.1b/crypto/evp/e_des3.c	2019-02-28 11:30:06.804745707 +0100
e4b8d1
@@ -211,16 +211,19 @@ BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY,
e4b8d1
 # define des_ede3_cbc_cipher des_ede_cbc_cipher
e4b8d1
 # define des_ede3_ecb_cipher des_ede_ecb_cipher
e4b8d1
     BLOCK_CIPHER_defs(des_ede3, DES_EDE_KEY, NID_des_ede3, 8, 24, 8, 64,
e4b8d1
-                  EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_DEFAULT_ASN1,
e4b8d1
-                  des_ede3_init_key, NULL, NULL, NULL, des3_ctrl)
e4b8d1
+                  EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_FIPS |
e4b8d1
+                  EVP_CIPH_FLAG_DEFAULT_ASN1, des_ede3_init_key, NULL, NULL, NULL,
e4b8d1
+                  des3_ctrl)
e4b8d1
 
e4b8d1
     BLOCK_CIPHER_def_cfb(des_ede3, DES_EDE_KEY, NID_des_ede3, 24, 8, 1,
e4b8d1
-                     EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_DEFAULT_ASN1,
e4b8d1
-                     des_ede3_init_key, NULL, NULL, NULL, des3_ctrl)
e4b8d1
+                     EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_FIPS |
e4b8d1
+                     EVP_CIPH_FLAG_DEFAULT_ASN1, des_ede3_init_key, NULL, NULL,
e4b8d1
+                     NULL, des3_ctrl)
e4b8d1
 
e4b8d1
     BLOCK_CIPHER_def_cfb(des_ede3, DES_EDE_KEY, NID_des_ede3, 24, 8, 8,
e4b8d1
-                     EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_DEFAULT_ASN1,
e4b8d1
-                     des_ede3_init_key, NULL, NULL, NULL, des3_ctrl)
e4b8d1
+                     EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_FIPS |
e4b8d1
+                     EVP_CIPH_FLAG_DEFAULT_ASN1, des_ede3_init_key, NULL, NULL,
e4b8d1
+                     NULL, des3_ctrl)
e4b8d1
 
e4b8d1
 static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
e4b8d1
                             const unsigned char *iv, int enc)
782d48
diff -up openssl-1.1.1b/crypto/evp/e_null.c.fips openssl-1.1.1b/crypto/evp/e_null.c
782d48
--- openssl-1.1.1b/crypto/evp/e_null.c.fips	2019-02-26 15:15:30.000000000 +0100
782d48
+++ openssl-1.1.1b/crypto/evp/e_null.c	2019-02-28 11:30:06.805745688 +0100
e4b8d1
@@ -19,7 +19,8 @@ static int null_cipher(EVP_CIPHER_CTX *c
e4b8d1
                        const unsigned char *in, size_t inl);
e4b8d1
 static const EVP_CIPHER n_cipher = {
e4b8d1
     NID_undef,
e4b8d1
-    1, 0, 0, 0,
e4b8d1
+    1, 0, 0,
e4b8d1
+    EVP_CIPH_FLAG_FIPS,
e4b8d1
     null_init_key,
e4b8d1
     null_cipher,
e4b8d1
     NULL,
782d48
diff -up openssl-1.1.1b/crypto/evp/evp_enc.c.fips openssl-1.1.1b/crypto/evp/evp_enc.c
782d48
--- openssl-1.1.1b/crypto/evp/evp_enc.c.fips	2019-02-26 15:15:30.000000000 +0100
782d48
+++ openssl-1.1.1b/crypto/evp/evp_enc.c	2019-02-28 11:30:06.805745688 +0100
e4b8d1
@@ -17,10 +17,19 @@
e4b8d1
 #include <openssl/engine.h>
e4b8d1
 #include "internal/evp_int.h"
e4b8d1
 #include "evp_locl.h"
e4b8d1
+#ifdef OPENSSL_FIPS
e4b8d1
+# include <openssl/fips.h>
e4b8d1
+#endif
e4b8d1
 
e4b8d1
 int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *c)
e4b8d1
 {
e4b8d1
-    if (c == NULL)
e4b8d1
+#ifdef OPENSSL_FIPS
e4b8d1
+    if (FIPS_selftest_failed()) {
e4b8d1
+        FIPSerr(FIPS_F_EVP_CIPHER_CTX_RESET, FIPS_R_FIPS_SELFTEST_FAILED);
e4b8d1
+        return 0;
e4b8d1
+    }
e4b8d1
+#endif
e4b8d1
+   if (c == NULL)
e4b8d1
         return 1;
e4b8d1
     if (c->cipher != NULL) {
e4b8d1
         if (c->cipher->cleanup && !c->cipher->cleanup(c))
e4b8d1
@@ -39,6 +48,12 @@ int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX
e4b8d1
 
e4b8d1
 EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void)
e4b8d1
 {
e4b8d1
+#ifdef OPENSSL_FIPS
e4b8d1
+    if (FIPS_selftest_failed()) {
e4b8d1
+        FIPSerr(FIPS_F_EVP_CIPHER_CTX_NEW, FIPS_R_FIPS_SELFTEST_FAILED);
e4b8d1
+        return NULL;
e4b8d1
+    }
e4b8d1
+#endif
e4b8d1
     return OPENSSL_zalloc(sizeof(EVP_CIPHER_CTX));
e4b8d1
 }
e4b8d1
 
e4b8d1
@@ -67,6 +82,12 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct
e4b8d1
