diff --git a/.gitignore b/.gitignore
index afdd0e7..01ff985 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/openssl-1.0.1e-hobbled.tar.xz
+SOURCES/openssl-1.0.2k-hobbled.tar.xz
diff --git a/.openssl.metadata b/.openssl.metadata
index e6892fa..d7cb582 100644
--- a/.openssl.metadata
+++ b/.openssl.metadata
@@ -1 +1 @@
-95086e8de8260fc514fc8df683a96237308c5e37 SOURCES/openssl-1.0.1e-hobbled.tar.xz
+06ae179d01fcde6a4594bf4023f863290a7f050c SOURCES/openssl-1.0.2k-hobbled.tar.xz
diff --git a/SOURCES/Makefile.certificate b/SOURCES/Makefile.certificate
index 4f9d55d..cc88c52 100644
--- a/SOURCES/Makefile.certificate
+++ b/SOURCES/Makefile.certificate
@@ -1,8 +1,11 @@
UTF8 := $(shell locale -c LC_CTYPE -k | grep -q charmap.*UTF-8 && echo -utf8)
-SERIAL=0
DAYS=365
KEYLEN=2048
TYPE=rsa:$(KEYLEN)
+EXTRA_FLAGS=
+ifdef SERIAL
+ EXTRA_FLAGS+=-set_serial $(SERIAL)
+endif
.PHONY: usage
.SUFFIXES: .key .csr .crt .pem
@@ -23,8 +26,9 @@ usage:
@echo "To create a CSR for use with Apache, run \"make certreq\"."
@echo "To create a test certificate for use with Apache, run \"make testcert\"."
@echo
- @echo "To create a test certificate with serial number other than zero, add SERIAL=num"
+ @echo "To create a test certificate with serial number other than random, add SERIAL=num"
@echo "You can also specify key length with KEYLEN=n and expiration in days with DAYS=n"
+ @echo "Any additional options can be passed to openssl req via EXTRA_FLAGS"
@echo
@echo Examples:
@echo " make server.key"
@@ -35,14 +39,14 @@ usage:
@echo " make certreq"
@echo " make testcert"
@echo " make server.crt SERIAL=1"
- @echo " make stunnel.pem SERIAL=2"
- @echo " make testcert SERIAL=3"
+ @echo " make stunnel.pem EXTRA_FLAGS=-sha384"
+ @echo " make testcert DAYS=600"
%.pem:
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
- /usr/bin/openssl req $(UTF8) -newkey $(TYPE) -keyout $$PEM1 -nodes -x509 -days $(DAYS) -out $$PEM2 -set_serial $(SERIAL) ; \
+ /usr/bin/openssl req $(UTF8) -newkey $(TYPE) -keyout $$PEM1 -nodes -x509 -days $(DAYS) -out $$PEM2 $(EXTRA_FLAGS) ; \
cat $$PEM1 > $@ ; \
echo "" >> $@ ; \
cat $$PEM2 >> $@ ; \
@@ -58,7 +62,7 @@ usage:
%.crt: %.key
umask 77 ; \
- /usr/bin/openssl req $(UTF8) -new -key $^ -x509 -days $(DAYS) -out $@ -set_serial $(SERIAL)
+ /usr/bin/openssl req $(UTF8) -new -key $^ -x509 -days $(DAYS) -out $@ $(EXTRA_FLAGS)
TLSROOT=/etc/pki/tls
KEY=$(TLSROOT)/private/localhost.key
@@ -75,4 +79,4 @@ $(CSR): $(KEY)
$(CRT): $(KEY)
umask 77 ; \
- /usr/bin/openssl req $(UTF8) -new -key $(KEY) -x509 -days $(DAYS) -out $(CRT) -set_serial $(SERIAL)
+ /usr/bin/openssl req $(UTF8) -new -key $(KEY) -x509 -days $(DAYS) -out $(CRT) $(EXTRA_FLAGS)
diff --git a/SOURCES/README.FIPS b/SOURCES/README.FIPS
index eb17bca..bf3229b 100644
--- a/SOURCES/README.FIPS
+++ b/SOURCES/README.FIPS
@@ -6,10 +6,10 @@ Red Hat Enterprise Linux - OPENSSL Module.
The module files
================
-/usr/lib[64]/libcrypto.so.1.0.0d
-/usr/lib[64]/libssl.so.1.0.0d
-/usr/lib[64]/.libcrypto.so.1.0.0d.hmac
-/usr/lib[64]/.libssl.so.1.0.0d.hmac
+/usr/lib[64]/libcrypto.so.1.0.2j
+/usr/lib[64]/libssl.so.1.0.2j
+/usr/lib[64]/.libcrypto.so.1.0.2j.hmac
+/usr/lib[64]/.libssl.so.1.0.2j.hmac
Dependencies
============
diff --git a/SOURCES/README.legacy-settings b/SOURCES/README.legacy-settings
new file mode 100644
index 0000000..cf7068e
--- /dev/null
+++ b/SOURCES/README.legacy-settings
@@ -0,0 +1,53 @@
+Guide for legacy support enablement
+===================================
+
+To improve security provided by use of OpenSSL especially in context of
+TLS connections we regularly review and deprecate algorithms and algorithm
+settings which are no longer viewed as secure.
+
+For some of these deprecated algorithms we provide a way for the
+system administrator to reenable them.
+
+Deprecated algorithms, protocols and settings in OpenSSL
+========================================================
+
+Previous Red Hat Enterprise Linux 7 update releases:
+
+* SSL2 protocol disabled by default.
+* Minimum DH group size accepted by SSL/TLS client 768 bits.
+* Verification of certificates and signatures using MD5 hash
+ disabled.
+
+Red Hat Enterprise Linux 7.4:
+
+* SSL2 protocol support completely disabled (cannot be re-enabled).
+* All SSL/TLS export ciphers disabled.
+* All SSL/TLS ciphersuites with keys smaller than 128 bits disabled.
+* Minimum DH group size accepted by SSL/TLS client 1024 bits.
+* Disabled support for verification of certificates and signatures
+ using MD2, MD4, MD5, and SHA0 hashes.
+
+Legacy support enablement
+=========================
+
+The OpenSSL now supports /etc/pki/tls/legacy-settings configuration file
+which can be created by the system administrator which contains lines with
+simple Key Value pairs.
+
+The library recognizes the following possible configuration settings in
+that file:
+
+LegacySigningMDs md2 md5
+MinimumDHBits 512
+
+The LegacySigningMDs option allows reenabling support for verification of
+signatures with the specified hash algorithms. These can be any combination
+of md2, md4, md5 and sha. (sha represents SHA0 algorithm, not SHA1.) Any
+unrecognized algorithms are ignored.
+
+The MinimumDHBits option allows setting of the minimum bit size of DH group
+accepted by SSL/TLS client. It can be any value between 512 and 10000.
+
+If the configuration file is not present the built-in defaults (that is the
+secure defaults) are used. Any unrecognized lines (with other parameter
+names or comments) are ignored.
diff --git a/SOURCES/ec_curve.c b/SOURCES/ec_curve.c
index 0c287bf..ea3a479 100644
--- a/SOURCES/ec_curve.c
+++ b/SOURCES/ec_curve.c
@@ -10,7 +10,7 @@
* are met:
*
* 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
@@ -58,339 +58,398 @@
/* ====================================================================
* Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
*
- * Portions of the attached software ("Contribution") are developed by
+ * Portions of the attached software ("Contribution") are developed by
* SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
*
* The Contribution is licensed pursuant to the OpenSSL open source
* license provided above.
*
- * The elliptic curve binary polynomial software is originally written by
+ * The elliptic curve binary polynomial software is originally written by
* Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
*
*/
+#include <string.h>
#include "ec_lcl.h"
#include <openssl/err.h>
#include <openssl/obj_mac.h>
#include <openssl/opensslconf.h>
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
+#endif
+
typedef struct {
- int field_type, /* either NID_X9_62_prime_field or
- * NID_X9_62_characteristic_two_field */
- seed_len,
- param_len;
- unsigned int cofactor; /* promoted to BN_ULONG */
+ int field_type, /* either NID_X9_62_prime_field or
+ * NID_X9_62_characteristic_two_field */
+ seed_len, param_len;
+ unsigned int cofactor; /* promoted to BN_ULONG */
} EC_CURVE_DATA;
-static const struct { EC_CURVE_DATA h; unsigned char data[20+48*6]; }
- _EC_NIST_PRIME_384 = {
- { NID_X9_62_prime_field,20,48,1 },
- { 0xA3,0x35,0x92,0x6A,0xA3,0x19,0xA2,0x7A,0x1D,0x00, /* seed */
- 0x89,0x6A,0x67,0x73,0xA4,0x82,0x7A,0xCD,0xAC,0x73,
-
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* p */
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
- 0xFF,0xFE,0xFF,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00,
- 0x00,0x00,0x00,0x00,0xFF,0xFF,0xFF,0xFF,
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* a */
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
- 0xFF,0xFE,0xFF,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00,
- 0x00,0x00,0x00,0x00,0xFF,0xFF,0xFF,0xFC,
- 0xB3,0x31,0x2F,0xA7,0xE2,0x3E,0xE7,0xE4,0x98,0x8E, /* b */
- 0x05,0x6B,0xE3,0xF8,0x2D,0x19,0x18,0x1D,0x9C,0x6E,
- 0xFE,0x81,0x41,0x12,0x03,0x14,0x08,0x8F,0x50,0x13,
- 0x87,0x5A,0xC6,0x56,0x39,0x8D,0x8A,0x2E,0xD1,0x9D,
- 0x2A,0x85,0xC8,0xED,0xD3,0xEC,0x2A,0xEF,
- 0xAA,0x87,0xCA,0x22,0xBE,0x8B,0x05,0x37,0x8E,0xB1, /* x */
- 0xC7,0x1E,0xF3,0x20,0xAD,0x74,0x6E,0x1D,0x3B,0x62,
- 0x8B,0xA7,0x9B,0x98,0x59,0xF7,0x41,0xE0,0x82,0x54,
- 0x2A,0x38,0x55,0x02,0xF2,0x5D,0xBF,0x55,0x29,0x6C,
- 0x3A,0x54,0x5E,0x38,0x72,0x76,0x0A,0xB7,
- 0x36,0x17,0xde,0x4a,0x96,0x26,0x2c,0x6f,0x5d,0x9e, /* y */
- 0x98,0xbf,0x92,0x92,0xdc,0x29,0xf8,0xf4,0x1d,0xbd,
- 0x28,0x9a,0x14,0x7c,0xe9,0xda,0x31,0x13,0xb5,0xf0,
- 0xb8,0xc0,0x0a,0x60,0xb1,0xce,0x1d,0x7e,0x81,0x9d,
- 0x7a,0x43,0x1d,0x7c,0x90,0xea,0x0e,0x5f,
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* order */
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
- 0xFF,0xFF,0xFF,0xFF,0xC7,0x63,0x4D,0x81,0xF4,0x37,
- 0x2D,0xDF,0x58,0x1A,0x0D,0xB2,0x48,0xB0,0xA7,0x7A,
- 0xEC,0xEC,0x19,0x6A,0xCC,0xC5,0x29,0x73 }
- };
-
-static const struct { EC_CURVE_DATA h; unsigned char data[20+66*6]; }
- _EC_NIST_PRIME_521 = {
- { NID_X9_62_prime_field,20,66,1 },
- { 0xD0,0x9E,0x88,0x00,0x29,0x1C,0xB8,0x53,0x96,0xCC, /* seed */
- 0x67,0x17,0x39,0x32,0x84,0xAA,0xA0,0xDA,0x64,0xBA,
-
- 0x01,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* p */
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
- 0x01,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* a */
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFC,
- 0x00,0x51,0x95,0x3E,0xB9,0x61,0x8E,0x1C,0x9A,0x1F, /* b */
- 0x92,0x9A,0x21,0xA0,0xB6,0x85,0x40,0xEE,0xA2,0xDA,
- 0x72,0x5B,0x99,0xB3,0x15,0xF3,0xB8,0xB4,0x89,0x91,
- 0x8E,0xF1,0x09,0xE1,0x56,0x19,0x39,0x51,0xEC,0x7E,
- 0x93,0x7B,0x16,0x52,0xC0,0xBD,0x3B,0xB1,0xBF,0x07,
- 0x35,0x73,0xDF,0x88,0x3D,0x2C,0x34,0xF1,0xEF,0x45,
- 0x1F,0xD4,0x6B,0x50,0x3F,0x00,
- 0x00,0xC6,0x85,0x8E,0x06,0xB7,0x04,0x04,0xE9,0xCD, /* x */
- 0x9E,0x3E,0xCB,0x66,0x23,0x95,0xB4,0x42,0x9C,0x64,
- 0x81,0x39,0x05,0x3F,0xB5,0x21,0xF8,0x28,0xAF,0x60,
- 0x6B,0x4D,0x3D,0xBA,0xA1,0x4B,0x5E,0x77,0xEF,0xE7,
- 0x59,0x28,0xFE,0x1D,0xC1,0x27,0xA2,0xFF,0xA8,0xDE,
- 0x33,0x48,0xB3,0xC1,0x85,0x6A,0x42,0x9B,0xF9,0x7E,
- 0x7E,0x31,0xC2,0xE5,0xBD,0x66,
- 0x01,0x18,0x39,0x29,0x6a,0x78,0x9a,0x3b,0xc0,0x04, /* y */
- 0x5c,0x8a,0x5f,0xb4,0x2c,0x7d,0x1b,0xd9,0x98,0xf5,
- 0x44,0x49,0x57,0x9b,0x44,0x68,0x17,0xaf,0xbd,0x17,
- 0x27,0x3e,0x66,0x2c,0x97,0xee,0x72,0x99,0x5e,0xf4,
- 0x26,0x40,0xc5,0x50,0xb9,0x01,0x3f,0xad,0x07,0x61,
- 0x35,0x3c,0x70,0x86,0xa2,0x72,0xc2,0x40,0x88,0xbe,
- 0x94,0x76,0x9f,0xd1,0x66,0x50,
- 0x01,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* order */
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
- 0xFF,0xFF,0xFF,0xFA,0x51,0x86,0x87,0x83,0xBF,0x2F,
- 0x96,0x6B,0x7F,0xCC,0x01,0x48,0xF7,0x09,0xA5,0xD0,
- 0x3B,0xB5,0xC9,0xB8,0x89,0x9C,0x47,0xAE,0xBB,0x6F,
- 0xB7,0x1E,0x91,0x38,0x64,0x09 }
- };
-
-static const struct { EC_CURVE_DATA h; unsigned char data[20+32*6]; }
- _EC_X9_62_PRIME_256V1 = {
- { NID_X9_62_prime_field,20,32,1 },
- { 0xC4,0x9D,0x36,0x08,0x86,0xE7,0x04,0x93,0x6A,0x66, /* seed */
- 0x78,0xE1,0x13,0x9D,0x26,0xB7,0x81,0x9F,0x7E,0x90,
-
- 0xFF,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x01,0x00,0x00, /* p */
- 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
- 0xFF,0xFF,
- 0xFF,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x01,0x00,0x00, /* a */
- 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
- 0xFF,0xFC,
- 0x5A,0xC6,0x35,0xD8,0xAA,0x3A,0x93,0xE7,0xB3,0xEB, /* b */
- 0xBD,0x55,0x76,0x98,0x86,0xBC,0x65,0x1D,0x06,0xB0,
- 0xCC,0x53,0xB0,0xF6,0x3B,0xCE,0x3C,0x3E,0x27,0xD2,
- 0x60,0x4B,
- 0x6B,0x17,0xD1,0xF2,0xE1,0x2C,0x42,0x47,0xF8,0xBC, /* x */
- 0xE6,0xE5,0x63,0xA4,0x40,0xF2,0x77,0x03,0x7D,0x81,
- 0x2D,0xEB,0x33,0xA0,0xF4,0xA1,0x39,0x45,0xD8,0x98,
- 0xC2,0x96,
- 0x4f,0xe3,0x42,0xe2,0xfe,0x1a,0x7f,0x9b,0x8e,0xe7, /* y */
- 0xeb,0x4a,0x7c,0x0f,0x9e,0x16,0x2b,0xce,0x33,0x57,
- 0x6b,0x31,0x5e,0xce,0xcb,0xb6,0x40,0x68,0x37,0xbf,
- 0x51,0xf5,
- 0xFF,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00,0xFF,0xFF, /* order */
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xBC,0xE6,0xFA,0xAD,
- 0xA7,0x17,0x9E,0x84,0xF3,0xB9,0xCA,0xC2,0xFC,0x63,
- 0x25,0x51 }
- };
+/* the nist prime curves */
+static const struct {
+ EC_CURVE_DATA h;
+ unsigned char data[20 + 48 * 6];
+} _EC_NIST_PRIME_384 = {
+ {
+ NID_X9_62_prime_field, 20, 48, 1
+ },
+ {
+ /* seed */
+ 0xA3, 0x35, 0x92, 0x6A, 0xA3, 0x19, 0xA2, 0x7A, 0x1D, 0x00, 0x89, 0x6A,
+ 0x67, 0x73, 0xA4, 0x82, 0x7A, 0xCD, 0xAC, 0x73,
+ /* p */
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
+ /* a */
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFC,
+ /* b */
+ 0xB3, 0x31, 0x2F, 0xA7, 0xE2, 0x3E, 0xE7, 0xE4, 0x98, 0x8E, 0x05, 0x6B,
+ 0xE3, 0xF8, 0x2D, 0x19, 0x18, 0x1D, 0x9C, 0x6E, 0xFE, 0x81, 0x41, 0x12,
+ 0x03, 0x14, 0x08, 0x8F, 0x50, 0x13, 0x87, 0x5A, 0xC6, 0x56, 0x39, 0x8D,
+ 0x8A, 0x2E, 0xD1, 0x9D, 0x2A, 0x85, 0xC8, 0xED, 0xD3, 0xEC, 0x2A, 0xEF,
+ /* x */
+ 0xAA, 0x87, 0xCA, 0x22, 0xBE, 0x8B, 0x05, 0x37, 0x8E, 0xB1, 0xC7, 0x1E,
+ 0xF3, 0x20, 0xAD, 0x74, 0x6E, 0x1D, 0x3B, 0x62, 0x8B, 0xA7, 0x9B, 0x98,
+ 0x59, 0xF7, 0x41, 0xE0, 0x82, 0x54, 0x2A, 0x38, 0x55, 0x02, 0xF2, 0x5D,
+ 0xBF, 0x55, 0x29, 0x6C, 0x3A, 0x54, 0x5E, 0x38, 0x72, 0x76, 0x0A, 0xB7,
+ /* y */
+ 0x36, 0x17, 0xde, 0x4a, 0x96, 0x26, 0x2c, 0x6f, 0x5d, 0x9e, 0x98, 0xbf,
+ 0x92, 0x92, 0xdc, 0x29, 0xf8, 0xf4, 0x1d, 0xbd, 0x28, 0x9a, 0x14, 0x7c,
+ 0xe9, 0xda, 0x31, 0x13, 0xb5, 0xf0, 0xb8, 0xc0, 0x0a, 0x60, 0xb1, 0xce,
+ 0x1d, 0x7e, 0x81, 0x9d, 0x7a, 0x43, 0x1d, 0x7c, 0x90, 0xea, 0x0e, 0x5f,
+ /* order */
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xC7, 0x63, 0x4D, 0x81, 0xF4, 0x37, 0x2D, 0xDF, 0x58, 0x1A, 0x0D, 0xB2,
+ 0x48, 0xB0, 0xA7, 0x7A, 0xEC, 0xEC, 0x19, 0x6A, 0xCC, 0xC5, 0x29, 0x73
+ }
+};
+
+static const struct {
+ EC_CURVE_DATA h;
+ unsigned char data[20 + 66 * 6];
+} _EC_NIST_PRIME_521 = {
+ {
+ NID_X9_62_prime_field, 20, 66, 1
+ },
+ {
+ /* seed */
+ 0xD0, 0x9E, 0x88, 0x00, 0x29, 0x1C, 0xB8, 0x53, 0x96, 0xCC, 0x67, 0x17,
+ 0x39, 0x32, 0x84, 0xAA, 0xA0, 0xDA, 0x64, 0xBA,
+ /* p */
+ 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ /* a */
+ 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC,
+ /* b */
+ 0x00, 0x51, 0x95, 0x3E, 0xB9, 0x61, 0x8E, 0x1C, 0x9A, 0x1F, 0x92, 0x9A,
+ 0x21, 0xA0, 0xB6, 0x85, 0x40, 0xEE, 0xA2, 0xDA, 0x72, 0x5B, 0x99, 0xB3,
+ 0x15, 0xF3, 0xB8, 0xB4, 0x89, 0x91, 0x8E, 0xF1, 0x09, 0xE1, 0x56, 0x19,
+ 0x39, 0x51, 0xEC, 0x7E, 0x93, 0x7B, 0x16, 0x52, 0xC0, 0xBD, 0x3B, 0xB1,
+ 0xBF, 0x07, 0x35, 0x73, 0xDF, 0x88, 0x3D, 0x2C, 0x34, 0xF1, 0xEF, 0x45,
+ 0x1F, 0xD4, 0x6B, 0x50, 0x3F, 0x00,
+ /* x */
+ 0x00, 0xC6, 0x85, 0x8E, 0x06, 0xB7, 0x04, 0x04, 0xE9, 0xCD, 0x9E, 0x3E,
+ 0xCB, 0x66, 0x23, 0x95, 0xB4, 0x42, 0x9C, 0x64, 0x81, 0x39, 0x05, 0x3F,
+ 0xB5, 0x21, 0xF8, 0x28, 0xAF, 0x60, 0x6B, 0x4D, 0x3D, 0xBA, 0xA1, 0x4B,
+ 0x5E, 0x77, 0xEF, 0xE7, 0x59, 0x28, 0xFE, 0x1D, 0xC1, 0x27, 0xA2, 0xFF,
+ 0xA8, 0xDE, 0x33, 0x48, 0xB3, 0xC1, 0x85, 0x6A, 0x42, 0x9B, 0xF9, 0x7E,
+ 0x7E, 0x31, 0xC2, 0xE5, 0xBD, 0x66,
+ /* y */
+ 0x01, 0x18, 0x39, 0x29, 0x6a, 0x78, 0x9a, 0x3b, 0xc0, 0x04, 0x5c, 0x8a,
+ 0x5f, 0xb4, 0x2c, 0x7d, 0x1b, 0xd9, 0x98, 0xf5, 0x44, 0x49, 0x57, 0x9b,
+ 0x44, 0x68, 0x17, 0xaf, 0xbd, 0x17, 0x27, 0x3e, 0x66, 0x2c, 0x97, 0xee,
+ 0x72, 0x99, 0x5e, 0xf4, 0x26, 0x40, 0xc5, 0x50, 0xb9, 0x01, 0x3f, 0xad,
+ 0x07, 0x61, 0x35, 0x3c, 0x70, 0x86, 0xa2, 0x72, 0xc2, 0x40, 0x88, 0xbe,
+ 0x94, 0x76, 0x9f, 0xd1, 0x66, 0x50,
+ /* order */
+ 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFA, 0x51, 0x86,
+ 0x87, 0x83, 0xBF, 0x2F, 0x96, 0x6B, 0x7F, 0xCC, 0x01, 0x48, 0xF7, 0x09,
+ 0xA5, 0xD0, 0x3B, 0xB5, 0xC9, 0xB8, 0x89, 0x9C, 0x47, 0xAE, 0xBB, 0x6F,
+ 0xB7, 0x1E, 0x91, 0x38, 0x64, 0x09
+ }
+};
+
+static const struct {
+ EC_CURVE_DATA h;
+ unsigned char data[20 + 32 * 6];
+} _EC_X9_62_PRIME_256V1 = {
+ {
+ NID_X9_62_prime_field, 20, 32, 1
+ },
+ {
+ /* seed */
+ 0xC4, 0x9D, 0x36, 0x08, 0x86, 0xE7, 0x04, 0x93, 0x6A, 0x66, 0x78, 0xE1,
+ 0x13, 0x9D, 0x26, 0xB7, 0x81, 0x9F, 0x7E, 0x90,
+ /* p */
+ 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ /* a */
+ 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC,
+ /* b */
+ 0x5A, 0xC6, 0x35, 0xD8, 0xAA, 0x3A, 0x93, 0xE7, 0xB3, 0xEB, 0xBD, 0x55,
+ 0x76, 0x98, 0x86, 0xBC, 0x65, 0x1D, 0x06, 0xB0, 0xCC, 0x53, 0xB0, 0xF6,
+ 0x3B, 0xCE, 0x3C, 0x3E, 0x27, 0xD2, 0x60, 0x4B,
+ /* x */
+ 0x6B, 0x17, 0xD1, 0xF2, 0xE1, 0x2C, 0x42, 0x47, 0xF8, 0xBC, 0xE6, 0xE5,
+ 0x63, 0xA4, 0x40, 0xF2, 0x77, 0x03, 0x7D, 0x81, 0x2D, 0xEB, 0x33, 0xA0,
+ 0xF4, 0xA1, 0x39, 0x45, 0xD8, 0x98, 0xC2, 0x96,
+ /* y */
+ 0x4f, 0xe3, 0x42, 0xe2, 0xfe, 0x1a, 0x7f, 0x9b, 0x8e, 0xe7, 0xeb, 0x4a,
+ 0x7c, 0x0f, 0x9e, 0x16, 0x2b, 0xce, 0x33, 0x57, 0x6b, 0x31, 0x5e, 0xce,
+ 0xcb, 0xb6, 0x40, 0x68, 0x37, 0xbf, 0x51, 0xf5,
+ /* order */
+ 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xBC, 0xE6, 0xFA, 0xAD, 0xA7, 0x17, 0x9E, 0x84,
+ 0xF3, 0xB9, 0xCA, 0xC2, 0xFC, 0x63, 0x25, 0x51
+ }
+};
typedef struct _ec_list_element_st {
- int nid;
- const EC_CURVE_DATA *data;
- const EC_METHOD *(*meth)(void);
- const char *comment;
- } ec_list_element;
+ int nid;
+ const EC_CURVE_DATA *data;
+ const EC_METHOD *(*meth) (void);
+ const char *comment;
+} ec_list_element;
static const ec_list_element curve_list[] = {
- /* prime field curves */
- /* secg curves */
- /* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
- { NID_secp384r1, &_EC_NIST_PRIME_384.h, 0, "NIST/SECG curve over a 384 bit prime field" },
+ /* prime field curves */
+ /* secg curves */
+ /* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
+ {NID_secp384r1, &_EC_NIST_PRIME_384.h, 0,
+ "NIST/SECG curve over a 384 bit prime field"},
#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
- { NID_secp521r1, &_EC_NIST_PRIME_521.h, EC_GFp_nistp521_method, "NIST/SECG curve over a 521 bit prime field" },
+ {NID_secp521r1, &_EC_NIST_PRIME_521.h, EC_GFp_nistp521_method,
+ "NIST/SECG curve over a 521 bit prime field"},
#else
- { NID_secp521r1, &_EC_NIST_PRIME_521.h, 0, "NIST/SECG curve over a 521 bit prime field" },
+ {NID_secp521r1, &_EC_NIST_PRIME_521.h, 0,
+ "NIST/SECG curve over a 521 bit prime field"},
#endif
-#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
- { NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, EC_GFp_nistp256_method, "X9.62/SECG curve over a 256 bit prime field" },
+ /* X9.62 curves */
+ {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h,
+#if defined(ECP_NISTZ256_ASM)
+ EC_GFp_nistz256_method,
+#elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
+ EC_GFp_nistp256_method,
#else
- { NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, 0, "X9.62/SECG curve over a 256 bit prime field" },
+ 0,
#endif
+ "X9.62/SECG curve over a 256 bit prime field"},
};
#define curve_list_length (sizeof(curve_list)/sizeof(ec_list_element))
static EC_GROUP *ec_group_new_from_data(const ec_list_element curve)
- {
- EC_GROUP *group=NULL;
- EC_POINT *P=NULL;
- BN_CTX *ctx=NULL;
- BIGNUM *p=NULL, *a=NULL, *b=NULL, *x=NULL, *y=NULL, *order=NULL;
- int ok=0;
- int seed_len,param_len;
- const EC_METHOD *meth;
- const EC_CURVE_DATA *data;
- const unsigned char *params;
-
- if ((ctx = BN_CTX_new()) == NULL)
- {
- ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_MALLOC_FAILURE);
- goto err;
- }
-
- data = curve.data;
- seed_len = data->seed_len;
- param_len = data->param_len;
- params = (const unsigned char *)(data+1); /* skip header */
- params += seed_len; /* skip seed */
-
- if (!(p = BN_bin2bn(params+0*param_len, param_len, NULL))
- || !(a = BN_bin2bn(params+1*param_len, param_len, NULL))
- || !(b = BN_bin2bn(params+2*param_len, param_len, NULL)))
- {
- ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB);
- goto err;
- }
-
- if (curve.meth != 0)
- {
- meth = curve.meth();
- if (((group = EC_GROUP_new(meth)) == NULL) ||
- (!(group->meth->group_set_curve(group, p, a, b, ctx))))
- {
- ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
- goto err;
- }
- }
- else if (data->field_type == NID_X9_62_prime_field)
- {
- if ((group = EC_GROUP_new_curve_GFp(p, a, b, ctx)) == NULL)
- {
- ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
- goto err;
- }
- }
+{
+ EC_GROUP *group = NULL;
+ EC_POINT *P = NULL;
+ BN_CTX *ctx = NULL;
+ BIGNUM *p = NULL, *a = NULL, *b = NULL, *x = NULL, *y = NULL, *order =
+ NULL;
+ int ok = 0;
+ int seed_len, param_len;
+ const EC_METHOD *meth;
+ const EC_CURVE_DATA *data;
+ const unsigned char *params;
+
+ if ((ctx = BN_CTX_new()) == NULL) {
+ ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+
+ data = curve.data;
+ seed_len = data->seed_len;
+ param_len = data->param_len;
+ params = (const unsigned char *)(data + 1); /* skip header */
+ params += seed_len; /* skip seed */
+
+ if (!(p = BN_bin2bn(params + 0 * param_len, param_len, NULL))
+ || !(a = BN_bin2bn(params + 1 * param_len, param_len, NULL))
+ || !(b = BN_bin2bn(params + 2 * param_len, param_len, NULL))) {
+ ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB);
+ goto err;
+ }
+
+ if (curve.meth != 0) {
+ meth = curve.meth();
+ if (((group = EC_GROUP_new(meth)) == NULL) ||
+ (!(group->meth->group_set_curve(group, p, a, b, ctx)))) {
+ ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
+ goto err;
+ }
+ } else if (data->field_type == NID_X9_62_prime_field) {
+ if ((group = EC_GROUP_new_curve_GFp(p, a, b, ctx)) == NULL) {
+ ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
+ goto err;
+ }
+ }
#ifndef OPENSSL_NO_EC2M
- else /* field_type == NID_X9_62_characteristic_two_field */
- {
- if ((group = EC_GROUP_new_curve_GF2m(p, a, b, ctx)) == NULL)
- {
- ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
- goto err;
- }
- }
+ else { /* field_type ==
+ * NID_X9_62_characteristic_two_field */
+
+ if ((group = EC_GROUP_new_curve_GF2m(p, a, b, ctx)) == NULL) {
+ ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
+ goto err;
+ }
+ }
#endif
- if ((P = EC_POINT_new(group)) == NULL)
- {
- ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
- goto err;
- }
-
- if (!(x = BN_bin2bn(params+3*param_len, param_len, NULL))
- || !(y = BN_bin2bn(params+4*param_len, param_len, NULL)))
- {
- ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB);
- goto err;
- }
- if (!EC_POINT_set_affine_coordinates_GFp(group, P, x, y, ctx))
- {
- ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
- goto err;
- }
- if (!(order = BN_bin2bn(params+5*param_len, param_len, NULL))
- || !BN_set_word(x, (BN_ULONG)data->cofactor))
- {
- ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB);
- goto err;
- }
- if (!EC_GROUP_set_generator(group, P, order, x))
- {
- ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
- goto err;
- }
- if (seed_len)
- {
- if (!EC_GROUP_set_seed(group, params-seed_len, seed_len))
- {
- ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
- goto err;
- }
- }
- ok=1;
-err:
- if (!ok)
- {
- EC_GROUP_free(group);
- group = NULL;
- }
- if (P)
- EC_POINT_free(P);
- if (ctx)
- BN_CTX_free(ctx);
- if (p)
- BN_free(p);
- if (a)
- BN_free(a);
- if (b)
- BN_free(b);
- if (order)
- BN_free(order);
- if (x)
- BN_free(x);
- if (y)
- BN_free(y);
- return group;
- }
+ if ((P = EC_POINT_new(group)) == NULL) {
+ ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
+ goto err;
+ }
+
+ if (!(x = BN_bin2bn(params + 3 * param_len, param_len, NULL))
+ || !(y = BN_bin2bn(params + 4 * param_len, param_len, NULL))) {
+ ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB);
+ goto err;
+ }
+ if (!EC_POINT_set_affine_coordinates_GFp(group, P, x, y, ctx)) {
+ ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
+ goto err;
+ }
+ if (!(order = BN_bin2bn(params + 5 * param_len, param_len, NULL))
+ || !BN_set_word(x, (BN_ULONG)data->cofactor)) {
+ ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB);
+ goto err;
+ }
+ if (!EC_GROUP_set_generator(group, P, order, x)) {
+ ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
+ goto err;
+ }
+ if (seed_len) {
+ if (!EC_GROUP_set_seed(group, params - seed_len, seed_len)) {
+ ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
+ goto err;
+ }
+ }
+ ok = 1;
+ err:
+ if (!ok) {
+ EC_GROUP_free(group);
+ group = NULL;
+ }
+ if (P)
+ EC_POINT_free(P);
+ if (ctx)
+ BN_CTX_free(ctx);
+ if (p)
+ BN_free(p);
+ if (a)
+ BN_free(a);
+ if (b)
+ BN_free(b);
+ if (order)
+ BN_free(order);
+ if (x)
+ BN_free(x);
+ if (y)
+ BN_free(y);
+ return group;
+}
EC_GROUP *EC_GROUP_new_by_curve_name(int nid)
- {
- size_t i;
- EC_GROUP *ret = NULL;
+{
+ size_t i;
+ EC_GROUP *ret = NULL;
- if (nid <= 0)
- return NULL;
+ if (nid <= 0)
+ return NULL;
- for (i=0; i<curve_list_length; i++)
- if (curve_list[i].nid == nid)
- {
- ret = ec_group_new_from_data(curve_list[i]);
- break;
- }
+ for (i = 0; i < curve_list_length; i++)
+ if (curve_list[i].nid == nid) {
+ ret = ec_group_new_from_data(curve_list[i]);
+ break;
+ }
- if (ret == NULL)
- {
- ECerr(EC_F_EC_GROUP_NEW_BY_CURVE_NAME, EC_R_UNKNOWN_GROUP);
- return NULL;
- }
+ if (ret == NULL) {
+ ECerr(EC_F_EC_GROUP_NEW_BY_CURVE_NAME, EC_R_UNKNOWN_GROUP);
+ return NULL;
+ }
- EC_GROUP_set_curve_name(ret, nid);
+ EC_GROUP_set_curve_name(ret, nid);
- return ret;
- }
+ return ret;
+}
size_t EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems)
- {
- size_t i, min;
+{
+ size_t i, min;
+
+ if (r == NULL || nitems == 0)
+ return curve_list_length;
+
+ min = nitems < curve_list_length ? nitems : curve_list_length;
- if (r == NULL || nitems == 0)
- return curve_list_length;
+ for (i = 0; i < min; i++) {
+ r[i].nid = curve_list[i].nid;
+ r[i].comment = curve_list[i].comment;
+ }
- min = nitems < curve_list_length ? nitems : curve_list_length;
+ return curve_list_length;
+}
+
+/* Functions to translate between common NIST curve names and NIDs */
+
+typedef struct {
+ const char *name; /* NIST Name of curve */
+ int nid; /* Curve NID */
+} EC_NIST_NAME;
+
+static EC_NIST_NAME nist_curves[] = {
+ {"B-163", NID_sect163r2},
+ {"B-233", NID_sect233r1},
+ {"B-283", NID_sect283r1},
+ {"B-409", NID_sect409r1},
+ {"B-571", NID_sect571r1},
+ {"K-163", NID_sect163k1},
+ {"K-233", NID_sect233k1},
+ {"K-283", NID_sect283k1},
+ {"K-409", NID_sect409k1},
+ {"K-571", NID_sect571k1},
+ {"P-192", NID_X9_62_prime192v1},
+ {"P-224", NID_secp224r1},
+ {"P-256", NID_X9_62_prime256v1},
+ {"P-384", NID_secp384r1},
+ {"P-521", NID_secp521r1}
+};
- for (i = 0; i < min; i++)
- {
- r[i].nid = curve_list[i].nid;
- r[i].comment = curve_list[i].comment;
- }
+const char *EC_curve_nid2nist(int nid)
+{
+ size_t i;
+ for (i = 0; i < sizeof(nist_curves) / sizeof(EC_NIST_NAME); i++) {
+ if (nist_curves[i].nid == nid)
+ return nist_curves[i].name;
+ }
+ return NULL;
+}
- return curve_list_length;
- }
+int EC_curve_nist2nid(const char *name)
+{
+ size_t i;
+ for (i = 0; i < sizeof(nist_curves) / sizeof(EC_NIST_NAME); i++) {
+ if (!strcmp(nist_curves[i].name, name))
+ return nist_curves[i].nid;
+ }
+ return NID_undef;
+}
diff --git a/SOURCES/ectest.c b/SOURCES/ectest.c
index 921edcd..701e706 100644
--- a/SOURCES/ectest.c
+++ b/SOURCES/ectest.c
@@ -10,7 +10,7 @@
* are met:
*
* 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
@@ -58,13 +58,13 @@
/* ====================================================================
* Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
*
- * Portions of the attached software ("Contribution") are developed by
+ * Portions of the attached software ("Contribution") are developed by
* SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
*
* The Contribution is licensed pursuant to the OpenSSL open source
* license provided above.
*
- * The elliptic curve binary polynomial software is originally written by
+ * The elliptic curve binary polynomial software is originally written by
* Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
*
*/
@@ -72,671 +72,923 @@
#include <stdio.h>
#include <stdlib.h>
#ifdef FLAT_INC
-#include "e_os.h"
+# include "e_os.h"
#else
-#include "../e_os.h"
+# include "../e_os.h"
#endif
#include <string.h>
#include <time.h>
-
#ifdef OPENSSL_NO_EC
-int main(int argc, char * argv[]) { puts("Elliptic curves are disabled."); return 0; }
+int main(int argc, char *argv[])
+{
+ puts("Elliptic curves are disabled.");
+ return 0;
+}
#else
-
-#include <openssl/ec.h>
-#ifndef OPENSSL_NO_ENGINE
-#include <openssl/engine.h>
-#endif
-#include <openssl/err.h>
-#include <openssl/obj_mac.h>
-#include <openssl/objects.h>
-#include <openssl/rand.h>
-#include <openssl/bn.h>
-#include <openssl/opensslconf.h>
-
-#if defined(_MSC_VER) && defined(_MIPS_) && (_MSC_VER/100==12)
+# include <openssl/ec.h>
+# ifndef OPENSSL_NO_ENGINE
+# include <openssl/engine.h>
+# endif
+# include <openssl/err.h>
+# include <openssl/obj_mac.h>
+# include <openssl/objects.h>
+# include <openssl/rand.h>
+# include <openssl/bn.h>
+# include <openssl/opensslconf.h>
+
+# if defined(_MSC_VER) && defined(_MIPS_) && (_MSC_VER/100==12)
/* suppress "too big too optimize" warning */
-#pragma warning(disable:4959)
-#endif
-
-#define ABORT do { \
- fflush(stdout); \
- fprintf(stderr, "%s:%d: ABORT\n", __FILE__, __LINE__); \
- ERR_print_errors_fp(stderr); \
- EXIT(1); \
+# pragma warning(disable:4959)
+# endif
+
+# define ABORT do { \
+ fflush(stdout); \
+ fprintf(stderr, "%s:%d: ABORT\n", __FILE__, __LINE__); \
+ ERR_print_errors_fp(stderr); \
+ EXIT(1); \
} while (0)
-#define TIMING_BASE_PT 0
-#define TIMING_RAND_PT 1
-#define TIMING_SIMUL 2
+# define TIMING_BASE_PT 0
+# define TIMING_RAND_PT 1
+# define TIMING_SIMUL 2
-#if 0
+# if 0
static void timings(EC_GROUP *group, int type, BN_CTX *ctx)
- {
- clock_t clck;
- int i, j;
- BIGNUM *s;
- BIGNUM *r[10], *r0[10];
- EC_POINT *P;
-
- s = BN_new();
- if (s == NULL) ABORT;
-
- fprintf(stdout, "Timings for %d-bit field, ", EC_GROUP_get_degree(group));
- if (!EC_GROUP_get_order(group, s, ctx)) ABORT;
- fprintf(stdout, "%d-bit scalars ", (int)BN_num_bits(s));
- fflush(stdout);
-
- P = EC_POINT_new(group);
- if (P == NULL) ABORT;
- EC_POINT_copy(P, EC_GROUP_get0_generator(group));
-
- for (i = 0; i < 10; i++)
- {
- if ((r[i] = BN_new()) == NULL) ABORT;
- if (!BN_pseudo_rand(r[i], BN_num_bits(s), 0, 0)) ABORT;
- if (type != TIMING_BASE_PT)
- {
- if ((r0[i] = BN_new()) == NULL) ABORT;
- if (!BN_pseudo_rand(r0[i], BN_num_bits(s), 0, 0)) ABORT;
- }
- }
-
- clck = clock();
- for (i = 0; i < 10; i++)
- {
- for (j = 0; j < 10; j++)
- {
- if (!EC_POINT_mul(group, P, (type != TIMING_RAND_PT) ? r[i] : NULL,
- (type != TIMING_BASE_PT) ? P : NULL, (type != TIMING_BASE_PT) ? r0[i] : NULL, ctx)) ABORT;
- }
- }
- clck = clock() - clck;
-
- fprintf(stdout, "\n");
-
-#ifdef CLOCKS_PER_SEC
- /* "To determine the time in seconds, the value returned
- * by the clock function should be divided by the value
- * of the macro CLOCKS_PER_SEC."
- * -- ISO/IEC 9899 */
-# define UNIT "s"
-#else
- /* "`CLOCKS_PER_SEC' undeclared (first use this function)"
- * -- cc on NeXTstep/OpenStep */
-# define UNIT "units"
-# define CLOCKS_PER_SEC 1
-#endif
-
- if (type == TIMING_BASE_PT) {
- fprintf(stdout, "%i %s in %.2f " UNIT "\n", i*j,
- "base point multiplications", (double)clck/CLOCKS_PER_SEC);
- } else if (type == TIMING_RAND_PT) {
- fprintf(stdout, "%i %s in %.2f " UNIT "\n", i*j,
- "random point multiplications", (double)clck/CLOCKS_PER_SEC);
- } else if (type == TIMING_SIMUL) {
- fprintf(stdout, "%i %s in %.2f " UNIT "\n", i*j,
- "s*P+t*Q operations", (double)clck/CLOCKS_PER_SEC);
- }
- fprintf(stdout, "average: %.4f " UNIT "\n", (double)clck/(CLOCKS_PER_SEC*i*j));
-
- EC_POINT_free(P);
- BN_free(s);
- for (i = 0; i < 10; i++)
- {
- BN_free(r[i]);
- if (type != TIMING_BASE_PT) BN_free(r0[i]);
- }
- }
-#endif
+{
+ clock_t clck;
+ int i, j;
+ BIGNUM *s;
+ BIGNUM *r[10], *r0[10];
+ EC_POINT *P;
+
+ s = BN_new();
+ if (s == NULL)
+ ABORT;
+
+ fprintf(stdout, "Timings for %d-bit field, ", EC_GROUP_get_degree(group));
+ if (!EC_GROUP_get_order(group, s, ctx))
+ ABORT;
+ fprintf(stdout, "%d-bit scalars ", (int)BN_num_bits(s));
+ fflush(stdout);
+
+ P = EC_POINT_new(group);
+ if (P == NULL)
+ ABORT;
+ EC_POINT_copy(P, EC_GROUP_get0_generator(group));
+
+ for (i = 0; i < 10; i++) {
+ if ((r[i] = BN_new()) == NULL)
+ ABORT;
+ if (!BN_pseudo_rand(r[i], BN_num_bits(s), 0, 0))
+ ABORT;
+ if (type != TIMING_BASE_PT) {
+ if ((r0[i] = BN_new()) == NULL)
+ ABORT;
+ if (!BN_pseudo_rand(r0[i], BN_num_bits(s), 0, 0))
+ ABORT;
+ }
+ }
+
+ clck = clock();
+ for (i = 0; i < 10; i++) {
+ for (j = 0; j < 10; j++) {
+ if (!EC_POINT_mul
+ (group, P, (type != TIMING_RAND_PT) ? r[i] : NULL,
+ (type != TIMING_BASE_PT) ? P : NULL,
+ (type != TIMING_BASE_PT) ? r0[i] : NULL, ctx))
+ ABORT;
+ }
+ }
+ clck = clock() - clck;
+
+ fprintf(stdout, "\n");
+
+# ifdef CLOCKS_PER_SEC
+ /*
+ * "To determine the time in seconds, the value returned by the clock
+ * function should be divided by the value of the macro CLOCKS_PER_SEC."
+ * -- ISO/IEC 9899
+ */
+# define UNIT "s"
+# else
+ /*
+ * "`CLOCKS_PER_SEC' undeclared (first use this function)" -- cc on
+ * NeXTstep/OpenStep
+ */
+# define UNIT "units"
+# define CLOCKS_PER_SEC 1
+# endif
+
+ if (type == TIMING_BASE_PT) {
+ fprintf(stdout, "%i %s in %.2f " UNIT "\n", i * j,
+ "base point multiplications", (double)clck / CLOCKS_PER_SEC);
+ } else if (type == TIMING_RAND_PT) {
+ fprintf(stdout, "%i %s in %.2f " UNIT "\n", i * j,
+ "random point multiplications",
+ (double)clck / CLOCKS_PER_SEC);
+ } else if (type == TIMING_SIMUL) {
+ fprintf(stdout, "%i %s in %.2f " UNIT "\n", i * j,
+ "s*P+t*Q operations", (double)clck / CLOCKS_PER_SEC);
+ }
+ fprintf(stdout, "average: %.4f " UNIT "\n",
+ (double)clck / (CLOCKS_PER_SEC * i * j));
+
+ EC_POINT_free(P);
+ BN_free(s);
+ for (i = 0; i < 10; i++) {
+ BN_free(r[i]);
+ if (type != TIMING_BASE_PT)
+ BN_free(r0[i]);
+ }
+}
+# endif
/* test multiplication with group order, long and negative scalars */
static void group_order_tests(EC_GROUP *group)
- {
- BIGNUM *n1, *n2, *order;
- EC_POINT *P = EC_POINT_new(group);
- EC_POINT *Q = EC_POINT_new(group);
- BN_CTX *ctx = BN_CTX_new();
-
- n1 = BN_new(); n2 = BN_new(); order = BN_new();
- fprintf(stdout, "verify group order ...");
- fflush(stdout);
- if (!EC_GROUP_get_order(group, order, ctx)) ABORT;
- if (!EC_POINT_mul(group, Q, order, NULL, NULL, ctx)) ABORT;
- if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
- fprintf(stdout, ".");
- fflush(stdout);
- if (!EC_GROUP_precompute_mult(group, ctx)) ABORT;
- if (!EC_POINT_mul(group, Q, order, NULL, NULL, ctx)) ABORT;
- if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
- fprintf(stdout, " ok\n");
- fprintf(stdout, "long/negative scalar tests ... ");
- if (!BN_one(n1)) ABORT;
- /* n1 = 1 - order */
- if (!BN_sub(n1, n1, order)) ABORT;
- if(!EC_POINT_mul(group, Q, NULL, P, n1, ctx)) ABORT;
- if (0 != EC_POINT_cmp(group, Q, P, ctx)) ABORT;
- /* n2 = 1 + order */
- if (!BN_add(n2, order, BN_value_one())) ABORT;
- if(!EC_POINT_mul(group, Q, NULL, P, n2, ctx)) ABORT;
- if (0 != EC_POINT_cmp(group, Q, P, ctx)) ABORT;
- /* n2 = (1 - order) * (1 + order) */
- if (!BN_mul(n2, n1, n2, ctx)) ABORT;
- if(!EC_POINT_mul(group, Q, NULL, P, n2, ctx)) ABORT;
- if (0 != EC_POINT_cmp(group, Q, P, ctx)) ABORT;
- fprintf(stdout, "ok\n");
- EC_POINT_free(P);
- EC_POINT_free(Q);
- BN_free(n1);
- BN_free(n2);
- BN_free(order);
- BN_CTX_free(ctx);
- }
+{
+ BIGNUM *n1, *n2, *order;
+ EC_POINT *P = EC_POINT_new(group);
+ EC_POINT *Q = EC_POINT_new(group);
+ BN_CTX *ctx = BN_CTX_new();
+ int i;
+
+ n1 = BN_new();
+ n2 = BN_new();
+ order = BN_new();
+ fprintf(stdout, "verify group order ...");
+ fflush(stdout);
+ if (!EC_GROUP_get_order(group, order, ctx))
+ ABORT;
+ if (!EC_POINT_mul(group, Q, order, NULL, NULL, ctx))
+ ABORT;
+ if (!EC_POINT_is_at_infinity(group, Q))
+ ABORT;
+ fprintf(stdout, ".");
+ fflush(stdout);
+ if (!EC_GROUP_precompute_mult(group, ctx))
+ ABORT;
+ if (!EC_POINT_mul(group, Q, order, NULL, NULL, ctx))
+ ABORT;
+ if (!EC_POINT_is_at_infinity(group, Q))
+ ABORT;
+ fprintf(stdout, " ok\n");
+ fprintf(stdout, "long/negative scalar tests ");
+ for (i = 1; i <= 2; i++) {
+ const BIGNUM *scalars[6];
+ const EC_POINT *points[6];
+
+ fprintf(stdout, i == 1 ?
+ "allowing precomputation ... " :
+ "without precomputation ... ");
+ if (!BN_set_word(n1, i))
+ ABORT;
+ /*
+ * If i == 1, P will be the predefined generator for which
+ * EC_GROUP_precompute_mult has set up precomputation.
+ */
+ if (!EC_POINT_mul(group, P, n1, NULL, NULL, ctx))
+ ABORT;
+
+ if (!BN_one(n1))
+ ABORT;
+ /* n1 = 1 - order */
+ if (!BN_sub(n1, n1, order))
+ ABORT;
+ if (!EC_POINT_mul(group, Q, NULL, P, n1, ctx))
+ ABORT;
+ if (0 != EC_POINT_cmp(group, Q, P, ctx))
+ ABORT;
+
+ /* n2 = 1 + order */
+ if (!BN_add(n2, order, BN_value_one()))
+ ABORT;
+ if (!EC_POINT_mul(group, Q, NULL, P, n2, ctx))
+ ABORT;
+ if (0 != EC_POINT_cmp(group, Q, P, ctx))
+ ABORT;
+
+ /* n2 = (1 - order) * (1 + order) = 1 - order^2 */
+ if (!BN_mul(n2, n1, n2, ctx))
+ ABORT;
+ if (!EC_POINT_mul(group, Q, NULL, P, n2, ctx))
+ ABORT;
+ if (0 != EC_POINT_cmp(group, Q, P, ctx))
+ ABORT;
+
+ /* n2 = order^2 - 1 */
+ BN_set_negative(n2, 0);
+ if (!EC_POINT_mul(group, Q, NULL, P, n2, ctx))
+ ABORT;
+ /* Add P to verify the result. */
+ if (!EC_POINT_add(group, Q, Q, P, ctx))
+ ABORT;
+ if (!EC_POINT_is_at_infinity(group, Q))
+ ABORT;
+
+ /* Exercise EC_POINTs_mul, including corner cases. */
+ if (EC_POINT_is_at_infinity(group, P))
+ ABORT;
+ scalars[0] = n1;
+ points[0] = Q; /* => infinity */
+ scalars[1] = n2;
+ points[1] = P; /* => -P */
+ scalars[2] = n1;
+ points[2] = Q; /* => infinity */
+ scalars[3] = n2;
+ points[3] = Q; /* => infinity */
+ scalars[4] = n1;
+ points[4] = P; /* => P */
+ scalars[5] = n2;
+ points[5] = Q; /* => infinity */
+ if (!EC_POINTs_mul(group, P, NULL, 6, points, scalars, ctx))
+ ABORT;
+ if (!EC_POINT_is_at_infinity(group, P))
+ ABORT;
+ }
+ fprintf(stdout, "ok\n");
+
+ EC_POINT_free(P);
+ EC_POINT_free(Q);
+ BN_free(n1);
+ BN_free(n2);
+ BN_free(order);
+ BN_CTX_free(ctx);
+}
static void prime_field_tests(void)
- {
- BN_CTX *ctx = NULL;
- BIGNUM *p, *a, *b;
- EC_GROUP *group;
- EC_GROUP *P_160 = NULL, *P_192 = NULL, *P_224 = NULL, *P_256 = NULL, *P_384 = NULL, *P_521 = NULL;
- EC_POINT *P, *Q, *R;
- BIGNUM *x, *y, *z;
- unsigned char buf[100];
- size_t i, len;
- int k;
-
-#if 1 /* optional */
- ctx = BN_CTX_new();
- if (!ctx) ABORT;
-#endif
-
- p = BN_new();
- a = BN_new();
- b = BN_new();
- if (!p || !a || !b) ABORT;
-
- group = EC_GROUP_new(EC_GFp_mont_method()); /* applications should use EC_GROUP_new_curve_GFp
- * so that the library gets to choose the EC_METHOD */
- if (!group) ABORT;
-
- P = EC_POINT_new(group);
- Q = EC_POINT_new(group);
- R = EC_POINT_new(group);
- if (!P || !Q || !R) ABORT;
-
- x = BN_new();
- y = BN_new();
- z = BN_new();
- if (!x || !y || !z) ABORT;
-
-/* Curve P-256 (FIPS PUB 186-2, App. 6) */
-
- if (!BN_hex2bn(&p, "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF")) ABORT;
- if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) ABORT;
- if (!BN_hex2bn(&a, "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC")) ABORT;
- if (!BN_hex2bn(&b, "5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B")) ABORT;
- if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) ABORT;
-
- if (!BN_hex2bn(&x, "6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296")) ABORT;
- if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx)) ABORT;
- if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT;
- if (!BN_hex2bn(&z, "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E"
- "84F3B9CAC2FC632551")) ABORT;
- if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) ABORT;
-
- if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT;
- fprintf(stdout, "\nNIST curve P-256 -- Generator:\n x = 0x");
- BN_print_fp(stdout, x);
- fprintf(stdout, "\n y = 0x");
- BN_print_fp(stdout, y);
- fprintf(stdout, "\n");
- /* G_y value taken from the standard: */
- if (!BN_hex2bn(&z, "4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5")) ABORT;
- if (0 != BN_cmp(y, z)) ABORT;
-
- fprintf(stdout, "verify degree ...");
- if (EC_GROUP_get_degree(group) != 256) ABORT;
- fprintf(stdout, " ok\n");
-
- group_order_tests(group);
-
- if (!(P_256 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT;
- if (!EC_GROUP_copy(P_256, group)) ABORT;
-
-
- /* Curve P-384 (FIPS PUB 186-2, App. 6) */
-
- if (!BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
- "FFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFF")) ABORT;
- if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) ABORT;
- if (!BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
- "FFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFC")) ABORT;
- if (!BN_hex2bn(&b, "B3312FA7E23EE7E4988E056BE3F82D19181D9C6EFE8141"
- "120314088F5013875AC656398D8A2ED19D2A85C8EDD3EC2AEF")) ABORT;
- if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) ABORT;
-
- if (!BN_hex2bn(&x, "AA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B"
- "9859F741E082542A385502F25DBF55296C3A545E3872760AB7")) ABORT;
- if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx)) ABORT;
- if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT;
- if (!BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
- "FFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973")) ABORT;
- if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) ABORT;
-
- if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT;
- fprintf(stdout, "\nNIST curve P-384 -- Generator:\n x = 0x");
- BN_print_fp(stdout, x);
- fprintf(stdout, "\n y = 0x");
- BN_print_fp(stdout, y);
- fprintf(stdout, "\n");
- /* G_y value taken from the standard: */
- if (!BN_hex2bn(&z, "3617DE4A96262C6F5D9E98BF9292DC29F8F41DBD289A14"
- "7CE9DA3113B5F0B8C00A60B1CE1D7E819D7A431D7C90EA0E5F")) ABORT;
- if (0 != BN_cmp(y, z)) ABORT;
-
- fprintf(stdout, "verify degree ...");
- if (EC_GROUP_get_degree(group) != 384) ABORT;
- fprintf(stdout, " ok\n");
-
- group_order_tests(group);
-
- if (!(P_384 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT;
- if (!EC_GROUP_copy(P_384, group)) ABORT;
-
-
- /* Curve P-521 (FIPS PUB 186-2, App. 6) */
-
- if (!BN_hex2bn(&p, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
- "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
- "FFFFFFFFFFFFFFFFFFFFFFFFFFFF")) ABORT;
- if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) ABORT;
- if (!BN_hex2bn(&a, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
- "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
- "FFFFFFFFFFFFFFFFFFFFFFFFFFFC")) ABORT;
- if (!BN_hex2bn(&b, "051953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B"
- "315F3B8B489918EF109E156193951EC7E937B1652C0BD3BB1BF073573"
- "DF883D2C34F1EF451FD46B503F00")) ABORT;
- if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) ABORT;
-
- if (!BN_hex2bn(&x, "C6858E06B70404E9CD9E3ECB662395B4429C648139053F"
- "B521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B"
- "3C1856A429BF97E7E31C2E5BD66")) ABORT;
- if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 0, ctx)) ABORT;
- if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT;
- if (!BN_hex2bn(&z, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
- "FFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5"
- "C9B8899C47AEBB6FB71E91386409")) ABORT;
- if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) ABORT;
-
- if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT;
- fprintf(stdout, "\nNIST curve P-521 -- Generator:\n x = 0x");
- BN_print_fp(stdout, x);
- fprintf(stdout, "\n y = 0x");
- BN_print_fp(stdout, y);
- fprintf(stdout, "\n");
- /* G_y value taken from the standard: */
- if (!BN_hex2bn(&z, "11839296A789A3BC0045C8A5FB42C7D1BD998F54449579"
- "B446817AFBD17273E662C97EE72995EF42640C550B9013FAD0761353C"
- "7086A272C24088BE94769FD16650")) ABORT;
- if (0 != BN_cmp(y, z)) ABORT;
-
- fprintf(stdout, "verify degree ...");
- if (EC_GROUP_get_degree(group) != 521) ABORT;
- fprintf(stdout, " ok\n");
-
- group_order_tests(group);
-
- if (!(P_521 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT;
- if (!EC_GROUP_copy(P_521, group)) ABORT;
-
-
- /* more tests using the last curve */
-
- if (!EC_POINT_copy(Q, P)) ABORT;
- if (EC_POINT_is_at_infinity(group, Q)) ABORT;
- if (!EC_POINT_dbl(group, P, P, ctx)) ABORT;
- if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT;
- if (!EC_POINT_invert(group, Q, ctx)) ABORT; /* P = -2Q */
-
- if (!EC_POINT_add(group, R, P, Q, ctx)) ABORT;
- if (!EC_POINT_add(group, R, R, Q, ctx)) ABORT;
- if (!EC_POINT_is_at_infinity(group, R)) ABORT; /* R = P + 2Q */
-
- {
- const EC_POINT *points[4];
- const BIGNUM *scalars[4];
- BIGNUM scalar3;
-
- if (EC_POINT_is_at_infinity(group, Q)) ABORT;
- points[0] = Q;
- points[1] = Q;
- points[2] = Q;
- points[3] = Q;
-
- if (!EC_GROUP_get_order(group, z, ctx)) ABORT;
- if (!BN_add(y, z, BN_value_one())) ABORT;
- if (BN_is_odd(y)) ABORT;
- if (!BN_rshift1(y, y)) ABORT;
- scalars[0] = y; /* (group order + 1)/2, so y*Q + y*Q = Q */
- scalars[1] = y;
-
- fprintf(stdout, "combined multiplication ...");
- fflush(stdout);
-
- /* z is still the group order */
- if (!EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx)) ABORT;
- if (!EC_POINTs_mul(group, R, z, 2, points, scalars, ctx)) ABORT;
- if (0 != EC_POINT_cmp(group, P, R, ctx)) ABORT;
- if (0 != EC_POINT_cmp(group, R, Q, ctx)) ABORT;
-
- fprintf(stdout, ".");
- fflush(stdout);
-
- if (!BN_pseudo_rand(y, BN_num_bits(y), 0, 0)) ABORT;
- if (!BN_add(z, z, y)) ABORT;
- BN_set_negative(z, 1);
- scalars[0] = y;
- scalars[1] = z; /* z = -(order + y) */
-
- if (!EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx)) ABORT;
- if (!EC_POINT_is_at_infinity(group, P)) ABORT;
-
- fprintf(stdout, ".");
- fflush(stdout);
-
- if (!BN_pseudo_rand(x, BN_num_bits(y) - 1, 0, 0)) ABORT;
- if (!BN_add(z, x, y)) ABORT;
- BN_set_negative(z, 1);
- scalars[0] = x;
- scalars[1] = y;
- scalars[2] = z; /* z = -(x+y) */
-
- BN_init(&scalar3);
- BN_zero(&scalar3);
- scalars[3] = &scalar3;
-
- if (!EC_POINTs_mul(group, P, NULL, 4, points, scalars, ctx)) ABORT;
- if (!EC_POINT_is_at_infinity(group, P)) ABORT;
-
- fprintf(stdout, " ok\n\n");
-
- BN_free(&scalar3);
- }
-
-
-#if 0
- timings(P_256, TIMING_BASE_PT, ctx);
- timings(P_256, TIMING_RAND_PT, ctx);
- timings(P_256, TIMING_SIMUL, ctx);
- timings(P_384, TIMING_BASE_PT, ctx);
- timings(P_384, TIMING_RAND_PT, ctx);
- timings(P_384, TIMING_SIMUL, ctx);
-#endif
-
-
- if (ctx)
- BN_CTX_free(ctx);
- BN_free(p); BN_free(a); BN_free(b);
- EC_GROUP_free(group);
- EC_POINT_free(P);
- EC_POINT_free(Q);
- EC_POINT_free(R);
- BN_free(x); BN_free(y); BN_free(z);
-
- if (P_160) EC_GROUP_free(P_160);
- if (P_192) EC_GROUP_free(P_192);
- if (P_224) EC_GROUP_free(P_224);
- if (P_256) EC_GROUP_free(P_256);
- if (P_384) EC_GROUP_free(P_384);
- if (P_521) EC_GROUP_free(P_521);
-
- }
+{
+ BN_CTX *ctx = NULL;
+ BIGNUM *p, *a, *b;
+ EC_GROUP *group;
+ EC_GROUP *P_160 = NULL, *P_192 = NULL, *P_224 = NULL, *P_256 =
+ NULL, *P_384 = NULL, *P_521 = NULL;
+ EC_POINT *P, *Q, *R;
+ BIGNUM *x, *y, *z;
+ unsigned char buf[100];
+ size_t i, len;
+ int k;
+
+# if 1 /* optional */
+ ctx = BN_CTX_new();
+ if (!ctx)
+ ABORT;
+# endif
+
+ p = BN_new();
+ a = BN_new();
+ b = BN_new();
+ if (!p || !a || !b)
+ ABORT;
+
+ group = EC_GROUP_new(EC_GFp_mont_method()); /* applications should use
+ * EC_GROUP_new_curve_GFp so
+ * that the library gets to
+ * choose the EC_METHOD */
+ if (!group)
+ ABORT;
+
+ P = EC_POINT_new(group);
+ Q = EC_POINT_new(group);
+ R = EC_POINT_new(group);
+ if (!P || !Q || !R)
+ ABORT;
+
+ x = BN_new();
+ y = BN_new();
+ z = BN_new();
+ if (!x || !y || !z)
+ ABORT;
+
+ /* Curve P-256 (FIPS PUB 186-2, App. 6) */
+
+ if (!BN_hex2bn
+ (&p,
+ "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF"))
+ ABORT;
+ if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
+ ABORT;
+ if (!BN_hex2bn
+ (&a,
+ "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC"))
+ ABORT;
+ if (!BN_hex2bn
+ (&b,
+ "5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B"))
+ ABORT;
+ if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx))
+ ABORT;
+
+ if (!BN_hex2bn
+ (&x,
+ "6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296"))
+ ABORT;
+ if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx))
+ ABORT;
+ if (EC_POINT_is_on_curve(group, P, ctx) <= 0)
+ ABORT;
+ if (!BN_hex2bn(&z, "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E"
+ "84F3B9CAC2FC632551"))
+ ABORT;
+ if (!EC_GROUP_set_generator(group, P, z, BN_value_one()))
+ ABORT;
+
+ if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx))
+ ABORT;
+ fprintf(stdout, "\nNIST curve P-256 -- Generator:\n x = 0x");
+ BN_print_fp(stdout, x);
+ fprintf(stdout, "\n y = 0x");
+ BN_print_fp(stdout, y);
+ fprintf(stdout, "\n");
+ /* G_y value taken from the standard: */
+ if (!BN_hex2bn
+ (&z,
+ "4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5"))
+ ABORT;
+ if (0 != BN_cmp(y, z))
+ ABORT;
+
+ fprintf(stdout, "verify degree ...");
+ if (EC_GROUP_get_degree(group) != 256)
+ ABORT;
+ fprintf(stdout, " ok\n");
+
+ group_order_tests(group);
+
+ if (!(P_256 = EC_GROUP_new(EC_GROUP_method_of(group))))
+ ABORT;
+ if (!EC_GROUP_copy(P_256, group))
+ ABORT;
+
+ /* Curve P-384 (FIPS PUB 186-2, App. 6) */
+
+ if (!BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+ "FFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFF"))
+ ABORT;
+ if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
+ ABORT;
+ if (!BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+ "FFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFC"))
+ ABORT;
+ if (!BN_hex2bn(&b, "B3312FA7E23EE7E4988E056BE3F82D19181D9C6EFE8141"
+ "120314088F5013875AC656398D8A2ED19D2A85C8EDD3EC2AEF"))
+ ABORT;
+ if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx))
+ ABORT;
+
+ if (!BN_hex2bn(&x, "AA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B"
+ "9859F741E082542A385502F25DBF55296C3A545E3872760AB7"))
+ ABORT;
+ if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx))
+ ABORT;
+ if (EC_POINT_is_on_curve(group, P, ctx) <= 0)
+ ABORT;
+ if (!BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+ "FFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973"))
+ ABORT;
+ if (!EC_GROUP_set_generator(group, P, z, BN_value_one()))
+ ABORT;
+
+ if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx))
+ ABORT;
+ fprintf(stdout, "\nNIST curve P-384 -- Generator:\n x = 0x");
+ BN_print_fp(stdout, x);
+ fprintf(stdout, "\n y = 0x");
+ BN_print_fp(stdout, y);
+ fprintf(stdout, "\n");
+ /* G_y value taken from the standard: */
+ if (!BN_hex2bn(&z, "3617DE4A96262C6F5D9E98BF9292DC29F8F41DBD289A14"
+ "7CE9DA3113B5F0B8C00A60B1CE1D7E819D7A431D7C90EA0E5F"))
+ ABORT;
+ if (0 != BN_cmp(y, z))
+ ABORT;
+
+ fprintf(stdout, "verify degree ...");
+ if (EC_GROUP_get_degree(group) != 384)
+ ABORT;
+ fprintf(stdout, " ok\n");
+
+ group_order_tests(group);
+
+ if (!(P_384 = EC_GROUP_new(EC_GROUP_method_of(group))))
+ ABORT;
+ if (!EC_GROUP_copy(P_384, group))
+ ABORT;
+
+ /* Curve P-521 (FIPS PUB 186-2, App. 6) */
+
+ if (!BN_hex2bn(&p, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+ "FFFFFFFFFFFFFFFFFFFFFFFFFFFF"))
+ ABORT;
+ if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
+ ABORT;
+ if (!BN_hex2bn(&a, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+ "FFFFFFFFFFFFFFFFFFFFFFFFFFFC"))
+ ABORT;
+ if (!BN_hex2bn(&b, "051953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B"
+ "315F3B8B489918EF109E156193951EC7E937B1652C0BD3BB1BF073573"
+ "DF883D2C34F1EF451FD46B503F00"))
+ ABORT;
+ if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx))
+ ABORT;
+
+ if (!BN_hex2bn(&x, "C6858E06B70404E9CD9E3ECB662395B4429C648139053F"
+ "B521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B"
+ "3C1856A429BF97E7E31C2E5BD66"))
+ ABORT;
+ if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 0, ctx))
+ ABORT;
+ if (EC_POINT_is_on_curve(group, P, ctx) <= 0)
+ ABORT;
+ if (!BN_hex2bn(&z, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+ "FFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5"
+ "C9B8899C47AEBB6FB71E91386409"))
+ ABORT;
+ if (!EC_GROUP_set_generator(group, P, z, BN_value_one()))
+ ABORT;
+
+ if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx))
+ ABORT;
+ fprintf(stdout, "\nNIST curve P-521 -- Generator:\n x = 0x");
+ BN_print_fp(stdout, x);
+ fprintf(stdout, "\n y = 0x");
+ BN_print_fp(stdout, y);
+ fprintf(stdout, "\n");
+ /* G_y value taken from the standard: */
+ if (!BN_hex2bn(&z, "11839296A789A3BC0045C8A5FB42C7D1BD998F54449579"
+ "B446817AFBD17273E662C97EE72995EF42640C550B9013FAD0761353C"
+ "7086A272C24088BE94769FD16650"))
+ ABORT;
+ if (0 != BN_cmp(y, z))
+ ABORT;
+
+ fprintf(stdout, "verify degree ...");
+ if (EC_GROUP_get_degree(group) != 521)
+ ABORT;
+ fprintf(stdout, " ok\n");
+
+ group_order_tests(group);
+
+ if (!(P_521 = EC_GROUP_new(EC_GROUP_method_of(group))))
+ ABORT;
+ if (!EC_GROUP_copy(P_521, group))
+ ABORT;
+
+ /* more tests using the last curve */
+
+ if (!EC_POINT_copy(Q, P))
+ ABORT;
+ if (EC_POINT_is_at_infinity(group, Q))
+ ABORT;
+ if (!EC_POINT_dbl(group, P, P, ctx))
+ ABORT;
+ if (EC_POINT_is_on_curve(group, P, ctx) <= 0)
+ ABORT;
+ if (!EC_POINT_invert(group, Q, ctx))
+ ABORT; /* P = -2Q */
+
+ if (!EC_POINT_add(group, R, P, Q, ctx))
+ ABORT;
+ if (!EC_POINT_add(group, R, R, Q, ctx))
+ ABORT;
+ if (!EC_POINT_is_at_infinity(group, R))
+ ABORT; /* R = P + 2Q */
+
+ {
+ const EC_POINT *points[4];
+ const BIGNUM *scalars[4];
+ BIGNUM scalar3;
+
+ if (EC_POINT_is_at_infinity(group, Q))
+ ABORT;
+ points[0] = Q;
+ points[1] = Q;
+ points[2] = Q;
+ points[3] = Q;
+
+ if (!EC_GROUP_get_order(group, z, ctx))
+ ABORT;
+ if (!BN_add(y, z, BN_value_one()))
+ ABORT;
+ if (BN_is_odd(y))
+ ABORT;
+ if (!BN_rshift1(y, y))
+ ABORT;
+ scalars[0] = y; /* (group order + 1)/2, so y*Q + y*Q = Q */
+ scalars[1] = y;
+
+ fprintf(stdout, "combined multiplication ...");
+ fflush(stdout);
+
+ /* z is still the group order */
+ if (!EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx))
+ ABORT;
+ if (!EC_POINTs_mul(group, R, z, 2, points, scalars, ctx))
+ ABORT;
+ if (0 != EC_POINT_cmp(group, P, R, ctx))
+ ABORT;
+ if (0 != EC_POINT_cmp(group, R, Q, ctx))
+ ABORT;
+
+ fprintf(stdout, ".");
+ fflush(stdout);
+
+ if (!BN_pseudo_rand(y, BN_num_bits(y), 0, 0))
+ ABORT;
+ if (!BN_add(z, z, y))
+ ABORT;
+ BN_set_negative(z, 1);
+ scalars[0] = y;
+ scalars[1] = z; /* z = -(order + y) */
+
+ if (!EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx))
+ ABORT;
+ if (!EC_POINT_is_at_infinity(group, P))
+ ABORT;
+
+ fprintf(stdout, ".");
+ fflush(stdout);
+
+ if (!BN_pseudo_rand(x, BN_num_bits(y) - 1, 0, 0))
+ ABORT;
+ if (!BN_add(z, x, y))
+ ABORT;
+ BN_set_negative(z, 1);
+ scalars[0] = x;
+ scalars[1] = y;
+ scalars[2] = z; /* z = -(x+y) */
+
+ BN_init(&scalar3);
+ BN_zero(&scalar3);
+ scalars[3] = &scalar3;
+
+ if (!EC_POINTs_mul(group, P, NULL, 4, points, scalars, ctx))
+ ABORT;
+ if (!EC_POINT_is_at_infinity(group, P))
+ ABORT;
+
+ fprintf(stdout, " ok\n\n");
+
+ BN_free(&scalar3);
+ }
+
+# if 0
+ timings(P_256, TIMING_BASE_PT, ctx);
+ timings(P_256, TIMING_RAND_PT, ctx);
+ timings(P_256, TIMING_SIMUL, ctx);
+ timings(P_384, TIMING_BASE_PT, ctx);
+ timings(P_384, TIMING_RAND_PT, ctx);
+ timings(P_384, TIMING_SIMUL, ctx);
+ timings(P_521, TIMING_BASE_PT, ctx);
+ timings(P_521, TIMING_RAND_PT, ctx);
+ timings(P_521, TIMING_SIMUL, ctx);
+# endif
+
+ if (ctx)
+ BN_CTX_free(ctx);
+ BN_free(p);
+ BN_free(a);
+ BN_free(b);
+ EC_GROUP_free(group);
+ EC_POINT_free(P);
+ EC_POINT_free(Q);
+ EC_POINT_free(R);
+ BN_free(x);
+ BN_free(y);
+ BN_free(z);
+
+ if (P_160)
+ EC_GROUP_free(P_160);
+ if (P_192)
+ EC_GROUP_free(P_192);
+ if (P_224)
+ EC_GROUP_free(P_224);
+ if (P_256)
+ EC_GROUP_free(P_256);
+ if (P_384)
+ EC_GROUP_free(P_384);
+ if (P_521)
+ EC_GROUP_free(P_521);
+
+}
static void internal_curve_test(void)
- {
- EC_builtin_curve *curves = NULL;
- size_t crv_len = 0, n = 0;
- int ok = 1;
-
- crv_len = EC_get_builtin_curves(NULL, 0);
-
- curves = OPENSSL_malloc(sizeof(EC_builtin_curve) * crv_len);
-
- if (curves == NULL)
- return;
-
- if (!EC_get_builtin_curves(curves, crv_len))
- {
- OPENSSL_free(curves);
- return;
- }
-
- fprintf(stdout, "testing internal curves: ");
-
- for (n = 0; n < crv_len; n++)
- {
- EC_GROUP *group = NULL;
- int nid = curves[n].nid;
- if ((group = EC_GROUP_new_by_curve_name(nid)) == NULL)
- {
- ok = 0;
- fprintf(stdout, "\nEC_GROUP_new_curve_name() failed with"
- " curve %s\n", OBJ_nid2sn(nid));
- /* try next curve */
- continue;
- }
- if (!EC_GROUP_check(group, NULL))
- {
- ok = 0;
- fprintf(stdout, "\nEC_GROUP_check() failed with"
- " curve %s\n", OBJ_nid2sn(nid));
- EC_GROUP_free(group);
- /* try the next curve */
- continue;
- }
- fprintf(stdout, ".");
- fflush(stdout);
- EC_GROUP_free(group);
- }
- if (ok)
- fprintf(stdout, " ok\n\n");
- else
- {
- fprintf(stdout, " failed\n\n");
- ABORT;
- }
- OPENSSL_free(curves);
- return;
- }
-
-#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
-/* nistp_test_params contains magic numbers for testing our optimized
- * implementations of several NIST curves with characteristic > 3. */
-struct nistp_test_params
- {
- const EC_METHOD* (*meth) ();
- int degree;
- /* Qx, Qy and D are taken from
- * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/ECDSA_Prime.pdf
- * Otherwise, values are standard curve parameters from FIPS 180-3 */
- const char *p, *a, *b, *Qx, *Qy, *Gx, *Gy, *order, *d;
- };
-
-static const struct nistp_test_params nistp_tests_params[] =
- {
- {
- /* P-256 */
- EC_GFp_nistp256_method,
- 256,
- "ffffffff00000001000000000000000000000000ffffffffffffffffffffffff", /* p */
- "ffffffff00000001000000000000000000000000fffffffffffffffffffffffc", /* a */
- "5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b", /* b */
- "b7e08afdfe94bad3f1dc8c734798ba1c62b3a0ad1e9ea2a38201cd0889bc7a19", /* Qx */
- "3603f747959dbf7a4bb226e41928729063adc7ae43529e61b563bbc606cc5e09", /* Qy */
- "6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296", /* Gx */
- "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5", /* Gy */
- "ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551", /* order */
- "c477f9f65c22cce20657faa5b2d1d8122336f851a508a1ed04e479c34985bf96", /* d */
- },
- };
-
-void nistp_single_test(const struct nistp_test_params *test)
- {
- BN_CTX *ctx;
- BIGNUM *p, *a, *b, *x, *y, *n, *m, *order;
- EC_GROUP *NISTP;
- EC_POINT *G, *P, *Q, *Q_CHECK;
-
- fprintf(stdout, "\nNIST curve P-%d (optimised implementation):\n", test->degree);
- ctx = BN_CTX_new();
- p = BN_new();
- a = BN_new();
- b = BN_new();
- x = BN_new(); y = BN_new();
- m = BN_new(); n = BN_new(); order = BN_new();
-
- NISTP = EC_GROUP_new(test->meth());
- if(!NISTP) ABORT;
- if (!BN_hex2bn(&p, test->p)) ABORT;
- if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) ABORT;
- if (!BN_hex2bn(&a, test->a)) ABORT;
- if (!BN_hex2bn(&b, test->b)) ABORT;
- if (!EC_GROUP_set_curve_GFp(NISTP, p, a, b, ctx)) ABORT;
- G = EC_POINT_new(NISTP);
- P = EC_POINT_new(NISTP);
- Q = EC_POINT_new(NISTP);
- Q_CHECK = EC_POINT_new(NISTP);
- if(!BN_hex2bn(&x, test->Qx)) ABORT;
- if(!BN_hex2bn(&y, test->Qy)) ABORT;
- if(!EC_POINT_set_affine_coordinates_GFp(NISTP, Q_CHECK, x, y, ctx)) ABORT;
- if (!BN_hex2bn(&x, test->Gx)) ABORT;
- if (!BN_hex2bn(&y, test->Gy)) ABORT;
- if (!EC_POINT_set_affine_coordinates_GFp(NISTP, G, x, y, ctx)) ABORT;
- if (!BN_hex2bn(&order, test->order)) ABORT;
- if (!EC_GROUP_set_generator(NISTP, G, order, BN_value_one())) ABORT;
-
- fprintf(stdout, "verify degree ... ");
- if (EC_GROUP_get_degree(NISTP) != test->degree) ABORT;
- fprintf(stdout, "ok\n");
-
- fprintf(stdout, "NIST test vectors ... ");
- if (!BN_hex2bn(&n, test->d)) ABORT;
- /* fixed point multiplication */
- EC_POINT_mul(NISTP, Q, n, NULL, NULL, ctx);
- if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) ABORT;
- /* random point multiplication */
- EC_POINT_mul(NISTP, Q, NULL, G, n, ctx);
- if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) ABORT;
-
- /* set generator to P = 2*G, where G is the standard generator */
- if (!EC_POINT_dbl(NISTP, P, G, ctx)) ABORT;
- if (!EC_GROUP_set_generator(NISTP, P, order, BN_value_one())) ABORT;
- /* set the scalar to m=n/2, where n is the NIST test scalar */
- if (!BN_rshift(m, n, 1)) ABORT;
-
- /* test the non-standard generator */
- /* fixed point multiplication */
- EC_POINT_mul(NISTP, Q, m, NULL, NULL, ctx);
- if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) ABORT;
- /* random point multiplication */
- EC_POINT_mul(NISTP, Q, NULL, P, m, ctx);
- if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) ABORT;
-
- /* now repeat all tests with precomputation */
- if (!EC_GROUP_precompute_mult(NISTP, ctx)) ABORT;
-
- /* fixed point multiplication */
- EC_POINT_mul(NISTP, Q, m, NULL, NULL, ctx);
- if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) ABORT;
- /* random point multiplication */
- EC_POINT_mul(NISTP, Q, NULL, P, m, ctx);
- if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) ABORT;
-
- /* reset generator */
- if (!EC_GROUP_set_generator(NISTP, G, order, BN_value_one())) ABORT;
- /* fixed point multiplication */
- EC_POINT_mul(NISTP, Q, n, NULL, NULL, ctx);
- if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) ABORT;
- /* random point multiplication */
- EC_POINT_mul(NISTP, Q, NULL, G, n, ctx);
- if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) ABORT;
-
- fprintf(stdout, "ok\n");
- group_order_tests(NISTP);
-#if 0
- timings(NISTP, TIMING_BASE_PT, ctx);
- timings(NISTP, TIMING_RAND_PT, ctx);
-#endif
- EC_GROUP_free(NISTP);
- EC_POINT_free(G);
- EC_POINT_free(P);
- EC_POINT_free(Q);
- EC_POINT_free(Q_CHECK);
- BN_free(n);
- BN_free(m);
- BN_free(p);
- BN_free(a);
- BN_free(b);
- BN_free(x);
- BN_free(y);
- BN_free(order);
- BN_CTX_free(ctx);
- }
-
-void nistp_tests()
- {
- unsigned i;
-
- for (i = 0; i < sizeof(nistp_tests_params) / sizeof(struct nistp_test_params); i++)
- {
- nistp_single_test(&nistp_tests_params[i]);
- }
- }
-#endif
-
-static const char rnd_seed[] = "string to make the random number generator think it has entropy";
+{
+ EC_builtin_curve *curves = NULL;
+ size_t crv_len = 0, n = 0;
+ int ok = 1;
+
+ crv_len = EC_get_builtin_curves(NULL, 0);
+
+ curves = OPENSSL_malloc(sizeof(EC_builtin_curve) * crv_len);
+
+ if (curves == NULL)
+ return;
+
+ if (!EC_get_builtin_curves(curves, crv_len)) {
+ OPENSSL_free(curves);
+ return;
+ }
+
+ fprintf(stdout, "testing internal curves: ");
+
+ for (n = 0; n < crv_len; n++) {
+ EC_GROUP *group = NULL;
+ int nid = curves[n].nid;
+ if ((group = EC_GROUP_new_by_curve_name(nid)) == NULL) {
+ ok = 0;
+ fprintf(stdout, "\nEC_GROUP_new_curve_name() failed with"
+ " curve %s\n", OBJ_nid2sn(nid));
+ /* try next curve */
+ continue;
+ }
+ if (!EC_GROUP_check(group, NULL)) {
+ ok = 0;
+ fprintf(stdout, "\nEC_GROUP_check() failed with"
+ " curve %s\n", OBJ_nid2sn(nid));
+ EC_GROUP_free(group);
+ /* try the next curve */
+ continue;
+ }
+ fprintf(stdout, ".");
+ fflush(stdout);
+ EC_GROUP_free(group);
+ }
+ if (ok)
+ fprintf(stdout, " ok\n\n");
+ else {
+ fprintf(stdout, " failed\n\n");
+ ABORT;
+ }
+ OPENSSL_free(curves);
+ return;
+}
+
+# ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
+/*
+ * nistp_test_params contains magic numbers for testing our optimized
+ * implementations of several NIST curves with characteristic > 3.
+ */
+struct nistp_test_params {
+ const EC_METHOD *(*meth) ();
+ int degree;
+ /*
+ * Qx, Qy and D are taken from
+ * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/ECDSA_Prime.pdf
+ * Otherwise, values are standard curve parameters from FIPS 180-3
+ */
+ const char *p, *a, *b, *Qx, *Qy, *Gx, *Gy, *order, *d;
+};
+
+static const struct nistp_test_params nistp_tests_params[] = {
+ {
+ /* P-256 */
+ EC_GFp_nistp256_method,
+ 256,
+ /* p */
+ "ffffffff00000001000000000000000000000000ffffffffffffffffffffffff",
+ /* a */
+ "ffffffff00000001000000000000000000000000fffffffffffffffffffffffc",
+ /* b */
+ "5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b",
+ /* Qx */
+ "b7e08afdfe94bad3f1dc8c734798ba1c62b3a0ad1e9ea2a38201cd0889bc7a19",
+ /* Qy */
+ "3603f747959dbf7a4bb226e41928729063adc7ae43529e61b563bbc606cc5e09",
+ /* Gx */
+ "6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296",
+ /* Gy */
+ "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5",
+ /* order */
+ "ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551",
+ /* d */
+ "c477f9f65c22cce20657faa5b2d1d8122336f851a508a1ed04e479c34985bf96",
+ },
+ {
+ /* P-521 */
+ EC_GFp_nistp521_method,
+ 521,
+ /* p */
+ "1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+ /* a */
+ "1fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc",
+ /* b */
+ "051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00",
+ /* Qx */
+ "0098e91eef9a68452822309c52fab453f5f117c1da8ed796b255e9ab8f6410cca16e59df403a6bdc6ca467a37056b1e54b3005d8ac030decfeb68df18b171885d5c4",
+ /* Qy */
+ "0164350c321aecfc1cca1ba4364c9b15656150b4b78d6a48d7d28e7f31985ef17be8554376b72900712c4b83ad668327231526e313f5f092999a4632fd50d946bc2e",
+ /* Gx */
+ "c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66",
+ /* Gy */
+ "11839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650",
+ /* order */
+ "1fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409",
+ /* d */
+ "0100085f47b8e1b8b11b7eb33028c0b2888e304bfc98501955b45bba1478dc184eeedf09b86a5f7c21994406072787205e69a63709fe35aa93ba333514b24f961722",
+ },
+};
+
+static void nistp_single_test(const struct nistp_test_params *test)
+{
+ BN_CTX *ctx;
+ BIGNUM *p, *a, *b, *x, *y, *n, *m, *order;
+ EC_GROUP *NISTP;
+ EC_POINT *G, *P, *Q, *Q_CHECK;
+
+ fprintf(stdout, "\nNIST curve P-%d (optimised implementation):\n",
+ test->degree);
+ ctx = BN_CTX_new();
+ p = BN_new();
+ a = BN_new();
+ b = BN_new();
+ x = BN_new();
+ y = BN_new();
+ m = BN_new();
+ n = BN_new();
+ order = BN_new();
+
+ NISTP = EC_GROUP_new(test->meth());
+ if (!NISTP)
+ ABORT;
+ if (!BN_hex2bn(&p, test->p))
+ ABORT;
+ if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
+ ABORT;
+ if (!BN_hex2bn(&a, test->a))
+ ABORT;
+ if (!BN_hex2bn(&b, test->b))
+ ABORT;
+ if (!EC_GROUP_set_curve_GFp(NISTP, p, a, b, ctx))
+ ABORT;
+ G = EC_POINT_new(NISTP);
+ P = EC_POINT_new(NISTP);
+ Q = EC_POINT_new(NISTP);
+ Q_CHECK = EC_POINT_new(NISTP);
+ if (!BN_hex2bn(&x, test->Qx))
+ ABORT;
+ if (!BN_hex2bn(&y, test->Qy))
+ ABORT;
+ if (!EC_POINT_set_affine_coordinates_GFp(NISTP, Q_CHECK, x, y, ctx))
+ ABORT;
+ if (!BN_hex2bn(&x, test->Gx))
+ ABORT;
+ if (!BN_hex2bn(&y, test->Gy))
+ ABORT;
+ if (!EC_POINT_set_affine_coordinates_GFp(NISTP, G, x, y, ctx))
+ ABORT;
+ if (!BN_hex2bn(&order, test->order))
+ ABORT;
+ if (!EC_GROUP_set_generator(NISTP, G, order, BN_value_one()))
+ ABORT;
+
+ fprintf(stdout, "verify degree ... ");
+ if (EC_GROUP_get_degree(NISTP) != test->degree)
+ ABORT;
+ fprintf(stdout, "ok\n");
+
+ fprintf(stdout, "NIST test vectors ... ");
+ if (!BN_hex2bn(&n, test->d))
+ ABORT;
+ /* fixed point multiplication */
+ EC_POINT_mul(NISTP, Q, n, NULL, NULL, ctx);
+ if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
+ ABORT;
+ /* random point multiplication */
+ EC_POINT_mul(NISTP, Q, NULL, G, n, ctx);
+ if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
+ ABORT;
+
+ /* set generator to P = 2*G, where G is the standard generator */
+ if (!EC_POINT_dbl(NISTP, P, G, ctx))
+ ABORT;
+ if (!EC_GROUP_set_generator(NISTP, P, order, BN_value_one()))
+ ABORT;
+ /* set the scalar to m=n/2, where n is the NIST test scalar */
+ if (!BN_rshift(m, n, 1))
+ ABORT;
+
+ /* test the non-standard generator */
+ /* fixed point multiplication */
+ EC_POINT_mul(NISTP, Q, m, NULL, NULL, ctx);
+ if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
+ ABORT;
+ /* random point multiplication */
+ EC_POINT_mul(NISTP, Q, NULL, P, m, ctx);
+ if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
+ ABORT;
+
+ /*
+ * We have not performed precomputation so have_precompute mult should be
+ * false
+ */
+ if (EC_GROUP_have_precompute_mult(NISTP))
+ ABORT;
+
+ /* now repeat all tests with precomputation */
+ if (!EC_GROUP_precompute_mult(NISTP, ctx))
+ ABORT;
+ if (!EC_GROUP_have_precompute_mult(NISTP))
+ ABORT;
+
+ /* fixed point multiplication */
+ EC_POINT_mul(NISTP, Q, m, NULL, NULL, ctx);
+ if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
+ ABORT;
+ /* random point multiplication */
+ EC_POINT_mul(NISTP, Q, NULL, P, m, ctx);
+ if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
+ ABORT;
+
+ /* reset generator */
+ if (!EC_GROUP_set_generator(NISTP, G, order, BN_value_one()))
+ ABORT;
+ /* fixed point multiplication */
+ EC_POINT_mul(NISTP, Q, n, NULL, NULL, ctx);
+ if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
+ ABORT;
+ /* random point multiplication */
+ EC_POINT_mul(NISTP, Q, NULL, G, n, ctx);
+ if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
+ ABORT;
+
+ fprintf(stdout, "ok\n");
+ group_order_tests(NISTP);
+# if 0
+ timings(NISTP, TIMING_BASE_PT, ctx);
+ timings(NISTP, TIMING_RAND_PT, ctx);
+# endif
+ EC_GROUP_free(NISTP);
+ EC_POINT_free(G);
+ EC_POINT_free(P);
+ EC_POINT_free(Q);
+ EC_POINT_free(Q_CHECK);
+ BN_free(n);
+ BN_free(m);
+ BN_free(p);
+ BN_free(a);
+ BN_free(b);
+ BN_free(x);
+ BN_free(y);
+ BN_free(order);
+ BN_CTX_free(ctx);
+}
+
+static void nistp_tests()
+{
+ unsigned i;
+
+ for (i = 0;
+ i < sizeof(nistp_tests_params) / sizeof(struct nistp_test_params);
+ i++) {
+ nistp_single_test(&nistp_tests_params[i]);
+ }
+}
+# endif
+
+static const char rnd_seed[] =
+ "string to make the random number generator think it has entropy";
int main(int argc, char *argv[])
- {
-
- /* enable memory leak checking unless explicitly disabled */
- if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off"))))
- {
- CRYPTO_malloc_debug_init();
- CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
- }
- else
- {
- /* OPENSSL_DEBUG_MEMORY=off */
- CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0);
- }
- CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
- ERR_load_crypto_strings();
-
- RAND_seed(rnd_seed, sizeof rnd_seed); /* or BN_generate_prime may fail */
-
- prime_field_tests();
- puts("");
-#ifndef OPENSSL_NO_EC2M
- char2_field_tests();
-#endif
-#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
- nistp_tests();
-#endif
- /* test the internal curves */
- internal_curve_test();
-
-#ifndef OPENSSL_NO_ENGINE
- ENGINE_cleanup();
-#endif
- CRYPTO_cleanup_all_ex_data();
- ERR_free_strings();
- ERR_remove_thread_state(NULL);
- CRYPTO_mem_leaks_fp(stderr);
-
- return 0;
- }
+{
+
+ /* enable memory leak checking unless explicitly disabled */
+ if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL)
+ && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off")))) {
+ CRYPTO_malloc_debug_init();
+ CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
+ } else {
+ /* OPENSSL_DEBUG_MEMORY=off */
+ CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0);
+ }
+ CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
+ ERR_load_crypto_strings();
+
+ RAND_seed(rnd_seed, sizeof rnd_seed); /* or BN_generate_prime may fail */
+
+ prime_field_tests();
+ puts("");
+# ifndef OPENSSL_NO_EC2M
+ char2_field_tests();
+# endif
+# ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
+ nistp_tests();
+# endif
+ /* test the internal curves */
+ internal_curve_test();
+
+# ifndef OPENSSL_NO_ENGINE
+ ENGINE_cleanup();
+# endif
+ CRYPTO_cleanup_all_ex_data();
+ ERR_free_strings();
+ ERR_remove_thread_state(NULL);
+ CRYPTO_mem_leaks_fp(stderr);
+
+ return 0;
+}
#endif
diff --git a/SOURCES/hobble-openssl b/SOURCES/hobble-openssl
index 3c75ea1..8750ad6 100755
--- a/SOURCES/hobble-openssl
+++ b/SOURCES/hobble-openssl
@@ -6,42 +6,36 @@ set -e
# Clean out patent-or-otherwise-encumbered code.
# MDC-2: 4,908,861 13/03/2007 - expired, we do not remove it but do not enable it anyway
# IDEA: 5,214,703 07/01/2012 - expired, we do not remove it anymore
-# RC5: 5,724,428 01/11/2015
+# RC5: 5,724,428 01/11/2015 - expired, we do not remove it anymore
# EC: ????????? ??/??/2020
# SRP: ????????? ??/??/20??
# Remove assembler portions of IDEA, MDC2, and RC5.
-(find crypto/rc5/asm -type f | xargs -r rm -fv)
+# (find crypto/rc5/asm -type f | xargs -r rm -fv)
-# RC5, SRP.
-for a in rc5 srp; do
+# SRP.
+for a in srp; do
for c in `find crypto/$a -name "*.c" -a \! -name "*test*" -type f` ; do
echo Destroying $c
> $c
done
done
-for c in `find crypto/evp -name "*_rc5.c"`; do
- echo Destroying $c
- > $c
-done
-
for c in `find crypto/bn -name "*gf2m.c"`; do
echo Destroying $c
> $c
done
-for c in `find crypto/ec -name "ec2*.c" -o -name "ec_curve.c" -o -name "ecp_nistp?2?.c" -o -name "ectest.c"`; do
+for c in `find crypto/ec -name "ec2*.c" -o -name "ec_curve.c" -o -name "ecp_nistp22?.c" -o -name "ectest.c"`; do
echo Destroying $c
> $c
done
for h in `find crypto ssl apps test -name "*.h"` ; do
- echo Removing RC5, SRP and EC2M references from $h
+ echo Removing SRP and EC2M references from $h
cat $h | \
awk 'BEGIN {ech=1;} \
/^#[ \t]*ifndef.*NO_SRP/ {ech--; next;} \
- /^#[ \t]*ifndef.*NO_RC5/ {ech--; next;} \
/^#[ \t]*ifndef.*NO_EC2M/ {ech--; next;} \
/^#[ \t]*if/ {if(ech < 1) ech--;} \
{if(ech>0) {;print $0};} \
@@ -50,4 +44,4 @@ for h in `find crypto ssl apps test -name "*.h"` ; do
done
# Make the makefiles happy.
-touch crypto/rc5/asm/rc5-586.pl
+# touch crypto/rc5/asm/rc5-586.pl
diff --git a/SOURCES/openssl-0.9.6-x509.patch b/SOURCES/openssl-0.9.6-x509.patch
deleted file mode 100644
index 7b3f49f..0000000
--- a/SOURCES/openssl-0.9.6-x509.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-Do not treat duplicate certs as an error.
-
---- openssl-0.9.6/crypto/x509/by_file.c Wed Sep 27 15:09:05 2000
-+++ openssl-0.9.6/crypto/x509/by_file.c Wed Sep 27 14:21:20 2000
-@@ -163,8 +163,12 @@
- }
- }
- i=X509_STORE_add_cert(ctx->store_ctx,x);
-- if (!i) goto err;
-- count++;
-+ /* ignore any problems with current certificate
-+ and continue with the next one */
-+ if (i)
-+ count++;
-+ else
-+ ERR_clear_error();
- X509_free(x);
- x=NULL;
- }
-@@ -179,7 +183,8 @@
- goto err;
- }
- i=X509_STORE_add_cert(ctx->store_ctx,x);
-- if (!i) goto err;
-+ if (!i)
-+ ERR_clear_error();
- ret=i;
- }
- else
diff --git a/SOURCES/openssl-0.9.8a-no-rpath.patch b/SOURCES/openssl-0.9.8a-no-rpath.patch
deleted file mode 100644
index 8f8fb91..0000000
--- a/SOURCES/openssl-0.9.8a-no-rpath.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- openssl-0.9.8a/Makefile.shared.no-rpath 2005-06-23 22:47:54.000000000 +0200
-+++ openssl-0.9.8a/Makefile.shared 2005-11-16 22:35:37.000000000 +0100
-@@ -153,7 +153,7 @@
- NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
- SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
-
--DO_GNU_APP=LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBRPATH)"
-+DO_GNU_APP=LDFLAGS="$(CFLAGS)"
-
- #This is rather special. It's a special target with which one can link
- #applications without bothering with any features that have anything to
diff --git a/SOURCES/openssl-0.9.8b-test-use-localhost.patch b/SOURCES/openssl-0.9.8b-test-use-localhost.patch
deleted file mode 100644
index 08adf1c..0000000
--- a/SOURCES/openssl-0.9.8b-test-use-localhost.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-diff -up openssl-0.9.8b/ssl/ssltest.c.use-localhost openssl-0.9.8b/ssl/ssltest.c
---- openssl-0.9.8b/ssl/ssltest.c.use-localhost 2006-02-24 18:58:35.000000000 +0100
-+++ openssl-0.9.8b/ssl/ssltest.c 2007-08-03 14:06:16.000000000 +0200
-@@ -839,19 +839,8 @@ bad:
- #ifndef OPENSSL_NO_KRB5
- if (c_ssl && c_ssl->kssl_ctx)
- {
-- char localhost[MAXHOSTNAMELEN+2];
--
-- if (gethostname(localhost, sizeof localhost-1) == 0)
-- {
-- localhost[sizeof localhost-1]='\0';
-- if(strlen(localhost) == sizeof localhost-1)
-- {
-- BIO_printf(bio_err,"localhost name too long\n");
-- goto end;
-- }
- kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER,
-- localhost);
-- }
-+ "localhost");
- }
- #endif /* OPENSSL_NO_KRB5 */
-
diff --git a/SOURCES/openssl-0.9.8j-version-add-engines.patch b/SOURCES/openssl-0.9.8j-version-add-engines.patch
deleted file mode 100644
index f54326c..0000000
--- a/SOURCES/openssl-0.9.8j-version-add-engines.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-diff -up openssl-0.9.8j/apps/version.c.version-add-engines openssl-0.9.8j/apps/version.c
---- openssl-0.9.8j/apps/version.c.version-add-engines 2008-10-20 14:53:33.000000000 +0200
-+++ openssl-0.9.8j/apps/version.c 2009-01-13 23:22:03.000000000 +0100
-@@ -131,6 +131,7 @@
- #ifndef OPENSSL_NO_BF
- # include <openssl/blowfish.h>
- #endif
-+#include <openssl/engine.h>
-
- #undef PROG
- #define PROG version_main
-@@ -140,7 +141,7 @@ int MAIN(int, char **);
- int MAIN(int argc, char **argv)
- {
- int i,ret=0;
-- int cflags=0,version=0,date=0,options=0,platform=0,dir=0;
-+ int cflags=0,version=0,date=0,options=0,platform=0,dir=0,engines=0;
-
- apps_startup();
-
-@@ -164,7 +165,7 @@ int MAIN(int argc, char **argv)
- else if (strcmp(argv[i],"-d") == 0)
- dir=1;
- else if (strcmp(argv[i],"-a") == 0)
-- date=version=cflags=options=platform=dir=1;
-+ date=version=cflags=options=platform=dir=engines=1;
- else
- {
- BIO_printf(bio_err,"usage:version -[avbofpd]\n");
-@@ -211,6 +212,18 @@ int MAIN(int argc, char **argv)
- }
- if (cflags) printf("%s\n",SSLeay_version(SSLEAY_CFLAGS));
- if (dir) printf("%s\n",SSLeay_version(SSLEAY_DIR));
-+ if (engines)
-+ {
-+ ENGINE *e;
-+ printf("engines: ");
-+ e = ENGINE_get_first();
-+ while (e)
-+ {
-+ printf("%s ", ENGINE_get_id(e));
-+ e = ENGINE_get_next(e);
-+ }
-+ printf("\n");
-+ }
- end:
- apps_shutdown();
- OPENSSL_EXIT(ret);
diff --git a/SOURCES/openssl-1.0.0-beta5-enginesdir.patch b/SOURCES/openssl-1.0.0-beta5-enginesdir.patch
deleted file mode 100644
index d942d6e..0000000
--- a/SOURCES/openssl-1.0.0-beta5-enginesdir.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-diff -up openssl-1.0.0-beta5/Configure.enginesdir openssl-1.0.0-beta5/Configure
---- openssl-1.0.0-beta5/Configure.enginesdir 2010-01-20 18:07:05.000000000 +0100
-+++ openssl-1.0.0-beta5/Configure 2010-01-20 18:10:48.000000000 +0100
-@@ -622,6 +622,7 @@ my $idx_multilib = $idx++;
- my $prefix="";
- my $libdir="";
- my $openssldir="";
-+my $enginesdir="";
- my $exe_ext="";
- my $install_prefix= "$ENV{'INSTALL_PREFIX'}";
- my $cross_compile_prefix="";
-@@ -833,6 +834,10 @@ PROCESS_ARGS:
- {
- $openssldir=$1;
- }
-+ elsif (/^--enginesdir=(.*)$/)
-+ {
-+ $enginesdir=$1;
-+ }
- elsif (/^--install.prefix=(.*)$/)
- {
- $install_prefix=$1;
-@@ -1053,7 +1058,7 @@ chop $prefix if $prefix =~ /.\/$/;
-
- $openssldir=$prefix . "/ssl" if $openssldir eq "";
- $openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/;
--
-+$enginesdir="$prefix/lib/engines" if $enginesdir eq "";
-
- print "IsMK1MF=$IsMK1MF\n";
-
-@@ -1673,7 +1678,7 @@ while (<IN>)
- }
- elsif (/^#define\s+ENGINESDIR/)
- {
-- my $foo = "$prefix/$libdir/engines";
-+ my $foo = "$enginesdir";
- $foo =~ s/\\/\\\\/g;
- print OUT "#define ENGINESDIR \"$foo\"\n";
- }
-diff -up openssl-1.0.0-beta5/engines/Makefile.enginesdir openssl-1.0.0-beta5/engines/Makefile
---- openssl-1.0.0-beta5/engines/Makefile.enginesdir 2010-01-16 21:06:09.000000000 +0100
-+++ openssl-1.0.0-beta5/engines/Makefile 2010-01-20 18:07:05.000000000 +0100
-@@ -124,7 +124,7 @@ install:
- sfx=".so"; \
- cp cyg$$l.dll $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
- fi; \
-- chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
-+ chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
- mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx ); \
- done; \
- fi
diff --git a/SOURCES/openssl-1.0.0-beta5-readme-warning.patch b/SOURCES/openssl-1.0.0-beta5-readme-warning.patch
deleted file mode 100644
index 0d89720..0000000
--- a/SOURCES/openssl-1.0.0-beta5-readme-warning.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-diff -up openssl-1.0.0-beta5/README.warning openssl-1.0.0-beta5/README
---- openssl-1.0.0-beta5/README.warning 2010-01-20 16:00:47.000000000 +0100
-+++ openssl-1.0.0-beta5/README 2010-01-21 09:06:11.000000000 +0100
-@@ -5,6 +5,35 @@
- Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
- All rights reserved.
-
-+ WARNING
-+ -------
-+
-+ This version of OpenSSL is built in a way that supports operation in
-+ the so called FIPS mode. Note though that the library as we build it
-+ is not FIPS validated and the FIPS mode is present for testing purposes
-+ only.
-+
-+ This version also contains a few differences from the upstream code
-+ some of which are:
-+ * There are added changes forward ported from the upstream OpenSSL
-+ 0.9.8 FIPS branch however the FIPS integrity verification check
-+ is implemented differently from the upstream FIPS validated OpenSSL
-+ module. It verifies HMAC-SHA256 checksum of the whole shared
-+ libraries. For this reason the changes are ported to files in the
-+ crypto directory and not in a separate fips subdirectory. Also
-+ note that the FIPS integrity verification check requires unmodified
-+ libcrypto and libssl shared library files which means that it will
-+ fail if these files are modified for example by prelink.
-+ * The module respects the kernel FIPS flag /proc/sys/crypto/fips and
-+ tries to initialize the FIPS mode if it is set to 1 aborting if the
-+ FIPS mode could not be initialized. It is also possible to force the
-+ OpenSSL library to FIPS mode especially for debugging purposes by
-+ setting the environment variable OPENSSL_FORCE_FIPS_MODE.
-+ * If the environment variable OPENSSL_NO_DEFAULT_ZLIB is set the module
-+ will not automatically load the built in compression method ZLIB
-+ when initialized. Applications can still explicitely ask for ZLIB
-+ compression method.
-+
- DESCRIPTION
- -----------
-
diff --git a/SOURCES/openssl-1.0.0c-rsa-x931.patch b/SOURCES/openssl-1.0.0c-rsa-x931.patch
deleted file mode 100644
index a60bbcb..0000000
--- a/SOURCES/openssl-1.0.0c-rsa-x931.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-diff -up openssl-1.0.0c/apps/genrsa.c.x931 openssl-1.0.0c/apps/genrsa.c
---- openssl-1.0.0c/apps/genrsa.c.x931 2010-03-01 15:22:02.000000000 +0100
-+++ openssl-1.0.0c/apps/genrsa.c 2011-02-01 18:32:05.000000000 +0100
-@@ -95,6 +95,7 @@ int MAIN(int argc, char **argv)
- int ret=1;
- int i,num=DEFBITS;
- long l;
-+ int use_x931 = 0;
- const EVP_CIPHER *enc=NULL;
- unsigned long f4=RSA_F4;
- char *outfile=NULL;
-@@ -138,6 +139,8 @@ int MAIN(int argc, char **argv)
- f4=3;
- else if (strcmp(*argv,"-F4") == 0 || strcmp(*argv,"-f4") == 0)
- f4=RSA_F4;
-+ else if (strcmp(*argv,"-x931") == 0)
-+ use_x931 = 1;
- #ifndef OPENSSL_NO_ENGINE
- else if (strcmp(*argv,"-engine") == 0)
- {
-@@ -273,7 +276,14 @@ bad:
- if (!rsa)
- goto err;
-
-- if(!BN_set_word(bn, f4) || !RSA_generate_key_ex(rsa, num, bn, &cb))
-+ if (use_x931)
-+ {
-+ if (!BN_set_word(bn, f4))
-+ goto err;
-+ if (!RSA_X931_generate_key_ex(rsa, num, bn, &cb))
-+ goto err;
-+ }
-+ else if(!BN_set_word(bn, f4) || !RSA_generate_key_ex(rsa, num, bn, &cb))
- goto err;
-
- app_RAND_write_file(NULL, bio_err);
diff --git a/SOURCES/openssl-1.0.0d-apps-dgst.patch b/SOURCES/openssl-1.0.0d-apps-dgst.patch
deleted file mode 100644
index da20481..0000000
--- a/SOURCES/openssl-1.0.0d-apps-dgst.patch
+++ /dev/null
@@ -1,110 +0,0 @@
-diff -up openssl-1.0.0d/apps/ca.c.dgst openssl-1.0.0d/apps/ca.c
---- openssl-1.0.0d/apps/ca.c.dgst 2009-12-02 15:41:24.000000000 +0100
-+++ openssl-1.0.0d/apps/ca.c 2011-04-05 21:09:42.000000000 +0200
-@@ -157,7 +157,7 @@ static const char *ca_usage[]={
- " -startdate YYMMDDHHMMSSZ - certificate validity notBefore\n",
- " -enddate YYMMDDHHMMSSZ - certificate validity notAfter (overrides -days)\n",
- " -days arg - number of days to certify the certificate for\n",
--" -md arg - md to use, one of md2, md5, sha or sha1\n",
-+" -md arg - md to use, see openssl dgst -h for list\n",
- " -policy arg - The CA 'policy' to support\n",
- " -keyfile arg - private key file\n",
- " -keyform arg - private key file format (PEM or ENGINE)\n",
-diff -up openssl-1.0.0d/apps/enc.c.dgst openssl-1.0.0d/apps/enc.c
---- openssl-1.0.0d/apps/enc.c.dgst 2010-06-15 19:25:02.000000000 +0200
-+++ openssl-1.0.0d/apps/enc.c 2011-04-05 21:11:54.000000000 +0200
-@@ -302,7 +302,7 @@ bad:
- BIO_printf(bio_err,"%-14s passphrase is the next argument\n","-k");
- BIO_printf(bio_err,"%-14s passphrase is the first line of the file argument\n","-kfile");
- BIO_printf(bio_err,"%-14s the next argument is the md to use to create a key\n","-md");
-- BIO_printf(bio_err,"%-14s from a passphrase. One of md2, md5, sha or sha1\n","");
-+ BIO_printf(bio_err,"%-14s from a passphrase. See openssl dgst -h for list.\n","");
- BIO_printf(bio_err,"%-14s salt in hex is the next argument\n","-S");
- BIO_printf(bio_err,"%-14s key/iv in hex is the next argument\n","-K/-iv");
- BIO_printf(bio_err,"%-14s print the iv/key (then exit if -P)\n","-[pP]");
-diff -up openssl-1.0.0d/apps/req.c.dgst openssl-1.0.0d/apps/req.c
---- openssl-1.0.0d/apps/req.c.dgst 2010-03-10 14:48:21.000000000 +0100
-+++ openssl-1.0.0d/apps/req.c 2011-04-05 21:12:33.000000000 +0200
-@@ -421,7 +421,7 @@ bad:
- #ifndef OPENSSL_NO_ECDSA
- BIO_printf(bio_err," -newkey ec:file generate a new EC key, parameters taken from CA in 'file'\n");
- #endif
-- BIO_printf(bio_err," -[digest] Digest to sign with (md5, sha1, md2, mdc2, md4)\n");
-+ BIO_printf(bio_err," -[digest] Digest to sign with (see openssl dgst -h for list)\n");
- BIO_printf(bio_err," -config file request template file.\n");
- BIO_printf(bio_err," -subj arg set or modify request subject\n");
- BIO_printf(bio_err," -multivalue-rdn enable support for multivalued RDNs\n");
-diff -up openssl-1.0.0d/apps/ts.c.dgst openssl-1.0.0d/apps/ts.c
---- openssl-1.0.0d/apps/ts.c.dgst 2009-10-18 16:42:26.000000000 +0200
-+++ openssl-1.0.0d/apps/ts.c 2011-04-05 21:16:07.000000000 +0200
-@@ -368,7 +368,7 @@ int MAIN(int argc, char **argv)
- BIO_printf(bio_err, "usage:\n"
- "ts -query [-rand file%cfile%c...] [-config configfile] "
- "[-data file_to_hash] [-digest digest_bytes]"
-- "[-md2|-md4|-md5|-sha|-sha1|-mdc2|-ripemd160] "
-+ "[-<hashalg>] "
- "[-policy object_id] [-no_nonce] [-cert] "
- "[-in request.tsq] [-out request.tsq] [-text]\n",
- LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
-diff -up openssl-1.0.0d/apps/x509.c.dgst openssl-1.0.0d/apps/x509.c
---- openssl-1.0.0d/apps/x509.c.dgst 2011-04-05 21:13:42.000000000 +0200
-+++ openssl-1.0.0d/apps/x509.c 2011-04-05 21:13:17.000000000 +0200
-@@ -141,7 +141,7 @@ static const char *x509_usage[]={
- " -set_serial - serial number to use\n",
- " -text - print the certificate in text form\n",
- " -C - print out C code forms\n",
--" -md2/-md5/-sha1/-mdc2 - digest to use\n",
-+" -<dgst> - digest to use, see openssl dgst -h output for list\n",
- " -extfile - configuration file with X509V3 extensions to add\n",
- " -extensions - section from config file with X509V3 extensions to add\n",
- " -clrext - delete extensions before signing and input certificate\n",
-diff -up openssl-1.0.0d/doc/apps/ca.pod.dgst openssl-1.0.0d/doc/apps/ca.pod
---- openssl-1.0.0d/doc/apps/ca.pod.dgst 2009-04-10 13:25:53.000000000 +0200
-+++ openssl-1.0.0d/doc/apps/ca.pod 2011-04-05 21:16:39.000000000 +0200
-@@ -160,7 +160,8 @@ the number of days to certify the certif
- =item B<-md alg>
-
- the message digest to use. Possible values include md5, sha1 and mdc2.
--This option also applies to CRLs.
-+For full list of digests see openssl dgst -h output. This option also
-+applies to CRLs.
-
- =item B<-policy arg>
-
-diff -up openssl-1.0.0d/doc/apps/ocsp.pod.dgst openssl-1.0.0d/doc/apps/ocsp.pod
---- openssl-1.0.0d/doc/apps/ocsp.pod.dgst 2008-02-25 19:11:47.000000000 +0100
-+++ openssl-1.0.0d/doc/apps/ocsp.pod 2011-04-05 21:18:17.000000000 +0200
-@@ -210,7 +210,8 @@ check is not performed.
- =item B<-md5|-sha1|-sha256|-ripemod160|...>
-
- this option sets digest algorithm to use for certificate identification
--in the OCSP request. By default SHA-1 is used.
-+in the OCSP request. By default SHA-1 is used. See openssl dgst -h output for
-+the list of available algorithms.
-
- =back
-
-diff -up openssl-1.0.0d/doc/apps/req.pod.dgst openssl-1.0.0d/doc/apps/req.pod
---- openssl-1.0.0d/doc/apps/req.pod.dgst 2009-04-10 18:42:28.000000000 +0200
-+++ openssl-1.0.0d/doc/apps/req.pod 2011-04-05 21:20:47.000000000 +0200
-@@ -201,7 +201,8 @@ will not be encrypted.
-
- this specifies the message digest to sign the request with (such as
- B<-md5>, B<-sha1>). This overrides the digest algorithm specified in
--the configuration file.
-+the configuration file. For full list of possible digests see openssl
-+dgst -h output.
-
- Some public key algorithms may override this choice. For instance, DSA
- signatures always use SHA1, GOST R 34.10 signatures always use
-diff -up openssl-1.0.0d/doc/apps/x509.pod.dgst openssl-1.0.0d/doc/apps/x509.pod
---- openssl-1.0.0d/doc/apps/x509.pod.dgst 2010-01-12 18:27:11.000000000 +0100
-+++ openssl-1.0.0d/doc/apps/x509.pod 2011-04-05 21:19:56.000000000 +0200
-@@ -101,6 +101,7 @@ the digest to use. This affects any sign
- digest, such as the B<-fingerprint>, B<-signkey> and B<-CA> options. If not
- specified then SHA1 is used. If the key being used to sign with is a DSA key
- then this option has no effect: SHA1 is always used with DSA keys.
-+For full list of digests see openssl dgst -h output.
-
- =item B<-engine id>
-
diff --git a/SOURCES/openssl-1.0.0d-xmpp-starttls.patch b/SOURCES/openssl-1.0.0d-xmpp-starttls.patch
deleted file mode 100644
index b3999cc..0000000
--- a/SOURCES/openssl-1.0.0d-xmpp-starttls.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -ru openssl-1.0.0d.old/apps/s_client.c openssl-1.0.0d/apps/s_client.c
---- openssl-1.0.0d.old/apps/s_client.c 2011-07-17 21:05:19.934181169 +0200
-+++ openssl-1.0.0d/apps/s_client.c 2011-07-17 21:11:42.747824990 +0200
-@@ -1186,7 +1186,7 @@
- "xmlns='jabber:client' to='%s' version='1.0'>", host);
- seen = BIO_read(sbio,mbuf,BUFSIZZ);
- mbuf[seen] = 0;
-- while (!strstr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'"))
-+ while (!strcasestr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'") && !strcasestr(mbuf, "<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\""))
- {
- if (strstr(mbuf, "/stream:features>"))
- goto shut;
diff --git a/SOURCES/openssl-1.0.0e-chil-fixes.patch b/SOURCES/openssl-1.0.0e-chil-fixes.patch
deleted file mode 100644
index 58a035f..0000000
--- a/SOURCES/openssl-1.0.0e-chil-fixes.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-diff -up openssl-1.0.0e/engines/e_chil.c.chil openssl-1.0.0e/engines/e_chil.c
---- openssl-1.0.0e/engines/e_chil.c.chil 2010-06-15 19:25:12.000000000 +0200
-+++ openssl-1.0.0e/engines/e_chil.c 2011-09-21 17:32:03.000000000 +0200
-@@ -1261,6 +1261,11 @@ static int hwcrhk_insert_card(const char
- UI *ui;
- void *callback_data = NULL;
- UI_METHOD *ui_method = NULL;
-+ /* Despite what the documentation says prompt_info can be
-+ * an empty string.
-+ */
-+ if (prompt_info && !*prompt_info)
-+ prompt_info = NULL;
-
- if (cactx)
- {
-@@ -1287,7 +1292,7 @@ static int hwcrhk_insert_card(const char
-
- if (ui)
- {
-- char answer;
-+ char answer = '\0';
- char buf[BUFSIZ];
- /* Despite what the documentation says wrong_info can be
- * an empty string.
diff --git a/SOURCES/openssl-1.0.0e-doc-noeof.patch b/SOURCES/openssl-1.0.0e-doc-noeof.patch
deleted file mode 100644
index 9686575..0000000
--- a/SOURCES/openssl-1.0.0e-doc-noeof.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-diff -up openssl-1.0.0e/doc/apps/s_client.pod.doc-noeof openssl-1.0.0e/doc/apps/s_client.pod
---- openssl-1.0.0e/doc/apps/s_client.pod.doc-noeof 2009-06-26 13:28:51.000000000 +0200
-+++ openssl-1.0.0e/doc/apps/s_client.pod 2011-11-03 08:30:35.000000000 +0100
-@@ -27,6 +27,7 @@ B<openssl> B<s_client>
- [B<-nbio>]
- [B<-crlf>]
- [B<-ign_eof>]
-+[B<-no_ign_eof>]
- [B<-quiet>]
- [B<-ssl2>]
- [B<-ssl3>]
-@@ -161,6 +162,11 @@ by some servers.
- inhibit shutting down the connection when end of file is reached in the
- input.
-
-+=item B<-no_ign_eof>
-+
-+shut down the connection when end of file is reached in the
-+input. Can be used to override the implicit B<-ign_eof> after B<-quiet>.
-+
- =item B<-quiet>
-
- inhibit printing of session and certificate information. This implicitly
diff --git a/SOURCES/openssl-1.0.1-beta2-dtls1-abi.patch b/SOURCES/openssl-1.0.1-beta2-dtls1-abi.patch
deleted file mode 100644
index 6a556be..0000000
--- a/SOURCES/openssl-1.0.1-beta2-dtls1-abi.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-diff -up openssl-1.0.1-beta2/ssl/dtls1.h.dtls1-abi openssl-1.0.1-beta2/ssl/dtls1.h
---- openssl-1.0.1-beta2/ssl/dtls1.h.dtls1-abi 2012-02-06 17:07:34.630336118 +0100
-+++ openssl-1.0.1-beta2/ssl/dtls1.h 2012-02-06 17:10:08.956623707 +0100
-@@ -222,9 +222,6 @@ typedef struct dtls1_state_st
- */
- record_pqueue buffered_app_data;
-
-- /* Is set when listening for new connections with dtls1_listen() */
-- unsigned int listen;
--
- unsigned int mtu; /* max DTLS packet size */
-
- struct hm_header_st w_msg_hdr;
-@@ -248,6 +245,9 @@ typedef struct dtls1_state_st
- unsigned int retransmitting;
- unsigned int change_cipher_spec_ok;
-
-+ /* Is set when listening for new connections with dtls1_listen() */
-+ unsigned int listen;
-+
- #ifndef OPENSSL_NO_SCTP
- /* used when SSL_ST_XX_FLUSH is entered */
- int next_state;
diff --git a/SOURCES/openssl-1.0.1-beta2-fips-md5-allow.patch b/SOURCES/openssl-1.0.1-beta2-fips-md5-allow.patch
deleted file mode 100644
index d654730..0000000
--- a/SOURCES/openssl-1.0.1-beta2-fips-md5-allow.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-diff -up openssl-1.0.1-beta2/crypto/md5/md5_dgst.c.md5-allow openssl-1.0.1-beta2/crypto/md5/md5_dgst.c
---- openssl-1.0.1-beta2/crypto/md5/md5_dgst.c.md5-allow 2012-02-06 20:09:56.000000000 +0100
-+++ openssl-1.0.1-beta2/crypto/md5/md5_dgst.c 2012-02-06 20:14:02.332117603 +0100
-@@ -71,7 +71,16 @@ const char MD5_version[]="MD5" OPENSSL_V
- #define INIT_DATA_C (unsigned long)0x98badcfeL
- #define INIT_DATA_D (unsigned long)0x10325476L
-
--nonfips_md_init(MD5)
-+int MD5_Init(MD5_CTX *c)
-+#ifdef OPENSSL_FIPS
-+ {
-+ if (FIPS_mode() && getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL)
-+ OpenSSLDie(__FILE__, __LINE__, \
-+ "Digest MD5 forbidden in FIPS mode!");
-+ return private_MD5_Init(c);
-+ }
-+int private_MD5_Init(MD5_CTX *c)
-+#endif
- {
- memset (c,0,sizeof(*c));
- c->A=INIT_DATA_A;
diff --git a/SOURCES/openssl-1.0.1-beta2-padlock64.patch b/SOURCES/openssl-1.0.1-beta2-padlock64.patch
deleted file mode 100644
index 4b7f7da..0000000
--- a/SOURCES/openssl-1.0.1-beta2-padlock64.patch
+++ /dev/null
@@ -1,193 +0,0 @@
-diff -up openssl-1.0.1-beta2/engines/e_padlock.c.padlock64 openssl-1.0.1-beta2/engines/e_padlock.c
---- openssl-1.0.1-beta2/engines/e_padlock.c.padlock64 2011-06-21 18:42:15.000000000 +0200
-+++ openssl-1.0.1-beta2/engines/e_padlock.c 2012-02-06 20:18:52.039537799 +0100
-@@ -101,7 +101,10 @@
- compiler choice is limited to GCC and Microsoft C. */
- #undef COMPILE_HW_PADLOCK
- #if !defined(I386_ONLY) && !defined(OPENSSL_NO_INLINE_ASM)
--# if (defined(__GNUC__) && (defined(__i386__) || defined(__i386))) || \
-+# if (defined(__GNUC__) && __GNUC__>=2 && \
-+ (defined(__i386__) || defined(__i386) || \
-+ defined(__x86_64__) || defined(__x86_64)) \
-+ ) || \
- (defined(_MSC_VER) && defined(_M_IX86))
- # define COMPILE_HW_PADLOCK
- # endif
-@@ -137,7 +140,7 @@ void ENGINE_load_padlock (void)
- # endif
- #elif defined(__GNUC__)
- # ifndef alloca
--# define alloca(s) __builtin_alloca(s)
-+# define alloca(s) __builtin_alloca((s))
- # endif
- #endif
-
-@@ -304,6 +307,7 @@ static volatile struct padlock_cipher_da
- * =======================================================
- */
- #if defined(__GNUC__) && __GNUC__>=2
-+#if defined(__i386__) || defined(__i386)
- /*
- * As for excessive "push %ebx"/"pop %ebx" found all over.
- * When generating position-independent code GCC won't let
-@@ -383,21 +387,6 @@ padlock_available(void)
- return padlock_use_ace + padlock_use_rng;
- }
-
--#ifndef OPENSSL_NO_AES
--/* Our own htonl()/ntohl() */
--static inline void
--padlock_bswapl(AES_KEY *ks)
--{
-- size_t i = sizeof(ks->rd_key)/sizeof(ks->rd_key[0]);
-- unsigned int *key = ks->rd_key;
--
-- while (i--) {
-- asm volatile ("bswapl %0" : "+r"(*key));
-- key++;
-- }
--}
--#endif
--
- /* Force key reload from memory to the CPU microcode.
- Loading EFLAGS from the stack clears EFLAGS[30]
- which does the trick. */
-@@ -455,12 +444,127 @@ static inline void *name(size_t cnt, \
- : "edx", "cc", "memory"); \
- return iv; \
- }
-+#endif
-+
-+#elif defined(__x86_64__) || defined(__x86_64)
-+
-+/* Load supported features of the CPU to see if
-+ the PadLock is available. */
-+static int
-+padlock_available(void)
-+{
-+ char vendor_string[16];
-+ unsigned int eax, edx;
-
-+ /* Are we running on the Centaur (VIA) CPU? */
-+ eax = 0x00000000;
-+ vendor_string[12] = 0;
-+ asm volatile (
-+ "cpuid\n"
-+ "movl %%ebx,(%1)\n"
-+ "movl %%edx,4(%1)\n"
-+ "movl %%ecx,8(%1)\n"
-+ : "+a"(eax) : "r"(vendor_string) : "rbx", "rcx", "rdx");
-+ if (strcmp(vendor_string, "CentaurHauls") != 0)
-+ return 0;
-+
-+ /* Check for Centaur Extended Feature Flags presence */
-+ eax = 0xC0000000;
-+ asm volatile ("cpuid"
-+ : "+a"(eax) : : "rbx", "rcx", "rdx");
-+ if (eax < 0xC0000001)
-+ return 0;
-+
-+ /* Read the Centaur Extended Feature Flags */
-+ eax = 0xC0000001;
-+ asm volatile ("cpuid"
-+ : "+a"(eax), "=d"(edx) : : "rbx", "rcx");
-+
-+ /* Fill up some flags */
-+ padlock_use_ace = ((edx & (0x3<<6)) == (0x3<<6));
-+ padlock_use_rng = ((edx & (0x3<<2)) == (0x3<<2));
-+
-+ return padlock_use_ace + padlock_use_rng;
-+}
-+
-+/* Force key reload from memory to the CPU microcode.
-+ Loading EFLAGS from the stack clears EFLAGS[30]
-+ which does the trick. */
-+static inline void
-+padlock_reload_key(void)
-+{
-+ asm volatile ("pushfq; popfq");
-+}
-+
-+#ifndef OPENSSL_NO_AES
-+/*
-+ * This is heuristic key context tracing. At first one
-+ * believes that one should use atomic swap instructions,
-+ * but it's not actually necessary. Point is that if
-+ * padlock_saved_context was changed by another thread
-+ * after we've read it and before we compare it with cdata,
-+ * our key *shall* be reloaded upon thread context switch
-+ * and we are therefore set in either case...
-+ */
-+static inline void
-+padlock_verify_context(struct padlock_cipher_data *cdata)
-+{
-+ asm volatile (
-+ "pushfq\n"
-+" btl $30,(%%rsp)\n"
-+" jnc 1f\n"
-+" cmpq %2,%1\n"
-+" je 1f\n"
-+" popfq\n"
-+" subq $8,%%rsp\n"
-+"1: addq $8,%%rsp\n"
-+" movq %2,%0"
-+ :"+m"(padlock_saved_context)
-+ : "r"(padlock_saved_context), "r"(cdata) : "cc");
-+}
-+
-+/* Template for padlock_xcrypt_* modes */
-+/* BIG FAT WARNING:
-+ * The offsets used with 'leal' instructions
-+ * describe items of the 'padlock_cipher_data'
-+ * structure.
-+ */
-+#define PADLOCK_XCRYPT_ASM(name,rep_xcrypt) \
-+static inline void *name(size_t cnt, \
-+ struct padlock_cipher_data *cdata, \
-+ void *out, const void *inp) \
-+{ void *iv; \
-+ asm volatile ( "leaq 16(%0),%%rdx\n" \
-+ " leaq 32(%0),%%rbx\n" \
-+ rep_xcrypt "\n" \
-+ : "=a"(iv), "=c"(cnt), "=D"(out), "=S"(inp) \
-+ : "0"(cdata), "1"(cnt), "2"(out), "3"(inp) \
-+ : "rbx", "rdx", "cc", "memory"); \
-+ return iv; \
-+}
-+#endif
-+
-+#endif /* cpu */
-+
-+#ifndef OPENSSL_NO_AES
- /* Generate all functions with appropriate opcodes */
- PADLOCK_XCRYPT_ASM(padlock_xcrypt_ecb, ".byte 0xf3,0x0f,0xa7,0xc8") /* rep xcryptecb */
- PADLOCK_XCRYPT_ASM(padlock_xcrypt_cbc, ".byte 0xf3,0x0f,0xa7,0xd0") /* rep xcryptcbc */
- PADLOCK_XCRYPT_ASM(padlock_xcrypt_cfb, ".byte 0xf3,0x0f,0xa7,0xe0") /* rep xcryptcfb */
- PADLOCK_XCRYPT_ASM(padlock_xcrypt_ofb, ".byte 0xf3,0x0f,0xa7,0xe8") /* rep xcryptofb */
-+
-+/* Our own htonl()/ntohl() */
-+static inline void
-+padlock_bswapl(AES_KEY *ks)
-+{
-+ size_t i = sizeof(ks->rd_key)/sizeof(ks->rd_key[0]);
-+ unsigned int *key = ks->rd_key;
-+
-+ while (i--) {
-+ asm volatile ("bswapl %0" : "+r"(*key));
-+ key++;
-+ }
-+}
- #endif
-
- /* The RNG call itself */
-@@ -491,8 +595,8 @@ padlock_xstore(void *addr, unsigned int
- static inline unsigned char *
- padlock_memcpy(void *dst,const void *src,size_t n)
- {
-- long *d=dst;
-- const long *s=src;
-+ size_t *d=dst;
-+ const size_t *s=src;
-
- n /= sizeof(*d);
- do { *d++ = *s++; } while (--n);
diff --git a/SOURCES/openssl-1.0.1-beta2-ssl-op-all.patch b/SOURCES/openssl-1.0.1-beta2-ssl-op-all.patch
deleted file mode 100644
index 3259d8c..0000000
--- a/SOURCES/openssl-1.0.1-beta2-ssl-op-all.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-diff -up openssl-1.0.1-beta2/ssl/ssl.h.op-all openssl-1.0.1-beta2/ssl/ssl.h
---- openssl-1.0.1-beta2/ssl/ssl.h.op-all 2012-02-02 12:49:00.828035916 +0100
-+++ openssl-1.0.1-beta2/ssl/ssl.h 2012-02-02 12:52:27.297818182 +0100
-@@ -540,7 +540,7 @@ struct ssl_session_st
- #define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L
- /* Allow initial connection to servers that don't support RI */
- #define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L
--#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L
-+#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L /* no effect since 1.0.0c due to CVE-2010-4180 */
- #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L
- #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L
- #define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L /* no effect since 0.9.7h and 0.9.8b */
-@@ -558,7 +558,7 @@ struct ssl_session_st
-
- /* SSL_OP_ALL: various bug workarounds that should be rather harmless.
- * This used to be 0x000FFFFFL before 0.9.7. */
--#define SSL_OP_ALL 0x80000BFFL
-+#define SSL_OP_ALL 0x80000BF7L /* we still have to include SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS */
-
- /* DTLS options */
- #define SSL_OP_NO_QUERY_MTU 0x00001000L
diff --git a/SOURCES/openssl-1.0.1-pkgconfig-krb5.patch b/SOURCES/openssl-1.0.1-pkgconfig-krb5.patch
deleted file mode 100644
index 14a17bf..0000000
--- a/SOURCES/openssl-1.0.1-pkgconfig-krb5.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-diff -up openssl-1.0.1/Makefile.org.krb5 openssl-1.0.1/Makefile.org
---- openssl-1.0.1/Makefile.org.krb5 2012-03-14 21:15:04.000000000 +0100
-+++ openssl-1.0.1/Makefile.org 2012-04-11 16:28:31.254725422 +0200
-@@ -370,7 +370,7 @@ libcrypto.pc: Makefile
- echo 'Requires: '; \
- echo 'Libs: -L$${libdir} -lcrypto'; \
- echo 'Libs.private: $(EX_LIBS)'; \
-- echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libcrypto.pc
-+ echo 'Cflags: -I$${includedir}' ) > libcrypto.pc
-
- libssl.pc: Makefile
- @ ( echo 'prefix=$(INSTALLTOP)'; \
-@@ -383,7 +383,7 @@ libssl.pc: Makefile
- echo 'Version: '$(VERSION); \
- echo 'Requires: '; \
- echo 'Libs: -L$${libdir} -lssl -lcrypto'; \
-- echo 'Libs.private: $(EX_LIBS)'; \
-+ echo 'Libs.private: $(EX_LIBS) $(LIBKRB5)'; \
- echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libssl.pc
-
- openssl.pc: Makefile
-@@ -397,7 +397,7 @@ openssl.pc: Makefile
- echo 'Version: '$(VERSION); \
- echo 'Requires: '; \
- echo 'Libs: -L$${libdir} -lssl -lcrypto'; \
-- echo 'Libs.private: $(EX_LIBS)'; \
-+ echo 'Libs.private: $(EX_LIBS) $(LIBKRB5)'; \
- echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc
-
- Makefile: Makefile.org Configure config
diff --git a/SOURCES/openssl-1.0.1a-algo-doc.patch b/SOURCES/openssl-1.0.1a-algo-doc.patch
deleted file mode 100644
index c4aaa89..0000000
--- a/SOURCES/openssl-1.0.1a-algo-doc.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-diff -up openssl-1.0.1a/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-1.0.1a/doc/crypto/EVP_DigestInit.pod
---- openssl-1.0.1a/doc/crypto/EVP_DigestInit.pod.algo-doc 2012-04-11 00:28:22.000000000 +0200
-+++ openssl-1.0.1a/doc/crypto/EVP_DigestInit.pod 2012-04-20 09:14:01.865167011 +0200
-@@ -75,7 +75,7 @@ EVP_MD_CTX_create() allocates, initializ
-
- EVP_DigestInit_ex() sets up digest context B<ctx> to use a digest
- B<type> from ENGINE B<impl>. B<ctx> must be initialized before calling this
--function. B<type> will typically be supplied by a functionsuch as EVP_sha1().
-+function. B<type> will typically be supplied by a function such as EVP_sha1().
- If B<impl> is NULL then the default implementation of digest B<type> is used.
-
- EVP_DigestUpdate() hashes B<cnt> bytes of data at B<d> into the
-@@ -165,7 +165,8 @@ EVP_MD_size(), EVP_MD_block_size(), EVP_
- EVP_MD_CTX_block_size() and EVP_MD_block_size() return the digest or block
- size in bytes.
-
--EVP_md_null(), EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_dss(),
-+EVP_md_null(), EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(),
-+EVP_sha224(), EVP_sha256(), EVP_sha384(), EVP_sha512(), EVP_dss(),
- EVP_dss1(), EVP_mdc2() and EVP_ripemd160() return pointers to the
- corresponding EVP_MD structures.
-
-diff -up openssl-1.0.1a/doc/crypto/EVP_EncryptInit.pod.algo-doc openssl-1.0.1a/doc/crypto/EVP_EncryptInit.pod
---- openssl-1.0.1a/doc/crypto/EVP_EncryptInit.pod.algo-doc 2005-04-15 18:01:35.000000000 +0200
-+++ openssl-1.0.1a/doc/crypto/EVP_EncryptInit.pod 2012-04-20 09:10:59.114736465 +0200
-@@ -91,6 +91,32 @@ EVP_CIPHER_CTX_set_padding - EVP cipher
- int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
- int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
-
-+ const EVP_CIPHER *EVP_des_ede3(void);
-+ const EVP_CIPHER *EVP_des_ede3_ecb(void);
-+ const EVP_CIPHER *EVP_des_ede3_cfb64(void);
-+ const EVP_CIPHER *EVP_des_ede3_cfb1(void);
-+ const EVP_CIPHER *EVP_des_ede3_cfb8(void);
-+ const EVP_CIPHER *EVP_des_ede3_ofb(void);
-+ const EVP_CIPHER *EVP_des_ede3_cbc(void);
-+ const EVP_CIPHER *EVP_aes_128_ecb(void);
-+ const EVP_CIPHER *EVP_aes_128_cbc(void);
-+ const EVP_CIPHER *EVP_aes_128_cfb1(void);
-+ const EVP_CIPHER *EVP_aes_128_cfb8(void);
-+ const EVP_CIPHER *EVP_aes_128_cfb128(void);
-+ const EVP_CIPHER *EVP_aes_128_ofb(void);
-+ const EVP_CIPHER *EVP_aes_192_ecb(void);
-+ const EVP_CIPHER *EVP_aes_192_cbc(void);
-+ const EVP_CIPHER *EVP_aes_192_cfb1(void);
-+ const EVP_CIPHER *EVP_aes_192_cfb8(void);
-+ const EVP_CIPHER *EVP_aes_192_cfb128(void);
-+ const EVP_CIPHER *EVP_aes_192_ofb(void);
-+ const EVP_CIPHER *EVP_aes_256_ecb(void);
-+ const EVP_CIPHER *EVP_aes_256_cbc(void);
-+ const EVP_CIPHER *EVP_aes_256_cfb1(void);
-+ const EVP_CIPHER *EVP_aes_256_cfb8(void);
-+ const EVP_CIPHER *EVP_aes_256_cfb128(void);
-+ const EVP_CIPHER *EVP_aes_256_ofb(void);
-+
- =head1 DESCRIPTION
-
- The EVP cipher routines are a high level interface to certain
-@@ -297,6 +323,18 @@ Three key triple DES in CBC, ECB, CFB an
-
- DESX algorithm in CBC mode.
-
-+=item EVP_aes_128_cbc(void), EVP_aes_128_ecb(), EVP_aes_128_ofb(void), EVP_aes_128_cfb1(void), EVP_aes_128_cfb8(void), EVP_aes_128_cfb128(void)
-+
-+AES with 128 bit key length in CBC, ECB, OFB and CFB modes respectively.
-+
-+=item EVP_aes_192_cbc(void), EVP_aes_192_ecb(), EVP_aes_192_ofb(void), EVP_aes_192_cfb1(void), EVP_aes_192_cfb8(void), EVP_aes_192_cfb128(void)
-+
-+AES with 192 bit key length in CBC, ECB, OFB and CFB modes respectively.
-+
-+=item EVP_aes_256_cbc(void), EVP_aes_256_ecb(), EVP_aes_256_ofb(void), EVP_aes_256_cfb1(void), EVP_aes_256_cfb8(void), EVP_aes_256_cfb128(void)
-+
-+AES with 256 bit key length in CBC, ECB, OFB and CFB modes respectively.
-+
- =item EVP_rc4(void)
-
- RC4 stream cipher. This is a variable key length cipher with default key length 128 bits.
diff --git a/SOURCES/openssl-1.0.1c-default-paths.patch b/SOURCES/openssl-1.0.1c-default-paths.patch
deleted file mode 100644
index 364128d..0000000
--- a/SOURCES/openssl-1.0.1c-default-paths.patch
+++ /dev/null
@@ -1,100 +0,0 @@
-diff -up openssl-1.0.1c/apps/s_client.c.default-paths openssl-1.0.1c/apps/s_client.c
---- openssl-1.0.1c/apps/s_client.c.default-paths 2012-03-18 19:16:05.000000000 +0100
-+++ openssl-1.0.1c/apps/s_client.c 2012-12-06 18:24:06.425933203 +0100
-@@ -1166,12 +1166,19 @@ bad:
- if (!set_cert_key_stuff(ctx,cert,key))
- goto end;
-
-- if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
-- (!SSL_CTX_set_default_verify_paths(ctx)))
-+ if (CAfile == NULL && CApath == NULL)
- {
-- /* BIO_printf(bio_err,"error setting default verify locations\n"); */
-- ERR_print_errors(bio_err);
-- /* goto end; */
-+ if (!SSL_CTX_set_default_verify_paths(ctx))
-+ {
-+ ERR_print_errors(bio_err);
-+ }
-+ }
-+ else
-+ {
-+ if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath))
-+ {
-+ ERR_print_errors(bio_err);
-+ }
- }
-
- #ifndef OPENSSL_NO_TLSEXT
-diff -up openssl-1.0.1c/apps/s_server.c.default-paths openssl-1.0.1c/apps/s_server.c
---- openssl-1.0.1c/apps/s_server.c.default-paths 2012-03-18 19:16:05.000000000 +0100
-+++ openssl-1.0.1c/apps/s_server.c 2012-12-06 18:25:11.199329611 +0100
-@@ -1565,13 +1565,21 @@ bad:
- }
- #endif
-
-- if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
-- (!SSL_CTX_set_default_verify_paths(ctx)))
-+ if (CAfile == NULL && CApath == NULL)
- {
-- /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
-- ERR_print_errors(bio_err);
-- /* goto end; */
-+ if (!SSL_CTX_set_default_verify_paths(ctx))
-+ {
-+ ERR_print_errors(bio_err);
-+ }
-+ }
-+ else
-+ {
-+ if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath))
-+ {
-+ ERR_print_errors(bio_err);
-+ }
- }
-+
- if (vpm)
- SSL_CTX_set1_param(ctx, vpm);
-
-@@ -1622,8 +1630,11 @@ bad:
- else
- SSL_CTX_sess_set_cache_size(ctx2,128);
-
-- if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) ||
-- (!SSL_CTX_set_default_verify_paths(ctx2)))
-+ if (!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath))
-+ {
-+ ERR_print_errors(bio_err);
-+ }
-+ if (!SSL_CTX_set_default_verify_paths(ctx2))
- {
- ERR_print_errors(bio_err);
- }
-diff -up openssl-1.0.1c/apps/s_time.c.default-paths openssl-1.0.1c/apps/s_time.c
---- openssl-1.0.1c/apps/s_time.c.default-paths 2006-04-17 14:22:13.000000000 +0200
-+++ openssl-1.0.1c/apps/s_time.c 2012-12-06 18:27:41.694574044 +0100
-@@ -373,12 +373,19 @@ int MAIN(int argc, char **argv)
-
- SSL_load_error_strings();
-
-- if ((!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath)) ||
-- (!SSL_CTX_set_default_verify_paths(tm_ctx)))
-+ if (CAfile == NULL && CApath == NULL)
- {
-- /* BIO_printf(bio_err,"error setting default verify locations\n"); */
-- ERR_print_errors(bio_err);
-- /* goto end; */
-+ if (!SSL_CTX_set_default_verify_paths(tm_ctx))
-+ {
-+ ERR_print_errors(bio_err);
-+ }
-+ }
-+ else
-+ {
-+ if (!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath))
-+ {
-+ ERR_print_errors(bio_err);
-+ }
- }
-
- if (tm_cipher == NULL)
diff --git a/SOURCES/openssl-1.0.1c-dh-1024.patch b/SOURCES/openssl-1.0.1c-dh-1024.patch
deleted file mode 100644
index 89f0f04..0000000
--- a/SOURCES/openssl-1.0.1c-dh-1024.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-diff -up openssl-1.0.1c/apps/s_server.c.dh1024 openssl-1.0.1c/apps/s_server.c
---- openssl-1.0.1c/apps/s_server.c.dh1024 2012-11-14 20:27:50.000000000 +0100
-+++ openssl-1.0.1c/apps/s_server.c 2012-11-15 20:56:15.247774465 +0100
-@@ -222,27 +222,31 @@ static void s_server_init(void);
- #endif
-
- #ifndef OPENSSL_NO_DH
--static unsigned char dh512_p[]={
-- 0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75,
-- 0x6F,0x4C,0xCA,0x92,0xDD,0x4B,0xE5,0x33,0xB8,0x04,0xFB,0x0F,
-- 0xED,0x94,0xEF,0x9C,0x8A,0x44,0x03,0xED,0x57,0x46,0x50,0xD3,
-- 0x69,0x99,0xDB,0x29,0xD7,0x76,0x27,0x6B,0xA2,0xD3,0xD4,0x12,
-- 0xE2,0x18,0xF4,0xDD,0x1E,0x08,0x4C,0xF6,0xD8,0x00,0x3E,0x7C,
-- 0x47,0x74,0xE8,0x33,
-- };
--static unsigned char dh512_g[]={
-- 0x02,
-- };
--
--static DH *get_dh512(void)
-+static DH *get_dh1024()
- {
-- DH *dh=NULL;
-+ static unsigned char dh1024_p[]={
-+ 0x99,0x58,0xFA,0x90,0x53,0x2F,0xE0,0x61,0x83,0x9D,0x54,0x63,
-+ 0xBD,0x35,0x5A,0x31,0xF3,0xC6,0x79,0xE5,0xA0,0x0F,0x66,0x79,
-+ 0x3C,0xA0,0x7F,0xE8,0xA2,0x5F,0xDF,0x11,0x08,0xA3,0xF0,0x3C,
-+ 0xC3,0x3C,0x5D,0x50,0x2C,0xD5,0xD6,0x58,0x12,0xDB,0xC1,0xEF,
-+ 0xB4,0x47,0x4A,0x5A,0x39,0x8A,0x4E,0xEB,0x44,0xE2,0x07,0xFB,
-+ 0x3D,0xA3,0xC7,0x6E,0x52,0xF3,0x2B,0x7B,0x10,0xA5,0x98,0xE3,
-+ 0x38,0x2A,0xE2,0x7F,0xA4,0x8F,0x26,0x87,0x9B,0x66,0x7A,0xED,
-+ 0x2D,0x4C,0xE7,0x33,0x77,0x47,0x94,0x43,0xB6,0xAA,0x97,0x23,
-+ 0x8A,0xFC,0xA5,0xA6,0x64,0x09,0xC0,0x27,0xC0,0xEF,0xCB,0x05,
-+ 0x90,0x9D,0xD5,0x75,0xBA,0x00,0xE0,0xFB,0xA8,0x81,0x52,0xA4,
-+ 0xB2,0x83,0x22,0x5B,0xCB,0xD7,0x16,0x93,
-+ };
-+ static unsigned char dh1024_g[]={
-+ 0x02,
-+ };
-+ DH *dh;
-
- if ((dh=DH_new()) == NULL) return(NULL);
-- dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
-- dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
-+ dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
-+ dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
- if ((dh->p == NULL) || (dh->g == NULL))
-- return(NULL);
-+ { DH_free(dh); return(NULL); }
- return(dh);
- }
- #endif
-@@ -1657,7 +1661,7 @@ bad:
- else
- {
- BIO_printf(bio_s_out,"Using default temp DH parameters\n");
-- dh=get_dh512();
-+ dh=get_dh1024();
- }
- (void)BIO_flush(bio_s_out);
-
diff --git a/SOURCES/openssl-1.0.1c-ipv6-apps.patch b/SOURCES/openssl-1.0.1c-ipv6-apps.patch
deleted file mode 100644
index 41e0b36..0000000
--- a/SOURCES/openssl-1.0.1c-ipv6-apps.patch
+++ /dev/null
@@ -1,516 +0,0 @@
-diff -up openssl-1.0.1c/apps/s_apps.h.ipv6-apps openssl-1.0.1c/apps/s_apps.h
---- openssl-1.0.1c/apps/s_apps.h.ipv6-apps 2012-07-11 22:46:02.409221206 +0200
-+++ openssl-1.0.1c/apps/s_apps.h 2012-07-11 22:46:02.451222165 +0200
-@@ -148,7 +148,7 @@ typedef fd_mask fd_set;
- #define PORT_STR "4433"
- #define PROTOCOL "tcp"
-
--int do_server(int port, int type, int *ret, int (*cb) (char *hostname, int s, unsigned char *context), unsigned char *context);
-+int do_server(char *port, int type, int *ret, int (*cb) (char *hostname, int s, unsigned char *context), unsigned char *context);
- #ifdef HEADER_X509_H
- int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
- #endif
-@@ -156,10 +156,9 @@ int MS_CALLBACK verify_callback(int ok,
- int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file);
- int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key);
- #endif
--int init_client(int *sock, char *server, int port, int type);
-+int init_client(int *sock, char *server, char *port, int type);
- int should_retry(int i);
--int extract_port(char *str, short *port_ptr);
--int extract_host_port(char *str,char **host_ptr,unsigned char *ip,short *p);
-+int extract_host_port(char *str,char **host_ptr,char **port_ptr);
-
- long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp,
- int argi, long argl, long ret);
-diff -up openssl-1.0.1c/apps/s_client.c.ipv6-apps openssl-1.0.1c/apps/s_client.c
---- openssl-1.0.1c/apps/s_client.c.ipv6-apps 2012-07-11 22:46:02.433221754 +0200
-+++ openssl-1.0.1c/apps/s_client.c 2012-07-11 22:46:02.452222187 +0200
-@@ -563,7 +563,7 @@ int MAIN(int argc, char **argv)
- int cbuf_len,cbuf_off;
- int sbuf_len,sbuf_off;
- fd_set readfds,writefds;
-- short port=PORT;
-+ char *port_str = PORT_STR;
- int full_log=1;
- char *host=SSL_HOST_NAME;
- char *cert_file=NULL,*key_file=NULL;
-@@ -664,13 +664,12 @@ int MAIN(int argc, char **argv)
- else if (strcmp(*argv,"-port") == 0)
- {
- if (--argc < 1) goto bad;
-- port=atoi(*(++argv));
-- if (port == 0) goto bad;
-+ port_str= *(++argv);
- }
- else if (strcmp(*argv,"-connect") == 0)
- {
- if (--argc < 1) goto bad;
-- if (!extract_host_port(*(++argv),&host,NULL,&port))
-+ if (!extract_host_port(*(++argv),&host,&port_str))
- goto bad;
- }
- else if (strcmp(*argv,"-verify") == 0)
-@@ -1253,7 +1252,7 @@ bad:
-
- re_start:
-
-- if (init_client(&s,host,port,socket_type) == 0)
-+ if (init_client(&s,host,port_str,socket_type) == 0)
- {
- BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
- SHUTDOWN(s);
-diff -up openssl-1.0.1c/apps/s_server.c.ipv6-apps openssl-1.0.1c/apps/s_server.c
---- openssl-1.0.1c/apps/s_server.c.ipv6-apps 2012-07-11 22:46:02.434221777 +0200
-+++ openssl-1.0.1c/apps/s_server.c 2012-07-11 22:46:02.453222210 +0200
-@@ -929,7 +929,7 @@ int MAIN(int argc, char *argv[])
- {
- X509_VERIFY_PARAM *vpm = NULL;
- int badarg = 0;
-- short port=PORT;
-+ char *port_str = PORT_STR;
- char *CApath=NULL,*CAfile=NULL;
- unsigned char *context = NULL;
- char *dhfile = NULL;
-@@ -1000,8 +1000,7 @@ int MAIN(int argc, char *argv[])
- (strcmp(*argv,"-accept") == 0))
- {
- if (--argc < 1) goto bad;
-- if (!extract_port(*(++argv),&port))
-- goto bad;
-+ port_str= *(++argv);
- }
- else if (strcmp(*argv,"-verify") == 0)
- {
-@@ -1878,9 +1877,9 @@ bad:
- BIO_printf(bio_s_out,"ACCEPT\n");
- (void)BIO_flush(bio_s_out);
- if (www)
-- do_server(port,socket_type,&accept_socket,www_body, context);
-+ do_server(port_str,socket_type,&accept_socket,www_body, context);
- else
-- do_server(port,socket_type,&accept_socket,sv_body, context);
-+ do_server(port_str,socket_type,&accept_socket,sv_body, context);
- print_stats(bio_s_out,ctx);
- ret=0;
- end:
-diff -up openssl-1.0.1c/apps/s_socket.c.ipv6-apps openssl-1.0.1c/apps/s_socket.c
---- openssl-1.0.1c/apps/s_socket.c.ipv6-apps 2011-12-02 15:39:40.000000000 +0100
-+++ openssl-1.0.1c/apps/s_socket.c 2012-07-11 22:49:05.411400450 +0200
-@@ -102,9 +102,7 @@ static struct hostent *GetHostByName(cha
- static void ssl_sock_cleanup(void);
- #endif
- static int ssl_sock_init(void);
--static int init_client_ip(int *sock,unsigned char ip[4], int port, int type);
--static int init_server(int *sock, int port, int type);
--static int init_server_long(int *sock, int port,char *ip, int type);
-+static int init_server(int *sock, char *port, int type);
- static int do_accept(int acc_sock, int *sock, char **host);
- static int host_ip(char *str, unsigned char ip[4]);
-
-@@ -234,57 +232,70 @@ static int ssl_sock_init(void)
- return(1);
- }
-
--int init_client(int *sock, char *host, int port, int type)
-+int init_client(int *sock, char *host, char *port, int type)
- {
-- unsigned char ip[4];
--
-- memset(ip, '\0', sizeof ip);
-- if (!host_ip(host,&(ip[0])))
-- return 0;
-- return init_client_ip(sock,ip,port,type);
-- }
--
--static int init_client_ip(int *sock, unsigned char ip[4], int port, int type)
-- {
-- unsigned long addr;
-- struct sockaddr_in them;
-- int s,i;
-+ struct addrinfo *res, *res0, hints;
-+ char * failed_call = NULL;
-+ int s;
-+ int e;
-
- if (!ssl_sock_init()) return(0);
-
-- memset((char *)&them,0,sizeof(them));
-- them.sin_family=AF_INET;
-- them.sin_port=htons((unsigned short)port);
-- addr=(unsigned long)
-- ((unsigned long)ip[0]<<24L)|
-- ((unsigned long)ip[1]<<16L)|
-- ((unsigned long)ip[2]<< 8L)|
-- ((unsigned long)ip[3]);
-- them.sin_addr.s_addr=htonl(addr);
--
-- if (type == SOCK_STREAM)
-- s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL);
-- else /* ( type == SOCK_DGRAM) */
-- s=socket(AF_INET,SOCK_DGRAM,IPPROTO_UDP);
--
-- if (s == INVALID_SOCKET) { perror("socket"); return(0); }
-+ memset(&hints, '\0', sizeof(hints));
-+ hints.ai_socktype = type;
-+ hints.ai_flags = AI_ADDRCONFIG;
-+
-+ e = getaddrinfo(host, port, &hints, &res);
-+ if (e)
-+ {
-+ fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e));
-+ if (e == EAI_SYSTEM)
-+ perror("getaddrinfo");
-+ return (0);
-+ }
-
-+ res0 = res;
-+ while (res)
-+ {
-+ s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
-+ if (s == INVALID_SOCKET)
-+ {
-+ failed_call = "socket";
-+ goto nextres;
-+ }
- #if defined(SO_KEEPALIVE) && !defined(OPENSSL_SYS_MPE)
- if (type == SOCK_STREAM)
- {
-- i=0;
-- i=setsockopt(s,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i));
-- if (i < 0) { perror("keepalive"); return(0); }
-+ int i=0;
-+ i=setsockopt(s,SOL_SOCKET,SO_KEEPALIVE,
-+ (char *)&i,sizeof(i));
-+ if (i < 0) {
-+ failed_call = "keepalive";
-+ goto nextres;
-+ }
- }
- #endif
--
-- if (connect(s,(struct sockaddr *)&them,sizeof(them)) == -1)
-- { closesocket(s); perror("connect"); return(0); }
-+ if (connect(s,(struct sockaddr *)res->ai_addr,
-+ res->ai_addrlen) == 0)
-+ {
-+ freeaddrinfo(res0);
- *sock=s;
- return(1);
- }
-
--int do_server(int port, int type, int *ret, int (*cb)(char *hostname, int s, unsigned char *context), unsigned char *context)
-+ failed_call = "socket";
-+nextres:
-+ if (s != INVALID_SOCKET)
-+ close(s);
-+ res = res->ai_next;
-+ }
-+ freeaddrinfo(res0);
-+
-+ perror(failed_call);
-+ return(0);
-+ }
-+
-+int do_server(char *port, int type, int *ret, int (*cb)(char *hostname, int s, unsigned char *context), unsigned char *context)
- {
- int sock;
- char *name = NULL;
-@@ -322,33 +333,50 @@ int do_server(int port, int type, int *r
- }
- }
-
--static int init_server_long(int *sock, int port, char *ip, int type)
-+static int init_server(int *sock, char *port, int type)
- {
-- int ret=0;
-- struct sockaddr_in server;
-- int s= -1;
-+ struct addrinfo *res, *res0 = NULL, hints;
-+ char * failed_call = NULL;
-+ int s = INVALID_SOCKET;
-+ int e;
-
- if (!ssl_sock_init()) return(0);
-
-- memset((char *)&server,0,sizeof(server));
-- server.sin_family=AF_INET;
-- server.sin_port=htons((unsigned short)port);
-- if (ip == NULL)
-- server.sin_addr.s_addr=INADDR_ANY;
-- else
--/* Added for T3E, address-of fails on bit field (beckman@acl.lanl.gov) */
--#ifndef BIT_FIELD_LIMITS
-- memcpy(&server.sin_addr.s_addr,ip,4);
--#else
-- memcpy(&server.sin_addr,ip,4);
--#endif
-+ memset(&hints, '\0', sizeof(hints));
-+ hints.ai_family = AF_INET6;
-+tryipv4:
-+ hints.ai_socktype = type;
-+ hints.ai_flags = AI_PASSIVE;
-
-- if (type == SOCK_STREAM)
-- s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL);
-- else /* type == SOCK_DGRAM */
-- s=socket(AF_INET, SOCK_DGRAM,IPPROTO_UDP);
-+ e = getaddrinfo(NULL, port, &hints, &res);
-+ if (e)
-+ {
-+ if (hints.ai_family == AF_INET)
-+ {
-+ fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e));
-+ if (e == EAI_SYSTEM)
-+ perror("getaddrinfo");
-+ return (0);
-+ }
-+ else
-+ res = NULL;
-+ }
-
-- if (s == INVALID_SOCKET) goto err;
-+ res0 = res;
-+ while (res)
-+ {
-+ s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
-+ if (s == INVALID_SOCKET)
-+ {
-+ failed_call = "socket";
-+ goto nextres;
-+ }
-+ if (hints.ai_family == AF_INET6)
-+ {
-+ int j = 0;
-+ setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY,
-+ (void *) &j, sizeof j);
-+ }
- #if defined SOL_SOCKET && defined SO_REUSEADDR
- {
- int j = 1;
-@@ -356,35 +384,49 @@ static int init_server_long(int *sock, i
- (void *) &j, sizeof j);
- }
- #endif
-- if (bind(s,(struct sockaddr *)&server,sizeof(server)) == -1)
-+
-+ if (bind(s,(struct sockaddr *)res->ai_addr, res->ai_addrlen) == -1)
- {
--#ifndef OPENSSL_SYS_WINDOWS
-- perror("bind");
--#endif
-- goto err;
-+ failed_call = "bind";
-+ goto nextres;
- }
-- /* Make it 128 for linux */
-- if (type==SOCK_STREAM && listen(s,128) == -1) goto err;
-- *sock=s;
-- ret=1;
--err:
-- if ((ret == 0) && (s != -1))
-+ if (type==SOCK_STREAM && listen(s,128) == -1)
- {
-- SHUTDOWN(s);
-+ failed_call = "listen";
-+ goto nextres;
- }
-- return(ret);
-+
-+ *sock=s;
-+ return(1);
-+
-+nextres:
-+ if (s != INVALID_SOCKET)
-+ close(s);
-+ res = res->ai_next;
- }
-+ if (res0)
-+ freeaddrinfo(res0);
-
--static int init_server(int *sock, int port, int type)
-+ if (s == INVALID_SOCKET)
- {
-- return(init_server_long(sock, port, NULL, type));
-+ if (hints.ai_family == AF_INET6)
-+ {
-+ hints.ai_family = AF_INET;
-+ goto tryipv4;
-+ }
-+ perror("socket");
-+ return(0);
-+ }
-+
-+ perror(failed_call);
-+ return(0);
- }
-
- static int do_accept(int acc_sock, int *sock, char **host)
- {
-+ static struct sockaddr_storage from;
-+ char buffer[NI_MAXHOST];
- int ret;
-- struct hostent *h1,*h2;
-- static struct sockaddr_in from;
- int len;
- /* struct linger ling; */
-
-@@ -431,135 +473,58 @@ redoit:
- */
-
- if (host == NULL) goto end;
--#ifndef BIT_FIELD_LIMITS
-- /* I should use WSAAsyncGetHostByName() under windows */
-- h1=gethostbyaddr((char *)&from.sin_addr.s_addr,
-- sizeof(from.sin_addr.s_addr),AF_INET);
--#else
-- h1=gethostbyaddr((char *)&from.sin_addr,
-- sizeof(struct in_addr),AF_INET);
--#endif
-- if (h1 == NULL)
-+
-+ if (getnameinfo((struct sockaddr *)&from, sizeof(from),
-+ buffer, sizeof(buffer),
-+ NULL, 0, 0))
- {
-- BIO_printf(bio_err,"bad gethostbyaddr\n");
-+ BIO_printf(bio_err,"getnameinfo failed\n");
- *host=NULL;
- /* return(0); */
- }
- else
- {
-- if ((*host=(char *)OPENSSL_malloc(strlen(h1->h_name)+1)) == NULL)
-+ if ((*host=(char *)OPENSSL_malloc(strlen(buffer)+1)) == NULL)
- {
- perror("OPENSSL_malloc");
- return(0);
- }
-- BUF_strlcpy(*host,h1->h_name,strlen(h1->h_name)+1);
--
-- h2=GetHostByName(*host);
-- if (h2 == NULL)
-- {
-- BIO_printf(bio_err,"gethostbyname failure\n");
-- return(0);
-- }
-- if (h2->h_addrtype != AF_INET)
-- {
-- BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n");
-- return(0);
-- }
-+ strcpy(*host, buffer);
- }
- end:
- *sock=ret;
- return(1);
- }
-
--int extract_host_port(char *str, char **host_ptr, unsigned char *ip,
-- short *port_ptr)
-+int extract_host_port(char *str, char **host_ptr,
-+ char **port_ptr)
- {
-- char *h,*p;
-+ char *h,*p,*x;
-
-- h=str;
-- p=strchr(str,':');
-+ x=h=str;
-+ if (*h == '[')
-+ {
-+ h++;
-+ p=strchr(h,']');
- if (p == NULL)
- {
-- BIO_printf(bio_err,"no port defined\n");
-+ BIO_printf(bio_err,"no ending bracket for IPv6 address\n");
- return(0);
- }
- *(p++)='\0';
--
-- if ((ip != NULL) && !host_ip(str,ip))
-- goto err;
-- if (host_ptr != NULL) *host_ptr=h;
--
-- if (!extract_port(p,port_ptr))
-- goto err;
-- return(1);
--err:
-- return(0);
-+ x = p;
- }
--
--static int host_ip(char *str, unsigned char ip[4])
-- {
-- unsigned int in[4];
-- int i;
--
-- if (sscanf(str,"%u.%u.%u.%u",&(in[0]),&(in[1]),&(in[2]),&(in[3])) == 4)
-- {
-- for (i=0; i<4; i++)
-- if (in[i] > 255)
-- {
-- BIO_printf(bio_err,"invalid IP address\n");
-- goto err;
-- }
-- ip[0]=in[0];
-- ip[1]=in[1];
-- ip[2]=in[2];
-- ip[3]=in[3];
-- }
-- else
-- { /* do a gethostbyname */
-- struct hostent *he;
--
-- if (!ssl_sock_init()) return(0);
--
-- he=GetHostByName(str);
-- if (he == NULL)
-- {
-- BIO_printf(bio_err,"gethostbyname failure\n");
-- goto err;
-- }
-- /* cast to short because of win16 winsock definition */
-- if ((short)he->h_addrtype != AF_INET)
-+ p=strchr(x,':');
-+ if (p == NULL)
- {
-- BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n");
-- return(0);
-- }
-- ip[0]=he->h_addr_list[0][0];
-- ip[1]=he->h_addr_list[0][1];
-- ip[2]=he->h_addr_list[0][2];
-- ip[3]=he->h_addr_list[0][3];
-- }
-- return(1);
--err:
-+ BIO_printf(bio_err,"no port defined\n");
- return(0);
- }
-+ *(p++)='\0';
-
--int extract_port(char *str, short *port_ptr)
-- {
-- int i;
-- struct servent *s;
-+ if (host_ptr != NULL) *host_ptr=h;
-+ if (port_ptr != NULL) *port_ptr=p;
-
-- i=atoi(str);
-- if (i != 0)
-- *port_ptr=(unsigned short)i;
-- else
-- {
-- s=getservbyname(str,"tcp");
-- if (s == NULL)
-- {
-- BIO_printf(bio_err,"getservbyname failure for %s\n",str);
-- return(0);
-- }
-- *port_ptr=ntohs((unsigned short)s->s_port);
-- }
- return(1);
- }
-
diff --git a/SOURCES/openssl-1.0.1e-3des-strength.patch b/SOURCES/openssl-1.0.1e-3des-strength.patch
deleted file mode 100644
index 9fdefb6..0000000
--- a/SOURCES/openssl-1.0.1e-3des-strength.patch
+++ /dev/null
@@ -1,332 +0,0 @@
-We degrade all 64 bit block ciphers and RC4 to 112 bits.