             enc = 1;
e4b8d1
         ctx->encrypt = enc;
e4b8d1
     }
e4b8d1
+#ifdef OPENSSL_FIPS
e4b8d1
+    if (FIPS_selftest_failed()) {
e4b8d1
+        FIPSerr(FIPS_F_EVP_CIPHERINIT_EX, FIPS_R_FIPS_SELFTEST_FAILED);
e4b8d1
+        return 0;
e4b8d1
+    }
e4b8d1
+#endif
e4b8d1
 #ifndef OPENSSL_NO_ENGINE
e4b8d1
     /*
e4b8d1
      * Whether it's nice or not, "Inits" can be used on "Final"'d contexts so
e4b8d1
@@ -136,7 +157,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct
e4b8d1
         }
e4b8d1
         ctx->key_len = cipher->key_len;
e4b8d1
         /* Preserve wrap enable flag, zero everything else */
e4b8d1
-        ctx->flags &= EVP_CIPHER_CTX_FLAG_WRAP_ALLOW;
e4b8d1
+        ctx->flags &= EVP_CIPHER_CTX_FLAG_WRAP_ALLOW | EVP_CIPH_FLAG_NON_FIPS_ALLOW;
e4b8d1
         if (ctx->cipher->flags & EVP_CIPH_CTRL_INIT) {
e4b8d1
             if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_INIT, 0, NULL)) {
e4b8d1
                 ctx->cipher = NULL;
e4b8d1
@@ -195,6 +216,18 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct
e4b8d1
             return 0;
e4b8d1
         }
e4b8d1
     }
e4b8d1
+#ifdef OPENSSL_FIPS
e4b8d1
+    /* After 'key' is set no further parameters changes are permissible.
e4b8d1
+     * So only check for non FIPS enabling at this point.
e4b8d1
+     */
e4b8d1
+    if (key && FIPS_mode()) {
e4b8d1
+        if (!(ctx->cipher->flags & EVP_CIPH_FLAG_FIPS)
e4b8d1
+            & !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)) {
e4b8d1
+            EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_DISABLED_FOR_FIPS);
e4b8d1
+            return 0;
e4b8d1
+        }
e4b8d1
+    }
e4b8d1
+#endif
e4b8d1
 
e4b8d1
     if (key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) {
e4b8d1
         if (!ctx->cipher->init(ctx, key, iv, enc))
782d48
diff -up openssl-1.1.1b/crypto/evp/evp_err.c.fips openssl-1.1.1b/crypto/evp/evp_err.c
782d48
--- openssl-1.1.1b/crypto/evp/evp_err.c.fips	2019-02-26 15:15:30.000000000 +0100
782d48
+++ openssl-1.1.1b/crypto/evp/evp_err.c	2019-05-06 16:41:08.565739361 +0200
782d48
@@ -15,11 +15,16 @@
782d48
 
782d48
 static const ERR_STRING_DATA EVP_str_functs[] = {
782d48
     {ERR_PACK(ERR_LIB_EVP, EVP_F_AESNI_INIT_KEY, 0), "aesni_init_key"},
782d48
+    {ERR_PACK(ERR_LIB_EVP, EVP_F_AESNI_XTS_INIT_KEY, 0), "aesni_xts_init_key"},
782d48
     {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_GCM_CTRL, 0), "aes_gcm_ctrl"},
782d48
     {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_INIT_KEY, 0), "aes_init_key"},
e4b8d1
     {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_OCB_CIPHER, 0), "aes_ocb_cipher"},
e4b8d1
     {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_T4_INIT_KEY, 0), "aes_t4_init_key"},
782d48
+    {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_T4_XTS_INIT_KEY, 0),
782d48
+     "aes_t4_xts_init_key"},
e4b8d1
     {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_WRAP_CIPHER, 0), "aes_wrap_cipher"},
e4b8d1
+    {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_XTS_CIPHER, 0), "aes_xts_cipher"},
782d48
+    {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_XTS_INIT_KEY, 0), "aes_xts_init_key"},
e4b8d1
     {ERR_PACK(ERR_LIB_EVP, EVP_F_ALG_MODULE_INIT, 0), "alg_module_init"},
e4b8d1
     {ERR_PACK(ERR_LIB_EVP, EVP_F_ARIA_CCM_INIT_KEY, 0), "aria_ccm_init_key"},
e4b8d1
     {ERR_PACK(ERR_LIB_EVP, EVP_F_ARIA_GCM_CTRL, 0), "aria_gcm_ctrl"},
782d48
@@ -179,6 +180,7 @@ static const ERR_STRING_DATA EVP_str_rea
e4b8d1
     "different key types"},
e4b8d1
     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_DIFFERENT_PARAMETERS),
e4b8d1
     "different parameters"},
e4b8d1
+    {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_DISABLED_FOR_FIPS), "disabled for FIPS"},
e4b8d1
     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_ERROR_LOADING_SECTION),
e4b8d1
     "error loading section"},
e4b8d1
     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_ERROR_SETTING_FIPS_MODE),
782d48
@@ -241,6 +243,7 @@ static const ERR_STRING_DATA EVP_str_rea
e4b8d1
     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PRIVATE_KEY_ENCODE_ERROR),
e4b8d1
     "private key encode error"},
e4b8d1
     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PUBLIC_KEY_NOT_RSA), "public key not rsa"},
e4b8d1
+    {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_TOO_LARGE), "too large"},
e4b8d1
     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_CIPHER), "unknown cipher"},
e4b8d1
     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_DIGEST), "unknown digest"},
e4b8d1
     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_OPTION), "unknown option"},
782d48
@@ -266,6 +269,10 @@ static const ERR_STRING_DATA EVP_str_rea
782d48
     "wrap mode not allowed"},
782d48
     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_WRONG_FINAL_BLOCK_LENGTH),
782d48
     "wrong final block length"},
782d48
+    {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_XTS_DATA_UNIT_IS_TOO_LARGE),
782d48
+    "xts data unit is too large"},
782d48
+    {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_XTS_DUPLICATED_KEYS),
782d48
+    "xts duplicated keys"},
782d48
     {0, NULL}
782d48
 };
782d48
 
782d48
diff -up openssl-1.1.1b/crypto/evp/evp_lib.c.fips openssl-1.1.1b/crypto/evp/evp_lib.c
782d48
--- openssl-1.1.1b/crypto/evp/evp_lib.c.fips	2019-02-26 15:15:30.000000000 +0100
782d48
+++ openssl-1.1.1b/crypto/evp/evp_lib.c	2019-02-28 11:30:06.806745670 +0100
e4b8d1
@@ -192,6 +192,9 @@ int EVP_CIPHER_impl_ctx_size(const EVP_C
e4b8d1
 int EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
e4b8d1
                const unsigned char *in, unsigned int inl)
e4b8d1
 {
e4b8d1
+#ifdef OPENSSL_FIPS
e4b8d1
+    FIPS_selftest_check();
e4b8d1
+#endif
e4b8d1
     return ctx->cipher->do_cipher(ctx, out, in, inl);
e4b8d1
 }
e4b8d1
 
782d48
diff -up openssl-1.1.1b/crypto/evp/m_sha1.c.fips openssl-1.1.1b/crypto/evp/m_sha1.c
782d48
--- openssl-1.1.1b/crypto/evp/m_sha1.c.fips	2019-02-26 15:15:30.000000000 +0100
782d48
+++ openssl-1.1.1b/crypto/evp/m_sha1.c	2019-02-28 11:30:06.806745670 +0100
e4b8d1
@@ -95,7 +95,7 @@ static const EVP_MD sha1_md = {
e4b8d1
     NID_sha1,
e4b8d1
     NID_sha1WithRSAEncryption,
e4b8d1
     SHA_DIGEST_LENGTH,
e4b8d1
-    EVP_MD_FLAG_DIGALGID_ABSENT,
e4b8d1
+    EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS,
e4b8d1
     init,
e4b8d1
     update,
e4b8d1
     final,
e4b8d1
@@ -145,7 +145,7 @@ static const EVP_MD sha224_md = {
e4b8d1
     NID_sha224,
e4b8d1
     NID_sha224WithRSAEncryption,
e4b8d1
     SHA224_DIGEST_LENGTH,
e4b8d1
-    EVP_MD_FLAG_DIGALGID_ABSENT,
e4b8d1
+    EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS,
e4b8d1
     init224,
e4b8d1
     update224,
e4b8d1
     final224,
e4b8d1
@@ -164,7 +164,7 @@ static const EVP_MD sha256_md = {
e4b8d1
     NID_sha256,
e4b8d1
     NID_sha256WithRSAEncryption,
e4b8d1
     SHA256_DIGEST_LENGTH,
e4b8d1
-    EVP_MD_FLAG_DIGALGID_ABSENT,
e4b8d1
+    EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS,
e4b8d1
     init256,
e4b8d1
     update256,
e4b8d1
     final256,
e4b8d1
@@ -224,7 +224,7 @@ static const EVP_MD sha512_224_md = {
e4b8d1
     NID_sha512_224,
e4b8d1
     NID_sha512_224WithRSAEncryption,
e4b8d1
     SHA224_DIGEST_LENGTH,
e4b8d1
-    EVP_MD_FLAG_DIGALGID_ABSENT,
e4b8d1
+    EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS,
e4b8d1
     init512_224,
e4b8d1
     update512,
e4b8d1
     final512,
e4b8d1
@@ -243,7 +243,7 @@ static const EVP_MD sha512_256_md = {
e4b8d1
     NID_sha512_256,
e4b8d1
     NID_sha512_256WithRSAEncryption,
e4b8d1
     SHA256_DIGEST_LENGTH,
e4b8d1
-    EVP_MD_FLAG_DIGALGID_ABSENT,
e4b8d1
+    EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS,
e4b8d1
     init512_256,
e4b8d1
     update512,
e4b8d1
     final512,
e4b8d1
@@ -262,7 +262,7 @@ static const EVP_MD sha384_md = {
e4b8d1
     NID_sha384,
e4b8d1
     NID_sha384WithRSAEncryption,