-diff -up openssl-1.0.1e/ssl/s2_lib.c.3des-strength openssl-1.0.1e/ssl/s2_lib.c
---- openssl-1.0.1e/ssl/s2_lib.c.3des-strength 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/ssl/s2_lib.c 2016-09-21 11:37:22.729563320 +0200
-@@ -152,7 +152,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
- SSL_SSLV2,
- SSL_NOT_EXP|SSL_MEDIUM,
- 0,
-- 128,
-+ 112,
- 128,
- },
-
-@@ -184,7 +184,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
- SSL_SSLV2,
- SSL_NOT_EXP|SSL_MEDIUM,
- 0,
-- 128,
-+ 112,
- 128,
- },
-
-@@ -217,7 +217,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
- SSL_SSLV2,
- SSL_NOT_EXP|SSL_MEDIUM,
- 0,
-- 128,
-+ 112,
- 128,
- },
- #endif
-
-@@ -250,7 +250,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
- SSL_SSLV2,
- SSL_NOT_EXP|SSL_HIGH,
- 0,
-- 168,
-+ 112,
- 168,
- },
-
-diff -up openssl-1.0.1e/ssl/s3_lib.c.3des-strength openssl-1.0.1e/ssl/s3_lib.c
---- openssl-1.0.1e/ssl/s3_lib.c.3des-strength 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/ssl/s3_lib.c 2016-09-21 11:43:27.108247849 +0200
-@@ -230,7 +230,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- SSL_SSLV3,
- SSL_NOT_EXP|SSL_MEDIUM,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 128,
-+ 112,
- 128,
- },
-
-@@ -246,7 +246,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- SSL_SSLV3,
- SSL_NOT_EXP|SSL_MEDIUM,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 128,
-+ 112,
- 128,
- },
-
-@@ -279,7 +279,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- SSL_SSLV3,
- SSL_NOT_EXP|SSL_MEDIUM,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 128,
-+ 112,
- 128,
- },
- #endif
-@@ -328,7 +328,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- SSL_SSLV3,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 168,
-+ 112,
- 168,
- },
-
-@@ -377,7 +377,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- SSL_SSLV3,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 168,
-+ 112,
- 168,
- },
-
-@@ -425,7 +425,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- SSL_SSLV3,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 168,
-+ 112,
- 168,
- },
-
-@@ -474,7 +474,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- SSL_SSLV3,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 168,
-+ 112,
- 168,
- },
-
-@@ -522,7 +522,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- SSL_SSLV3,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 168,
-+ 112,
- 168,
- },
-
-@@ -554,7 +554,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- SSL_SSLV3,
- SSL_NOT_EXP|SSL_MEDIUM,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 128,
-+ 112,
- 128,
- },
-
-@@ -602,7 +602,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- SSL_SSLV3,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 168,
-+ 112,
- 168,
- },
-
-@@ -687,7 +687,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- SSL_SSLV3,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 168,
-+ 112,
- 168,
- },
-
-@@ -703,7 +703,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- SSL_SSLV3,
- SSL_NOT_EXP|SSL_MEDIUM,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 128,
-+ 112,
- 128,
- },
-
-@@ -719,7 +719,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- SSL_SSLV3,
- SSL_NOT_EXP|SSL_MEDIUM,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 128,
-+ 112,
- 128,
- },
-
-@@ -751,7 +751,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- SSL_SSLV3,
- SSL_NOT_EXP|SSL_HIGH,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 168,
-+ 112,
- 168,
- },
-
-@@ -767,7 +767,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- SSL_SSLV3,
- SSL_NOT_EXP|SSL_MEDIUM,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 128,
-+ 112,
- 128,
- },
-
-@@ -783,7 +783,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- SSL_SSLV3,
- SSL_NOT_EXP|SSL_MEDIUM,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 128,
-+ 112,
- 128,
- },
-
-@@ -1380,7 +1380,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_MEDIUM,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 128,
-+ 112,
- 128,
- },
- #endif
-@@ -1669,7 +1669,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_MEDIUM,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 128,
-+ 112,
- 128,
- },
-
-@@ -1685,7 +1685,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 168,
-+ 112,
- 168,
- },
-
-@@ -2046,7 +2046,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_MEDIUM,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 128,
-+ 112,
- 128,
- },
-
-@@ -2062,7 +2062,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 168,
-+ 112,
- 168,
- },
-
-@@ -2126,7 +2126,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_MEDIUM,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 128,
-+ 112,
- 128,
- },
-
-@@ -2142,7 +2142,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 168,
-+ 112,
- 168,
- },
-
-@@ -2206,7 +2206,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_MEDIUM,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 128,
-+ 112,
- 128,
- },
-
-@@ -2222,7 +2222,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 168,
-+ 112,
- 168,
- },
-
-@@ -2286,7 +2286,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_MEDIUM,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 128,
-+ 112,
- 128,
- },
-
-@@ -2302,7 +2302,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 168,
-+ 112,
- 168,
- },
-
-@@ -2366,7 +2366,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_MEDIUM,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 128,
-+ 112,
- 128,
- },
-
-@@ -2382,7 +2382,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 168,
-+ 112,
- 168,
- },
-
-@@ -2432,7 +2432,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 168,
-+ 112,
- 168,
- },
-
-@@ -2448,7 +2448,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 168,
-+ 112,
- 168,
- },
-
-@@ -2464,7 +2464,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 168,
-+ 112,
- 168,
- },
-
diff --git a/SOURCES/openssl-1.0.1e-arm-use-elf-auxv-caps.patch b/SOURCES/openssl-1.0.1e-arm-use-elf-auxv-caps.patch
deleted file mode 100644
index 94a8c42..0000000
--- a/SOURCES/openssl-1.0.1e-arm-use-elf-auxv-caps.patch
+++ /dev/null
@@ -1,93 +0,0 @@
-diff --git a/crypto/armcap.c b/crypto/armcap.c
-index 5258d2f..efb4009 100644
---- a/crypto/armcap.c
-+++ b/crypto/armcap.c
-@@ -9,11 +9,6 @@
-
- unsigned int OPENSSL_armcap_P;
-
--static sigset_t all_masked;
--
--static sigjmp_buf ill_jmp;
--static void ill_handler (int sig) { siglongjmp(ill_jmp,sig); }
--
- /*
- * Following subroutines could have been inlined, but it's not all
- * ARM compilers support inline assembler...
-@@ -29,24 +24,26 @@ unsigned int OPENSSL_rdtsc(void)
- return 0;
- }
-
--#if defined(__GNUC__) && __GNUC__>=2
--void OPENSSL_cpuid_setup(void) __attribute__((constructor));
--#endif
--void OPENSSL_cpuid_setup(void)
-+#if defined(__GLIBC__) && __GLIBC__>=2 && __GLIBC_MINOR__>=16
-+#include <sys/auxv.h>
-+
-+void OPENSSL_cpuid_find(void)
-+ {
-+ unsigned long hwcap = getauxval(AT_HWCAP);
-+ char *plat = (char *)getauxval(AT_PLATFORM);
-+
-+ OPENSSL_armcap_P |= hwcap & HWCAP_ARM_NEON ? ARMV7_NEON : 0;
-+ OPENSSL_armcap_P |= plat ? (plat[1] == '7' ? ARMV7_TICK : 0) : 0;
-+ }
-+#else
-+static sigset_t all_masked;
-+static sigjmp_buf ill_jmp;
-+static void ill_handler (int sig) { siglongjmp(ill_jmp,sig); }
-+
-+void OPENSSL_cpuid_find(void)
- {
-- char *e;
- struct sigaction ill_oact,ill_act;
- sigset_t oset;
-- static int trigger=0;
--
-- if (trigger) return;
-- trigger=1;
--
-- if ((e=getenv("OPENSSL_armcap")))
-- {
-- OPENSSL_armcap_P=strtoul(e,NULL,0);
-- return;
-- }
-
- sigfillset(&all_masked);
- sigdelset(&all_masked,SIGILL);
-@@ -55,8 +52,6 @@ void OPENSSL_cpuid_setup(void)
- sigdelset(&all_masked,SIGBUS);
- sigdelset(&all_masked,SIGSEGV);
-
-- OPENSSL_armcap_P = 0;
--
- memset(&ill_act,0,sizeof(ill_act));
- ill_act.sa_handler = ill_handler;
- ill_act.sa_mask = all_masked;
-@@ -78,3 +73,25 @@ void OPENSSL_cpuid_setup(void)
- sigaction (SIGILL,&ill_oact,NULL);
- sigprocmask(SIG_SETMASK,&oset,NULL);
- }
-+#endif
-+
-+#if defined(__GNUC__) && __GNUC__>=2
-+void OPENSSL_cpuid_setup(void) __attribute__((constructor));
-+#endif
-+void OPENSSL_cpuid_setup(void)
-+ {
-+ char *e;
-+ static int trigger=0;
-+
-+ if (trigger) return;
-+ trigger=1;
-+
-+ if ((e=getenv("OPENSSL_armcap")))
-+ {
-+ OPENSSL_armcap_P=strtoul(e,NULL,0);
-+ return;
-+ }
-+
-+ OPENSSL_armcap_P = 0;
-+ OPENSSL_cpuid_find();
-+ }
diff --git a/SOURCES/openssl-1.0.1e-backports.patch b/SOURCES/openssl-1.0.1e-backports.patch
deleted file mode 100644
index abe3017..0000000
--- a/SOURCES/openssl-1.0.1e-backports.patch
+++ /dev/null
@@ -1,345 +0,0 @@
-diff -up openssl-1.0.1e/crypto/pem/pem_info.c.backports openssl-1.0.1e/crypto/pem/pem_info.c
---- openssl-1.0.1e/crypto/pem/pem_info.c.backports 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/pem/pem_info.c 2013-08-16 15:31:35.726003892 +0200
-@@ -167,6 +167,7 @@ start:
- #ifndef OPENSSL_NO_RSA
- if (strcmp(name,PEM_STRING_RSA) == 0)
- {
-+ d2i=(D2I_OF(void))d2i_RSAPrivateKey;
- if (xi->x_pkey != NULL)
- {
- if (!sk_X509_INFO_push(ret,xi)) goto err;
-diff -up openssl-1.0.1e/crypto/rsa/rsa_pmeth.c.backports openssl-1.0.1e/crypto/rsa/rsa_pmeth.c
---- openssl-1.0.1e/crypto/rsa/rsa_pmeth.c.backports 2013-08-16 15:31:35.697003256 +0200
-+++ openssl-1.0.1e/crypto/rsa/rsa_pmeth.c 2013-08-16 15:33:37.770673918 +0200
-@@ -582,6 +582,8 @@ static int pkey_rsa_ctrl_str(EVP_PKEY_CT
- pm = RSA_NO_PADDING;
- else if (!strcmp(value, "oeap"))
- pm = RSA_PKCS1_OAEP_PADDING;
-+ else if (!strcmp(value, "oaep"))
-+ pm = RSA_PKCS1_OAEP_PADDING;
- else if (!strcmp(value, "x931"))
- pm = RSA_X931_PADDING;
- else if (!strcmp(value, "pss"))
-diff -up openssl-1.0.1e/crypto/x509/x509_vfy.c.backports openssl-1.0.1e/crypto/x509/x509_vfy.c
---- openssl-1.0.1e/crypto/x509/x509_vfy.c.backports 2013-08-16 15:31:35.721003782 +0200
-+++ openssl-1.0.1e/crypto/x509/x509_vfy.c 2013-08-16 15:31:35.726003892 +0200
-@@ -696,6 +696,7 @@ static int check_cert(X509_STORE_CTX *ct
- X509_CRL *crl = NULL, *dcrl = NULL;
- X509 *x;
- int ok, cnum;
-+ unsigned int last_reasons;
- cnum = ctx->error_depth;
- x = sk_X509_value(ctx->chain, cnum);
- ctx->current_cert = x;
-@@ -704,6 +705,7 @@ static int check_cert(X509_STORE_CTX *ct
- ctx->current_reasons = 0;
- while (ctx->current_reasons != CRLDP_ALL_REASONS)
- {
-+ last_reasons = ctx->current_reasons;
- /* Try to retrieve relevant CRL */
- if (ctx->get_crl)
- ok = ctx->get_crl(ctx, &crl, x);
-@@ -747,6 +749,15 @@ static int check_cert(X509_STORE_CTX *ct
- X509_CRL_free(dcrl);
- crl = NULL;
- dcrl = NULL;
-+ /* If reasons not updated we wont get anywhere by
-+ * another iteration, so exit loop.
-+ */
-+ if (last_reasons == ctx->current_reasons)
-+ {
-+ ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
-+ ok = ctx->verify_cb(0, ctx);
-+ goto err;
-+ }
- }
- err:
- X509_CRL_free(crl);
-diff -up openssl-1.0.1e/crypto/x509/x_all.c.backports openssl-1.0.1e/crypto/x509/x_all.c
---- openssl-1.0.1e/crypto/x509/x_all.c.backports 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/x509/x_all.c 2013-08-16 15:33:25.247399940 +0200
-@@ -97,6 +97,7 @@ int X509_sign(X509 *x, EVP_PKEY *pkey, c
-
- int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx)
- {
-+ x->cert_info->enc.modified = 1;
- return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CINF),
- x->cert_info->signature,
- x->sig_alg, x->signature, x->cert_info, ctx);
-@@ -123,6 +124,7 @@ int X509_CRL_sign(X509_CRL *x, EVP_PKEY
-
- int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx)
- {
-+ x->crl->enc.modified = 1;
- return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CRL_INFO),
- x->crl->sig_alg, x->sig_alg, x->signature, x->crl, ctx);
- }
-diff -up openssl-1.0.1e/doc/crypto/X509_STORE_CTX_get_error.pod.backports openssl-1.0.1e/doc/crypto/X509_STORE_CTX_get_error.pod
---- openssl-1.0.1e/doc/crypto/X509_STORE_CTX_get_error.pod.backports 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/doc/crypto/X509_STORE_CTX_get_error.pod 2013-08-16 15:31:35.727003914 +0200
-@@ -278,6 +278,8 @@ happen if extended CRL checking is enabl
- an application specific error. This will never be returned unless explicitly
- set by an application.
-
-+=back
-+
- =head1 NOTES
-
- The above functions should be used instead of directly referencing the fields
-diff -up openssl-1.0.1e/doc/ssl/SSL_accept.pod.backports openssl-1.0.1e/doc/ssl/SSL_accept.pod
---- openssl-1.0.1e/doc/ssl/SSL_accept.pod.backports 2013-02-11 16:02:48.000000000 +0100
-+++ openssl-1.0.1e/doc/ssl/SSL_accept.pod 2013-08-16 15:31:35.727003914 +0200
-@@ -44,17 +44,17 @@ The following return values can occur:
-
- =over 4
-
--=item 1
--
--The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
--established.
--
- =item 0
-
- The TLS/SSL handshake was not successful but was shut down controlled and
- by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
- return value B<ret> to find out the reason.
-
-+=item 1
-+
-+The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
-+established.
-+
- =item E<lt>0
-
- The TLS/SSL handshake was not successful because a fatal error occurred either
-diff -up openssl-1.0.1e/doc/ssl/SSL_connect.pod.backports openssl-1.0.1e/doc/ssl/SSL_connect.pod
---- openssl-1.0.1e/doc/ssl/SSL_connect.pod.backports 2013-02-11 16:02:48.000000000 +0100
-+++ openssl-1.0.1e/doc/ssl/SSL_connect.pod 2013-08-16 15:31:35.727003914 +0200
-@@ -41,17 +41,17 @@ The following return values can occur:
-
- =over 4
-
--=item 1
--
--The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
--established.
--
- =item 0
-
- The TLS/SSL handshake was not successful but was shut down controlled and
- by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
- return value B<ret> to find out the reason.
-
-+=item 1
-+
-+The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
-+established.
-+
- =item E<lt>0
-
- The TLS/SSL handshake was not successful, because a fatal error occurred either
-diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod.backports openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod
---- openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod.backports 2013-02-11 16:02:48.000000000 +0100
-+++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod 2013-08-16 15:31:35.727003914 +0200
-@@ -66,16 +66,16 @@ values:
-
- =over 4
-
--=item 1
--
--The operation succeeded.
--
- =item 0
-
- A failure while manipulating the STACK_OF(X509_NAME) object occurred or
- the X509_NAME could not be extracted from B<cacert>. Check the error stack
- to find out the reason.
-
-+=item 1
-+
-+The operation succeeded.
-+
- =back
-
- =head1 EXAMPLES
-diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod.backports openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
---- openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod.backports 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod 2013-08-16 15:31:35.727003914 +0200
-@@ -81,6 +81,8 @@ SSL_CTX_use_psk_identity_hint() and SSL_
-
- Return values from the server callback are interpreted as follows:
-
-+=over 4
-+
- =item > 0
-
- PSK identity was found and the server callback has provided the PSK
-@@ -99,4 +101,6 @@ completely.
- PSK identity was not found. An "unknown_psk_identity" alert message
- will be sent and the connection setup fails.
-
-+=back
-+
- =cut
-diff -up openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod.backports openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod
---- openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod.backports 2013-02-11 16:02:48.000000000 +0100
-+++ openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod 2013-08-16 15:31:35.727003914 +0200
-@@ -45,17 +45,17 @@ The following return values can occur:
-
- =over 4
-
--=item 1
--
--The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
--established.
--
- =item 0
-
- The TLS/SSL handshake was not successful but was shut down controlled and
- by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
- return value B<ret> to find out the reason.
-
-+=item 1
-+
-+The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
-+established.
-+
- =item E<lt>0
-
- The TLS/SSL handshake was not successful because a fatal error occurred either
-diff -up openssl-1.0.1e/doc/ssl/SSL_shutdown.pod.backports openssl-1.0.1e/doc/ssl/SSL_shutdown.pod
---- openssl-1.0.1e/doc/ssl/SSL_shutdown.pod.backports 2013-02-11 16:02:48.000000000 +0100
-+++ openssl-1.0.1e/doc/ssl/SSL_shutdown.pod 2013-08-16 15:31:35.728003935 +0200
-@@ -92,11 +92,6 @@ The following return values can occur:
-
- =over 4
-
--=item 1
--
--The shutdown was successfully completed. The "close notify" alert was sent
--and the peer's "close notify" alert was received.
--
- =item 0
-
- The shutdown is not yet finished. Call SSL_shutdown() for a second time,
-@@ -104,6 +99,11 @@ if a bidirectional shutdown shall be per
- The output of L<SSL_get_error(3)|SSL_get_error(3)> may be misleading, as an
- erroneous SSL_ERROR_SYSCALL may be flagged even though no error occurred.
-
-+=item 1
-+
-+The shutdown was successfully completed. The "close notify" alert was sent
-+and the peer's "close notify" alert was received.
-+
- =item -1
-
- The shutdown was not successful because a fatal error occurred either
-diff -up openssl-1.0.1e/ssl/d1_lib.c.backports openssl-1.0.1e/ssl/d1_lib.c
---- openssl-1.0.1e/ssl/d1_lib.c.backports 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/ssl/d1_lib.c 2013-08-16 15:33:33.306576363 +0200
-@@ -196,6 +196,7 @@ void dtls1_free(SSL *s)
- pqueue_free(s->d1->buffered_app_data.q);
-
- OPENSSL_free(s->d1);
-+ s->d1 = NULL;
- }
-
- void dtls1_clear(SSL *s)
-diff -up openssl-1.0.1e/ssl/d1_pkt.c.backports openssl-1.0.1e/ssl/d1_pkt.c
---- openssl-1.0.1e/ssl/d1_pkt.c.backports 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/ssl/d1_pkt.c 2013-08-16 15:31:35.728003935 +0200
-@@ -847,6 +847,12 @@ start:
- }
- }
-
-+ if (s->d1->listen && rr->type != SSL3_RT_HANDSHAKE)
-+ {
-+ rr->length = 0;
-+ goto start;
-+ }
-+
- /* we now have a packet which can be read and processed */
-
- if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
-@@ -1051,6 +1057,7 @@ start:
- !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
- !s->s3->renegotiate)
- {
-+ s->d1->handshake_read_seq++;
- s->new_session = 1;
- ssl3_renegotiate(s);
- if (ssl3_renegotiate_check(s))
-diff -up openssl-1.0.1e/ssl/d1_srvr.c.backports openssl-1.0.1e/ssl/d1_srvr.c
---- openssl-1.0.1e/ssl/d1_srvr.c.backports 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/ssl/d1_srvr.c 2013-08-16 15:31:35.728003935 +0200
-@@ -276,10 +276,11 @@ int dtls1_accept(SSL *s)
- case SSL3_ST_SW_HELLO_REQ_B:
-
- s->shutdown=0;
-+ dtls1_clear_record_buffer(s);
- dtls1_start_timer(s);
- ret=dtls1_send_hello_request(s);
- if (ret <= 0) goto end;
-- s->s3->tmp.next_state=SSL3_ST_SW_HELLO_REQ_C;
-+ s->s3->tmp.next_state=SSL3_ST_SR_CLNT_HELLO_A;
- s->state=SSL3_ST_SW_FLUSH;
- s->init_num=0;
-
-diff -up openssl-1.0.1e/ssl/s3_cbc.c.backports openssl-1.0.1e/ssl/s3_cbc.c
---- openssl-1.0.1e/ssl/s3_cbc.c.backports 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/ssl/s3_cbc.c 2013-08-16 15:31:35.729003956 +0200
-@@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s
- unsigned padding_length, good, to_check, i;
- const unsigned overhead = 1 /* padding length byte */ + mac_size;
- /* Check if version requires explicit IV */
-- if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION)
-+ if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER)
- {
- /* These lengths are all public so we can test them in
- * non-constant time.
-diff -up openssl-1.0.1e/ssl/ssl_lib.c.backports openssl-1.0.1e/ssl/ssl_lib.c
---- openssl-1.0.1e/ssl/ssl_lib.c.backports 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/ssl/ssl_lib.c 2013-08-16 15:31:35.729003956 +0200
-@@ -1797,7 +1797,9 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
- CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data);
-
- ret->extra_certs=NULL;
-- ret->comp_methods=SSL_COMP_get_compression_methods();
-+ /* No compression for DTLS */
-+ if (meth->version != DTLS1_VERSION)
-+ ret->comp_methods=SSL_COMP_get_compression_methods();
-
- ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
-
-@@ -2792,9 +2794,7 @@ void ssl_clear_cipher_ctx(SSL *s)
- /* Fix this function so that it takes an optional type parameter */
- X509 *SSL_get_certificate(const SSL *s)
- {
-- if (s->server)
-- return(ssl_get_server_send_cert(s));
-- else if (s->cert != NULL)
-+ if (s->cert != NULL)
- return(s->cert->key->x509);
- else
- return(NULL);
-diff --git a/crypto/x86cpuid.pl b/crypto/x86cpuid.pl
-index 3b6c469..e8a7518 100644
---- a/crypto/x86cpuid.pl
-+++ b/crypto/x86cpuid.pl
-@@ -69,6 +69,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
- &inc ("esi"); # number of cores
-
- &mov ("eax",1);
-+ &xor ("ecx","ecx");
- &cpuid ();
- &bt ("edx",28);
- &jnc (&label("generic"));
-@@ -102,6 +103,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
-
- &set_label("nocacheinfo");
- &mov ("eax",1);
-+ &xor ("ecx","ecx");
- &cpuid ();
- &and ("edx",0xbfefffff); # force reserved bits #20, #30 to 0
- &cmp ("ebp",0);
diff --git a/SOURCES/openssl-1.0.1e-bad-mac.patch b/SOURCES/openssl-1.0.1e-bad-mac.patch
deleted file mode 100644
index 06d284e..0000000
--- a/SOURCES/openssl-1.0.1e-bad-mac.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 9ab3ce124616cb12bd39c6aa1e1bde0f46969b29 Mon Sep 17 00:00:00 2001
-From: Andy Polyakov <appro@openssl.org>
-Date: Mon, 18 Mar 2013 19:29:41 +0100
-Subject: [PATCH] e_aes_cbc_hmac_sha1.c: fix rare bad record mac on AES-NI
- plaforms.
-
-PR: 3002
-(cherry picked from commit 5c60046553716fcf160718f59160493194f212dc)
----
- crypto/evp/e_aes_cbc_hmac_sha1.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/crypto/evp/e_aes_cbc_hmac_sha1.c b/crypto/evp/e_aes_cbc_hmac_sha1.c
-index 483e04b..fb2c884 100644
---- a/crypto/evp/e_aes_cbc_hmac_sha1.c
-+++ b/crypto/evp/e_aes_cbc_hmac_sha1.c
-@@ -328,10 +328,11 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-
- if (res!=SHA_CBLOCK) continue;
-
-- mask = 0-((inp_len+8-j)>>(sizeof(j)*8-1));
-+ /* j is not incremented yet */
-+ mask = 0-((inp_len+7-j)>>(sizeof(j)*8-1));
- data->u[SHA_LBLOCK-1] |= bitlen&mask;
- sha1_block_data_order(&key->md,data,1);
-- mask &= 0-((j-inp_len-73)>>(sizeof(j)*8-1));
-+ mask &= 0-((j-inp_len-72)>>(sizeof(j)*8-1));
- pmac->u[0] |= key->md.h0 & mask;
- pmac->u[1] |= key->md.h1 & mask;
- pmac->u[2] |= key->md.h2 & mask;
---
-1.7.9.5
-
diff --git a/SOURCES/openssl-1.0.1e-cc-reqs.patch b/SOURCES/openssl-1.0.1e-cc-reqs.patch
deleted file mode 100644
index e266bb1..0000000
--- a/SOURCES/openssl-1.0.1e-cc-reqs.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-diff -up openssl-1.0.1e/crypto/rsa/rsa_gen.c.cc-reqs openssl-1.0.1e/crypto/rsa/rsa_gen.c
---- openssl-1.0.1e/crypto/rsa/rsa_gen.c.cc-reqs 2015-01-13 12:45:51.000000000 +0100
-+++ openssl-1.0.1e/crypto/rsa/rsa_gen.c 2015-01-15 17:35:04.649697922 +0100
-@@ -438,6 +438,10 @@ static int rsa_builtin_keygen(RSA *rsa,
- if(!rsa->dmq1 && ((rsa->dmq1=BN_new()) == NULL)) goto err;
- if(!rsa->iqmp && ((rsa->iqmp=BN_new()) == NULL)) goto err;
-
-+ /* prepare minimum p and q difference */
-+ if (!BN_one(r3)) goto err;
-+ if (bitsp > 100 && !BN_lshift(r3, r3, bitsp - 100)) goto err;
-+
- BN_copy(rsa->e, e_value);
-
- /* generate p and q */
-@@ -463,7 +467,9 @@ static int rsa_builtin_keygen(RSA *rsa,
- {
- if(!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb))
- goto err;
-- } while((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 3));
-+ if (!BN_sub(r2, rsa->q, rsa->p))
-+ goto err;
-+ } while((BN_ucmp(r2, r3) <= 0) && (++degenerate < 3));
- if(degenerate == 3)
- {
- ok = 0; /* we set our own err */
diff --git a/SOURCES/openssl-1.0.1e-compat-symbols.patch b/SOURCES/openssl-1.0.1e-compat-symbols.patch
deleted file mode 100644
index 25a9d02..0000000
--- a/SOURCES/openssl-1.0.1e-compat-symbols.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-diff -up openssl-1.0.1e/crypto/dsa/dsa_key.c.compat openssl-1.0.1e/crypto/dsa/dsa_key.c
---- openssl-1.0.1e/crypto/dsa/dsa_key.c.compat 2013-11-26 14:36:35.000000000 +0100
-+++ openssl-1.0.1e/crypto/dsa/dsa_key.c 2013-12-11 16:34:58.638549687 +0100
-@@ -68,6 +68,11 @@
- #include <openssl/fips.h>
- #include <openssl/evp.h>
-
-+/* just a compatibility symbol - no-op */
-+void FIPS_corrupt_dsa_keygen(void)
-+ {
-+ }
-+
- static int fips_check_dsa(DSA *dsa)
- {
- EVP_PKEY *pk;
-diff -up openssl-1.0.1e/crypto/engine/eng_all.c.compat openssl-1.0.1e/crypto/engine/eng_all.c
---- openssl-1.0.1e/crypto/engine/eng_all.c.compat 2013-11-26 14:36:35.000000000 +0100
-+++ openssl-1.0.1e/crypto/engine/eng_all.c 2013-12-11 16:32:13.512820424 +0100
-@@ -62,6 +62,11 @@
- #include <openssl/fips.h>
- #endif
-
-+/* just backwards compatibility symbol - no-op */
-+void ENGINE_load_aesni (void)
-+{
-+}
-+
- void ENGINE_load_builtin_engines(void)
- {
- /* Some ENGINEs need this */
-diff -up openssl-1.0.1e/crypto/fips/fips.c.compat openssl-1.0.1e/crypto/fips/fips.c
---- openssl-1.0.1e/crypto/fips/fips.c.compat 2013-11-26 14:36:35.000000000 +0100
-+++ openssl-1.0.1e/crypto/fips/fips.c 2013-12-11 16:38:52.524831858 +0100
-@@ -111,6 +111,12 @@ int FIPS_module_mode(void)
- return ret;
- }
-
-+/* just a compat symbol - return NULL */
-+const void *FIPS_rand_check(void)
-+ {
-+ return NULL;
-+ }
-+
- int FIPS_selftest_failed(void)
- {
- int ret = 0;
diff --git a/SOURCES/openssl-1.0.1e-copy-algo.patch b/SOURCES/openssl-1.0.1e-copy-algo.patch
deleted file mode 100644
index 927c584..0000000
--- a/SOURCES/openssl-1.0.1e-copy-algo.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
-index 6a33b9d..76a5f9e 100644
---- a/ssl/ssl_lib.c
-+++ b/ssl/ssl_lib.c
-@@ -3177,15 +3177,26 @@ SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl)
-
- SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx)
- {
-+ CERT *ocert = ssl->cert;
- if (ssl->ctx == ctx)
- return ssl->ctx;
- #ifndef OPENSSL_NO_TLSEXT
- if (ctx == NULL)
- ctx = ssl->initial_ctx;
- #endif
-- if (ssl->cert != NULL)
-- ssl_cert_free(ssl->cert);
- ssl->cert = ssl_cert_dup(ctx->cert);
-+ if (ocert)
-+ {
-+ int i;
-+ /* Copy negotiated digests from original */
-+ for (i = 0; i < SSL_PKEY_NUM; i++)
-+ {
-+ CERT_PKEY *cpk = ocert->pkeys + i;
-+ CERT_PKEY *rpk = ssl->cert->pkeys + i;
-+ rpk->digest = cpk->digest;
-+ }
-+ ssl_cert_free(ocert);
-+ }
- CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
- if (ssl->ctx != NULL)
- SSL_CTX_free(ssl->ctx); /* decrement reference count */
diff --git a/SOURCES/openssl-1.0.1e-cve-2010-5298.patch b/SOURCES/openssl-1.0.1e-cve-2010-5298.patch
deleted file mode 100644
index b4f92cd..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2010-5298.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-From: Ben Laurie <ben@links.org>
-Date: Wed, 23 Apr 2014 06:24:03 +0000 (+0100)
-Subject: Fix use after free.
-X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=94d1f4b
-
-Fix use after free.
----
-
-diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
-index b9e45c7..d601a18 100644
---- a/ssl/s3_pkt.c
-+++ b/ssl/s3_pkt.c
-@@ -1334,7 +1334,7 @@ start:
- {
- s->rstate=SSL_ST_READ_HEADER;
- rr->off=0;
-- if (s->mode & SSL_MODE_RELEASE_BUFFERS)
-+ if (s->mode & SSL_MODE_RELEASE_BUFFERS && s->s3->rbuf.left == 0)
- ssl3_release_read_buffer(s);
- }
- }
diff --git a/SOURCES/openssl-1.0.1e-cve-2013-4353.patch b/SOURCES/openssl-1.0.1e-cve-2013-4353.patch
deleted file mode 100644
index 5f96116..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2013-4353.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-Fix for TLS record tampering bug. A carefully crafted invalid
-handshake could crash OpenSSL with a NULL pointer exception.
-Thanks to Anton Johansson for reporting this issues.
-(CVE-2013-4353)
-diff --git a/ssl/s3_both.c b/ssl/s3_both.c
-index 1e5dcab..53b9390 100644
---- a/ssl/s3_both.c
-+++ b/ssl/s3_both.c
-@@ -210,7 +210,11 @@ static void ssl3_take_mac(SSL *s)
- {
- const char *sender;
- int slen;
--
-+ /* If no new cipher setup return immediately: other functions will
-+ * set the appropriate error.
-+ */
-+ if (s->s3->tmp.new_cipher == NULL)
-+ return;
- if (s->state & SSL_ST_CONNECT)
- {
- sender=s->method->ssl3_enc->server_finished_label;
diff --git a/SOURCES/openssl-1.0.1e-cve-2013-6449.patch b/SOURCES/openssl-1.0.1e-cve-2013-6449.patch
deleted file mode 100644
index d80a178..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2013-6449.patch
+++ /dev/null
@@ -1,111 +0,0 @@
-Use version in SSL_METHOD not SSL structure.
-
-When deciding whether to use TLS 1.2 PRF and record hash algorithms
-use the version number in the corresponding SSL_METHOD structure
-instead of the SSL structure. The SSL structure version is sometimes
-inaccurate. Note: OpenSSL 1.0.2 and later effectively do this already.
-(CVE-2013-6449)
-
-Also preventively check EVP errors for handshake digests.
-
-diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
-index bf832bb..c4ef273 100644
---- a/ssl/s3_lib.c
-+++ b/ssl/s3_lib.c
-@@ -4286,7 +4286,7 @@ need to go to SSL_ST_ACCEPT.
- long ssl_get_algorithm2(SSL *s)
- {
- long alg2 = s->s3->tmp.new_cipher->algorithm2;
-- if (TLS1_get_version(s) >= TLS1_2_VERSION &&
-+ if (s->method->version == TLS1_2_VERSION &&
- alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF))
- return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256;
- return alg2;
-diff --git a/ssl/s3_both.c b/ssl/s3_both.c
-index ead01c8..1e5dcab 100644
---- a/ssl/s3_both.c
-+++ b/ssl/s3_both.c
-@@ -161,6 +161,8 @@ int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen)
-
- i=s->method->ssl3_enc->final_finish_mac(s,
- sender,slen,s->s3->tmp.finish_md);
-+ if (i == 0)
-+ return 0;
- s->s3->tmp.finish_md_len = i;
- memcpy(p, s->s3->tmp.finish_md, i);
- p+=i;
-diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
-index 804291e..c4bc4e7 100644
---- a/ssl/s3_pkt.c
-+++ b/ssl/s3_pkt.c
-@@ -335,7 +335,7 @@ fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length);
- if (version != s->version)
- {
- SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
-- if ((s->version & 0xFF00) == (version & 0xFF00))
-+ if ((s->version & 0xFF00) == (version & 0xFF00) && !s->enc_write_ctx && !s->write_hash)
- /* Send back error using their minor version number :-) */
- s->version = (unsigned short)version;
- al=SSL_AD_PROTOCOL_VERSION;
-@@ -1459,8 +1459,14 @@ int ssl3_do_change_cipher_spec(SSL *s)
- slen=s->method->ssl3_enc->client_finished_label_len;
- }
-
-- s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
-+ i = s->method->ssl3_enc->final_finish_mac(s,
- sender,slen,s->s3->tmp.peer_finish_md);
-+ if (i == 0)
-+ {
-+ SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR);
-+ return 0;
-+ }
-+ s->s3->tmp.peer_finish_md_len = i;
-
- return(1);
- }
-diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
-index e5a8b3f..52efed3 100644
---- a/ssl/s3_srvr.c
-+++ b/ssl/s3_srvr.c
-@@ -958,7 +958,8 @@ int ssl3_get_client_hello(SSL *s)
- (s->version != DTLS1_VERSION && s->client_version < s->version))
- {
- SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER);
-- if ((s->client_version>>8) == SSL3_VERSION_MAJOR)
-+ if ((s->client_version>>8) == SSL3_VERSION_MAJOR &&
-+ !s->enc_write_ctx && !s->write_hash)
- {
- /* similar to ssl3_get_record, send alert using remote version number */
- s->version = s->client_version;
-diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
-index 809ad2e..72015f5 100644
---- a/ssl/t1_enc.c
-+++ b/ssl/t1_enc.c
-@@ -915,18 +915,19 @@ int tls1_final_finish_mac(SSL *s,
- if (mask & ssl_get_algorithm2(s))
- {
- int hashsize = EVP_MD_size(md);
-- if (hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf)))
-+ EVP_MD_CTX *hdgst = s->s3->handshake_dgst[idx];
-+ if (!hdgst || hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf)))
- {
- /* internal error: 'buf' is too small for this cipersuite! */
- err = 1;
- }
- else
- {
-- EVP_MD_CTX_copy_ex(&ctx,s->s3->handshake_dgst[idx]);
-- EVP_DigestFinal_ex(&ctx,q,&i);
-- if (i != (unsigned int)hashsize) /* can't really happen */
-+ if (!EVP_MD_CTX_copy_ex(&ctx, hdgst) ||
-+ !EVP_DigestFinal_ex(&ctx,q,&i) ||
-+ (i != (unsigned int)hashsize))
- err = 1;
-- q+=i;
-+ q+=hashsize;
- }
- }
- }
---
-1.8.3.1
-
diff --git a/SOURCES/openssl-1.0.1e-cve-2013-6450.patch b/SOURCES/openssl-1.0.1e-cve-2013-6450.patch
deleted file mode 100644
index fa096c8..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2013-6450.patch
+++ /dev/null
@@ -1,85 +0,0 @@
-Fix DTLS retransmission from previous session.
-
-For DTLS we might need to retransmit messages from the previous session
-so keep a copy of write context in DTLS retransmission buffers instead
-of replacing it after sending CCS. CVE-2013-6450.
-
-diff --git a/ssl/d1_both.c b/ssl/d1_both.c
-index 65ec001..7a5596a 100644
---- a/ssl/d1_both.c
-+++ b/ssl/d1_both.c
-@@ -214,6 +214,12 @@ dtls1_hm_fragment_new(unsigned long frag_len, int reassembly)
- static void
- dtls1_hm_fragment_free(hm_fragment *frag)
- {
-+
-+ if (frag->msg_header.is_ccs)
-+ {
-+ EVP_CIPHER_CTX_free(frag->msg_header.saved_retransmit_state.enc_write_ctx);
-+ EVP_MD_CTX_destroy(frag->msg_header.saved_retransmit_state.write_hash);
-+ }
- if (frag->fragment) OPENSSL_free(frag->fragment);
- if (frag->reassembly) OPENSSL_free(frag->reassembly);
- OPENSSL_free(frag);
-diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
-index 96ce9a7..e485907 100644
---- a/ssl/ssl_locl.h
-+++ b/ssl/ssl_locl.h
-@@ -621,6 +621,8 @@ extern SSL3_ENC_METHOD TLSv1_enc_data;
- extern SSL3_ENC_METHOD SSLv3_enc_data;
- extern SSL3_ENC_METHOD DTLSv1_enc_data;
-
-+#define SSL_IS_DTLS(s) (s->method->version == DTLS1_VERSION)
-+
- #define IMPLEMENT_tls_meth_func(version, func_name, s_accept, s_connect, \
- s_get_meth) \
- const SSL_METHOD *func_name(void) \
-diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
-index 72015f5..56db834 100644
---- a/ssl/t1_enc.c
-+++ b/ssl/t1_enc.c
-@@ -414,15 +414,20 @@ int tls1_change_cipher_state(SSL *s, int which)
- s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM;
- else
- s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM;
-- if (s->enc_write_ctx != NULL)
-+ if (s->enc_write_ctx != NULL && !SSL_IS_DTLS(s))
- reuse_dd = 1;
-- else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
-+ else if ((s->enc_write_ctx=EVP_CIPHER_CTX_new()) == NULL)
- goto err;
-- else
-- /* make sure it's intialized in case we exit later with an error */
-- EVP_CIPHER_CTX_init(s->enc_write_ctx);
- dd= s->enc_write_ctx;
-- mac_ctx = ssl_replace_hash(&s->write_hash,NULL);
-+ if (SSL_IS_DTLS(s))
-+ {
-+ mac_ctx = EVP_MD_CTX_create();
-+ if (!mac_ctx)
-+ goto err;
-+ s->write_hash = mac_ctx;
-+ }
-+ else
-+ mac_ctx = ssl_replace_hash(&s->write_hash,NULL);
- #ifndef OPENSSL_NO_COMP
- if (s->compress != NULL)
- {
-diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
-index 6fc469f..d14e8e4 100644
---- a/crypto/evp/digest.c
-+++ b/crypto/evp/digest.c
-@@ -366,8 +366,11 @@ int EVP_Digest(const void *data, size_t count,
-
- void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx)
- {
-- EVP_MD_CTX_cleanup(ctx);
-- OPENSSL_free(ctx);
-+ if (ctx)
-+ {
-+ EVP_MD_CTX_cleanup(ctx);
-+ OPENSSL_free(ctx);
-+ }
- }
-
- /* This call frees resources associated with the context */
diff --git a/SOURCES/openssl-1.0.1e-cve-2014-0160.patch b/SOURCES/openssl-1.0.1e-cve-2014-0160.patch
deleted file mode 100644
index 6d5c5ce..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2014-0160.patch
+++ /dev/null
@@ -1,89 +0,0 @@
-diff -up openssl-1.0.1e/ssl/d1_both.c.heartbeat openssl-1.0.1e/ssl/d1_both.c
---- openssl-1.0.1e/ssl/d1_both.c.heartbeat 2014-04-07 12:52:01.884308971 +0200
-+++ openssl-1.0.1e/ssl/d1_both.c 2014-04-07 13:04:32.860128295 +0200
-@@ -1458,26 +1458,36 @@ dtls1_process_heartbeat(SSL *s)
- unsigned int payload;
- unsigned int padding = 16; /* Use minimum padding */
-
-- /* Read type and payload length first */
-- hbtype = *p++;
-- n2s(p, payload);
-- pl = p;
--
- if (s->msg_callback)
- s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
- &s->s3->rrec.data[0], s->s3->rrec.length,
- s, s->msg_callback_arg);
-
-+ /* Read type and payload length first */
-+ if (1 + 2 + 16 > s->s3->rrec.length)
-+ return 0; /* silently discard */
-+ hbtype = *p++;
-+ n2s(p, payload);
-+ if (1 + 2 + payload + 16 > s->s3->rrec.length)
-+ return 0; /* silently discard per RFC 6520 sec. 4 */
-+ pl = p;
-+
- if (hbtype == TLS1_HB_REQUEST)
- {
- unsigned char *buffer, *bp;
-+ unsigned int write_length = 1 /* heartbeat type */ +
-+ 2 /* heartbeat length */ +
-+ payload + padding;
- int r;
-
-+ if (write_length > SSL3_RT_MAX_PLAIN_LENGTH)
-+ return 0;
-+
- /* Allocate memory for the response, size is 1 byte
- * message type, plus 2 bytes payload length, plus
- * payload, plus padding
- */
-- buffer = OPENSSL_malloc(1 + 2 + payload + padding);
-+ buffer = OPENSSL_malloc(write_length);
- bp = buffer;
-
- /* Enter response type, length and copy payload */
-@@ -1488,11 +1498,11 @@ dtls1_process_heartbeat(SSL *s)
- /* Random padding */
- RAND_pseudo_bytes(bp, padding);
-
-- r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
-+ r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, write_length);
-
- if (r >= 0 && s->msg_callback)
- s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
-- buffer, 3 + payload + padding,
-+ buffer, write_length,
- s, s->msg_callback_arg);
-
- OPENSSL_free(buffer);
-diff -up openssl-1.0.1e/ssl/t1_lib.c.heartbeat openssl-1.0.1e/ssl/t1_lib.c
---- openssl-1.0.1e/ssl/t1_lib.c.heartbeat 2014-04-07 12:52:01.891308997 +0200
-+++ openssl-1.0.1e/ssl/t1_lib.c 2014-04-07 12:57:45.063603587 +0200
-@@ -2463,16 +2463,20 @@ tls1_process_heartbeat(SSL *s)
- unsigned int payload;
- unsigned int padding = 16; /* Use minimum padding */
-
-- /* Read type and payload length first */
-- hbtype = *p++;
-- n2s(p, payload);
-- pl = p;
--
- if (s->msg_callback)
- s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
- &s->s3->rrec.data[0], s->s3->rrec.length,
- s, s->msg_callback_arg);
-
-+ /* Read type and payload length first */
-+ if (1 + 2 + 16 > s->s3->rrec.length)
-+ return 0; /* silently discard */
-+ hbtype = *p++;
-+ n2s(p, payload);
-+ if (1 + 2 + payload + 16 > s->s3->rrec.length)
-+ return 0; /* silently discard per RFC 6520 sec. 4 */
-+ pl = p;
-+
- if (hbtype == TLS1_HB_REQUEST)
- {
- unsigned char *buffer, *bp;
diff --git a/SOURCES/openssl-1.0.1e-cve-2014-0195.patch b/SOURCES/openssl-1.0.1e-cve-2014-0195.patch
deleted file mode 100644
index 434eee2..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2014-0195.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-commit 208d54db20d58c9a5e45e856a0650caadd7d9612
-Author: Dr. Stephen Henson <steve@openssl.org>
-Date: Tue May 13 18:48:31 2014 +0100
-
- Fix for CVE-2014-0195
-
- A buffer overrun attack can be triggered by sending invalid DTLS fragments
- to an OpenSSL DTLS client or server. This is potentially exploitable to
- run arbitrary code on a vulnerable client or server.
-
- Fixed by adding consistency check for DTLS fragments.
-
- Thanks to Jüri Aedla for reporting this issue.
-
-diff --git a/ssl/d1_both.c b/ssl/d1_both.c
-index 2e8cf68..07f67f8 100644
---- a/ssl/d1_both.c
-+++ b/ssl/d1_both.c
-@@ -627,7 +627,16 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
- frag->msg_header.frag_off = 0;
- }
- else
-+ {
- frag = (hm_fragment*) item->data;
-+ if (frag->msg_header.msg_len != msg_hdr->msg_len)
-+ {
-+ item = NULL;
-+ frag = NULL;
-+ goto err;
-+ }
-+ }
-+
-
- /* If message is already reassembled, this must be a
- * retransmit and can be dropped.
-
diff --git a/SOURCES/openssl-1.0.1e-cve-2014-0198.patch b/SOURCES/openssl-1.0.1e-cve-2014-0198.patch
deleted file mode 100644
index 2c94bca..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2014-0198.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From: Matt Caswell <matt@openssl.org>
-Date: Sun, 11 May 2014 23:38:37 +0000 (+0100)
-Subject: Fixed NULL pointer dereference. See PR#3321
-X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=b107586
-
-Fixed NULL pointer dereference. See PR#3321
----
-
-diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
-index 40eb0dd..d961d12 100644
---- a/ssl/s3_pkt.c
-+++ b/ssl/s3_pkt.c
-@@ -657,9 +657,6 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
- SSL3_BUFFER *wb=&(s->s3->wbuf);
- SSL_SESSION *sess;
-
-- if (wb->buf == NULL)
-- if (!ssl3_setup_write_buffer(s))
-- return -1;
-
- /* first check if there is a SSL3_BUFFER still being written
- * out. This will happen with non blocking IO */
-@@ -675,6 +672,10 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
- /* if it went, fall through and send more stuff */
- }
-
-+ if (wb->buf == NULL)
-+ if (!ssl3_setup_write_buffer(s))
-+ return -1;
-+
- if (len == 0 && !create_empty_fragment)
- return 0;
-
diff --git a/SOURCES/openssl-1.0.1e-cve-2014-0221.patch b/SOURCES/openssl-1.0.1e-cve-2014-0221.patch
deleted file mode 100644
index deb3a8b..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2014-0221.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-commit d30e582446b027868cdabd0994681643682045a4
-Author: Dr. Stephen Henson <steve@openssl.org>
-Date: Fri May 16 13:00:45 2014 +0100
-
- Fix CVE-2014-0221
-
- Unnecessary recursion when receiving a DTLS hello request can be used to
- crash a DTLS client. Fixed by handling DTLS hello request without recursion.
-
- Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
-
-diff --git a/ssl/d1_both.c b/ssl/d1_both.c
-index 07f67f8..4c2fd03 100644
---- a/ssl/d1_both.c
-+++ b/ssl/d1_both.c
-@@ -793,6 +793,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
- int i,al;
- struct hm_header_st msg_hdr;
-
-+ redo:
- /* see if we have the required fragment already */
- if ((frag_len = dtls1_retrieve_buffered_fragment(s,max,ok)) || *ok)
- {
-@@ -851,8 +852,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
- s->msg_callback_arg);
-
- s->init_num = 0;
-- return dtls1_get_message_fragment(s, st1, stn,
-- max, ok);
-+ goto redo;
- }
- else /* Incorrectly formated Hello request */
- {
-
diff --git a/SOURCES/openssl-1.0.1e-cve-2014-0224.patch b/SOURCES/openssl-1.0.1e-cve-2014-0224.patch
deleted file mode 100644
index 05e7e79..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2014-0224.patch
+++ /dev/null
@@ -1,104 +0,0 @@
-diff -up openssl-1.0.1e/ssl/ssl3.h.keying-mitm openssl-1.0.1e/ssl/ssl3.h
---- openssl-1.0.1e/ssl/ssl3.h.keying-mitm 2014-06-02 19:48:04.518100562 +0200
-+++ openssl-1.0.1e/ssl/ssl3.h 2014-06-02 19:48:04.642103429 +0200
-@@ -388,6 +388,7 @@ typedef struct ssl3_buffer_st
- #define TLS1_FLAGS_TLS_PADDING_BUG 0x0008
- #define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010
- #define TLS1_FLAGS_KEEP_HANDSHAKE 0x0020
-+#define SSL3_FLAGS_CCS_OK 0x0080
-
- /* SSL3_FLAGS_SGC_RESTART_DONE is set when we
- * restart a handshake because of MS SGC and so prevents us
-diff -up openssl-1.0.1e/ssl/s3_clnt.c.keying-mitm openssl-1.0.1e/ssl/s3_clnt.c
---- openssl-1.0.1e/ssl/s3_clnt.c.keying-mitm 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/ssl/s3_clnt.c 2014-06-02 19:49:57.042701985 +0200
-@@ -510,6 +510,7 @@ int ssl3_connect(SSL *s)
- s->method->ssl3_enc->client_finished_label,
- s->method->ssl3_enc->client_finished_label_len);
- if (ret <= 0) goto end;
-+ s->s3->flags |= SSL3_FLAGS_CCS_OK;
- s->state=SSL3_ST_CW_FLUSH;
-
- /* clear flags */
-@@ -559,6 +560,7 @@ int ssl3_connect(SSL *s)
- case SSL3_ST_CR_FINISHED_A:
- case SSL3_ST_CR_FINISHED_B:
-
-+ s->s3->flags |= SSL3_FLAGS_CCS_OK;
- ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A,
- SSL3_ST_CR_FINISHED_B);
- if (ret <= 0) goto end;
-@@ -901,6 +903,7 @@ int ssl3_get_server_hello(SSL *s)
- {
- s->session->cipher = pref_cipher ?
- pref_cipher : ssl_get_cipher_by_char(s, p+j);
-+ s->s3->flags |= SSL3_FLAGS_CCS_OK;
- }
- }
- #endif /* OPENSSL_NO_TLSEXT */
-@@ -916,6 +918,7 @@ int ssl3_get_server_hello(SSL *s)
- SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
- goto f_err;
- }
-+ s->s3->flags |= SSL3_FLAGS_CCS_OK;
- s->hit=1;
- }
- else /* a miss or crap from the other end */
-diff -up openssl-1.0.1e/ssl/s3_pkt.c.keying-mitm openssl-1.0.1e/ssl/s3_pkt.c
---- openssl-1.0.1e/ssl/s3_pkt.c.keying-mitm 2014-06-02 19:48:04.640103383 +0200
-+++ openssl-1.0.1e/ssl/s3_pkt.c 2014-06-02 19:48:04.643103452 +0200
-@@ -1298,6 +1298,15 @@ start:
- goto f_err;
- }
-
-+ if (!(s->s3->flags & SSL3_FLAGS_CCS_OK))
-+ {
-+ al=SSL_AD_UNEXPECTED_MESSAGE;
-+ SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_CCS_RECEIVED_EARLY);
-+ goto f_err;
-+ }
-+
-+ s->s3->flags &= ~SSL3_FLAGS_CCS_OK;
-+
- rr->length=0;
-
- if (s->msg_callback)
-@@ -1432,7 +1441,7 @@ int ssl3_do_change_cipher_spec(SSL *s)
-
- if (s->s3->tmp.key_block == NULL)
- {
-- if (s->session == NULL)
-+ if (s->session == NULL || s->session->master_key_length == 0)
- {
- /* might happen if dtls1_read_bytes() calls this */
- SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_CCS_RECEIVED_EARLY);
-diff -up openssl-1.0.1e/ssl/s3_srvr.c.keying-mitm openssl-1.0.1e/ssl/s3_srvr.c
---- openssl-1.0.1e/ssl/s3_srvr.c.keying-mitm 2014-06-02 19:48:04.630103151 +0200
-+++ openssl-1.0.1e/ssl/s3_srvr.c 2014-06-02 19:48:04.643103452 +0200
-@@ -673,6 +673,7 @@ int ssl3_accept(SSL *s)
- case SSL3_ST_SR_CERT_VRFY_A:
- case SSL3_ST_SR_CERT_VRFY_B:
-
-+ s->s3->flags |= SSL3_FLAGS_CCS_OK;
- /* we should decide if we expected this one */
- ret=ssl3_get_cert_verify(s);
- if (ret <= 0) goto end;
-@@ -700,6 +701,7 @@ int ssl3_accept(SSL *s)
-
- case SSL3_ST_SR_FINISHED_A:
- case SSL3_ST_SR_FINISHED_B:
-+ s->s3->flags |= SSL3_FLAGS_CCS_OK;
- ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
- SSL3_ST_SR_FINISHED_B);
- if (ret <= 0) goto end;
-@@ -770,7 +772,10 @@ int ssl3_accept(SSL *s)
- s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
- #else
- if (s->s3->next_proto_neg_seen)
-+ {
-+ s->s3->flags |= SSL3_FLAGS_CCS_OK;
- s->s3->tmp.next_state=SSL3_ST_SR_NEXT_PROTO_A;
-+ }
- else
- s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
- #endif
diff --git a/SOURCES/openssl-1.0.1e-cve-2014-3470.patch b/SOURCES/openssl-1.0.1e-cve-2014-3470.patch
deleted file mode 100644
index 32f4487..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2014-3470.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-commit 4ad43d511f6cf064c66eb4bfd0fb0919b5dd8a86
-Author: Dr. Stephen Henson <steve@openssl.org>
-Date: Thu May 29 15:00:05 2014 +0100
-
- Fix CVE-2014-3470
-
- Check session_cert is not NULL before dereferencing it.
-
-diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
-index d35376d..4324f8d 100644
---- a/ssl/s3_clnt.c
-+++ b/ssl/s3_clnt.c
-@@ -2511,6 +2511,13 @@ int ssl3_send_client_key_exchange(SSL *s)
- int ecdh_clnt_cert = 0;
- int field_size = 0;
-
-+ if (s->session->sess_cert == NULL)
-+ {
-+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
-+ SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
-+ goto err;
-+ }
-+
- /* Did we send out the client's
- * ECDH share for use in premaster
- * computation as part of client certificate?
diff --git a/SOURCES/openssl-1.0.1e-cve-2014-3505.patch b/SOURCES/openssl-1.0.1e-cve-2014-3505.patch
deleted file mode 100644
index 8716fae..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2014-3505.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 2172d4f63c61922487008f42511cc6bdae9b47a0 Mon Sep 17 00:00:00 2001
-From: Adam Langley <agl@imperialviolet.org>
-Date: Fri, 6 Jun 2014 14:19:21 -0700
-Subject: [PATCH] Avoid double free when processing DTLS packets.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The |item| variable, in both of these cases, may contain a pointer to a
-|pitem| structure within |s->d1->buffered_messages|. It was being freed
-in the error case while still being in |buffered_messages|. When the
-error later caused the |SSL*| to be destroyed, the item would be double
-freed.
-
-Thanks to Wah-Teh Chang for spotting that the fix in 1632ef74 was
-inconsistent with the other error paths (but correct).
-
-Fixes CVE-2014-3505
-
-Reviewed-by: Matt Caswell <matt@openssl.org>
-Reviewed-by: Emilia Käsper <emilia@openssl.org>
----
- ssl/d1_both.c | 6 ++----
- 1 file changed, 2 insertions(+), 4 deletions(-)
-
-diff --git a/ssl/d1_both.c b/ssl/d1_both.c
-index c1eb970..cdb83b6 100644
---- a/ssl/d1_both.c
-+++ b/ssl/d1_both.c
-@@ -693,8 +693,7 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
- return DTLS1_HM_FRAGMENT_RETRY;
-
- err:
-- if (frag != NULL) dtls1_hm_fragment_free(frag);
-- if (item != NULL) OPENSSL_free(item);
-+ if (frag != NULL && item == NULL) dtls1_hm_fragment_free(frag);
- *ok = 0;
- return i;
- }
-@@ -778,8 +777,7 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)
- return DTLS1_HM_FRAGMENT_RETRY;
-
- err:
-- if ( frag != NULL) dtls1_hm_fragment_free(frag);
-- if ( item != NULL) OPENSSL_free(item);
-+ if (frag != NULL && item == NULL) dtls1_hm_fragment_free(frag);
- *ok = 0;
- return i;
- }
---
-1.8.3.1
-
diff --git a/SOURCES/openssl-1.0.1e-cve-2014-3506.patch b/SOURCES/openssl-1.0.1e-cve-2014-3506.patch
deleted file mode 100644
index 05e364f..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2014-3506.patch
+++ /dev/null
@@ -1,87 +0,0 @@
-From fc7804ec392fcf8051abe6bc9da9108744d2ae35 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 6 Jun 2014 14:25:52 -0700
-Subject: [PATCH] Fix DTLS handshake message size checks.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-In |dtls1_reassemble_fragment|, the value of
-|msg_hdr->frag_off+frag_len| was being checked against the maximum
-handshake message size, but then |msg_len| bytes were allocated for the
-fragment buffer. This means that so long as the fragment was within the
-allowed size, the pending handshake message could consume 16MB + 2MB
-(for the reassembly bitmap). Approx 10 outstanding handshake messages
-are allowed, meaning that an attacker could consume ~180MB per DTLS
-connection.
-
-In the non-fragmented path (in |dtls1_process_out_of_seq_message|), no
-check was applied.
-
-Fixes CVE-2014-3506
-
-Wholly based on patch by Adam Langley with one minor amendment.
-
-Reviewed-by: Emilia Käsper <emilia@openssl.org>
----
- ssl/d1_both.c | 29 ++++++++++++++++-------------
- 1 file changed, 16 insertions(+), 13 deletions(-)
-
-diff --git a/ssl/d1_both.c b/ssl/d1_both.c
-index 6559dfc..b9e15df 100644
---- a/ssl/d1_both.c
-+++ b/ssl/d1_both.c
-@@ -587,6 +587,16 @@ dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok)
- return 0;
- }
-
-+/* dtls1_max_handshake_message_len returns the maximum number of bytes
-+ * permitted in a DTLS handshake message for |s|. The minimum is 16KB, but may
-+ * be greater if the maximum certificate list size requires it. */
-+static unsigned long dtls1_max_handshake_message_len(const SSL *s)
-+ {
-+ unsigned long max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH;
-+ if (max_len < (unsigned long)s->max_cert_list)
-+ return s->max_cert_list;
-+ return max_len;
-+ }
-
- static int
- dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
-@@ -595,20 +605,10 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
- pitem *item = NULL;
- int i = -1, is_complete;
- unsigned char seq64be[8];
-- unsigned long frag_len = msg_hdr->frag_len, max_len;
--
-- if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len)
-- goto err;
--
-- /* Determine maximum allowed message size. Depends on (user set)
-- * maximum certificate length, but 16k is minimum.
-- */
-- if (DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH < s->max_cert_list)
-- max_len = s->max_cert_list;
-- else
-- max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH;
-+ unsigned long frag_len = msg_hdr->frag_len;
-
-- if ((msg_hdr->frag_off+frag_len) > max_len)
-+ if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len ||
-+ msg_hdr->msg_len > dtls1_max_handshake_message_len(s))
- goto err;
-
- /* Try to find item in queue */
-@@ -749,6 +749,9 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)
- if (frag_len && frag_len < msg_hdr->msg_len)
- return dtls1_reassemble_fragment(s, msg_hdr, ok);
-
-+ if (frag_len > dtls1_max_handshake_message_len(s))
-+ goto err;
-+
- frag = dtls1_hm_fragment_new(frag_len, 0);
- if ( frag == NULL)
- goto err;
---
-1.8.3.1
-
diff --git a/SOURCES/openssl-1.0.1e-cve-2014-3507.patch b/SOURCES/openssl-1.0.1e-cve-2014-3507.patch
deleted file mode 100644
index 0507315..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2014-3507.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-diff -up openssl-1.0.1e/ssl/d1_both.c.dtls-memleak openssl-1.0.1e/ssl/d1_both.c
---- openssl-1.0.1e/ssl/d1_both.c.dtls-memleak 2014-08-07 17:51:18.457493922 +0200
-+++ openssl-1.0.1e/ssl/d1_both.c 2014-08-07 17:58:28.478558785 +0200
-@@ -610,6 +610,9 @@ dtls1_reassemble_fragment(SSL *s, struct
- msg_hdr->msg_len > dtls1_max_handshake_message_len(s))
- goto err;
-
-+ if (frag_len == 0)
-+ return DTLS1_HM_FRAGMENT_RETRY;
-+
- /* Try to find item in queue */
- memset(seq64be,0,sizeof(seq64be));
- seq64be[6] = (unsigned char) (msg_hdr->seq>>8);
-@@ -686,7 +689,12 @@ dtls1_reassemble_fragment(SSL *s, struct
- i = -1;
- }
-
-- pqueue_insert(s->d1->buffered_messages, item);
-+ item = pqueue_insert(s->d1->buffered_messages, item);
-+ /* pqueue_insert fails iff a duplicate item is inserted.
-+ * However, |item| cannot be a duplicate. If it were,
-+ * |pqueue_find|, above, would have returned it and control
-+ * would never have reached this branch. */
-+ OPENSSL_assert(item != NULL);
- }
-
- return DTLS1_HM_FRAGMENT_RETRY;
-@@ -744,7 +752,7 @@ dtls1_process_out_of_seq_message(SSL *s,
- }
- else
- {
-- if (frag_len && frag_len < msg_hdr->msg_len)
-+ if (frag_len < msg_hdr->msg_len)
- return dtls1_reassemble_fragment(s, msg_hdr, ok);
-
- if (frag_len > dtls1_max_handshake_message_len(s))
-@@ -773,7 +781,15 @@ dtls1_process_out_of_seq_message(SSL *s,
- if ( item == NULL)
- goto err;
-
-- pqueue_insert(s->d1->buffered_messages, item);
-+ item = pqueue_insert(s->d1->buffered_messages, item);
-+ /* pqueue_insert fails iff a duplicate item is inserted.
-+ * However, |item| cannot be a duplicate. If it were,
-+ * |pqueue_find|, above, would have returned it. Then, either
-+ * |frag_len| != |msg_hdr->msg_len| in which case |item| is set
-+ * to NULL and it will have been processed with
-+ * |dtls1_reassemble_fragment|, above, or the record will have
-+ * been discarded. */
-+ OPENSSL_assert(item != NULL);
- }
-
- return DTLS1_HM_FRAGMENT_RETRY;
diff --git a/SOURCES/openssl-1.0.1e-cve-2014-3508.patch b/SOURCES/openssl-1.0.1e-cve-2014-3508.patch
deleted file mode 100644
index 31dd08d..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2014-3508.patch
+++ /dev/null
@@ -1,138 +0,0 @@
-From 03b04ddac162c7b7fa3c57eadccc5a583a00d291 Mon Sep 17 00:00:00 2001
-From: Emilia Kasper <emilia@openssl.org>
-Date: Wed, 2 Jul 2014 19:02:33 +0200
-Subject: [PATCH] Fix OID handling:
-
-- Upon parsing, reject OIDs with invalid base-128 encoding.
-- Always NUL-terminate the destination buffer in OBJ_obj2txt printing function.
-
-CVE-2014-3508
-
-Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
-Reviewed-by: Kurt Roeckx <kurt@openssl.org>
-Reviewed-by: Tim Hudson <tjh@openssl.org>
----
- crypto/asn1/a_object.c | 30 +++++++++++++++++++++---------
- crypto/objects/obj_dat.c | 16 +++++++++-------
- 2 files changed, 30 insertions(+), 16 deletions(-)
-
-diff --git a/crypto/asn1/a_object.c b/crypto/asn1/a_object.c
-index 3978c91..77b2768 100644
---- a/crypto/asn1/a_object.c
-+++ b/crypto/asn1/a_object.c
-@@ -283,17 +283,29 @@ err:
- ASN1err(ASN1_F_D2I_ASN1_OBJECT,i);
- return(NULL);
- }
-+
- ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp,
- long len)
- {
- ASN1_OBJECT *ret=NULL;
- const unsigned char *p;
- unsigned char *data;
-- int i;
-- /* Sanity check OID encoding: can't have leading 0x80 in
-- * subidentifiers, see: X.690 8.19.2
-+ int i, length;
-+
-+ /* Sanity check OID encoding.
-+ * Need at least one content octet.
-+ * MSB must be clear in the last octet.
-+ * can't have leading 0x80 in subidentifiers, see: X.690 8.19.2
- */
-- for (i = 0, p = *pp; i < len; i++, p++)
-+ if (len <= 0 || len > INT_MAX || pp == NULL || (p = *pp) == NULL ||
-+ p[len - 1] & 0x80)
-+ {
-+ ASN1err(ASN1_F_C2I_ASN1_OBJECT,ASN1_R_INVALID_OBJECT_ENCODING);
-+ return NULL;
-+ }
-+ /* Now 0 < len <= INT_MAX, so the cast is safe. */
-+ length = (int)len;
-+ for (i = 0; i < length; i++, p++)
- {
- if (*p == 0x80 && (!i || !(p[-1] & 0x80)))
- {
-@@ -316,23 +328,23 @@ ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp,
- data = (unsigned char *)ret->data;
- ret->data = NULL;
- /* once detached we can change it */
-- if ((data == NULL) || (ret->length < len))
-+ if ((data == NULL) || (ret->length < length))
- {
- ret->length=0;
- if (data != NULL) OPENSSL_free(data);
-- data=(unsigned char *)OPENSSL_malloc(len ? (int)len : 1);
-+ data=(unsigned char *)OPENSSL_malloc(length);
- if (data == NULL)
- { i=ERR_R_MALLOC_FAILURE; goto err; }
- ret->flags|=ASN1_OBJECT_FLAG_DYNAMIC_DATA;
- }
-- memcpy(data,p,(int)len);
-+ memcpy(data,p,length);
- /* reattach data to object, after which it remains const */
- ret->data =data;
-- ret->length=(int)len;
-+ ret->length=length;
- ret->sn=NULL;
- ret->ln=NULL;
- /* ret->flags=ASN1_OBJECT_FLAG_DYNAMIC; we know it is dynamic */
-- p+=len;
-+ p+=length;
-
- if (a != NULL) (*a)=ret;
- *pp=p;
-diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c
-index 8a342ba..0b2f442 100644
---- a/crypto/objects/obj_dat.c
-+++ b/crypto/objects/obj_dat.c
-@@ -471,11 +471,12 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
- const unsigned char *p;
- char tbuf[DECIMAL_SIZE(i)+DECIMAL_SIZE(l)+2];
-
-- if ((a == NULL) || (a->data == NULL)) {
-- buf[0]='\0';
-- return(0);
-- }
-+ /* Ensure that, at every state, |buf| is NUL-terminated. */
-+ if (buf && buf_len > 0)
-+ buf[0] = '\0';
-
-+ if ((a == NULL) || (a->data == NULL))
-+ return(0);
-
- if (!no_name && (nid=OBJ_obj2nid(a)) != NID_undef)
- {
-@@ -554,9 +555,10 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
- i=(int)(l/40);
- l-=(long)(i*40);
- }
-- if (buf && (buf_len > 0))
-+ if (buf && (buf_len > 1))
- {
- *buf++ = i + '0';
-+ *buf = '\0';
- buf_len--;
- }
- n++;
-@@ -571,9 +573,10 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
- i = strlen(bndec);
- if (buf)
- {
-- if (buf_len > 0)
-+ if (buf_len > 1)
- {
- *buf++ = '.';
-+ *buf = '\0';
- buf_len--;
- }
- BUF_strlcpy(buf,bndec,buf_len);
-@@ -807,4 +810,3 @@ err:
- OPENSSL_free(buf);
- return(ok);
- }
--
---
-1.8.3.1
-
diff --git a/SOURCES/openssl-1.0.1e-cve-2014-3509.patch b/SOURCES/openssl-1.0.1e-cve-2014-3509.patch
deleted file mode 100644
index cee4aad..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2014-3509.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 86788e1ee6908a5b3a4c95fa80caa4b724a8a434 Mon Sep 17 00:00:00 2001
-From: Gabor Tyukasz <Gabor.Tyukasz@logmein.com>
-Date: Wed, 23 Jul 2014 23:42:06 +0200
-Subject: [PATCH] Fix race condition in ssl_parse_serverhello_tlsext
-
-CVE-2014-3509
-Reviewed-by: Tim Hudson <tjh@openssl.org>
-Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
----
- ssl/t1_lib.c | 17 ++++++++++-------
- 1 file changed, 10 insertions(+), 7 deletions(-)
-
-diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
-index 8167a51..022a4fb 100644
---- a/ssl/t1_lib.c
-+++ b/ssl/t1_lib.c
-@@ -1555,15 +1555,18 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
- *al = TLS1_AD_DECODE_ERROR;
- return 0;
- }
-- s->session->tlsext_ecpointformatlist_length = 0;
-- if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
-- if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
-+ if (!s->hit)
- {
-- *al = TLS1_AD_INTERNAL_ERROR;
-- return 0;
-+ s->session->tlsext_ecpointformatlist_length = 0;
-+ if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
-+ if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
-+ {
-+ *al = TLS1_AD_INTERNAL_ERROR;
-+ return 0;
-+ }
-+ s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
-+ memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
- }
-- s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
-- memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
- #if 0
- fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
- sdata = s->session->tlsext_ecpointformatlist;
---
-1.8.3.1
-
diff --git a/SOURCES/openssl-1.0.1e-cve-2014-3510.patch b/SOURCES/openssl-1.0.1e-cve-2014-3510.patch
deleted file mode 100644
index 4196536..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2014-3510.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From 88ae012c8092852f03c50f6461175271104b4c8a Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Emilia=20K=C3=A4sper?= <emilia@openssl.org>
-Date: Thu, 24 Jul 2014 22:15:29 +0200
-Subject: [PATCH] Fix DTLS anonymous EC(DH) denial of service
-
-CVE-2014-3510
-
-Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
----
- ssl/d1_clnt.c | 23 +++++++++++++++++++++--
- ssl/s3_clnt.c | 7 +++++++
- 2 files changed, 28 insertions(+), 2 deletions(-)
-
-diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c
-index 65dbb4a..fd6562c 100644
---- a/ssl/d1_clnt.c
-+++ b/ssl/d1_clnt.c
-@@ -996,6 +996,13 @@ int dtls1_send_client_key_exchange(SSL *s)
- RSA *rsa;
- unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
-
-+ if (s->session->sess_cert == NULL)
-+ {
-+ /* We should always have a server certificate with SSL_kRSA. */
-+ SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
-+ goto err;
-+ }
-+
- if (s->session->sess_cert->peer_rsa_tmp != NULL)
- rsa=s->session->sess_cert->peer_rsa_tmp;
- else
-@@ -1186,6 +1193,13 @@ int dtls1_send_client_key_exchange(SSL *s)
- {
- DH *dh_srvr,*dh_clnt;
-
-+ if (s->session->sess_cert == NULL)
-+ {
-+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
-+ SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
-+ goto err;
-+ }
-+
- if (s->session->sess_cert->peer_dh_tmp != NULL)
- dh_srvr=s->session->sess_cert->peer_dh_tmp;
- else
-@@ -1245,6 +1259,13 @@ int dtls1_send_client_key_exchange(SSL *s)
- int ecdh_clnt_cert = 0;
- int field_size = 0;
-
-+ if (s->session->sess_cert == NULL)
-+ {
-+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
-+ SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
-+ goto err;
-+ }
-+
- /* Did we send out the client's
- * ECDH share for use in premaster
- * computation as part of client certificate?
-@@ -1720,5 +1741,3 @@ int dtls1_send_client_certificate(SSL *s)
- /* SSL3_ST_CW_CERT_D */
- return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
- }
--
--
-diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
-index 2afb892..df05f78 100644
---- a/ssl/s3_clnt.c
-+++ b/ssl/s3_clnt.c
-@@ -2253,6 +2253,13 @@ int ssl3_send_client_key_exchange(SSL *s)
- RSA *rsa;
- unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
-
-+ if (s->session->sess_cert == NULL)
-+ {
-+ /* We should always have a server certificate with SSL_kRSA. */
-+ SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
-+ goto err;
-+ }
-+
- if (s->session->sess_cert->peer_rsa_tmp != NULL)
- rsa=s->session->sess_cert->peer_rsa_tmp;
- else
---
-1.8.3.1
-
diff --git a/SOURCES/openssl-1.0.1e-cve-2014-3511.patch b/SOURCES/openssl-1.0.1e-cve-2014-3511.patch
deleted file mode 100644
index f9cb4ea..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2014-3511.patch
+++ /dev/null
@@ -1,85 +0,0 @@
-From fc4f4cdb8bf9981904e652abf69b892a45bddacf Mon Sep 17 00:00:00 2001
-From: David Benjamin <davidben@google.com>
-Date: Wed, 23 Jul 2014 22:32:21 +0200
-Subject: [PATCH] Fix protocol downgrade bug in case of fragmented packets
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-CVE-2014-3511
-
-Reviewed-by: Emilia Käsper <emilia@openssl.org>
-Reviewed-by: Bodo Möller <bodo@openssl.org>
----
- ssl/s23_srvr.c | 30 +++++++++++++++++++++++-------
- 1 file changed, 23 insertions(+), 7 deletions(-)
-
-diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
-index 4877849..2901a6b 100644
---- a/ssl/s23_srvr.c
-+++ b/ssl/s23_srvr.c
-@@ -348,23 +348,19 @@ int ssl23_get_client_hello(SSL *s)
- * Client Hello message, this would be difficult, and we'd have
- * to read more records to find out.
- * No known SSL 3.0 client fragments ClientHello like this,
-- * so we simply assume TLS 1.0 to avoid protocol version downgrade
-- * attacks. */
-+ * so we simply reject such connections to avoid
-+ * protocol version downgrade attacks. */
- if (p[3] == 0 && p[4] < 6)
- {
--#if 0
- SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_SMALL);
- goto err;
--#else
-- v[1] = TLS1_VERSION_MINOR;
--#endif
- }
- /* if major version number > 3 set minor to a value
- * which will use the highest version 3 we support.
- * If TLS 2.0 ever appears we will need to revise
- * this....
- */
-- else if (p[9] > SSL3_VERSION_MAJOR)
-+ if (p[9] > SSL3_VERSION_MAJOR)
- v[1]=0xff;
- else
- v[1]=p[10]; /* minor version according to client_version */
-@@ -444,14 +440,34 @@ int ssl23_get_client_hello(SSL *s)
- v[0] = p[3]; /* == SSL3_VERSION_MAJOR */
- v[1] = p[4];
-
-+ /* An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2
-+ * header is sent directly on the wire, not wrapped as a TLS
-+ * record. It's format is:
-+ * Byte Content
-+ * 0-1 msg_length
-+ * 2 msg_type
-+ * 3-4 version
-+ * 5-6 cipher_spec_length
-+ * 7-8 session_id_length
-+ * 9-10 challenge_length
-+ * ... ...
-+ */
- n=((p[0]&0x7f)<<8)|p[1];
- if (n > (1024*4))
- {
- SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_LARGE);
- goto err;
- }
-+ if (n < 9)
-+ {
-+ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_LENGTH_MISMATCH);
-+ goto err;
-+ }
-
- j=ssl23_read_bytes(s,n+2);
-+ /* We previously read 11 bytes, so if j > 0, we must have
-+ * j == n+2 == s->packet_length. We have at least 11 valid
-+ * packet bytes. */
- if (j <= 0) return(j);
-
- ssl3_finish_mac(s, s->packet+2, s->packet_length-2);
---
-1.8.3.1
-
diff --git a/SOURCES/openssl-1.0.1e-cve-2014-3513.patch b/SOURCES/openssl-1.0.1e-cve-2014-3513.patch
deleted file mode 100644
index 0d42eec..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2014-3513.patch
+++ /dev/null
@@ -1,186 +0,0 @@
-diff -up openssl-1.0.1e/ssl/d1_srtp.c.srtp-leak openssl-1.0.1e/ssl/d1_srtp.c
---- openssl-1.0.1e/ssl/d1_srtp.c.srtp-leak 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/ssl/d1_srtp.c 2014-10-15 13:23:34.253040160 +0200
-@@ -168,25 +168,6 @@ static int find_profile_by_name(char *pr
- return 1;
- }
-
--static int find_profile_by_num(unsigned profile_num,
-- SRTP_PROTECTION_PROFILE **pptr)
-- {
-- SRTP_PROTECTION_PROFILE *p;
--
-- p=srtp_known_profiles;
-- while(p->name)
-- {
-- if(p->id == profile_num)
-- {
-- *pptr=p;
-- return 0;
-- }
-- p++;
-- }
--
-- return 1;
-- }
--
- static int ssl_ctx_make_profiles(const char *profiles_string,STACK_OF(SRTP_PROTECTION_PROFILE) **out)
- {
- STACK_OF(SRTP_PROTECTION_PROFILE) *profiles;
-@@ -209,11 +190,19 @@ static int ssl_ctx_make_profiles(const c
- if(!find_profile_by_name(ptr,&p,
- col ? col-ptr : (int)strlen(ptr)))
- {
-+ if (sk_SRTP_PROTECTION_PROFILE_find(profiles,p) >= 0)
-+ {
-+ SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
-+ sk_SRTP_PROTECTION_PROFILE_free(profiles);
-+ return 1;
-+ }
-+
- sk_SRTP_PROTECTION_PROFILE_push(profiles,p);
- }
- else
- {
- SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE);
-+ sk_SRTP_PROTECTION_PROFILE_free(profiles);
- return 1;
- }
-
-@@ -305,13 +294,12 @@ int ssl_add_clienthello_use_srtp_ext(SSL
-
- int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al)
- {
-- SRTP_PROTECTION_PROFILE *cprof,*sprof;
-- STACK_OF(SRTP_PROTECTION_PROFILE) *clnt=0,*srvr;
-+ SRTP_PROTECTION_PROFILE *sprof;
-+ STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
- int ct;
- int mki_len;
-- int i,j;
-- int id;
-- int ret;
-+ int i, srtp_pref;
-+ unsigned int id;
-
- /* Length value + the MKI length */
- if(len < 3)
-@@ -341,22 +329,32 @@ int ssl_parse_clienthello_use_srtp_ext(S
- return 1;
- }
-
-+ srvr=SSL_get_srtp_profiles(s);
-+ s->srtp_profile = NULL;
-+ /* Search all profiles for a match initially */
-+ srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
-
-- clnt=sk_SRTP_PROTECTION_PROFILE_new_null();
--
- while(ct)
- {
- n2s(d,id);
- ct-=2;
- len-=2;
-
-- if(!find_profile_by_num(id,&cprof))
-+ /*
-+ * Only look for match in profiles of higher preference than
-+ * current match.
-+ * If no profiles have been have been configured then this
-+ * does nothing.
-+ */
-+ for (i = 0; i < srtp_pref; i++)
- {
-- sk_SRTP_PROTECTION_PROFILE_push(clnt,cprof);
-- }
-- else
-- {
-- ; /* Ignore */
-+ sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
-+ if (sprof->id == id)
-+ {
-+ s->srtp_profile = sprof;
-+ srtp_pref = i;
-+ break;
-+ }
- }
- }
-
-@@ -371,36 +369,7 @@ int ssl_parse_clienthello_use_srtp_ext(S
- return 1;
- }
-
-- srvr=SSL_get_srtp_profiles(s);
--
-- /* Pick our most preferred profile. If no profiles have been
-- configured then the outer loop doesn't run
-- (sk_SRTP_PROTECTION_PROFILE_num() = -1)
-- and so we just return without doing anything */
-- for(i=0;i<sk_SRTP_PROTECTION_PROFILE_num(srvr);i++)
-- {
-- sprof=sk_SRTP_PROTECTION_PROFILE_value(srvr,i);
--
-- for(j=0;j<sk_SRTP_PROTECTION_PROFILE_num(clnt);j++)
-- {
-- cprof=sk_SRTP_PROTECTION_PROFILE_value(clnt,j);
--
-- if(cprof->id==sprof->id)
-- {
-- s->srtp_profile=sprof;
-- *al=0;
-- ret=0;
-- goto done;
-- }
-- }
-- }
--
-- ret=0;
--
--done:
-- if(clnt) sk_SRTP_PROTECTION_PROFILE_free(clnt);
--
-- return ret;
-+ return 0;
- }
-
- int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen)
-diff -up openssl-1.0.1e/ssl/t1_lib.c.srtp-leak openssl-1.0.1e/ssl/t1_lib.c
---- openssl-1.0.1e/ssl/t1_lib.c.srtp-leak 2014-10-15 13:19:59.955202293 +0200
-+++ openssl-1.0.1e/ssl/t1_lib.c 2014-10-15 13:23:34.254040182 +0200
-@@ -696,7 +696,7 @@ unsigned char *ssl_add_clienthello_tlsex
- #endif
-
- #ifndef OPENSSL_NO_SRTP
-- if(SSL_get_srtp_profiles(s))
-+ if(SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s))
- {
- int el;
-
-@@ -829,7 +829,7 @@ unsigned char *ssl_add_serverhello_tlsex
- #endif
-
- #ifndef OPENSSL_NO_SRTP
-- if(s->srtp_profile)
-+ if(SSL_IS_DTLS(s) && s->srtp_profile)
- {
- int el;
-
-@@ -1377,7 +1377,8 @@ int ssl_parse_clienthello_tlsext(SSL *s,
-
- /* session ticket processed earlier */
- #ifndef OPENSSL_NO_SRTP
-- else if (type == TLSEXT_TYPE_use_srtp)
-+ else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
-+ && type == TLSEXT_TYPE_use_srtp)
- {
- if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
- al))
-@@ -1631,7 +1632,7 @@ int ssl_parse_serverhello_tlsext(SSL *s,
- }
- #endif
- #ifndef OPENSSL_NO_SRTP
-- else if (type == TLSEXT_TYPE_use_srtp)
-+ else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp)
- {
- if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
- al))
diff --git a/SOURCES/openssl-1.0.1e-cve-2014-3567.patch b/SOURCES/openssl-1.0.1e-cve-2014-3567.patch
deleted file mode 100644
index a01ee69..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2014-3567.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-diff -up openssl-1.0.1e/ssl/t1_lib.c.ticket-leak openssl-1.0.1e/ssl/t1_lib.c
---- openssl-1.0.1e/ssl/t1_lib.c.ticket-leak 2014-10-15 13:19:26.825454374 +0200
-+++ openssl-1.0.1e/ssl/t1_lib.c 2014-10-15 13:19:59.955202293 +0200
-@@ -2280,7 +2280,10 @@ static int tls_decrypt_ticket(SSL *s, co
- HMAC_Final(&hctx, tick_hmac, NULL);
- HMAC_CTX_cleanup(&hctx);
- if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen))
-+ {
-+ EVP_CIPHER_CTX_cleanup(&ctx);
- return 2;
-+ }
- /* Attempt to decrypt session data */
- /* Move p after IV to start of encrypted ticket, update length */
- p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
diff --git a/SOURCES/openssl-1.0.1e-cve-2014-3570.patch b/SOURCES/openssl-1.0.1e-cve-2014-3570.patch
deleted file mode 100644
index aff2f02..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2014-3570.patch
+++ /dev/null
@@ -1,3155 +0,0 @@
-From e078642ddea29bbb6ba29788a6a513796387fbbb Mon Sep 17 00:00:00 2001
-From: Andy Polyakov <appro@openssl.org>
-Date: Mon, 5 Jan 2015 14:52:56 +0100
-Subject: [PATCH] Fix for CVE-2014-3570.
-
-Reviewed-by: Emilia Kasper <emilia@openssl.org>
-(cherry picked from commit e793809ba50c1e90ab592fb640a856168e50f3de)
-(with 1.0.1-specific addendum)
----
- crypto/bn/asm/mips.pl | 611 +++---------
- crypto/bn/asm/mips3.s | 2201 --------------------------------------------
- crypto/bn/asm/x86_64-gcc.c | 34 +-
- crypto/bn/bn_asm.c | 16 +-
- crypto/bn/bntest.c | 102 +-
- 5 files changed, 234 insertions(+), 2730 deletions(-)
- delete mode 100644 crypto/bn/asm/mips3.s
-
-diff --git a/crypto/bn/asm/mips.pl b/crypto/bn/asm/mips.pl
-index d2f3ef7..215c9a7 100644
---- a/crypto/bn/asm/mips.pl
-+++ b/crypto/bn/asm/mips.pl
-@@ -1872,6 +1872,41 @@ ___
-
- ($a_4,$a_5,$a_6,$a_7)=($b_0,$b_1,$b_2,$b_3);
-
-+sub add_c2 () {
-+my ($hi,$lo,$c0,$c1,$c2,
-+ $warm, # !$warm denotes first call with specific sequence of
-+ # $c_[XYZ] when there is no Z-carry to accumulate yet;
-+ $an,$bn # these two are arguments for multiplication which
-+ # result is used in *next* step [which is why it's
-+ # commented as "forward multiplication" below];
-+ )=@_;
-+$code.=<<___;
-+ mflo $lo
-+ mfhi $hi
-+ $ADDU $c0,$lo
-+ sltu $at,$c0,$lo
-+ $MULTU $an,$bn # forward multiplication
-+ $ADDU $c0,$lo
-+ $ADDU $at,$hi
-+ sltu $lo,$c0,$lo
-+ $ADDU $c1,$at
-+ $ADDU $hi,$lo
-+___
-+$code.=<<___ if (!$warm);
-+ sltu $c2,$c1,$at
-+ $ADDU $c1,$hi
-+ sltu $hi,$c1,$hi
-+ $ADDU $c2,$hi
-+___
-+$code.=<<___ if ($warm);
-+ sltu $at,$c1,$at
-+ $ADDU $c1,$hi
-+ $ADDU $c2,$at
-+ sltu $hi,$c1,$hi
-+ $ADDU $c2,$hi
-+___
-+}
-+
- $code.=<<___;
-
- .align 5
-@@ -1920,21 +1955,10 @@ $code.=<<___;
- sltu $at,$c_2,$t_1
- $ADDU $c_3,$t_2,$at
- $ST $c_2,$BNSZ($a0)
--
-- mflo $t_1
-- mfhi $t_2
-- slt $c_2,$t_2,$zero
-- $SLL $t_2,1
-- $MULTU $a_1,$a_1 # mul_add_c(a[1],b[1],c3,c1,c2);
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_3,$t_1
-- sltu $at,$c_3,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_1,$t_2
-- sltu $at,$c_1,$t_2
-- $ADDU $c_2,$at
-+___
-+ &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,0,
-+ $a_1,$a_1); # mul_add_c(a[1],b[1],c3,c1,c2);
-+$code.=<<___;
- mflo $t_1
- mfhi $t_2
- $ADDU $c_3,$t_1
-@@ -1945,67 +1969,19 @@ $code.=<<___;
- sltu $at,$c_1,$t_2
- $ADDU $c_2,$at
- $ST $c_3,2*$BNSZ($a0)
--
-- mflo $t_1
-- mfhi $t_2
-- slt $c_3,$t_2,$zero
-- $SLL $t_2,1
-- $MULTU $a_1,$a_2 # mul_add_c2(a[1],b[2],c1,c2,c3);
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_1,$t_1
-- sltu $at,$c_1,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_2,$t_2
-- sltu $at,$c_2,$t_2
-- $ADDU $c_3,$at
-- mflo $t_1
-- mfhi $t_2
-- slt $at,$t_2,$zero
-- $ADDU $c_3,$at
-- $MULTU $a_4,$a_0 # mul_add_c2(a[4],b[0],c2,c3,c1);
-- $SLL $t_2,1
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_1,$t_1
-- sltu $at,$c_1,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_2,$t_2
-- sltu $at,$c_2,$t_2
-- $ADDU $c_3,$at
-+___
-+ &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,0,
-+ $a_1,$a_2); # mul_add_c2(a[1],b[2],c1,c2,c3);
-+ &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,1,
-+ $a_4,$a_0); # mul_add_c2(a[4],b[0],c2,c3,c1);
-+$code.=<<___;
- $ST $c_1,3*$BNSZ($a0)
--
-- mflo $t_1
-- mfhi $t_2
-- slt $c_1,$t_2,$zero
-- $SLL $t_2,1
-- $MULTU $a_3,$a_1 # mul_add_c2(a[3],b[1],c2,c3,c1);
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_2,$t_1
-- sltu $at,$c_2,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_3,$t_2
-- sltu $at,$c_3,$t_2
-- $ADDU $c_1,$at
-- mflo $t_1
-- mfhi $t_2
-- slt $at,$t_2,$zero
-- $ADDU $c_1,$at
-- $MULTU $a_2,$a_2 # mul_add_c(a[2],b[2],c2,c3,c1);
-- $SLL $t_2,1
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_2,$t_1
-- sltu $at,$c_2,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_3,$t_2
-- sltu $at,$c_3,$t_2
-- $ADDU $c_1,$at
-+___
-+ &add_c2($t_2,$t_1,$c_2,$c_3,$c_1,0,
-+ $a_3,$a_1); # mul_add_c2(a[3],b[1],c2,c3,c1);
-+ &add_c2($t_2,$t_1,$c_2,$c_3,$c_1,1,
-+ $a_2,$a_2); # mul_add_c(a[2],b[2],c2,c3,c1);
-+$code.=<<___;
- mflo $t_1
- mfhi $t_2
- $ADDU $c_2,$t_1
-@@ -2016,97 +1992,23 @@ $code.=<<___;
- sltu $at,$c_3,$t_2
- $ADDU $c_1,$at
- $ST $c_2,4*$BNSZ($a0)
--
-- mflo $t_1
-- mfhi $t_2
-- slt $c_2,$t_2,$zero
-- $SLL $t_2,1
-- $MULTU $a_1,$a_4 # mul_add_c2(a[1],b[4],c3,c1,c2);
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_3,$t_1
-- sltu $at,$c_3,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_1,$t_2
-- sltu $at,$c_1,$t_2
-- $ADDU $c_2,$at
-- mflo $t_1
-- mfhi $t_2
-- slt $at,$t_2,$zero
-- $ADDU $c_2,$at
-- $MULTU $a_2,$a_3 # mul_add_c2(a[2],b[3],c3,c1,c2);
-- $SLL $t_2,1
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_3,$t_1
-- sltu $at,$c_3,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_1,$t_2
-- sltu $at,$c_1,$t_2
-- $ADDU $c_2,$at
-- mflo $t_1
-- mfhi $t_2
-- slt $at,$t_2,$zero
-- $MULTU $a_6,$a_0 # mul_add_c2(a[6],b[0],c1,c2,c3);
-- $ADDU $c_2,$at
-- $SLL $t_2,1
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_3,$t_1
-- sltu $at,$c_3,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_1,$t_2
-- sltu $at,$c_1,$t_2
-- $ADDU $c_2,$at
-+___
-+ &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,0,
-+ $a_1,$a_4); # mul_add_c2(a[1],b[4],c3,c1,c2);
-+ &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,1,
-+ $a_2,$a_3); # mul_add_c2(a[2],b[3],c3,c1,c2);
-+ &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,1,
-+ $a_6,$a_0); # mul_add_c2(a[6],b[0],c1,c2,c3);
-+$code.=<<___;
- $ST $c_3,5*$BNSZ($a0)
--
-- mflo $t_1
-- mfhi $t_2
-- slt $c_3,$t_2,$zero
-- $SLL $t_2,1
-- $MULTU $a_5,$a_1 # mul_add_c2(a[5],b[1],c1,c2,c3);
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_1,$t_1
-- sltu $at,$c_1,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_2,$t_2
-- sltu $at,$c_2,$t_2
-- $ADDU $c_3,$at
-- mflo $t_1
-- mfhi $t_2
-- slt $at,$t_2,$zero
-- $ADDU $c_3,$at
-- $MULTU $a_4,$a_2 # mul_add_c2(a[4],b[2],c1,c2,c3);
-- $SLL $t_2,1
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_1,$t_1
-- sltu $at,$c_1,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_2,$t_2
-- sltu $at,$c_2,$t_2
-- $ADDU $c_3,$at
-- mflo $t_1
-- mfhi $t_2
-- slt $at,$t_2,$zero
-- $ADDU $c_3,$at
-- $MULTU $a_3,$a_3 # mul_add_c(a[3],b[3],c1,c2,c3);
-- $SLL $t_2,1
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_1,$t_1
-- sltu $at,$c_1,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_2,$t_2
-- sltu $at,$c_2,$t_2
-- $ADDU $c_3,$at
-+___
-+ &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,0,
-+ $a_5,$a_1); # mul_add_c2(a[5],b[1],c1,c2,c3);
-+ &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,1,
-+ $a_4,$a_2); # mul_add_c2(a[4],b[2],c1,c2,c3);
-+ &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,1,
-+ $a_3,$a_3); # mul_add_c(a[3],b[3],c1,c2,c3);
-+$code.=<<___;
- mflo $t_1
- mfhi $t_2
- $ADDU $c_1,$t_1
-@@ -2117,112 +2019,25 @@ $code.=<<___;
- sltu $at,$c_2,$t_2
- $ADDU $c_3,$at
- $ST $c_1,6*$BNSZ($a0)
--
-- mflo $t_1
-- mfhi $t_2
-- slt $c_1,$t_2,$zero
-- $SLL $t_2,1
-- $MULTU $a_1,$a_6 # mul_add_c2(a[1],b[6],c2,c3,c1);
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_2,$t_1
-- sltu $at,$c_2,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_3,$t_2
-- sltu $at,$c_3,$t_2
-- $ADDU $c_1,$at
-- mflo $t_1
-- mfhi $t_2
-- slt $at,$t_2,$zero
-- $ADDU $c_1,$at
-- $MULTU $a_2,$a_5 # mul_add_c2(a[2],b[5],c2,c3,c1);
-- $SLL $t_2,1
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_2,$t_1
-- sltu $at,$c_2,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_3,$t_2
-- sltu $at,$c_3,$t_2
-- $ADDU $c_1,$at
-- mflo $t_1
-- mfhi $t_2
-- slt $at,$t_2,$zero
-- $ADDU $c_1,$at
-- $MULTU $a_3,$a_4 # mul_add_c2(a[3],b[4],c2,c3,c1);
-- $SLL $t_2,1
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_2,$t_1
-- sltu $at,$c_2,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_3,$t_2
-- sltu $at,$c_3,$t_2
-- $ADDU $c_1,$at
-- mflo $t_1
-- mfhi $t_2
-- slt $at,$t_2,$zero
-- $ADDU $c_1,$at
-- $MULTU $a_7,$a_1 # mul_add_c2(a[7],b[1],c3,c1,c2);
-- $SLL $t_2,1
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_2,$t_1
-- sltu $at,$c_2,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_3,$t_2
-- sltu $at,$c_3,$t_2
-- $ADDU $c_1,$at
-+___
-+ &add_c2($t_2,$t_1,$c_2,$c_3,$c_1,0,
-+ $a_1,$a_6); # mul_add_c2(a[1],b[6],c2,c3,c1);
-+ &add_c2($t_2,$t_1,$c_2,$c_3,$c_1,1,
-+ $a_2,$a_5); # mul_add_c2(a[2],b[5],c2,c3,c1);
-+ &add_c2($t_2,$t_1,$c_2,$c_3,$c_1,1,
-+ $a_3,$a_4); # mul_add_c2(a[3],b[4],c2,c3,c1);
-+ &add_c2($t_2,$t_1,$c_2,$c_3,$c_1,1,
-+ $a_7,$a_1); # mul_add_c2(a[7],b[1],c3,c1,c2);
-+$code.=<<___;
- $ST $c_2,7*$BNSZ($a0)
--
-- mflo $t_1
-- mfhi $t_2
-- slt $c_2,$t_2,$zero
-- $SLL $t_2,1
-- $MULTU $a_6,$a_2 # mul_add_c2(a[6],b[2],c3,c1,c2);
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_3,$t_1
-- sltu $at,$c_3,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_1,$t_2
-- sltu $at,$c_1,$t_2
-- $ADDU $c_2,$at
-- mflo $t_1
-- mfhi $t_2
-- slt $at,$t_2,$zero
-- $ADDU $c_2,$at
-- $MULTU $a_5,$a_3 # mul_add_c2(a[5],b[3],c3,c1,c2);
-- $SLL $t_2,1
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_3,$t_1
-- sltu $at,$c_3,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_1,$t_2
-- sltu $at,$c_1,$t_2
-- $ADDU $c_2,$at
-- mflo $t_1
-- mfhi $t_2
-- slt $at,$t_2,$zero
-- $ADDU $c_2,$at
-- $MULTU $a_4,$a_4 # mul_add_c(a[4],b[4],c3,c1,c2);
-- $SLL $t_2,1
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_3,$t_1
-- sltu $at,$c_3,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_1,$t_2
-- sltu $at,$c_1,$t_2
-- $ADDU $c_2,$at
-+___
-+ &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,0,
-+ $a_6,$a_2); # mul_add_c2(a[6],b[2],c3,c1,c2);
-+ &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,1,
-+ $a_5,$a_3); # mul_add_c2(a[5],b[3],c3,c1,c2);
-+ &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,1,
-+ $a_4,$a_4); # mul_add_c(a[4],b[4],c3,c1,c2);
-+$code.=<<___;
- mflo $t_1
- mfhi $t_2
- $ADDU $c_3,$t_1
-@@ -2233,82 +2048,21 @@ $code.=<<___;
- sltu $at,$c_1,$t_2
- $ADDU $c_2,$at
- $ST $c_3,8*$BNSZ($a0)
--
-- mflo $t_1
-- mfhi $t_2
-- slt $c_3,$t_2,$zero
-- $SLL $t_2,1
-- $MULTU $a_3,$a_6 # mul_add_c2(a[3],b[6],c1,c2,c3);
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_1,$t_1
-- sltu $at,$c_1,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_2,$t_2
-- sltu $at,$c_2,$t_2
-- $ADDU $c_3,$at
-- mflo $t_1
-- mfhi $t_2
-- slt $at,$t_2,$zero
-- $ADDU $c_3,$at
-- $MULTU $a_4,$a_5 # mul_add_c2(a[4],b[5],c1,c2,c3);
-- $SLL $t_2,1
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_1,$t_1
-- sltu $at,$c_1,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_2,$t_2
-- sltu $at,$c_2,$t_2
-- $ADDU $c_3,$at
-- mflo $t_1
-- mfhi $t_2
-- slt $at,$t_2,$zero
-- $ADDU $c_3,$at
-- $MULTU $a_7,$a_3 # mul_add_c2(a[7],b[3],c2,c3,c1);
-- $SLL $t_2,1
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_1,$t_1
-- sltu $at,$c_1,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_2,$t_2
-- sltu $at,$c_2,$t_2
-- $ADDU $c_3,$at
-+___
-+ &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,0,
-+ $a_3,$a_6); # mul_add_c2(a[3],b[6],c1,c2,c3);
-+ &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,1,
-+ $a_4,$a_5); # mul_add_c2(a[4],b[5],c1,c2,c3);
-+ &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,1,
-+ $a_7,$a_3); # mul_add_c2(a[7],b[3],c2,c3,c1);
-+$code.=<<___;
- $ST $c_1,9*$BNSZ($a0)
--
-- mflo $t_1
-- mfhi $t_2
-- slt $c_1,$t_2,$zero
-- $SLL $t_2,1
-- $MULTU $a_6,$a_4 # mul_add_c2(a[6],b[4],c2,c3,c1);
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_2,$t_1
-- sltu $at,$c_2,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_3,$t_2
-- sltu $at,$c_3,$t_2
-- $ADDU $c_1,$at
-- mflo $t_1
-- mfhi $t_2
-- slt $at,$t_2,$zero
-- $ADDU $c_1,$at
-- $MULTU $a_5,$a_5 # mul_add_c(a[5],b[5],c2,c3,c1);
-- $SLL $t_2,1
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_2,$t_1
-- sltu $at,$c_2,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_3,$t_2
-- sltu $at,$c_3,$t_2
-- $ADDU $c_1,$at
-+___
-+ &add_c2($t_2,$t_1,$c_2,$c_3,$c_1,0,
-+ $a_6,$a_4); # mul_add_c2(a[6],b[4],c2,c3,c1);
-+ &add_c2($t_2,$t_1,$c_2,$c_3,$c_1,1,
-+ $a_5,$a_5); # mul_add_c(a[5],b[5],c2,c3,c1);
-+$code.=<<___;
- mflo $t_1
- mfhi $t_2
- $ADDU $c_2,$t_1
-@@ -2319,52 +2073,17 @@ $code.=<<___;
- sltu $at,$c_3,$t_2
- $ADDU $c_1,$at
- $ST $c_2,10*$BNSZ($a0)
--
-- mflo $t_1
-- mfhi $t_2
-- slt $c_2,$t_2,$zero
-- $SLL $t_2,1
-- $MULTU $a_5,$a_6 # mul_add_c2(a[5],b[6],c3,c1,c2);
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_3,$t_1
-- sltu $at,$c_3,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_1,$t_2
-- sltu $at,$c_1,$t_2
-- $ADDU $c_2,$at
-- mflo $t_1
-- mfhi $t_2
-- slt $at,$t_2,$zero
-- $ADDU $c_2,$at
-- $MULTU $a_7,$a_5 # mul_add_c2(a[7],b[5],c1,c2,c3);
-- $SLL $t_2,1
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_3,$t_1
-- sltu $at,$c_3,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_1,$t_2
-- sltu $at,$c_1,$t_2
-- $ADDU $c_2,$at
-+___
-+ &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,0,
-+ $a_5,$a_6); # mul_add_c2(a[5],b[6],c3,c1,c2);
-+ &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,1,
-+ $a_7,$a_5); # mul_add_c2(a[7],b[5],c1,c2,c3);
-+$code.=<<___;
- $ST $c_3,11*$BNSZ($a0)
--
-- mflo $t_1
-- mfhi $t_2
-- slt $c_3,$t_2,$zero
-- $SLL $t_2,1
-- $MULTU $a_6,$a_6 # mul_add_c(a[6],b[6],c1,c2,c3);
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_1,$t_1
-- sltu $at,$c_1,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_2,$t_2
-- sltu $at,$c_2,$t_2
-- $ADDU $c_3,$at
-+___
-+ &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,0,
-+ $a_6,$a_6); # mul_add_c(a[6],b[6],c1,c2,c3);
-+$code.=<<___;
- mflo $t_1
- mfhi $t_2
- $ADDU $c_1,$t_1
-@@ -2375,21 +2094,10 @@ $code.=<<___;
- sltu $at,$c_2,$t_2
- $ADDU $c_3,$at
- $ST $c_1,12*$BNSZ($a0)
--
-- mflo $t_1
-- mfhi $t_2
-- slt $c_1,$t_2,$zero
-- $SLL $t_2,1
-- $MULTU $a_7,$a_7 # mul_add_c(a[7],b[7],c3,c1,c2);
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_2,$t_1
-- sltu $at,$c_2,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_3,$t_2
-- sltu $at,$c_3,$t_2
-- $ADDU $c_1,$at
-+___
-+ &add_c2($t_2,$t_1,$c_2,$c_3,$c_1,0,
-+ $a_7,$a_7); # mul_add_c(a[7],b[7],c3,c1,c2);
-+$code.=<<___;
- $ST $c_2,13*$BNSZ($a0)
-
- mflo $t_1
-@@ -2457,21 +2165,10 @@ $code.=<<___;
- sltu $at,$c_2,$t_1
- $ADDU $c_3,$t_2,$at
- $ST $c_2,$BNSZ($a0)
--
-- mflo $t_1
-- mfhi $t_2
-- slt $c_2,$t_2,$zero
-- $SLL $t_2,1
-- $MULTU $a_1,$a_1 # mul_add_c(a[1],b[1],c3,c1,c2);
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_3,$t_1
-- sltu $at,$c_3,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_1,$t_2
-- sltu $at,$c_1,$t_2
-- $ADDU $c_2,$at
-+___
-+ &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,0,
-+ $a_1,$a_1); # mul_add_c(a[1],b[1],c3,c1,c2);
-+$code.=<<___;
- mflo $t_1
- mfhi $t_2
- $ADDU $c_3,$t_1
-@@ -2482,52 +2179,17 @@ $code.=<<___;
- sltu $at,$c_1,$t_2
- $ADDU $c_2,$at
- $ST $c_3,2*$BNSZ($a0)
--
-- mflo $t_1
-- mfhi $t_2
-- slt $c_3,$t_2,$zero
-- $SLL $t_2,1
-- $MULTU $a_1,$a_2 # mul_add_c(a2[1],b[2],c1,c2,c3);
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_1,$t_1
-- sltu $at,$c_1,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_2,$t_2
-- sltu $at,$c_2,$t_2
-- $ADDU $c_3,$at
-- mflo $t_1
-- mfhi $t_2
-- slt $at,$t_2,$zero
-- $ADDU $c_3,$at
-- $MULTU $a_3,$a_1 # mul_add_c2(a[3],b[1],c2,c3,c1);
-- $SLL $t_2,1
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_1,$t_1
-- sltu $at,$c_1,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_2,$t_2
-- sltu $at,$c_2,$t_2
-- $ADDU $c_3,$at
-+___
-+ &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,0,
-+ $a_1,$a_2); # mul_add_c2(a2[1],b[2],c1,c2,c3);
-+ &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,1,
-+ $a_3,$a_1); # mul_add_c2(a[3],b[1],c2,c3,c1);
-+$code.=<<___;
- $ST $c_1,3*$BNSZ($a0)
--
-- mflo $t_1
-- mfhi $t_2
-- slt $c_1,$t_2,$zero
-- $SLL $t_2,1
-- $MULTU $a_2,$a_2 # mul_add_c(a[2],b[2],c2,c3,c1);
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_2,$t_1
-- sltu $at,$c_2,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_3,$t_2
-- sltu $at,$c_3,$t_2
-- $ADDU $c_1,$at
-+___
-+ &add_c2($t_2,$t_1,$c_2,$c_3,$c_1,0,
-+ $a_2,$a_2); # mul_add_c(a[2],b[2],c2,c3,c1);
-+$code.=<<___;
- mflo $t_1
- mfhi $t_2
- $ADDU $c_2,$t_1
-@@ -2538,21 +2200,10 @@ $code.=<<___;
- sltu $at,$c_3,$t_2
- $ADDU $c_1,$at
- $ST $c_2,4*$BNSZ($a0)
--
-- mflo $t_1
-- mfhi $t_2
-- slt $c_2,$t_2,$zero
-- $SLL $t_2,1
-- $MULTU $a_3,$a_3 # mul_add_c(a[3],b[3],c1,c2,c3);
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_3,$t_1
-- sltu $at,$c_3,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_1,$t_2
-- sltu $at,$c_1,$t_2
-- $ADDU $c_2,$at
-+___
-+ &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,0,
-+ $a_3,$a_3); # mul_add_c(a[3],b[3],c1,c2,c3);
-+$code.=<<___;
- $ST $c_3,5*$BNSZ($a0)
-
- mflo $t_1
-diff --git a/crypto/bn/asm/mips3.s b/crypto/bn/asm/mips3.s
-deleted file mode 100644
-index dca4105..0000000
---- a/crypto/bn/asm/mips3.s
-+++ /dev/null
-@@ -1,2201 +0,0 @@
--.rdata
--.asciiz "mips3.s, Version 1.1"
--.asciiz "MIPS III/IV ISA artwork by Andy Polyakov <appro@fy.chalmers.se>"
--
--/*
-- * ====================================================================
-- * Written by Andy Polyakov <appro@fy.chalmers.se> for the OpenSSL
-- * project.
-- *
-- * Rights for redistribution and usage in source and binary forms are
-- * granted according to the OpenSSL license. Warranty of any kind is
-- * disclaimed.
-- * ====================================================================
-- */
--
--/*
-- * This is my modest contributon to the OpenSSL project (see
-- * http://www.openssl.org/ for more information about it) and is
-- * a drop-in MIPS III/IV ISA replacement for crypto/bn/bn_asm.c
-- * module. For updates see http://fy.chalmers.se/~appro/hpe/.
-- *
-- * The module is designed to work with either of the "new" MIPS ABI(5),
-- * namely N32 or N64, offered by IRIX 6.x. It's not ment to work under
-- * IRIX 5.x not only because it doesn't support new ABIs but also
-- * because 5.x kernels put R4x00 CPU into 32-bit mode and all those
-- * 64-bit instructions (daddu, dmultu, etc.) found below gonna only
-- * cause illegal instruction exception:-(
-- *
-- * In addition the code depends on preprocessor flags set up by MIPSpro
-- * compiler driver (either as or cc) and therefore (probably?) can't be
-- * compiled by the GNU assembler. GNU C driver manages fine though...
-- * I mean as long as -mmips-as is specified or is the default option,
-- * because then it simply invokes /usr/bin/as which in turn takes
-- * perfect care of the preprocessor definitions. Another neat feature
-- * offered by the MIPSpro assembler is an optimization pass. This gave
-- * me the opportunity to have the code looking more regular as all those
-- * architecture dependent instruction rescheduling details were left to
-- * the assembler. Cool, huh?
-- *
-- * Performance improvement is astonishing! 'apps/openssl speed rsa dsa'
-- * goes way over 3 times faster!
-- *
-- * <appro@fy.chalmers.se>
-- */
--#include <asm.h>
--#include <regdef.h>
--
--#if _MIPS_ISA>=4
--#define MOVNZ(cond,dst,src) \
-- movn dst,src,cond
--#else
--#define MOVNZ(cond,dst,src) \
-- .set noreorder; \
-- bnezl cond,.+8; \
-- move dst,src; \
-- .set reorder
--#endif
--
--.text
--
--.set noat
--.set reorder
--
--#define MINUS4 v1
--
--.align 5
--LEAF(bn_mul_add_words)
-- .set noreorder
-- bgtzl a2,.L_bn_mul_add_words_proceed
-- ld t0,0(a1)
-- jr ra
-- move v0,zero
-- .set reorder
--
--.L_bn_mul_add_words_proceed:
-- li MINUS4,-4
-- and ta0,a2,MINUS4
-- move v0,zero
-- beqz ta0,.L_bn_mul_add_words_tail
--
--.L_bn_mul_add_words_loop:
-- dmultu t0,a3
-- ld t1,0(a0)
-- ld t2,8(a1)
-- ld t3,8(a0)
-- ld ta0,16(a1)
-- ld ta1,16(a0)
-- daddu t1,v0
-- sltu v0,t1,v0 /* All manuals say it "compares 32-bit
-- * values", but it seems to work fine
-- * even on 64-bit registers. */
-- mflo AT
-- mfhi t0
-- daddu t1,AT
-- daddu v0,t0
-- sltu AT,t1,AT
-- sd t1,0(a0)
-- daddu v0,AT
--
-- dmultu t2,a3
-- ld ta2,24(a1)
-- ld ta3,24(a0)
-- daddu t3,v0
-- sltu v0,t3,v0
-- mflo AT
-- mfhi t2
-- daddu t3,AT
-- daddu v0,t2
-- sltu AT,t3,AT
-- sd t3,8(a0)
-- daddu v0,AT
--
-- dmultu ta0,a3
-- subu a2,4
-- PTR_ADD a0,32
-- PTR_ADD a1,32
-- daddu ta1,v0
-- sltu v0,ta1,v0
-- mflo AT
-- mfhi ta0
-- daddu ta1,AT
-- daddu v0,ta0
-- sltu AT,ta1,AT
-- sd ta1,-16(a0)
-- daddu v0,AT
--
--
-- dmultu ta2,a3
-- and ta0,a2,MINUS4
-- daddu ta3,v0
-- sltu v0,ta3,v0
-- mflo AT
-- mfhi ta2
-- daddu ta3,AT
-- daddu v0,ta2
-- sltu AT,ta3,AT
-- sd ta3,-8(a0)
-- daddu v0,AT
-- .set noreorder
-- bgtzl ta0,.L_bn_mul_add_words_loop
-- ld t0,0(a1)
--
-- bnezl a2,.L_bn_mul_add_words_tail
-- ld t0,0(a1)
-- .set reorder
--
--.L_bn_mul_add_words_return:
-- jr ra
--
--.L_bn_mul_add_words_tail:
-- dmultu t0,a3
-- ld t1,0(a0)
-- subu a2,1
-- daddu t1,v0
-- sltu v0,t1,v0
-- mflo AT
-- mfhi t0
-- daddu t1,AT
-- daddu v0,t0
-- sltu AT,t1,AT
-- sd t1,0(a0)
-- daddu v0,AT
-- beqz a2,.L_bn_mul_add_words_return
--
-- ld t0,8(a1)
-- dmultu t0,a3
-- ld t1,8(a0)
-- subu a2,1
-- daddu t1,v0
-- sltu v0,t1,v0
-- mflo AT
-- mfhi t0
-- daddu t1,AT
-- daddu v0,t0
-- sltu AT,t1,AT
-- sd t1,8(a0)
-- daddu v0,AT
-- beqz a2,.L_bn_mul_add_words_return
--
-- ld t0,16(a1)
-- dmultu t0,a3
-- ld t1,16(a0)
-- daddu t1,v0
-- sltu v0,t1,v0
-- mflo AT
-- mfhi t0
-- daddu t1,AT
-- daddu v0,t0
-- sltu AT,t1,AT
-- sd t1,16(a0)
-- daddu v0,AT
-- jr ra
--END(bn_mul_add_words)
--
--.align 5
--LEAF(bn_mul_words)
-- .set noreorder
-- bgtzl a2,.L_bn_mul_words_proceed
-- ld t0,0(a1)
-- jr ra
-- move v0,zero
-- .set reorder
--
--.L_bn_mul_words_proceed:
-- li MINUS4,-4
-- and ta0,a2,MINUS4
-- move v0,zero
-- beqz ta0,.L_bn_mul_words_tail
--
--.L_bn_mul_words_loop:
-- dmultu t0,a3
-- ld t2,8(a1)
-- ld ta0,16(a1)
-- ld ta2,24(a1)
-- mflo AT
-- mfhi t0
-- daddu v0,AT
-- sltu t1,v0,AT
-- sd v0,0(a0)
-- daddu v0,t1,t0
--
-- dmultu t2,a3
-- subu a2,4
-- PTR_ADD a0,32
-- PTR_ADD a1,32
-- mflo AT
-- mfhi t2
-- daddu v0,AT
-- sltu t3,v0,AT
-- sd v0,-24(a0)
-- daddu v0,t3,t2
--
-- dmultu ta0,a3
-- mflo AT
-- mfhi ta0
-- daddu v0,AT
-- sltu ta1,v0,AT
-- sd v0,-16(a0)
-- daddu v0,ta1,ta0
--
--
-- dmultu ta2,a3
-- and ta0,a2,MINUS4
-- mflo AT
-- mfhi ta2
-- daddu v0,AT
-- sltu ta3,v0,AT
-- sd v0,-8(a0)
-- daddu v0,ta3,ta2
-- .set noreorder
-- bgtzl ta0,.L_bn_mul_words_loop
-- ld t0,0(a1)
--
-- bnezl a2,.L_bn_mul_words_tail
-- ld t0,0(a1)
-- .set reorder
--
--.L_bn_mul_words_return:
-- jr ra
--
--.L_bn_mul_words_tail:
-- dmultu t0,a3
-- subu a2,1
-- mflo AT
-- mfhi t0
-- daddu v0,AT
-- sltu t1,v0,AT
-- sd v0,0(a0)
-- daddu v0,t1,t0
-- beqz a2,.L_bn_mul_words_return
--
-- ld t0,8(a1)
-- dmultu t0,a3
-- subu a2,1
-- mflo AT
-- mfhi t0
-- daddu v0,AT
-- sltu t1,v0,AT
-- sd v0,8(a0)
-- daddu v0,t1,t0
-- beqz a2,.L_bn_mul_words_return
--
-- ld t0,16(a1)
-- dmultu t0,a3
-- mflo AT
-- mfhi t0
-- daddu v0,AT
-- sltu t1,v0,AT
-- sd v0,16(a0)
-- daddu v0,t1,t0
-- jr ra
--END(bn_mul_words)
--
--.align 5
--LEAF(bn_sqr_words)
-- .set noreorder
-- bgtzl a2,.L_bn_sqr_words_proceed
-- ld t0,0(a1)
-- jr ra
-- move v0,zero
-- .set reorder
--
--.L_bn_sqr_words_proceed:
-- li MINUS4,-4
-- and ta0,a2,MINUS4
-- move v0,zero
-- beqz ta0,.L_bn_sqr_words_tail
--
--.L_bn_sqr_words_loop:
-- dmultu t0,t0
-- ld t2,8(a1)
-- ld ta0,16(a1)
-- ld ta2,24(a1)
-- mflo t1
-- mfhi t0
-- sd t1,0(a0)
-- sd t0,8(a0)
--
-- dmultu t2,t2
-- subu a2,4
-- PTR_ADD a0,64
-- PTR_ADD a1,32
-- mflo t3
-- mfhi t2
-- sd t3,-48(a0)
-- sd t2,-40(a0)
--
-- dmultu ta0,ta0
-- mflo ta1
-- mfhi ta0
-- sd ta1,-32(a0)
-- sd ta0,-24(a0)
--
--
-- dmultu ta2,ta2
-- and ta0,a2,MINUS4
-- mflo ta3
-- mfhi ta2
-- sd ta3,-16(a0)
-- sd ta2,-8(a0)
--
-- .set noreorder
-- bgtzl ta0,.L_bn_sqr_words_loop
-- ld t0,0(a1)
--
-- bnezl a2,.L_bn_sqr_words_tail
-- ld t0,0(a1)
-- .set reorder
--
--.L_bn_sqr_words_return:
-- move v0,zero
-- jr ra
--
--.L_bn_sqr_words_tail:
-- dmultu t0,t0
-- subu a2,1
-- mflo t1
-- mfhi t0
-- sd t1,0(a0)
-- sd t0,8(a0)
-- beqz a2,.L_bn_sqr_words_return
--
-- ld t0,8(a1)
-- dmultu t0,t0
-- subu a2,1
-- mflo t1
-- mfhi t0
-- sd t1,16(a0)
-- sd t0,24(a0)
-- beqz a2,.L_bn_sqr_words_return
--
-- ld t0,16(a1)
-- dmultu t0,t0
-- mflo t1
-- mfhi t0
-- sd t1,32(a0)
-- sd t0,40(a0)
-- jr ra
--END(bn_sqr_words)
--
--.align 5
--LEAF(bn_add_words)
-- .set noreorder
-- bgtzl a3,.L_bn_add_words_proceed
-- ld t0,0(a1)
-- jr ra
-- move v0,zero
-- .set reorder
--
--.L_bn_add_words_proceed:
-- li MINUS4,-4
-- and AT,a3,MINUS4
-- move v0,zero
-- beqz AT,.L_bn_add_words_tail
--
--.L_bn_add_words_loop:
-- ld ta0,0(a2)
-- subu a3,4
-- ld t1,8(a1)
-- and AT,a3,MINUS4
-- ld t2,16(a1)
-- PTR_ADD a2,32
-- ld t3,24(a1)
-- PTR_ADD a0,32
-- ld ta1,-24(a2)
-- PTR_ADD a1,32
-- ld ta2,-16(a2)
-- ld ta3,-8(a2)
-- daddu ta0,t0
-- sltu t8,ta0,t0
-- daddu t0,ta0,v0
-- sltu v0,t0,ta0
-- sd t0,-32(a0)
-- daddu v0,t8
--
-- daddu ta1,t1
-- sltu t9,ta1,t1
-- daddu t1,ta1,v0
-- sltu v0,t1,ta1
-- sd t1,-24(a0)
-- daddu v0,t9
--
-- daddu ta2,t2
-- sltu t8,ta2,t2
-- daddu t2,ta2,v0
-- sltu v0,t2,ta2
-- sd t2,-16(a0)
-- daddu v0,t8
--
-- daddu ta3,t3
-- sltu t9,ta3,t3
-- daddu t3,ta3,v0
-- sltu v0,t3,ta3
-- sd t3,-8(a0)
-- daddu v0,t9
--
-- .set noreorder
-- bgtzl AT,.L_bn_add_words_loop
-- ld t0,0(a1)
--
-- bnezl a3,.L_bn_add_words_tail
-- ld t0,0(a1)
-- .set reorder
--
--.L_bn_add_words_return:
-- jr ra
--
--.L_bn_add_words_tail:
-- ld ta0,0(a2)
-- daddu ta0,t0
-- subu a3,1
-- sltu t8,ta0,t0
-- daddu t0,ta0,v0
-- sltu v0,t0,ta0
-- sd t0,0(a0)
-- daddu v0,t8
-- beqz a3,.L_bn_add_words_return
--
-- ld t1,8(a1)
-- ld ta1,8(a2)
-- daddu ta1,t1
-- subu a3,1
-- sltu t9,ta1,t1
-- daddu t1,ta1,v0
-- sltu v0,t1,ta1
-- sd t1,8(a0)
-- daddu v0,t9
-- beqz a3,.L_bn_add_words_return
--
-- ld t2,16(a1)
-- ld ta2,16(a2)
-- daddu ta2,t2
-- sltu t8,ta2,t2
-- daddu t2,ta2,v0
-- sltu v0,t2,ta2
-- sd t2,16(a0)
-- daddu v0,t8
-- jr ra
--END(bn_add_words)
--
--.align 5
--LEAF(bn_sub_words)
-- .set noreorder
-- bgtzl a3,.L_bn_sub_words_proceed
-- ld t0,0(a1)
-- jr ra
-- move v0,zero
-- .set reorder
--
--.L_bn_sub_words_proceed:
-- li MINUS4,-4
-- and AT,a3,MINUS4
-- move v0,zero
-- beqz AT,.L_bn_sub_words_tail
--
--.L_bn_sub_words_loop:
-- ld ta0,0(a2)
-- subu a3,4
-- ld t1,8(a1)
-- and AT,a3,MINUS4
-- ld t2,16(a1)
-- PTR_ADD a2,32
-- ld t3,24(a1)
-- PTR_ADD a0,32
-- ld ta1,-24(a2)
-- PTR_ADD a1,32
-- ld ta2,-16(a2)
-- ld ta3,-8(a2)
-- sltu t8,t0,ta0
-- dsubu t0,ta0
-- dsubu ta0,t0,v0
-- sd ta0,-32(a0)
-- MOVNZ (t0,v0,t8)
--
-- sltu t9,t1,ta1
-- dsubu t1,ta1
-- dsubu ta1,t1,v0
-- sd ta1,-24(a0)
-- MOVNZ (t1,v0,t9)
--
--
-- sltu t8,t2,ta2
-- dsubu t2,ta2
-- dsubu ta2,t2,v0
-- sd ta2,-16(a0)
-- MOVNZ (t2,v0,t8)
--
-- sltu t9,t3,ta3
-- dsubu t3,ta3
-- dsubu ta3,t3,v0
-- sd ta3,-8(a0)
-- MOVNZ (t3,v0,t9)
--
-- .set noreorder
-- bgtzl AT,.L_bn_sub_words_loop
-- ld t0,0(a1)
--
-- bnezl a3,.L_bn_sub_words_tail
-- ld t0,0(a1)
-- .set reorder
--
--.L_bn_sub_words_return:
-- jr ra
--
--.L_bn_sub_words_tail:
-- ld ta0,0(a2)
-- subu a3,1
-- sltu t8,t0,ta0
-- dsubu t0,ta0
-- dsubu ta0,t0,v0
-- MOVNZ (t0,v0,t8)
-- sd ta0,0(a0)
-- beqz a3,.L_bn_sub_words_return
--
-- ld t1,8(a1)
-- subu a3,1
-- ld ta1,8(a2)
-- sltu t9,t1,ta1
-- dsubu t1,ta1
-- dsubu ta1,t1,v0
-- MOVNZ (t1,v0,t9)
-- sd ta1,8(a0)
-- beqz a3,.L_bn_sub_words_return
--
-- ld t2,16(a1)
-- ld ta2,16(a2)
-- sltu t8,t2,ta2
-- dsubu t2,ta2
-- dsubu ta2,t2,v0
-- MOVNZ (t2,v0,t8)
-- sd ta2,16(a0)
-- jr ra
--END(bn_sub_words)
--
--#undef MINUS4
--
--.align 5
--LEAF(bn_div_3_words)
-- .set reorder
-- move a3,a0 /* we know that bn_div_words doesn't
-- * touch a3, ta2, ta3 and preserves a2
-- * so that we can save two arguments
-- * and return address in registers
-- * instead of stack:-)
-- */
-- ld a0,(a3)
-- move ta2,a1
-- ld a1,-8(a3)
-- bne a0,a2,.L_bn_div_3_words_proceed
-- li v0,-1
-- jr ra
--.L_bn_div_3_words_proceed:
-- move ta3,ra
-- bal bn_div_words
-- move ra,ta3
-- dmultu ta2,v0
-- ld t2,-16(a3)
-- move ta0,zero
-- mfhi t1
-- mflo t0
-- sltu t8,t1,v1
--.L_bn_div_3_words_inner_loop:
-- bnez t8,.L_bn_div_3_words_inner_loop_done
-- sgeu AT,t2,t0
-- seq t9,t1,v1
-- and AT,t9
-- sltu t3,t0,ta2
-- daddu v1,a2
-- dsubu t1,t3
-- dsubu t0,ta2
-- sltu t8,t1,v1
-- sltu ta0,v1,a2
-- or t8,ta0
-- .set noreorder
-- beqzl AT,.L_bn_div_3_words_inner_loop
-- dsubu v0,1
-- .set reorder
--.L_bn_div_3_words_inner_loop_done:
-- jr ra
--END(bn_div_3_words)
--
--.align 5
--LEAF(bn_div_words)
-- .set noreorder
-- bnezl a2,.L_bn_div_words_proceed
-- move v1,zero
-- jr ra
-- li v0,-1 /* I'd rather signal div-by-zero
-- * which can be done with 'break 7' */
--
--.L_bn_div_words_proceed:
-- bltz a2,.L_bn_div_words_body
-- move t9,v1
-- dsll a2,1
-- bgtz a2,.-4
-- addu t9,1
--
-- .set reorder
-- negu t1,t9
-- li t2,-1
-- dsll t2,t1
-- and t2,a0
-- dsrl AT,a1,t1
-- .set noreorder
-- bnezl t2,.+8
-- break 6 /* signal overflow */
-- .set reorder
-- dsll a0,t9
-- dsll a1,t9
-- or a0,AT
--
--#define QT ta0
--#define HH ta1
--#define DH v1
--.L_bn_div_words_body:
-- dsrl DH,a2,32
-- sgeu AT,a0,a2
-- .set noreorder
-- bnezl AT,.+8
-- dsubu a0,a2
-- .set reorder
--
-- li QT,-1
-- dsrl HH,a0,32
-- dsrl QT,32 /* q=0xffffffff */
-- beq DH,HH,.L_bn_div_words_skip_div1
-- ddivu zero,a0,DH
-- mflo QT
--.L_bn_div_words_skip_div1:
-- dmultu a2,QT
-- dsll t3,a0,32
-- dsrl AT,a1,32
-- or t3,AT
-- mflo t0
-- mfhi t1
--.L_bn_div_words_inner_loop1:
-- sltu t2,t3,t0
-- seq t8,HH,t1
-- sltu AT,HH,t1
-- and t2,t8
-- sltu v0,t0,a2
-- or AT,t2
-- .set noreorder
-- beqz AT,.L_bn_div_words_inner_loop1_done
-- dsubu t1,v0
-- dsubu t0,a2
-- b .L_bn_div_words_inner_loop1
-- dsubu QT,1
-- .set reorder
--.L_bn_div_words_inner_loop1_done:
--
-- dsll a1,32
-- dsubu a0,t3,t0
-- dsll v0,QT,32
--
-- li QT,-1
-- dsrl HH,a0,32
-- dsrl QT,32 /* q=0xffffffff */
-- beq DH,HH,.L_bn_div_words_skip_div2
-- ddivu zero,a0,DH
-- mflo QT
--.L_bn_div_words_skip_div2:
--#undef DH
-- dmultu a2,QT
-- dsll t3,a0,32
-- dsrl AT,a1,32
-- or t3,AT
-- mflo t0
-- mfhi t1
--.L_bn_div_words_inner_loop2:
-- sltu t2,t3,t0
-- seq t8,HH,t1
-- sltu AT,HH,t1
-- and t2,t8
-- sltu v1,t0,a2
-- or AT,t2
-- .set noreorder
-- beqz AT,.L_bn_div_words_inner_loop2_done
-- dsubu t1,v1
-- dsubu t0,a2
-- b .L_bn_div_words_inner_loop2
-- dsubu QT,1
-- .set reorder
--.L_bn_div_words_inner_loop2_done:
--#undef HH
--
-- dsubu a0,t3,t0
-- or v0,QT
-- dsrl v1,a0,t9 /* v1 contains remainder if anybody wants it */
-- dsrl a2,t9 /* restore a2 */
-- jr ra
--#undef QT
--END(bn_div_words)
--
--#define a_0 t0
--#define a_1 t1
--#define a_2 t2
--#define a_3 t3
--#define b_0 ta0
--#define b_1 ta1
--#define b_2 ta2
--#define b_3 ta3
--
--#define a_4 s0
--#define a_5 s2
--#define a_6 s4
--#define a_7 a1 /* once we load a[7] we don't need a anymore */
--#define b_4 s1
--#define b_5 s3
--#define b_6 s5
--#define b_7 a2 /* once we load b[7] we don't need b anymore */
--
--#define t_1 t8
--#define t_2 t9
--
--#define c_1 v0
--#define c_2 v1
--#define c_3 a3
--
--#define FRAME_SIZE 48
--
--.align 5
--LEAF(bn_mul_comba8)
-- .set noreorder
-- PTR_SUB sp,FRAME_SIZE
-- .frame sp,64,ra
-- .set reorder
-- ld a_0,0(a1) /* If compiled with -mips3 option on
-- * R5000 box assembler barks on this
-- * line with "shouldn't have mult/div
-- * as last instruction in bb (R10K
-- * bug)" warning. If anybody out there
-- * has a clue about how to circumvent
-- * this do send me a note.
-- * <appro@fy.chalmers.se>
-- */
-- ld b_0,0(a2)
-- ld a_1,8(a1)
-- ld a_2,16(a1)
-- ld a_3,24(a1)
-- ld b_1,8(a2)
-- ld b_2,16(a2)
-- ld b_3,24(a2)
-- dmultu a_0,b_0 /* mul_add_c(a[0],b[0],c1,c2,c3); */
-- sd s0,0(sp)
-- sd s1,8(sp)
-- sd s2,16(sp)
-- sd s3,24(sp)
-- sd s4,32(sp)
-- sd s5,40(sp)
-- mflo c_1
-- mfhi c_2
--
-- dmultu a_0,b_1 /* mul_add_c(a[0],b[1],c2,c3,c1); */
-- ld a_4,32(a1)
-- ld a_5,40(a1)
-- ld a_6,48(a1)
-- ld a_7,56(a1)
-- ld b_4,32(a2)
-- ld b_5,40(a2)
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu c_3,t_2,AT
-- dmultu a_1,b_0 /* mul_add_c(a[1],b[0],c2,c3,c1); */
-- ld b_6,48(a2)
-- ld b_7,56(a2)
-- sd c_1,0(a0) /* r[0]=c1; */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu c_1,c_3,t_2
-- sd c_2,8(a0) /* r[1]=c2; */
--
-- dmultu a_2,b_0 /* mul_add_c(a[2],b[0],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- dmultu a_1,b_1 /* mul_add_c(a[1],b[1],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu c_2,c_1,t_2
-- dmultu a_0,b_2 /* mul_add_c(a[0],b[2],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- sd c_3,16(a0) /* r[2]=c3; */
--
-- dmultu a_0,b_3 /* mul_add_c(a[0],b[3],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu c_3,c_2,t_2
-- dmultu a_1,b_2 /* mul_add_c(a[1],b[2],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- dmultu a_2,b_1 /* mul_add_c(a[2],b[1],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- dmultu a_3,b_0 /* mul_add_c(a[3],b[0],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- sd c_1,24(a0) /* r[3]=c1; */
--
-- dmultu a_4,b_0 /* mul_add_c(a[4],b[0],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu c_1,c_3,t_2
-- dmultu a_3,b_1 /* mul_add_c(a[3],b[1],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- dmultu a_2,b_2 /* mul_add_c(a[2],b[2],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- dmultu a_1,b_3 /* mul_add_c(a[1],b[3],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- dmultu a_0,b_4 /* mul_add_c(a[0],b[4],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- sd c_2,32(a0) /* r[4]=c2; */
--
-- dmultu a_0,b_5 /* mul_add_c(a[0],b[5],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu c_2,c_1,t_2
-- dmultu a_1,b_4 /* mul_add_c(a[1],b[4],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- dmultu a_2,b_3 /* mul_add_c(a[2],b[3],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- dmultu a_3,b_2 /* mul_add_c(a[3],b[2],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- dmultu a_4,b_1 /* mul_add_c(a[4],b[1],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- dmultu a_5,b_0 /* mul_add_c(a[5],b[0],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- sd c_3,40(a0) /* r[5]=c3; */
--
-- dmultu a_6,b_0 /* mul_add_c(a[6],b[0],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu c_3,c_2,t_2
-- dmultu a_5,b_1 /* mul_add_c(a[5],b[1],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- dmultu a_4,b_2 /* mul_add_c(a[4],b[2],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- dmultu a_3,b_3 /* mul_add_c(a[3],b[3],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- dmultu a_2,b_4 /* mul_add_c(a[2],b[4],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- dmultu a_1,b_5 /* mul_add_c(a[1],b[5],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- dmultu a_0,b_6 /* mul_add_c(a[0],b[6],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- sd c_1,48(a0) /* r[6]=c1; */
--
-- dmultu a_0,b_7 /* mul_add_c(a[0],b[7],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu c_1,c_3,t_2
-- dmultu a_1,b_6 /* mul_add_c(a[1],b[6],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- dmultu a_2,b_5 /* mul_add_c(a[2],b[5],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- dmultu a_3,b_4 /* mul_add_c(a[3],b[4],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- dmultu a_4,b_3 /* mul_add_c(a[4],b[3],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- dmultu a_5,b_2 /* mul_add_c(a[5],b[2],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- dmultu a_6,b_1 /* mul_add_c(a[6],b[1],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- dmultu a_7,b_0 /* mul_add_c(a[7],b[0],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- sd c_2,56(a0) /* r[7]=c2; */
--
-- dmultu a_7,b_1 /* mul_add_c(a[7],b[1],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu c_2,c_1,t_2
-- dmultu a_6,b_2 /* mul_add_c(a[6],b[2],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- dmultu a_5,b_3 /* mul_add_c(a[5],b[3],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- dmultu a_4,b_4 /* mul_add_c(a[4],b[4],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- dmultu a_3,b_5 /* mul_add_c(a[3],b[5],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- dmultu a_2,b_6 /* mul_add_c(a[2],b[6],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- dmultu a_1,b_7 /* mul_add_c(a[1],b[7],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- sd c_3,64(a0) /* r[8]=c3; */
--
-- dmultu a_2,b_7 /* mul_add_c(a[2],b[7],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu c_3,c_2,t_2
-- dmultu a_3,b_6 /* mul_add_c(a[3],b[6],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- dmultu a_4,b_5 /* mul_add_c(a[4],b[5],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- dmultu a_5,b_4 /* mul_add_c(a[5],b[4],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- dmultu a_6,b_3 /* mul_add_c(a[6],b[3],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- dmultu a_7,b_2 /* mul_add_c(a[7],b[2],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- sd c_1,72(a0) /* r[9]=c1; */
--
-- dmultu a_7,b_3 /* mul_add_c(a[7],b[3],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu c_1,c_3,t_2
-- dmultu a_6,b_4 /* mul_add_c(a[6],b[4],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- dmultu a_5,b_5 /* mul_add_c(a[5],b[5],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- dmultu a_4,b_6 /* mul_add_c(a[4],b[6],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- dmultu a_3,b_7 /* mul_add_c(a[3],b[7],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- sd c_2,80(a0) /* r[10]=c2; */
--
-- dmultu a_4,b_7 /* mul_add_c(a[4],b[7],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu c_2,c_1,t_2
-- dmultu a_5,b_6 /* mul_add_c(a[5],b[6],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- dmultu a_6,b_5 /* mul_add_c(a[6],b[5],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- dmultu a_7,b_4 /* mul_add_c(a[7],b[4],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- sd c_3,88(a0) /* r[11]=c3; */
--
-- dmultu a_7,b_5 /* mul_add_c(a[7],b[5],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu c_3,c_2,t_2
-- dmultu a_6,b_6 /* mul_add_c(a[6],b[6],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- dmultu a_5,b_7 /* mul_add_c(a[5],b[7],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- sd c_1,96(a0) /* r[12]=c1; */
--
-- dmultu a_6,b_7 /* mul_add_c(a[6],b[7],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu c_1,c_3,t_2
-- dmultu a_7,b_6 /* mul_add_c(a[7],b[6],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- sd c_2,104(a0) /* r[13]=c2; */
--
-- dmultu a_7,b_7 /* mul_add_c(a[7],b[7],c3,c1,c2); */
-- ld s0,0(sp)
-- ld s1,8(sp)
-- ld s2,16(sp)
-- ld s3,24(sp)
-- ld s4,32(sp)
-- ld s5,40(sp)
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sd c_3,112(a0) /* r[14]=c3; */
-- sd c_1,120(a0) /* r[15]=c1; */
--
-- PTR_ADD sp,FRAME_SIZE
--
-- jr ra
--END(bn_mul_comba8)
--
--.align 5
--LEAF(bn_mul_comba4)
-- .set reorder
-- ld a_0,0(a1)
-- ld b_0,0(a2)
-- ld a_1,8(a1)
-- ld a_2,16(a1)
-- dmultu a_0,b_0 /* mul_add_c(a[0],b[0],c1,c2,c3); */
-- ld a_3,24(a1)
-- ld b_1,8(a2)
-- ld b_2,16(a2)
-- ld b_3,24(a2)
-- mflo c_1
-- mfhi c_2
-- sd c_1,0(a0)
--
-- dmultu a_0,b_1 /* mul_add_c(a[0],b[1],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu c_3,t_2,AT
-- dmultu a_1,b_0 /* mul_add_c(a[1],b[0],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu c_1,c_3,t_2
-- sd c_2,8(a0)
--
-- dmultu a_2,b_0 /* mul_add_c(a[2],b[0],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- dmultu a_1,b_1 /* mul_add_c(a[1],b[1],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu c_2,c_1,t_2
-- dmultu a_0,b_2 /* mul_add_c(a[0],b[2],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- sd c_3,16(a0)
--
-- dmultu a_0,b_3 /* mul_add_c(a[0],b[3],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu c_3,c_2,t_2
-- dmultu a_1,b_2 /* mul_add_c(a[1],b[2],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- dmultu a_2,b_1 /* mul_add_c(a[2],b[1],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- dmultu a_3,b_0 /* mul_add_c(a[3],b[0],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- sd c_1,24(a0)
--
-- dmultu a_3,b_1 /* mul_add_c(a[3],b[1],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu c_1,c_3,t_2
-- dmultu a_2,b_2 /* mul_add_c(a[2],b[2],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- dmultu a_1,b_3 /* mul_add_c(a[1],b[3],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- sd c_2,32(a0)
--
-- dmultu a_2,b_3 /* mul_add_c(a[2],b[3],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu c_2,c_1,t_2
-- dmultu a_3,b_2 /* mul_add_c(a[3],b[2],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- sd c_3,40(a0)
--
-- dmultu a_3,b_3 /* mul_add_c(a[3],b[3],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sd c_1,48(a0)
-- sd c_2,56(a0)
--
-- jr ra
--END(bn_mul_comba4)
--
--#undef a_4
--#undef a_5
--#undef a_6
--#undef a_7
--#define a_4 b_0
--#define a_5 b_1
--#define a_6 b_2
--#define a_7 b_3
--
--.align 5
--LEAF(bn_sqr_comba8)
-- .set reorder
-- ld a_0,0(a1)
-- ld a_1,8(a1)
-- ld a_2,16(a1)
-- ld a_3,24(a1)
--
-- dmultu a_0,a_0 /* mul_add_c(a[0],b[0],c1,c2,c3); */
-- ld a_4,32(a1)
-- ld a_5,40(a1)
-- ld a_6,48(a1)
-- ld a_7,56(a1)
-- mflo c_1
-- mfhi c_2
-- sd c_1,0(a0)
--
-- dmultu a_0,a_1 /* mul_add_c2(a[0],b[1],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- slt c_1,t_2,zero
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu c_3,t_2,AT
-- sd c_2,8(a0)
--
-- dmultu a_2,a_0 /* mul_add_c2(a[2],b[0],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- slt c_2,t_2,zero
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- dmultu a_1,a_1 /* mul_add_c(a[1],b[1],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- sd c_3,16(a0)
--
-- dmultu a_0,a_3 /* mul_add_c2(a[0],b[3],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- slt c_3,t_2,zero
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- dmultu a_1,a_2 /* mul_add_c2(a[1],b[2],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- slt AT,t_2,zero
-- daddu c_3,AT
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- sd c_1,24(a0)
--
-- dmultu a_4,a_0 /* mul_add_c2(a[4],b[0],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- slt c_1,t_2,zero
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- dmultu a_3,a_1 /* mul_add_c2(a[3],b[1],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- slt AT,t_2,zero
-- daddu c_1,AT
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- dmultu a_2,a_2 /* mul_add_c(a[2],b[2],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- sd c_2,32(a0)
--
-- dmultu a_0,a_5 /* mul_add_c2(a[0],b[5],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- slt c_2,t_2,zero
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- dmultu a_1,a_4 /* mul_add_c2(a[1],b[4],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- slt AT,t_2,zero
-- daddu c_2,AT
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- dmultu a_2,a_3 /* mul_add_c2(a[2],b[3],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- slt AT,t_2,zero
-- daddu c_2,AT
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- sd c_3,40(a0)
--
-- dmultu a_6,a_0 /* mul_add_c2(a[6],b[0],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- slt c_3,t_2,zero
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- dmultu a_5,a_1 /* mul_add_c2(a[5],b[1],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- slt AT,t_2,zero
-- daddu c_3,AT
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- dmultu a_4,a_2 /* mul_add_c2(a[4],b[2],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- slt AT,t_2,zero
-- daddu c_3,AT
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- dmultu a_3,a_3 /* mul_add_c(a[3],b[3],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- sd c_1,48(a0)
--
-- dmultu a_0,a_7 /* mul_add_c2(a[0],b[7],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- slt c_1,t_2,zero
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- dmultu a_1,a_6 /* mul_add_c2(a[1],b[6],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- slt AT,t_2,zero
-- daddu c_1,AT
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- dmultu a_2,a_5 /* mul_add_c2(a[2],b[5],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- slt AT,t_2,zero
-- daddu c_1,AT
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- dmultu a_3,a_4 /* mul_add_c2(a[3],b[4],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- slt AT,t_2,zero
-- daddu c_1,AT
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- sd c_2,56(a0)
--
-- dmultu a_7,a_1 /* mul_add_c2(a[7],b[1],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- slt c_2,t_2,zero
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- dmultu a_6,a_2 /* mul_add_c2(a[6],b[2],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- slt AT,t_2,zero
-- daddu c_2,AT
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- dmultu a_5,a_3 /* mul_add_c2(a[5],b[3],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- slt AT,t_2,zero
-- daddu c_2,AT
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- dmultu a_4,a_4 /* mul_add_c(a[4],b[4],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- sd c_3,64(a0)
--
-- dmultu a_2,a_7 /* mul_add_c2(a[2],b[7],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- slt c_3,t_2,zero
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- dmultu a_3,a_6 /* mul_add_c2(a[3],b[6],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- slt AT,t_2,zero
-- daddu c_3,AT
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- dmultu a_4,a_5 /* mul_add_c2(a[4],b[5],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- slt AT,t_2,zero
-- daddu c_3,AT
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- sd c_1,72(a0)
--
-- dmultu a_7,a_3 /* mul_add_c2(a[7],b[3],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- slt c_1,t_2,zero
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- dmultu a_6,a_4 /* mul_add_c2(a[6],b[4],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- slt AT,t_2,zero
-- daddu c_1,AT
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- dmultu a_5,a_5 /* mul_add_c(a[5],b[5],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- sd c_2,80(a0)
--
-- dmultu a_4,a_7 /* mul_add_c2(a[4],b[7],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- slt c_2,t_2,zero
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- dmultu a_5,a_6 /* mul_add_c2(a[5],b[6],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- slt AT,t_2,zero
-- daddu c_2,AT
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- sd c_3,88(a0)
--
-- dmultu a_7,a_5 /* mul_add_c2(a[7],b[5],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- slt c_3,t_2,zero
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- dmultu a_6,a_6 /* mul_add_c(a[6],b[6],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- sd c_1,96(a0)
--
-- dmultu a_6,a_7 /* mul_add_c2(a[6],b[7],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- slt c_1,t_2,zero
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- sd c_2,104(a0)
--
-- dmultu a_7,a_7 /* mul_add_c(a[7],b[7],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sd c_3,112(a0)
-- sd c_1,120(a0)
--
-- jr ra
--END(bn_sqr_comba8)
--
--.align 5
--LEAF(bn_sqr_comba4)
-- .set reorder
-- ld a_0,0(a1)
-- ld a_1,8(a1)
-- ld a_2,16(a1)
-- ld a_3,24(a1)
-- dmultu a_0,a_0 /* mul_add_c(a[0],b[0],c1,c2,c3); */
-- mflo c_1
-- mfhi c_2
-- sd c_1,0(a0)
--
-- dmultu a_0,a_1 /* mul_add_c2(a[0],b[1],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- slt c_1,t_2,zero
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu c_3,t_2,AT
-- sd c_2,8(a0)
--
-- dmultu a_2,a_0 /* mul_add_c2(a[2],b[0],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- slt c_2,t_2,zero
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- dmultu a_1,a_1 /* mul_add_c(a[1],b[1],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- sd c_3,16(a0)
--
-- dmultu a_0,a_3 /* mul_add_c2(a[0],b[3],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- slt c_3,t_2,zero
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- dmultu a_1,a_2 /* mul_add_c(a2[1],b[2],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- slt AT,t_2,zero
-- daddu c_3,AT
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- sd c_1,24(a0)
--
-- dmultu a_3,a_1 /* mul_add_c2(a[3],b[1],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- slt c_1,t_2,zero
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- dmultu a_2,a_2 /* mul_add_c(a[2],b[2],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- sd c_2,32(a0)
--
-- dmultu a_2,a_3 /* mul_add_c2(a[2],b[3],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- slt c_2,t_2,zero
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- sd c_3,40(a0)
--
-- dmultu a_3,a_3 /* mul_add_c(a[3],b[3],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sd c_1,48(a0)
-- sd c_2,56(a0)
--
-- jr ra
--END(bn_sqr_comba4)
-diff --git a/crypto/bn/asm/x86_64-gcc.c b/crypto/bn/asm/x86_64-gcc.c
-index 31476ab..2d39407 100644
---- a/crypto/bn/asm/x86_64-gcc.c
-+++ b/crypto/bn/asm/x86_64-gcc.c
-@@ -273,6 +273,10 @@ BN_ULONG bn_sub_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
- /* sqr_add_c(a,i,c0,c1,c2) -- c+=a[i]^2 for three word number c=(c2,c1,c0) */
- /* sqr_add_c2(a,i,c0,c1,c2) -- c+=2*a[i]*a[j] for three word number c=(c2,c1,c0) */
-
-+/*
-+ * Keep in mind that carrying into high part of multiplication result
-+ * can not overflow, because it cannot be all-ones.
-+ */
- #if 0
- /* original macros are kept for reference purposes */
- #define mul_add_c(a,b,c0,c1,c2) { \
-@@ -287,10 +291,10 @@ BN_ULONG bn_sub_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
- BN_ULONG ta=(a),tb=(b),t0; \
- t1 = BN_UMULT_HIGH(ta,tb); \
- t0 = ta * tb; \
-- t2 = t1+t1; c2 += (t2<t1)?1:0; \
-- t1 = t0+t0; t2 += (t1<t0)?1:0; \
-- c0 += t1; t2 += (c0<t1)?1:0; \
-+ c0 += t0; t2 = t1+((c0<t0)?1:0);\
- c1 += t2; c2 += (c1<t2)?1:0; \
-+ c0 += t0; t1 += (c0<t0)?1:0; \
-+ c1 += t1; c2 += (c1<t1)?1:0; \
- }
- #else
- #define mul_add_c(a,b,c0,c1,c2) do { \
-@@ -328,22 +332,14 @@ BN_ULONG bn_sub_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
- : "=a"(t1),"=d"(t2) \
- : "a"(a),"m"(b) \
- : "cc"); \
-- asm ("addq %0,%0; adcq %2,%1" \
-- : "+d"(t2),"+r"(c2) \
-- : "g"(0) \
-- : "cc"); \
-- asm ("addq %0,%0; adcq %2,%1" \
-- : "+a"(t1),"+d"(t2) \
-- : "g"(0) \
-- : "cc"); \
-- asm ("addq %2,%0; adcq %3,%1" \
-- : "+r"(c0),"+d"(t2) \
-- : "a"(t1),"g"(0) \
-- : "cc"); \
-- asm ("addq %2,%0; adcq %3,%1" \
-- : "+r"(c1),"+r"(c2) \
-- : "d"(t2),"g"(0) \
-- : "cc"); \
-+ asm ("addq %3,%0; adcq %4,%1; adcq %5,%2" \
-+ : "+r"(c0),"+r"(c1),"+r"(c2) \
-+ : "r"(t1),"r"(t2),"g"(0) \
-+ : "cc"); \
-+ asm ("addq %3,%0; adcq %4,%1; adcq %5,%2" \
-+ : "+r"(c0),"+r"(c1),"+r"(c2) \
-+ : "r"(t1),"r"(t2),"g"(0) \
-+ : "cc"); \
- } while (0)
- #endif
-
-diff --git a/crypto/bn/bn_asm.c b/crypto/bn/bn_asm.c
-index c43c91c..a33b634 100644
---- a/crypto/bn/bn_asm.c
-+++ b/crypto/bn/bn_asm.c
-@@ -438,6 +438,10 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, int n)
- /* sqr_add_c(a,i,c0,c1,c2) -- c+=a[i]^2 for three word number c=(c2,c1,c0) */
- /* sqr_add_c2(a,i,c0,c1,c2) -- c+=2*a[i]*a[j] for three word number c=(c2,c1,c0) */
-
-+/*
-+ * Keep in mind that carrying into high part of multiplication result
-+ * can not overflow, because it cannot be all-ones.
-+ */
- #ifdef BN_LLONG
- #define mul_add_c(a,b,c0,c1,c2) \
- t=(BN_ULLONG)a*b; \
-@@ -478,10 +482,10 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, int n)
- #define mul_add_c2(a,b,c0,c1,c2) { \
- BN_ULONG ta=(a),tb=(b),t0; \
- BN_UMULT_LOHI(t0,t1,ta,tb); \
-- t2 = t1+t1; c2 += (t2<t1)?1:0; \
-- t1 = t0+t0; t2 += (t1<t0)?1:0; \
-- c0 += t1; t2 += (c0<t1)?1:0; \
-+ c0 += t0; t2 = t1+((c0<t0)?1:0);\
- c1 += t2; c2 += (c1<t2)?1:0; \
-+ c0 += t0; t1 += (c0<t0)?1:0; \
-+ c1 += t1; c2 += (c1<t1)?1:0; \
- }
-
- #define sqr_add_c(a,i,c0,c1,c2) { \
-@@ -508,10 +512,10 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, int n)
- BN_ULONG ta=(a),tb=(b),t0; \
- t1 = BN_UMULT_HIGH(ta,tb); \
- t0 = ta * tb; \
-- t2 = t1+t1; c2 += (t2<t1)?1:0; \
-- t1 = t0+t0; t2 += (t1<t0)?1:0; \
-- c0 += t1; t2 += (c0<t1)?1:0; \
-+ c0 += t0; t2 = t1+((c0<t0)?1:0);\
- c1 += t2; c2 += (c1<t2)?1:0; \
-+ c0 += t0; t1 += (c0<t0)?1:0; \
-+ c1 += t1; c2 += (c1<t1)?1:0; \
- }
-
- #define sqr_add_c(a,i,c0,c1,c2) { \
-diff --git a/crypto/bn/bntest.c b/crypto/bn/bntest.c
-index 7771e92..48bc633 100644
---- a/crypto/bn/bntest.c
-+++ b/crypto/bn/bntest.c
-@@ -678,44 +678,98 @@ int test_mul(BIO *bp)
-
- int test_sqr(BIO *bp, BN_CTX *ctx)
- {
-- BIGNUM a,c,d,e;
-- int i;
-+ BIGNUM *a,*c,*d,*e;
-+ int i, ret = 0;
-
-- BN_init(&a);
-- BN_init(&c);
-- BN_init(&d);
-- BN_init(&e);
-+ a = BN_new();
-+ c = BN_new();
-+ d = BN_new();
-+ e = BN_new();
-+ if (a == NULL || c == NULL || d == NULL || e == NULL)
-+ {
-+ goto err;
-+ }
-
- for (i=0; i<num0; i++)
- {
-- BN_bntest_rand(&a,40+i*10,0,0);
-- a.neg=rand_neg();
-- BN_sqr(&c,&a,ctx);
-+ BN_bntest_rand(a,40+i*10,0,0);
-+ a->neg=rand_neg();
-+ BN_sqr(c,a,ctx);
- if (bp != NULL)
- {
- if (!results)
- {
-- BN_print(bp,&a);
-+ BN_print(bp,a);
- BIO_puts(bp," * ");
-- BN_print(bp,&a);
-+ BN_print(bp,a);
- BIO_puts(bp," - ");
- }
-- BN_print(bp,&c);
-+ BN_print(bp,c);
- BIO_puts(bp,"\n");
- }
-- BN_div(&d,&e,&c,&a,ctx);
-- BN_sub(&d,&d,&a);
-- if(!BN_is_zero(&d) || !BN_is_zero(&e))
-- {
-- fprintf(stderr,"Square test failed!\n");
-- return 0;
-- }
-+ BN_div(d,e,c,a,ctx);
-+ BN_sub(d,d,a);
-+ if(!BN_is_zero(d) || !BN_is_zero(e))
-+ {
-+ fprintf(stderr,"Square test failed!\n");
-+ goto err;
-+ }
- }
-- BN_free(&a);
-- BN_free(&c);
-- BN_free(&d);
-- BN_free(&e);
-- return(1);
-+
-+ /* Regression test for a BN_sqr overflow bug. */
-+ BN_hex2bn(&a,
-+ "80000000000000008000000000000001FFFFFFFFFFFFFFFE0000000000000000");
-+ BN_sqr(c, a, ctx);
-+ if (bp != NULL)
-+ {
-+ if (!results)
-+ {
-+ BN_print(bp,a);
-+ BIO_puts(bp," * ");
-+ BN_print(bp,a);
-+ BIO_puts(bp," - ");
-+ }
-+ BN_print(bp,c);
-+ BIO_puts(bp,"\n");
-+ }
-+ BN_mul(d, a, a, ctx);
-+ if (BN_cmp(c, d))
-+ {
-+ fprintf(stderr, "Square test failed: BN_sqr and BN_mul produce "
-+ "different results!\n");
-+ goto err;
-+ }
-+
-+ /* Regression test for a BN_sqr overflow bug. */
-+ BN_hex2bn(&a,
-+ "80000000000000000000000080000001FFFFFFFE000000000000000000000000");
-+ BN_sqr(c, a, ctx);
-+ if (bp != NULL)
-+ {
-+ if (!results)
-+ {
-+ BN_print(bp,a);
-+ BIO_puts(bp," * ");
-+ BN_print(bp,a);
-+ BIO_puts(bp," - ");
-+ }
-+ BN_print(bp,c);
-+ BIO_puts(bp,"\n");
-+ }
-+ BN_mul(d, a, a, ctx);
-+ if (BN_cmp(c, d))
-+ {
-+ fprintf(stderr, "Square test failed: BN_sqr and BN_mul produce "
-+ "different results!\n");
-+ goto err;
-+ }
-+ ret = 1;
-+err:
-+ if (a != NULL) BN_free(a);
-+ if (c != NULL) BN_free(c);
-+ if (d != NULL) BN_free(d);
-+ if (e != NULL) BN_free(e);
-+ return ret;
- }
-
- int test_mont(BIO *bp, BN_CTX *ctx)
---
-1.8.3.1
-
diff --git a/SOURCES/openssl-1.0.1e-cve-2014-3571.patch b/SOURCES/openssl-1.0.1e-cve-2014-3571.patch
deleted file mode 100644
index 9c93b7f..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2014-3571.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-diff -up openssl-1.0.1e/ssl/d1_pkt.c.dtls1-reads openssl-1.0.1e/ssl/d1_pkt.c
---- openssl-1.0.1e/ssl/d1_pkt.c.dtls1-reads 2015-01-12 17:31:41.647213706 +0100
-+++ openssl-1.0.1e/ssl/d1_pkt.c 2015-01-12 17:38:21.708261411 +0100
-@@ -641,8 +641,6 @@ again:
- /* now s->packet_length == DTLS1_RT_HEADER_LENGTH */
- i=rr->length;
- n=ssl3_read_n(s,i,i,1);
-- if (n <= 0) return(n); /* error or non-blocking io */
--
- /* this packet contained a partial record, dump it */
- if ( n != i)
- {
-@@ -677,7 +675,8 @@ again:
- * would be dropped unnecessarily.
- */
- if (!(s->d1->listen && rr->type == SSL3_RT_HANDSHAKE &&
-- *p == SSL3_MT_CLIENT_HELLO) &&
-+ s->packet_length > DTLS1_RT_HEADER_LENGTH &&
-+ s->packet[DTLS1_RT_HEADER_LENGTH] == SSL3_MT_CLIENT_HELLO) &&
- !dtls1_record_replay_check(s, bitmap))
- {
- rr->length = 0;
-diff -up openssl-1.0.1e/ssl/s3_pkt.c.dtls1-reads openssl-1.0.1e/ssl/s3_pkt.c
---- openssl-1.0.1e/ssl/s3_pkt.c.dtls1-reads 2015-01-12 17:31:41.680214453 +0100
-+++ openssl-1.0.1e/ssl/s3_pkt.c 2015-01-12 17:38:06.721922482 +0100
-@@ -182,6 +182,8 @@ int ssl3_read_n(SSL *s, int n, int max,
- * at once (as long as it fits into the buffer). */
- if (SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER)
- {
-+ if (left == 0 && extend)
-+ return 0;
- if (left > 0 && n > left)
- n = left;
- }
diff --git a/SOURCES/openssl-1.0.1e-cve-2014-3572.patch b/SOURCES/openssl-1.0.1e-cve-2014-3572.patch
deleted file mode 100644
index 013876b..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2014-3572.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-diff -up openssl-1.0.1e/ssl/s3_clnt.c.ecdh-downgrade openssl-1.0.1e/ssl/s3_clnt.c
---- openssl-1.0.1e/ssl/s3_clnt.c.ecdh-downgrade 2015-01-12 16:37:49.978126895 +0100
-+++ openssl-1.0.1e/ssl/s3_clnt.c 2015-01-12 17:02:01.740959687 +0100
-@@ -1287,6 +1287,8 @@ int ssl3_get_key_exchange(SSL *s)
- int encoded_pt_len = 0;
- #endif
-
-+ EVP_MD_CTX_init(&md_ctx);
-+
- /* use same message size as in ssl3_get_certificate_request()
- * as ServerKeyExchange message may be skipped */
- n=s->method->ssl_get_message(s,
-@@ -1297,14 +1299,26 @@ int ssl3_get_key_exchange(SSL *s)
- &ok);
- if (!ok) return((int)n);
-
-+ alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
-+
- if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE)
- {
-+ /*
-+ * Can't skip server key exchange if this is an ephemeral
-+ * ciphersuite.
-+ */
-+ if (alg_k & (SSL_kEDH|SSL_kEECDH))
-+ {
-+ SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_UNEXPECTED_MESSAGE);
-+ al = SSL_AD_UNEXPECTED_MESSAGE;
-+ goto f_err;
-+ }
- #ifndef OPENSSL_NO_PSK
- /* In plain PSK ciphersuite, ServerKeyExchange can be
- omitted if no identity hint is sent. Set
- session->sess_cert anyway to avoid problems
- later.*/
-- if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)
-+ if (alg_k & SSL_kPSK)
- {
- s->session->sess_cert=ssl_sess_cert_new();
- if (s->ctx->psk_identity_hint)
-@@ -1347,9 +1361,8 @@ int ssl3_get_key_exchange(SSL *s)
- }
-
- param_len=0;
-- alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
-+
- alg_a=s->s3->tmp.new_cipher->algorithm_auth;
-- EVP_MD_CTX_init(&md_ctx);
-
- #ifndef OPENSSL_NO_PSK
- if (alg_k & SSL_kPSK)
diff --git a/SOURCES/openssl-1.0.1e-cve-2014-8176.patch b/SOURCES/openssl-1.0.1e-cve-2014-8176.patch
deleted file mode 100644
index 052b907..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2014-8176.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From bcc311668ede6ffdcd6dc5a65454a548b5404fcc Mon Sep 17 00:00:00 2001
-From: zhu qun-ying <qunying@yahoo.com>
-Date: Mon, 2 Jun 2014 14:38:52 +0100
-Subject: [PATCH] Free up s->d1->buffered_app_data.q properly.