e4b8d1
     SHA384_DIGEST_LENGTH,
e4b8d1
-    EVP_MD_FLAG_DIGALGID_ABSENT,
e4b8d1
+    EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS,
e4b8d1
     init384,
e4b8d1
     update384,
e4b8d1
     final384,
e4b8d1
@@ -281,7 +281,7 @@ static const EVP_MD sha512_md = {
e4b8d1
     NID_sha512,
e4b8d1
     NID_sha512WithRSAEncryption,
e4b8d1
     SHA512_DIGEST_LENGTH,
e4b8d1
-    EVP_MD_FLAG_DIGALGID_ABSENT,
e4b8d1
+    EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS,
e4b8d1
     init512,
e4b8d1
     update512,
e4b8d1
     final512,
782d48
diff -up openssl-1.1.1b/crypto/evp/m_sha3.c.fips openssl-1.1.1b/crypto/evp/m_sha3.c
782d48
--- openssl-1.1.1b/crypto/evp/m_sha3.c.fips	2019-02-26 15:15:30.000000000 +0100
782d48
+++ openssl-1.1.1b/crypto/evp/m_sha3.c	2019-05-06 16:12:23.012851747 +0200
782d48
@@ -292,7 +292,7 @@ const EVP_MD *EVP_sha3_##bitlen(void)
782d48
         NID_sha3_##bitlen,                           \
782d48
         NID_RSA_SHA3_##bitlen,                       \
782d48
         bitlen / 8,                                  \
782d48
-        EVP_MD_FLAG_DIGALGID_ABSENT,                 \
782d48
+        EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, \
782d48
         s390x_sha3_init,                             \
782d48
         s390x_sha3_update,                           \
782d48
         s390x_sha3_final,                            \
782d48
@@ -305,7 +305,7 @@ const EVP_MD *EVP_sha3_##bitlen(void)
782d48
         NID_sha3_##bitlen,                           \
782d48
         NID_RSA_SHA3_##bitlen,                       \
782d48
         bitlen / 8,                                  \
782d48
-        EVP_MD_FLAG_DIGALGID_ABSENT,                 \
782d48
+        EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, \
782d48
         sha3_init,                                   \
782d48
         sha3_update,                                 \
782d48
         sha3_final,                                  \
782d48
@@ -326,7 +326,7 @@ const EVP_MD *EVP_shake##bitlen(void)
782d48
         NID_shake##bitlen,                           \
782d48
         0,                                           \
782d48
         bitlen / 8,                                  \
782d48
-        EVP_MD_FLAG_XOF,                             \
782d48
+        EVP_MD_FLAG_XOF | EVP_MD_FLAG_FIPS,          \
782d48
         s390x_shake_init,                            \
782d48
         s390x_sha3_update,                           \
782d48
         s390x_shake_final,                           \
782d48
@@ -340,7 +340,7 @@ const EVP_MD *EVP_shake##bitlen(void)
782d48
         NID_shake##bitlen,                           \
782d48
         0,                                           \
782d48
         bitlen / 8,                                  \
782d48
-        EVP_MD_FLAG_XOF,                             \
782d48
+        EVP_MD_FLAG_XOF | EVP_MD_FLAG_FIPS,          \
782d48
         shake_init,                                  \
782d48
         sha3_update,                                 \
782d48
         sha3_final,                                  \
782d48
@@ -364,7 +364,7 @@ const EVP_MD *EVP_sha3_##bitlen(void)
782d48
         NID_sha3_##bitlen,                      \
782d48
         NID_RSA_SHA3_##bitlen,                  \
782d48
         bitlen / 8,                             \
782d48
-        EVP_MD_FLAG_DIGALGID_ABSENT,            \
782d48
+        EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, \
782d48
         sha3_init,                              \
782d48
         sha3_update,                            \
782d48
         sha3_final,                             \
782d48
@@ -383,7 +383,7 @@ const EVP_MD *EVP_shake##bitlen(void)
782d48
         NID_shake##bitlen,                      \
782d48
         0,                                      \
782d48
         bitlen / 8,                             \
782d48
-        EVP_MD_FLAG_XOF,                        \
782d48