-
-PR#3286
-(cherry picked from commit 71e95000afb2227fe5cac1c79ae884338bcd8d0b)
----
- ssl/d1_lib.c | 9 ++++++---
- 1 file changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
-index 106939f..6bde16f 100644
---- a/ssl/d1_lib.c
-+++ b/ssl/d1_lib.c
-@@ -176,9 +176,12 @@ static void dtls1_clear_queues(SSL *s)
-
- while ( (item = pqueue_pop(s->d1->buffered_app_data.q)) != NULL)
- {
-- frag = (hm_fragment *)item->data;
-- OPENSSL_free(frag->fragment);
-- OPENSSL_free(frag);
-+ rdata = (DTLS1_RECORD_DATA *) item->data;
-+ if (rdata->rbuf.buf)
-+ {
-+ OPENSSL_free(rdata->rbuf.buf);
-+ }
-+ OPENSSL_free(item->data);
- pitem_free(item);
- }
- }
---
-2.1.0
-
diff --git a/SOURCES/openssl-1.0.1e-cve-2014-8275.patch b/SOURCES/openssl-1.0.1e-cve-2014-8275.patch
deleted file mode 100644
index 91041ac..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2014-8275.patch
+++ /dev/null
@@ -1,202 +0,0 @@
-diff -up openssl-1.0.1e/crypto/asn1/a_bitstr.c.cert-fingerprint openssl-1.0.1e/crypto/asn1/a_bitstr.c
---- openssl-1.0.1e/crypto/asn1/a_bitstr.c.cert-fingerprint 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/asn1/a_bitstr.c 2015-01-13 12:23:36.090478923 +0100
-@@ -136,11 +136,16 @@ ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN
-
- p= *pp;
- i= *(p++);
-+ if (i > 7)
-+ {
-+ i=ASN1_R_INVALID_BIT_STRING_BITS_LEFT;
-+ goto err;
-+ }
- /* We do this to preserve the settings. If we modify
- * the settings, via the _set_bit function, we will recalculate
- * on output */
- ret->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07); /* clear */
-- ret->flags|=(ASN1_STRING_FLAG_BITS_LEFT|(i&0x07)); /* set */
-+ ret->flags|=(ASN1_STRING_FLAG_BITS_LEFT|i); /* set */
-
- if (len-- > 1) /* using one because of the bits left byte */
- {
-diff -up openssl-1.0.1e/crypto/asn1/asn1_err.c.cert-fingerprint openssl-1.0.1e/crypto/asn1/asn1_err.c
---- openssl-1.0.1e/crypto/asn1/asn1_err.c.cert-fingerprint 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/asn1/asn1_err.c 2015-01-13 12:23:36.090478923 +0100
-@@ -246,6 +246,7 @@ static ERR_STRING_DATA ASN1_str_reasons[
- {ERR_REASON(ASN1_R_ILLEGAL_TIME_VALUE) ,"illegal time value"},
- {ERR_REASON(ASN1_R_INTEGER_NOT_ASCII_FORMAT),"integer not ascii format"},
- {ERR_REASON(ASN1_R_INTEGER_TOO_LARGE_FOR_LONG),"integer too large for long"},
-+{ERR_REASON(ASN1_R_INVALID_BIT_STRING_BITS_LEFT),"invalid bit string bits left"},
- {ERR_REASON(ASN1_R_INVALID_BMPSTRING_LENGTH),"invalid bmpstring length"},
- {ERR_REASON(ASN1_R_INVALID_DIGIT) ,"invalid digit"},
- {ERR_REASON(ASN1_R_INVALID_MIME_TYPE) ,"invalid mime type"},
-diff -up openssl-1.0.1e/crypto/asn1/asn1.h.cert-fingerprint openssl-1.0.1e/crypto/asn1/asn1.h
---- openssl-1.0.1e/crypto/asn1/asn1.h.cert-fingerprint 2015-01-13 11:44:11.999013082 +0100
-+++ openssl-1.0.1e/crypto/asn1/asn1.h 2015-01-13 12:23:36.090478923 +0100
-@@ -776,7 +776,7 @@ DECLARE_ASN1_FUNCTIONS_fname(ASN1_TYPE,
- int ASN1_TYPE_get(ASN1_TYPE *a);
- void ASN1_TYPE_set(ASN1_TYPE *a, int type, void *value);
- int ASN1_TYPE_set1(ASN1_TYPE *a, int type, const void *value);
--int ASN1_TYPE_cmp(ASN1_TYPE *a, ASN1_TYPE *b);
-+int ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b);
-
- ASN1_OBJECT * ASN1_OBJECT_new(void );
- void ASN1_OBJECT_free(ASN1_OBJECT *a);
-@@ -1329,6 +1329,7 @@ void ERR_load_ASN1_strings(void);
- #define ASN1_R_ILLEGAL_TIME_VALUE 184
- #define ASN1_R_INTEGER_NOT_ASCII_FORMAT 185
- #define ASN1_R_INTEGER_TOO_LARGE_FOR_LONG 128
-+#define ASN1_R_INVALID_BIT_STRING_BITS_LEFT 220
- #define ASN1_R_INVALID_BMPSTRING_LENGTH 129
- #define ASN1_R_INVALID_DIGIT 130
- #define ASN1_R_INVALID_MIME_TYPE 205
-diff -up openssl-1.0.1e/crypto/asn1/a_type.c.cert-fingerprint openssl-1.0.1e/crypto/asn1/a_type.c
---- openssl-1.0.1e/crypto/asn1/a_type.c.cert-fingerprint 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/asn1/a_type.c 2015-01-13 12:43:36.779633480 +0100
-@@ -113,7 +113,7 @@ IMPLEMENT_STACK_OF(ASN1_TYPE)
- IMPLEMENT_ASN1_SET_OF(ASN1_TYPE)
-
- /* Returns 0 if they are equal, != 0 otherwise. */
--int ASN1_TYPE_cmp(ASN1_TYPE *a, ASN1_TYPE *b)
-+int ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b)
- {
- int result = -1;
-
-diff -up openssl-1.0.1e/crypto/asn1/a_verify.c.cert-fingerprint openssl-1.0.1e/crypto/asn1/a_verify.c
---- openssl-1.0.1e/crypto/asn1/a_verify.c.cert-fingerprint 2015-01-13 11:44:12.308020070 +0100
-+++ openssl-1.0.1e/crypto/asn1/a_verify.c 2015-01-13 11:44:12.413022445 +0100
-@@ -93,6 +93,12 @@ int ASN1_verify(i2d_of_void *i2d, X509_A
- ASN1err(ASN1_F_ASN1_VERIFY,ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
- goto err;
- }
-+
-+ if (signature->type == V_ASN1_BIT_STRING && signature->flags & 0x7)
-+ {
-+ ASN1err(ASN1_F_ASN1_VERIFY, ASN1_R_INVALID_BIT_STRING_BITS_LEFT);
-+ goto err;
-+ }
-
- inl=i2d(data,NULL);
- buf_in=OPENSSL_malloc((unsigned int)inl);
-@@ -149,6 +155,12 @@ int ASN1_item_verify(const ASN1_ITEM *it
- return -1;
- }
-
-+ if (signature->type == V_ASN1_BIT_STRING && signature->flags & 0x7)
-+ {
-+ ASN1err(ASN1_F_ASN1_ITEM_VERIFY, ASN1_R_INVALID_BIT_STRING_BITS_LEFT);
-+ return -1;
-+ }
-+
- EVP_MD_CTX_init(&ctx);
-
- /* Convert signature OID into digest and public key OIDs */
-diff -up openssl-1.0.1e/crypto/asn1/x_algor.c.cert-fingerprint openssl-1.0.1e/crypto/asn1/x_algor.c
---- openssl-1.0.1e/crypto/asn1/x_algor.c.cert-fingerprint 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/asn1/x_algor.c 2015-01-13 12:43:36.780633502 +0100
-@@ -142,3 +142,14 @@ void X509_ALGOR_set_md(X509_ALGOR *alg,
- X509_ALGOR_set0(alg, OBJ_nid2obj(EVP_MD_type(md)), param_type, NULL);
-
- }
-+
-+int X509_ALGOR_cmp(const X509_ALGOR *a, const X509_ALGOR *b)
-+ {
-+ int rv;
-+ rv = OBJ_cmp(a->algorithm, b->algorithm);
-+ if (rv)
-+ return rv;
-+ if (!a->parameter && !b->parameter)
-+ return 0;
-+ return ASN1_TYPE_cmp(a->parameter, b->parameter);
-+ }
-diff -up openssl-1.0.1e/crypto/dsa/dsa_asn1.c.cert-fingerprint openssl-1.0.1e/crypto/dsa/dsa_asn1.c
---- openssl-1.0.1e/crypto/dsa/dsa_asn1.c.cert-fingerprint 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/dsa/dsa_asn1.c 2015-01-13 11:44:12.414022468 +0100
-@@ -176,13 +176,25 @@ int DSA_verify(int type, const unsigned
- const unsigned char *sigbuf, int siglen, DSA *dsa)
- {
- DSA_SIG *s;
-+ const unsigned char *p = sigbuf;
-+ unsigned char *der = NULL;
-+ int derlen = -1;
- int ret=-1;
-
- s = DSA_SIG_new();
- if (s == NULL) return(ret);
-- if (d2i_DSA_SIG(&s,&sigbuf,siglen) == NULL) goto err;
-+ if (d2i_DSA_SIG(&s,&p,siglen) == NULL) goto err;
-+ /* Ensure signature uses DER and doesn't have trailing garbage */
-+ derlen = i2d_DSA_SIG(s, &der);
-+ if (derlen != siglen || memcmp(sigbuf, der, derlen))
-+ goto err;
- ret=DSA_do_verify(dgst,dgst_len,s,dsa);
- err:
-+ if (derlen > 0)
-+ {
-+ OPENSSL_cleanse(der, derlen);
-+ OPENSSL_free(der);
-+ }
- DSA_SIG_free(s);
- return(ret);
- }
-diff -up openssl-1.0.1e/crypto/ecdsa/ecs_vrf.c.cert-fingerprint openssl-1.0.1e/crypto/ecdsa/ecs_vrf.c
---- openssl-1.0.1e/crypto/ecdsa/ecs_vrf.c.cert-fingerprint 2013-02-11 16:02:48.000000000 +0100
-+++ openssl-1.0.1e/crypto/ecdsa/ecs_vrf.c 2015-01-13 11:44:12.414022468 +0100
-@@ -57,6 +57,7 @@
- */
-
- #include "ecs_locl.h"
-+#include "cryptlib.h"
- #ifndef OPENSSL_NO_ENGINE
- #include <openssl/engine.h>
- #endif
-@@ -84,13 +85,25 @@ int ECDSA_verify(int type, const unsigne
- const unsigned char *sigbuf, int sig_len, EC_KEY *eckey)
- {
- ECDSA_SIG *s;
-+ const unsigned char *p = sigbuf;
-+ unsigned char *der = NULL;
-+ int derlen = -1;
- int ret=-1;
-
- s = ECDSA_SIG_new();
- if (s == NULL) return(ret);
-- if (d2i_ECDSA_SIG(&s, &sigbuf, sig_len) == NULL) goto err;
-+ if (d2i_ECDSA_SIG(&s, &p, sig_len) == NULL) goto err;
-+ /* Ensure signature uses DER and doesn't have trailing garbage */
-+ derlen = i2d_ECDSA_SIG(s, &der);
-+ if (derlen != sig_len || memcmp(sigbuf, der, derlen))
-+ goto err;
- ret=ECDSA_do_verify(dgst, dgst_len, s, eckey);
- err:
-+ if (derlen > 0)
-+ {
-+ OPENSSL_cleanse(der, derlen);
-+ OPENSSL_free(der);
-+ }
- ECDSA_SIG_free(s);
- return(ret);
- }
-diff -up openssl-1.0.1e/crypto/x509/x_all.c.cert-fingerprint openssl-1.0.1e/crypto/x509/x_all.c
---- openssl-1.0.1e/crypto/x509/x_all.c.cert-fingerprint 2015-01-13 11:44:12.330020568 +0100
-+++ openssl-1.0.1e/crypto/x509/x_all.c 2015-01-13 11:44:12.414022468 +0100
-@@ -72,6 +72,8 @@
-
- int X509_verify(X509 *a, EVP_PKEY *r)
- {
-+ if (X509_ALGOR_cmp(a->sig_alg, a->cert_info->signature))
-+ return 0;
- return(ASN1_item_verify(ASN1_ITEM_rptr(X509_CINF),a->sig_alg,
- a->signature,a->cert_info,r));
- }
-diff -up openssl-1.0.1e/crypto/x509/x509.h.cert-fingerprint openssl-1.0.1e/crypto/x509/x509.h
---- openssl-1.0.1e/crypto/x509/x509.h.cert-fingerprint 2015-01-13 11:44:12.126015954 +0100
-+++ openssl-1.0.1e/crypto/x509/x509.h 2015-01-13 12:43:36.780633502 +0100
-@@ -768,6 +768,7 @@ int X509_ALGOR_set0(X509_ALGOR *alg, ASN
- void X509_ALGOR_get0(ASN1_OBJECT **paobj, int *pptype, void **ppval,
- X509_ALGOR *algor);
- void X509_ALGOR_set_md(X509_ALGOR *alg, const EVP_MD *md);
-+int X509_ALGOR_cmp(const X509_ALGOR *a, const X509_ALGOR *b);
-
- X509_NAME *X509_NAME_dup(X509_NAME *xn);
- X509_NAME_ENTRY *X509_NAME_ENTRY_dup(X509_NAME_ENTRY *ne);
diff --git a/SOURCES/openssl-1.0.1e-cve-2015-0204.patch b/SOURCES/openssl-1.0.1e-cve-2015-0204.patch
deleted file mode 100644
index 527f7c5..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2015-0204.patch
+++ /dev/null
@@ -1,158 +0,0 @@
-diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_set_options.pod.rsa-ephemeral openssl-1.0.1e/doc/ssl/SSL_CTX_set_options.pod
---- openssl-1.0.1e/doc/ssl/SSL_CTX_set_options.pod.rsa-ephemeral 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_options.pod 2015-01-13 11:15:25.096957795 +0100
-@@ -151,15 +151,7 @@ temporary/ephemeral DH parameters are us
-
- =item SSL_OP_EPHEMERAL_RSA
-
--Always use ephemeral (temporary) RSA key when doing RSA operations
--(see L<SSL_CTX_set_tmp_rsa_callback(3)|SSL_CTX_set_tmp_rsa_callback(3)>).
--According to the specifications this is only done, when a RSA key
--can only be used for signature operations (namely under export ciphers
--with restricted RSA keylength). By setting this option, ephemeral
--RSA keys are always used. This option breaks compatibility with the
--SSL/TLS specifications and may lead to interoperability problems with
--clients and should therefore never be used. Ciphers with EDH (ephemeral
--Diffie-Hellman) key exchange should be used instead.
-+This option is no longer implemented and is treated as no op.
-
- =item SSL_OP_CIPHER_SERVER_PREFERENCE
-
-diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod.rsa-ephemeral openssl-1.0.1e/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod
---- openssl-1.0.1e/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod.rsa-ephemeral 2013-02-11 16:02:48.000000000 +0100
-+++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod 2015-01-13 11:15:25.096957795 +0100
-@@ -74,21 +74,14 @@ exchange and use EDH (Ephemeral Diffie-H
- in order to achieve forward secrecy (see
- L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>).
-
--On OpenSSL servers ephemeral RSA key exchange is therefore disabled by default
--and must be explicitly enabled using the SSL_OP_EPHEMERAL_RSA option of
--L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)>, violating the TLS/SSL
--standard. When ephemeral RSA key exchange is required for export ciphers,
--it will automatically be used without this option!
--
--An application may either directly specify the key or can supply the key via
--a callback function. The callback approach has the advantage, that the
--callback may generate the key only in case it is actually needed. As the
--generation of a RSA key is however costly, it will lead to a significant
--delay in the handshake procedure. Another advantage of the callback function
--is that it can supply keys of different size (e.g. for SSL_OP_EPHEMERAL_RSA
--usage) while the explicit setting of the key is only useful for key size of
--512 bits to satisfy the export restricted ciphers and does give away key length
--if a longer key would be allowed.
-+An application may either directly specify the key or can supply the key via a
-+callback function. The callback approach has the advantage, that the callback
-+may generate the key only in case it is actually needed. As the generation of a
-+RSA key is however costly, it will lead to a significant delay in the handshake
-+procedure. Another advantage of the callback function is that it can supply
-+keys of different size while the explicit setting of the key is only useful for
-+key size of 512 bits to satisfy the export restricted ciphers and does give
-+away key length if a longer key would be allowed.
-
- The B<tmp_rsa_callback> is called with the B<keylength> needed and
- the B<is_export> information. The B<is_export> flag is set, when the
-diff -up openssl-1.0.1e/CHANGES.rsa-ephemeral openssl-1.0.1e/CHANGES
-diff -up openssl-1.0.1e/ssl/d1_srvr.c.rsa-ephemeral openssl-1.0.1e/ssl/d1_srvr.c
---- openssl-1.0.1e/ssl/d1_srvr.c.rsa-ephemeral 2015-01-12 17:49:04.912808002 +0100
-+++ openssl-1.0.1e/ssl/d1_srvr.c 2015-01-13 11:15:25.096957795 +0100
-@@ -450,24 +450,15 @@ int dtls1_accept(SSL *s)
- case SSL3_ST_SW_KEY_EXCH_B:
- alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
-
-- /* clear this, it may get reset by
-- * send_server_key_exchange */
-- if ((s->options & SSL_OP_EPHEMERAL_RSA)
--#ifndef OPENSSL_NO_KRB5
-- && !(alg_k & SSL_kKRB5)
--#endif /* OPENSSL_NO_KRB5 */
-- )
-- /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
-- * even when forbidden by protocol specs
-- * (handshake may fail as clients are not required to
-- * be able to handle this) */
-- s->s3->tmp.use_rsa_tmp=1;
-- else
-- s->s3->tmp.use_rsa_tmp=0;
-+ /*
-+ * clear this, it may get reset by
-+ * send_server_key_exchange
-+ */
-+ s->s3->tmp.use_rsa_tmp=0;
-
- /* only send if a DH key exchange or
- * RSA but we have a sign only certificate */
-- if (s->s3->tmp.use_rsa_tmp
-+ if (0
- /* PSK: send ServerKeyExchange if PSK identity
- * hint if provided */
- #ifndef OPENSSL_NO_PSK
-diff -up openssl-1.0.1e/ssl/ssl.h.rsa-ephemeral openssl-1.0.1e/ssl/ssl.h
---- openssl-1.0.1e/ssl/ssl.h.rsa-ephemeral 2015-01-12 17:49:04.936808545 +0100
-+++ openssl-1.0.1e/ssl/ssl.h 2015-01-13 11:15:25.098957840 +0100
-@@ -587,9 +587,8 @@ struct ssl_session_st
- #define SSL_OP_SINGLE_ECDH_USE 0x00080000L
- /* If set, always create a new key when using tmp_dh parameters */
- #define SSL_OP_SINGLE_DH_USE 0x00100000L
--/* Set to always use the tmp_rsa key when doing RSA operations,
-- * even when this violates protocol specs */
--#define SSL_OP_EPHEMERAL_RSA 0x00200000L
-+/* Does nothing: retained for compatibiity */
-+#define SSL_OP_EPHEMERAL_RSA 0x0
- /* Set on servers to choose the cipher according to the server's
- * preferences */
- #define SSL_OP_CIPHER_SERVER_PREFERENCE 0x00400000L
-diff -up openssl-1.0.1e/ssl/s3_clnt.c.rsa-ephemeral openssl-1.0.1e/ssl/s3_clnt.c
---- openssl-1.0.1e/ssl/s3_clnt.c.rsa-ephemeral 2015-01-12 17:49:04.946808771 +0100
-+++ openssl-1.0.1e/ssl/s3_clnt.c 2015-01-13 11:15:25.097957817 +0100
-@@ -1492,6 +1492,13 @@ int ssl3_get_key_exchange(SSL *s)
- #ifndef OPENSSL_NO_RSA
- if (alg_k & SSL_kRSA)
- {
-+ /* Temporary RSA keys only allowed in export ciphersuites */
-+ if (!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher))
-+ {
-+ al=SSL_AD_UNEXPECTED_MESSAGE;
-+ SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
-+ goto f_err;
-+ }
- if ((rsa=RSA_new()) == NULL)
- {
- SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
-diff -up openssl-1.0.1e/ssl/s3_srvr.c.rsa-ephemeral openssl-1.0.1e/ssl/s3_srvr.c
---- openssl-1.0.1e/ssl/s3_srvr.c.rsa-ephemeral 2015-01-12 17:51:32.044135496 +0100
-+++ openssl-1.0.1e/ssl/s3_srvr.c 2015-01-13 11:15:25.098957840 +0100
-@@ -441,20 +441,11 @@ int ssl3_accept(SSL *s)
- case SSL3_ST_SW_KEY_EXCH_B:
- alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
-
-- /* clear this, it may get reset by
-- * send_server_key_exchange */
-- if ((s->options & SSL_OP_EPHEMERAL_RSA)
--#ifndef OPENSSL_NO_KRB5
-- && !(alg_k & SSL_kKRB5)
--#endif /* OPENSSL_NO_KRB5 */
-- )
-- /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
-- * even when forbidden by protocol specs
-- * (handshake may fail as clients are not required to
-- * be able to handle this) */
-- s->s3->tmp.use_rsa_tmp=1;
-- else
-- s->s3->tmp.use_rsa_tmp=0;
-+ /*
-+ * clear this, it may get reset by
-+ * send_server_key_exchange
-+ */
-+ s->s3->tmp.use_rsa_tmp=0;
-
-
- /* only send if a DH key exchange, fortezza or
-@@ -468,7 +459,7 @@ int ssl3_accept(SSL *s)
- * server certificate contains the server's
- * public key for key exchange.
- */
-- if (s->s3->tmp.use_rsa_tmp
-+ if (0
- /* PSK: send ServerKeyExchange if PSK identity
- * hint if provided */
- #ifndef OPENSSL_NO_PSK
diff --git a/SOURCES/openssl-1.0.1e-cve-2015-0205.patch b/SOURCES/openssl-1.0.1e-cve-2015-0205.patch
deleted file mode 100644
index ff378ae..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2015-0205.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up openssl-1.0.1e/ssl/s3_srvr.c.dh-unauthenticated openssl-1.0.1e/ssl/s3_srvr.c
---- openssl-1.0.1e/ssl/s3_srvr.c.dh-unauthenticated 2015-01-12 17:49:04.930808409 +0100
-+++ openssl-1.0.1e/ssl/s3_srvr.c 2015-01-13 11:15:25.098957840 +0100
-@@ -2951,7 +2951,7 @@ int ssl3_get_cert_verify(SSL *s)
- if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY)
- {
- s->s3->tmp.reuse_message=1;
-- if ((peer != NULL) && (type & EVP_PKT_SIGN))
-+ if (peer != NULL)
- {
- al=SSL_AD_UNEXPECTED_MESSAGE;
- SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_MISSING_VERIFY_MESSAGE);
diff --git a/SOURCES/openssl-1.0.1e-cve-2015-0206.patch b/SOURCES/openssl-1.0.1e-cve-2015-0206.patch
deleted file mode 100644
index e2d1718..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2015-0206.patch
+++ /dev/null
@@ -1,116 +0,0 @@
-diff -up openssl-1.0.1e/ssl/d1_pkt.c.dtls-recleak openssl-1.0.1e/ssl/d1_pkt.c
---- openssl-1.0.1e/ssl/d1_pkt.c.dtls-rec-leak 2015-01-13 11:44:12.410022377 +0100
-+++ openssl-1.0.1e/ssl/d1_pkt.c 2015-01-13 11:50:40.062789458 +0100
-@@ -212,7 +212,7 @@ dtls1_buffer_record(SSL *s, record_pqueu
- /* Limit the size of the queue to prevent DOS attacks */
- if (pqueue_size(queue->q) >= 100)
- return 0;
--
-+
- rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
- item = pitem_new(priority, rdata);
- if (rdata == NULL || item == NULL)
-@@ -239,14 +239,6 @@ dtls1_buffer_record(SSL *s, record_pqueu
- }
- #endif
-
-- /* insert should not fail, since duplicates are dropped */
-- if (pqueue_insert(queue->q, item) == NULL)
-- {
-- OPENSSL_free(rdata);
-- pitem_free(item);
-- return(0);
-- }
--
- s->packet = NULL;
- s->packet_length = 0;
- memset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER));
-@@ -255,11 +247,24 @@ dtls1_buffer_record(SSL *s, record_pqueu
- if (!ssl3_setup_buffers(s))
- {
- SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR);
-+ if (rdata->rbuf.buf != NULL)
-+ OPENSSL_free(rdata->rbuf.buf);
- OPENSSL_free(rdata);
- pitem_free(item);
-- return(0);
-+ return(-1);
- }
--
-+
-+ /* insert should not fail, since duplicates are dropped */
-+ if (pqueue_insert(queue->q, item) == NULL)
-+ {
-+ SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR);
-+ if (rdata->rbuf.buf != NULL)
-+ OPENSSL_free(rdata->rbuf.buf);
-+ OPENSSL_free(rdata);
-+ pitem_free(item);
-+ return(-1);
-+ }
-+
- return(1);
- }
-
-@@ -313,8 +318,9 @@ dtls1_process_buffered_records(SSL *s)
- dtls1_get_unprocessed_record(s);
- if ( ! dtls1_process_record(s))
- return(0);
-- dtls1_buffer_record(s, &(s->d1->processed_rcds),
-- s->s3->rrec.seq_num);
-+ if(dtls1_buffer_record(s, &(s->d1->processed_rcds),
-+ s->s3->rrec.seq_num)<0)
-+ return -1;
- }
- }
-
-@@ -529,7 +535,6 @@ printf("\n");
-
- /* we have pulled in a full packet so zero things */
- s->packet_length=0;
-- dtls1_record_bitmap_update(s, &(s->d1->bitmap));/* Mark receipt of record. */
- return(1);
-
- f_err:
-@@ -562,7 +567,8 @@ int dtls1_get_record(SSL *s)
-
- /* The epoch may have changed. If so, process all the
- * pending records. This is a non-blocking operation. */
-- dtls1_process_buffered_records(s);
-+ if(dtls1_process_buffered_records(s)<0)
-+ return -1;
-
- /* if we're renegotiating, then there may be buffered records */
- if (dtls1_get_processed_record(s))
-@@ -699,7 +705,9 @@ again:
- {
- if ((SSL_in_init(s) || s->in_handshake) && !s->d1->listen)
- {
-- dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num);
-+ if(dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num)<0)
-+ return -1;
-+ dtls1_record_bitmap_update(s, bitmap);/* Mark receipt of record. */
- }
- rr->length = 0;
- s->packet_length = 0;
-@@ -712,6 +720,7 @@ again:
- s->packet_length = 0; /* dump this record */
- goto again; /* get another record */
- }
-+ dtls1_record_bitmap_update(s, bitmap);/* Mark receipt of record. */
-
- return(1);
-
-@@ -863,7 +872,11 @@ start:
- * buffer the application data for later processing rather
- * than dropping the connection.
- */
-- dtls1_buffer_record(s, &(s->d1->buffered_app_data), rr->seq_num);
-+ if(dtls1_buffer_record(s, &(s->d1->buffered_app_data), rr->seq_num)<0)
-+ {
-+ SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR);
-+ return -1;
-+ }
- rr->length = 0;
- goto start;
- }
diff --git a/SOURCES/openssl-1.0.1e-cve-2015-0209.patch b/SOURCES/openssl-1.0.1e-cve-2015-0209.patch
deleted file mode 100644
index 0ebcc56..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2015-0209.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-diff -up openssl-1.0.1e/crypto/asn1/x_x509.c.use-after-free openssl-1.0.1e/crypto/asn1/x_x509.c
---- openssl-1.0.1e/crypto/asn1/x_x509.c.use-after-free 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/asn1/x_x509.c 2015-06-11 11:14:52.581856349 +0200
-@@ -170,8 +170,14 @@ X509 *d2i_X509_AUX(X509 **a, const unsig
- {
- const unsigned char *q;
- X509 *ret;
-+ int freeret = 0;
-+
- /* Save start position */
- q = *pp;
-+
-+ if(!a || *a == NULL) {
-+ freeret = 1;
-+ }
- ret = d2i_X509(a, pp, length);
- /* If certificate unreadable then forget it */
- if(!ret) return NULL;
-@@ -181,7 +187,11 @@ X509 *d2i_X509_AUX(X509 **a, const unsig
- if(!d2i_X509_CERT_AUX(&ret->aux, pp, length)) goto err;
- return ret;
- err:
-- X509_free(ret);
-+ if(freeret) {
-+ X509_free(ret);
-+ if (a)
-+ *a = NULL;
-+ }
- return NULL;
- }
-
-diff -up openssl-1.0.1e/crypto/ec/ec_asn1.c.use-after-free openssl-1.0.1e/crypto/ec/ec_asn1.c
---- openssl-1.0.1e/crypto/ec/ec_asn1.c.use-after-free 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/ec/ec_asn1.c 2015-06-11 11:14:52.581856349 +0200
-@@ -1140,8 +1140,6 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, con
- ERR_R_MALLOC_FAILURE);
- goto err;
- }
-- if (a)
-- *a = ret;
- }
- else
- ret = *a;
-@@ -1206,11 +1204,13 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, con
- }
- }
-
-+ if (a)
-+ *a = ret;
- ok = 1;
- err:
- if (!ok)
- {
-- if (ret)
-+ if (ret && (a == NULL || *a != ret))
- EC_KEY_free(ret);
- ret = NULL;
- }
-@@ -1358,8 +1358,6 @@ EC_KEY *d2i_ECParameters(EC_KEY **a, con
- ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_MALLOC_FAILURE);
- return NULL;
- }
-- if (a)
-- *a = ret;
- }
- else
- ret = *a;
-@@ -1367,9 +1365,14 @@ EC_KEY *d2i_ECParameters(EC_KEY **a, con
- if (!d2i_ECPKParameters(&ret->group, in, len))
- {
- ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_EC_LIB);
-+ if (a == NULL || *a != ret)
-+ EC_KEY_free(ret);
- return NULL;
- }
-
-+ if (a)
-+ *a = ret;
-+
- return ret;
- }
-
diff --git a/SOURCES/openssl-1.0.1e-cve-2015-0286.patch b/SOURCES/openssl-1.0.1e-cve-2015-0286.patch
deleted file mode 100644
index 64ec2b7..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2015-0286.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff -up openssl-1.0.1e/crypto/asn1/a_type.c.bool-cmp openssl-1.0.1e/crypto/asn1/a_type.c
---- openssl-1.0.1e/crypto/asn1/a_type.c.bool-cmp 2015-03-18 13:02:36.000000000 +0100
-+++ openssl-1.0.1e/crypto/asn1/a_type.c 2015-03-18 14:38:07.111401390 +0100
-@@ -124,6 +124,9 @@ int ASN1_TYPE_cmp(const ASN1_TYPE *a, co
- case V_ASN1_OBJECT:
- result = OBJ_cmp(a->value.object, b->value.object);
- break;
-+ case V_ASN1_BOOLEAN:
-+ result = a->value.boolean - b->value.boolean;
-+ break;
- case V_ASN1_NULL:
- result = 0; /* They do not have content. */
- break;
diff --git a/SOURCES/openssl-1.0.1e-cve-2015-0287.patch b/SOURCES/openssl-1.0.1e-cve-2015-0287.patch
deleted file mode 100644
index f77b099..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2015-0287.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-diff -up openssl-1.0.1e/crypto/asn1/tasn_dec.c.item-reuse openssl-1.0.1e/crypto/asn1/tasn_dec.c
---- openssl-1.0.1e/crypto/asn1/tasn_dec.c.item-reuse 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/asn1/tasn_dec.c 2015-03-19 15:46:51.097022616 +0100
-@@ -310,9 +310,19 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval,
- case ASN1_ITYPE_CHOICE:
- if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
- goto auxerr;
--
-- /* Allocate structure */
-- if (!*pval && !ASN1_item_ex_new(pval, it))
-+ if (*pval)
-+ {
-+ /* Free up and zero CHOICE value if initialised */
-+ i = asn1_get_choice_selector(pval, it);
-+ if ((i >= 0) && (i < it->tcount))
-+ {
-+ tt = it->templates + i;
-+ pchptr = asn1_get_field_ptr(pval, tt);
-+ ASN1_template_free(pchptr, tt);
-+ asn1_set_choice_selector(pval, -1, it);
-+ }
-+ }
-+ else if (!ASN1_item_ex_new(pval, it))
- {
- ASN1err(ASN1_F_ASN1_ITEM_EX_D2I,
- ERR_R_NESTED_ASN1_ERROR);
-@@ -407,6 +417,19 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval,
- if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
- goto auxerr;
-
-+ /* Free up and zero any ADB found */
-+ for (i = 0, tt = it->templates; i < it->tcount; i++, tt++)
-+ {
-+ if (tt->flags & ASN1_TFLG_ADB_MASK)
-+ {
-+ const ASN1_TEMPLATE *seqtt;
-+ ASN1_VALUE **pseqval;
-+ seqtt = asn1_do_adb(pval, tt, 1);
-+ pseqval = asn1_get_field_ptr(pval, seqtt);
-+ ASN1_template_free(pseqval, seqtt);
-+ }
-+ }
-+
- /* Get each field entry */
- for (i = 0, tt = it->templates; i < it->tcount; i++, tt++)
- {
diff --git a/SOURCES/openssl-1.0.1e-cve-2015-0288.patch b/SOURCES/openssl-1.0.1e-cve-2015-0288.patch
deleted file mode 100644
index c8dc6b9..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2015-0288.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up openssl-1.0.1e/crypto/x509/x509_req.c.req-null-deref openssl-1.0.1e/crypto/x509/x509_req.c
---- openssl-1.0.1e/crypto/x509/x509_req.c.req-null-deref 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/x509/x509_req.c 2015-03-18 18:34:35.732448017 +0100
-@@ -92,6 +92,8 @@ X509_REQ *X509_to_X509_REQ(X509 *x, EVP_
- goto err;
-
- pktmp = X509_get_pubkey(x);
-+ if (pktmp == NULL)
-+ goto err;
- i=X509_REQ_set_pubkey(ret,pktmp);
- EVP_PKEY_free(pktmp);
- if (!i) goto err;
diff --git a/SOURCES/openssl-1.0.1e-cve-2015-0289.patch b/SOURCES/openssl-1.0.1e-cve-2015-0289.patch
deleted file mode 100644
index b52889d..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2015-0289.patch
+++ /dev/null
@@ -1,184 +0,0 @@
-diff -up openssl-1.0.1e/crypto/pkcs7/pk7_doit.c.pkcs7-null-deref openssl-1.0.1e/crypto/pkcs7/pk7_doit.c
---- openssl-1.0.1e/crypto/pkcs7/pk7_doit.c.pkcs7-null-deref 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/pkcs7/pk7_doit.c 2015-03-18 18:54:10.064871658 +0100
-@@ -272,6 +272,27 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
- PKCS7_RECIP_INFO *ri=NULL;
- ASN1_OCTET_STRING *os=NULL;
-
-+ if (p7 == NULL)
-+ {
-+ PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_INVALID_NULL_POINTER);
-+ return NULL;
-+ }
-+ /*
-+ * The content field in the PKCS7 ContentInfo is optional, but that really
-+ * only applies to inner content (precisely, detached signatures).
-+ *
-+ * When reading content, missing outer content is therefore treated as an
-+ * error.
-+ *
-+ * When creating content, PKCS7_content_new() must be called before
-+ * calling this method, so a NULL p7->d is always an error.
-+ */
-+ if (p7->d.ptr == NULL)
-+ {
-+ PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_NO_CONTENT);
-+ return NULL;
-+ }
-+
- i=OBJ_obj2nid(p7->type);
- p7->state=PKCS7_S_HEADER;
-
-@@ -433,6 +454,18 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
- unsigned char *ek = NULL, *tkey = NULL;
- int eklen = 0, tkeylen = 0;
-
-+ if (p7 == NULL)
-+ {
-+ PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_INVALID_NULL_POINTER);
-+ return NULL;
-+ }
-+
-+ if (p7->d.ptr == NULL)
-+ {
-+ PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_CONTENT);
-+ return NULL;
-+ }
-+
- i=OBJ_obj2nid(p7->type);
- p7->state=PKCS7_S_HEADER;
-
-@@ -440,6 +473,12 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
- {
- case NID_pkcs7_signed:
- data_body=PKCS7_get_octet_string(p7->d.sign->contents);
-+ if (!PKCS7_is_detached(p7) && data_body == NULL)
-+ {
-+ PKCS7err(PKCS7_F_PKCS7_DATADECODE,
-+ PKCS7_R_NO_CONTENT);
-+ goto err;
-+ }
- md_sk=p7->d.sign->md_algs;
- break;
- case NID_pkcs7_signedAndEnveloped:
-@@ -747,6 +786,18 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
- STACK_OF(PKCS7_SIGNER_INFO) *si_sk=NULL;
- ASN1_OCTET_STRING *os=NULL;
-
-+ if (p7 == NULL)
-+ {
-+ PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_INVALID_NULL_POINTER);
-+ return 0;
-+ }
-+
-+ if (p7->d.ptr == NULL)
-+ {
-+ PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_NO_CONTENT);
-+ return 0;
-+ }
-+
- EVP_MD_CTX_init(&ctx_tmp);
- i=OBJ_obj2nid(p7->type);
- p7->state=PKCS7_S_HEADER;
-@@ -791,6 +842,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
- /* If detached data then the content is excluded */
- if(PKCS7_type_is_data(p7->d.sign->contents) && p7->detached) {
- M_ASN1_OCTET_STRING_free(os);
-+ os = NULL;
- p7->d.sign->contents->d.data = NULL;
- }
- break;
-@@ -801,6 +853,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
- if(PKCS7_type_is_data(p7->d.digest->contents) && p7->detached)
- {
- M_ASN1_OCTET_STRING_free(os);
-+ os = NULL;
- p7->d.digest->contents->d.data = NULL;
- }
- break;
-@@ -873,23 +926,32 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
- M_ASN1_OCTET_STRING_set(p7->d.digest->digest, md_data, md_len);
- }
-
-- if (!PKCS7_is_detached(p7) && !(os->flags & ASN1_STRING_FLAG_NDEF))
-+ if (!PKCS7_is_detached(p7))
- {
-- char *cont;
-- long contlen;
-- btmp=BIO_find_type(bio,BIO_TYPE_MEM);
-- if (btmp == NULL)
-- {
-- PKCS7err(PKCS7_F_PKCS7_DATAFINAL,PKCS7_R_UNABLE_TO_FIND_MEM_BIO);
-+ /*
-+ * NOTE(emilia): I think we only reach os == NULL here because detached
-+ * digested data support is broken.
-+ */
-+ if (os == NULL)
- goto err;
-+ if (!(os->flags & ASN1_STRING_FLAG_NDEF))
-+ {
-+ char *cont;
-+ long contlen;
-+ btmp=BIO_find_type(bio,BIO_TYPE_MEM);
-+ if (btmp == NULL)
-+ {
-+ PKCS7err(PKCS7_F_PKCS7_DATAFINAL,PKCS7_R_UNABLE_TO_FIND_MEM_BIO);
-+ goto err;
-+ }
-+ contlen = BIO_get_mem_data(btmp, &cont);
-+ /* Mark the BIO read only then we can use its copy of the data
-+ * instead of making an extra copy.
-+ */
-+ BIO_set_flags(btmp, BIO_FLAGS_MEM_RDONLY);
-+ BIO_set_mem_eof_return(btmp, 0);
-+ ASN1_STRING_set0(os, (unsigned char *)cont, contlen);
- }
-- contlen = BIO_get_mem_data(btmp, &cont);
-- /* Mark the BIO read only then we can use its copy of the data
-- * instead of making an extra copy.
-- */
-- BIO_set_flags(btmp, BIO_FLAGS_MEM_RDONLY);
-- BIO_set_mem_eof_return(btmp, 0);
-- ASN1_STRING_set0(os, (unsigned char *)cont, contlen);
- }
- ret=1;
- err:
-@@ -928,6 +990,7 @@ int PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_
- if (EVP_DigestSignUpdate(&mctx,abuf,alen) <= 0)
- goto err;
- OPENSSL_free(abuf);
-+ abuf = NULL;
- if (EVP_DigestSignFinal(&mctx, NULL, &siglen) <= 0)
- goto err;
- abuf = OPENSSL_malloc(siglen);
-@@ -965,6 +1028,18 @@ int PKCS7_dataVerify(X509_STORE *cert_st
- STACK_OF(X509) *cert;
- X509 *x509;
-
-+ if (p7 == NULL)
-+ {
-+ PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_INVALID_NULL_POINTER);
-+ return 0;
-+ }
-+
-+ if (p7->d.ptr == NULL)
-+ {
-+ PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_NO_CONTENT);
-+ return 0;
-+ }
-+
- if (PKCS7_type_is_signed(p7))
- {
- cert=p7->d.sign->cert;
-diff -up openssl-1.0.1e/crypto/pkcs7/pk7_lib.c.pkcs7-null-deref openssl-1.0.1e/crypto/pkcs7/pk7_lib.c
---- openssl-1.0.1e/crypto/pkcs7/pk7_lib.c.pkcs7-null-deref 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/pkcs7/pk7_lib.c 2015-03-18 18:05:58.398767116 +0100
-@@ -459,6 +459,8 @@ int PKCS7_set_digest(PKCS7 *p7, const EV
-
- STACK_OF(PKCS7_SIGNER_INFO) *PKCS7_get_signer_info(PKCS7 *p7)
- {
-+ if (p7 == NULL || p7->d.ptr == NULL)
-+ return NULL;
- if (PKCS7_type_is_signed(p7))
- {
- return(p7->d.sign->signer_info);
diff --git a/SOURCES/openssl-1.0.1e-cve-2015-0292.patch b/SOURCES/openssl-1.0.1e-cve-2015-0292.patch
deleted file mode 100644
index dd6a737..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2015-0292.patch
+++ /dev/null
@@ -1,11 +0,0 @@
-diff -up openssl-1.0.1e/crypto/evp/encode.c.b64-underflow openssl-1.0.1e/crypto/evp/encode.c
---- openssl-1.0.1e/crypto/evp/encode.c.b64-underflow 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/evp/encode.c 2015-03-18 18:16:26.452331934 +0100
-@@ -324,6 +324,7 @@ int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx
- v=EVP_DecodeBlock(out,d,n);
- n=0;
- if (v < 0) { rv=0; goto end; }
-+ if (eof > v) { rv=-1; goto end; }
- ret+=(v-eof);
- }
- else
diff --git a/SOURCES/openssl-1.0.1e-cve-2015-0293.patch b/SOURCES/openssl-1.0.1e-cve-2015-0293.patch
deleted file mode 100644
index 1ca78b3..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2015-0293.patch
+++ /dev/null
@@ -1,102 +0,0 @@
-diff -up openssl-1.0.1e/ssl/s2_lib.c.ssl2-assert openssl-1.0.1e/ssl/s2_lib.c
---- openssl-1.0.1e/ssl/s2_lib.c.ssl2-assert 2015-03-18 13:02:36.000000000 +0100
-+++ openssl-1.0.1e/ssl/s2_lib.c 2015-03-18 18:22:20.195322489 +0100
-@@ -488,7 +488,7 @@ int ssl2_generate_key_material(SSL *s)
-
- OPENSSL_assert(s->session->master_key_length >= 0
- && s->session->master_key_length
-- < (int)sizeof(s->session->master_key));
-+ <= (int)sizeof(s->session->master_key));
- EVP_DigestUpdate(&ctx,s->session->master_key,s->session->master_key_length);
- EVP_DigestUpdate(&ctx,&c,1);
- c++;
-diff -up openssl-1.0.1e/ssl/s2_srvr.c.ssl2-assert openssl-1.0.1e/ssl/s2_srvr.c
---- openssl-1.0.1e/ssl/s2_srvr.c.ssl2-assert 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/ssl/s2_srvr.c 2015-03-18 18:30:11.403974038 +0100
-@@ -446,9 +446,6 @@ static int get_client_master_key(SSL *s)
- SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_NO_PRIVATEKEY);
- return(-1);
- }
-- i=ssl_rsa_private_decrypt(s->cert,s->s2->tmp.enc,
-- &(p[s->s2->tmp.clear]),&(p[s->s2->tmp.clear]),
-- (s->s2->ssl2_rollback)?RSA_SSLV23_PADDING:RSA_PKCS1_PADDING);
-
- is_export=SSL_C_IS_EXPORT(s->session->cipher);
-
-@@ -467,21 +464,61 @@ static int get_client_master_key(SSL *s)
- else
- ek=5;
-
-+ /*
-+ * The format of the CLIENT-MASTER-KEY message is
-+ * 1 byte message type
-+ * 3 bytes cipher
-+ * 2-byte clear key length (stored in s->s2->tmp.clear)
-+ * 2-byte encrypted key length (stored in s->s2->tmp.enc)
-+ * 2-byte key args length (IV etc)
-+ * clear key
-+ * encrypted key
-+ * key args
-+ *
-+ * If the cipher is an export cipher, then the encrypted key bytes
-+ * are a fixed portion of the total key (5 or 8 bytes). The size of
-+ * this portion is in |ek|. If the cipher is not an export cipher,
-+ * then the entire key material is encrypted (i.e., clear key length
-+ * must be zero).
-+ */
-+ if ((!is_export && s->s2->tmp.clear != 0) ||
-+ (is_export && s->s2->tmp.clear + ek != EVP_CIPHER_key_length(c)))
-+ {
-+ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
-+ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_BAD_LENGTH);
-+ return -1;
-+ }
-+ /*
-+ * The encrypted blob must decrypt to the encrypted portion of the key.
-+ * Decryption can't be expanding, so if we don't have enough encrypted
-+ * bytes to fit the key in the buffer, stop now.
-+ */
-+ if ((is_export && s->s2->tmp.enc < ek) ||
-+ (!is_export && s->s2->tmp.enc < EVP_CIPHER_key_length(c)))
-+ {
-+ ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
-+ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_LENGTH_TOO_SHORT);
-+ return -1;
-+ }
-+
-+ i = ssl_rsa_private_decrypt(s->cert, s->s2->tmp.enc,
-+ &(p[s->s2->tmp.clear]),
-+ &(p[s->s2->tmp.clear]),
-+ (s->s2->ssl2_rollback) ? RSA_SSLV23_PADDING : RSA_PKCS1_PADDING);
-+
- /* bad decrypt */
- #if 1
- /* If a bad decrypt, continue with protocol but with a
- * random master secret (Bleichenbacher attack) */
-- if ((i < 0) ||
-- ((!is_export && (i != EVP_CIPHER_key_length(c)))
-- || (is_export && ((i != ek) || (s->s2->tmp.clear+(unsigned int)i !=
-- (unsigned int)EVP_CIPHER_key_length(c))))))
-+ if ((i < 0) || ((!is_export && i != EVP_CIPHER_key_length(c))
-+ || (is_export && i != ek)))
- {
- ERR_clear_error();
- if (is_export)
- i=ek;
- else
- i=EVP_CIPHER_key_length(c);
-- if (RAND_pseudo_bytes(p,i) <= 0)
-+ if (RAND_pseudo_bytes(&p[s->s2->tmp.clear],i) <= 0)
- return 0;
- }
- #else
-@@ -505,7 +542,8 @@ static int get_client_master_key(SSL *s)
- }
- #endif
-
-- if (is_export) i+=s->s2->tmp.clear;
-+ if (is_export)
-+ i = EVP_CIPHER_key_length(c);
-
- if (i > SSL_MAX_MASTER_KEY_LENGTH)
- {
diff --git a/SOURCES/openssl-1.0.1e-cve-2015-1789.patch b/SOURCES/openssl-1.0.1e-cve-2015-1789.patch
deleted file mode 100644
index 8633a76..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2015-1789.patch
+++ /dev/null
@@ -1,103 +0,0 @@
-diff -up openssl-1.0.1e/crypto/x509/x509_vfy.c.oob-read openssl-1.0.1e/crypto/x509/x509_vfy.c
---- openssl-1.0.1e/crypto/x509/x509_vfy.c.oob-read 2015-05-25 12:03:41.000000000 +0200
-+++ openssl-1.0.1e/crypto/x509/x509_vfy.c 2015-06-09 15:01:51.688640453 +0200
-@@ -1702,49 +1702,92 @@ int X509_cmp_time(const ASN1_TIME *ctm,
- ASN1_TIME atm;
- long offset;
- char buff1[24],buff2[24],*p;
-- int i,j;
-+ int i, j, remaining;
-
- p=buff1;
-- i=ctm->length;
-+ remaining=ctm->length;
- str=(char *)ctm->data;
-+ /*
-+ * Note that the following (historical) code allows much more slack in the
-+ * time format than RFC5280. In RFC5280, the representation is fixed:
-+ * UTCTime: YYMMDDHHMMSSZ
-+ * GeneralizedTime: YYYYMMDDHHMMSSZ
-+ */
- if (ctm->type == V_ASN1_UTCTIME)
- {
-- if ((i < 11) || (i > 17)) return 0;
-+ /* YYMMDDHHMM[SS]Z or YYMMDDHHMM[SS](+-)hhmm */
-+ int min_length = sizeof("YYMMDDHHMMZ") - 1;
-+ int max_length = sizeof("YYMMDDHHMMSS+hhmm") - 1;
-+ if (remaining < min_length || remaining > max_length)
-+ return 0;
- memcpy(p,str,10);
- p+=10;
- str+=10;
-+ remaining -= 10;
- }
- else
- {
-- if (i < 13) return 0;
-+ /* YYYYMMDDHHMM[SS[.fff]]Z or YYYYMMDDHHMM[SS[.f[f[f]]]](+-)hhmm */
-+ int min_length = sizeof("YYYYMMDDHHMMZ") - 1;
-+ int max_length = sizeof("YYYYMMDDHHMMSS.fff+hhmm") - 1;
-+ if (remaining < min_length || remaining > max_length)
-+ return 0;
- memcpy(p,str,12);
- p+=12;
- str+=12;
-+ remaining -= 12;
- }
-
- if ((*str == 'Z') || (*str == '-') || (*str == '+'))
- { *(p++)='0'; *(p++)='0'; }
- else
- {
-+ /* SS (seconds) */
-+ if (remaining < 2)
-+ return 0;
- *(p++)= *(str++);
- *(p++)= *(str++);
-- /* Skip any fractional seconds... */
-- if (*str == '.')
-+ remaining -= 2;
-+ /*
-+ * Skip any (up to three) fractional seconds...
-+ * TODO(emilia): in RFC5280, fractional seconds are forbidden.
-+ * Can we just kill them altogether?
-+ */
-+ if (remaining && *str == '.')
- {
- str++;
-- while ((*str >= '0') && (*str <= '9')) str++;
-+ remaining--;
-+ for (i = 0; i < 3 && remaining; i++, str++, remaining--)
-+ {
-+ if (*str < '0' || *str > '9')
-+ break;
-+ }
- }
-
- }
- *(p++)='Z';
- *(p++)='\0';
-
-+ /* We now need either a terminating 'Z' or an offset. */
-+ if (!remaining)
-+ return 0;
- if (*str == 'Z')
-+ {
-+ if (remaining != 1)
-+ return 0;
- offset=0;
-+ }
- else
- {
-+ /* (+-)HHMM */
- if ((*str != '+') && (*str != '-'))
- return 0;
-+ /* Historical behaviour: the (+-)hhmm offset is forbidden in RFC5280. */
-+ if (remaining != 5)
-+ return 0;
-+ if (str[1] < '0' || str[1] > '9' || str[2] < '0' || str[2] > '9' ||
-+ str[3] < '0' || str[3] > '9' || str[4] < '0' || str[4] > '9')
-+ return 0;
- offset=((str[1]-'0')*10+(str[2]-'0'))*60;
- offset+=(str[3]-'0')*10+(str[4]-'0');
- if (*str == '-')
diff --git a/SOURCES/openssl-1.0.1e-cve-2015-1790.patch b/SOURCES/openssl-1.0.1e-cve-2015-1790.patch
deleted file mode 100644
index 3b30240..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2015-1790.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-diff -up openssl-1.0.1e/crypto/pkcs7/pk7_doit.c.missing-content openssl-1.0.1e/crypto/pkcs7/pk7_doit.c
---- openssl-1.0.1e/crypto/pkcs7/pk7_doit.c.missing-content 2015-05-25 12:03:41.000000000 +0200
-+++ openssl-1.0.1e/crypto/pkcs7/pk7_doit.c 2015-06-09 15:21:21.377951520 +0200
-@@ -472,6 +472,12 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
- switch (i)
- {
- case NID_pkcs7_signed:
-+ /*
-+ * p7->d.sign->contents is a PKCS7 structure consisting of a contentType
-+ * field and optional content.
-+ * data_body is NULL if that structure has no (=detached) content
-+ * or if the contentType is wrong (i.e., not "data").
-+ */
- data_body=PKCS7_get_octet_string(p7->d.sign->contents);
- if (!PKCS7_is_detached(p7) && data_body == NULL)
- {
-@@ -484,6 +490,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
- case NID_pkcs7_signedAndEnveloped:
- rsk=p7->d.signed_and_enveloped->recipientinfo;
- md_sk=p7->d.signed_and_enveloped->md_algs;
-+ /* data_body is NULL if the optional EncryptedContent is missing. */
- data_body=p7->d.signed_and_enveloped->enc_data->enc_data;
- enc_alg=p7->d.signed_and_enveloped->enc_data->algorithm;
- evp_cipher=EVP_get_cipherbyobj(enc_alg->algorithm);
-@@ -496,6 +503,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
- case NID_pkcs7_enveloped:
- rsk=p7->d.enveloped->recipientinfo;
- enc_alg=p7->d.enveloped->enc_data->algorithm;
-+ /* data_body is NULL if the optional EncryptedContent is missing. */
- data_body=p7->d.enveloped->enc_data->enc_data;
- evp_cipher=EVP_get_cipherbyobj(enc_alg->algorithm);
- if (evp_cipher == NULL)
-@@ -509,6 +517,13 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
- goto err;
- }
-
-+ /* Detached content must be supplied via in_bio instead. */
-+ if (data_body == NULL && in_bio == NULL)
-+ {
-+ PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_CONTENT);
-+ goto err;
-+ }
-+
- /* We will be checking the signature */
- if (md_sk != NULL)
- {
-@@ -665,7 +680,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
- }
-
- #if 1
-- if (PKCS7_is_detached(p7) || (in_bio != NULL))
-+ if (in_bio != NULL)
- {
- bio=in_bio;
- }
diff --git a/SOURCES/openssl-1.0.1e-cve-2015-1791.patch b/SOURCES/openssl-1.0.1e-cve-2015-1791.patch
deleted file mode 100644
index 2b6f315..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2015-1791.patch
+++ /dev/null
@@ -1,231 +0,0 @@
-diff -up openssl-1.0.1e/ssl/ssl_err.c.ticket-race openssl-1.0.1e/ssl/ssl_err.c
---- openssl-1.0.1e/ssl/ssl_err.c.ticket-race 2015-06-09 15:40:41.000000000 +0200
-+++ openssl-1.0.1e/ssl/ssl_err.c 2015-06-09 15:45:06.879198463 +0200
-@@ -245,6 +245,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
- {ERR_FUNC(SSL_F_SSL_READ), "SSL_read"},
- {ERR_FUNC(SSL_F_SSL_RSA_PRIVATE_DECRYPT), "SSL_RSA_PRIVATE_DECRYPT"},
- {ERR_FUNC(SSL_F_SSL_RSA_PUBLIC_ENCRYPT), "SSL_RSA_PUBLIC_ENCRYPT"},
-+{ERR_FUNC(SSL_F_SSL_SESSION_DUP), "ssl_session_dup"},
- {ERR_FUNC(SSL_F_SSL_SESSION_NEW), "SSL_SESSION_new"},
- {ERR_FUNC(SSL_F_SSL_SESSION_PRINT_FP), "SSL_SESSION_print_fp"},
- {ERR_FUNC(SSL_F_SSL_SESSION_SET1_ID_CONTEXT), "SSL_SESSION_set1_id_context"},
-diff -up openssl-1.0.1e/ssl/ssl.h.ticket-race openssl-1.0.1e/ssl/ssl.h
---- openssl-1.0.1e/ssl/ssl.h.ticket-race 2015-06-09 15:40:41.000000000 +0200
-+++ openssl-1.0.1e/ssl/ssl.h 2015-06-09 15:44:22.696191291 +0200
-@@ -2176,6 +2176,7 @@ void ERR_load_SSL_strings(void);
- #define SSL_F_SSL_READ 223
- #define SSL_F_SSL_RSA_PRIVATE_DECRYPT 187
- #define SSL_F_SSL_RSA_PUBLIC_ENCRYPT 188
-+#define SSL_F_SSL_SESSION_DUP 348
- #define SSL_F_SSL_SESSION_NEW 189
- #define SSL_F_SSL_SESSION_PRINT_FP 190
- #define SSL_F_SSL_SESSION_SET1_ID_CONTEXT 312
-diff -up openssl-1.0.1e/ssl/ssl_locl.h.ticket-race openssl-1.0.1e/ssl/ssl_locl.h
---- openssl-1.0.1e/ssl/ssl_locl.h.ticket-race 2015-06-09 15:40:41.000000000 +0200
-+++ openssl-1.0.1e/ssl/ssl_locl.h 2015-06-09 16:02:41.105243796 +0200
-@@ -822,6 +822,7 @@ void ssl_sess_cert_free(SESS_CERT *sc);
- int ssl_set_peer_cert_type(SESS_CERT *c, int type);
- int ssl_get_new_session(SSL *s, int session);
- int ssl_get_prev_session(SSL *s, unsigned char *session,int len, const unsigned char *limit);
-+SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket);
- int ssl_cipher_id_cmp(const SSL_CIPHER *a,const SSL_CIPHER *b);
- DECLARE_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER,
- ssl_cipher_id);
-diff -up openssl-1.0.1e/ssl/ssl_sess.c.ticket-race openssl-1.0.1e/ssl/ssl_sess.c
---- openssl-1.0.1e/ssl/ssl_sess.c.ticket-race 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/ssl/ssl_sess.c 2015-06-11 13:48:26.724348868 +0200
-@@ -224,6 +224,146 @@ SSL_SESSION *SSL_SESSION_new(void)
- return(ss);
- }
-
-+/*
-+ * Create a new SSL_SESSION and duplicate the contents of |src| into it. If
-+ * ticket == 0 then no ticket information is duplicated, otherwise it is.
-+ */
-+SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
-+{
-+ SSL_SESSION *dest;
-+
-+ dest = OPENSSL_malloc(sizeof(*src));
-+ if (dest == NULL)
-+ {
-+ goto err;
-+ }
-+ memcpy(dest, src, sizeof(*dest));
-+
-+ /*
-+ * Set the various pointers to NULL so that we can call SSL_SESSION_free in
-+ * the case of an error whilst halfway through constructing dest
-+ */
-+#ifndef OPENSSL_NO_PSK
-+ dest->psk_identity_hint = NULL;
-+ dest->psk_identity = NULL;
-+#endif
-+ dest->ciphers = NULL;
-+#ifndef OPENSSL_NO_TLSEXT
-+ dest->tlsext_hostname = NULL;
-+# ifndef OPENSSL_NO_EC
-+ dest->tlsext_ecpointformatlist = NULL;
-+ dest->tlsext_ellipticcurvelist = NULL;
-+# endif
-+#endif
-+ dest->tlsext_tick = NULL;
-+#ifndef OPENSSL_NO_SRP
-+ dest->srp_username = NULL;
-+#endif
-+ memset(&dest->ex_data, 0, sizeof(dest->ex_data));
-+
-+ /* We deliberately don't copy the prev and next pointers */
-+ dest->prev = NULL;
-+ dest->next = NULL;
-+
-+ dest->references = 1;
-+
-+ if (src->sess_cert != NULL)
-+ CRYPTO_add(&src->sess_cert->references, 1, CRYPTO_LOCK_SSL_SESS_CERT);
-+
-+ if (src->peer != NULL)
-+ CRYPTO_add(&src->peer->references, 1, CRYPTO_LOCK_X509);
-+
-+#ifndef OPENSSL_NO_PSK
-+ if (src->psk_identity_hint)
-+ {
-+ dest->psk_identity_hint = BUF_strdup(src->psk_identity_hint);
-+ if (dest->psk_identity_hint == NULL)
-+ {
-+ goto err;
-+ }
-+ }
-+ if (src->psk_identity)
-+ {
-+ dest->psk_identity = BUF_strdup(src->psk_identity);
-+ if (dest->psk_identity == NULL)
-+ {
-+ goto err;
-+ }
-+ }
-+#endif
-+
-+ if(src->ciphers != NULL)
-+ {
-+ dest->ciphers = sk_SSL_CIPHER_dup(src->ciphers);
-+ if (dest->ciphers == NULL)
-+ goto err;
-+ }
-+
-+ if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL_SESSION,
-+ &dest->ex_data, &src->ex_data))
-+ {
-+ goto err;
-+ }
-+
-+#ifndef OPENSSL_NO_TLSEXT
-+ if (src->tlsext_hostname)
-+ {
-+ dest->tlsext_hostname = BUF_strdup(src->tlsext_hostname);
-+ if (dest->tlsext_hostname == NULL)
-+ {
-+ goto err;
-+ }
-+ }
-+# ifndef OPENSSL_NO_EC
-+ if (src->tlsext_ecpointformatlist)
-+ {
-+ dest->tlsext_ecpointformatlist =
-+ BUF_memdup(src->tlsext_ecpointformatlist,
-+ src->tlsext_ecpointformatlist_length);
-+ if (dest->tlsext_ecpointformatlist == NULL)
-+ goto err;
-+ }
-+ if (src->tlsext_ellipticcurvelist)
-+ {
-+ dest->tlsext_ellipticcurvelist =
-+ BUF_memdup(src->tlsext_ellipticcurvelist,
-+ src->tlsext_ellipticcurvelist_length);
-+ if (dest->tlsext_ellipticcurvelist == NULL)
-+ goto err;
-+ }
-+# endif
-+#endif
-+
-+ if (ticket != 0)
-+ {
-+ dest->tlsext_tick = BUF_memdup(src->tlsext_tick, src->tlsext_ticklen);
-+ if(dest->tlsext_tick == NULL)
-+ goto err;
-+ }
-+ else
-+ {
-+ dest->tlsext_tick_lifetime_hint = 0;
-+ dest->tlsext_ticklen = 0;
-+ }
-+
-+#ifndef OPENSSL_NO_SRP
-+ if (src->srp_username)
-+ {
-+ dest->srp_username = BUF_strdup(src->srp_username);
-+ if (dest->srp_username == NULL)
-+ {
-+ goto err;
-+ }
-+ }
-+#endif
-+
-+ return dest;
-+err:
-+ SSLerr(SSL_F_SSL_SESSION_DUP, ERR_R_MALLOC_FAILURE);
-+ SSL_SESSION_free(dest);
-+ return NULL;
-+}
-+
- const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len)
- {
- if(len)
-diff -up openssl-1.0.1e/ssl/s3_clnt.c.ticket-race openssl-1.0.1e/ssl/s3_clnt.c
---- openssl-1.0.1e/ssl/s3_clnt.c.ticket-race 2015-06-09 15:40:41.000000000 +0200
-+++ openssl-1.0.1e/ssl/s3_clnt.c 2015-06-09 15:39:56.315119013 +0200
-@@ -2092,6 +2092,44 @@ int ssl3_get_new_session_ticket(SSL *s)
- }
-
- p=d=(unsigned char *)s->init_msg;
-+
-+ if (s->session->session_id_length > 0)
-+ {
-+ int i = s->session_ctx->session_cache_mode;
-+ SSL_SESSION *new_sess;
-+ /*
-+ * We reused an existing session, so we need to replace it with a new
-+ * one
-+ */
-+ if (i & SSL_SESS_CACHE_CLIENT)
-+ {
-+ /*
-+ * Remove the old session from the cache
-+ */
-+ if (i & SSL_SESS_CACHE_NO_INTERNAL_STORE)
-+ {
-+ if (s->session_ctx->remove_session_cb != NULL)
-+ s->session_ctx->remove_session_cb(s->session_ctx,
-+ s->session);
-+ }
-+ else
-+ {
-+ /* We carry on if this fails */
-+ SSL_CTX_remove_session(s->session_ctx, s->session);
-+ }
-+ }
-+
-+ if ((new_sess = ssl_session_dup(s->session, 0)) == 0)
-+ {
-+ al = SSL_AD_INTERNAL_ERROR;
-+ SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE);
-+ goto f_err;
-+ }
-+
-+ SSL_SESSION_free(s->session);
-+ s->session = new_sess;
-+ }
-+
- n2l(p, s->session->tlsext_tick_lifetime_hint);
- n2s(p, ticklen);
- /* ticket_lifetime_hint + ticket_length + ticket */
diff --git a/SOURCES/openssl-1.0.1e-cve-2015-1792.patch b/SOURCES/openssl-1.0.1e-cve-2015-1792.patch
deleted file mode 100644
index 5f2b0cd..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2015-1792.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up openssl-1.0.1e/crypto/cms/cms_smime.c.unknown-hash openssl-1.0.1e/crypto/cms/cms_smime.c
---- openssl-1.0.1e/crypto/cms/cms_smime.c.unknown-hash 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/cms/cms_smime.c 2015-06-09 16:07:16.001516190 +0200
-@@ -141,7 +141,7 @@ static void do_free_upto(BIO *f, BIO *up
- BIO_free(f);
- f = tbio;
- }
-- while (f != upto);
-+ while (f && f != upto);
- }
- else
- BIO_free_all(f);
diff --git a/SOURCES/openssl-1.0.1e-cve-2015-3194.patch b/SOURCES/openssl-1.0.1e-cve-2015-3194.patch
deleted file mode 100644
index 58b52f2..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2015-3194.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up openssl-1.0.1e/crypto/rsa/rsa_ameth.c.pss-check openssl-1.0.1e/crypto/rsa/rsa_ameth.c
---- openssl-1.0.1e/crypto/rsa/rsa_ameth.c.pss-check 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/rsa/rsa_ameth.c 2015-12-04 09:03:18.300660817 +0100
-@@ -287,7 +287,7 @@ static RSA_PSS_PARAMS *rsa_pss_decode(co
- {
- ASN1_TYPE *param = pss->maskGenAlgorithm->parameter;
- if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) == NID_mgf1
-- && param->type == V_ASN1_SEQUENCE)
-+ && param && param->type == V_ASN1_SEQUENCE)
- {
- p = param->value.sequence->data;
- plen = param->value.sequence->length;
diff --git a/SOURCES/openssl-1.0.1e-cve-2015-3195.patch b/SOURCES/openssl-1.0.1e-cve-2015-3195.patch
deleted file mode 100644
index 80f196f..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2015-3195.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-diff -up openssl-1.0.1e/crypto/asn1/tasn_dec.c.combine-leak openssl-1.0.1e/crypto/asn1/tasn_dec.c
---- openssl-1.0.1e/crypto/asn1/tasn_dec.c.combine-leak 2015-12-04 09:01:53.000000000 +0100
-+++ openssl-1.0.1e/crypto/asn1/tasn_dec.c 2015-12-04 09:09:30.629793475 +0100
-@@ -169,6 +169,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval,
- int otag;
- int ret = 0;
- ASN1_VALUE **pchptr, *ptmpval;
-+ int combine = aclass & ASN1_TFLG_COMBINE;
-+ aclass &= ~ASN1_TFLG_COMBINE;
- if (!pval)
- return 0;
- if (aux && aux->asn1_cb)
-@@ -539,7 +541,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval,
- auxerr:
- ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR);
- err:
-- ASN1_item_ex_free(pval, it);
-+ if (combine == 0)
-+ ASN1_item_ex_free(pval, it);
- if (errtt)
- ERR_add_error_data(4, "Field=", errtt->field_name,
- ", Type=", it->sname);
-@@ -767,7 +770,7 @@ static int asn1_template_noexp_d2i(ASN1_
- {
- /* Nothing special */
- ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
-- -1, 0, opt, ctx);
-+ -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx);
- if (!ret)
- {
- ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,
diff --git a/SOURCES/openssl-1.0.1e-cve-2015-3196.patch b/SOURCES/openssl-1.0.1e-cve-2015-3196.patch
deleted file mode 100644
index 19dc323..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2015-3196.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-diff -up openssl-1.0.1e/ssl/s3_clnt.c.psk-identity openssl-1.0.1e/ssl/s3_clnt.c
---- openssl-1.0.1e/ssl/s3_clnt.c.psk-identity 2015-12-04 09:01:53.000000000 +0100
-+++ openssl-1.0.1e/ssl/s3_clnt.c 2015-12-04 09:36:24.182010426 +0100
-@@ -1367,8 +1367,6 @@ int ssl3_get_key_exchange(SSL *s)
- #ifndef OPENSSL_NO_PSK
- if (alg_k & SSL_kPSK)
- {
-- char tmp_id_hint[PSK_MAX_IDENTITY_LEN+1];
--
- al=SSL_AD_HANDSHAKE_FAILURE;
- n2s(p,i);
- param_len=i+2;
-@@ -1389,16 +1387,8 @@ int ssl3_get_key_exchange(SSL *s)
- SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH);
- goto f_err;
- }
-- /* If received PSK identity hint contains NULL
-- * characters, the hint is truncated from the first
-- * NULL. p may not be ending with NULL, so create a
-- * NULL-terminated string. */
-- memcpy(tmp_id_hint, p, i);
-- memset(tmp_id_hint+i, 0, PSK_MAX_IDENTITY_LEN+1-i);
-- if (s->ctx->psk_identity_hint != NULL)
-- OPENSSL_free(s->ctx->psk_identity_hint);
-- s->ctx->psk_identity_hint = BUF_strdup(tmp_id_hint);
-- if (s->ctx->psk_identity_hint == NULL)
-+ s->session->psk_identity_hint = BUF_strndup((char *)p, i);
-+ if (s->session->psk_identity_hint == NULL)
- {
- SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
- goto f_err;
-@@ -2904,7 +2894,7 @@ int ssl3_send_client_key_exchange(SSL *s
- goto err;
- }
-
-- psk_len = s->psk_client_callback(s, s->ctx->psk_identity_hint,
-+ psk_len = s->psk_client_callback(s, s->session->psk_identity_hint,
- identity, PSK_MAX_IDENTITY_LEN,
- psk_or_pre_ms, sizeof(psk_or_pre_ms));
- if (psk_len > PSK_MAX_PSK_LEN)
-diff -up openssl-1.0.1e/ssl/s3_srvr.c.psk-identity openssl-1.0.1e/ssl/s3_srvr.c
---- openssl-1.0.1e/ssl/s3_srvr.c.psk-identity 2015-12-04 09:01:53.000000000 +0100
-+++ openssl-1.0.1e/ssl/s3_srvr.c 2015-12-04 09:43:45.144086868 +0100
-@@ -2751,7 +2751,7 @@ int ssl3_get_client_key_exchange(SSL *s)
-
- if (s->session->psk_identity != NULL)
- OPENSSL_free(s->session->psk_identity);
-- s->session->psk_identity = BUF_strdup((char *)p);
-+ s->session->psk_identity = BUF_strndup((char *)p, i);
- if (s->session->psk_identity == NULL)
- {
- SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
diff --git a/SOURCES/openssl-1.0.1e-cve-2015-3197.patch b/SOURCES/openssl-1.0.1e-cve-2015-3197.patch
deleted file mode 100644
index 325ad2d..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2015-3197.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-diff -up openssl-1.0.1e/ssl/s2_srvr.c.ssl2-ciphers openssl-1.0.1e/ssl/s2_srvr.c
---- openssl-1.0.1e/ssl/s2_srvr.c.ssl2-ciphers 2016-01-14 17:38:50.000000000 +0100
-+++ openssl-1.0.1e/ssl/s2_srvr.c 2016-02-16 16:18:59.790225008 +0100
-@@ -392,7 +392,7 @@ static int get_client_master_key(SSL *s)
- }
-
- cp=ssl2_get_cipher_by_char(p);
-- if (cp == NULL)
-+ if (cp == NULL || sk_SSL_CIPHER_find(s->session->ciphers, cp) < 0)
- {
- ssl2_return_error(s,SSL2_PE_NO_CIPHER);
- SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_NO_CIPHER_MATCH);
-@@ -692,9 +692,13 @@ static int get_client_hello(SSL *s)
- prio = cs;
- allow = cl;
- }
-+
-+ /* Generate list of SSLv2 ciphers shared between client and server */
- for (z=0; z<sk_SSL_CIPHER_num(prio); z++)
- {
-- if (sk_SSL_CIPHER_find(allow,sk_SSL_CIPHER_value(prio,z)) < 0)
-+ const SSL_CIPHER *cp = sk_SSL_CIPHER_value(prio, z);
-+ if ((cp->algorithm_ssl & SSL_SSLV2) == 0 ||
-+ sk_SSL_CIPHER_find(allow,cp) < 0)
- {
- (void)sk_SSL_CIPHER_delete(prio,z);
- z--;
-@@ -705,6 +709,14 @@ static int get_client_hello(SSL *s)
- sk_SSL_CIPHER_free(s->session->ciphers);
- s->session->ciphers = prio;
- }
-+
-+ /* Make sure we have at least one cipher in common */
-+ if (sk_SSL_CIPHER_num(s->session->ciphers) == 0)
-+ {
-+ ssl2_return_error(s, SSL2_PE_NO_CIPHER);
-+ SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_NO_CIPHER_MATCH);
-+ return -1;
-+ }
- /* s->session->ciphers should now have a list of
- * ciphers that are on both the client and server.
- * This list is ordered by the order the client sent
diff --git a/SOURCES/openssl-1.0.1e-cve-2015-4000.patch b/SOURCES/openssl-1.0.1e-cve-2015-4000.patch
deleted file mode 100644
index 66dd559..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2015-4000.patch
+++ /dev/null
@@ -1,241 +0,0 @@
-diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod.logjam openssl-1.0.1e/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod
---- openssl-1.0.1e/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod.logjam 2013-02-11 16:02:48.000000000 +0100
-+++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod 2015-05-25 11:37:08.893049771 +0200
-@@ -12,12 +12,10 @@ SSL_CTX_set_tmp_dh_callback, SSL_CTX_set
- DH *(*tmp_dh_callback)(SSL *ssl, int is_export, int keylength));
- long SSL_CTX_set_tmp_dh(SSL_CTX *ctx, DH *dh);
-
-- void SSL_set_tmp_dh_callback(SSL_CTX *ctx,
-+ void SSL_set_tmp_dh_callback(SSL *ctx,
- DH *(*tmp_dh_callback)(SSL *ssl, int is_export, int keylength));
- long SSL_set_tmp_dh(SSL *ssl, DH *dh)
-
-- DH *(*tmp_dh_callback)(SSL *ssl, int is_export, int keylength));
--
- =head1 DESCRIPTION
-
- SSL_CTX_set_tmp_dh_callback() sets the callback function for B<ctx> to be
-@@ -50,24 +48,25 @@ even if he gets hold of the normal (cert
- only used for signing.
-
- In order to perform a DH key exchange the server must use a DH group
--(DH parameters) and generate a DH key. The server will always generate a new
--DH key during the negotiation, when the DH parameters are supplied via
--callback and/or when the SSL_OP_SINGLE_DH_USE option of
--L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)> is set. It will
--immediately create a DH key, when DH parameters are supplied via
--SSL_CTX_set_tmp_dh() and SSL_OP_SINGLE_DH_USE is not set. In this case,
-+(DH parameters) and generate a DH key.
-+The server will always generate a new DH key during the negotiation
-+if either the DH parameters are supplied via callback or the
-+SSL_OP_SINGLE_DH_USE option of SSL_CTX_set_options(3) is set (or both).
-+It will immediately create a DH key if DH parameters are supplied via
-+SSL_CTX_set_tmp_dh() and SSL_OP_SINGLE_DH_USE is not set.
-+In this case,
- it may happen that a key is generated on initialization without later
- being needed, while on the other hand the computer time during the
- negotiation is being saved.
-
- If "strong" primes were used to generate the DH parameters, it is not strictly
- necessary to generate a new key for each handshake but it does improve forward
--secrecy. If it is not assured, that "strong" primes were used (see especially
--the section about DSA parameters below), SSL_OP_SINGLE_DH_USE must be used
--in order to prevent small subgroup attacks. Always using SSL_OP_SINGLE_DH_USE
--has an impact on the computer time needed during negotiation, but it is not
--very large, so application authors/users should consider to always enable
--this option.
-+secrecy. If it is not assured that "strong" primes were used,
-+SSL_OP_SINGLE_DH_USE must be used in order to prevent small subgroup
-+attacks. Always using SSL_OP_SINGLE_DH_USE has an impact on the
-+computer time needed during negotiation, but it is not very large, so
-+application authors/users should consider always enabling this option.
-+The option is required to implement perfect forward secrecy (PFS).
-
- As generating DH parameters is extremely time consuming, an application
- should not generate the parameters on the fly but supply the parameters.
-@@ -75,82 +74,62 @@ DH parameters can be reused, as the actu
- the negotiation. The risk in reusing DH parameters is that an attacker
- may specialize on a very often used DH group. Applications should therefore
- generate their own DH parameters during the installation process using the
--openssl L<dhparam(1)|dhparam(1)> application. In order to reduce the computer
--time needed for this generation, it is possible to use DSA parameters
--instead (see L<dhparam(1)|dhparam(1)>), but in this case SSL_OP_SINGLE_DH_USE
--is mandatory.
-+openssl L<dhparam(1)|dhparam(1)> application. This application
-+guarantees that "strong" primes are used.
-
--Application authors may compile in DH parameters. Files dh512.pem,
--dh1024.pem, dh2048.pem, and dh4096 in the 'apps' directory of current
-+Files dh2048.pem, and dh4096.pem in the 'apps' directory of the current
- version of the OpenSSL distribution contain the 'SKIP' DH parameters,
- which use safe primes and were generated verifiably pseudo-randomly.
- These files can be converted into C code using the B<-C> option of the
--L<dhparam(1)|dhparam(1)> application.
--Authors may also generate their own set of parameters using
--L<dhparam(1)|dhparam(1)>, but a user may not be sure how the parameters were
--generated. The generation of DH parameters during installation is therefore
--recommended.
-+L<dhparam(1)|dhparam(1)> application. Generation of custom DH
-+parameters during installation should still be preferred to stop an
-+attacker from specializing on a commonly used group. Files dh1024.pem
-+and dh512.pem contain old parameters that must not be used by
-+applications.
-
- An application may either directly specify the DH parameters or
--can supply the DH parameters via a callback function. The callback approach
--has the advantage, that the callback may supply DH parameters for different
--key lengths.
--
--The B<tmp_dh_callback> is called with the B<keylength> needed and
--the B<is_export> information. The B<is_export> flag is set, when the
--ephemeral DH key exchange is performed with an export cipher.
-+can supply the DH parameters via a callback function.
-+
-+Previous versions of the callback used B<is_export> and B<keylength>
-+parameters to control parameter generation for export and non-export
-+cipher suites. Modern servers that do not support export ciphersuites
-+are advised to either use SSL_CTX_set_tmp_dh() in combination with
-+SSL_OP_SINGLE_DH_USE, or alternatively, use the callback but ignore
-+B<keylength> and B<is_export> and simply supply at least 2048-bit
-+parameters in the callback.
-
- =head1 EXAMPLES
-
--Handle DH parameters for key lengths of 512 and 1024 bits. (Error handling
-+Setup DH parameters with a key length of 2048 bits. (Error handling
- partly left out.)
-
-- ...
-- /* Set up ephemeral DH stuff */
-- DH *dh_512 = NULL;
-- DH *dh_1024 = NULL;
-- FILE *paramfile;
-+ Command-line parameter generation:
-+ $ openssl dhparam -out dh_param_2048.pem 2048
-
-+ Code for setting up parameters during server initialization:
-+
-+ ...
-+ SSL_CTX ctx = SSL_CTX_new();
- ...
-- /* "openssl dhparam -out dh_param_512.pem -2 512" */
-- paramfile = fopen("dh_param_512.pem", "r");
-+
-+ /* Set up ephemeral DH parameters. */
-+ DH *dh_2048 = NULL;
-+ FILE *paramfile;
-+ paramfile = fopen("dh_param_2048.pem", "r");
- if (paramfile) {
-- dh_512 = PEM_read_DHparams(paramfile, NULL, NULL, NULL);
-+ dh_2048 = PEM_read_DHparams(paramfile, NULL, NULL, NULL);
- fclose(paramfile);
-+ } else {
-+ /* Error. */
- }
-- /* "openssl dhparam -out dh_param_1024.pem -2 1024" */
-- paramfile = fopen("dh_param_1024.pem", "r");
-- if (paramfile) {
-- dh_1024 = PEM_read_DHparams(paramfile, NULL, NULL, NULL);
-- fclose(paramfile);
-+ if (dh_2048 == NULL) {
-+ /* Error. */
- }
-- ...
--
-- /* "openssl dhparam -C -2 512" etc... */
-- DH *get_dh512() { ... }
-- DH *get_dh1024() { ... }
--
-- DH *tmp_dh_callback(SSL *s, int is_export, int keylength)
-- {
-- DH *dh_tmp=NULL;
--
-- switch (keylength) {
-- case 512:
-- if (!dh_512)
-- dh_512 = get_dh512();
-- dh_tmp = dh_512;
-- break;
-- case 1024:
-- if (!dh_1024)
-- dh_1024 = get_dh1024();
-- dh_tmp = dh_1024;
-- break;
-- default:
-- /* Generating a key on the fly is very costly, so use what is there */
-- setup_dh_parameters_like_above();
-- }
-- return(dh_tmp);
-+ if (SSL_CTX_set_tmp_dh(ctx, dh_2048) != 1) {
-+ /* Error. */
- }
-+ SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE);
-+ ...
-
- =head1 RETURN VALUES
-
-diff -up openssl-1.0.1e/ssl/ssl_err.c.logjam openssl-1.0.1e/ssl/ssl_err.c
---- openssl-1.0.1e/ssl/ssl_err.c.logjam 2015-05-25 11:38:29.834858712 +0200
-+++ openssl-1.0.1e/ssl/ssl_err.c 2015-05-25 11:42:01.041578905 +0200
-@@ -361,6 +361,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
- {ERR_REASON(SSL_R_DATA_LENGTH_TOO_LONG) ,"data length too long"},
- {ERR_REASON(SSL_R_DECRYPTION_FAILED) ,"decryption failed"},
- {ERR_REASON(SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC),"decryption failed or bad record mac"},
-+{ERR_REASON(SSL_R_DH_KEY_TOO_SMALL) ,"dh key too small"},
- {ERR_REASON(SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG),"dh public value length is wrong"},
- {ERR_REASON(SSL_R_DIGEST_CHECK_FAILED) ,"digest check failed"},
- {ERR_REASON(SSL_R_DTLS_MESSAGE_TOO_BIG) ,"dtls message too big"},
-diff -up openssl-1.0.1e/ssl/ssl.h.logjam openssl-1.0.1e/ssl/ssl.h
---- openssl-1.0.1e/ssl/ssl.h.logjam 2015-05-25 11:38:29.834858712 +0200
-+++ openssl-1.0.1e/ssl/ssl.h 2015-05-25 11:40:42.482823220 +0200
-@@ -2289,6 +2289,7 @@ void ERR_load_SSL_strings(void);
- #define SSL_R_DATA_LENGTH_TOO_LONG 146
- #define SSL_R_DECRYPTION_FAILED 147
- #define SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC 281
-+#define SSL_R_DH_KEY_TOO_SMALL 372
- #define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG 148
- #define SSL_R_DIGEST_CHECK_FAILED 149
- #define SSL_R_DTLS_MESSAGE_TOO_BIG 334
-diff -up openssl-1.0.1e/ssl/s3_clnt.c.logjam openssl-1.0.1e/ssl/s3_clnt.c
---- openssl-1.0.1e/ssl/s3_clnt.c.logjam 2015-05-25 11:38:29.833858690 +0200
-+++ openssl-1.0.1e/ssl/s3_clnt.c 2015-05-25 11:51:05.845754562 +0200
-@@ -3277,24 +3277,34 @@ int ssl3_check_cert_and_algorithm(SSL *s
- }
- #endif
- #ifndef OPENSSL_NO_DH
-- if ((alg_k & SSL_kEDH) &&
-- !(has_bits(i,EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL)))
-+ if ((alg_k & SSL_kEDH) && dh == NULL)
- {
-- SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_KEY);
-+ SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,ERR_R_INTERNAL_ERROR);
- goto f_err;
- }
-- else if ((alg_k & SSL_kDHr) && !has_bits(i,EVP_PK_DH|EVP_PKS_RSA))
-+ if ((alg_k & SSL_kDHr) && !has_bits(i,EVP_PK_DH|EVP_PKS_RSA))
- {
- SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_RSA_CERT);
- goto f_err;
- }
- #ifndef OPENSSL_NO_DSA
-- else if ((alg_k & SSL_kDHd) && !has_bits(i,EVP_PK_DH|EVP_PKS_DSA))
-+ if ((alg_k & SSL_kDHd) && !has_bits(i,EVP_PK_DH|EVP_PKS_DSA))
- {
- SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_DSA_CERT);
- goto f_err;
- }
- #endif
-+ /* Check DHE only: static DH not implemented. */
-+ if (alg_k & SSL_kEDH)
-+ {
-+ int dh_size = BN_num_bits(dh->p);
-+ if ((!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 768)
-+ || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 512))
-+ {
-+ SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_DH_KEY_TOO_SMALL);
-+ goto f_err;
-+ }
-+ }
- #endif
-
- if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i,EVP_PKT_EXP))
diff --git a/SOURCES/openssl-1.0.1e-cve-2015-7575.patch b/SOURCES/openssl-1.0.1e-cve-2015-7575.patch
deleted file mode 100644
index dc86361..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2015-7575.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-diff -up openssl-1.0.1e/ssl/t1_lib.c.no-md5-tls openssl-1.0.1e/ssl/t1_lib.c
---- openssl-1.0.1e/ssl/t1_lib.c.no-md5-tls 2015-12-04 09:51:39.000000000 +0100
-+++ openssl-1.0.1e/ssl/t1_lib.c 2015-12-21 14:09:35.239084727 +0100
-@@ -390,19 +390,11 @@ static unsigned char tls12_sigalgs[] = {
- #ifndef OPENSSL_NO_SHA
- tlsext_sigalg(TLSEXT_hash_sha1)
- #endif
--#ifndef OPENSSL_NO_MD5
-- tlsext_sigalg_rsa(TLSEXT_hash_md5)
--#endif
- };
-
- int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
- {
- size_t slen = sizeof(tls12_sigalgs);
--#ifdef OPENSSL_FIPS
-- /* If FIPS mode don't include MD5 which is last */
-- if (FIPS_mode())
-- slen -= 2;
--#endif
- if (p)
- memcpy(p, tls12_sigalgs, slen);
- return (int)slen;
-@@ -2413,14 +2405,6 @@ const EVP_MD *tls12_get_hash(unsigned ch
- {
- switch(hash_alg)
- {
--#ifndef OPENSSL_NO_MD5
-- case TLSEXT_hash_md5:
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode())
-- return NULL;
--#endif
-- return EVP_md5();
--#endif
- #ifndef OPENSSL_NO_SHA
- case TLSEXT_hash_sha1:
- return EVP_sha1();
diff --git a/SOURCES/openssl-1.0.1e-cve-2016-0702.patch b/SOURCES/openssl-1.0.1e-cve-2016-0702.patch
deleted file mode 100644
index 9ce1ca6..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2016-0702.patch
+++ /dev/null
@@ -1,1187 +0,0 @@
-diff -up openssl-1.0.1e/crypto/bn/asm/x86_64-mont5.pl.rsa-const openssl-1.0.1e/crypto/bn/asm/x86_64-mont5.pl
---- openssl-1.0.1e/crypto/bn/asm/x86_64-mont5.pl.rsa-const 2016-01-14 17:38:50.127212987 +0100
-+++ openssl-1.0.1e/crypto/bn/asm/x86_64-mont5.pl 2016-02-24 12:03:28.180178677 +0100
-@@ -66,60 +66,113 @@ bn_mul_mont_gather5:
- .align 16
- .Lmul_enter:
- mov ${num}d,${num}d
-- mov `($win64?56:8)`(%rsp),%r10d # load 7th argument
-+ movd `($win64?56:8)`(%rsp),%xmm5 # load 7th argument
-+ lea .Linc(%rip),%r10
- push %rbx
- push %rbp
- push %r12
- push %r13
- push %r14
- push %r15
--___
--$code.=<<___ if ($win64);
-- lea -0x28(%rsp),%rsp
-- movaps %xmm6,(%rsp)
-- movaps %xmm7,0x10(%rsp)
-+
- .Lmul_alloca:
--___
--$code.=<<___;
- mov %rsp,%rax
- lea 2($num),%r11
- neg %r11
-- lea (%rsp,%r11,8),%rsp # tp=alloca(8*(num+2))
-+ lea -264(%rsp,%r11,8),%rsp # tp=alloca(8*(num+2)+256+8)
- and \$-1024,%rsp # minimize TLB usage
-
- mov %rax,8(%rsp,$num,8) # tp[num+1]=%rsp
- .Lmul_body:
-- mov $bp,%r12 # reassign $bp
-+ lea 128($bp),%r12 # reassign $bp (+size optimization)
- ___
- $bp="%r12";
- $STRIDE=2**5*8; # 5 is "window size"
- $N=$STRIDE/4; # should match cache line size
- $code.=<<___;
-- mov %r10,%r11
-- shr \$`log($N/8)/log(2)`,%r10
-- and \$`$N/8-1`,%r11
-- not %r10
-- lea .Lmagic_masks(%rip),%rax
-- and \$`2**5/($N/8)-1`,%r10 # 5 is "window size"
-- lea 96($bp,%r11,8),$bp # pointer within 1st cache line
-- movq 0(%rax,%r10,8),%xmm4 # set of masks denoting which
-- movq 8(%rax,%r10,8),%xmm5 # cache line contains element
-- movq 16(%rax,%r10,8),%xmm6 # denoted by 7th argument
-- movq 24(%rax,%r10,8),%xmm7
--
-- movq `0*$STRIDE/4-96`($bp),%xmm0
-- movq `1*$STRIDE/4-96`($bp),%xmm1
-- pand %xmm4,%xmm0
-- movq `2*$STRIDE/4-96`($bp),%xmm2
-- pand %xmm5,%xmm1
-- movq `3*$STRIDE/4-96`($bp),%xmm3
-- pand %xmm6,%xmm2
-- por %xmm1,%xmm0
-- pand %xmm7,%xmm3
-+ movdqa 0(%r10),%xmm0 # 00000001000000010000000000000000
-+ movdqa 16(%r10),%xmm1 # 00000002000000020000000200000002
-+ lea 24-112(%rsp,$num,8),%r10# place the mask after tp[num+3] (+ICache optimization)
-+ and \$-16,%r10
-+
-+ pshufd \$0,%xmm5,%xmm5 # broadcast index
-+ movdqa %xmm1,%xmm4
-+ movdqa %xmm1,%xmm2
-+___
-+########################################################################
-+# calculate mask by comparing 0..31 to index and save result to stack
-+#
-+$code.=<<___;
-+ paddd %xmm0,%xmm1
-+ pcmpeqd %xmm5,%xmm0 # compare to 1,0
-+ .byte 0x67
-+ movdqa %xmm4,%xmm3
-+___
-+for($k=0;$k<$STRIDE/16-4;$k+=4) {
-+$code.=<<___;
-+ paddd %xmm1,%xmm2
-+ pcmpeqd %xmm5,%xmm1 # compare to 3,2
-+ movdqa %xmm0,`16*($k+0)+112`(%r10)
-+ movdqa %xmm4,%xmm0
-+
-+ paddd %xmm2,%xmm3
-+ pcmpeqd %xmm5,%xmm2 # compare to 5,4
-+ movdqa %xmm1,`16*($k+1)+112`(%r10)
-+ movdqa %xmm4,%xmm1
-+
-+ paddd %xmm3,%xmm0
-+ pcmpeqd %xmm5,%xmm3 # compare to 7,6
-+ movdqa %xmm2,`16*($k+2)+112`(%r10)
-+ movdqa %xmm4,%xmm2
-+
-+ paddd %xmm0,%xmm1
-+ pcmpeqd %xmm5,%xmm0
-+ movdqa %xmm3,`16*($k+3)+112`(%r10)
-+ movdqa %xmm4,%xmm3
-+___
-+}
-+$code.=<<___; # last iteration can be optimized
-+ paddd %xmm1,%xmm2
-+ pcmpeqd %xmm5,%xmm1
-+ movdqa %xmm0,`16*($k+0)+112`(%r10)
-+
-+ paddd %xmm2,%xmm3
-+ .byte 0x67
-+ pcmpeqd %xmm5,%xmm2
-+ movdqa %xmm1,`16*($k+1)+112`(%r10)
-+
-+ pcmpeqd %xmm5,%xmm3
-+ movdqa %xmm2,`16*($k+2)+112`(%r10)
-+ pand `16*($k+0)-128`($bp),%xmm0 # while it's still in register
-+
-+ pand `16*($k+1)-128`($bp),%xmm1
-+ pand `16*($k+2)-128`($bp),%xmm2
-+ movdqa %xmm3,`16*($k+3)+112`(%r10)
-+ pand `16*($k+3)-128`($bp),%xmm3
- por %xmm2,%xmm0
-+ por %xmm3,%xmm1
-+___
-+for($k=0;$k<$STRIDE/16-4;$k+=4) {
-+$code.=<<___;
-+ movdqa `16*($k+0)-128`($bp),%xmm4
-+ movdqa `16*($k+1)-128`($bp),%xmm5
-+ movdqa `16*($k+2)-128`($bp),%xmm2
-+ pand `16*($k+0)+112`(%r10),%xmm4
-+ movdqa `16*($k+3)-128`($bp),%xmm3
-+ pand `16*($k+1)+112`(%r10),%xmm5
-+ por %xmm4,%xmm0
-+ pand `16*($k+2)+112`(%r10),%xmm2
-+ por %xmm5,%xmm1
-+ pand `16*($k+3)+112`(%r10),%xmm3
-+ por %xmm2,%xmm0
-+ por %xmm3,%xmm1
-+___
-+}
-+$code.=<<___;
-+ por %xmm1,%xmm0
-+ pshufd \$0x4e,%xmm0,%xmm1
-+ por %xmm1,%xmm0
- lea $STRIDE($bp),$bp
-- por %xmm3,%xmm0
--
- movq %xmm0,$m0 # m0=bp[0]
-
- mov ($n0),$n0 # pull n0[0] value
-@@ -128,29 +181,14 @@ $code.=<<___;
- xor $i,$i # i=0
- xor $j,$j # j=0
-
-- movq `0*$STRIDE/4-96`($bp),%xmm0
-- movq `1*$STRIDE/4-96`($bp),%xmm1
-- pand %xmm4,%xmm0
-- movq `2*$STRIDE/4-96`($bp),%xmm2
-- pand %xmm5,%xmm1
--
- mov $n0,$m1
- mulq $m0 # ap[0]*bp[0]
- mov %rax,$lo0
- mov ($np),%rax
-
-- movq `3*$STRIDE/4-96`($bp),%xmm3
-- pand %xmm6,%xmm2
-- por %xmm1,%xmm0
-- pand %xmm7,%xmm3
--
- imulq $lo0,$m1 # "tp[0]"*n0
- mov %rdx,$hi0
-
-- por %xmm2,%xmm0
-- lea $STRIDE($bp),$bp
-- por %xmm3,%xmm0
--
- mulq $m1 # np[0]*m1
- add %rax,$lo0 # discarded
- mov 8($ap),%rax
-@@ -183,8 +221,6 @@ $code.=<<___;
- cmp $num,$j
- jne .L1st
-
-- movq %xmm0,$m0 # bp[1]
--
- add %rax,$hi1
- mov ($ap),%rax # ap[0]
- adc \$0,%rdx
-@@ -204,33 +240,46 @@ $code.=<<___;
- jmp .Louter
- .align 16
- .Louter:
-+ lea 24+128(%rsp,$num,8),%rdx # where 256-byte mask is (+size optimization)
-+ and \$-16,%rdx
-+ pxor %xmm4,%xmm4
-+ pxor %xmm5,%xmm5
-+___
-+for($k=0;$k<$STRIDE/16;$k+=4) {
-+$code.=<<___;
-+ movdqa `16*($k+0)-128`($bp),%xmm0
-+ movdqa `16*($k+1)-128`($bp),%xmm1
-+ movdqa `16*($k+2)-128`($bp),%xmm2
-+ movdqa `16*($k+3)-128`($bp),%xmm3
-+ pand `16*($k+0)-128`(%rdx),%xmm0
-+ pand `16*($k+1)-128`(%rdx),%xmm1
-+ por %xmm0,%xmm4
-+ pand `16*($k+2)-128`(%rdx),%xmm2
-+ por %xmm1,%xmm5
-+ pand `16*($k+3)-128`(%rdx),%xmm3
-+ por %xmm2,%xmm4
-+ por %xmm3,%xmm5
-+___
-+}
-+$code.=<<___;
-+ por %xmm5,%xmm4
-+ pshufd \$0x4e,%xmm4,%xmm0
-+ por %xmm4,%xmm0
-+ lea $STRIDE($bp),$bp
-+ movq %xmm0,$m0 # m0=bp[i]
-+
- xor $j,$j # j=0
- mov $n0,$m1
- mov (%rsp),$lo0
-
-- movq `0*$STRIDE/4-96`($bp),%xmm0
-- movq `1*$STRIDE/4-96`($bp),%xmm1
-- pand %xmm4,%xmm0
-- movq `2*$STRIDE/4-96`($bp),%xmm2
-- pand %xmm5,%xmm1
--
- mulq $m0 # ap[0]*bp[i]
- add %rax,$lo0 # ap[0]*bp[i]+tp[0]
- mov ($np),%rax
- adc \$0,%rdx
-
-- movq `3*$STRIDE/4-96`($bp),%xmm3
-- pand %xmm6,%xmm2
-- por %xmm1,%xmm0
-- pand %xmm7,%xmm3
--
- imulq $lo0,$m1 # tp[0]*n0
- mov %rdx,$hi0
-
-- por %xmm2,%xmm0
-- lea $STRIDE($bp),$bp
-- por %xmm3,%xmm0
--
- mulq $m1 # np[0]*m1
- add %rax,$lo0 # discarded
- mov 8($ap),%rax
-@@ -266,8 +315,6 @@ $code.=<<___;
- cmp $num,$j
- jne .Linner
-
-- movq %xmm0,$m0 # bp[i+1]
--
- add %rax,$hi1
- mov ($ap),%rax # ap[0]
- adc \$0,%rdx
-@@ -321,13 +368,7 @@ $code.=<<___;
-
- mov 8(%rsp,$num,8),%rsi # restore %rsp
- mov \$1,%rax
--___
--$code.=<<___ if ($win64);
-- movaps (%rsi),%xmm6
-- movaps 0x10(%rsi),%xmm7
-- lea 0x28(%rsi),%rsi
--___
--$code.=<<___;
-+
- mov (%rsi),%r15
- mov 8(%rsi),%r14
- mov 16(%rsi),%r13
-@@ -348,91 +389,130 @@ $code.=<<___;
- bn_mul4x_mont_gather5:
- .Lmul4x_enter:
- mov ${num}d,${num}d
-- mov `($win64?56:8)`(%rsp),%r10d # load 7th argument
-+ movd `($win64?56:8)`(%rsp),%xmm5 # load 7th argument
-+ lea .Linc(%rip),%r10
- push %rbx
- push %rbp
- push %r12
- push %r13
- push %r14
- push %r15
--___
--$code.=<<___ if ($win64);
-- lea -0x28(%rsp),%rsp
-- movaps %xmm6,(%rsp)
-- movaps %xmm7,0x10(%rsp)
-+
- .Lmul4x_alloca:
--___
--$code.=<<___;
- mov %rsp,%rax
- lea 4($num),%r11
- neg %r11
-- lea (%rsp,%r11,8),%rsp # tp=alloca(8*(num+4))
-+ lea -256(%rsp,%r11,8),%rsp # tp=alloca(8*(num+4)+256)
- and \$-1024,%rsp # minimize TLB usage
-
- mov %rax,8(%rsp,$num,8) # tp[num+1]=%rsp
- .Lmul4x_body:
- mov $rp,16(%rsp,$num,8) # tp[num+2]=$rp
-- mov %rdx,%r12 # reassign $bp
-+ lea 128(%rdx),%r12 # reassign $bp (+size optimization)
- ___
- $bp="%r12";
- $STRIDE=2**5*8; # 5 is "window size"
- $N=$STRIDE/4; # should match cache line size
- $code.=<<___;
-- mov %r10,%r11
-- shr \$`log($N/8)/log(2)`,%r10
-- and \$`$N/8-1`,%r11
-- not %r10
-- lea .Lmagic_masks(%rip),%rax
-- and \$`2**5/($N/8)-1`,%r10 # 5 is "window size"
-- lea 96($bp,%r11,8),$bp # pointer within 1st cache line
-- movq 0(%rax,%r10,8),%xmm4 # set of masks denoting which
-- movq 8(%rax,%r10,8),%xmm5 # cache line contains element
-- movq 16(%rax,%r10,8),%xmm6 # denoted by 7th argument
-- movq 24(%rax,%r10,8),%xmm7
--
-- movq `0*$STRIDE/4-96`($bp),%xmm0
-- movq `1*$STRIDE/4-96`($bp),%xmm1
-- pand %xmm4,%xmm0
-- movq `2*$STRIDE/4-96`($bp),%xmm2
-- pand %xmm5,%xmm1
-- movq `3*$STRIDE/4-96`($bp),%xmm3
-- pand %xmm6,%xmm2
-- por %xmm1,%xmm0
-- pand %xmm7,%xmm3
-+ movdqa 0(%r10),%xmm0 # 00000001000000010000000000000000
-+ movdqa 16(%r10),%xmm1 # 00000002000000020000000200000002
-+ lea 32-112(%rsp,$num,8),%r10# place the mask after tp[num+4] (+ICache optimization)
-+
-+ pshufd \$0,%xmm5,%xmm5 # broadcast index
-+ movdqa %xmm1,%xmm4
-+ .byte 0x67,0x67
-+ movdqa %xmm1,%xmm2
-+___
-+########################################################################
-+# calculate mask by comparing 0..31 to index and save result to stack
-+#
-+$code.=<<___;
-+ paddd %xmm0,%xmm1
-+ pcmpeqd %xmm5,%xmm0 # compare to 1,0
-+ .byte 0x67
-+ movdqa %xmm4,%xmm3
-+___
-+for($k=0;$k<$STRIDE/16-4;$k+=4) {
-+$code.=<<___;
-+ paddd %xmm1,%xmm2
-+ pcmpeqd %xmm5,%xmm1 # compare to 3,2
-+ movdqa %xmm0,`16*($k+0)+112`(%r10)
-+ movdqa %xmm4,%xmm0
-+
-+ paddd %xmm2,%xmm3
-+ pcmpeqd %xmm5,%xmm2 # compare to 5,4
-+ movdqa %xmm1,`16*($k+1)+112`(%r10)
-+ movdqa %xmm4,%xmm1
-+
-+ paddd %xmm3,%xmm0
-+ pcmpeqd %xmm5,%xmm3 # compare to 7,6
-+ movdqa %xmm2,`16*($k+2)+112`(%r10)
-+ movdqa %xmm4,%xmm2
-+
-+ paddd %xmm0,%xmm1
-+ pcmpeqd %xmm5,%xmm0
-+ movdqa %xmm3,`16*($k+3)+112`(%r10)
-+ movdqa %xmm4,%xmm3
-+___
-+}
-+$code.=<<___; # last iteration can be optimized
-+ paddd %xmm1,%xmm2
-+ pcmpeqd %xmm5,%xmm1
-+ movdqa %xmm0,`16*($k+0)+112`(%r10)
-+
-+ paddd %xmm2,%xmm3
-+ .byte 0x67
-+ pcmpeqd %xmm5,%xmm2
-+ movdqa %xmm1,`16*($k+1)+112`(%r10)
-+
-+ pcmpeqd %xmm5,%xmm3
-+ movdqa %xmm2,`16*($k+2)+112`(%r10)
-+ pand `16*($k+0)-128`($bp),%xmm0 # while it's still in register
-+
-+ pand `16*($k+1)-128`($bp),%xmm1
-+ pand `16*($k+2)-128`($bp),%xmm2
-+ movdqa %xmm3,`16*($k+3)+112`(%r10)
-+ pand `16*($k+3)-128`($bp),%xmm3
-+ por %xmm2,%xmm0
-+ por %xmm3,%xmm1
-+___
-+for($k=0;$k<$STRIDE/16-4;$k+=4) {
-+$code.=<<___;
-+ movdqa `16*($k+0)-128`($bp),%xmm4
-+ movdqa `16*($k+1)-128`($bp),%xmm5
-+ movdqa `16*($k+2)-128`($bp),%xmm2
-+ pand `16*($k+0)+112`(%r10),%xmm4
-+ movdqa `16*($k+3)-128`($bp),%xmm3
-+ pand `16*($k+1)+112`(%r10),%xmm5
-+ por %xmm4,%xmm0
-+ pand `16*($k+2)+112`(%r10),%xmm2
-+ por %xmm5,%xmm1
-+ pand `16*($k+3)+112`(%r10),%xmm3
- por %xmm2,%xmm0
-+ por %xmm3,%xmm1
-+___
-+}
-+$code.=<<___;
-+ por %xmm1,%xmm0
-+ pshufd \$0x4e,%xmm0,%xmm1
-+ por %xmm1,%xmm0
- lea $STRIDE($bp),$bp
-- por %xmm3,%xmm0
--
- movq %xmm0,$m0 # m0=bp[0]
-+
- mov ($n0),$n0 # pull n0[0] value
- mov ($ap),%rax
-
- xor $i,$i # i=0
- xor $j,$j # j=0
-
-- movq `0*$STRIDE/4-96`($bp),%xmm0
-- movq `1*$STRIDE/4-96`($bp),%xmm1
-- pand %xmm4,%xmm0
-- movq `2*$STRIDE/4-96`($bp),%xmm2
-- pand %xmm5,%xmm1
--
- mov $n0,$m1
- mulq $m0 # ap[0]*bp[0]
- mov %rax,$A[0]
- mov ($np),%rax
-
-- movq `3*$STRIDE/4-96`($bp),%xmm3
-- pand %xmm6,%xmm2
-- por %xmm1,%xmm0
-- pand %xmm7,%xmm3
--
- imulq $A[0],$m1 # "tp[0]"*n0
- mov %rdx,$A[1]
-
-- por %xmm2,%xmm0
-- lea $STRIDE($bp),$bp
-- por %xmm3,%xmm0
--
- mulq $m1 # np[0]*m1
- add %rax,$A[0] # discarded
- mov 8($ap),%rax
-@@ -550,8 +630,6 @@ $code.=<<___;
- mov $N[1],-16(%rsp,$j,8) # tp[j-1]
- mov %rdx,$N[0]
-
-- movq %xmm0,$m0 # bp[1]
--
- xor $N[1],$N[1]
- add $A[0],$N[0]
- adc \$0,$N[1]
-@@ -561,12 +639,34 @@ $code.=<<___;
- lea 1($i),$i # i++
- .align 4
- .Louter4x:
-+ lea 32+128(%rsp,$num,8),%rdx # where 256-byte mask is (+size optimization)
-+ pxor %xmm4,%xmm4
-+ pxor %xmm5,%xmm5
-+___
-+for($k=0;$k<$STRIDE/16;$k+=4) {
-+$code.=<<___;
-+ movdqa `16*($k+0)-128`($bp),%xmm0
-+ movdqa `16*($k+1)-128`($bp),%xmm1
-+ movdqa `16*($k+2)-128`($bp),%xmm2
-+ movdqa `16*($k+3)-128`($bp),%xmm3
-+ pand `16*($k+0)-128`(%rdx),%xmm0
-+ pand `16*($k+1)-128`(%rdx),%xmm1
-+ por %xmm0,%xmm4
-+ pand `16*($k+2)-128`(%rdx),%xmm2
-+ por %xmm1,%xmm5
-+ pand `16*($k+3)-128`(%rdx),%xmm3
-+ por %xmm2,%xmm4
-+ por %xmm3,%xmm5
-+___
-+}
-+$code.=<<___;
-+ por %xmm5,%xmm4
-+ pshufd \$0x4e,%xmm4,%xmm0
-+ por %xmm4,%xmm0
-+ lea $STRIDE($bp),$bp
-+ movq %xmm0,$m0 # m0=bp[i]
-+
- xor $j,$j # j=0
-- movq `0*$STRIDE/4-96`($bp),%xmm0
-- movq `1*$STRIDE/4-96`($bp),%xmm1
-- pand %xmm4,%xmm0
-- movq `2*$STRIDE/4-96`($bp),%xmm2
-- pand %xmm5,%xmm1
-
- mov (%rsp),$A[0]
- mov $n0,$m1
-@@ -575,18 +675,9 @@ $code.=<<___;
- mov ($np),%rax
- adc \$0,%rdx
-
-- movq `3*$STRIDE/4-96`($bp),%xmm3
-- pand %xmm6,%xmm2
-- por %xmm1,%xmm0
-- pand %xmm7,%xmm3
--
- imulq $A[0],$m1 # tp[0]*n0
- mov %rdx,$A[1]
-
-- por %xmm2,%xmm0
-- lea $STRIDE($bp),$bp
-- por %xmm3,%xmm0
--
- mulq $m1 # np[0]*m1
- add %rax,$A[0] # "$N[0]", discarded
- mov 8($ap),%rax
-@@ -718,7 +809,6 @@ $code.=<<___;
- mov $N[0],-24(%rsp,$j,8) # tp[j-1]
- mov %rdx,$N[0]
-
-- movq %xmm0,$m0 # bp[i+1]
- mov $N[1],-16(%rsp,$j,8) # tp[j-1]
-
- xor $N[1],$N[1]
-@@ -809,13 +899,7 @@ ___
- $code.=<<___;
- mov 8(%rsp,$num,8),%rsi # restore %rsp
- mov \$1,%rax
--___
--$code.=<<___ if ($win64);
-- movaps (%rsi),%xmm6
-- movaps 0x10(%rsi),%xmm7
-- lea 0x28(%rsi),%rsi
--___
--$code.=<<___;
-+
- mov (%rsi),%r15
- mov 8(%rsi),%r14
- mov 16(%rsi),%r13
-@@ -830,8 +914,8 @@ ___
- }}}
-
- {
--my ($inp,$num,$tbl,$idx)=$win64?("%rcx","%rdx","%r8", "%r9") : # Win64 order
-- ("%rdi","%rsi","%rdx","%rcx"); # Unix order
-+my ($inp,$num,$tbl,$idx)=$win64?("%rcx","%rdx","%r8", "%r9d") : # Win64 order
-+ ("%rdi","%rsi","%rdx","%ecx"); # Unix order
- my $out=$inp;
- my $STRIDE=2**5*8;
- my $N=$STRIDE/4;
-@@ -859,53 +943,89 @@ bn_scatter5:
- .type bn_gather5,\@abi-omnipotent
- .align 16
- bn_gather5:
--___
--$code.=<<___ if ($win64);
--.LSEH_begin_bn_gather5:
-+.LSEH_begin_bn_gather5: # Win64 thing, but harmless in other cases
- # I can't trust assembler to use specific encoding:-(
-- .byte 0x48,0x83,0xec,0x28 #sub \$0x28,%rsp
-- .byte 0x0f,0x29,0x34,0x24 #movaps %xmm6,(%rsp)
-- .byte 0x0f,0x29,0x7c,0x24,0x10 #movdqa %xmm7,0x10(%rsp)
--___
--$code.=<<___;
-- mov $idx,%r11
-- shr \$`log($N/8)/log(2)`,$idx
-- and \$`$N/8-1`,%r11
-- not $idx
-- lea .Lmagic_masks(%rip),%rax
-- and \$`2**5/($N/8)-1`,$idx # 5 is "window size"
-- lea 96($tbl,%r11,8),$tbl # pointer within 1st cache line
-- movq 0(%rax,$idx,8),%xmm4 # set of masks denoting which
-- movq 8(%rax,$idx,8),%xmm5 # cache line contains element
-- movq 16(%rax,$idx,8),%xmm6 # denoted by 7th argument
-- movq 24(%rax,$idx,8),%xmm7
-+ .byte 0x4c,0x8d,0x14,0x24 # lea (%rsp),%r10
-+ .byte 0x48,0x81,0xec,0x08,0x01,0x00,0x00 # sub $0x108,%rsp
-+ lea .Linc(%rip),%rax
-+ and \$-16,%rsp # shouldn't be formally required
-+
-+ movd $idx,%xmm5
-+ movdqa 0(%rax),%xmm0 # 00000001000000010000000000000000
-+ movdqa 16(%rax),%xmm1 # 00000002000000020000000200000002
-+ lea 128($tbl),%r11 # size optimization
-+ lea 128(%rsp),%rax # size optimization
-+
-+ pshufd \$0,%xmm5,%xmm5 # broadcast $idx
-+ movdqa %xmm1,%xmm4
-+ movdqa %xmm1,%xmm2
-+___
-+########################################################################
-+# calculate mask by comparing 0..31 to $idx and save result to stack
-+#
-+for($i=0;$i<$STRIDE/16;$i+=4) {
-+$code.=<<___;
-+ paddd %xmm0,%xmm1
-+ pcmpeqd %xmm5,%xmm0 # compare to 1,0
-+___
-+$code.=<<___ if ($i);
-+ movdqa %xmm3,`16*($i-1)-128`(%rax)
-+___
-+$code.=<<___;
-+ movdqa %xmm4,%xmm3
-+
-+ paddd %xmm1,%xmm2
-+ pcmpeqd %xmm5,%xmm1 # compare to 3,2
-+ movdqa %xmm0,`16*($i+0)-128`(%rax)
-+ movdqa %xmm4,%xmm0
-+
-+ paddd %xmm2,%xmm3
-+ pcmpeqd %xmm5,%xmm2 # compare to 5,4
-+ movdqa %xmm1,`16*($i+1)-128`(%rax)
-+ movdqa %xmm4,%xmm1
-+
-+ paddd %xmm3,%xmm0
-+ pcmpeqd %xmm5,%xmm3 # compare to 7,6
-+ movdqa %xmm2,`16*($i+2)-128`(%rax)
-+ movdqa %xmm4,%xmm2
-+___
-+}
-+$code.=<<___;
-+ movdqa %xmm3,`16*($i-1)-128`(%rax)
- jmp .Lgather
--.align 16
--.Lgather:
-- movq `0*$STRIDE/4-96`($tbl),%xmm0
-- movq `1*$STRIDE/4-96`($tbl),%xmm1
-- pand %xmm4,%xmm0
-- movq `2*$STRIDE/4-96`($tbl),%xmm2
-- pand %xmm5,%xmm1
-- movq `3*$STRIDE/4-96`($tbl),%xmm3
-- pand %xmm6,%xmm2
-- por %xmm1,%xmm0
-- pand %xmm7,%xmm3
-- por %xmm2,%xmm0
-- lea $STRIDE($tbl),$tbl
-- por %xmm3,%xmm0
-
-+.align 32
-+.Lgather:
-+ pxor %xmm4,%xmm4
-+ pxor %xmm5,%xmm5
-+___
-+for($i=0;$i<$STRIDE/16;$i+=4) {
-+$code.=<<___;
-+ movdqa `16*($i+0)-128`(%r11),%xmm0
-+ movdqa `16*($i+1)-128`(%r11),%xmm1
-+ movdqa `16*($i+2)-128`(%r11),%xmm2
-+ pand `16*($i+0)-128`(%rax),%xmm0
-+ movdqa `16*($i+3)-128`(%r11),%xmm3
-+ pand `16*($i+1)-128`(%rax),%xmm1
-+ por %xmm0,%xmm4
-+ pand `16*($i+2)-128`(%rax),%xmm2
-+ por %xmm1,%xmm5
-+ pand `16*($i+3)-128`(%rax),%xmm3
-+ por %xmm2,%xmm4
-+ por %xmm3,%xmm5
-+___
-+}
-+$code.=<<___;
-+ por %xmm5,%xmm4
-+ lea $STRIDE(%r11),%r11
-+ pshufd \$0x4e,%xmm4,%xmm0
-+ por %xmm4,%xmm0
- movq %xmm0,($out) # m0=bp[0]
- lea 8($out),$out
- sub \$1,$num
- jnz .Lgather
--___
--$code.=<<___ if ($win64);
-- movaps %xmm6,(%rsp)
-- movaps %xmm7,0x10(%rsp)
-- lea 0x28(%rsp),%rsp
--___
--$code.=<<___;
-+
-+ lea (%r10),%rsp
- ret
- .LSEH_end_bn_gather5:
- .size bn_gather5,.-bn_gather5
-@@ -913,9 +1033,9 @@ ___
- }
- $code.=<<___;
- .align 64
--.Lmagic_masks:
-- .long 0,0, 0,0, 0,0, -1,-1
-- .long 0,0, 0,0, 0,0, 0,0
-+.Linc:
-+ .long 0,0, 1,1
-+ .long 2,2, 2,2
- .asciz "Montgomery Multiplication with scatter/gather for x86_64, CRYPTOGAMS by <appro\@openssl.org>"
- ___
-
-@@ -954,7 +1074,7 @@ mul_handler:
- cmp %r10,%rbx # context->Rip<end of prologue label
- jb .Lcommon_seh_tail
-
-- lea `40+48`(%rax),%rax
-+ lea 48(%rax),%rax
-
- mov 4(%r11),%r10d # HandlerData[1]
- lea (%rsi,%r10),%r10 # end of alloca label
-@@ -971,9 +1091,7 @@ mul_handler:
- mov 192($context),%r10 # pull $num
- mov 8(%rax,%r10,8),%rax # pull saved stack pointer
-
-- movaps (%rax),%xmm0
-- movaps 16(%rax),%xmm1
-- lea `40+48`(%rax),%rax
-+ lea 48(%rax),%rax
-
- mov -8(%rax),%rbx
- mov -16(%rax),%rbp
-@@ -987,8 +1105,6 @@ mul_handler:
- mov %r13,224($context) # restore context->R13
- mov %r14,232($context) # restore context->R14
- mov %r15,240($context) # restore context->R15
-- movups %xmm0,512($context) # restore context->Xmm6
-- movups %xmm1,528($context) # restore context->Xmm7
-
- .Lcommon_seh_tail:
- mov 8(%rax),%rdi
-@@ -1057,10 +1173,9 @@ mul_handler:
- .rva .Lmul4x_alloca,.Lmul4x_body,.Lmul4x_epilogue # HandlerData[]
- .align 8
- .LSEH_info_bn_gather5:
-- .byte 0x01,0x0d,0x05,0x00
-- .byte 0x0d,0x78,0x01,0x00 #movaps 0x10(rsp),xmm7
-- .byte 0x08,0x68,0x00,0x00 #movaps (rsp),xmm6
-- .byte 0x04,0x42,0x00,0x00 #sub rsp,0x28
-+ .byte 0x01,0x0b,0x03,0x0a
-+ .byte 0x0b,0x01,0x21,0x00 # sub rsp,0x108
-+ .byte 0x04,0xa3,0x00,0x00 # lea r10,(rsp), set_frame r10
- .align 8
- ___
- }
-diff -up openssl-1.0.1e/crypto/bn/bn_exp.c.rsa-const openssl-1.0.1e/crypto/bn/bn_exp.c
---- openssl-1.0.1e/crypto/bn/bn_exp.c.rsa-const 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/bn/bn_exp.c 2016-02-24 12:00:20.807856735 +0100
-@@ -111,6 +111,7 @@
-
-
- #include "cryptlib.h"
-+#include "constant_time_locl.h"
- #include "bn_lcl.h"
-
- #include <stdlib.h>
-@@ -534,30 +535,74 @@ err:
- * as cache lines are concerned. The following functions are used to transfer a BIGNUM
- * from/to that table. */
-
--static int MOD_EXP_CTIME_COPY_TO_PREBUF(const BIGNUM *b, int top, unsigned char *buf, int idx, int width)
-+static int MOD_EXP_CTIME_COPY_TO_PREBUF(const BIGNUM *b, int top, unsigned char *buf, int idx, int window)
- {
-- size_t i, j;
-+ int i, j;
-+ int width = 1 << window;
-+ BN_ULONG *table = (BN_ULONG *)buf;
-
- if (top > b->top)
- top = b->top; /* this works because 'buf' is explicitly zeroed */
-- for (i = 0, j=idx; i < top * sizeof b->d[0]; i++, j+=width)
-+ for (i = 0, j=idx; i < top; i++, j+=width)
- {
-- buf[j] = ((unsigned char*)b->d)[i];
-+ table[j] = b->d[i];
- }
-
- return 1;
- }
-
--static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top, unsigned char *buf, int idx, int width)
-+static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top, unsigned char *buf, int idx, int window)
- {
-- size_t i, j;
-+ int i, j;
-+ int width = 1 << window;
-+ volatile BN_ULONG *table = (volatile BN_ULONG *)buf;
-
- if (bn_wexpand(b, top) == NULL)
- return 0;
-
-- for (i=0, j=idx; i < top * sizeof b->d[0]; i++, j+=width)
-+ if (window <= 3)
- {
-- ((unsigned char*)b->d)[i] = buf[j];
-+ for (i = 0; i < top; i++, table += width)
-+ {
-+ BN_ULONG acc = 0;
-+
-+ for (j = 0; j < width; j++)
-+ {
-+ acc |= table[j] &
-+ ((BN_ULONG)0 - (constant_time_eq_int(j,idx)&1));
-+ }
-+
-+ b->d[i] = acc;
-+ }
-+ }
-+ else
-+ {
-+ int xstride = 1 << (window - 2);
-+ BN_ULONG y0, y1, y2, y3;
-+
-+ i = idx >> (window - 2); /* equivalent of idx / xstride */
-+ idx &= xstride - 1; /* equivalent of idx % xstride */
-+
-+ y0 = (BN_ULONG)0 - (constant_time_eq_int(i,0)&1);
-+ y1 = (BN_ULONG)0 - (constant_time_eq_int(i,1)&1);
-+ y2 = (BN_ULONG)0 - (constant_time_eq_int(i,2)&1);
-+ y3 = (BN_ULONG)0 - (constant_time_eq_int(i,3)&1);
-+
-+ for (i = 0; i < top; i++, table += width)
-+ {
-+ BN_ULONG acc = 0;
-+
-+ for (j = 0; j < xstride; j++)
-+ {
-+ acc |= ( (table[j + 0 * xstride] & y0) |
-+ (table[j + 1 * xstride] & y1) |
-+ (table[j + 2 * xstride] & y2) |
-+ (table[j + 3 * xstride] & y3) )
-+ & ((BN_ULONG)0 - (constant_time_eq_int(j,idx)&1));
-+ }
-+
-+ b->d[i] = acc;
-+ }
- }
-
- b->top = top;
-@@ -592,17 +637,27 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr
- bn_check_top(p);
- bn_check_top(m);
-
-- top = m->top;
--
-- if (!(m->d[0] & 1))
-+ if (!BN_is_odd(m))
- {
- BNerr(BN_F_BN_MOD_EXP_MONT_CONSTTIME,BN_R_CALLED_WITH_EVEN_MODULUS);
- return(0);
- }
-+
-+ top = m->top;
-+
- bits=BN_num_bits(p);
- if (bits == 0)
- {
-- ret = BN_one(rr);
-+ /* x**0 mod 1 is still zero. */
-+ if (BN_is_one(m))
-+ {
-+ ret = 1;
-+ BN_zero(rr);
-+ }
-+ else
-+ {
-+ ret = BN_one(rr);
-+ }
- return ret;
- }
-
-@@ -680,7 +735,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr
-
- /* Dedicated window==4 case improves 512-bit RSA sign by ~15%, but as
- * 512-bit RSA is hardly relevant, we omit it to spare size... */
-- if (window==5)
-+ if (window==5 && top>1)
- {
- void bn_mul_mont_gather5(BN_ULONG *rp,const BN_ULONG *ap,
- const void *table,const BN_ULONG *np,
-@@ -767,8 +822,8 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr
- else
- #endif
- {
-- if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, 0, numPowers)) goto err;
-- if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&am, top, powerbuf, 1, numPowers)) goto err;
-+ if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, 0, window)) goto err;
-+ if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&am, top, powerbuf, 1, window)) goto err;
-
- /* If the window size is greater than 1, then calculate
- * val[i=2..2^winsize-1]. Powers are computed as a*a^(i-1)
-@@ -778,20 +833,20 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr
- if (window > 1)
- {
- if (!BN_mod_mul_montgomery(&tmp,&am,&am,mont,ctx)) goto err;
-- if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, 2, numPowers)) goto err;
-+ if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, 2, window)) goto err;
- for (i=3; i<numPowers; i++)
- {
- /* Calculate a^i = a^(i-1) * a */
- if (!BN_mod_mul_montgomery(&tmp,&am,&tmp,mont,ctx))
- goto err;
-- if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, i, numPowers)) goto err;
-+ if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, i, window)) goto err;
- }
- }
-
- bits--;
- for (wvalue=0, i=bits%window; i>=0; i--,bits--)
- wvalue = (wvalue<<1)+BN_is_bit_set(p,bits);
-- if (!MOD_EXP_CTIME_COPY_FROM_PREBUF(&tmp,top,powerbuf,wvalue,numPowers)) goto err;
-+ if (!MOD_EXP_CTIME_COPY_FROM_PREBUF(&tmp,top,powerbuf,wvalue,window)) goto err;
-
- /* Scan the exponent one window at a time starting from the most
- * significant bits.
-@@ -808,7 +863,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr
- }
-
- /* Fetch the appropriate pre-computed value from the pre-buf */
-- if (!MOD_EXP_CTIME_COPY_FROM_PREBUF(&am, top, powerbuf, wvalue, numPowers)) goto err;
-+ if (!MOD_EXP_CTIME_COPY_FROM_PREBUF(&am, top, powerbuf, wvalue, window)) goto err;
-
- /* Multiply the result into the intermediate result */
- if (!BN_mod_mul_montgomery(&tmp,&tmp,&am,mont,ctx)) goto err;
-@@ -874,7 +929,16 @@ int BN_mod_exp_mont_word(BIGNUM *rr, BN_
- bits = BN_num_bits(p);
- if (bits == 0)
- {
-- ret = BN_one(rr);
-+ /* x**0 mod 1 is still zero. */
-+ if (BN_is_one(m))
-+ {
-+ ret = 1;
-+ BN_zero(rr);
-+ }
-+ else
-+ {
-+ ret = BN_one(rr);
-+ }
- return ret;
- }
- if (a == 0)
-@@ -997,10 +1061,18 @@ int BN_mod_exp_simple(BIGNUM *r, const B
- }
-
- bits=BN_num_bits(p);
--
- if (bits == 0)
- {
-- ret = BN_one(r);
-+ /* x**0 mod 1 is still zero. */
-+ if (BN_is_one(m))
-+ {
-+ ret = 1;
-+ BN_zero(r);
-+ }
-+ else
-+ {
-+ ret = BN_one(r);
-+ }
- return ret;
- }
-
-diff -up openssl-1.0.1e/crypto/constant_time_locl.h.rsa-const openssl-1.0.1e/crypto/constant_time_locl.h
---- openssl-1.0.1e/crypto/constant_time_locl.h.rsa-const 2016-02-24 11:29:44.635303119 +0100
-+++ openssl-1.0.1e/crypto/constant_time_locl.h 2016-02-24 11:27:44.000000000 +0100
-@@ -0,0 +1,211 @@
-+/* crypto/constant_time_locl.h */
-+/*-
-+ * Utilities for constant-time cryptography.
-+ *
-+ * Author: Emilia Kasper (emilia@openssl.org)
-+ * Based on previous work by Bodo Moeller, Emilia Kasper, Adam Langley
-+ * (Google).
-+ * ====================================================================
-+ * Copyright (c) 2014 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ * 1. Redistributions of source code must retain the copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in the
-+ * documentation and/or other materials provided with the distribution.
-+ * 3. All advertising materials mentioning features or use of this software
-+ * must display the following acknowledgement:
-+ * "This product includes cryptographic software written by
-+ * Eric Young (eay@cryptsoft.com)"
-+ * The word 'cryptographic' can be left out if the rouines from the library
-+ * being used are not cryptographic related :-).
-+ * 4. If you include any Windows specific code (or a derivative thereof) from
-+ * the apps directory (application code) you must include an acknowledgement:
-+ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
-+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-+ * SUCH DAMAGE.
-+ *
-+ * The licence and distribution terms for any publically available version or
-+ * derivative of this code cannot be changed. i.e. this code cannot simply be
-+ * copied and put under another distribution licence
-+ * [including the GNU Public Licence.]
-+ */
-+
-+#ifndef HEADER_CONSTANT_TIME_LOCL_H
-+# define HEADER_CONSTANT_TIME_LOCL_H
-+
-+# include "e_os.h" /* For 'inline' */
-+
-+#ifdef __cplusplus
-+extern "C" {
-+#endif
-+
-+/*-
-+ * The boolean methods return a bitmask of all ones (0xff...f) for true
-+ * and 0 for false. This is useful for choosing a value based on the result
-+ * of a conditional in constant time. For example,
-+ *
-+ * if (a < b) {
-+ * c = a;
-+ * } else {
-+ * c = b;
-+ * }
-+ *
-+ * can be written as
-+ *
-+ * unsigned int lt = constant_time_lt(a, b);
-+ * c = constant_time_select(lt, a, b);
-+ */
-+
-+/*
-+ * Returns the given value with the MSB copied to all the other
-+ * bits. Uses the fact that arithmetic shift shifts-in the sign bit.
-+ * However, this is not ensured by the C standard so you may need to
-+ * replace this with something else on odd CPUs.
-+ */
-+static inline unsigned int constant_time_msb(unsigned int a);
-+
-+/*
-+ * Returns 0xff..f if a < b and 0 otherwise.
-+ */
-+static inline unsigned int constant_time_lt(unsigned int a, unsigned int b);
-+/* Convenience method for getting an 8-bit mask. */
-+static inline unsigned char constant_time_lt_8(unsigned int a,
-+ unsigned int b);
-+
-+/*
-+ * Returns 0xff..f if a >= b and 0 otherwise.
-+ */
-+static inline unsigned int constant_time_ge(unsigned int a, unsigned int b);
-+/* Convenience method for getting an 8-bit mask. */
-+static inline unsigned char constant_time_ge_8(unsigned int a,
-+ unsigned int b);
-+
-+/*
-+ * Returns 0xff..f if a == 0 and 0 otherwise.
-+ */
-+static inline unsigned int constant_time_is_zero(unsigned int a);
-+/* Convenience method for getting an 8-bit mask. */
-+static inline unsigned char constant_time_is_zero_8(unsigned int a);
-+
-+/*
-+ * Returns 0xff..f if a == b and 0 otherwise.
-+ */
-+static inline unsigned int constant_time_eq(unsigned int a, unsigned int b);
-+/* Convenience method for getting an 8-bit mask. */
-+static inline unsigned char constant_time_eq_8(unsigned int a,
-+ unsigned int b);
-+/* Signed integers. */
-+static inline unsigned int constant_time_eq_int(int a, int b);
-+/* Convenience method for getting an 8-bit mask. */
-+static inline unsigned char constant_time_eq_int_8(int a, int b);
-+
-+/*-
-+ * Returns (mask & a) | (~mask & b).
-+ *
-+ * When |mask| is all 1s or all 0s (as returned by the methods above),
-+ * the select methods return either |a| (if |mask| is nonzero) or |b|
-+ * (if |mask| is zero).
-+ */
-+static inline unsigned int constant_time_select(unsigned int mask,
-+ unsigned int a,
-+ unsigned int b);
-+/* Convenience method for unsigned chars. */
-+static inline unsigned char constant_time_select_8(unsigned char mask,
-+ unsigned char a,
-+ unsigned char b);
-+/* Convenience method for signed integers. */
-+static inline int constant_time_select_int(unsigned int mask, int a, int b);
-+
-+static inline unsigned int constant_time_msb(unsigned int a)
-+{
-+ return 0 - (a >> (sizeof(a) * 8 - 1));
-+}
-+
-+static inline unsigned int constant_time_lt(unsigned int a, unsigned int b)
-+{
-+ return constant_time_msb(a ^ ((a ^ b) | ((a - b) ^ b)));
-+}
-+
-+static inline unsigned char constant_time_lt_8(unsigned int a, unsigned int b)
-+{
-+ return (unsigned char)(constant_time_lt(a, b));
-+}
-+
-+static inline unsigned int constant_time_ge(unsigned int a, unsigned int b)
-+{
-+ return ~constant_time_lt(a, b);
-+}
-+
-+static inline unsigned char constant_time_ge_8(unsigned int a, unsigned int b)
-+{
-+ return (unsigned char)(constant_time_ge(a, b));
-+}
-+
-+static inline unsigned int constant_time_is_zero(unsigned int a)
-+{
-+ return constant_time_msb(~a & (a - 1));
-+}
-+
-+static inline unsigned char constant_time_is_zero_8(unsigned int a)
-+{
-+ return (unsigned char)(constant_time_is_zero(a));
-+}
-+
-+static inline unsigned int constant_time_eq(unsigned int a, unsigned int b)
-+{
-+ return constant_time_is_zero(a ^ b);
-+}
-+
-+static inline unsigned char constant_time_eq_8(unsigned int a, unsigned int b)
-+{
-+ return (unsigned char)(constant_time_eq(a, b));
-+}
-+
-+static inline unsigned int constant_time_eq_int(int a, int b)
-+{
-+ return constant_time_eq((unsigned)(a), (unsigned)(b));
-+}
-+
-+static inline unsigned char constant_time_eq_int_8(int a, int b)
-+{
-+ return constant_time_eq_8((unsigned)(a), (unsigned)(b));
-+}
-+
-+static inline unsigned int constant_time_select(unsigned int mask,
-+ unsigned int a,
-+ unsigned int b)
-+{
-+ return (mask & a) | (~mask & b);
-+}
-+
-+static inline unsigned char constant_time_select_8(unsigned char mask,
-+ unsigned char a,
-+ unsigned char b)
-+{
-+ return (unsigned char)(constant_time_select(mask, a, b));
-+}
-+
-+static inline int constant_time_select_int(unsigned int mask, int a, int b)
-+{
-+ return (int)(constant_time_select(mask, (unsigned)(a), (unsigned)(b)));
-+}
-+
-+#ifdef __cplusplus
-+}
-+#endif
-+
-+#endif /* HEADER_CONSTANT_TIME_LOCL_H */
-diff -up openssl-1.0.1e/crypto/perlasm/x86_64-xlate.pl.rsa-const openssl-1.0.1e/crypto/perlasm/x86_64-xlate.pl
---- openssl-1.0.1e/crypto/perlasm/x86_64-xlate.pl.rsa-const 2016-01-14 17:38:50.121212850 +0100
-+++ openssl-1.0.1e/crypto/perlasm/x86_64-xlate.pl 2016-02-24 11:26:40.316912890 +0100
-@@ -121,7 +121,7 @@ my %globals;
- $self->{sz} = "";
- } elsif ($self->{op} =~ /^v/) { # VEX
- $self->{sz} = "";
-- } elsif ($self->{op} =~ /movq/ && $line =~ /%xmm/) {
-+ } elsif ($self->{op} =~ /mov[dq]/ && $line =~ /%xmm/) {
- $self->{sz} = "";
- } elsif ($self->{op} =~ /([a-z]{3,})([qlwb])$/) {
- $self->{op} = $1;
diff --git a/SOURCES/openssl-1.0.1e-cve-2016-0705.patch b/SOURCES/openssl-1.0.1e-cve-2016-0705.patch
deleted file mode 100644
index b82d7a3..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2016-0705.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-diff -up openssl-1.0.1e/crypto/dsa/dsa_ameth.c.dsa-doublefree openssl-1.0.1e/crypto/dsa/dsa_ameth.c
---- openssl-1.0.1e/crypto/dsa/dsa_ameth.c.dsa-doublefree 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/dsa/dsa_ameth.c 2016-02-24 14:38:46.075165304 +0100
-@@ -201,6 +201,8 @@ static int dsa_priv_decode(EVP_PKEY *pke
- STACK_OF(ASN1_TYPE) *ndsa = NULL;
- DSA *dsa = NULL;
-
-+ int ret = 0;
-+
- if (!PKCS8_pkey_get0(NULL, &p, &pklen, &palg, p8))
- return 0;
- X509_ALGOR_get0(NULL, &ptype, &pval, palg);
-@@ -281,23 +283,21 @@ static int dsa_priv_decode(EVP_PKEY *pke
- }
-
- EVP_PKEY_assign_DSA(pkey, dsa);
-- BN_CTX_free (ctx);
-- if(ndsa)
-- sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
-- else
-- ASN1_INTEGER_free(privkey);
-
-- return 1;
-+ ret = 1;
-+ goto done;
-
- decerr:
- DSAerr(DSA_F_DSA_PRIV_DECODE, EVP_R_DECODE_ERROR);
- dsaerr:
-- BN_CTX_free (ctx);
-- if (privkey)
-- ASN1_INTEGER_free(privkey);
-- sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
- DSA_free(dsa);
-- return 0;
-+ done:
-+ BN_CTX_free (ctx);
-+ if (ndsa)
-+ sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
-+ else
-+ ASN1_INTEGER_free(privkey);
-+ return ret;
- }
-
- static int dsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
diff --git a/SOURCES/openssl-1.0.1e-cve-2016-0797.patch b/SOURCES/openssl-1.0.1e-cve-2016-0797.patch
deleted file mode 100644
index 278c353..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2016-0797.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-diff -up openssl-1.0.1e/crypto/bn/bn.h.bn-hex openssl-1.0.1e/crypto/bn/bn.h
---- openssl-1.0.1e/crypto/bn/bn.h.bn-hex 2016-02-24 14:23:33.020233047 +0100
-+++ openssl-1.0.1e/crypto/bn/bn.h 2016-02-24 14:23:06.078615397 +0100
-@@ -129,6 +129,7 @@
- #ifndef OPENSSL_NO_FP_API
- #include <stdio.h> /* FILE */
- #endif
-+#include <limits.h>
- #include <openssl/ossl_typ.h>
- #include <openssl/crypto.h>
-
-@@ -640,7 +641,8 @@ const BIGNUM *BN_get0_nist_prime_521(voi
-
- /* library internal functions */
-
--#define bn_expand(a,bits) ((((((bits+BN_BITS2-1))/BN_BITS2)) <= (a)->dmax)?\
-+#define bn_expand(a,bits) (bits > (INT_MAX - BN_BITS2 + 1)?\
-+ NULL:(((((bits+BN_BITS2-1))/BN_BITS2)) <= (a)->dmax)?\
- (a):bn_expand2((a),(bits+BN_BITS2-1)/BN_BITS2))
- #define bn_wexpand(a,words) (((words) <= (a)->dmax)?(a):bn_expand2((a),(words)))
- BIGNUM *bn_expand2(BIGNUM *a, int words);
-diff -up openssl-1.0.1e/crypto/bn/bn_print.c.bn-hex openssl-1.0.1e/crypto/bn/bn_print.c
---- openssl-1.0.1e/crypto/bn/bn_print.c.bn-hex 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/bn/bn_print.c 2016-02-24 14:15:21.215948376 +0100
-@@ -58,6 +58,7 @@
-
- #include <stdio.h>
- #include <ctype.h>
-+#include <limits.h>
- #include "cryptlib.h"
- #include <openssl/buffer.h>
- #include "bn_lcl.h"
-@@ -180,8 +181,10 @@ int BN_hex2bn(BIGNUM **bn, const char *a
-
- if (*a == '-') { neg=1; a++; }
-
-- for (i=0; isxdigit((unsigned char) a[i]); i++)
-+ for (i=0; i <= (INT_MAX/4) && isxdigit((unsigned char) a[i]); i++)
- ;
-+ if (i > INT_MAX/4)
-+ goto err;
-
- num=i+neg;
- if (bn == NULL) return(num);
-@@ -197,7 +200,7 @@ int BN_hex2bn(BIGNUM **bn, const char *a
- BN_zero(ret);
- }
-
-- /* i is the number of hex digests; */
-+ /* i is the number of hex digits */
- if (bn_expand(ret,i*4) == NULL) goto err;
-
- j=i; /* least significant 'hex' */
-@@ -246,8 +249,10 @@ int BN_dec2bn(BIGNUM **bn, const char *a
- if ((a == NULL) || (*a == '\0')) return(0);
- if (*a == '-') { neg=1; a++; }
-
-- for (i=0; isdigit((unsigned char) a[i]); i++)
-+ for (i=0; i <= (INT_MAX/4) && isdigit((unsigned char) a[i]); i++)
- ;
-+ if (i > INT_MAX/4)
-+ goto err;
-
- num=i+neg;
- if (bn == NULL) return(num);
-@@ -264,7 +269,7 @@ int BN_dec2bn(BIGNUM **bn, const char *a
- BN_zero(ret);
- }
-
-- /* i is the number of digests, a bit of an over expand; */
-+ /* i is the number of digits, a bit of an over expand */
- if (bn_expand(ret,i*4) == NULL) goto err;
-
- j=BN_DEC_NUM-(i%BN_DEC_NUM);
diff --git a/SOURCES/openssl-1.0.1e-cve-2016-0799.patch b/SOURCES/openssl-1.0.1e-cve-2016-0799.patch
deleted file mode 100644
index 42a3d01..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2016-0799.patch
+++ /dev/null
@@ -1,437 +0,0 @@
-diff -up openssl-1.0.1e/crypto/bio/b_print.c.bio-printf openssl-1.0.1e/crypto/bio/b_print.c
---- openssl-1.0.1e/crypto/bio/b_print.c.bio-printf 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/bio/b_print.c 2016-04-07 14:36:55.538117697 +0200
-@@ -125,14 +125,14 @@
- #define LLONG long
- #endif
-
--static void fmtstr (char **, char **, size_t *, size_t *,
-+static int fmtstr(char **, char **, size_t *, size_t *,
- const char *, int, int, int);
--static void fmtint (char **, char **, size_t *, size_t *,
-+static int fmtint(char **, char **, size_t *, size_t *,
- LLONG, int, int, int, int);
--static void fmtfp (char **, char **, size_t *, size_t *,
-+static int fmtfp(char **, char **, size_t *, size_t *,
- LDOUBLE, int, int, int);
--static void doapr_outch (char **, char **, size_t *, size_t *, int);
--static void _dopr(char **sbuffer, char **buffer,
-+static int doapr_outch(char **, char **, size_t *, size_t *, int);
-+static int _dopr(char **sbuffer, char **buffer,
- size_t *maxlen, size_t *retlen, int *truncated,
- const char *format, va_list args);
-
-@@ -165,7 +165,7 @@ static void _dopr(char **sbuffer, char *
- #define char_to_int(p) (p - '0')
- #define OSSL_MAX(p,q) ((p >= q) ? p : q)
-
--static void
-+static int
- _dopr(
- char **sbuffer,
- char **buffer,
-@@ -200,7 +200,8 @@ _dopr(
- if (ch == '%')
- state = DP_S_FLAGS;
- else
-- doapr_outch(sbuffer,buffer, &currlen, maxlen, ch);
-+ if (!doapr_outch(sbuffer, buffer, &currlen, maxlen, ch))
-+ return 0;
- ch = *format++;
- break;
- case DP_S_FLAGS:
-@@ -306,8 +307,9 @@ _dopr(
- value = va_arg(args, int);
- break;
- }
-- fmtint(sbuffer, buffer, &currlen, maxlen,
-- value, 10, min, max, flags);
-+ if (!fmtint(sbuffer, buffer, &currlen, maxlen, value, 10, min,
-+ max, flags))
-+ return 0;
- break;
- case 'X':
- flags |= DP_F_UP;
-@@ -332,17 +334,19 @@ _dopr(
- unsigned int);
- break;
- }
-- fmtint(sbuffer, buffer, &currlen, maxlen, value,
-+ if (!fmtint(sbuffer, buffer, &currlen, maxlen, value,
- ch == 'o' ? 8 : (ch == 'u' ? 10 : 16),
-- min, max, flags);
-+ min, max, flags))
-+ return 0;
- break;
- case 'f':
- if (cflags == DP_C_LDOUBLE)
- fvalue = va_arg(args, LDOUBLE);
- else
- fvalue = va_arg(args, double);
-- fmtfp(sbuffer, buffer, &currlen, maxlen,
-- fvalue, min, max, flags);
-+ if (!fmtfp(sbuffer, buffer, &currlen, maxlen, fvalue, min, max,
-+ flags))
-+ return 0;
- break;
- case 'E':
- flags |= DP_F_UP;
-@@ -361,8 +365,9 @@ _dopr(
- fvalue = va_arg(args, double);
- break;
- case 'c':
-- doapr_outch(sbuffer, buffer, &currlen, maxlen,
-- va_arg(args, int));
-+ if(!doapr_outch(sbuffer, buffer, &currlen, maxlen,
-+ va_arg(args, int)))
-+ return 0;
- break;
- case 's':
- strvalue = va_arg(args, char *);
-@@ -372,13 +377,15 @@ _dopr(
- else
- max = *maxlen;
- }
-- fmtstr(sbuffer, buffer, &currlen, maxlen, strvalue,
-- flags, min, max);
-+ if (!fmtstr(sbuffer, buffer, &currlen, maxlen, strvalue,
-+ flags, min, max))
-+ return 0;
- break;
- case 'p':
- value = (long)va_arg(args, void *);
-- fmtint(sbuffer, buffer, &currlen, maxlen,
-- value, 16, min, max, flags|DP_F_NUM);
-+ if (!fmtint(sbuffer, buffer, &currlen, maxlen,
-+ value, 16, min, max, flags | DP_F_NUM))
-+ return 0;
- break;
- case 'n': /* XXX */
- if (cflags == DP_C_SHORT) {
-@@ -400,7 +407,8 @@ _dopr(
- }
- break;
- case '%':
-- doapr_outch(sbuffer, buffer, &currlen, maxlen, ch);
-+ if(!doapr_outch(sbuffer, buffer, &currlen, maxlen, ch))
-+ return 0;
- break;
- case 'w':
- /* not supported yet, treat as next char */
-@@ -424,12 +432,13 @@ _dopr(
- *truncated = (currlen > *maxlen - 1);
- if (*truncated)
- currlen = *maxlen - 1;
-- doapr_outch(sbuffer, buffer, &currlen, maxlen, '\0');
-+ if(!doapr_outch(sbuffer, buffer, &currlen, maxlen, '\0'))
-+ return 0;
- *retlen = currlen - 1;
-- return;
-+ return 1;
- }
-
--static void
-+static int
- fmtstr(
- char **sbuffer,
- char **buffer,
-@@ -440,36 +449,44 @@ fmtstr(
- int min,
- int max)
- {
-- int padlen, strln;
-+ int padlen;
-+ size_t strln;
- int cnt = 0;
-
- if (value == 0)
- value = "<NULL>";
-- for (strln = 0; value[strln]; ++strln)
-- ;
-+
-+ strln = strlen(value);
-+ if (strln > INT_MAX)
-+ strln = INT_MAX;
-+
- padlen = min - strln;
-- if (padlen < 0)
-+ if (min < 0 || padlen < 0)
- padlen = 0;
- if (flags & DP_F_MINUS)
- padlen = -padlen;
-
- while ((padlen > 0) && (cnt < max)) {
-- doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
-+ if(!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
-+ return 0;
- --padlen;
- ++cnt;
- }
- while (*value && (cnt < max)) {
-- doapr_outch(sbuffer, buffer, currlen, maxlen, *value++);
-+ if(!doapr_outch(sbuffer, buffer, currlen, maxlen, *value++))
-+ return 0;
- ++cnt;
- }
- while ((padlen < 0) && (cnt < max)) {
-- doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
-+ if(!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
-+ return 0;
- ++padlen;
- ++cnt;
- }
-+ return 1;
- }
-
--static void
-+static int
- fmtint(
- char **sbuffer,
- char **buffer,
-@@ -533,37 +550,44 @@ fmtint(
-
- /* spaces */
- while (spadlen > 0) {
-- doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
-+ if(!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
-+ return 0;
- --spadlen;
- }
-
- /* sign */
- if (signvalue)
-- doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue);
-+ if(!doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue))
-+ return 0;
-
- /* prefix */
- while (*prefix) {
-- doapr_outch(sbuffer, buffer, currlen, maxlen, *prefix);
-+ if(!doapr_outch(sbuffer, buffer, currlen, maxlen, *prefix))
-+ return 0;
- prefix++;
- }
-
- /* zeros */
- if (zpadlen > 0) {
- while (zpadlen > 0) {
-- doapr_outch(sbuffer, buffer, currlen, maxlen, '0');
-+ if(!doapr_outch(sbuffer, buffer, currlen, maxlen, '0'))
-+ return 0;
- --zpadlen;
- }
- }
- /* digits */
-- while (place > 0)
-- doapr_outch(sbuffer, buffer, currlen, maxlen, convert[--place]);
-+ while (place > 0) {
-+ if (!doapr_outch(sbuffer, buffer, currlen, maxlen, convert[--place]))
-+ return 0;
-+ }
-
- /* left justified spaces */
- while (spadlen < 0) {
-- doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
-+ if (!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
-+ return 0;
- ++spadlen;
- }
-- return;
-+ return 1;
- }
-
- static LDOUBLE
-@@ -597,7 +621,7 @@ roundv(LDOUBLE value)
- return intpart;
- }
-
--static void
-+static int
- fmtfp(
- char **sbuffer,
- char **buffer,
-@@ -616,7 +640,6 @@ fmtfp(
- int fplace = 0;
- int padlen = 0;
- int zpadlen = 0;
-- int caps = 0;
- long intpart;
- long fracpart;
- long max10;
-@@ -650,9 +673,7 @@ fmtfp(
-
- /* convert integer part */
- do {
-- iconvert[iplace++] =
-- (caps ? "0123456789ABCDEF"
-- : "0123456789abcdef")[intpart % 10];
-+ iconvert[iplace++] = "0123456789"[intpart % 10];
- intpart = (intpart / 10);
- } while (intpart && (iplace < (int)sizeof(iconvert)));
- if (iplace == sizeof iconvert)
-@@ -661,9 +682,7 @@ fmtfp(
-
- /* convert fractional part */
- do {
-- fconvert[fplace++] =
-- (caps ? "0123456789ABCDEF"
-- : "0123456789abcdef")[fracpart % 10];
-+ fconvert[fplace++] = "0123456789"[fracpart % 10];
- fracpart = (fracpart / 10);
- } while (fplace < max);
- if (fplace == sizeof fconvert)
-@@ -682,47 +701,61 @@ fmtfp(
-
- if ((flags & DP_F_ZERO) && (padlen > 0)) {
- if (signvalue) {
-- doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue);
-+ if (!doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue))
-+ return 0;
- --padlen;
- signvalue = 0;
- }
- while (padlen > 0) {
-- doapr_outch(sbuffer, buffer, currlen, maxlen, '0');
-+ if (!doapr_outch(sbuffer, buffer, currlen, maxlen, '0'))
-+ return 0;
- --padlen;
- }
- }
- while (padlen > 0) {
-- doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
-+ if (!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
-+ return 0;
- --padlen;
- }
-- if (signvalue)
-- doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue);
-+ if (signvalue && !doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue))
-+ return 0;
-
-- while (iplace > 0)
-- doapr_outch(sbuffer, buffer, currlen, maxlen, iconvert[--iplace]);
-+ while (iplace > 0) {
-+ if (!doapr_outch(sbuffer, buffer, currlen, maxlen, iconvert[--iplace]))
-+ return 0;
-+ }
-
- /*
- * Decimal point. This should probably use locale to find the correct
- * char to print out.
- */
- if (max > 0 || (flags & DP_F_NUM)) {
-- doapr_outch(sbuffer, buffer, currlen, maxlen, '.');
-+ if (!doapr_outch(sbuffer, buffer, currlen, maxlen, '.'))
-+ return 0;
-
-- while (fplace > 0)
-- doapr_outch(sbuffer, buffer, currlen, maxlen, fconvert[--fplace]);
-+ while (fplace > 0) {
-+ if(!doapr_outch(sbuffer, buffer, currlen, maxlen,
-+ fconvert[--fplace]))
-+ return 0;
-+ }
- }
- while (zpadlen > 0) {
-- doapr_outch(sbuffer, buffer, currlen, maxlen, '0');
-+ if (!doapr_outch(sbuffer, buffer, currlen, maxlen, '0'))
-+ return 0;
- --zpadlen;
- }
-
- while (padlen < 0) {
-- doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
-+ if (!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
-+ return 0;
- ++padlen;
- }
-+ return 1;
- }
-
--static void
-+#define BUFFER_INC 1024
-+
-+static int
- doapr_outch(
- char **sbuffer,
- char **buffer,
-@@ -733,24 +766,30 @@ doapr_outch(
- /* If we haven't at least one buffer, someone has doe a big booboo */
- assert(*sbuffer != NULL || buffer != NULL);
-
-- if (buffer) {
-- while (*currlen >= *maxlen) {
-- if (*buffer == NULL) {
-- if (*maxlen == 0)
-- *maxlen = 1024;
-+ /* |currlen| must always be <= |*maxlen| */
-+ assert(*currlen <= *maxlen);
-+
-+ if (buffer && *currlen == *maxlen) {
-+ if (*maxlen > INT_MAX - BUFFER_INC)
-+ return 0;
-+
-+ *maxlen += BUFFER_INC;
-+ if (*buffer == NULL) {
- *buffer = OPENSSL_malloc(*maxlen);
-+ if (*buffer == NULL)
-+ return 0;
- if (*currlen > 0) {
- assert(*sbuffer != NULL);
- memcpy(*buffer, *sbuffer, *currlen);
- }
- *sbuffer = NULL;
-- } else {
-- *maxlen += 1024;
-- *buffer = OPENSSL_realloc(*buffer, *maxlen);
-- }
-+ } else {
-+ char *tmpbuf;
-+ tmpbuf = OPENSSL_realloc(*buffer, *maxlen);
-+ if (tmpbuf == NULL)
-+ return 0;
-+ *buffer = tmpbuf;
- }
-- /* What to do if *buffer is NULL? */
-- assert(*sbuffer != NULL || *buffer != NULL);
- }
-
- if (*currlen < *maxlen) {
-@@ -760,7 +799,7 @@ doapr_outch(
- (*buffer)[(*currlen)++] = (char)c;
- }
-
-- return;
-+ return 1;
- }
-
- /***************************************************************************/
-@@ -792,11 +831,15 @@ int BIO_vprintf (BIO *bio, const char *f
-
- dynbuf = NULL;
- CRYPTO_push_info("doapr()");
-- _dopr(&hugebufp, &dynbuf, &hugebufsize,
-- &retlen, &ignored, format, args);
-+ if (!_dopr(&hugebufp, &dynbuf, &hugebufsize, &retlen, &ignored, format,
-+ args))
-+ {
-+ OPENSSL_free(dynbuf);
-+ return -1;
-+ }
- if (dynbuf)
- {
-- ret=BIO_write(bio, dynbuf, (int)retlen);
-+ ret = BIO_write(bio, dynbuf, (int)retlen);
- OPENSSL_free(dynbuf);
- }
- else
-@@ -829,7 +872,8 @@ int BIO_vsnprintf(char *buf, size_t n, c
- size_t retlen;
- int truncated;
-
-- _dopr(&buf, NULL, &n, &retlen, &truncated, format, args);
-+ if(!_dopr(&buf, NULL, &n, &retlen, &truncated, format, args))
-+ return -1;
-
- if (truncated)
- /* In case of truncation, return -1 like traditional snprintf.
diff --git a/SOURCES/openssl-1.0.1e-cve-2016-2105.patch b/SOURCES/openssl-1.0.1e-cve-2016-2105.patch
deleted file mode 100644
index b6351a0..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2016-2105.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-diff -up openssl-1.0.1e/crypto/evp/encode.c.b64-overflow openssl-1.0.1e/crypto/evp/encode.c
---- openssl-1.0.1e/crypto/evp/encode.c.b64-overflow 2016-04-07 15:45:20.000000000 +0200
-+++ openssl-1.0.1e/crypto/evp/encode.c 2016-04-29 12:46:34.232656522 +0200
-@@ -132,12 +132,12 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ct
- const unsigned char *in, int inl)
- {
- int i,j;
-- unsigned int total=0;
-+ size_t total=0;
-
- *outl=0;
- if (inl == 0) return;
- OPENSSL_assert(ctx->length <= (int)sizeof(ctx->enc_data));
-- if ((ctx->num+inl) < ctx->length)
-+ if (ctx->length - ctx->num > inl)
- {
- memcpy(&(ctx->enc_data[ctx->num]),in,inl);
- ctx->num+=inl;
-@@ -156,7 +156,7 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ct
- *out='\0';
- total=j+1;
- }
-- while (inl >= ctx->length)
-+ while (inl >= ctx->length && total <= INT_MAX)
- {
- j=EVP_EncodeBlock(out,in,ctx->length);
- in+=ctx->length;
-@@ -166,6 +166,12 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ct
- *out='\0';
- total+=j+1;
- }
-+ if (total > INT_MAX)
-+ {
-+ /* Too much output data! */
-+ *outl = 0;
-+ return;
-+ }
- if (inl != 0)
- memcpy(&(ctx->enc_data[0]),in,inl);
- ctx->num=inl;
diff --git a/SOURCES/openssl-1.0.1e-cve-2016-2106.patch b/SOURCES/openssl-1.0.1e-cve-2016-2106.patch
deleted file mode 100644
index ada5f75..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2016-2106.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up openssl-1.0.1e/crypto/evp/evp_enc.c.enc-overflow openssl-1.0.1e/crypto/evp/evp_enc.c
---- openssl-1.0.1e/crypto/evp/evp_enc.c.enc-overflow 2016-04-29 12:42:43.000000000 +0200
-+++ openssl-1.0.1e/crypto/evp/evp_enc.c 2016-04-29 12:56:50.253736555 +0200
-@@ -408,7 +408,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ct
- OPENSSL_assert(bl <= (int)sizeof(ctx->buf));
- if (i != 0)
- {
-- if (i+inl < bl)
-+ if (bl - i > inl)
- {
- memcpy(&(ctx->buf[i]),in,inl);
- ctx->buf_len+=inl;
diff --git a/SOURCES/openssl-1.0.1e-cve-2016-2107.patch b/SOURCES/openssl-1.0.1e-cve-2016-2107.patch
deleted file mode 100644
index 340267e..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2016-2107.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-diff -up openssl-1.0.1e/crypto/evp/e_aes_cbc_hmac_sha1.c.padding-check openssl-1.0.1e/crypto/evp/e_aes_cbc_hmac_sha1.c
---- openssl-1.0.1e/crypto/evp/e_aes_cbc_hmac_sha1.c.padding-check 2016-04-29 12:42:43.000000000 +0200
-+++ openssl-1.0.1e/crypto/evp/e_aes_cbc_hmac_sha1.c 2016-04-29 13:10:13.441125487 +0200
-@@ -59,6 +59,7 @@
- #include <openssl/aes.h>
- #include <openssl/sha.h>
- #include "evp_locl.h"
-+#include "constant_time_locl.h"
-
- #ifndef EVP_CIPH_FLAG_AEAD_CIPHER
- #define EVP_CIPH_FLAG_AEAD_CIPHER 0x200000
-@@ -278,6 +279,8 @@ static int aesni_cbc_hmac_sha1_cipher(EV
- maxpad |= (255-maxpad)>>(sizeof(maxpad)*8-8);
- maxpad &= 255;
-
-+ ret &= constant_time_ge(maxpad, pad);
-+
- inp_len = len - (SHA_DIGEST_LENGTH+pad+1);
- mask = (0-((inp_len-len)>>(sizeof(inp_len)*8-1)));
- inp_len &= mask;
diff --git a/SOURCES/openssl-1.0.1e-cve-2016-2108.patch b/SOURCES/openssl-1.0.1e-cve-2016-2108.patch
deleted file mode 100644
index 9520ed6..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2016-2108.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-diff -up openssl-1.0.1e/crypto/asn1/a_int.c.asn1-negative openssl-1.0.1e/crypto/asn1/a_int.c
---- openssl-1.0.1e/crypto/asn1/a_int.c.asn1-negative 2016-04-29 13:23:05.221797998 +0200
-+++ openssl-1.0.1e/crypto/asn1/a_int.c 2016-04-29 13:26:51.030957218 +0200
-@@ -124,6 +124,8 @@ int i2c_ASN1_INTEGER(ASN1_INTEGER *a, un
- {
- ret=a->length;
- i=a->data[0];
-+ if (ret == 1 && i == 0)
-+ neg = 0;
- if (!neg && (i > 127)) {
- pad=1;
- pb=0;
-@@ -157,7 +159,7 @@ int i2c_ASN1_INTEGER(ASN1_INTEGER *a, un
- p += a->length - 1;
- i = a->length;
- /* Copy zeros to destination as long as source is zero */
-- while(!*n) {
-+ while(!*n && i > 1) {
- *(p--) = 0;
- n--;
- i--;
-@@ -415,7 +417,7 @@ ASN1_INTEGER *BN_to_ASN1_INTEGER(const B
- ASN1err(ASN1_F_BN_TO_ASN1_INTEGER,ERR_R_NESTED_ASN1_ERROR);
- goto err;
- }
-- if (BN_is_negative(bn))
-+ if (BN_is_negative(bn) && !BN_is_zero(bn))
- ret->type = V_ASN1_NEG_INTEGER;
- else ret->type=V_ASN1_INTEGER;
- j=BN_num_bits(bn);
-diff -up openssl-1.0.1e/crypto/asn1/a_type.c.asn1-negative openssl-1.0.1e/crypto/asn1/a_type.c
---- openssl-1.0.1e/crypto/asn1/a_type.c.asn1-negative 2016-04-29 12:42:43.000000000 +0200
-+++ openssl-1.0.1e/crypto/asn1/a_type.c 2016-04-29 13:28:40.202443787 +0200
-@@ -131,9 +131,7 @@ int ASN1_TYPE_cmp(const ASN1_TYPE *a, co
- result = 0; /* They do not have content. */
- break;
- case V_ASN1_INTEGER:
-- case V_ASN1_NEG_INTEGER:
- case V_ASN1_ENUMERATED:
-- case V_ASN1_NEG_ENUMERATED:
- case V_ASN1_BIT_STRING:
- case V_ASN1_OCTET_STRING:
- case V_ASN1_SEQUENCE:
-diff -up openssl-1.0.1e/crypto/asn1/tasn_dec.c.asn1-negative openssl-1.0.1e/crypto/asn1/tasn_dec.c
---- openssl-1.0.1e/crypto/asn1/tasn_dec.c.asn1-negative 2016-04-29 12:42:43.000000000 +0200
-+++ openssl-1.0.1e/crypto/asn1/tasn_dec.c 2016-04-29 13:30:08.560456293 +0200
-@@ -1011,9 +1011,7 @@ int asn1_ex_c2i(ASN1_VALUE **pval, const
- break;
-
- case V_ASN1_INTEGER:
-- case V_ASN1_NEG_INTEGER:
- case V_ASN1_ENUMERATED:
-- case V_ASN1_NEG_ENUMERATED:
- tint = (ASN1_INTEGER **)pval;
- if (!c2i_ASN1_INTEGER(tint, &cont, len))
- goto err;
-diff -up openssl-1.0.1e/crypto/asn1/tasn_enc.c.asn1-negative openssl-1.0.1e/crypto/asn1/tasn_enc.c
---- openssl-1.0.1e/crypto/asn1/tasn_enc.c.asn1-negative 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/asn1/tasn_enc.c 2016-04-29 13:30:34.688051394 +0200
-@@ -638,9 +638,7 @@ int asn1_ex_i2c(ASN1_VALUE **pval, unsig
- break;
-
- case V_ASN1_INTEGER:
-- case V_ASN1_NEG_INTEGER:
- case V_ASN1_ENUMERATED:
-- case V_ASN1_NEG_ENUMERATED:
- /* These are all have the same content format
- * as ASN1_INTEGER
- */
diff --git a/SOURCES/openssl-1.0.1e-cve-2016-2109.patch b/SOURCES/openssl-1.0.1e-cve-2016-2109.patch
deleted file mode 100644
index dd7de61..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2016-2109.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-diff -up openssl-1.0.1e/crypto/asn1/a_d2i_fp.c.asn1-bio-dos openssl-1.0.1e/crypto/asn1/a_d2i_fp.c
---- openssl-1.0.1e/crypto/asn1/a_d2i_fp.c.asn1-bio-dos 2013-02-11 16:02:47.000000000 +0100
-+++ openssl-1.0.1e/crypto/asn1/a_d2i_fp.c 2016-04-29 13:44:52.205538739 +0200
-@@ -139,6 +139,7 @@ void *ASN1_item_d2i_fp(const ASN1_ITEM *
- #endif
-
- #define HEADER_SIZE 8
-+#define ASN1_CHUNK_INITIAL_SIZE (16 * 1024)
- static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
- {
- BUF_MEM *b;
-@@ -230,6 +231,8 @@ static int asn1_d2i_read_bio(BIO *in, BU
- want=c.slen;
- if (want > (len-off))
- {
-+ size_t chunk_max = ASN1_CHUNK_INITIAL_SIZE;
-+
- want-=(len-off);
- if (want > INT_MAX /* BIO_read takes an int length */ ||
- len+want < len)
-@@ -237,24 +240,38 @@ static int asn1_d2i_read_bio(BIO *in, BU
- ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ASN1_R_TOO_LONG);
- goto err;
- }
-- if (!BUF_MEM_grow_clean(b,len+want))
-- {
-- ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ERR_R_MALLOC_FAILURE);
-- goto err;
-- }
- while (want > 0)
- {
-- i=BIO_read(in,&(b->data[len]),want);
-- if (i <= 0)
-+ /*
-+ * Read content in chunks of increasing size
-+ * so we can return an error for EOF without
-+ * having to allocate the entire content length
-+ * in one go.