+        EVP_MD_FLAG_XOF | EVP_MD_FLAG_FIPS,     \
782d48
         shake_init,                             \
782d48
         sha3_update,                            \
782d48
         sha3_final,                             \
782d48
diff -up openssl-1.1.1b/crypto/evp/pmeth_lib.c.fips openssl-1.1.1b/crypto/evp/pmeth_lib.c
782d48
--- openssl-1.1.1b/crypto/evp/pmeth_lib.c.fips	2019-02-26 15:15:30.000000000 +0100
782d48
+++ openssl-1.1.1b/crypto/evp/pmeth_lib.c	2019-05-06 15:11:33.207095983 +0200
782d48
@@ -131,7 +131,15 @@ static EVP_PKEY_CTX *int_ctx_new(EVP_PKE
782d48
         pmeth = ENGINE_get_pkey_meth(e, id);
782d48
     else
782d48
 #endif
782d48
+    {
782d48
         pmeth = EVP_PKEY_meth_find(id);
782d48
+#ifdef OPENSSL_FIPS
782d48
+        if (pmeth && !(pmeth->flags & EVP_PKEY_FLAG_FIPS) && FIPS_mode()) {
782d48
+            EVPerr(EVP_F_INT_CTX_NEW, EVP_R_DISABLED_FOR_FIPS);
782d48
+            return NULL;
782d48
+        }
782d48
+#endif
782d48
+    }
782d48
 
782d48
     if (pmeth == NULL) {
782d48
 #ifndef OPENSSL_NO_ENGINE
782d48
diff -up openssl-1.1.1b/crypto/fips/build.info.fips openssl-1.1.1b/crypto/fips/build.info
782d48
--- openssl-1.1.1b/crypto/fips/build.info.fips	2019-02-28 11:30:06.806745670 +0100
782d48
+++ openssl-1.1.1b/crypto/fips/build.info	2019-02-28 11:30:06.806745670 +0100
e4b8d1
@@ -0,0 +1,15 @@
e4b8d1
+LIBS=../../libcrypto
e4b8d1
+SOURCE[../../libcrypto]=\
e4b8d1
+        fips_aes_selftest.c fips_des_selftest.c fips_hmac_selftest.c \
e4b8d1
+        fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c \
e4b8d1
+        fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \
e4b8d1
+        fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \
e4b8d1
+        fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c \
782d48
+        fips_dh_selftest.c fips_ers.c
e4b8d1
+
e4b8d1
+PROGRAMS_NO_INST=\
e4b8d1
+          fips_standalone_hmac
e4b8d1
+
e4b8d1
+SOURCE[fips_standalone_hmac]=fips_standalone_hmac.c
e4b8d1
+INCLUDE[fips_standalone_hmac]=../../include
e4b8d1
+DEPEND[fips_standalone_hmac]=../../libcrypto
782d48
diff -up openssl-1.1.1b/crypto/fips/fips_aes_selftest.c.fips openssl-1.1.1b/crypto/fips/fips_aes_selftest.c
782d48
--- openssl-1.1.1b/crypto/fips/fips_aes_selftest.c.fips	2019-02-28 11:30:06.807745651 +0100
782d48
+++ openssl-1.1.1b/crypto/fips/fips_aes_selftest.c	2019-02-28 11:30:06.807745651 +0100
e4b8d1
@@ -0,0 +1,372 @@
e4b8d1
+/* ====================================================================
e4b8d1
+ * Copyright (c) 2003 The OpenSSL Project.  All rights reserved.
e4b8d1
+ *
e4b8d1
+ * Redistribution and use in source and binary forms, with or without
e4b8d1
+ * modification, are permitted provided that the following conditions
e4b8d1
+ * are met:
e4b8d1
+ *
e4b8d1
+ * 1. Redistributions of source code must retain the above copyright
e4b8d1
+ *    notice, this list of conditions and the following disclaimer. 
e4b8d1
+ *
e4b8d1
+ * 2. Redistributions in binary form must reproduce the above copyright
e4b8d1
+ *    notice, this list of conditions and the following disclaimer in
e4b8d1
+ *    the documentation and/or other materials provided with the
e4b8d1
+ *    distribution.
e4b8d1
+ *
e4b8d1
+ * 3. All advertising materials mentioning features or use of this
e4b8d1
+ *    software must display the following acknowledgment:
e4b8d1
+ *    "This product includes software developed by the OpenSSL Project
e4b8d1
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
e4b8d1
+ *
e4b8d1
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
e4b8d1
+ *    endorse or promote products derived from this software without
e4b8d1
+ *    prior written permission. For written permission, please contact
e4b8d1
+ *    openssl-core@openssl.org.
e4b8d1
+ *
e4b8d1
+ * 5. Products derived from this software may not be called "OpenSSL"
e4b8d1
+ *    nor may "OpenSSL" appear in their names without prior written
e4b8d1
+ *    permission of the OpenSSL Project.