-+ */
-+ size_t chunk = want > chunk_max ? chunk_max : want;
-+
-+ if (!BUF_MEM_grow_clean(b, len + chunk))
- {
-- ASN1err(ASN1_F_ASN1_D2I_READ_BIO,
-- ASN1_R_NOT_ENOUGH_DATA);
-+ ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ERR_R_MALLOC_FAILURE);
- goto err;
- }
-- /* This can't overflow because
-- * |len+want| didn't overflow. */
-- len+=i;
-- want-=i;
-+ want -= chunk;
-+ while (chunk > 0)
-+ {
-+ i = BIO_read(in, &(b->data[len]), chunk);
-+ if (i <= 0)
-+ {
-+ ASN1err(ASN1_F_ASN1_D2I_READ_BIO,
-+ ASN1_R_NOT_ENOUGH_DATA);
-+ goto err;
-+ }
-+ /* This can't overflow because
-+ * |len+want| didn't overflow. */
-+ len += i;
-+ chunk -= i;
-+ }
-+ if (chunk_max < INT_MAX/2)
-+ chunk_max *= 2;
- }
- }
- if (off + c.slen < off)
diff --git a/SOURCES/openssl-1.0.1e-cve-2016-2177.patch b/SOURCES/openssl-1.0.1e-cve-2016-2177.patch
deleted file mode 100644
index 00b100e..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2016-2177.patch
+++ /dev/null
@@ -1,181 +0,0 @@
-diff -up openssl-1.0.1e/ssl/ssl_sess.c.pointer-arithmetic openssl-1.0.1e/ssl/ssl_sess.c
-diff -up openssl-1.0.1e/ssl/s3_srvr.c.pointer-arithmetic openssl-1.0.1e/ssl/s3_srvr.c
---- openssl-1.0.1e/ssl/s3_srvr.c.pointer-aritmetic 2016-09-20 15:00:06.348015761 +0200
-+++ openssl-1.0.1e/ssl/s3_srvr.c 2016-09-20 15:14:11.630423575 +0200
-@@ -973,6 +973,13 @@ int ssl3_get_client_hello(SSL *s)
- unsigned int session_length, cookie_length;
-
- session_length = *(p + SSL3_RANDOM_SIZE);
-+
-+ if (SSL3_RANDOM_SIZE + session_length + 1 >= (d + n) - p)
-+ {
-+ al = SSL_AD_DECODE_ERROR;
-+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
-+ goto f_err;
-+ }
- cookie_length = *(p + SSL3_RANDOM_SIZE + session_length + 1);
-
- if (cookie_length == 0)
-@@ -986,6 +993,13 @@ int ssl3_get_client_hello(SSL *s)
- /* get the session-id */
- j= *(p++);
-
-+ if ((d + n) - p < j)
-+ {
-+ al = SSL_AD_DECODE_ERROR;
-+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
-+ goto f_err;
-+ }
-+
- s->hit=0;
- /* Versions before 0.9.7 always allow clients to resume sessions in renegotiation.
- * 0.9.7 and later allow this by default, but optionally ignore resumption requests
-@@ -1024,8 +1038,21 @@ int ssl3_get_client_hello(SSL *s)
- if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
- {
- /* cookie stuff */
-+ if ((d + n) - p < 1)
-+ {
-+ al = SSL_AD_DECODE_ERROR;
-+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
-+ goto f_err;
-+ }
- cookie_len = *(p++);
-
-+ if ((d + n ) - p < cookie_len)
-+ {
-+ al = SSL_AD_DECODE_ERROR;
-+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
-+ goto f_err;
-+ }
-+
- /*
- * The ClientHello may contain a cookie even if the
- * HelloVerify message has not been sent--make sure that it
-@@ -1072,6 +1099,12 @@ int ssl3_get_client_hello(SSL *s)
- p += cookie_len;
- }
-
-+ if ((d + n ) - p < 2)
-+ {
-+ al = SSL_AD_DECODE_ERROR;
-+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
-+ goto f_err;
-+ }
- n2s(p,i);
- if ((i == 0) && (j != 0))
- {
-@@ -1080,7 +1113,9 @@ int ssl3_get_client_hello(SSL *s)
- SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_SPECIFIED);
- goto f_err;
- }
-- if ((p+i) >= (d+n))
-+
-+ /* i bytes of cipher data + 1 byte for compression length later */
-+ if ((d + n) - p < i + 1)
- {
- /* not enough data */
- al=SSL_AD_DECODE_ERROR;
-@@ -1147,7 +1182,7 @@ int ssl3_get_client_hello(SSL *s)
-
- /* compression */
- i= *(p++);
-- if ((p+i) > (d+n))
-+ if ((d + n) - p < i)
- {
- /* not enough data */
- al=SSL_AD_DECODE_ERROR;
-diff -up openssl-1.0.1e/ssl/t1_lib.c.pointer-arithmetic openssl-1.0.1e/ssl/t1_lib.c
---- openssl-1.0.1e/ssl/t1_lib.c.pointer-aritmetic 2016-09-20 15:00:06.351015830 +0200
-+++ openssl-1.0.1e/ssl/t1_lib.c 2016-09-20 15:37:34.660870014 +0200
-@@ -923,19 +923,19 @@ int ssl_parse_clienthello_tlsext(SSL *s,
- SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
- #endif
-
-- if (data >= (d+n-2))
-+ if ((d + n) - data < 2)
- goto ri_check;
- n2s(data,len);
-
-- if (data > (d+n-len))
-+ if ((d + n) - data < len)
- goto ri_check;
-
-- while (data <= (d+n-4))
-+ while ((d + n) - data >= 4)
- {
- n2s(data,type);
- n2s(data,size);
-
-- if (data+size > (d+n))
-+ if ((d + n) - data < size)
- goto ri_check;
- #if 0
- fprintf(stderr,"Received extension type %d size %d\n",type,size);
-@@ -1437,22 +1437,22 @@ int ssl_parse_serverhello_tlsext(SSL *s,
- SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
- #endif
-
-- if (data >= (d+n-2))
-+ if ((d + n) - data <= 2)
- goto ri_check;
-
- n2s(data,length);
-- if (data+length != d+n)
-+ if ((d + n) - data != length)
- {
- *al = SSL_AD_DECODE_ERROR;
- return 0;
- }
-
-- while(data <= (d+n-4))
-+ while ((d + n) - data >= 4)
- {
- n2s(data,type);
- n2s(data,size);
-
-- if (data+size > (d+n))
-+ if ((d + n) - data < size)
- goto ri_check;
-
- if (s->tlsext_debug_cb)
-@@ -2139,30 +2139,30 @@ int tls1_process_ticket(SSL *s, unsigned
- if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
- {
- i = *(p++);
-- p+= i;
-- if (p >= limit)
-+ if (limit - p <= i)
- return -1;
-+ p += i;
- }
- /* Skip past cipher list */
- n2s(p, i);
-- p+= i;
-- if (p >= limit)
-+ if (limit - p <= i)
- return -1;
-+ p += i;
- /* Skip past compression algorithm list */
- i = *(p++);
-- p += i;
-- if (p > limit)
-+ if (limit - p < i)
- return -1;
-+ p += i;
- /* Now at start of extensions */
-- if ((p + 2) >= limit)
-+ if (limit - p <= 2)
- return 0;
- n2s(p, i);
-- while ((p + 4) <= limit)
-+ while (limit - p >= 4)
- {
- unsigned short type, size;
- n2s(p, type);
- n2s(p, size);
-- if (p + size > limit)
-+ if (limit - p < size)
- return 0;
- if (type == TLSEXT_TYPE_session_ticket)
- {
diff --git a/SOURCES/openssl-1.0.1e-cve-2016-2178.patch b/SOURCES/openssl-1.0.1e-cve-2016-2178.patch
deleted file mode 100644
index 4c6f142..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2016-2178.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up openssl-1.0.1e/crypto/dsa/dsa_ossl.c.dsa-consttime openssl-1.0.1e/crypto/dsa/dsa_ossl.c
---- openssl-1.0.1e/crypto/dsa/dsa_ossl.c.dsa-consttime 2016-09-20 14:55:57.000000000 +0200
-+++ openssl-1.0.1e/crypto/dsa/dsa_ossl.c 2016-09-20 15:46:32.608375100 +0200
-@@ -278,6 +278,8 @@ static int dsa_sign_setup(DSA *dsa, BN_C
- {
- if (!BN_copy(&kq, &k)) goto err;
-
-+ BN_set_flags(&kq, BN_FLG_CONSTTIME);
-+
- /* We do not want timing information to leak the length of k,
- * so we compute g^k using an equivalent exponent of fixed length.
- *
diff --git a/SOURCES/openssl-1.0.1e-cve-2016-2179.patch b/SOURCES/openssl-1.0.1e-cve-2016-2179.patch
deleted file mode 100644
index 4ddb440..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2016-2179.patch
+++ /dev/null
@@ -1,218 +0,0 @@
-diff -up openssl-1.0.1e/ssl/d1_both.c.dtls1-dos2 openssl-1.0.1e/ssl/d1_both.c
---- openssl-1.0.1e/ssl/d1_both.c.dtls1-dos2 2016-09-20 15:53:03.748445806 +0200
-+++ openssl-1.0.1e/ssl/d1_both.c 2016-09-20 16:12:01.422861505 +0200
-@@ -211,7 +211,7 @@ dtls1_hm_fragment_new(unsigned long frag
- return frag;
- }
-
--static void
-+void
- dtls1_hm_fragment_free(hm_fragment *frag)
- {
-
-@@ -544,11 +544,26 @@ dtls1_retrieve_buffered_fragment(SSL *s,
- int al;
-
- *ok = 0;
-- item = pqueue_peek(s->d1->buffered_messages);
-- if ( item == NULL)
-- return 0;
-+ do
-+ {
-+ item = pqueue_peek(s->d1->buffered_messages);
-+ if (item == NULL)
-+ return 0;
-+
-+ frag = (hm_fragment *)item->data;
-+
-+ if (frag->msg_header.seq < s->d1->handshake_read_seq)
-+ {
-+ /* This is a stale message that has been buffered so clear it */
-+ pqueue_pop(s->d1->buffered_messages);
-+ dtls1_hm_fragment_free(frag);
-+ pitem_free(item);
-+ item = NULL;
-+ frag = NULL;
-+ }
-+ }
-+ while (item == NULL);
-
-- frag = (hm_fragment *)item->data;
-
- /* Don't return if reassembly still in progress */
- if (frag->reassembly != NULL)
-@@ -1339,21 +1354,6 @@ dtls1_retransmit_message(SSL *s, unsigne
- return ret;
- }
-
--/* call this function when the buffered messages are no longer needed */
--void
--dtls1_clear_record_buffer(SSL *s)
-- {
-- pitem *item;
--
-- for(item = pqueue_pop(s->d1->sent_messages);
-- item != NULL; item = pqueue_pop(s->d1->sent_messages))
-- {
-- dtls1_hm_fragment_free((hm_fragment *)item->data);
-- pitem_free(item);
-- }
-- }
--
--
- unsigned char *
- dtls1_set_message_header(SSL *s, unsigned char *p, unsigned char mt,
- unsigned long len, unsigned long frag_off, unsigned long frag_len)
-diff -up openssl-1.0.1e/ssl/d1_clnt.c.dtls1-dos2 openssl-1.0.1e/ssl/d1_clnt.c
---- openssl-1.0.1e/ssl/d1_clnt.c.dtls1-dos2 2016-09-20 15:53:03.748445806 +0200
-+++ openssl-1.0.1e/ssl/d1_clnt.c 2016-09-20 15:58:38.292200957 +0200
-@@ -739,6 +739,7 @@ int dtls1_connect(SSL *s)
- /* done with handshaking */
- s->d1->handshake_read_seq = 0;
- s->d1->next_handshake_write_seq = 0;
-+ dtls1_clear_received_buffer(s);
- goto end;
- /* break; */
-
-diff -up openssl-1.0.1e/ssl/d1_lib.c.dtls1-dos2 openssl-1.0.1e/ssl/d1_lib.c
---- openssl-1.0.1e/ssl/d1_lib.c.dtls1-dos2 2016-09-20 15:53:03.749445830 +0200
-+++ openssl-1.0.1e/ssl/d1_lib.c 2016-09-20 16:18:10.046443374 +0200
-@@ -133,7 +133,6 @@ int dtls1_new(SSL *s)
- static void dtls1_clear_queues(SSL *s)
- {
- pitem *item = NULL;
-- hm_fragment *frag = NULL;
- DTLS1_RECORD_DATA *rdata;
-
- while( (item = pqueue_pop(s->d1->unprocessed_rcds.q)) != NULL)
-@@ -158,32 +157,45 @@ static void dtls1_clear_queues(SSL *s)
- pitem_free(item);
- }
-
-- while( (item = pqueue_pop(s->d1->buffered_messages)) != NULL)
-- {
-+ while ((item = pqueue_pop(s->d1->buffered_app_data.q)) != NULL)
-+ {
-+ rdata = (DTLS1_RECORD_DATA *)item->data;
-+ if (rdata->rbuf.buf)
-+ {
-+ OPENSSL_free(rdata->rbuf.buf);
-+ }
-+ OPENSSL_free(item->data);
-+ pitem_free(item);
-+ }
-+
-+ dtls1_clear_received_buffer(s);
-+ dtls1_clear_sent_buffer(s);
-+ }
-+
-+void dtls1_clear_received_buffer(SSL *s)
-+ {
-+ pitem *item = NULL;
-+ hm_fragment *frag = NULL;
-+
-+ while ((item = pqueue_pop(s->d1->buffered_messages)) != NULL)
-+ {
- frag = (hm_fragment *)item->data;
-- OPENSSL_free(frag->fragment);
-- OPENSSL_free(frag);
-+ dtls1_hm_fragment_free(frag);
- pitem_free(item);
- }
-+ }
-
-- while ( (item = pqueue_pop(s->d1->sent_messages)) != NULL)
-- {
-+void dtls1_clear_sent_buffer(SSL *s)
-+ {
-+ pitem *item = NULL;
-+ hm_fragment *frag = NULL;
-+
-+ while ((item = pqueue_pop(s->d1->sent_messages)) != NULL)
-+ {
- frag = (hm_fragment *)item->data;
-- OPENSSL_free(frag->fragment);
-- OPENSSL_free(frag);
-+ dtls1_hm_fragment_free(frag);
- pitem_free(item);
- }
--
-- while ( (item = pqueue_pop(s->d1->buffered_app_data.q)) != NULL)
-- {
-- rdata = (DTLS1_RECORD_DATA *) item->data;
-- if (rdata->rbuf.buf)
-- {
-- OPENSSL_free(rdata->rbuf.buf);
-- }
-- OPENSSL_free(item->data);
-- pitem_free(item);
-- }
- }
-
- void dtls1_free(SSL *s)
-@@ -410,7 +422,7 @@ void dtls1_stop_timer(SSL *s)
- s->d1->timeout_duration = 1;
- BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0, &(s->d1->next_timeout));
- /* Clear retransmission buffer */
-- dtls1_clear_record_buffer(s);
-+ dtls1_clear_sent_buffer(s);
- }
-
- int dtls1_check_timeout_num(SSL *s)
-diff -up openssl-1.0.1e/ssl/d1_pkt.c.dtls1-dos2 openssl-1.0.1e/ssl/d1_pkt.c
---- openssl-1.0.1e/ssl/d1_pkt.c.dtls1-dos2 2016-09-20 15:53:17.246758715 +0200
-+++ openssl-1.0.1e/ssl/d1_pkt.c 2016-09-20 16:14:33.020390824 +0200
-@@ -1900,6 +1900,12 @@ dtls1_reset_seq_numbers(SSL *s, int rw)
- s->d1->r_epoch++;
- memcpy(&(s->d1->bitmap), &(s->d1->next_bitmap), sizeof(DTLS1_BITMAP));
- memset(&(s->d1->next_bitmap), 0x00, sizeof(DTLS1_BITMAP));
-+
-+ /*
-+ * We must not use any buffered messages received from the previous
-+ * epoch
-+ */
-+ dtls1_clear_received_buffer(s);
- }
- else
- {
-diff -up openssl-1.0.1e/ssl/d1_srvr.c.dtls1-dos2 openssl-1.0.1e/ssl/d1_srvr.c
---- openssl-1.0.1e/ssl/d1_srvr.c.dtls1-dos2 2016-09-20 15:53:03.750445853 +0200
-+++ openssl-1.0.1e/ssl/d1_srvr.c 2016-09-20 16:15:39.699943181 +0200
-@@ -276,7 +276,7 @@ int dtls1_accept(SSL *s)
- case SSL3_ST_SW_HELLO_REQ_B:
-
- s->shutdown=0;
-- dtls1_clear_record_buffer(s);
-+ dtls1_clear_sent_buffer(s);
- dtls1_start_timer(s);
- ret=dtls1_send_hello_request(s);
- if (ret <= 0) goto end;
-@@ -811,6 +811,7 @@ int dtls1_accept(SSL *s)
- /* next message is server hello */
- s->d1->handshake_write_seq = 0;
- s->d1->next_handshake_write_seq = 0;
-+ dtls1_clear_received_buffer(s);
- goto end;
- /* break; */
-
-diff -up openssl-1.0.1e/ssl/ssl_locl.h.dtls1-dos2 openssl-1.0.1e/ssl/ssl_locl.h
---- openssl-1.0.1e/ssl/ssl_locl.h.dtls1-dos2 2016-09-20 15:53:03.751445876 +0200
-+++ openssl-1.0.1e/ssl/ssl_locl.h 2016-09-20 16:11:36.288276350 +0200
-@@ -974,7 +974,8 @@ int dtls1_retransmit_message(SSL *s, uns
- unsigned long frag_off, int *found);
- int dtls1_get_queue_priority(unsigned short seq, int is_ccs);
- int dtls1_retransmit_buffered_messages(SSL *s);
--void dtls1_clear_record_buffer(SSL *s);
-+void dtls1_clear_received_buffer(SSL *s);
-+void dtls1_clear_sent_buffer(SSL *s);
- void dtls1_get_message_header(unsigned char *data, struct hm_header_st *msg_hdr);
- void dtls1_get_ccs_header(unsigned char *data, struct ccs_header_st *ccs_hdr);
- void dtls1_reset_seq_numbers(SSL *s, int rw);
-@@ -989,6 +990,7 @@ int dtls1_is_timer_expired(SSL *s);
- void dtls1_double_timeout(SSL *s);
- int dtls1_send_newsession_ticket(SSL *s);
- unsigned int dtls1_min_mtu(void);
-+void dtls1_hm_fragment_free(hm_fragment *frag);
-
- /* some client-only functions */
- int ssl3_client_hello(SSL *s);
diff --git a/SOURCES/openssl-1.0.1e-cve-2016-2180.patch b/SOURCES/openssl-1.0.1e-cve-2016-2180.patch
deleted file mode 100644
index 183cd89..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2016-2180.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-diff -up openssl-1.0.1e/crypto/ts/ts_lib.c.ts-oob-read openssl-1.0.1e/crypto/ts/ts_lib.c
---- openssl-1.0.1e/crypto/ts/ts_lib.c.ts-oob-read 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/ts/ts_lib.c 2016-09-20 16:23:02.074244000 +0200
-@@ -90,9 +90,8 @@ int TS_OBJ_print_bio(BIO *bio, const ASN
- {
- char obj_txt[128];
-
-- int len = OBJ_obj2txt(obj_txt, sizeof(obj_txt), obj, 0);
-- BIO_write(bio, obj_txt, len);
-- BIO_write(bio, "\n", 1);
-+ OBJ_obj2txt(obj_txt, sizeof(obj_txt), obj, 0);
-+ BIO_printf(bio, "%s\n", obj_txt);
-
- return 1;
- }
diff --git a/SOURCES/openssl-1.0.1e-cve-2016-2181.patch b/SOURCES/openssl-1.0.1e-cve-2016-2181.patch
deleted file mode 100644
index e7bea7c..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2016-2181.patch
+++ /dev/null
@@ -1,214 +0,0 @@
-diff -up openssl-1.0.1e/ssl/d1_pkt.c.dtls1-replay openssl-1.0.1e/ssl/d1_pkt.c
---- openssl-1.0.1e/ssl/d1_pkt.c.dtls1-replay 2016-09-20 16:29:36.767447143 +0200
-+++ openssl-1.0.1e/ssl/d1_pkt.c 2016-09-20 16:44:56.654893514 +0200
-@@ -178,7 +178,7 @@ static int dtls1_record_needs_buffering(
- #endif
- static int dtls1_buffer_record(SSL *s, record_pqueue *q,
- unsigned char *priority);
--static int dtls1_process_record(SSL *s);
-+static int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap);
-
- /* copy buffered record into SSL structure */
- static int
-@@ -304,32 +304,84 @@ static int
- dtls1_process_buffered_records(SSL *s)
- {
- pitem *item;
--
-+ SSL3_BUFFER *rb;
-+ SSL3_RECORD *rr;
-+ DTLS1_BITMAP *bitmap;
-+ unsigned int is_next_epoch;
-+ int replayok = 1;
-+
- item = pqueue_peek(s->d1->unprocessed_rcds.q);
- if (item)
- {
- /* Check if epoch is current. */
- if (s->d1->unprocessed_rcds.epoch != s->d1->r_epoch)
-- return(1); /* Nothing to do. */
--
-+ return 1; /* Nothing to do. */
-+
-+ rr = &s->s3->rrec;
-+ rb = &s->s3->rbuf;
-+
-+ if (rb->left > 0)
-+ {
-+ /*
-+ * We've still got data from the current packet to read. There could
-+ * be a record from the new epoch in it - so don't overwrite it
-+ * with the unprocessed records yet (we'll do it when we've
-+ * finished reading the current packet).
-+ */
-+ return 1;
-+ }
-+
-+
- /* Process all the records. */
- while (pqueue_peek(s->d1->unprocessed_rcds.q))
- {
- dtls1_get_unprocessed_record(s);
-- if ( ! dtls1_process_record(s))
-- return(0);
-- if(dtls1_buffer_record(s, &(s->d1->processed_rcds),
-- s->s3->rrec.seq_num)<0)
-- return -1;
-- }
-+ bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch);
-+ if (bitmap == NULL)
-+ {
-+ /*
-+ * Should not happen. This will only ever be NULL when the
-+ * current record is from a different epoch. But that cannot
-+ * be the case because we already checked the epoch above
-+ */
-+ SSLerr(SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS,
-+ ERR_R_INTERNAL_ERROR);
-+ return 0;
-+ }
-+#ifndef OPENSSL_NO_SCTP
-+ /* Only do replay check if no SCTP bio */
-+ if (!BIO_dgram_is_sctp(SSL_get_rbio(s)))
-+#endif
-+ {
-+ /*
-+ * Check whether this is a repeat, or aged record. We did this
-+ * check once already when we first received the record - but
-+ * we might have updated the window since then due to
-+ * records we subsequently processed.
-+ */
-+ replayok = dtls1_record_replay_check(s, bitmap);
-+ }
-+
-+ if (!replayok || !dtls1_process_record(s, bitmap))
-+ {
-+ /* dump this record */
-+ rr->length = 0;
-+ s->packet_length = 0;
-+ continue;
-+ }
-+
-+ if (dtls1_buffer_record(s, &(s->d1->processed_rcds),
-+ s->s3->rrec.seq_num) < 0)
-+ return 0;
- }
-+ }
-
- /* sync epoch numbers once all the unprocessed records
- * have been processed */
- s->d1->processed_rcds.epoch = s->d1->r_epoch;
- s->d1->unprocessed_rcds.epoch = s->d1->r_epoch + 1;
-
-- return(1);
-+ return 1;
- }
-
-
-@@ -379,7 +431,7 @@ dtls1_get_buffered_record(SSL *s)
- #endif
-
- static int
--dtls1_process_record(SSL *s)
-+dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap)
- {
- int i,al;
- int enc_err;
-@@ -535,6 +587,10 @@ printf("\n");
-
- /* we have pulled in a full packet so zero things */
- s->packet_length=0;
-+
-+ /* Mark receipt of record. */
-+ dtls1_record_bitmap_update(s, bitmap);
-+
- return(1);
-
- f_err:
-@@ -565,9 +621,10 @@ int dtls1_get_record(SSL *s)
-
- rr= &(s->s3->rrec);
-
-+again:
- /* The epoch may have changed. If so, process all the
- * pending records. This is a non-blocking operation. */
-- if(dtls1_process_buffered_records(s)<0)
-+ if(!dtls1_process_buffered_records(s))
- return -1;
-
- /* if we're renegotiating, then there may be buffered records */
-@@ -575,7 +632,6 @@ int dtls1_get_record(SSL *s)
- return 1;
-
- /* get something from the wire */
--again:
- /* check if we have the header */
- if ( (s->rstate != SSL_ST_READ_BODY) ||
- (s->packet_length < DTLS1_RT_HEADER_LENGTH))
-@@ -707,20 +763,18 @@ again:
- {
- if(dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num)<0)
- return -1;
-- dtls1_record_bitmap_update(s, bitmap);/* Mark receipt of record. */
- }
- rr->length = 0;
- s->packet_length = 0;
- goto again;
- }
-
-- if (!dtls1_process_record(s))
-+ if (!dtls1_process_record(s, bitmap))
- {
- rr->length = 0;
- s->packet_length = 0; /* dump this record */
- goto again; /* get another record */
- }
-- dtls1_record_bitmap_update(s, bitmap);/* Mark receipt of record. */
-
- return(1);
-
-@@ -1811,8 +1865,13 @@ dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr
- if (rr->epoch == s->d1->r_epoch)
- return &s->d1->bitmap;
-
-- /* Only HM and ALERT messages can be from the next epoch */
-+ /*
-+ * Only HM and ALERT messages can be from the next epoch and only if we
-+ * have already processed all of the unprocessed records from the last
-+ * epoch
-+ */
- else if (rr->epoch == (unsigned long)(s->d1->r_epoch + 1) &&
-+ s->d1->unprocessed_rcds.epoch != s->d1->r_epoch &&
- (rr->type == SSL3_RT_HANDSHAKE ||
- rr->type == SSL3_RT_ALERT))
- {
-diff -up openssl-1.0.1e/ssl/ssl_err.c.dtls1-replay openssl-1.0.1e/ssl/ssl_err.c
---- openssl-1.0.1e/ssl/ssl_err.c.dtls1-replay 2016-09-20 14:55:57.789311197 +0200
-+++ openssl-1.0.1e/ssl/ssl_err.c 2016-09-20 16:45:49.827132881 +0200
-@@ -1,6 +1,6 @@
- /* ssl/ssl_err.c */
- /* ====================================================================
-- * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.
-+ * Copyright (c) 1999-2016 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
-@@ -92,6 +92,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
- {ERR_FUNC(SSL_F_DTLS1_HEARTBEAT), "DTLS1_HEARTBEAT"},
- {ERR_FUNC(SSL_F_DTLS1_OUTPUT_CERT_CHAIN), "DTLS1_OUTPUT_CERT_CHAIN"},
- {ERR_FUNC(SSL_F_DTLS1_PREPROCESS_FRAGMENT), "DTLS1_PREPROCESS_FRAGMENT"},
-+{ERR_FUNC(SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS), "DTLS1_PROCESS_BUFFERED_RECORDS"},
- {ERR_FUNC(SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE), "DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE"},
- {ERR_FUNC(SSL_F_DTLS1_PROCESS_RECORD), "DTLS1_PROCESS_RECORD"},
- {ERR_FUNC(SSL_F_DTLS1_READ_BYTES), "DTLS1_READ_BYTES"},
-diff -up openssl-1.0.1e/ssl/ssl.h.dtls1-replay openssl-1.0.1e/ssl/ssl.h
---- openssl-1.0.1e/ssl/ssl.h.dtls1-replay 2016-09-20 16:29:36.768447167 +0200
-+++ openssl-1.0.1e/ssl/ssl.h 2016-09-20 16:30:42.981991082 +0200
-@@ -2023,6 +2023,7 @@ void ERR_load_SSL_strings(void);
- #define SSL_F_DTLS1_HEARTBEAT 305
- #define SSL_F_DTLS1_OUTPUT_CERT_CHAIN 255
- #define SSL_F_DTLS1_PREPROCESS_FRAGMENT 288
-+#define SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS 424
- #define SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE 256
- #define SSL_F_DTLS1_PROCESS_RECORD 257
- #define SSL_F_DTLS1_READ_BYTES 258
diff --git a/SOURCES/openssl-1.0.1e-cve-2016-2182.patch b/SOURCES/openssl-1.0.1e-cve-2016-2182.patch
deleted file mode 100644
index 092605e..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2016-2182.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-diff -up openssl-1.0.1e/crypto/bn/bn_print.c.bn-overflow openssl-1.0.1e/crypto/bn/bn_print.c
---- openssl-1.0.1e/crypto/bn/bn_print.c.bn-overflow 2016-09-20 14:55:57.000000000 +0200
-+++ openssl-1.0.1e/crypto/bn/bn_print.c 2016-09-20 16:53:29.825854773 +0200
-@@ -108,6 +108,7 @@ char *BN_bn2dec(const BIGNUM *a)
- char *p;
- BIGNUM *t=NULL;
- BN_ULONG *bn_data=NULL,*lp;
-+ int bn_data_num;
-
- /* get an upper bound for the length of the decimal integer
- * num <= (BN_num_bits(a) + 1) * log(2)
-@@ -116,7 +117,8 @@ char *BN_bn2dec(const BIGNUM *a)
- */
- i=BN_num_bits(a)*3;
- num=(i/10+i/1000+1)+1;
-- bn_data=(BN_ULONG *)OPENSSL_malloc((num/BN_DEC_NUM+1)*sizeof(BN_ULONG));
-+ bn_data_num=num/BN_DEC_NUM + 1;
-+ bn_data=(BN_ULONG *)OPENSSL_malloc(bn_data_num*sizeof(BN_ULONG));
- buf=(char *)OPENSSL_malloc(num+3);
- if ((buf == NULL) || (bn_data == NULL))
- {
-@@ -141,7 +143,11 @@ char *BN_bn2dec(const BIGNUM *a)
- i=0;
- while (!BN_is_zero(t))
- {
-+ if (lp - bn_data >= bn_data_num)
-+ goto err;
- *lp=BN_div_word(t,BN_DEC_CONV);
-+ if (*lp == (BN_ULONG)-1)
-+ goto err;
- lp++;
- }
- lp--;
diff --git a/SOURCES/openssl-1.0.1e-cve-2016-6302.patch b/SOURCES/openssl-1.0.1e-cve-2016-6302.patch
deleted file mode 100644
index 8b720da..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2016-6302.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-diff -up openssl-1.0.1e/ssl/t1_lib.c.ticket-length openssl-1.0.1e/ssl/t1_lib.c
---- openssl-1.0.1e/ssl/t1_lib.c.ticket-length 2016-09-20 15:37:34.000000000 +0200
-+++ openssl-1.0.1e/ssl/t1_lib.c 2016-09-20 18:09:26.057028290 +0200
-@@ -2230,9 +2230,7 @@ static int tls_decrypt_ticket(SSL *s, co
- HMAC_CTX hctx;
- EVP_CIPHER_CTX ctx;
- SSL_CTX *tctx = s->initial_ctx;
-- /* Need at least keyname + iv + some encrypted data */
-- if (eticklen < 48)
-- return 2;
-+
- /* Initialize session ticket encryption and HMAC contexts */
- HMAC_CTX_init(&hctx);
- EVP_CIPHER_CTX_init(&ctx);
-@@ -2267,6 +2265,14 @@ static int tls_decrypt_ticket(SSL *s, co
- EVP_CIPHER_CTX_cleanup(&ctx);
- return -1;
- }
-+ /* Sanity check ticket length: must exceed keyname + IV + HMAC */
-+ if (eticklen <= 16 + EVP_CIPHER_CTX_iv_length(&ctx) + mlen)
-+ {
-+ HMAC_CTX_cleanup(&hctx);
-+ EVP_CIPHER_CTX_cleanup(&ctx);
-+ return 2;
-+ }
-+
- eticklen -= mlen;
- /* Check HMAC of encrypted ticket */
- HMAC_Update(&hctx, etick, eticklen);
diff --git a/SOURCES/openssl-1.0.1e-cve-2016-6304.patch b/SOURCES/openssl-1.0.1e-cve-2016-6304.patch
deleted file mode 100644
index e0dd777..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2016-6304.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-diff -up openssl-1.0.1e/ssl/t1_lib.c.ocsp-memgrowth openssl-1.0.1e/ssl/t1_lib.c
---- openssl-1.0.1e/ssl/t1_lib.c.ocsp-memgrowth 2016-09-20 18:09:26.000000000 +0200
-+++ openssl-1.0.1e/ssl/t1_lib.c 2016-09-22 10:57:23.195580623 +0200
-@@ -1239,6 +1239,27 @@ int ssl_parse_clienthello_tlsext(SSL *s,
- *al = SSL_AD_DECODE_ERROR;
- return 0;
- }
-+
-+ /*
-+ * We remove any OCSP_RESPIDs from a previous handshake
-+ * to prevent unbounded memory growth - CVE-2016-6304
-+ */
-+ sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids,
-+ OCSP_RESPID_free);
-+ if (dsize > 0)
-+ {
-+ s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null();
-+ if (s->tlsext_ocsp_ids == NULL)
-+ {
-+ *al = SSL_AD_INTERNAL_ERROR;
-+ return 0;
-+ }
-+ }
-+ else
-+ {
-+ s->tlsext_ocsp_ids = NULL;
-+ }
-+
- while (dsize > 0)
- {
- OCSP_RESPID *id;
-@@ -1271,14 +1292,6 @@ int ssl_parse_clienthello_tlsext(SSL *s,
- *al = SSL_AD_DECODE_ERROR;
- return 0;
- }
-- if (!s->tlsext_ocsp_ids
-- && !(s->tlsext_ocsp_ids =
-- sk_OCSP_RESPID_new_null()))
-- {
-- OCSP_RESPID_free(id);
-- *al = SSL_AD_INTERNAL_ERROR;
-- return 0;
-- }
- if (!sk_OCSP_RESPID_push(
- s->tlsext_ocsp_ids, id))
- {
diff --git a/SOURCES/openssl-1.0.1e-cve-2016-6306.patch b/SOURCES/openssl-1.0.1e-cve-2016-6306.patch
deleted file mode 100644
index 0c7d7f2..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2016-6306.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-diff -up openssl-1.0.1e/ssl/d1_both.c.certmsg-len openssl-1.0.1e/ssl/d1_both.c
---- openssl-1.0.1e/ssl/d1_both.c.certmsg-len 2016-09-20 16:12:01.000000000 +0200
-+++ openssl-1.0.1e/ssl/d1_both.c 2016-09-22 11:02:54.277707284 +0200
-@@ -506,8 +506,11 @@ static int dtls1_preprocess_fragment(SSL
- if ( s->d1->r_msg_hdr.frag_off == 0) /* first fragment */
- {
- /* msg_len is limited to 2^24, but is effectively checked
-- * against max above */
-- if (!BUF_MEM_grow_clean(s->init_buf,msg_len+DTLS1_HM_HEADER_LENGTH))
-+ * against max above
-+ *
-+ * Make buffer slightly larger than message length as
-+ * a precaution against small OOB reads e.g. CVE-2016-6306 */
-+ if (!BUF_MEM_grow_clean(s->init_buf,msg_len+DTLS1_HM_HEADER_LENGTH+16))
- {
- SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT,ERR_R_BUF_LIB);
- return SSL_AD_INTERNAL_ERROR;
-diff -up openssl-1.0.1e/ssl/s3_both.c.certmsg-len openssl-1.0.1e/ssl/s3_both.c
---- openssl-1.0.1e/ssl/s3_both.c.certmsg-len 2016-09-20 14:55:57.000000000 +0200
-+++ openssl-1.0.1e/ssl/s3_both.c 2016-09-22 11:06:00.945725379 +0200
-@@ -518,7 +518,11 @@ long ssl3_get_message(SSL *s, int st1, i
- SSLerr(SSL_F_SSL3_GET_MESSAGE,SSL_R_EXCESSIVE_MESSAGE_SIZE);
- goto f_err;
- }
-- if (l && !BUF_MEM_grow_clean(s->init_buf,(int)l+4))
-+ /*
-+ * Make buffer slightly larger than message length as a precaution
-+ * against small OOB reads e.g. CVE-2016-6306
-+ */
-+ if (l && !BUF_MEM_grow_clean(s->init_buf,(int)l+4+16))
- {
- SSLerr(SSL_F_SSL3_GET_MESSAGE,ERR_R_BUF_LIB);
- goto err;
-diff -up openssl-1.0.1e/ssl/s3_clnt.c.certmsg-len openssl-1.0.1e/ssl/s3_clnt.c
---- openssl-1.0.1e/ssl/s3_clnt.c.certmsg-len 2016-09-20 14:55:57.000000000 +0200
-+++ openssl-1.0.1e/ssl/s3_clnt.c 2016-09-20 18:27:22.683077436 +0200
-@@ -1128,6 +1128,12 @@ int ssl3_get_server_certificate(SSL *s)
- }
- for (nc=0; nc<llen; )
- {
-+ if (nc+3 > llen)
-+ {
-+ al = SSL_AD_DECODE_ERROR;
-+ SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
-+ goto f_err;
-+ }
- n2l3(p,l);
- if ((l+nc+3) > llen)
- {
-@@ -1979,6 +1985,12 @@ fclose(out);
-
- for (nc=0; nc<llen; )
- {
-+ if (nc+2 > llen)
-+ {
-+ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
-+ SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_CA_DN_TOO_LONG);
-+ goto err;
-+ }
- n2s(p,l);
- if ((l+nc+2) > llen)
- {
-diff -up openssl-1.0.1e/ssl/s3_srvr.c.certmsg-len openssl-1.0.1e/ssl/s3_srvr.c
---- openssl-1.0.1e/ssl/s3_srvr.c.certmsg-len 2016-09-20 15:14:11.000000000 +0200
-+++ openssl-1.0.1e/ssl/s3_srvr.c 2016-09-20 18:29:26.167950476 +0200
-@@ -3269,6 +3269,12 @@ int ssl3_get_client_certificate(SSL *s)
- }
- for (nc=0; nc<llen; )
- {
-+ if (nc+3 > llen)
-+ {
-+ al = SSL_AD_DECODE_ERROR;
-+ SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
-+ goto f_err;
-+ }
- n2l3(p,l);
- if ((l+nc+3) > llen)
- {
diff --git a/SOURCES/openssl-1.0.1e-cve-2016-8610.patch b/SOURCES/openssl-1.0.1e-cve-2016-8610.patch
deleted file mode 100644
index 84976ce..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2016-8610.patch
+++ /dev/null
@@ -1,108 +0,0 @@
-diff -up openssl-1.0.1e/ssl/d1_pkt.c.many-alerts openssl-1.0.1e/ssl/d1_pkt.c
---- openssl-1.0.1e/ssl/d1_pkt.c.many-alerts 2016-10-04 16:12:30.000000000 +0200
-+++ openssl-1.0.1e/ssl/d1_pkt.c 2016-11-01 10:48:05.270349440 +0100
-@@ -915,6 +915,13 @@ start:
- goto start;
- }
-
-+ /*
-+ * Reset the count of consecutive warning alerts if we've got a non-empty
-+ * record that isn't an alert.
-+ */
-+ if (rr->type != SSL3_RT_ALERT && rr->length != 0)
-+ s->cert->alert_count = 0;
-+
- /* we now have a packet which can be read and processed */
-
- if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
-@@ -1184,6 +1191,15 @@ start:
- if (alert_level == 1) /* warning */
- {
- s->s3->warn_alert = alert_descr;
-+
-+ s->cert->alert_count++;
-+ if (s->cert->alert_count == MAX_WARN_ALERT_COUNT)
-+ {
-+ al = SSL_AD_UNEXPECTED_MESSAGE;
-+ SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS);
-+ goto f_err;
-+ }
-+
- if (alert_descr == SSL_AD_CLOSE_NOTIFY)
- {
- #ifndef OPENSSL_NO_SCTP
-diff -up openssl-1.0.1e/ssl/ssl_err.c.many-alerts openssl-1.0.1e/ssl/ssl_err.c
---- openssl-1.0.1e/ssl/ssl_err.c.many-alerts 2016-10-04 16:12:30.000000000 +0200
-+++ openssl-1.0.1e/ssl/ssl_err.c 2016-11-01 10:54:04.673900027 +0100
-@@ -552,6 +552,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
- {ERR_REASON(SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST),"tls invalid ecpointformat list"},
- {ERR_REASON(SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST),"tls peer did not respond with certificate list"},
- {ERR_REASON(SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG),"tls rsa encrypted value length is wrong"},
-+{ERR_REASON(SSL_R_TOO_MANY_WARN_ALERTS), "too many warn alerts"},
- {ERR_REASON(SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER),"tried to use unsupported cipher"},
- {ERR_REASON(SSL_R_UNABLE_TO_DECODE_DH_CERTS),"unable to decode dh certs"},
- {ERR_REASON(SSL_R_UNABLE_TO_DECODE_ECDH_CERTS),"unable to decode ecdh certs"},
-diff -up openssl-1.0.1e/ssl/ssl.h.many-alerts openssl-1.0.1e/ssl/ssl.h
---- openssl-1.0.1e/ssl/ssl.h.many-alerts 2016-10-04 16:12:30.000000000 +0200
-+++ openssl-1.0.1e/ssl/ssl.h 2016-11-01 10:52:48.442086392 +0100
-@@ -2474,6 +2474,7 @@ void ERR_load_SSL_strings(void);
- #define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST 157
- #define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
- #define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 234
-+#define SSL_R_TOO_MANY_WARN_ALERTS 409
- #define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 235
- #define SSL_R_UNABLE_TO_DECODE_DH_CERTS 236
- #define SSL_R_UNABLE_TO_DECODE_ECDH_CERTS 313
-diff -up openssl-1.0.1e/ssl/ssl_locl.h.many-alerts openssl-1.0.1e/ssl/ssl_locl.h
---- openssl-1.0.1e/ssl/ssl_locl.h.many-alerts 2016-10-04 16:12:30.000000000 +0200
-+++ openssl-1.0.1e/ssl/ssl_locl.h 2016-11-01 10:55:39.171148215 +0100
-@@ -485,6 +485,8 @@ typedef struct cert_pkey_st
- const EVP_MD *digest;
- } CERT_PKEY;
-
-+# define MAX_WARN_ALERT_COUNT 5
-+
- typedef struct cert_st
- {
- /* Current active set */
-@@ -516,6 +518,7 @@ typedef struct cert_st
- CERT_PKEY pkeys[SSL_PKEY_NUM];
-
- int references; /* >1 only if SSL_copy_session_id is used */
-+ unsigned int alert_count;
- } CERT;
-
-
-diff -up openssl-1.0.1e/ssl/s3_pkt.c.many-alerts openssl-1.0.1e/ssl/s3_pkt.c
---- openssl-1.0.1e/ssl/s3_pkt.c.many-alerts 2016-10-04 16:12:30.000000000 +0200
-+++ openssl-1.0.1e/ssl/s3_pkt.c 2016-11-01 10:51:21.504018044 +0100
-@@ -1009,6 +1009,13 @@ start:
- if (ret <= 0) return(ret);
- }
-
-+ /*
-+ * Reset the count of consecutive warning alerts if we've got a non-empty
-+ * record that isn't an alert.
-+ */
-+ if (rr->type != SSL3_RT_ALERT && rr->length != 0)
-+ s->cert->alert_count = 0;
-+
- /* we now have a packet which can be read and processed */
-
- if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
-@@ -1225,6 +1232,15 @@ start:
- if (alert_level == 1) /* warning */
- {
- s->s3->warn_alert = alert_descr;
-+
-+ s->cert->alert_count++;
-+ if (s->cert->alert_count == MAX_WARN_ALERT_COUNT)
-+ {
-+ al = SSL_AD_UNEXPECTED_MESSAGE;
-+ SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS);
-+ goto f_err;
-+ }
-+
- if (alert_descr == SSL_AD_CLOSE_NOTIFY)
- {
- s->shutdown |= SSL_RECEIVED_SHUTDOWN;
diff --git a/SOURCES/openssl-1.0.1e-cve-2017-3731.patch b/SOURCES/openssl-1.0.1e-cve-2017-3731.patch
deleted file mode 100644
index 2deb8b2..0000000
--- a/SOURCES/openssl-1.0.1e-cve-2017-3731.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-diff -up openssl-1.0.1e/crypto/evp/e_aes.c.truncated openssl-1.0.1e/crypto/evp/e_aes.c
---- openssl-1.0.1e/crypto/evp/e_aes.c.truncated 2016-11-09 15:31:47.000000000 +0100
-+++ openssl-1.0.1e/crypto/evp/e_aes.c 2017-01-30 13:29:46.700570930 +0100
-@@ -796,11 +796,17 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *
- gctx->tls_aad_len = arg;
- {
- unsigned int len=c->buf[arg-2]<<8|c->buf[arg-1];
-+ if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN)
-+ return 0;
- /* Correct length for explicit IV */
- len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
- /* If decrypting correct for tag too */
- if (!c->encrypt)
-+ {
-+ if (len < EVP_GCM_TLS_TAG_LEN)
-+ return 0;
- len -= EVP_GCM_TLS_TAG_LEN;
-+ }
- c->buf[arg-2] = len>>8;
- c->buf[arg-1] = len & 0xff;
- }
-diff -up openssl-1.0.1e/crypto/evp/e_rc4_hmac_md5.c.truncated openssl-1.0.1e/crypto/evp/e_rc4_hmac_md5.c
---- openssl-1.0.1e/crypto/evp/e_rc4_hmac_md5.c.truncated 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/evp/e_rc4_hmac_md5.c 2017-01-30 10:33:12.954714810 +0100
-@@ -257,6 +257,8 @@ static int rc4_hmac_md5_ctrl(EVP_CIPHER_
-
- if (!ctx->encrypt)
- {
-+ if (len < MD5_DIGEST_LENGTH)
-+ return -1;
- len -= MD5_DIGEST_LENGTH;
- p[arg-2] = len>>8;
- p[arg-1] = len;
-diff -up openssl-1.0.1e/ssl/t1_enc.c.truncated openssl-1.0.1e/ssl/t1_enc.c
---- openssl-1.0.1e/ssl/t1_enc.c.truncated 2017-01-09 16:42:47.000000000 +0100
-+++ openssl-1.0.1e/ssl/t1_enc.c 2017-01-30 10:37:32.836053160 +0100
-@@ -805,6 +805,8 @@ int tls1_enc(SSL *s, int send)
- buf[11]=rec->length>>8;
- buf[12]=rec->length&0xff;
- pad=EVP_CIPHER_CTX_ctrl(ds,EVP_CTRL_AEAD_TLS1_AAD,13,buf);
-+ if (pad <= 0)
-+ return -1;
- if (send)
- {
- l+=pad;
diff --git a/SOURCES/openssl-1.0.1e-defaults.patch b/SOURCES/openssl-1.0.1e-defaults.patch
deleted file mode 100644
index 4323e87..0000000
--- a/SOURCES/openssl-1.0.1e-defaults.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-diff -up openssl-1.0.1e/apps/openssl.cnf.defaults openssl-1.0.1e/apps/openssl.cnf
---- openssl-1.0.1e/apps/openssl.cnf.defaults 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/apps/openssl.cnf 2014-02-06 18:00:00.170929334 +0100
-@@ -72,7 +72,7 @@ cert_opt = ca_default # Certificate fi
-
- default_days = 365 # how long to certify for
- default_crl_days= 30 # how long before next CRL
--default_md = default # use public key default MD
-+default_md = sha256 # use SHA-256 by default
- preserve = no # keep passed DN ordering
-
- # A few difference way of specifying how similar the request should look
-@@ -103,7 +103,8 @@ emailAddress = optional
-
- ####################################################################
- [ req ]
--default_bits = 1024
-+default_bits = 2048
-+default_md = sha256
- default_keyfile = privkey.pem
- distinguished_name = req_distinguished_name
- attributes = req_attributes
-@@ -126,17 +127,18 @@ string_mask = utf8only
-
- [ req_distinguished_name ]
- countryName = Country Name (2 letter code)
--countryName_default = AU
-+countryName_default = XX
- countryName_min = 2
- countryName_max = 2
-
- stateOrProvinceName = State or Province Name (full name)
--stateOrProvinceName_default = Some-State
-+#stateOrProvinceName_default = Default Province
-
- localityName = Locality Name (eg, city)
-+localityName_default = Default City
-
- 0.organizationName = Organization Name (eg, company)
--0.organizationName_default = Internet Widgits Pty Ltd
-+0.organizationName_default = Default Company Ltd
-
- # we can do this but it is not needed normally :-)
- #1.organizationName = Second Organization Name (eg, company)
-@@ -145,7 +147,7 @@ localityName = Locality Name (eg, city
- organizationalUnitName = Organizational Unit Name (eg, section)
- #organizationalUnitName_default =
-
--commonName = Common Name (e.g. server FQDN or YOUR name)
-+commonName = Common Name (eg, your name or your server\'s hostname)
- commonName_max = 64
-
- emailAddress = Email Address
-@@ -339,7 +341,7 @@ signer_key = $dir/private/tsakey.pem # T
- default_policy = tsa_policy1 # Policy if request did not specify it
- # (optional)
- other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
--digests = md5, sha1 # Acceptable message digests (mandatory)
-+digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
- accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
- clock_precision_digits = 0 # number of digits after dot. (optional)
- ordering = yes # Is ordering defined for timestamps?
diff --git a/SOURCES/openssl-1.0.1e-disable-sslv2.patch b/SOURCES/openssl-1.0.1e-disable-sslv2.patch
deleted file mode 100644
index 1e6bde0..0000000
--- a/SOURCES/openssl-1.0.1e-disable-sslv2.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-diff -up openssl-1.0.1e/ssl/ssl_lib.c.disable-sslv2 openssl-1.0.1e/ssl/ssl_lib.c
---- openssl-1.0.1e/ssl/ssl_lib.c.disable-sslv2 2016-01-14 17:38:50.018210499 +0100
-+++ openssl-1.0.1e/ssl/ssl_lib.c 2016-02-16 16:00:57.151508715 +0100
-@@ -1903,6 +1903,9 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
- */
- ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
-
-+ /* Disable SSLv2 by default (affects the SSLv23_method() only) */
-+ ret->options |= SSL_OP_NO_SSLv2;
-+
- return(ret);
- err:
- SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE);
-diff -up openssl-1.0.1e/doc/apps/ciphers.pod.disable-sslv2 openssl-1.0.1e/doc/apps/ciphers.pod
---- openssl-1.0.1e/doc/apps/ciphers.pod.disable-sslv2 2016-01-14 17:38:50.000000000 +0100
-+++ openssl-1.0.1e/doc/apps/ciphers.pod 2016-02-24 11:17:36.297955053 +0100
-@@ -572,11 +572,11 @@ Note: these ciphers can also be used in
- =head2 Deprecated SSL v2.0 cipher suites.
-
- SSL_CK_RC4_128_WITH_MD5 RC4-MD5
-- SSL_CK_RC4_128_EXPORT40_WITH_MD5 EXP-RC4-MD5
-- SSL_CK_RC2_128_CBC_WITH_MD5 RC2-MD5
-- SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 EXP-RC2-MD5
-+ SSL_CK_RC4_128_EXPORT40_WITH_MD5 Not implemented.
-+ SSL_CK_RC2_128_CBC_WITH_MD5 RC2-CBC-MD5
-+ SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 Not implemented.
- SSL_CK_IDEA_128_CBC_WITH_MD5 IDEA-CBC-MD5
-- SSL_CK_DES_64_CBC_WITH_MD5 DES-CBC-MD5
-+ SSL_CK_DES_64_CBC_WITH_MD5 Not implemented.
- SSL_CK_DES_192_EDE3_CBC_WITH_MD5 DES-CBC3-MD5
-
- =head1 NOTES
-diff -up openssl-1.0.1e/ssl/s2_lib.c.disable-sslv2 openssl-1.0.1e/ssl/s2_lib.c
---- openssl-1.0.1e/ssl/s2_lib.c.disable-sslv2 2016-02-24 11:23:24.012237164 +0100
-+++ openssl-1.0.1e/ssl/s2_lib.c 2016-02-24 11:19:34.623773423 +0100
-@@ -156,6 +156,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
- 128,
- },
-
-+#if 0
- /* RC4_128_EXPORT40_WITH_MD5 */
- {
- 1,
-@@ -171,6 +172,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
- 40,
- 128,
- },
-+#endif
-
- /* RC2_128_CBC_WITH_MD5 */
- {
-@@ -188,6 +190,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
- 128,
- },
-
-+#if 0
- /* RC2_128_CBC_EXPORT40_WITH_MD5 */
- {
- 1,
-@@ -203,6 +206,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
- 40,
- 128,
- },
-+#endif
-
- #ifndef OPENSSL_NO_IDEA
- /* IDEA_128_CBC_WITH_MD5 */
-@@ -222,6 +226,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
- },
- #endif
-
-+#if 0
- /* DES_64_CBC_WITH_MD5 */
- {
- 1,
-@@ -237,6 +242,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
- 56,
- 56,
- },
-+#endif
-
- /* DES_192_EDE3_CBC_WITH_MD5 */
- {
diff --git a/SOURCES/openssl-1.0.1e-doc-ciphersuites.patch b/SOURCES/openssl-1.0.1e-doc-ciphersuites.patch
deleted file mode 100644
index 418b9e1..0000000
--- a/SOURCES/openssl-1.0.1e-doc-ciphersuites.patch
+++ /dev/null
@@ -1,304 +0,0 @@
-From 87887a7a658bf305bfe6619eedcbc6c3972cc188 Mon Sep 17 00:00:00 2001
-From: Hubert Kario <hkario@redhat.com>
-Date: Tue, 10 Jun 2014 14:13:33 +0200
-Subject: [PATCH] backport changes to ciphers(1) man page
-
-Backport of the patch:
-add ECC strings to ciphers(1), point out difference between DH and ECDH
-and few other changes applicable to the 1.0.1 code base.
-
- * Make a clear distinction between DH and ECDH key exchange.
- * Group all key exchange cipher suite identifiers, first DH then ECDH
- * add descriptions for all supported *DH* identifiers
- * add ECDSA authentication descriptions
- * add example showing how to disable all suites that offer no
- authentication or encryption
- * backport listing of elliptic curve cipher suites.
- * backport listing of TLS 1.2 cipher suites, add note that DH_RSA
- and DH_DSS is not implemented in this version
- * backport of description of PSK and listing of PSK cipher suites
- * backport description of AES128, AES256 and AESGCM options
- * backport description of CAMELLIA128, CAMELLIA256 options
----
- doc/apps/ciphers.pod | 195 ++++++++++++++++++++++++++++++++++++++++++++------
- 1 file changed, 173 insertions(+), 22 deletions(-)
-
-diff --git a/doc/apps/ciphers.pod b/doc/apps/ciphers.pod
-index f44aa00..6086d0a 100644
---- a/doc/apps/ciphers.pod
-+++ b/doc/apps/ciphers.pod
-@@ -36,7 +36,7 @@ SSL v2 and for SSL v3/TLS v1.
-
- =item B<-V>
-
--Like B<-V>, but include cipher suite codes in output (hex format).
-+Like B<-v>, but include cipher suite codes in output (hex format).
-
- =item B<-ssl3>
-
-@@ -116,8 +116,8 @@ specified.
- =item B<COMPLEMENTOFDEFAULT>
-
- the ciphers included in B<ALL>, but not enabled by default. Currently
--this is B<ADH>. Note that this rule does not cover B<eNULL>, which is
--not included by B<ALL> (use B<COMPLEMENTOFALL> if necessary).
-+this is B<ADH> and B<AECDH>. Note that this rule does not cover B<eNULL>,
-+which is not included by B<ALL> (use B<COMPLEMENTOFALL> if necessary).
-
- =item B<ALL>
-
-@@ -165,21 +165,58 @@ included.
- =item B<aNULL>
-
- the cipher suites offering no authentication. This is currently the anonymous
--DH algorithms. These cipher suites are vulnerable to a "man in the middle"
--attack and so their use is normally discouraged.
-+DH algorithms and anonymous ECDH algorithms. These cipher suites are vulnerable
-+to a "man in the middle" attack and so their use is normally discouraged.
-
- =item B<kRSA>, B<RSA>
-
- cipher suites using RSA key exchange.
-
-+=item B<kDHr>, B<kDHd>, B<kDH>
-+
-+cipher suites using DH key agreement and DH certificates signed by CAs with RSA
-+and DSS keys or either respectively. Not implemented.
-+
- =item B<kEDH>
-
--cipher suites using ephemeral DH key agreement.
-+cipher suites using ephemeral DH key agreement, including anonymous cipher
-+suites.
-
--=item B<kDHr>, B<kDHd>
-+=item B<EDH>
-
--cipher suites using DH key agreement and DH certificates signed by CAs with RSA
--and DSS keys respectively. Not implemented.
-+cipher suites using authenticated ephemeral DH key agreement.
-+
-+=item B<ADH>
-+
-+anonymous DH cipher suites, note that this does not include anonymous Elliptic
-+Curve DH (ECDH) cipher suites.
-+
-+=item B<DH>
-+
-+cipher suites using DH, including anonymous DH, ephemeral DH and fixed DH.
-+
-+=item B<kECDHr>, B<kECDHe>, B<kECDH>
-+
-+cipher suites using fixed ECDH key agreement signed by CAs with RSA and ECDSA
-+keys or either respectively.
-+
-+=item B<kEECDH>
-+
-+cipher suites using ephemeral ECDH key agreement, including anonymous
-+cipher suites.
-+
-+=item B<EECDHE>
-+
-+cipher suites using authenticated ephemeral ECDH key agreement.
-+
-+=item B<AECDH>
-+
-+anonymous Elliptic Curve Diffie Hellman cipher suites.
-+
-+=item B<ECDH>
-+
-+cipher suites using ECDH key exchange, including anonymous, ephemeral and
-+fixed ECDH.
-
- =item B<aRSA>
-
-@@ -194,30 +231,39 @@ cipher suites using DSS authentication, i.e. the certificates carry DSS keys.
- cipher suites effectively using DH authentication, i.e. the certificates carry
- DH keys. Not implemented.
-
-+=item B<aECDH>
-+
-+cipher suites effectively using ECDH authentication, i.e. the certificates
-+carry ECDH keys.
-+
-+=item B<aECDSA>, B<ECDSA>
-+
-+cipher suites using ECDSA authentication, i.e. the certificates carry ECDSA
-+keys.
-+
- =item B<kFZA>, B<aFZA>, B<eFZA>, B<FZA>
-
- ciphers suites using FORTEZZA key exchange, authentication, encryption or all
- FORTEZZA algorithms. Not implemented.
-
--=item B<TLSv1>, B<SSLv3>, B<SSLv2>
--
--TLS v1.0, SSL v3.0 or SSL v2.0 cipher suites respectively.
-+=item B<TLSv1.2>, B<TLSv1>, B<SSLv3>, B<SSLv2>
-
--=item B<DH>
--
--cipher suites using DH, including anonymous DH.
-+TLS v1.2, TLS v1.0, SSL v3.0 or SSL v2.0 cipher suites respectively. Note:
-+there are no ciphersuites specific to TLS v1.1.
-
--=item B<ADH>
-+=item B<AES128>, B<AES256>, B<AES>
-
--anonymous DH cipher suites.
-+cipher suites using 128 bit AES, 256 bit AES or either 128 or 256 bit AES.
-
--=item B<AES>
-+=item B<AESGCM>
-
--cipher suites using AES.
-+AES in Galois Counter Mode (GCM): these ciphersuites are only supported
-+in TLS v1.2.
-
--=item B<CAMELLIA>
-+=item B<CAMELLIA128>, B<CAMELLIA256>, B<CAMELLIA>
-
--cipher suites using Camellia.
-+cipher suites using 128 bit CAMELLIA, 256 bit CAMELLIA or either 128 or 256 bit
-+CAMELLIA.
-
- =item B<3DES>
-
-@@ -251,6 +297,10 @@ cipher suites using MD5.
-
- cipher suites using SHA1.
-
-+=item B<SHA256>, B<SHA384>
-+
-+ciphersuites using SHA256 or SHA384.
-+
- =item B<aGOST>
-
- cipher suites using GOST R 34.10 (either 2001 or 94) for authenticaction
-@@ -277,6 +327,9 @@ cipher suites, using HMAC based on GOST R 34.11-94.
-
- cipher suites using GOST 28147-89 MAC B<instead of> HMAC.
-
-+=item B<PSK>
-+
-+cipher suites using pre-shared keys (PSK).
-
- =back
-
-@@ -423,7 +476,100 @@ Note: these ciphers can also be used in SSL v3.
- TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA EXP1024-DHE-DSS-RC4-SHA
- TLS_DHE_DSS_WITH_RC4_128_SHA DHE-DSS-RC4-SHA
-
--=head2 SSL v2.0 cipher suites.
-+=head2 Elliptic curve cipher suites.
-+
-+ TLS_ECDH_RSA_WITH_NULL_SHA ECDH-RSA-NULL-SHA
-+ TLS_ECDH_RSA_WITH_RC4_128_SHA ECDH-RSA-RC4-SHA
-+ TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA ECDH-RSA-DES-CBC3-SHA
-+ TLS_ECDH_RSA_WITH_AES_128_CBC_SHA ECDH-RSA-AES128-SHA
-+ TLS_ECDH_RSA_WITH_AES_256_CBC_SHA ECDH-RSA-AES256-SHA
-+
-+ TLS_ECDH_ECDSA_WITH_NULL_SHA ECDH-ECDSA-NULL-SHA
-+ TLS_ECDH_ECDSA_WITH_RC4_128_SHA ECDH-ECDSA-RC4-SHA
-+ TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA ECDH-ECDSA-DES-CBC3-SHA
-+ TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA ECDH-ECDSA-AES128-SHA
-+ TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA ECDH-ECDSA-AES256-SHA
-+
-+ TLS_ECDHE_RSA_WITH_NULL_SHA ECDHE-RSA-NULL-SHA
-+ TLS_ECDHE_RSA_WITH_RC4_128_SHA ECDHE-RSA-RC4-SHA
-+ TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ECDHE-RSA-DES-CBC3-SHA
-+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDHE-RSA-AES128-SHA
-+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDHE-RSA-AES256-SHA
-+
-+ TLS_ECDHE_ECDSA_WITH_NULL_SHA ECDHE-ECDSA-NULL-SHA
-+ TLS_ECDHE_ECDSA_WITH_RC4_128_SHA ECDHE-ECDSA-RC4-SHA
-+ TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA ECDHE-ECDSA-DES-CBC3-SHA
-+ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA ECDHE-ECDSA-AES128-SHA
-+ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA ECDHE-ECDSA-AES256-SHA
-+
-+ TLS_ECDH_anon_WITH_NULL_SHA AECDH-NULL-SHA
-+ TLS_ECDH_anon_WITH_RC4_128_SHA AECDH-RC4-SHA
-+ TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA AECDH-DES-CBC3-SHA
-+ TLS_ECDH_anon_WITH_AES_128_CBC_SHA AECDH-AES128-SHA
-+ TLS_ECDH_anon_WITH_AES_256_CBC_SHA AECDH-AES256-SHA
-+
-+=head2 TLS v1.2 cipher suites
-+
-+ TLS_RSA_WITH_NULL_SHA256 NULL-SHA256
-+
-+ TLS_RSA_WITH_AES_128_CBC_SHA256 AES128-SHA256
-+ TLS_RSA_WITH_AES_256_CBC_SHA256 AES256-SHA256
-+ TLS_RSA_WITH_AES_128_GCM_SHA256 AES128-GCM-SHA256
-+ TLS_RSA_WITH_AES_256_GCM_SHA384 AES256-GCM-SHA384
-+
-+ TLS_DH_RSA_WITH_AES_128_CBC_SHA256 Not implemented.
-+ TLS_DH_RSA_WITH_AES_256_CBC_SHA256 Not implemented.
-+ TLS_DH_RSA_WITH_AES_128_GCM_SHA256 Not implemented.
-+ TLS_DH_RSA_WITH_AES_256_GCM_SHA384 Not implemented.
-+
-+ TLS_DH_DSS_WITH_AES_128_CBC_SHA256 Not implemented.
-+ TLS_DH_DSS_WITH_AES_256_CBC_SHA256 Not implemented.
-+ TLS_DH_DSS_WITH_AES_128_GCM_SHA256 Not implemented.
-+ TLS_DH_DSS_WITH_AES_256_GCM_SHA384 Not implemented.
-+
-+ TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 DHE-RSA-AES128-SHA256
-+ TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 DHE-RSA-AES256-SHA256
-+ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 DHE-RSA-AES128-GCM-SHA256
-+ TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 DHE-RSA-AES256-GCM-SHA384
-+
-+ TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 DHE-DSS-AES128-SHA256
-+ TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 DHE-DSS-AES256-SHA256
-+ TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 DHE-DSS-AES128-GCM-SHA256
-+ TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 DHE-DSS-AES256-GCM-SHA384
-+
-+ TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 ECDH-RSA-AES128-SHA256
-+ TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 ECDH-RSA-AES256-SHA384
-+ TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 ECDH-RSA-AES128-GCM-SHA256
-+ TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 ECDH-RSA-AES256-GCM-SHA384
-+
-+ TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 ECDH-ECDSA-AES128-SHA256
-+ TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 ECDH-ECDSA-AES256-SHA384
-+ TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 ECDH-ECDSA-AES128-GCM-SHA256
-+ TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 ECDH-ECDSA-AES256-GCM-SHA384
-+
-+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ECDHE-RSA-AES128-SHA256
-+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDHE-RSA-AES256-SHA384
-+ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256
-+ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDHE-RSA-AES256-GCM-SHA384
-+
-+ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 ECDHE-ECDSA-AES128-SHA256
-+ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 ECDHE-ECDSA-AES256-SHA384
-+ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ECDHE-ECDSA-AES128-GCM-SHA256
-+ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ECDHE-ECDSA-AES256-GCM-SHA384
-+
-+ TLS_DH_anon_WITH_AES_128_CBC_SHA256 ADH-AES128-SHA256
-+ TLS_DH_anon_WITH_AES_256_CBC_SHA256 ADH-AES256-SHA256
-+ TLS_DH_anon_WITH_AES_128_GCM_SHA256 ADH-AES128-GCM-SHA256
-+ TLS_DH_anon_WITH_AES_256_GCM_SHA384 ADH-AES256-GCM-SHA384
-+
-+=head2 Pre shared keying (PSK) cipheruites
-+
-+ TLS_PSK_WITH_RC4_128_SHA PSK-RC4-SHA
-+ TLS_PSK_WITH_3DES_EDE_CBC_SHA PSK-3DES-EDE-CBC-SHA
-+ TLS_PSK_WITH_AES_128_CBC_SHA PSK-AES128-CBC-SHA
-+ TLS_PSK_WITH_AES_256_CBC_SHA PSK-AES256-CBC-SHA
-+
-+=head2 Deprecated SSL v2.0 cipher suites.
-
- SSL_CK_RC4_128_WITH_MD5 RC4-MD5
- SSL_CK_RC4_128_EXPORT40_WITH_MD5 EXP-RC4-MD5
-@@ -452,6 +598,11 @@ strength:
-
- openssl ciphers -v 'ALL:!ADH:@STRENGTH'
-
-+Include all ciphers except ones with no encryption (eNULL) or no
-+authentication (aNULL):
-+
-+ openssl ciphers -v 'ALL:!aNULL'
-+
- Include only 3DES ciphers and then place RSA ciphers last:
-
- openssl ciphers -v '3DES:+RSA'
---
-1.7.9.5
-
diff --git a/SOURCES/openssl-1.0.1e-dtls-ecc-ext.patch b/SOURCES/openssl-1.0.1e-dtls-ecc-ext.patch
deleted file mode 100644
index 2a002cc..0000000
--- a/SOURCES/openssl-1.0.1e-dtls-ecc-ext.patch
+++ /dev/null
@@ -1,119 +0,0 @@
-From 2054eb771ea29378f90d3a77c2f4015b17de702d Mon Sep 17 00:00:00 2001
-From: "Dr. Stephen Henson" <steve@openssl.org>
-Date: Tue, 15 Jul 2014 12:20:30 +0100
-Subject: [PATCH] Add ECC extensions with DTLS.
-
-PR#3449
----
- ssl/d1_clnt.c | 8 +++++++-
- ssl/d1_srvr.c | 5 +++++
- ssl/t1_lib.c | 18 ++++++------------
- 3 files changed, 18 insertions(+), 13 deletions(-)
-
-diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c
-index 48e5e06..65dbb4a 100644
---- a/ssl/d1_clnt.c
-+++ b/ssl/d1_clnt.c
-@@ -876,12 +876,18 @@ int dtls1_client_hello(SSL *s)
- *(p++)=0; /* Add the NULL method */
-
- #ifndef OPENSSL_NO_TLSEXT
-+ /* TLS extensions*/
-+ if (ssl_prepare_clienthello_tlsext(s) <= 0)
-+ {
-+ SSLerr(SSL_F_DTLS1_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
-+ goto err;
-+ }
- if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
- {
- SSLerr(SSL_F_DTLS1_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
- goto err;
- }
--#endif
-+#endif
-
- l=(p-d);
- d=buf;
-diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c
-index 1384ab0..ef9c347 100644
---- a/ssl/d1_srvr.c
-+++ b/ssl/d1_srvr.c
-@@ -980,6 +980,11 @@ int dtls1_send_server_hello(SSL *s)
- #endif
-
- #ifndef OPENSSL_NO_TLSEXT
-+ if (ssl_prepare_serverhello_tlsext(s) <= 0)
-+ {
-+ SSLerr(SSL_F_DTLS1_SEND_SERVER_HELLO,SSL_R_SERVERHELLO_TLSEXT);
-+ return -1;
-+ }
- if ((p = ssl_add_serverhello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
- {
- SSLerr(SSL_F_DTLS1_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR);
-diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
-index f6a480d..8167a51 100644
---- a/ssl/t1_lib.c
-+++ b/ssl/t1_lib.c
-@@ -453,8 +453,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned c
- #endif
-
- #ifndef OPENSSL_NO_EC
-- if (s->tlsext_ecpointformatlist != NULL &&
-- s->version != DTLS1_VERSION)
-+ if (s->tlsext_ecpointformatlist != NULL)
- {
- /* Add TLS extension ECPointFormats to the ClientHello message */
- long lenmax;
-@@ -473,8 +472,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned c
- memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
- ret+=s->tlsext_ecpointformatlist_length;
- }
-- if (s->tlsext_ellipticcurvelist != NULL &&
-- s->version != DTLS1_VERSION)
-+ if (s->tlsext_ellipticcurvelist != NULL)
- {
- /* Add TLS extension EllipticCurves to the ClientHello message */
- long lenmax;
-@@ -750,8 +748,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned c
- }
-
- #ifndef OPENSSL_NO_EC
-- if (s->tlsext_ecpointformatlist != NULL &&
-- s->version != DTLS1_VERSION)
-+ if (s->tlsext_ecpointformatlist != NULL)
- {
- /* Add TLS extension ECPointFormats to the ServerHello message */
- long lenmax;
-@@ -1154,8 +1151,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
- #endif
-
- #ifndef OPENSSL_NO_EC
-- else if (type == TLSEXT_TYPE_ec_point_formats &&
-- s->version != DTLS1_VERSION)
-+ else if (type == TLSEXT_TYPE_ec_point_formats)
- {
- unsigned char *sdata = data;
- int ecpointformatlist_length = *(sdata++);
-@@ -1189,8 +1185,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
- fprintf(stderr,"\n");
- #endif
- }
-- else if (type == TLSEXT_TYPE_elliptic_curves &&
-- s->version != DTLS1_VERSION)
-+ else if (type == TLSEXT_TYPE_elliptic_curves)
- {
- unsigned char *sdata = data;
- int ellipticcurvelist_length = (*(sdata++) << 8);
-@@ -1549,8 +1544,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
- }
-
- #ifndef OPENSSL_NO_EC
-- else if (type == TLSEXT_TYPE_ec_point_formats &&
-- s->version != DTLS1_VERSION)
-+ else if (type == TLSEXT_TYPE_ec_point_formats)
- {
- unsigned char *sdata = data;
- int ecpointformatlist_length = *(sdata++);
---
-1.8.3.1
-
diff --git a/SOURCES/openssl-1.0.1e-ecc-suiteb.patch b/SOURCES/openssl-1.0.1e-ecc-suiteb.patch
deleted file mode 100644
index dc87b00..0000000
--- a/SOURCES/openssl-1.0.1e-ecc-suiteb.patch
+++ /dev/null
@@ -1,124 +0,0 @@
-diff -up openssl-1.0.1e/apps/speed.c.suiteb openssl-1.0.1e/apps/speed.c
---- openssl-1.0.1e/apps/speed.c.suiteb 2013-11-08 18:02:53.815229706 +0100
-+++ openssl-1.0.1e/apps/speed.c 2013-11-08 18:04:47.016724297 +0100
-@@ -966,49 +966,23 @@ int MAIN(int argc, char **argv)
- else
- #endif
- #ifndef OPENSSL_NO_ECDSA
-- if (strcmp(*argv,"ecdsap160") == 0) ecdsa_doit[R_EC_P160]=2;
-- else if (strcmp(*argv,"ecdsap192") == 0) ecdsa_doit[R_EC_P192]=2;
-- else if (strcmp(*argv,"ecdsap224") == 0) ecdsa_doit[R_EC_P224]=2;
-- else if (strcmp(*argv,"ecdsap256") == 0) ecdsa_doit[R_EC_P256]=2;
-+ if (strcmp(*argv,"ecdsap256") == 0) ecdsa_doit[R_EC_P256]=2;
- else if (strcmp(*argv,"ecdsap384") == 0) ecdsa_doit[R_EC_P384]=2;
- else if (strcmp(*argv,"ecdsap521") == 0) ecdsa_doit[R_EC_P521]=2;
-- else if (strcmp(*argv,"ecdsak163") == 0) ecdsa_doit[R_EC_K163]=2;
-- else if (strcmp(*argv,"ecdsak233") == 0) ecdsa_doit[R_EC_K233]=2;
-- else if (strcmp(*argv,"ecdsak283") == 0) ecdsa_doit[R_EC_K283]=2;
-- else if (strcmp(*argv,"ecdsak409") == 0) ecdsa_doit[R_EC_K409]=2;
-- else if (strcmp(*argv,"ecdsak571") == 0) ecdsa_doit[R_EC_K571]=2;
-- else if (strcmp(*argv,"ecdsab163") == 0) ecdsa_doit[R_EC_B163]=2;
-- else if (strcmp(*argv,"ecdsab233") == 0) ecdsa_doit[R_EC_B233]=2;
-- else if (strcmp(*argv,"ecdsab283") == 0) ecdsa_doit[R_EC_B283]=2;
-- else if (strcmp(*argv,"ecdsab409") == 0) ecdsa_doit[R_EC_B409]=2;
-- else if (strcmp(*argv,"ecdsab571") == 0) ecdsa_doit[R_EC_B571]=2;
- else if (strcmp(*argv,"ecdsa") == 0)
- {
-- for (i=0; i < EC_NUM; i++)
-+ for (i=R_EC_P256; i <= R_EC_P521; i++)
- ecdsa_doit[i]=1;
- }
- else
- #endif
- #ifndef OPENSSL_NO_ECDH
-- if (strcmp(*argv,"ecdhp160") == 0) ecdh_doit[R_EC_P160]=2;
-- else if (strcmp(*argv,"ecdhp192") == 0) ecdh_doit[R_EC_P192]=2;
-- else if (strcmp(*argv,"ecdhp224") == 0) ecdh_doit[R_EC_P224]=2;
-- else if (strcmp(*argv,"ecdhp256") == 0) ecdh_doit[R_EC_P256]=2;
-+ if (strcmp(*argv,"ecdhp256") == 0) ecdh_doit[R_EC_P256]=2;
- else if (strcmp(*argv,"ecdhp384") == 0) ecdh_doit[R_EC_P384]=2;
- else if (strcmp(*argv,"ecdhp521") == 0) ecdh_doit[R_EC_P521]=2;
-- else if (strcmp(*argv,"ecdhk163") == 0) ecdh_doit[R_EC_K163]=2;
-- else if (strcmp(*argv,"ecdhk233") == 0) ecdh_doit[R_EC_K233]=2;
-- else if (strcmp(*argv,"ecdhk283") == 0) ecdh_doit[R_EC_K283]=2;
-- else if (strcmp(*argv,"ecdhk409") == 0) ecdh_doit[R_EC_K409]=2;
-- else if (strcmp(*argv,"ecdhk571") == 0) ecdh_doit[R_EC_K571]=2;
-- else if (strcmp(*argv,"ecdhb163") == 0) ecdh_doit[R_EC_B163]=2;
-- else if (strcmp(*argv,"ecdhb233") == 0) ecdh_doit[R_EC_B233]=2;
-- else if (strcmp(*argv,"ecdhb283") == 0) ecdh_doit[R_EC_B283]=2;
-- else if (strcmp(*argv,"ecdhb409") == 0) ecdh_doit[R_EC_B409]=2;
-- else if (strcmp(*argv,"ecdhb571") == 0) ecdh_doit[R_EC_B571]=2;
- else if (strcmp(*argv,"ecdh") == 0)
- {
-- for (i=0; i < EC_NUM; i++)
-+ for (i=R_EC_P256; i <= R_EC_P521; i++)
- ecdh_doit[i]=1;
- }
- else
-@@ -1097,15 +1071,11 @@ int MAIN(int argc, char **argv)
- BIO_printf(bio_err,"dsa512 dsa1024 dsa2048\n");
- #endif
- #ifndef OPENSSL_NO_ECDSA
-- BIO_printf(bio_err,"ecdsap160 ecdsap192 ecdsap224 ecdsap256 ecdsap384 ecdsap521\n");
-- BIO_printf(bio_err,"ecdsak163 ecdsak233 ecdsak283 ecdsak409 ecdsak571\n");
-- BIO_printf(bio_err,"ecdsab163 ecdsab233 ecdsab283 ecdsab409 ecdsab571\n");
-+ BIO_printf(bio_err,"ecdsap256 ecdsap384 ecdsap521\n");
- BIO_printf(bio_err,"ecdsa\n");
- #endif
- #ifndef OPENSSL_NO_ECDH
-- BIO_printf(bio_err,"ecdhp160 ecdhp192 ecdhp224 ecdhp256 ecdhp384 ecdhp521\n");
-- BIO_printf(bio_err,"ecdhk163 ecdhk233 ecdhk283 ecdhk409 ecdhk571\n");
-- BIO_printf(bio_err,"ecdhb163 ecdhb233 ecdhb283 ecdhb409 ecdhb571\n");
-+ BIO_printf(bio_err,"ecdhp256 ecdhp384 ecdhp521\n");
- BIO_printf(bio_err,"ecdh\n");
- #endif
-
-@@ -1184,11 +1154,11 @@ int MAIN(int argc, char **argv)
- if (!FIPS_mode() || i != R_DSA_512)
- dsa_doit[i]=1;
- #ifndef OPENSSL_NO_ECDSA
-- for (i=0; i<EC_NUM; i++)
-+ for (i=R_EC_P256; i <= R_EC_P521; i++)
- ecdsa_doit[i]=1;
- #endif
- #ifndef OPENSSL_NO_ECDH
-- for (i=0; i<EC_NUM; i++)
-+ for (i=R_EC_P256; i <= R_EC_P521; i++)
- ecdh_doit[i]=1;
- #endif
- }
-diff -up openssl-1.0.1e/ssl/t1_lib.c.suiteb openssl-1.0.1e/ssl/t1_lib.c
---- openssl-1.0.1e/ssl/t1_lib.c.suiteb 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/ssl/t1_lib.c 2013-11-08 18:05:27.551617554 +0100
-@@ -204,31 +204,9 @@ static int nid_list[] =
-
- static int pref_list[] =
- {
-- NID_sect571r1, /* sect571r1 (14) */
-- NID_sect571k1, /* sect571k1 (13) */
- NID_secp521r1, /* secp521r1 (25) */
-- NID_sect409k1, /* sect409k1 (11) */
-- NID_sect409r1, /* sect409r1 (12) */
- NID_secp384r1, /* secp384r1 (24) */
-- NID_sect283k1, /* sect283k1 (9) */
-- NID_sect283r1, /* sect283r1 (10) */
-- NID_secp256k1, /* secp256k1 (22) */
- NID_X9_62_prime256v1, /* secp256r1 (23) */
-- NID_sect239k1, /* sect239k1 (8) */
-- NID_sect233k1, /* sect233k1 (6) */
-- NID_sect233r1, /* sect233r1 (7) */
-- NID_secp224k1, /* secp224k1 (20) */
-- NID_secp224r1, /* secp224r1 (21) */
-- NID_sect193r1, /* sect193r1 (4) */
-- NID_sect193r2, /* sect193r2 (5) */
-- NID_secp192k1, /* secp192k1 (18) */
-- NID_X9_62_prime192v1, /* secp192r1 (19) */
-- NID_sect163k1, /* sect163k1 (1) */
-- NID_sect163r1, /* sect163r1 (2) */
-- NID_sect163r2, /* sect163r2 (3) */
-- NID_secp160k1, /* secp160k1 (15) */
-- NID_secp160r1, /* secp160r1 (16) */
-- NID_secp160r2, /* secp160r2 (17) */
- };
-
- int tls1_ec_curve_id2nid(int curve_id)
diff --git a/SOURCES/openssl-1.0.1e-ecdh-auto.patch b/SOURCES/openssl-1.0.1e-ecdh-auto.patch
deleted file mode 100644
index 2e6ac57..0000000
--- a/SOURCES/openssl-1.0.1e-ecdh-auto.patch
+++ /dev/null
@@ -1,248 +0,0 @@
-diff -up openssl-1.0.1e/apps/s_server.c.ecdh-auto openssl-1.0.1e/apps/s_server.c
---- openssl-1.0.1e/apps/s_server.c.ecdh-auto 2014-09-17 15:52:01.659445244 +0200
-+++ openssl-1.0.1e/apps/s_server.c 2014-09-17 16:24:44.378754502 +0200
-@@ -1708,7 +1708,7 @@ bad:
- {
- EC_KEY *ecdh=NULL;
-
-- if (named_curve)
-+ if (named_curve && strcmp(named_curve, "auto"))
- {
- int nid = OBJ_sn2nid(named_curve);
-
-@@ -1731,6 +1731,8 @@ bad:
- {
- BIO_printf(bio_s_out,"Setting temp ECDH parameters\n");
- }
-+ else if (named_curve)
-+ SSL_CTX_set_ecdh_auto(ctx, 1);
- else
- {
- BIO_printf(bio_s_out,"Using default temp ECDH parameters\n");
-diff -up openssl-1.0.1e/ssl/ssl_cert.c.ecdh-auto openssl-1.0.1e/ssl/ssl_cert.c
---- openssl-1.0.1e/ssl/ssl_cert.c.ecdh-auto 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/ssl/ssl_cert.c 2014-09-17 16:20:24.355884360 +0200
-@@ -270,6 +270,7 @@ CERT *ssl_cert_dup(CERT *cert)
- }
- }
- ret->ecdh_tmp_cb = cert->ecdh_tmp_cb;
-+ ret->ecdh_tmp_auto = cert->ecdh_tmp_auto;
- #endif
-
- for (i = 0; i < SSL_PKEY_NUM; i++)
-diff -up openssl-1.0.1e/ssl/ssl.h.ecdh-auto openssl-1.0.1e/ssl/ssl.h
---- openssl-1.0.1e/ssl/ssl.h.ecdh-auto 2014-09-17 16:20:24.354884336 +0200
-+++ openssl-1.0.1e/ssl/ssl.h 2014-09-17 16:49:29.135273514 +0200
-@@ -1563,6 +1563,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
- #define SSL_CTRL_GET_EXTRA_CHAIN_CERTS 82
- #define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS 83
-
-+#define SSL_CTRL_SET_ECDH_AUTO 94
- #define SSL_CTRL_GET_SERVER_TMP_KEY 109
-
- #define DTLSv1_get_timeout(ssl, arg) \
-@@ -1606,6 +1607,11 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
- #define SSL_CTX_clear_extra_chain_certs(ctx) \
- SSL_CTX_ctrl(ctx,SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS,0,NULL)
-
-+#define SSL_CTX_set_ecdh_auto(ctx, onoff) \
-+ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_ECDH_AUTO,onoff,NULL)
-+#define SSL_set_ecdh_auto(s, onoff) \
-+ SSL_ctrl(s,SSL_CTRL_SET_ECDH_AUTO,onoff,NULL)
-+
- #define SSL_get_server_tmp_key(s, pk) \
- SSL_ctrl(s,SSL_CTRL_GET_SERVER_TMP_KEY,0,pk)
-
-diff -up openssl-1.0.1e/ssl/ssl_lib.c.ecdh-auto openssl-1.0.1e/ssl/ssl_lib.c
---- openssl-1.0.1e/ssl/ssl_lib.c.ecdh-auto 2014-09-17 15:52:01.616444274 +0200
-+++ openssl-1.0.1e/ssl/ssl_lib.c 2014-09-17 16:20:24.356884383 +0200
-@@ -2045,7 +2045,7 @@ void ssl_set_cert_masks(CERT *c, const S
- #endif
-
- #ifndef OPENSSL_NO_ECDH
-- have_ecdh_tmp=(c->ecdh_tmp != NULL || c->ecdh_tmp_cb != NULL);
-+ have_ecdh_tmp=(c->ecdh_tmp || c->ecdh_tmp_cb || c->ecdh_tmp_auto);
- #endif
- cpk= &(c->pkeys[SSL_PKEY_RSA_ENC]);
- rsa_enc= (cpk->x509 != NULL && cpk->privatekey != NULL);
-diff -up openssl-1.0.1e/ssl/ssl_locl.h.ecdh-auto openssl-1.0.1e/ssl/ssl_locl.h
---- openssl-1.0.1e/ssl/ssl_locl.h.ecdh-auto 2014-09-17 15:52:01.632444635 +0200
-+++ openssl-1.0.1e/ssl/ssl_locl.h 2014-09-17 17:26:29.764405189 +0200
-@@ -511,6 +511,8 @@ typedef struct cert_st
- EC_KEY *ecdh_tmp;
- /* Callback for generating ephemeral ECDH keys */
- EC_KEY *(*ecdh_tmp_cb)(SSL *ssl,int is_export,int keysize);
-+ /* Select ECDH parameters automatically */
-+ int ecdh_tmp_auto;
- #endif
-
- CERT_PKEY pkeys[SSL_PKEY_NUM];
-@@ -1091,6 +1093,7 @@ SSL_COMP *ssl3_comp_find(STACK_OF(SSL_CO
- #ifndef OPENSSL_NO_EC
- int tls1_ec_curve_id2nid(int curve_id);
- int tls1_ec_nid2curve_id(int nid);
-+int tls1_shared_curve(SSL *s, int nmatch);
- #endif /* OPENSSL_NO_EC */
-
- #ifndef OPENSSL_NO_TLSEXT
-diff -up openssl-1.0.1e/ssl/s3_lib.c.ecdh-auto openssl-1.0.1e/ssl/s3_lib.c
---- openssl-1.0.1e/ssl/s3_lib.c.ecdh-auto 2014-09-17 16:20:24.352884288 +0200
-+++ openssl-1.0.1e/ssl/s3_lib.c 2014-09-17 17:37:26.274226185 +0200
-@@ -3350,6 +3350,12 @@ long ssl3_ctrl(SSL *s, int cmd, long lar
- #endif
-
- #endif /* !OPENSSL_NO_TLSEXT */
-+
-+#ifndef OPENSSL_NO_EC
-+ case SSL_CTRL_SET_ECDH_AUTO:
-+ s->cert->ecdh_tmp_auto = larg;
-+ return 1;
-+#endif
- case SSL_CTRL_GET_SERVER_TMP_KEY:
- if (s->server || !s->session || !s->session->sess_cert)
- return 0;
-@@ -3651,6 +3657,12 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd
- ctx->srp_ctx.strength=larg;
- break;
- #endif
-+
-+#ifndef OPENSSL_NO_EC
-+ case SSL_CTRL_SET_ECDH_AUTO:
-+ ctx->cert->ecdh_tmp_auto = larg;
-+ return 1;
-+#endif
- #endif /* !OPENSSL_NO_TLSEXT */
-
- /* A Thawte special :-) */
-@@ -4003,6 +4015,14 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, S
- if (
- /* if we are considering an ECC cipher suite that uses an ephemeral EC key */
- (alg_k & SSL_kEECDH)
-+ && (s->cert->ecdh_tmp_auto)
-+ )
-+ {
-+ ok = ok && tls1_shared_curve(s, 0);
-+ }
-+ else if (
-+ /* if we are considering an ECC cipher suite that uses an ephemeral EC key */
-+ (alg_k & SSL_kEECDH)
- /* and we have an ephemeral EC key */
- && (s->cert->ecdh_tmp != NULL)
- /* and the client specified an EllipticCurves extension */
-diff -up openssl-1.0.1e/ssl/s3_srvr.c.ecdh-auto openssl-1.0.1e/ssl/s3_srvr.c
---- openssl-1.0.1e/ssl/s3_srvr.c.ecdh-auto 2014-09-17 15:52:01.644444906 +0200
-+++ openssl-1.0.1e/ssl/s3_srvr.c 2014-09-17 16:20:24.353884312 +0200
-@@ -1693,7 +1693,14 @@ int ssl3_send_server_key_exchange(SSL *s
- const EC_GROUP *group;
-
- ecdhp=cert->ecdh_tmp;
-- if ((ecdhp == NULL) && (s->cert->ecdh_tmp_cb != NULL))
-+ if (s->cert->ecdh_tmp_auto)
-+ {
-+ /* Get NID of first shared curve */
-+ int nid = tls1_shared_curve(s, 0);
-+ if (nid != NID_undef)
-+ ecdhp = EC_KEY_new_by_curve_name(nid);
-+ }
-+ else if ((ecdhp == NULL) && s->cert->ecdh_tmp_cb)
- {
- ecdhp=s->cert->ecdh_tmp_cb(s,
- SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
-@@ -1718,7 +1725,9 @@ int ssl3_send_server_key_exchange(SSL *s
- SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
- goto err;
- }
-- if ((ecdh = EC_KEY_dup(ecdhp)) == NULL)
-+ if (s->cert->ecdh_tmp_auto)
-+ ecdh = ecdhp;
-+ else if ((ecdh = EC_KEY_dup(ecdhp)) == NULL)
- {
- SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
- goto err;
-diff -up openssl-1.0.1e/ssl/t1_lib.c.ecdh-auto openssl-1.0.1e/ssl/t1_lib.c
---- openssl-1.0.1e/ssl/t1_lib.c.ecdh-auto 2014-09-17 16:20:24.358884427 +0200
-+++ openssl-1.0.1e/ssl/t1_lib.c 2014-09-17 17:32:04.054951942 +0200
-@@ -202,6 +202,13 @@ static int nid_list[] =
- NID_secp521r1 /* secp521r1 (25) */
- };
-
-+static const unsigned char eccurves_default[] =
-+ {
-+ 0,23, /* secp256r1 (23) */
-+ 0,24, /* secp384r1 (24) */
-+ 0,25, /* secp521r1 (25) */
-+ };
-+
- static int pref_list[] =
- {
- NID_secp521r1, /* secp521r1 (25) */
-@@ -277,6 +284,69 @@ int tls1_ec_nid2curve_id(int nid)
- return 0;
- }
- }
-+/* Get curves list, if "sess" is set return client curves otherwise
-+ * preferred list
-+ */
-+static void tls1_get_curvelist(SSL *s, int sess,
-+ const unsigned char **pcurves,
-+ size_t *pcurveslen)
-+ {
-+ if (sess)
-+ {
-+ *pcurves = s->session->tlsext_ellipticcurvelist;
-+ *pcurveslen = s->session->tlsext_ellipticcurvelist_length;
-+ }
-+ else
-+ {
-+ *pcurves = s->tlsext_ellipticcurvelist;
-+ *pcurveslen = s->tlsext_ellipticcurvelist_length;
-+ }
-+ if (!*pcurves)
-+ {
-+ *pcurves = eccurves_default;
-+ *pcurveslen = sizeof(eccurves_default);
-+ }
-+ }
-+/* Return nth shared curve. If nmatch == -1 return number of
-+ * matches.
-+ */
-+
-+int tls1_shared_curve(SSL *s, int nmatch)
-+ {
-+ const unsigned char *pref, *supp;
-+ size_t preflen, supplen, i, j;
-+ int k;
-+ /* Can't do anything on client side */
-+ if (s->server == 0)
-+ return -1;
-+ tls1_get_curvelist(s, !!(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
-+ &supp, &supplen);
-+ tls1_get_curvelist(s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
-+ &pref, &preflen);
-+ preflen /= 2;
-+ supplen /= 2;
-+ k = 0;
-+ for (i = 0; i < preflen; i++, pref+=2)
-+ {
-+ const unsigned char *tsupp = supp;
-+ for (j = 0; j < supplen; j++, tsupp+=2)
-+ {
-+ if (pref[0] == tsupp[0] && pref[1] == tsupp[1])
-+ {
-+ if (nmatch == k)
-+ {
-+ int id = (pref[0] << 8) | pref[1];
-+ return tls1_ec_curve_id2nid(id);
-+ }
-+ k++;
-+ }
-+ }
-+ }
-+ if (nmatch == -1)
-+ return k;
-+ return 0;
-+ }
-+
- #endif /* OPENSSL_NO_EC */
-
- #ifndef OPENSSL_NO_TLSEXT
diff --git a/SOURCES/openssl-1.0.1e-enc-fail.patch b/SOURCES/openssl-1.0.1e-enc-fail.patch
deleted file mode 100644
index a5a43f0..0000000
--- a/SOURCES/openssl-1.0.1e-enc-fail.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-diff -up openssl-1.0.1e/crypto/evp/bio_enc.c.enc-fail openssl-1.0.1e/crypto/evp/bio_enc.c
---- openssl-1.0.1e/crypto/evp/bio_enc.c.enc-fail 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/evp/bio_enc.c 2014-03-04 15:21:12.185821738 +0100
-@@ -198,10 +198,15 @@ static int enc_read(BIO *b, char *out, i
- }
- else
- {
-- EVP_CipherUpdate(&(ctx->cipher),
-+ if (!EVP_CipherUpdate(&(ctx->cipher),
- (unsigned char *)ctx->buf,&ctx->buf_len,
-- (unsigned char *)&(ctx->buf[BUF_OFFSET]),i);
-- ctx->cont=1;
-+ (unsigned char *)&(ctx->buf[BUF_OFFSET]),i))
-+ {
-+ ctx->ok = 0;
-+ ctx->cont = 0;
-+ }
-+ else
-+ ctx->cont=1;
- /* Note: it is possible for EVP_CipherUpdate to
- * decrypt zero bytes because this is or looks like
- * the final block: if this happens we should retry
-@@ -257,9 +262,14 @@ static int enc_write(BIO *b, const char
- while (inl > 0)
- {
- n=(inl > ENC_BLOCK_SIZE)?ENC_BLOCK_SIZE:inl;
-- EVP_CipherUpdate(&(ctx->cipher),
-+ if (!EVP_CipherUpdate(&(ctx->cipher),
- (unsigned char *)ctx->buf,&ctx->buf_len,
-- (unsigned char *)in,n);
-+ (unsigned char *)in,n))
-+ {
-+ BIO_copy_next_retry(b);
-+ ctx->ok = 0;
-+ return ret - inl;
-+ }
- inl-=n;
- in+=n;
-
diff --git a/SOURCES/openssl-1.0.1e-env-zlib.patch b/SOURCES/openssl-1.0.1e-env-zlib.patch
deleted file mode 100644
index b702acb..0000000
--- a/SOURCES/openssl-1.0.1e-env-zlib.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-diff -up openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod.env-zlib openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod
---- openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod.env-zlib 2013-02-11 16:02:48.000000000 +0100
-+++ openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod 2013-02-19 16:32:51.000000000 +0100
-@@ -47,6 +47,13 @@ Once the identities of the compression m
- been standardized, the compression API will most likely be changed. Using
- it in the current state is not recommended.
-
-+It is also not recommended to use compression if data transfered contain
-+untrusted parts that can be manipulated by an attacker as he could then
-+get information about the encrypted data. See the CRIME attack. For
-+that reason the default loading of the zlib compression method is
-+disabled and enabled only if the environment variable B<OPENSSL_DEFAULT_ZLIB>
-+is present during the library initialization.
-+
- =head1 RETURN VALUES
-
- SSL_COMP_add_compression_method() may return the following values:
-diff -up openssl-1.0.1e/ssl/ssl_ciph.c.env-zlib openssl-1.0.1e/ssl/ssl_ciph.c
---- openssl-1.0.1e/ssl/ssl_ciph.c.env-zlib 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/ssl/ssl_ciph.c 2013-02-19 16:37:36.163545085 +0100
-@@ -140,6 +140,8 @@
- * OTHERWISE.
- */
-
-+/* for secure_getenv */
-+#define _GNU_SOURCE
- #include <stdio.h>
- #include <openssl/objects.h>
- #ifndef OPENSSL_NO_COMP
-@@ -455,7 +457,7 @@ static void load_builtin_compressions(vo
-
- MemCheck_off();
- ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp);
-- if (ssl_comp_methods != NULL)
-+ if (ssl_comp_methods != NULL && secure_getenv("OPENSSL_DEFAULT_ZLIB") != NULL)
- {
- comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
- if (comp != NULL)
diff --git a/SOURCES/openssl-1.0.1e-ephemeral-key-size.patch b/SOURCES/openssl-1.0.1e-ephemeral-key-size.patch
deleted file mode 100644
index 14f7940..0000000
--- a/SOURCES/openssl-1.0.1e-ephemeral-key-size.patch
+++ /dev/null
@@ -1,135 +0,0 @@
-diff -up openssl-1.0.1e/apps/s_apps.h.ephemeral openssl-1.0.1e/apps/s_apps.h
---- openssl-1.0.1e/apps/s_apps.h.ephemeral 2014-02-12 14:49:14.333513753 +0100
-+++ openssl-1.0.1e/apps/s_apps.h 2014-02-12 14:49:14.417515629 +0100
-@@ -156,6 +156,7 @@ int MS_CALLBACK verify_callback(int ok,
- int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file);
- int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key);
- #endif
-+int ssl_print_tmp_key(BIO *out, SSL *s);
- int init_client(int *sock, char *server, char *port, int type);
- int should_retry(int i);
- int extract_host_port(char *str,char **host_ptr,char **port_ptr);
-diff -up openssl-1.0.1e/apps/s_cb.c.ephemeral openssl-1.0.1e/apps/s_cb.c
---- openssl-1.0.1e/apps/s_cb.c.ephemeral 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/apps/s_cb.c 2014-02-12 14:56:25.584142499 +0100
-@@ -338,6 +338,38 @@ void MS_CALLBACK apps_ssl_info_callback(
- }
- }
-
-+int ssl_print_tmp_key(BIO *out, SSL *s)
-+ {
-+ EVP_PKEY *key;
-+ if (!SSL_get_server_tmp_key(s, &key))
-+ return 1;
-+ BIO_puts(out, "Server Temp Key: ");
-+ switch (EVP_PKEY_id(key))
-+ {
-+ case EVP_PKEY_RSA:
-+ BIO_printf(out, "RSA, %d bits\n", EVP_PKEY_bits(key));
-+ break;
-+
-+ case EVP_PKEY_DH:
-+ BIO_printf(out, "DH, %d bits\n", EVP_PKEY_bits(key));
-+ break;
-+
-+ case EVP_PKEY_EC:
-+ {
-+ EC_KEY *ec = EVP_PKEY_get1_EC_KEY(key);
-+ int nid;
-+ const char *cname;
-+ nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
-+ EC_KEY_free(ec);
-+ cname = OBJ_nid2sn(nid);
-+ BIO_printf(out, "ECDH, %s, %d bits\n",
-+ cname, EVP_PKEY_bits(key));
-+ }
-+ }
-+ EVP_PKEY_free(key);
-+ return 1;
-+ }
-+
-
- void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg)
- {
-diff -up openssl-1.0.1e/apps/s_client.c.ephemeral openssl-1.0.1e/apps/s_client.c
---- openssl-1.0.1e/apps/s_client.c.ephemeral 2014-02-12 14:49:14.407515406 +0100
-+++ openssl-1.0.1e/apps/s_client.c 2014-02-12 14:49:14.418515652 +0100
-@@ -2032,6 +2032,8 @@ static void print_stuff(BIO *bio, SSL *s
- BIO_write(bio,"\n",1);
- }
-
-+ ssl_print_tmp_key(bio, s);
-+
- BIO_printf(bio,"---\nSSL handshake has read %ld bytes and written %ld bytes\n",
- BIO_number_read(SSL_get_rbio(s)),
- BIO_number_written(SSL_get_wbio(s)));
-diff -up openssl-1.0.1e/ssl/ssl.h.ephemeral openssl-1.0.1e/ssl/ssl.h
---- openssl-1.0.1e/ssl/ssl.h.ephemeral 2014-02-12 14:49:14.391515049 +0100
-+++ openssl-1.0.1e/ssl/ssl.h 2014-02-12 14:49:14.418515652 +0100
-@@ -1563,6 +1563,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
- #define SSL_CTRL_GET_EXTRA_CHAIN_CERTS 82
- #define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS 83
-
-+#define SSL_CTRL_GET_SERVER_TMP_KEY 109
-+
- #define DTLSv1_get_timeout(ssl, arg) \
- SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg)
- #define DTLSv1_handle_timeout(ssl) \
-@@ -1604,6 +1606,9 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
- #define SSL_CTX_clear_extra_chain_certs(ctx) \
- SSL_CTX_ctrl(ctx,SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS,0,NULL)
-
-+#define SSL_get_server_tmp_key(s, pk) \
-+ SSL_ctrl(s,SSL_CTRL_GET_SERVER_TMP_KEY,0,pk)
-+
- #ifndef OPENSSL_NO_BIO
- BIO_METHOD *BIO_f_ssl(void);
- BIO *BIO_new_ssl(SSL_CTX *ctx,int client);
-diff -up openssl-1.0.1e/ssl/s3_lib.c.ephemeral openssl-1.0.1e/ssl/s3_lib.c
---- openssl-1.0.1e/ssl/s3_lib.c.ephemeral 2014-02-12 14:49:14.412515518 +0100
-+++ openssl-1.0.1e/ssl/s3_lib.c 2014-02-12 14:49:14.418515652 +0100
-@@ -3350,6 +3350,44 @@ long ssl3_ctrl(SSL *s, int cmd, long lar
- #endif
-
- #endif /* !OPENSSL_NO_TLSEXT */
-+ case SSL_CTRL_GET_SERVER_TMP_KEY:
-+ if (s->server || !s->session || !s->session->sess_cert)
-+ return 0;
-+ else
-+ {
-+ SESS_CERT *sc;
-+ EVP_PKEY *ptmp;
-+ int rv = 0;
-+ sc = s->session->sess_cert;
-+#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_EC)
-+ if (!sc->peer_rsa_tmp && !sc->peer_dh_tmp
-+ && !sc->peer_ecdh_tmp)
-+ return 0;
-+#endif
-+ ptmp = EVP_PKEY_new();
-+ if (!ptmp)
-+ return 0;
-+ if (0);
-+#ifndef OPENSSL_NO_RSA
-+ else if (sc->peer_rsa_tmp)
-+ rv = EVP_PKEY_set1_RSA(ptmp, sc->peer_rsa_tmp);
-+#endif
-+#ifndef OPENSSL_NO_DH
-+ else if (sc->peer_dh_tmp)
-+ rv = EVP_PKEY_set1_DH(ptmp, sc->peer_dh_tmp);
-+#endif
-+#ifndef OPENSSL_NO_ECDH
-+ else if (sc->peer_ecdh_tmp)
-+ rv = EVP_PKEY_set1_EC_KEY(ptmp, sc->peer_ecdh_tmp);
-+#endif
-+ if (rv)
-+ {
-+ *(EVP_PKEY **)parg = ptmp;
-+ return 1;
-+ }
-+ EVP_PKEY_free(ptmp);
-+ return 0;
-+ }
- default:
- break;
- }
diff --git a/SOURCES/openssl-1.0.1e-evp-wrap.patch b/SOURCES/openssl-1.0.1e-evp-wrap.patch
deleted file mode 100644
index ecb43a4..0000000
--- a/SOURCES/openssl-1.0.1e-evp-wrap.patch
+++ /dev/null
@@ -1,1239 +0,0 @@
-diff -up openssl-1.0.1e/crypto/aes/aes_wrap.c.wrap openssl-1.0.1e/crypto/aes/aes_wrap.c
---- openssl-1.0.1e/crypto/aes/aes_wrap.c.wrap 2013-02-11 16:02:47.000000000 +0100
-+++ openssl-1.0.1e/crypto/aes/aes_wrap.c 2014-09-09 16:12:25.852801573 +0200
-@@ -53,207 +53,18 @@
-
- #include "cryptlib.h"
- #include <openssl/aes.h>
--#include <openssl/bio.h>
--
--static const unsigned char default_iv[] = {
-- 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6,
--};
-+#include <openssl/modes.h>
-
- int AES_wrap_key(AES_KEY *key, const unsigned char *iv,
- unsigned char *out,
- const unsigned char *in, unsigned int inlen)
- {
-- unsigned char *A, B[16], *R;
-- unsigned int i, j, t;
-- if ((inlen & 0x7) || (inlen < 8))
-- return -1;
-- A = B;
-- t = 1;
-- memcpy(out + 8, in, inlen);
-- if (!iv)
-- iv = default_iv;
--
-- memcpy(A, iv, 8);
--
-- for (j = 0; j < 6; j++)
-- {
-- R = out + 8;
-- for (i = 0; i < inlen; i += 8, t++, R += 8)
-- {
-- memcpy(B + 8, R, 8);
-- AES_encrypt(B, B, key);
-- A[7] ^= (unsigned char)(t & 0xff);
-- if (t > 0xff)
-- {
-- A[6] ^= (unsigned char)((t >> 8) & 0xff);
-- A[5] ^= (unsigned char)((t >> 16) & 0xff);
-- A[4] ^= (unsigned char)((t >> 24) & 0xff);
-- }
-- memcpy(R, B + 8, 8);
-- }
-- }
-- memcpy(out, A, 8);
-- return inlen + 8;
-+ return CRYPTO_128_wrap(key, iv, out, in, inlen, (block128_f)AES_encrypt);
- }
-
- int AES_unwrap_key(AES_KEY *key, const unsigned char *iv,
- unsigned char *out,
- const unsigned char *in, unsigned int inlen)
- {
-- unsigned char *A, B[16], *R;
-- unsigned int i, j, t;
-- inlen -= 8;
-- if (inlen & 0x7)
-- return -1;
-- if (inlen < 8)
-- return -1;
-- A = B;
-- t = 6 * (inlen >> 3);
-- memcpy(A, in, 8);
-- memcpy(out, in + 8, inlen);
-- for (j = 0; j < 6; j++)
-- {
-- R = out + inlen - 8;
-- for (i = 0; i < inlen; i += 8, t--, R -= 8)
-- {
-- A[7] ^= (unsigned char)(t & 0xff);
-- if (t > 0xff)
-- {
-- A[6] ^= (unsigned char)((t >> 8) & 0xff);
-- A[5] ^= (unsigned char)((t >> 16) & 0xff);
-- A[4] ^= (unsigned char)((t >> 24) & 0xff);
-- }
-- memcpy(B + 8, R, 8);
-- AES_decrypt(B, B, key);
-- memcpy(R, B + 8, 8);
-- }
-- }
-- if (!iv)
-- iv = default_iv;
-- if (memcmp(A, iv, 8))
-- {
-- OPENSSL_cleanse(out, inlen);
-- return 0;
-- }
-- return inlen;
-- }
--
--#ifdef AES_WRAP_TEST
--
--int AES_wrap_unwrap_test(const unsigned char *kek, int keybits,
-- const unsigned char *iv,
-- const unsigned char *eout,
-- const unsigned char *key, int keylen)
-- {
-- unsigned char *otmp = NULL, *ptmp = NULL;
-- int r, ret = 0;
-- AES_KEY wctx;
-- otmp = OPENSSL_malloc(keylen + 8);
-- ptmp = OPENSSL_malloc(keylen);
-- if (!otmp || !ptmp)
-- return 0;
-- if (AES_set_encrypt_key(kek, keybits, &wctx))
-- goto err;
-- r = AES_wrap_key(&wctx, iv, otmp, key, keylen);
-- if (r <= 0)
-- goto err;
--
-- if (eout && memcmp(eout, otmp, keylen))
-- goto err;
--
-- if (AES_set_decrypt_key(kek, keybits, &wctx))
-- goto err;
-- r = AES_unwrap_key(&wctx, iv, ptmp, otmp, r);
--
-- if (memcmp(key, ptmp, keylen))
-- goto err;
--
-- ret = 1;
--
-- err:
-- if (otmp)
-- OPENSSL_free(otmp);
-- if (ptmp)
-- OPENSSL_free(ptmp);
--
-- return ret;
--
-+ return CRYPTO_128_unwrap(key, iv, out, in, inlen, (block128_f)AES_decrypt);
- }
--
--
--
--int main(int argc, char **argv)
--{
--
--static const unsigned char kek[] = {
-- 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
-- 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
-- 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
-- 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
--};
--
--static const unsigned char key[] = {
-- 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
-- 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
-- 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
-- 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
--};
--
--static const unsigned char e1[] = {
-- 0x1f, 0xa6, 0x8b, 0x0a, 0x81, 0x12, 0xb4, 0x47,
-- 0xae, 0xf3, 0x4b, 0xd8, 0xfb, 0x5a, 0x7b, 0x82,
-- 0x9d, 0x3e, 0x86, 0x23, 0x71, 0xd2, 0xcf, 0xe5
--};
--
--static const unsigned char e2[] = {
-- 0x96, 0x77, 0x8b, 0x25, 0xae, 0x6c, 0xa4, 0x35,
-- 0xf9, 0x2b, 0x5b, 0x97, 0xc0, 0x50, 0xae, 0xd2,
-- 0x46, 0x8a, 0xb8, 0xa1, 0x7a, 0xd8, 0x4e, 0x5d
--};
--
--static const unsigned char e3[] = {
-- 0x64, 0xe8, 0xc3, 0xf9, 0xce, 0x0f, 0x5b, 0xa2,
-- 0x63, 0xe9, 0x77, 0x79, 0x05, 0x81, 0x8a, 0x2a,
-- 0x93, 0xc8, 0x19, 0x1e, 0x7d, 0x6e, 0x8a, 0xe7
--};
--
--static const unsigned char e4[] = {
-- 0x03, 0x1d, 0x33, 0x26, 0x4e, 0x15, 0xd3, 0x32,
-- 0x68, 0xf2, 0x4e, 0xc2, 0x60, 0x74, 0x3e, 0xdc,
-- 0xe1, 0xc6, 0xc7, 0xdd, 0xee, 0x72, 0x5a, 0x93,
-- 0x6b, 0xa8, 0x14, 0x91, 0x5c, 0x67, 0x62, 0xd2
--};
--
--static const unsigned char e5[] = {
-- 0xa8, 0xf9, 0xbc, 0x16, 0x12, 0xc6, 0x8b, 0x3f,
-- 0xf6, 0xe6, 0xf4, 0xfb, 0xe3, 0x0e, 0x71, 0xe4,
-- 0x76, 0x9c, 0x8b, 0x80, 0xa3, 0x2c, 0xb8, 0x95,
-- 0x8c, 0xd5, 0xd1, 0x7d, 0x6b, 0x25, 0x4d, 0xa1
--};
--
--static const unsigned char e6[] = {
-- 0x28, 0xc9, 0xf4, 0x04, 0xc4, 0xb8, 0x10, 0xf4,
-- 0xcb, 0xcc, 0xb3, 0x5c, 0xfb, 0x87, 0xf8, 0x26,
-- 0x3f, 0x57, 0x86, 0xe2, 0xd8, 0x0e, 0xd3, 0x26,
-- 0xcb, 0xc7, 0xf0, 0xe7, 0x1a, 0x99, 0xf4, 0x3b,
-- 0xfb, 0x98, 0x8b, 0x9b, 0x7a, 0x02, 0xdd, 0x21
--};
--
-- AES_KEY wctx, xctx;
-- int ret;
-- ret = AES_wrap_unwrap_test(kek, 128, NULL, e1, key, 16);
-- fprintf(stderr, "Key test result %d\n", ret);
-- ret = AES_wrap_unwrap_test(kek, 192, NULL, e2, key, 16);
-- fprintf(stderr, "Key test result %d\n", ret);
-- ret = AES_wrap_unwrap_test(kek, 256, NULL, e3, key, 16);
-- fprintf(stderr, "Key test result %d\n", ret);
-- ret = AES_wrap_unwrap_test(kek, 192, NULL, e4, key, 24);
-- fprintf(stderr, "Key test result %d\n", ret);
-- ret = AES_wrap_unwrap_test(kek, 256, NULL, e5, key, 24);
-- fprintf(stderr, "Key test result %d\n", ret);
-- ret = AES_wrap_unwrap_test(kek, 256, NULL, e6, key, 32);
-- fprintf(stderr, "Key test result %d\n", ret);
--}
--
--
--#endif
-diff -up openssl-1.0.1e/crypto/evp/c_allc.c.wrap openssl-1.0.1e/crypto/evp/c_allc.c
---- openssl-1.0.1e/crypto/evp/c_allc.c.wrap 2014-09-09 16:11:24.103379348 +0200
-+++ openssl-1.0.1e/crypto/evp/c_allc.c 2014-09-09 16:12:25.853801601 +0200
-@@ -98,6 +98,7 @@ void OpenSSL_add_all_ciphers(void)
- EVP_add_cipher(EVP_des_ecb());
- EVP_add_cipher(EVP_des_ede());
- EVP_add_cipher(EVP_des_ede3());
-+ EVP_add_cipher(EVP_des_ede3_wrap());
- #endif
-
- #ifndef OPENSSL_NO_RC4
-@@ -177,6 +178,8 @@ void OpenSSL_add_all_ciphers(void)
- EVP_add_cipher(EVP_aes_128_ctr());
- EVP_add_cipher(EVP_aes_128_gcm());
- EVP_add_cipher(EVP_aes_128_xts());
-+ EVP_add_cipher(EVP_aes_128_wrap());
-+ EVP_add_cipher(EVP_aes_128_wrap_pad());
- EVP_add_cipher_alias(SN_aes_128_cbc,"AES128");
- EVP_add_cipher_alias(SN_aes_128_cbc,"aes128");
- EVP_add_cipher(EVP_aes_192_ecb());
-@@ -187,6 +190,8 @@ void OpenSSL_add_all_ciphers(void)
- EVP_add_cipher(EVP_aes_192_ofb());
- EVP_add_cipher(EVP_aes_192_ctr());
- EVP_add_cipher(EVP_aes_192_gcm());
-+ EVP_add_cipher(EVP_aes_192_wrap());
-+ EVP_add_cipher(EVP_aes_192_wrap_pad());
- EVP_add_cipher_alias(SN_aes_192_cbc,"AES192");
- EVP_add_cipher_alias(SN_aes_192_cbc,"aes192");
- EVP_add_cipher(EVP_aes_256_ecb());
-@@ -198,6 +203,8 @@ void OpenSSL_add_all_ciphers(void)
- EVP_add_cipher(EVP_aes_256_ctr());
- EVP_add_cipher(EVP_aes_256_gcm());
- EVP_add_cipher(EVP_aes_256_xts());
-+ EVP_add_cipher(EVP_aes_256_wrap());
-+ EVP_add_cipher(EVP_aes_256_wrap_pad());
- EVP_add_cipher_alias(SN_aes_256_cbc,"AES256");
- EVP_add_cipher_alias(SN_aes_256_cbc,"aes256");
- #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
-@@ -250,6 +257,7 @@ void OpenSSL_add_all_ciphers(void)
-
- EVP_add_cipher(EVP_des_ede());
- EVP_add_cipher(EVP_des_ede3());
-+ EVP_add_cipher(EVP_des_ede3_wrap());
- #endif
-
- #ifndef OPENSSL_NO_AES
-@@ -262,6 +270,8 @@ void OpenSSL_add_all_ciphers(void)
- EVP_add_cipher(EVP_aes_128_ctr());
- EVP_add_cipher(EVP_aes_128_gcm());
- EVP_add_cipher(EVP_aes_128_xts());
-+ EVP_add_cipher(EVP_aes_128_wrap());
-+ EVP_add_cipher(EVP_aes_128_wrap_pad());
- EVP_add_cipher_alias(SN_aes_128_cbc,"AES128");
- EVP_add_cipher_alias(SN_aes_128_cbc,"aes128");
- EVP_add_cipher(EVP_aes_192_ecb());
-@@ -272,6 +282,8 @@ void OpenSSL_add_all_ciphers(void)
- EVP_add_cipher(EVP_aes_192_ofb());
- EVP_add_cipher(EVP_aes_192_ctr());
- EVP_add_cipher(EVP_aes_192_gcm());
-+ EVP_add_cipher(EVP_aes_192_wrap());
-+ EVP_add_cipher(EVP_aes_192_wrap_pad());
- EVP_add_cipher_alias(SN_aes_192_cbc,"AES192");
- EVP_add_cipher_alias(SN_aes_192_cbc,"aes192");
- EVP_add_cipher(EVP_aes_256_ecb());
-@@ -283,6 +295,8 @@ void OpenSSL_add_all_ciphers(void)
- EVP_add_cipher(EVP_aes_256_ctr());
- EVP_add_cipher(EVP_aes_256_gcm());
- EVP_add_cipher(EVP_aes_256_xts());
-+ EVP_add_cipher(EVP_aes_256_wrap());
-+ EVP_add_cipher(EVP_aes_256_wrap_pad());
- EVP_add_cipher_alias(SN_aes_256_cbc,"AES256");
- EVP_add_cipher_alias(SN_aes_256_cbc,"aes256");
- #endif
-diff -up openssl-1.0.1e/crypto/evp/e_aes.c.wrap openssl-1.0.1e/crypto/evp/e_aes.c
---- openssl-1.0.1e/crypto/evp/e_aes.c.wrap 2014-09-09 16:11:24.103379348 +0200
-+++ openssl-1.0.1e/crypto/evp/e_aes.c 2014-09-09 16:12:25.853801601 +0200
-@@ -1,5 +1,5 @@
- /* ====================================================================
-- * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved.
-+ * Copyright (c) 2001-2014 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
-@@ -1323,4 +1323,180 @@ BLOCK_CIPHER_custom(NID_aes,128,1,12,ccm
- BLOCK_CIPHER_custom(NID_aes,192,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
- BLOCK_CIPHER_custom(NID_aes,256,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
-
-+typedef struct
-+ {
-+ union { double align; AES_KEY ks; } ks;
-+ /* Indicates if IV has been set */
-+ unsigned char *iv;
-+ } EVP_AES_WRAP_CTX;
-+
-+static int aes_wrap_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
-+ const unsigned char *iv, int enc)
-+ {
-+ EVP_AES_WRAP_CTX *wctx = ctx->cipher_data;
-+ if (!iv && !key)
-+ return 1;
-+ if (key)
-+ {
-+ if (ctx->encrypt)
-+ AES_set_encrypt_key(key, ctx->key_len * 8, &wctx->ks.ks);
-+ else
-+ AES_set_decrypt_key(key, ctx->key_len * 8, &wctx->ks.ks);
-+ if (!iv)
-+ wctx->iv = NULL;
-+ }
-+ if (iv)
-+ {
-+ memcpy(ctx->iv, iv, EVP_CIPHER_CTX_iv_length(ctx));
-+ wctx->iv = ctx->iv;
-+ }
-+ return 1;
-+ }
-+
-+static int aes_wrap_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-+ const unsigned char *in, size_t inlen)
-+ {
-+ EVP_AES_WRAP_CTX *wctx = ctx->cipher_data;
-+ size_t rv;
-+ /* AES wrap with padding has IV length of 4, without padding 8 */
-+ int pad = EVP_CIPHER_CTX_iv_length(ctx) == 4;
-+ /* No final operation so always return zero length */
-+ if (!in)
-+ return 0;
-+ /* Input length must always be non-zero */
-+ if (!inlen)
-+ return -1;
-+ /* If decrypting need at least 16 bytes and multiple of 8 */
-+ if (!ctx->encrypt && (inlen < 16 || inlen & 0x7))
-+ return -1;
-+ /* If not padding input must be multiple of 8 */
-+ if (!pad && inlen & 0x7)
-+ return -1;
-+ if (!out)
-+ {
-+ if (ctx->encrypt)
-+ {
-+ /* If padding round up to multiple of 8 */
-+ if (pad)
-+ inlen = (inlen + 7)/8 * 8;
-+ /* 8 byte prefix */
-+ return inlen + 8;
-+ }
-+ else
-+ {
-+ /* If not padding output will be exactly 8 bytes
-+ * smaller than input. If padding it will be at
-+ * least 8 bytes smaller but we don't know how
-+ * much.
-+ */
-+ return inlen - 8;
-+ }
-+ }
-+ if (pad)
-+ {
-+ if (ctx->encrypt)
-+ rv = CRYPTO_128_wrap_pad(&wctx->ks.ks, wctx->iv,
-+ out, in, inlen,
-+ (block128_f)AES_encrypt);
-+ else
-+ rv = CRYPTO_128_unwrap_pad(&wctx->ks.ks, wctx->iv,
-+ out, in, inlen,
-+ (block128_f)AES_decrypt);
-+ }
-+ else
-+ {
-+ if (ctx->encrypt)
-+ rv = CRYPTO_128_wrap(&wctx->ks.ks, wctx->iv,
-+ out, in, inlen,
-+ (block128_f)AES_encrypt);
-+ else
-+ rv = CRYPTO_128_unwrap(&wctx->ks.ks, wctx->iv,
-+ out, in, inlen,
-+ (block128_f)AES_decrypt);
-+ }
-+ return rv ? (int)rv : -1;
-+ }
-+
-+#define WRAP_FLAGS (EVP_CIPH_WRAP_MODE | EVP_CIPH_FLAG_FIPS \
-+ | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
-+ | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1)
-+
-+static const EVP_CIPHER aes_128_wrap = {
-+ NID_id_aes128_wrap,
-+ 8, 16, 8, WRAP_FLAGS,
-+ aes_wrap_init_key, aes_wrap_cipher,
-+ NULL,
-+ sizeof(EVP_AES_WRAP_CTX),
-+ NULL,NULL,NULL,NULL };
-+
-+const EVP_CIPHER *EVP_aes_128_wrap(void)
-+ {
-+ return &aes_128_wrap;
-+ }
-+
-+static const EVP_CIPHER aes_192_wrap = {
-+ NID_id_aes192_wrap,
-+ 8, 24, 8, WRAP_FLAGS,
-+ aes_wrap_init_key, aes_wrap_cipher,
-+ NULL,
-+ sizeof(EVP_AES_WRAP_CTX),
-+ NULL,NULL,NULL,NULL };
-+
-+const EVP_CIPHER *EVP_aes_192_wrap(void)
-+ {
-+ return &aes_192_wrap;
-+ }
-+
-+static const EVP_CIPHER aes_256_wrap = {
-+ NID_id_aes256_wrap,
-+ 8, 32, 8, WRAP_FLAGS,
-+ aes_wrap_init_key, aes_wrap_cipher,
-+ NULL,
-+ sizeof(EVP_AES_WRAP_CTX),
-+ NULL,NULL,NULL,NULL };
-+
-+const EVP_CIPHER *EVP_aes_256_wrap(void)
-+ {
-+ return &aes_256_wrap;
-+ }
-+
-+static const EVP_CIPHER aes_128_wrap_pad = {
-+ NID_id_aes128_wrap_pad,
-+ 8, 16, 4, WRAP_FLAGS,
-+ aes_wrap_init_key, aes_wrap_cipher,
-+ NULL,
-+ sizeof(EVP_AES_WRAP_CTX),
-+ NULL,NULL,NULL,NULL };
-+
-+const EVP_CIPHER *EVP_aes_128_wrap_pad(void)
-+ {
-+ return &aes_128_wrap_pad;
-+ }
-+
-+static const EVP_CIPHER aes_192_wrap_pad = {
-+ NID_id_aes192_wrap_pad,
-+ 8, 24, 4, WRAP_FLAGS,
-+ aes_wrap_init_key, aes_wrap_cipher,
-+ NULL,
-+ sizeof(EVP_AES_WRAP_CTX),
-+ NULL,NULL,NULL,NULL };
-+
-+const EVP_CIPHER *EVP_aes_192_wrap_pad(void)
-+ {
-+ return &aes_192_wrap_pad;
-+ }
-+
-+static const EVP_CIPHER aes_256_wrap_pad = {
-+ NID_id_aes256_wrap_pad,
-+ 8, 32, 4, WRAP_FLAGS,
-+ aes_wrap_init_key, aes_wrap_cipher,
-+ NULL,
-+ sizeof(EVP_AES_WRAP_CTX),
-+ NULL,NULL,NULL,NULL };
-+
-+const EVP_CIPHER *EVP_aes_256_wrap_pad(void)
-+ {
-+ return &aes_256_wrap_pad;
-+ }
-+
- #endif
-diff -up openssl-1.0.1e/crypto/evp/e_des3.c.wrap openssl-1.0.1e/crypto/evp/e_des3.c
---- openssl-1.0.1e/crypto/evp/e_des3.c.wrap 2014-09-09 16:11:24.104379372 +0200
-+++ openssl-1.0.1e/crypto/evp/e_des3.c 2014-09-09 16:12:25.854801627 +0200
-@@ -310,4 +310,112 @@ const EVP_CIPHER *EVP_des_ede3(void)
- {
- return &des_ede3_ecb;
- }
-+
-+#ifndef OPENSSL_NO_SHA
-+
-+#include <openssl/sha.h>
-+
-+static const unsigned char wrap_iv[8] = {0x4a,0xdd,0xa2,0x2c,0x79,0xe8,0x21,0x05};
-+
-+static int des_ede3_unwrap(EVP_CIPHER_CTX *ctx, unsigned char *out,
-+ const unsigned char *in, size_t inl)
-+ {
-+ unsigned char icv[8], iv[8], sha1tmp[SHA_DIGEST_LENGTH];
-+ int rv = -1;
-+ if (inl < 24)
-+ return -1;
-+ if (!out)
-+ return inl - 16;
-+ memcpy(ctx->iv, wrap_iv, 8);
-+ /* Decrypt first block which will end up as icv */
-+ des_ede_cbc_cipher(ctx, icv, in, 8);
-+ /* Decrypt central blocks */
-+ /* If decrypting in place move whole output along a block
-+ * so the next des_ede_cbc_cipher is in place.
-+ */
-+ if (out == in)
-+ {
-+ memmove(out, out + 8, inl - 8);
-+ in -= 8;
-+ }
-+ des_ede_cbc_cipher(ctx, out, in + 8, inl - 16);
-+ /* Decrypt final block which will be IV */
-+ des_ede_cbc_cipher(ctx, iv, in + inl - 8, 8);
-+ /* Reverse order of everything */
-+ BUF_reverse(icv, NULL, 8);
-+ BUF_reverse(out, NULL, inl - 16);
-+ BUF_reverse(ctx->iv, iv, 8);
-+ /* Decrypt again using new IV */
-+ des_ede_cbc_cipher(ctx, out, out, inl - 16);
-+ des_ede_cbc_cipher(ctx, icv, icv, 8);
-+ /* Work out SHA1 hash of first portion */
-+ SHA1(out, inl - 16, sha1tmp);
-+
-+ if (!CRYPTO_memcmp(sha1tmp, icv, 8))
-+ rv = inl - 16;
-+ OPENSSL_cleanse(icv, 8);
-+ OPENSSL_cleanse(sha1tmp, SHA_DIGEST_LENGTH);
-+ OPENSSL_cleanse(iv, 8);
-+ OPENSSL_cleanse(ctx->iv, 8);
-+ if (rv == -1)
-+ OPENSSL_cleanse(out, inl - 16);
-+
-+ return rv;
-+ }
-+
-+static int des_ede3_wrap(EVP_CIPHER_CTX *ctx, unsigned char *out,
-+ const unsigned char *in, size_t inl)
-+ {
-+ unsigned char sha1tmp[SHA_DIGEST_LENGTH];
-+ if (!out)
-+ return inl + 16;
-+ /* Copy input to output buffer + 8 so we have space for IV */
-+ memmove(out + 8, in, inl);
-+ /* Work out ICV */
-+ SHA1(in, inl, sha1tmp);
-+ memcpy(out + inl + 8, sha1tmp, 8);
-+ OPENSSL_cleanse(sha1tmp, SHA_DIGEST_LENGTH);
-+ /* Generate random IV */
-+ RAND_bytes(ctx->iv, 8);
-+ memcpy(out, ctx->iv, 8);
-+ /* Encrypt everything after IV in place */
-+ des_ede_cbc_cipher(ctx, out + 8, out + 8, inl + 8);
-+ BUF_reverse(out, NULL, inl + 16);
-+ memcpy(ctx->iv, wrap_iv, 8);
-+ des_ede_cbc_cipher(ctx, out, out, inl + 16);
-+ return inl + 16;
-+ }
-+
-+static int des_ede3_wrap_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-+ const unsigned char *in, size_t inl)
-+ {
-+ /* Sanity check input length: we typically only wrap keys
-+ * so EVP_MAXCHUNK is more than will ever be needed. Also
-+ * input length must be a multiple of 8 bits.
-+ */
-+ if (inl >= EVP_MAXCHUNK || inl % 8)
-+ return -1;
-+ if (ctx->encrypt)
-+ return des_ede3_wrap(ctx, out, in, inl);
-+ else
-+ return des_ede3_unwrap(ctx, out, in, inl);
-+ }
-+
-+static const EVP_CIPHER des3_wrap = {
-+ NID_id_smime_alg_CMS3DESwrap,
-+ 8, 24, 0,
-+ EVP_CIPH_WRAP_MODE|EVP_CIPH_CUSTOM_IV|EVP_CIPH_FLAG_CUSTOM_CIPHER
-+ |EVP_CIPH_FLAG_DEFAULT_ASN1|EVP_CIPH_FLAG_FIPS,
-+ des_ede3_init_key, des_ede3_wrap_cipher,
-+ NULL,
-+ sizeof(DES_EDE_KEY),
-+ NULL,NULL,NULL,NULL };
-+
-+
-+const EVP_CIPHER *EVP_des_ede3_wrap(void)
-+ {
-+ return &des3_wrap;
-+ }
-+
-+# endif
- #endif
-diff -up openssl-1.0.1e/crypto/evp/evp_enc.c.wrap openssl-1.0.1e/crypto/evp/evp_enc.c
---- openssl-1.0.1e/crypto/evp/evp_enc.c.wrap 2014-09-09 16:11:24.104379372 +0200
-+++ openssl-1.0.1e/crypto/evp/evp_enc.c 2014-09-09 16:12:25.854801627 +0200
-@@ -233,7 +233,8 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct
- ctx->cipher_data = NULL;
- }
- ctx->key_len = cipher->key_len;
-- ctx->flags = 0;
-+ /* Preserve wrap enable flag, zero everything else */
-+ ctx->flags &= EVP_CIPHER_CTX_FLAG_WRAP_ALLOW;
- if(ctx->cipher->flags & EVP_CIPH_CTRL_INIT)
- {
- if(!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_INIT, 0, NULL))
-@@ -256,6 +257,13 @@ skip_to_init:
- || ctx->cipher->block_size == 8
- || ctx->cipher->block_size == 16);
-
-+ if(!(ctx->flags & EVP_CIPHER_CTX_FLAG_WRAP_ALLOW)
-+ && EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_WRAP_MODE)
-+ {
-+ EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_WRAP_MODE_NOT_ALLOWED);
-+ return 0;
-+ }
-+
- if(!(EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_CUSTOM_IV)) {
- switch(EVP_CIPHER_CTX_mode(ctx)) {
-
-diff -up openssl-1.0.1e/crypto/evp/evp_err.c.wrap openssl-1.0.1e/crypto/evp/evp_err.c
---- openssl-1.0.1e/crypto/evp/evp_err.c.wrap 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/evp/evp_err.c 2014-09-09 16:12:25.854801627 +0200
-@@ -1,6 +1,6 @@
- /* crypto/evp/evp_err.c */
- /* ====================================================================
-- * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.
-+ * Copyright (c) 1999-2013 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
-@@ -220,6 +220,7 @@ static ERR_STRING_DATA EVP_str_reasons[]
- {ERR_REASON(EVP_R_UNSUPPORTED_PRF) ,"unsupported prf"},
- {ERR_REASON(EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM),"unsupported private key algorithm"},
- {ERR_REASON(EVP_R_UNSUPPORTED_SALT_TYPE) ,"unsupported salt type"},
-+{ERR_REASON(EVP_R_WRAP_MODE_NOT_ALLOWED) ,"wrap mode not allowed"},
- {ERR_REASON(EVP_R_WRONG_FINAL_BLOCK_LENGTH),"wrong final block length"},
- {ERR_REASON(EVP_R_WRONG_PUBLIC_KEY_TYPE) ,"wrong public key type"},
- {0,NULL}
-diff -up openssl-1.0.1e/crypto/evp/evp.h.wrap openssl-1.0.1e/crypto/evp/evp.h
---- openssl-1.0.1e/crypto/evp/evp.h.wrap 2014-09-09 16:11:24.104379372 +0200
-+++ openssl-1.0.1e/crypto/evp/evp.h 2014-09-09 16:12:25.855801651 +0200
-@@ -336,6 +336,7 @@ struct evp_cipher_st
- #define EVP_CIPH_GCM_MODE 0x6
- #define EVP_CIPH_CCM_MODE 0x7
- #define EVP_CIPH_XTS_MODE 0x10001
-+#define EVP_CIPH_WRAP_MODE 0x10002
- #define EVP_CIPH_MODE 0xF0007
- /* Set if variable length cipher */
- #define EVP_CIPH_VARIABLE_LENGTH 0x8
-@@ -367,6 +368,13 @@ struct evp_cipher_st
- #define EVP_CIPH_FLAG_CUSTOM_CIPHER 0x100000
- #define EVP_CIPH_FLAG_AEAD_CIPHER 0x200000
-
-+/* Cipher context flag to indicate we can handle
-+ * wrap mode: if allowed in older applications it could
-+ * overflow buffers.
-+ */
-+
-+#define EVP_CIPHER_CTX_FLAG_WRAP_ALLOW 0x1
-+
- /* ctrl() values */
-
- #define EVP_CTRL_INIT 0x0
-@@ -729,6 +737,7 @@ const EVP_CIPHER *EVP_des_cbc(void);
- const EVP_CIPHER *EVP_des_ede_cbc(void);
- const EVP_CIPHER *EVP_des_ede3_cbc(void);
- const EVP_CIPHER *EVP_desx_cbc(void);
-+const EVP_CIPHER *EVP_des_ede3_wrap(void);
- /* This should now be supported through the dev_crypto ENGINE. But also, why are
- * rc4 and md5 declarations made here inside a "NO_DES" precompiler branch? */
- #if 0
-@@ -788,6 +797,8 @@ const EVP_CIPHER *EVP_aes_128_ctr(void);
- const EVP_CIPHER *EVP_aes_128_ccm(void);
- const EVP_CIPHER *EVP_aes_128_gcm(void);
- const EVP_CIPHER *EVP_aes_128_xts(void);
-+const EVP_CIPHER *EVP_aes_128_wrap(void);
-+const EVP_CIPHER *EVP_aes_128_wrap_pad(void);
- const EVP_CIPHER *EVP_aes_192_ecb(void);
- const EVP_CIPHER *EVP_aes_192_cbc(void);
- const EVP_CIPHER *EVP_aes_192_cfb1(void);
-@@ -798,6 +809,8 @@ const EVP_CIPHER *EVP_aes_192_ofb(void);
- const EVP_CIPHER *EVP_aes_192_ctr(void);
- const EVP_CIPHER *EVP_aes_192_ccm(void);
- const EVP_CIPHER *EVP_aes_192_gcm(void);
-+const EVP_CIPHER *EVP_aes_192_wrap(void);
-+const EVP_CIPHER *EVP_aes_192_wrap_pad(void);
- const EVP_CIPHER *EVP_aes_256_ecb(void);
- const EVP_CIPHER *EVP_aes_256_cbc(void);
- const EVP_CIPHER *EVP_aes_256_cfb1(void);
-@@ -809,6 +822,8 @@ const EVP_CIPHER *EVP_aes_256_ctr(void);
- const EVP_CIPHER *EVP_aes_256_ccm(void);
- const EVP_CIPHER *EVP_aes_256_gcm(void);
- const EVP_CIPHER *EVP_aes_256_xts(void);
-+const EVP_CIPHER *EVP_aes_256_wrap(void);
-+const EVP_CIPHER *EVP_aes_256_wrap_pad(void);
- #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
- const EVP_CIPHER *EVP_aes_128_cbc_hmac_sha1(void);
- const EVP_CIPHER *EVP_aes_256_cbc_hmac_sha1(void);
-@@ -1397,6 +1412,7 @@ void ERR_load_EVP_strings(void);
- #define EVP_R_UNSUPPORTED_PRF 125
- #define EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM 118
- #define EVP_R_UNSUPPORTED_SALT_TYPE 126
-+#define EVP_R_WRAP_MODE_NOT_ALLOWED 170
- #define EVP_R_WRONG_FINAL_BLOCK_LENGTH 109
- #define EVP_R_WRONG_PUBLIC_KEY_TYPE 110
-
-diff -up openssl-1.0.1e/crypto/evp/evp_lib.c.wrap openssl-1.0.1e/crypto/evp/evp_lib.c
---- openssl-1.0.1e/crypto/evp/evp_lib.c.wrap 2014-09-09 16:11:24.104379372 +0200
-+++ openssl-1.0.1e/crypto/evp/evp_lib.c 2014-09-09 16:12:25.855801651 +0200
-@@ -68,7 +68,15 @@ int EVP_CIPHER_param_to_asn1(EVP_CIPHER_
- if (c->cipher->set_asn1_parameters != NULL)
- ret=c->cipher->set_asn1_parameters(c,type);
- else if (c->cipher->flags & EVP_CIPH_FLAG_DEFAULT_ASN1)
-- ret=EVP_CIPHER_set_asn1_iv(c, type);
-+ {
-+ if (EVP_CIPHER_CTX_mode(c) == EVP_CIPH_WRAP_MODE)
-+ {
-+ ASN1_TYPE_set(type, V_ASN1_NULL, NULL);
-+ ret = 1;
-+ }
-+ else
-+ ret=EVP_CIPHER_set_asn1_iv(c, type);
-+ }
- else
- ret=-1;
- return(ret);
-@@ -81,7 +89,11 @@ int EVP_CIPHER_asn1_to_param(EVP_CIPHER_
- if (c->cipher->get_asn1_parameters != NULL)
- ret=c->cipher->get_asn1_parameters(c,type);
- else if (c->cipher->flags & EVP_CIPH_FLAG_DEFAULT_ASN1)
-+ {
-+ if (EVP_CIPHER_CTX_mode(c) == EVP_CIPH_WRAP_MODE)
-+ return 1;
- ret=EVP_CIPHER_get_asn1_iv(c, type);
-+ }
- else
- ret=-1;
- return(ret);
-diff -up openssl-1.0.1e/crypto/evp/evp_test.c.wrap openssl-1.0.1e/crypto/evp/evp_test.c
---- openssl-1.0.1e/crypto/evp/evp_test.c.wrap 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/evp/evp_test.c 2014-09-09 16:12:25.856801673 +0200
-@@ -141,7 +141,7 @@ static void test1(const EVP_CIPHER *c,co
- {
- EVP_CIPHER_CTX ctx;
- unsigned char out[4096];
-- int outl,outl2;
-+ int outl,outl2,mode;
-
- printf("Testing cipher %s%s\n",EVP_CIPHER_name(c),
- (encdec == 1 ? "(encrypt)" : (encdec == 0 ? "(decrypt)" : "(encrypt/decrypt)")));
-@@ -151,6 +151,7 @@ static void test1(const EVP_CIPHER *c,co
- hexdump(stdout,"Plaintext",plaintext,pn);
- hexdump(stdout,"Ciphertext",ciphertext,cn);
-
-+ mode = EVP_CIPHER_mode(c);
- if(kn != c->key_len)
- {
- fprintf(stderr,"Key length doesn't match, got %d expected %lu\n",kn,
-@@ -158,9 +159,19 @@ static void test1(const EVP_CIPHER *c,co
- test1_exit(5);
- }
- EVP_CIPHER_CTX_init(&ctx);
-+ EVP_CIPHER_CTX_set_flags(&ctx,EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);
- if (encdec != 0)
- {
-- if(!EVP_EncryptInit_ex(&ctx,c,NULL,key,iv))
-+ if (mode == EVP_CIPH_WRAP_MODE)
-+ {
-+ if(!EVP_EncryptInit_ex(&ctx,c,NULL,key,in ? iv : NULL))
-+ {
-+ fprintf(stderr,"EncryptInit failed\n");
-+ ERR_print_errors_fp(stderr);
-+ test1_exit(10);
-+ }
-+ }
-+ else if(!EVP_EncryptInit_ex(&ctx,c,NULL,key,iv))
- {
- fprintf(stderr,"EncryptInit failed\n");
- ERR_print_errors_fp(stderr);
-@@ -199,7 +210,16 @@ static void test1(const EVP_CIPHER *c,co
-
- if (encdec <= 0)
- {
-- if(!EVP_DecryptInit_ex(&ctx,c,NULL,key,iv))
-+ if (mode == EVP_CIPH_WRAP_MODE)
-+ {
-+ if(!EVP_DecryptInit_ex(&ctx,c,NULL,key,in ? iv : NULL))
-+ {
-+ fprintf(stderr,"EncryptInit failed\n");
-+ ERR_print_errors_fp(stderr);
-+ test1_exit(10);
-+ }
-+ }
-+ else if(!EVP_DecryptInit_ex(&ctx,c,NULL,key,iv))
- {
- fprintf(stderr,"DecryptInit failed\n");
- ERR_print_errors_fp(stderr);
-@@ -339,7 +359,7 @@ int main(int argc,char **argv)
- perror(szTestFile);
- EXIT(2);
- }
--
-+ ERR_load_crypto_strings();
- /* Load up the software EVP_CIPHER and EVP_MD definitions */
- OpenSSL_add_all_ciphers();
- OpenSSL_add_all_digests();
-diff -up openssl-1.0.1e/crypto/evp/evptests.txt.wrap openssl-1.0.1e/crypto/evp/evptests.txt
---- openssl-1.0.1e/crypto/evp/evptests.txt.wrap 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/evp/evptests.txt 2014-09-09 16:12:25.856801673 +0200
-@@ -332,3 +332,15 @@ SEED-ECB:0000000000000000000000000000000
- SEED-ECB:000102030405060708090A0B0C0D0E0F::00000000000000000000000000000000:C11F22F20140505084483597E4370F43:1
- SEED-ECB:4706480851E61BE85D74BFB3FD956185::83A2F8A288641FB9A4E9A5CC2F131C7D:EE54D13EBCAE706D226BC3142CD40D4A:1
- SEED-ECB:28DBC3BC49FFD87DCFA509B11D422BE7::B41E6BE2EBA84A148E2EED84593C5EC7:9B9B7BFCD1813CB95D0B3618F40F5122:1
-+
-+# AES wrap tests from RFC3394
-+id-aes128-wrap:000102030405060708090A0B0C0D0E0F::00112233445566778899AABBCCDDEEFF:1FA68B0A8112B447AEF34BD8FB5A7B829D3E862371D2CFE5
-+id-aes192-wrap:000102030405060708090A0B0C0D0E0F1011121314151617::00112233445566778899AABBCCDDEEFF:96778B25AE6CA435F92B5B97C050AED2468AB8A17AD84E5D
-+id-aes256-wrap:000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F::00112233445566778899AABBCCDDEEFF:64E8C3F9CE0F5BA263E9777905818A2A93C8191E7D6E8AE7
-+id-aes192-wrap:000102030405060708090A0B0C0D0E0F1011121314151617::00112233445566778899AABBCCDDEEFF0001020304050607:031D33264E15D33268F24EC260743EDCE1C6C7DDEE725A936BA814915C6762D2
-+id-aes256-wrap:000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F::00112233445566778899AABBCCDDEEFF0001020304050607:A8F9BC1612C68B3FF6E6F4FBE30E71E4769C8B80A32CB8958CD5D17D6B254DA1
-+id-aes256-wrap:000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F::00112233445566778899AABBCCDDEEFF000102030405060708090A0B0C0D0E0F:28C9F404C4B810F4CBCCB35CFB87F8263F5786E2D80ED326CBC7F0E71A99F43BFB988B9B7A02DD21
-+# AES wrap tests from RFC5649
-+id-aes192-wrap-pad:5840df6e29b02af1ab493b705bf16ea1ae8338f4dcc176a8::c37b7e6492584340bed12207808941155068f738:138bdeaa9b8fa7fc61f97742e72248ee5ae6ae5360d1ae6a5f54f373fa543b6a
-+id-aes192-wrap-pad:5840df6e29b02af1ab493b705bf16ea1ae8338f4dcc176a8::466f7250617369:afbeb0f07dfbf5419200f2ccb50bb24f
-+
-diff -up openssl-1.0.1e/crypto/modes/Makefile.wrap openssl-1.0.1e/crypto/modes/Makefile
---- openssl-1.0.1e/crypto/modes/Makefile.wrap 2014-09-09 16:11:24.079378796 +0200
-+++ openssl-1.0.1e/crypto/modes/Makefile 2014-09-09 16:12:25.856801673 +0200
-@@ -22,9 +22,9 @@ APPS=
-
- LIB=$(TOP)/libcrypto.a
- LIBSRC= cbc128.c ctr128.c cts128.c cfb128.c ofb128.c gcm128.c \
-- ccm128.c xts128.c
-+ ccm128.c xts128.c wrap128.c
- LIBOBJ= cbc128.o ctr128.o cts128.o cfb128.o ofb128.o gcm128.o \
-- ccm128.o xts128.o $(MODES_ASM_OBJ)
-+ ccm128.o xts128.o wrap128.o $(MODES_ASM_OBJ)
-
- SRC= $(LIBSRC)
-
-diff -up openssl-1.0.1e/crypto/modes/modes.h.wrap openssl-1.0.1e/crypto/modes/modes.h
---- openssl-1.0.1e/crypto/modes/modes.h.wrap 2014-09-09 16:11:23.726370665 +0200
-+++ openssl-1.0.1e/crypto/modes/modes.h 2014-09-09 16:12:25.857801695 +0200
-@@ -133,3 +133,17 @@ typedef struct xts128_context XTS128_CON
-
- int CRYPTO_xts128_encrypt(const XTS128_CONTEXT *ctx, const unsigned char iv[16],
- const unsigned char *inp, unsigned char *out, size_t len, int enc);
-+
-+size_t CRYPTO_128_wrap(void *key, const unsigned char *iv,
-+ unsigned char *out,
-+ const unsigned char *in, size_t inlen, block128_f block);
-+
-+size_t CRYPTO_128_unwrap(void *key, const unsigned char *iv,
-+ unsigned char *out,
-+ const unsigned char *in, size_t inlen, block128_f block);
-+size_t CRYPTO_128_wrap_pad(void *key, const unsigned char *icv,
-+ unsigned char *out,
-+ const unsigned char *in, size_t inlen, block128_f block);
-+size_t CRYPTO_128_unwrap_pad(void *key, const unsigned char *icv,
-+ unsigned char *out,
-+ const unsigned char *in, size_t inlen, block128_f block);
-diff -up openssl-1.0.1e/crypto/modes/wrap128.c.wrap openssl-1.0.1e/crypto/modes/wrap128.c
---- openssl-1.0.1e/crypto/modes/wrap128.c.wrap 2014-09-09 16:12:25.857801695 +0200
-+++ openssl-1.0.1e/crypto/modes/wrap128.c 2014-09-09 16:12:25.857801695 +0200
-@@ -0,0 +1,372 @@
-+/* crypto/modes/wrap128.c */
-+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
-+ * project.
-+ * Mode with padding contributed by Petr Spacek (pspacek@redhat.com).
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2013 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ */
-+
-+/** Beware!
-+ *
-+ * Following wrapping modes were designed for AES but this implementation
-+ * allows you to use them for any 128 bit block cipher.
-+ */
-+
-+#include "cryptlib.h"
-+#include <openssl/modes.h>
-+
-+/** RFC 3394 section 2.2.3.1 Default Initial Value */
-+static const unsigned char default_iv[] = {
-+ 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6,
-+};
-+
-+/** RFC 5649 section 3 Alternative Initial Value 32-bit constant */
-+static const unsigned char default_aiv[] = {
-+ 0xA6, 0x59, 0x59, 0xA6
-+};
-+
-+/** Input size limit: lower than maximum of standards but far larger than
-+ * anything that will be used in practice.
-+ */
-+#define CRYPTO128_WRAP_MAX (1UL << 31)
-+
-+/** Wrapping according to RFC 3394 section 2.2.1.
-+ *
-+ * @param[in] key Key value.
-+ * @param[in] iv IV value. Length = 8 bytes. NULL = use default_iv.
-+ * @param[in] in Plain text as n 64-bit blocks, n >= 2.
-+ * @param[in] inlen Length of in.
-+ * @param[out] out Cipher text. Minimal buffer length = (inlen + 8) bytes.
-+ * Input and output buffers can overlap if block function
-+ * supports that.
-+ * @param[in] block Block processing function.
-+ * @return 0 if inlen does not consist of n 64-bit blocks, n >= 2.
-+ * or if inlen > CRYPTO128_WRAP_MAX.
-+ * Output length if wrapping succeeded.
-+ */
-+size_t CRYPTO_128_wrap(void *key, const unsigned char *iv,
-+ unsigned char *out,
-+ const unsigned char *in, size_t inlen, block128_f block)
-+ {
-+ unsigned char *A, B[16], *R;
-+ size_t i, j, t;
-+ if ((inlen & 0x7) || (inlen < 16) || (inlen > CRYPTO128_WRAP_MAX))
-+ return 0;
-+ A = B;
-+ t = 1;
-+ memmove(out + 8, in, inlen);
-+ if (!iv)
-+ iv = default_iv;
-+
-+ memcpy(A, iv, 8);
-+
-+ for (j = 0; j < 6; j++)
-+ {
-+ R = out + 8;
-+ for (i = 0; i < inlen; i += 8, t++, R += 8)
-+ {
-+ memcpy(B + 8, R, 8);
-+ block(B, B, key);
-+ A[7] ^= (unsigned char)(t & 0xff);
-+ if (t > 0xff)
-+ {
-+ A[6] ^= (unsigned char)((t >> 8) & 0xff);
-+ A[5] ^= (unsigned char)((t >> 16) & 0xff);
-+ A[4] ^= (unsigned char)((t >> 24) & 0xff);
-+ }
-+ memcpy(R, B + 8, 8);
-+ }
-+ }
-+ memcpy(out, A, 8);
-+ return inlen + 8;
-+ }
-+
-+
-+/** Unwrapping according to RFC 3394 section 2.2.2 steps 1-2.
-+ * IV check (step 3) is responsibility of the caller.
-+ *
-+ * @param[in] key Key value.
-+ * @param[out] iv Unchecked IV value. Minimal buffer length = 8 bytes.
-+ * @param[out] out Plain text without IV.
-+ * Minimal buffer length = (inlen - 8) bytes.
-+ * Input and output buffers can overlap if block function
-+ * supports that.
-+ * @param[in] in Ciphertext text as n 64-bit blocks
-+ * @param[in] inlen Length of in.
-+ * @param[in] block Block processing function.
-+ * @return 0 if inlen is out of range [24, CRYPTO128_WRAP_MAX]
-+ * or if inlen is not multiply of 8.
-+ * Output length otherwise.
-+ */
-+static size_t crypto_128_unwrap_raw(void *key, unsigned char *iv,
-+ unsigned char *out, const unsigned char *in,
-+ size_t inlen, block128_f block)
-+ {
-+ unsigned char *A, B[16], *R;
-+ size_t i, j, t;
-+ inlen -= 8;
-+ if ((inlen & 0x7) || (inlen < 16) || (inlen > CRYPTO128_WRAP_MAX))
-+ return 0;
-+ A = B;
-+ t = 6 * (inlen >> 3);
-+ memcpy(A, in, 8);
-+ memmove(out, in + 8, inlen);
-+ for (j = 0; j < 6; j++)
-+ {
-+ R = out + inlen - 8;
-+ for (i = 0; i < inlen; i += 8, t--, R -= 8)
-+ {
-+ A[7] ^= (unsigned char)(t & 0xff);
-+ if (t > 0xff)
-+ {
-+ A[6] ^= (unsigned char)((t >> 8) & 0xff);
-+ A[5] ^= (unsigned char)((t >> 16) & 0xff);
-+ A[4] ^= (unsigned char)((t >> 24) & 0xff);
-+ }
-+ memcpy(B + 8, R, 8);
-+ block(B, B, key);
-+ memcpy(R, B + 8, 8);
-+ }
-+ }
-+ memcpy(iv, A, 8);
-+ return inlen;
-+ }
-+
-+/** Unwrapping according to RFC 3394 section 2.2.2 including IV check.
-+ * First block of plain text have to match supplied IV otherwise an error is
-+ * returned.
-+ *
-+ * @param[in] key Key value.
-+ * @param[out] iv Unchecked IV value. Minimal buffer length = 8 bytes.
-+ * @param[out] out Plain text without IV.
-+ * Minimal buffer length = (inlen - 8) bytes.
-+ * Input and output buffers can overlap if block function
-+ * supports that.
-+ * @param[in] in Ciphertext text as n 64-bit blocks
-+ * @param[in] inlen Length of in.
-+ * @param[in] block Block processing function.
-+ * @return 0 if inlen is out of range [24, CRYPTO128_WRAP_MAX]
-+ * or if inlen is not multiply of 8
-+ * or if IV doesn't match expected value.
-+ * Output length otherwise.
-+ */
-+size_t CRYPTO_128_unwrap(void *key, const unsigned char *iv,
-+ unsigned char *out, const unsigned char *in, size_t inlen,
-+ block128_f block)
-+ {
-+ size_t ret;
-+ unsigned char got_iv[8];
-+
-+ ret = crypto_128_unwrap_raw(key, got_iv, out, in, inlen, block);
-+ if (ret == 0)
-+ return 0;
-+
-+ if (!iv)
-+ iv = default_iv;
-+ if (CRYPTO_memcmp(got_iv, iv, 8))
-+ {
-+ OPENSSL_cleanse(out, ret);
-+ return 0;
-+ }
-+ return ret;
-+ }
-+
-+/** Wrapping according to RFC 5649 section 4.1.
-+ *
-+ * @param[in] key Key value.
-+ * @param[in] icv (Non-standard) IV, 4 bytes. NULL = use default_aiv.
-+ * @param[out] out Cipher text. Minimal buffer length = (inlen + 15) bytes.
-+ * Input and output buffers can overlap if block function
-+ * supports that.
-+ * @param[in] in Plain text as n 64-bit blocks, n >= 2.
-+ * @param[in] inlen Length of in.
-+ * @param[in] block Block processing function.
-+ * @return 0 if inlen is out of range [1, CRYPTO128_WRAP_MAX].
-+ * Output length if wrapping succeeded.
-+ */
-+size_t CRYPTO_128_wrap_pad(void *key, const unsigned char *icv,
-+ unsigned char *out,
-+ const unsigned char *in, size_t inlen, block128_f block)
-+ {
-+ /* n: number of 64-bit blocks in the padded key data */
-+ const size_t blocks_padded = (inlen + 7) / 8;
-+ const size_t padded_len = blocks_padded * 8;
-+ const size_t padding_len = padded_len - inlen;
-+ /* RFC 5649 section 3: Alternative Initial Value */
-+ unsigned char aiv[8];
-+ int ret;
-+
-+ /* Section 1: use 32-bit fixed field for plaintext octet length */
-+ if (inlen == 0 || inlen >= CRYPTO128_WRAP_MAX)
-+ return 0;
-+
-+ /* Section 3: Alternative Initial Value */
-+ if (!icv)
-+ memcpy(aiv, default_aiv, 4);
-+ else
-+ memcpy(aiv, icv, 4); /* Standard doesn't mention this. */
-+
-+ aiv[4] = (inlen >> 24) & 0xFF;
-+ aiv[5] = (inlen >> 16) & 0xFF;
-+ aiv[6] = (inlen >> 8) & 0xFF;
-+ aiv[7] = inlen & 0xFF;
-+
-+ if (padded_len == 8)
-+ {
-+ /* Section 4.1 - special case in step 2:
-+ * If the padded plaintext contains exactly eight octets, then
-+ * prepend the AIV and encrypt the resulting 128-bit block
-+ * using AES in ECB mode. */
-+ memmove(out + 8, in, inlen);
-+ memcpy(out, aiv, 8);
-+ memset(out + 8 + inlen, 0, padding_len);
-+ block(out, out, key);
-+ ret = 16; /* AIV + padded input */
-+ }
-+ else
-+ {
-+ memmove(out, in, inlen);
-+ memset(out + inlen, 0, padding_len); /* Section 4.1 step 1 */
-+ ret = CRYPTO_128_wrap(key, aiv, out, out, padded_len, block);
-+ }
-+
-+ return ret;
-+ }
-+
-+/** Unwrapping according to RFC 5649 section 4.2.
-+ *
-+ * @param[in] key Key value.
-+ * @param[in] icv (Non-standard) IV, 4 bytes. NULL = use default_aiv.
-+ * @param[out] out Plain text. Minimal buffer length = inlen bytes.
-+ * Input and output buffers can overlap if block function
-+ * supports that.
-+ * @param[in] in Ciphertext text as n 64-bit blocks
-+ * @param[in] inlen Length of in.
-+ * @param[in] block Block processing function.
-+ * @return 0 if inlen is out of range [16, CRYPTO128_WRAP_MAX],
-+ * or if inlen is not multiply of 8
-+ * or if IV and message length indicator doesn't match.
-+ * Output length if unwrapping succeeded and IV matches.
-+ */
-+size_t CRYPTO_128_unwrap_pad(void *key, const unsigned char *icv,
-+ unsigned char *out,
-+ const unsigned char *in, size_t inlen, block128_f block)
-+ {
-+ /* n: number of 64-bit blocks in the padded key data */
-+ size_t n = inlen / 8 - 1;
-+ size_t padded_len;
-+ size_t padding_len;
-+ size_t ptext_len;
-+ /* RFC 5649 section 3: Alternative Initial Value */
-+ unsigned char aiv[8];
-+ static unsigned char zeros[8] = {0x0};
-+ size_t ret;
-+
-+ /* Section 4.2: Cipher text length has to be (n+1) 64-bit blocks. */
-+ if ((inlen & 0x7) != 0 || inlen < 16 || inlen >= CRYPTO128_WRAP_MAX)
-+ return 0;
-+
-+ memmove(out, in, inlen);
-+ if (inlen == 16)
-+ {
-+ /* Section 4.2 - special case in step 1:
-+ * When n=1, the ciphertext contains exactly two 64-bit
-+ * blocks and they are decrypted as a single AES
-+ * block using AES in ECB mode:
-+ * AIV | P[1] = DEC(K, C[0] | C[1])
-+ */
-+ block(out, out, key);
-+ memcpy(aiv, out, 8);
-+ /* Remove AIV */
-+ memmove(out, out + 8, 8);
-+ padded_len = 8;
-+ }
-+ else
-+ {
-+ padded_len = inlen - 8;
-+ ret = crypto_128_unwrap_raw(key, aiv, out, out, inlen, block);
-+ if (padded_len != ret)
-+ {
-+ OPENSSL_cleanse(out, inlen);
-+ return 0;
-+ }
-+ }
-+
-+ /* Section 3: AIV checks: Check that MSB(32,A) = A65959A6.
-+ * Optionally a user-supplied value can be used
-+ * (even if standard doesn't mention this). */
-+ if ((!icv && CRYPTO_memcmp(aiv, default_aiv, 4))
-+ || (icv && CRYPTO_memcmp(aiv, icv, 4)))
-+ {
-+ OPENSSL_cleanse(out, inlen);
-+ return 0;
-+ }
-+
-+ /* Check that 8*(n-1) < LSB(32,AIV) <= 8*n.
-+ * If so, let ptext_len = LSB(32,AIV). */
-+
-+ ptext_len = (aiv[4] << 24) | (aiv[5] << 16) | (aiv[6] << 8) | aiv[7];
-+ if (8*(n-1) >= ptext_len || ptext_len > 8*n)
-+ {
-+ OPENSSL_cleanse(out, inlen);
-+ return 0;
-+ }
-+
-+ /* Check that the rightmost padding_len octets of the output data
-+ * are zero. */
-+ padding_len = padded_len - ptext_len;
-+ if (CRYPTO_memcmp(out + ptext_len, zeros, padding_len) != 0)
-+ {
-+ OPENSSL_cleanse(out, inlen);
-+ return 0;
-+ }
-+
-+ /* Section 4.2 step 3: Remove padding */
-+ return ptext_len;
-+ }
diff --git a/SOURCES/openssl-1.0.1e-fallback-scsv.patch b/SOURCES/openssl-1.0.1e-fallback-scsv.patch
deleted file mode 100644
index 0c307c3..0000000
--- a/SOURCES/openssl-1.0.1e-fallback-scsv.patch
+++ /dev/null
@@ -1,466 +0,0 @@
-diff -up openssl-1.0.1e/apps/s_client.c.fallback-scsv openssl-1.0.1e/apps/s_client.c
---- openssl-1.0.1e/apps/s_client.c.fallback-scsv 2014-10-15 17:06:01.000000000 +0200
-+++ openssl-1.0.1e/apps/s_client.c 2014-10-15 17:07:36.392502320 +0200
-@@ -336,6 +336,7 @@ static void sc_usage(void)
- BIO_printf(bio_err," -tls1_1 - just use TLSv1.1\n");
- BIO_printf(bio_err," -tls1 - just use TLSv1\n");
- BIO_printf(bio_err," -dtls1 - just use DTLSv1\n");
-+ BIO_printf(bio_err," -fallback_scsv - send TLS_FALLBACK_SCSV\n");
- BIO_printf(bio_err," -mtu - set the link layer MTU\n");
- BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
- BIO_printf(bio_err," -bugs - Switch on all SSL implementation bug workarounds\n");
-@@ -616,6 +617,7 @@ int MAIN(int argc, char **argv)
- char *sess_out = NULL;
- struct sockaddr peer;
- int peerlen = sizeof(peer);
-+ int fallback_scsv = 0;
- int enable_timeouts = 0 ;
- long socket_mtu = 0;
- #ifndef OPENSSL_NO_JPAKE
-@@ -829,6 +831,10 @@ int MAIN(int argc, char **argv)
- socket_mtu = atol(*(++argv));
- }
- #endif
-+ else if (strcmp(*argv,"-fallback_scsv") == 0)
-+ {
-+ fallback_scsv = 1;
-+ }
- else if (strcmp(*argv,"-bugs") == 0)
- bugs=1;
- else if (strcmp(*argv,"-keyform") == 0)
-@@ -1240,6 +1246,10 @@ bad:
- SSL_set_session(con, sess);
- SSL_SESSION_free(sess);
- }
-+
-+ if (fallback_scsv)
-+ SSL_set_mode(con, SSL_MODE_SEND_FALLBACK_SCSV);
-+
- #ifndef OPENSSL_NO_TLSEXT
- if (servername != NULL)
- {
-diff -up openssl-1.0.1e/doc/apps/s_client.pod.fallback-scsv openssl-1.0.1e/doc/apps/s_client.pod
---- openssl-1.0.1e/doc/apps/s_client.pod.fallback-scsv 2014-10-15 17:06:01.000000000 +0200
-+++ openssl-1.0.1e/doc/apps/s_client.pod 2014-10-15 17:08:17.354427053 +0200
-@@ -41,6 +41,7 @@ B<openssl> B<s_client>
- [B<-no_tls1>]
- [B<-no_tls1_1>]
- [B<-no_tls1_2>]
-+[B<-fallback_scsv>]
- [B<-bugs>]
- [B<-cipher cipherlist>]
- [B<-starttls protocol>]
-@@ -200,6 +201,10 @@ cannot handle this technique and will fa
- work if TLS is turned off with the B<-no_tls> option others will only
- support SSL v2 and may need the B<-ssl2> option.
-
-+=item B<-fallback_scsv>
-+
-+Send TLS_FALLBACK_SCSV in the ClientHello.
-+
- =item B<-bugs>
-
- there are several known bug in SSL and TLS implementations. Adding this
-diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_set_mode.pod.fallback-scsv openssl-1.0.1e/doc/ssl/SSL_CTX_set_mode.pod
---- openssl-1.0.1e/doc/ssl/SSL_CTX_set_mode.pod.fallback-scsv 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_mode.pod 2014-10-15 17:09:57.577689637 +0200
-@@ -71,6 +71,12 @@ SSL_CTX->freelist_max_len, which default
- save around 34k per idle SSL connection.
- This flag has no effect on SSL v2 connections, or on DTLS connections.
-
-+=item SSL_MODE_SEND_FALLBACK_SCSV
-+
-+Send TLS_FALLBACK_SCSV in the ClientHello.
-+To be set by applications that reconnect with a downgraded protocol
-+version; see draft-ietf-tls-downgrade-scsv-00 for details.
-+
- =back
-
- =head1 RETURN VALUES
-diff -up openssl-1.0.1e/ssl/dtls1.h.fallback-scsv openssl-1.0.1e/ssl/dtls1.h
---- openssl-1.0.1e/ssl/dtls1.h.fallback-scsv 2014-10-15 14:45:25.492913542 +0200
-+++ openssl-1.0.1e/ssl/dtls1.h 2014-10-15 14:45:25.596915890 +0200
-@@ -84,6 +84,8 @@ extern "C" {
- #endif
-
- #define DTLS1_VERSION 0xFEFF
-+#define DTLS_MAX_VERSION DTLS1_VERSION
-+
- #define DTLS1_BAD_VER 0x0100
-
- #if 0
-@@ -284,4 +286,3 @@ typedef struct dtls1_record_data_st
- }
- #endif
- #endif
--
-diff -up openssl-1.0.1e/ssl/d1_lib.c.fallback-scsv openssl-1.0.1e/ssl/d1_lib.c
---- openssl-1.0.1e/ssl/d1_lib.c.fallback-scsv 2014-10-15 14:45:25.539914603 +0200
-+++ openssl-1.0.1e/ssl/d1_lib.c 2014-10-15 14:45:25.596915890 +0200
-@@ -263,6 +263,16 @@ long dtls1_ctrl(SSL *s, int cmd, long la
- case DTLS_CTRL_LISTEN:
- ret = dtls1_listen(s, parg);
- break;
-+ case SSL_CTRL_CHECK_PROTO_VERSION:
-+ /* For library-internal use; checks that the current protocol
-+ * is the highest enabled version (according to s->ctx->method,
-+ * as version negotiation may have changed s->method). */
-+#if DTLS_MAX_VERSION != DTLS1_VERSION
-+# error Code needs update for DTLS_method() support beyond DTLS1_VERSION.
-+#endif
-+ /* Just one protocol version is supported so far;
-+ * fail closed if the version is not as expected. */
-+ return s->version == DTLS_MAX_VERSION;
-
- default:
- ret = ssl3_ctrl(s, cmd, larg, parg);
-diff -up openssl-1.0.1e/ssl/ssl_err.c.fallback-scsv openssl-1.0.1e/ssl/ssl_err.c
---- openssl-1.0.1e/ssl/ssl_err.c.fallback-scsv 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/ssl/ssl_err.c 2014-10-15 14:45:25.596915890 +0200
-@@ -382,6 +382,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
- {ERR_REASON(SSL_R_HTTPS_PROXY_REQUEST) ,"https proxy request"},
- {ERR_REASON(SSL_R_HTTP_REQUEST) ,"http request"},
- {ERR_REASON(SSL_R_ILLEGAL_PADDING) ,"illegal padding"},
-+{ERR_REASON(SSL_R_INAPPROPRIATE_FALLBACK),"inappropriate fallback"},
- {ERR_REASON(SSL_R_INCONSISTENT_COMPRESSION),"inconsistent compression"},
- {ERR_REASON(SSL_R_INVALID_CHALLENGE_LENGTH),"invalid challenge length"},
- {ERR_REASON(SSL_R_INVALID_COMMAND) ,"invalid command"},
-@@ -528,6 +529,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
- {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPTION_FAILED),"tlsv1 alert decryption failed"},
- {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPT_ERROR),"tlsv1 alert decrypt error"},
- {ERR_REASON(SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION),"tlsv1 alert export restriction"},
-+{ERR_REASON(SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK),"tlsv1 alert inappropriate fallback"},
- {ERR_REASON(SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY),"tlsv1 alert insufficient security"},
- {ERR_REASON(SSL_R_TLSV1_ALERT_INTERNAL_ERROR),"tlsv1 alert internal error"},
- {ERR_REASON(SSL_R_TLSV1_ALERT_NO_RENEGOTIATION),"tlsv1 alert no renegotiation"},
-diff -up openssl-1.0.1e/ssl/ssl.h.fallback-scsv openssl-1.0.1e/ssl/ssl.h
---- openssl-1.0.1e/ssl/ssl.h.fallback-scsv 2014-10-15 14:45:25.588915709 +0200
-+++ openssl-1.0.1e/ssl/ssl.h 2014-10-15 14:47:04.423146935 +0200
-@@ -638,6 +638,10 @@ struct ssl_session_st
- * TLS only.) "Released" buffers are put onto a free-list in the context
- * or just freed (depending on the context's setting for freelist_max_len). */
- #define SSL_MODE_RELEASE_BUFFERS 0x00000010L
-+/* Send TLS_FALLBACK_SCSV in the ClientHello.
-+ * To be set by applications that reconnect with a downgraded protocol
-+ * version; see draft-ietf-tls-downgrade-scsv-00 for details. */
-+#define SSL_MODE_SEND_FALLBACK_SCSV 0x00000080L
-
- /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,
- * they cannot be used to clear bits. */
-@@ -1453,6 +1457,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
- #define SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE
- #define SSL_AD_BAD_CERTIFICATE_HASH_VALUE TLS1_AD_BAD_CERTIFICATE_HASH_VALUE
- #define SSL_AD_UNKNOWN_PSK_IDENTITY TLS1_AD_UNKNOWN_PSK_IDENTITY /* fatal */
-+#define SSL_AD_INAPPROPRIATE_FALLBACK TLS1_AD_INAPPROPRIATE_FALLBACK /* fatal */
-
- #define SSL_ERROR_NONE 0
- #define SSL_ERROR_SSL 1
-@@ -1566,6 +1571,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
- #define SSL_CTRL_SET_ECDH_AUTO 94
- #define SSL_CTRL_GET_SERVER_TMP_KEY 109
-
-+#define SSL_CTRL_CHECK_PROTO_VERSION 119
-+
- #define DTLSv1_get_timeout(ssl, arg) \
- SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg)
- #define DTLSv1_handle_timeout(ssl) \
-@@ -2304,6 +2311,7 @@ void ERR_load_SSL_strings(void);
- #define SSL_R_HTTPS_PROXY_REQUEST 155
- #define SSL_R_HTTP_REQUEST 156
- #define SSL_R_ILLEGAL_PADDING 283
-+#define SSL_R_INAPPROPRIATE_FALLBACK 373
- #define SSL_R_INCONSISTENT_COMPRESSION 340
- #define SSL_R_INVALID_CHALLENGE_LENGTH 158
- #define SSL_R_INVALID_COMMAND 280
-@@ -2450,6 +2458,7 @@ void ERR_load_SSL_strings(void);
- #define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED 1021
- #define SSL_R_TLSV1_ALERT_DECRYPT_ERROR 1051
- #define SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION 1060
-+#define SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK 1086
- #define SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY 1071
- #define SSL_R_TLSV1_ALERT_INTERNAL_ERROR 1080
- #define SSL_R_TLSV1_ALERT_NO_RENEGOTIATION 1100
-diff -up openssl-1.0.1e/ssl/ssl_lib.c.fallback-scsv openssl-1.0.1e/ssl/ssl_lib.c
---- openssl-1.0.1e/ssl/ssl_lib.c.fallback-scsv 2014-10-15 14:45:25.589915731 +0200
-+++ openssl-1.0.1e/ssl/ssl_lib.c 2014-10-15 14:45:25.597915912 +0200
-@@ -1383,6 +1383,8 @@ int ssl_cipher_list_to_bytes(SSL *s,STAC
-
- if (sk == NULL) return(0);
- q=p;
-+ if (put_cb == NULL)
-+ put_cb = s->method->put_cipher_by_char;
-
- for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
- {
-@@ -1402,24 +1404,36 @@ int ssl_cipher_list_to_bytes(SSL *s,STAC
- s->psk_client_callback == NULL)
- continue;
- #endif /* OPENSSL_NO_PSK */
-- j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p);
-+ j = put_cb(c,p);
- p+=j;
- }
-- /* If p == q, no ciphers and caller indicates an error. Otherwise
-- * add SCSV if not renegotiating.
-- */
-- if (p != q && !s->renegotiate)
-+ /* If p == q, no ciphers; caller indicates an error.
-+ * Otherwise, add applicable SCSVs. */
-+ if (p != q)
- {
-- static SSL_CIPHER scsv =
-+ if (!s->renegotiate)
- {
-- 0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
-- };
-- j = put_cb ? put_cb(&scsv,p) : ssl_put_cipher_by_char(s,&scsv,p);
-- p+=j;
-+ static SSL_CIPHER scsv =
-+ {
-+ 0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
-+ };
-+ j = put_cb(&scsv,p);
-+ p+=j;
- #ifdef OPENSSL_RI_DEBUG
-- fprintf(stderr, "SCSV sent by client\n");
-+ fprintf(stderr, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV sent by client\n");
- #endif
-- }
-+ }
-+
-+ if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV)
-+ {
-+ static SSL_CIPHER scsv =
-+ {
-+ 0, NULL, SSL3_CK_FALLBACK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
-+ };
-+ j = put_cb(&scsv,p);
-+ p+=j;
-+ }
-+ }
-
- return(p-q);
- }
-@@ -1430,11 +1444,12 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_ciphe
- const SSL_CIPHER *c;
- STACK_OF(SSL_CIPHER) *sk;
- int i,n;
-+
- if (s->s3)
- s->s3->send_connection_binding = 0;
-
- n=ssl_put_cipher_by_char(s,NULL,NULL);
-- if ((num%n) != 0)
-+ if (n == 0 || (num%n) != 0)
- {
- SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
- return(NULL);
-@@ -1449,7 +1464,7 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_ciphe
-
- for (i=0; i<num; i+=n)
- {
-- /* Check for SCSV */
-+ /* Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV */
- if (s->s3 && (n != 3 || !p[0]) &&
- (p[n-2] == ((SSL3_CK_SCSV >> 8) & 0xff)) &&
- (p[n-1] == (SSL3_CK_SCSV & 0xff)))
-@@ -1469,6 +1484,23 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_ciphe
- continue;
- }
-
-+ /* Check for TLS_FALLBACK_SCSV */
-+ if ((n != 3 || !p[0]) &&
-+ (p[n-2] == ((SSL3_CK_FALLBACK_SCSV >> 8) & 0xff)) &&
-+ (p[n-1] == (SSL3_CK_FALLBACK_SCSV & 0xff)))
-+ {
-+ /* The SCSV indicates that the client previously tried a higher version.
-+ * Fail if the current version is an unexpected downgrade. */
-+ if (!SSL_ctrl(s, SSL_CTRL_CHECK_PROTO_VERSION, 0, NULL))
-+ {
-+ SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_INAPPROPRIATE_FALLBACK);
-+ if (s->s3)
-+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INAPPROPRIATE_FALLBACK);
-+ goto err;
-+ }
-+ continue;
-+ }
-+
- c=ssl_get_cipher_by_char(s,p);
- p+=n;
- if (c != NULL)
-diff -up openssl-1.0.1e/ssl/ssl3.h.fallback-scsv openssl-1.0.1e/ssl/ssl3.h
---- openssl-1.0.1e/ssl/ssl3.h.fallback-scsv 2014-10-15 14:45:25.570915303 +0200
-+++ openssl-1.0.1e/ssl/ssl3.h 2014-10-15 14:45:25.598915935 +0200
-@@ -128,9 +128,14 @@
- extern "C" {
- #endif
-
--/* Signalling cipher suite value: from draft-ietf-tls-renegotiation-03.txt */
-+/* Signalling cipher suite value from RFC 5746
-+ * (TLS_EMPTY_RENEGOTIATION_INFO_SCSV) */
- #define SSL3_CK_SCSV 0x030000FF
-
-+/* Signalling cipher suite value from draft-ietf-tls-downgrade-scsv-00
-+ * (TLS_FALLBACK_SCSV) */
-+#define SSL3_CK_FALLBACK_SCSV 0x03005600
-+
- #define SSL3_CK_RSA_NULL_MD5 0x03000001
- #define SSL3_CK_RSA_NULL_SHA 0x03000002
- #define SSL3_CK_RSA_RC4_40_MD5 0x03000003
-diff -up openssl-1.0.1e/ssl/s2_lib.c.fallback-scsv openssl-1.0.1e/ssl/s2_lib.c
---- openssl-1.0.1e/ssl/s2_lib.c.fallback-scsv 2014-10-15 14:45:25.526914309 +0200
-+++ openssl-1.0.1e/ssl/s2_lib.c 2014-10-15 14:45:25.598915935 +0200
-@@ -391,6 +391,8 @@ long ssl2_ctrl(SSL *s, int cmd, long lar
- case SSL_CTRL_GET_SESSION_REUSED:
- ret=s->hit;
- break;
-+ case SSL_CTRL_CHECK_PROTO_VERSION:
-+ return ssl3_ctrl(s, SSL_CTRL_CHECK_PROTO_VERSION, larg, parg);
- default:
- break;
- }
-@@ -437,7 +439,7 @@ int ssl2_put_cipher_by_char(const SSL_CI
- if (p != NULL)
- {
- l=c->id;
-- if ((l & 0xff000000) != 0x02000000) return(0);
-+ if ((l & 0xff000000) != 0x02000000 && l != SSL3_CK_FALLBACK_SCSV) return(0);
- p[0]=((unsigned char)(l>>16L))&0xFF;
- p[1]=((unsigned char)(l>> 8L))&0xFF;
- p[2]=((unsigned char)(l ))&0xFF;
-diff -up openssl-1.0.1e/ssl/s23_clnt.c.fallback-scsv openssl-1.0.1e/ssl/s23_clnt.c
---- openssl-1.0.1e/ssl/s23_clnt.c.fallback-scsv 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/ssl/s23_clnt.c 2014-10-15 14:45:25.598915935 +0200
-@@ -715,6 +715,9 @@ static int ssl23_get_server_hello(SSL *s
- goto err;
- }
-
-+ /* ensure that TLS_MAX_VERSION is up-to-date */
-+ OPENSSL_assert(s->version <= TLS_MAX_VERSION);
-+
- if (p[0] == SSL3_RT_ALERT && p[5] != SSL3_AL_WARNING)
- {
- /* fatal alert */
-diff -up openssl-1.0.1e/ssl/s23_srvr.c.fallback-scsv openssl-1.0.1e/ssl/s23_srvr.c
---- openssl-1.0.1e/ssl/s23_srvr.c.fallback-scsv 2014-10-15 14:45:25.584915619 +0200
-+++ openssl-1.0.1e/ssl/s23_srvr.c 2014-10-15 14:45:25.598915935 +0200
-@@ -421,6 +421,9 @@ int ssl23_get_client_hello(SSL *s)
- }
- }
-
-+ /* ensure that TLS_MAX_VERSION is up-to-date */
-+ OPENSSL_assert(s->version <= TLS_MAX_VERSION);
-+
- #ifdef OPENSSL_FIPS
- if (FIPS_mode() && (s->version < TLS1_VERSION))
- {
-diff -up openssl-1.0.1e/ssl/s3_enc.c.fallback-scsv openssl-1.0.1e/ssl/s3_enc.c
---- openssl-1.0.1e/ssl/s3_enc.c.fallback-scsv 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/ssl/s3_enc.c 2014-10-15 14:45:25.598915935 +0200
-@@ -892,7 +892,7 @@ int ssl3_alert_code(int code)
- case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: return(SSL3_AD_HANDSHAKE_FAILURE);
- case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: return(SSL3_AD_HANDSHAKE_FAILURE);
- case SSL_AD_UNKNOWN_PSK_IDENTITY:return(TLS1_AD_UNKNOWN_PSK_IDENTITY);
-+ case SSL_AD_INAPPROPRIATE_FALLBACK:return(TLS1_AD_INAPPROPRIATE_FALLBACK);
- default: return(-1);
- }
- }
--
-diff -up openssl-1.0.1e/ssl/s3_lib.c.fallback-scsv openssl-1.0.1e/ssl/s3_lib.c
---- openssl-1.0.1e/ssl/s3_lib.c.fallback-scsv 2014-10-15 14:45:25.590915754 +0200
-+++ openssl-1.0.1e/ssl/s3_lib.c 2014-10-15 14:45:25.599915957 +0200
-@@ -3394,6 +3394,33 @@ long ssl3_ctrl(SSL *s, int cmd, long lar
- EVP_PKEY_free(ptmp);
- return 0;
- }
-+
-+ case SSL_CTRL_CHECK_PROTO_VERSION:
-+ /* For library-internal use; checks that the current protocol
-+ * is the highest enabled version (according to s->ctx->method,
-+ * as version negotiation may have changed s->method). */
-+ if (s->version == s->ctx->method->version)
-+ return 1;
-+ /* Apparently we're using a version-flexible SSL_METHOD
-+ * (not at its highest protocol version). */
-+ if (s->ctx->method->version == SSLv23_method()->version)
-+ {
-+#if TLS_MAX_VERSION != TLS1_2_VERSION
-+# error Code needs update for SSLv23_method() support beyond TLS1_2_VERSION.
-+#endif
-+ if (!(s->options & SSL_OP_NO_TLSv1_2))
-+ return s->version == TLS1_2_VERSION;
-+ if (!(s->options & SSL_OP_NO_TLSv1_1))
-+ return s->version == TLS1_1_VERSION;
-+ if (!(s->options & SSL_OP_NO_TLSv1))
-+ return s->version == TLS1_VERSION;
-+ if (!(s->options & SSL_OP_NO_SSLv3))
-+ return s->version == SSL3_VERSION;
-+ if (!(s->options & SSL_OP_NO_SSLv2))
-+ return s->version == SSL2_VERSION;
-+ }
-+ return 0; /* Unexpected state; fail closed. */
-+
- default:
- break;
- }
-@@ -3759,6 +3786,7 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx
- break;
- #endif
- #endif
-+
- default:
- return(0);
- }
-@@ -4337,4 +4365,3 @@ long ssl_get_algorithm2(SSL *s)
- return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256;
- return alg2;
- }
--
-diff -up openssl-1.0.1e/ssl/tls1.h.fallback-scsv openssl-1.0.1e/ssl/tls1.h
---- openssl-1.0.1e/ssl/tls1.h.fallback-scsv 2014-10-15 14:45:25.382911058 +0200
-+++ openssl-1.0.1e/ssl/tls1.h 2014-10-15 14:45:25.599915957 +0200
-@@ -159,17 +159,19 @@ extern "C" {
-
- #define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES 0
-
-+#define TLS1_VERSION 0x0301
-+#define TLS1_1_VERSION 0x0302
- #define TLS1_2_VERSION 0x0303
--#define TLS1_2_VERSION_MAJOR 0x03
--#define TLS1_2_VERSION_MINOR 0x03
-+#define TLS_MAX_VERSION TLS1_2_VERSION
-+
-+#define TLS1_VERSION_MAJOR 0x03
-+#define TLS1_VERSION_MINOR 0x01
-
--#define TLS1_1_VERSION 0x0302
- #define TLS1_1_VERSION_MAJOR 0x03
- #define TLS1_1_VERSION_MINOR 0x02
-
--#define TLS1_VERSION 0x0301
--#define TLS1_VERSION_MAJOR 0x03
--#define TLS1_VERSION_MINOR 0x01
-+#define TLS1_2_VERSION_MAJOR 0x03
-+#define TLS1_2_VERSION_MINOR 0x03
-
- #define TLS1_get_version(s) \
- ((s->version >> 8) == TLS1_VERSION_MAJOR ? s->version : 0)
-@@ -187,6 +189,7 @@ extern "C" {
- #define TLS1_AD_PROTOCOL_VERSION 70 /* fatal */
- #define TLS1_AD_INSUFFICIENT_SECURITY 71 /* fatal */
- #define TLS1_AD_INTERNAL_ERROR 80 /* fatal */
-+#define TLS1_AD_INAPPROPRIATE_FALLBACK 86 /* fatal */
- #define TLS1_AD_USER_CANCELLED 90
- #define TLS1_AD_NO_RENEGOTIATION 100
- /* codes 110-114 are from RFC3546 */
-diff -up openssl-1.0.1e/ssl/t1_enc.c.fallback-scsv openssl-1.0.1e/ssl/t1_enc.c
---- openssl-1.0.1e/ssl/t1_enc.c.fallback-scsv 2014-10-15 14:45:25.557915009 +0200
-+++ openssl-1.0.1e/ssl/t1_enc.c 2014-10-15 14:45:25.599915957 +0200
-@@ -1265,6 +1265,7 @@ int tls1_alert_code(int code)
- case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: return(TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE);
- case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: return(TLS1_AD_BAD_CERTIFICATE_HASH_VALUE);
- case SSL_AD_UNKNOWN_PSK_IDENTITY:return(TLS1_AD_UNKNOWN_PSK_IDENTITY);
-+ case SSL_AD_INAPPROPRIATE_FALLBACK:return(TLS1_AD_INAPPROPRIATE_FALLBACK);
- #if 0 /* not appropriate for TLS, not used for DTLS */
- case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE: return
- (DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
diff --git a/SOURCES/openssl-1.0.1e-fips-ctor.patch b/SOURCES/openssl-1.0.1e-fips-ctor.patch
deleted file mode 100644
index 44576ef..0000000
--- a/SOURCES/openssl-1.0.1e-fips-ctor.patch
+++ /dev/null
@@ -1,179 +0,0 @@
-diff -up openssl-1.0.1e/crypto/fips/fips.c.fips-ctor openssl-1.0.1e/crypto/fips/fips.c
---- openssl-1.0.1e/crypto/fips/fips.c.fips-ctor 2013-09-26 13:52:30.767885457 +0200
-+++ openssl-1.0.1e/crypto/fips/fips.c 2013-09-26 14:01:29.406010187 +0200
-@@ -60,6 +60,8 @@
- #include <dlfcn.h>
- #include <stdio.h>
- #include <stdlib.h>
-+#include <unistd.h>
-+#include <errno.h>
- #include "fips_locl.h"
-
- #ifdef OPENSSL_FIPS
-@@ -198,8 +200,10 @@ bin2hex(void *buf, size_t len)
- return hex;
- }
-
--#define HMAC_PREFIX "."
--#define HMAC_SUFFIX ".hmac"
-+#define HMAC_PREFIX "."
-+#ifndef HMAC_SUFFIX
-+#define HMAC_SUFFIX ".hmac"
-+#endif
- #define READ_BUFFER_LENGTH 16384
-
- static char *
-@@ -279,19 +283,13 @@ end:
- }
-
- static int
--FIPSCHECK_verify(const char *libname, const char *symbolname)
-+FIPSCHECK_verify(const char *path)
- {
-- char path[PATH_MAX+1];
-- int rv;
-+ int rv = 0;
- FILE *hf;
- char *hmacpath, *p;
- char *hmac = NULL;
- size_t n;
--
-- rv = get_library_path(libname, symbolname, path, sizeof(path));
--
-- if (rv < 0)
-- return 0;
-
- hmacpath = make_hmac_path(path);
- if (hmacpath == NULL)
-@@ -341,6 +339,53 @@ end:
- return 1;
- }
-
-+static int
-+verify_checksums(void)
-+ {
-+ int rv;
-+ char path[PATH_MAX+1];
-+ char *p;
-+
-+ /* we need to avoid dlopening libssl, assume both libcrypto and libssl
-+ are in the same directory */
-+
-+ rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER, "FIPS_mode_set", path, sizeof(path));
-+ if (rv < 0)
-+ return 0;
-+
-+ rv = FIPSCHECK_verify(path);
-+ if (!rv)
-+ return 0;
-+
-+ /* replace libcrypto with libssl */
-+ while ((p = strstr(path, "libcrypto.so")) != NULL)
-+ {
-+ p = stpcpy(p, "libssl");
-+ memmove(p, p+3, strlen(p+2));
-+ }
-+
-+ rv = FIPSCHECK_verify(path);
-+ if (!rv)
-+ return 0;
-+ return 1;
-+ }
-+
-+#ifndef FIPS_MODULE_PATH
-+#define FIPS_MODULE_PATH "/etc/system-fips"
-+#endif
-+
-+int
-+FIPS_module_installed(void)
-+ {
-+ int rv;
-+ rv = access(FIPS_MODULE_PATH, F_OK);
-+ if (rv < 0 && errno != ENOENT)
-+ rv = 0;
-+
-+ /* Installed == true */
-+ return !rv;
-+ }
-+
- int FIPS_module_mode_set(int onoff, const char *auth)
- {
- int ret = 0;
-@@ -379,15 +424,7 @@ int FIPS_module_mode_set(int onoff, cons
- }
- #endif
-
-- if(!FIPSCHECK_verify("libcrypto.so." SHLIB_VERSION_NUMBER,"FIPS_mode_set"))
-- {
-- FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
-- fips_selftest_fail = 1;
-- ret = 0;
-- goto end;
-- }
--
-- if(!FIPSCHECK_verify("libssl.so." SHLIB_VERSION_NUMBER,"SSL_CTX_new"))
-+ if(!verify_checksums())
- {
- FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
- fips_selftest_fail = 1;
-diff -up openssl-1.0.1e/crypto/fips/fips.h.fips-ctor openssl-1.0.1e/crypto/fips/fips.h
---- openssl-1.0.1e/crypto/fips/fips.h.fips-ctor 2013-09-26 13:52:30.814886515 +0200
-+++ openssl-1.0.1e/crypto/fips/fips.h 2013-09-26 13:52:30.816886560 +0200
-@@ -74,6 +74,7 @@ struct hmac_ctx_st;
-
- int FIPS_module_mode_set(int onoff, const char *auth);
- int FIPS_module_mode(void);
-+int FIPS_module_installed(void);
- const void *FIPS_rand_check(void);
- int FIPS_selftest(void);
- int FIPS_selftest_failed(void);
-diff -up openssl-1.0.1e/crypto/o_init.c.fips-ctor openssl-1.0.1e/crypto/o_init.c
---- openssl-1.0.1e/crypto/o_init.c.fips-ctor 2013-09-26 13:52:30.807886357 +0200
-+++ openssl-1.0.1e/crypto/o_init.c 2013-09-26 14:00:21.000000000 +0200
-@@ -71,6 +71,9 @@ static void init_fips_mode(void)
- char buf[2] = "0";
- int fd;
-
-+ /* Ensure the selftests always run */
-+ FIPS_mode_set(1);
-+
- if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
- {
- buf[0] = '1';
-@@ -85,9 +88,15 @@ static void init_fips_mode(void)
- * otherwise.
- */
-
-- if (buf[0] == '1')
-+ if (buf[0] != '1')
-+ {
-+ /* drop down to non-FIPS mode if it is not requested */
-+ FIPS_mode_set(0);
-+ }
-+ else
- {
-- FIPS_mode_set(1);
-+ /* abort if selftest failed */
-+ FIPS_selftest_check();
- }
- }
- #endif
-@@ -96,13 +105,17 @@ static void init_fips_mode(void)
- * Currently only sets FIPS callbacks
- */
-
--void OPENSSL_init_library(void)
-+void __attribute__ ((constructor)) OPENSSL_init_library(void)
- {
- static int done = 0;
- if (done)
- return;
- done = 1;
- #ifdef OPENSSL_FIPS
-+ if (!FIPS_module_installed())
-+ {
-+ return;
-+ }
- RAND_init_fips();
- init_fips_mode();
- if (!FIPS_mode())
diff --git a/SOURCES/openssl-1.0.1e-fips-ec.patch b/SOURCES/openssl-1.0.1e-fips-ec.patch
deleted file mode 100644
index e1f648c..0000000
--- a/SOURCES/openssl-1.0.1e-fips-ec.patch
+++ /dev/null
@@ -1,2039 +0,0 @@
-diff -up openssl-1.0.1e/crypto/ecdh/ecdh.h.fips-ec openssl-1.0.1e/crypto/ecdh/ecdh.h
---- openssl-1.0.1e/crypto/ecdh/ecdh.h.fips-ec 2013-11-08 17:59:42.755019363 +0100
-+++ openssl-1.0.1e/crypto/ecdh/ecdh.h 2013-11-08 17:59:43.147028002 +0100
-@@ -85,6 +85,8 @@
- extern "C" {
- #endif
-
-+#define EC_FLAG_COFACTOR_ECDH 0x1000
-+
- const ECDH_METHOD *ECDH_OpenSSL(void);
-
- void ECDH_set_default_method(const ECDH_METHOD *);
-diff -up openssl-1.0.1e/crypto/ecdh/ecdhtest.c.fips-ec openssl-1.0.1e/crypto/ecdh/ecdhtest.c
---- openssl-1.0.1e/crypto/ecdh/ecdhtest.c.fips-ec 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/ecdh/ecdhtest.c 2013-11-08 17:59:54.712282862 +0100
-@@ -323,8 +323,10 @@ int main(int argc, char *argv[])
- if ((ctx=BN_CTX_new()) == NULL) goto err;
-
- /* NIST PRIME CURVES TESTS */
-+#if 0
- if (!test_ecdh_curve(NID_X9_62_prime192v1, "NIST Prime-Curve P-192", ctx, out)) goto err;
- if (!test_ecdh_curve(NID_secp224r1, "NIST Prime-Curve P-224", ctx, out)) goto err;
-+#endif
- if (!test_ecdh_curve(NID_X9_62_prime256v1, "NIST Prime-Curve P-256", ctx, out)) goto err;
- if (!test_ecdh_curve(NID_secp384r1, "NIST Prime-Curve P-384", ctx, out)) goto err;
- if (!test_ecdh_curve(NID_secp521r1, "NIST Prime-Curve P-521", ctx, out)) goto err;
-diff -up openssl-1.0.1e/crypto/ecdh/ech_lib.c.fips-ec openssl-1.0.1e/crypto/ecdh/ech_lib.c
---- openssl-1.0.1e/crypto/ecdh/ech_lib.c.fips-ec 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/ecdh/ech_lib.c 2013-11-08 17:59:43.148028024 +0100
-@@ -94,14 +94,7 @@ const ECDH_METHOD *ECDH_get_default_meth
- {
- if(!default_ECDH_method)
- {
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode())
-- return FIPS_ecdh_openssl();
-- else
-- return ECDH_OpenSSL();
--#else
- default_ECDH_method = ECDH_OpenSSL();
--#endif
- }
- return default_ECDH_method;
- }
-diff -up openssl-1.0.1e/crypto/ecdh/ech_ossl.c.fips-ec openssl-1.0.1e/crypto/ecdh/ech_ossl.c
---- openssl-1.0.1e/crypto/ecdh/ech_ossl.c.fips-ec 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/ecdh/ech_ossl.c 2013-11-08 17:59:43.148028024 +0100
-@@ -79,6 +79,10 @@
- #include <openssl/obj_mac.h>
- #include <openssl/bn.h>
-
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-+
- static int ecdh_compute_key(void *out, size_t len, const EC_POINT *pub_key,
- EC_KEY *ecdh,
- void *(*KDF)(const void *in, size_t inlen, void *out, size_t *outlen));
-@@ -90,7 +94,7 @@ static ECDH_METHOD openssl_ecdh_meth = {
- NULL, /* init */
- NULL, /* finish */
- #endif
-- 0, /* flags */
-+ ECDH_FLAG_FIPS_METHOD, /* flags */
- NULL /* app_data */
- };
-
-@@ -118,6 +122,14 @@ static int ecdh_compute_key(void *out, s
- size_t buflen, len;
- unsigned char *buf=NULL;
-
-+#ifdef OPENSSL_FIPS
-+ if(FIPS_selftest_failed())
-+ {
-+ FIPSerr(FIPS_F_ECDH_COMPUTE_KEY,FIPS_R_FIPS_SELFTEST_FAILED);
-+ return -1;
-+ }
-+#endif
-+
- if (outlen > INT_MAX)
- {
- ECDHerr(ECDH_F_ECDH_COMPUTE_KEY,ERR_R_MALLOC_FAILURE); /* sort of, anyway */
-@@ -137,6 +149,18 @@ static int ecdh_compute_key(void *out, s
- }
-
- group = EC_KEY_get0_group(ecdh);
-+
-+ if (EC_KEY_get_flags(ecdh) & EC_FLAG_COFACTOR_ECDH)
-+ {
-+ if (!EC_GROUP_get_cofactor(group, x, ctx) ||
-+ !BN_mul(x, x, priv_key, ctx))
-+ {
-+ ECDHerr(ECDH_F_ECDH_COMPUTE_KEY, ERR_R_MALLOC_FAILURE);
-+ goto err;
-+ }
-+ priv_key = x;
-+ }
-+
- if ((tmp=EC_POINT_new(group)) == NULL)
- {
- ECDHerr(ECDH_F_ECDH_COMPUTE_KEY,ERR_R_MALLOC_FAILURE);
-diff -up openssl-1.0.1e/crypto/ecdsa/ecdsatest.c.fips-ec openssl-1.0.1e/crypto/ecdsa/ecdsatest.c
---- openssl-1.0.1e/crypto/ecdsa/ecdsatest.c.fips-ec 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/ecdsa/ecdsatest.c 2013-11-08 17:59:43.148028024 +0100
-@@ -138,11 +138,14 @@ int restore_rand(void)
- }
-
- static int fbytes_counter = 0;
--static const char *numbers[8] = {
-+static const char *numbers[10] = {
-+ "651056770906015076056810763456358567190100156695615665659",
- "651056770906015076056810763456358567190100156695615665659",
- "6140507067065001063065065565667405560006161556565665656654",
- "8763001015071075675010661307616710783570106710677817767166"
- "71676178726717",
-+ "8763001015071075675010661307616710783570106710677817767166"
-+ "71676178726717",
- "7000000175690566466555057817571571075705015757757057795755"
- "55657156756655",
- "1275552191113212300012030439187146164646146646466749494799",
-@@ -157,7 +160,7 @@ int fbytes(unsigned char *buf, int num)
- int ret;
- BIGNUM *tmp = NULL;
-
-- if (fbytes_counter >= 8)
-+ if (fbytes_counter >= 10)
- return 0;
- tmp = BN_new();
- if (!tmp)
-@@ -550,7 +553,9 @@ int main(void)
- RAND_seed(rnd_seed, sizeof(rnd_seed));
-
- /* the tests */
-+#if 0
- if (!x9_62_tests(out)) goto err;
-+#endif
- if (!test_builtin(out)) goto err;
-
- ret = 0;
-diff -up openssl-1.0.1e/crypto/ecdsa/ecs_lib.c.fips-ec openssl-1.0.1e/crypto/ecdsa/ecs_lib.c
---- openssl-1.0.1e/crypto/ecdsa/ecs_lib.c.fips-ec 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/ecdsa/ecs_lib.c 2013-11-08 17:59:43.148028024 +0100
-@@ -81,14 +81,7 @@ const ECDSA_METHOD *ECDSA_get_default_me
- {
- if(!default_ECDSA_method)
- {
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode())
-- return FIPS_ecdsa_openssl();
-- else
-- return ECDSA_OpenSSL();
--#else
- default_ECDSA_method = ECDSA_OpenSSL();
--#endif
- }
- return default_ECDSA_method;
- }
-diff -up openssl-1.0.1e/crypto/ecdsa/ecs_ossl.c.fips-ec openssl-1.0.1e/crypto/ecdsa/ecs_ossl.c
---- openssl-1.0.1e/crypto/ecdsa/ecs_ossl.c.fips-ec 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/ecdsa/ecs_ossl.c 2013-11-08 17:59:43.148028024 +0100
-@@ -60,6 +60,9 @@
- #include <openssl/err.h>
- #include <openssl/obj_mac.h>
- #include <openssl/bn.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-
- static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dlen,
- const BIGNUM *, const BIGNUM *, EC_KEY *eckey);
-@@ -77,7 +80,7 @@ static ECDSA_METHOD openssl_ecdsa_meth =
- NULL, /* init */
- NULL, /* finish */
- #endif
-- 0, /* flags */
-+ ECDSA_FLAG_FIPS_METHOD, /* flags */
- NULL /* app_data */
- };
-
-@@ -231,6 +234,14 @@ static ECDSA_SIG *ecdsa_do_sign(const un
- ECDSA_DATA *ecdsa;
- const BIGNUM *priv_key;
-
-+#ifdef OPENSSL_FIPS
-+ if(FIPS_selftest_failed())
-+ {
-+ FIPSerr(FIPS_F_ECDSA_DO_SIGN,FIPS_R_FIPS_SELFTEST_FAILED);
-+ return NULL;
-+ }
-+#endif
-+
- ecdsa = ecdsa_check(eckey);
- group = EC_KEY_get0_group(eckey);
- priv_key = EC_KEY_get0_private_key(eckey);
-@@ -360,6 +371,14 @@ static int ecdsa_do_verify(const unsigne
- const EC_GROUP *group;
- const EC_POINT *pub_key;
-
-+#ifdef OPENSSL_FIPS
-+ if(FIPS_selftest_failed())
-+ {
-+ FIPSerr(FIPS_F_ECDSA_DO_VERIFY,FIPS_R_FIPS_SELFTEST_FAILED);
-+ return -1;
-+ }
-+#endif
-+
- /* check input values */
- if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL ||
- (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL)
-diff -up openssl-1.0.1e/crypto/ec/ec_key.c.fips-ec openssl-1.0.1e/crypto/ec/ec_key.c
---- openssl-1.0.1e/crypto/ec/ec_key.c.fips-ec 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/ec/ec_key.c 2013-11-08 17:59:43.148028024 +0100
-@@ -64,9 +64,6 @@
- #include <string.h>
- #include "ec_lcl.h"
- #include <openssl/err.h>
--#ifdef OPENSSL_FIPS
--#include <openssl/fips.h>
--#endif
-
- EC_KEY *EC_KEY_new(void)
- {
-@@ -234,6 +231,39 @@ int EC_KEY_up_ref(EC_KEY *r)
- return ((i > 1) ? 1 : 0);
- }
-
-+#ifdef OPENSSL_FIPS
-+
-+#include <openssl/evp.h>
-+#include <openssl/fips.h>
-+#include <openssl/fips_rand.h>
-+
-+static int fips_check_ec(EC_KEY *key)
-+ {
-+ EVP_PKEY *pk;
-+ unsigned char tbs[] = "ECDSA Pairwise Check Data";
-+ int ret = 0;
-+
-+ if ((pk=EVP_PKEY_new()) == NULL)
-+ goto err;
-+
-+ EVP_PKEY_set1_EC_KEY(pk, key);
-+
-+ if (fips_pkey_signature_test(pk, tbs, -1, NULL, 0, NULL, 0, NULL))
-+ ret = 1;
-+
-+ err:
-+ if (ret == 0)
-+ {
-+ FIPSerr(FIPS_F_FIPS_CHECK_EC,FIPS_R_PAIRWISE_TEST_FAILED);
-+ fips_set_selftest_fail();
-+ }
-+ if (pk)
-+ EVP_PKEY_free(pk);
-+ return ret;
-+ }
-+
-+#endif
-+
- int EC_KEY_generate_key(EC_KEY *eckey)
- {
- int ok = 0;
-@@ -242,8 +272,11 @@ int EC_KEY_generate_key(EC_KEY *eckey)
- EC_POINT *pub_key = NULL;
-
- #ifdef OPENSSL_FIPS
-- if (FIPS_mode())
-- return FIPS_ec_key_generate_key(eckey);
-+ if(FIPS_selftest_failed())
-+ {
-+ FIPSerr(FIPS_F_EC_KEY_GENERATE_KEY,FIPS_R_FIPS_SELFTEST_FAILED);
-+ return 0;
-+ }
- #endif
-
- if (!eckey || !eckey->group)
-@@ -287,6 +320,15 @@ int EC_KEY_generate_key(EC_KEY *eckey)
- eckey->priv_key = priv_key;
- eckey->pub_key = pub_key;
-
-+#ifdef OPENSSL_FIPS
-+ if(!fips_check_ec(eckey))
-+ {
-+ eckey->priv_key = NULL;
-+ eckey->pub_key = NULL;
-+ goto err;
-+ }
-+#endif
-+
- ok=1;
-
- err:
-@@ -429,10 +471,12 @@ int EC_KEY_set_public_key_affine_coordin
- tx, ty, ctx))
- goto err;
- }
-- /* Check if retrieved coordinates match originals: if not values
-- * are out of range.
-+ /* Check if retrieved coordinates match originals and are less than
-+ * field order: if not values are out of range.
- */
-- if (BN_cmp(x, tx) || BN_cmp(y, ty))
-+ if (BN_cmp(x, tx) || BN_cmp(y, ty)
-+ || (BN_cmp(x, &key->group->field) >= 0)
-+ || (BN_cmp(y, &key->group->field) >= 0))
- {
- ECerr(EC_F_EC_KEY_SET_PUBLIC_KEY_AFFINE_COORDINATES,
- EC_R_COORDINATES_OUT_OF_RANGE);
-diff -up openssl-1.0.1e/crypto/ec/ecp_mont.c.fips-ec openssl-1.0.1e/crypto/ec/ecp_mont.c
---- openssl-1.0.1e/crypto/ec/ecp_mont.c.fips-ec 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/ec/ecp_mont.c 2013-11-08 17:59:43.149028046 +0100
-@@ -63,18 +63,11 @@
-
- #include <openssl/err.h>
-
--#ifdef OPENSSL_FIPS
--#include <openssl/fips.h>
--#endif
--
- #include "ec_lcl.h"
-
-
- const EC_METHOD *EC_GFp_mont_method(void)
- {
--#ifdef OPENSSL_FIPS
-- return fips_ec_gfp_mont_method();
--#else
- static const EC_METHOD ret = {
- EC_FLAGS_DEFAULT_OCT,
- NID_X9_62_prime_field,
-@@ -115,7 +108,6 @@ const EC_METHOD *EC_GFp_mont_method(void
- ec_GFp_mont_field_set_to_one };
-
- return &ret;
--#endif
- }
-
-
-diff -up openssl-1.0.1e/crypto/ec/ecp_nist.c.fips-ec openssl-1.0.1e/crypto/ec/ecp_nist.c
---- openssl-1.0.1e/crypto/ec/ecp_nist.c.fips-ec 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/ec/ecp_nist.c 2013-11-08 17:59:43.149028046 +0100
-@@ -67,15 +67,8 @@
- #include <openssl/obj_mac.h>
- #include "ec_lcl.h"
-
--#ifdef OPENSSL_FIPS
--#include <openssl/fips.h>
--#endif
--
- const EC_METHOD *EC_GFp_nist_method(void)
- {
--#ifdef OPENSSL_FIPS
-- return fips_ec_gfp_nist_method();
--#else
- static const EC_METHOD ret = {
- EC_FLAGS_DEFAULT_OCT,
- NID_X9_62_prime_field,
-@@ -116,7 +109,6 @@ const EC_METHOD *EC_GFp_nist_method(void
- 0 /* field_set_to_one */ };
-
- return &ret;
--#endif
- }
-
- int ec_GFp_nist_group_copy(EC_GROUP *dest, const EC_GROUP *src)
-diff -up openssl-1.0.1e/crypto/ec/ecp_smpl.c.fips-ec openssl-1.0.1e/crypto/ec/ecp_smpl.c
---- openssl-1.0.1e/crypto/ec/ecp_smpl.c.fips-ec 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/ec/ecp_smpl.c 2013-11-08 17:59:43.149028046 +0100
-@@ -65,17 +65,10 @@
- #include <openssl/err.h>
- #include <openssl/symhacks.h>
-
--#ifdef OPENSSL_FIPS
--#include <openssl/fips.h>
--#endif
--
- #include "ec_lcl.h"
-
- const EC_METHOD *EC_GFp_simple_method(void)
- {
--#ifdef OPENSSL_FIPS
-- return fips_ec_gfp_simple_method();
--#else
- static const EC_METHOD ret = {
- EC_FLAGS_DEFAULT_OCT,
- NID_X9_62_prime_field,
-@@ -116,7 +109,6 @@ const EC_METHOD *EC_GFp_simple_method(vo
- 0 /* field_set_to_one */ };
-
- return &ret;
--#endif
- }
-
-
-@@ -186,6 +178,12 @@ int ec_GFp_simple_group_set_curve(EC_GRO
- return 0;
- }
-
-+ if (BN_num_bits(p) < 256)
-+ {
-+ ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE, EC_R_UNSUPPORTED_FIELD);
-+ return 0;
-+ }
-+
- if (ctx == NULL)
- {
- ctx = new_ctx = BN_CTX_new();
-diff -up openssl-1.0.1e/crypto/evp/m_ecdsa.c.fips-ec openssl-1.0.1e/crypto/evp/m_ecdsa.c
---- openssl-1.0.1e/crypto/evp/m_ecdsa.c.fips-ec 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/evp/m_ecdsa.c 2013-11-08 17:59:43.149028046 +0100
-@@ -116,7 +116,6 @@
- #include <openssl/x509.h>
-
- #ifndef OPENSSL_NO_SHA
--#ifndef OPENSSL_FIPS
-
- static int init(EVP_MD_CTX *ctx)
- { return SHA1_Init(ctx->md_data); }
-@@ -132,7 +131,7 @@ static const EVP_MD ecdsa_md=
- NID_ecdsa_with_SHA1,
- NID_ecdsa_with_SHA1,
- SHA_DIGEST_LENGTH,
-- EVP_MD_FLAG_PKEY_DIGEST,
-+ EVP_MD_FLAG_PKEY_DIGEST|EVP_MD_FLAG_FIPS,
- init,
- update,
- final,
-@@ -148,4 +147,3 @@ const EVP_MD *EVP_ecdsa(void)
- return(&ecdsa_md);
- }
- #endif
--#endif
-diff -up openssl-1.0.1e/crypto/fips/cavs/fips_ecdhvs.c.fips-ec openssl-1.0.1e/crypto/fips/cavs/fips_ecdhvs.c
---- openssl-1.0.1e/crypto/fips/cavs/fips_ecdhvs.c.fips-ec 2013-11-08 17:59:43.149028046 +0100
-+++ openssl-1.0.1e/crypto/fips/cavs/fips_ecdhvs.c 2013-11-08 17:59:43.149028046 +0100
-@@ -0,0 +1,496 @@
-+/* fips/ecdh/fips_ecdhvs.c */
-+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
-+ * project.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ */
-+
-+
-+#define OPENSSL_FIPSAPI
-+#include <openssl/opensslconf.h>
-+
-+#ifndef OPENSSL_FIPS
-+#include <stdio.h>
-+
-+int main(int argc, char **argv)
-+{
-+ printf("No FIPS ECDH support\n");
-+ return(0);
-+}
-+#else
-+
-+#include <openssl/crypto.h>
-+#include <openssl/bn.h>
-+#include <openssl/ecdh.h>
-+#include <openssl/fips.h>
-+#include <openssl/err.h>
-+#include <openssl/evp.h>
-+#include <string.h>
-+#include <ctype.h>
-+
-+#include "fips_utl.h"
-+
-+static const EVP_MD *eparse_md(char *line)
-+ {
-+ char *p;
-+ if (line[0] != '[' || line[1] != 'E')
-+ return NULL;
-+ p = strchr(line, '-');
-+ if (!p)
-+ return NULL;
-+ line = p + 1;
-+ p = strchr(line, ']');
-+ if (!p)
-+ return NULL;
-+ *p = 0;
-+ p = line;
-+ while(isspace(*p))
-+ p++;
-+ if (!strcmp(p, "SHA1"))
-+ return EVP_sha1();
-+ else if (!strcmp(p, "SHA224"))
-+ return EVP_sha224();
-+ else if (!strcmp(p, "SHA256"))
-+ return EVP_sha256();
-+ else if (!strcmp(p, "SHA384"))
-+ return EVP_sha384();
-+ else if (!strcmp(p, "SHA512"))
-+ return EVP_sha512();
-+ else
-+ return NULL;
-+ }
-+
-+static int lookup_curve2(char *cname)
-+ {
-+ char *p;
-+ p = strchr(cname, ']');
-+ if (!p)
-+ {
-+ fprintf(stderr, "Parse error: missing ]\n");
-+ return NID_undef;
-+ }
-+ *p = 0;
-+
-+ if (!strcmp(cname, "B-163"))
-+ return NID_sect163r2;
-+ if (!strcmp(cname, "B-233"))
-+ return NID_sect233r1;
-+ if (!strcmp(cname, "B-283"))
-+ return NID_sect283r1;
-+ if (!strcmp(cname, "B-409"))
-+ return NID_sect409r1;
-+ if (!strcmp(cname, "B-571"))
-+ return NID_sect571r1;
-+ if (!strcmp(cname, "K-163"))
-+ return NID_sect163k1;
-+ if (!strcmp(cname, "K-233"))
-+ return NID_sect233k1;
-+ if (!strcmp(cname, "K-283"))
-+ return NID_sect283k1;
-+ if (!strcmp(cname, "K-409"))
-+ return NID_sect409k1;
-+ if (!strcmp(cname, "K-571"))
-+ return NID_sect571k1;
-+ if (!strcmp(cname, "P-192"))
-+ return NID_X9_62_prime192v1;
-+ if (!strcmp(cname, "P-224"))
-+ return NID_secp224r1;
-+ if (!strcmp(cname, "P-256"))
-+ return NID_X9_62_prime256v1;
-+ if (!strcmp(cname, "P-384"))
-+ return NID_secp384r1;
-+ if (!strcmp(cname, "P-521"))
-+ return NID_secp521r1;
-+
-+ fprintf(stderr, "Unknown Curve name %s\n", cname);
-+ return NID_undef;
-+ }
-+
-+static int lookup_curve(char *cname)
-+ {
-+ char *p;
-+ p = strchr(cname, ':');
-+ if (!p)
-+ {
-+ fprintf(stderr, "Parse error: missing :\n");
-+ return NID_undef;
-+ }
-+ cname = p + 1;
-+ while(isspace(*cname))
-+ cname++;
-+ return lookup_curve2(cname);
-+ }
-+
-+static EC_POINT *make_peer(EC_GROUP *group, BIGNUM *x, BIGNUM *y)
-+ {
-+ EC_POINT *peer;
-+ int rv;
-+ BN_CTX *c;
-+ peer = EC_POINT_new(group);
-+ if (!peer)
-+ return NULL;
-+ c = BN_CTX_new();
-+ if (EC_METHOD_get_field_type(EC_GROUP_method_of(group))
-+ == NID_X9_62_prime_field)
-+ rv = EC_POINT_set_affine_coordinates_GFp(group, peer, x, y, c);
-+ else
-+#ifdef OPENSSL_NO_EC2M
-+ {
-+ fprintf(stderr, "ERROR: GF2m not supported\n");
-+ exit(1);
-+ }
-+#else
-+ rv = EC_POINT_set_affine_coordinates_GF2m(group, peer, x, y, c);
-+#endif
-+
-+ BN_CTX_free(c);
-+ if (rv)
-+ return peer;
-+ EC_POINT_free(peer);
-+ return NULL;
-+ }
-+
-+static int ec_print_key(FILE *out, EC_KEY *key, int add_e, int exout)
-+ {
-+ const EC_POINT *pt;
-+ const EC_GROUP *grp;
-+ const EC_METHOD *meth;
-+ int rv;
-+ BIGNUM *tx, *ty;
-+ const BIGNUM *d = NULL;
-+ BN_CTX *ctx;
-+ ctx = BN_CTX_new();
-+ if (!ctx)
-+ return 0;
-+ tx = BN_CTX_get(ctx);
-+ ty = BN_CTX_get(ctx);
-+ if (!tx || !ty)
-+ return 0;
-+ grp = EC_KEY_get0_group(key);
-+ pt = EC_KEY_get0_public_key(key);
-+ if (exout)
-+ d = EC_KEY_get0_private_key(key);
-+ meth = EC_GROUP_method_of(grp);
-+ if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
-+ rv = EC_POINT_get_affine_coordinates_GFp(grp, pt, tx, ty, ctx);
-+ else
-+#ifdef OPENSSL_NO_EC2M
-+ {
-+ fprintf(stderr, "ERROR: GF2m not supported\n");
-+ exit(1);
-+ }
-+#else
-+ rv = EC_POINT_get_affine_coordinates_GF2m(grp, pt, tx, ty, ctx);
-+#endif
-+
-+ if (add_e)
-+ {
-+ do_bn_print_name(out, "QeIUTx", tx);
-+ do_bn_print_name(out, "QeIUTy", ty);
-+ if (d)
-+ do_bn_print_name(out, "QeIUTd", d);
-+ }
-+ else
-+ {
-+ do_bn_print_name(out, "QIUTx", tx);
-+ do_bn_print_name(out, "QIUTy", ty);
-+ if (d)
-+ do_bn_print_name(out, "QIUTd", d);
-+ }
-+
-+ BN_CTX_free(ctx);
-+
-+ return rv;
-+
-+ }
-+
-+static void ec_output_Zhash(FILE *out, int exout, EC_GROUP *group,
-+ BIGNUM *ix, BIGNUM *iy, BIGNUM *id, BIGNUM *cx,
-+ BIGNUM *cy, const EVP_MD *md,
-+ unsigned char *rhash, size_t rhashlen)
-+ {
-+ EC_KEY *ec = NULL;
-+ EC_POINT *peerkey = NULL;
-+ unsigned char *Z;
-+ unsigned char chash[EVP_MAX_MD_SIZE];
-+ int Zlen;
-+ ec = EC_KEY_new();
-+ EC_KEY_set_flags(ec, EC_FLAG_COFACTOR_ECDH);
-+ EC_KEY_set_group(ec, group);
-+ peerkey = make_peer(group, cx, cy);
-+ if (rhash == NULL)
-+ {
-+ if (md)
-+ rhashlen = M_EVP_MD_size(md);
-+ EC_KEY_generate_key(ec);
-+ ec_print_key(out, ec, md ? 1 : 0, exout);
-+ }
-+ else
-+ {
-+ EC_KEY_set_public_key_affine_coordinates(ec, ix, iy);
-+ EC_KEY_set_private_key(ec, id);
-+ }
-+ Zlen = (EC_GROUP_get_degree(group) + 7)/8;
-+ Z = OPENSSL_malloc(Zlen);
-+ if (!Z)
-+ exit(1);
-+ ECDH_compute_key(Z, Zlen, peerkey, ec, 0);
-+ if (md)
-+ {
-+ if (exout)
-+ OutputValue("Z", Z, Zlen, out, 0);
-+ FIPS_digest(Z, Zlen, chash, NULL, md);
-+ OutputValue(rhash ? "IUTHashZZ" : "HashZZ",
-+ chash, rhashlen, out, 0);
-+ if (rhash)
-+ {
-+ fprintf(out, "Result = %s\n",
-+ memcmp(chash, rhash, rhashlen) ? "F" : "P");
-+ }
-+ }
-+ else
-+ OutputValue("ZIUT", Z, Zlen, out, 0);
-+ OPENSSL_cleanse(Z, Zlen);
-+ OPENSSL_free(Z);
-+ EC_KEY_free(ec);
-+ EC_POINT_free(peerkey);
-+ }
-+
-+#ifdef FIPS_ALGVS
-+int fips_ecdhvs_main(int argc, char **argv)
-+#else
-+int main(int argc, char **argv)
-+#endif
-+ {
-+ char **args = argv + 1;
-+ int argn = argc - 1;
-+ FILE *in, *out;
-+ char buf[2048], lbuf[2048];
-+ unsigned char *rhash = NULL;
-+ long rhashlen;
-+ BIGNUM *cx = NULL, *cy = NULL;
-+ BIGNUM *id = NULL, *ix = NULL, *iy = NULL;
-+ const EVP_MD *md = NULL;
-+ EC_GROUP *group = NULL;
-+ char *keyword = NULL, *value = NULL;
-+ int do_verify = -1, exout = 0;
-+ int rv = 1;
-+
-+ int curve_nids[5] = {0,0,0,0,0};
-+ int param_set = -1;
-+
-+ fips_algtest_init();
-+
-+ if (argn && !strcmp(*args, "ecdhver"))
-+ {
-+ do_verify = 1;
-+ args++;
-+ argn--;
-+ }
-+ else if (argn && !strcmp(*args, "ecdhgen"))
-+ {
-+ do_verify = 0;
-+ args++;
-+ argn--;
-+ }
-+
-+ if (argn && !strcmp(*args, "-exout"))
-+ {
-+ exout = 1;
-+ args++;
-+ argn--;
-+ }
-+
-+ if (do_verify == -1)
-+ {
-+ fprintf(stderr,"%s [ecdhver|ecdhgen|] [-exout] (infile outfile)\n",argv[0]);
-+ exit(1);
-+ }
-+
-+ if (argn == 2)
-+ {
-+ in = fopen(*args, "r");
-+ if (!in)
-+ {
-+ fprintf(stderr, "Error opening input file\n");
-+ exit(1);
-+ }
-+ out = fopen(args[1], "w");
-+ if (!out)
-+ {
-+ fprintf(stderr, "Error opening output file\n");
-+ exit(1);
-+ }
-+ }
-+ else if (argn == 0)
-+ {
-+ in = stdin;
-+ out = stdout;
-+ }
-+ else
-+ {
-+ fprintf(stderr,"%s [dhver|dhgen|] [-exout] (infile outfile)\n",argv[0]);
-+ exit(1);
-+ }
-+
-+ while (fgets(buf, sizeof(buf), in) != NULL)
-+ {
-+ fputs(buf, out);
-+ if (buf[0] == '[' && buf[1] == 'E')
-+ {
-+ int c = buf[2];
-+ if (c < 'A' || c > 'E')
-+ goto parse_error;
-+ param_set = c - 'A';
-+ /* If just [E?] then initial paramset */
-+ if (buf[3] == ']')
-+ continue;
-+ if (group)
-+ EC_GROUP_free(group);
-+ group = EC_GROUP_new_by_curve_name(curve_nids[c - 'A']);
-+ }
-+ if (strlen(buf) > 10 && !strncmp(buf, "[Curve", 6))
-+ {
-+ int nid;
-+ if (param_set == -1)
-+ goto parse_error;
-+ nid = lookup_curve(buf);
-+ if (nid == NID_undef)
-+ goto parse_error;
-+ curve_nids[param_set] = nid;
-+ }
-+
-+ if (strlen(buf) > 4 && buf[0] == '[' && buf[2] == '-')
-+ {
-+ int nid = lookup_curve2(buf + 1);
-+ if (nid == NID_undef)
-+ goto parse_error;
-+ if (group)
-+ EC_GROUP_free(group);
-+ group = EC_GROUP_new_by_curve_name(nid);
-+ if (!group)
-+ {
-+ fprintf(stderr, "ERROR: unsupported curve %s\n", buf + 1);
-+ return 1;
-+ }
-+ }
-+
-+ if (strlen(buf) > 6 && !strncmp(buf, "[E", 2))
-+ {
-+ md = eparse_md(buf);
-+ if (md == NULL)
-+ goto parse_error;
-+ continue;
-+ }
-+ if (!parse_line(&keyword, &value, lbuf, buf))
-+ continue;
-+ if (!strcmp(keyword, "QeCAVSx") || !strcmp(keyword, "QCAVSx"))
-+ {
-+ if (!do_hex2bn(&cx, value))
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "QeCAVSy") || !strcmp(keyword, "QCAVSy"))
-+ {
-+ if (!do_hex2bn(&cy, value))
-+ goto parse_error;
-+ if (do_verify == 0)
-+ ec_output_Zhash(out, exout, group,
-+ NULL, NULL, NULL,
-+ cx, cy, md, rhash, rhashlen);
-+ }
-+ else if (!strcmp(keyword, "deIUT"))
-+ {
-+ if (!do_hex2bn(&id, value))
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "QeIUTx"))
-+ {
-+ if (!do_hex2bn(&ix, value))
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "QeIUTy"))
-+ {
-+ if (!do_hex2bn(&iy, value))
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "CAVSHashZZ"))
-+ {
-+ if (!md)
-+ goto parse_error;
-+ rhash = hex2bin_m(value, &rhashlen);
-+ if (!rhash || rhashlen != M_EVP_MD_size(md))
-+ goto parse_error;
-+ ec_output_Zhash(out, exout, group, ix, iy, id, cx, cy,
-+ md, rhash, rhashlen);
-+ }
-+ }
-+ rv = 0;
-+ parse_error:
-+ if (id)
-+ BN_free(id);
-+ if (ix)
-+ BN_free(ix);
-+ if (iy)
-+ BN_free(iy);
-+ if (cx)
-+ BN_free(cx);
-+ if (cy)
-+ BN_free(cy);
-+ if (group)
-+ EC_GROUP_free(group);
-+ if (in && in != stdin)
-+ fclose(in);
-+ if (out && out != stdout)
-+ fclose(out);
-+ if (rv)
-+ fprintf(stderr, "Error Parsing request file\n");
-+ return rv;
-+ }
-+
-+#endif
-diff -up openssl-1.0.1e/crypto/fips/cavs/fips_ecdsavs.c.fips-ec openssl-1.0.1e/crypto/fips/cavs/fips_ecdsavs.c
---- openssl-1.0.1e/crypto/fips/cavs/fips_ecdsavs.c.fips-ec 2013-11-08 17:59:43.150028068 +0100
-+++ openssl-1.0.1e/crypto/fips/cavs/fips_ecdsavs.c 2013-11-08 17:59:43.150028068 +0100
-@@ -0,0 +1,533 @@
-+/* fips/ecdsa/fips_ecdsavs.c */
-+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
-+ * project.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ */
-+
-+#define OPENSSL_FIPSAPI
-+#include <openssl/opensslconf.h>
-+#include <stdio.h>
-+
-+#ifndef OPENSSL_FIPS
-+
-+int main(int argc, char **argv)
-+{
-+ printf("No FIPS ECDSA support\n");
-+ return(0);
-+}
-+#else
-+
-+#include <string.h>
-+#include <ctype.h>
-+#include <openssl/err.h>
-+#include <openssl/bn.h>
-+#include <openssl/ecdsa.h>
-+#include <openssl/evp.h>
-+#include "fips_utl.h"
-+
-+#include <openssl/objects.h>
-+
-+
-+static int elookup_curve(char *in, char *curve_name, const EVP_MD **pmd)
-+ {
-+ char *cname, *p;
-+ /* Copy buffer as we will change it */
-+ strcpy(curve_name, in);
-+ cname = curve_name + 1;
-+ p = strchr(cname, ']');
-+ if (!p)
-+ {
-+ fprintf(stderr, "Parse error: missing ]\n");
-+ return NID_undef;
-+ }
-+ *p = 0;
-+ p = strchr(cname, ',');
-+ if (p)
-+ {
-+ if (!pmd)
-+ {
-+ fprintf(stderr, "Parse error: unexpected digest\n");
-+ return NID_undef;
-+ }
-+ *p = 0;
-+ p++;
-+
-+ if (!strcmp(p, "SHA-1"))
-+ *pmd = EVP_sha1();
-+ else if (!strcmp(p, "SHA-224"))
-+ *pmd = EVP_sha224();
-+ else if (!strcmp(p, "SHA-256"))
-+ *pmd = EVP_sha256();
-+ else if (!strcmp(p, "SHA-384"))
-+ *pmd = EVP_sha384();
-+ else if (!strcmp(p, "SHA-512"))
-+ *pmd = EVP_sha512();
-+ else
-+ {
-+ fprintf(stderr, "Unknown digest %s\n", p);
-+ return NID_undef;
-+ }
-+ }
-+ else if(pmd)
-+ *pmd = EVP_sha1();
-+
-+ if (!strcmp(cname, "B-163"))
-+ return NID_sect163r2;
-+ if (!strcmp(cname, "B-233"))
-+ return NID_sect233r1;
-+ if (!strcmp(cname, "B-283"))
-+ return NID_sect283r1;
-+ if (!strcmp(cname, "B-409"))
-+ return NID_sect409r1;
-+ if (!strcmp(cname, "B-571"))
-+ return NID_sect571r1;
-+ if (!strcmp(cname, "K-163"))
-+ return NID_sect163k1;
-+ if (!strcmp(cname, "K-233"))
-+ return NID_sect233k1;
-+ if (!strcmp(cname, "K-283"))
-+ return NID_sect283k1;
-+ if (!strcmp(cname, "K-409"))
-+ return NID_sect409k1;
-+ if (!strcmp(cname, "K-571"))
-+ return NID_sect571k1;
-+ if (!strcmp(cname, "P-192"))
-+ return NID_X9_62_prime192v1;
-+ if (!strcmp(cname, "P-224"))
-+ return NID_secp224r1;
-+ if (!strcmp(cname, "P-256"))
-+ return NID_X9_62_prime256v1;
-+ if (!strcmp(cname, "P-384"))
-+ return NID_secp384r1;
-+ if (!strcmp(cname, "P-521"))
-+ return NID_secp521r1;
-+
-+ fprintf(stderr, "Unknown Curve name %s\n", cname);
-+ return NID_undef;
-+ }
-+
-+static int ec_get_pubkey(EC_KEY *key, BIGNUM *x, BIGNUM *y)
-+ {
-+ const EC_POINT *pt;
-+ const EC_GROUP *grp;
-+ const EC_METHOD *meth;
-+ int rv;
-+ BN_CTX *ctx;
-+ ctx = BN_CTX_new();
-+ if (!ctx)
-+ return 0;
-+ grp = EC_KEY_get0_group(key);
-+ pt = EC_KEY_get0_public_key(key);
-+ meth = EC_GROUP_method_of(grp);
-+ if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
-+ rv = EC_POINT_get_affine_coordinates_GFp(grp, pt, x, y, ctx);
-+ else
-+#ifdef OPENSSL_NO_EC2M
-+ {
-+ fprintf(stderr, "ERROR: GF2m not supported\n");
-+ exit(1);
-+ }
-+#else
-+ rv = EC_POINT_get_affine_coordinates_GF2m(grp, pt, x, y, ctx);
-+#endif
-+
-+ BN_CTX_free(ctx);
-+
-+ return rv;
-+
-+ }
-+
-+static int KeyPair(FILE *in, FILE *out)
-+ {
-+ char buf[2048], lbuf[2048];
-+ char *keyword, *value;
-+ int curve_nid = NID_undef;
-+ int i, count;
-+ BIGNUM *Qx = NULL, *Qy = NULL;
-+ const BIGNUM *d = NULL;
-+ EC_KEY *key = NULL;
-+ Qx = BN_new();
-+ Qy = BN_new();
-+ while(fgets(buf, sizeof buf, in) != NULL)
-+ {
-+ if (*buf == '[' && buf[2] == '-')
-+ {
-+ if (buf[2] == '-')
-+ curve_nid = elookup_curve(buf, lbuf, NULL);
-+ fputs(buf, out);
-+ continue;
-+ }
-+ if (!parse_line(&keyword, &value, lbuf, buf))
-+ {
-+ fputs(buf, out);
-+ continue;
-+ }
-+ if (!strcmp(keyword, "N"))
-+ {
-+ count = atoi(value);
-+
-+ for (i = 0; i < count; i++)
-+ {
-+
-+ key = EC_KEY_new_by_curve_name(curve_nid);
-+ if (!EC_KEY_generate_key(key))
-+ {
-+ fprintf(stderr, "Error generating key\n");
-+ return 0;
-+ }
-+
-+ if (!ec_get_pubkey(key, Qx, Qy))
-+ {
-+ fprintf(stderr, "Error getting public key\n");
-+ return 0;
-+ }
-+
-+ d = EC_KEY_get0_private_key(key);
-+
-+ do_bn_print_name(out, "d", d);
-+ do_bn_print_name(out, "Qx", Qx);
-+ do_bn_print_name(out, "Qy", Qy);
-+ fputs(RESP_EOL, out);
-+ EC_KEY_free(key);
-+
-+ }
-+
-+ }
-+
-+ }
-+ BN_free(Qx);
-+ BN_free(Qy);
-+ return 1;
-+ }
-+
-+static int PKV(FILE *in, FILE *out)
-+ {
-+
-+ char buf[2048], lbuf[2048];
-+ char *keyword, *value;
-+ int curve_nid = NID_undef;
-+ BIGNUM *Qx = NULL, *Qy = NULL;
-+ EC_KEY *key = NULL;
-+ while(fgets(buf, sizeof buf, in) != NULL)
-+ {
-+ fputs(buf, out);
-+ if (*buf == '[' && buf[2] == '-')
-+ {
-+ curve_nid = elookup_curve(buf, lbuf, NULL);
-+ if (curve_nid == NID_undef)
-+ return 0;
-+
-+ }
-+ if (!parse_line(&keyword, &value, lbuf, buf))
-+ continue;
-+ if (!strcmp(keyword, "Qx"))
-+ {
-+ if (!do_hex2bn(&Qx, value))
-+ {
-+ fprintf(stderr, "Invalid Qx value\n");
-+ return 0;
-+ }
-+ }
-+ if (!strcmp(keyword, "Qy"))
-+ {
-+ int rv;
-+ if (!do_hex2bn(&Qy, value))
-+ {
-+ fprintf(stderr, "Invalid Qy value\n");
-+ return 0;
-+ }
-+ key = EC_KEY_new_by_curve_name(curve_nid);
-+ no_err = 1;
-+ rv = EC_KEY_set_public_key_affine_coordinates(key, Qx, Qy);
-+ no_err = 0;
-+ EC_KEY_free(key);
-+ fprintf(out, "Result = %s" RESP_EOL, rv ? "P":"F");
-+ }
-+
-+ }
-+ BN_free(Qx);
-+ BN_free(Qy);
-+ return 1;
-+ }
-+
-+static int SigGen(FILE *in, FILE *out)
-+ {
-+ char buf[2048], lbuf[2048];
-+ char *keyword, *value;
-+ unsigned char *msg;
-+ int curve_nid = NID_undef;
-+ long mlen;
-+ BIGNUM *Qx = NULL, *Qy = NULL;
-+ EC_KEY *key = NULL;
-+ ECDSA_SIG *sig = NULL;
-+ const EVP_MD *digest = NULL;
-+ Qx = BN_new();
-+ Qy = BN_new();
-+ while(fgets(buf, sizeof buf, in) != NULL)
-+ {
-+ fputs(buf, out);
-+ if (*buf == '[')
-+ {
-+ curve_nid = elookup_curve(buf, lbuf, &digest);
-+ if (curve_nid == NID_undef)
-+ return 0;
-+ }
-+ if (!parse_line(&keyword, &value, lbuf, buf))
-+ continue;
-+ if (!strcmp(keyword, "Msg"))
-+ {
-+ msg = hex2bin_m(value, &mlen);
-+ if (!msg)
-+ {
-+ fprintf(stderr, "Invalid Message\n");
-+ return 0;
-+ }
-+
-+ key = EC_KEY_new_by_curve_name(curve_nid);
-+ if (!EC_KEY_generate_key(key))
-+ {
-+ fprintf(stderr, "Error generating key\n");
-+ return 0;
-+ }
-+
-+ if (!ec_get_pubkey(key, Qx, Qy))
-+ {
-+ fprintf(stderr, "Error getting public key\n");
-+ return 0;
-+ }
-+
-+ sig = FIPS_ecdsa_sign(key, msg, mlen, digest);
-+
-+ if (!sig)
-+ {
-+ fprintf(stderr, "Error signing message\n");
-+ return 0;
-+ }
-+
-+ do_bn_print_name(out, "Qx", Qx);
-+ do_bn_print_name(out, "Qy", Qy);
-+ do_bn_print_name(out, "R", sig->r);
-+ do_bn_print_name(out, "S", sig->s);
-+
-+ EC_KEY_free(key);
-+ OPENSSL_free(msg);
-+ FIPS_ecdsa_sig_free(sig);
-+
-+ }
-+
-+ }
-+ BN_free(Qx);
-+ BN_free(Qy);
-+ return 1;
-+ }
-+
-+static int SigVer(FILE *in, FILE *out)
-+ {
-+ char buf[2048], lbuf[2048];
-+ char *keyword, *value;
-+ unsigned char *msg = NULL;
-+ int curve_nid = NID_undef;
-+ long mlen;
-+ BIGNUM *Qx = NULL, *Qy = NULL;
-+ EC_KEY *key = NULL;
-+ ECDSA_SIG sg, *sig = &sg;
-+ const EVP_MD *digest = NULL;
-+ sig->r = NULL;
-+ sig->s = NULL;
-+ while(fgets(buf, sizeof buf, in) != NULL)
-+ {
-+ fputs(buf, out);
-+ if (*buf == '[')
-+ {
-+ curve_nid = elookup_curve(buf, lbuf, &digest);
-+ if (curve_nid == NID_undef)
-+ return 0;
-+ }
-+ if (!parse_line(&keyword, &value, lbuf, buf))
-+ continue;
-+ if (!strcmp(keyword, "Msg"))
-+ {
-+ msg = hex2bin_m(value, &mlen);
-+ if (!msg)
-+ {
-+ fprintf(stderr, "Invalid Message\n");
-+ return 0;
-+ }
-+ }
-+
-+ if (!strcmp(keyword, "Qx"))
-+ {
-+ if (!do_hex2bn(&Qx, value))
-+ {
-+ fprintf(stderr, "Invalid Qx value\n");
-+ return 0;
-+ }
-+ }
-+ if (!strcmp(keyword, "Qy"))
-+ {
-+ if (!do_hex2bn(&Qy, value))
-+ {
-+ fprintf(stderr, "Invalid Qy value\n");
-+ return 0;
-+ }
-+ }
-+ if (!strcmp(keyword, "R"))
-+ {
-+ if (!do_hex2bn(&sig->r, value))
-+ {
-+ fprintf(stderr, "Invalid R value\n");
-+ return 0;
-+ }
-+ }
-+ if (!strcmp(keyword, "S"))
-+ {
-+ int rv;
-+ if (!do_hex2bn(&sig->s, value))
-+ {
-+ fprintf(stderr, "Invalid S value\n");
-+ return 0;
-+ }
-+ key = EC_KEY_new_by_curve_name(curve_nid);
-+ rv = EC_KEY_set_public_key_affine_coordinates(key, Qx, Qy);
-+
-+ if (rv != 1)
-+ {
-+ fprintf(stderr, "Error setting public key\n");
-+ return 0;
-+ }
-+
-+ no_err = 1;
-+ rv = FIPS_ecdsa_verify(key, msg, mlen, digest, sig);
-+ EC_KEY_free(key);
-+ if (msg)
-+ OPENSSL_free(msg);
-+ no_err = 0;
-+
-+ fprintf(out, "Result = %s" RESP_EOL, rv ? "P":"F");
-+ }
-+
-+ }
-+ if (sig->r)
-+ BN_free(sig->r);
-+ if (sig->s)
-+ BN_free(sig->s);
-+ if (Qx)
-+ BN_free(Qx);
-+ if (Qy)
-+ BN_free(Qy);
-+ return 1;
-+ }
-+#ifdef FIPS_ALGVS
-+int fips_ecdsavs_main(int argc, char **argv)
-+#else
-+int main(int argc, char **argv)
-+#endif
-+ {
-+ FILE *in = NULL, *out = NULL;
-+ const char *cmd = argv[1];
-+ int rv = 0;
-+ fips_algtest_init();
-+
-+ if (argc == 4)
-+ {
-+ in = fopen(argv[2], "r");
-+ if (!in)
-+ {
-+ fprintf(stderr, "Error opening input file\n");
-+ exit(1);
-+ }
-+ out = fopen(argv[3], "w");
-+ if (!out)
-+ {
-+ fprintf(stderr, "Error opening output file\n");
-+ exit(1);
-+ }
-+ }
-+ else if (argc == 2)
-+ {
-+ in = stdin;
-+ out = stdout;
-+ }
-+
-+ if (!cmd)
-+ {
-+ fprintf(stderr, "fips_ecdsavs [KeyPair|PKV|SigGen|SigVer]\n");
-+ return 1;
-+ }
-+ if (!strcmp(cmd, "KeyPair"))
-+ rv = KeyPair(in, out);
-+ else if (!strcmp(cmd, "PKV"))
-+ rv = PKV(in, out);
-+ else if (!strcmp(cmd, "SigVer"))
-+ rv = SigVer(in, out);
-+ else if (!strcmp(cmd, "SigGen"))
-+ rv = SigGen(in, out);
-+ else
-+ {
-+ fprintf(stderr, "Unknown command %s\n", cmd);
-+ return 1;
-+ }
-+
-+ if (argc == 4)
-+ {
-+ fclose(in);
-+ fclose(out);
-+ }
-+
-+ if (rv <= 0)
-+ {
-+ fprintf(stderr, "Error running %s\n", cmd);
-+ return 1;
-+ }
-+
-+ return 0;
-+ }
-+
-+#endif
-diff -up openssl-1.0.1e/crypto/fips/fips_ecdh_selftest.c.fips-ec openssl-1.0.1e/crypto/fips/fips_ecdh_selftest.c
---- openssl-1.0.1e/crypto/fips/fips_ecdh_selftest.c.fips-ec 2013-11-08 17:59:43.150028068 +0100
-+++ openssl-1.0.1e/crypto/fips/fips_ecdh_selftest.c 2013-11-08 17:59:43.150028068 +0100
-@@ -0,0 +1,252 @@
-+/* fips/ecdh/fips_ecdh_selftest.c */
-+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
-+ * project 2011.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ *
-+ */
-+
-+#define OPENSSL_FIPSAPI
-+
-+#include <string.h>
-+#include <openssl/crypto.h>
-+#include <openssl/ec.h>
-+#include <openssl/ecdh.h>
-+#include <openssl/fips.h>
-+#include <openssl/err.h>
-+#include <openssl/evp.h>
-+#include <openssl/bn.h>
-+
-+#ifdef OPENSSL_FIPS
-+
-+#include "fips_locl.h"
-+
-+static const unsigned char p256_qcavsx[] = {
-+ 0x52,0xc6,0xa5,0x75,0xf3,0x04,0x98,0xb3,0x29,0x66,0x0c,0x62,
-+ 0x18,0x60,0x55,0x41,0x59,0xd4,0x60,0x85,0x99,0xc1,0x51,0x13,
-+ 0x6f,0x97,0x85,0x93,0x33,0x34,0x07,0x50
-+};
-+static const unsigned char p256_qcavsy[] = {
-+ 0x6f,0x69,0x24,0xeb,0xe9,0x3b,0xa7,0xcc,0x47,0x17,0xaa,0x3f,
-+ 0x70,0xfc,0x10,0x73,0x0a,0xcd,0x21,0xee,0x29,0x19,0x1f,0xaf,
-+ 0xb4,0x1c,0x1e,0xc2,0x8e,0x97,0x81,0x6e
-+};
-+static const unsigned char p256_qiutx[] = {
-+ 0x71,0x46,0x88,0x08,0x92,0x21,0x1b,0x10,0x21,0x74,0xff,0x0c,
-+ 0x94,0xde,0x34,0x7c,0x86,0x74,0xbe,0x67,0x41,0x68,0xd4,0xc1,
-+ 0xe5,0x75,0x63,0x9c,0xa7,0x46,0x93,0x6f
-+};
-+static const unsigned char p256_qiuty[] = {
-+ 0x33,0x40,0xa9,0x6a,0xf5,0x20,0xb5,0x9e,0xfc,0x60,0x1a,0xae,
-+ 0x3d,0xf8,0x21,0xd2,0xa7,0xca,0x52,0x34,0xb9,0x5f,0x27,0x75,
-+ 0x6c,0x81,0xbe,0x32,0x4d,0xba,0xbb,0xf8
-+};
-+static const unsigned char p256_qiutd[] = {
-+ 0x1a,0x48,0x55,0x6b,0x11,0xbe,0x92,0xd4,0x1c,0xd7,0x45,0xc3,
-+ 0x82,0x81,0x51,0xf1,0x23,0x40,0xb7,0x83,0xfd,0x01,0x6d,0xbc,
-+ 0xa1,0x66,0xaf,0x0a,0x03,0x23,0xcd,0xc8
-+};
-+static const unsigned char p256_ziut[] = {
-+ 0x77,0x2a,0x1e,0x37,0xee,0xe6,0x51,0x02,0x71,0x40,0xf8,0x6a,
-+ 0x36,0xf8,0x65,0x61,0x2b,0x18,0x71,0x82,0x23,0xe6,0xf2,0x77,
-+ 0xce,0xec,0xb8,0x49,0xc7,0xbf,0x36,0x4f
-+};
-+
-+
-+typedef struct
-+ {
-+ int curve;
-+ const unsigned char *x1;
-+ size_t x1len;
-+ const unsigned char *y1;
-+ size_t y1len;
-+ const unsigned char *d1;
-+ size_t d1len;
-+ const unsigned char *x2;
-+ size_t x2len;
-+ const unsigned char *y2;
-+ size_t y2len;
-+ const unsigned char *z;
-+ size_t zlen;
-+ } ECDH_SELFTEST_DATA;
-+
-+#define make_ecdh_test(nid, pr) { nid, \
-+ pr##_qiutx, sizeof(pr##_qiutx), \
-+ pr##_qiuty, sizeof(pr##_qiuty), \
-+ pr##_qiutd, sizeof(pr##_qiutd), \
-+ pr##_qcavsx, sizeof(pr##_qcavsx), \
-+ pr##_qcavsy, sizeof(pr##_qcavsy), \
-+ pr##_ziut, sizeof(pr##_ziut) }
-+
-+static ECDH_SELFTEST_DATA test_ecdh_data[] =
-+ {
-+ make_ecdh_test(NID_X9_62_prime256v1, p256),
-+ };
-+
-+int FIPS_selftest_ecdh(void)
-+ {
-+ EC_KEY *ec1 = NULL, *ec2 = NULL;
-+ const EC_POINT *ecp = NULL;
-+ BIGNUM *x = NULL, *y = NULL, *d = NULL;
-+ unsigned char *ztmp = NULL;
-+ int rv = 1;
-+ size_t i;
-+
-+ for (i = 0; i < sizeof(test_ecdh_data)/sizeof(ECDH_SELFTEST_DATA); i++)
-+ {
-+ ECDH_SELFTEST_DATA *ecd = test_ecdh_data + i;
-+ if (!fips_post_started(FIPS_TEST_ECDH, ecd->curve, 0))
-+ continue;
-+ ztmp = OPENSSL_malloc(ecd->zlen);
-+
-+ x = BN_bin2bn(ecd->x1, ecd->x1len, x);
-+ y = BN_bin2bn(ecd->y1, ecd->y1len, y);
-+ d = BN_bin2bn(ecd->d1, ecd->d1len, d);
-+
-+ if (!x || !y || !d || !ztmp)
-+ {
-+ rv = -1;
-+ goto err;
-+ }
-+
-+ ec1 = EC_KEY_new_by_curve_name(ecd->curve);
-+ if (!ec1)
-+ {
-+ rv = -1;
-+ goto err;
-+ }
-+ EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH);
-+
-+ if (!EC_KEY_set_public_key_affine_coordinates(ec1, x, y))
-+ {
-+ rv = -1;
-+ goto err;
-+ }
-+
-+ if (!EC_KEY_set_private_key(ec1, d))
-+ {
-+ rv = -1;
-+ goto err;
-+ }
-+
-+ x = BN_bin2bn(ecd->x2, ecd->x2len, x);
-+ y = BN_bin2bn(ecd->y2, ecd->y2len, y);
-+
-+ if (!x || !y)
-+ {
-+ rv = -1;
-+ goto err;
-+ }
-+
-+ ec2 = EC_KEY_new_by_curve_name(ecd->curve);
-+ if (!ec2)
-+ {
-+ rv = -1;
-+ goto err;
-+ }
-+ EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH);
-+
-+ if (!EC_KEY_set_public_key_affine_coordinates(ec2, x, y))
-+ {
-+ rv = -1;
-+ goto err;
-+ }
-+
-+ ecp = EC_KEY_get0_public_key(ec2);
-+ if (!ecp)
-+ {
-+ rv = -1;
-+ goto err;
-+ }
-+
-+ if (!ECDH_compute_key(ztmp, ecd->zlen, ecp, ec1, 0))
-+ {
-+ rv = -1;
-+ goto err;
-+ }
-+
-+ if (!fips_post_corrupt(FIPS_TEST_ECDH, ecd->curve, NULL))
-+ ztmp[0] ^= 0x1;
-+
-+ if (memcmp(ztmp, ecd->z, ecd->zlen))
-+ {
-+ fips_post_failed(FIPS_TEST_ECDH, ecd->curve, 0);
-+ rv = 0;
-+ }
-+ else if (!fips_post_success(FIPS_TEST_ECDH, ecd->curve, 0))
-+ goto err;
-+
-+ EC_KEY_free(ec1);
-+ ec1 = NULL;
-+ EC_KEY_free(ec2);
-+ ec2 = NULL;
-+ OPENSSL_free(ztmp);
-+ ztmp = NULL;
-+ }
-+
-+ err:
-+
-+ if (x)
-+ BN_clear_free(x);
-+ if (y)
-+ BN_clear_free(y);
-+ if (d)
-+ BN_clear_free(d);
-+ if (ec1)
-+ EC_KEY_free(ec1);
-+ if (ec2)
-+ EC_KEY_free(ec2);
-+ if (ztmp)
-+ OPENSSL_free(ztmp);
-+
-+ return rv;
-+
-+ }
-+
-+#endif
-diff -up openssl-1.0.1e/crypto/fips/fips_ecdsa_selftest.c.fips-ec openssl-1.0.1e/crypto/fips/fips_ecdsa_selftest.c
---- openssl-1.0.1e/crypto/fips/fips_ecdsa_selftest.c.fips-ec 2013-11-08 17:59:43.150028068 +0100
-+++ openssl-1.0.1e/crypto/fips/fips_ecdsa_selftest.c 2013-11-08 17:59:43.150028068 +0100
-@@ -0,0 +1,167 @@
-+/* fips/ecdsa/fips_ecdsa_selftest.c */
-+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
-+ * project 2011.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ *
-+ */
-+
-+#define OPENSSL_FIPSAPI
-+
-+#include <string.h>
-+#include <openssl/crypto.h>
-+#include <openssl/ec.h>
-+#include <openssl/ecdsa.h>
-+#include <openssl/fips.h>
-+#include <openssl/err.h>
-+#include <openssl/evp.h>
-+#include <openssl/bn.h>
-+
-+#ifdef OPENSSL_FIPS
-+
-+static const char P_256_name[] = "ECDSA P-256";
-+
-+static const unsigned char P_256_d[] = {
-+ 0x51,0xbd,0x06,0xa1,0x1c,0xda,0xe2,0x12,0x99,0xc9,0x52,0x3f,
-+ 0xea,0xa4,0xd2,0xd1,0xf4,0x7f,0xd4,0x3e,0xbd,0xf8,0xfc,0x87,
-+ 0xdc,0x82,0x53,0x21,0xee,0xa0,0xdc,0x64
-+};
-+static const unsigned char P_256_qx[] = {
-+ 0x23,0x89,0xe0,0xf4,0x69,0xe0,0x49,0xe5,0xc7,0xe5,0x40,0x6e,
-+ 0x8f,0x25,0xdd,0xad,0x11,0x16,0x14,0x9b,0xab,0x44,0x06,0x31,
-+ 0xbf,0x5e,0xa6,0x44,0xac,0x86,0x00,0x07
-+};
-+static const unsigned char P_256_qy[] = {
-+ 0xb3,0x05,0x0d,0xd0,0xdc,0xf7,0x40,0xe6,0xf9,0xd8,0x6d,0x7b,
-+ 0x63,0xca,0x97,0xe6,0x12,0xf9,0xd4,0x18,0x59,0xbe,0xb2,0x5e,
-+ 0x4a,0x6a,0x77,0x23,0xf4,0x11,0x9d,0xeb
-+};
-+
-+typedef struct
-+ {
-+ int curve;
-+ const char *name;
-+ const unsigned char *x;
-+ size_t xlen;
-+ const unsigned char *y;
-+ size_t ylen;
-+ const unsigned char *d;
-+ size_t dlen;
-+ } EC_SELFTEST_DATA;
-+
-+#define make_ecdsa_test(nid, pr) { nid, pr##_name, \
-+ pr##_qx, sizeof(pr##_qx), \
-+ pr##_qy, sizeof(pr##_qy), \
-+ pr##_d, sizeof(pr##_d)}
-+
-+static EC_SELFTEST_DATA test_ec_data[] =
-+ {
-+ make_ecdsa_test(NID_X9_62_prime256v1, P_256),
-+ };
-+
-+int FIPS_selftest_ecdsa()
-+ {
-+ EC_KEY *ec = NULL;
-+ BIGNUM *x = NULL, *y = NULL, *d = NULL;
-+ EVP_PKEY *pk = NULL;
-+ int rv = 0;
-+ size_t i;
-+
-+ for (i = 0; i < sizeof(test_ec_data)/sizeof(EC_SELFTEST_DATA); i++)
-+ {
-+ EC_SELFTEST_DATA *ecd = test_ec_data + i;
-+
-+ x = BN_bin2bn(ecd->x, ecd->xlen, x);
-+ y = BN_bin2bn(ecd->y, ecd->ylen, y);
-+ d = BN_bin2bn(ecd->d, ecd->dlen, d);
-+
-+ if (!x || !y || !d)
-+ goto err;
-+
-+ ec = EC_KEY_new_by_curve_name(ecd->curve);
-+ if (!ec)
-+ goto err;
-+
-+ if (!EC_KEY_set_public_key_affine_coordinates(ec, x, y))
-+ goto err;
-+
-+ if (!EC_KEY_set_private_key(ec, d))
-+ goto err;
-+
-+ if ((pk=EVP_PKEY_new()) == NULL)
-+ goto err;
-+
-+ EVP_PKEY_assign_EC_KEY(pk, ec);
-+
-+ if (!fips_pkey_signature_test(pk, NULL, 0,
-+ NULL, 0, EVP_sha256(), 0,
-+ ecd->name))
-+ goto err;
-+ }
-+
-+ rv = 1;
-+
-+ err:
-+
-+ if (x)
-+ BN_clear_free(x);
-+ if (y)
-+ BN_clear_free(y);
-+ if (d)
-+ BN_clear_free(d);
-+ if (pk)
-+ EVP_PKEY_free(pk);
-+ else if (ec)
-+ EC_KEY_free(ec);
-+
-+ return rv;
-+
-+ }
-+
-+#endif
-diff -up openssl-1.0.1e/crypto/fips/fips.h.fips-ec openssl-1.0.1e/crypto/fips/fips.h
---- openssl-1.0.1e/crypto/fips/fips.h.fips-ec 2013-11-08 17:59:43.116027318 +0100
-+++ openssl-1.0.1e/crypto/fips/fips.h 2013-11-08 17:59:43.150028068 +0100
-@@ -93,6 +93,8 @@ int FIPS_selftest_rsa(void);
- void FIPS_corrupt_dsa(void);
- void FIPS_corrupt_dsa_keygen(void);
- int FIPS_selftest_dsa(void);
-+int FIPS_selftest_ecdsa(void);
-+int FIPS_selftest_ecdh(void);
- void FIPS_corrupt_rng(void);
- void FIPS_rng_stick(void);
- void FIPS_x931_stick(int onoff);
-diff -up openssl-1.0.1e/crypto/fips/fips_post.c.fips-ec openssl-1.0.1e/crypto/fips/fips_post.c
---- openssl-1.0.1e/crypto/fips/fips_post.c.fips-ec 2013-11-08 17:59:43.117027340 +0100
-+++ openssl-1.0.1e/crypto/fips/fips_post.c 2013-11-08 17:59:43.150028068 +0100
-@@ -95,8 +95,12 @@ int FIPS_selftest(void)
- rv = 0;
- if (!FIPS_selftest_rsa())
- rv = 0;
-+ if (!FIPS_selftest_ecdsa())
-+ rv = 0;
- if (!FIPS_selftest_dsa())
- rv = 0;
-+ if (!FIPS_selftest_ecdh())
-+ rv = 0;
- return rv;
- }
-
-diff -up openssl-1.0.1e/crypto/fips/Makefile.fips-ec openssl-1.0.1e/crypto/fips/Makefile
---- openssl-1.0.1e/crypto/fips/Makefile.fips-ec 2013-11-08 17:59:43.119027384 +0100
-+++ openssl-1.0.1e/crypto/fips/Makefile 2013-11-08 17:59:43.151028090 +0100
-@@ -24,13 +24,13 @@ LIBSRC=fips_aes_selftest.c fips_des_self
- fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c fips_rand.c \
- fips_rsa_x931g.c fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \
- fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \
-- fips_cmac_selftest.c fips_enc.c fips_md.c
-+ fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c fips_enc.c fips_md.c
-
- LIBOBJ=fips_aes_selftest.o fips_des_selftest.o fips_hmac_selftest.o fips_rand_selftest.o \
- fips_rsa_selftest.o fips_sha_selftest.o fips.o fips_dsa_selftest.o fips_rand.o \
- fips_rsa_x931g.o fips_post.o fips_drbg_ctr.o fips_drbg_hash.o fips_drbg_hmac.o \
- fips_drbg_lib.o fips_drbg_rand.o fips_drbg_selftest.o fips_rand_lib.o \
-- fips_cmac_selftest.o fips_enc.o fips_md.o
-+ fips_cmac_selftest.o fips_ecdh_selftest.o fips_ecdsa_selftest.o fips_enc.o fips_md.o
-
- LIBCRYPTO=-L.. -lcrypto
-
-@@ -118,6 +118,21 @@ fips_aes_selftest.o: ../../include/opens
- fips_aes_selftest.o: ../../include/openssl/safestack.h
- fips_aes_selftest.o: ../../include/openssl/stack.h
- fips_aes_selftest.o: ../../include/openssl/symhacks.h fips_aes_selftest.c
-+fips_cmac_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+fips_cmac_selftest.o: ../../include/openssl/cmac.h
-+fips_cmac_selftest.o: ../../include/openssl/crypto.h
-+fips_cmac_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-+fips_cmac_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
-+fips_cmac_selftest.o: ../../include/openssl/lhash.h
-+fips_cmac_selftest.o: ../../include/openssl/obj_mac.h
-+fips_cmac_selftest.o: ../../include/openssl/objects.h
-+fips_cmac_selftest.o: ../../include/openssl/opensslconf.h
-+fips_cmac_selftest.o: ../../include/openssl/opensslv.h
-+fips_cmac_selftest.o: ../../include/openssl/ossl_typ.h
-+fips_cmac_selftest.o: ../../include/openssl/safestack.h
-+fips_cmac_selftest.o: ../../include/openssl/stack.h
-+fips_cmac_selftest.o: ../../include/openssl/symhacks.h fips_cmac_selftest.c
-+fips_cmac_selftest.o: fips_locl.h
- fips_des_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
- fips_des_selftest.o: ../../include/openssl/crypto.h
- fips_des_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-@@ -231,6 +246,46 @@ fips_dsa_selftest.o: ../../include/opens
- fips_dsa_selftest.o: ../../include/openssl/stack.h
- fips_dsa_selftest.o: ../../include/openssl/symhacks.h fips_dsa_selftest.c
- fips_dsa_selftest.o: fips_locl.h
-+fips_ecdh_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+fips_ecdh_selftest.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
-+fips_ecdh_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
-+fips_ecdh_selftest.o: ../../include/openssl/ecdh.h ../../include/openssl/err.h
-+fips_ecdh_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
-+fips_ecdh_selftest.o: ../../include/openssl/lhash.h
-+fips_ecdh_selftest.o: ../../include/openssl/obj_mac.h
-+fips_ecdh_selftest.o: ../../include/openssl/objects.h
-+fips_ecdh_selftest.o: ../../include/openssl/opensslconf.h
-+fips_ecdh_selftest.o: ../../include/openssl/opensslv.h
-+fips_ecdh_selftest.o: ../../include/openssl/ossl_typ.h
-+fips_ecdh_selftest.o: ../../include/openssl/safestack.h
-+fips_ecdh_selftest.o: ../../include/openssl/stack.h
-+fips_ecdh_selftest.o: ../../include/openssl/symhacks.h fips_ecdh_selftest.c
-+fips_ecdh_selftest.o: fips_locl.h
-+fips_ecdsa_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+fips_ecdsa_selftest.o: ../../include/openssl/bn.h
-+fips_ecdsa_selftest.o: ../../include/openssl/crypto.h
-+fips_ecdsa_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
-+fips_ecdsa_selftest.o: ../../include/openssl/ecdsa.h
-+fips_ecdsa_selftest.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-+fips_ecdsa_selftest.o: ../../include/openssl/fips.h
-+fips_ecdsa_selftest.o: ../../include/openssl/lhash.h
-+fips_ecdsa_selftest.o: ../../include/openssl/obj_mac.h
-+fips_ecdsa_selftest.o: ../../include/openssl/objects.h
-+fips_ecdsa_selftest.o: ../../include/openssl/opensslconf.h
-+fips_ecdsa_selftest.o: ../../include/openssl/opensslv.h
-+fips_ecdsa_selftest.o: ../../include/openssl/ossl_typ.h
-+fips_ecdsa_selftest.o: ../../include/openssl/safestack.h
-+fips_ecdsa_selftest.o: ../../include/openssl/stack.h
-+fips_ecdsa_selftest.o: ../../include/openssl/symhacks.h fips_ecdsa_selftest.c
-+fips_enc.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+fips_enc.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-+fips_enc.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-+fips_enc.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
-+fips_enc.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-+fips_enc.o: ../../include/openssl/opensslconf.h
-+fips_enc.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-+fips_enc.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-+fips_enc.o: ../../include/openssl/symhacks.h fips_enc.c
- fips_hmac_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
- fips_hmac_selftest.o: ../../include/openssl/crypto.h
- fips_hmac_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-@@ -245,6 +300,15 @@ fips_hmac_selftest.o: ../../include/open
- fips_hmac_selftest.o: ../../include/openssl/safestack.h
- fips_hmac_selftest.o: ../../include/openssl/stack.h
- fips_hmac_selftest.o: ../../include/openssl/symhacks.h fips_hmac_selftest.c
-+fips_md.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+fips_md.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-+fips_md.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-+fips_md.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
-+fips_md.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-+fips_md.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-+fips_md.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
-+fips_md.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-+fips_md.o: fips_md.c
- fips_post.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
- fips_post.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
- fips_post.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-diff -up openssl-1.0.1e/version.map.fips-ec openssl-1.0.1e/version.map
---- openssl-1.0.1e/version.map.fips-ec 2013-11-08 17:59:43.131027649 +0100
-+++ openssl-1.0.1e/version.map 2013-11-08 17:59:43.151028090 +0100
-@@ -6,3 +6,7 @@ OPENSSL_1.0.1 {
- _original*;
- _current*;
- };
-+OPENSSL_1.0.1_EC {
-+ global:
-+ EC*;
-+};
diff --git a/SOURCES/openssl-1.0.1e-fips.patch b/SOURCES/openssl-1.0.1e-fips.patch
deleted file mode 100644
index d1a7e7f..0000000
--- a/SOURCES/openssl-1.0.1e-fips.patch
+++ /dev/null
@@ -1,20452 +0,0 @@
-diff -up openssl-1.0.1e/apps/pkcs12.c.fips openssl-1.0.1e/apps/pkcs12.c
---- openssl-1.0.1e/apps/pkcs12.c.fips 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/apps/pkcs12.c 2013-10-04 11:48:04.172693955 +0200
-@@ -67,6 +67,9 @@
- #include <openssl/err.h>
- #include <openssl/pem.h>
- #include <openssl/pkcs12.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-
- #define PROG pkcs12_main
-
-@@ -130,6 +133,11 @@ int MAIN(int argc, char **argv)
-
- apps_startup();
-
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode())
-+ cert_pbe = key_pbe; /* cannot use RC2 in the FIPS mode */
-+#endif
-+
- enc = EVP_des_ede3_cbc();
- if (bio_err == NULL ) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
-
-diff -up openssl-1.0.1e/apps/speed.c.fips openssl-1.0.1e/apps/speed.c
---- openssl-1.0.1e/apps/speed.c.fips 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/apps/speed.c 2013-10-04 11:49:56.384227859 +0200
-@@ -195,7 +195,6 @@
- #ifdef OPENSSL_DOING_MAKEDEPEND
- #undef AES_set_encrypt_key
- #undef AES_set_decrypt_key
--#undef DES_set_key_unchecked
- #endif
- #define BF_set_key private_BF_set_key
- #define CAST_set_key private_CAST_set_key
-@@ -203,7 +202,6 @@
- #define SEED_set_key private_SEED_set_key
- #define RC2_set_key private_RC2_set_key
- #define RC4_set_key private_RC4_set_key
--#define DES_set_key_unchecked private_DES_set_key_unchecked
- #define AES_set_encrypt_key private_AES_set_encrypt_key
- #define AES_set_decrypt_key private_AES_set_decrypt_key
- #define Camellia_set_key private_Camellia_set_key
-@@ -941,7 +939,12 @@ int MAIN(int argc, char **argv)
- #ifndef OPENSSL_NO_RSA
- if (strcmp(*argv,"rsa") == 0)
- {
-+#ifdef OPENSSL_FIPS
-+ if (!FIPS_mode())
-+#endif
-+ {
- rsa_doit[R_RSA_512]=1;
-+ }
- rsa_doit[R_RSA_1024]=1;
- rsa_doit[R_RSA_2048]=1;
- rsa_doit[R_RSA_4096]=1;
-@@ -951,7 +954,12 @@ int MAIN(int argc, char **argv)
- #ifndef OPENSSL_NO_DSA
- if (strcmp(*argv,"dsa") == 0)
- {
-+#ifdef OPENSSL_FIPS
-+ if (!FIPS_mode())
-+#endif
-+ {
- dsa_doit[R_DSA_512]=1;
-+ }
- dsa_doit[R_DSA_1024]=1;
- dsa_doit[R_DSA_2048]=1;
- }
-@@ -1162,12 +1170,18 @@ int MAIN(int argc, char **argv)
- {
- for (i=0; i<ALGOR_NUM; i++)
- {
-- if (i != D_EVP)
-+ if (i != D_EVP &&
-+ (!FIPS_mode() || (i != D_WHIRLPOOL &&
-+ i != D_MD2 && i != D_MD4 &&
-+ i != D_MD5 && i != D_MDC2 &&
-+ i != D_RMD160)))
- doit[i]=1;
- }
- for (i=0; i<RSA_NUM; i++)
-+ if (!FIPS_mode() || i != R_RSA_512)
- rsa_doit[i]=1;
- for (i=0; i<DSA_NUM; i++)
-+ if (!FIPS_mode() || i != R_DSA_512)
- dsa_doit[i]=1;
- #ifndef OPENSSL_NO_ECDSA
- for (i=0; i<EC_NUM; i++)
-@@ -1226,30 +1240,54 @@ int MAIN(int argc, char **argv)
- AES_set_encrypt_key(key32,256,&aes_ks3);
- #endif
- #ifndef OPENSSL_NO_CAMELLIA
-+ if (doit[D_CBC_128_CML] || doit[D_CBC_192_CML] || doit[D_CBC_256_CML])
-+ {
- Camellia_set_key(key16,128,&camellia_ks1);
- Camellia_set_key(ckey24,192,&camellia_ks2);
- Camellia_set_key(ckey32,256,&camellia_ks3);
-+ }
- #endif
- #ifndef OPENSSL_NO_IDEA
-+ if (doit[D_CBC_IDEA])
-+ {
- idea_set_encrypt_key(key16,&idea_ks);
-+ }
- #endif
- #ifndef OPENSSL_NO_SEED
-+ if (doit[D_CBC_SEED])
-+ {
- SEED_set_key(key16,&seed_ks);
-+ }
- #endif
- #ifndef OPENSSL_NO_RC4
-+ if (doit[D_RC4])
-+ {
- RC4_set_key(&rc4_ks,16,key16);
-+ }
- #endif
- #ifndef OPENSSL_NO_RC2
-+ if (doit[D_CBC_RC2])
-+ {
- RC2_set_key(&rc2_ks,16,key16,128);
-+ }
- #endif
- #ifndef OPENSSL_NO_RC5
-+ if (doit[D_CBC_RC5])
-+ {
- RC5_32_set_key(&rc5_ks,16,key16,12);
-+ }
- #endif
- #ifndef OPENSSL_NO_BF
-+ if (doit[D_CBC_BF])
-+ {
- BF_set_key(&bf_ks,16,key16);
-+ }
- #endif
- #ifndef OPENSSL_NO_CAST
-+ if (doit[D_CBC_CAST])
-+ {
- CAST_set_key(&cast_ks,16,key16);
-+ }
- #endif
- #ifndef OPENSSL_NO_RSA
- memset(rsa_c,0,sizeof(rsa_c));
-@@ -1564,6 +1602,7 @@ int MAIN(int argc, char **argv)
- HMAC_CTX hctx;
-
- HMAC_CTX_init(&hctx);
-+ HMAC_CTX_set_flags(&hctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
- HMAC_Init_ex(&hctx,(unsigned char *)"This is a key...",
- 16,EVP_md5(), NULL);
-
-diff -up openssl-1.0.1e/Configure.fips openssl-1.0.1e/Configure
---- openssl-1.0.1e/Configure.fips 2013-10-04 11:48:04.153693526 +0200
-+++ openssl-1.0.1e/Configure 2013-10-04 11:48:04.173693978 +0200
-@@ -995,11 +995,6 @@ if (defined($disabled{"md5"}) || defined
- $disabled{"ssl2"} = "forced";
- }
-
--if ($fips && $fipslibdir eq "")
-- {
-- $fipslibdir = $fipsdir . "/lib/";
-- }
--
- # RSAX ENGINE sets default non-FIPS RSA method.
- if ($fips)
- {
-@@ -1474,7 +1469,6 @@ $cflags.=" -DOPENSSL_BN_ASM_GF2m" if ($b
- if ($fips)
- {
- $openssl_other_defines.="#define OPENSSL_FIPS\n";
-- $cflags .= " -I\$(FIPSDIR)/include";
- }
-
- $cpuid_obj="mem_clr.o" unless ($cpuid_obj =~ /\.o$/);
-@@ -1661,9 +1655,12 @@ while (<IN>)
-
- s/^FIPSDIR=.*/FIPSDIR=$fipsdir/;
- s/^FIPSLIBDIR=.*/FIPSLIBDIR=$fipslibdir/;
-- s/^FIPSCANLIB=.*/FIPSCANLIB=libcrypto/ if $fips;
- s/^BASEADDR=.*/BASEADDR=$baseaddr/;
-
-+ if ($fips)
-+ {
-+ s/^FIPS=.*/FIPS=yes/;
-+ }
- s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/;
- s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/;
- s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared);
-diff -up openssl-1.0.1e/crypto/aes/aes_misc.c.fips openssl-1.0.1e/crypto/aes/aes_misc.c
---- openssl-1.0.1e/crypto/aes/aes_misc.c.fips 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/aes/aes_misc.c 2013-10-04 11:48:04.173693978 +0200
-@@ -69,17 +69,11 @@ const char *AES_options(void) {
- int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
- AES_KEY *key)
- {
--#ifdef OPENSSL_FIPS
-- fips_cipher_abort(AES);
--#endif
- return private_AES_set_encrypt_key(userKey, bits, key);
- }
-
- int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
- AES_KEY *key)
- {
--#ifdef OPENSSL_FIPS
-- fips_cipher_abort(AES);
--#endif
- return private_AES_set_decrypt_key(userKey, bits, key);
- }
-diff -up openssl-1.0.1e/crypto/cmac/cmac.c.fips openssl-1.0.1e/crypto/cmac/cmac.c
---- openssl-1.0.1e/crypto/cmac/cmac.c.fips 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/cmac/cmac.c 2013-10-04 11:48:04.173693978 +0200
-@@ -107,13 +107,6 @@ CMAC_CTX *CMAC_CTX_new(void)
-
- void CMAC_CTX_cleanup(CMAC_CTX *ctx)
- {
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode() && !ctx->cctx.engine)
-- {
-- FIPS_cmac_ctx_cleanup(ctx);
-- return;
-- }
--#endif
- EVP_CIPHER_CTX_cleanup(&ctx->cctx);
- OPENSSL_cleanse(ctx->tbl, EVP_MAX_BLOCK_LENGTH);
- OPENSSL_cleanse(ctx->k1, EVP_MAX_BLOCK_LENGTH);
-@@ -164,11 +157,6 @@ int CMAC_Init(CMAC_CTX *ctx, const void
- EVPerr(EVP_F_CMAC_INIT, EVP_R_DISABLED_FOR_FIPS);
- return 0;
- }
-- /* Other algorithm blocking will be done in FIPS_cmac_init,
-- * via FIPS_cipherinit().
-- */
-- if (!impl && !ctx->cctx.engine)
-- return FIPS_cmac_init(ctx, key, keylen, cipher, NULL);
- }
- #endif
- /* All zeros means restart */
-@@ -216,10 +204,6 @@ int CMAC_Update(CMAC_CTX *ctx, const voi
- {
- const unsigned char *data = in;
- size_t bl;
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode() && !ctx->cctx.engine)
-- return FIPS_cmac_update(ctx, in, dlen);
--#endif
- if (ctx->nlast_block == -1)
- return 0;
- if (dlen == 0)
-@@ -261,10 +245,6 @@ int CMAC_Update(CMAC_CTX *ctx, const voi
- int CMAC_Final(CMAC_CTX *ctx, unsigned char *out, size_t *poutlen)
- {
- int i, bl, lb;
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode() && !ctx->cctx.engine)
-- return FIPS_cmac_final(ctx, out, poutlen);
--#endif
- if (ctx->nlast_block == -1)
- return 0;
- bl = EVP_CIPHER_CTX_block_size(&ctx->cctx);
-diff -up openssl-1.0.1e/crypto/crypto.h.fips openssl-1.0.1e/crypto/crypto.h
---- openssl-1.0.1e/crypto/crypto.h.fips 2013-10-04 11:48:04.058691381 +0200
-+++ openssl-1.0.1e/crypto/crypto.h 2013-10-04 11:48:04.173693978 +0200
-@@ -553,24 +553,29 @@ int FIPS_mode_set(int r);
- void OPENSSL_init(void);
-
- #define fips_md_init(alg) fips_md_init_ctx(alg, alg)
-+#define nonfips_md_init(alg) nonfips_md_init_ctx(alg, alg)
-+#define fips_md_init_ctx(alg, cx) \
-+ int alg##_Init(cx##_CTX *c)
-
- #ifdef OPENSSL_FIPS
--#define fips_md_init_ctx(alg, cx) \
-+#define nonfips_md_init_ctx(alg, cx) \
- int alg##_Init(cx##_CTX *c) \
- { \
- if (FIPS_mode()) OpenSSLDie(__FILE__, __LINE__, \
-- "Low level API call to digest " #alg " forbidden in FIPS mode!"); \
-+ "Digest " #alg " forbidden in FIPS mode!"); \
- return private_##alg##_Init(c); \
- } \
- int private_##alg##_Init(cx##_CTX *c)
-
- #define fips_cipher_abort(alg) \
- if (FIPS_mode()) OpenSSLDie(__FILE__, __LINE__, \
-- "Low level API call to cipher " #alg " forbidden in FIPS mode!")
-+ "Cipher " #alg " forbidden in FIPS mode!")
-+
-+/* die if FIPS selftest failed */
-+void FIPS_selftest_check(void);
-
- #else
--#define fips_md_init_ctx(alg, cx) \
-- int alg##_Init(cx##_CTX *c)
-+#define nonfips_md_init_ctx(alg, cx) fips_md_init_ctx(alg, cx)
- #define fips_cipher_abort(alg) while(0)
- #endif
-
-@@ -587,6 +592,9 @@ int CRYPTO_memcmp(const void *a, const v
- */
- void ERR_load_CRYPTO_strings(void);
-
-+#define OPENSSL_HAVE_INIT 1
-+void OPENSSL_init_library(void);
-+
- /* Error codes for the CRYPTO functions. */
-
- /* Function codes. */
-diff -up openssl-1.0.1e/crypto/des/des.h.fips openssl-1.0.1e/crypto/des/des.h
---- openssl-1.0.1e/crypto/des/des.h.fips 2013-10-04 11:48:04.088692058 +0200
-+++ openssl-1.0.1e/crypto/des/des.h 2013-10-04 11:48:04.173693978 +0200
-@@ -224,9 +224,6 @@ int DES_set_key(const_DES_cblock *key,DE
- int DES_key_sched(const_DES_cblock *key,DES_key_schedule *schedule);
- int DES_set_key_checked(const_DES_cblock *key,DES_key_schedule *schedule);
- void DES_set_key_unchecked(const_DES_cblock *key,DES_key_schedule *schedule);
--#ifdef OPENSSL_FIPS
--void private_DES_set_key_unchecked(const_DES_cblock *key,DES_key_schedule *schedule);
--#endif
- void DES_string_to_key(const char *str,DES_cblock *key);
- void DES_string_to_2keys(const char *str,DES_cblock *key1,DES_cblock *key2);
- void DES_cfb64_encrypt(const unsigned char *in,unsigned char *out,long length,
-diff -up openssl-1.0.1e/crypto/des/set_key.c.fips openssl-1.0.1e/crypto/des/set_key.c
---- openssl-1.0.1e/crypto/des/set_key.c.fips 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/des/set_key.c 2013-10-04 11:48:04.174694001 +0200
-@@ -336,13 +336,6 @@ int DES_set_key_checked(const_DES_cblock
- }
-
- void DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule)
--#ifdef OPENSSL_FIPS
-- {
-- fips_cipher_abort(DES);
-- private_DES_set_key_unchecked(key, schedule);
-- }
--void private_DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule)
--#endif
- {
- static const int shifts2[16]={0,0,1,1,1,1,1,1,0,1,1,1,1,1,1,0};
- register DES_LONG c,d,t,s,t2;
-diff -up openssl-1.0.1e/crypto/dh/dh_gen.c.fips openssl-1.0.1e/crypto/dh/dh_gen.c
---- openssl-1.0.1e/crypto/dh/dh_gen.c.fips 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/dh/dh_gen.c 2013-10-04 11:48:04.174694001 +0200
-@@ -84,11 +84,6 @@ int DH_generate_parameters_ex(DH *ret, i
- #endif
- if(ret->meth->generate_params)
- return ret->meth->generate_params(ret, prime_len, generator, cb);
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode())
-- return FIPS_dh_generate_parameters_ex(ret, prime_len,
-- generator, cb);
--#endif
- return dh_builtin_genparams(ret, prime_len, generator, cb);
- }
-
-@@ -123,6 +118,20 @@ static int dh_builtin_genparams(DH *ret,
- int g,ok= -1;
- BN_CTX *ctx=NULL;
-
-+#ifdef OPENSSL_FIPS
-+ if(FIPS_selftest_failed())
-+ {
-+ FIPSerr(FIPS_F_DH_BUILTIN_GENPARAMS,FIPS_R_FIPS_SELFTEST_FAILED);
-+ return 0;
-+ }
-+
-+ if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS))
-+ {
-+ DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL);
-+ goto err;
-+ }
-+#endif
-+
- ctx=BN_CTX_new();
- if (ctx == NULL) goto err;
- BN_CTX_start(ctx);
-diff -up openssl-1.0.1e/crypto/dh/dh.h.fips openssl-1.0.1e/crypto/dh/dh.h
---- openssl-1.0.1e/crypto/dh/dh.h.fips 2014-02-06 18:04:19.000000000 +0100
-+++ openssl-1.0.1e/crypto/dh/dh.h 2014-02-11 16:01:17.039345356 +0100
-@@ -77,6 +77,8 @@
- # define OPENSSL_DH_MAX_MODULUS_BITS 10000
- #endif
-
-+#define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
-+
- #define DH_FLAG_CACHE_MONT_P 0x01
- #define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH
- * implementation now uses constant time
-@@ -210,6 +212,7 @@ int DH_check(const DH *dh,int *codes);
- int DH_check_pub_key(const DH *dh,const BIGNUM *pub_key, int *codes);
- int DH_generate_key(DH *dh);
- int DH_compute_key(unsigned char *key,const BIGNUM *pub_key,DH *dh);
-+int DH_compute_key_padded(unsigned char *key,const BIGNUM *pub_key,DH *dh);
- DH * d2i_DHparams(DH **a,const unsigned char **pp, long length);
- int i2d_DHparams(const DH *a,unsigned char **pp);
- #ifndef OPENSSL_NO_FP_API
-diff -up openssl-1.0.1e/crypto/dh/dh_key.c.fips openssl-1.0.1e/crypto/dh/dh_key.c
---- openssl-1.0.1e/crypto/dh/dh_key.c.fips 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/dh/dh_key.c 2014-02-11 15:57:55.266840301 +0100
-@@ -61,6 +61,9 @@
- #include <openssl/bn.h>
- #include <openssl/rand.h>
- #include <openssl/dh.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-
- static int generate_key(DH *dh);
- static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh);
-@@ -97,6 +100,21 @@ int DH_compute_key(unsigned char *key, c
- return dh->meth->compute_key(key, pub_key, dh);
- }
-
-+int DH_compute_key_padded(unsigned char *key, const BIGNUM *pub_key, DH *dh)
-+ {
-+ int rv, pad;
-+ rv = DH_compute_key(key, pub_key, dh);
-+ if (rv <= 0)
-+ return rv;
-+ pad = BN_num_bytes(dh->p) - rv;
-+ if (pad > 0)
-+ {
-+ memmove(key + pad, key, rv);
-+ memset(key, 0, pad);
-+ }
-+ return rv + pad;
-+ }
-+
- static DH_METHOD dh_ossl = {
- "OpenSSL DH Method",
- generate_key,
-@@ -104,7 +122,7 @@ compute_key,
- dh_bn_mod_exp,
- dh_init,
- dh_finish,
--0,
-+DH_FLAG_FIPS_METHOD,
- NULL,
- NULL
- };
-@@ -123,6 +141,14 @@ static int generate_key(DH *dh)
- BN_MONT_CTX *mont=NULL;
- BIGNUM *pub_key=NULL,*priv_key=NULL;
-
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode() && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS))
-+ {
-+ DHerr(DH_F_GENERATE_KEY, DH_R_KEY_SIZE_TOO_SMALL);
-+ return 0;
-+ }
-+#endif
-+
- ctx = BN_CTX_new();
- if (ctx == NULL) goto err;
-
-@@ -213,6 +239,13 @@ static int compute_key(unsigned char *ke
- DHerr(DH_F_COMPUTE_KEY,DH_R_MODULUS_TOO_LARGE);
- goto err;
- }
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode() && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS))
-+ {
-+ DHerr(DH_F_COMPUTE_KEY, DH_R_KEY_SIZE_TOO_SMALL);
-+ goto err;
-+ }
-+#endif
-
- ctx = BN_CTX_new();
- if (ctx == NULL) goto err;
-@@ -280,6 +313,9 @@ static int dh_bn_mod_exp(const DH *dh, B
-
- static int dh_init(DH *dh)
- {
-+#ifdef OPENSSL_FIPS
-+ FIPS_selftest_check();
-+#endif
- dh->flags |= DH_FLAG_CACHE_MONT_P;
- return(1);
- }
-diff -up openssl-1.0.1e/crypto/dh/dh_lib.c.fips openssl-1.0.1e/crypto/dh/dh_lib.c
---- openssl-1.0.1e/crypto/dh/dh_lib.c.fips 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/dh/dh_lib.c 2013-10-04 11:48:04.174694001 +0200
-@@ -81,14 +81,7 @@ const DH_METHOD *DH_get_default_method(v
- {
- if(!default_DH_method)
- {
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode())
-- return FIPS_dh_openssl();
-- else
-- return DH_OpenSSL();
--#else
- default_DH_method = DH_OpenSSL();
--#endif
- }
- return default_DH_method;
- }
-diff -up openssl-1.0.1e/crypto/dsa/dsa_err.c.fips openssl-1.0.1e/crypto/dsa/dsa_err.c
---- openssl-1.0.1e/crypto/dsa/dsa_err.c.fips 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/dsa/dsa_err.c 2013-10-04 11:48:04.174694001 +0200
-@@ -74,6 +74,8 @@ static ERR_STRING_DATA DSA_str_functs[]=
- {ERR_FUNC(DSA_F_DO_DSA_PRINT), "DO_DSA_PRINT"},
- {ERR_FUNC(DSA_F_DSAPARAMS_PRINT), "DSAparams_print"},
- {ERR_FUNC(DSA_F_DSAPARAMS_PRINT_FP), "DSAparams_print_fp"},
-+{ERR_FUNC(DSA_F_DSA_BUILTIN_KEYGEN), "dsa_builtin_keygen"},
-+{ERR_FUNC(DSA_F_DSA_BUILTIN_PARAMGEN), "dsa_builtin_paramgen"},
- {ERR_FUNC(DSA_F_DSA_DO_SIGN), "DSA_do_sign"},
- {ERR_FUNC(DSA_F_DSA_DO_VERIFY), "DSA_do_verify"},
- {ERR_FUNC(DSA_F_DSA_GENERATE_KEY), "DSA_generate_key"},
-@@ -106,6 +108,8 @@ static ERR_STRING_DATA DSA_str_reasons[]
- {ERR_REASON(DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE),"data too large for key size"},
- {ERR_REASON(DSA_R_DECODE_ERROR) ,"decode error"},
- {ERR_REASON(DSA_R_INVALID_DIGEST_TYPE) ,"invalid digest type"},
-+{ERR_REASON(DSA_R_KEY_SIZE_INVALID) ,"key size invalid"},
-+{ERR_REASON(DSA_R_KEY_SIZE_TOO_SMALL) ,"key size too small"},
- {ERR_REASON(DSA_R_MISSING_PARAMETERS) ,"missing parameters"},
- {ERR_REASON(DSA_R_MODULUS_TOO_LARGE) ,"modulus too large"},
- {ERR_REASON(DSA_R_NEED_NEW_SETUP_VALUES) ,"need new setup values"},
-diff -up openssl-1.0.1e/crypto/dsa/dsa_gen.c.fips openssl-1.0.1e/crypto/dsa/dsa_gen.c
---- openssl-1.0.1e/crypto/dsa/dsa_gen.c.fips 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/dsa/dsa_gen.c 2013-10-04 11:48:04.175694023 +0200
-@@ -85,6 +85,14 @@
- #include <openssl/fips.h>
- #endif
-
-+#ifndef OPENSSL_FIPS
-+static int FIPS_dsa_generate_pq(BN_CTX *ctx, size_t bits, size_t qbits,
-+ const EVP_MD *evpmd, unsigned char *seed, int seed_len,
-+ BIGNUM **p_ret, BIGNUM **q_ret, int *counter_ret, BN_GENCB *cb);
-+static int FIPS_dsa_generate_g(BN_CTX *ctx, BIGNUM *p, BIGNUM *q,
-+ BIGNUM **g_ret, unsigned long *h_ret, BN_GENCB *cb);
-+#endif
-+
- int DSA_generate_parameters_ex(DSA *ret, int bits,
- const unsigned char *seed_in, int seed_len,
- int *counter_ret, unsigned long *h_ret, BN_GENCB *cb)
-@@ -100,14 +108,6 @@ int DSA_generate_parameters_ex(DSA *ret,
- if(ret->meth->dsa_paramgen)
- return ret->meth->dsa_paramgen(ret, bits, seed_in, seed_len,
- counter_ret, h_ret, cb);
--#ifdef OPENSSL_FIPS
-- else if (FIPS_mode())
-- {
-- return FIPS_dsa_generate_parameters_ex(ret, bits,
-- seed_in, seed_len,
-- counter_ret, h_ret, cb);
-- }
--#endif
- else
- {
- const EVP_MD *evpmd;
-@@ -125,27 +125,119 @@ int DSA_generate_parameters_ex(DSA *ret,
- }
-
- return dsa_builtin_paramgen(ret, bits, qbits, evpmd,
-- seed_in, seed_len, NULL, counter_ret, h_ret, cb);
-+ seed_in, seed_len, counter_ret, h_ret, cb);
- }
- }
-
-+#ifdef OPENSSL_FIPS
-+int FIPS_dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
-+ const EVP_MD *evpmd, const unsigned char *seed_in, size_t seed_len,
-+ int *counter_ret, unsigned long *h_ret, BN_GENCB *cb)
-+ {
-+ return dsa_builtin_paramgen(ret, bits, qbits,
-+ evpmd, seed_in, seed_len,
-+ counter_ret, h_ret, cb);
-+ }
-+#endif
-+
- int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
- const EVP_MD *evpmd, const unsigned char *seed_in, size_t seed_len,
-- unsigned char *seed_out,
- int *counter_ret, unsigned long *h_ret, BN_GENCB *cb)
- {
- int ok=0;
- unsigned char seed[SHA256_DIGEST_LENGTH];
-+ BIGNUM *g=NULL,*q=NULL,*p=NULL;
-+ size_t qsize = qbits >> 3;
-+ BN_CTX *ctx=NULL;
-+
-+#ifdef OPENSSL_FIPS
-+ if(FIPS_selftest_failed())
-+ {
-+ FIPSerr(FIPS_F_DSA_BUILTIN_PARAMGEN,
-+ FIPS_R_FIPS_SELFTEST_FAILED);
-+ goto err;
-+ }
-+
-+ if (FIPS_module_mode() &&
-+ (bits != 1024 || qbits != 160) &&
-+ (bits != 2048 || qbits != 224) &&
-+ (bits != 2048 || qbits != 256) &&
-+ (bits != 3072 || qbits != 256))
-+ {
-+ DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_INVALID);
-+ goto err;
-+ }
-+#endif
-+ if (seed_len && (seed_len < (size_t)qsize))
-+ seed_in = NULL; /* seed buffer too small -- ignore */
-+ if (seed_len > sizeof(seed))
-+ seed_len = sizeof(seed); /* App. 2.2 of FIPS PUB 186 allows larger SEED,
-+ * but our internal buffers are restricted to 256 bits*/
-+ if (seed_in != NULL)
-+ memcpy(seed, seed_in, seed_len);
-+ else
-+ seed_len = 0;
-+
-+ if ((ctx=BN_CTX_new()) == NULL)
-+ goto err;
-+
-+ BN_CTX_start(ctx);
-+
-+ if (!FIPS_dsa_generate_pq(ctx, bits, qbits, evpmd,
-+ seed, seed_len, &p, &q, counter_ret, cb))
-+ goto err;
-+
-+ if (!FIPS_dsa_generate_g(ctx, p, q, &g, h_ret, cb))
-+ goto err;
-+
-+ ok=1;
-+err:
-+ if (ok)
-+ {
-+ if(ret->p)
-+ {
-+ BN_free(ret->p);
-+ ret->p = NULL;
-+ }
-+ if(ret->q)
-+ {
-+ BN_free(ret->q);
-+ ret->q = NULL;
-+ }
-+ if(ret->g)
-+ {
-+ BN_free(ret->g);
-+ ret->g = NULL;
-+ }
-+ ret->p=BN_dup(p);
-+ ret->q=BN_dup(q);
-+ ret->g=BN_dup(g);
-+ if (ret->p == NULL || ret->q == NULL || ret->g == NULL)
-+ ok=0;
-+ }
-+ if(ctx)
-+ {
-+ BN_CTX_end(ctx);
-+ BN_CTX_free(ctx);
-+ }
-+ return ok;
-+ }
-+
-+#ifndef OPENSSL_FIPS
-+static
-+#endif
-+int FIPS_dsa_generate_pq(BN_CTX *ctx, size_t bits, size_t qbits,
-+ const EVP_MD *evpmd, unsigned char *seed, int seed_len,
-+ BIGNUM **p_ret, BIGNUM **q_ret, int *counter_ret, BN_GENCB *cb)
-+ {
-+ int ok=0;
- unsigned char md[SHA256_DIGEST_LENGTH];
-- unsigned char buf[SHA256_DIGEST_LENGTH],buf2[SHA256_DIGEST_LENGTH];
-+ unsigned char buf[SHA256_DIGEST_LENGTH];
- BIGNUM *r0,*W,*X,*c,*test;
-- BIGNUM *g=NULL,*q=NULL,*p=NULL;
-- BN_MONT_CTX *mont=NULL;
-- int i, k, n=0, m=0, qsize = qbits >> 3;
-+ BIGNUM *q=NULL,*p=NULL;
-+ int i, k, b, n=0, m=0, qsize = qbits >> 3;
- int counter=0;
- int r=0;
-- BN_CTX *ctx=NULL;
-- unsigned int h=2;
-
- if (qsize != SHA_DIGEST_LENGTH && qsize != SHA224_DIGEST_LENGTH &&
- qsize != SHA256_DIGEST_LENGTH)
-@@ -153,51 +245,43 @@ int dsa_builtin_paramgen(DSA *ret, size_
- return 0;
-
- if (evpmd == NULL)
-- /* use SHA1 as default */
-- evpmd = EVP_sha1();
-+ {
-+ if (qbits <= 160)
-+ evpmd = EVP_sha1();
-+ else if (qbits <= 224)
-+ evpmd = EVP_sha224();
-+ else
-+ evpmd = EVP_sha256();
-+ }
-
- if (bits < 512)
- bits = 512;
-
- bits = (bits+63)/64*64;
-
-- /* NB: seed_len == 0 is special case: copy generated seed to
-- * seed_in if it is not NULL.
-- */
-- if (seed_len && (seed_len < (size_t)qsize))
-- seed_in = NULL; /* seed buffer too small -- ignore */
-- if (seed_len > (size_t)qsize)
-- seed_len = qsize; /* App. 2.2 of FIPS PUB 186 allows larger SEED,
-- * but our internal buffers are restricted to 160 bits*/
-- if (seed_in != NULL)
-- memcpy(seed, seed_in, seed_len);
--
-- if ((ctx=BN_CTX_new()) == NULL)
-- goto err;
--
-- if ((mont=BN_MONT_CTX_new()) == NULL)
-- goto err;
--
-- BN_CTX_start(ctx);
- r0 = BN_CTX_get(ctx);
-- g = BN_CTX_get(ctx);
- W = BN_CTX_get(ctx);
-- q = BN_CTX_get(ctx);
-+ *q_ret = q = BN_CTX_get(ctx);
- X = BN_CTX_get(ctx);
- c = BN_CTX_get(ctx);
-- p = BN_CTX_get(ctx);
-+ *p_ret = p = BN_CTX_get(ctx);
- test = BN_CTX_get(ctx);
-
- if (!BN_lshift(test,BN_value_one(),bits-1))
- goto err;
-
-+ /* step 3 n = \lceil bits / qbits \rceil - 1 */
-+ n = (bits+qbits-1)/qbits - 1;
-+ /* step 4 b = bits - 1 - n * qbits */
-+ b = bits - 1 - n*qbits;
-+
- for (;;)
- {
- for (;;) /* find q */
- {
- int seed_is_random;
-
-- /* step 1 */
-+ /* step 5 generate seed */
- if(!BN_GENCB_call(cb, 0, m++))
- goto err;
-
-@@ -212,30 +296,18 @@ int dsa_builtin_paramgen(DSA *ret, size_
- seed_len=0; /* use random seed if 'seed_in' turns out to be bad*/
- }
- memcpy(buf , seed, qsize);
-- memcpy(buf2, seed, qsize);
-- /* precompute "SEED + 1" for step 7: */
-- for (i = qsize-1; i >= 0; i--)
-- {
-- buf[i]++;
-- if (buf[i] != 0)
-- break;
-- }
-
-- /* step 2 */
-+ /* step 6 U = hash(seed) */
- if (!EVP_Digest(seed, qsize, md, NULL, evpmd, NULL))
- goto err;
-- if (!EVP_Digest(buf, qsize, buf2, NULL, evpmd, NULL))
-- goto err;
-- for (i = 0; i < qsize; i++)
-- md[i]^=buf2[i];
-
-- /* step 3 */
-+ /* step 7 q = 2^(qbits-1) + U + 1 - (U mod 2) */
- md[0] |= 0x80;
- md[qsize-1] |= 0x01;
- if (!BN_bin2bn(md, qsize, q))
- goto err;
-
-- /* step 4 */
-+ /* step 8 test for prime (64 round of Rabin-Miller) */
- r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx,
- seed_is_random, cb);
- if (r > 0)
-@@ -243,27 +315,22 @@ int dsa_builtin_paramgen(DSA *ret, size_
- if (r != 0)
- goto err;
-
-- /* do a callback call */
-- /* step 5 */
- }
-
- if(!BN_GENCB_call(cb, 2, 0)) goto err;
- if(!BN_GENCB_call(cb, 3, 0)) goto err;
-
-- /* step 6 */
-+ /* step 11 */
- counter=0;
-- /* "offset = 2" */
--
-- n=(bits-1)/160;
-+ /* "offset = 1" */
-
- for (;;)
- {
- if ((counter != 0) && !BN_GENCB_call(cb, 0, counter))
- goto err;
-
-- /* step 7 */
-+ /* step 11.1, 11.2 obtain W */
- BN_zero(W);
-- /* now 'buf' contains "SEED + offset - 1" */
- for (k=0; k<=n; k++)
- {
- /* obtain "SEED + offset + k" by incrementing: */
-@@ -278,28 +345,30 @@ int dsa_builtin_paramgen(DSA *ret, size_
- NULL))
- goto err;
-
-- /* step 8 */
- if (!BN_bin2bn(md, qsize, r0))
- goto err;
-- if (!BN_lshift(r0,r0,(qsize << 3)*k)) goto err;
-+ if (k == n)
-+ BN_mask_bits(r0,b);
-+ if (!BN_lshift(r0,r0,qbits*k)) goto err;
- if (!BN_add(W,W,r0)) goto err;
- }
-
-- /* more of step 8 */
-- if (!BN_mask_bits(W,bits-1)) goto err;
-+ /* step 11.3 X = W + 2^(L-1) */
- if (!BN_copy(X,W)) goto err;
- if (!BN_add(X,X,test)) goto err;
-
-- /* step 9 */
-+ /* step 11.4 c = X mod 2*q */
- if (!BN_lshift1(r0,q)) goto err;
- if (!BN_mod(c,X,r0,ctx)) goto err;
-+
-+ /* step 11.5 p = X - (c - 1) */
- if (!BN_sub(r0,c,BN_value_one())) goto err;
- if (!BN_sub(p,X,r0)) goto err;
-
-- /* step 10 */
-+ /* step 11.6 */
- if (BN_cmp(p,test) >= 0)
- {
-- /* step 11 */
-+ /* step 11.7 */
- r = BN_is_prime_fasttest_ex(p, DSS_prime_checks,
- ctx, 1, cb);
- if (r > 0)
-@@ -308,19 +377,45 @@ int dsa_builtin_paramgen(DSA *ret, size_
- goto err;
- }
-
-- /* step 13 */
-+ /* step 11.9 */
- counter++;
- /* "offset = offset + n + 1" */
-
-- /* step 14 */
-- if (counter >= 4096) break;
-+ /* step 12 */
-+ if (counter >= 4*bits) break;
- }
- }
- end:
- if(!BN_GENCB_call(cb, 2, 1))
- goto err;
-
-- /* We now need to generate g */
-+ ok=1;
-+err:
-+ if (ok)
-+ {
-+ if (counter_ret != NULL) *counter_ret=counter;
-+ }
-+ return ok;
-+ }
-+
-+#ifndef OPENSSL_FIPS
-+static
-+#endif
-+int FIPS_dsa_generate_g(BN_CTX *ctx, BIGNUM *p, BIGNUM *q,
-+ BIGNUM **g_ret, unsigned long *h_ret, BN_GENCB *cb)
-+ {
-+ int ok=0;
-+ BIGNUM *r0, *test, *g = NULL;
-+ BN_MONT_CTX *mont;
-+ unsigned int h=2;
-+
-+ if ((mont=BN_MONT_CTX_new()) == NULL)
-+ goto err;
-+
-+ r0 = BN_CTX_get(ctx);
-+ *g_ret = g = BN_CTX_get(ctx);
-+ test = BN_CTX_get(ctx);
-+
- /* Set r0=(p-1)/q */
- if (!BN_sub(test,p,BN_value_one())) goto err;
- if (!BN_div(r0,NULL,test,q,ctx)) goto err;
-@@ -344,26 +439,7 @@ end:
- err:
- if (ok)
- {
-- if(ret->p) BN_free(ret->p);
-- if(ret->q) BN_free(ret->q);
-- if(ret->g) BN_free(ret->g);
-- ret->p=BN_dup(p);
-- ret->q=BN_dup(q);
-- ret->g=BN_dup(g);
-- if (ret->p == NULL || ret->q == NULL || ret->g == NULL)
-- {
-- ok=0;
-- goto err;
-- }
-- if (counter_ret != NULL) *counter_ret=counter;
- if (h_ret != NULL) *h_ret=h;
-- if (seed_out)
-- memcpy(seed_out, seed, qsize);
-- }
-- if(ctx)
-- {
-- BN_CTX_end(ctx);
-- BN_CTX_free(ctx);
- }
- if (mont != NULL) BN_MONT_CTX_free(mont);
- return ok;
-diff -up openssl-1.0.1e/crypto/dsa/dsa.h.fips openssl-1.0.1e/crypto/dsa/dsa.h
---- openssl-1.0.1e/crypto/dsa/dsa.h.fips 2013-10-04 11:48:03.956689078 +0200
-+++ openssl-1.0.1e/crypto/dsa/dsa.h 2013-10-04 11:48:04.175694023 +0200
-@@ -88,6 +88,8 @@
- # define OPENSSL_DSA_MAX_MODULUS_BITS 10000
- #endif
-
-+#define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS 1024
-+
- #define DSA_FLAG_CACHE_MONT_P 0x01
- #define DSA_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DSA
- * implementation now uses constant time
-@@ -264,6 +266,17 @@ int DSA_print_fp(FILE *bp, const DSA *x,
- DH *DSA_dup_DH(const DSA *r);
- #endif
-
-+#ifdef OPENSSL_FIPS
-+int FIPS_dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
-+ const EVP_MD *evpmd, const unsigned char *seed_in, size_t seed_len,
-+ int *counter_ret, unsigned long *h_ret, BN_GENCB *cb);
-+int FIPS_dsa_generate_pq(BN_CTX *ctx, size_t bits, size_t qbits,
-+ const EVP_MD *evpmd, unsigned char *seed, int seed_len,
-+ BIGNUM **p_ret, BIGNUM **q_ret, int *counter_ret, BN_GENCB *cb);
-+int FIPS_dsa_generate_g(BN_CTX *ctx, BIGNUM *p, BIGNUM *q,
-+ BIGNUM **g_ret, unsigned long *h_ret, BN_GENCB *cb);
-+#endif
-+
- #define EVP_PKEY_CTX_set_dsa_paramgen_bits(ctx, nbits) \
- EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DSA, EVP_PKEY_OP_PARAMGEN, \
- EVP_PKEY_CTRL_DSA_PARAMGEN_BITS, nbits, NULL)
-@@ -285,10 +298,13 @@ void ERR_load_DSA_strings(void);
- #define DSA_F_DO_DSA_PRINT 104
- #define DSA_F_DSAPARAMS_PRINT 100
- #define DSA_F_DSAPARAMS_PRINT_FP 101
-+#define DSA_F_DSA_BUILTIN_KEYGEN 124
-+#define DSA_F_DSA_BUILTIN_PARAMGEN 123
- #define DSA_F_DSA_DO_SIGN 112
- #define DSA_F_DSA_DO_VERIFY 113
--#define DSA_F_DSA_GENERATE_KEY 124
--#define DSA_F_DSA_GENERATE_PARAMETERS_EX 123
-+#define DSA_F_DSA_GENERATE_KEY 126
-+#define DSA_F_DSA_GENERATE_PARAMETERS_EX 127
-+#define DSA_F_DSA_GENERATE_PARAMETERS /* unused */ 125
- #define DSA_F_DSA_NEW_METHOD 103
- #define DSA_F_DSA_PARAM_DECODE 119
- #define DSA_F_DSA_PRINT_FP 105
-@@ -314,11 +330,15 @@ void ERR_load_DSA_strings(void);
- #define DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE 100
- #define DSA_R_DECODE_ERROR 104
- #define DSA_R_INVALID_DIGEST_TYPE 106
-+#define DSA_R_KEY_SIZE_INVALID 113
-+#define DSA_R_KEY_SIZE_TOO_SMALL 110
- #define DSA_R_MISSING_PARAMETERS 101
- #define DSA_R_MODULUS_TOO_LARGE 103
--#define DSA_R_NEED_NEW_SETUP_VALUES 110
-+#define DSA_R_NEED_NEW_SETUP_VALUES 112
- #define DSA_R_NON_FIPS_DSA_METHOD 111
-+#define DSA_R_NON_FIPS_METHOD 111
- #define DSA_R_NO_PARAMETERS_SET 107
-+#define DSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE /* unused */ 112
- #define DSA_R_PARAMETER_ENCODING_ERROR 105
-
- #ifdef __cplusplus
-diff -up openssl-1.0.1e/crypto/dsa/dsa_key.c.fips openssl-1.0.1e/crypto/dsa/dsa_key.c
---- openssl-1.0.1e/crypto/dsa/dsa_key.c.fips 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/dsa/dsa_key.c 2013-10-04 11:48:04.175694023 +0200
-@@ -66,6 +66,35 @@
-
- #ifdef OPENSSL_FIPS
- #include <openssl/fips.h>
-+#include <openssl/evp.h>
-+
-+static int fips_check_dsa(DSA *dsa)
-+ {
-+ EVP_PKEY *pk;
-+ unsigned char tbs[] = "DSA Pairwise Check Data";
-+ int ret = 0;
-+
-+ if ((pk=EVP_PKEY_new()) == NULL)
-+ goto err;
-+
-+ EVP_PKEY_set1_DSA(pk, dsa);
-+
-+ if (fips_pkey_signature_test(pk, tbs, -1, NULL, 0, NULL, 0, NULL))
-+ ret = 1;
-+
-+ err:
-+ if (ret == 0)
-+ {
-+ FIPSerr(FIPS_F_FIPS_CHECK_DSA,FIPS_R_PAIRWISE_TEST_FAILED);
-+ fips_set_selftest_fail();
-+ }
-+
-+ if (pk)
-+ EVP_PKEY_free(pk);
-+
-+ return ret;
-+ }
-+
- #endif
-
- static int dsa_builtin_keygen(DSA *dsa);
-@@ -82,10 +111,6 @@ int DSA_generate_key(DSA *dsa)
- #endif
- if(dsa->meth->dsa_keygen)
- return dsa->meth->dsa_keygen(dsa);
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode())
-- return FIPS_dsa_generate_key(dsa);
--#endif
- return dsa_builtin_keygen(dsa);
- }
-
-@@ -95,6 +120,15 @@ static int dsa_builtin_keygen(DSA *dsa)
- BN_CTX *ctx=NULL;
- BIGNUM *pub_key=NULL,*priv_key=NULL;
-
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
-+ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
-+ {
-+ DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL);
-+ goto err;
-+ }
-+#endif
-+
- if ((ctx=BN_CTX_new()) == NULL) goto err;
-
- if (dsa->priv_key == NULL)
-@@ -133,6 +167,14 @@ static int dsa_builtin_keygen(DSA *dsa)
-
- dsa->priv_key=priv_key;
- dsa->pub_key=pub_key;
-+#ifdef OPENSSL_FIPS
-+ if(FIPS_mode() && !fips_check_dsa(dsa))
-+ {
-+ dsa->pub_key = NULL;
-+ dsa->priv_key = NULL;
-+ goto err;
-+ }
-+#endif
- ok=1;
-
- err:
-diff -up openssl-1.0.1e/crypto/dsa/dsa_lib.c.fips openssl-1.0.1e/crypto/dsa/dsa_lib.c
---- openssl-1.0.1e/crypto/dsa/dsa_lib.c.fips 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/dsa/dsa_lib.c 2013-10-04 11:48:04.175694023 +0200
-@@ -87,14 +87,7 @@ const DSA_METHOD *DSA_get_default_method
- {
- if(!default_DSA_method)
- {
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode())
-- return FIPS_dsa_openssl();
-- else
-- return DSA_OpenSSL();
--#else
- default_DSA_method = DSA_OpenSSL();
--#endif
- }
- return default_DSA_method;
- }
-diff -up openssl-1.0.1e/crypto/dsa/dsa_locl.h.fips openssl-1.0.1e/crypto/dsa/dsa_locl.h
---- openssl-1.0.1e/crypto/dsa/dsa_locl.h.fips 2013-10-04 11:48:03.958689123 +0200
-+++ openssl-1.0.1e/crypto/dsa/dsa_locl.h 2013-10-04 11:48:04.175694023 +0200
-@@ -56,5 +56,4 @@
-
- int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
- const EVP_MD *evpmd, const unsigned char *seed_in, size_t seed_len,
-- unsigned char *seed_out,
- int *counter_ret, unsigned long *h_ret, BN_GENCB *cb);
-diff -up openssl-1.0.1e/crypto/dsa/dsa_ossl.c.fips openssl-1.0.1e/crypto/dsa/dsa_ossl.c
---- openssl-1.0.1e/crypto/dsa/dsa_ossl.c.fips 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/dsa/dsa_ossl.c 2013-10-04 11:48:04.175694023 +0200
-@@ -65,6 +65,9 @@
- #include <openssl/dsa.h>
- #include <openssl/rand.h>
- #include <openssl/asn1.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-
- static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
- static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp);
-@@ -82,7 +85,7 @@ NULL, /* dsa_mod_exp, */
- NULL, /* dsa_bn_mod_exp, */
- dsa_init,
- dsa_finish,
--0,
-+DSA_FLAG_FIPS_METHOD,
- NULL,
- NULL,
- NULL
-@@ -138,6 +141,21 @@ static DSA_SIG *dsa_do_sign(const unsign
- DSA_SIG *ret=NULL;
- int noredo = 0;
-
-+#ifdef OPENSSL_FIPS
-+ if(FIPS_selftest_failed())
-+ {
-+ FIPSerr(FIPS_F_DSA_DO_SIGN,FIPS_R_FIPS_SELFTEST_FAILED);
-+ return NULL;
-+ }
-+
-+ if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
-+ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
-+ {
-+ DSAerr(DSA_F_DSA_DO_SIGN, DSA_R_KEY_SIZE_TOO_SMALL);
-+ return NULL;
-+ }
-+#endif
-+
- BN_init(&m);
- BN_init(&xr);
-
-@@ -325,6 +343,21 @@ static int dsa_do_verify(const unsigned
- return -1;
- }
-
-+#ifdef OPENSSL_FIPS
-+ if(FIPS_selftest_failed())
-+ {
-+ FIPSerr(FIPS_F_DSA_DO_VERIFY,FIPS_R_FIPS_SELFTEST_FAILED);
-+ return -1;
-+ }
-+
-+ if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
-+ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
-+ {
-+ DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_KEY_SIZE_TOO_SMALL);
-+ return -1;
-+ }
-+#endif
-+
- if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS)
- {
- DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_MODULUS_TOO_LARGE);
-@@ -399,6 +432,9 @@ static int dsa_do_verify(const unsigned
-
- static int dsa_init(DSA *dsa)
- {
-+#ifdef OPENSSL_FIPS
-+ FIPS_selftest_check();
-+#endif
- dsa->flags|=DSA_FLAG_CACHE_MONT_P;
- return(1);
- }
-diff -up openssl-1.0.1e/crypto/dsa/dsa_pmeth.c.fips openssl-1.0.1e/crypto/dsa/dsa_pmeth.c
---- openssl-1.0.1e/crypto/dsa/dsa_pmeth.c.fips 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/dsa/dsa_pmeth.c 2013-10-04 11:48:04.175694023 +0200
-@@ -255,7 +255,7 @@ static int pkey_dsa_paramgen(EVP_PKEY_CT
- if (!dsa)
- return 0;
- ret = dsa_builtin_paramgen(dsa, dctx->nbits, dctx->qbits, dctx->pmd,
-- NULL, 0, NULL, NULL, NULL, pcb);
-+ NULL, 0, NULL, NULL, pcb);
- if (ret)
- EVP_PKEY_assign_DSA(pkey, dsa);
- else
-diff -up openssl-1.0.1e/crypto/dsa/dsatest.c.fips openssl-1.0.1e/crypto/dsa/dsatest.c
---- openssl-1.0.1e/crypto/dsa/dsatest.c.fips 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/dsa/dsatest.c 2013-10-04 11:48:04.176694045 +0200
-@@ -96,36 +96,41 @@ static int MS_CALLBACK dsa_cb(int p, int
- /* seed, out_p, out_q, out_g are taken from the updated Appendix 5 to
- * FIPS PUB 186 and also appear in Appendix 5 to FIPS PIB 186-1 */
- static unsigned char seed[20]={
-- 0xd5,0x01,0x4e,0x4b,0x60,0xef,0x2b,0xa8,0xb6,0x21,0x1b,0x40,
-- 0x62,0xba,0x32,0x24,0xe0,0x42,0x7d,0xd3,
-+ 0x02,0x47,0x11,0x92,0x11,0x88,0xC8,0xFB,0xAF,0x48,0x4C,0x62,
-+ 0xDF,0xA5,0xBE,0xA0,0xA4,0x3C,0x56,0xE3,
- };
-
- static unsigned char out_p[]={
-- 0x8d,0xf2,0xa4,0x94,0x49,0x22,0x76,0xaa,
-- 0x3d,0x25,0x75,0x9b,0xb0,0x68,0x69,0xcb,
-- 0xea,0xc0,0xd8,0x3a,0xfb,0x8d,0x0c,0xf7,
-- 0xcb,0xb8,0x32,0x4f,0x0d,0x78,0x82,0xe5,
-- 0xd0,0x76,0x2f,0xc5,0xb7,0x21,0x0e,0xaf,
-- 0xc2,0xe9,0xad,0xac,0x32,0xab,0x7a,0xac,
-- 0x49,0x69,0x3d,0xfb,0xf8,0x37,0x24,0xc2,
-- 0xec,0x07,0x36,0xee,0x31,0xc8,0x02,0x91,
-+ 0xAC,0xCB,0x1E,0x63,0x60,0x69,0x0C,0xFB,0x06,0x19,0x68,0x3E,
-+ 0xA5,0x01,0x5A,0xA2,0x15,0x5C,0xE2,0x99,0x2D,0xD5,0x30,0x99,
-+ 0x7E,0x5F,0x8D,0xE2,0xF7,0xC6,0x2E,0x8D,0xA3,0x9F,0x58,0xAD,
-+ 0xD6,0xA9,0x7D,0x0E,0x0D,0x95,0x53,0xA6,0x71,0x3A,0xDE,0xAB,
-+ 0xAC,0xE9,0xF4,0x36,0x55,0x9E,0xB9,0xD6,0x93,0xBF,0xF3,0x18,
-+ 0x1C,0x14,0x7B,0xA5,0x42,0x2E,0xCD,0x00,0xEB,0x35,0x3B,0x1B,
-+ 0xA8,0x51,0xBB,0xE1,0x58,0x42,0x85,0x84,0x22,0xA7,0x97,0x5E,
-+ 0x99,0x6F,0x38,0x20,0xBD,0x9D,0xB6,0xD9,0x33,0x37,0x2A,0xFD,
-+ 0xBB,0xD4,0xBC,0x0C,0x2A,0x67,0xCB,0x9F,0xBB,0xDF,0xF9,0x93,
-+ 0xAA,0xD6,0xF0,0xD6,0x95,0x0B,0x5D,0x65,0x14,0xD0,0x18,0x9D,
-+ 0xC6,0xAF,0xF0,0xC6,0x37,0x7C,0xF3,0x5F,
- };
-
- static unsigned char out_q[]={
-- 0xc7,0x73,0x21,0x8c,0x73,0x7e,0xc8,0xee,
-- 0x99,0x3b,0x4f,0x2d,0xed,0x30,0xf4,0x8e,
-- 0xda,0xce,0x91,0x5f,
-+ 0xE3,0x8E,0x5E,0x6D,0xBF,0x2B,0x79,0xF8,0xC5,0x4B,0x89,0x8B,
-+ 0xBA,0x2D,0x91,0xC3,0x6C,0x80,0xAC,0x87,
- };
-
- static unsigned char out_g[]={
-- 0x62,0x6d,0x02,0x78,0x39,0xea,0x0a,0x13,
-- 0x41,0x31,0x63,0xa5,0x5b,0x4c,0xb5,0x00,
-- 0x29,0x9d,0x55,0x22,0x95,0x6c,0xef,0xcb,
-- 0x3b,0xff,0x10,0xf3,0x99,0xce,0x2c,0x2e,
-- 0x71,0xcb,0x9d,0xe5,0xfa,0x24,0xba,0xbf,
-- 0x58,0xe5,0xb7,0x95,0x21,0x92,0x5c,0x9c,
-- 0xc4,0x2e,0x9f,0x6f,0x46,0x4b,0x08,0x8c,
-- 0xc5,0x72,0xaf,0x53,0xe6,0xd7,0x88,0x02,
-+ 0x42,0x4A,0x04,0x4E,0x79,0xB4,0x99,0x7F,0xFD,0x58,0x36,0x2C,
-+ 0x1B,0x5F,0x18,0x7E,0x0D,0xCC,0xAB,0x81,0xC9,0x5D,0x10,0xCE,
-+ 0x4E,0x80,0x7E,0x58,0xB4,0x34,0x3F,0xA7,0x45,0xC7,0xAA,0x36,
-+ 0x24,0x42,0xA9,0x3B,0xE8,0x0E,0x04,0x02,0x2D,0xFB,0xA6,0x13,
-+ 0xB9,0xB5,0x15,0xA5,0x56,0x07,0x35,0xE4,0x03,0xB6,0x79,0x7C,
-+ 0x62,0xDD,0xDF,0x3F,0x71,0x3A,0x9D,0x8B,0xC4,0xF6,0xE7,0x1D,
-+ 0x52,0xA8,0xA9,0x43,0x1D,0x33,0x51,0x88,0x39,0xBD,0x73,0xE9,
-+ 0x5F,0xBE,0x82,0x49,0x27,0xE6,0xB5,0x53,0xC1,0x38,0xAC,0x2F,
-+ 0x6D,0x97,0x6C,0xEB,0x67,0xC1,0x5F,0x67,0xF8,0x35,0x05,0x5E,
-+ 0xD5,0x68,0x80,0xAA,0x96,0xCA,0x0B,0x8A,0xE6,0xF1,0xB1,0x41,
-+ 0xC6,0x75,0x94,0x0A,0x0A,0x2A,0xFA,0x29,
- };
-
- static const unsigned char str1[]="12345678901234567890";
-@@ -157,7 +162,7 @@ int main(int argc, char **argv)
- BIO_printf(bio_err,"test generation of DSA parameters\n");
-
- BN_GENCB_set(&cb, dsa_cb, bio_err);
-- if(((dsa = DSA_new()) == NULL) || !DSA_generate_parameters_ex(dsa, 512,
-+ if(((dsa = DSA_new()) == NULL) || !DSA_generate_parameters_ex(dsa, 1024,
- seed, 20, &counter, &h, &cb))
- goto end;
-
-@@ -170,9 +175,9 @@ int main(int argc, char **argv)
- BIO_printf(bio_err,"\ncounter=%d h=%ld\n",counter,h);
-
- DSA_print(bio_err,dsa,0);
-- if (counter != 105)
-+ if (counter != 239)
- {
-- BIO_printf(bio_err,"counter should be 105\n");
-+ BIO_printf(bio_err,"counter should be 239\n");
- goto end;
- }
- if (h != 2)
-diff -up openssl-1.0.1e/crypto/engine/eng_all.c.fips openssl-1.0.1e/crypto/engine/eng_all.c
---- openssl-1.0.1e/crypto/engine/eng_all.c.fips 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/engine/eng_all.c 2013-10-04 11:48:04.176694045 +0200
-@@ -58,11 +58,25 @@
-
- #include "cryptlib.h"
- #include "eng_int.h"
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-
- void ENGINE_load_builtin_engines(void)
- {
- /* Some ENGINEs need this */
- OPENSSL_cpuid_setup();
-+#ifdef OPENSSL_FIPS
-+ OPENSSL_init_library();
-+ if (FIPS_mode()) {
-+ /* We allow loading dynamic engine as a third party
-+ engine might be FIPS validated.
-+ User is disallowed to load non-validated engines
-+ by security policy. */
-+ ENGINE_load_dynamic();
-+ return;
-+ }
-+#endif
- #if 0
- /* There's no longer any need for an "openssl" ENGINE unless, one day,
- * it is the *only* way for standard builtin implementations to be be
-diff -up openssl-1.0.1e/crypto/evp/c_allc.c.fips openssl-1.0.1e/crypto/evp/c_allc.c
---- openssl-1.0.1e/crypto/evp/c_allc.c.fips 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/evp/c_allc.c 2013-10-04 11:48:04.176694045 +0200
-@@ -65,6 +65,11 @@
- void OpenSSL_add_all_ciphers(void)
- {
-
-+#ifdef OPENSSL_FIPS
-+ OPENSSL_init_library();
-+ if(!FIPS_mode())
-+ {
-+#endif
- #ifndef OPENSSL_NO_DES
- EVP_add_cipher(EVP_des_cfb());
- EVP_add_cipher(EVP_des_cfb1());
-@@ -227,4 +232,60 @@ void OpenSSL_add_all_ciphers(void)
- EVP_add_cipher_alias(SN_camellia_256_cbc,"CAMELLIA256");
- EVP_add_cipher_alias(SN_camellia_256_cbc,"camellia256");
- #endif
-+#ifdef OPENSSL_FIPS
-+ }
-+ else
-+ {
-+#ifndef OPENSSL_NO_DES
-+ EVP_add_cipher(EVP_des_ede_cfb());
-+ EVP_add_cipher(EVP_des_ede3_cfb());
-+
-+ EVP_add_cipher(EVP_des_ede_ofb());
-+ EVP_add_cipher(EVP_des_ede3_ofb());
-+
-+ EVP_add_cipher(EVP_des_ede_cbc());
-+ EVP_add_cipher(EVP_des_ede3_cbc());
-+ EVP_add_cipher_alias(SN_des_ede3_cbc,"DES3");
-+ EVP_add_cipher_alias(SN_des_ede3_cbc,"des3");
-+
-+ EVP_add_cipher(EVP_des_ede());
-+ EVP_add_cipher(EVP_des_ede3());
-+#endif
-+
-+#ifndef OPENSSL_NO_AES
-+ EVP_add_cipher(EVP_aes_128_ecb());
-+ EVP_add_cipher(EVP_aes_128_cbc());
-+ EVP_add_cipher(EVP_aes_128_cfb());
-+ EVP_add_cipher(EVP_aes_128_cfb1());
-+ EVP_add_cipher(EVP_aes_128_cfb8());
-+ EVP_add_cipher(EVP_aes_128_ofb());
-+ EVP_add_cipher(EVP_aes_128_ctr());
-+ EVP_add_cipher(EVP_aes_128_gcm());
-+ EVP_add_cipher(EVP_aes_128_xts());
-+ EVP_add_cipher_alias(SN_aes_128_cbc,"AES128");
-+ EVP_add_cipher_alias(SN_aes_128_cbc,"aes128");
-+ EVP_add_cipher(EVP_aes_192_ecb());
-+ EVP_add_cipher(EVP_aes_192_cbc());
-+ EVP_add_cipher(EVP_aes_192_cfb());
-+ EVP_add_cipher(EVP_aes_192_cfb1());
-+ EVP_add_cipher(EVP_aes_192_cfb8());
-+ EVP_add_cipher(EVP_aes_192_ofb());
-+ EVP_add_cipher(EVP_aes_192_ctr());
-+ EVP_add_cipher(EVP_aes_192_gcm());
-+ EVP_add_cipher_alias(SN_aes_192_cbc,"AES192");
-+ EVP_add_cipher_alias(SN_aes_192_cbc,"aes192");
-+ EVP_add_cipher(EVP_aes_256_ecb());
-+ EVP_add_cipher(EVP_aes_256_cbc());
-+ EVP_add_cipher(EVP_aes_256_cfb());
-+ EVP_add_cipher(EVP_aes_256_cfb1());
-+ EVP_add_cipher(EVP_aes_256_cfb8());
-+ EVP_add_cipher(EVP_aes_256_ofb());
-+ EVP_add_cipher(EVP_aes_256_ctr());
-+ EVP_add_cipher(EVP_aes_256_gcm());
-+ EVP_add_cipher(EVP_aes_256_xts());
-+ EVP_add_cipher_alias(SN_aes_256_cbc,"AES256");
-+ EVP_add_cipher_alias(SN_aes_256_cbc,"aes256");
-+#endif
-+ }
-+#endif
- }
-diff -up openssl-1.0.1e/crypto/evp/c_alld.c.fips openssl-1.0.1e/crypto/evp/c_alld.c
---- openssl-1.0.1e/crypto/evp/c_alld.c.fips 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/evp/c_alld.c 2013-10-04 11:48:04.176694045 +0200
-@@ -64,6 +64,11 @@
-
- void OpenSSL_add_all_digests(void)
- {
-+#ifdef OPENSSL_FIPS
-+ OPENSSL_init_library();
-+ if (!FIPS_mode())
-+ {
-+#endif
- #ifndef OPENSSL_NO_MD4
- EVP_add_digest(EVP_md4());
- #endif
-@@ -111,4 +116,32 @@ void OpenSSL_add_all_digests(void)
- #ifndef OPENSSL_NO_WHIRLPOOL
- EVP_add_digest(EVP_whirlpool());
- #endif
-+#ifdef OPENSSL_FIPS
-+ }
-+ else
-+ {
-+#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
-+ EVP_add_digest(EVP_sha1());
-+ EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
-+ EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
-+#ifndef OPENSSL_NO_DSA
-+ EVP_add_digest(EVP_dss1());
-+ EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
-+ EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
-+ EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
-+#endif
-+#ifndef OPENSSL_NO_ECDSA
-+ EVP_add_digest(EVP_ecdsa());
-+#endif
-+#endif
-+#ifndef OPENSSL_NO_SHA256
-+ EVP_add_digest(EVP_sha224());
-+ EVP_add_digest(EVP_sha256());
-+#endif
-+#ifndef OPENSSL_NO_SHA512
-+ EVP_add_digest(EVP_sha384());
-+ EVP_add_digest(EVP_sha512());
-+#endif
-+ }
-+#endif
- }
-diff -up openssl-1.0.1e/crypto/evp/digest.c.fips openssl-1.0.1e/crypto/evp/digest.c
---- openssl-1.0.1e/crypto/evp/digest.c.fips 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/evp/digest.c 2013-10-04 11:48:04.176694045 +0200
-@@ -142,9 +142,50 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, cons
- return EVP_DigestInit_ex(ctx, type, NULL);
- }
-
-+#ifdef OPENSSL_FIPS
-+
-+/* The purpose of these is to trap programs that attempt to use non FIPS
-+ * algorithms in FIPS mode and ignore the errors.