e4b8d1
+ *
e4b8d1
+ * 6. Redistributions of any form whatsoever must retain the following
e4b8d1
+ *    acknowledgment:
e4b8d1
+ *    "This product includes software developed by the OpenSSL Project
e4b8d1
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
e4b8d1
+ *
e4b8d1
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
e4b8d1
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
e4b8d1
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
e4b8d1
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
e4b8d1
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
e4b8d1
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
e4b8d1
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
e4b8d1
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
e4b8d1
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
e4b8d1
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
e4b8d1
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
e4b8d1
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
e4b8d1
+ *
e4b8d1
+ */
e4b8d1
+
e4b8d1
+#include <string.h>
e4b8d1
+#include <openssl/err.h>
e4b8d1
+#ifdef OPENSSL_FIPS
e4b8d1
+# include <openssl/fips.h>
e4b8d1
+# include "internal/fips_int.h"
e4b8d1
+#endif
e4b8d1
+
e4b8d1
+#ifdef OPENSSL_FIPS
e4b8d1
+static const struct {
e4b8d1
+    const unsigned char key[16];
e4b8d1
+    const unsigned char plaintext[16];
e4b8d1
+    const unsigned char ciphertext[16];
e4b8d1
+} tests[] = {
e4b8d1
+    {
e4b8d1
+        {
e4b8d1
+        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
e4b8d1
+                0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F}, {
e4b8d1
+        0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
e4b8d1
+                0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF}, {
e4b8d1
+0x69, 0xC4, 0xE0, 0xD8, 0x6A, 0x7B, 0x04, 0x30,
e4b8d1
+                0xD8, 0xCD, 0xB7, 0x80, 0x70, 0xB4, 0xC5, 0x5A},},};
e4b8d1
+
e4b8d1
+int FIPS_selftest_aes()
e4b8d1
+{
e4b8d1
+    int n;
e4b8d1
+    int ret = 0;
e4b8d1
+    EVP_CIPHER_CTX *ctx;
e4b8d1
+
e4b8d1
+    ctx = EVP_CIPHER_CTX_new();
e4b8d1
+    if (ctx == NULL)
e4b8d1
+        goto err;
e4b8d1
+
e4b8d1
+    for (n = 0; n < 1; ++n) {
e4b8d1
+        unsigned char key[16];
e4b8d1
+
e4b8d1
+        memcpy(key, tests[n].key, sizeof(key));
e4b8d1
+        if (fips_cipher_test(ctx, EVP_aes_128_ecb(),
e4b8d1
+                             key, NULL,
e4b8d1
+                             tests[n].plaintext,
e4b8d1
+                             tests[n].ciphertext, 16) <= 0)
e4b8d1
+            goto err;
e4b8d1
+    }
e4b8d1
+    ret = 1;
e4b8d1
+ err:
e4b8d1
+    EVP_CIPHER_CTX_free(ctx);
e4b8d1
+    if (ret == 0)
e4b8d1
+        FIPSerr(FIPS_F_FIPS_SELFTEST_AES, FIPS_R_SELFTEST_FAILED);
e4b8d1
+    return ret;
e4b8d1
+}
e4b8d1
+
e4b8d1
+/* AES-CCM test data from NIST public test vectors */
e4b8d1
+
e4b8d1
+static const unsigned char ccm_key[] = {
e4b8d1
+    0xce, 0xb0, 0x09, 0xae, 0xa4, 0x45, 0x44, 0x51, 0xfe, 0xad, 0xf0, 0xe6,
e4b8d1
+    0xb3, 0x6f, 0x45, 0x55, 0x5d, 0xd0, 0x47, 0x23, 0xba, 0xa4, 0x48, 0xe8
e4b8d1
+};
e4b8d1
+
e4b8d1
+static const unsigned char ccm_nonce[] = {
e4b8d1
+    0x76, 0x40, 0x43, 0xc4, 0x94, 0x60, 0xb7
e4b8d1
+};
e4b8d1
+
e4b8d1
+static const unsigned char ccm_adata[] = {
e4b8d1
+    0x6e, 0x80, 0xdd, 0x7f, 0x1b, 0xad, 0xf3, 0xa1, 0xc9, 0xab, 0x25, 0xc7,
e4b8d1
+    0x5f, 0x10, 0xbd, 0xe7, 0x8c, 0x23, 0xfa, 0x0e, 0xb8, 0xf9, 0xaa, 0xa5,
e4b8d1
+    0x3a, 0xde, 0xfb, 0xf4, 0xcb, 0xf7, 0x8f, 0xe4
e4b8d1
+};