-+ */
-+
-+static int bad_init(EVP_MD_CTX *ctx)
-+ { FIPS_ERROR_IGNORED("Digest init"); return 0;}
-+
-+static int bad_update(EVP_MD_CTX *ctx,const void *data,size_t count)
-+ { FIPS_ERROR_IGNORED("Digest update"); return 0;}
-+
-+static int bad_final(EVP_MD_CTX *ctx,unsigned char *md)
-+ { FIPS_ERROR_IGNORED("Digest Final"); return 0;}
-+
-+static const EVP_MD bad_md =
-+ {
-+ 0,
-+ 0,
-+ 0,
-+ 0,
-+ bad_init,
-+ bad_update,
-+ bad_final,
-+ NULL,
-+ NULL,
-+ NULL,
-+ 0,
-+ {0,0,0,0},
-+ };
-+
-+#endif
-+
- int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
- {
- EVP_MD_CTX_clear_flags(ctx,EVP_MD_CTX_FLAG_CLEANED);
-+#ifdef OPENSSL_FIPS
-+ if(FIPS_selftest_failed())
-+ {
-+ FIPSerr(FIPS_F_EVP_DIGESTINIT_EX,FIPS_R_FIPS_SELFTEST_FAILED);
-+ ctx->digest = &bad_md;
-+ return 0;
-+ }
-+#endif
- #ifndef OPENSSL_NO_ENGINE
- /* Whether it's nice or not, "Inits" can be used on "Final"'d contexts
- * so this context may already have an ENGINE! Try to avoid releasing
-@@ -201,6 +242,18 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c
- #endif
- if (ctx->digest != type)
- {
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode())
-+ {
-+ if (!(type->flags & EVP_MD_FLAG_FIPS)
-+ && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW))
-+ {
-+ EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS);
-+ ctx->digest = &bad_md;
-+ return 0;
-+ }
-+ }
-+#endif
- if (ctx->digest && ctx->digest->ctx_size)
- OPENSSL_free(ctx->md_data);
- ctx->digest=type;
-@@ -229,26 +282,15 @@ skip_to_init:
- }
- if (ctx->flags & EVP_MD_CTX_FLAG_NO_INIT)
- return 1;
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode())
-- {
-- if (FIPS_digestinit(ctx, type))
-- return 1;
-- OPENSSL_free(ctx->md_data);
-- ctx->md_data = NULL;
-- return 0;
-- }
--#endif
- return ctx->digest->init(ctx);
- }
-
- int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count)
- {
- #ifdef OPENSSL_FIPS
-- return FIPS_digestupdate(ctx, data, count);
--#else
-- return ctx->update(ctx,data,count);
-+ FIPS_selftest_check();
- #endif
-+ return ctx->update(ctx,data,count);
- }
-
- /* The caller can assume that this removes any secret data from the context */
-@@ -263,11 +305,11 @@ int EVP_DigestFinal(EVP_MD_CTX *ctx, uns
- /* The caller can assume that this removes any secret data from the context */
- int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
- {
--#ifdef OPENSSL_FIPS
-- return FIPS_digestfinal(ctx, md, size);
--#else
- int ret;
-
-+#ifdef OPENSSL_FIPS
-+ FIPS_selftest_check();
-+#endif
- OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
- ret=ctx->digest->final(ctx,md);
- if (size != NULL)
-@@ -279,7 +321,6 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx,
- }
- memset(ctx->md_data,0,ctx->digest->ctx_size);
- return ret;
--#endif
- }
-
- int EVP_MD_CTX_copy(EVP_MD_CTX *out, const EVP_MD_CTX *in)
-@@ -373,7 +414,6 @@ void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx)
- /* This call frees resources associated with the context */
- int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
- {
--#ifndef OPENSSL_FIPS
- /* Don't assume ctx->md_data was cleaned in EVP_Digest_Final,
- * because sometimes only copies of the context are ever finalised.
- */
-@@ -386,7 +426,6 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
- OPENSSL_cleanse(ctx->md_data,ctx->digest->ctx_size);
- OPENSSL_free(ctx->md_data);
- }
--#endif
- if (ctx->pctx)
- EVP_PKEY_CTX_free(ctx->pctx);
- #ifndef OPENSSL_NO_ENGINE
-@@ -395,9 +434,6 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
- * functional reference we held for this reason. */
- ENGINE_finish(ctx->engine);
- #endif
--#ifdef OPENSSL_FIPS
-- FIPS_md_ctx_cleanup(ctx);
--#endif
- memset(ctx,'\0',sizeof *ctx);
-
- return 1;
-diff -up openssl-1.0.1e/crypto/evp/e_aes.c.fips openssl-1.0.1e/crypto/evp/e_aes.c
---- openssl-1.0.1e/crypto/evp/e_aes.c.fips 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/evp/e_aes.c 2013-10-04 11:48:04.177694068 +0200
-@@ -56,7 +56,6 @@
- #include <assert.h>
- #include <openssl/aes.h>
- #include "evp_locl.h"
--#ifndef OPENSSL_FIPS
- #include "modes_lcl.h"
- #include <openssl/rand.h>
-
-@@ -716,7 +715,7 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *
- if (arg <= 0)
- return 0;
- #ifdef OPENSSL_FIPS
-- if (FIPS_module_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)
-+ if (FIPS_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)
- && arg < 12)
- return 0;
- #endif
-@@ -1128,7 +1127,7 @@ static int aes_xts_cipher(EVP_CIPHER_CTX
- return 0;
- #ifdef OPENSSL_FIPS
- /* Requirement of SP800-38E */
-- if (FIPS_module_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) &&
-+ if (FIPS_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) &&
- (len > (1UL<<20)*16))
- {
- EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_TOO_LARGE);
-@@ -1311,4 +1310,3 @@ BLOCK_CIPHER_custom(NID_aes,192,1,12,ccm
- BLOCK_CIPHER_custom(NID_aes,256,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
-
- #endif
--#endif
-diff -up openssl-1.0.1e/crypto/evp/e_des3.c.fips openssl-1.0.1e/crypto/evp/e_des3.c
---- openssl-1.0.1e/crypto/evp/e_des3.c.fips 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/evp/e_des3.c 2013-10-04 11:48:04.177694068 +0200
-@@ -65,8 +65,6 @@
- #include <openssl/des.h>
- #include <openssl/rand.h>
-
--#ifndef OPENSSL_FIPS
--
- static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
- const unsigned char *iv,int enc);
-
-@@ -208,9 +206,9 @@ static int des_ede3_cfb8_cipher(EVP_CIPH
- }
-
- BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY, NID_des_ede, 8, 16, 8, 64,
-- EVP_CIPH_RAND_KEY, des_ede_init_key, NULL,
-- EVP_CIPHER_set_asn1_iv,
-- EVP_CIPHER_get_asn1_iv,
-+ EVP_CIPH_RAND_KEY|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1,
-+ des_ede_init_key,
-+ NULL, NULL, NULL,
- des3_ctrl)
-
- #define des_ede3_cfb64_cipher des_ede_cfb64_cipher
-@@ -219,21 +217,21 @@ BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY,
- #define des_ede3_ecb_cipher des_ede_ecb_cipher
-
- BLOCK_CIPHER_defs(des_ede3, DES_EDE_KEY, NID_des_ede3, 8, 24, 8, 64,
-- EVP_CIPH_RAND_KEY, des_ede3_init_key, NULL,
-- EVP_CIPHER_set_asn1_iv,
-- EVP_CIPHER_get_asn1_iv,
-+ EVP_CIPH_RAND_KEY|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1,
-+ des_ede3_init_key,
-+ NULL, NULL, NULL,
- des3_ctrl)
-
- BLOCK_CIPHER_def_cfb(des_ede3,DES_EDE_KEY,NID_des_ede3,24,8,1,
-- EVP_CIPH_RAND_KEY, des_ede3_init_key,NULL,
-- EVP_CIPHER_set_asn1_iv,
-- EVP_CIPHER_get_asn1_iv,
-+ EVP_CIPH_RAND_KEY|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1,
-+ des_ede3_init_key,
-+ NULL, NULL, NULL,
- des3_ctrl)
-
- BLOCK_CIPHER_def_cfb(des_ede3,DES_EDE_KEY,NID_des_ede3,24,8,8,
-- EVP_CIPH_RAND_KEY, des_ede3_init_key,NULL,
-- EVP_CIPHER_set_asn1_iv,
-- EVP_CIPHER_get_asn1_iv,
-+ EVP_CIPH_RAND_KEY|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1,
-+ des_ede3_init_key,
-+ NULL, NULL, NULL,
- des3_ctrl)
-
- static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
-@@ -313,4 +311,3 @@ const EVP_CIPHER *EVP_des_ede3(void)
- return &des_ede3_ecb;
- }
- #endif
--#endif
-diff -up openssl-1.0.1e/crypto/evp/e_null.c.fips openssl-1.0.1e/crypto/evp/e_null.c
---- openssl-1.0.1e/crypto/evp/e_null.c.fips 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/evp/e_null.c 2013-10-04 11:48:04.177694068 +0200
-@@ -61,8 +61,6 @@
- #include <openssl/evp.h>
- #include <openssl/objects.h>
-
--#ifndef OPENSSL_FIPS
--
- static int null_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
- const unsigned char *iv,int enc);
- static int null_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-@@ -71,7 +69,7 @@ static const EVP_CIPHER n_cipher=
- {
- NID_undef,
- 1,0,0,
-- 0,
-+ EVP_CIPH_FLAG_FIPS,
- null_init_key,
- null_cipher,
- NULL,
-@@ -101,4 +99,3 @@ static int null_cipher(EVP_CIPHER_CTX *c
- memcpy((char *)out,(const char *)in,inl);
- return 1;
- }
--#endif
-diff -up openssl-1.0.1e/crypto/evp/evp_enc.c.fips openssl-1.0.1e/crypto/evp/evp_enc.c
---- openssl-1.0.1e/crypto/evp/evp_enc.c.fips 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/evp/evp_enc.c 2013-10-04 11:48:04.177694068 +0200
-@@ -69,17 +69,58 @@
- #endif
- #include "evp_locl.h"
-
--#ifdef OPENSSL_FIPS
--#define M_do_cipher(ctx, out, in, inl) FIPS_cipher(ctx, out, in, inl)
--#else
- #define M_do_cipher(ctx, out, in, inl) ctx->cipher->do_cipher(ctx, out, in, inl)
--#endif
-
-
- const char EVP_version[]="EVP" OPENSSL_VERSION_PTEXT;
-
-+#ifdef OPENSSL_FIPS
-+
-+/* The purpose of these is to trap programs that attempt to use non FIPS
-+ * algorithms in FIPS mode and ignore the errors.
-+ */
-+
-+static int bad_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
-+ const unsigned char *iv, int enc)
-+ { FIPS_ERROR_IGNORED("Cipher init"); return 0;}
-+
-+static int bad_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-+ const unsigned char *in, unsigned int inl)
-+ { FIPS_ERROR_IGNORED("Cipher update"); return 0;}
-+
-+/* NB: no cleanup because it is allowed after failed init */
-+
-+static int bad_set_asn1(EVP_CIPHER_CTX *ctx, ASN1_TYPE *typ)
-+ { FIPS_ERROR_IGNORED("Cipher set_asn1"); return 0;}
-+static int bad_get_asn1(EVP_CIPHER_CTX *ctx, ASN1_TYPE *typ)
-+ { FIPS_ERROR_IGNORED("Cipher get_asn1"); return 0;}
-+static int bad_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
-+ { FIPS_ERROR_IGNORED("Cipher ctrl"); return 0;}
-+
-+static const EVP_CIPHER bad_cipher =
-+ {
-+ 0,
-+ 0,
-+ 0,
-+ 0,
-+ 0,
-+ bad_init,
-+ bad_do_cipher,
-+ NULL,
-+ 0,
-+ bad_set_asn1,
-+ bad_get_asn1,
-+ bad_ctrl,
-+ NULL
-+ };
-+
-+#endif
-+
- void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *ctx)
- {
-+#ifdef OPENSSL_FIPS
-+ FIPS_selftest_check();
-+#endif
- memset(ctx,0,sizeof(EVP_CIPHER_CTX));
- /* ctx->cipher=NULL; */
- }
-@@ -111,6 +152,14 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct
- enc = 1;
- ctx->encrypt = enc;
- }
-+#ifdef OPENSSL_FIPS
-+ if(FIPS_selftest_failed())
-+ {
-+ FIPSerr(FIPS_F_EVP_CIPHERINIT_EX,FIPS_R_FIPS_SELFTEST_FAILED);
-+ ctx->cipher = &bad_cipher;
-+ return 0;
-+ }
-+#endif
- #ifndef OPENSSL_NO_ENGINE
- /* Whether it's nice or not, "Inits" can be used on "Final"'d contexts
- * so this context may already have an ENGINE! Try to avoid releasing
-@@ -169,10 +218,6 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct
- ctx->engine = NULL;
- #endif
-
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode())
-- return FIPS_cipherinit(ctx, cipher, key, iv, enc);
--#endif
- ctx->cipher=cipher;
- if (ctx->cipher->ctx_size)
- {
-@@ -206,10 +251,6 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct
- #ifndef OPENSSL_NO_ENGINE
- skip_to_init:
- #endif
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode())
-- return FIPS_cipherinit(ctx, cipher, key, iv, enc);
--#endif
- /* we assume block size is a power of 2 in *cryptUpdate */
- OPENSSL_assert(ctx->cipher->block_size == 1
- || ctx->cipher->block_size == 8
-@@ -249,6 +290,22 @@ skip_to_init:
- }
- }
-
-+#ifdef OPENSSL_FIPS
-+ /* After 'key' is set no further parameters changes are permissible.
-+ * So only check for non FIPS enabling at this point.
-+ */
-+ if (key && FIPS_mode())
-+ {
-+ if (!(ctx->cipher->flags & EVP_CIPH_FLAG_FIPS)
-+ & !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW))
-+ {
-+ EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_DISABLED_FOR_FIPS);
-+ ctx->cipher = &bad_cipher;
-+ return 0;
-+ }
-+ }
-+#endif
-+
- if(key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) {
- if(!ctx->cipher->init(ctx,key,iv,enc)) return 0;
- }
-@@ -568,7 +625,6 @@ void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX
-
- int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c)
- {
--#ifndef OPENSSL_FIPS
- if (c->cipher != NULL)
- {
- if(c->cipher->cleanup && !c->cipher->cleanup(c))
-@@ -579,16 +635,12 @@ int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CT
- }
- if (c->cipher_data)
- OPENSSL_free(c->cipher_data);
--#endif
- #ifndef OPENSSL_NO_ENGINE
- if (c->engine)
- /* The EVP_CIPHER we used belongs to an ENGINE, release the
- * functional reference we held for this reason. */
- ENGINE_finish(c->engine);
- #endif
--#ifdef OPENSSL_FIPS
-- FIPS_cipher_ctx_cleanup(c);
--#endif
- memset(c,0,sizeof(EVP_CIPHER_CTX));
- return 1;
- }
-diff -up openssl-1.0.1e/crypto/evp/evp.h.fips openssl-1.0.1e/crypto/evp/evp.h
---- openssl-1.0.1e/crypto/evp/evp.h.fips 2013-10-04 11:48:04.071691675 +0200
-+++ openssl-1.0.1e/crypto/evp/evp.h 2013-10-04 11:48:04.177694068 +0200
-@@ -75,6 +75,10 @@
- #include <openssl/bio.h>
- #endif
-
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-+
- /*
- #define EVP_RC2_KEY_SIZE 16
- #define EVP_RC4_KEY_SIZE 16
-@@ -282,10 +286,6 @@ struct env_md_ctx_st
- * cleaned */
- #define EVP_MD_CTX_FLAG_REUSE 0x0004 /* Don't free up ctx->md_data
- * in EVP_MD_CTX_cleanup */
--/* FIPS and pad options are ignored in 1.0.0, definitions are here
-- * so we don't accidentally reuse the values for other purposes.
-- */
--
- #define EVP_MD_CTX_FLAG_NON_FIPS_ALLOW 0x0008 /* Allow use of non FIPS digest
- * in FIPS mode */
-
-@@ -297,6 +297,10 @@ struct env_md_ctx_st
- #define EVP_MD_CTX_FLAG_PAD_PKCS1 0x00 /* PKCS#1 v1.5 mode */
- #define EVP_MD_CTX_FLAG_PAD_X931 0x10 /* X9.31 mode */
- #define EVP_MD_CTX_FLAG_PAD_PSS 0x20 /* PSS mode */
-+#define M_EVP_MD_CTX_FLAG_PSS_SALT(ctx) \
-+ ((ctx->flags>>16) &0xFFFF) /* seed length */
-+#define EVP_MD_CTX_FLAG_PSS_MDLEN 0xFFFF /* salt len same as digest */
-+#define EVP_MD_CTX_FLAG_PSS_MREC 0xFFFE /* salt max or auto recovered */
-
- #define EVP_MD_CTX_FLAG_NO_INIT 0x0100 /* Don't initialize md_data */
-
-@@ -348,15 +352,15 @@ struct evp_cipher_st
- /* cipher handles random key generation */
- #define EVP_CIPH_RAND_KEY 0x200
- /* cipher has its own additional copying logic */
--#define EVP_CIPH_CUSTOM_COPY 0x400
-+#define EVP_CIPH_CUSTOM_COPY 0x4000
- /* Allow use default ASN1 get/set iv */
- #define EVP_CIPH_FLAG_DEFAULT_ASN1 0x1000
- /* Buffer length in bits not bytes: CFB1 mode only */
- #define EVP_CIPH_FLAG_LENGTH_BITS 0x2000
- /* Note if suitable for use in FIPS mode */
--#define EVP_CIPH_FLAG_FIPS 0x4000
-+#define EVP_CIPH_FLAG_FIPS 0x400
- /* Allow non FIPS cipher in FIPS mode */
--#define EVP_CIPH_FLAG_NON_FIPS_ALLOW 0x8000
-+#define EVP_CIPH_FLAG_NON_FIPS_ALLOW 0x800
- /* Cipher handles any and all padding logic as well
- * as finalisation.
- */
-diff -up openssl-1.0.1e/crypto/evp/evp_lib.c.fips openssl-1.0.1e/crypto/evp/evp_lib.c
---- openssl-1.0.1e/crypto/evp/evp_lib.c.fips 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/evp/evp_lib.c 2013-10-04 11:48:04.177694068 +0200
-@@ -190,6 +190,9 @@ int EVP_CIPHER_CTX_block_size(const EVP_
-
- int EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl)
- {
-+#ifdef OPENSSL_FIPS
-+ FIPS_selftest_check();
-+#endif
- return ctx->cipher->do_cipher(ctx,out,in,inl);
- }
-
-diff -up openssl-1.0.1e/crypto/evp/evp_locl.h.fips openssl-1.0.1e/crypto/evp/evp_locl.h
---- openssl-1.0.1e/crypto/evp/evp_locl.h.fips 2013-10-04 11:48:04.067691584 +0200
-+++ openssl-1.0.1e/crypto/evp/evp_locl.h 2013-10-04 11:48:04.178694091 +0200
-@@ -258,10 +258,9 @@ const EVP_CIPHER *EVP_##cname##_ecb(void
- BLOCK_CIPHER_func_cfb(cipher##_##keysize,cprefix,cbits,kstruct,ksched) \
- BLOCK_CIPHER_def_cfb(cipher##_##keysize,kstruct, \
- NID_##cipher##_##keysize, keysize/8, iv_len, cbits, \
-- 0, cipher##_init_key, NULL, \
-- EVP_CIPHER_set_asn1_iv, \
-- EVP_CIPHER_get_asn1_iv, \
-- NULL)
-+ EVP_CIPH_FLAG_DEFAULT_ASN1, \
-+ cipher##_init_key, NULL, NULL, NULL, NULL)
-+
-
- struct evp_pkey_ctx_st
- {
-@@ -367,11 +366,6 @@ int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_
- #define MD2_Init private_MD2_Init
- #define MDC2_Init private_MDC2_Init
- #define SHA_Init private_SHA_Init
--#define SHA1_Init private_SHA1_Init
--#define SHA224_Init private_SHA224_Init
--#define SHA256_Init private_SHA256_Init
--#define SHA384_Init private_SHA384_Init
--#define SHA512_Init private_SHA512_Init
-
- #define BF_set_key private_BF_set_key
- #define CAST_set_key private_CAST_set_key
-@@ -379,7 +373,6 @@ int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_
- #define SEED_set_key private_SEED_set_key
- #define RC2_set_key private_RC2_set_key
- #define RC4_set_key private_RC4_set_key
--#define DES_set_key_unchecked private_DES_set_key_unchecked
- #define Camellia_set_key private_Camellia_set_key
-
- #endif
-diff -up openssl-1.0.1e/crypto/evp/Makefile.fips openssl-1.0.1e/crypto/evp/Makefile
---- openssl-1.0.1e/crypto/evp/Makefile.fips 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/evp/Makefile 2013-10-04 11:48:04.178694091 +0200
-@@ -28,7 +28,7 @@ LIBSRC= encode.c digest.c evp_enc.c evp_
- bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c \
- c_all.c c_allc.c c_alld.c evp_lib.c bio_ok.c \
- evp_pkey.c evp_pbe.c p5_crpt.c p5_crpt2.c \
-- e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c evp_fips.c \
-+ e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c \
- e_aes_cbc_hmac_sha1.c e_rc4_hmac_md5.c
-
- LIBOBJ= encode.o digest.o evp_enc.o evp_key.o evp_acnf.o evp_cnf.o \
-@@ -41,7 +41,7 @@ LIBOBJ= encode.o digest.o evp_enc.o evp_
- bio_md.o bio_b64.o bio_enc.o evp_err.o e_null.o \
- c_all.o c_allc.o c_alld.o evp_lib.o bio_ok.o \
- evp_pkey.o evp_pbe.o p5_crpt.o p5_crpt2.o \
-- e_old.o pmeth_lib.o pmeth_fn.o pmeth_gn.o m_sigver.o evp_fips.o \
-+ e_old.o pmeth_lib.o pmeth_fn.o pmeth_gn.o m_sigver.o \
- e_aes_cbc_hmac_sha1.o e_rc4_hmac_md5.o
-
- SRC= $(LIBSRC)
-diff -up openssl-1.0.1e/crypto/evp/m_dss.c.fips openssl-1.0.1e/crypto/evp/m_dss.c
---- openssl-1.0.1e/crypto/evp/m_dss.c.fips 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/evp/m_dss.c 2013-10-04 11:48:04.178694091 +0200
-@@ -66,7 +66,6 @@
- #endif
-
- #ifndef OPENSSL_NO_SHA
--#ifndef OPENSSL_FIPS
-
- static int init(EVP_MD_CTX *ctx)
- { return SHA1_Init(ctx->md_data); }
-@@ -82,7 +81,7 @@ static const EVP_MD dsa_md=
- NID_dsaWithSHA,
- NID_dsaWithSHA,
- SHA_DIGEST_LENGTH,
-- EVP_MD_FLAG_PKEY_DIGEST,
-+ EVP_MD_FLAG_PKEY_DIGEST|EVP_MD_FLAG_FIPS,
- init,
- update,
- final,
-@@ -98,4 +97,3 @@ const EVP_MD *EVP_dss(void)
- return(&dsa_md);
- }
- #endif
--#endif
-diff -up openssl-1.0.1e/crypto/evp/m_dss1.c.fips openssl-1.0.1e/crypto/evp/m_dss1.c
---- openssl-1.0.1e/crypto/evp/m_dss1.c.fips 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/evp/m_dss1.c 2013-10-04 11:48:04.178694091 +0200
-@@ -68,8 +68,6 @@
- #include <openssl/dsa.h>
- #endif
-
--#ifndef OPENSSL_FIPS
--
- static int init(EVP_MD_CTX *ctx)
- { return SHA1_Init(ctx->md_data); }
-
-@@ -84,7 +82,7 @@ static const EVP_MD dss1_md=
- NID_dsa,
- NID_dsaWithSHA1,
- SHA_DIGEST_LENGTH,
-- EVP_MD_FLAG_PKEY_DIGEST,
-+ EVP_MD_FLAG_PKEY_DIGEST|EVP_MD_FLAG_FIPS,
- init,
- update,
- final,
-@@ -100,4 +98,3 @@ const EVP_MD *EVP_dss1(void)
- return(&dss1_md);
- }
- #endif
--#endif
-diff -up openssl-1.0.1e/crypto/evp/m_md2.c.fips openssl-1.0.1e/crypto/evp/m_md2.c
---- openssl-1.0.1e/crypto/evp/m_md2.c.fips 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/evp/m_md2.c 2013-10-04 11:48:04.178694091 +0200
-@@ -68,6 +68,7 @@
- #ifndef OPENSSL_NO_RSA
- #include <openssl/rsa.h>
- #endif
-+#include "evp_locl.h"
-
- static int init(EVP_MD_CTX *ctx)
- { return MD2_Init(ctx->md_data); }
-diff -up openssl-1.0.1e/crypto/evp/m_sha1.c.fips openssl-1.0.1e/crypto/evp/m_sha1.c
---- openssl-1.0.1e/crypto/evp/m_sha1.c.fips 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/evp/m_sha1.c 2013-10-04 11:48:04.178694091 +0200
-@@ -59,8 +59,6 @@
- #include <stdio.h>
- #include "cryptlib.h"
-
--#ifndef OPENSSL_FIPS
--
- #ifndef OPENSSL_NO_SHA
-
- #include <openssl/evp.h>
-@@ -85,7 +83,8 @@ static const EVP_MD sha1_md=
- NID_sha1,
- NID_sha1WithRSAEncryption,
- SHA_DIGEST_LENGTH,
-- EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
-+ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT|
-+ EVP_MD_FLAG_FIPS,
- init,
- update,
- final,
-@@ -122,7 +121,8 @@ static const EVP_MD sha224_md=
- NID_sha224,
- NID_sha224WithRSAEncryption,
- SHA224_DIGEST_LENGTH,
-- EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
-+ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT|
-+ EVP_MD_FLAG_FIPS,
- init224,
- update256,
- final256,
-@@ -141,7 +141,8 @@ static const EVP_MD sha256_md=
- NID_sha256,
- NID_sha256WithRSAEncryption,
- SHA256_DIGEST_LENGTH,
-- EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
-+ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT|
-+ EVP_MD_FLAG_FIPS,
- init256,
- update256,
- final256,
-@@ -172,7 +173,8 @@ static const EVP_MD sha384_md=
- NID_sha384,
- NID_sha384WithRSAEncryption,
- SHA384_DIGEST_LENGTH,
-- EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
-+ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT|
-+ EVP_MD_FLAG_FIPS,
- init384,
- update512,
- final512,
-@@ -191,7 +193,8 @@ static const EVP_MD sha512_md=
- NID_sha512,
- NID_sha512WithRSAEncryption,
- SHA512_DIGEST_LENGTH,
-- EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
-+ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT|
-+ EVP_MD_FLAG_FIPS,
- init512,
- update512,
- final512,
-@@ -206,4 +209,3 @@ const EVP_MD *EVP_sha512(void)
- { return(&sha512_md); }
- #endif /* ifndef OPENSSL_NO_SHA512 */
-
--#endif
-diff -up openssl-1.0.1e/crypto/evp/p_sign.c.fips openssl-1.0.1e/crypto/evp/p_sign.c
---- openssl-1.0.1e/crypto/evp/p_sign.c.fips 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/evp/p_sign.c 2013-10-04 11:48:04.179694114 +0200
-@@ -61,6 +61,7 @@
- #include <openssl/evp.h>
- #include <openssl/objects.h>
- #include <openssl/x509.h>
-+#include <openssl/rsa.h>
-
- #ifdef undef
- void EVP_SignInit(EVP_MD_CTX *ctx, EVP_MD *type)
-@@ -103,6 +104,22 @@ int EVP_SignFinal(EVP_MD_CTX *ctx, unsig
- goto err;
- if (EVP_PKEY_CTX_set_signature_md(pkctx, ctx->digest) <= 0)
- goto err;
-+ if (ctx->flags & EVP_MD_CTX_FLAG_PAD_X931)
-+ if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_X931_PADDING) <= 0)
-+ goto err;
-+ if (ctx->flags & EVP_MD_CTX_FLAG_PAD_PSS)
-+ {
-+ int saltlen;
-+ if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) <= 0)
-+ goto err;
-+ saltlen = M_EVP_MD_CTX_FLAG_PSS_SALT(ctx);
-+ if (saltlen == EVP_MD_CTX_FLAG_PSS_MDLEN)
-+ saltlen = -1;
-+ else if (saltlen == EVP_MD_CTX_FLAG_PSS_MREC)
-+ saltlen = -2;
-+ if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) <= 0)
-+ goto err;
-+ }
- if (EVP_PKEY_sign(pkctx, sigret, &sltmp, m, m_len) <= 0)
- goto err;
- *siglen = sltmp;
-diff -up openssl-1.0.1e/crypto/evp/p_verify.c.fips openssl-1.0.1e/crypto/evp/p_verify.c
---- openssl-1.0.1e/crypto/evp/p_verify.c.fips 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/evp/p_verify.c 2013-10-04 11:48:04.179694114 +0200
-@@ -61,6 +61,7 @@
- #include <openssl/evp.h>
- #include <openssl/objects.h>
- #include <openssl/x509.h>
-+#include <openssl/rsa.h>
-
- int EVP_VerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sigbuf,
- unsigned int siglen, EVP_PKEY *pkey)
-@@ -88,6 +89,22 @@ int EVP_VerifyFinal(EVP_MD_CTX *ctx, con
- goto err;
- if (EVP_PKEY_CTX_set_signature_md(pkctx, ctx->digest) <= 0)
- goto err;
-+ if (ctx->flags & EVP_MD_CTX_FLAG_PAD_X931)
-+ if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_X931_PADDING) <= 0)
-+ goto err;
-+ if (ctx->flags & EVP_MD_CTX_FLAG_PAD_PSS)
-+ {
-+ int saltlen;
-+ if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) <= 0)
-+ goto err;
-+ saltlen = M_EVP_MD_CTX_FLAG_PSS_SALT(ctx);
-+ if (saltlen == EVP_MD_CTX_FLAG_PSS_MDLEN)
-+ saltlen = -1;
-+ else if (saltlen == EVP_MD_CTX_FLAG_PSS_MREC)
-+ saltlen = -2;
-+ if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) <= 0)
-+ goto err;
-+ }
- i = EVP_PKEY_verify(pkctx, sigbuf, siglen, m, m_len);
- err:
- EVP_PKEY_CTX_free(pkctx);
-diff -up openssl-1.0.1e/crypto/fips/cavs/fips_aesavs.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_aesavs.c
---- openssl-1.0.1e/crypto/fips/cavs/fips_aesavs.c.fips 2013-10-04 11:48:04.179694114 +0200
-+++ openssl-1.0.1e/crypto/fips/cavs/fips_aesavs.c 2013-10-04 11:48:04.179694114 +0200
-@@ -0,0 +1,939 @@
-+/* ====================================================================
-+ * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+/*---------------------------------------------
-+ NIST AES Algorithm Validation Suite
-+ Test Program
-+
-+ Donated to OpenSSL by:
-+ V-ONE Corporation
-+ 20250 Century Blvd, Suite 300
-+ Germantown, MD 20874
-+ U.S.A.
-+ ----------------------------------------------*/
-+
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <errno.h>
-+#include <assert.h>
-+#include <ctype.h>
-+#include <openssl/aes.h>
-+#include <openssl/evp.h>
-+#include <openssl/bn.h>
-+
-+#include <openssl/err.h>
-+#include "e_os.h"
-+
-+#ifndef OPENSSL_FIPS
-+
-+int main(int argc, char *argv[])
-+{
-+ printf("No FIPS AES support\n");
-+ return(0);
-+}
-+
-+#else
-+
-+#include <openssl/fips.h>
-+#include "fips_utl.h"
-+
-+#define AES_BLOCK_SIZE 16
-+
-+#define VERBOSE 0
-+
-+/*-----------------------------------------------*/
-+
-+int AESTest(EVP_CIPHER_CTX *ctx,
-+ char *amode, int akeysz, unsigned char *aKey,
-+ unsigned char *iVec,
-+ int dir, /* 0 = decrypt, 1 = encrypt */
-+ unsigned char *plaintext, unsigned char *ciphertext, int len)
-+ {
-+ const EVP_CIPHER *cipher = NULL;
-+
-+ if (strcasecmp(amode, "CBC") == 0)
-+ {
-+ switch (akeysz)
-+ {
-+ case 128:
-+ cipher = EVP_aes_128_cbc();
-+ break;
-+
-+ case 192:
-+ cipher = EVP_aes_192_cbc();
-+ break;
-+
-+ case 256:
-+ cipher = EVP_aes_256_cbc();
-+ break;
-+ }
-+
-+ }
-+ else if (strcasecmp(amode, "ECB") == 0)
-+ {
-+ switch (akeysz)
-+ {
-+ case 128:
-+ cipher = EVP_aes_128_ecb();
-+ break;
-+
-+ case 192:
-+ cipher = EVP_aes_192_ecb();
-+ break;
-+
-+ case 256:
-+ cipher = EVP_aes_256_ecb();
-+ break;
-+ }
-+ }
-+ else if (strcasecmp(amode, "CFB128") == 0)
-+ {
-+ switch (akeysz)
-+ {
-+ case 128:
-+ cipher = EVP_aes_128_cfb128();
-+ break;
-+
-+ case 192:
-+ cipher = EVP_aes_192_cfb128();
-+ break;
-+
-+ case 256:
-+ cipher = EVP_aes_256_cfb128();
-+ break;
-+ }
-+
-+ }
-+ else if (strncasecmp(amode, "OFB", 3) == 0)
-+ {
-+ switch (akeysz)
-+ {
-+ case 128:
-+ cipher = EVP_aes_128_ofb();
-+ break;
-+
-+ case 192:
-+ cipher = EVP_aes_192_ofb();
-+ break;
-+
-+ case 256:
-+ cipher = EVP_aes_256_ofb();
-+ break;
-+ }
-+ }
-+ else if(!strcasecmp(amode,"CFB1"))
-+ {
-+ switch (akeysz)
-+ {
-+ case 128:
-+ cipher = EVP_aes_128_cfb1();
-+ break;
-+
-+ case 192:
-+ cipher = EVP_aes_192_cfb1();
-+ break;
-+
-+ case 256:
-+ cipher = EVP_aes_256_cfb1();
-+ break;
-+ }
-+ }
-+ else if(!strcasecmp(amode,"CFB8"))
-+ {
-+ switch (akeysz)
-+ {
-+ case 128:
-+ cipher = EVP_aes_128_cfb8();
-+ break;
-+
-+ case 192:
-+ cipher = EVP_aes_192_cfb8();
-+ break;
-+
-+ case 256:
-+ cipher = EVP_aes_256_cfb8();
-+ break;
-+ }
-+ }
-+ else
-+ {
-+ printf("Unknown mode: %s\n", amode);
-+ return 0;
-+ }
-+ if (!cipher)
-+ {
-+ printf("Invalid key size: %d\n", akeysz);
-+ return 0;
-+ }
-+ if (EVP_CipherInit_ex(ctx, cipher, NULL, aKey, iVec, dir) <= 0)
-+ return 0;
-+ if(!strcasecmp(amode,"CFB1"))
-+ M_EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS);
-+ if (dir)
-+ EVP_Cipher(ctx, ciphertext, plaintext, len);
-+ else
-+ EVP_Cipher(ctx, plaintext, ciphertext, len);
-+ return 1;
-+ }
-+
-+/*-----------------------------------------------*/
-+char *t_tag[2] = {"PLAINTEXT", "CIPHERTEXT"};
-+char *t_mode[6] = {"CBC","ECB","OFB","CFB1","CFB8","CFB128"};
-+enum Mode {CBC, ECB, OFB, CFB1, CFB8, CFB128};
-+enum XCrypt {XDECRYPT, XENCRYPT};
-+
-+/*=============================*/
-+/* Monte Carlo Tests */
-+/*-----------------------------*/
-+
-+/*#define gb(a,b) (((a)[(b)/8] >> ((b)%8))&1)*/
-+/*#define sb(a,b,v) ((a)[(b)/8]=((a)[(b)/8]&~(1 << ((b)%8)))|(!!(v) << ((b)%8)))*/
-+
-+#define gb(a,b) (((a)[(b)/8] >> (7-(b)%8))&1)
-+#define sb(a,b,v) ((a)[(b)/8]=((a)[(b)/8]&~(1 << (7-(b)%8)))|(!!(v) << (7-(b)%8)))
-+
-+int do_mct(char *amode,
-+ int akeysz, unsigned char *aKey,unsigned char *iVec,
-+ int dir, unsigned char *text, int len,
-+ FILE *rfp)
-+ {
-+ int ret = 0;
-+ unsigned char key[101][32];
-+ unsigned char iv[101][AES_BLOCK_SIZE];
-+ unsigned char ptext[1001][32];
-+ unsigned char ctext[1001][32];
-+ unsigned char ciphertext[64+4];
-+ int i, j, n, n1, n2;
-+ int imode = 0, nkeysz = akeysz/8;
-+ EVP_CIPHER_CTX ctx;
-+ EVP_CIPHER_CTX_init(&ctx);
-+
-+ if (len > 32)
-+ {
-+ printf("\n>>>> Length exceeds 32 for %s %d <<<<\n\n",
-+ amode, akeysz);
-+ return -1;
-+ }
-+ for (imode = 0; imode < 6; ++imode)
-+ if (strcmp(amode, t_mode[imode]) == 0)
-+ break;
-+ if (imode == 6)
-+ {
-+ printf("Unrecognized mode: %s\n", amode);
-+ return -1;
-+ }
-+
-+ memcpy(key[0], aKey, nkeysz);
-+ if (iVec)
-+ memcpy(iv[0], iVec, AES_BLOCK_SIZE);
-+ if (dir == XENCRYPT)
-+ memcpy(ptext[0], text, len);
-+ else
-+ memcpy(ctext[0], text, len);
-+ for (i = 0; i < 100; ++i)
-+ {
-+ /* printf("Iteration %d\n", i); */
-+ if (i > 0)
-+ {
-+ fprintf(rfp,"COUNT = %d\n",i);
-+ OutputValue("KEY",key[i],nkeysz,rfp,0);
-+ if (imode != ECB) /* ECB */
-+ OutputValue("IV",iv[i],AES_BLOCK_SIZE,rfp,0);
-+ /* Output Ciphertext | Plaintext */
-+ OutputValue(t_tag[dir^1],dir ? ptext[0] : ctext[0],len,rfp,
-+ imode == CFB1);
-+ }
-+ for (j = 0; j < 1000; ++j)
-+ {
-+ switch (imode)
-+ {
-+ case ECB:
-+ if (j == 0)
-+ { /* set up encryption */
-+ ret = AESTest(&ctx, amode, akeysz, key[i], NULL,
-+ dir, /* 0 = decrypt, 1 = encrypt */
-+ ptext[j], ctext[j], len);
-+ if (dir == XENCRYPT)
-+ memcpy(ptext[j+1], ctext[j], len);
-+ else
-+ memcpy(ctext[j+1], ptext[j], len);
-+ }
-+ else
-+ {
-+ if (dir == XENCRYPT)
-+ {
-+ EVP_Cipher(&ctx, ctext[j], ptext[j], len);
-+ memcpy(ptext[j+1], ctext[j], len);
-+ }
-+ else
-+ {
-+ EVP_Cipher(&ctx, ptext[j], ctext[j], len);
-+ memcpy(ctext[j+1], ptext[j], len);
-+ }
-+ }
-+ break;
-+
-+ case CBC:
-+ case OFB:
-+ case CFB128:
-+ if (j == 0)
-+ {
-+ ret = AESTest(&ctx, amode, akeysz, key[i], iv[i],
-+ dir, /* 0 = decrypt, 1 = encrypt */
-+ ptext[j], ctext[j], len);
-+ if (dir == XENCRYPT)
-+ memcpy(ptext[j+1], iv[i], len);
-+ else
-+ memcpy(ctext[j+1], iv[i], len);
-+ }
-+ else
-+ {
-+ if (dir == XENCRYPT)
-+ {
-+ EVP_Cipher(&ctx, ctext[j], ptext[j], len);
-+ memcpy(ptext[j+1], ctext[j-1], len);
-+ }
-+ else
-+ {
-+ EVP_Cipher(&ctx, ptext[j], ctext[j], len);
-+ memcpy(ctext[j+1], ptext[j-1], len);
-+ }
-+ }
-+ break;
-+
-+ case CFB8:
-+ if (j == 0)
-+ {
-+ ret = AESTest(&ctx, amode, akeysz, key[i], iv[i],
-+ dir, /* 0 = decrypt, 1 = encrypt */
-+ ptext[j], ctext[j], len);
-+ }
-+ else
-+ {
-+ if (dir == XENCRYPT)
-+ EVP_Cipher(&ctx, ctext[j], ptext[j], len);
-+ else
-+ EVP_Cipher(&ctx, ptext[j], ctext[j], len);
-+ }
-+ if (dir == XENCRYPT)
-+ {
-+ if (j < 16)
-+ memcpy(ptext[j+1], &iv[i][j], len);
-+ else
-+ memcpy(ptext[j+1], ctext[j-16], len);
-+ }
-+ else
-+ {
-+ if (j < 16)
-+ memcpy(ctext[j+1], &iv[i][j], len);
-+ else
-+ memcpy(ctext[j+1], ptext[j-16], len);
-+ }
-+ break;
-+
-+ case CFB1:
-+ if(j == 0)
-+ {
-+#if 0
-+ /* compensate for wrong endianness of input file */
-+ if(i == 0)
-+ ptext[0][0]<<=7;
-+#endif
-+ ret = AESTest(&ctx,amode,akeysz,key[i],iv[i],dir,
-+ ptext[j], ctext[j], len);
-+ }
-+ else
-+ {
-+ if (dir == XENCRYPT)
-+ EVP_Cipher(&ctx, ctext[j], ptext[j], len);
-+ else
-+ EVP_Cipher(&ctx, ptext[j], ctext[j], len);
-+
-+ }
-+ if(dir == XENCRYPT)
-+ {
-+ if(j < 128)
-+ sb(ptext[j+1],0,gb(iv[i],j));
-+ else
-+ sb(ptext[j+1],0,gb(ctext[j-128],0));
-+ }
-+ else
-+ {
-+ if(j < 128)
-+ sb(ctext[j+1],0,gb(iv[i],j));
-+ else
-+ sb(ctext[j+1],0,gb(ptext[j-128],0));
-+ }
-+ break;
-+ }
-+ }
-+ --j; /* reset to last of range */
-+ /* Output Ciphertext | Plaintext */
-+ OutputValue(t_tag[dir],dir ? ctext[j] : ptext[j],len,rfp,
-+ imode == CFB1);
-+ fprintf(rfp, "\n"); /* add separator */
-+
-+ /* Compute next KEY */
-+ if (dir == XENCRYPT)
-+ {
-+ if (imode == CFB8)
-+ { /* ct = CT[j-15] || CT[j-14] || ... || CT[j] */
-+ for (n1 = 0, n2 = nkeysz-1; n1 < nkeysz; ++n1, --n2)
-+ ciphertext[n1] = ctext[j-n2][0];
-+ }
-+ else if(imode == CFB1)
-+ {
-+ for(n1=0,n2=akeysz-1 ; n1 < akeysz ; ++n1,--n2)
-+ sb(ciphertext,n1,gb(ctext[j-n2],0));
-+ }
-+ else
-+ switch (akeysz)
-+ {
-+ case 128:
-+ memcpy(ciphertext, ctext[j], 16);
-+ break;
-+ case 192:
-+ memcpy(ciphertext, ctext[j-1]+8, 8);
-+ memcpy(ciphertext+8, ctext[j], 16);
-+ break;
-+ case 256:
-+ memcpy(ciphertext, ctext[j-1], 16);
-+ memcpy(ciphertext+16, ctext[j], 16);
-+ break;
-+ }
-+ }
-+ else
-+ {
-+ if (imode == CFB8)
-+ { /* ct = CT[j-15] || CT[j-14] || ... || CT[j] */
-+ for (n1 = 0, n2 = nkeysz-1; n1 < nkeysz; ++n1, --n2)
-+ ciphertext[n1] = ptext[j-n2][0];
-+ }
-+ else if(imode == CFB1)
-+ {
-+ for(n1=0,n2=akeysz-1 ; n1 < akeysz ; ++n1,--n2)
-+ sb(ciphertext,n1,gb(ptext[j-n2],0));
-+ }
-+ else
-+ switch (akeysz)
-+ {
-+ case 128:
-+ memcpy(ciphertext, ptext[j], 16);
-+ break;
-+ case 192:
-+ memcpy(ciphertext, ptext[j-1]+8, 8);
-+ memcpy(ciphertext+8, ptext[j], 16);
-+ break;
-+ case 256:
-+ memcpy(ciphertext, ptext[j-1], 16);
-+ memcpy(ciphertext+16, ptext[j], 16);
-+ break;
-+ }
-+ }
-+ /* Compute next key: Key[i+1] = Key[i] xor ct */
-+ for (n = 0; n < nkeysz; ++n)
-+ key[i+1][n] = key[i][n] ^ ciphertext[n];
-+
-+ /* Compute next IV and text */
-+ if (dir == XENCRYPT)
-+ {
-+ switch (imode)
-+ {
-+ case ECB:
-+ memcpy(ptext[0], ctext[j], AES_BLOCK_SIZE);
-+ break;
-+ case CBC:
-+ case OFB:
-+ case CFB128:
-+ memcpy(iv[i+1], ctext[j], AES_BLOCK_SIZE);
-+ memcpy(ptext[0], ctext[j-1], AES_BLOCK_SIZE);
-+ break;
-+ case CFB8:
-+ /* IV[i+1] = ct */
-+ for (n1 = 0, n2 = 15; n1 < 16; ++n1, --n2)
-+ iv[i+1][n1] = ctext[j-n2][0];
-+ ptext[0][0] = ctext[j-16][0];
-+ break;
-+ case CFB1:
-+ for(n1=0,n2=127 ; n1 < 128 ; ++n1,--n2)
-+ sb(iv[i+1],n1,gb(ctext[j-n2],0));
-+ ptext[0][0]=ctext[j-128][0]&0x80;
-+ break;
-+ }
-+ }
-+ else
-+ {
-+ switch (imode)
-+ {
-+ case ECB:
-+ memcpy(ctext[0], ptext[j], AES_BLOCK_SIZE);
-+ break;
-+ case CBC:
-+ case OFB:
-+ case CFB128:
-+ memcpy(iv[i+1], ptext[j], AES_BLOCK_SIZE);
-+ memcpy(ctext[0], ptext[j-1], AES_BLOCK_SIZE);
-+ break;
-+ case CFB8:
-+ for (n1 = 0, n2 = 15; n1 < 16; ++n1, --n2)
-+ iv[i+1][n1] = ptext[j-n2][0];
-+ ctext[0][0] = ptext[j-16][0];
-+ break;
-+ case CFB1:
-+ for(n1=0,n2=127 ; n1 < 128 ; ++n1,--n2)
-+ sb(iv[i+1],n1,gb(ptext[j-n2],0));
-+ ctext[0][0]=ptext[j-128][0]&0x80;
-+ break;
-+ }
-+ }
-+ }
-+
-+ return ret;
-+ }
-+
-+/*================================================*/
-+/*----------------------------
-+ # Config info for v-one
-+ # AESVS MMT test data for ECB
-+ # State : Encrypt and Decrypt
-+ # Key Length : 256
-+ # Fri Aug 30 04:07:22 PM
-+ ----------------------------*/
-+
-+int proc_file(char *rqfile, char *rspfile)
-+ {
-+ char afn[256], rfn[256];
-+ FILE *afp = NULL, *rfp = NULL;
-+ char ibuf[2048];
-+ char tbuf[2048];
-+ int ilen, len, ret = 0;
-+ char algo[8] = "";
-+ char amode[8] = "";
-+ char atest[8] = "";
-+ int akeysz = 0;
-+ unsigned char iVec[20], aKey[40];
-+ int dir = -1, err = 0, step = 0;
-+ unsigned char plaintext[2048];
-+ unsigned char ciphertext[2048];
-+ char *rp;
-+ EVP_CIPHER_CTX ctx;
-+ EVP_CIPHER_CTX_init(&ctx);
-+
-+ if (!rqfile || !(*rqfile))
-+ {
-+ printf("No req file\n");
-+ return -1;
-+ }
-+ strcpy(afn, rqfile);
-+
-+ if ((afp = fopen(afn, "r")) == NULL)
-+ {
-+ printf("Cannot open file: %s, %s\n",
-+ afn, strerror(errno));
-+ return -1;
-+ }
-+ if (!rspfile)
-+ {
-+ strcpy(rfn,afn);
-+ rp=strstr(rfn,"req/");
-+#ifdef OPENSSL_SYS_WIN32
-+ if (!rp)
-+ rp=strstr(rfn,"req\\");
-+#endif
-+ assert(rp);
-+ memcpy(rp,"rsp",3);
-+ rp = strstr(rfn, ".req");
-+ memcpy(rp, ".rsp", 4);
-+ rspfile = rfn;
-+ }
-+ if ((rfp = fopen(rspfile, "w")) == NULL)
-+ {
-+ printf("Cannot open file: %s, %s\n",
-+ rfn, strerror(errno));
-+ fclose(afp);
-+ afp = NULL;
-+ return -1;
-+ }
-+ while (!err && (fgets(ibuf, sizeof(ibuf), afp)) != NULL)
-+ {
-+ tidy_line(tbuf, ibuf);
-+ ilen = strlen(ibuf);
-+ /* printf("step=%d ibuf=%s",step,ibuf); */
-+ switch (step)
-+ {
-+ case 0: /* read preamble */
-+ if (ibuf[0] == '\n')
-+ { /* end of preamble */
-+ if ((*algo == '\0') ||
-+ (*amode == '\0') ||
-+ (akeysz == 0))
-+ {
-+ printf("Missing Algorithm, Mode or KeySize (%s/%s/%d)\n",
-+ algo,amode,akeysz);
-+ err = 1;
-+ }
-+ else
-+ {
-+ fputs(ibuf, rfp);
-+ ++ step;
-+ }
-+ }
-+ else if (ibuf[0] != '#')
-+ {
-+ printf("Invalid preamble item: %s\n", ibuf);
-+ err = 1;
-+ }
-+ else
-+ { /* process preamble */
-+ char *xp, *pp = ibuf+2;
-+ int n;
-+ if (akeysz)
-+ { /* insert current time & date */
-+ time_t rtim = time(0);
-+ fprintf(rfp, "# %s", ctime(&rtim));
-+ }
-+ else
-+ {
-+ fputs(ibuf, rfp);
-+ if (strncmp(pp, "AESVS ", 6) == 0)
-+ {
-+ strcpy(algo, "AES");
-+ /* get test type */
-+ pp += 6;
-+ xp = strchr(pp, ' ');
-+ n = xp-pp;
-+ strncpy(atest, pp, n);
-+ atest[n] = '\0';
-+ /* get mode */
-+ xp = strrchr(pp, ' '); /* get mode" */
-+ n = strlen(xp+1)-1;
-+ strncpy(amode, xp+1, n);
-+ amode[n] = '\0';
-+ /* amode[3] = '\0'; */
-+ if (VERBOSE)
-+ printf("Test = %s, Mode = %s\n", atest, amode);
-+ }
-+ else if (strncasecmp(pp, "Key Length : ", 13) == 0)
-+ {
-+ akeysz = atoi(pp+13);
-+ if (VERBOSE)
-+ printf("Key size = %d\n", akeysz);
-+ }
-+ }
-+ }
-+ break;
-+
-+ case 1: /* [ENCRYPT] | [DECRYPT] */
-+ if (ibuf[0] == '[')
-+ {
-+ fputs(ibuf, rfp);
-+ ++step;
-+ if (strncasecmp(ibuf, "[ENCRYPT]", 9) == 0)
-+ dir = 1;
-+ else if (strncasecmp(ibuf, "[DECRYPT]", 9) == 0)
-+ dir = 0;
-+ else
-+ {
-+ printf("Invalid keyword: %s\n", ibuf);
-+ err = 1;
-+ }
-+ break;
-+ }
-+ else if (dir == -1)
-+ {
-+ err = 1;
-+ printf("Missing ENCRYPT/DECRYPT keyword\n");
-+ break;
-+ }
-+ else
-+ step = 2;
-+
-+ case 2: /* KEY = xxxx */
-+ fputs(ibuf, rfp);
-+ if(*ibuf == '\n')
-+ break;
-+ if(!strncasecmp(ibuf,"COUNT = ",8))
-+ break;
-+
-+ if (strncasecmp(ibuf, "KEY = ", 6) != 0)
-+ {
-+ printf("Missing KEY\n");
-+ err = 1;
-+ }
-+ else
-+ {
-+ len = hex2bin((char*)ibuf+6, aKey);
-+ if (len < 0)
-+ {
-+ printf("Invalid KEY\n");
-+ err =1;
-+ break;
-+ }
-+ PrintValue("KEY", aKey, len);
-+ if (strcmp(amode, "ECB") == 0)
-+ {
-+ memset(iVec, 0, sizeof(iVec));
-+ step = (dir)? 4: 5; /* no ivec for ECB */
-+ }
-+ else
-+ ++step;
-+ }
-+ break;
-+
-+ case 3: /* IV = xxxx */
-+ fputs(ibuf, rfp);
-+ if (strncasecmp(ibuf, "IV = ", 5) != 0)
-+ {
-+ printf("Missing IV\n");
-+ err = 1;
-+ }
-+ else
-+ {
-+ len = hex2bin((char*)ibuf+5, iVec);
-+ if (len < 0)
-+ {
-+ printf("Invalid IV\n");
-+ err =1;
-+ break;
-+ }
-+ PrintValue("IV", iVec, len);
-+ step = (dir)? 4: 5;
-+ }
-+ break;
-+
-+ case 4: /* PLAINTEXT = xxxx */
-+ fputs(ibuf, rfp);
-+ if (strncasecmp(ibuf, "PLAINTEXT = ", 12) != 0)
-+ {
-+ printf("Missing PLAINTEXT\n");
-+ err = 1;
-+ }
-+ else
-+ {
-+ int nn = strlen(ibuf+12);
-+ if(!strcmp(amode,"CFB1"))
-+ len=bint2bin(ibuf+12,nn-1,plaintext);
-+ else
-+ len=hex2bin(ibuf+12, plaintext);
-+ if (len < 0)
-+ {
-+ printf("Invalid PLAINTEXT: %s", ibuf+12);
-+ err =1;
-+ break;
-+ }
-+ if (len >= sizeof(plaintext))
-+ {
-+ printf("Buffer overflow\n");
-+ }
-+ PrintValue("PLAINTEXT", (unsigned char*)plaintext, len);
-+ if (strcmp(atest, "MCT") == 0) /* Monte Carlo Test */
-+ {
-+ if(do_mct(amode, akeysz, aKey, iVec,
-+ dir, (unsigned char*)plaintext, len,
-+ rfp) < 0)
-+ EXIT(1);
-+ }
-+ else
-+ {
-+ ret = AESTest(&ctx, amode, akeysz, aKey, iVec,
-+ dir, /* 0 = decrypt, 1 = encrypt */
-+ plaintext, ciphertext, len);
-+ OutputValue("CIPHERTEXT",ciphertext,len,rfp,
-+ !strcmp(amode,"CFB1"));
-+ }
-+ step = 6;
-+ }
-+ break;
-+
-+ case 5: /* CIPHERTEXT = xxxx */
-+ fputs(ibuf, rfp);
-+ if (strncasecmp(ibuf, "CIPHERTEXT = ", 13) != 0)
-+ {
-+ printf("Missing KEY\n");
-+ err = 1;
-+ }
-+ else
-+ {
-+ if(!strcmp(amode,"CFB1"))
-+ len=bint2bin(ibuf+13,strlen(ibuf+13)-1,ciphertext);
-+ else
-+ len = hex2bin(ibuf+13,ciphertext);
-+ if (len < 0)
-+ {
-+ printf("Invalid CIPHERTEXT\n");
-+ err =1;
-+ break;
-+ }
-+
-+ PrintValue("CIPHERTEXT", ciphertext, len);
-+ if (strcmp(atest, "MCT") == 0) /* Monte Carlo Test */
-+ {
-+ do_mct(amode, akeysz, aKey, iVec,
-+ dir, ciphertext, len, rfp);
-+ }
-+ else
-+ {
-+ ret = AESTest(&ctx, amode, akeysz, aKey, iVec,
-+ dir, /* 0 = decrypt, 1 = encrypt */
-+ plaintext, ciphertext, len);
-+ OutputValue("PLAINTEXT",(unsigned char *)plaintext,len,rfp,
-+ !strcmp(amode,"CFB1"));
-+ }
-+ step = 6;
-+ }
-+ break;
-+
-+ case 6:
-+ if (ibuf[0] != '\n')
-+ {
-+ err = 1;
-+ printf("Missing terminator\n");
-+ }
-+ else if (strcmp(atest, "MCT") != 0)
-+ { /* MCT already added terminating nl */
-+ fputs(ibuf, rfp);
-+ }
-+ step = 1;
-+ break;
-+ }
-+ }
-+ if (rfp)
-+ fclose(rfp);
-+ if (afp)
-+ fclose(afp);
-+ return err;
-+ }
-+
-+/*--------------------------------------------------
-+ Processes either a single file or
-+ a set of files whose names are passed in a file.
-+ A single file is specified as:
-+ aes_test -f xxx.req
-+ A set of files is specified as:
-+ aes_test -d xxxxx.xxx
-+ The default is: -d req.txt
-+--------------------------------------------------*/
-+int main(int argc, char **argv)
-+ {
-+ char *rqlist = "req.txt", *rspfile = NULL;
-+ FILE *fp = NULL;
-+ char fn[250] = "", rfn[256] = "";
-+ int f_opt = 0, d_opt = 1;
-+
-+#ifdef OPENSSL_FIPS
-+ if(!FIPS_mode_set(1))
-+ {
-+ do_print_errors();
-+ EXIT(1);
-+ }
-+#endif
-+ if (argc > 1)
-+ {
-+ if (strcasecmp(argv[1], "-d") == 0)
-+ {
-+ d_opt = 1;
-+ }
-+ else if (strcasecmp(argv[1], "-f") == 0)
-+ {
-+ f_opt = 1;
-+ d_opt = 0;
-+ }
-+ else
-+ {
-+ printf("Invalid parameter: %s\n", argv[1]);
-+ return 0;
-+ }
-+ if (argc < 3)
-+ {
-+ printf("Missing parameter\n");
-+ return 0;
-+ }
-+ if (d_opt)
-+ rqlist = argv[2];
-+ else
-+ {
-+ strcpy(fn, argv[2]);
-+ rspfile = argv[3];
-+ }
-+ }
-+ if (d_opt)
-+ { /* list of files (directory) */
-+ if (!(fp = fopen(rqlist, "r")))
-+ {
-+ printf("Cannot open req list file\n");
-+ return -1;
-+ }
-+ while (fgets(fn, sizeof(fn), fp))
-+ {
-+ strtok(fn, "\r\n");
-+ strcpy(rfn, fn);
-+ if (VERBOSE)
-+ printf("Processing: %s\n", rfn);
-+ if (proc_file(rfn, rspfile))
-+ {
-+ printf(">>> Processing failed for: %s <<<\n", rfn);
-+ EXIT(1);
-+ }
-+ }
-+ fclose(fp);
-+ }
-+ else /* single file */
-+ {
-+ if (VERBOSE)
-+ printf("Processing: %s\n", fn);
-+ if (proc_file(fn, rspfile))
-+ {
-+ printf(">>> Processing failed for: %s <<<\n", fn);
-+ }
-+ }
-+ EXIT(0);
-+ return 0;
-+ }
-+
-+#endif
-diff -up openssl-1.0.1e/crypto/fips/cavs/fips_cmactest.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_cmactest.c
---- openssl-1.0.1e/crypto/fips/cavs/fips_cmactest.c.fips 2013-10-04 11:48:04.179694114 +0200
-+++ openssl-1.0.1e/crypto/fips/cavs/fips_cmactest.c 2013-10-04 11:48:04.179694114 +0200
-@@ -0,0 +1,517 @@
-+/* fips_cmactest.c */
-+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
-+ * project 2005.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ *
-+ * This product includes cryptographic software written by Eric Young
-+ * (eay@cryptsoft.com). This product includes software written by Tim
-+ * Hudson (tjh@cryptsoft.com).
-+ *
-+ */
-+
-+#define OPENSSL_FIPSAPI
-+
-+#include <stdio.h>
-+#include <ctype.h>
-+#include <string.h>
-+#include <openssl/bio.h>
-+#include <openssl/evp.h>
-+#include <openssl/cmac.h>
-+#include <openssl/err.h>
-+#include <openssl/bn.h>
-+
-+#ifndef OPENSSL_FIPS
-+
-+int main(int argc, char *argv[])
-+{
-+ printf("No FIPS CMAC support\n");
-+ return(0);
-+}
-+
-+#else
-+
-+#include <openssl/fips.h>
-+#include "fips_utl.h"
-+
-+static int cmac_test(const EVP_CIPHER *cipher, FILE *out, FILE *in,
-+ int mode, int Klen_counts_keys, int known_keylen);
-+static int print_cmac_gen(const EVP_CIPHER *cipher, FILE *out,
-+ unsigned char *Key, int Klen,
-+ unsigned char *Msg, int Msglen,
-+ int Tlen);
-+static int print_cmac_ver(const EVP_CIPHER *cipher, FILE *out,
-+ unsigned char *Key, int Klen,
-+ unsigned char *Msg, int Msglen,
-+ unsigned char *Mac, int Maclen,
-+ int Tlen);
-+
-+#ifdef FIPS_ALGVS
-+int fips_cmactest_main(int argc, char **argv)
-+#else
-+int main(int argc, char **argv)
-+#endif
-+ {
-+ FILE *in = NULL, *out = NULL;
-+ int mode = 0; /* 0 => Generate, 1 => Verify */
-+ int Klen_counts_keys = 0; /* 0 => Klen is size of one key
-+ 1 => Klen is amount of keys
-+ */
-+ int known_keylen = 0; /* Only set when Klen_counts_keys = 1 */
-+ const EVP_CIPHER *cipher = 0;
-+ int ret = 1;
-+ fips_algtest_init();
-+
-+ while (argc > 1 && argv[1][0] == '-')
-+ {
-+ switch (argv[1][1])
-+ {
-+ case 'a':
-+ {
-+ char *p = &argv[1][2];
-+ if (*p == '\0')
-+ {
-+ if (argc <= 2)
-+ {
-+ fprintf(stderr, "Option %s needs a value\n", argv[1]);
-+ goto end;
-+ }
-+ argv++;
-+ argc--;
-+ p = &argv[1][0];
-+ }
-+ if (!strcmp(p, "aes128"))
-+ cipher = EVP_aes_128_cbc();
-+ else if (!strcmp(p, "aes192"))
-+ cipher = EVP_aes_192_cbc();
-+ else if (!strcmp(p, "aes256"))
-+ cipher = EVP_aes_256_cbc();
-+ else if (!strcmp(p, "tdea3") || !strcmp(p, "tdes3"))
-+ {
-+ cipher = EVP_des_ede3_cbc();
-+ Klen_counts_keys = 1;
-+ known_keylen = 8;
-+ }
-+ else
-+ {
-+ fprintf(stderr, "Unknown algorithm %s\n", p);
-+ goto end;
-+ }
-+ }
-+ break;
-+ case 'g':
-+ mode = 0;
-+ break;
-+ case 'v':
-+ mode = 1;
-+ break;
-+ default:
-+ fprintf(stderr, "Unknown option %s\n", argv[1]);
-+ goto end;
-+ }
-+ argv++;
-+ argc--;
-+ }
-+ if (argc == 1)
-+ in = stdin;
-+ else
-+ in = fopen(argv[1], "r");
-+
-+ if (argc < 2)
-+ out = stdout;
-+ else
-+ out = fopen(argv[2], "w");
-+
-+ if (!in)
-+ {
-+ fprintf(stderr, "FATAL input initialization error\n");
-+ goto end;
-+ }
-+
-+ if (!out)
-+ {
-+ fprintf(stderr, "FATAL output initialization error\n");
-+ goto end;
-+ }
-+
-+ if (!cmac_test(cipher, out, in, mode,
-+ Klen_counts_keys, known_keylen))
-+ {
-+ fprintf(stderr, "FATAL cmac file processing error\n");
-+ goto end;
-+ }
-+ else
-+ ret = 0;
-+
-+ end:
-+
-+ if (in && (in != stdin))
-+ fclose(in);
-+ if (out && (out != stdout))
-+ fclose(out);
-+
-+ return ret;
-+
-+ }
-+
-+#define CMAC_TEST_MAXLINELEN 150000
-+
-+int cmac_test(const EVP_CIPHER *cipher, FILE *out, FILE *in,
-+ int mode, int Klen_counts_keys, int known_keylen)
-+ {
-+ char *linebuf, *olinebuf, *p, *q;
-+ char *keyword, *value;
-+ unsigned char **Keys = NULL, *Msg = NULL, *Mac = NULL;
-+ unsigned char *Key = NULL;
-+ int Count, Klen, Mlen, Tlen;
-+ long Keylen, Msglen, Maclen;
-+ int ret = 0;
-+ int lnum = 0;
-+
-+ olinebuf = OPENSSL_malloc(CMAC_TEST_MAXLINELEN);
-+ linebuf = OPENSSL_malloc(CMAC_TEST_MAXLINELEN);
-+
-+ if (!linebuf || !olinebuf)
-+ goto error;
-+
-+ Count = -1;
-+ Klen = -1;
-+ Mlen = -1;
-+ Tlen = -1;
-+
-+ while (fgets(olinebuf, CMAC_TEST_MAXLINELEN, in))
-+ {
-+ lnum++;
-+ strcpy(linebuf, olinebuf);
-+ keyword = linebuf;
-+ /* Skip leading space */
-+ while (isspace((unsigned char)*keyword))
-+ keyword++;
-+
-+ /* Skip comments */
-+ if (keyword[0] == '#')
-+ {
-+ if (fputs(olinebuf, out) < 0)
-+ goto error;
-+ continue;
-+ }
-+
-+ /* Look for = sign */
-+ p = strchr(linebuf, '=');
-+
-+ /* If no = or starts with [ (for [L=20] line) just copy */
-+ if (!p)
-+ {
-+ if (fputs(olinebuf, out) < 0)
-+ goto error;
-+ continue;
-+ }
-+
-+ q = p - 1;
-+
-+ /* Remove trailing space */
-+ while (isspace((unsigned char)*q))
-+ *q-- = 0;
-+
-+ *p = 0;
-+ value = p + 1;
-+
-+ /* Remove leading space from value */
-+ while (isspace((unsigned char)*value))
-+ value++;
-+
-+ /* Remove trailing space from value */
-+ p = value + strlen(value) - 1;
-+
-+ while (*p == '\n' || isspace((unsigned char)*p))
-+ *p-- = 0;
-+
-+ if (!strcmp(keyword, "Count"))
-+ {
-+ if (Count != -1)
-+ goto parse_error;
-+ Count = atoi(value);
-+ if (Count < 0)
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "Klen"))
-+ {
-+ if (Klen != -1)
-+ goto parse_error;
-+ Klen = atoi(value);
-+ if (Klen < 0)
-+ goto parse_error;
-+ if (Klen_counts_keys)
-+ {
-+ Keys = OPENSSL_malloc(sizeof(*Keys) * Klen);
-+ memset(Keys, '\0', sizeof(*Keys) * Klen);
-+ }
-+ else
-+ {
-+ Keys = OPENSSL_malloc(sizeof(*Keys));
-+ memset(Keys, '\0', sizeof(*Keys));
-+ }
-+ }
-+ else if (!strcmp(keyword, "Mlen"))
-+ {
-+ if (Mlen != -1)
-+ goto parse_error;
-+ Mlen = atoi(value);
-+ if (Mlen < 0)
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "Tlen"))
-+ {
-+ if (Tlen != -1)
-+ goto parse_error;
-+ Tlen = atoi(value);
-+ if (Tlen < 0)
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "Key") && !Klen_counts_keys)
-+ {
-+ if (Keys[0])
-+ goto parse_error;
-+ Keys[0] = hex2bin_m(value, &Keylen);
-+ if (!Keys[0])
-+ goto parse_error;
-+ }
-+ else if (!strncmp(keyword, "Key", 3) && Klen_counts_keys)
-+ {
-+ int keynum = atoi(keyword + 3);
-+ if (!keynum || keynum > Klen || Keys[keynum-1])
-+ goto parse_error;
-+ Keys[keynum-1] = hex2bin_m(value, &Keylen);
-+ if (!Keys[keynum-1])
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "Msg"))
-+ {
-+ if (Msg)
-+ goto parse_error;
-+ Msg = hex2bin_m(value, &Msglen);
-+ if (!Msg)
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "Mac"))
-+ {
-+ if (mode == 0)
-+ continue;
-+ if (Mac)
-+ goto parse_error;
-+ Mac = hex2bin_m(value, &Maclen);
-+ if (!Mac)
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "Result"))
-+ {
-+ if (mode == 1)
-+ continue;
-+ goto parse_error;
-+ }
-+ else
-+ goto parse_error;
-+
-+ fputs(olinebuf, out);
-+
-+ if (Keys && Msg && (!mode || Mac) && (Tlen > 0) && (Klen > 0))
-+ {
-+ if (Klen_counts_keys)
-+ {
-+ int x;
-+ Key = OPENSSL_malloc(Klen * known_keylen);
-+ for (x = 0; x < Klen; x++)
-+ {
-+ memcpy(Key + x * known_keylen,
-+ Keys[x], known_keylen);
-+ OPENSSL_free(Keys[x]);
-+ }
-+ Klen *= known_keylen;
-+ }
-+ else
-+ {
-+ Key = OPENSSL_malloc(Klen);
-+ memcpy(Key, Keys[0], Klen);
-+ OPENSSL_free(Keys[0]);
-+ }
-+ OPENSSL_free(Keys);
-+
-+ switch(mode)
-+ {
-+ case 0:
-+ if (!print_cmac_gen(cipher, out,
-+ Key, Klen,
-+ Msg, Mlen,
-+ Tlen))
-+ goto error;
-+ break;
-+ case 1:
-+ if (!print_cmac_ver(cipher, out,
-+ Key, Klen,
-+ Msg, Mlen,
-+ Mac, Maclen,
-+ Tlen))
-+ goto error;
-+ break;
-+ }
-+
-+ OPENSSL_free(Key);
-+ Key = NULL;
-+ OPENSSL_free(Msg);
-+ Msg = NULL;
-+ OPENSSL_free(Mac);
-+ Mac = NULL;
-+ Klen = -1;
-+ Mlen = -1;
-+ Tlen = -1;
-+ Count = -1;
-+ }
-+ }
-+
-+
-+ ret = 1;
-+
-+
-+ error:
-+
-+ if (olinebuf)
-+ OPENSSL_free(olinebuf);
-+ if (linebuf)
-+ OPENSSL_free(linebuf);
-+ if (Key)
-+ OPENSSL_free(Key);
-+ if (Msg)
-+ OPENSSL_free(Msg);
-+ if (Mac)
-+ OPENSSL_free(Mac);
-+
-+ return ret;
-+
-+ parse_error:
-+
-+ fprintf(stderr, "FATAL parse error processing line %d\n", lnum);
-+
-+ goto error;
-+
-+ }
-+
-+static int print_cmac_gen(const EVP_CIPHER *cipher, FILE *out,
-+ unsigned char *Key, int Klen,
-+ unsigned char *Msg, int Mlen,
-+ int Tlen)
-+ {
-+ int rc, i;
-+ size_t reslen;
-+ unsigned char res[128];
-+ CMAC_CTX *cmac_ctx = CMAC_CTX_new();
-+
-+ CMAC_Init(cmac_ctx, Key, Klen, cipher, 0);
-+ CMAC_Update(cmac_ctx, Msg, Mlen);
-+ if (!CMAC_Final(cmac_ctx, res, &reslen))
-+ {
-+ fputs("Error calculating CMAC\n", stderr);
-+ rc = 0;
-+ }
-+ else if (Tlen > (int)reslen)
-+ {
-+ fputs("Parameter error, Tlen > CMAC length\n", stderr);
-+ rc = 0;
-+ }
-+ else
-+ {
-+ fputs("Mac = ", out);
-+ for (i = 0; i < Tlen; i++)
-+ fprintf(out, "%02x", res[i]);
-+ fputs(RESP_EOL, out);
-+ rc = 1;
-+ }
-+ CMAC_CTX_free(cmac_ctx);
-+ return rc;
-+ }
-+
-+static int print_cmac_ver(const EVP_CIPHER *cipher, FILE *out,
-+ unsigned char *Key, int Klen,
-+ unsigned char *Msg, int Mlen,
-+ unsigned char *Mac, int Maclen,
-+ int Tlen)
-+ {
-+ int rc = 1;
-+ size_t reslen;
-+ unsigned char res[128];
-+ CMAC_CTX *cmac_ctx = CMAC_CTX_new();
-+
-+ CMAC_Init(cmac_ctx, Key, Klen, cipher, 0);
-+ CMAC_Update(cmac_ctx, Msg, Mlen);
-+ if (!CMAC_Final(cmac_ctx, res, &reslen))
-+ {
-+ fputs("Error calculating CMAC\n", stderr);
-+ rc = 0;
-+ }
-+ else if (Tlen > (int)reslen)
-+ {
-+ fputs("Parameter error, Tlen > CMAC length\n", stderr);
-+ rc = 0;
-+ }
-+ else if (Tlen != Maclen)
-+ {
-+ fputs("Parameter error, Tlen != resulting Mac length\n", stderr);
-+ rc = 0;
-+ }
-+ else
-+ {
-+ if (!memcmp(Mac, res, Maclen))
-+ fputs("Result = P" RESP_EOL, out);
-+ else
-+ fputs("Result = F" RESP_EOL, out);
-+ }
-+ CMAC_CTX_free(cmac_ctx);
-+ return rc;
-+ }
-+
-+#endif
-diff -up openssl-1.0.1e/crypto/fips/cavs/fips_desmovs.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_desmovs.c
---- openssl-1.0.1e/crypto/fips/cavs/fips_desmovs.c.fips 2013-10-04 11:48:04.180694136 +0200
-+++ openssl-1.0.1e/crypto/fips/cavs/fips_desmovs.c 2013-10-04 11:48:04.180694136 +0200
-@@ -0,0 +1,702 @@
-+/* ====================================================================
-+ * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+/*---------------------------------------------
-+ NIST DES Modes of Operation Validation System
-+ Test Program
-+
-+ Based on the AES Validation Suite, which was:
-+ Donated to OpenSSL by:
-+ V-ONE Corporation
-+ 20250 Century Blvd, Suite 300
-+ Germantown, MD 20874
-+ U.S.A.
-+ ----------------------------------------------*/
-+
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <errno.h>
-+#include <assert.h>
-+#include <ctype.h>
-+#include <openssl/des.h>
-+#include <openssl/evp.h>
-+#include <openssl/bn.h>
-+
-+#include <openssl/err.h>
-+#include "e_os.h"
-+
-+#ifndef OPENSSL_FIPS
-+
-+int main(int argc, char *argv[])
-+{
-+ printf("No FIPS DES support\n");
-+ return(0);
-+}
-+
-+#else
-+
-+#include <openssl/fips.h>
-+#include "fips_utl.h"
-+
-+#define DES_BLOCK_SIZE 8
-+
-+#define VERBOSE 0
-+
-+int DESTest(EVP_CIPHER_CTX *ctx,
-+ char *amode, int akeysz, unsigned char *aKey,
-+ unsigned char *iVec,
-+ int dir, /* 0 = decrypt, 1 = encrypt */
-+ unsigned char *out, unsigned char *in, int len)
-+ {
-+ const EVP_CIPHER *cipher = NULL;
-+
-+ if (akeysz != 192)
-+ {
-+ printf("Invalid key size: %d\n", akeysz);
-+ EXIT(1);
-+ }
-+
-+ if (strcasecmp(amode, "CBC") == 0)
-+ cipher = EVP_des_ede3_cbc();
-+ else if (strcasecmp(amode, "ECB") == 0)
-+ cipher = EVP_des_ede3_ecb();
-+ else if (strcasecmp(amode, "CFB64") == 0)
-+ cipher = EVP_des_ede3_cfb64();
-+ else if (strncasecmp(amode, "OFB", 3) == 0)
-+ cipher = EVP_des_ede3_ofb();
-+ else if(!strcasecmp(amode,"CFB8"))
-+ cipher = EVP_des_ede3_cfb8();
-+ else if(!strcasecmp(amode,"CFB1"))
-+ cipher = EVP_des_ede3_cfb1();
-+ else
-+ {
-+ printf("Unknown mode: %s\n", amode);
-+ EXIT(1);
-+ }
-+
-+ if (EVP_CipherInit_ex(ctx, cipher, NULL, aKey, iVec, dir) <= 0)
-+ return 0;
-+ if(!strcasecmp(amode,"CFB1"))
-+ M_EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS);
-+ EVP_Cipher(ctx, out, in, len);
-+
-+ return 1;
-+ }
-+
-+void DebugValue(char *tag, unsigned char *val, int len)
-+ {
-+ char obuf[2048];
-+ int olen;
-+ olen = bin2hex(val, len, obuf);
-+ printf("%s = %.*s\n", tag, olen, obuf);
-+ }
-+
-+void shiftin(unsigned char *dst,unsigned char *src,int nbits)
-+ {
-+ int n;
-+
-+ /* move the bytes... */
-+ memmove(dst,dst+nbits/8,3*8-nbits/8);
-+ /* append new data */
-+ memcpy(dst+3*8-nbits/8,src,(nbits+7)/8);
-+ /* left shift the bits */
-+ if(nbits%8)
-+ for(n=0 ; n < 3*8 ; ++n)
-+ dst[n]=(dst[n] << (nbits%8))|(dst[n+1] >> (8-nbits%8));
-+ }
-+
-+/*-----------------------------------------------*/
-+char *t_tag[2] = {"PLAINTEXT", "CIPHERTEXT"};
-+char *t_mode[6] = {"CBC","ECB","OFB","CFB1","CFB8","CFB64"};
-+enum Mode {CBC, ECB, OFB, CFB1, CFB8, CFB64};
-+int Sizes[6]={64,64,64,1,8,64};
-+
-+void do_mct(char *amode,
-+ int akeysz, int numkeys, unsigned char *akey,unsigned char *ivec,
-+ int dir, unsigned char *text, int len,
-+ FILE *rfp)
-+ {
-+ int i,imode;
-+ unsigned char nk[4*8]; /* longest key+8 */
-+ unsigned char text0[8];
-+
-+ for (imode=0 ; imode < 6 ; ++imode)
-+ if(!strcmp(amode,t_mode[imode]))
-+ break;
-+ if (imode == 6)
-+ {
-+ printf("Unrecognized mode: %s\n", amode);
-+ EXIT(1);
-+ }
-+
-+ for(i=0 ; i < 400 ; ++i)
-+ {
-+ int j;
-+ int n;
-+ int kp=akeysz/64;
-+ unsigned char old_iv[8];
-+ EVP_CIPHER_CTX ctx;
-+ EVP_CIPHER_CTX_init(&ctx);
-+
-+ fprintf(rfp,"\nCOUNT = %d\n",i);
-+ if(kp == 1)
-+ OutputValue("KEY",akey,8,rfp,0);
-+ else
-+ for(n=0 ; n < kp ; ++n)
-+ {
-+ fprintf(rfp,"KEY%d",n+1);
-+ OutputValue("",akey+n*8,8,rfp,0);
-+ }
-+
-+ if(imode != ECB)
-+ OutputValue("IV",ivec,8,rfp,0);
-+ OutputValue(t_tag[dir^1],text,len,rfp,imode == CFB1);
-+#if 0
-+ /* compensate for endianness */
-+ if(imode == CFB1)
-+ text[0]<<=7;
-+#endif
-+ memcpy(text0,text,8);
-+
-+ for(j=0 ; j < 10000 ; ++j)
-+ {
-+ unsigned char old_text[8];
-+
-+ memcpy(old_text,text,8);
-+ if(j == 0)
-+ {
-+ memcpy(old_iv,ivec,8);
-+ DESTest(&ctx,amode,akeysz,akey,ivec,dir,text,text,len);
-+ }
-+ else
-+ {
-+ memcpy(old_iv,ctx.iv,8);
-+ EVP_Cipher(&ctx,text,text,len);
-+ }
-+ if(j == 9999)
-+ {
-+ OutputValue(t_tag[dir],text,len,rfp,imode == CFB1);
-+ /* memcpy(ivec,text,8); */
-+ }
-+ /* DebugValue("iv",ctx.iv,8); */
-+ /* accumulate material for the next key */
-+ shiftin(nk,text,Sizes[imode]);
-+ /* DebugValue("nk",nk,24);*/
-+ if((dir && (imode == CFB1 || imode == CFB8 || imode == CFB64
-+ || imode == CBC)) || imode == OFB)
-+ memcpy(text,old_iv,8);
-+
-+ if(!dir && (imode == CFB1 || imode == CFB8 || imode == CFB64))
-+ {
-+ /* the test specifies using the output of the raw DES operation
-+ which we don't have, so reconstruct it... */
-+ for(n=0 ; n < 8 ; ++n)
-+ text[n]^=old_text[n];
-+ }
-+ }
-+ for(n=0 ; n < 8 ; ++n)
-+ akey[n]^=nk[16+n];
-+ for(n=0 ; n < 8 ; ++n)
-+ akey[8+n]^=nk[8+n];
-+ for(n=0 ; n < 8 ; ++n)
-+ akey[16+n]^=nk[n];
-+ if(numkeys < 3)
-+ memcpy(&akey[2*8],akey,8);
-+ if(numkeys < 2)
-+ memcpy(&akey[8],akey,8);
-+ DES_set_odd_parity((DES_cblock *)akey);
-+ DES_set_odd_parity((DES_cblock *)(akey+8));
-+ DES_set_odd_parity((DES_cblock *)(akey+16));
-+ memcpy(ivec,ctx.iv,8);
-+
-+ /* pointless exercise - the final text doesn't depend on the
-+ initial text in OFB mode, so who cares what it is? (Who
-+ designed these tests?) */
-+ if(imode == OFB)
-+ for(n=0 ; n < 8 ; ++n)
-+ text[n]=text0[n]^old_iv[n];
-+ }
-+ }
-+
-+int proc_file(char *rqfile, char *rspfile)
-+ {
-+ char afn[256], rfn[256];
-+ FILE *afp = NULL, *rfp = NULL;
-+ char ibuf[2048], tbuf[2048];
-+ int ilen, len, ret = 0;
-+ char amode[8] = "";
-+ char atest[100] = "";
-+ int akeysz=0;
-+ unsigned char iVec[20], aKey[40];
-+ int dir = -1, err = 0, step = 0;
-+ unsigned char plaintext[2048];
-+ unsigned char ciphertext[2048];
-+ char *rp;
-+ EVP_CIPHER_CTX ctx;
-+ int numkeys=1;
-+ EVP_CIPHER_CTX_init(&ctx);
-+
-+ if (!rqfile || !(*rqfile))
-+ {
-+ printf("No req file\n");
-+ return -1;
-+ }
-+ strcpy(afn, rqfile);
-+
-+ if ((afp = fopen(afn, "r")) == NULL)
-+ {
-+ printf("Cannot open file: %s, %s\n",
-+ afn, strerror(errno));
-+ return -1;
-+ }
-+ if (!rspfile)
-+ {
-+ strcpy(rfn,afn);
-+ rp=strstr(rfn,"req/");
-+#ifdef OPENSSL_SYS_WIN32
-+ if (!rp)
-+ rp=strstr(rfn,"req\\");
-+#endif
-+ assert(rp);
-+ memcpy(rp,"rsp",3);
-+ rp = strstr(rfn, ".req");
-+ memcpy(rp, ".rsp", 4);
-+ rspfile = rfn;
-+ }
-+ if ((rfp = fopen(rspfile, "w")) == NULL)
-+ {
-+ printf("Cannot open file: %s, %s\n",
-+ rfn, strerror(errno));
-+ fclose(afp);
-+ afp = NULL;
-+ return -1;
-+ }
-+ while (!err && (fgets(ibuf, sizeof(ibuf), afp)) != NULL)
-+ {
-+ tidy_line(tbuf, ibuf);
-+ ilen = strlen(ibuf);
-+ /* printf("step=%d ibuf=%s",step,ibuf);*/
-+ if(step == 3 && !strcmp(amode,"ECB"))
-+ {
-+ memset(iVec, 0, sizeof(iVec));
-+ step = (dir)? 4: 5; /* no ivec for ECB */
-+ }
-+ switch (step)
-+ {
-+ case 0: /* read preamble */
-+ if (ibuf[0] == '\n')
-+ { /* end of preamble */
-+ if (*amode == '\0')
-+ {
-+ printf("Missing Mode\n");
-+ err = 1;
-+ }
-+ else
-+ {
-+ fputs(ibuf, rfp);
-+ ++ step;
-+ }
-+ }
-+ else if (ibuf[0] != '#')
-+ {
-+ printf("Invalid preamble item: %s\n", ibuf);
-+ err = 1;
-+ }
-+ else
-+ { /* process preamble */
-+ char *xp, *pp = ibuf+2;
-+ int n;
-+ if(*amode)
-+ { /* insert current time & date */
-+ time_t rtim = time(0);
-+ fprintf(rfp, "# %s", ctime(&rtim));
-+ }
-+ else
-+ {
-+ fputs(ibuf, rfp);
-+ if(!strncmp(pp,"INVERSE ",8) || !strncmp(pp,"DES ",4)
-+ || !strncmp(pp,"TDES ",5)
-+ || !strncmp(pp,"PERMUTATION ",12)
-+ || !strncmp(pp,"SUBSTITUTION ",13)
-+ || !strncmp(pp,"VARIABLE ",9))
-+ {
-+ /* get test type */
-+ if(!strncmp(pp,"DES ",4))
-+ pp+=4;
-+ else if(!strncmp(pp,"TDES ",5))
-+ pp+=5;
-+ xp = strchr(pp, ' ');
-+ n = xp-pp;
-+ strncpy(atest, pp, n);
-+ atest[n] = '\0';
-+ /* get mode */
-+ xp = strrchr(pp, ' '); /* get mode" */
-+ n = strlen(xp+1)-1;
-+ strncpy(amode, xp+1, n);
-+ amode[n] = '\0';
-+ /* amode[3] = '\0'; */
-+ if (VERBOSE)
-+ printf("Test=%s, Mode=%s\n",atest,amode);
-+ }
-+ }
-+ }
-+ break;
-+
-+ case 1: /* [ENCRYPT] | [DECRYPT] */
-+ if(ibuf[0] == '\n')
-+ break;
-+ if (ibuf[0] == '[')
-+ {
-+ fputs(ibuf, rfp);
-+ ++step;
-+ if (strncasecmp(ibuf, "[ENCRYPT]", 9) == 0)
-+ dir = 1;
-+ else if (strncasecmp(ibuf, "[DECRYPT]", 9) == 0)
-+ dir = 0;
-+ else
-+ {
-+ printf("Invalid keyword: %s\n", ibuf);
-+ err = 1;
-+ }
-+ break;
-+ }
-+ else if (dir == -1)
-+ {
-+ err = 1;
-+ printf("Missing ENCRYPT/DECRYPT keyword\n");
-+ break;
-+ }
-+ else
-+ step = 2;
-+
-+ case 2: /* KEY = xxxx */
-+ if(*ibuf == '\n')
-+ {
-+ fputs(ibuf, rfp);
-+ break;
-+ }
-+ if(!strncasecmp(ibuf,"COUNT = ",8))
-+ {
-+ fputs(ibuf, rfp);
-+ break;
-+ }
-+ if(!strncasecmp(ibuf,"COUNT=",6))
-+ {
-+ fputs(ibuf, rfp);
-+ break;
-+ }
-+ if(!strncasecmp(ibuf,"NumKeys = ",10))
-+ {
-+ numkeys=atoi(ibuf+10);
-+ break;
-+ }
-+
-+ fputs(ibuf, rfp);
-+ if(!strncasecmp(ibuf,"KEY = ",6))
-+ {
-+ akeysz=64;
-+ len = hex2bin((char*)ibuf+6, aKey);
-+ if (len < 0)
-+ {
-+ printf("Invalid KEY\n");
-+ err=1;
-+ break;
-+ }
-+ PrintValue("KEY", aKey, len);
-+ ++step;
-+ }
-+ else if(!strncasecmp(ibuf,"KEYs = ",7))
-+ {
-+ akeysz=64*3;
-+ len=hex2bin(ibuf+7,aKey);
-+ if(len != 8)
-+ {
-+ printf("Invalid KEY\n");
-+ err=1;
-+ break;
-+ }
-+ memcpy(aKey+8,aKey,8);
-+ memcpy(aKey+16,aKey,8);
-+ ibuf[4]='\0';
-+ PrintValue("KEYs",aKey,len);
-+ ++step;
-+ }
-+ else if(!strncasecmp(ibuf,"KEY",3))
-+ {
-+ int n=ibuf[3]-'1';
-+
-+ akeysz=64*3;
-+ len=hex2bin(ibuf+7,aKey+n*8);
-+ if(len != 8)
-+ {
-+ printf("Invalid KEY\n");
-+ err=1;
-+ break;
-+ }
-+ ibuf[4]='\0';
-+ PrintValue(ibuf,aKey,len);
-+ if(n == 2)
-+ ++step;
-+ }
-+ else
-+ {
-+ printf("Missing KEY\n");
-+ err = 1;
-+ }
-+ break;
-+
-+ case 3: /* IV = xxxx */
-+ fputs(ibuf, rfp);
-+ if (strncasecmp(ibuf, "IV = ", 5) != 0)
-+ {
-+ printf("Missing IV\n");
-+ err = 1;
-+ }
-+ else
-+ {
-+ len = hex2bin((char*)ibuf+5, iVec);
-+ if (len < 0)
-+ {
-+ printf("Invalid IV\n");
-+ err =1;
-+ break;
-+ }
-+ PrintValue("IV", iVec, len);
-+ step = (dir)? 4: 5;
-+ }
-+ break;
-+
-+ case 4: /* PLAINTEXT = xxxx */
-+ fputs(ibuf, rfp);
-+ if (strncasecmp(ibuf, "PLAINTEXT = ", 12) != 0)
-+ {
-+ printf("Missing PLAINTEXT\n");
-+ err = 1;
-+ }
-+ else
-+ {
-+ int nn = strlen(ibuf+12);
-+ if(!strcmp(amode,"CFB1"))
-+ len=bint2bin(ibuf+12,nn-1,plaintext);
-+ else
-+ len=hex2bin(ibuf+12, plaintext);
-+ if (len < 0)
-+ {
-+ printf("Invalid PLAINTEXT: %s", ibuf+12);
-+ err =1;
-+ break;
-+ }
-+ if (len >= sizeof(plaintext))
-+ {
-+ printf("Buffer overflow\n");
-+ }
-+ PrintValue("PLAINTEXT", (unsigned char*)plaintext, len);
-+ if (strcmp(atest, "Monte") == 0) /* Monte Carlo Test */
-+ {
-+ do_mct(amode,akeysz,numkeys,aKey,iVec,dir,plaintext,len,rfp);
-+ }
-+ else
-+ {
-+ assert(dir == 1);
-+ ret = DESTest(&ctx, amode, akeysz, aKey, iVec,
-+ dir, /* 0 = decrypt, 1 = encrypt */
-+ ciphertext, plaintext, len);
-+ OutputValue("CIPHERTEXT",ciphertext,len,rfp,
-+ !strcmp(amode,"CFB1"));
-+ }
-+ step = 6;
-+ }
-+ break;
-+
-+ case 5: /* CIPHERTEXT = xxxx */
-+ fputs(ibuf, rfp);
-+ if (strncasecmp(ibuf, "CIPHERTEXT = ", 13) != 0)
-+ {
-+ printf("Missing KEY\n");
-+ err = 1;
-+ }
-+ else
-+ {
-+ if(!strcmp(amode,"CFB1"))
-+ len=bint2bin(ibuf+13,strlen(ibuf+13)-1,ciphertext);
-+ else
-+ len = hex2bin(ibuf+13,ciphertext);
-+ if (len < 0)
-+ {
-+ printf("Invalid CIPHERTEXT\n");
-+ err =1;
-+ break;
-+ }
-+
-+ PrintValue("CIPHERTEXT", ciphertext, len);
-+ if (strcmp(atest, "Monte") == 0) /* Monte Carlo Test */
-+ {
-+ do_mct(amode, akeysz, numkeys, aKey, iVec,
-+ dir, ciphertext, len, rfp);
-+ }
-+ else
-+ {
-+ assert(dir == 0);
-+ ret = DESTest(&ctx, amode, akeysz, aKey, iVec,
-+ dir, /* 0 = decrypt, 1 = encrypt */
-+ plaintext, ciphertext, len);
-+ OutputValue("PLAINTEXT",(unsigned char *)plaintext,len,rfp,
-+ !strcmp(amode,"CFB1"));
-+ }
-+ step = 6;
-+ }
-+ break;
-+
-+ case 6:
-+ if (ibuf[0] != '\n')
-+ {
-+ err = 1;
-+ printf("Missing terminator\n");
-+ }
-+ else if (strcmp(atest, "MCT") != 0)
-+ { /* MCT already added terminating nl */
-+ fputs(ibuf, rfp);
-+ }
-+ step = 1;
-+ break;
-+ }
-+ }
-+ if (rfp)
-+ fclose(rfp);
-+ if (afp)
-+ fclose(afp);
-+ return err;
-+ }
-+
-+/*--------------------------------------------------
-+ Processes either a single file or
-+ a set of files whose names are passed in a file.
-+ A single file is specified as:
-+ aes_test -f xxx.req
-+ A set of files is specified as:
-+ aes_test -d xxxxx.xxx
-+ The default is: -d req.txt
-+--------------------------------------------------*/
-+int main(int argc, char **argv)
-+ {
-+ char *rqlist = "req.txt", *rspfile = NULL;
-+ FILE *fp = NULL;
-+ char fn[250] = "", rfn[256] = "";
-+ int f_opt = 0, d_opt = 1;
-+
-+#ifdef OPENSSL_FIPS
-+ if(!FIPS_mode_set(1))
-+ {
-+ do_print_errors();
-+ EXIT(1);
-+ }
-+#endif
-+ if (argc > 1)
-+ {
-+ if (strcasecmp(argv[1], "-d") == 0)
-+ {
-+ d_opt = 1;
-+ }
-+ else if (strcasecmp(argv[1], "-f") == 0)
-+ {
-+ f_opt = 1;
-+ d_opt = 0;
-+ }
-+ else
-+ {
-+ printf("Invalid parameter: %s\n", argv[1]);
-+ return 0;
-+ }
-+ if (argc < 3)
-+ {
-+ printf("Missing parameter\n");
-+ return 0;
-+ }
-+ if (d_opt)
-+ rqlist = argv[2];
-+ else
-+ {
-+ strcpy(fn, argv[2]);
-+ rspfile = argv[3];
-+ }
-+ }
-+ if (d_opt)
-+ { /* list of files (directory) */
-+ if (!(fp = fopen(rqlist, "r")))
-+ {
-+ printf("Cannot open req list file\n");
-+ return -1;
-+ }
-+ while (fgets(fn, sizeof(fn), fp))
-+ {
-+ strtok(fn, "\r\n");
-+ strcpy(rfn, fn);
-+ printf("Processing: %s\n", rfn);
-+ if (proc_file(rfn, rspfile))
-+ {
-+ printf(">>> Processing failed for: %s <<<\n", rfn);
-+ EXIT(1);
-+ }
-+ }
-+ fclose(fp);
-+ }
-+ else /* single file */
-+ {
-+ if (VERBOSE)
-+ printf("Processing: %s\n", fn);
-+ if (proc_file(fn, rspfile))
-+ {
-+ printf(">>> Processing failed for: %s <<<\n", fn);
-+ }
-+ }
-+ EXIT(0);
-+ return 0;
-+ }
-+
-+#endif
-diff -up openssl-1.0.1e/crypto/fips/cavs/fips_dhvs.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_dhvs.c
---- openssl-1.0.1e/crypto/fips/cavs/fips_dhvs.c.fips 2013-10-04 11:48:04.180694136 +0200
-+++ openssl-1.0.1e/crypto/fips/cavs/fips_dhvs.c 2013-10-04 11:48:04.180694136 +0200
-@@ -0,0 +1,292 @@
-+/* fips/dh/fips_dhvs.c */
-+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
-+ * project.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ */
-+
-+
-+#define OPENSSL_FIPSAPI
-+#include <openssl/opensslconf.h>
-+
-+#ifndef OPENSSL_FIPS
-+#include <stdio.h>
-+
-+int main(int argc, char **argv)
-+{
-+ printf("No FIPS DH support\n");
-+ return(0);
-+}
-+#else
-+
-+#include <openssl/crypto.h>
-+#include <openssl/bn.h>
-+#include <openssl/dh.h>
-+#include <openssl/fips.h>
-+#include <openssl/err.h>
-+#include <openssl/evp.h>
-+#include <string.h>
-+#include <ctype.h>
-+
-+#include "fips_utl.h"
-+
-+static const EVP_MD *parse_md(char *line)
-+ {
-+ char *p;
-+ if (line[0] != '[' || line[1] != 'F')
-+ return NULL;
-+ p = strchr(line, '-');
-+ if (!p)
-+ return NULL;
-+ line = p + 1;
-+ p = strchr(line, ']');
-+ if (!p)
-+ return NULL;
-+ *p = 0;
-+ p = line;
-+ while(isspace(*p))
-+ p++;
-+ if (!strcmp(p, "SHA1"))
-+ return EVP_sha1();
-+ else if (!strcmp(p, "SHA224"))
-+ return EVP_sha224();
-+ else if (!strcmp(p, "SHA256"))
-+ return EVP_sha256();
-+ else if (!strcmp(p, "SHA384"))
-+ return EVP_sha384();
-+ else if (!strcmp(p, "SHA512"))
-+ return EVP_sha512();
-+ else
-+ return NULL;
-+ }
-+
-+static void output_Zhash(FILE *out, int exout,
-+ DH *dh, BIGNUM *peerkey, const EVP_MD *md,
-+ unsigned char *rhash, size_t rhashlen)
-+ {
-+ unsigned char *Z;
-+ unsigned char chash[EVP_MAX_MD_SIZE];
-+ int Zlen;
-+ if (rhash == NULL)
-+ {
-+ rhashlen = M_EVP_MD_size(md);
-+ if (!DH_generate_key(dh))
-+ exit (1);
-+ do_bn_print_name(out, "YephemIUT", dh->pub_key);
-+ if (exout)
-+ do_bn_print_name(out, "XephemIUT", dh->priv_key);
-+ }
-+ Z = OPENSSL_malloc(BN_num_bytes(dh->p));
-+ if (!Z)
-+ exit(1);
-+ Zlen = DH_compute_key_padded(Z, peerkey, dh);
-+ if (exout)
-+ OutputValue("Z", Z, Zlen, out, 0);
-+ FIPS_digest(Z, Zlen, chash, NULL, md);
-+ OutputValue(rhash ? "IUTHashZZ" : "HashZZ", chash, rhashlen, out, 0);
-+ if (rhash)
-+ {
-+ fprintf(out, "Result = %s\n",
-+ memcmp(chash, rhash, rhashlen) ? "F" : "P");
-+ }
-+ else
-+ {
-+ BN_clear_free(dh->priv_key);
-+ BN_clear_free(dh->pub_key);
-+ dh->priv_key = NULL;
-+ dh->pub_key = NULL;
-+ }
-+ OPENSSL_cleanse(Z, Zlen);
-+ OPENSSL_free(Z);
-+ }
-+
-+#ifdef FIPS_ALGVS
-+int fips_dhvs_main(int argc, char **argv)
-+#else
-+int main(int argc, char **argv)
-+#endif
-+ {
-+ char **args = argv + 1;
-+ int argn = argc - 1;
-+ FILE *in, *out;
-+ char buf[2048], lbuf[2048];
-+ unsigned char *rhash;
-+ long rhashlen;
-+ DH *dh = NULL;
-+ const EVP_MD *md = NULL;
-+ BIGNUM *peerkey = NULL;
-+ char *keyword = NULL, *value = NULL;
-+ int do_verify = -1, exout = 0;
-+
-+ fips_algtest_init();
-+
-+ if (argn && !strcmp(*args, "dhver"))
-+ {
-+ do_verify = 1;
-+ args++;
-+ argn--;
-+ }
-+ else if (argn && !strcmp(*args, "dhgen"))
-+ {
-+ do_verify = 0;
-+ args++;
-+ argn--;
-+ }
-+
-+ if (argn && !strcmp(*args, "-exout"))
-+ {
-+ exout = 1;
-+ args++;
-+ argn--;
-+ }
-+
-+ if (do_verify == -1)
-+ {
-+ fprintf(stderr,"%s [dhver|dhgen|] [-exout] (infile outfile)\n",argv[0]);
-+ exit(1);
-+ }
-+
-+ if (argn == 2)
-+ {
-+ in = fopen(*args, "r");
-+ if (!in)
-+ {
-+ fprintf(stderr, "Error opening input file\n");
-+ exit(1);
-+ }
-+ out = fopen(args[1], "w");
-+ if (!out)
-+ {
-+ fprintf(stderr, "Error opening output file\n");
-+ exit(1);
-+ }
-+ }
-+ else if (argn == 0)
-+ {
-+ in = stdin;
-+ out = stdout;
-+ }
-+ else
-+ {
-+ fprintf(stderr,"%s [dhver|dhgen|] [-exout] (infile outfile)\n",argv[0]);
-+ exit(1);
-+ }
-+
-+ dh = FIPS_dh_new();
-+
-+ while (fgets(buf, sizeof(buf), in) != NULL)
-+ {
-+ fputs(buf, out);
-+ if (strlen(buf) > 6 && !strncmp(buf, "[F", 2))
-+ {
-+ md = parse_md(buf);
-+ if (md == NULL)
-+ goto parse_error;
-+ if (dh)
-+ FIPS_dh_free(dh);
-+ dh = FIPS_dh_new();
-+ continue;
-+ }
-+ if (!parse_line(&keyword, &value, lbuf, buf))
-+ continue;
-+ if (!strcmp(keyword, "P"))
-+ {
-+ if (!do_hex2bn(&dh->p, value))
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "Q"))
-+ {
-+ if (!do_hex2bn(&dh->q, value))
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "G"))
-+ {
-+ if (!do_hex2bn(&dh->g, value))
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "XephemIUT"))
-+ {
-+ if (!do_hex2bn(&dh->priv_key, value))
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "YephemIUT"))
-+ {
-+ if (!do_hex2bn(&dh->pub_key, value))
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "YephemCAVS"))
-+ {
-+ if (!do_hex2bn(&peerkey, value))
-+ goto parse_error;
-+ if (do_verify == 0)
-+ output_Zhash(out, exout, dh, peerkey, md,
-+ NULL, 0);
-+ }
-+ else if (!strcmp(keyword, "CAVSHashZZ"))
-+ {
-+ if (!md)
-+ goto parse_error;
-+ rhash = hex2bin_m(value, &rhashlen);
-+ if (!rhash || rhashlen != M_EVP_MD_size(md))
-+ goto parse_error;
-+ output_Zhash(out, exout, dh, peerkey, md,
-+ rhash, rhashlen);
-+ }
-+ }
-+ if (in && in != stdin)
-+ fclose(in);
-+ if (out && out != stdout)
-+ fclose(out);
-+ return 0;
-+ parse_error:
-+ fprintf(stderr, "Error Parsing request file\n");
-+ exit(1);
-+ }
-+
-+#endif
-diff -up openssl-1.0.1e/crypto/fips/cavs/fips_drbgvs.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_drbgvs.c
---- openssl-1.0.1e/crypto/fips/cavs/fips_drbgvs.c.fips 2013-10-04 11:48:04.180694136 +0200
-+++ openssl-1.0.1e/crypto/fips/cavs/fips_drbgvs.c 2013-10-04 11:48:04.180694136 +0200
-@@ -0,0 +1,416 @@
-+/* fips/rand/fips_drbgvs.c */
-+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
-+ * project.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ */
-+
-+
-+#define OPENSSL_FIPSAPI
-+#include <openssl/opensslconf.h>
-+
-+#ifndef OPENSSL_FIPS
-+#include <stdio.h>
-+
-+int main(int argc, char **argv)
-+{
-+ printf("No FIPS DRBG support\n");
-+ return(0);
-+}
-+#else
-+
-+#include <openssl/bn.h>
-+#include <openssl/dsa.h>
-+#include <openssl/fips.h>
-+#include <openssl/fips_rand.h>
-+#include <openssl/err.h>
-+#include <openssl/evp.h>
-+#include <string.h>
-+#include <ctype.h>
-+
-+#include "fips_utl.h"
-+
-+static int dparse_md(char *str)
-+ {
-+ switch(atoi(str + 5))
-+ {
-+ case 1:
-+ return NID_sha1;
-+
-+ case 224:
-+ return NID_sha224;
-+
-+ case 256:
-+ return NID_sha256;
-+
-+ case 384:
-+ return NID_sha384;
-+
-+ case 512:
-+ return NID_sha512;
-+
-+ }
-+
-+ return NID_undef;
-+ }
-+
-+static int parse_ec(char *str)
-+ {
-+ int curve_nid, md_nid;
-+ char *md;
-+ md = strchr(str, ' ');
-+ if (!md)
-+ return NID_undef;
-+ if (!strncmp(str, "[P-256", 6))
-+ curve_nid = NID_X9_62_prime256v1;
-+ else if (!strncmp(str, "[P-384", 6))
-+ curve_nid = NID_secp384r1;
-+ else if (!strncmp(str, "[P-521", 6))
-+ curve_nid = NID_secp521r1;
-+ else
-+ return NID_undef;
-+ md_nid = dparse_md(md);
-+ if (md_nid == NID_undef)
-+ return NID_undef;
-+ return (curve_nid << 16) | md_nid;
-+ }
-+
-+static int parse_aes(char *str, int *pdf)
-+ {
-+
-+ if (!strncmp(str + 9, "no", 2))
-+ *pdf = 0;
-+ else
-+ *pdf = DRBG_FLAG_CTR_USE_DF;
-+
-+ switch(atoi(str + 5))
-+ {
-+ case 128:
-+ return NID_aes_128_ctr;
-+
-+ case 192:
-+ return NID_aes_192_ctr;
-+
-+ case 256:
-+ return NID_aes_256_ctr;
-+
-+ default:
-+ return NID_undef;
-+
-+ }
-+ }
-+
-+typedef struct
-+ {
-+ unsigned char *ent;
-+ size_t entlen;
-+ unsigned char *nonce;
-+ size_t noncelen;
-+ } TEST_ENT;
-+
-+static size_t test_entropy(DRBG_CTX *dctx, unsigned char **pout,
-+ int entropy, size_t min_len, size_t max_len)
-+ {
-+ TEST_ENT *t = FIPS_drbg_get_app_data(dctx);
-+ *pout = (unsigned char *)t->ent;
-+ return t->entlen;
-+ }
-+
-+static size_t test_nonce(DRBG_CTX *dctx, unsigned char **pout,
-+ int entropy, size_t min_len, size_t max_len)
-+ {
-+ TEST_ENT *t = FIPS_drbg_get_app_data(dctx);
-+ *pout = (unsigned char *)t->nonce;
-+ return t->noncelen;
-+ }
-+
-+#ifdef FIPS_ALGVS
-+int fips_drbgvs_main(int argc,char **argv)
-+#else
-+int main(int argc,char **argv)
-+#endif
-+ {
-+ FILE *in = NULL, *out = NULL;
-+ DRBG_CTX *dctx = NULL;
-+ TEST_ENT t;
-+ int r, nid = 0;
-+ int pr = 0;
-+ char buf[2048], lbuf[2048];
-+ unsigned char randout[2048];
-+ char *keyword = NULL, *value = NULL;
-+
-+ unsigned char *ent = NULL, *nonce = NULL, *pers = NULL, *adin = NULL;
-+ long entlen, noncelen, perslen, adinlen;
-+ int df = 0;
-+
-+ enum dtype { DRBG_NONE, DRBG_CTR, DRBG_HASH, DRBG_HMAC, DRBG_DUAL_EC }
-+ drbg_type = DRBG_NONE;
-+
-+ int randoutlen = 0;
-+
-+ int gen = 0;
-+
-+ fips_algtest_init();
-+
-+ if (argc == 3)
-+ {
-+ in = fopen(argv[1], "r");
-+ if (!in)
-+ {
-+ fprintf(stderr, "Error opening input file\n");
-+ exit(1);
-+ }
-+ out = fopen(argv[2], "w");
-+ if (!out)
-+ {
-+ fprintf(stderr, "Error opening output file\n");
-+ exit(1);
-+ }
-+ }
-+ else if (argc == 1)
-+ {
-+ in = stdin;
-+ out = stdout;
-+ }
-+ else
-+ {
-+ fprintf(stderr,"%s (infile outfile)\n",argv[0]);
-+ exit(1);
-+ }
-+
-+ while (fgets(buf, sizeof(buf), in) != NULL)
-+ {
-+ fputs(buf, out);
-+ if (drbg_type == DRBG_NONE)
-+ {
-+ if (strstr(buf, "CTR_DRBG"))
-+ drbg_type = DRBG_CTR;
-+ else if (strstr(buf, "Hash_DRBG"))
-+ drbg_type = DRBG_HASH;
-+ else if (strstr(buf, "HMAC_DRBG"))
-+ drbg_type = DRBG_HMAC;
-+ else if (strstr(buf, "Dual_EC_DRBG"))
-+ drbg_type = DRBG_DUAL_EC;
-+ else
-+ continue;
-+ }
-+ if (strlen(buf) > 4 && !strncmp(buf, "[SHA-", 5))
-+ {
-+ nid = dparse_md(buf);
-+ if (nid == NID_undef)
-+ exit(1);
-+ if (drbg_type == DRBG_HMAC)
-+ {
-+ switch (nid)
-+ {
-+ case NID_sha1:
-+ nid = NID_hmacWithSHA1;
-+ break;
-+
-+ case NID_sha224:
-+ nid = NID_hmacWithSHA224;
-+ break;
-+
-+ case NID_sha256:
-+ nid = NID_hmacWithSHA256;
-+ break;
-+
-+ case NID_sha384:
-+ nid = NID_hmacWithSHA384;
-+ break;
-+
-+ case NID_sha512:
-+ nid = NID_hmacWithSHA512;
-+ break;
-+
-+ default:
-+ exit(1);
-+ }
-+ }
-+ }
-+ if (strlen(buf) > 12 && !strncmp(buf, "[AES-", 5))
-+ {
-+ nid = parse_aes(buf, &df);
-+ if (nid == NID_undef)
-+ exit(1);
-+ }
-+ if (strlen(buf) > 12 && !strncmp(buf, "[P-", 3))
-+ {
-+ nid = parse_ec(buf);
-+ if (nid == NID_undef)
-+ exit(1);
-+ }
-+ if (!parse_line(&keyword, &value, lbuf, buf))
-+ continue;
-+
-+ if (!strcmp(keyword, "[PredictionResistance"))
-+ {
-+ if (!strcmp(value, "True]"))
-+ pr = 1;
-+ else if (!strcmp(value, "False]"))
-+ pr = 0;
-+ else
-+ exit(1);
-+ }
-+
-+ if (!strcmp(keyword, "EntropyInput"))
-+ {
-+ ent = hex2bin_m(value, &entlen);
-+ t.ent = ent;
-+ t.entlen = entlen;
-+ }
-+
-+ if (!strcmp(keyword, "Nonce"))
-+ {
-+ nonce = hex2bin_m(value, &noncelen);
-+ t.nonce = nonce;
-+ t.noncelen = noncelen;
-+ }
-+
-+ if (!strcmp(keyword, "PersonalizationString"))
-+ {
-+ pers = hex2bin_m(value, &perslen);
-+ if (nid == 0)
-+ {
-+ fprintf(stderr, "DRBG type not recognised!\n");
-+ exit (1);
-+ }
-+ dctx = FIPS_drbg_new(nid, df | DRBG_FLAG_TEST);
-+ if (!dctx)
-+ exit (1);
-+ FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0,
-+ test_nonce, 0);
-+ FIPS_drbg_set_app_data(dctx, &t);
-+ randoutlen = (int)FIPS_drbg_get_blocklength(dctx);
-+ r = FIPS_drbg_instantiate(dctx, pers, perslen);
-+ if (!r)
-+ {
-+ fprintf(stderr, "Error instantiating DRBG\n");
-+ exit(1);
-+ }
-+ OPENSSL_free(pers);
-+ OPENSSL_free(ent);
-+ OPENSSL_free(nonce);
-+ ent = nonce = pers = NULL;
-+ gen = 0;
-+ }
-+
-+ if (!strcmp(keyword, "AdditionalInput"))
-+ {
-+ adin = hex2bin_m(value, &adinlen);
-+ if (pr)
-+ continue;
-+ r = FIPS_drbg_generate(dctx, randout, randoutlen, 0,
-+ adin, adinlen);
-+ if (!r)
-+ {
-+ fprintf(stderr, "Error generating DRBG bits\n");
-+ exit(1);
-+ }
-+ if (!r)
-+ exit(1);
-+ OPENSSL_free(adin);
-+ adin = NULL;
-+ gen++;
-+ }
-+
-+ if (pr)
-+ {
-+ if (!strcmp(keyword, "EntropyInputPR"))
-+ {
-+ ent = hex2bin_m(value, &entlen);
-+ t.ent = ent;
-+ t.entlen = entlen;
-+ r = FIPS_drbg_generate(dctx,
-+ randout, randoutlen,
-+ 1, adin, adinlen);
-+ if (!r)
-+ {
-+ fprintf(stderr,
-+ "Error generating DRBG bits\n");
-+ exit(1);
-+ }
-+ OPENSSL_free(adin);
-+ OPENSSL_free(ent);
-+ adin = ent = NULL;
-+ gen++;
-+ }
-+ }
-+ if (!strcmp(keyword, "EntropyInputReseed"))
-+ {
-+ ent = hex2bin_m(value, &entlen);
-+ t.ent = ent;
-+ t.entlen = entlen;
-+ }
-+ if (!strcmp(keyword, "AdditionalInputReseed"))
-+ {
-+ adin = hex2bin_m(value, &adinlen);
-+ FIPS_drbg_reseed(dctx, adin, adinlen);
-+ OPENSSL_free(ent);
-+ OPENSSL_free(adin);
-+ ent = adin = NULL;
-+ }
-+ if (gen == 2)
-+ {
-+ OutputValue("ReturnedBits", randout, randoutlen,
-+ out, 0);
-+ FIPS_drbg_free(dctx);
-+ dctx = NULL;
-+ gen = 0;
-+ }
-+
-+ }
-+ if (in && in != stdin)
-+ fclose(in);
-+ if (out && out != stdout)
-+ fclose(out);
-+ return 0;
-+ }
-+
-+#endif
-diff -up openssl-1.0.1e/crypto/fips/cavs/fips_dssvs.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_dssvs.c
---- openssl-1.0.1e/crypto/fips/cavs/fips_dssvs.c.fips 2013-10-04 11:48:04.180694136 +0200
-+++ openssl-1.0.1e/crypto/fips/cavs/fips_dssvs.c 2013-10-04 11:48:04.180694136 +0200
-@@ -0,0 +1,537 @@
-+#include <openssl/opensslconf.h>
-+
-+#ifndef OPENSSL_FIPS
-+#include <stdio.h>
-+
-+int main(int argc, char **argv)
-+{
-+ printf("No FIPS DSA support\n");
-+ return(0);
-+}
-+#else
-+
-+#include <openssl/bn.h>
-+#include <openssl/dsa.h>
-+#include <openssl/fips.h>
-+#include <openssl/err.h>
-+#include <openssl/evp.h>
-+#include <string.h>
-+#include <ctype.h>
-+
-+#include "fips_utl.h"
-+
-+static void pbn(const char *name, BIGNUM *bn)
-+ {
-+ int len, i;
-+ unsigned char *tmp;
-+ len = BN_num_bytes(bn);
-+ tmp = OPENSSL_malloc(len);
-+ if (!tmp)
-+ {
-+ fprintf(stderr, "Memory allocation error\n");
-+ return;
-+ }
-+ BN_bn2bin(bn, tmp);
-+ printf("%s = ", name);
-+ for (i = 0; i < len; i++)
-+ printf("%02X", tmp[i]);
-+ fputs("\n", stdout);
-+ OPENSSL_free(tmp);
-+ return;
-+ }
-+
-+void primes()
-+ {
-+ char buf[10240];
-+ char lbuf[10240];
-+ char *keyword, *value;
-+
-+ while(fgets(buf,sizeof buf,stdin) != NULL)
-+ {
-+ fputs(buf,stdout);
-+ if (!parse_line(&keyword, &value, lbuf, buf))
-+ continue;
-+ if(!strcmp(keyword,"Prime"))
-+ {
-+ BIGNUM *pp;
-+
-+ pp=BN_new();
-+ do_hex2bn(&pp,value);
-+ printf("result= %c\n",
-+ BN_is_prime_ex(pp,20,NULL,NULL) ? 'P' : 'F');
-+ }
-+ }
-+ }
-+
-+void pqg()
-+ {
-+ char buf[1024];
-+ char lbuf[1024];
-+ char *keyword, *value;
-+ int nmod=0;
-+
-+ while(fgets(buf,sizeof buf,stdin) != NULL)
-+ {
-+ if (!parse_line(&keyword, &value, lbuf, buf))
-+ {
-+ fputs(buf,stdout);
-+ continue;
-+ }
-+ if(!strcmp(keyword,"[mod"))
-+ nmod=atoi(value);
-+ else if(!strcmp(keyword,"N"))
-+ {
-+ int n=atoi(value);
-+
-+ printf("[mod = %d]\n\n",nmod);
-+
-+ while(n--)
-+ {
-+ unsigned char seed[20];
-+ DSA *dsa;
-+ int counter;
-+ unsigned long h;
-+ dsa = FIPS_dsa_new();
-+
-+ if (!DSA_generate_parameters_ex(dsa, nmod,seed,0,&counter,&h,NULL))
-+ {
-+ do_print_errors();
-+ exit(1);
-+ }
-+ pbn("P",dsa->p);
-+ pbn("Q",dsa->q);
-+ pbn("G",dsa->g);
-+ pv("Seed",seed,20);
-+ printf("c = %d\n",counter);
-+ printf("H = %lx\n",h);
-+ putc('\n',stdout);
-+ }
-+ }
-+ else
-+ fputs(buf,stdout);
-+ }
-+ }
-+
-+void pqgver()
-+ {
-+ char buf[1024];
-+ char lbuf[1024];
-+ char *keyword, *value;
-+ BIGNUM *p = NULL, *q = NULL, *g = NULL;
-+ int counter, counter2;
-+ unsigned long h, h2;
-+ DSA *dsa=NULL;
-+ int nmod=0;
-+ unsigned char seed[1024];
-+
-+ while(fgets(buf,sizeof buf,stdin) != NULL)
-+ {
-+ if (!parse_line(&keyword, &value, lbuf, buf))
-+ {
-+ fputs(buf,stdout);
-+ continue;
-+ }
-+ fputs(buf, stdout);
-+ if(!strcmp(keyword,"[mod"))
-+ nmod=atoi(value);
-+ else if(!strcmp(keyword,"P"))
-+ p=hex2bn(value);
-+ else if(!strcmp(keyword,"Q"))
-+ q=hex2bn(value);
-+ else if(!strcmp(keyword,"G"))
-+ g=hex2bn(value);
-+ else if(!strcmp(keyword,"Seed"))
-+ {
-+ int slen = hex2bin(value, seed);
-+ if (slen != 20)
-+ {
-+ fprintf(stderr, "Seed parse length error\n");
-+ exit (1);
-+ }
-+ }
-+ else if(!strcmp(keyword,"c"))
-+ counter =atoi(buf+4);
-+ else if(!strcmp(keyword,"H"))
-+ {
-+ h = atoi(value);
-+ if (!p || !q || !g)
-+ {
-+ fprintf(stderr, "Parse Error\n");
-+ exit (1);
-+ }
-+ dsa = FIPS_dsa_new();
-+ if (!DSA_generate_parameters_ex(dsa, nmod,seed,20 ,&counter2,&h2,NULL))
-+ {
-+ do_print_errors();
-+ exit(1);
-+ }
-+ if (BN_cmp(dsa->p, p) || BN_cmp(dsa->q, q) || BN_cmp(dsa->g, g)
-+ || (counter != counter2) || (h != h2))
-+ printf("Result = F\n");
-+ else
-+ printf("Result = P\n");
-+ BN_free(p);
-+ BN_free(q);
-+ BN_free(g);
-+ p = NULL;
-+ q = NULL;
-+ g = NULL;
-+ FIPS_dsa_free(dsa);
-+ dsa = NULL;
-+ }
-+ }
-+ }
-+
-+/* Keypair verification routine. NB: this isn't part of the standard FIPS140-2
-+ * algorithm tests. It is an additional test to perform sanity checks on the
-+ * output of the KeyPair test.
-+ */
-+
-+static int dss_paramcheck(int nmod, BIGNUM *p, BIGNUM *q, BIGNUM *g,
-+ BN_CTX *ctx)
-+ {
-+ BIGNUM *rem = NULL;
-+ if (BN_num_bits(p) != nmod)
-+ return 0;
-+ if (BN_num_bits(q) != 160)
-+ return 0;
-+ if (BN_is_prime_ex(p, BN_prime_checks, ctx, NULL) != 1)
-+ return 0;
-+ if (BN_is_prime_ex(q, BN_prime_checks, ctx, NULL) != 1)
-+ return 0;
-+ rem = BN_new();
-+ if (!BN_mod(rem, p, q, ctx) || !BN_is_one(rem)
-+ || (BN_cmp(g, BN_value_one()) <= 0)
-+ || !BN_mod_exp(rem, g, q, p, ctx) || !BN_is_one(rem))
-+ {
-+ BN_free(rem);
-+ return 0;
-+ }
-+ /* Todo: check g */
-+ BN_free(rem);
-+ return 1;
-+ }
-+
-+void keyver()
-+ {
-+ char buf[1024];
-+ char lbuf[1024];
-+ char *keyword, *value;
-+ BIGNUM *p = NULL, *q = NULL, *g = NULL, *X = NULL, *Y = NULL;
-+ BIGNUM *Y2;
-+ BN_CTX *ctx = NULL;
-+ int nmod=0, paramcheck = 0;
-+
-+ ctx = BN_CTX_new();
-+ Y2 = BN_new();
-+
-+ while(fgets(buf,sizeof buf,stdin) != NULL)
-+ {
-+ if (!parse_line(&keyword, &value, lbuf, buf))
-+ {
-+ fputs(buf,stdout);
-+ continue;
-+ }
-+ if(!strcmp(keyword,"[mod"))
-+ {
-+ if (p)
-+ BN_free(p);
-+ p = NULL;
-+ if (q)
-+ BN_free(q);
-+ q = NULL;
-+ if (g)
-+ BN_free(g);
-+ g = NULL;
-+ paramcheck = 0;
-+ nmod=atoi(value);
-+ }
-+ else if(!strcmp(keyword,"P"))
-+ p=hex2bn(value);
-+ else if(!strcmp(keyword,"Q"))
-+ q=hex2bn(value);
-+ else if(!strcmp(keyword,"G"))
-+ g=hex2bn(value);
-+ else if(!strcmp(keyword,"X"))
-+ X=hex2bn(value);
-+ else if(!strcmp(keyword,"Y"))
-+ {
-+ Y=hex2bn(value);
-+ if (!p || !q || !g || !X || !Y)
-+ {
-+ fprintf(stderr, "Parse Error\n");
-+ exit (1);
-+ }
-+ pbn("P",p);
-+ pbn("Q",q);
-+ pbn("G",g);
-+ pbn("X",X);
-+ pbn("Y",Y);
-+ if (!paramcheck)
-+ {
-+ if (dss_paramcheck(nmod, p, q, g, ctx))
-+ paramcheck = 1;
-+ else
-+ paramcheck = -1;
-+ }
-+ if (paramcheck != 1)
-+ printf("Result = F\n");
-+ else
-+ {
-+ if (!BN_mod_exp(Y2, g, X, p, ctx) || BN_cmp(Y2, Y))
-+ printf("Result = F\n");
-+ else
-+ printf("Result = P\n");
-+ }
-+ BN_free(X);
-+ BN_free(Y);
-+ X = NULL;
-+ Y = NULL;
-+ }
-+ }
-+ if (p)
-+ BN_free(p);
-+ if (q)
-+ BN_free(q);
-+ if (g)
-+ BN_free(g);
-+ if (Y2)
-+ BN_free(Y2);
-+ }
-+
-+void keypair()
-+ {
-+ char buf[1024];
-+ char lbuf[1024];
-+ char *keyword, *value;
-+ int nmod=0;
-+
-+ while(fgets(buf,sizeof buf,stdin) != NULL)
-+ {
-+ if (!parse_line(&keyword, &value, lbuf, buf))
-+ {
-+ fputs(buf,stdout);
-+ continue;
-+ }
-+ if(!strcmp(keyword,"[mod"))
-+ nmod=atoi(value);
-+ else if(!strcmp(keyword,"N"))
-+ {
-+ DSA *dsa;
-+ int n=atoi(value);
-+
-+ printf("[mod = %d]\n\n",nmod);
-+ dsa = FIPS_dsa_new();
-+ if (!DSA_generate_parameters_ex(dsa, nmod,NULL,0,NULL,NULL,NULL))
-+ {
-+ do_print_errors();
-+ exit(1);
-+ }
-+ pbn("P",dsa->p);
-+ pbn("Q",dsa->q);
-+ pbn("G",dsa->g);
-+ putc('\n',stdout);
-+
-+ while(n--)
-+ {
-+ if (!DSA_generate_key(dsa))
-+ {
-+ do_print_errors();
-+ exit(1);
-+ }
-+
-+ pbn("X",dsa->priv_key);
-+ pbn("Y",dsa->pub_key);
-+ putc('\n',stdout);
-+ }
-+ }
-+ }
-+ }
-+
-+void siggen()
-+ {
-+ char buf[1024];
-+ char lbuf[1024];
-+ char *keyword, *value;
-+ int nmod=0;
-+ DSA *dsa=NULL;
-+
-+ while(fgets(buf,sizeof buf,stdin) != NULL)
-+ {
-+ if (!parse_line(&keyword, &value, lbuf, buf))
-+ {
-+ fputs(buf,stdout);
-+ continue;
-+ }
-+ if(!strcmp(keyword,"[mod"))
-+ {
-+ nmod=atoi(value);
-+ printf("[mod = %d]\n\n",nmod);
-+ if (dsa)
-+ FIPS_dsa_free(dsa);
-+ dsa = FIPS_dsa_new();
-+ if (!DSA_generate_parameters_ex(dsa, nmod,NULL,0,NULL,NULL,NULL))
-+ {
-+ do_print_errors();
-+ exit(1);
-+ }
-+ pbn("P",dsa->p);
-+ pbn("Q",dsa->q);
-+ pbn("G",dsa->g);
-+ putc('\n',stdout);
-+ }
-+ else if(!strcmp(keyword,"Msg"))
-+ {
-+ unsigned char msg[1024];
-+ unsigned char sbuf[60];
-+ unsigned int slen;
-+ int n;
-+ EVP_PKEY pk;
-+ EVP_MD_CTX mctx;
-+ DSA_SIG *sig;
-+ EVP_MD_CTX_init(&mctx);
-+
-+ n=hex2bin(value,msg);
-+ pv("Msg",msg,n);
-+
-+ if (!DSA_generate_key(dsa))
-+ {
-+ do_print_errors();
-+ exit(1);
-+ }
-+ pk.type = EVP_PKEY_DSA;
-+ pk.pkey.dsa = dsa;
-+ pbn("Y",dsa->pub_key);
-+
-+ EVP_SignInit_ex(&mctx, EVP_dss1(), NULL);
-+ EVP_SignUpdate(&mctx, msg, n);
-+ EVP_SignFinal(&mctx, sbuf, &slen, &pk);
-+
-+ sig = DSA_SIG_new();
-+ FIPS_dsa_sig_decode(sig, sbuf, slen);
-+
-+ pbn("R",sig->r);
-+ pbn("S",sig->s);
-+ putc('\n',stdout);
-+ DSA_SIG_free(sig);
-+ EVP_MD_CTX_cleanup(&mctx);
-+ }
-+ }
-+ if (dsa)
-+ FIPS_dsa_free(dsa);
-+ }
-+
-+void sigver()
-+ {
-+ DSA *dsa=NULL;
-+ char buf[1024];
-+ char lbuf[1024];
-+ unsigned char msg[1024];
-+ char *keyword, *value;
-+ int nmod=0, n=0;
-+ DSA_SIG sg, *sig = &sg;
-+
-+ sig->r = NULL;
-+ sig->s = NULL;
-+
-+ while(fgets(buf,sizeof buf,stdin) != NULL)
-+ {
-+ if (!parse_line(&keyword, &value, lbuf, buf))
-+ {
-+ fputs(buf,stdout);
-+ continue;
-+ }
-+ if(!strcmp(keyword,"[mod"))
-+ {
-+ nmod=atoi(value);
-+ if(dsa)
-+ FIPS_dsa_free(dsa);
-+ dsa=FIPS_dsa_new();
-+ }
-+ else if(!strcmp(keyword,"P"))
-+ dsa->p=hex2bn(value);
-+ else if(!strcmp(keyword,"Q"))
-+ dsa->q=hex2bn(value);
-+ else if(!strcmp(keyword,"G"))
-+ {
-+ dsa->g=hex2bn(value);
-+
-+ printf("[mod = %d]\n\n",nmod);
-+ pbn("P",dsa->p);
-+ pbn("Q",dsa->q);
-+ pbn("G",dsa->g);
-+ putc('\n',stdout);
-+ }
-+ else if(!strcmp(keyword,"Msg"))
-+ {
-+ n=hex2bin(value,msg);
-+ pv("Msg",msg,n);
-+ }
-+ else if(!strcmp(keyword,"Y"))
-+ dsa->pub_key=hex2bn(value);
-+ else if(!strcmp(keyword,"R"))
-+ sig->r=hex2bn(value);
-+ else if(!strcmp(keyword,"S"))
-+ {
-+ EVP_MD_CTX mctx;
-+ EVP_PKEY pk;
-+ unsigned char sigbuf[60];
-+ unsigned int slen;
-+ int r;
-+ EVP_MD_CTX_init(&mctx);
-+ pk.type = EVP_PKEY_DSA;
-+ pk.pkey.dsa = dsa;
-+ sig->s=hex2bn(value);
-+
-+ pbn("Y",dsa->pub_key);
-+ pbn("R",sig->r);
-+ pbn("S",sig->s);
-+
-+ slen = FIPS_dsa_sig_encode(sigbuf, sig);
-+ EVP_VerifyInit_ex(&mctx, EVP_dss1(), NULL);
-+ EVP_VerifyUpdate(&mctx, msg, n);
-+ r = EVP_VerifyFinal(&mctx, sigbuf, slen, &pk);
-+ EVP_MD_CTX_cleanup(&mctx);
-+
-+ printf("Result = %c\n", r == 1 ? 'P' : 'F');
-+ putc('\n',stdout);
-+ }
-+ }
-+ }
-+
-+int main(int argc,char **argv)
-+ {
-+ if(argc != 2)
-+ {
-+ fprintf(stderr,"%s [prime|pqg|pqgver|keypair|siggen|sigver]\n",argv[0]);
-+ exit(1);
-+ }
-+ if(!FIPS_mode_set(1))
-+ {
-+ do_print_errors();
-+ exit(1);
-+ }
-+ if(!strcmp(argv[1],"prime"))
-+ primes();
-+ else if(!strcmp(argv[1],"pqg"))
-+ pqg();
-+ else if(!strcmp(argv[1],"pqgver"))
-+ pqgver();
-+ else if(!strcmp(argv[1],"keypair"))
-+ keypair();
-+ else if(!strcmp(argv[1],"keyver"))
-+ keyver();
-+ else if(!strcmp(argv[1],"siggen"))
-+ siggen();
-+ else if(!strcmp(argv[1],"sigver"))
-+ sigver();
-+ else
-+ {
-+ fprintf(stderr,"Don't know how to %s.\n",argv[1]);
-+ exit(1);
-+ }
-+
-+ return 0;
-+ }
-+
-+#endif
-diff -up openssl-1.0.1e/crypto/fips/cavs/fips_gcmtest.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_gcmtest.c
---- openssl-1.0.1e/crypto/fips/cavs/fips_gcmtest.c.fips 2013-10-04 11:48:04.181694158 +0200
-+++ openssl-1.0.1e/crypto/fips/cavs/fips_gcmtest.c 2013-10-04 11:48:04.181694158 +0200
-@@ -0,0 +1,571 @@
-+/* fips/aes/fips_gcmtest.c */
-+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
-+ * project.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ */
-+
-+
-+#define OPENSSL_FIPSAPI
-+#include <openssl/opensslconf.h>
-+
-+#ifndef OPENSSL_FIPS
-+#include <stdio.h>
-+
-+int main(int argc, char **argv)
-+{
-+ printf("No FIPS GCM support\n");
-+ return(0);
-+}
-+#else
-+
-+#include <openssl/bn.h>
-+#include <openssl/dsa.h>
-+#include <openssl/fips.h>
-+#include <openssl/err.h>
-+#include <openssl/evp.h>
-+#include <string.h>
-+#include <ctype.h>
-+
-+#include "fips_utl.h"
-+
-+static void gcmtest(FILE *in, FILE *out, int encrypt)
-+ {
-+ char buf[2048];
-+ char lbuf[2048];
-+ char *keyword, *value;
-+ int keylen = -1, ivlen = -1, aadlen = -1, taglen = -1, ptlen = -1;
-+ int rv;
-+ long l;
-+ unsigned char *key = NULL, *iv = NULL, *aad = NULL, *tag = NULL;
-+ unsigned char *ct = NULL, *pt = NULL;
-+ EVP_CIPHER_CTX ctx;
-+ const EVP_CIPHER *gcm = NULL;
-+ FIPS_cipher_ctx_init(&ctx);
-+
-+ while(fgets(buf,sizeof buf,in) != NULL)
-+ {
-+ fputs(buf,out);
-+ if (!parse_line(&keyword, &value, lbuf, buf))
-+ continue;
-+ if(!strcmp(keyword,"[Keylen"))
-+ {
-+ keylen = atoi(value);
-+ if (keylen == 128)
-+ gcm = EVP_aes_128_gcm();
-+ else if (keylen == 192)
-+ gcm = EVP_aes_192_gcm();
-+ else if (keylen == 256)
-+ gcm = EVP_aes_256_gcm();
-+ else
-+ {
-+ fprintf(stderr, "Unsupported keylen %d\n",
-+ keylen);
-+ }
-+ keylen >>= 3;
-+ }
-+ else if (!strcmp(keyword, "[IVlen"))
-+ ivlen = atoi(value) >> 3;
-+ else if (!strcmp(keyword, "[AADlen"))
-+ aadlen = atoi(value) >> 3;
-+ else if (!strcmp(keyword, "[Taglen"))
-+ taglen = atoi(value) >> 3;
-+ else if (!strcmp(keyword, "[PTlen"))
-+ ptlen = atoi(value) >> 3;
-+ else if(!strcmp(keyword,"Key"))
-+ {
-+ key = hex2bin_m(value, &l);
-+ if (l != keylen)
-+ {
-+ fprintf(stderr, "Inconsistent Key length\n");
-+ exit(1);
-+ }
-+ }
-+ else if(!strcmp(keyword,"IV"))
-+ {
-+ iv = hex2bin_m(value, &l);
-+ if (l != ivlen)
-+ {
-+ fprintf(stderr, "Inconsistent IV length\n");
-+ exit(1);
-+ }
-+ }
-+ else if(!strcmp(keyword,"PT"))
-+ {
-+ pt = hex2bin_m(value, &l);
-+ if (l != ptlen)
-+ {
-+ fprintf(stderr, "Inconsistent PT length\n");
-+ exit(1);
-+ }
-+ }
-+ else if(!strcmp(keyword,"CT"))
-+ {
-+ ct = hex2bin_m(value, &l);
-+ if (l != ptlen)
-+ {
-+ fprintf(stderr, "Inconsistent CT length\n");
-+ exit(1);
-+ }
-+ }
-+ else if(!strcmp(keyword,"AAD"))
-+ {
-+ aad = hex2bin_m(value, &l);
-+ if (l != aadlen)
-+ {
-+ fprintf(stderr, "Inconsistent AAD length\n");
-+ exit(1);
-+ }
-+ }
-+ else if(!strcmp(keyword,"Tag"))
-+ {
-+ tag = hex2bin_m(value, &l);
-+ if (l != taglen)
-+ {
-+ fprintf(stderr, "Inconsistent Tag length\n");
-+ exit(1);
-+ }
-+ }
-+ if (encrypt && pt && aad && (iv || encrypt==1))
-+ {
-+ tag = OPENSSL_malloc(taglen);
-+ FIPS_cipherinit(&ctx, gcm, NULL, NULL, 1);
-+ /* Relax FIPS constraints for testing */
-+ M_EVP_CIPHER_CTX_set_flags(&ctx, EVP_CIPH_FLAG_NON_FIPS_ALLOW);
-+ FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN, ivlen, 0);
-+ if (encrypt == 1)
-+ {
-+ static unsigned char iv_fixed[4] = {1,2,3,4};
-+ if (!iv)
-+ iv = OPENSSL_malloc(ivlen);
-+ FIPS_cipherinit(&ctx, NULL, key, NULL, 1);
-+ FIPS_cipher_ctx_ctrl(&ctx,
-+ EVP_CTRL_GCM_SET_IV_FIXED,
-+ 4, iv_fixed);
-+ if (!FIPS_cipher_ctx_ctrl(&ctx,
-+ EVP_CTRL_GCM_IV_GEN, 0, iv))
-+ {
-+ fprintf(stderr, "IV gen error\n");
-+ exit(1);
-+ }
-+ OutputValue("IV", iv, ivlen, out, 0);
-+ }
-+ else
-+ FIPS_cipherinit(&ctx, NULL, key, iv, 1);
-+
-+
-+ if (aadlen)
-+ FIPS_cipher(&ctx, NULL, aad, aadlen);
-+ if (ptlen)
-+ {
-+ ct = OPENSSL_malloc(ptlen);
-+ rv = FIPS_cipher(&ctx, ct, pt, ptlen);
-+ }
-+ FIPS_cipher(&ctx, NULL, NULL, 0);
-+ FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG,
-+ taglen, tag);
-+ OutputValue("CT", ct, ptlen, out, 0);
-+ OutputValue("Tag", tag, taglen, out, 0);
-+ if (iv)
-+ OPENSSL_free(iv);
-+ if (aad)
-+ OPENSSL_free(aad);
-+ if (ct)
-+ OPENSSL_free(ct);
-+ if (pt)
-+ OPENSSL_free(pt);
-+ if (key)
-+ OPENSSL_free(key);
-+ if (tag)
-+ OPENSSL_free(tag);
-+ iv = aad = ct = pt = key = tag = NULL;
-+ }
-+ if (!encrypt && tag)
-+ {
-+ FIPS_cipherinit(&ctx, gcm, NULL, NULL, 0);
-+ /* Relax FIPS constraints for testing */
-+ M_EVP_CIPHER_CTX_set_flags(&ctx, EVP_CIPH_FLAG_NON_FIPS_ALLOW);
-+ FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN, ivlen, 0);
-+ FIPS_cipherinit(&ctx, NULL, key, iv, 0);
-+ FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_GCM_SET_TAG, taglen, tag);
-+ if (aadlen)
-+ FIPS_cipher(&ctx, NULL, aad, aadlen);
-+ if (ptlen)
-+ {
-+ pt = OPENSSL_malloc(ptlen);
-+ rv = FIPS_cipher(&ctx, pt, ct, ptlen);
-+ }
-+ rv = FIPS_cipher(&ctx, NULL, NULL, 0);
-+ if (rv < 0)
-+ fprintf(out, "FAIL" RESP_EOL);
-+ else
-+ OutputValue("PT", pt, ptlen, out, 0);
-+ if (iv)
-+ OPENSSL_free(iv);
-+ if (aad)
-+ OPENSSL_free(aad);
-+ if (ct)
-+ OPENSSL_free(ct);
-+ if (pt)
-+ OPENSSL_free(pt);
-+ if (key)
-+ OPENSSL_free(key);
-+ if (tag)
-+ OPENSSL_free(tag);
-+ iv = aad = ct = pt = key = tag = NULL;
-+ }
-+ }
-+ FIPS_cipher_ctx_cleanup(&ctx);
-+ }
-+
-+static void xtstest(FILE *in, FILE *out)
-+ {
-+ char buf[204800];
-+ char lbuf[204800];
-+ char *keyword, *value;
-+ int inlen = 0;
-+ int encrypt = 0;
-+ long l;
-+ unsigned char *key = NULL, *iv = NULL;
-+ unsigned char *inbuf = NULL, *outbuf = NULL;
-+ EVP_CIPHER_CTX ctx;
-+ const EVP_CIPHER *xts = NULL;
-+ FIPS_cipher_ctx_init(&ctx);
-+
-+ while(fgets(buf,sizeof buf,in) != NULL)
-+ {
-+ fputs(buf,out);
-+ if (buf[0] == '[' && strlen(buf) >= 9)
-+ {
-+ if(!strncmp(buf,"[ENCRYPT]", 9))
-+ encrypt = 1;
-+ else if(!strncmp(buf,"[DECRYPT]", 9))
-+ encrypt = 0;
-+ }
-+ if (!parse_line(&keyword, &value, lbuf, buf))
-+ continue;
-+ else if(!strcmp(keyword,"Key"))
-+ {
-+ key = hex2bin_m(value, &l);
-+ if (l == 32)
-+ xts = EVP_aes_128_xts();
-+ else if (l == 64)
-+ xts = EVP_aes_256_xts();
-+ else
-+ {
-+ fprintf(stderr, "Inconsistent Key length\n");
-+ exit(1);
-+ }
-+ }
-+ else if(!strcmp(keyword,"i"))
-+ {
-+ iv = hex2bin_m(value, &l);
-+ if (l != 16)
-+ {
-+ fprintf(stderr, "Inconsistent i length\n");
-+ exit(1);
-+ }
-+ }
-+ else if(encrypt && !strcmp(keyword,"PT"))
-+ {
-+ inbuf = hex2bin_m(value, &l);
-+ inlen = l;
-+ }
-+ else if(!encrypt && !strcmp(keyword,"CT"))
-+ {
-+ inbuf = hex2bin_m(value, &l);
-+ inlen = l;
-+ }
-+ if (inbuf)
-+ {
-+ FIPS_cipherinit(&ctx, xts, key, iv, encrypt);
-+ outbuf = OPENSSL_malloc(inlen);
-+ FIPS_cipher(&ctx, outbuf, inbuf, inlen);
-+ OutputValue(encrypt ? "CT":"PT", outbuf, inlen, out, 0);
-+ OPENSSL_free(inbuf);
-+ OPENSSL_free(outbuf);
-+ OPENSSL_free(key);
-+ OPENSSL_free(iv);
-+ iv = key = inbuf = outbuf = NULL;
-+ }
-+ }
-+ FIPS_cipher_ctx_cleanup(&ctx);
-+ }
-+
-+static void ccmtest(FILE *in, FILE *out)
-+ {
-+ char buf[200048];
-+ char lbuf[200048];
-+ char *keyword, *value;
-+ long l;
-+ unsigned char *Key = NULL, *Nonce = NULL;
-+ unsigned char *Adata = NULL, *Payload = NULL;
-+ unsigned char *CT = NULL;
-+ int Plen = -1, Nlen = -1, Tlen = -1, Alen = -1;
-+ int decr = 0;
-+ EVP_CIPHER_CTX ctx;
-+ const EVP_CIPHER *ccm = NULL;
-+ FIPS_cipher_ctx_init(&ctx);
-+
-+ while(fgets(buf,sizeof buf,in) != NULL)
-+ {
-+ char *p;
-+ fputs(buf,out);
-+ redo:
-+ if (!parse_line(&keyword, &value, lbuf, buf))
-+ continue;
-+
-+ /* If surrounded by square brackets zap them */
-+ if (keyword[0] == '[')
-+ {
-+ keyword++;
-+ p = strchr(value, ']');
-+ if (p)
-+ *p = 0;
-+ }
-+ /* See if we have a comma separated list of parameters
-+ * if so copy rest of line back to buffer and redo later.
-+ */
-+ p = strchr(value, ',');
-+ if (p)
-+ {
-+ *p = 0;
-+ strcpy(buf, p + 1);
-+ strcat(buf, "\n");
-+ decr = 1;
-+ }
-+ if (!strcmp(keyword,"Plen"))
-+ Plen = atoi(value);
-+ else if (!strcmp(keyword,"Nlen"))
-+ Nlen = atoi(value);
-+ else if (!strcmp(keyword,"Tlen"))
-+ Tlen = atoi(value);
-+ else if (!strcmp(keyword,"Alen"))
-+ Alen = atoi(value);
-+ if (p)
-+ goto redo;
-+ if (!strcmp(keyword,"Key"))
-+ {
-+ if (Key)
-+ OPENSSL_free(Key);
-+ Key = hex2bin_m(value, &l);
-+ if (l == 16)
-+ ccm = EVP_aes_128_ccm();
-+ else if (l == 24)
-+ ccm = EVP_aes_192_ccm();
-+ else if (l == 32)
-+ ccm = EVP_aes_256_ccm();
-+ else
-+ {
-+ fprintf(stderr, "Inconsistent Key length\n");
-+ exit(1);
-+ }
-+ }
-+ else if (!strcmp(keyword,"Nonce"))
-+ {
-+ if (Nonce)
-+ OPENSSL_free(Nonce);
-+ Nonce = hex2bin_m(value, &l);
-+ if (l != Nlen)
-+ {
-+ fprintf(stderr, "Inconsistent nonce length\n");
-+ exit(1);
-+ }
-+ }
-+ else if (!strcmp(keyword,"Payload") && !decr)
-+ {
-+ Payload = hex2bin_m(value, &l);
-+ if (Plen && l != Plen)
-+ {
-+ fprintf(stderr, "Inconsistent Payload length\n");
-+ exit(1);
-+ }
-+ }
-+ else if (!strcmp(keyword,"Adata"))
-+ {
-+ if (Adata)
-+ OPENSSL_free(Adata);
-+ Adata = hex2bin_m(value, &l);
-+ if (Alen && l != Alen)
-+ {
-+ fprintf(stderr, "Inconsistent Payload length\n");
-+ exit(1);
-+ }
-+ }
-+ else if (!strcmp(keyword,"CT") && decr)
-+ {
-+ CT = hex2bin_m(value, &l);
-+ if (l != (Plen + Tlen))
-+ {
-+ fprintf(stderr, "Inconsistent CT length\n");
-+ exit(1);
-+ }
-+ }
-+ if (Payload)
-+ {
-+ FIPS_cipherinit(&ctx, ccm, NULL, NULL, 1);
-+ FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_CCM_SET_IVLEN, Nlen, 0);
-+ FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_CCM_SET_TAG, Tlen, 0);
-+ FIPS_cipherinit(&ctx, NULL, Key, Nonce, 1);
-+
-+ FIPS_cipher(&ctx, NULL, NULL, Plen);
-+ FIPS_cipher(&ctx, NULL, Adata, Alen);
-+ CT = OPENSSL_malloc(Plen + Tlen);
-+ FIPS_cipher(&ctx, CT, Payload, Plen);
-+ FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_CCM_GET_TAG, Tlen,
-+ CT + Plen);
-+ OutputValue("CT", CT, Plen + Tlen, out, 0);
-+ OPENSSL_free(CT);
-+ OPENSSL_free(Payload);
-+ CT = Payload = NULL;
-+ }
-+ if (CT)
-+ {
-+ int rv;
-+ int len = Plen == 0 ? 1: Plen;
-+ FIPS_cipherinit(&ctx, ccm, NULL, NULL, 0);
-+ FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_CCM_SET_IVLEN, Nlen, 0);
-+ FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_CCM_SET_TAG,
-+ Tlen, CT + Plen);
-+ FIPS_cipherinit(&ctx, NULL, Key, Nonce, 0);
-+ FIPS_cipher(&ctx, NULL, NULL, Plen);
-+ FIPS_cipher(&ctx, NULL, Adata, Alen);
-+ Payload = OPENSSL_malloc(len);
-+ rv = FIPS_cipher(&ctx, Payload, CT, Plen);
-+ if (rv >= 0)
-+ {
-+ if (rv == 0)
-+ Payload[0] = 0;
-+ fputs("Result = Pass" RESP_EOL, out);
-+ OutputValue("Payload", Payload, len, out, 0);
-+ }
-+ else
-+ fputs("Result = Fail" RESP_EOL, out);
-+ OPENSSL_free(CT);
-+ OPENSSL_free(Payload);
-+ CT = Payload = NULL;
-+ }
-+ }
-+ if (Key)
-+ OPENSSL_free(Key);
-+ if (Nonce)
-+ OPENSSL_free(Nonce);
-+ if (Adata)
-+ OPENSSL_free(Adata);
-+ FIPS_cipher_ctx_cleanup(&ctx);
-+ }
-+
-+#ifdef FIPS_ALGVS
-+int fips_gcmtest_main(int argc, char **argv)
-+#else
-+int main(int argc, char **argv)
-+#endif
-+ {
-+ int encrypt;
-+ int xts = 0, ccm = 0;
-+ FILE *in, *out;
-+ if (argc == 4)
-+ {
-+ in = fopen(argv[2], "r");
-+ if (!in)
-+ {
-+ fprintf(stderr, "Error opening input file\n");
-+ exit(1);
-+ }
-+ out = fopen(argv[3], "w");
-+ if (!out)
-+ {
-+ fprintf(stderr, "Error opening output file\n");
-+ exit(1);
-+ }
-+ }
-+ else if (argc == 2)
-+ {
-+ in = stdin;
-+ out = stdout;
-+ }
-+ else
-+ {
-+ fprintf(stderr,"%s [-encrypt|-decrypt]\n",argv[0]);
-+ exit(1);
-+ }
-+ fips_algtest_init();
-+ if(!strcmp(argv[1],"-encrypt"))
-+ encrypt = 1;
-+ else if(!strcmp(argv[1],"-encryptIVext"))
-+ encrypt = 2;
-+ else if(!strcmp(argv[1],"-decrypt"))
-+ encrypt = 0;
-+ else if(!strcmp(argv[1],"-ccm"))
-+ ccm = 1;
-+ else if(!strcmp(argv[1],"-xts"))
-+ xts = 1;
-+ else
-+ {
-+ fprintf(stderr,"Don't know how to %s.\n",argv[1]);
-+ exit(1);
-+ }
-+
-+ if (ccm)
-+ ccmtest(in, out);
-+ else if (xts)
-+ xtstest(in, out);
-+ else
-+ gcmtest(in, out, encrypt);
-+
-+ if (argc == 4)
-+ {
-+ fclose(in);
-+ fclose(out);
-+ }
-+
-+ return 0;
-+}
-+
-+#endif
-diff -up openssl-1.0.1e/crypto/fips/cavs/fips_rngvs.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_rngvs.c
---- openssl-1.0.1e/crypto/fips/cavs/fips_rngvs.c.fips 2013-10-04 11:48:04.181694158 +0200
-+++ openssl-1.0.1e/crypto/fips/cavs/fips_rngvs.c 2013-10-04 11:48:04.181694158 +0200
-@@ -0,0 +1,230 @@
-+/*
-+ * Crude test driver for processing the VST and MCT testvector files
-+ * generated by the CMVP RNGVS product.
-+ *
-+ * Note the input files are assumed to have a _very_ specific format
-+ * as described in the NIST document "The Random Number Generator
-+ * Validation System (RNGVS)", May 25, 2004.
-+ *
-+ */
-+#include <openssl/opensslconf.h>
-+
-+#ifndef OPENSSL_FIPS
-+#include <stdio.h>
-+
-+int main(int argc, char **argv)
-+{
-+ printf("No FIPS RNG support\n");
-+ return 0;
-+}
-+#else
-+
-+#include <openssl/bn.h>
-+#include <openssl/dsa.h>
-+#include <openssl/fips.h>
-+#include <openssl/err.h>
-+#include <openssl/rand.h>
-+#include <openssl/fips_rand.h>
-+#include <openssl/x509v3.h>
-+#include <string.h>
-+#include <ctype.h>
-+
-+#include "fips_utl.h"
-+
-+void vst()
-+ {
-+ unsigned char *key = NULL;
-+ unsigned char *v = NULL;
-+ unsigned char *dt = NULL;
-+ unsigned char ret[16];
-+ char buf[1024];
-+ char lbuf[1024];
-+ char *keyword, *value;
-+ long i, keylen;
-+
-+ keylen = 0;
-+
-+ while(fgets(buf,sizeof buf,stdin) != NULL)
-+ {
-+ fputs(buf,stdout);
-+ if(!strncmp(buf,"[AES 128-Key]", 13))
-+ keylen = 16;
-+ else if(!strncmp(buf,"[AES 192-Key]", 13))
-+ keylen = 24;
-+ else if(!strncmp(buf,"[AES 256-Key]", 13))
-+ keylen = 32;
-+ if (!parse_line(&keyword, &value, lbuf, buf))
-+ continue;
-+ if(!strcmp(keyword,"Key"))
-+ {
-+ key=hex2bin_m(value,&i);
-+ if (i != keylen)
-+ {
-+ fprintf(stderr, "Invalid key length, expecting %ld\n", keylen);
-+ return;
-+ }
-+ }
-+ else if(!strcmp(keyword,"DT"))
-+ {
-+ dt=hex2bin_m(value,&i);
-+ if (i != 16)
-+ {
-+ fprintf(stderr, "Invalid DT length\n");
-+ return;
-+ }
-+ }
-+ else if(!strcmp(keyword,"V"))
-+ {
-+ v=hex2bin_m(value,&i);
-+ if (i != 16)
-+ {
-+ fprintf(stderr, "Invalid V length\n");
-+ return;
-+ }
-+
-+ if (!key || !dt)
-+ {
-+ fprintf(stderr, "Missing key or DT\n");
-+ return;
-+ }
-+
-+ FIPS_x931_set_key(key, keylen);
-+ FIPS_x931_seed(v,16);
-+ FIPS_x931_set_dt(dt);
-+ if (FIPS_x931_bytes(ret,16) <= 0)
-+ {
-+ fprintf(stderr, "Error getting PRNG value\n");
-+ return;
-+ }
-+
-+ pv("R",ret,16);
-+ OPENSSL_free(key);
-+ key = NULL;
-+ OPENSSL_free(dt);
-+ dt = NULL;
-+ OPENSSL_free(v);
-+ v = NULL;
-+ }
-+ }
-+ }
-+
-+void mct()
-+ {
-+ unsigned char *key = NULL;
-+ unsigned char *v = NULL;
-+ unsigned char *dt = NULL;
-+ unsigned char ret[16];
-+ char buf[1024];
-+ char lbuf[1024];
-+ char *keyword, *value;
-+ long i, keylen;
-+ int j;
-+
-+ keylen = 0;
-+
-+ while(fgets(buf,sizeof buf,stdin) != NULL)
-+ {
-+ fputs(buf,stdout);
-+ if(!strncmp(buf,"[AES 128-Key]", 13))
-+ keylen = 16;
-+ else if(!strncmp(buf,"[AES 192-Key]", 13))
-+ keylen = 24;
-+ else if(!strncmp(buf,"[AES 256-Key]", 13))
-+ keylen = 32;
-+ if (!parse_line(&keyword, &value, lbuf, buf))
-+ continue;
-+ if(!strcmp(keyword,"Key"))
-+ {
-+ key=hex2bin_m(value,&i);
-+ if (i != keylen)
-+ {
-+ fprintf(stderr, "Invalid key length, expecting %ld\n", keylen);
-+ return;
-+ }
-+ }
-+ else if(!strcmp(keyword,"DT"))
-+ {
-+ dt=hex2bin_m(value,&i);
-+ if (i != 16)
-+ {
-+ fprintf(stderr, "Invalid DT length\n");
-+ return;
-+ }
-+ }
-+ else if(!strcmp(keyword,"V"))
-+ {
-+ v=hex2bin_m(value,&i);
-+ if (i != 16)
-+ {
-+ fprintf(stderr, "Invalid V length\n");
-+ return;
-+ }
-+
-+ if (!key || !dt)
-+ {
-+ fprintf(stderr, "Missing key or DT\n");
-+ return;
-+ }
-+
-+ FIPS_x931_set_key(key, keylen);
-+ FIPS_x931_seed(v,16);
-+ for (i = 0; i < 10000; i++)
-+ {
-+ FIPS_x931_set_dt(dt);
-+ if (FIPS_x931_bytes(ret,16) <= 0)
-+ {
-+ fprintf(stderr, "Error getting PRNG value\n");
-+ return;
-+ }
-+ /* Increment DT */
-+ for (j = 15; j >= 0; j--)
-+ {
-+ dt[j]++;
-+ if (dt[j])
-+ break;
-+ }
-+ }
-+
-+ pv("R",ret,16);
-+ OPENSSL_free(key);
-+ key = NULL;
-+ OPENSSL_free(dt);
-+ dt = NULL;
-+ OPENSSL_free(v);
-+ v = NULL;
-+ }
-+ }
-+ }
-+
-+int main(int argc,char **argv)
-+ {
-+ if(argc != 2)
-+ {
-+ fprintf(stderr,"%s [mct|vst]\n",argv[0]);
-+ exit(1);
-+ }
-+ if(!FIPS_mode_set(1))
-+ {
-+ do_print_errors();
-+ exit(1);
-+ }
-+ FIPS_x931_reset();
-+ if (!FIPS_x931_test_mode())
-+ {
-+ fprintf(stderr, "Error setting PRNG test mode\n");
-+ do_print_errors();
-+ exit(1);
-+ }
-+ if(!strcmp(argv[1],"mct"))
-+ mct();
-+ else if(!strcmp(argv[1],"vst"))
-+ vst();
-+ else
-+ {
-+ fprintf(stderr,"Don't know how to %s.\n",argv[1]);
-+ exit(1);
-+ }
-+
-+ return 0;
-+ }
-+#endif
-diff -up openssl-1.0.1e/crypto/fips/cavs/fips_rsagtest.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_rsagtest.c
---- openssl-1.0.1e/crypto/fips/cavs/fips_rsagtest.c.fips 2013-10-04 11:48:04.181694158 +0200
-+++ openssl-1.0.1e/crypto/fips/cavs/fips_rsagtest.c 2013-10-04 11:48:04.181694158 +0200
-@@ -0,0 +1,390 @@
-+/* fips_rsagtest.c */
-+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
-+ * project 2005.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2005,2007 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ *
-+ * This product includes cryptographic software written by Eric Young
-+ * (eay@cryptsoft.com). This product includes software written by Tim
-+ * Hudson (tjh@cryptsoft.com).
-+ *
-+ */
-+
-+#include <stdio.h>
-+#include <ctype.h>
-+#include <string.h>
-+#include <openssl/bio.h>
-+#include <openssl/evp.h>
-+#include <openssl/hmac.h>
-+#include <openssl/err.h>
-+#include <openssl/rsa.h>
-+#include <openssl/bn.h>
-+#include <openssl/x509v3.h>
-+
-+#ifndef OPENSSL_FIPS
-+
-+int main(int argc, char *argv[])
-+{
-+ printf("No FIPS RSA support\n");
-+ return(0);
-+}
-+
-+#else
-+
-+#include "fips_utl.h"
-+
-+int rsa_test(FILE *out, FILE *in);
-+static int rsa_printkey1(FILE *out, RSA *rsa,
-+ BIGNUM *Xp1, BIGNUM *Xp2, BIGNUM *Xp,
-+ BIGNUM *e);
-+static int rsa_printkey2(FILE *out, RSA *rsa,
-+ BIGNUM *Xq1, BIGNUM *Xq2, BIGNUM *Xq);
-+
-+int main(int argc, char **argv)
-+ {
-+ FILE *in = NULL, *out = NULL;
-+
-+ int ret = 1;
-+
-+ if(!FIPS_mode_set(1))
-+ {
-+ do_print_errors();
-+ goto end;
-+ }
-+
-+ if (argc == 1)
-+ in = stdin;
-+ else
-+ in = fopen(argv[1], "r");
-+
-+ if (argc < 2)
-+ out = stdout;
-+ else
-+ out = fopen(argv[2], "w");
-+
-+ if (!in)
-+ {
-+ fprintf(stderr, "FATAL input initialization error\n");
-+ goto end;
-+ }
-+
-+ if (!out)
-+ {
-+ fprintf(stderr, "FATAL output initialization error\n");
-+ goto end;
-+ }
-+
-+ if (!rsa_test(out, in))
-+ {
-+ fprintf(stderr, "FATAL RSAGTEST file processing error\n");
-+ goto end;
-+ }
-+ else
-+ ret = 0;
-+
-+ end:
-+
-+ if (ret)
-+ do_print_errors();
-+
-+ if (in && (in != stdin))
-+ fclose(in);
-+ if (out && (out != stdout))
-+ fclose(out);
-+
-+ return ret;
-+
-+ }
-+
-+#define RSA_TEST_MAXLINELEN 10240
-+
-+int rsa_test(FILE *out, FILE *in)
-+ {
-+ char *linebuf, *olinebuf, *p, *q;
-+ char *keyword, *value;
-+ RSA *rsa = NULL;
-+ BIGNUM *Xp1 = NULL, *Xp2 = NULL, *Xp = NULL;
-+ BIGNUM *Xq1 = NULL, *Xq2 = NULL, *Xq = NULL;
-+ BIGNUM *e = NULL;
-+ int ret = 0;
-+ int lnum = 0;
-+
-+ olinebuf = OPENSSL_malloc(RSA_TEST_MAXLINELEN);
-+ linebuf = OPENSSL_malloc(RSA_TEST_MAXLINELEN);
-+
-+ if (!linebuf || !olinebuf)
-+ goto error;
-+
-+ while (fgets(olinebuf, RSA_TEST_MAXLINELEN, in))
-+ {
-+ lnum++;
-+ strcpy(linebuf, olinebuf);
-+ keyword = linebuf;
-+ /* Skip leading space */
-+ while (isspace((unsigned char)*keyword))
-+ keyword++;
-+
-+ /* Look for = sign */
-+ p = strchr(linebuf, '=');
-+
-+ /* If no = or starts with [ (for [foo = bar] line) just copy */
-+ if (!p || *keyword=='[')
-+ {
-+ if (fputs(olinebuf, out) < 0)
-+ goto error;
-+ continue;
-+ }
-+
-+ q = p - 1;
-+
-+ /* Remove trailing space */
-+ while (isspace((unsigned char)*q))
-+ *q-- = 0;
-+
-+ *p = 0;
-+ value = p + 1;
-+
-+ /* Remove leading space from value */
-+ while (isspace((unsigned char)*value))
-+ value++;
-+
-+ /* Remove trailing space from value */
-+ p = value + strlen(value) - 1;
-+
-+ while (*p == '\n' || isspace((unsigned char)*p))
-+ *p-- = 0;
-+
-+ if (!strcmp(keyword, "xp1"))
-+ {
-+ if (Xp1 || !do_hex2bn(&Xp1,value))
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "xp2"))
-+ {
-+ if (Xp2 || !do_hex2bn(&Xp2,value))
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "Xp"))
-+ {
-+ if (Xp || !do_hex2bn(&Xp,value))
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "xq1"))
-+ {
-+ if (Xq1 || !do_hex2bn(&Xq1,value))
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "xq2"))
-+ {
-+ if (Xq2 || !do_hex2bn(&Xq2,value))
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "Xq"))
-+ {
-+ if (Xq || !do_hex2bn(&Xq,value))
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "e"))
-+ {
-+ if (e || !do_hex2bn(&e,value))
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "p1"))
-+ continue;
-+ else if (!strcmp(keyword, "p2"))
-+ continue;
-+ else if (!strcmp(keyword, "p"))
-+ continue;
-+ else if (!strcmp(keyword, "q1"))
-+ continue;
-+ else if (!strcmp(keyword, "q2"))
-+ continue;
-+ else if (!strcmp(keyword, "q"))
-+ continue;
-+ else if (!strcmp(keyword, "n"))
-+ continue;
-+ else if (!strcmp(keyword, "d"))
-+ continue;
-+ else
-+ goto parse_error;
-+
-+ fputs(olinebuf, out);
-+
-+ if (e && Xp1 && Xp2 && Xp)
-+ {
-+ rsa = FIPS_rsa_new();
-+ if (!rsa)
-+ goto error;
-+ if (!rsa_printkey1(out, rsa, Xp1, Xp2, Xp, e))
-+ goto error;
-+ BN_free(Xp1);
-+ Xp1 = NULL;
-+ BN_free(Xp2);
-+ Xp2 = NULL;
-+ BN_free(Xp);
-+ Xp = NULL;
-+ BN_free(e);
-+ e = NULL;
-+ }
-+
-+ if (rsa && Xq1 && Xq2 && Xq)
-+ {
-+ if (!rsa_printkey2(out, rsa, Xq1, Xq2, Xq))
-+ goto error;
-+ BN_free(Xq1);
-+ Xq1 = NULL;
-+ BN_free(Xq2);
-+ Xq2 = NULL;
-+ BN_free(Xq);
-+ Xq = NULL;
-+ FIPS_rsa_free(rsa);
-+ rsa = NULL;
-+ }
-+ }
-+
-+ ret = 1;
-+
-+ error:
-+
-+ if (olinebuf)
-+ OPENSSL_free(olinebuf);
-+ if (linebuf)
-+ OPENSSL_free(linebuf);
-+
-+ if (Xp1)
-+ BN_free(Xp1);
-+ if (Xp2)
-+ BN_free(Xp2);
-+ if (Xp)
-+ BN_free(Xp);
-+ if (Xq1)
-+ BN_free(Xq1);
-+ if (Xq1)
-+ BN_free(Xq1);
-+ if (Xq2)
-+ BN_free(Xq2);
-+ if (Xq)
-+ BN_free(Xq);
-+ if (e)
-+ BN_free(e);
-+ if (rsa)
-+ FIPS_rsa_free(rsa);
-+
-+ return ret;
-+
-+ parse_error:
-+
-+ fprintf(stderr, "FATAL parse error processing line %d\n", lnum);
-+
-+ goto error;
-+
-+ }
-+
-+static int rsa_printkey1(FILE *out, RSA *rsa,
-+ BIGNUM *Xp1, BIGNUM *Xp2, BIGNUM *Xp,
-+ BIGNUM *e)
-+ {
-+ int ret = 0;
-+ BIGNUM *p1 = NULL, *p2 = NULL;
-+ p1 = BN_new();
-+ p2 = BN_new();
-+ if (!p1 || !p2)
-+ goto error;
-+
-+ if (!RSA_X931_derive_ex(rsa, p1, p2, NULL, NULL, Xp1, Xp2, Xp,
-+ NULL, NULL, NULL, e, NULL))
-+ goto error;
-+
-+ do_bn_print_name(out, "p1", p1);
-+ do_bn_print_name(out, "p2", p2);
-+ do_bn_print_name(out, "p", rsa->p);
-+
-+ ret = 1;
-+
-+ error:
-+ if (p1)
-+ BN_free(p1);
-+ if (p2)
-+ BN_free(p2);
-+
-+ return ret;
-+ }
-+
-+static int rsa_printkey2(FILE *out, RSA *rsa,
-+ BIGNUM *Xq1, BIGNUM *Xq2, BIGNUM *Xq)
-+ {
-+ int ret = 0;
-+ BIGNUM *q1 = NULL, *q2 = NULL;
-+ q1 = BN_new();
-+ q2 = BN_new();
-+ if (!q1 || !q2)
-+ goto error;
-+
-+ if (!RSA_X931_derive_ex(rsa, NULL, NULL, q1, q2, NULL, NULL, NULL,
-+ Xq1, Xq2, Xq, NULL, NULL))
-+ goto error;
-+
-+ do_bn_print_name(out, "q1", q1);
-+ do_bn_print_name(out, "q2", q2);
-+ do_bn_print_name(out, "q", rsa->q);
-+ do_bn_print_name(out, "n", rsa->n);
-+ do_bn_print_name(out, "d", rsa->d);
-+
-+ ret = 1;
-+
-+ error:
-+ if (q1)
-+ BN_free(q1);
-+ if (q2)
-+ BN_free(q2);
-+
-+ return ret;
-+ }
-+
-+#endif
-diff -up openssl-1.0.1e/crypto/fips/cavs/fips_rsastest.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_rsastest.c
---- openssl-1.0.1e/crypto/fips/cavs/fips_rsastest.c.fips 2013-10-04 11:48:04.181694158 +0200
-+++ openssl-1.0.1e/crypto/fips/cavs/fips_rsastest.c 2013-10-04 11:48:04.181694158 +0200
-@@ -0,0 +1,370 @@
-+/* fips_rsastest.c */
-+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
-+ * project 2005.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ *
-+ * This product includes cryptographic software written by Eric Young
-+ * (eay@cryptsoft.com). This product includes software written by Tim
-+ * Hudson (tjh@cryptsoft.com).