e4b8d1
+
e4b8d1
+static const unsigned char ccm_pt[] = {
e4b8d1
+    0xc8, 0xd2, 0x75, 0xf9, 0x19, 0xe1, 0x7d, 0x7f, 0xe6, 0x9c, 0x2a, 0x1f,
e4b8d1
+    0x58, 0x93, 0x9d, 0xfe, 0x4d, 0x40, 0x37, 0x91, 0xb5, 0xdf, 0x13, 0x10
e4b8d1
+};
e4b8d1
+
e4b8d1
+static const unsigned char ccm_ct[] = {
e4b8d1
+    0x8a, 0x0f, 0x3d, 0x82, 0x29, 0xe4, 0x8e, 0x74, 0x87, 0xfd, 0x95, 0xa2,
e4b8d1
+    0x8a, 0xd3, 0x92, 0xc8, 0x0b, 0x36, 0x81, 0xd4, 0xfb, 0xc7, 0xbb, 0xfd
e4b8d1
+};
e4b8d1
+
e4b8d1
+static const unsigned char ccm_tag[] = {
e4b8d1
+    0x2d, 0xd6, 0xef, 0x1c, 0x45, 0xd4, 0xcc, 0xb7, 0x23, 0xdc, 0x07, 0x44,
e4b8d1
+    0x14, 0xdb, 0x50, 0x6d
e4b8d1
+};
e4b8d1
+
e4b8d1
+int FIPS_selftest_aes_ccm(void)
e4b8d1
+{
e4b8d1
+    int ret = 0;
e4b8d1
+    unsigned char out[128], tag[16];
e4b8d1
+    EVP_CIPHER_CTX *ctx;
e4b8d1
+
e4b8d1
+    ctx = EVP_CIPHER_CTX_new();
e4b8d1
+    if (ctx == NULL)
e4b8d1
+        goto err;
e4b8d1
+
e4b8d1
+    memset(out, 0, sizeof(out));
e4b8d1
+    if (!EVP_CipherInit_ex(ctx, EVP_aes_192_ccm(), NULL, NULL, NULL, 1))
e4b8d1
+        goto err;
e4b8d1
+    if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_IVLEN,
e4b8d1
+                             sizeof(ccm_nonce), NULL))
e4b8d1
+        goto err;
e4b8d1
+    if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG,
e4b8d1
+                             sizeof(ccm_tag), NULL))
e4b8d1
+        goto err;
e4b8d1
+    if (!EVP_CipherInit_ex(ctx, NULL, NULL, ccm_key, ccm_nonce, 1))
e4b8d1
+        goto err;
e4b8d1
+    if (EVP_Cipher(ctx, NULL, NULL, sizeof(ccm_pt)) != sizeof(ccm_pt))
e4b8d1
+        goto err;
e4b8d1
+    if (EVP_Cipher(ctx, NULL, ccm_adata, sizeof(ccm_adata)) < 0)
e4b8d1
+        goto err;
e4b8d1
+    if (EVP_Cipher(ctx, out, ccm_pt, sizeof(ccm_pt)) != sizeof(ccm_ct))
e4b8d1
+        goto err;
e4b8d1
+
e4b8d1
+    if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_GET_TAG, 16, tag))
e4b8d1
+        goto err;
e4b8d1
+    if (memcmp(tag, ccm_tag, sizeof(ccm_tag))
e4b8d1
+        || memcmp(out, ccm_ct, sizeof(ccm_ct)))
e4b8d1
+        goto err;
e4b8d1
+
e4b8d1
+    memset(out, 0, sizeof(out));
e4b8d1
+
e4b8d1
+    if (!EVP_CipherInit_ex(ctx, EVP_aes_192_ccm(), NULL, NULL, NULL, 0))
e4b8d1
+        goto err;
e4b8d1
+    if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_IVLEN,
e4b8d1
+                             sizeof(ccm_nonce), NULL))
e4b8d1
+        goto err;
e4b8d1
+    if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG, 16, tag))
e4b8d1
+        goto err;
e4b8d1
+    if (!EVP_CipherInit_ex(ctx, NULL, NULL, ccm_key, ccm_nonce, 0))
e4b8d1
+        goto err;
e4b8d1
+    if (EVP_Cipher(ctx, NULL, NULL, sizeof(ccm_ct)) != sizeof(ccm_ct))
e4b8d1
+        goto err;
e4b8d1
+    if (EVP_Cipher(ctx, NULL, ccm_adata, sizeof(ccm_adata)) < 0)
e4b8d1
+        goto err;
e4b8d1
+    if (EVP_Cipher(ctx, out, ccm_ct, sizeof(ccm_ct)) != sizeof(ccm_pt))
e4b8d1
+        goto err;
e4b8d1
+
e4b8d1
+    if (memcmp(out, ccm_pt, sizeof(ccm_pt)))
e4b8d1
+        goto err;
e4b8d1
+
e4b8d1
+    ret = 1;
e4b8d1
+
e4b8d1
+ err:
e4b8d1
+    EVP_CIPHER_CTX_free(ctx);
e4b8d1
+
e4b8d1
+    if (ret == 0) {
e4b8d1
+        FIPSerr(FIPS_F_FIPS_SELFTEST_AES_CCM, FIPS_R_SELFTEST_FAILED);
e4b8d1
+        return 0;
e4b8d1
+    } else
e4b8d1
+        return ret;
e4b8d1
+
e4b8d1
+}
e4b8d1
+
e4b8d1
+/* AES-GCM test data from NIST public test vectors */
e4b8d1
+
e4b8d1
+static const unsigned char gcm_key[] = {
e4b8d1
+    0xee, 0xbc, 0x1f, 0x57, 0x48, 0x7f, 0x51, 0x92, 0x1c, 0x04, 0x65, 0x66,
e4b8d1
+    0x5f, 0x8a, 0xe6, 0xd1, 0x65, 0x8b, 0xb2, 0x6d, 0xe6, 0xf8, 0xa0, 0x69,
e4b8d1
+    0xa3, 0x52, 0x02, 0x93, 0xa5, 0x72, 0x07, 0x8f
e4b8d1
+};
e4b8d1
+
e4b8d1
+static const unsigned char gcm_iv[] = {
e4b8d1
+    0x99, 0xaa, 0x3e, 0x68, 0xed, 0x81, 0x73, 0xa0, 0xee, 0xd0, 0x66, 0x84
e4b8d1
+};
e4b8d1
+
e4b8d1
+static const unsigned char gcm_pt[] = {
e4b8d1
+    0xf5, 0x6e, 0x87, 0x05, 0x5b, 0xc3, 0x2d, 0x0e, 0xeb, 0x31, 0xb2, 0xea,
e4b8d1
+    0xcc, 0x2b, 0xf2, 0xa5
e4b8d1
+};
e4b8d1
+
e4b8d1
+static const unsigned char gcm_aad[] = {
e4b8d1
+    0x4d, 0x23, 0xc3, 0xce, 0xc3, 0x34, 0xb4, 0x9b, 0xdb, 0x37, 0x0c, 0x43,
e4b8d1
+    0x7f, 0xec, 0x78, 0xde
e4b8d1
+};
e4b8d1
+
e4b8d1
+static const unsigned char gcm_ct[] = {
e4b8d1
+    0xf7, 0x26, 0x44, 0x13, 0xa8, 0x4c, 0x0e, 0x7c, 0xd5, 0x36, 0x86, 0x7e,
e4b8d1
+    0xb9, 0xf2, 0x17, 0x36
e4b8d1
+};
e4b8d1
+
e4b8d1
+static const unsigned char gcm_tag[] = {
e4b8d1
+    0x67, 0xba, 0x05, 0x10, 0x26, 0x2a, 0xe4, 0x87, 0xd7, 0x37, 0xee, 0x62,
e4b8d1
+    0x98, 0xf7, 0x7e, 0x0c
e4b8d1
+};
e4b8d1
+
e4b8d1
+int FIPS_selftest_aes_gcm(void)
e4b8d1
+{
e4b8d1
+    int ret = 0;
e4b8d1
+    unsigned char out[128], tag[16];
e4b8d1
+    EVP_CIPHER_CTX *ctx;
e4b8d1
+
e4b8d1
+    ctx = EVP_CIPHER_CTX_new();
e4b8d1
+    if (ctx == NULL)
e4b8d1
+        goto err;
e4b8d1
+
e4b8d1
+    memset(out, 0, sizeof(out));
e4b8d1
+    memset(tag, 0, sizeof(tag));
e4b8d1
+    if (!EVP_CipherInit_ex(ctx, EVP_aes_256_gcm(), NULL, NULL, NULL, 1))
e4b8d1
+        goto err;
e4b8d1
+    if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN,
e4b8d1
+                             sizeof(gcm_iv), NULL))
e4b8d1
+        goto err;
e4b8d1
+    if (!EVP_CipherInit_ex(ctx, NULL, NULL, gcm_key, gcm_iv, 1))
e4b8d1
+        goto err;
e4b8d1
+    if (EVP_Cipher(ctx, NULL, gcm_aad, sizeof(gcm_aad)) < 0)
e4b8d1
+        goto err;
e4b8d1
+    if (EVP_Cipher(ctx, out, gcm_pt, sizeof(gcm_pt)) != sizeof(gcm_ct))
e4b8d1
+        goto err;
e4b8d1
+    if (EVP_Cipher(ctx, NULL, NULL, 0) < 0)
e4b8d1
+        goto err;
e4b8d1
+
e4b8d1
+    if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, 16, tag))
e4b8d1
+        goto err;
e4b8d1
+
e4b8d1
+    if (memcmp(tag, gcm_tag, 16) || memcmp(out, gcm_ct, 16))
e4b8d1
+        goto err;
e4b8d1
+
e4b8d1
+    memset(out, 0, sizeof(out));
e4b8d1
+
e4b8d1
+    if (!EVP_CipherInit_ex(ctx, EVP_aes_256_gcm(), NULL, NULL, NULL, 0))
e4b8d1
+        goto err;
e4b8d1
+    if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN,
e4b8d1
+                             sizeof(gcm_iv), NULL))
e4b8d1
+        goto err;
e4b8d1
+    if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, 16, tag))
e4b8d1
+        goto err;
e4b8d1
+    if (!EVP_CipherInit_ex(ctx, NULL, NULL, gcm_key, gcm_iv, 0))
e4b8d1
+        goto err;
e4b8d1
+    if (EVP_Cipher(ctx, NULL, gcm_aad, sizeof(gcm_aad)) < 0)
e4b8d1
+        goto err;
e4b8d1
+    if (EVP_Cipher(ctx, out, gcm_ct, sizeof(gcm_ct)) != sizeof(gcm_pt))
e4b8d1
+        goto err;
e4b8d1
+    if (EVP_Cipher(ctx, NULL, NULL, 0) < 0)
e4b8d1
+        goto err;
e4b8d1
+
e4b8d1
+    if (memcmp(out, gcm_pt, 16))
e4b8d1
+        goto err;
e4b8d1
+
e4b8d1
+    ret = 1;
e4b8d1
+
e4b8d1
+ err:
e4b8d1
+    EVP_CIPHER_CTX_free(ctx);
e4b8d1
+
e4b8d1
+    if (ret == 0) {
e4b8d1
+        FIPSerr(FIPS_F_FIPS_SELFTEST_AES_GCM, FIPS_R_SELFTEST_FAILED);
e4b8d1
+        return 0;
e4b8d1
+    } else
e4b8d1
+        return ret;
e4b8d1
+
e4b8d1
+}
e4b8d1
+
e4b8d1
+static const unsigned char XTS_128_key[] = {