-+ *
-+ */
-+
-+#include <stdio.h>
-+#include <ctype.h>
-+#include <string.h>
-+#include <openssl/bio.h>
-+#include <openssl/evp.h>
-+#include <openssl/hmac.h>
-+#include <openssl/err.h>
-+#include <openssl/rsa.h>
-+#include <openssl/bn.h>
-+#include <openssl/x509v3.h>
-+
-+#ifndef OPENSSL_FIPS
-+
-+int main(int argc, char *argv[])
-+{
-+ printf("No FIPS RSA support\n");
-+ return(0);
-+}
-+
-+#else
-+
-+#include "fips_utl.h"
-+
-+static int rsa_stest(FILE *out, FILE *in, int Saltlen);
-+static int rsa_printsig(FILE *out, RSA *rsa, const EVP_MD *dgst,
-+ unsigned char *Msg, long Msglen, int Saltlen);
-+
-+int main(int argc, char **argv)
-+ {
-+ FILE *in = NULL, *out = NULL;
-+
-+ int ret = 1, Saltlen = -1;
-+
-+ if(!FIPS_mode_set(1))
-+ {
-+ do_print_errors();
-+ goto end;
-+ }
-+
-+ if ((argc > 2) && !strcmp("-saltlen", argv[1]))
-+ {
-+ Saltlen = atoi(argv[2]);
-+ if (Saltlen < 0)
-+ {
-+ fprintf(stderr, "FATAL: Invalid salt length\n");
-+ goto end;
-+ }
-+ argc -= 2;
-+ argv += 2;
-+ }
-+ else if ((argc > 1) && !strcmp("-x931", argv[1]))
-+ {
-+ Saltlen = -2;
-+ argc--;
-+ argv++;
-+ }
-+
-+ if (argc == 1)
-+ in = stdin;
-+ else
-+ in = fopen(argv[1], "r");
-+
-+ if (argc < 2)
-+ out = stdout;
-+ else
-+ out = fopen(argv[2], "w");
-+
-+ if (!in)
-+ {
-+ fprintf(stderr, "FATAL input initialization error\n");
-+ goto end;
-+ }
-+
-+ if (!out)
-+ {
-+ fprintf(stderr, "FATAL output initialization error\n");
-+ goto end;
-+ }
-+
-+ if (!rsa_stest(out, in, Saltlen))
-+ {
-+ fprintf(stderr, "FATAL RSASTEST file processing error\n");
-+ goto end;
-+ }
-+ else
-+ ret = 0;
-+
-+ end:
-+
-+ if (ret)
-+ do_print_errors();
-+
-+ if (in && (in != stdin))
-+ fclose(in);
-+ if (out && (out != stdout))
-+ fclose(out);
-+
-+ return ret;
-+
-+ }
-+
-+#define RSA_TEST_MAXLINELEN 10240
-+
-+int rsa_stest(FILE *out, FILE *in, int Saltlen)
-+ {
-+ char *linebuf, *olinebuf, *p, *q;
-+ char *keyword, *value;
-+ RSA *rsa = NULL;
-+ const EVP_MD *dgst = NULL;
-+ unsigned char *Msg = NULL;
-+ long Msglen = -1;
-+ int keylen = -1, current_keylen = -1;
-+ int ret = 0;
-+ int lnum = 0;
-+
-+ olinebuf = OPENSSL_malloc(RSA_TEST_MAXLINELEN);
-+ linebuf = OPENSSL_malloc(RSA_TEST_MAXLINELEN);
-+
-+ if (!linebuf || !olinebuf)
-+ goto error;
-+
-+ while (fgets(olinebuf, RSA_TEST_MAXLINELEN, in))
-+ {
-+ lnum++;
-+ strcpy(linebuf, olinebuf);
-+ keyword = linebuf;
-+ /* Skip leading space */
-+ while (isspace((unsigned char)*keyword))
-+ keyword++;
-+
-+ /* Look for = sign */
-+ p = strchr(linebuf, '=');
-+
-+ /* If no = just copy */
-+ if (!p)
-+ {
-+ if (fputs(olinebuf, out) < 0)
-+ goto error;
-+ continue;
-+ }
-+
-+ q = p - 1;
-+
-+ /* Remove trailing space */
-+ while (isspace((unsigned char)*q))
-+ *q-- = 0;
-+
-+ *p = 0;
-+ value = p + 1;
-+
-+ /* Remove leading space from value */
-+ while (isspace((unsigned char)*value))
-+ value++;
-+
-+ /* Remove trailing space from value */
-+ p = value + strlen(value) - 1;
-+
-+ while (*p == '\n' || isspace((unsigned char)*p))
-+ *p-- = 0;
-+
-+ /* Look for [mod = XXX] for key length */
-+
-+ if (!strcmp(keyword, "[mod"))
-+ {
-+ p = value + strlen(value) - 1;
-+ if (*p != ']')
-+ goto parse_error;
-+ *p = 0;
-+ keylen = atoi(value);
-+ if (keylen < 0)
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "SHAAlg"))
-+ {
-+ if (!strcmp(value, "SHA1"))
-+ dgst = EVP_sha1();
-+ else if (!strcmp(value, "SHA224"))
-+ dgst = EVP_sha224();
-+ else if (!strcmp(value, "SHA256"))
-+ dgst = EVP_sha256();
-+ else if (!strcmp(value, "SHA384"))
-+ dgst = EVP_sha384();
-+ else if (!strcmp(value, "SHA512"))
-+ dgst = EVP_sha512();
-+ else
-+ {
-+ fprintf(stderr,
-+ "FATAL: unsupported algorithm \"%s\"\n",
-+ value);
-+ goto parse_error;
-+ }
-+ }
-+ else if (!strcmp(keyword, "Msg"))
-+ {
-+ if (Msg)
-+ goto parse_error;
-+ if (strlen(value) & 1)
-+ *(--value) = '0';
-+ Msg = hex2bin_m(value, &Msglen);
-+ if (!Msg)
-+ goto parse_error;
-+ }
-+
-+ fputs(olinebuf, out);
-+
-+ /* If key length has changed, generate and output public
-+ * key components of new RSA private key.
-+ */
-+
-+ if (keylen != current_keylen)
-+ {
-+ BIGNUM *bn_e;
-+ if (rsa)
-+ FIPS_rsa_free(rsa);
-+ rsa = FIPS_rsa_new();
-+ if (!rsa)
-+ goto error;
-+ bn_e = BN_new();
-+ if (!bn_e || !BN_set_word(bn_e, 0x1001))
-+ goto error;
-+ if (!RSA_X931_generate_key_ex(rsa, keylen, bn_e, NULL))
-+ goto error;
-+ BN_free(bn_e);
-+ fputs("n = ", out);
-+ do_bn_print(out, rsa->n);
-+ fputs("\ne = ", out);
-+ do_bn_print(out, rsa->e);
-+ fputs("\n", out);
-+ current_keylen = keylen;
-+ }
-+
-+ if (Msg && dgst)
-+ {
-+ if (!rsa_printsig(out, rsa, dgst, Msg, Msglen,
-+ Saltlen))
-+ goto error;
-+ OPENSSL_free(Msg);
-+ Msg = NULL;
-+ }
-+
-+ }
-+
-+ ret = 1;
-+
-+ error:
-+
-+ if (olinebuf)
-+ OPENSSL_free(olinebuf);
-+ if (linebuf)
-+ OPENSSL_free(linebuf);
-+ if (rsa)
-+ FIPS_rsa_free(rsa);
-+
-+ return ret;
-+
-+ parse_error:
-+
-+ fprintf(stderr, "FATAL parse error processing line %d\n", lnum);
-+
-+ goto error;
-+
-+ }
-+
-+static int rsa_printsig(FILE *out, RSA *rsa, const EVP_MD *dgst,
-+ unsigned char *Msg, long Msglen, int Saltlen)
-+ {
-+ int ret = 0;
-+ unsigned char *sigbuf = NULL;
-+ int i, siglen;
-+ /* EVP_PKEY structure */
-+ EVP_PKEY pk;
-+ EVP_MD_CTX ctx;
-+ pk.type = EVP_PKEY_RSA;
-+ pk.pkey.rsa = rsa;
-+
-+ siglen = RSA_size(rsa);
-+ sigbuf = OPENSSL_malloc(siglen);
-+ if (!sigbuf)
-+ goto error;
-+
-+ EVP_MD_CTX_init(&ctx);
-+
-+ if (Saltlen >= 0)
-+ {
-+ M_EVP_MD_CTX_set_flags(&ctx,
-+ EVP_MD_CTX_FLAG_PAD_PSS | (Saltlen << 16));
-+ }
-+ else if (Saltlen == -2)
-+ M_EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_PAD_X931);
-+ if (!EVP_SignInit_ex(&ctx, dgst, NULL))
-+ goto error;
-+ if (!EVP_SignUpdate(&ctx, Msg, Msglen))
-+ goto error;
-+ if (!EVP_SignFinal(&ctx, sigbuf, (unsigned int *)&siglen, &pk))
-+ goto error;
-+
-+ EVP_MD_CTX_cleanup(&ctx);
-+
-+ fputs("S = ", out);
-+
-+ for (i = 0; i < siglen; i++)
-+ fprintf(out, "%02X", sigbuf[i]);
-+
-+ fputs("\n", out);
-+
-+ ret = 1;
-+
-+ error:
-+
-+ return ret;
-+ }
-+#endif
-diff -up openssl-1.0.1e/crypto/fips/cavs/fips_rsavtest.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_rsavtest.c
---- openssl-1.0.1e/crypto/fips/cavs/fips_rsavtest.c.fips 2013-10-04 11:48:04.181694158 +0200
-+++ openssl-1.0.1e/crypto/fips/cavs/fips_rsavtest.c 2013-10-04 11:48:04.181694158 +0200
-@@ -0,0 +1,377 @@
-+/* fips_rsavtest.c */
-+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
-+ * project 2005.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ *
-+ * This product includes cryptographic software written by Eric Young
-+ * (eay@cryptsoft.com). This product includes software written by Tim
-+ * Hudson (tjh@cryptsoft.com).
-+ *
-+ */
-+
-+#include <stdio.h>
-+#include <ctype.h>
-+#include <string.h>
-+#include <openssl/bio.h>
-+#include <openssl/evp.h>
-+#include <openssl/hmac.h>
-+#include <openssl/err.h>
-+#include <openssl/x509v3.h>
-+#include <openssl/bn.h>
-+#include <openssl/rsa.h>
-+
-+#ifndef OPENSSL_FIPS
-+
-+int main(int argc, char *argv[])
-+{
-+ printf("No FIPS RSA support\n");
-+ return(0);
-+}
-+
-+#else
-+
-+#include "fips_utl.h"
-+
-+int rsa_test(FILE *out, FILE *in, int saltlen);
-+static int rsa_printver(FILE *out,
-+ BIGNUM *n, BIGNUM *e,
-+ const EVP_MD *dgst,
-+ unsigned char *Msg, long Msglen,
-+ unsigned char *S, long Slen, int Saltlen);
-+
-+int main(int argc, char **argv)
-+ {
-+ FILE *in = NULL, *out = NULL;
-+
-+ int ret = 1;
-+ int Saltlen = -1;
-+
-+ if(!FIPS_mode_set(1))
-+ {
-+ do_print_errors();
-+ goto end;
-+ }
-+
-+ if ((argc > 2) && !strcmp("-saltlen", argv[1]))
-+ {
-+ Saltlen = atoi(argv[2]);
-+ if (Saltlen < 0)
-+ {
-+ fprintf(stderr, "FATAL: Invalid salt length\n");
-+ goto end;
-+ }
-+ argc -= 2;
-+ argv += 2;
-+ }
-+ else if ((argc > 1) && !strcmp("-x931", argv[1]))
-+ {
-+ Saltlen = -2;
-+ argc--;
-+ argv++;
-+ }
-+
-+ if (argc == 1)
-+ in = stdin;
-+ else
-+ in = fopen(argv[1], "r");
-+
-+ if (argc < 2)
-+ out = stdout;
-+ else
-+ out = fopen(argv[2], "w");
-+
-+ if (!in)
-+ {
-+ fprintf(stderr, "FATAL input initialization error\n");
-+ goto end;
-+ }
-+
-+ if (!out)
-+ {
-+ fprintf(stderr, "FATAL output initialization error\n");
-+ goto end;
-+ }
-+
-+ if (!rsa_test(out, in, Saltlen))
-+ {
-+ fprintf(stderr, "FATAL RSAVTEST file processing error\n");
-+ goto end;
-+ }
-+ else
-+ ret = 0;
-+
-+ end:
-+
-+ if (ret)
-+ do_print_errors();
-+
-+ if (in && (in != stdin))
-+ fclose(in);
-+ if (out && (out != stdout))
-+ fclose(out);
-+
-+ return ret;
-+
-+ }
-+
-+#define RSA_TEST_MAXLINELEN 10240
-+
-+int rsa_test(FILE *out, FILE *in, int Saltlen)
-+ {
-+ char *linebuf, *olinebuf, *p, *q;
-+ char *keyword, *value;
-+ const EVP_MD *dgst = NULL;
-+ BIGNUM *n = NULL, *e = NULL;
-+ unsigned char *Msg = NULL, *S = NULL;
-+ long Msglen, Slen;
-+ int ret = 0;
-+ int lnum = 0;
-+
-+ olinebuf = OPENSSL_malloc(RSA_TEST_MAXLINELEN);
-+ linebuf = OPENSSL_malloc(RSA_TEST_MAXLINELEN);
-+
-+ if (!linebuf || !olinebuf)
-+ goto error;
-+
-+ while (fgets(olinebuf, RSA_TEST_MAXLINELEN, in))
-+ {
-+ lnum++;
-+ strcpy(linebuf, olinebuf);
-+ keyword = linebuf;
-+ /* Skip leading space */
-+ while (isspace((unsigned char)*keyword))
-+ keyword++;
-+
-+ /* Look for = sign */
-+ p = strchr(linebuf, '=');
-+
-+ /* If no = or starts with [ (for [foo = bar] line) just copy */
-+ if (!p || *keyword=='[')
-+ {
-+ if (fputs(olinebuf, out) < 0)
-+ goto error;
-+ continue;
-+ }
-+
-+ q = p - 1;
-+
-+ /* Remove trailing space */
-+ while (isspace((unsigned char)*q))
-+ *q-- = 0;
-+
-+ *p = 0;
-+ value = p + 1;
-+
-+ /* Remove leading space from value */
-+ while (isspace((unsigned char)*value))
-+ value++;
-+
-+ /* Remove trailing space from value */
-+ p = value + strlen(value) - 1;
-+
-+ while (*p == '\n' || isspace((unsigned char)*p))
-+ *p-- = 0;
-+
-+ if (!strcmp(keyword, "n"))
-+ {
-+ if (!do_hex2bn(&n,value))
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "e"))
-+ {
-+ if (!do_hex2bn(&e,value))
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "SHAAlg"))
-+ {
-+ if (!strcmp(value, "SHA1"))
-+ dgst = EVP_sha1();
-+ else if (!strcmp(value, "SHA224"))
-+ dgst = EVP_sha224();
-+ else if (!strcmp(value, "SHA256"))
-+ dgst = EVP_sha256();
-+ else if (!strcmp(value, "SHA384"))
-+ dgst = EVP_sha384();
-+ else if (!strcmp(value, "SHA512"))
-+ dgst = EVP_sha512();
-+ else
-+ {
-+ fprintf(stderr,
-+ "FATAL: unsupported algorithm \"%s\"\n",
-+ value);
-+ goto parse_error;
-+ }
-+ }
-+ else if (!strcmp(keyword, "Msg"))
-+ {
-+ if (Msg)
-+ goto parse_error;
-+ if (strlen(value) & 1)
-+ *(--value) = '0';
-+ Msg = hex2bin_m(value, &Msglen);
-+ if (!Msg)
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "S"))
-+ {
-+ if (S)
-+ goto parse_error;
-+ if (strlen(value) & 1)
-+ *(--value) = '0';
-+ S = hex2bin_m(value, &Slen);
-+ if (!S)
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "Result"))
-+ continue;
-+ else
-+ goto parse_error;
-+
-+ fputs(olinebuf, out);
-+
-+ if (n && e && Msg && S && dgst)
-+ {
-+ if (!rsa_printver(out, n, e, dgst,
-+ Msg, Msglen, S, Slen, Saltlen))
-+ goto error;
-+ OPENSSL_free(Msg);
-+ Msg = NULL;
-+ OPENSSL_free(S);
-+ S = NULL;
-+ }
-+
-+ }
-+
-+
-+ ret = 1;
-+
-+
-+ error:
-+
-+ if (olinebuf)
-+ OPENSSL_free(olinebuf);
-+ if (linebuf)
-+ OPENSSL_free(linebuf);
-+ if (n)
-+ BN_free(n);
-+ if (e)
-+ BN_free(e);
-+
-+ return ret;
-+
-+ parse_error:
-+
-+ fprintf(stderr, "FATAL parse error processing line %d\n", lnum);
-+
-+ goto error;
-+
-+ }
-+
-+static int rsa_printver(FILE *out,
-+ BIGNUM *n, BIGNUM *e,
-+ const EVP_MD *dgst,
-+ unsigned char *Msg, long Msglen,
-+ unsigned char *S, long Slen, int Saltlen)
-+ {
-+ int ret = 0, r;
-+ /* Setup RSA and EVP_PKEY structures */
-+ RSA *rsa_pubkey = NULL;
-+ EVP_PKEY pk;
-+ EVP_MD_CTX ctx;
-+ unsigned char *buf = NULL;
-+ rsa_pubkey = FIPS_rsa_new();
-+ if (!rsa_pubkey)
-+ goto error;
-+ rsa_pubkey->n = BN_dup(n);
-+ rsa_pubkey->e = BN_dup(e);
-+ if (!rsa_pubkey->n || !rsa_pubkey->e)
-+ goto error;
-+ pk.type = EVP_PKEY_RSA;
-+ pk.pkey.rsa = rsa_pubkey;
-+
-+ EVP_MD_CTX_init(&ctx);
-+
-+ if (Saltlen >= 0)
-+ {
-+ M_EVP_MD_CTX_set_flags(&ctx,
-+ EVP_MD_CTX_FLAG_PAD_PSS | (Saltlen << 16));
-+ }
-+ else if (Saltlen == -2)
-+ M_EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_PAD_X931);
-+ if (!EVP_VerifyInit_ex(&ctx, dgst, NULL))
-+ goto error;
-+ if (!EVP_VerifyUpdate(&ctx, Msg, Msglen))
-+ goto error;
-+
-+ r = EVP_VerifyFinal(&ctx, S, Slen, &pk);
-+
-+
-+ EVP_MD_CTX_cleanup(&ctx);
-+
-+ if (r < 0)
-+ goto error;
-+ ERR_clear_error();
-+
-+ if (r == 0)
-+ fputs("Result = F\n", out);
-+ else
-+ fputs("Result = P\n", out);
-+
-+ ret = 1;
-+
-+ error:
-+ if (rsa_pubkey)
-+ FIPS_rsa_free(rsa_pubkey);
-+ if (buf)
-+ OPENSSL_free(buf);
-+
-+ return ret;
-+ }
-+#endif
-diff -up openssl-1.0.1e/crypto/fips/cavs/fips_shatest.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_shatest.c
---- openssl-1.0.1e/crypto/fips/cavs/fips_shatest.c.fips 2013-10-04 11:48:04.182694181 +0200
-+++ openssl-1.0.1e/crypto/fips/cavs/fips_shatest.c 2013-10-04 11:48:04.182694181 +0200
-@@ -0,0 +1,388 @@
-+/* fips_shatest.c */
-+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
-+ * project 2005.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ *
-+ * This product includes cryptographic software written by Eric Young
-+ * (eay@cryptsoft.com). This product includes software written by Tim
-+ * Hudson (tjh@cryptsoft.com).
-+ *
-+ */
-+
-+#include <stdio.h>
-+#include <ctype.h>
-+#include <string.h>
-+#include <openssl/bio.h>
-+#include <openssl/evp.h>
-+#include <openssl/err.h>
-+#include <openssl/bn.h>
-+#include <openssl/x509v3.h>
-+
-+#ifndef OPENSSL_FIPS
-+
-+int main(int argc, char *argv[])
-+{
-+ printf("No FIPS SHAXXX support\n");
-+ return(0);
-+}
-+
-+#else
-+
-+#include "fips_utl.h"
-+
-+static int dgst_test(FILE *out, FILE *in);
-+static int print_dgst(const EVP_MD *md, FILE *out,
-+ unsigned char *Msg, int Msglen);
-+static int print_monte(const EVP_MD *md, FILE *out,
-+ unsigned char *Seed, int SeedLen);
-+
-+int main(int argc, char **argv)
-+ {
-+ FILE *in = NULL, *out = NULL;
-+
-+ int ret = 1;
-+
-+ if(!FIPS_mode_set(1))
-+ {
-+ do_print_errors();
-+ goto end;
-+ }
-+
-+ if (argc == 1)
-+ in = stdin;
-+ else
-+ in = fopen(argv[1], "r");
-+
-+ if (argc < 2)
-+ out = stdout;
-+ else
-+ out = fopen(argv[2], "w");
-+
-+ if (!in)
-+ {
-+ fprintf(stderr, "FATAL input initialization error\n");
-+ goto end;
-+ }
-+
-+ if (!out)
-+ {
-+ fprintf(stderr, "FATAL output initialization error\n");
-+ goto end;
-+ }
-+
-+ if (!dgst_test(out, in))
-+ {
-+ fprintf(stderr, "FATAL digest file processing error\n");
-+ goto end;
-+ }
-+ else
-+ ret = 0;
-+
-+ end:
-+
-+ if (ret)
-+ do_print_errors();
-+
-+ if (in && (in != stdin))
-+ fclose(in);
-+ if (out && (out != stdout))
-+ fclose(out);
-+
-+ return ret;
-+
-+ }
-+
-+#define SHA_TEST_MAX_BITS 102400
-+#define SHA_TEST_MAXLINELEN (((SHA_TEST_MAX_BITS >> 3) * 2) + 100)
-+
-+int dgst_test(FILE *out, FILE *in)
-+ {
-+ const EVP_MD *md = NULL;
-+ char *linebuf, *olinebuf, *p, *q;
-+ char *keyword, *value;
-+ unsigned char *Msg = NULL, *Seed = NULL;
-+ long MsgLen = -1, Len = -1, SeedLen = -1;
-+ int ret = 0;
-+ int lnum = 0;
-+
-+ olinebuf = OPENSSL_malloc(SHA_TEST_MAXLINELEN);
-+ linebuf = OPENSSL_malloc(SHA_TEST_MAXLINELEN);
-+
-+ if (!linebuf || !olinebuf)
-+ goto error;
-+
-+
-+ while (fgets(olinebuf, SHA_TEST_MAXLINELEN, in))
-+ {
-+ lnum++;
-+ strcpy(linebuf, olinebuf);
-+ keyword = linebuf;
-+ /* Skip leading space */
-+ while (isspace((unsigned char)*keyword))
-+ keyword++;
-+
-+ /* Look for = sign */
-+ p = strchr(linebuf, '=');
-+
-+ /* If no = or starts with [ (for [L=20] line) just copy */
-+ if (!p)
-+ {
-+ fputs(olinebuf, out);
-+ continue;
-+ }
-+
-+ q = p - 1;
-+
-+ /* Remove trailing space */
-+ while (isspace((unsigned char)*q))
-+ *q-- = 0;
-+
-+ *p = 0;
-+ value = p + 1;
-+
-+ /* Remove leading space from value */
-+ while (isspace((unsigned char)*value))
-+ value++;
-+
-+ /* Remove trailing space from value */
-+ p = value + strlen(value) - 1;
-+ while (*p == '\n' || isspace((unsigned char)*p))
-+ *p-- = 0;
-+
-+ if (!strcmp(keyword,"[L") && *p==']')
-+ {
-+ switch (atoi(value))
-+ {
-+ case 20: md=EVP_sha1(); break;
-+ case 28: md=EVP_sha224(); break;
-+ case 32: md=EVP_sha256(); break;
-+ case 48: md=EVP_sha384(); break;
-+ case 64: md=EVP_sha512(); break;
-+ default: goto parse_error;
-+ }
-+ }
-+ else if (!strcmp(keyword, "Len"))
-+ {
-+ if (Len != -1)
-+ goto parse_error;
-+ Len = atoi(value);
-+ if (Len < 0)
-+ goto parse_error;
-+ /* Only handle multiples of 8 bits */
-+ if (Len & 0x7)
-+ goto parse_error;
-+ if (Len > SHA_TEST_MAX_BITS)
-+ goto parse_error;
-+ MsgLen = Len >> 3;
-+ }
-+
-+ else if (!strcmp(keyword, "Msg"))
-+ {
-+ long tmplen;
-+ if (strlen(value) & 1)
-+ *(--value) = '0';
-+ if (Msg)
-+ goto parse_error;
-+ Msg = hex2bin_m(value, &tmplen);
-+ if (!Msg)
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "Seed"))
-+ {
-+ if (strlen(value) & 1)
-+ *(--value) = '0';
-+ if (Seed)
-+ goto parse_error;
-+ Seed = hex2bin_m(value, &SeedLen);
-+ if (!Seed)
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "MD"))
-+ continue;
-+ else
-+ goto parse_error;
-+
-+ fputs(olinebuf, out);
-+
-+ if (md && Msg && (MsgLen >= 0))
-+ {
-+ if (!print_dgst(md, out, Msg, MsgLen))
-+ goto error;
-+ OPENSSL_free(Msg);
-+ Msg = NULL;
-+ MsgLen = -1;
-+ Len = -1;
-+ }
-+ else if (md && Seed && (SeedLen > 0))
-+ {
-+ if (!print_monte(md, out, Seed, SeedLen))
-+ goto error;
-+ OPENSSL_free(Seed);
-+ Seed = NULL;
-+ SeedLen = -1;
-+ }
-+
-+
-+ }
-+
-+
-+ ret = 1;
-+
-+
-+ error:
-+
-+ if (olinebuf)
-+ OPENSSL_free(olinebuf);
-+ if (linebuf)
-+ OPENSSL_free(linebuf);
-+ if (Msg)
-+ OPENSSL_free(Msg);
-+ if (Seed)
-+ OPENSSL_free(Seed);
-+
-+ return ret;
-+
-+ parse_error:
-+
-+ fprintf(stderr, "FATAL parse error processing line %d\n", lnum);
-+
-+ goto error;
-+
-+ }
-+
-+static int print_dgst(const EVP_MD *emd, FILE *out,
-+ unsigned char *Msg, int Msglen)
-+ {
-+ int i, mdlen;
-+ unsigned char md[EVP_MAX_MD_SIZE];
-+ if (!EVP_Digest(Msg, Msglen, md, (unsigned int *)&mdlen, emd, NULL))
-+ {
-+ fputs("Error calculating HASH\n", stderr);
-+ return 0;
-+ }
-+ fputs("MD = ", out);
-+ for (i = 0; i < mdlen; i++)
-+ fprintf(out, "%02x", md[i]);
-+ fputs("\n", out);
-+ return 1;
-+ }
-+
-+static int print_monte(const EVP_MD *md, FILE *out,
-+ unsigned char *Seed, int SeedLen)
-+ {
-+ unsigned int i, j, k;
-+ int ret = 0;
-+ EVP_MD_CTX ctx;
-+ unsigned char *m1, *m2, *m3, *p;
-+ unsigned int mlen, m1len, m2len, m3len;
-+
-+ EVP_MD_CTX_init(&ctx);
-+
-+ if (SeedLen > EVP_MAX_MD_SIZE)
-+ mlen = SeedLen;
-+ else
-+ mlen = EVP_MAX_MD_SIZE;
-+
-+ m1 = OPENSSL_malloc(mlen);
-+ m2 = OPENSSL_malloc(mlen);
-+ m3 = OPENSSL_malloc(mlen);
-+
-+ if (!m1 || !m2 || !m3)
-+ goto mc_error;
-+
-+ m1len = m2len = m3len = SeedLen;
-+ memcpy(m1, Seed, SeedLen);
-+ memcpy(m2, Seed, SeedLen);
-+ memcpy(m3, Seed, SeedLen);
-+
-+ fputs("\n", out);
-+
-+ for (j = 0; j < 100; j++)
-+ {
-+ for (i = 0; i < 1000; i++)
-+ {
-+ EVP_DigestInit_ex(&ctx, md, NULL);
-+ EVP_DigestUpdate(&ctx, m1, m1len);
-+ EVP_DigestUpdate(&ctx, m2, m2len);
-+ EVP_DigestUpdate(&ctx, m3, m3len);
-+ p = m1;
-+ m1 = m2;
-+ m1len = m2len;
-+ m2 = m3;
-+ m2len = m3len;
-+ m3 = p;
-+ EVP_DigestFinal_ex(&ctx, m3, &m3len);
-+ }
-+ fprintf(out, "COUNT = %d\n", j);
-+ fputs("MD = ", out);
-+ for (k = 0; k < m3len; k++)
-+ fprintf(out, "%02x", m3[k]);
-+ fputs("\n\n", out);
-+ memcpy(m1, m3, m3len);
-+ memcpy(m2, m3, m3len);
-+ m1len = m2len = m3len;
-+ }
-+
-+ ret = 1;
-+
-+ mc_error:
-+ if (m1)
-+ OPENSSL_free(m1);
-+ if (m2)
-+ OPENSSL_free(m2);
-+ if (m3)
-+ OPENSSL_free(m3);
-+
-+ EVP_MD_CTX_cleanup(&ctx);
-+
-+ return ret;
-+ }
-+
-+#endif
-diff -up openssl-1.0.1e/crypto/fips/cavs/fips_utl.h.fips openssl-1.0.1e/crypto/fips/cavs/fips_utl.h
---- openssl-1.0.1e/crypto/fips/cavs/fips_utl.h.fips 2013-10-04 11:48:04.182694181 +0200
-+++ openssl-1.0.1e/crypto/fips/cavs/fips_utl.h 2013-10-04 11:48:04.182694181 +0200
-@@ -0,0 +1,343 @@
-+/* ====================================================================
-+ * Copyright (c) 2007 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+void do_print_errors(void)
-+ {
-+ const char *file, *data;
-+ int line, flags;
-+ unsigned long l;
-+ while ((l = ERR_get_error_line_data(&file, &line, &data, &flags)))
-+ {
-+ fprintf(stderr, "ERROR:%lx:lib=%d,func=%d,reason=%d"
-+ ":file=%s:line=%d:%s\n",
-+ l, ERR_GET_LIB(l), ERR_GET_FUNC(l), ERR_GET_REASON(l),
-+ file, line, flags & ERR_TXT_STRING ? data : "");
-+ }
-+ }
-+
-+int hex2bin(const char *in, unsigned char *out)
-+ {
-+ int n1, n2;
-+ unsigned char ch;
-+
-+ for (n1=0,n2=0 ; in[n1] && in[n1] != '\n' ; )
-+ { /* first byte */
-+ if ((in[n1] >= '0') && (in[n1] <= '9'))
-+ ch = in[n1++] - '0';
-+ else if ((in[n1] >= 'A') && (in[n1] <= 'F'))
-+ ch = in[n1++] - 'A' + 10;
-+ else if ((in[n1] >= 'a') && (in[n1] <= 'f'))
-+ ch = in[n1++] - 'a' + 10;
-+ else
-+ return -1;
-+ if(!in[n1])
-+ {
-+ out[n2++]=ch;
-+ break;
-+ }
-+ out[n2] = ch << 4;
-+ /* second byte */
-+ if ((in[n1] >= '0') && (in[n1] <= '9'))
-+ ch = in[n1++] - '0';
-+ else if ((in[n1] >= 'A') && (in[n1] <= 'F'))
-+ ch = in[n1++] - 'A' + 10;
-+ else if ((in[n1] >= 'a') && (in[n1] <= 'f'))
-+ ch = in[n1++] - 'a' + 10;
-+ else
-+ return -1;
-+ out[n2++] |= ch;
-+ }
-+ return n2;
-+ }
-+
-+unsigned char *hex2bin_m(const char *in, long *plen)
-+ {
-+ unsigned char *p;
-+ p = OPENSSL_malloc((strlen(in) + 1)/2);
-+ *plen = hex2bin(in, p);
-+ return p;
-+ }
-+
-+int do_hex2bn(BIGNUM **pr, const char *in)
-+ {
-+ unsigned char *p;
-+ long plen;
-+ int r = 0;
-+ p = hex2bin_m(in, &plen);
-+ if (!p)
-+ return 0;
-+ if (!*pr)
-+ *pr = BN_new();
-+ if (!*pr)
-+ return 0;
-+ if (BN_bin2bn(p, plen, *pr))
-+ r = 1;
-+ OPENSSL_free(p);
-+ return r;
-+ }
-+
-+int do_bn_print(FILE *out, BIGNUM *bn)
-+ {
-+ int len, i;
-+ unsigned char *tmp;
-+ len = BN_num_bytes(bn);
-+ if (len == 0)
-+ {
-+ fputs("00", out);
-+ return 1;
-+ }
-+
-+ tmp = OPENSSL_malloc(len);
-+ if (!tmp)
-+ {
-+ fprintf(stderr, "Memory allocation error\n");
-+ return 0;
-+ }
-+ BN_bn2bin(bn, tmp);
-+ for (i = 0; i < len; i++)
-+ fprintf(out, "%02x", tmp[i]);
-+ OPENSSL_free(tmp);
-+ return 1;
-+ }
-+
-+int do_bn_print_name(FILE *out, const char *name, BIGNUM *bn)
-+ {
-+ int r;
-+ fprintf(out, "%s = ", name);
-+ r = do_bn_print(out, bn);
-+ if (!r)
-+ return 0;
-+ fputs("\n", out);
-+ return 1;
-+ }
-+
-+int parse_line(char **pkw, char **pval, char *linebuf, char *olinebuf)
-+ {
-+ char *keyword, *value, *p, *q;
-+ strcpy(linebuf, olinebuf);
-+ keyword = linebuf;
-+ /* Skip leading space */
-+ while (isspace((unsigned char)*keyword))
-+ keyword++;
-+
-+ /* Look for = sign */
-+ p = strchr(linebuf, '=');
-+
-+ /* If no '=' exit */
-+ if (!p)
-+ return 0;
-+
-+ q = p - 1;
-+
-+ /* Remove trailing space */
-+ while (isspace((unsigned char)*q))
-+ *q-- = 0;
-+
-+ *p = 0;
-+ value = p + 1;
-+
-+ /* Remove leading space from value */
-+ while (isspace((unsigned char)*value))
-+ value++;
-+
-+ /* Remove trailing space from value */
-+ p = value + strlen(value) - 1;
-+
-+ while (*p == '\n' || isspace((unsigned char)*p))
-+ *p-- = 0;
-+
-+ *pkw = keyword;
-+ *pval = value;
-+ return 1;
-+ }
-+
-+BIGNUM *hex2bn(const char *in)
-+ {
-+ BIGNUM *p=NULL;
-+
-+ if (!do_hex2bn(&p, in))
-+ return NULL;
-+
-+ return p;
-+ }
-+
-+int bin2hex(const unsigned char *in,int len,char *out)
-+ {
-+ int n1, n2;
-+ unsigned char ch;
-+
-+ for (n1=0,n2=0 ; n1 < len ; ++n1)
-+ {
-+ ch=in[n1] >> 4;
-+ if (ch <= 0x09)
-+ out[n2++]=ch+'0';
-+ else
-+ out[n2++]=ch-10+'a';
-+ ch=in[n1] & 0x0f;
-+ if(ch <= 0x09)
-+ out[n2++]=ch+'0';
-+ else
-+ out[n2++]=ch-10+'a';
-+ }
-+ out[n2]='\0';
-+ return n2;
-+ }
-+
-+void pv(const char *tag,const unsigned char *val,int len)
-+ {
-+ char obuf[2048];
-+
-+ bin2hex(val,len,obuf);
-+ printf("%s = %s\n",tag,obuf);
-+ }
-+
-+/* To avoid extensive changes to test program at this stage just convert
-+ * the input line into an acceptable form. Keyword lines converted to form
-+ * "keyword = value\n" no matter what white space present, all other lines
-+ * just have leading and trailing space removed.
-+ */
-+
-+int tidy_line(char *linebuf, char *olinebuf)
-+ {
-+ char *keyword, *value, *p, *q;
-+ strcpy(linebuf, olinebuf);
-+ keyword = linebuf;
-+ /* Skip leading space */
-+ while (isspace((unsigned char)*keyword))
-+ keyword++;
-+ /* Look for = sign */
-+ p = strchr(linebuf, '=');
-+
-+ /* If no '=' just chop leading, trailing ws */
-+ if (!p)
-+ {
-+ p = keyword + strlen(keyword) - 1;
-+ while (*p == '\n' || isspace((unsigned char)*p))
-+ *p-- = 0;
-+ strcpy(olinebuf, keyword);
-+ strcat(olinebuf, "\n");
-+ return 1;
-+ }
-+
-+ q = p - 1;
-+
-+ /* Remove trailing space */
-+ while (isspace((unsigned char)*q))
-+ *q-- = 0;
-+
-+ *p = 0;
-+ value = p + 1;
-+
-+ /* Remove leading space from value */
-+ while (isspace((unsigned char)*value))
-+ value++;
-+
-+ /* Remove trailing space from value */
-+ p = value + strlen(value) - 1;
-+
-+ while (*p == '\n' || isspace((unsigned char)*p))
-+ *p-- = 0;
-+
-+ strcpy(olinebuf, keyword);
-+ strcat(olinebuf, " = ");
-+ strcat(olinebuf, value);
-+ strcat(olinebuf, "\n");
-+
-+ return 1;
-+ }
-+
-+/* NB: this return the number of _bits_ read */
-+int bint2bin(const char *in, int len, unsigned char *out)
-+ {
-+ int n;
-+
-+ memset(out,0,len);
-+ for(n=0 ; n < len ; ++n)
-+ if(in[n] == '1')
-+ out[n/8]|=(0x80 >> (n%8));
-+ return len;
-+ }
-+
-+int bin2bint(const unsigned char *in,int len,char *out)
-+ {
-+ int n;
-+
-+ for(n=0 ; n < len ; ++n)
-+ out[n]=(in[n/8]&(0x80 >> (n%8))) ? '1' : '0';
-+ return n;
-+ }
-+
-+/*-----------------------------------------------*/
-+
-+void PrintValue(char *tag, unsigned char *val, int len)
-+{
-+#if VERBOSE
-+ char obuf[2048];
-+ int olen;
-+ olen = bin2hex(val, len, obuf);
-+ printf("%s = %.*s\n", tag, olen, obuf);
-+#endif
-+}
-+
-+void OutputValue(char *tag, unsigned char *val, int len, FILE *rfp,int bitmode)
-+ {
-+ char obuf[2048];
-+ int olen;
-+
-+ if(bitmode)
-+ olen=bin2bint(val,len,obuf);
-+ else
-+ olen=bin2hex(val,len,obuf);
-+
-+ fprintf(rfp, "%s = %.*s\n", tag, olen, obuf);
-+#if VERBOSE
-+ printf("%s = %.*s\n", tag, olen, obuf);
-+#endif
-+ }
-+
-diff -up openssl-1.0.1e/crypto/fips/fips_aes_selftest.c.fips openssl-1.0.1e/crypto/fips/fips_aes_selftest.c
---- openssl-1.0.1e/crypto/fips/fips_aes_selftest.c.fips 2013-10-04 11:48:04.182694181 +0200
-+++ openssl-1.0.1e/crypto/fips/fips_aes_selftest.c 2013-10-04 11:48:04.182694181 +0200
-@@ -0,0 +1,359 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <string.h>
-+#include <openssl/err.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-+#include <openssl/evp.h>
-+
-+#ifdef OPENSSL_FIPS
-+static const struct
-+ {
-+ const unsigned char key[16];
-+ const unsigned char plaintext[16];
-+ const unsigned char ciphertext[16];
-+ } tests[]=
-+ {
-+ {
-+ { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
-+ 0x08,0x09,0x0A,0x0B,0x0C,0x0D,0x0E,0x0F },
-+ { 0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,
-+ 0x88,0x99,0xAA,0xBB,0xCC,0xDD,0xEE,0xFF },
-+ { 0x69,0xC4,0xE0,0xD8,0x6A,0x7B,0x04,0x30,
-+ 0xD8,0xCD,0xB7,0x80,0x70,0xB4,0xC5,0x5A },
-+ },
-+ };
-+
-+static int corrupt_aes;
-+
-+void FIPS_corrupt_aes()
-+ {
-+ corrupt_aes = 1;
-+ }
-+
-+int FIPS_selftest_aes()
-+ {
-+ int n;
-+ int ret = 0;
-+ EVP_CIPHER_CTX ctx;
-+ EVP_CIPHER_CTX_init(&ctx);
-+
-+ for(n=0 ; n < 1 ; ++n)
-+ {
-+ unsigned char key[16];
-+
-+ memcpy(key, tests[n].key, sizeof(key));
-+ if (corrupt_aes)
-+ key[0]++;
-+ if (fips_cipher_test(&ctx, EVP_aes_128_ecb(),
-+ key, NULL,
-+ tests[n].plaintext,
-+ tests[n].ciphertext,
-+ 16) <= 0)
-+ goto err;
-+ }
-+ ret = 1;
-+ err:
-+ EVP_CIPHER_CTX_cleanup(&ctx);
-+ if (ret == 0)
-+ FIPSerr(FIPS_F_FIPS_SELFTEST_AES,FIPS_R_SELFTEST_FAILED);
-+ return ret;
-+ }
-+
-+/* AES-CCM test data from NIST public test vectors */
-+
-+static const unsigned char ccm_key[] = {
-+ 0xce,0xb0,0x09,0xae,0xa4,0x45,0x44,0x51,0xfe,0xad,0xf0,0xe6,
-+ 0xb3,0x6f,0x45,0x55,0x5d,0xd0,0x47,0x23,0xba,0xa4,0x48,0xe8
-+};
-+static const unsigned char ccm_nonce[] = {
-+ 0x76,0x40,0x43,0xc4,0x94,0x60,0xb7
-+};
-+static const unsigned char ccm_adata[] = {
-+ 0x6e,0x80,0xdd,0x7f,0x1b,0xad,0xf3,0xa1,0xc9,0xab,0x25,0xc7,
-+ 0x5f,0x10,0xbd,0xe7,0x8c,0x23,0xfa,0x0e,0xb8,0xf9,0xaa,0xa5,
-+ 0x3a,0xde,0xfb,0xf4,0xcb,0xf7,0x8f,0xe4
-+};
-+static const unsigned char ccm_pt[] = {
-+ 0xc8,0xd2,0x75,0xf9,0x19,0xe1,0x7d,0x7f,0xe6,0x9c,0x2a,0x1f,
-+ 0x58,0x93,0x9d,0xfe,0x4d,0x40,0x37,0x91,0xb5,0xdf,0x13,0x10
-+};
-+static const unsigned char ccm_ct[] = {
-+ 0x8a,0x0f,0x3d,0x82,0x29,0xe4,0x8e,0x74,0x87,0xfd,0x95,0xa2,
-+ 0x8a,0xd3,0x92,0xc8,0x0b,0x36,0x81,0xd4,0xfb,0xc7,0xbb,0xfd
-+};
-+static const unsigned char ccm_tag[] = {
-+ 0x2d,0xd6,0xef,0x1c,0x45,0xd4,0xcc,0xb7,0x23,0xdc,0x07,0x44,
-+ 0x14,0xdb,0x50,0x6d
-+};
-+
-+int FIPS_selftest_aes_ccm(void)
-+ {
-+ int ret = 0;
-+ unsigned char out[128], tag[16];
-+ EVP_CIPHER_CTX ctx;
-+ EVP_CIPHER_CTX_init(&ctx);
-+ memset(out, 0, sizeof(out));
-+ if (!EVP_CipherInit_ex(&ctx, EVP_aes_192_ccm(),NULL, NULL, NULL, 1))
-+ goto err;
-+ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_CCM_SET_IVLEN,
-+ sizeof(ccm_nonce), NULL))
-+ goto err;
-+ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_CCM_SET_TAG,
-+ sizeof(ccm_tag), NULL))
-+ goto err;
-+ if (!EVP_CipherInit_ex(&ctx, NULL, NULL, ccm_key, ccm_nonce, 1))
-+ goto err;
-+ if (EVP_Cipher(&ctx, NULL, NULL, sizeof(ccm_pt)) != sizeof(ccm_pt))
-+ goto err;
-+ if (EVP_Cipher(&ctx, NULL, ccm_adata, sizeof(ccm_adata)) < 0)
-+ goto err;
-+ if (EVP_Cipher(&ctx, out, ccm_pt, sizeof(ccm_pt)) != sizeof(ccm_ct))
-+ goto err;
-+
-+ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_CCM_GET_TAG, 16, tag))
-+ goto err;
-+ if (memcmp(tag, ccm_tag, sizeof(ccm_tag))
-+ || memcmp(out, ccm_ct, sizeof(ccm_ct)))
-+ goto err;
-+
-+ memset(out, 0, sizeof(out));
-+
-+ if (!EVP_CipherInit_ex(&ctx, EVP_aes_192_ccm(), NULL, NULL, NULL, 0))
-+ goto err;
-+ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_CCM_SET_IVLEN,
-+ sizeof(ccm_nonce), NULL))
-+ goto err;
-+ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_CCM_SET_TAG, 16, tag))
-+ goto err;
-+ if (!EVP_CipherInit_ex(&ctx, NULL, NULL, ccm_key, ccm_nonce, 0))
-+ goto err;
-+ if (EVP_Cipher(&ctx, NULL, NULL, sizeof(ccm_ct)) != sizeof(ccm_ct))
-+ goto err;
-+ if (EVP_Cipher(&ctx, NULL, ccm_adata, sizeof(ccm_adata)) < 0)
-+ goto err;
-+ if (EVP_Cipher(&ctx, out, ccm_ct, sizeof(ccm_ct)) != sizeof(ccm_pt))
-+ goto err;
-+
-+ if (memcmp(out, ccm_pt, sizeof(ccm_pt)))
-+ goto err;
-+
-+ ret = 1;
-+
-+ err:
-+ EVP_CIPHER_CTX_cleanup(&ctx);
-+
-+ if (ret == 0)
-+ {
-+ FIPSerr(FIPS_F_FIPS_SELFTEST_AES_CCM,FIPS_R_SELFTEST_FAILED);
-+ return 0;
-+ }
-+ else
-+ return ret;
-+
-+ }
-+
-+/* AES-GCM test data from NIST public test vectors */
-+
-+static const unsigned char gcm_key[] = {
-+ 0xee,0xbc,0x1f,0x57,0x48,0x7f,0x51,0x92,0x1c,0x04,0x65,0x66,
-+ 0x5f,0x8a,0xe6,0xd1,0x65,0x8b,0xb2,0x6d,0xe6,0xf8,0xa0,0x69,
-+ 0xa3,0x52,0x02,0x93,0xa5,0x72,0x07,0x8f
-+};
-+static const unsigned char gcm_iv[] = {
-+ 0x99,0xaa,0x3e,0x68,0xed,0x81,0x73,0xa0,0xee,0xd0,0x66,0x84
-+};
-+static const unsigned char gcm_pt[] = {
-+ 0xf5,0x6e,0x87,0x05,0x5b,0xc3,0x2d,0x0e,0xeb,0x31,0xb2,0xea,
-+ 0xcc,0x2b,0xf2,0xa5
-+};
-+static const unsigned char gcm_aad[] = {
-+ 0x4d,0x23,0xc3,0xce,0xc3,0x34,0xb4,0x9b,0xdb,0x37,0x0c,0x43,
-+ 0x7f,0xec,0x78,0xde
-+};
-+static const unsigned char gcm_ct[] = {
-+ 0xf7,0x26,0x44,0x13,0xa8,0x4c,0x0e,0x7c,0xd5,0x36,0x86,0x7e,
-+ 0xb9,0xf2,0x17,0x36
-+};
-+static const unsigned char gcm_tag[] = {
-+ 0x67,0xba,0x05,0x10,0x26,0x2a,0xe4,0x87,0xd7,0x37,0xee,0x62,
-+ 0x98,0xf7,0x7e,0x0c
-+};
-+
-+int FIPS_selftest_aes_gcm(void)
-+ {
-+ int ret = 0;
-+ unsigned char out[128], tag[16];
-+ EVP_CIPHER_CTX ctx;
-+ EVP_CIPHER_CTX_init(&ctx);
-+ memset(out, 0, sizeof(out));
-+ memset(tag, 0, sizeof(tag));
-+ if (!EVP_CipherInit_ex(&ctx, EVP_aes_256_gcm(), NULL, NULL, NULL, 1))
-+ goto err;
-+ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN,
-+ sizeof(gcm_iv), NULL))
-+ goto err;
-+ if (!EVP_CipherInit_ex(&ctx, NULL, NULL, gcm_key, gcm_iv, 1))
-+ goto err;
-+ if (EVP_Cipher(&ctx, NULL, gcm_aad, sizeof(gcm_aad)) < 0)
-+ goto err;
-+ if (EVP_Cipher(&ctx, out, gcm_pt, sizeof(gcm_pt)) != sizeof(gcm_ct))
-+ goto err;
-+ if (EVP_Cipher(&ctx, NULL, NULL, 0) < 0)
-+ goto err;
-+
-+ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG, 16, tag))
-+ goto err;
-+
-+ if (memcmp(tag, gcm_tag, 16) || memcmp(out, gcm_ct, 16))
-+ goto err;
-+
-+ memset(out, 0, sizeof(out));
-+
-+ if (!EVP_CipherInit_ex(&ctx, EVP_aes_256_gcm(), NULL, NULL, NULL, 0))
-+ goto err;
-+ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN,
-+ sizeof(gcm_iv), NULL))
-+ goto err;
-+ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_TAG, 16, tag))
-+ goto err;
-+ if (!EVP_CipherInit_ex(&ctx, NULL, NULL, gcm_key, gcm_iv, 0))
-+ goto err;
-+ if (EVP_Cipher(&ctx, NULL, gcm_aad, sizeof(gcm_aad)) < 0)
-+ goto err;
-+ if (EVP_Cipher(&ctx, out, gcm_ct, sizeof(gcm_ct)) != sizeof(gcm_pt))
-+ goto err;
-+ if (EVP_Cipher(&ctx, NULL, NULL, 0) < 0)
-+ goto err;
-+
-+ if (memcmp(out, gcm_pt, 16))
-+ goto err;
-+
-+ ret = 1;
-+
-+ err:
-+ EVP_CIPHER_CTX_cleanup(&ctx);
-+
-+ if (ret == 0)
-+ {
-+ FIPSerr(FIPS_F_FIPS_SELFTEST_AES_GCM,FIPS_R_SELFTEST_FAILED);
-+ return 0;
-+ }
-+ else
-+ return ret;
-+
-+ }
-+
-+
-+static const unsigned char XTS_128_key[] = {
-+ 0xa1,0xb9,0x0c,0xba,0x3f,0x06,0xac,0x35,0x3b,0x2c,0x34,0x38,
-+ 0x76,0x08,0x17,0x62,0x09,0x09,0x23,0x02,0x6e,0x91,0x77,0x18,
-+ 0x15,0xf2,0x9d,0xab,0x01,0x93,0x2f,0x2f
-+};
-+static const unsigned char XTS_128_i[] = {
-+ 0x4f,0xae,0xf7,0x11,0x7c,0xda,0x59,0xc6,0x6e,0x4b,0x92,0x01,
-+ 0x3e,0x76,0x8a,0xd5
-+};
-+static const unsigned char XTS_128_pt[] = {
-+ 0xeb,0xab,0xce,0x95,0xb1,0x4d,0x3c,0x8d,0x6f,0xb3,0x50,0x39,
-+ 0x07,0x90,0x31,0x1c
-+};
-+static const unsigned char XTS_128_ct[] = {
-+ 0x77,0x8a,0xe8,0xb4,0x3c,0xb9,0x8d,0x5a,0x82,0x50,0x81,0xd5,
-+ 0xbe,0x47,0x1c,0x63
-+};
-+
-+static const unsigned char XTS_256_key[] = {
-+ 0x1e,0xa6,0x61,0xc5,0x8d,0x94,0x3a,0x0e,0x48,0x01,0xe4,0x2f,
-+ 0x4b,0x09,0x47,0x14,0x9e,0x7f,0x9f,0x8e,0x3e,0x68,0xd0,0xc7,
-+ 0x50,0x52,0x10,0xbd,0x31,0x1a,0x0e,0x7c,0xd6,0xe1,0x3f,0xfd,
-+ 0xf2,0x41,0x8d,0x8d,0x19,0x11,0xc0,0x04,0xcd,0xa5,0x8d,0xa3,
-+ 0xd6,0x19,0xb7,0xe2,0xb9,0x14,0x1e,0x58,0x31,0x8e,0xea,0x39,
-+ 0x2c,0xf4,0x1b,0x08
-+};
-+static const unsigned char XTS_256_i[] = {
-+ 0xad,0xf8,0xd9,0x26,0x27,0x46,0x4a,0xd2,0xf0,0x42,0x8e,0x84,
-+ 0xa9,0xf8,0x75,0x64
-+};
-+static const unsigned char XTS_256_pt[] = {
-+ 0x2e,0xed,0xea,0x52,0xcd,0x82,0x15,0xe1,0xac,0xc6,0x47,0xe8,
-+ 0x10,0xbb,0xc3,0x64,0x2e,0x87,0x28,0x7f,0x8d,0x2e,0x57,0xe3,
-+ 0x6c,0x0a,0x24,0xfb,0xc1,0x2a,0x20,0x2e
-+};
-+static const unsigned char XTS_256_ct[] = {
-+ 0xcb,0xaa,0xd0,0xe2,0xf6,0xce,0xa3,0xf5,0x0b,0x37,0xf9,0x34,
-+ 0xd4,0x6a,0x9b,0x13,0x0b,0x9d,0x54,0xf0,0x7e,0x34,0xf3,0x6a,
-+ 0xf7,0x93,0xe8,0x6f,0x73,0xc6,0xd7,0xdb
-+};
-+
-+int FIPS_selftest_aes_xts()
-+ {
-+ int ret = 1;
-+ EVP_CIPHER_CTX ctx;
-+ EVP_CIPHER_CTX_init(&ctx);
-+
-+ if (fips_cipher_test(&ctx, EVP_aes_128_xts(),
-+ XTS_128_key, XTS_128_i, XTS_128_pt, XTS_128_ct,
-+ sizeof(XTS_128_pt)) <= 0)
-+ ret = 0;
-+
-+ if (fips_cipher_test(&ctx, EVP_aes_256_xts(),
-+ XTS_256_key, XTS_256_i, XTS_256_pt, XTS_256_ct,
-+ sizeof(XTS_256_pt)) <= 0)
-+ ret = 0;
-+
-+ EVP_CIPHER_CTX_cleanup(&ctx);
-+ if (ret == 0)
-+ FIPSerr(FIPS_F_FIPS_SELFTEST_AES_XTS,FIPS_R_SELFTEST_FAILED);
-+ return ret;
-+ }
-+
-+#endif
-diff -up openssl-1.0.1e/crypto/fips/fips.c.fips openssl-1.0.1e/crypto/fips/fips.c
---- openssl-1.0.1e/crypto/fips/fips.c.fips 2013-10-04 11:48:04.182694181 +0200
-+++ openssl-1.0.1e/crypto/fips/fips.c 2013-10-04 11:48:04.182694181 +0200
-@@ -0,0 +1,491 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#define _GNU_SOURCE
-+
-+#include <openssl/rand.h>
-+#include <openssl/fips_rand.h>
-+#include <openssl/err.h>
-+#include <openssl/bio.h>
-+#include <openssl/hmac.h>
-+#include <openssl/rsa.h>
-+#include <string.h>
-+#include <limits.h>
-+#include <dlfcn.h>
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include "fips_locl.h"
-+
-+#ifdef OPENSSL_FIPS
-+
-+#include <openssl/fips.h>
-+
-+#ifndef PATH_MAX
-+#define PATH_MAX 1024
-+#endif
-+
-+static int fips_selftest_fail = 0;
-+static int fips_mode = 0;
-+static int fips_started = 0;
-+
-+static int fips_is_owning_thread(void);
-+static int fips_set_owning_thread(void);
-+static int fips_clear_owning_thread(void);
-+
-+#define fips_w_lock() CRYPTO_w_lock(CRYPTO_LOCK_FIPS)
-+#define fips_w_unlock() CRYPTO_w_unlock(CRYPTO_LOCK_FIPS)
-+#define fips_r_lock() CRYPTO_r_lock(CRYPTO_LOCK_FIPS)
-+#define fips_r_unlock() CRYPTO_r_unlock(CRYPTO_LOCK_FIPS)
-+
-+static void fips_set_mode(int onoff)
-+ {
-+ int owning_thread = fips_is_owning_thread();
-+
-+ if (fips_started)
-+ {
-+ if (!owning_thread) fips_w_lock();
-+ fips_mode = onoff;
-+ if (!owning_thread) fips_w_unlock();
-+ }
-+ }
-+
-+int FIPS_module_mode(void)
-+ {
-+ int ret = 0;
-+ int owning_thread = fips_is_owning_thread();
-+
-+ if (fips_started)
-+ {
-+ if (!owning_thread) fips_r_lock();
-+ ret = fips_mode;
-+ if (!owning_thread) fips_r_unlock();
-+ }
-+ return ret;
-+ }
-+
-+int FIPS_selftest_failed(void)
-+ {
-+ int ret = 0;
-+ if (fips_started)
-+ {
-+ int owning_thread = fips_is_owning_thread();
-+
-+ if (!owning_thread) fips_r_lock();
-+ ret = fips_selftest_fail;
-+ if (!owning_thread) fips_r_unlock();
-+ }
-+ return ret;
-+ }
-+
-+/* Selftest failure fatal exit routine. This will be called
-+ * during *any* cryptographic operation. It has the minimum
-+ * overhead possible to avoid too big a performance hit.
-+ */
-+
-+void FIPS_selftest_check(void)
-+ {
-+ if (fips_selftest_fail)
-+ {
-+ OpenSSLDie(__FILE__,__LINE__, "FATAL FIPS SELFTEST FAILURE");
-+ }
-+ }
-+
-+void fips_set_selftest_fail(void)
-+ {
-+ fips_selftest_fail = 1;
-+ }
-+
-+/* we implement what libfipscheck does ourselves */
-+
-+static int
-+get_library_path(const char *libname, const char *symbolname, char *path, size_t pathlen)
-+{
-+ Dl_info info;
-+ void *dl, *sym;
-+ int rv = -1;
-+
-+ dl = dlopen(libname, RTLD_LAZY);
-+ if (dl == NULL) {
-+ return -1;
-+ }
-+
-+ sym = dlsym(dl, symbolname);
-+
-+ if (sym != NULL && dladdr(sym, &info)) {
-+ strncpy(path, info.dli_fname, pathlen-1);
-+ path[pathlen-1] = '\0';
-+ rv = 0;
-+ }
-+
-+ dlclose(dl);
-+
-+ return rv;
-+}
-+
-+static const char conv[] = "0123456789abcdef";
-+
-+static char *
-+bin2hex(void *buf, size_t len)
-+{
-+ char *hex, *p;
-+ unsigned char *src = buf;
-+
-+ hex = malloc(len * 2 + 1);
-+ if (hex == NULL)
-+ return NULL;
-+
-+ p = hex;
-+
-+ while (len > 0) {
-+ unsigned c;
-+
-+ c = *src;
-+ src++;
-+
-+ *p = conv[c >> 4];
-+ ++p;
-+ *p = conv[c & 0x0f];
-+ ++p;
-+ --len;
-+ }
-+ *p = '\0';
-+ return hex;
-+}
-+
-+#define HMAC_PREFIX "."
-+#define HMAC_SUFFIX ".hmac"
-+#define READ_BUFFER_LENGTH 16384
-+
-+static char *
-+make_hmac_path(const char *origpath)
-+{
-+ char *path, *p;
-+ const char *fn;
-+
-+ path = malloc(sizeof(HMAC_PREFIX) + sizeof(HMAC_SUFFIX) + strlen(origpath));
-+ if(path == NULL) {
-+ return NULL;
-+ }
-+
-+ fn = strrchr(origpath, '/');
-+ if (fn == NULL) {
-+ fn = origpath;
-+ } else {
-+ ++fn;
-+ }
-+
-+ strncpy(path, origpath, fn-origpath);
-+ p = path + (fn - origpath);
-+ p = stpcpy(p, HMAC_PREFIX);
-+ p = stpcpy(p, fn);
-+ p = stpcpy(p, HMAC_SUFFIX);
-+
-+ return path;
-+}
-+
-+static const char hmackey[] = "orboDeJITITejsirpADONivirpUkvarP";
-+
-+static int
-+compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
-+{
-+ FILE *f = NULL;
-+ int rv = -1;
-+ unsigned char rbuf[READ_BUFFER_LENGTH];
-+ size_t len;
-+ unsigned int hlen;
-+ HMAC_CTX c;
-+
-+ HMAC_CTX_init(&c);
-+
-+ f = fopen(path, "r");
-+
-+ if (f == NULL) {
-+ goto end;
-+ }
-+
-+ HMAC_Init(&c, hmackey, sizeof(hmackey)-1, EVP_sha256());
-+
-+ while ((len=fread(rbuf, 1, sizeof(rbuf), f)) != 0) {
-+ HMAC_Update(&c, rbuf, len);
-+ }
-+
-+ len = sizeof(rbuf);
-+ /* reuse rbuf for hmac */
-+ HMAC_Final(&c, rbuf, &hlen);
-+
-+ *buf = malloc(hlen);
-+ if (*buf == NULL) {
-+ goto end;
-+ }
-+
-+ *hmaclen = hlen;
-+
-+ memcpy(*buf, rbuf, hlen);
-+
-+ rv = 0;
-+end:
-+ HMAC_CTX_cleanup(&c);
-+
-+ if (f)
-+ fclose(f);
-+
-+ return rv;
-+}
-+
-+static int
-+FIPSCHECK_verify(const char *libname, const char *symbolname)
-+{
-+ char path[PATH_MAX+1];
-+ int rv;
-+ FILE *hf;
-+ char *hmacpath, *p;
-+ char *hmac = NULL;
-+ size_t n;
-+
-+ rv = get_library_path(libname, symbolname, path, sizeof(path));
-+
-+ if (rv < 0)
-+ return 0;
-+
-+ hmacpath = make_hmac_path(path);
-+ if (hmacpath == NULL)
-+ return 0;
-+
-+ hf = fopen(hmacpath, "r");
-+ if (hf == NULL) {
-+ free(hmacpath);
-+ return 0;
-+ }
-+
-+ if (getline(&hmac, &n, hf) > 0) {
-+ void *buf;
-+ size_t hmaclen;
-+ char *hex;
-+
-+ if ((p=strchr(hmac, '\n')) != NULL)
-+ *p = '\0';
-+
-+ if (compute_file_hmac(path, &buf, &hmaclen) < 0) {
-+ rv = -4;
-+ goto end;
-+ }
-+
-+ if ((hex=bin2hex(buf, hmaclen)) == NULL) {
-+ free(buf);
-+ rv = -5;
-+ goto end;
-+ }
-+
-+ if (strcmp(hex, hmac) != 0) {
-+ rv = -1;
-+ }
-+ free(buf);
-+ free(hex);
-+ } else {
-+ rv = -1;
-+ }
-+
-+end:
-+ free(hmac);
-+ free(hmacpath);
-+ fclose(hf);
-+
-+ if (rv < 0)
-+ return 0;
-+
-+ /* check successful */
-+ return 1;
-+}
-+
-+int FIPS_module_mode_set(int onoff, const char *auth)
-+ {
-+ int ret = 0;
-+
-+ fips_w_lock();
-+ fips_started = 1;
-+ fips_set_owning_thread();
-+
-+ if(onoff)
-+ {
-+
-+ fips_selftest_fail = 0;
-+
-+ /* Don't go into FIPS mode twice, just so we can do automagic
-+ seeding */
-+ if(FIPS_module_mode())
-+ {
-+ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_FIPS_MODE_ALREADY_SET);
-+ fips_selftest_fail = 1;
-+ ret = 0;
-+ goto end;
-+ }
-+
-+#ifdef OPENSSL_IA32_SSE2
-+ {
-+ extern unsigned int OPENSSL_ia32cap_P[2];
-+ if ((OPENSSL_ia32cap_P[0] & (1<<25|1<<26)) != (1<<25|1<<26))
-+ {
-+ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_UNSUPPORTED_PLATFORM);
-+ fips_selftest_fail = 1;
-+ ret = 0;
-+ goto end;
-+ }
-+ OPENSSL_ia32cap_P[0] |= (1<<28); /* set "shared cache" */
-+ OPENSSL_ia32cap_P[1] &= ~(1<<(60-32)); /* clear AVX */
-+ }
-+#endif
-+
-+ if(!FIPSCHECK_verify("libcrypto.so." SHLIB_VERSION_NUMBER,"FIPS_mode_set"))
-+ {
-+ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
-+ fips_selftest_fail = 1;
-+ ret = 0;
-+ goto end;
-+ }
-+
-+ if(!FIPSCHECK_verify("libssl.so." SHLIB_VERSION_NUMBER,"SSL_CTX_new"))
-+ {
-+ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
-+ fips_selftest_fail = 1;
-+ ret = 0;
-+ goto end;
-+ }
-+
-+ if(FIPS_selftest())
-+ fips_set_mode(onoff);
-+ else
-+ {
-+ fips_selftest_fail = 1;
-+ ret = 0;
-+ goto end;
-+ }
-+ ret = 1;
-+ goto end;
-+ }
-+ fips_set_mode(0);
-+ fips_selftest_fail = 0;
-+ ret = 1;
-+end:
-+ fips_clear_owning_thread();
-+ fips_w_unlock();
-+ return ret;
-+ }
-+
-+static CRYPTO_THREADID fips_thread;
-+static int fips_thread_set = 0;
-+
-+static int fips_is_owning_thread(void)
-+ {
-+ int ret = 0;
-+
-+ if (fips_started)
-+ {
-+ CRYPTO_r_lock(CRYPTO_LOCK_FIPS2);
-+ if (fips_thread_set)
-+ {
-+ CRYPTO_THREADID cur;
-+ CRYPTO_THREADID_current(&cur);
-+ if (!CRYPTO_THREADID_cmp(&cur, &fips_thread))
-+ ret = 1;
-+ }
-+ CRYPTO_r_unlock(CRYPTO_LOCK_FIPS2);
-+ }
-+ return ret;
-+ }
-+
-+int fips_set_owning_thread(void)
-+ {
-+ int ret = 0;
-+
-+ if (fips_started)
-+ {
-+ CRYPTO_w_lock(CRYPTO_LOCK_FIPS2);
-+ if (!fips_thread_set)
-+ {
-+ CRYPTO_THREADID_current(&fips_thread);
-+ ret = 1;
-+ fips_thread_set = 1;
-+ }
-+ CRYPTO_w_unlock(CRYPTO_LOCK_FIPS2);
-+ }
-+ return ret;
-+ }
-+
-+int fips_clear_owning_thread(void)
-+ {
-+ int ret = 0;
-+
-+ if (fips_started)
-+ {
-+ CRYPTO_w_lock(CRYPTO_LOCK_FIPS2);
-+ if (fips_thread_set)
-+ {
-+ CRYPTO_THREADID cur;
-+ CRYPTO_THREADID_current(&cur);
-+ if (!CRYPTO_THREADID_cmp(&cur, &fips_thread))
-+ fips_thread_set = 0;
-+ }
-+ CRYPTO_w_unlock(CRYPTO_LOCK_FIPS2);
-+ }
-+ return ret;
-+ }
-+
-+
-+#if 0
-+/* The purpose of this is to ensure the error code exists and the function
-+ * name is to keep the error checking script quiet
-+ */
-+void hash_final(void)
-+ {
-+ FIPSerr(FIPS_F_HASH_FINAL,FIPS_R_NON_FIPS_METHOD);
-+ }
-+#endif
-+
-+
-+#endif
-diff -up openssl-1.0.1e/crypto/fips/fips_cmac_selftest.c.fips openssl-1.0.1e/crypto/fips/fips_cmac_selftest.c
---- openssl-1.0.1e/crypto/fips/fips_cmac_selftest.c.fips 2013-10-04 11:48:04.183694204 +0200
-+++ openssl-1.0.1e/crypto/fips/fips_cmac_selftest.c 2013-10-04 11:48:04.183694204 +0200
-@@ -0,0 +1,161 @@
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <string.h>
-+#include <openssl/err.h>
-+#include <openssl/fips.h>
-+#include <openssl/cmac.h>
-+#include "fips_locl.h"
-+
-+#ifdef OPENSSL_FIPS
-+typedef struct {
-+ int nid;
-+ const unsigned char key[EVP_MAX_KEY_LENGTH]; size_t keysize;
-+ const unsigned char msg[64]; size_t msgsize;
-+ const unsigned char mac[32]; size_t macsize;
-+} CMAC_KAT;
-+
-+/* from http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf */
-+static const CMAC_KAT vector[] = {
-+ { NID_aes_128_cbc, /* Count = 32 from CMACGenAES128.txt */
-+ { 0x77,0xa7,0x7f,0xaf, 0x29,0x0c,0x1f,0xa3,
-+ 0x0c,0x68,0x3d,0xf1, 0x6b,0xa7,0xa7,0x7b, }, 128,
-+ { 0x02,0x06,0x83,0xe1, 0xf0,0x39,0x2f,0x4c,
-+ 0xac,0x54,0x31,0x8b, 0x60,0x29,0x25,0x9e,
-+ 0x9c,0x55,0x3d,0xbc, 0x4b,0x6a,0xd9,0x98,
-+ 0xe6,0x4d,0x58,0xe4, 0xe7,0xdc,0x2e,0x13, }, 256,
-+ { 0xfb,0xfe,0xa4,0x1b, }, 32
-+ },
-+ { NID_aes_192_cbc, /* Count = 23 from CMACGenAES192.txt */
-+ { 0x7b,0x32,0x39,0x13, 0x69,0xaa,0x4c,0xa9,
-+ 0x75,0x58,0x09,0x5b, 0xe3,0xc3,0xec,0x86,
-+ 0x2b,0xd0,0x57,0xce, 0xf1,0xe3,0x2d,0x62, }, 192,
-+ { 0x0 }, 0,
-+ { 0xe4,0xd9,0x34,0x0b, 0x03,0xe6,0x7d,0xef,
-+ 0xd4,0x96,0x9c,0xc1, 0xed,0x37,0x35,0xe6, }, 128,
-+ },
-+ { NID_aes_256_cbc, /* Count = 33 from CMACGenAES256.txt */
-+ { 0x0b,0x12,0x2a,0xc8, 0xf3,0x4e,0xd1,0xfe,
-+ 0x08,0x2a,0x36,0x25, 0xd1,0x57,0x56,0x14,
-+ 0x54,0x16,0x7a,0xc1, 0x45,0xa1,0x0b,0xbf,
-+ 0x77,0xc6,0xa7,0x05, 0x96,0xd5,0x74,0xf1, }, 256,
-+ { 0x49,0x8b,0x53,0xfd, 0xec,0x87,0xed,0xcb,
-+ 0xf0,0x70,0x97,0xdc, 0xcd,0xe9,0x3a,0x08,
-+ 0x4b,0xad,0x75,0x01, 0xa2,0x24,0xe3,0x88,
-+ 0xdf,0x34,0x9c,0xe1, 0x89,0x59,0xfe,0x84,
-+ 0x85,0xf8,0xad,0x15, 0x37,0xf0,0xd8,0x96,
-+ 0xea,0x73,0xbe,0xdc, 0x72,0x14,0x71,0x3f, }, 384,
-+ { 0xf6,0x2c,0x46,0x32, 0x9b, }, 40,
-+ },
-+ { NID_des_ede3_cbc, /* Count = 41 from CMACGenTDES3.req */
-+ { 0x89,0xbc,0xd9,0x52, 0xa8,0xc8,0xab,0x37,
-+ 0x1a,0xf4,0x8a,0xc7, 0xd0,0x70,0x85,0xd5,
-+ 0xef,0xf7,0x02,0xe6, 0xd6,0x2c,0xdc,0x23, }, 192,
-+ { 0xfa,0x62,0x0c,0x1b, 0xbe,0x97,0x31,0x9e,
-+ 0x9a,0x0c,0xf0,0x49, 0x21,0x21,0xf7,0xa2,
-+ 0x0e,0xb0,0x8a,0x6a, 0x70,0x9d,0xcb,0xd0,
-+ 0x0a,0xaf,0x38,0xe4, 0xf9,0x9e,0x75,0x4e, }, 256,
-+ { 0x8f,0x49,0xa1,0xb7, 0xd6,0xaa,0x22,0x58, }, 64,
-+ },
-+};
-+
-+int FIPS_selftest_cmac()
-+ {
-+ size_t n, outlen;
-+ unsigned char out[32];
-+ const EVP_CIPHER *cipher;
-+ CMAC_CTX *ctx = CMAC_CTX_new();
-+ const CMAC_KAT *t;
-+ int rv = 1;
-+
-+ for(n=0,t=vector; n<sizeof(vector)/sizeof(vector[0]); n++,t++)
-+ {
-+ cipher = FIPS_get_cipherbynid(t->nid);
-+ if (!cipher)
-+ {
-+ rv = -1;
-+ goto err;
-+ }
-+ if (!CMAC_Init(ctx, t->key, t->keysize/8, cipher, 0))
-+ {
-+ rv = -1;
-+ goto err;
-+ }
-+ if (!CMAC_Update(ctx, t->msg, t->msgsize/8))
-+ {
-+ rv = -1;
-+ goto err;
-+ }
-+
-+ if (!CMAC_Final(ctx, out, &outlen))
-+ {
-+ rv = -1;
-+ goto err;
-+ }
-+ CMAC_CTX_cleanup(ctx);
-+
-+ if(outlen < t->macsize/8 || memcmp(out,t->mac,t->macsize/8))
-+ {
-+ rv = 0;
-+ }
-+ }
-+
-+ err:
-+ CMAC_CTX_free(ctx);
-+
-+ if (rv == -1)
-+ {
-+ rv = 0;
-+ }
-+ if (!rv)
-+ FIPSerr(FIPS_F_FIPS_SELFTEST_CMAC,FIPS_R_SELFTEST_FAILED);
-+
-+ return rv;
-+ }
-+#endif
-diff -up openssl-1.0.1e/crypto/fips/fips_des_selftest.c.fips openssl-1.0.1e/crypto/fips/fips_des_selftest.c
---- openssl-1.0.1e/crypto/fips/fips_des_selftest.c.fips 2013-10-04 11:48:04.183694204 +0200
-+++ openssl-1.0.1e/crypto/fips/fips_des_selftest.c 2013-10-04 11:48:04.183694204 +0200
-@@ -0,0 +1,147 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <string.h>
-+#include <openssl/err.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-+#include <openssl/evp.h>
-+#include <openssl/opensslconf.h>
-+
-+#ifdef OPENSSL_FIPS
-+
-+static const struct
-+ {
-+ const unsigned char key[16];
-+ const unsigned char plaintext[8];
-+ const unsigned char ciphertext[8];
-+ } tests2[]=
-+ {
-+ {
-+ { 0x7c,0x4f,0x6e,0xf7,0xa2,0x04,0x16,0xec,
-+ 0x0b,0x6b,0x7c,0x9e,0x5e,0x19,0xa7,0xc4 },
-+ { 0x06,0xa7,0xd8,0x79,0xaa,0xce,0x69,0xef },
-+ { 0x4c,0x11,0x17,0x55,0xbf,0xc4,0x4e,0xfd }
-+ },
-+ {
-+ { 0x5d,0x9e,0x01,0xd3,0x25,0xc7,0x3e,0x34,
-+ 0x01,0x16,0x7c,0x85,0x23,0xdf,0xe0,0x68 },
-+ { 0x9c,0x50,0x09,0x0f,0x5e,0x7d,0x69,0x7e },
-+ { 0xd2,0x0b,0x18,0xdf,0xd9,0x0d,0x9e,0xff },
-+ }
-+ };
-+
-+static const struct
-+ {
-+ const unsigned char key[24];
-+ const unsigned char plaintext[8];
-+ const unsigned char ciphertext[8];
-+ } tests3[]=
-+ {
-+ {
-+ { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-+ 0xFE,0xDC,0xBA,0x98,0x76,0x54,0x32,0x10,
-+ 0x12,0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0 },
-+ { 0x8f,0x8f,0xbf,0x9b,0x5d,0x48,0xb4,0x1c },
-+ { 0x59,0x8c,0xe5,0xd3,0x6c,0xa2,0xea,0x1b },
-+ },
-+ {
-+ { 0xDC,0xBA,0x98,0x76,0x54,0x32,0x10,0xFE,
-+ 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF,
-+ 0xED,0x39,0xD9,0x50,0xFA,0x74,0xBC,0xC4 },
-+ { 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF },
-+ { 0x11,0x25,0xb0,0x35,0xbe,0xa0,0x82,0x86 },
-+ },
-+ };
-+
-+
-+static int corrupt_des;
-+
-+void FIPS_corrupt_des()
-+ {
-+ corrupt_des = 1;
-+ }
-+
-+int FIPS_selftest_des()
-+ {
-+ int n, ret = 0;
-+ EVP_CIPHER_CTX ctx;
-+ EVP_CIPHER_CTX_init(&ctx);
-+ /* Encrypt/decrypt with 2-key 3DES and compare to known answers */
-+ for(n=0 ; n < 2 ; ++n)
-+ {
-+ unsigned char plaintext[8];
-+
-+ memcpy(plaintext, tests2[n].plaintext, sizeof(plaintext));
-+ if (corrupt_des)
-+ plaintext[0]++;
-+ if (!fips_cipher_test(&ctx, EVP_des_ede_ecb(),
-+ tests2[n].key, NULL,
-+ plaintext, tests2[n].ciphertext, 8))
-+ goto err;
-+ }
-+
-+ /* Encrypt/decrypt with 3DES and compare to known answers */
-+ for(n=0 ; n < 2 ; ++n)
-+ {
-+ if (!fips_cipher_test(&ctx, EVP_des_ede3_ecb(),
-+ tests3[n].key, NULL,
-+ tests3[n].plaintext, tests3[n].ciphertext, 8))
-+ goto err;
-+ }
-+ ret = 1;
-+ err:
-+ EVP_CIPHER_CTX_cleanup(&ctx);
-+ if (ret == 0)
-+ FIPSerr(FIPS_F_FIPS_SELFTEST_DES,FIPS_R_SELFTEST_FAILED);
-+
-+ return ret;
-+ }
-+#endif
-diff -up openssl-1.0.1e/crypto/fips/fips_drbg_ctr.c.fips openssl-1.0.1e/crypto/fips/fips_drbg_ctr.c
---- openssl-1.0.1e/crypto/fips/fips_drbg_ctr.c.fips 2013-10-04 11:48:04.183694204 +0200
-+++ openssl-1.0.1e/crypto/fips/fips_drbg_ctr.c 2013-10-04 11:48:04.183694204 +0200
-@@ -0,0 +1,436 @@
-+/* fips/rand/fips_drbg_ctr.c */
-+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
-+ * project.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ */
-+
-+#include <stdlib.h>
-+#include <string.h>
-+#include <openssl/crypto.h>
-+#include <openssl/fips.h>
-+#include <openssl/fips_rand.h>
-+#include "fips_rand_lcl.h"
-+
-+static void inc_128(DRBG_CTR_CTX *cctx)
-+ {
-+ int i;
-+ unsigned char c;
-+ unsigned char *p = cctx->V + 15;
-+ for (i = 0; i < 16; i++)
-+ {
-+ c = *p;
-+ c++;
-+ *p = c;
-+ if (c)
-+ return;
-+ p--;
-+ }
-+ }
-+
-+static void ctr_XOR(DRBG_CTR_CTX *cctx, const unsigned char *in, size_t inlen)
-+ {
-+ size_t i, n;
-+ /* Any zero padding will have no effect on the result as we
-+ * are XORing. So just process however much input we have.
-+ */
-+
-+ if (!in || !inlen)
-+ return;
-+
-+ if (inlen < cctx->keylen)
-+ n = inlen;
-+ else
-+ n = cctx->keylen;
-+
-+ for (i = 0; i < n; i++)
-+ cctx->K[i] ^= in[i];
-+ if (inlen <= cctx->keylen)
-+ return;
-+
-+ n = inlen - cctx->keylen;
-+ /* Should never happen */
-+ if (n > 16)
-+ n = 16;
-+ for (i = 0; i < 16; i++)
-+ cctx->V[i] ^= in[i + cctx->keylen];
-+ }
-+
-+/* Process a complete block using BCC algorithm of SPP 800-90 10.4.3 */
-+
-+static void ctr_BCC_block(DRBG_CTR_CTX *cctx, unsigned char *out,
-+ const unsigned char *in)
-+ {
-+ int i;
-+ for (i = 0; i < 16; i++)
-+ out[i] ^= in[i];
-+ AES_encrypt(out, out, &cctx->df_ks);
-+#if 0
-+fprintf(stderr, "BCC in+out\n");
-+BIO_dump_fp(stderr, in, 16);
-+BIO_dump_fp(stderr, out, 16);
-+#endif
-+ }
-+
-+/* Handle several BCC operations for as much data as we need for K and X */
-+static void ctr_BCC_blocks(DRBG_CTR_CTX *cctx, const unsigned char *in)
-+ {
-+ ctr_BCC_block(cctx, cctx->KX, in);
-+ ctr_BCC_block(cctx, cctx->KX + 16, in);
-+ if (cctx->keylen != 16)
-+ ctr_BCC_block(cctx, cctx->KX + 32, in);
-+ }
-+/* Initialise BCC blocks: these have the value 0,1,2 in leftmost positions:
-+ * see 10.4.2 stage 7.
-+ */
-+static void ctr_BCC_init(DRBG_CTR_CTX *cctx)
-+ {
-+ memset(cctx->KX, 0, 48);
-+ memset(cctx->bltmp, 0, 16);
-+ ctr_BCC_block(cctx, cctx->KX, cctx->bltmp);
-+ cctx->bltmp[3] = 1;
-+ ctr_BCC_block(cctx, cctx->KX + 16, cctx->bltmp);
-+ if (cctx->keylen != 16)
-+ {
-+ cctx->bltmp[3] = 2;
-+ ctr_BCC_block(cctx, cctx->KX + 32, cctx->bltmp);
-+ }
-+ }
-+
-+/* Process several blocks into BCC algorithm, some possibly partial */
-+static void ctr_BCC_update(DRBG_CTR_CTX *cctx,
-+ const unsigned char *in, size_t inlen)
-+ {
-+ if (!in || !inlen)
-+ return;
-+ /* If we have partial block handle it first */
-+ if (cctx->bltmp_pos)
-+ {
-+ size_t left = 16 - cctx->bltmp_pos;
-+ /* If we now have a complete block process it */
-+ if (inlen >= left)
-+ {
-+ memcpy(cctx->bltmp + cctx->bltmp_pos, in, left);
-+ ctr_BCC_blocks(cctx, cctx->bltmp);
-+ cctx->bltmp_pos = 0;
-+ inlen -= left;
-+ in += left;
-+ }
-+ }
-+ /* Process zero or more complete blocks */
-+ while (inlen >= 16)
-+ {
-+ ctr_BCC_blocks(cctx, in);
-+ in += 16;
-+ inlen -= 16;
-+ }
-+ /* Copy any remaining partial block to the temporary buffer */
-+ if (inlen > 0)
-+ {
-+ memcpy(cctx->bltmp + cctx->bltmp_pos, in, inlen);
-+ cctx->bltmp_pos += inlen;
-+ }
-+ }
-+
-+static void ctr_BCC_final(DRBG_CTR_CTX *cctx)
-+ {
-+ if (cctx->bltmp_pos)
-+ {
-+ memset(cctx->bltmp + cctx->bltmp_pos, 0, 16 - cctx->bltmp_pos);
-+ ctr_BCC_blocks(cctx, cctx->bltmp);
-+ }
-+ }
-+
-+static void ctr_df(DRBG_CTR_CTX *cctx,
-+ const unsigned char *in1, size_t in1len,
-+ const unsigned char *in2, size_t in2len,
-+ const unsigned char *in3, size_t in3len)
-+ {
-+ size_t inlen;
-+ unsigned char *p = cctx->bltmp;
-+ static unsigned char c80 = 0x80;
-+
-+ ctr_BCC_init(cctx);
-+ if (!in1)
-+ in1len = 0;
-+ if (!in2)
-+ in2len = 0;
-+ if (!in3)
-+ in3len = 0;
-+ inlen = in1len + in2len + in3len;
-+ /* Initialise L||N in temporary block */
-+ *p++ = (inlen >> 24) & 0xff;
-+ *p++ = (inlen >> 16) & 0xff;
-+ *p++ = (inlen >> 8) & 0xff;
-+ *p++ = inlen & 0xff;
-+ /* NB keylen is at most 32 bytes */
-+ *p++ = 0;
-+ *p++ = 0;
-+ *p++ = 0;
-+ *p = (unsigned char)((cctx->keylen + 16) & 0xff);
-+ cctx->bltmp_pos = 8;
-+ ctr_BCC_update(cctx, in1, in1len);
-+ ctr_BCC_update(cctx, in2, in2len);
-+ ctr_BCC_update(cctx, in3, in3len);
-+ ctr_BCC_update(cctx, &c80, 1);
-+ ctr_BCC_final(cctx);
-+ /* Set up key K */
-+ AES_set_encrypt_key(cctx->KX, cctx->keylen * 8, &cctx->df_kxks);
-+ /* X follows key K */
-+ AES_encrypt(cctx->KX + cctx->keylen, cctx->KX, &cctx->df_kxks);
-+ AES_encrypt(cctx->KX, cctx->KX + 16, &cctx->df_kxks);
-+ if (cctx->keylen != 16)
-+ AES_encrypt(cctx->KX + 16, cctx->KX + 32, &cctx->df_kxks);
-+#if 0
-+fprintf(stderr, "Output of ctr_df:\n");
-+BIO_dump_fp(stderr, cctx->KX, cctx->keylen + 16);
-+#endif
-+ }
-+
-+/* NB the no-df Update in SP800-90 specifies a constant input length
-+ * of seedlen, however other uses of this algorithm pad the input with
-+ * zeroes if necessary and have up to two parameters XORed together,
-+ * handle both cases in this function instead.
-+ */
-+
-+static void ctr_Update(DRBG_CTX *dctx,
-+ const unsigned char *in1, size_t in1len,
-+ const unsigned char *in2, size_t in2len,
-+ const unsigned char *nonce, size_t noncelen)
-+ {
-+ DRBG_CTR_CTX *cctx = &dctx->d.ctr;
-+ /* ks is already setup for correct key */
-+ inc_128(cctx);
-+ AES_encrypt(cctx->V, cctx->K, &cctx->ks);
-+ /* If keylen longer than 128 bits need extra encrypt */
-+ if (cctx->keylen != 16)
-+ {
-+ inc_128(cctx);
-+ AES_encrypt(cctx->V, cctx->K + 16, &cctx->ks);
-+ }
-+ inc_128(cctx);
-+ AES_encrypt(cctx->V, cctx->V, &cctx->ks);
-+ /* If 192 bit key part of V is on end of K */
-+ if (cctx->keylen == 24)
-+ {
-+ memcpy(cctx->V + 8, cctx->V, 8);
-+ memcpy(cctx->V, cctx->K + 24, 8);
-+ }
-+
-+ if (dctx->xflags & DRBG_FLAG_CTR_USE_DF)
-+ {
-+ /* If no input reuse existing derived value */
-+ if (in1 || nonce || in2)
-+ ctr_df(cctx, in1, in1len, nonce, noncelen, in2, in2len);
-+ /* If this a reuse input in1len != 0 */
-+ if (in1len)
-+ ctr_XOR(cctx, cctx->KX, dctx->seedlen);
-+ }
-+ else
-+ {
-+ ctr_XOR(cctx, in1, in1len);
-+ ctr_XOR(cctx, in2, in2len);
-+ }
-+
-+ AES_set_encrypt_key(cctx->K, dctx->strength, &cctx->ks);
-+#if 0
-+fprintf(stderr, "K+V after update is:\n");
-+BIO_dump_fp(stderr, cctx->K, cctx->keylen);
-+BIO_dump_fp(stderr, cctx->V, 16);
-+#endif
-+ }
-+
-+static int drbg_ctr_instantiate(DRBG_CTX *dctx,
-+ const unsigned char *ent, size_t entlen,
-+ const unsigned char *nonce, size_t noncelen,
-+ const unsigned char *pers, size_t perslen)
-+ {
-+ DRBG_CTR_CTX *cctx = &dctx->d.ctr;
-+ memset(cctx->K, 0, sizeof(cctx->K));
-+ memset(cctx->V, 0, sizeof(cctx->V));
-+ AES_set_encrypt_key(cctx->K, dctx->strength, &cctx->ks);
-+ ctr_Update(dctx, ent, entlen, pers, perslen, nonce, noncelen);
-+ return 1;
-+ }
-+
-+static int drbg_ctr_reseed(DRBG_CTX *dctx,
-+ const unsigned char *ent, size_t entlen,
-+ const unsigned char *adin, size_t adinlen)
-+ {
-+ ctr_Update(dctx, ent, entlen, adin, adinlen, NULL, 0);
-+ return 1;
-+ }
-+
-+static int drbg_ctr_generate(DRBG_CTX *dctx,
-+ unsigned char *out, size_t outlen,
-+ const unsigned char *adin, size_t adinlen)
-+ {
-+ DRBG_CTR_CTX *cctx = &dctx->d.ctr;
-+ if (adin && adinlen)
-+ {
-+ ctr_Update(dctx, adin, adinlen, NULL, 0, NULL, 0);
-+ /* This means we reuse derived value */
-+ if (dctx->xflags & DRBG_FLAG_CTR_USE_DF)
-+ {
-+ adin = NULL;
-+ adinlen = 1;
-+ }
-+ }
-+ else
-+ adinlen = 0;
-+
-+ for (;;)
-+ {
-+ inc_128(cctx);
-+ if (!(dctx->xflags & DRBG_FLAG_TEST) && !dctx->lb_valid)
-+ {
-+ AES_encrypt(cctx->V, dctx->lb, &cctx->ks);
-+ dctx->lb_valid = 1;
-+ continue;
-+ }
-+ if (outlen < 16)
-+ {
-+ /* Use K as temp space as it will be updated */
-+ AES_encrypt(cctx->V, cctx->K, &cctx->ks);
-+ if (!fips_drbg_cprng_test(dctx, cctx->K))
-+ return 0;
-+ memcpy(out, cctx->K, outlen);
-+ break;
-+ }
-+ AES_encrypt(cctx->V, out, &cctx->ks);
-+ if (!fips_drbg_cprng_test(dctx, out))
-+ return 0;
-+ out += 16;
-+ outlen -= 16;
-+ if (outlen == 0)
-+ break;
-+ }
-+
-+ ctr_Update(dctx, adin, adinlen, NULL, 0, NULL, 0);
-+
-+ return 1;
-+
-+ }
-+
-+static int drbg_ctr_uninstantiate(DRBG_CTX *dctx)
-+ {
-+ memset(&dctx->d.ctr, 0, sizeof(DRBG_CTR_CTX));
-+ return 1;
-+ }
-+
-+int fips_drbg_ctr_init(DRBG_CTX *dctx)
-+ {
-+ DRBG_CTR_CTX *cctx = &dctx->d.ctr;
-+
-+ size_t keylen;
-+
-+ switch (dctx->type)
-+ {
-+ case NID_aes_128_ctr:
-+ keylen = 16;
-+ break;
-+
-+ case NID_aes_192_ctr:
-+ keylen = 24;
-+ break;
-+
-+ case NID_aes_256_ctr:
-+ keylen = 32;
-+ break;
-+
-+ default:
-+ return -2;
-+ }
-+
-+ dctx->instantiate = drbg_ctr_instantiate;
-+ dctx->reseed = drbg_ctr_reseed;
-+ dctx->generate = drbg_ctr_generate;
-+ dctx->uninstantiate = drbg_ctr_uninstantiate;
-+
-+ cctx->keylen = keylen;
-+ dctx->strength = keylen * 8;
-+ dctx->blocklength = 16;
-+ dctx->seedlen = keylen + 16;
-+
-+ if (dctx->xflags & DRBG_FLAG_CTR_USE_DF)
-+ {
-+ /* df initialisation */
-+ static unsigned char df_key[32] =
-+ {
-+ 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
-+ 0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,
-+ 0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,
-+ 0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f
-+ };
-+ /* Set key schedule for df_key */
-+ AES_set_encrypt_key(df_key, dctx->strength, &cctx->df_ks);
-+
-+ dctx->min_entropy = cctx->keylen;
-+ dctx->max_entropy = DRBG_MAX_LENGTH;
-+ dctx->min_nonce = dctx->min_entropy / 2;
-+ dctx->max_nonce = DRBG_MAX_LENGTH;
-+ dctx->max_pers = DRBG_MAX_LENGTH;
-+ dctx->max_adin = DRBG_MAX_LENGTH;
-+ }
-+ else
-+ {
-+ dctx->min_entropy = dctx->seedlen;
-+ dctx->max_entropy = dctx->seedlen;
-+ /* Nonce not used */
-+ dctx->min_nonce = 0;
-+ dctx->max_nonce = 0;
-+ dctx->max_pers = dctx->seedlen;
-+ dctx->max_adin = dctx->seedlen;
-+ }
-+
-+ dctx->max_request = 1<<16;
-+ dctx->reseed_interval = 1<<24;
-+
-+ return 1;
-+ }
-diff -up openssl-1.0.1e/crypto/fips/fips_drbg_hash.c.fips openssl-1.0.1e/crypto/fips/fips_drbg_hash.c
---- openssl-1.0.1e/crypto/fips/fips_drbg_hash.c.fips 2013-10-04 11:48:04.183694204 +0200
-+++ openssl-1.0.1e/crypto/fips/fips_drbg_hash.c 2013-10-04 11:48:04.183694204 +0200
-@@ -0,0 +1,378 @@
-+/* fips/rand/fips_drbg_hash.c */
-+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
-+ * project.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ */
-+
-+#define OPENSSL_FIPSAPI
-+
-+#include <stdlib.h>
-+#include <string.h>
-+#include <openssl/crypto.h>
-+#include <openssl/fips.h>
-+#include <openssl/fips_rand.h>
-+#include "fips_rand_lcl.h"
-+
-+/* This is Hash_df from SP 800-90 10.4.1 */
-+
-+static int hash_df(DRBG_CTX *dctx, unsigned char *out,
-+ const unsigned char *in1, size_t in1len,
-+ const unsigned char *in2, size_t in2len,
-+ const unsigned char *in3, size_t in3len,
-+ const unsigned char *in4, size_t in4len)
-+ {
-+ EVP_MD_CTX *mctx = &dctx->d.hash.mctx;
-+ unsigned char *vtmp = dctx->d.hash.vtmp;
-+ unsigned char tmp[6];
-+ /* Standard only ever needs seedlen bytes which is always less than
-+ * maximum permitted so no need to check length.
-+ */
-+ size_t outlen = dctx->seedlen;
-+ tmp[0] = 1;
-+ tmp[1] = ((outlen * 8) >> 24) & 0xff;
-+ tmp[2] = ((outlen * 8) >> 16) & 0xff;
-+ tmp[3] = ((outlen * 8) >> 8) & 0xff;
-+ tmp[4] = (outlen * 8) & 0xff;
-+ if (!in1)
-+ {
-+ tmp[5] = (unsigned char)in1len;
-+ in1 = tmp + 5;
-+ in1len = 1;
-+ }
-+ for (;;)
-+ {
-+ if (!FIPS_digestinit(mctx, dctx->d.hash.md))
-+ return 0;
-+ if (!FIPS_digestupdate(mctx, tmp, 5))
-+ return 0;
-+ if (in1 && !FIPS_digestupdate(mctx, in1, in1len))
-+ return 0;
-+ if (in2 && !FIPS_digestupdate(mctx, in2, in2len))
-+ return 0;
-+ if (in3 && !FIPS_digestupdate(mctx, in3, in3len))
-+ return 0;
-+ if (in4 && !FIPS_digestupdate(mctx, in4, in4len))
-+ return 0;
-+ if (outlen < dctx->blocklength)
-+ {
-+ if (!FIPS_digestfinal(mctx, vtmp, NULL))
-+ return 0;
-+ memcpy(out, vtmp, outlen);
-+ OPENSSL_cleanse(vtmp, dctx->blocklength);
-+ return 1;
-+ }
-+ else if(!FIPS_digestfinal(mctx, out, NULL))
-+ return 0;
-+
-+ outlen -= dctx->blocklength;
-+ if (outlen == 0)
-+ return 1;
-+ tmp[0]++;
-+ out += dctx->blocklength;
-+ }
-+ }
-+
-+
-+/* Add an unsigned buffer to the buf value, storing the result in buf. For
-+ * this algorithm the length of input never exceeds the seed length.
-+ */
-+
-+static void ctx_add_buf(DRBG_CTX *dctx, unsigned char *buf,
-+ unsigned char *in, size_t inlen)
-+ {
-+ size_t i = inlen;
-+ const unsigned char *q;
-+ unsigned char c, *p;
-+ p = buf + dctx->seedlen;
-+ q = in + inlen;
-+
-+ OPENSSL_assert(i <= dctx->seedlen);
-+
-+ /* Special case: zero length, just increment buffer */
-+ if (i)
-+ c = 0;
-+ else
-+ c = 1;
-+
-+ while (i)
-+ {
-+ int r;
-+ p--;
-+ q--;
-+ r = *p + *q + c;
-+ /* Carry */
-+ if (r > 0xff)
-+ c = 1;
-+ else
-+ c = 0;
-+ *p = r & 0xff;
-+ i--;
-+ }
-+
-+ i = dctx->seedlen - inlen;
-+
-+ /* If not adding whole buffer handle final carries */
-+ if (c && i)
-+ {
-+ do
-+ {
-+ p--;
-+ c = *p;
-+ c++;
-+ *p = c;
-+ if(c)
-+ return;
-+ } while(i--);
-+ }
-+ }
-+
-+/* Finalise and add hash to V */
-+
-+static int ctx_add_md(DRBG_CTX *dctx)
-+ {
-+ if (!FIPS_digestfinal(&dctx->d.hash.mctx, dctx->d.hash.vtmp, NULL))
-+ return 0;
-+ ctx_add_buf(dctx, dctx->d.hash.V, dctx->d.hash.vtmp, dctx->blocklength);
-+ return 1;
-+ }
-+
-+static int hash_gen(DRBG_CTX *dctx, unsigned char *out, size_t outlen)
-+ {
-+ DRBG_HASH_CTX *hctx = &dctx->d.hash;
-+ if (outlen == 0)
-+ return 1;
-+ memcpy(hctx->vtmp, hctx->V, dctx->seedlen);
-+ for(;;)
-+ {
-+ FIPS_digestinit(&hctx->mctx, hctx->md);
-+ FIPS_digestupdate(&hctx->mctx, hctx->vtmp, dctx->seedlen);
-+ if (!(dctx->xflags & DRBG_FLAG_TEST) && !dctx->lb_valid)
-+ {
-+ FIPS_digestfinal(&hctx->mctx, dctx->lb, NULL);
-+ dctx->lb_valid = 1;
-+ }
-+ else if (outlen < dctx->blocklength)
-+ {
-+ FIPS_digestfinal(&hctx->mctx, hctx->vtmp, NULL);
-+ if (!fips_drbg_cprng_test(dctx, hctx->vtmp))
-+ return 0;
-+ memcpy(out, hctx->vtmp, outlen);
-+ return 1;
-+ }
-+ else
-+ {
-+ FIPS_digestfinal(&hctx->mctx, out, NULL);
-+ if (!fips_drbg_cprng_test(dctx, out))
-+ return 0;
-+ outlen -= dctx->blocklength;
-+ if (outlen == 0)
-+ return 1;
-+ out += dctx->blocklength;
-+ }
-+ ctx_add_buf(dctx, hctx->vtmp, NULL, 0);
-+ }
-+ }
-+
-+static int drbg_hash_instantiate(DRBG_CTX *dctx,
-+ const unsigned char *ent, size_t ent_len,
-+ const unsigned char *nonce, size_t nonce_len,
-+ const unsigned char *pstr, size_t pstr_len)
-+ {
-+ DRBG_HASH_CTX *hctx = &dctx->d.hash;
-+ if (!hash_df(dctx, hctx->V,
-+ ent, ent_len, nonce, nonce_len, pstr, pstr_len,
-+ NULL, 0))
-+ return 0;
-+ if (!hash_df(dctx, hctx->C,
-+ NULL, 0, hctx->V, dctx->seedlen,
-+ NULL, 0, NULL, 0))
-+ return 0;
-+
-+#ifdef HASH_DRBG_TRACE
-+ fprintf(stderr, "V+C after instantiate:\n");
-+ hexprint(stderr, hctx->V, dctx->seedlen);
-+ hexprint(stderr, hctx->C, dctx->seedlen);
-+#endif
-+ return 1;
-+ }
-+
-+
-+static int drbg_hash_reseed(DRBG_CTX *dctx,
-+ const unsigned char *ent, size_t ent_len,
-+ const unsigned char *adin, size_t adin_len)
-+ {
-+ DRBG_HASH_CTX *hctx = &dctx->d.hash;
-+ /* V about to be updated so use C as output instead */
-+ if (!hash_df(dctx, hctx->C,
-+ NULL, 1, hctx->V, dctx->seedlen,
-+ ent, ent_len, adin, adin_len))
-+ return 0;
-+ memcpy(hctx->V, hctx->C, dctx->seedlen);
-+ if (!hash_df(dctx, hctx->C, NULL, 0,
-+ hctx->V, dctx->seedlen, NULL, 0, NULL, 0))
-+ return 0;
-+#ifdef HASH_DRBG_TRACE
-+ fprintf(stderr, "V+C after reseed:\n");
-+ hexprint(stderr, hctx->V, dctx->seedlen);
-+ hexprint(stderr, hctx->C, dctx->seedlen);
-+#endif
-+ return 1;
-+ }
-+
-+static int drbg_hash_generate(DRBG_CTX *dctx,
-+ unsigned char *out, size_t outlen,
-+ const unsigned char *adin, size_t adin_len)
-+ {
-+ DRBG_HASH_CTX *hctx = &dctx->d.hash;
-+ EVP_MD_CTX *mctx = &hctx->mctx;
-+ unsigned char tmp[4];
-+ if (adin && adin_len)
-+ {
-+ tmp[0] = 2;
-+ if (!FIPS_digestinit(mctx, hctx->md))
-+ return 0;
-+ if (!EVP_DigestUpdate(mctx, tmp, 1))
-+ return 0;
-+ if (!EVP_DigestUpdate(mctx, hctx->V, dctx->seedlen))
-+ return 0;
-+ if (!EVP_DigestUpdate(mctx, adin, adin_len))
-+ return 0;
-+ if (!ctx_add_md(dctx))
-+ return 0;
-+ }
-+ if (!hash_gen(dctx, out, outlen))
-+ return 0;
-+
-+ tmp[0] = 3;
-+ if (!FIPS_digestinit(mctx, hctx->md))
-+ return 0;
-+ if (!EVP_DigestUpdate(mctx, tmp, 1))
-+ return 0;
-+ if (!EVP_DigestUpdate(mctx, hctx->V, dctx->seedlen))
-+ return 0;
-+
-+ if (!ctx_add_md(dctx))
-+ return 0;
-+
-+ ctx_add_buf(dctx, hctx->V, hctx->C, dctx->seedlen);
-+
-+ tmp[0] = (dctx->reseed_counter >> 24) & 0xff;
-+ tmp[1] = (dctx->reseed_counter >> 16) & 0xff;
-+ tmp[2] = (dctx->reseed_counter >> 8) & 0xff;
-+ tmp[3] = dctx->reseed_counter & 0xff;
-+ ctx_add_buf(dctx, hctx->V, tmp, 4);
-+#ifdef HASH_DRBG_TRACE
-+ fprintf(stderr, "V+C after generate:\n");
-+ hexprint(stderr, hctx->V, dctx->seedlen);
-+ hexprint(stderr, hctx->C, dctx->seedlen);
-+#endif
-+ return 1;
-+ }
-+
-+static int drbg_hash_uninstantiate(DRBG_CTX *dctx)
-+ {
-+ EVP_MD_CTX_cleanup(&dctx->d.hash.mctx);
-+ OPENSSL_cleanse(&dctx->d.hash, sizeof(DRBG_HASH_CTX));
-+ return 1;
-+ }
-+
-+int fips_drbg_hash_init(DRBG_CTX *dctx)
-+ {
-+ const EVP_MD *md;
-+ DRBG_HASH_CTX *hctx = &dctx->d.hash;
-+ md = FIPS_get_digestbynid(dctx->type);
-+ if (!md)
-+ return -2;
-+ switch (dctx->type)
-+ {
-+ case NID_sha1:
-+ dctx->strength = 128;
-+ break;
-+
-+ case NID_sha224:
-+ dctx->strength = 192;
-+ break;
-+
-+ default:
-+ dctx->strength = 256;
-+ break;
-+ }
-+
-+ dctx->instantiate = drbg_hash_instantiate;
-+ dctx->reseed = drbg_hash_reseed;
-+ dctx->generate = drbg_hash_generate;
-+ dctx->uninstantiate = drbg_hash_uninstantiate;
-+
-+ dctx->d.hash.md = md;
-+ EVP_MD_CTX_init(&hctx->mctx);
-+
-+ /* These are taken from SP 800-90 10.1 table 2 */
-+
-+ dctx->blocklength = M_EVP_MD_size(md);
-+ if (dctx->blocklength > 32)
-+ dctx->seedlen = 111;
-+ else
-+ dctx->seedlen = 55;
-+
-+
-+ dctx->min_entropy = dctx->strength / 8;
-+ dctx->max_entropy = DRBG_MAX_LENGTH;
-+
-+ dctx->min_nonce = dctx->min_entropy / 2;
-+ dctx->max_nonce = DRBG_MAX_LENGTH;
-+
-+ dctx->max_pers = DRBG_MAX_LENGTH;
-+ dctx->max_adin = DRBG_MAX_LENGTH;
-+
-+ dctx->max_request = 1<<16;
-+ dctx->reseed_interval = 1<<24;
-+
-+ return 1;
-+ }
-diff -up openssl-1.0.1e/crypto/fips/fips_drbg_hmac.c.fips openssl-1.0.1e/crypto/fips/fips_drbg_hmac.c
---- openssl-1.0.1e/crypto/fips/fips_drbg_hmac.c.fips 2013-10-04 11:48:04.183694204 +0200
-+++ openssl-1.0.1e/crypto/fips/fips_drbg_hmac.c 2013-10-04 11:48:04.183694204 +0200
-@@ -0,0 +1,281 @@
-+/* fips/rand/fips_drbg_hmac.c */
-+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
-+ * project.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ */
-+
-+#include <stdlib.h>
-+#include <string.h>
-+#include <openssl/crypto.h>
-+#include <openssl/evp.h>
-+#include <openssl/hmac.h>
-+#include <openssl/aes.h>
-+#include <openssl/fips.h>
-+#include <openssl/fips_rand.h>
-+#include "fips_rand_lcl.h"
-+
-+static int drbg_hmac_update(DRBG_CTX *dctx,
-+ const unsigned char *in1, size_t in1len,
-+ const unsigned char *in2, size_t in2len,
-+ const unsigned char *in3, size_t in3len
-+ )
-+ {
-+ static unsigned char c0 = 0, c1 = 1;
-+ DRBG_HMAC_CTX *hmac = &dctx->d.hmac;
-+ HMAC_CTX *hctx = &hmac->hctx;
-+
-+ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
-+ return 0;
-+ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))
-+ return 0;
-+ if (!HMAC_Update(hctx, &c0, 1))
-+ return 0;
-+ if (in1len && !HMAC_Update(hctx, in1, in1len))
-+ return 0;
-+ if (in2len && !HMAC_Update(hctx, in2, in2len))
-+ return 0;
-+ if (in3len && !HMAC_Update(hctx, in3, in3len))
-+ return 0;
-+
-+ if (!HMAC_Final(hctx, hmac->K, NULL))
-+ return 0;
-+
-+ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
-+ return 0;
-+ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))
-+ return 0;
-+
-+ if (!HMAC_Final(hctx, hmac->V, NULL))
-+ return 0;
-+
-+ if (!in1len && !in2len && !in3len)
-+ return 1;
-+
-+ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
-+ return 0;
-+ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))
-+ return 0;
-+ if (!HMAC_Update(hctx, &c1, 1))
-+ return 0;
-+ if (in1len && !HMAC_Update(hctx, in1, in1len))
-+ return 0;
-+ if (in2len && !HMAC_Update(hctx, in2, in2len))
-+ return 0;
-+ if (in3len && !HMAC_Update(hctx, in3, in3len))
-+ return 0;
-+
-+ if (!HMAC_Final(hctx, hmac->K, NULL))
-+ return 0;
-+
-+ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
-+ return 0;
-+ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))
-+ return 0;
-+
-+ if (!HMAC_Final(hctx, hmac->V, NULL))
-+ return 0;
-+
-+ return 1;
-+
-+ }
-+
-+static int drbg_hmac_instantiate(DRBG_CTX *dctx,
-+ const unsigned char *ent, size_t ent_len,
-+ const unsigned char *nonce, size_t nonce_len,
-+ const unsigned char *pstr, size_t pstr_len)
-+ {
-+ DRBG_HMAC_CTX *hmac = &dctx->d.hmac;
-+ memset(hmac->K, 0, dctx->blocklength);
-+ memset(hmac->V, 1, dctx->blocklength);
-+ if (!drbg_hmac_update(dctx,
-+ ent, ent_len, nonce, nonce_len, pstr, pstr_len))
-+ return 0;
-+
-+#ifdef HMAC_DRBG_TRACE
-+ fprintf(stderr, "K+V after instantiate:\n");
-+ hexprint(stderr, hmac->K, hmac->blocklength);
-+ hexprint(stderr, hmac->V, hmac->blocklength);
-+#endif
-+ return 1;
-+ }
-+
-+static int drbg_hmac_reseed(DRBG_CTX *dctx,
-+ const unsigned char *ent, size_t ent_len,
-+ const unsigned char *adin, size_t adin_len)
-+ {
-+ if (!drbg_hmac_update(dctx,
-+ ent, ent_len, adin, adin_len, NULL, 0))
-+ return 0;
-+
-+#ifdef HMAC_DRBG_TRACE
-+ {
-+ DRBG_HMAC_CTX *hmac = &dctx->d.hmac;
-+ fprintf(stderr, "K+V after reseed:\n");
-+ hexprint(stderr, hmac->K, hmac->blocklength);
-+ hexprint(stderr, hmac->V, hmac->blocklength);
-+ }
-+#endif
-+ return 1;
-+ }
-+
-+static int drbg_hmac_generate(DRBG_CTX *dctx,
-+ unsigned char *out, size_t outlen,
-+ const unsigned char *adin, size_t adin_len)
-+ {
-+ DRBG_HMAC_CTX *hmac = &dctx->d.hmac;
-+ HMAC_CTX *hctx = &hmac->hctx;
-+ const unsigned char *Vtmp = hmac->V;
-+ if (adin_len && !drbg_hmac_update(dctx, adin, adin_len,
-+ NULL, 0, NULL, 0))
-+ return 0;
-+ for (;;)
-+ {
-+ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength,
-+ hmac->md, NULL))
-+ return 0;
-+ if (!HMAC_Update(hctx, Vtmp, dctx->blocklength))
-+ return 0;
-+ if (!(dctx->xflags & DRBG_FLAG_TEST) && !dctx->lb_valid)
-+ {
-+ if (!HMAC_Final(hctx, dctx->lb, NULL))
-+ return 0;
-+ dctx->lb_valid = 1;
-+ Vtmp = dctx->lb;
-+ continue;
-+ }
-+ else if (outlen > dctx->blocklength)
-+ {
-+ if (!HMAC_Final(hctx, out, NULL))
-+ return 0;
-+ if (!fips_drbg_cprng_test(dctx, out))
-+ return 0;
-+ Vtmp = out;
-+ }
-+ else
-+ {
-+ if (!HMAC_Final(hctx, hmac->V, NULL))
-+ return 0;
-+ if (!fips_drbg_cprng_test(dctx, hmac->V))
-+ return 0;
-+ memcpy(out, hmac->V, outlen);
-+ break;
-+ }
-+ out += dctx->blocklength;
-+ outlen -= dctx->blocklength;
-+ }
-+ if (!drbg_hmac_update(dctx, adin, adin_len, NULL, 0, NULL, 0))
-+ return 0;
-+
-+ return 1;
-+ }
-+
-+static int drbg_hmac_uninstantiate(DRBG_CTX *dctx)
-+ {
-+ HMAC_CTX_cleanup(&dctx->d.hmac.hctx);
-+ OPENSSL_cleanse(&dctx->d.hmac, sizeof(DRBG_HMAC_CTX));
-+ return 1;
-+ }
-+
-+int fips_drbg_hmac_init(DRBG_CTX *dctx)
-+ {
-+ const EVP_MD *md = NULL;
-+ DRBG_HMAC_CTX *hctx = &dctx->d.hmac;
-+ dctx->strength = 256;
-+ switch (dctx->type)
-+ {
-+ case NID_hmacWithSHA1:
-+ md = EVP_sha1();
-+ dctx->strength = 128;
-+ break;
-+
-+ case NID_hmacWithSHA224:
-+ md = EVP_sha224();
-+ dctx->strength = 192;
-+ break;
-+
-+ case NID_hmacWithSHA256:
-+ md = EVP_sha256();
-+ break;
-+
-+ case NID_hmacWithSHA384:
-+ md = EVP_sha384();
-+ break;
-+
-+ case NID_hmacWithSHA512:
-+ md = EVP_sha512();
-+ break;
-+
-+ default:
-+ dctx->strength = 0;
-+ return -2;
-+ }
-+ dctx->instantiate = drbg_hmac_instantiate;
-+ dctx->reseed = drbg_hmac_reseed;
-+ dctx->generate = drbg_hmac_generate;
-+ dctx->uninstantiate = drbg_hmac_uninstantiate;
-+ HMAC_CTX_init(&hctx->hctx);
-+ hctx->md = md;
-+ dctx->blocklength = M_EVP_MD_size(md);
-+ dctx->seedlen = M_EVP_MD_size(md);
-+
-+ dctx->min_entropy = dctx->strength / 8;
-+ dctx->max_entropy = DRBG_MAX_LENGTH;
-+
-+ dctx->min_nonce = dctx->min_entropy / 2;
-+ dctx->max_nonce = DRBG_MAX_LENGTH;
-+
-+ dctx->max_pers = DRBG_MAX_LENGTH;
-+ dctx->max_adin = DRBG_MAX_LENGTH;
-+
-+ dctx->max_request = 1<<16;
-+ dctx->reseed_interval = 1<<24;
-+
-+ return 1;
-+ }
-diff -up openssl-1.0.1e/crypto/fips/fips_drbg_lib.c.fips openssl-1.0.1e/crypto/fips/fips_drbg_lib.c
---- openssl-1.0.1e/crypto/fips/fips_drbg_lib.c.fips 2013-10-04 11:48:04.184694226 +0200
-+++ openssl-1.0.1e/crypto/fips/fips_drbg_lib.c 2013-10-04 11:48:04.184694226 +0200
-@@ -0,0 +1,578 @@
-+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
-+ * project.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ */
-+
-+#include <string.h>
-+#include <openssl/crypto.h>
-+#include <openssl/err.h>
-+#include <openssl/fips_rand.h>
-+#include "fips_locl.h"
-+#include "fips_rand_lcl.h"
-+
-+/* Support framework for SP800-90 DRBGs */
-+
-+int FIPS_drbg_init(DRBG_CTX *dctx, int type, unsigned int flags)
-+ {
-+ int rv;
-+ memset(dctx, 0, sizeof(DRBG_CTX));
-+ dctx->status = DRBG_STATUS_UNINITIALISED;
-+ dctx->xflags = flags;
-+ dctx->type = type;
-+
-+ dctx->iflags = 0;
-+ dctx->entropy_blocklen = 0;
-+ dctx->health_check_cnt = 0;
-+ dctx->health_check_interval = DRBG_HEALTH_INTERVAL;
-+
-+ rv = fips_drbg_hash_init(dctx);
-+
-+ if (rv == -2)
-+ rv = fips_drbg_ctr_init(dctx);
-+ if (rv == -2)
-+ rv = fips_drbg_hmac_init(dctx);
-+
-+ if (rv <= 0)
-+ {
-+ if (rv == -2)
-+ FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_UNSUPPORTED_DRBG_TYPE);
-+ else
-+ FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_ERROR_INITIALISING_DRBG);
-+ }
-+
-+ /* If not in test mode run selftests on DRBG of the same type */
-+
-+ if (!(dctx->xflags & DRBG_FLAG_TEST))
-+ {
-+ if (!FIPS_drbg_health_check(dctx))
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_SELFTEST_FAILURE);
-+ return 0;
-+ }
-+ }
-+
-+ return rv;
-+ }
-+
-+DRBG_CTX *FIPS_drbg_new(int type, unsigned int flags)
-+ {
-+ DRBG_CTX *dctx;
-+ dctx = OPENSSL_malloc(sizeof(DRBG_CTX));
-+ if (!dctx)
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_NEW, ERR_R_MALLOC_FAILURE);
-+ return NULL;
-+ }
-+
-+ if (type == 0)
-+ {
-+ memset(dctx, 0, sizeof(DRBG_CTX));
-+ dctx->type = 0;
-+ dctx->status = DRBG_STATUS_UNINITIALISED;
-+ return dctx;
-+ }
-+
-+ if (FIPS_drbg_init(dctx, type, flags) <= 0)
-+ {
-+ OPENSSL_free(dctx);
-+ return NULL;
-+ }
-+
-+ return dctx;
-+ }
-+
-+void FIPS_drbg_free(DRBG_CTX *dctx)
-+ {
-+ if (dctx->uninstantiate)
-+ dctx->uninstantiate(dctx);
-+ /* Don't free up default DRBG */
-+ if (dctx == FIPS_get_default_drbg())
-+ {
-+ memset(dctx, 0, sizeof(DRBG_CTX));
-+ dctx->type = 0;
-+ dctx->status = DRBG_STATUS_UNINITIALISED;
-+ }
-+ else
-+ {
-+ OPENSSL_cleanse(&dctx->d, sizeof(dctx->d));
-+ OPENSSL_free(dctx);
-+ }
-+ }
-+
-+static size_t fips_get_entropy(DRBG_CTX *dctx, unsigned char **pout,
-+ int entropy, size_t min_len, size_t max_len)
-+ {
-+ unsigned char *tout, *p;
-+ size_t bl = dctx->entropy_blocklen, rv;
-+ if (!dctx->get_entropy)
-+ return 0;
-+ if (dctx->xflags & DRBG_FLAG_TEST || !bl)
-+ return dctx->get_entropy(dctx, pout, entropy, min_len, max_len);
-+ rv = dctx->get_entropy(dctx, &tout, entropy + bl,
-+ min_len + bl, max_len + bl);
-+ if (tout == NULL)
-+ return 0;
-+ *pout = tout + bl;
-+ if (rv < (min_len + bl) || (rv % bl))
-+ return 0;
-+ /* Compare consecutive blocks for continuous PRNG test */
-+ for (p = tout; p < tout + rv - bl; p += bl)
-+ {
-+ if (!memcmp(p, p + bl, bl))
-+ {
-+ FIPSerr(FIPS_F_FIPS_GET_ENTROPY, FIPS_R_ENTROPY_SOURCE_STUCK);
-+ return 0;
-+ }
-+ }
-+ rv -= bl;
-+ if (rv > max_len)
-+ return max_len;
-+ return rv;
-+ }
-+
-+static void fips_cleanup_entropy(DRBG_CTX *dctx,
-+ unsigned char *out, size_t olen)
-+ {
-+ size_t bl;
-+ if (dctx->xflags & DRBG_FLAG_TEST)
-+ bl = 0;
-+ else
-+ bl = dctx->entropy_blocklen;
-+ /* Call cleanup with original arguments */
-+ dctx->cleanup_entropy(dctx, out - bl, olen + bl);
-+ }
-+
-+
-+int FIPS_drbg_instantiate(DRBG_CTX *dctx,
-+ const unsigned char *pers, size_t perslen)
-+ {
-+ size_t entlen = 0, noncelen = 0;
-+ unsigned char *nonce = NULL, *entropy = NULL;
-+
-+#if 0
-+ /* Put here so error script picks them up */
-+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE,
-+ FIPS_R_PERSONALISATION_STRING_TOO_LONG);
-+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_IN_ERROR_STATE);
-+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ALREADY_INSTANTIATED);
-+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_ENTROPY);
-+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_NONCE);
-+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_INSTANTIATE_ERROR);
-+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_DRBG_NOT_INITIALISED);
-+#endif
-+
-+ int r = 0;
-+
-+ if (perslen > dctx->max_pers)
-+ {
-+ r = FIPS_R_PERSONALISATION_STRING_TOO_LONG;
-+ goto end;
-+ }
-+
-+ if (!dctx->instantiate)
-+ {
-+ r = FIPS_R_DRBG_NOT_INITIALISED;
-+ goto end;
-+ }
-+
-+ if (dctx->status != DRBG_STATUS_UNINITIALISED)
-+ {
-+ if (dctx->status == DRBG_STATUS_ERROR)
-+ r = FIPS_R_IN_ERROR_STATE;
-+ else
-+ r = FIPS_R_ALREADY_INSTANTIATED;
-+ goto end;
-+ }
-+
-+ dctx->status = DRBG_STATUS_ERROR;
-+
-+ entlen = fips_get_entropy(dctx, &entropy, dctx->strength,
-+ dctx->min_entropy, dctx->max_entropy);
-+
-+ if (entlen < dctx->min_entropy || entlen > dctx->max_entropy)
-+ {
-+ r = FIPS_R_ERROR_RETRIEVING_ENTROPY;
-+ goto end;
-+ }
-+
-+ if (dctx->max_nonce > 0 && dctx->get_nonce)
-+ {
-+ noncelen = dctx->get_nonce(dctx, &nonce,
-+ dctx->strength / 2,
-+ dctx->min_nonce, dctx->max_nonce);
-+
-+ if (noncelen < dctx->min_nonce || noncelen > dctx->max_nonce)
-+ {
-+ r = FIPS_R_ERROR_RETRIEVING_NONCE;
-+ goto end;
-+ }
-+
-+ }
-+
-+ if (!dctx->instantiate(dctx,
-+ entropy, entlen,
-+ nonce, noncelen,
-+ pers, perslen))
-+ {
-+ r = FIPS_R_ERROR_INSTANTIATING_DRBG;
-+ goto end;
-+ }
-+
-+
-+ dctx->status = DRBG_STATUS_READY;
-+ if (!(dctx->iflags & DRBG_CUSTOM_RESEED))
-+ dctx->reseed_counter = 1;
-+
-+ end:
-+
-+ if (entropy && dctx->cleanup_entropy)
-+ fips_cleanup_entropy(dctx, entropy, entlen);
-+
-+ if (nonce && dctx->cleanup_nonce)
-+ dctx->cleanup_nonce(dctx, nonce, noncelen);
-+
-+ if (dctx->status == DRBG_STATUS_READY)
-+ return 1;
-+
-+ if (r && !(dctx->iflags & DRBG_FLAG_NOERR))
-+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, r);
-+
-+ return 0;
-+
-+ }
-+
-+static int drbg_reseed(DRBG_CTX *dctx,
-+ const unsigned char *adin, size_t adinlen, int hcheck)
-+ {
-+ unsigned char *entropy = NULL;
-+ size_t entlen = 0;
-+ int r = 0;
-+
-+#if 0
-+ FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_NOT_INSTANTIATED);
-+ FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_ADDITIONAL_INPUT_TOO_LONG);
-+#endif
-+ if (dctx->status != DRBG_STATUS_READY
-+ && dctx->status != DRBG_STATUS_RESEED)
-+ {
-+ if (dctx->status == DRBG_STATUS_ERROR)
-+ r = FIPS_R_IN_ERROR_STATE;
-+ else if(dctx->status == DRBG_STATUS_UNINITIALISED)
-+ r = FIPS_R_NOT_INSTANTIATED;
-+ goto end;
-+ }
-+
-+ if (!adin)
-+ adinlen = 0;
-+ else if (adinlen > dctx->max_adin)
-+ {
-+ r = FIPS_R_ADDITIONAL_INPUT_TOO_LONG;
-+ goto end;
-+ }
-+
-+ dctx->status = DRBG_STATUS_ERROR;
-+ /* Peform health check on all reseed operations if not a prediction
-+ * resistance request and not in test mode.
-+ */
-+ if (hcheck && !(dctx->xflags & DRBG_FLAG_TEST))
-+ {
-+ if (!FIPS_drbg_health_check(dctx))
-+ {
-+ r = FIPS_R_SELFTEST_FAILURE;
-+ goto end;
-+ }
-+ }
-+
-+ entlen = fips_get_entropy(dctx, &entropy, dctx->strength,
-+ dctx->min_entropy, dctx->max_entropy);
-+
-+ if (entlen < dctx->min_entropy || entlen > dctx->max_entropy)
-+ {
-+ r = FIPS_R_ERROR_RETRIEVING_ENTROPY;
-+ goto end;
-+ }
-+
-+ if (!dctx->reseed(dctx, entropy, entlen, adin, adinlen))
-+ goto end;
-+
-+ dctx->status = DRBG_STATUS_READY;
-+ if (!(dctx->iflags & DRBG_CUSTOM_RESEED))
-+ dctx->reseed_counter = 1;
-+ end:
-+
-+ if (entropy && dctx->cleanup_entropy)
-+ fips_cleanup_entropy(dctx, entropy, entlen);
-+
-+ if (dctx->status == DRBG_STATUS_READY)
-+ return 1;
-+
-+ if (r && !(dctx->iflags & DRBG_FLAG_NOERR))
-+ FIPSerr(FIPS_F_DRBG_RESEED, r);
-+
-+ return 0;
-+ }
-+
-+int FIPS_drbg_reseed(DRBG_CTX *dctx,
-+ const unsigned char *adin, size_t adinlen)
-+ {
-+ return drbg_reseed(dctx, adin, adinlen, 1);
-+ }
-+
-+static int fips_drbg_check(DRBG_CTX *dctx)
-+ {
-+ if (dctx->xflags & DRBG_FLAG_TEST)
-+ return 1;
-+ dctx->health_check_cnt++;
-+ if (dctx->health_check_cnt >= dctx->health_check_interval)
-+ {
-+ if (!FIPS_drbg_health_check(dctx))
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_CHECK, FIPS_R_SELFTEST_FAILURE);
-+ return 0;
-+ }
-+ }
-+ return 1;
-+ }
-+
-+int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
-+ int prediction_resistance,
-+ const unsigned char *adin, size_t adinlen)
-+ {
-+ int r = 0;
-+
-+ if (FIPS_selftest_failed())
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, FIPS_R_SELFTEST_FAILED);
-+ return 0;
-+ }
-+
-+ if (!fips_drbg_check(dctx))
-+ return 0;
-+
-+ if (dctx->status != DRBG_STATUS_READY
-+ && dctx->status != DRBG_STATUS_RESEED)
-+ {
-+ if (dctx->status == DRBG_STATUS_ERROR)
-+ r = FIPS_R_IN_ERROR_STATE;
-+ else if(dctx->status == DRBG_STATUS_UNINITIALISED)
-+ r = FIPS_R_NOT_INSTANTIATED;
-+ goto end;
-+ }
-+
-+ if (outlen > dctx->max_request)
-+ {
-+ r = FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG;
-+ return 0;
-+ }
-+
-+ if (adinlen > dctx->max_adin)
-+ {
-+ r = FIPS_R_ADDITIONAL_INPUT_TOO_LONG;
-+ goto end;
-+ }
-+
-+ if (dctx->iflags & DRBG_CUSTOM_RESEED)
-+ dctx->generate(dctx, NULL, outlen, NULL, 0);
-+ else if (dctx->reseed_counter >= dctx->reseed_interval)
-+ dctx->status = DRBG_STATUS_RESEED;
-+
-+ if (dctx->status == DRBG_STATUS_RESEED || prediction_resistance)
-+ {
-+ /* If prediction resistance request don't do health check */
-+ int hcheck = prediction_resistance ? 0 : 1;
-+
-+ if (!drbg_reseed(dctx, adin, adinlen, hcheck))
-+ {
-+ r = FIPS_R_RESEED_ERROR;
-+ goto end;
-+ }
-+ adin = NULL;
-+ adinlen = 0;
-+ }
-+
-+ if (!dctx->generate(dctx, out, outlen, adin, adinlen))
-+ {
-+ r = FIPS_R_GENERATE_ERROR;
-+ dctx->status = DRBG_STATUS_ERROR;
-+ goto end;
-+ }
-+ if (!(dctx->iflags & DRBG_CUSTOM_RESEED))
-+ {
-+ if (dctx->reseed_counter >= dctx->reseed_interval)
-+ dctx->status = DRBG_STATUS_RESEED;
-+ else
-+ dctx->reseed_counter++;
-+ }
-+
-+ end:
-+ if (r)
-+ {
-+ if (!(dctx->iflags & DRBG_FLAG_NOERR))
-+ FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, r);
-+ return 0;
-+ }
-+
-+ return 1;
-+ }
-+
-+int FIPS_drbg_uninstantiate(DRBG_CTX *dctx)
-+ {
-+ int rv;
-+ if (!dctx->uninstantiate)
-+ rv = 1;
-+ else
-+ rv = dctx->uninstantiate(dctx);
-+ /* Although we'd like to cleanse here we can't because we have to
-+ * test the uninstantiate really zeroes the data.
-+ */
-+ memset(&dctx->d, 0, sizeof(dctx->d));
-+ dctx->status = DRBG_STATUS_UNINITIALISED;
-+ /* If method has problems uninstantiating, return error */
-+ return rv;
-+ }
-+
-+int FIPS_drbg_set_callbacks(DRBG_CTX *dctx,
-+ size_t (*get_entropy)(DRBG_CTX *ctx, unsigned char **pout,
-+ int entropy, size_t min_len, size_t max_len),
-+ void (*cleanup_entropy)(DRBG_CTX *ctx, unsigned char *out, size_t olen),
-+ size_t entropy_blocklen,
-+ size_t (*get_nonce)(DRBG_CTX *ctx, unsigned char **pout,
-+ int entropy, size_t min_len, size_t max_len),
-+ void (*cleanup_nonce)(DRBG_CTX *ctx, unsigned char *out, size_t olen))
-+ {
-+ if (dctx->status != DRBG_STATUS_UNINITIALISED)
-+ return 0;
-+ dctx->entropy_blocklen = entropy_blocklen;
-+ dctx->get_entropy = get_entropy;
-+ dctx->cleanup_entropy = cleanup_entropy;
-+ dctx->get_nonce = get_nonce;
-+ dctx->cleanup_nonce = cleanup_nonce;
-+ return 1;
-+ }
-+
-+int FIPS_drbg_set_rand_callbacks(DRBG_CTX *dctx,
-+ size_t (*get_adin)(DRBG_CTX *ctx, unsigned char **pout),
-+ void (*cleanup_adin)(DRBG_CTX *ctx, unsigned char *out, size_t olen),
-+ int (*rand_seed_cb)(DRBG_CTX *ctx, const void *buf, int num),
-+ int (*rand_add_cb)(DRBG_CTX *ctx,
-+ const void *buf, int num, double entropy))
-+ {
-+ if (dctx->status != DRBG_STATUS_UNINITIALISED)
-+ return 0;
-+ dctx->get_adin = get_adin;
-+ dctx->cleanup_adin = cleanup_adin;
-+ dctx->rand_seed_cb = rand_seed_cb;
-+ dctx->rand_add_cb = rand_add_cb;
-+ return 1;
-+ }
-+
-+void *FIPS_drbg_get_app_data(DRBG_CTX *dctx)
-+ {
-+ return dctx->app_data;
-+ }
-+
-+void FIPS_drbg_set_app_data(DRBG_CTX *dctx, void *app_data)
-+ {
-+ dctx->app_data = app_data;
-+ }
-+
-+size_t FIPS_drbg_get_blocklength(DRBG_CTX *dctx)
-+ {
-+ return dctx->blocklength;
-+ }
-+
-+int FIPS_drbg_get_strength(DRBG_CTX *dctx)
-+ {
-+ return dctx->strength;
-+ }
-+
-+void FIPS_drbg_set_check_interval(DRBG_CTX *dctx, int interval)
-+ {
-+ dctx->health_check_interval = interval;
-+ }
-+
-+void FIPS_drbg_set_reseed_interval(DRBG_CTX *dctx, int interval)
-+ {
-+ dctx->reseed_interval = interval;
-+ }
-+
-+static int drbg_stick = 0;
-+
-+void FIPS_drbg_stick(int onoff)
-+ {
-+ drbg_stick = onoff;
-+ }
-+
-+/* Continuous DRBG utility function */
-+int fips_drbg_cprng_test(DRBG_CTX *dctx, const unsigned char *out)
-+ {
-+ /* No CPRNG in test mode */
-+ if (dctx->xflags & DRBG_FLAG_TEST)
-+ return 1;
-+ /* Check block is valid: should never happen */
-+ if (dctx->lb_valid == 0)
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_CPRNG_TEST, FIPS_R_INTERNAL_ERROR);
-+ fips_set_selftest_fail();
-+ return 0;
-+ }
-+ if (drbg_stick)
-+ memcpy(dctx->lb, out, dctx->blocklength);
-+ /* Check against last block: fail if match */
-+ if (!memcmp(dctx->lb, out, dctx->blocklength))
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_CPRNG_TEST, FIPS_R_DRBG_STUCK);
-+ fips_set_selftest_fail();
-+ return 0;
-+ }
-+ /* Save last block for next comparison */
-+ memcpy(dctx->lb, out, dctx->blocklength);
-+ return 1;
-+ }
-diff -up openssl-1.0.1e/crypto/fips/fips_drbg_rand.c.fips openssl-1.0.1e/crypto/fips/fips_drbg_rand.c
---- openssl-1.0.1e/crypto/fips/fips_drbg_rand.c.fips 2013-10-04 11:48:04.184694226 +0200
-+++ openssl-1.0.1e/crypto/fips/fips_drbg_rand.c 2013-10-04 11:48:04.184694226 +0200
-@@ -0,0 +1,172 @@
-+/* fips/rand/fips_drbg_rand.c */
-+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
-+ * project.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ */
-+
-+#include <string.h>
-+#include <openssl/crypto.h>
-+#include <openssl/err.h>
-+#include <openssl/rand.h>
-+#include <openssl/fips_rand.h>
-+#include "fips_rand_lcl.h"
-+
-+/* Mapping of SP800-90 DRBGs to OpenSSL RAND_METHOD */
-+
-+/* Since we only have one global PRNG used at any time in OpenSSL use a global
-+ * variable to store context.
-+ */
-+
-+static DRBG_CTX ossl_dctx;
-+
-+DRBG_CTX *FIPS_get_default_drbg(void)
-+ {
-+ return &ossl_dctx;
-+ }
-+
-+static int fips_drbg_bytes(unsigned char *out, int count)
-+ {
-+ DRBG_CTX *dctx = &ossl_dctx;
-+ int rv = 0;
-+ unsigned char *adin = NULL;
-+ size_t adinlen = 0;
-+ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-+ do
-+ {
-+ size_t rcnt;
-+ if (count > (int)dctx->max_request)
-+ rcnt = dctx->max_request;
-+ else
-+ rcnt = count;
-+ if (dctx->get_adin)
-+ {
-+ adinlen = dctx->get_adin(dctx, &adin);
-+ if (adinlen && !adin)
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_BYTES, FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT);
-+ goto err;
-+ }
-+ }
-+ rv = FIPS_drbg_generate(dctx, out, rcnt, 0, adin, adinlen);
-+ if (adin)
-+ {
-+ if (dctx->cleanup_adin)
-+ dctx->cleanup_adin(dctx, adin, adinlen);
-+ adin = NULL;
-+ }
-+ if (!rv)
-+ goto err;
-+ out += rcnt;
-+ count -= rcnt;
-+ }
-+ while (count);
-+ rv = 1;
-+ err:
-+ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-+ return rv;
-+ }
-+
-+static int fips_drbg_pseudo(unsigned char *out, int count)
-+ {
-+ if (fips_drbg_bytes(out, count) <= 0)
-+ return -1;
-+ return 1;
-+ }
-+
-+static int fips_drbg_status(void)
-+ {
-+ DRBG_CTX *dctx = &ossl_dctx;
-+ int rv;
-+ CRYPTO_r_lock(CRYPTO_LOCK_RAND);
-+ rv = dctx->status == DRBG_STATUS_READY ? 1 : 0;
-+ CRYPTO_r_unlock(CRYPTO_LOCK_RAND);
-+ return rv;
-+ }
-+
-+static void fips_drbg_cleanup(void)
-+ {
-+ DRBG_CTX *dctx = &ossl_dctx;
-+ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-+ FIPS_drbg_uninstantiate(dctx);
-+ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-+ }
-+
-+static int fips_drbg_seed(const void *seed, int seedlen)
-+ {
-+ DRBG_CTX *dctx = &ossl_dctx;
-+ if (dctx->rand_seed_cb)
-+ return dctx->rand_seed_cb(dctx, seed, seedlen);
-+ return 1;
-+ }
-+
-+static int fips_drbg_add(const void *seed, int seedlen,
-+ double add_entropy)
-+ {
-+ DRBG_CTX *dctx = &ossl_dctx;
-+ if (dctx->rand_add_cb)
-+ return dctx->rand_add_cb(dctx, seed, seedlen, add_entropy);
-+ return 1;
-+ }
-+
-+static const RAND_METHOD rand_drbg_meth =
-+ {
-+ fips_drbg_seed,
-+ fips_drbg_bytes,
-+ fips_drbg_cleanup,
-+ fips_drbg_add,
-+ fips_drbg_pseudo,
-+ fips_drbg_status
-+ };
-+
-+const RAND_METHOD *FIPS_drbg_method(void)
-+ {
-+ return &rand_drbg_meth;
-+ }
-+
-diff -up openssl-1.0.1e/crypto/fips/fips_drbg_selftest.c.fips openssl-1.0.1e/crypto/fips/fips_drbg_selftest.c
---- openssl-1.0.1e/crypto/fips/fips_drbg_selftest.c.fips 2013-10-04 11:48:04.184694226 +0200
-+++ openssl-1.0.1e/crypto/fips/fips_drbg_selftest.c 2013-10-04 11:48:04.184694226 +0200
-@@ -0,0 +1,862 @@
-+/* fips/rand/fips_drbg_selftest.c */
-+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
-+ * project.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ */
-+
-+#include <string.h>
-+#include <openssl/crypto.h>
-+#include <openssl/err.h>
-+#include <openssl/fips_rand.h>
-+#include "fips_rand_lcl.h"
-+#include "fips_locl.h"
-+
-+#include "fips_drbg_selftest.h"
-+
-+typedef struct {
-+ int post;
-+ int nid;
-+ unsigned int flags;
-+
-+ /* KAT data for no PR */
-+ const unsigned char *ent;
-+ size_t entlen;
-+ const unsigned char *nonce;
-+ size_t noncelen;
-+ const unsigned char *pers;
-+ size_t perslen;
-+ const unsigned char *adin;
-+ size_t adinlen;
-+ const unsigned char *entreseed;
-+ size_t entreseedlen;
-+ const unsigned char *adinreseed;
-+ size_t adinreseedlen;
-+ const unsigned char *adin2;
-+ size_t adin2len;
-+ const unsigned char *kat;
-+ size_t katlen;
-+ const unsigned char *kat2;
-+ size_t kat2len;
-+
-+ /* KAT data for PR */
-+ const unsigned char *ent_pr;
-+ size_t entlen_pr;
-+ const unsigned char *nonce_pr;
-+ size_t noncelen_pr;
-+ const unsigned char *pers_pr;
-+ size_t perslen_pr;
-+ const unsigned char *adin_pr;
-+ size_t adinlen_pr;
-+ const unsigned char *entpr_pr;
-+ size_t entprlen_pr;
-+ const unsigned char *ading_pr;
-+ size_t adinglen_pr;
-+ const unsigned char *entg_pr;
-+ size_t entglen_pr;
-+ const unsigned char *kat_pr;
-+ size_t katlen_pr;
-+ const unsigned char *kat2_pr;
-+ size_t kat2len_pr;
-+
-+ } DRBG_SELFTEST_DATA;
-+
-+#define make_drbg_test_data(nid, flag, pr, p) {p, nid, flag | DRBG_FLAG_TEST, \
-+ pr##_entropyinput, sizeof(pr##_entropyinput), \
-+ pr##_nonce, sizeof(pr##_nonce), \
-+ pr##_personalizationstring, sizeof(pr##_personalizationstring), \
-+ pr##_additionalinput, sizeof(pr##_additionalinput), \
-+ pr##_entropyinputreseed, sizeof(pr##_entropyinputreseed), \
-+ pr##_additionalinputreseed, sizeof(pr##_additionalinputreseed), \
-+ pr##_additionalinput2, sizeof(pr##_additionalinput2), \
-+ pr##_int_returnedbits, sizeof(pr##_int_returnedbits), \
-+ pr##_returnedbits, sizeof(pr##_returnedbits), \
-+ pr##_pr_entropyinput, sizeof(pr##_pr_entropyinput), \
-+ pr##_pr_nonce, sizeof(pr##_pr_nonce), \
-+ pr##_pr_personalizationstring, sizeof(pr##_pr_personalizationstring), \
-+ pr##_pr_additionalinput, sizeof(pr##_pr_additionalinput), \
-+ pr##_pr_entropyinputpr, sizeof(pr##_pr_entropyinputpr), \
-+ pr##_pr_additionalinput2, sizeof(pr##_pr_additionalinput2), \
-+ pr##_pr_entropyinputpr2, sizeof(pr##_pr_entropyinputpr2), \
-+ pr##_pr_int_returnedbits, sizeof(pr##_pr_int_returnedbits), \
-+ pr##_pr_returnedbits, sizeof(pr##_pr_returnedbits), \
-+ }
-+
-+#define make_drbg_test_data_df(nid, pr, p) \
-+ make_drbg_test_data(nid, DRBG_FLAG_CTR_USE_DF, pr, p)
-+
-+#define make_drbg_test_data_ec(curve, md, pr, p) \
-+ make_drbg_test_data((curve << 16) | md , 0, pr, p)
-+
-+static DRBG_SELFTEST_DATA drbg_test[] = {
-+ make_drbg_test_data_df(NID_aes_128_ctr, aes_128_use_df, 0),
-+ make_drbg_test_data_df(NID_aes_192_ctr, aes_192_use_df, 0),
-+ make_drbg_test_data_df(NID_aes_256_ctr, aes_256_use_df, 1),
-+ make_drbg_test_data(NID_aes_128_ctr, 0, aes_128_no_df, 0),
-+ make_drbg_test_data(NID_aes_192_ctr, 0, aes_192_no_df, 0),
-+ make_drbg_test_data(NID_aes_256_ctr, 0, aes_256_no_df, 1),
-+ make_drbg_test_data(NID_sha1, 0, sha1, 0),
-+ make_drbg_test_data(NID_sha224, 0, sha224, 0),
-+ make_drbg_test_data(NID_sha256, 0, sha256, 1),
-+ make_drbg_test_data(NID_sha384, 0, sha384, 0),
-+ make_drbg_test_data(NID_sha512, 0, sha512, 0),
-+ make_drbg_test_data(NID_hmacWithSHA1, 0, hmac_sha1, 0),
-+ make_drbg_test_data(NID_hmacWithSHA224, 0, hmac_sha224, 0),
-+ make_drbg_test_data(NID_hmacWithSHA256, 0, hmac_sha256, 1),
-+ make_drbg_test_data(NID_hmacWithSHA384, 0, hmac_sha384, 0),
-+ make_drbg_test_data(NID_hmacWithSHA512, 0, hmac_sha512, 0),
-+ {0,0,0}
-+ };
-+
-+typedef struct
-+ {
-+ const unsigned char *ent;
-+ size_t entlen;
-+ int entcnt;
-+ const unsigned char *nonce;
-+ size_t noncelen;
-+ int noncecnt;
-+ } TEST_ENT;
-+
-+static size_t test_entropy(DRBG_CTX *dctx, unsigned char **pout,
-+ int entropy, size_t min_len, size_t max_len)
-+ {
-+ TEST_ENT *t = FIPS_drbg_get_app_data(dctx);
-+ *pout = (unsigned char *)t->ent;
-+ t->entcnt++;
-+ return t->entlen;
-+ }
-+
-+static size_t test_nonce(DRBG_CTX *dctx, unsigned char **pout,
-+ int entropy, size_t min_len, size_t max_len)
-+ {
-+ TEST_ENT *t = FIPS_drbg_get_app_data(dctx);
-+ *pout = (unsigned char *)t->nonce;
-+ t->noncecnt++;
-+ return t->noncelen;
-+ }
-+
-+static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td,
-+ int quick)
-+ {
-+ TEST_ENT t;
-+ int rv = 0;
-+ size_t adinlen;
-+ unsigned char randout[1024];
-+
-+ /* Initial test without PR */
-+
-+ /* Instantiate DRBG with test entropy, nonce and personalisation
-+ * string.
-+ */
-+
-+ if (!FIPS_drbg_init(dctx, td->nid, td->flags))
-+ return 0;
-+ if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
-+ return 0;
-+
-+ FIPS_drbg_set_app_data(dctx, &t);
-+
-+ t.ent = td->ent;
-+ t.entlen = td->entlen;
-+ t.nonce = td->nonce;
-+ t.noncelen = td->noncelen;
-+ t.entcnt = 0;
-+ t.noncecnt = 0;
-+
-+ if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen))
-+ goto err;
-+
-+ /* Note for CTR without DF some additional input values
-+ * ignore bytes after the keylength: so reduce adinlen
-+ * to half to ensure invalid data is fed in.
-+ */
-+ if (!fips_post_corrupt(FIPS_TEST_DRBG, dctx->type, &dctx->iflags))
-+ adinlen = td->adinlen / 2;
-+ else
-+ adinlen = td->adinlen;
-+
-+ /* Generate with no PR and verify output matches expected data */
-+ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,
-+ td->adin, adinlen))
-+ goto err;
-+
-+ if (memcmp(randout, td->kat, td->katlen))
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_NOPR_TEST1_FAILURE);
-+ goto err2;
-+ }
-+ /* If abbreviated POST end of test */
-+ if (quick)
-+ {
-+ rv = 1;
-+ goto err;
-+ }
-+ /* Reseed DRBG with test entropy and additional input */
-+ t.ent = td->entreseed;
-+ t.entlen = td->entreseedlen;
-+
-+ if (!FIPS_drbg_reseed(dctx, td->adinreseed, td->adinreseedlen))
-+ goto err;
-+
-+ /* Generate with no PR and verify output matches expected data */
-+ if (!FIPS_drbg_generate(dctx, randout, td->kat2len, 0,
-+ td->adin2, td->adin2len))
-+ goto err;
-+
-+ if (memcmp(randout, td->kat2, td->kat2len))
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_NOPR_TEST2_FAILURE);
-+ goto err2;
-+ }
-+
-+ FIPS_drbg_uninstantiate(dctx);
-+
-+ /* Now test with PR */
-+
-+ /* Instantiate DRBG with test entropy, nonce and personalisation
-+ * string.
-+ */
-+ if (!FIPS_drbg_init(dctx, td->nid, td->flags))
-+ return 0;
-+ if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
-+ return 0;
-+
-+ FIPS_drbg_set_app_data(dctx, &t);
-+
-+ t.ent = td->ent_pr;
-+ t.entlen = td->entlen_pr;
-+ t.nonce = td->nonce_pr;
-+ t.noncelen = td->noncelen_pr;
-+ t.entcnt = 0;
-+ t.noncecnt = 0;
-+
-+ if (!FIPS_drbg_instantiate(dctx, td->pers_pr, td->perslen_pr))
-+ goto err;
-+
-+ /* Now generate with PR: we need to supply entropy as this will
-+ * perform a reseed operation. Check output matches expected value.
-+ */
-+
-+ t.ent = td->entpr_pr;
-+ t.entlen = td->entprlen_pr;
-+
-+ /* Note for CTR without DF some additional input values
-+ * ignore bytes after the keylength: so reduce adinlen
-+ * to half to ensure invalid data is fed in.
-+ */
-+ if (!fips_post_corrupt(FIPS_TEST_DRBG, dctx->type, &dctx->iflags))
-+ adinlen = td->adinlen_pr / 2;
-+ else
-+ adinlen = td->adinlen_pr;
-+ if (!FIPS_drbg_generate(dctx, randout, td->katlen_pr, 1,
-+ td->adin_pr, adinlen))
-+ goto err;
-+
-+ if (memcmp(randout, td->kat_pr, td->katlen_pr))
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_PR_TEST1_FAILURE);
-+ goto err2;
-+ }
-+
-+ /* Now generate again with PR: supply new entropy again.
-+ * Check output matches expected value.
-+ */
-+
-+ t.ent = td->entg_pr;
-+ t.entlen = td->entglen_pr;
-+
-+ if (!FIPS_drbg_generate(dctx, randout, td->kat2len_pr, 1,
-+ td->ading_pr, td->adinglen_pr))
-+ goto err;
-+
-+ if (memcmp(randout, td->kat2_pr, td->kat2len_pr))
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_PR_TEST2_FAILURE);
-+ goto err2;
-+ }
-+ /* All OK, test complete */
-+ rv = 1;
-+
-+ err:
-+ if (rv == 0)
-+ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_SELFTEST_FAILED);
-+ err2:
-+ FIPS_drbg_uninstantiate(dctx);
-+
-+ return rv;
-+
-+ }
-+
-+/* Initialise a DRBG based on selftest data */
-+
-+static int do_drbg_init(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td, TEST_ENT *t)
-+ {
-+
-+ if (!FIPS_drbg_init(dctx, td->nid, td->flags))
-+ return 0;
-+
-+ if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
-+ return 0;
-+
-+ FIPS_drbg_set_app_data(dctx, t);
-+
-+ t->ent = td->ent;
-+ t->entlen = td->entlen;
-+ t->nonce = td->nonce;
-+ t->noncelen = td->noncelen;
-+ t->entcnt = 0;
-+ t->noncecnt = 0;
-+ return 1;
-+ }
-+
-+/* Initialise and instantiate DRBG based on selftest data */
-+static int do_drbg_instantiate(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td,
-+ TEST_ENT *t)
-+ {
-+ if (!do_drbg_init(dctx, td, t))
-+ return 0;
-+ if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen))
-+ return 0;
-+
-+ return 1;
-+ }
-+
-+/* This function performs extensive error checking as required by SP800-90.
-+ * Induce several failure modes and check an error condition is set.
-+ * This function along with fips_drbg_single_kat peforms the health checking
-+ * operation.
-+ */
-+
-+static int fips_drbg_error_check(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td)
-+ {
-+ unsigned char randout[1024];
-+ TEST_ENT t;
-+ size_t i;
-+ unsigned int reseed_counter_tmp;
-+ unsigned char *p = (unsigned char *)dctx;
-+
-+ /* Initialise DRBG */
-+
-+ if (!do_drbg_init(dctx, td, &t))
-+ goto err;
-+
-+ /* Don't report induced errors */
-+ dctx->iflags |= DRBG_FLAG_NOERR;
-+
-+ /* Personalisation string tests */
-+
-+ /* Test detection of too large personlisation string */
-+
-+ if (FIPS_drbg_instantiate(dctx, td->pers, dctx->max_pers + 1) > 0)
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_PERSONALISATION_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ /* Entropy source tests */
-+
-+ /* Test entropy source failure detecion: i.e. returns no data */
-+
-+ t.entlen = 0;
-+
-+ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0)
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_ENTROPY_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ /* Try to generate output from uninstantiated DRBG */
-+ if (FIPS_drbg_generate(dctx, randout, td->katlen, 0,
-+ td->adin, td->adinlen))
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_GENERATE_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ dctx->iflags &= ~DRBG_FLAG_NOERR;
-+ if (!FIPS_drbg_uninstantiate(dctx))
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
-+ goto err;
-+ }
-+
-+ if (!do_drbg_init(dctx, td, &t))
-+ goto err;
-+
-+ dctx->iflags |= DRBG_FLAG_NOERR;
-+
-+ /* Test insufficient entropy */
-+
-+ t.entlen = dctx->min_entropy - 1;
-+
-+ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0)
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_ENTROPY_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ dctx->iflags &= ~DRBG_FLAG_NOERR;
-+ if (!FIPS_drbg_uninstantiate(dctx))
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
-+ goto err;
-+ }
-+
-+ /* Test too much entropy */
-+
-+ if (!do_drbg_init(dctx, td, &t))
-+ goto err;
-+
-+ dctx->iflags |= DRBG_FLAG_NOERR;
-+
-+ t.entlen = dctx->max_entropy + 1;
-+
-+ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0)
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_ENTROPY_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ dctx->iflags &= ~DRBG_FLAG_NOERR;
-+ if (!FIPS_drbg_uninstantiate(dctx))
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
-+ goto err;
-+ }
-+
-+ /* Nonce tests */
-+
-+ /* Test too small nonce */
-+
-+ if (dctx->min_nonce)
-+ {
-+
-+ if (!do_drbg_init(dctx, td, &t))
-+ goto err;
-+
-+ dctx->iflags |= DRBG_FLAG_NOERR;
-+
-+ t.noncelen = dctx->min_nonce - 1;
-+
-+ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0)
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_NONCE_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ dctx->iflags &= ~DRBG_FLAG_NOERR;
-+ if (!FIPS_drbg_uninstantiate(dctx))
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
-+ goto err;
-+ }
-+
-+ }
-+
-+ /* Test too large nonce */
-+
-+ if (dctx->max_nonce)
-+ {
-+
-+ if (!do_drbg_init(dctx, td, &t))
-+ goto err;
-+
-+ dctx->iflags |= DRBG_FLAG_NOERR;
-+
-+ t.noncelen = dctx->max_nonce + 1;
-+
-+ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0)
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_NONCE_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ dctx->iflags &= ~DRBG_FLAG_NOERR;
-+ if (!FIPS_drbg_uninstantiate(dctx))
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
-+ goto err;
-+ }
-+
-+ }
-+
-+ /* Instantiate with valid data. */
-+ if (!do_drbg_instantiate(dctx, td, &t))
-+ goto err;
-+
-+ /* Check generation is now OK */
-+ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,
-+ td->adin, td->adinlen))
-+ goto err;
-+
-+ dctx->iflags |= DRBG_FLAG_NOERR;
-+
-+ /* Request too much data for one request */
-+ if (FIPS_drbg_generate(dctx, randout, dctx->max_request + 1, 0,
-+ td->adin, td->adinlen))
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ /* Try too large additional input */
-+ if (FIPS_drbg_generate(dctx, randout, td->katlen, 0,
-+ td->adin, dctx->max_adin + 1))
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ /* Check prediction resistance request fails if entropy source
-+ * failure.
-+ */
-+
-+ t.entlen = 0;
-+
-+ if (FIPS_drbg_generate(dctx, randout, td->katlen, 1,
-+ td->adin, td->adinlen))
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_ENTROPY_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ dctx->iflags &= ~DRBG_FLAG_NOERR;
-+ if (!FIPS_drbg_uninstantiate(dctx))
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
-+ goto err;
-+ }
-+
-+
-+ /* Instantiate again with valid data */
-+
-+ if (!do_drbg_instantiate(dctx, td, &t))
-+ goto err;
-+ /* Test reseed counter works */
-+ /* Save initial reseed counter */
-+ reseed_counter_tmp = dctx->reseed_counter;
-+ /* Set reseed counter to beyond interval */
-+ dctx->reseed_counter = dctx->reseed_interval;
-+
-+ /* Generate output and check entropy has been requested for reseed */
-+ t.entcnt = 0;
-+ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,
-+ td->adin, td->adinlen))
-+ goto err;
-+ if (t.entcnt != 1)
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED);
-+ goto err;
-+ }
-+ /* Check reseed counter has been reset */
-+ if (dctx->reseed_counter != reseed_counter_tmp + 1)
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_RESEED_COUNTER_ERROR);
-+ goto err;
-+ }
-+
-+ dctx->iflags &= ~DRBG_FLAG_NOERR;
-+ if (!FIPS_drbg_uninstantiate(dctx))
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
-+ goto err;
-+ }
-+
-+ /* Check prediction resistance request fails if entropy source
-+ * failure.
-+ */
-+
-+ t.entlen = 0;
-+
-+ dctx->iflags |= DRBG_FLAG_NOERR;
-+ if (FIPS_drbg_generate(dctx, randout, td->katlen, 1,
-+ td->adin, td->adinlen))
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_ENTROPY_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ dctx->iflags &= ~DRBG_FLAG_NOERR;
-+
-+ if (!FIPS_drbg_uninstantiate(dctx))
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
-+ goto err;
-+ }
-+
-+
-+ if (!do_drbg_instantiate(dctx, td, &t))
-+ goto err;
-+ /* Test reseed counter works */
-+ /* Save initial reseed counter */
-+ reseed_counter_tmp = dctx->reseed_counter;
-+ /* Set reseed counter to beyond interval */
-+ dctx->reseed_counter = dctx->reseed_interval;
-+
-+ /* Generate output and check entropy has been requested for reseed */
-+ t.entcnt = 0;
-+ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,
-+ td->adin, td->adinlen))
-+ goto err;
-+ if (t.entcnt != 1)
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED);
-+ goto err;
-+ }
-+ /* Check reseed counter has been reset */
-+ if (dctx->reseed_counter != reseed_counter_tmp + 1)
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_RESEED_COUNTER_ERROR);
-+ goto err;
-+ }
-+
-+ dctx->iflags &= ~DRBG_FLAG_NOERR;
-+ if (!FIPS_drbg_uninstantiate(dctx))
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
-+ goto err;
-+ }
-+
-+ /* Explicit reseed tests */
-+
-+ /* Test explicit reseed with too large additional input */
-+ if (!do_drbg_init(dctx, td, &t))
-+ goto err;
-+
-+ dctx->iflags |= DRBG_FLAG_NOERR;
-+
-+ if (FIPS_drbg_reseed(dctx, td->adin, dctx->max_adin + 1) > 0)
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ /* Test explicit reseed with entropy source failure */
-+
-+ t.entlen = 0;
-+
-+ if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0)
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_ENTROPY_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ if (!FIPS_drbg_uninstantiate(dctx))
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
-+ goto err;
-+ }
-+
-+ /* Test explicit reseed with too much entropy */
-+
-+ if (!do_drbg_init(dctx, td, &t))
-+ goto err;
-+
-+ dctx->iflags |= DRBG_FLAG_NOERR;
-+
-+ t.entlen = dctx->max_entropy + 1;
-+
-+ if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0)
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_ENTROPY_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ if (!FIPS_drbg_uninstantiate(dctx))
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
-+ goto err;
-+ }
-+
-+ /* Test explicit reseed with too little entropy */
-+
-+ if (!do_drbg_init(dctx, td, &t))
-+ goto err;
-+
-+ dctx->iflags |= DRBG_FLAG_NOERR;
-+
-+ t.entlen = dctx->min_entropy - 1;
-+
-+ if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0)
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_ENTROPY_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ if (!FIPS_drbg_uninstantiate(dctx))
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
-+ goto err;
-+ }
-+
-+ p = (unsigned char *)&dctx->d;
-+ /* Standard says we have to check uninstantiate really zeroes
-+ * the data...
-+ */
-+ for (i = 0; i < sizeof(dctx->d); i++)
-+ {
-+ if (*p != 0)
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ZEROISE_ERROR);
-+ goto err;
-+ }
-+ p++;
-+ }
-+
-+ return 1;
-+
-+ err:
-+ /* A real error as opposed to an induced one: underlying function will
-+ * indicate the error.
-+ */
-+ if (!(dctx->iflags & DRBG_FLAG_NOERR))
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_FUNCTION_ERROR);
-+ FIPS_drbg_uninstantiate(dctx);
-+ return 0;
-+
-+ }
-+
-+int fips_drbg_kat(DRBG_CTX *dctx, int nid, unsigned int flags)
-+ {
-+ DRBG_SELFTEST_DATA *td;
-+ flags |= DRBG_FLAG_TEST;
-+ for (td = drbg_test; td->nid != 0; td++)
-+ {
-+ if (td->nid == nid && td->flags == flags)
-+ {
-+ if (!fips_drbg_single_kat(dctx, td, 0))
-+ return 0;
-+ return fips_drbg_error_check(dctx, td);
-+ }
-+ }
-+ return 0;
-+ }
-+
-+int FIPS_drbg_health_check(DRBG_CTX *dctx)
-+ {
-+ int rv;
-+ DRBG_CTX *tctx = NULL;
-+ tctx = FIPS_drbg_new(0, 0);
-+ fips_post_started(FIPS_TEST_DRBG, dctx->type, &dctx->xflags);
-+ if (!tctx)
-+ return 0;
-+ rv = fips_drbg_kat(tctx, dctx->type, dctx->xflags);
-+ if (tctx)
-+ FIPS_drbg_free(tctx);
-+ if (rv)
-+ fips_post_success(FIPS_TEST_DRBG, dctx->type, &dctx->xflags);
-+ else
-+ fips_post_failed(FIPS_TEST_DRBG, dctx->type, &dctx->xflags);
-+ if (!rv)
-+ dctx->status = DRBG_STATUS_ERROR;
-+ else
-+ dctx->health_check_cnt = 0;
-+ return rv;
-+ }
-+
-+int FIPS_selftest_drbg(void)
-+ {
-+ DRBG_CTX *dctx;
-+ DRBG_SELFTEST_DATA *td;
-+ int rv = 1;
-+ dctx = FIPS_drbg_new(0, 0);
-+ if (!dctx)
-+ return 0;
-+ for (td = drbg_test; td->nid != 0; td++)
-+ {
-+ if (td->post != 1)
-+ continue;
-+ if (!fips_post_started(FIPS_TEST_DRBG, td->nid, &td->flags))
-+ return 1;
-+ if (!fips_drbg_single_kat(dctx, td, 1))
-+ {
-+ fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags);
-+ rv = 0;
-+ continue;
-+ }
-+ if (!fips_post_success(FIPS_TEST_DRBG, td->nid, &td->flags))
-+ return 0;
-+ }
-+ FIPS_drbg_free(dctx);
-+ return rv;
-+ }
-+
-+
-+int FIPS_selftest_drbg_all(void)
-+ {
-+ DRBG_CTX *dctx;
-+ DRBG_SELFTEST_DATA *td;
-+ int rv = 1;
-+ dctx = FIPS_drbg_new(0, 0);
-+ if (!dctx)
-+ return 0;
-+ for (td = drbg_test; td->nid != 0; td++)
-+ {
-+ if (!fips_post_started(FIPS_TEST_DRBG, td->nid, &td->flags))
-+ return 1;
-+ if (!fips_drbg_single_kat(dctx, td, 0))
-+ {
-+ fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags);
-+ rv = 0;
-+ continue;
-+ }
-+ if (!fips_drbg_error_check(dctx, td))
-+ {
-+ fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags);
-+ rv = 0;
-+ continue;
-+ }
-+ if (!fips_post_success(FIPS_TEST_DRBG, td->nid, &td->flags))
-+ return 0;
-+ }
-+ FIPS_drbg_free(dctx);
-+ return rv;
-+ }
-+
-diff -up openssl-1.0.1e/crypto/fips/fips_drbg_selftest.h.fips openssl-1.0.1e/crypto/fips/fips_drbg_selftest.h
---- openssl-1.0.1e/crypto/fips/fips_drbg_selftest.h.fips 2013-10-04 11:48:04.185694249 +0200
-+++ openssl-1.0.1e/crypto/fips/fips_drbg_selftest.h 2013-10-04 11:48:04.185694249 +0200
-@@ -0,0 +1,2335 @@
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+/* Selftest and health check data for the SP800-90 DRBG */
-+
-+#define __fips_constseg
-+
-+/* AES-128 use df PR */
-+__fips_constseg
-+static const unsigned char aes_128_use_df_pr_entropyinput[] =
-+ {
-+ 0x61,0x52,0x7c,0xe3,0x23,0x7d,0x0a,0x07,0x10,0x0c,0x50,0x33,
-+ 0xc8,0xdb,0xff,0x12
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_use_df_pr_nonce[] =
-+ {
-+ 0x51,0x0d,0x85,0x77,0xed,0x22,0x97,0x28
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_use_df_pr_personalizationstring[] =
-+ {
-+ 0x59,0x9f,0xbb,0xcd,0xd5,0x25,0x69,0xb5,0xcb,0xb5,0x03,0xfe,
-+ 0xd7,0xd7,0x01,0x67
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_use_df_pr_additionalinput[] =
-+ {
-+ 0xef,0x88,0x76,0x01,0xaf,0x3c,0xfe,0x8b,0xaf,0x26,0x06,0x9e,
-+ 0x9a,0x47,0x08,0x76
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_use_df_pr_entropyinputpr[] =
-+ {
-+ 0xe2,0x76,0xf9,0xf6,0x3a,0xba,0x10,0x9f,0xbf,0x47,0x0e,0x51,
-+ 0x09,0xfb,0xa3,0xb6
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_use_df_pr_int_returnedbits[] =
-+ {
-+ 0xd4,0x98,0x8a,0x46,0x80,0x4c,0xdb,0xa3,0x59,0x02,0x57,0x52,
-+ 0x66,0x1c,0xea,0x5b
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_use_df_pr_additionalinput2[] =
-+ {
-+ 0x88,0x8c,0x91,0xd6,0xbe,0x56,0x6e,0x08,0x9a,0x62,0x2b,0x11,
-+ 0x3f,0x5e,0x31,0x06
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_use_df_pr_entropyinputpr2[] =
-+ {
-+ 0xc0,0x5c,0x6b,0x98,0x01,0x0d,0x58,0x18,0x51,0x18,0x96,0xae,
-+ 0xa7,0xe3,0xa8,0x67
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_use_df_pr_returnedbits[] =
-+ {
-+ 0xcf,0x01,0xac,0x22,0x31,0x06,0x8e,0xfc,0xce,0x56,0xea,0x24,
-+ 0x0f,0x38,0x43,0xc6
-+ };
-+
-+
-+/* AES-128 use df No PR */
-+__fips_constseg
-+static const unsigned char aes_128_use_df_entropyinput[] =
-+ {
-+ 0x1f,0x8e,0x34,0x82,0x0c,0xb7,0xbe,0xc5,0x01,0x3e,0xd0,0xa3,
-+ 0x9d,0x7d,0x1c,0x9b
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_use_df_nonce[] =
-+ {
-+ 0xd5,0x4d,0xbd,0x4a,0x93,0x7f,0xb8,0x96
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_use_df_personalizationstring[] =
-+ {
-+ 0xab,0xd6,0x3f,0x04,0xfe,0x27,0x6b,0x2d,0xd7,0xc3,0x1c,0xf3,
-+ 0x38,0x66,0xba,0x1b
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_use_df_additionalinput[] =
-+ {
-+ 0xfe,0xf4,0x09,0xa8,0xb7,0x73,0x27,0x9c,0x5f,0xa7,0xea,0x46,
-+ 0xb5,0xe2,0xb2,0x41
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_use_df_int_returnedbits[] =
-+ {
-+ 0x42,0xe4,0x4e,0x7b,0x27,0xdd,0xcb,0xbc,0x0a,0xcf,0xa6,0x67,
-+ 0xe7,0x57,0x11,0xb4
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_use_df_entropyinputreseed[] =
-+ {
-+ 0x14,0x26,0x69,0xd9,0xf3,0x65,0x03,0xd6,0x6b,0xb9,0x44,0x0b,
-+ 0xc7,0xc4,0x9e,0x39
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_use_df_additionalinputreseed[] =
-+ {
-+ 0x55,0x2e,0x60,0x9a,0x05,0x72,0x8a,0xa8,0xef,0x22,0x81,0x5a,
-+ 0xc8,0x93,0xfa,0x84
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_use_df_additionalinput2[] =
-+ {
-+ 0x3c,0x40,0xc8,0xc4,0x16,0x0c,0x21,0xa4,0x37,0x2c,0x8f,0xa5,
-+ 0x06,0x0c,0x15,0x2c
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_use_df_returnedbits[] =
-+ {
-+ 0xe1,0x3e,0x99,0x98,0x86,0x67,0x0b,0x63,0x7b,0xbe,0x3f,0x88,
-+ 0x46,0x81,0xc7,0x19
-+ };
-+
-+
-+/* AES-192 use df PR */
-+__fips_constseg
-+static const unsigned char aes_192_use_df_pr_entropyinput[] =
-+ {
-+ 0x2b,0x4e,0x8b,0xe1,0xf1,0x34,0x80,0x56,0x81,0xf9,0x74,0xec,
-+ 0x17,0x44,0x2a,0xf1,0x14,0xb0,0xbf,0x97,0x39,0xb7,0x04,0x7d
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_use_df_pr_nonce[] =
-+ {
-+ 0xd6,0x9d,0xeb,0x14,0x4e,0x6c,0x30,0x1e,0x39,0x55,0x73,0xd0,
-+ 0xd1,0x80,0x78,0xfa
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_use_df_pr_personalizationstring[] =
-+ {
-+ 0xfc,0x43,0x4a,0xf8,0x9a,0x55,0xb3,0x53,0x83,0xe2,0x18,0x16,
-+ 0x0c,0xdc,0xcd,0x5e,0x4f,0xa0,0x03,0x01,0x2b,0x9f,0xe4,0xd5,
-+ 0x7d,0x49,0xf0,0x41,0x9e,0x3d,0x99,0x04
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_use_df_pr_additionalinput[] =
-+ {
-+ 0x5e,0x9f,0x49,0x6f,0x21,0x8b,0x1d,0x32,0xd5,0x84,0x5c,0xac,
-+ 0xaf,0xdf,0xe4,0x79,0x9e,0xaf,0xa9,0x82,0xd0,0xf8,0x4f,0xcb,
-+ 0x69,0x10,0x0a,0x7e,0x81,0x57,0xb5,0x36
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_use_df_pr_entropyinputpr[] =
-+ {
-+ 0xd4,0x81,0x0c,0xd7,0x66,0x39,0xec,0x42,0x53,0x87,0x41,0xa5,
-+ 0x1e,0x7d,0x80,0x91,0x8e,0xbb,0xed,0xac,0x14,0x02,0x1a,0xd5
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_use_df_pr_int_returnedbits[] =
-+ {
-+ 0xdf,0x1d,0x39,0x45,0x7c,0x9b,0xc6,0x2b,0x7d,0x8c,0x93,0xe9,
-+ 0x19,0x30,0x6b,0x67
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_use_df_pr_additionalinput2[] =
-+ {
-+ 0x00,0x71,0x27,0x4e,0xd3,0x14,0xf1,0x20,0x7f,0x4a,0x41,0x32,
-+ 0x2a,0x97,0x11,0x43,0x8f,0x4a,0x15,0x7b,0x9b,0x51,0x79,0xda,
-+ 0x49,0x3d,0xde,0xe8,0xbc,0x93,0x91,0x99
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_use_df_pr_entropyinputpr2[] =
-+ {
-+ 0x90,0xee,0x76,0xa1,0x45,0x8d,0xb7,0x40,0xb0,0x11,0xbf,0xd0,
-+ 0x65,0xd7,0x3c,0x7c,0x4f,0x20,0x3f,0x4e,0x11,0x9d,0xb3,0x5e
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_use_df_pr_returnedbits[] =
-+ {
-+ 0x24,0x3b,0x20,0xa4,0x37,0x66,0xba,0x72,0x39,0x3f,0xcf,0x3c,
-+ 0x7e,0x1a,0x2b,0x83
-+ };
-+
-+
-+/* AES-192 use df No PR */
-+__fips_constseg
-+static const unsigned char aes_192_use_df_entropyinput[] =
-+ {
-+ 0x8d,0x74,0xa4,0x50,0x1a,0x02,0x68,0x0c,0x2a,0x69,0xc4,0x82,
-+ 0x3b,0xbb,0xda,0x0e,0x7f,0x77,0xa3,0x17,0x78,0x57,0xb2,0x7b
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_use_df_nonce[] =
-+ {
-+ 0x75,0xd5,0x1f,0xac,0xa4,0x8d,0x42,0x78,0xd7,0x69,0x86,0x9d,
-+ 0x77,0xd7,0x41,0x0e
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_use_df_personalizationstring[] =
-+ {
-+ 0x4e,0x33,0x41,0x3c,0x9c,0xc2,0xd2,0x53,0xaf,0x90,0xea,0xcf,
-+ 0x19,0x50,0x1e,0xe6,0x6f,0x63,0xc8,0x32,0x22,0xdc,0x07,0x65,
-+ 0x9c,0xd3,0xf8,0x30,0x9e,0xed,0x35,0x70
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_use_df_additionalinput[] =
-+ {
-+ 0x5d,0x8b,0x8c,0xc1,0xdf,0x0e,0x02,0x78,0xfb,0x19,0xb8,0x69,
-+ 0x78,0x4e,0x9c,0x52,0xbc,0xc7,0x20,0xc9,0xe6,0x5e,0x77,0x22,
-+ 0x28,0x3d,0x0c,0x9e,0x68,0xa8,0x45,0xd7
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_use_df_int_returnedbits[] =
-+ {
-+ 0xd5,0xe7,0x08,0xc5,0x19,0x99,0xd5,0x31,0x03,0x0a,0x74,0xb6,
-+ 0xb7,0xed,0xe9,0xea
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_use_df_entropyinputreseed[] =
-+ {
-+ 0x9c,0x26,0xda,0xf1,0xac,0xd9,0x5a,0xd6,0xa8,0x65,0xf5,0x02,
-+ 0x8f,0xdc,0xa2,0x09,0x54,0xa6,0xe2,0xa4,0xde,0x32,0xe0,0x01
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_use_df_additionalinputreseed[] =
-+ {
-+ 0x9b,0x90,0xb0,0x3a,0x0e,0x3a,0x80,0x07,0x4a,0xf4,0xda,0x76,
-+ 0x28,0x30,0x3c,0xee,0x54,0x1b,0x94,0x59,0x51,0x43,0x56,0x77,
-+ 0xaf,0x88,0xdd,0x63,0x89,0x47,0x06,0x65
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_use_df_additionalinput2[] =
-+ {
-+ 0x3c,0x11,0x64,0x7a,0x96,0xf5,0xd8,0xb8,0xae,0xd6,0x70,0x4e,
-+ 0x16,0x96,0xde,0xe9,0x62,0xbc,0xee,0x28,0x2f,0x26,0xa6,0xf0,
-+ 0x56,0xef,0xa3,0xf1,0x6b,0xa1,0xb1,0x77
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_use_df_returnedbits[] =
-+ {
-+ 0x0b,0xe2,0x56,0x03,0x1e,0xdb,0x2c,0x6d,0x7f,0x1b,0x15,0x58,
-+ 0x1a,0xf9,0x13,0x28
-+ };
-+
-+
-+/* AES-256 use df PR */
-+__fips_constseg
-+static const unsigned char aes_256_use_df_pr_entropyinput[] =
-+ {
-+ 0x61,0x68,0xfc,0x1a,0xf0,0xb5,0x95,0x6b,0x85,0x09,0x9b,0x74,
-+ 0x3f,0x13,0x78,0x49,0x3b,0x85,0xec,0x93,0x13,0x3b,0xa9,0x4f,
-+ 0x96,0xab,0x2c,0xe4,0xc8,0x8f,0xdd,0x6a
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_use_df_pr_nonce[] =
-+ {
-+ 0xad,0xd2,0xbb,0xba,0xb7,0x65,0x89,0xc3,0x21,0x6c,0x55,0x33,
-+ 0x2b,0x36,0xff,0xa4
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_use_df_pr_personalizationstring[] =
-+ {
-+ 0x6e,0xca,0xe7,0x20,0x72,0xd3,0x84,0x5a,0x32,0xd3,0x4b,0x24,
-+ 0x72,0xc4,0x63,0x2b,0x9d,0x12,0x24,0x0c,0x23,0x26,0x8e,0x83,
-+ 0x16,0x37,0x0b,0xd1,0x06,0x4f,0x68,0x6d
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_use_df_pr_additionalinput[] =
-+ {
-+ 0x7e,0x08,0x4a,0xbb,0xe3,0x21,0x7c,0xc9,0x23,0xd2,0xf8,0xb0,
-+ 0x73,0x98,0xba,0x84,0x74,0x23,0xab,0x06,0x8a,0xe2,0x22,0xd3,
-+ 0x7b,0xce,0x9b,0xd2,0x4a,0x76,0xb8,0xde
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_use_df_pr_entropyinputpr[] =
-+ {
-+ 0x0b,0x23,0xaf,0xdf,0xf1,0x62,0xd7,0xd3,0x43,0x97,0xf8,0x77,
-+ 0x04,0xa8,0x42,0x20,0xbd,0xf6,0x0f,0xc1,0x17,0x2f,0x9f,0x54,
-+ 0xbb,0x56,0x17,0x86,0x68,0x0e,0xba,0xa9
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_use_df_pr_int_returnedbits[] =
-+ {
-+ 0x31,0x8e,0xad,0xaf,0x40,0xeb,0x6b,0x74,0x31,0x46,0x80,0xc7,
-+ 0x17,0xab,0x3c,0x7a
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_use_df_pr_additionalinput2[] =
-+ {
-+ 0x94,0x6b,0xc9,0x9f,0xab,0x8d,0xc5,0xec,0x71,0x88,0x1d,0x00,
-+ 0x8c,0x89,0x68,0xe4,0xc8,0x07,0x77,0x36,0x17,0x6d,0x79,0x78,
-+ 0xc7,0x06,0x4e,0x99,0x04,0x28,0x29,0xc3
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_use_df_pr_entropyinputpr2[] =
-+ {
-+ 0xbf,0x6c,0x59,0x2a,0x0d,0x44,0x0f,0xae,0x9a,0x5e,0x03,0x73,
-+ 0xd8,0xa6,0xe1,0xcf,0x25,0x61,0x38,0x24,0x86,0x9e,0x53,0xe8,
-+ 0xa4,0xdf,0x56,0xf4,0x06,0x07,0x9c,0x0f
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_use_df_pr_returnedbits[] =
-+ {
-+ 0x22,0x4a,0xb4,0xb8,0xb6,0xee,0x7d,0xb1,0x9e,0xc9,0xf9,0xa0,
-+ 0xd9,0xe2,0x97,0x00
-+ };
-+
-+
-+/* AES-256 use df No PR */
-+__fips_constseg
-+static const unsigned char aes_256_use_df_entropyinput[] =
-+ {
-+ 0xa5,0x3e,0x37,0x10,0x17,0x43,0x91,0x93,0x59,0x1e,0x47,0x50,
-+ 0x87,0xaa,0xdd,0xd5,0xc1,0xc3,0x86,0xcd,0xca,0x0d,0xdb,0x68,
-+ 0xe0,0x02,0xd8,0x0f,0xdc,0x40,0x1a,0x47
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_use_df_nonce[] =
-+ {
-+ 0xa9,0x4d,0xa5,0x5a,0xfd,0xc5,0x0c,0xe5,0x1c,0x9a,0x3b,0x8a,
-+ 0x4c,0x44,0x84,0x40
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_use_df_personalizationstring[] =
-+ {
-+ 0x8b,0x52,0xa2,0x4a,0x93,0xc3,0x4e,0xa7,0x1e,0x1c,0xa7,0x05,
-+ 0xeb,0x82,0x9b,0xa6,0x5d,0xe4,0xd4,0xe0,0x7f,0xa3,0xd8,0x6b,
-+ 0x37,0x84,0x5f,0xf1,0xc7,0xd5,0xf6,0xd2
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_use_df_additionalinput[] =
-+ {
-+ 0x20,0xf4,0x22,0xed,0xf8,0x5c,0xa1,0x6a,0x01,0xcf,0xbe,0x5f,
-+ 0x8d,0x6c,0x94,0x7f,0xae,0x12,0xa8,0x57,0xdb,0x2a,0xa9,0xbf,
-+ 0xc7,0xb3,0x65,0x81,0x80,0x8d,0x0d,0x46
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_use_df_int_returnedbits[] =
-+ {
-+ 0x4e,0x44,0xfd,0xf3,0x9e,0x29,0xa2,0xb8,0x0f,0x5d,0x6c,0xe1,
-+ 0x28,0x0c,0x3b,0xc1
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_use_df_entropyinputreseed[] =
-+ {
-+ 0xdd,0x40,0xe5,0x98,0x7b,0x27,0x16,0x73,0x15,0x68,0xd2,0x76,
-+ 0xbf,0x0c,0x67,0x15,0x75,0x79,0x03,0xd3,0xde,0xde,0x91,0x46,
-+ 0x42,0xdd,0xd4,0x67,0xc8,0x79,0xc8,0x1e
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_use_df_additionalinputreseed[] =
-+ {
-+ 0x7f,0xd8,0x1f,0xbd,0x2a,0xb5,0x1c,0x11,0x5d,0x83,0x4e,0x99,
-+ 0xf6,0x5c,0xa5,0x40,0x20,0xed,0x38,0x8e,0xd5,0x9e,0xe0,0x75,
-+ 0x93,0xfe,0x12,0x5e,0x5d,0x73,0xfb,0x75
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_use_df_additionalinput2[] =
-+ {
-+ 0xcd,0x2c,0xff,0x14,0x69,0x3e,0x4c,0x9e,0xfd,0xfe,0x26,0x0d,
-+ 0xe9,0x86,0x00,0x49,0x30,0xba,0xb1,0xc6,0x50,0x57,0x77,0x2a,
-+ 0x62,0x39,0x2c,0x3b,0x74,0xeb,0xc9,0x0d
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_use_df_returnedbits[] =
-+ {
-+ 0x4f,0x78,0xbe,0xb9,0x4d,0x97,0x8c,0xe9,0xd0,0x97,0xfe,0xad,
-+ 0xfa,0xfd,0x35,0x5e
-+ };
-+
-+
-+/* AES-128 no df PR */
-+__fips_constseg
-+static const unsigned char aes_128_no_df_pr_entropyinput[] =
-+ {
-+ 0x9a,0x25,0x65,0x10,0x67,0xd5,0xb6,0x6b,0x70,0xa1,0xb3,0xa4,
-+ 0x43,0x95,0x80,0xc0,0x84,0x0a,0x79,0xb0,0x88,0x74,0xf2,0xbf,
-+ 0x31,0x6c,0x33,0x38,0x0b,0x00,0xb2,0x5a
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_no_df_pr_nonce[] =
-+ {
-+ 0x78,0x47,0x6b,0xf7,0x90,0x8e,0x87,0xf1
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_no_df_pr_personalizationstring[] =
-+ {
-+ 0xf7,0x22,0x1d,0x3a,0xbe,0x1d,0xca,0x32,0x1b,0xbd,0x87,0x0c,
-+ 0x51,0x24,0x19,0xee,0xa3,0x23,0x09,0x63,0x33,0x3d,0xa8,0x0c,
-+ 0x1c,0xfa,0x42,0x89,0xcc,0x6f,0xa0,0xa8
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_no_df_pr_additionalinput[] =
-+ {
-+ 0xc9,0xe0,0x80,0xbf,0x8c,0x45,0x58,0x39,0xff,0x00,0xab,0x02,
-+ 0x4c,0x3e,0x3a,0x95,0x9b,0x80,0xa8,0x21,0x2a,0xee,0xba,0x73,
-+ 0xb1,0xd9,0xcf,0x28,0xf6,0x8f,0x9b,0x12
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_no_df_pr_entropyinputpr[] =
-+ {
-+ 0x4c,0xa8,0xc5,0xf0,0x59,0x9e,0xa6,0x8d,0x26,0x53,0xd7,0x8a,
-+ 0xa9,0xd8,0xf7,0xed,0xb2,0xf9,0x12,0x42,0xe1,0xe5,0xbd,0xe7,
-+ 0xe7,0x1d,0x74,0x99,0x00,0x9d,0x31,0x3e
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_no_df_pr_int_returnedbits[] =
-+ {
-+ 0xe2,0xac,0x20,0xf0,0x80,0xe7,0xbc,0x7e,0x9c,0x7b,0x65,0x71,
-+ 0xaf,0x19,0x32,0x16
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_no_df_pr_additionalinput2[] =
-+ {
-+ 0x32,0x7f,0x38,0x8b,0x73,0x0a,0x78,0x83,0xdc,0x30,0xbe,0x9f,
-+ 0x10,0x1f,0xf5,0x1f,0xca,0x00,0xb5,0x0d,0xd6,0x9d,0x60,0x83,
-+ 0x51,0x54,0x7d,0x38,0x23,0x3a,0x52,0x50
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_no_df_pr_entropyinputpr2[] =
-+ {
-+ 0x18,0x61,0x53,0x56,0xed,0xed,0xd7,0x20,0xfb,0x71,0x04,0x7a,
-+ 0xb2,0xac,0xc1,0x28,0xcd,0xf2,0xc2,0xfc,0xaa,0xb1,0x06,0x07,
-+ 0xe9,0x46,0x95,0x02,0x48,0x01,0x78,0xf9
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_no_df_pr_returnedbits[] =
-+ {
-+ 0x29,0xc8,0x1b,0x15,0xb1,0xd1,0xc2,0xf6,0x71,0x86,0x68,0x33,
-+ 0x57,0x82,0x33,0xaf
-+ };
-+
-+
-+/* AES-128 no df No PR */
-+__fips_constseg
-+static const unsigned char aes_128_no_df_entropyinput[] =
-+ {
-+ 0xc9,0xc5,0x79,0xbc,0xe8,0xc5,0x19,0xd8,0xbc,0x66,0x73,0x67,
-+ 0xf6,0xd3,0x72,0xaa,0xa6,0x16,0xb8,0x50,0xb7,0x47,0x3a,0x42,
-+ 0xab,0xf4,0x16,0xb2,0x96,0xd2,0xb6,0x60
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_no_df_nonce[] =
-+ {
-+ 0x5f,0xbf,0x97,0x0c,0x4b,0xa4,0x87,0x13
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_no_df_personalizationstring[] =
-+ {
-+ 0xce,0xfb,0x7b,0x3f,0xd4,0x6b,0x29,0x0d,0x69,0x06,0xff,0xbb,
-+ 0xf2,0xe5,0xc6,0x6c,0x0a,0x10,0xa0,0xcf,0x1a,0x48,0xc7,0x8b,
-+ 0x3c,0x16,0x88,0xed,0x50,0x13,0x81,0xce
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_no_df_additionalinput[] =
-+ {
-+ 0x4b,0x22,0x46,0x18,0x02,0x7b,0xd2,0x1b,0x22,0x42,0x7c,0x37,
-+ 0xd9,0xf6,0xe8,0x9b,0x12,0x30,0x5f,0xe9,0x90,0xe8,0x08,0x24,
-+ 0x4f,0x06,0x66,0xdb,0x19,0x2b,0x13,0x95
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_no_df_int_returnedbits[] =
-+ {
-+ 0x2e,0x96,0x70,0x64,0xfa,0xdf,0xdf,0x57,0xb5,0x82,0xee,0xd6,
-+ 0xed,0x3e,0x65,0xc2
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_no_df_entropyinputreseed[] =
-+ {
-+ 0x26,0xc0,0x72,0x16,0x3a,0x4b,0xb7,0x99,0xd4,0x07,0xaf,0x66,
-+ 0x62,0x36,0x96,0xa4,0x51,0x17,0xfa,0x07,0x8b,0x17,0x5e,0xa1,
-+ 0x2f,0x3c,0x10,0xe7,0x90,0xd0,0x46,0x00
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_no_df_additionalinputreseed[] =
-+ {
-+ 0x83,0x39,0x37,0x7b,0x02,0x06,0xd2,0x12,0x13,0x8d,0x8b,0xf2,
-+ 0xf0,0xf6,0x26,0xeb,0xa4,0x22,0x7b,0xc2,0xe7,0xba,0x79,0xe4,
-+ 0x3b,0x77,0x5d,0x4d,0x47,0xb2,0x2d,0xb4
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_no_df_additionalinput2[] =
-+ {
-+ 0x0b,0xb9,0x67,0x37,0xdb,0x83,0xdf,0xca,0x81,0x8b,0xf9,0x3f,
-+ 0xf1,0x11,0x1b,0x2f,0xf0,0x61,0xa6,0xdf,0xba,0xa3,0xb1,0xac,
-+ 0xd3,0xe6,0x09,0xb8,0x2c,0x6a,0x67,0xd6
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_no_df_returnedbits[] =
-+ {
-+ 0x1e,0xa7,0xa4,0xe4,0xe1,0xa6,0x7c,0x69,0x9a,0x44,0x6c,0x36,
-+ 0x81,0x37,0x19,0xd4
-+ };
-+
-+
-+/* AES-192 no df PR */
-+__fips_constseg
-+static const unsigned char aes_192_no_df_pr_entropyinput[] =
-+ {
-+ 0x9d,0x2c,0xd2,0x55,0x66,0xea,0xe0,0xbe,0x18,0xb7,0x76,0xe7,
-+ 0x73,0x35,0xd8,0x1f,0xad,0x3a,0xe3,0x81,0x0e,0x92,0xd0,0x61,
-+ 0xc9,0x12,0x26,0xf6,0x1c,0xdf,0xfe,0x47,0xaa,0xfe,0x7d,0x5a,
-+ 0x17,0x1f,0x8d,0x9a
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_no_df_pr_nonce[] =
-+ {
-+ 0x44,0x82,0xed,0xe8,0x4c,0x28,0x5a,0x14,0xff,0x88,0x8d,0x19,
-+ 0x61,0x5c,0xee,0x0f
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_no_df_pr_personalizationstring[] =
-+ {
-+ 0x47,0xd7,0x9b,0x99,0xaa,0xcb,0xe7,0xd2,0x57,0x66,0x2c,0xe1,
-+ 0x78,0xd6,0x2c,0xea,0xa3,0x23,0x5f,0x2a,0xc1,0x3a,0xf0,0xa4,
-+ 0x20,0x3b,0xfa,0x07,0xd5,0x05,0x02,0xe4,0x57,0x01,0xb6,0x10,
-+ 0x57,0x2e,0xe7,0x55
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_no_df_pr_additionalinput[] =
-+ {
-+ 0x4b,0x74,0x0b,0x40,0xce,0x6b,0xc2,0x6a,0x24,0xb4,0xf3,0xad,
-+ 0x7a,0xa5,0x7a,0xa2,0x15,0xe2,0xc8,0x61,0x15,0xc6,0xb7,0x85,
-+ 0x69,0x11,0xad,0x7b,0x14,0xd2,0xf6,0x12,0xa1,0x95,0x5d,0x3f,
-+ 0xe2,0xd0,0x0c,0x2f
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_no_df_pr_entropyinputpr[] =
-+ {
-+ 0x0c,0x9c,0xad,0x05,0xee,0xae,0x48,0x23,0x89,0x59,0xa1,0x94,
-+ 0xd7,0xd8,0x75,0xd5,0x54,0x93,0xc7,0x4a,0xd9,0x26,0xde,0xeb,
-+ 0xba,0xb0,0x7e,0x30,0x1d,0x5f,0x69,0x40,0x9c,0x3b,0x17,0x58,
-+ 0x1d,0x30,0xb3,0x78
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_no_df_pr_int_returnedbits[] =
-+ {
-+ 0xf7,0x93,0xb0,0x6d,0x77,0x83,0xd5,0x38,0x01,0xe1,0x52,0x40,
-+ 0x7e,0x3e,0x0c,0x26
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_no_df_pr_additionalinput2[] =
-+ {
-+ 0xbc,0x4b,0x37,0x44,0x1c,0xc5,0x45,0x5f,0x8f,0x51,0x62,0x8a,
-+ 0x85,0x30,0x1d,0x7c,0xe4,0xcf,0xf7,0x44,0xce,0x32,0x3e,0x57,
-+ 0x95,0xa4,0x2a,0xdf,0xfd,0x9e,0x38,0x41,0xb3,0xf6,0xc5,0xee,
-+ 0x0c,0x4b,0xee,0x6e
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_no_df_pr_entropyinputpr2[] =
-+ {
-+ 0xec,0xaf,0xf6,0x4f,0xb1,0xa0,0x54,0xb5,0x5b,0xe3,0x46,0xb0,
-+ 0x76,0x5a,0x7c,0x3f,0x7b,0x94,0x69,0x21,0x51,0x02,0xe5,0x9f,
-+ 0x04,0x59,0x02,0x98,0xc6,0x43,0x2c,0xcc,0x26,0x4c,0x87,0x6b,
-+ 0x8e,0x0a,0x83,0xdf
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_no_df_pr_returnedbits[] =
-+ {
-+ 0x74,0x45,0xfb,0x53,0x84,0x96,0xbe,0xff,0x15,0xcc,0x41,0x91,
-+ 0xb9,0xa1,0x21,0x68
-+ };
-+
-+
-+/* AES-192 no df No PR */
-+__fips_constseg
-+static const unsigned char aes_192_no_df_entropyinput[] =
-+ {
-+ 0x3c,0x7d,0xb5,0xe0,0x54,0xd9,0x6e,0x8c,0xa9,0x86,0xce,0x4e,
-+ 0x6b,0xaf,0xeb,0x2f,0xe7,0x75,0xe0,0x8b,0xa4,0x3b,0x07,0xfe,
-+ 0xbe,0x33,0x75,0x93,0x80,0x27,0xb5,0x29,0x47,0x8b,0xc7,0x28,
-+ 0x94,0xc3,0x59,0x63
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_no_df_nonce[] =
-+ {
-+ 0x43,0xf1,0x7d,0xb8,0xc3,0xfe,0xd0,0x23,0x6b,0xb4,0x92,0xdb,
-+ 0x29,0xfd,0x45,0x71
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_no_df_personalizationstring[] =
-+ {
-+ 0x9f,0x24,0x29,0x99,0x9e,0x01,0xab,0xe9,0x19,0xd8,0x23,0x08,
-+ 0xb7,0xd6,0x7e,0x8c,0xc0,0x9e,0x7f,0x6e,0x5b,0x33,0x20,0x96,
-+ 0x0b,0x23,0x2c,0xa5,0x6a,0xf8,0x1b,0x04,0x26,0xdb,0x2e,0x2b,
-+ 0x3b,0x88,0xce,0x35
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_no_df_additionalinput[] =
-+ {
-+ 0x94,0xe9,0x7c,0x3d,0xa7,0xdb,0x60,0x83,0x1f,0x98,0x3f,0x0b,
-+ 0x88,0x59,0x57,0x51,0x88,0x9f,0x76,0x49,0x9f,0xa6,0xda,0x71,
-+ 0x1d,0x0d,0x47,0x16,0x63,0xc5,0x68,0xe4,0x5d,0x39,0x69,0xb3,
-+ 0x3e,0xbe,0xd4,0x8e
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_no_df_int_returnedbits[] =
-+ {
-+ 0xf9,0xd7,0xad,0x69,0xab,0x8f,0x23,0x56,0x70,0x17,0x4f,0x2a,
-+ 0x45,0xe7,0x4a,0xc5
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_no_df_entropyinputreseed[] =
-+ {
-+ 0xa6,0x71,0x6a,0x3d,0xba,0xd1,0xe8,0x66,0xa6,0xef,0xb2,0x0e,
-+ 0xa8,0x9c,0xaa,0x4e,0xaf,0x17,0x89,0x50,0x00,0xda,0xa1,0xb1,
-+ 0x0b,0xa4,0xd9,0x35,0x89,0xc8,0xe5,0xb0,0xd9,0xb7,0xc4,0x33,
-+ 0x9b,0xcb,0x7e,0x75
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_no_df_additionalinputreseed[] =
-+ {
-+ 0x27,0x21,0xfc,0xc2,0xbd,0xf3,0x3c,0xce,0xc3,0xca,0xc1,0x01,
-+ 0xe0,0xff,0x93,0x12,0x7d,0x54,0x42,0xe3,0x9f,0x03,0xdf,0x27,
-+ 0x04,0x07,0x3c,0x53,0x7f,0xa8,0x66,0xc8,0x97,0x4b,0x61,0x40,
-+ 0x5d,0x7a,0x25,0x79
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_no_df_additionalinput2[] =
-+ {
-+ 0x2d,0x8e,0x16,0x5d,0x0b,0x9f,0xeb,0xaa,0xd6,0xec,0x28,0x71,
-+ 0x7c,0x0b,0xc1,0x1d,0xd4,0x44,0x19,0x47,0xfd,0x1d,0x7c,0xe5,
-+ 0xf3,0x27,0xe1,0xb6,0x72,0x0a,0xe0,0xec,0x0e,0xcd,0xef,0x1a,
-+ 0x91,0x6a,0xe3,0x5f
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_no_df_returnedbits[] =
-+ {
-+ 0xe5,0xda,0xb8,0xe0,0x63,0x59,0x5a,0xcc,0x3d,0xdc,0x9f,0xe8,
-+ 0x66,0x67,0x2c,0x92
-+ };
-+
-+
-+/* AES-256 no df PR */
-+__fips_constseg
-+static const unsigned char aes_256_no_df_pr_entropyinput[] =
-+ {
-+ 0x15,0xc7,0x5d,0xcb,0x41,0x4b,0x16,0x01,0x3a,0xd1,0x44,0xe8,
-+ 0x22,0x32,0xc6,0x9c,0x3f,0xe7,0x43,0xf5,0x9a,0xd3,0xea,0xf2,
-+ 0xd7,0x4e,0x6e,0x6a,0x55,0x73,0x40,0xef,0x89,0xad,0x0d,0x03,
-+ 0x96,0x7e,0x78,0x81,0x2f,0x91,0x1b,0x44,0xb0,0x02,0xba,0x1c
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_no_df_pr_nonce[] =
-+ {
-+ 0xdc,0xe4,0xd4,0x27,0x7a,0x90,0xd7,0x99,0x43,0xa1,0x3c,0x30,
-+ 0xcc,0x4b,0xee,0x2e
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_no_df_pr_personalizationstring[] =
-+ {
-+ 0xe3,0xe6,0xb9,0x11,0xe4,0x7a,0xa4,0x40,0x6b,0xf8,0x73,0xf7,
-+ 0x7e,0xec,0xc7,0xb9,0x97,0xbf,0xf8,0x25,0x7b,0xbe,0x11,0x9b,
-+ 0x5b,0x6a,0x0c,0x2e,0x2b,0x01,0x51,0xcd,0x41,0x4b,0x6b,0xac,
-+ 0x31,0xa8,0x0b,0xf7,0xe6,0x59,0x42,0xb8,0x03,0x0c,0xf8,0x06
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_no_df_pr_additionalinput[] =
-+ {
-+ 0x6a,0x9f,0x00,0x91,0xae,0xfe,0xcf,0x84,0x99,0xce,0xb1,0x40,
-+ 0x6d,0x5d,0x33,0x28,0x84,0xf4,0x8c,0x63,0x4c,0x7e,0xbd,0x2c,
-+ 0x80,0x76,0xee,0x5a,0xaa,0x15,0x07,0x31,0xd8,0xbb,0x8c,0x69,
-+ 0x9d,0x9d,0xbc,0x7e,0x49,0xae,0xec,0x39,0x6b,0xd1,0x1f,0x7e
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_no_df_pr_entropyinputpr[] =
-+ {
-+ 0xf3,0xb9,0x75,0x9c,0xbd,0x88,0xea,0xa2,0x50,0xad,0xd6,0x16,
-+ 0x1a,0x12,0x3c,0x86,0x68,0xaf,0x6f,0xbe,0x19,0xf2,0xee,0xcc,
-+ 0xa5,0x70,0x84,0x53,0x50,0xcb,0x9f,0x14,0xa9,0xe5,0xee,0xb9,
-+ 0x48,0x45,0x40,0xe2,0xc7,0xc9,0x9a,0x74,0xff,0x8c,0x99,0x1f
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_no_df_pr_int_returnedbits[] =
-+ {
-+ 0x2e,0xf2,0x45,0x4c,0x62,0x2e,0x0a,0xb9,0x6b,0xa2,0xfd,0x56,
-+ 0x79,0x60,0x93,0xcf
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_no_df_pr_additionalinput2[] =
-+ {
-+ 0xaf,0x69,0x20,0xe9,0x3b,0x37,0x9d,0x3f,0xb4,0x80,0x02,0x7a,
-+ 0x25,0x7d,0xb8,0xde,0x71,0xc5,0x06,0x0c,0xb4,0xe2,0x8f,0x35,
-+ 0xd8,0x14,0x0d,0x7f,0x76,0x63,0x4e,0xb5,0xee,0xe9,0x6f,0x34,
-+ 0xc7,0x5f,0x56,0x14,0x4a,0xe8,0x73,0x95,0x5b,0x1c,0xb9,0xcb
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_no_df_pr_entropyinputpr2[] =
-+ {
-+ 0xe5,0xb0,0x2e,0x7e,0x52,0x30,0xe3,0x63,0x82,0xb6,0x44,0xd3,
-+ 0x25,0x19,0x05,0x24,0x9a,0x9f,0x5f,0x27,0x6a,0x29,0xab,0xfa,
-+ 0x07,0xa2,0x42,0x0f,0xc5,0xa8,0x94,0x7c,0x17,0x7b,0x85,0x83,
-+ 0x0c,0x25,0x0e,0x63,0x0b,0xe9,0x12,0x60,0xcd,0xef,0x80,0x0f
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_no_df_pr_returnedbits[] =
-+ {
-+ 0x5e,0xf2,0x26,0xef,0x9f,0x58,0x5d,0xd5,0x4a,0x10,0xfe,0xa7,
-+ 0x2d,0x5f,0x4a,0x46
-+ };
-+
-+
-+/* AES-256 no df No PR */
-+__fips_constseg
-+static const unsigned char aes_256_no_df_entropyinput[] =
-+ {
-+ 0xfb,0xcf,0x1b,0x61,0x16,0x89,0x78,0x23,0xf5,0xd8,0x96,0xe3,
-+ 0x4e,0x64,0x0b,0x29,0x9a,0x3f,0xf8,0xa5,0xed,0xf2,0xfe,0xdb,
-+ 0x16,0xca,0x7f,0x10,0xfa,0x5e,0x18,0x76,0x2c,0x63,0x5e,0x96,
-+ 0xcf,0xb3,0xd6,0xfc,0xaf,0x99,0x39,0x28,0x9c,0x61,0xe8,0xb3
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_no_df_nonce[] =
-+ {
-+ 0x12,0x96,0xf0,0x52,0xf3,0x8d,0x81,0xcf,0xde,0x86,0xf2,0x99,
-+ 0x43,0x96,0xb9,0xf0
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_no_df_personalizationstring[] =
-+ {
-+ 0x63,0x0d,0x78,0xf5,0x90,0x8e,0x32,0x47,0xb0,0x4d,0x37,0x60,
-+ 0x09,0x96,0xbc,0xbf,0x97,0x7a,0x62,0x14,0x45,0xbd,0x8d,0xcc,
-+ 0x69,0xfb,0x03,0xe1,0x80,0x1c,0xc7,0xe2,0x2a,0xf9,0x37,0x3f,
-+ 0x66,0x4d,0x62,0xd9,0x10,0xe0,0xad,0xc8,0x9a,0xf0,0xa8,0x6d
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_no_df_additionalinput[] =
-+ {
-+ 0x36,0xc6,0x13,0x60,0xbb,0x14,0xad,0x22,0xb0,0x38,0xac,0xa6,
-+ 0x18,0x16,0x93,0x25,0x86,0xb7,0xdc,0xdc,0x36,0x98,0x2b,0xf9,
-+ 0x68,0x33,0xd3,0xc6,0xff,0xce,0x8d,0x15,0x59,0x82,0x76,0xed,
-+ 0x6f,0x8d,0x49,0x74,0x2f,0xda,0xdc,0x1f,0x17,0xd0,0xde,0x17
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_no_df_int_returnedbits[] =
-+ {
-+ 0x16,0x2f,0x8e,0x3f,0x21,0x7a,0x1c,0x20,0x56,0xd1,0x92,0xf6,
-+ 0xd2,0x25,0x75,0x0e
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_no_df_entropyinputreseed[] =
-+ {
-+ 0x91,0x79,0x76,0xee,0xe0,0xcf,0x9e,0xc2,0xd5,0xd4,0x23,0x9b,
-+ 0x12,0x8c,0x7e,0x0a,0xb7,0xd2,0x8b,0xd6,0x7c,0xa3,0xc6,0xe5,
-+ 0x0e,0xaa,0xc7,0x6b,0xae,0x0d,0xfa,0x53,0x06,0x79,0xa1,0xed,
-+ 0x4d,0x6a,0x0e,0xd8,0x9d,0xbe,0x1b,0x31,0x93,0x7b,0xec,0xfb
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_no_df_additionalinputreseed[] =
-+ {
-+ 0xd2,0x46,0x50,0x22,0x10,0x14,0x63,0xf7,0xea,0x0f,0xb9,0x7e,
-+ 0x0d,0xe1,0x94,0x07,0xaf,0x09,0x44,0x31,0xea,0x64,0xa4,0x18,
-+ 0x5b,0xf9,0xd8,0xc2,0xfa,0x03,0x47,0xc5,0x39,0x43,0xd5,0x3b,
-+ 0x62,0x86,0x64,0xea,0x2c,0x73,0x8c,0xae,0x9d,0x98,0x98,0x29
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_no_df_additionalinput2[] =
-+ {
-+ 0x8c,0xab,0x18,0xf8,0xc3,0xec,0x18,0x5c,0xb3,0x1e,0x9d,0xbe,
-+ 0x3f,0x03,0xb4,0x00,0x98,0x9d,0xae,0xeb,0xf4,0x94,0xf8,0x42,
-+ 0x8f,0xe3,0x39,0x07,0xe1,0xc9,0xad,0x0b,0x1f,0xed,0xc0,0xba,
-+ 0xf6,0xd1,0xec,0x27,0x86,0x7b,0xd6,0x55,0x9b,0x60,0xa5,0xc6
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_no_df_returnedbits[] =
-+ {
-+ 0xef,0xd2,0xd8,0x5c,0xdc,0x62,0x25,0x9f,0xaa,0x1e,0x2c,0x67,
-+ 0xf6,0x02,0x32,0xe2
-+ };
-+
-+
-+/* SHA-1 PR */
-+__fips_constseg
-+static const unsigned char sha1_pr_entropyinput[] =
-+ {
-+ 0xd2,0x36,0xa5,0x27,0x31,0x73,0xdd,0x11,0x4f,0x93,0xbd,0xe2,
-+ 0x31,0xa5,0x91,0x13
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha1_pr_nonce[] =
-+ {
-+ 0xb5,0xb3,0x60,0xef,0xf7,0x63,0x31,0xf3
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha1_pr_personalizationstring[] =
-+ {
-+ 0xd4,0xbb,0x02,0x10,0xb2,0x71,0xdb,0x81,0xd6,0xf0,0x42,0x60,
-+ 0xda,0xea,0x77,0x52
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha1_pr_additionalinput[] =
-+ {
-+ 0x4d,0xd2,0x6c,0x87,0xfb,0x2c,0x4f,0xa6,0x8d,0x16,0x63,0x22,
-+ 0x6a,0x51,0xe3,0xf8
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha1_pr_entropyinputpr[] =
-+ {
-+ 0xc9,0x83,0x9e,0x16,0xf6,0x1c,0x0f,0xb2,0xec,0x60,0x31,0xa9,
-+ 0xcb,0xa9,0x36,0x7a
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha1_pr_int_returnedbits[] =
-+ {
-+ 0xa8,0x13,0x4f,0xf4,0x31,0x02,0x44,0xe3,0xd3,0x3d,0x61,0x9e,
-+ 0xe5,0xc6,0x3e,0x89,0xb5,0x9b,0x0f,0x35
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha1_pr_additionalinput2[] =
-+ {
-+ 0xf9,0xe8,0xd2,0x72,0x13,0x34,0x95,0x6f,0x15,0x49,0x47,0x99,
-+ 0x16,0x03,0x19,0x47
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha1_pr_entropyinputpr2[] =
-+ {
-+ 0x4e,0x8c,0x49,0x9b,0x4a,0x5c,0x9b,0x9c,0x3a,0xee,0xfb,0xd2,
-+ 0xae,0xcd,0x8c,0xc4
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha1_pr_returnedbits[] =
-+ {
-+ 0x50,0xb4,0xb4,0xcd,0x68,0x57,0xfc,0x2e,0xc1,0x52,0xcc,0xf6,
-+ 0x68,0xa4,0x81,0xed,0x7e,0xe4,0x1d,0x87
-+ };
-+
-+
-+/* SHA-1 No PR */
-+__fips_constseg
-+static const unsigned char sha1_entropyinput[] =
-+ {
-+ 0xa9,0x47,0x1b,0x29,0x2d,0x1c,0x05,0xdf,0x76,0xd0,0x62,0xf9,
-+ 0xe2,0x7f,0x4c,0x7b
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha1_nonce[] =
-+ {
-+ 0x53,0x23,0x24,0xe3,0xec,0x0c,0x54,0x14
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha1_personalizationstring[] =
-+ {
-+ 0x7a,0x87,0xa1,0xac,0x1c,0xfd,0xab,0xae,0xf7,0xd6,0xfb,0x76,
-+ 0x28,0xec,0x6d,0xca
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha1_additionalinput[] =
-+ {
-+ 0xfc,0x92,0x35,0xd6,0x7e,0xb7,0x24,0x65,0xfd,0x12,0x27,0x35,
-+ 0xc0,0x72,0xca,0x28
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha1_int_returnedbits[] =
-+ {
-+ 0x57,0x88,0x82,0xe5,0x25,0xa5,0x2c,0x4a,0x06,0x20,0x6c,0x72,
-+ 0x55,0x61,0xdd,0x90,0x71,0x9f,0x95,0xea
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha1_entropyinputreseed[] =
-+ {
-+ 0x69,0xa5,0x40,0x62,0x98,0x47,0x56,0x73,0x4a,0x8f,0x60,0x96,
-+ 0xd6,0x99,0x27,0xed
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha1_additionalinputreseed[] =
-+ {
-+ 0xe5,0x40,0x4e,0xbd,0x50,0x00,0xf5,0x15,0xa6,0xee,0x45,0xda,
-+ 0x84,0x3d,0xd4,0xc0
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha1_additionalinput2[] =
-+ {
-+ 0x11,0x51,0x14,0xf0,0x09,0x1b,0x4e,0x56,0x0d,0xe9,0xf6,0x1e,
-+ 0x52,0x65,0xcd,0x96
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha1_returnedbits[] =
-+ {
-+ 0xa1,0x9c,0x94,0x6e,0x29,0xe1,0x33,0x0d,0x32,0xd6,0xaa,0xce,
-+ 0x71,0x3f,0x52,0x72,0x8b,0x42,0xa8,0xd7
-+ };
-+
-+
-+/* SHA-224 PR */
-+__fips_constseg
-+static const unsigned char sha224_pr_entropyinput[] =
-+ {
-+ 0x12,0x69,0x32,0x4f,0x83,0xa6,0xf5,0x14,0xe3,0x49,0x3e,0x75,
-+ 0x3e,0xde,0xad,0xa1,0x29,0xc3,0xf3,0x19,0x20,0xb5,0x4c,0xd9
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha224_pr_nonce[] =
-+ {
-+ 0x6a,0x78,0xd0,0xeb,0xbb,0x5a,0xf0,0xee,0xe8,0xc3,0xba,0x71
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha224_pr_personalizationstring[] =
-+ {
-+ 0xd5,0xb8,0xb6,0xbc,0xc1,0x5b,0x60,0x31,0x3c,0xf5,0xe5,0xc0,
-+ 0x8e,0x52,0x7a,0xbd,0xea,0x47,0xa9,0x5f,0x8f,0xf9,0x8b,0xae
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha224_pr_additionalinput[] =
-+ {
-+ 0x1f,0x55,0xec,0xae,0x16,0x12,0x84,0xba,0x84,0x16,0x19,0x88,
-+ 0x8e,0xb8,0x33,0x25,0x54,0xff,0xca,0x79,0xaf,0x07,0x25,0x50
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha224_pr_entropyinputpr[] =
-+ {
-+ 0x92,0xa3,0x32,0xa8,0x9a,0x0a,0x58,0x7c,0x1d,0x5a,0x7e,0xe1,
-+ 0xb2,0x73,0xab,0x0e,0x16,0x79,0x23,0xd3,0x29,0x89,0x81,0xe1
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha224_pr_int_returnedbits[] =
-+ {
-+ 0xf3,0x38,0x91,0x40,0x37,0x7a,0x51,0x72,0x42,0x74,0x78,0x0a,
-+ 0x69,0xfd,0xa6,0x44,0x43,0x45,0x6c,0x0c,0x5a,0x19,0xff,0xf1,
-+ 0x54,0x60,0xee,0x6a
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha224_pr_additionalinput2[] =
-+ {
-+ 0x75,0xf3,0x04,0x25,0xdd,0x36,0xa8,0x37,0x46,0xae,0x0c,0x52,
-+ 0x05,0x79,0x4c,0x26,0xdb,0xe9,0x71,0x16,0x4c,0x0a,0xf2,0x60
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha224_pr_entropyinputpr2[] =
-+ {
-+ 0xea,0xc5,0x03,0x0a,0x4f,0xb0,0x38,0x8d,0x23,0xd4,0xc8,0x77,
-+ 0xe2,0x6d,0x9c,0x0b,0x44,0xf7,0x2d,0x5b,0xbf,0x5d,0x2a,0x11
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha224_pr_returnedbits[] =
-+ {
-+ 0x60,0x50,0x2b,0xe7,0x86,0xd8,0x26,0x73,0xe3,0x1d,0x95,0x20,
-+ 0xb3,0x2c,0x32,0x1c,0xf5,0xce,0x57,0xa6,0x67,0x2b,0xdc,0x4e,
-+ 0xdd,0x11,0x4c,0xc4
-+ };
-+
-+
-+/* SHA-224 No PR */
-+__fips_constseg
-+static const unsigned char sha224_entropyinput[] =
-+ {
-+ 0xb2,0x1c,0x77,0x4d,0xf6,0xd3,0xb6,0x40,0xb7,0x30,0x3e,0x29,
-+ 0xb0,0x85,0x1c,0xbe,0x4a,0xea,0x6b,0x5a,0xb5,0x8a,0x97,0xeb
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha224_nonce[] =
-+ {
-+ 0x42,0x02,0x0a,0x1c,0x98,0x9a,0x77,0x9e,0x9f,0x80,0xba,0xe0
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha224_personalizationstring[] =
-+ {
-+ 0x98,0xb8,0x04,0x41,0xfc,0xc1,0x5d,0xc5,0xe9,0xb9,0x08,0xda,
-+ 0xf9,0xfa,0x0d,0x90,0xce,0xdf,0x1d,0x10,0xa9,0x8d,0x50,0x0c
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha224_additionalinput[] =
-+ {
-+ 0x9a,0x8d,0x39,0x49,0x42,0xd5,0x0b,0xae,0xe1,0xaf,0xb7,0x00,
-+ 0x02,0xfa,0x96,0xb1,0xa5,0x1d,0x2d,0x25,0x78,0xee,0x83,0x3f
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha224_int_returnedbits[] =
-+ {
-+ 0xe4,0xf5,0x53,0x79,0x5a,0x97,0x58,0x06,0x08,0xba,0x7b,0xfa,
-+ 0xf0,0x83,0x05,0x8c,0x22,0xc0,0xc9,0xdb,0x15,0xe7,0xde,0x20,
-+ 0x55,0x22,0x9a,0xad
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha224_entropyinputreseed[] =
-+ {
-+ 0x67,0x09,0x48,0xaa,0x07,0x16,0x99,0x89,0x7f,0x6d,0xa0,0xe5,
-+ 0x8f,0xdf,0xbc,0xdb,0xfe,0xe5,0x6c,0x7a,0x95,0x4a,0x66,0x17
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha224_additionalinputreseed[] =
-+ {
-+ 0x0f,0x4b,0x1c,0x6f,0xb7,0xe3,0x47,0xe5,0x5d,0x7d,0x38,0xd6,
-+ 0x28,0x9b,0xeb,0x55,0x63,0x09,0x3e,0x7c,0x56,0xea,0xf8,0x19
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha224_additionalinput2[] =
-+ {
-+ 0x2d,0x26,0x7c,0x37,0xe4,0x7a,0x28,0x5e,0x5a,0x3c,0xaf,0x3d,
-+ 0x5a,0x8e,0x55,0xa2,0x1a,0x6e,0xc0,0xe5,0xf6,0x21,0xd3,0xf6
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha224_returnedbits[] =
-+ {
-+ 0x4d,0x83,0x35,0xdf,0x67,0xa9,0xfc,0x17,0xda,0x70,0xcc,0x8b,
-+ 0x7f,0x77,0xae,0xa2,0x5f,0xb9,0x7e,0x74,0x4c,0x26,0xc1,0x7a,
-+ 0x3b,0xa7,0x5c,0x93
-+ };
-+
-+
-+/* SHA-256 PR */
-+__fips_constseg
-+static const unsigned char sha256_pr_entropyinput[] =
-+ {
-+ 0xce,0x49,0x00,0x7a,0x56,0xe3,0x67,0x8f,0xe1,0xb6,0xa7,0xd4,
-+ 0x4f,0x08,0x7a,0x1b,0x01,0xf4,0xfa,0x6b,0xef,0xb7,0xe5,0xeb,
-+ 0x07,0x3d,0x11,0x0d,0xc8,0xea,0x2b,0xfe
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha256_pr_nonce[] =
-+ {
-+ 0x73,0x41,0xc8,0x92,0x94,0xe2,0xc5,0x5f,0x93,0xfd,0x39,0x5d,
-+ 0x2b,0x91,0x4d,0x38
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha256_pr_personalizationstring[] =
-+ {
-+ 0x50,0x6d,0x01,0x01,0x07,0x5a,0x80,0x35,0x7a,0x56,0x1a,0x56,
-+ 0x2f,0x9a,0x0b,0x35,0xb2,0xb1,0xc9,0xe5,0xca,0x69,0x61,0x48,
-+ 0xff,0xfb,0x0f,0xd9,0x4b,0x79,0x1d,0xba
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha256_pr_additionalinput[] =
-+ {
-+ 0x20,0xb8,0xdf,0x44,0x77,0x5a,0xb8,0xd3,0xbf,0xf6,0xcf,0xac,
-+ 0x5e,0xa6,0x96,0x62,0x73,0x44,0x40,0x4a,0x30,0xfb,0x38,0xa5,
-+ 0x7b,0x0d,0xe4,0x0d,0xc6,0xe4,0x9a,0x1f
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha256_pr_entropyinputpr[] =
-+ {
-+ 0x04,0xc4,0x65,0xf4,0xd3,0xbf,0x83,0x4b,0xab,0xc8,0x41,0xa8,
-+ 0xc2,0xe0,0x44,0x63,0x77,0x4c,0x6f,0x6c,0x49,0x46,0xff,0x94,
-+ 0x17,0xea,0xe6,0x1a,0x9d,0x5e,0x66,0x78
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha256_pr_int_returnedbits[] =
-+ {
-+ 0x07,0x4d,0xac,0x9b,0x86,0xca,0x4a,0xaa,0x6e,0x7a,0x03,0xa2,
-+ 0x5d,0x10,0xea,0x0b,0xf9,0x83,0xcc,0xd1,0xfc,0xe2,0x07,0xc7,
-+ 0x06,0x34,0x60,0x6f,0x83,0x94,0x99,0x76
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha256_pr_additionalinput2[] =
-+ {
-+ 0x89,0x4e,0x45,0x8c,0x11,0xf9,0xbc,0x5b,0xac,0x74,0x8b,0x4b,
-+ 0x5f,0xf7,0x19,0xf3,0xf5,0x24,0x54,0x14,0xd1,0x15,0xb1,0x43,
-+ 0x12,0xa4,0x5f,0xd4,0xec,0xfc,0xcd,0x09
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha256_pr_entropyinputpr2[] =
-+ {
-+ 0x0e,0xeb,0x1f,0xd7,0xfc,0xd1,0x9d,0xd4,0x05,0x36,0x8b,0xb2,
-+ 0xfb,0xe4,0xf4,0x51,0x0c,0x87,0x9b,0x02,0x44,0xd5,0x92,0x4d,
-+ 0x44,0xfe,0x1a,0x03,0x43,0x56,0xbd,0x86
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha256_pr_returnedbits[] =
-+ {
-+ 0x02,0xaa,0xb6,0x1d,0x7e,0x2a,0x40,0x03,0x69,0x2d,0x49,0xa3,
-+ 0x41,0xe7,0x44,0x0b,0xaf,0x7b,0x85,0xe4,0x5f,0x53,0x3b,0x64,
-+ 0xbc,0x89,0xc8,0x82,0xd4,0x78,0x37,0xa2
-+ };
-+
-+
-+/* SHA-256 No PR */
-+__fips_constseg
-+static const unsigned char sha256_entropyinput[] =
-+ {
-+ 0x5b,0x1b,0xec,0x4d,0xa9,0x38,0x74,0x5a,0x34,0x0b,0x7b,0xc5,
-+ 0xe5,0xd7,0x66,0x7c,0xbc,0x82,0xb9,0x0e,0x2d,0x1f,0x92,0xd7,
-+ 0xc1,0xbc,0x67,0x69,0xec,0x6b,0x03,0x3c
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha256_nonce[] =
-+ {
-+ 0xa4,0x0c,0xd8,0x9c,0x61,0xd8,0xc3,0x54,0xfe,0x53,0xc9,0xe5,
-+ 0x5d,0x6f,0x6d,0x35
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha256_personalizationstring[] =
-+ {
-+ 0x22,0x5e,0x62,0x93,0x42,0x83,0x78,0x24,0xd8,0x40,0x8c,0xde,
-+ 0x6f,0xf9,0xa4,0x7a,0xc5,0xa7,0x3b,0x88,0xa3,0xee,0x42,0x20,
-+ 0xfd,0x61,0x56,0xc6,0x4c,0x13,0x41,0x9c
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha256_additionalinput[] =
-+ {
-+ 0xbf,0x74,0x5b,0xf6,0xc5,0x64,0x5e,0x99,0x34,0x8f,0xbc,0xa4,
-+ 0xe2,0xbd,0xd8,0x85,0x26,0x37,0xea,0xba,0x4f,0xf2,0x9a,0x9a,
-+ 0x66,0xfc,0xdf,0x63,0x26,0x26,0x19,0x87
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha256_int_returnedbits[] =
-+ {
-+ 0xb3,0xc6,0x07,0x07,0xd6,0x75,0xf6,0x2b,0xd6,0x21,0x96,0xf1,
-+ 0xae,0xdb,0x2b,0xac,0x25,0x2a,0xae,0xae,0x41,0x72,0x03,0x5e,
-+ 0xbf,0xd3,0x64,0xbc,0x59,0xf9,0xc0,0x76
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha256_entropyinputreseed[] =
-+ {
-+ 0xbf,0x20,0x33,0x56,0x29,0xa8,0x37,0x04,0x1f,0x78,0x34,0x3d,
-+ 0x81,0x2a,0xc9,0x86,0xc6,0x7a,0x2f,0x88,0x5e,0xd5,0xbe,0x34,
-+ 0x46,0x20,0xa4,0x35,0xeb,0xc7,0xe2,0x9d
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha256_additionalinputreseed[] =
-+ {
-+ 0x9b,0xae,0x2d,0x2d,0x61,0xa4,0x89,0xeb,0x43,0x46,0xa7,0xda,
-+ 0xef,0x40,0xca,0x4a,0x99,0x11,0x41,0xdc,0x5c,0x94,0xe9,0xac,
-+ 0xd4,0xd0,0xe6,0xbd,0xfb,0x03,0x9c,0xa8
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha256_additionalinput2[] =
-+ {
-+ 0x23,0xaa,0x0c,0xbd,0x28,0x33,0xe2,0x51,0xfc,0x71,0xd2,0x15,
-+ 0x1f,0x76,0xfd,0x0d,0xe0,0xb7,0xb5,0x84,0x75,0x5b,0xbe,0xf3,
-+ 0x5c,0xca,0xc5,0x30,0xf2,0x75,0x1f,0xda
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha256_returnedbits[] =
-+ {
-+ 0x90,0x3c,0xc1,0x10,0x8c,0x12,0x01,0xc6,0xa6,0x3a,0x0f,0x4d,
-+ 0xb6,0x3a,0x4f,0x41,0x9c,0x61,0x75,0x84,0xe9,0x74,0x75,0xfd,
-+ 0xfe,0xf2,0x1f,0x43,0xd8,0x5e,0x24,0xa3
-+ };
-+
-+
-+/* SHA-384 PR */
-+__fips_constseg
-+static const unsigned char sha384_pr_entropyinput[] =
-+ {
-+ 0x71,0x9d,0xb2,0x5a,0x71,0x6d,0x04,0xe9,0x1e,0xc7,0x92,0x24,
-+ 0x6e,0x12,0x33,0xa9,0x52,0x64,0x31,0xef,0x71,0xeb,0x22,0x55,
-+ 0x28,0x97,0x06,0x6a,0xc0,0x0c,0xa0,0x7e
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha384_pr_nonce[] =
-+ {
-+ 0xf5,0x0d,0xfa,0xb0,0xec,0x6a,0x7c,0xd6,0xbd,0x9b,0x05,0xfd,
-+ 0x38,0x3e,0x2e,0x56
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha384_pr_personalizationstring[] =
-+ {
-+ 0x74,0xac,0x7e,0x6d,0xb1,0xa4,0xe7,0x21,0xd1,0x1e,0x6e,0x96,
-+ 0x6d,0x4d,0x53,0x46,0x82,0x96,0x6e,0xcf,0xaa,0x81,0x8d,0x7d,
-+ 0x9e,0xe1,0x0f,0x15,0xea,0x41,0xbf,0xe3
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha384_pr_additionalinput[] =
-+ {
-+ 0xda,0x95,0xd4,0xd0,0xb8,0x11,0xd3,0x49,0x27,0x5d,0xa9,0x39,
-+ 0x68,0xf3,0xa8,0xe9,0x5d,0x19,0x8a,0x2b,0x66,0xe8,0x69,0x06,
-+ 0x7c,0x9e,0x03,0xa1,0x8b,0x26,0x2d,0x6e
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha384_pr_entropyinputpr[] =
-+ {
-+ 0x49,0xdf,0x44,0x00,0xe4,0x1c,0x75,0x0b,0x26,0x5a,0x59,0x64,
-+ 0x1f,0x4e,0xb1,0xb2,0x13,0xf1,0x22,0x4e,0xb4,0x6d,0x9a,0xcc,
-+ 0xa0,0x48,0xe6,0xcf,0x1d,0xd1,0x92,0x0d
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha384_pr_int_returnedbits[] =
-+ {
-+ 0xc8,0x52,0xae,0xbf,0x04,0x3c,0x27,0xb7,0x78,0x18,0xaa,0x8f,
-+ 0xff,0xcf,0xa4,0xf1,0xcc,0xe7,0x68,0xfa,0x22,0xa2,0x13,0x45,
-+ 0xe8,0xdd,0x87,0xe6,0xf2,0x6e,0xdd,0xc7,0x52,0x90,0x9f,0x7b,
-+ 0xfa,0x61,0x2d,0x9d,0x9e,0xcf,0x98,0xac,0x52,0x40,0xce,0xaf
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha384_pr_additionalinput2[] =
-+ {
-+ 0x61,0x7c,0x03,0x9a,0x3e,0x50,0x57,0x60,0xc5,0x83,0xc9,0xb2,
-+ 0xd1,0x87,0x85,0x66,0x92,0x5d,0x84,0x0e,0x53,0xfb,0x70,0x03,
-+ 0x72,0xfd,0xba,0xae,0x9c,0x8f,0xf8,0x18
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha384_pr_entropyinputpr2[] =
-+ {
-+ 0xf8,0xeb,0x89,0xb1,0x8d,0x78,0xbe,0x21,0xe0,0xbb,0x9d,0xb7,
-+ 0x95,0x0e,0xd9,0x46,0x0c,0x8c,0xe2,0x63,0xb7,0x9d,0x67,0x90,
-+ 0xbd,0xc7,0x0b,0xa5,0xce,0xb2,0x65,0x81
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha384_pr_returnedbits[] =
-+ {
-+ 0xe6,0x9f,0xfe,0x68,0xd6,0xb5,0x79,0xf1,0x06,0x5f,0xa3,0xbb,
-+ 0x23,0x85,0xd8,0xf0,0x29,0x5a,0x68,0x9e,0xf5,0xf4,0xa6,0x12,
-+ 0xe0,0x9a,0xe2,0xac,0x00,0x1d,0x98,0x26,0xfc,0x53,0x95,0x53,
-+ 0xe4,0x3e,0x17,0xd5,0x08,0x0b,0x70,0x3d,0x67,0x99,0xac,0x66
-+ };
-+
-+
-+/* SHA-384 No PR */
-+__fips_constseg
-+static const unsigned char sha384_entropyinput[] =
-+ {
-+ 0x07,0x15,0x27,0x2a,0xaf,0x74,0x24,0x37,0xbc,0xd5,0x14,0x69,
-+ 0xce,0x11,0xff,0xa2,0x6b,0xb8,0x05,0x67,0x34,0xf8,0xbd,0x6d,
-+ 0x6a,0xcc,0xcd,0x60,0xa3,0x68,0xca,0xf4
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha384_nonce[] =
-+ {
-+ 0x70,0x17,0xc2,0x5b,0x5d,0x22,0x0b,0x06,0x15,0x54,0x78,0x77,
-+ 0x44,0xaf,0x2f,0x09
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha384_personalizationstring[] =
-+ {
-+ 0x89,0x39,0x28,0xb0,0x60,0xeb,0x3d,0xdc,0x55,0x75,0x86,0xeb,
-+ 0xae,0xa2,0x8f,0xbc,0x1b,0x75,0xd4,0xe1,0x0f,0xaa,0x38,0xca,
-+ 0x62,0x8b,0xcb,0x2c,0x26,0xf6,0xbc,0xb1
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha384_additionalinput[] =
-+ {
-+ 0x30,0x2b,0x42,0x35,0xef,0xda,0x40,0x55,0x28,0xc6,0x95,0xfb,
-+ 0x54,0x01,0x62,0xd7,0x87,0x14,0x48,0x6d,0x90,0x4c,0xa9,0x02,
-+ 0x54,0x40,0x22,0xc8,0x66,0xa5,0x48,0x48
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha384_int_returnedbits[] =
-+ {
-+ 0x82,0xc4,0xa1,0x9c,0x21,0xd2,0xe7,0xa5,0xa6,0xf6,0x5f,0x04,
-+ 0x5c,0xc7,0x31,0x9d,0x8d,0x59,0x74,0x50,0x19,0x89,0x2f,0x63,
-+ 0xd5,0xb7,0x7e,0xeb,0x15,0xe3,0x70,0x83,0xa1,0x24,0x59,0xfa,
-+ 0x2c,0x56,0xf6,0x88,0x3a,0x92,0x93,0xa1,0xfb,0x79,0xc1,0x7a
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha384_entropyinputreseed[] =
-+ {
-+ 0x39,0xa6,0xe8,0x5c,0x82,0x17,0x71,0x26,0x57,0x4f,0x9f,0xc2,
-+ 0x55,0xff,0x5c,0x9b,0x53,0x1a,0xd1,0x5f,0xbc,0x62,0xe4,0x27,
-+ 0x2d,0x32,0xf0,0xe4,0x52,0x8c,0xc5,0x0c
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha384_additionalinputreseed[] =
-+ {
-+ 0x8d,0xcb,0x8d,0xce,0x08,0xea,0x80,0xe8,0x9b,0x61,0xa8,0x0f,
-+ 0xaf,0x49,0x20,0x9e,0x74,0xcb,0x57,0x80,0x42,0xb0,0x84,0x5e,
-+ 0x30,0x2a,0x67,0x08,0xf4,0xe3,0x40,0x22
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha384_additionalinput2[] =
-+ {
-+ 0x7c,0x8f,0xc2,0xae,0x22,0x4a,0xd6,0xf6,0x05,0xa4,0x7a,0xea,
-+ 0xbb,0x25,0xd0,0xb7,0x5a,0xd6,0xcf,0x9d,0xf3,0x6c,0xe2,0xb2,
-+ 0x4e,0xb4,0xbd,0xf4,0xe5,0x40,0x80,0x94
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha384_returnedbits[] =
-+ {
-+ 0x9e,0x7e,0xfb,0x59,0xbb,0xaa,0x3c,0xf7,0xe1,0xf8,0x76,0xdd,
-+ 0x63,0x5f,0xaf,0x23,0xd6,0x64,0x61,0xc0,0x9a,0x09,0x47,0xc9,
-+ 0x33,0xdf,0x6d,0x55,0x91,0x34,0x79,0x70,0xc4,0x99,0x6e,0x54,
-+ 0x09,0x64,0x21,0x1a,0xbd,0x1e,0x80,0x40,0x34,0xad,0xfa,0xd7
-+ };
-+
-+
-+/* SHA-512 PR */
-+__fips_constseg
-+static const unsigned char sha512_pr_entropyinput[] =
-+ {
-+ 0x13,0xf7,0x61,0x75,0x65,0x28,0xa2,0x59,0x13,0x5a,0x4a,0x4f,
-+ 0x56,0x60,0x8c,0x53,0x7d,0xb0,0xbd,0x06,0x4f,0xed,0xcc,0xd2,
-+ 0xa2,0xb5,0xfd,0x5b,0x3a,0xab,0xec,0x28
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha512_pr_nonce[] =
-+ {
-+ 0xbe,0xa3,0x91,0x93,0x1d,0xc3,0x31,0x3a,0x23,0x33,0x50,0x67,
-+ 0x88,0xc7,0xa2,0xc4
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha512_pr_personalizationstring[] =
-+ {
-+ 0x1f,0x59,0x4d,0x7b,0xe6,0x46,0x91,0x48,0xc1,0x25,0xfa,0xff,
-+ 0x89,0x12,0x77,0x35,0xdf,0x3e,0xf4,0x80,0x5f,0xd9,0xb0,0x07,
-+ 0x22,0x41,0xdd,0x48,0x78,0x6b,0x77,0x2b
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha512_pr_additionalinput[] =
-+ {
-+ 0x30,0xff,0x63,0x6f,0xac,0xd9,0x84,0x39,0x6f,0xe4,0x99,0xce,
-+ 0x91,0x7d,0x7e,0xc8,0x58,0xf2,0x12,0xc3,0xb6,0xad,0xda,0x22,
-+ 0x04,0xa0,0xd2,0x21,0xfe,0xf2,0x95,0x1d
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha512_pr_entropyinputpr[] =
-+ {
-+ 0x64,0x54,0x13,0xec,0x4f,0x77,0xda,0xb2,0x92,0x2e,0x52,0x80,
-+ 0x11,0x10,0xc2,0xf8,0xe6,0xa7,0xcd,0x4b,0xfc,0x32,0x2e,0x9e,
-+ 0xeb,0xbb,0xb1,0xbf,0x15,0x5c,0x73,0x08
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha512_pr_int_returnedbits[] =
-+ {
-+ 0xef,0x1e,0xdc,0x0a,0xa4,0x36,0x91,0x9c,0x3d,0x27,0x97,0x50,
-+ 0x8d,0x36,0x29,0x8d,0xce,0x6a,0x0c,0xf7,0x21,0xc0,0x91,0xae,
-+ 0x0c,0x96,0x72,0xbd,0x52,0x81,0x58,0xfc,0x6d,0xe5,0xf7,0xa5,
-+ 0xfd,0x5d,0xa7,0x58,0x68,0xc8,0x99,0x58,0x8e,0xc8,0xce,0x95,
-+ 0x01,0x7d,0xff,0xa4,0xc8,0xf7,0x63,0xfe,0x5f,0x69,0x83,0x53,
-+ 0xe2,0xc6,0x8b,0xc3
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha512_pr_additionalinput2[] =
-+ {
-+ 0xe6,0x9b,0xc4,0x88,0x34,0xca,0xea,0x29,0x2f,0x98,0x05,0xa4,
-+ 0xd3,0xc0,0x7b,0x11,0xe8,0xbb,0x75,0xf2,0xbd,0x29,0xb7,0x40,
-+ 0x25,0x7f,0xc1,0xb7,0xb1,0xf1,0x25,0x61
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha512_pr_entropyinputpr2[] =
-+ {
-+ 0x23,0x6d,0xff,0xde,0xfb,0xd1,0xba,0x33,0x18,0xe6,0xbe,0xb5,
-+ 0x48,0x77,0x6d,0x7f,0xa7,0xe1,0x4d,0x48,0x1e,0x3c,0xa7,0x34,
-+ 0x1a,0xc8,0x60,0xdb,0x8f,0x99,0x15,0x99
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha512_pr_returnedbits[] =
-+ {
-+ 0x70,0x27,0x31,0xdb,0x92,0x70,0x21,0xfe,0x16,0xb6,0xc8,0x51,
-+ 0x34,0x87,0x65,0xd0,0x4e,0xfd,0xfe,0x68,0xec,0xac,0xdc,0x93,
-+ 0x41,0x38,0x92,0x90,0xb4,0x94,0xf9,0x0d,0xa4,0xf7,0x4e,0x80,
-+ 0x92,0x67,0x48,0x40,0xa7,0x08,0xc7,0xbc,0x66,0x00,0xfd,0xf7,
-+ 0x4c,0x8b,0x17,0x6e,0xd1,0x8f,0x9b,0xf3,0x6f,0xf6,0x34,0xdd,
-+ 0x67,0xf7,0x68,0xdd
-+ };
-+
-+
-+/* SHA-512 No PR */
-+__fips_constseg
-+static const unsigned char sha512_entropyinput[] =
-+ {
-+ 0xb6,0x0b,0xb7,0xbc,0x84,0x56,0xf6,0x12,0xaf,0x45,0x67,0x17,
-+ 0x7c,0xd1,0xb2,0x78,0x2b,0xa0,0xf2,0xbe,0xb6,0x6d,0x8b,0x56,
-+ 0xc6,0xbc,0x4d,0xe1,0xf7,0xbe,0xce,0xbd
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha512_nonce[] =
-+ {
-+ 0x9d,0xed,0xc0,0xe5,0x5a,0x98,0x6a,0xcb,0x51,0x7d,0x76,0x31,
-+ 0x5a,0x64,0xf0,0xf7
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha512_personalizationstring[] =
-+ {
-+ 0xc2,0x6d,0xa3,0xc3,0x06,0x74,0xe5,0x01,0x5c,0x10,0x17,0xc7,
-+ 0xaf,0x83,0x9d,0x59,0x8d,0x2d,0x29,0x38,0xc5,0x59,0x70,0x8b,
-+ 0x46,0x48,0x2d,0xcf,0x36,0x7d,0x59,0xc0
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha512_additionalinput[] =
-+ {
-+ 0xec,0x8c,0xd4,0xf7,0x61,0x6e,0x0d,0x95,0x79,0xb7,0x28,0xad,
-+ 0x5f,0x69,0x74,0x5f,0x2d,0x36,0x06,0x8a,0x6b,0xac,0x54,0x97,
-+ 0xc4,0xa1,0x12,0x85,0x0a,0xdf,0x4b,0x34
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha512_int_returnedbits[] =
-+ {
-+ 0x84,0x2f,0x1f,0x68,0x6a,0xa3,0xad,0x1e,0xfb,0xf4,0x15,0xbd,
-+ 0xde,0x38,0xd4,0x30,0x80,0x51,0xe9,0xd3,0xc7,0x20,0x88,0xe9,
-+ 0xf5,0xcc,0xdf,0x57,0x5c,0x47,0x2f,0x57,0x3c,0x5f,0x13,0x56,
-+ 0xcc,0xc5,0x4f,0x84,0xf8,0x10,0x41,0xd5,0x7e,0x58,0x6e,0x19,
-+ 0x19,0x9e,0xaf,0xc2,0x22,0x58,0x41,0x50,0x79,0xc2,0xd8,0x04,
-+ 0x28,0xd4,0x39,0x9a
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha512_entropyinputreseed[] =
-+ {
-+ 0xfa,0x7f,0x46,0x51,0x83,0x62,0x98,0x16,0x9a,0x19,0xa2,0x49,
-+ 0xa9,0xe6,0x4a,0xd8,0x85,0xe7,0xd4,0x3b,0x2c,0x82,0xc5,0x82,
-+ 0xbf,0x11,0xf9,0x9e,0xbc,0xd0,0x01,0xee
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha512_additionalinputreseed[] =
-+ {
-+ 0xb9,0x12,0xe0,0x4f,0xf7,0xa7,0xc4,0xd8,0xd0,0x8e,0x99,0x29,
-+ 0x7c,0x9a,0xe9,0xcf,0xc4,0x6c,0xf8,0xc3,0xa7,0x41,0x83,0xd6,
-+ 0x2e,0xfa,0xb8,0x5e,0x8e,0x6b,0x78,0x20
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha512_additionalinput2[] =
-+ {
-+ 0xd7,0x07,0x52,0xb9,0x83,0x2c,0x03,0x71,0xee,0xc9,0xc0,0x85,
-+ 0xe1,0x57,0xb2,0xcd,0x3a,0xf0,0xc9,0x34,0x24,0x41,0x1c,0x42,
-+ 0x99,0xb2,0x84,0xe9,0x17,0xd2,0x76,0x92
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha512_returnedbits[] =
-+ {
-+ 0x36,0x17,0x5d,0x98,0x2b,0x65,0x25,0x8e,0xc8,0x29,0xdf,0x27,
-+ 0x05,0x36,0x26,0x12,0x8a,0x68,0x74,0x27,0x37,0xd4,0x7f,0x32,
-+ 0xb1,0x12,0xd6,0x85,0x83,0xeb,0x2e,0xa0,0xed,0x4b,0xb5,0x7b,
-+ 0x6f,0x39,0x3c,0x71,0x77,0x02,0x12,0xcc,0x2c,0x3a,0x8e,0x63,
-+ 0xdf,0x4a,0xbd,0x6f,0x6e,0x2e,0xed,0x0a,0x85,0xa5,0x2f,0xa2,
-+ 0x68,0xde,0x42,0xb5
-+ };
-+
-+
-+/* HMAC SHA-1 PR */
-+__fips_constseg
-+static const unsigned char hmac_sha1_pr_entropyinput[] =
-+ {
-+ 0x26,0x5f,0x36,0x14,0xff,0x3d,0x83,0xfa,0x73,0x5e,0x75,0xdc,
-+ 0x2c,0x18,0x17,0x1b
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha1_pr_nonce[] =
-+ {
-+ 0xc8,0xe3,0x57,0xa5,0x7b,0x74,0x86,0x6e
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha1_pr_personalizationstring[] =
-+ {
-+ 0x6e,0xdb,0x0d,0xfe,0x7d,0xac,0x79,0xd0,0xa5,0x3a,0x48,0x85,
-+ 0x80,0xe2,0x7f,0x2a
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha1_pr_additionalinput[] =
-+ {
-+ 0x31,0xcd,0x5e,0x43,0xdc,0xfb,0x7a,0x79,0xca,0x88,0xde,0x1f,
-+ 0xd7,0xbb,0x42,0x09
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha1_pr_entropyinputpr[] =
-+ {
-+ 0x7c,0x23,0x95,0x38,0x00,0x95,0xc1,0x78,0x1f,0x8f,0xd7,0x63,
-+ 0x23,0x87,0x2a,0xed
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha1_pr_int_returnedbits[] =
-+ {
-+ 0xbb,0x34,0xe7,0x93,0xa3,0x02,0x2c,0x4a,0xd0,0x89,0xda,0x7f,
-+ 0xed,0xf4,0x4c,0xde,0x17,0xec,0xe5,0x6c
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha1_pr_additionalinput2[] =
-+ {
-+ 0x49,0xbc,0x2d,0x2c,0xb7,0x32,0xcb,0x20,0xdf,0xf5,0x77,0x58,
-+ 0xa0,0x4b,0x93,0x6e
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha1_pr_entropyinputpr2[] =
-+ {
-+ 0x3c,0xaa,0xb0,0x21,0x42,0xb0,0xdd,0x34,0xf0,0x16,0x7f,0x0c,
-+ 0x0f,0xff,0x2e,0xaf
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha1_pr_returnedbits[] =
-+ {
-+ 0x8e,0xcb,0xa3,0x64,0xb2,0xb8,0x33,0x6c,0x64,0x3b,0x78,0x16,
-+ 0x99,0x35,0xc8,0x30,0xcb,0x3e,0xa0,0xd8
-+ };
-+
-+
-+/* HMAC SHA-1 No PR */
-+__fips_constseg
-+static const unsigned char hmac_sha1_entropyinput[] =
-+ {
-+ 0x32,0x9a,0x2a,0x87,0x7b,0x89,0x7c,0xf6,0xcb,0x95,0xd5,0x40,
-+ 0x17,0xfe,0x47,0x70
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha1_nonce[] =
-+ {
-+ 0x16,0xd8,0xe0,0xc7,0x52,0xcf,0x4a,0x25
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha1_personalizationstring[] =
-+ {
-+ 0x35,0x35,0xa9,0xa5,0x40,0xbe,0x9b,0xd1,0x56,0xdd,0x44,0x00,
-+ 0x72,0xf7,0xd3,0x5e
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha1_additionalinput[] =
-+ {
-+ 0x1b,0x2c,0x84,0x2d,0x4a,0x89,0x8f,0x69,0x19,0xf1,0xf3,0xdb,
-+ 0xbb,0xe3,0xaa,0xea
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha1_int_returnedbits[] =
-+ {
-+ 0xcf,0xfa,0x7d,0x72,0x0f,0xe6,0xc7,0x96,0xa0,0x69,0x31,0x11,
-+ 0x9b,0x0b,0x1a,0x20,0x1f,0x3f,0xaa,0xd1
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha1_entropyinputreseed[] =
-+ {
-+ 0x90,0x75,0x15,0x04,0x95,0xf1,0xba,0x81,0x0c,0x37,0x94,0x6f,
-+ 0x86,0x52,0x6d,0x9c
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha1_additionalinputreseed[] =
-+ {
-+ 0x5b,0x40,0xba,0x5f,0x17,0x70,0xf0,0x4b,0xdf,0xc9,0x97,0x92,
-+ 0x79,0xc5,0x82,0x28
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha1_additionalinput2[] =
-+ {
-+ 0x97,0xc8,0x80,0x90,0xb3,0xaa,0x6e,0x60,0xea,0x83,0x7a,0xe3,
-+ 0x8a,0xca,0xa4,0x7f
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha1_returnedbits[] =
-+ {
-+ 0x90,0xbd,0x05,0x56,0x6d,0xb5,0x22,0xd5,0xb9,0x5a,0x29,0x2d,
-+ 0xe9,0x0b,0xe1,0xac,0xde,0x27,0x0b,0xb0
-+ };
-+
-+
-+/* HMAC SHA-224 PR */
-+__fips_constseg
-+static const unsigned char hmac_sha224_pr_entropyinput[] =
-+ {
-+ 0x17,0x32,0x2b,0x2e,0x6f,0x1b,0x9c,0x6d,0x31,0xe0,0x34,0x07,
-+ 0xcf,0xed,0xf6,0xb6,0x5a,0x76,0x4c,0xbc,0x62,0x85,0x01,0x90
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha224_pr_nonce[] =
-+ {
-+ 0x38,0xbf,0x5f,0x20,0xb3,0x68,0x2f,0x43,0x61,0x05,0x8f,0x23
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha224_pr_personalizationstring[] =
-+ {
-+ 0xc0,0xc9,0x45,0xac,0x8d,0x27,0x77,0x08,0x0b,0x17,0x6d,0xed,
-+ 0xc1,0x7d,0xd5,0x07,0x9d,0x6e,0xf8,0x23,0x2a,0x22,0x13,0xbd
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha224_pr_additionalinput[] =
-+ {
-+ 0xa4,0x3c,0xe7,0x3b,0xea,0x19,0x45,0x32,0xc2,0x83,0x6d,0x21,
-+ 0x8a,0xc0,0xee,0x67,0x45,0xde,0x13,0x7d,0x9d,0x61,0x00,0x3b
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha224_pr_entropyinputpr[] =
-+ {
-+ 0x15,0x05,0x74,0x4a,0x7f,0x8d,0x5c,0x60,0x16,0xe5,0x7b,0xad,
-+ 0xf5,0x41,0x8f,0x55,0x60,0xc4,0x09,0xee,0x1e,0x11,0x81,0xab
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha224_pr_int_returnedbits[] =
-+ {
-+ 0x6f,0xf5,0x9a,0xe2,0x54,0x53,0x30,0x3d,0x5a,0x27,0x29,0x38,
-+ 0x27,0xf2,0x0d,0x05,0xe9,0x26,0xcb,0x16,0xc3,0x51,0x5f,0x13,
-+ 0x41,0xfe,0x99,0xf2
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha224_pr_additionalinput2[] =
-+ {
-+ 0x73,0x81,0x88,0x84,0x8f,0xed,0x6f,0x10,0x9f,0x93,0xbf,0x17,
-+ 0x35,0x7c,0xef,0xd5,0x8d,0x26,0xa6,0x7a,0xe8,0x09,0x36,0x4f
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha224_pr_entropyinputpr2[] =
-+ {
-+ 0xe6,0xcf,0xcf,0x7e,0x12,0xe5,0x43,0xd2,0x38,0xd8,0x24,0x6f,
-+ 0x5a,0x37,0x68,0xbf,0x4f,0xa0,0xff,0xd5,0x61,0x8a,0x93,0xe0
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha224_pr_returnedbits[] =
-+ {
-+ 0xaf,0xf9,0xd8,0x19,0x91,0x30,0x82,0x6f,0xa9,0x1e,0x9d,0xd7,
-+ 0xf3,0x50,0xe0,0xc7,0xd5,0x64,0x96,0x7d,0x4c,0x4d,0x78,0x03,
-+ 0x6d,0xd8,0x9e,0x72
-+ };
-+
-+
-+/* HMAC SHA-224 No PR */
-+__fips_constseg
-+static const unsigned char hmac_sha224_entropyinput[] =
-+ {
-+ 0x11,0x82,0xfd,0xd9,0x42,0xf4,0xfa,0xc8,0xf2,0x41,0xe6,0x54,
-+ 0x01,0xae,0x22,0x6e,0xc6,0xaf,0xaf,0xd0,0xa6,0xb2,0xe2,0x6d
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha224_nonce[] =
-+ {
-+ 0xa9,0x48,0xd7,0x92,0x39,0x7e,0x2a,0xdc,0x30,0x1f,0x0e,0x2b
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha224_personalizationstring[] =
-+ {
-+ 0x11,0xd5,0xf4,0xbd,0x67,0x8c,0x31,0xcf,0xa3,0x3f,0x1e,0x6b,
-+ 0xa8,0x07,0x02,0x0b,0xc8,0x2e,0x6c,0x64,0x41,0x5b,0xc8,0x37
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha224_additionalinput[] =
-+ {
-+ 0x68,0x18,0xc2,0x06,0xeb,0x3e,0x04,0x95,0x44,0x5e,0xfb,0xe6,
-+ 0x41,0xc1,0x5c,0xcc,0x40,0x2f,0xb7,0xd2,0x0f,0xf3,0x6b,0xe7
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha224_int_returnedbits[] =
-+ {
-+ 0x7f,0x45,0xc7,0x5d,0x32,0xe6,0x17,0x60,0xba,0xdc,0xb8,0x42,
-+ 0x1b,0x9c,0xf1,0xfa,0x3b,0x4d,0x29,0x54,0xc6,0x90,0xff,0x5c,
-+ 0xcd,0xd6,0xa9,0xcc
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha224_entropyinputreseed[] =
-+ {
-+ 0xc4,0x8e,0x37,0x95,0x69,0x53,0x28,0xd7,0x37,0xbb,0x70,0x95,
-+ 0x1c,0x07,0x1d,0xd9,0xb7,0xe6,0x1b,0xbb,0xfe,0x41,0xeb,0xc9
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha224_additionalinputreseed[] =
-+ {
-+ 0x53,0x17,0xa1,0x6a,0xfa,0x77,0x47,0xb0,0x95,0x56,0x9a,0x20,
-+ 0x57,0xde,0x5c,0x89,0x9f,0x7f,0xe2,0xde,0x17,0x3a,0x50,0x23
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha224_additionalinput2[] =
-+ {
-+ 0x3a,0x32,0xf9,0x85,0x0c,0xc1,0xed,0x76,0x2d,0xdf,0x40,0xc3,
-+ 0x06,0x22,0x66,0xd4,0x9a,0x9a,0xff,0x5a,0x7e,0x7a,0xf3,0x96
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha224_returnedbits[] =
-+ {
-+ 0x43,0xb4,0x57,0x5c,0x38,0x25,0x9d,0xae,0xec,0x96,0xd1,0x85,
-+ 0x3a,0x84,0x8d,0xfe,0x68,0xd5,0x0e,0x5c,0x8f,0x65,0xa5,0x4e,
-+ 0x45,0x84,0xa8,0x94
-+ };
-+
-+
-+/* HMAC SHA-256 PR */
-+__fips_constseg
-+static const unsigned char hmac_sha256_pr_entropyinput[] =
-+ {
-+ 0x4d,0xb0,0x43,0xd8,0x34,0x4b,0x10,0x70,0xb1,0x8b,0xed,0xea,
-+ 0x07,0x92,0x9f,0x6c,0x79,0x31,0xaf,0x81,0x29,0xeb,0x6e,0xca,
-+ 0x32,0x48,0x28,0xe7,0x02,0x5d,0xa6,0xa6
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha256_pr_nonce[] =
-+ {
-+ 0x3a,0xae,0x15,0xa9,0x99,0xdc,0xe4,0x67,0x34,0x3b,0x70,0x15,
-+ 0xaa,0xd3,0x30,0x9a
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha256_pr_personalizationstring[] =
-+ {
-+ 0x13,0x1d,0x24,0x04,0xb0,0x18,0x81,0x15,0x21,0x51,0x2a,0x24,
-+ 0x52,0x61,0xbe,0x64,0x82,0x6b,0x55,0x2f,0xe2,0xf1,0x40,0x7d,
-+ 0x71,0xd8,0x01,0x86,0x15,0xb7,0x8b,0xb5
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha256_pr_additionalinput[] =
-+ {
-+ 0x8f,0xa6,0x54,0x5f,0xb1,0xd0,0xd8,0xc3,0xe7,0x0c,0x15,0xa9,
-+ 0x23,0x6e,0xfe,0xfb,0x93,0xf7,0x3a,0xbd,0x59,0x01,0xfa,0x18,
-+ 0x8e,0xe9,0x1a,0xa9,0x78,0xfc,0x79,0x0b
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha256_pr_entropyinputpr[] =
-+ {
-+ 0xcf,0x24,0xb9,0xeb,0xb3,0xd4,0xcd,0x17,0x37,0x38,0x75,0x79,
-+ 0x15,0xcb,0x2d,0x75,0x51,0xf1,0xcc,0xaa,0x32,0xa4,0xa7,0x36,
-+ 0x7c,0x5c,0xe4,0x47,0xf1,0x3e,0x1d,0xe5
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha256_pr_int_returnedbits[] =
-+ {
-+ 0x52,0x42,0xfa,0xeb,0x85,0xe0,0x30,0x22,0x79,0x00,0x16,0xb2,
-+ 0x88,0x2f,0x14,0x6a,0xb7,0xfc,0xb7,0x53,0xdc,0x4a,0x12,0xef,
-+ 0x54,0xd6,0x33,0xe9,0x20,0xd6,0xfd,0x56
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha256_pr_additionalinput2[] =
-+ {
-+ 0xf4,0xf6,0x49,0xa1,0x2d,0x64,0x2b,0x30,0x58,0xf8,0xbd,0xb8,
-+ 0x75,0xeb,0xbb,0x5e,0x1c,0x9b,0x81,0x6a,0xda,0x14,0x86,0x6e,
-+ 0xd0,0xda,0x18,0xb7,0x88,0xfb,0x59,0xf3
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha256_pr_entropyinputpr2[] =
-+ {
-+ 0x21,0xcd,0x6e,0x46,0xad,0x99,0x07,0x17,0xb4,0x3d,0x76,0x0a,
-+ 0xff,0x5b,0x52,0x50,0x78,0xdf,0x1f,0x24,0x06,0x0d,0x3f,0x74,
-+ 0xa9,0xc9,0x37,0xcf,0xd8,0x26,0x25,0x91
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha256_pr_returnedbits[] =
-+ {
-+ 0xa7,0xaf,0x2f,0x29,0xe0,0x3a,0x72,0x95,0x96,0x1c,0xa9,0xf0,
-+ 0x4a,0x17,0x4d,0x66,0x06,0x10,0xbf,0x39,0x89,0x88,0xb8,0x91,
-+ 0x37,0x18,0x99,0xcf,0x8c,0x53,0x3b,0x7e
-+ };
-+
-+
-+/* HMAC SHA-256 No PR */
-+__fips_constseg
-+static const unsigned char hmac_sha256_entropyinput[] =
-+ {
-+ 0x96,0xb7,0x53,0x22,0x1e,0x52,0x2a,0x96,0xb1,0x15,0x3c,0x35,
-+ 0x5a,0x8b,0xd3,0x4a,0xa6,0x6c,0x83,0x0a,0x7d,0xa3,0x23,0x3d,
-+ 0x43,0xa1,0x07,0x2c,0x2d,0xe3,0x81,0xcc
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha256_nonce[] =
-+ {
-+ 0xf1,0xac,0x97,0xcb,0x5e,0x06,0x48,0xd2,0x94,0xbe,0x15,0x2e,
-+ 0xc7,0xfc,0xc2,0x01
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha256_personalizationstring[] =
-+ {
-+ 0x98,0xc5,0x1e,0x35,0x5e,0x89,0x0d,0xce,0x64,0x6d,0x18,0xa7,
-+ 0x5a,0xc6,0xf3,0xe7,0xd6,0x9e,0xc0,0xea,0xb7,0x3a,0x8d,0x65,
-+ 0xb8,0xeb,0x10,0xd7,0x57,0x18,0xa0,0x32
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha256_additionalinput[] =
-+ {
-+ 0x1b,0x10,0xaf,0xac,0xd0,0x65,0x95,0xad,0x04,0xad,0x03,0x1c,
-+ 0xe0,0x40,0xd6,0x3e,0x1c,0x46,0x53,0x39,0x7c,0xe2,0xbc,0xda,
-+ 0x8c,0xa2,0x33,0xa7,0x9a,0x26,0xd3,0x27
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha256_int_returnedbits[] =
-+ {
-+ 0xba,0x61,0x0e,0x55,0xfe,0x11,0x8a,0x9e,0x0f,0x80,0xdf,0x1d,
-+ 0x03,0x0a,0xfe,0x15,0x94,0x28,0x4b,0xba,0xf4,0x9f,0x51,0x25,
-+ 0x88,0xe5,0x4e,0xfb,0xaf,0xce,0x69,0x90
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha256_entropyinputreseed[] =
-+ {
-+ 0x62,0x7f,0x1e,0x6b,0xe8,0x8e,0xe1,0x35,0x7d,0x9b,0x4f,0xc7,
-+ 0xec,0xc8,0xac,0xef,0x6b,0x13,0x9e,0x05,0x56,0xc1,0x08,0xf9,
-+ 0x2f,0x0f,0x27,0x9c,0xd4,0x15,0xed,0x2d
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha256_additionalinputreseed[] =
-+ {
-+ 0xc7,0x76,0x6e,0xa9,0xd2,0xb2,0x76,0x40,0x82,0x25,0x2c,0xb3,
-+ 0x6f,0xac,0xe9,0x74,0xef,0x8f,0x3c,0x8e,0xcd,0xf1,0xbf,0xb3,
-+ 0x49,0x77,0x34,0x88,0x52,0x36,0xe6,0x2e
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha256_additionalinput2[] =
-+ {
-+ 0x8d,0xb8,0x0c,0xd1,0xbf,0x70,0xf6,0x19,0xc3,0x41,0x80,0x9f,
-+ 0xe1,0xa5,0xa4,0x1f,0x2c,0x26,0xb1,0xe5,0xd8,0xeb,0xbe,0xf8,
-+ 0xdf,0x88,0x6a,0x89,0xd6,0x05,0xd8,0x9d
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha256_returnedbits[] =
-+ {
-+ 0x43,0x12,0x2a,0x2c,0x40,0x53,0x2e,0x7c,0x66,0x34,0xac,0xc3,
-+ 0x43,0xe3,0xe0,0x6a,0xfc,0xfa,0xea,0x87,0x21,0x1f,0xe2,0x26,
-+ 0xc4,0xf9,0x09,0x9a,0x0d,0x6e,0x7f,0xe0
-+ };
-+
-+
-+/* HMAC SHA-384 PR */
-+__fips_constseg
-+static const unsigned char hmac_sha384_pr_entropyinput[] =
-+ {
-+ 0x69,0x81,0x98,0x88,0x44,0xf5,0xd6,0x2e,0x00,0x08,0x3b,0xc5,
-+ 0xfb,0xd7,0x8e,0x6f,0x23,0xf8,0x6d,0x09,0xd6,0x85,0x49,0xd1,
-+ 0xf8,0x6d,0xa4,0x58,0x54,0xfd,0x88,0xa9
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha384_pr_nonce[] =
-+ {
-+ 0x6e,0x38,0x81,0xca,0xb7,0xe8,0x6e,0x66,0x49,0x8a,0xb2,0x59,
-+ 0xee,0x16,0xc9,0xde
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha384_pr_personalizationstring[] =
-+ {
-+ 0xfe,0x4c,0xd9,0xf4,0x78,0x3b,0x08,0x41,0x8d,0x8f,0x55,0xc4,
-+ 0x43,0x56,0xb6,0x12,0x36,0x6b,0x30,0xb7,0x5e,0xe1,0xb9,0x47,
-+ 0x04,0xb1,0x4e,0xa9,0x00,0xa1,0x52,0xa1
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha384_pr_additionalinput[] =
-+ {
-+ 0x89,0xe9,0xcc,0x8f,0x27,0x3c,0x26,0xd1,0x95,0xc8,0x7d,0x0f,
-+ 0x5b,0x1a,0xf0,0x78,0x39,0x56,0x6f,0xa4,0x23,0xe7,0xd1,0xda,
-+ 0x7c,0x66,0x33,0xa0,0x90,0xc9,0x92,0x88
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha384_pr_entropyinputpr[] =
-+ {
-+ 0xbe,0x3d,0x7c,0x0d,0xca,0xda,0x7c,0x49,0xb8,0x12,0x36,0xc0,
-+ 0xdb,0xad,0x35,0xa8,0xc7,0x0b,0x2a,0x2c,0x69,0x6d,0x25,0x56,
-+ 0x63,0x82,0x11,0x3e,0xa7,0x33,0x70,0x72
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha384_pr_int_returnedbits[] =
-+ {
-+ 0x82,0x3d,0xe6,0x54,0x80,0x42,0xf8,0xba,0x90,0x4f,0x06,0xa6,
-+ 0xd2,0x7f,0xbf,0x79,0x7c,0x12,0x7d,0xa6,0xa2,0x66,0xe8,0xa6,
-+ 0xc0,0xd6,0x4a,0x55,0xbf,0xd8,0x0a,0xc5,0xf8,0x03,0x88,0xdd,
-+ 0x8e,0x87,0xd1,0x5a,0x48,0x26,0x72,0x2a,0x8e,0xcf,0xee,0xba
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha384_pr_additionalinput2[] =
-+ {
-+ 0x8f,0xff,0xd9,0x84,0xbb,0x85,0x3a,0x66,0xa1,0x21,0xce,0xb2,
-+ 0x3a,0x3a,0x17,0x22,0x19,0xae,0xc7,0xb6,0x63,0x81,0xd5,0xff,
-+ 0x0d,0xc8,0xe1,0xaf,0x57,0xd2,0xcb,0x60
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha384_pr_entropyinputpr2[] =
-+ {
-+ 0xd7,0xfb,0xc9,0xe8,0xe2,0xf2,0xaa,0x4c,0xb8,0x51,0x2f,0xe1,
-+ 0x22,0xba,0xf3,0xda,0x0a,0x19,0x76,0x71,0x57,0xb2,0x1d,0x94,
-+ 0x09,0x69,0x6c,0xd3,0x97,0x51,0x81,0x87
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha384_pr_returnedbits[] =
-+ {
-+ 0xe6,0x19,0x28,0xa8,0x21,0xce,0x5e,0xdb,0x24,0x79,0x8c,0x76,
-+ 0x5d,0x73,0xb2,0xdf,0xac,0xef,0x85,0xa7,0x3b,0x19,0x09,0x8b,
-+ 0x7f,0x98,0x28,0xa9,0x93,0xd8,0x7a,0xad,0x55,0x8b,0x24,0x9d,
-+ 0xe6,0x98,0xfe,0x47,0xd5,0x48,0xc1,0x23,0xd8,0x1d,0x62,0x75
-+ };
-+
-+
-+/* HMAC SHA-384 No PR */
-+__fips_constseg
-+static const unsigned char hmac_sha384_entropyinput[] =
-+ {
-+ 0xc3,0x56,0x2b,0x1d,0xc2,0xbb,0xa8,0xf0,0xae,0x1b,0x0d,0xd3,
-+ 0x5a,0x6c,0xda,0x57,0x8e,0xa5,0x8a,0x0d,0x6c,0x4b,0x18,0xb1,
-+ 0x04,0x3e,0xb4,0x99,0x35,0xc4,0xc0,0x5f
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha384_nonce[] =
-+ {
-+ 0xc5,0x49,0x1e,0x66,0x27,0x92,0xbe,0xec,0xb5,0x1e,0x4b,0xb1,
-+ 0x38,0xe3,0xeb,0x62
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha384_personalizationstring[] =
-+ {
-+ 0xbe,0xe7,0x6b,0x57,0xde,0x88,0x11,0x96,0x9b,0x6e,0xea,0xe5,
-+ 0x63,0x83,0x4c,0xb6,0x8d,0x66,0xaa,0x1f,0x8b,0x54,0xe7,0x62,
-+ 0x6d,0x5a,0xfc,0xbf,0x97,0xba,0xcd,0x77
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha384_additionalinput[] =
-+ {
-+ 0xe5,0x28,0x5f,0x43,0xf5,0x83,0x6e,0x0a,0x83,0x5c,0xe3,0x81,
-+ 0x03,0xf2,0xf8,0x78,0x00,0x7c,0x95,0x87,0x16,0xd6,0x6c,0x58,
-+ 0x33,0x6c,0x53,0x35,0x0d,0x66,0xe3,0xce
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha384_int_returnedbits[] =
-+ {
-+ 0xe2,0x1f,0xf3,0xda,0x0d,0x19,0x99,0x87,0xc4,0x90,0xa2,0x31,
-+ 0xca,0x2a,0x89,0x58,0x43,0x44,0xb8,0xde,0xcf,0xa4,0xbe,0x3b,
-+ 0x53,0x26,0x22,0x31,0x76,0x41,0x22,0xb5,0xa8,0x70,0x2f,0x4b,
-+ 0x64,0x95,0x4d,0x48,0x96,0x35,0xe6,0xbd,0x3c,0x34,0xdb,0x1b
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha384_entropyinputreseed[] =
-+ {
-+ 0x77,0x61,0xba,0xbc,0xf2,0xc1,0xf3,0x4b,0x86,0x65,0xfd,0x48,
-+ 0x0e,0x3c,0x02,0x5e,0xa2,0x7a,0x6b,0x7c,0xed,0x21,0x5e,0xf9,
-+ 0xcd,0xcd,0x77,0x07,0x2b,0xbe,0xc5,0x5c
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha384_additionalinputreseed[] =
-+ {
-+ 0x18,0x24,0x5f,0xc6,0x84,0xd1,0x67,0xc3,0x9a,0x11,0xa5,0x8c,
-+ 0x07,0x39,0x21,0x83,0x4d,0x04,0xc4,0x6a,0x28,0x19,0xcf,0x92,
-+ 0x21,0xd9,0x9e,0x41,0x72,0x6c,0x9e,0x63
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha384_additionalinput2[] =
-+ {
-+ 0x96,0x67,0x41,0x28,0x9b,0xb7,0x92,0x8d,0x64,0x3b,0xe4,0xcf,
-+ 0x7e,0xaa,0x1e,0xb1,0x4b,0x1d,0x09,0x56,0x67,0x9c,0xc6,0x6d,
-+ 0x3b,0xe8,0x91,0x9d,0xe1,0x8a,0xb7,0x32
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha384_returnedbits[] =
-+ {
-+ 0xe3,0x59,0x61,0x38,0x92,0xec,0xe2,0x3c,0xff,0xb7,0xdb,0x19,
-+ 0x0f,0x5b,0x93,0x68,0x0d,0xa4,0x94,0x40,0x72,0x0b,0xe0,0xed,
-+ 0x4d,0xcd,0x68,0xa0,0x1e,0xfe,0x67,0xb2,0xfa,0x21,0x56,0x74,
-+ 0xa4,0xad,0xcf,0xb7,0x60,0x66,0x2e,0x40,0xde,0x82,0xca,0xfb
-+ };
-+
-+
-+/* HMAC SHA-512 PR */
-+__fips_constseg
-+static const unsigned char hmac_sha512_pr_entropyinput[] =
-+ {
-+ 0xaa,0x9e,0x45,0x67,0x0e,0x00,0x2a,0x67,0x98,0xd6,0xda,0x0b,
-+ 0x0f,0x17,0x7e,0xac,0xfd,0x27,0xc4,0xca,0x84,0xdf,0xde,0xba,
-+ 0x85,0xd9,0xbe,0x8f,0xf3,0xff,0x91,0x4d
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha512_pr_nonce[] =
-+ {
-+ 0x8c,0x49,0x2f,0x58,0x1e,0x7a,0xda,0x4b,0x7e,0x8a,0x30,0x7b,
-+ 0x86,0xea,0xaf,0xa2
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha512_pr_personalizationstring[] =
-+ {
-+ 0x71,0xe1,0xbb,0xad,0xa7,0x4b,0x2e,0x31,0x3b,0x0b,0xec,0x24,
-+ 0x99,0x38,0xbc,0xaa,0x05,0x4c,0x46,0x44,0xfa,0xad,0x8e,0x02,
-+ 0xc1,0x7e,0xad,0xec,0x54,0xa6,0xd0,0xad
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha512_pr_additionalinput[] =
-+ {
-+ 0x3d,0x6e,0xa6,0xa8,0x29,0x2a,0xb2,0xf5,0x98,0x42,0xe4,0x92,
-+ 0x78,0x22,0x67,0xfd,0x1b,0x15,0x1e,0x29,0xaa,0x71,0x3c,0x3c,
-+ 0xe7,0x05,0x20,0xa9,0x29,0xc6,0x75,0x71
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha512_pr_entropyinputpr[] =
-+ {
-+ 0xab,0xb9,0x16,0xd8,0x55,0x35,0x54,0xb7,0x97,0x3f,0x94,0xbc,
-+ 0x2f,0x7c,0x70,0xc7,0xd0,0xed,0xb7,0x4b,0xf7,0xf6,0x6c,0x03,
-+ 0x0c,0xb0,0x03,0xd8,0xbb,0x71,0xd9,0x10
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha512_pr_int_returnedbits[] =
-+ {
-+ 0x8e,0xd3,0xfd,0x52,0x9e,0x83,0x08,0x49,0x18,0x6e,0x23,0x56,
-+ 0x5c,0x45,0x93,0x34,0x05,0xe2,0x98,0x8f,0x0c,0xd4,0x32,0x0c,
-+ 0xfd,0xda,0x5f,0x92,0x3a,0x8c,0x81,0xbd,0xf6,0x6c,0x55,0xfd,
-+ 0xb8,0x20,0xce,0x8d,0x97,0x27,0xe8,0xe8,0xe0,0xb3,0x85,0x50,
-+ 0xa2,0xc2,0xb2,0x95,0x1d,0x48,0xd3,0x7b,0x4b,0x78,0x13,0x35,
-+ 0x05,0x17,0xbe,0x0d
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha512_pr_additionalinput2[] =
-+ {
-+ 0xc3,0xfc,0x95,0xaa,0x69,0x06,0xae,0x59,0x41,0xce,0x26,0x08,
-+ 0x29,0x6d,0x45,0xda,0xe8,0xb3,0x6c,0x95,0x60,0x0f,0x70,0x2c,
-+ 0x10,0xba,0x38,0x8c,0xcf,0x29,0x99,0xaa
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha512_pr_entropyinputpr2[] =
-+ {
-+ 0x3b,0x9a,0x25,0xce,0xd7,0xf9,0x5c,0xd1,0x3a,0x3e,0xaa,0x71,
-+ 0x14,0x3e,0x19,0xe8,0xce,0xe6,0xfe,0x51,0x84,0xe9,0x1b,0xfe,
-+ 0x3f,0xa7,0xf2,0xfd,0x76,0x5f,0x6a,0xe7
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha512_pr_returnedbits[] =
-+ {
-+ 0xb7,0x82,0xa9,0x57,0x81,0x67,0x53,0xb5,0xa1,0xe9,0x3d,0x35,
-+ 0xf9,0xe4,0x97,0xbe,0xa6,0xca,0xf1,0x01,0x13,0x09,0xe7,0x21,
-+ 0xc0,0xed,0x93,0x5d,0x4b,0xf4,0xeb,0x8d,0x53,0x25,0x8a,0xc4,
-+ 0xb1,0x6f,0x6e,0x37,0xcd,0x2e,0xac,0x39,0xb2,0xb6,0x99,0xa3,
-+ 0x82,0x00,0xb0,0x21,0xf0,0xc7,0x2f,0x4c,0x73,0x92,0xfd,0x00,
-+ 0xb6,0xaf,0xbc,0xd3
-+ };
-+
-+
-+/* HMAC SHA-512 No PR */
-+__fips_constseg
-+static const unsigned char hmac_sha512_entropyinput[] =
-+ {
-+ 0x6e,0x85,0xe6,0x25,0x96,0x29,0xa7,0x52,0x5b,0x60,0xba,0xaa,
-+ 0xde,0xdb,0x36,0x0a,0x51,0x9a,0x15,0xae,0x6e,0x18,0xd3,0xfe,
-+ 0x39,0xb9,0x4a,0x96,0xf8,0x77,0xcb,0x95
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha512_nonce[] =
-+ {
-+ 0xe0,0xa6,0x5d,0x08,0xc3,0x7c,0xae,0x25,0x2e,0x80,0xd1,0x3e,
-+ 0xd9,0xaf,0x43,0x3c
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha512_personalizationstring[] =
-+ {
-+ 0x53,0x99,0x52,0x5f,0x11,0xa9,0x64,0x66,0x20,0x5e,0x1b,0x5f,
-+ 0x42,0xb3,0xf4,0xda,0xed,0xbb,0x63,0xc1,0x23,0xaf,0xd0,0x01,
-+ 0x90,0x3b,0xd0,0x78,0xe4,0x0b,0xa7,0x20
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha512_additionalinput[] =
-+ {
-+ 0x85,0x90,0x80,0xd3,0x98,0xf1,0x53,0x6d,0x68,0x15,0x8f,0xe5,
-+ 0x60,0x3f,0x17,0x29,0x55,0x8d,0x33,0xb1,0x45,0x64,0x64,0x8d,
-+ 0x50,0x21,0x89,0xae,0xf6,0xfd,0x32,0x73
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha512_int_returnedbits[] =
-+ {
-+ 0x28,0x56,0x30,0x6f,0xf4,0xa1,0x48,0xe0,0xc9,0xf5,0x75,0x90,
-+ 0xcc,0xfb,0xdf,0xdf,0x71,0x3d,0x0a,0x9a,0x03,0x65,0x3b,0x18,
-+ 0x61,0xe3,0xd1,0xda,0xcc,0x4a,0xfe,0x55,0x38,0xf8,0x21,0x6b,
-+ 0xfa,0x18,0x01,0x42,0x39,0x2f,0x99,0x53,0x38,0x15,0x82,0x34,
-+ 0xc5,0x93,0x92,0xbc,0x4d,0x75,0x1a,0x5f,0x21,0x27,0xcc,0xa1,
-+ 0xb1,0x57,0x69,0xe8
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha512_entropyinputreseed[] =
-+ {
-+ 0x8c,0x52,0x7e,0x77,0x72,0x3f,0xa3,0x04,0x97,0x10,0x9b,0x41,
-+ 0xbd,0xe8,0xff,0x89,0xed,0x80,0xe3,0xbd,0xaa,0x12,0x2d,0xca,
-+ 0x75,0x82,0x36,0x77,0x88,0xcd,0xa6,0x73
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha512_additionalinputreseed[] =
-+ {
-+ 0x7e,0x32,0xe3,0x69,0x69,0x07,0x34,0xa2,0x16,0xa2,0x5d,0x1a,
-+ 0x10,0x91,0xd3,0xe2,0x21,0xa2,0xa3,0xdd,0xcd,0x0c,0x09,0x86,
-+ 0x11,0xe1,0x50,0xff,0x5c,0xb7,0xeb,0x5c
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha512_additionalinput2[] =
-+ {
-+ 0x7f,0x78,0x66,0xd8,0xfb,0x67,0xcf,0x8d,0x8c,0x08,0x30,0xa5,
-+ 0xf8,0x7d,0xcf,0x44,0x59,0xce,0xf8,0xdf,0x58,0xd3,0x60,0xcb,
-+ 0xa8,0x60,0xb9,0x07,0xc4,0xb1,0x95,0x48
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha512_returnedbits[] =
-+ {
-+ 0xdf,0xa7,0x36,0xd4,0xdc,0x5d,0x4d,0x31,0xad,0x69,0x46,0x9f,
-+ 0xf1,0x7c,0xd7,0x3b,0x4f,0x55,0xf2,0xd7,0xb9,0x9d,0xad,0x7a,
-+ 0x79,0x08,0x59,0xa5,0xdc,0x74,0xf5,0x9b,0x73,0xd2,0x13,0x25,
-+ 0x0b,0x81,0x08,0x08,0x25,0xfb,0x39,0xf2,0xf0,0xa3,0xa4,0x8d,
-+ 0xef,0x05,0x9e,0xb8,0xc7,0x52,0xe4,0x0e,0x42,0xaa,0x7c,0x79,
-+ 0xc2,0xd6,0xfd,0xa5
-+ };
-+
-diff -up openssl-1.0.1e/crypto/fips/fips_dsa_selftest.c.fips openssl-1.0.1e/crypto/fips/fips_dsa_selftest.c
---- openssl-1.0.1e/crypto/fips/fips_dsa_selftest.c.fips 2013-10-04 11:48:04.185694249 +0200
-+++ openssl-1.0.1e/crypto/fips/fips_dsa_selftest.c 2013-10-04 11:48:04.185694249 +0200
-@@ -0,0 +1,193 @@
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <string.h>
-+#include <openssl/crypto.h>
-+#include <openssl/dsa.h>
-+#include <openssl/fips.h>
-+#include <openssl/err.h>
-+#include <openssl/evp.h>
-+#include <openssl/bn.h>
-+#include "fips_locl.h"
-+
-+#ifdef OPENSSL_FIPS
-+
-+static const unsigned char dsa_test_2048_p[] = {
-+ 0xa8,0x53,0x78,0xd8,0xfd,0x3f,0x8d,0x72,0xec,0x74,0x18,0x08,
-+ 0x0d,0xa2,0x13,0x17,0xe4,0x3e,0xc4,0xb6,0x2b,0xa8,0xc8,0x62,
-+ 0x3b,0x7e,0x4d,0x04,0x44,0x1d,0xd1,0xa0,0x65,0x86,0x62,0x59,
-+ 0x64,0x93,0xca,0x8e,0x9e,0x8f,0xbb,0x7e,0x34,0xaa,0xdd,0xb6,
-+ 0x2e,0x5d,0x67,0xb6,0xd0,0x9a,0x6e,0x61,0xb7,0x69,0xe7,0xc3,
-+ 0x52,0xaa,0x2b,0x10,0xe2,0x0c,0xa0,0x63,0x69,0x63,0xb5,0x52,
-+ 0x3e,0x86,0x47,0x0d,0xec,0xbb,0xed,0xa0,0x27,0xe7,0x97,0xe7,
-+ 0xb6,0x76,0x35,0xd4,0xd4,0x9c,0x30,0x70,0x0e,0x74,0xaf,0x8a,
-+ 0x0f,0xf1,0x56,0xa8,0x01,0xaf,0x57,0xa2,0x6e,0x70,0x78,0xf1,
-+ 0xd8,0x2f,0x74,0x90,0x8e,0xcb,0x6d,0x07,0xe7,0x0b,0x35,0x03,
-+ 0xee,0xd9,0x4f,0xa3,0x2c,0xf1,0x7a,0x7f,0xc3,0xd6,0xcf,0x40,
-+ 0xdc,0x7b,0x00,0x83,0x0e,0x6a,0x25,0x66,0xdc,0x07,0x3e,0x34,
-+ 0x33,0x12,0x51,0x7c,0x6a,0xa5,0x15,0x2b,0x4b,0xfe,0xcd,0x2e,
-+ 0x55,0x1f,0xee,0x34,0x63,0x18,0xa1,0x53,0x42,0x3c,0x99,0x6b,
-+ 0x0d,0x5d,0xcb,0x91,0x02,0xae,0xdd,0x38,0x79,0x86,0x16,0xf1,
-+ 0xf1,0xe0,0xd6,0xc4,0x03,0x52,0x5b,0x1f,0x9b,0x3d,0x4d,0xc7,
-+ 0x66,0xde,0x2d,0xfc,0x4a,0x56,0xd7,0xb8,0xba,0x59,0x63,0xd6,
-+ 0x0f,0x3e,0x16,0x31,0x88,0x70,0xad,0x43,0x69,0x52,0xe5,0x57,
-+ 0x65,0x37,0x4e,0xab,0x85,0xe8,0xec,0x17,0xd6,0xb9,0xa4,0x54,
-+ 0x7b,0x9b,0x5f,0x27,0x52,0xf3,0x10,0x5b,0xe8,0x09,0xb2,0x3a,
-+ 0x2c,0x8d,0x74,0x69,0xdb,0x02,0xe2,0x4d,0x59,0x23,0x94,0xa7,
-+ 0xdb,0xa0,0x69,0xe9
-+};
-+
-+static const unsigned char dsa_test_2048_q[] = {
-+ 0xd2,0x77,0x04,0x4e,0x50,0xf5,0xa4,0xe3,0xf5,0x10,0xa5,0x0a,
-+ 0x0b,0x84,0xfd,0xff,0xbc,0xa0,0x47,0xed,0x27,0x60,0x20,0x56,
-+ 0x74,0x41,0xa0,0xa5
-+};
-+
-+static const unsigned char dsa_test_2048_g[] = {
-+ 0x13,0xd7,0x54,0xe2,0x1f,0xd2,0x41,0x65,0x5d,0xa8,0x91,0xc5,
-+ 0x22,0xa6,0x5a,0x72,0xa8,0x9b,0xdc,0x64,0xec,0x9b,0x54,0xa8,
-+ 0x21,0xed,0x4a,0x89,0x8b,0x49,0x0e,0x0c,0x4f,0xcb,0x72,0x19,
-+ 0x2a,0x4a,0x20,0xf5,0x41,0xf3,0xf2,0x92,0x53,0x99,0xf0,0xba,
-+ 0xec,0xf9,0x29,0xaa,0xfb,0xf7,0x9d,0xfe,0x43,0x32,0x39,0x3b,
-+ 0x32,0xcd,0x2e,0x2f,0xcf,0x27,0x2f,0x32,0xa6,0x27,0x43,0x4a,
-+ 0x0d,0xf2,0x42,0xb7,0x5b,0x41,0x4d,0xf3,0x72,0x12,0x1e,0x53,
-+ 0xa5,0x53,0xf2,0x22,0xf8,0x36,0xb0,0x00,0xf0,0x16,0x48,0x5b,
-+ 0x6b,0xd0,0x89,0x84,0x51,0x80,0x1d,0xcd,0x8d,0xe6,0x4c,0xd5,
-+ 0x36,0x56,0x96,0xff,0xc5,0x32,0xd5,0x28,0xc5,0x06,0x62,0x0a,
-+ 0x94,0x2a,0x03,0x05,0x04,0x6d,0x8f,0x18,0x76,0x34,0x1f,0x1e,
-+ 0x57,0x0b,0xc3,0x97,0x4b,0xa6,0xb9,0xa4,0x38,0xe9,0x70,0x23,
-+ 0x02,0xa2,0xe6,0xe6,0x7b,0xfd,0x06,0xd3,0x2b,0xc6,0x79,0x96,
-+ 0x22,0x71,0xd7,0xb4,0x0c,0xd7,0x2f,0x38,0x6e,0x64,0xe0,0xd7,
-+ 0xef,0x86,0xca,0x8c,0xa5,0xd1,0x42,0x28,0xdc,0x2a,0x4f,0x16,
-+ 0xe3,0x18,0x98,0x86,0xb5,0x99,0x06,0x74,0xf4,0x20,0x0f,0x3a,
-+ 0x4c,0xf6,0x5a,0x3f,0x0d,0xdb,0xa1,0xfa,0x67,0x2d,0xff,0x2f,
-+ 0x5e,0x14,0x3d,0x10,0xe4,0xe9,0x7a,0xe8,0x4f,0x6d,0xa0,0x95,
-+ 0x35,0xd5,0xb9,0xdf,0x25,0x91,0x81,0xa7,0x9b,0x63,0xb0,0x69,
-+ 0xe9,0x49,0x97,0x2b,0x02,0xba,0x36,0xb3,0x58,0x6a,0xab,0x7e,
-+ 0x45,0xf3,0x22,0xf8,0x2e,0x4e,0x85,0xca,0x3a,0xb8,0x55,0x91,
-+ 0xb3,0xc2,0xa9,0x66
-+};
-+
-+static const unsigned char dsa_test_2048_pub_key[] = {
-+ 0x24,0x52,0xf3,0xcc,0xbe,0x9e,0xd5,0xca,0x7d,0xc7,0x4c,0x60,
-+ 0x2b,0x99,0x22,0x6e,0x8f,0x2f,0xab,0x38,0xe7,0xd7,0xdd,0xfb,
-+ 0x75,0x53,0x9b,0x17,0x15,0x5e,0x9f,0xcf,0xd1,0xab,0xa5,0x64,
-+ 0xeb,0x85,0x35,0xd8,0x12,0xc9,0xc2,0xdc,0xf9,0x72,0x84,0x44,
-+ 0x1b,0xc4,0x82,0x24,0x36,0x24,0xc7,0xf4,0x57,0x58,0x0c,0x1c,
-+ 0x38,0xa5,0x7c,0x46,0xc4,0x57,0x39,0x24,0x70,0xed,0xb5,0x2c,
-+ 0xb5,0xa6,0xe0,0x3f,0xe6,0x28,0x7b,0xb6,0xf4,0x9a,0x42,0xa2,
-+ 0x06,0x5a,0x05,0x4f,0x03,0x08,0x39,0xdf,0x1f,0xd3,0x14,0x9c,
-+ 0x4c,0xa0,0x53,0x1d,0xd8,0xca,0x8a,0xaa,0x9c,0xc7,0x33,0x71,
-+ 0x93,0x38,0x73,0x48,0x33,0x61,0x18,0x22,0x45,0x45,0xe8,0x8c,
-+ 0x80,0xff,0xd8,0x76,0x5d,0x74,0x36,0x03,0x33,0xcc,0xab,0x99,
-+ 0x72,0x77,0x9b,0x65,0x25,0xa6,0x5b,0xdd,0x0d,0x10,0xc6,0x75,
-+ 0xc1,0x09,0xbb,0xd3,0xe5,0xbe,0x4d,0x72,0xef,0x6e,0xba,0x6e,
-+ 0x43,0x8d,0x52,0x26,0x23,0x7d,0xb8,0x88,0x37,0x9c,0x5f,0xcc,
-+ 0x47,0xa3,0x84,0x7f,0xf6,0x37,0x11,0xba,0xed,0x6d,0x03,0xaf,
-+ 0xe8,0x1e,0x69,0x4a,0x41,0x3b,0x68,0x0b,0xd3,0x8a,0xb4,0x90,
-+ 0x3f,0x83,0x70,0xa7,0x07,0xef,0x55,0x1d,0x49,0x41,0x02,0x6d,
-+ 0x95,0x79,0xd6,0x91,0xde,0x8e,0xda,0xa1,0x61,0x05,0xeb,0x9d,
-+ 0xba,0x3c,0x2f,0x4c,0x1b,0xec,0x50,0x82,0x75,0xaa,0x02,0x07,
-+ 0xe2,0x51,0xb5,0xec,0xcb,0x28,0x6a,0x4b,0x01,0xd4,0x49,0xd3,
-+ 0x0a,0xcb,0x67,0x37,0x17,0xa0,0xd2,0xfb,0x3b,0x50,0xc8,0x93,
-+ 0xf7,0xda,0xb1,0x4f
-+};
-+
-+static const unsigned char dsa_test_2048_priv_key[] = {
-+ 0x0c,0x4b,0x30,0x89,0xd1,0xb8,0x62,0xcb,0x3c,0x43,0x64,0x91,
-+ 0xf0,0x91,0x54,0x70,0xc5,0x27,0x96,0xe3,0xac,0xbe,0xe8,0x00,
-+ 0xec,0x55,0xf6,0xcc
-+};
-+
-+static int corrupt_dsa;
-+
-+void FIPS_corrupt_dsa()
-+ {
-+ corrupt_dsa = 1;
-+ }
-+
-+int FIPS_selftest_dsa()
-+ {
-+ DSA *dsa = NULL;
-+ EVP_PKEY *pk = NULL;
-+ int ret = 0;
-+
-+ dsa = DSA_new();
-+
-+ if(dsa == NULL)
-+ goto err;
-+
-+ fips_load_key_component(dsa, p, dsa_test_2048);
-+ fips_load_key_component(dsa, q, dsa_test_2048);
-+ fips_load_key_component(dsa, g, dsa_test_2048);
-+ fips_load_key_component(dsa, pub_key, dsa_test_2048);
-+ fips_load_key_component(dsa, priv_key, dsa_test_2048);
-+
-+ if (corrupt_dsa)
-+ BN_set_bit(dsa->pub_key, 2047);
-+
-+ if ((pk=EVP_PKEY_new()) == NULL)
-+ goto err;
-+
-+ EVP_PKEY_assign_DSA(pk, dsa);
-+
-+ if (!fips_pkey_signature_test(pk, NULL, 0,
-+ NULL, 0, EVP_sha256(), 0,
-+ "DSA SHA256"))
-+ goto err;
-+ ret = 1;
-+
-+ err:
-+ if (pk)
-+ EVP_PKEY_free(pk);
-+ else if (dsa)
-+ DSA_free(dsa);
-+ return ret;
-+ }
-+#endif
-diff -up openssl-1.0.1e/crypto/fips/fips_enc.c.fips openssl-1.0.1e/crypto/fips/fips_enc.c
---- openssl-1.0.1e/crypto/fips/fips_enc.c.fips 2013-10-04 11:48:04.185694249 +0200
-+++ openssl-1.0.1e/crypto/fips/fips_enc.c 2013-10-04 11:48:04.185694249 +0200
-@@ -0,0 +1,191 @@
-+/* fipe/evp/fips_enc.c */
-+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
-+ * All rights reserved.
-+ *
-+ * This package is an SSL implementation written
-+ * by Eric Young (eay@cryptsoft.com).
-+ * The implementation was written so as to conform with Netscapes SSL.
-+ *
-+ * This library is free for commercial and non-commercial use as long as
-+ * the following conditions are aheared to. The following conditions
-+ * apply to all code found in this distribution, be it the RC4, RSA,
-+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
-+ * included with this distribution is covered by the same copyright terms
-+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
-+ *
-+ * Copyright remains Eric Young's, and as such any Copyright notices in
-+ * the code are not to be removed.
-+ * If this package is used in a product, Eric Young should be given attribution
-+ * as the author of the parts of the library used.
-+ * This can be in the form of a textual message at program startup or
-+ * in documentation (online or textual) provided with the package.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ * 1. Redistributions of source code must retain the copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in the
-+ * documentation and/or other materials provided with the distribution.
-+ * 3. All advertising materials mentioning features or use of this software
-+ * must display the following acknowledgement:
-+ * "This product includes cryptographic software written by
-+ * Eric Young (eay@cryptsoft.com)"
-+ * The word 'cryptographic' can be left out if the rouines from the library
-+ * being used are not cryptographic related :-).
-+ * 4. If you include any Windows specific code (or a derivative thereof) from
-+ * the apps directory (application code) you must include an acknowledgement:
-+ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
-+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-+ * SUCH DAMAGE.
-+ *
-+ * The licence and distribution terms for any publically available version or
-+ * derivative of this code cannot be changed. i.e. this code cannot simply be
-+ * copied and put under another distribution licence
-+ * [including the GNU Public Licence.]
-+ */
-+
-+#include <stdio.h>
-+#include <string.h>
-+#include <openssl/evp.h>
-+#include <openssl/err.h>
-+#include <openssl/fips.h>
-+
-+const EVP_CIPHER *FIPS_get_cipherbynid(int nid)
-+ {
-+ switch (nid)
-+ {
-+ case NID_aes_128_cbc:
-+ return EVP_aes_128_cbc();
-+
-+ case NID_aes_128_ccm:
-+ return EVP_aes_128_ccm();
-+
-+ case NID_aes_128_cfb1:
-+ return EVP_aes_128_cfb1();
-+
-+ case NID_aes_128_cfb128:
-+ return EVP_aes_128_cfb128();
-+
-+ case NID_aes_128_cfb8:
-+ return EVP_aes_128_cfb8();
-+
-+ case NID_aes_128_ctr:
-+ return EVP_aes_128_ctr();
-+
-+ case NID_aes_128_ecb:
-+ return EVP_aes_128_ecb();
-+
-+ case NID_aes_128_gcm:
-+ return EVP_aes_128_gcm();
-+
-+ case NID_aes_128_ofb128:
-+ return EVP_aes_128_ofb();
-+
-+ case NID_aes_128_xts:
-+ return EVP_aes_128_xts();
-+
-+ case NID_aes_192_cbc:
-+ return EVP_aes_192_cbc();
-+
-+ case NID_aes_192_ccm:
-+ return EVP_aes_192_ccm();
-+
-+ case NID_aes_192_cfb1:
-+ return EVP_aes_192_cfb1();
-+
-+ case NID_aes_192_cfb128:
-+ return EVP_aes_192_cfb128();
-+
-+ case NID_aes_192_cfb8:
-+ return EVP_aes_192_cfb8();
-+
-+ case NID_aes_192_ctr:
-+ return EVP_aes_192_ctr();
-+
-+ case NID_aes_192_ecb:
-+ return EVP_aes_192_ecb();
-+
-+ case NID_aes_192_gcm:
-+ return EVP_aes_192_gcm();
-+
-+ case NID_aes_192_ofb128:
-+ return EVP_aes_192_ofb();
-+
-+ case NID_aes_256_cbc:
-+ return EVP_aes_256_cbc();
-+
-+ case NID_aes_256_ccm:
-+ return EVP_aes_256_ccm();
-+
-+ case NID_aes_256_cfb1:
-+ return EVP_aes_256_cfb1();
-+
-+ case NID_aes_256_cfb128:
-+ return EVP_aes_256_cfb128();
-+
-+ case NID_aes_256_cfb8:
-+ return EVP_aes_256_cfb8();
-+
-+ case NID_aes_256_ctr:
-+ return EVP_aes_256_ctr();
-+
-+ case NID_aes_256_ecb:
-+ return EVP_aes_256_ecb();
-+
-+ case NID_aes_256_gcm:
-+ return EVP_aes_256_gcm();
-+
-+ case NID_aes_256_ofb128:
-+ return EVP_aes_256_ofb();
-+
-+ case NID_aes_256_xts:
-+ return EVP_aes_256_xts();
-+
-+ case NID_des_ede_ecb:
-+ return EVP_des_ede();
-+
-+ case NID_des_ede3_ecb:
-+ return EVP_des_ede3();
-+
-+ case NID_des_ede3_cbc:
-+ return EVP_des_ede3_cbc();
-+
-+ case NID_des_ede3_cfb1:
-+ return EVP_des_ede3_cfb1();
-+
-+ case NID_des_ede3_cfb64:
-+ return EVP_des_ede3_cfb64();
-+
-+ case NID_des_ede3_cfb8:
-+ return EVP_des_ede3_cfb8();
-+
-+ case NID_des_ede3_ofb64:
-+ return EVP_des_ede3_ofb();
-+
-+ case NID_des_ede_cbc:
-+ return EVP_des_ede_cbc();
-+
-+ case NID_des_ede_cfb64:
-+ return EVP_des_ede_cfb64();
-+
-+ case NID_des_ede_ofb64:
-+ return EVP_des_ede_ofb();
-+
-+ default:
-+ return NULL;
-+
-+ }
-+ }
-+
-diff -up openssl-1.0.1e/crypto/fips/fips.h.fips openssl-1.0.1e/crypto/fips/fips.h
---- openssl-1.0.1e/crypto/fips/fips.h.fips 2013-10-04 11:48:04.186694271 +0200
-+++ openssl-1.0.1e/crypto/fips/fips.h 2013-10-04 11:48:04.186694271 +0200
-@@ -0,0 +1,279 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <openssl/opensslconf.h>
-+#include <openssl/crypto.h>
-+#include <stdarg.h>
-+
-+#ifndef OPENSSL_FIPS
-+#error FIPS is disabled.
-+#endif
-+
-+#ifdef OPENSSL_FIPS
-+
-+#ifdef __cplusplus
-+extern "C" {
-+#endif
-+
-+struct dsa_st;
-+struct rsa_st;
-+struct evp_pkey_st;
-+struct env_md_st;
-+struct env_md_ctx_st;
-+struct evp_cipher_st;
-+struct evp_cipher_ctx_st;
-+struct dh_method;
-+struct CMAC_CTX_st;
-+struct hmac_ctx_st;
-+
-+int FIPS_module_mode_set(int onoff, const char *auth);
-+int FIPS_module_mode(void);
-+const void *FIPS_rand_check(void);
-+int FIPS_selftest(void);
-+int FIPS_selftest_failed(void);
-+void FIPS_corrupt_sha1(void);
-+int FIPS_selftest_sha1(void);
-+int FIPS_selftest_sha2(void);
-+void FIPS_corrupt_aes(void);
-+int FIPS_selftest_aes_ccm(void);
-+int FIPS_selftest_aes_gcm(void);
-+int FIPS_selftest_aes_xts(void);
-+int FIPS_selftest_aes(void);
-+void FIPS_corrupt_des(void);
-+int FIPS_selftest_des(void);
-+void FIPS_corrupt_rsa(void);
-+void FIPS_corrupt_rsa_keygen(void);
-+int FIPS_selftest_rsa(void);
-+void FIPS_corrupt_dsa(void);
-+void FIPS_corrupt_dsa_keygen(void);
-+int FIPS_selftest_dsa(void);
-+void FIPS_corrupt_rng(void);
-+void FIPS_rng_stick(void);
-+void FIPS_x931_stick(int onoff);
-+void FIPS_drbg_stick(int onoff);
-+int FIPS_selftest_rng(void);
-+int FIPS_selftest_x931(void);
-+int FIPS_selftest_hmac(void);
-+int FIPS_selftest_drbg(void);
-+int FIPS_selftest_drbg_all(void);
-+int FIPS_selftest_cmac(void);
-+
-+void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr);
-+
-+#define FIPS_ERROR_IGNORED(alg) OpenSSLDie(__FILE__, __LINE__, \
-+ alg " previous FIPS forbidden algorithm error ignored");
-+
-+int fips_pkey_signature_test(struct evp_pkey_st *pkey,
-+ const unsigned char *tbs, int tbslen,
-+ const unsigned char *kat, unsigned int katlen,
-+ const struct env_md_st *digest, unsigned int md_flags,
-+ const char *fail_str);
-+
-+int fips_cipher_test(struct evp_cipher_ctx_st *ctx,
-+ const struct evp_cipher_st *cipher,
-+ const unsigned char *key,
-+ const unsigned char *iv,
-+ const unsigned char *plaintext,
-+ const unsigned char *ciphertext,
-+ int len);
-+
-+void fips_set_selftest_fail(void);
-+
-+const struct env_md_st *FIPS_get_digestbynid(int nid);
-+
-+const struct evp_cipher_st *FIPS_get_cipherbynid(int nid);
-+
-+
-+/* BEGIN ERROR CODES */
-+/* The following lines are auto generated by the script mkerr.pl. Any changes
-+ * made after this point may be overwritten when the script is next run.
-+ */
-+void ERR_load_FIPS_strings(void);
-+
-+/* Error codes for the FIPS functions. */
-+
-+/* Function codes. */
-+#define FIPS_F_DH_BUILTIN_GENPARAMS 100
-+#define FIPS_F_DH_INIT 148
-+#define FIPS_F_DRBG_RESEED 162
-+#define FIPS_F_DSA_BUILTIN_PARAMGEN 101
-+#define FIPS_F_DSA_BUILTIN_PARAMGEN2 107
-+#define FIPS_F_DSA_DO_SIGN 102
-+#define FIPS_F_DSA_DO_VERIFY 103
-+#define FIPS_F_ECDH_COMPUTE_KEY 163
-+#define FIPS_F_ECDSA_DO_SIGN 164
-+#define FIPS_F_ECDSA_DO_VERIFY 165
-+#define FIPS_F_EC_KEY_GENERATE_KEY 166
-+#define FIPS_F_EVP_CIPHERINIT_EX 124
-+#define FIPS_F_EVP_DIGESTINIT_EX 125
-+#define FIPS_F_FIPS_CHECK_DSA 104
-+#define FIPS_F_FIPS_CHECK_DSA_PRNG 151
-+#define FIPS_F_FIPS_CHECK_EC 142
-+#define FIPS_F_FIPS_CHECK_EC_PRNG 152
-+#define FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT 105
-+#define FIPS_F_FIPS_CHECK_RSA 106
-+#define FIPS_F_FIPS_CHECK_RSA_PRNG 150
-+#define FIPS_F_FIPS_CIPHER 160
-+#define FIPS_F_FIPS_CIPHERINIT 143
-+#define FIPS_F_FIPS_CIPHER_CTX_CTRL 161
-+#define FIPS_F_FIPS_DIGESTFINAL 158
-+#define FIPS_F_FIPS_DIGESTINIT 128
-+#define FIPS_F_FIPS_DIGESTUPDATE 159
-+#define FIPS_F_FIPS_DRBG_BYTES 131
-+#define FIPS_F_FIPS_DRBG_CHECK 146
-+#define FIPS_F_FIPS_DRBG_CPRNG_TEST 132
-+#define FIPS_F_FIPS_DRBG_ERROR_CHECK 136
-+#define FIPS_F_FIPS_DRBG_GENERATE 134
-+#define FIPS_F_FIPS_DRBG_INIT 135
-+#define FIPS_F_FIPS_DRBG_INSTANTIATE 138
-+#define FIPS_F_FIPS_DRBG_NEW 139
-+#define FIPS_F_FIPS_DRBG_RESEED 140
-+#define FIPS_F_FIPS_DRBG_SINGLE_KAT 141
-+#define FIPS_F_FIPS_DSA_CHECK /* unused */ 107
-+#define FIPS_F_FIPS_DSA_SIGN_DIGEST 154
-+#define FIPS_F_FIPS_DSA_VERIFY_DIGEST 155
-+#define FIPS_F_FIPS_GET_ENTROPY 147
-+#define FIPS_F_FIPS_MODE_SET /* unused */ 108
-+#define FIPS_F_FIPS_MODULE_MODE_SET 108
-+#define FIPS_F_FIPS_PKEY_SIGNATURE_TEST 109
-+#define FIPS_F_FIPS_RAND_ADD 137
-+#define FIPS_F_FIPS_RAND_BYTES 122
-+#define FIPS_F_FIPS_RAND_PSEUDO_BYTES 167
-+#define FIPS_F_FIPS_RAND_SEED 168
-+#define FIPS_F_FIPS_RAND_SET_METHOD 126
-+#define FIPS_F_FIPS_RAND_STATUS 127
-+#define FIPS_F_FIPS_RSA_SIGN_DIGEST 156
-+#define FIPS_F_FIPS_RSA_VERIFY_DIGEST 157
-+#define FIPS_F_FIPS_SELFTEST_AES 110
-+#define FIPS_F_FIPS_SELFTEST_AES_CCM 145
-+#define FIPS_F_FIPS_SELFTEST_AES_GCM 129
-+#define FIPS_F_FIPS_SELFTEST_AES_XTS 144
-+#define FIPS_F_FIPS_SELFTEST_CMAC 130
-+#define FIPS_F_FIPS_SELFTEST_DES 111
-+#define FIPS_F_FIPS_SELFTEST_DSA 112
-+#define FIPS_F_FIPS_SELFTEST_ECDSA 133
-+#define FIPS_F_FIPS_SELFTEST_HMAC 113
-+#define FIPS_F_FIPS_SELFTEST_RNG /* unused */ 114
-+#define FIPS_F_FIPS_SELFTEST_SHA1 115
-+#define FIPS_F_FIPS_SELFTEST_X931 114
-+#define FIPS_F_FIPS_SET_PRNG_KEY 153
-+#define FIPS_F_HASH_FINAL 123
-+#define FIPS_F_RSA_BUILTIN_KEYGEN 116
-+#define FIPS_F_RSA_EAY_INIT 149
-+#define FIPS_F_RSA_EAY_PRIVATE_DECRYPT 117
-+#define FIPS_F_RSA_EAY_PRIVATE_ENCRYPT 118
-+#define FIPS_F_RSA_EAY_PUBLIC_DECRYPT 119
-+#define FIPS_F_RSA_EAY_PUBLIC_ENCRYPT 120
-+#define FIPS_F_RSA_X931_GENERATE_KEY_EX 121
-+#define FIPS_F_SSLEAY_RAND_BYTES /* unused */ 122
-+
-+/* Reason codes. */
-+#define FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED 150
-+#define FIPS_R_ADDITIONAL_INPUT_TOO_LONG 125
-+#define FIPS_R_ALREADY_INSTANTIATED 134
-+#define FIPS_R_AUTHENTICATION_FAILURE 151
-+#define FIPS_R_CANNOT_READ_EXE /* unused */ 103
-+#define FIPS_R_CANNOT_READ_EXE_DIGEST /* unused */ 104
-+#define FIPS_R_CONTRADICTING_EVIDENCE 114
-+#define FIPS_R_DRBG_NOT_INITIALISED 152
-+#define FIPS_R_DRBG_STUCK 103
-+#define FIPS_R_ENTROPY_ERROR_UNDETECTED 104
-+#define FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED 105
-+#define FIPS_R_ENTROPY_SOURCE_STUCK 142
-+#define FIPS_R_ERROR_INITIALISING_DRBG 115
-+#define FIPS_R_ERROR_INSTANTIATING_DRBG 127
-+#define FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT 124
-+#define FIPS_R_ERROR_RETRIEVING_ENTROPY 122
-+#define FIPS_R_ERROR_RETRIEVING_NONCE 140
-+#define FIPS_R_EXE_DIGEST_DOES_NOT_MATCH /* unused */ 105
-+#define FIPS_R_FINGERPRINT_DOES_NOT_MATCH 110
-+#define FIPS_R_FINGERPRINT_DOES_NOT_MATCH_NONPIC_RELOCATED 111
-+#define FIPS_R_FINGERPRINT_DOES_NOT_MATCH_SEGMENT_ALIASING 112
-+#define FIPS_R_FIPS_MODE_ALREADY_SET 102
-+#define FIPS_R_FIPS_SELFTEST_FAILED 106
-+#define FIPS_R_FUNCTION_ERROR 116
-+#define FIPS_R_GENERATE_ERROR 137
-+#define FIPS_R_GENERATE_ERROR_UNDETECTED 118
-+#define FIPS_R_INSTANTIATE_ERROR 119
-+#define FIPS_R_INSUFFICIENT_SECURITY_STRENGTH 120
-+#define FIPS_R_INTERNAL_ERROR 121
-+#define FIPS_R_INVALID_KEY_LENGTH 109
-+#define FIPS_R_INVALID_PARAMETERS 144
-+#define FIPS_R_IN_ERROR_STATE 123
-+#define FIPS_R_KEY_TOO_SHORT 108
-+#define FIPS_R_NONCE_ERROR_UNDETECTED 149
-+#define FIPS_R_NON_FIPS_METHOD 100
-+#define FIPS_R_NOPR_TEST1_FAILURE 145
-+#define FIPS_R_NOPR_TEST2_FAILURE 146
-+#define FIPS_R_NOT_INSTANTIATED 126
-+#define FIPS_R_PAIRWISE_TEST_FAILED 107
-+#define FIPS_R_PERSONALISATION_ERROR_UNDETECTED 128
-+#define FIPS_R_PERSONALISATION_STRING_TOO_LONG 129
-+#define FIPS_R_PRNG_STRENGTH_TOO_LOW 143
-+#define FIPS_R_PR_TEST1_FAILURE 147
-+#define FIPS_R_PR_TEST2_FAILURE 148
-+#define FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED 130
-+#define FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG 131
-+#define FIPS_R_RESEED_COUNTER_ERROR 132
-+#define FIPS_R_RESEED_ERROR 133
-+#define FIPS_R_RSA_DECRYPT_ERROR /* unused */ 115
-+#define FIPS_R_RSA_ENCRYPT_ERROR /* unused */ 116
-+#define FIPS_R_SELFTEST_FAILED 101
-+#define FIPS_R_SELFTEST_FAILURE 135
-+#define FIPS_R_STRENGTH_ERROR_UNDETECTED 136
-+#define FIPS_R_TEST_FAILURE 117
-+#define FIPS_R_UNINSTANTIATE_ERROR 141
-+#define FIPS_R_UNINSTANTIATE_ZEROISE_ERROR 138
-+#define FIPS_R_UNSUPPORTED_DRBG_TYPE 139
-+#define FIPS_R_UNSUPPORTED_PLATFORM 113
-+
-+#ifdef __cplusplus
-+}
-+#endif
-+#endif
-diff -up openssl-1.0.1e/crypto/fips/fips_hmac_selftest.c.fips openssl-1.0.1e/crypto/fips/fips_hmac_selftest.c
---- openssl-1.0.1e/crypto/fips/fips_hmac_selftest.c.fips 2013-10-04 11:48:04.186694271 +0200
-+++ openssl-1.0.1e/crypto/fips/fips_hmac_selftest.c 2013-10-04 11:48:04.186694271 +0200
-@@ -0,0 +1,137 @@
-+/* ====================================================================
-+ * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <string.h>
-+#include <openssl/err.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-+#include <openssl/hmac.h>
-+
-+#ifdef OPENSSL_FIPS
-+typedef struct {
-+ const EVP_MD *(*alg)(void);
-+ const char *key, *iv;
-+ unsigned char kaval[EVP_MAX_MD_SIZE];
-+} HMAC_KAT;
-+
-+static const HMAC_KAT vector[] = {
-+ { EVP_sha1,
-+ /* from http://csrc.nist.gov/publications/fips/fips198/fips-198a.pdf */
-+ "0123456789:;<=>?@ABC",
-+ "Sample #2",
-+ { 0x09,0x22,0xd3,0x40,0x5f,0xaa,0x3d,0x19,
-+ 0x4f,0x82,0xa4,0x58,0x30,0x73,0x7d,0x5c,
-+ 0xc6,0xc7,0x5d,0x24 }
-+ },
-+ { EVP_sha224,
-+ /* just keep extending the above... */
-+ "0123456789:;<=>?@ABC",
-+ "Sample #2",
-+ { 0xdd,0xef,0x0a,0x40,0xcb,0x7d,0x50,0xfb,
-+ 0x6e,0xe6,0xce,0xa1,0x20,0xba,0x26,0xaa,
-+ 0x08,0xf3,0x07,0x75,0x87,0xb8,0xad,0x1b,
-+ 0x8c,0x8d,0x12,0xc7 }
-+ },
-+ { EVP_sha256,
-+ "0123456789:;<=>?@ABC",
-+ "Sample #2",
-+ { 0xb8,0xf2,0x0d,0xb5,0x41,0xea,0x43,0x09,
-+ 0xca,0x4e,0xa9,0x38,0x0c,0xd0,0xe8,0x34,
-+ 0xf7,0x1f,0xbe,0x91,0x74,0xa2,0x61,0x38,
-+ 0x0d,0xc1,0x7e,0xae,0x6a,0x34,0x51,0xd9 }
-+ },
-+ { EVP_sha384,
-+ "0123456789:;<=>?@ABC",
-+ "Sample #2",
-+ { 0x08,0xbc,0xb0,0xda,0x49,0x1e,0x87,0xad,
-+ 0x9a,0x1d,0x6a,0xce,0x23,0xc5,0x0b,0xf6,
-+ 0xb7,0x18,0x06,0xa5,0x77,0xcd,0x49,0x04,
-+ 0x89,0xf1,0xe6,0x23,0x44,0x51,0x51,0x9f,
-+ 0x85,0x56,0x80,0x79,0x0c,0xbd,0x4d,0x50,
-+ 0xa4,0x5f,0x29,0xe3,0x93,0xf0,0xe8,0x7f }
-+ },
-+ { EVP_sha512,
-+ "0123456789:;<=>?@ABC",
-+ "Sample #2",
-+ { 0x80,0x9d,0x44,0x05,0x7c,0x5b,0x95,0x41,
-+ 0x05,0xbd,0x04,0x13,0x16,0xdb,0x0f,0xac,
-+ 0x44,0xd5,0xa4,0xd5,0xd0,0x89,0x2b,0xd0,
-+ 0x4e,0x86,0x64,0x12,0xc0,0x90,0x77,0x68,
-+ 0xf1,0x87,0xb7,0x7c,0x4f,0xae,0x2c,0x2f,
-+ 0x21,0xa5,0xb5,0x65,0x9a,0x4f,0x4b,0xa7,
-+ 0x47,0x02,0xa3,0xde,0x9b,0x51,0xf1,0x45,
-+ 0xbd,0x4f,0x25,0x27,0x42,0x98,0x99,0x05 }
-+ },
-+};
-+
-+int FIPS_selftest_hmac()
-+ {
-+ int n;
-+ unsigned int outlen;
-+ unsigned char out[EVP_MAX_MD_SIZE];
-+ const EVP_MD *md;
-+ const HMAC_KAT *t;
-+
-+ for(n=0,t=vector; n<sizeof(vector)/sizeof(vector[0]); n++,t++)
-+ {
-+ md = (*t->alg)();
-+ HMAC(md,t->key,strlen(t->key),
-+ (const unsigned char *)t->iv,strlen(t->iv),
-+ out,&outlen);
-+
-+ if(memcmp(out,t->kaval,outlen))
-+ {
-+ FIPSerr(FIPS_F_FIPS_SELFTEST_HMAC,FIPS_R_SELFTEST_FAILED);
-+ return 0;
-+ }
-+ }
-+ return 1;
-+ }
-+#endif
-diff -up openssl-1.0.1e/crypto/fips/fips_locl.h.fips openssl-1.0.1e/crypto/fips/fips_locl.h
---- openssl-1.0.1e/crypto/fips/fips_locl.h.fips 2013-10-04 11:48:04.186694271 +0200
-+++ openssl-1.0.1e/crypto/fips/fips_locl.h 2013-10-04 11:48:04.186694271 +0200
-@@ -0,0 +1,71 @@
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#ifdef OPENSSL_FIPS
-+
-+#ifdef __cplusplus
-+extern "C" {
-+#endif
-+
-+#define FIPS_MAX_CIPHER_TEST_SIZE 32
-+#define fips_load_key_component(key, comp, pre) \
-+ key->comp = BN_bin2bn(pre##_##comp, sizeof(pre##_##comp), key->comp); \
-+ if (!key->comp) \
-+ goto err
-+
-+#define fips_post_started(id, subid, ex) 1
-+#define fips_post_success(id, subid, ex) 1
-+#define fips_post_failed(id, subid, ex) 1
-+#define fips_post_corrupt(id, subid, ex) 1
-+#define fips_post_status() 1
-+
-+#ifdef __cplusplus
-+}
-+#endif
-+#endif
-diff -up openssl-1.0.1e/crypto/fips/fips_md.c.fips openssl-1.0.1e/crypto/fips/fips_md.c
---- openssl-1.0.1e/crypto/fips/fips_md.c.fips 2013-10-04 11:48:04.186694271 +0200
-+++ openssl-1.0.1e/crypto/fips/fips_md.c 2013-10-04 11:48:04.186694271 +0200
-@@ -0,0 +1,145 @@
-+/* fips/evp/fips_md.c */
-+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
-+ * All rights reserved.
-+ *
-+ * This package is an SSL implementation written
-+ * by Eric Young (eay@cryptsoft.com).
-+ * The implementation was written so as to conform with Netscapes SSL.
-+ *
-+ * This library is free for commercial and non-commercial use as long as
-+ * the following conditions are aheared to. The following conditions
-+ * apply to all code found in this distribution, be it the RC4, RSA,
-+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
-+ * included with this distribution is covered by the same copyright terms
-+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
-+ *
-+ * Copyright remains Eric Young's, and as such any Copyright notices in
-+ * the code are not to be removed.
-+ * If this package is used in a product, Eric Young should be given attribution
-+ * as the author of the parts of the library used.
-+ * This can be in the form of a textual message at program startup or
-+ * in documentation (online or textual) provided with the package.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ * 1. Redistributions of source code must retain the copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in the
-+ * documentation and/or other materials provided with the distribution.
-+ * 3. All advertising materials mentioning features or use of this software
-+ * must display the following acknowledgement:
-+ * "This product includes cryptographic software written by
-+ * Eric Young (eay@cryptsoft.com)"
-+ * The word 'cryptographic' can be left out if the rouines from the library
-+ * being used are not cryptographic related :-).
-+ * 4. If you include any Windows specific code (or a derivative thereof) from
-+ * the apps directory (application code) you must include an acknowledgement:
-+ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
-+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-+ * SUCH DAMAGE.
-+ *
-+ * The licence and distribution terms for any publically available version or
-+ * derivative of this code cannot be changed. i.e. this code cannot simply be
-+ * copied and put under another distribution licence
-+ * [including the GNU Public Licence.]
-+ */
-+/* ====================================================================
-+ * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ *
-+ * This product includes cryptographic software written by Eric Young
-+ * (eay@cryptsoft.com). This product includes software written by Tim
-+ * Hudson (tjh@cryptsoft.com).
-+ *
-+ */
-+
-+/* Minimal standalone FIPS versions of Digest operations */
-+
-+#define OPENSSL_FIPSAPI
-+
-+#include <stdio.h>
-+#include <string.h>
-+#include <openssl/objects.h>
-+#include <openssl/evp.h>
-+#include <openssl/err.h>
-+#include <openssl/fips.h>
-+
-+const EVP_MD *FIPS_get_digestbynid(int nid)
-+ {
-+ switch (nid)
-+ {
-+ case NID_sha1:
-+ return EVP_sha1();
-+
-+ case NID_sha224:
-+ return EVP_sha224();
-+
-+ case NID_sha256:
-+ return EVP_sha256();
-+
-+ case NID_sha384:
-+ return EVP_sha384();
-+
-+ case NID_sha512:
-+ return EVP_sha512();
-+
-+ default:
-+ return NULL;
-+ }
-+ }
-diff -up openssl-1.0.1e/crypto/fips/fips_post.c.fips openssl-1.0.1e/crypto/fips/fips_post.c
---- openssl-1.0.1e/crypto/fips/fips_post.c.fips 2013-10-04 11:48:04.186694271 +0200
-+++ openssl-1.0.1e/crypto/fips/fips_post.c 2013-10-04 11:48:04.186694271 +0200
-@@ -0,0 +1,205 @@
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#define OPENSSL_FIPSAPI
-+
-+#include <openssl/crypto.h>
-+#include <openssl/rand.h>
-+#include <openssl/fips_rand.h>
-+#include <openssl/err.h>
-+#include <openssl/bio.h>
-+#include <openssl/hmac.h>
-+#include <openssl/rsa.h>
-+#include <openssl/dsa.h>
-+#include <string.h>
-+#include <limits.h>
-+
-+#ifdef OPENSSL_FIPS
-+
-+/* Power on self test (POST) support functions */
-+
-+#include <openssl/fips.h>
-+#include "fips_locl.h"
-+
-+/* Run all selftests */
-+int FIPS_selftest(void)
-+ {
-+ int rv = 1;
-+ if (!FIPS_selftest_drbg())
-+ rv = 0;
-+ if (!FIPS_selftest_x931())
-+ rv = 0;
-+ if (!FIPS_selftest_sha1())
-+ rv = 0;
-+ if (!FIPS_selftest_sha2())
-+ rv = 0;
-+ if (!FIPS_selftest_hmac())
-+ rv = 0;
-+ if (!FIPS_selftest_cmac())
-+ rv = 0;
-+ if (!FIPS_selftest_aes())
-+ rv = 0;
-+ if (!FIPS_selftest_aes_ccm())
-+ rv = 0;
-+ if (!FIPS_selftest_aes_gcm())
-+ rv = 0;
-+ if (!FIPS_selftest_aes_xts())
-+ rv = 0;
-+ if (!FIPS_selftest_des())
-+ rv = 0;
-+ if (!FIPS_selftest_rsa())
-+ rv = 0;
-+ if (!FIPS_selftest_dsa())
-+ rv = 0;
-+ return rv;
-+ }
-+
-+/* Generalized public key test routine. Signs and verifies the data
-+ * supplied in tbs using mesage digest md and setting option digest
-+ * flags md_flags. If the 'kat' parameter is not NULL it will
-+ * additionally check the signature matches it: a known answer test
-+ * The string "fail_str" is used for identification purposes in case
-+ * of failure. If "pkey" is NULL just perform a message digest check.
-+ */
-+
-+int fips_pkey_signature_test(EVP_PKEY *pkey,
-+ const unsigned char *tbs, int tbslen,
-+ const unsigned char *kat, unsigned int katlen,
-+ const EVP_MD *digest, unsigned int md_flags,
-+ const char *fail_str)
-+ {
-+ int ret = 0;
-+ unsigned char sigtmp[256], *sig = sigtmp;
-+ unsigned int siglen;
-+ EVP_MD_CTX mctx;
-+ EVP_MD_CTX_init(&mctx);
-+
-+ if (digest == NULL)
-+ digest = EVP_sha256();
-+
-+ if ((pkey->type == EVP_PKEY_RSA)
-+ && (RSA_size(pkey->pkey.rsa) > sizeof(sigtmp)))
-+ {
-+ sig = OPENSSL_malloc(RSA_size(pkey->pkey.rsa));
-+ if (!sig)
-+ {
-+ FIPSerr(FIPS_F_FIPS_PKEY_SIGNATURE_TEST,ERR_R_MALLOC_FAILURE);
-+ return 0;
-+ }
-+ }
-+
-+ if (tbslen == -1)
-+ tbslen = strlen((char *)tbs);
-+
-+ if (md_flags)
-+ EVP_MD_CTX_set_flags(&mctx, md_flags);
-+
-+ if (!EVP_SignInit_ex(&mctx, digest, NULL))
-+ goto error;
-+ if (!EVP_SignUpdate(&mctx, tbs, tbslen))
-+ goto error;
-+ if (!EVP_SignFinal(&mctx, sig, &siglen, pkey))
-+ goto error;
-+
-+ if (kat && ((siglen != katlen) || memcmp(kat, sig, katlen)))
-+ goto error;
-+
-+ if (!EVP_VerifyInit_ex(&mctx, digest, NULL))
-+ goto error;
-+ if (!EVP_VerifyUpdate(&mctx, tbs, tbslen))
-+ goto error;
-+ ret = EVP_VerifyFinal(&mctx, sig, siglen, pkey);
-+
-+ error:
-+ if (sig != sigtmp)
-+ OPENSSL_free(sig);
-+ EVP_MD_CTX_cleanup(&mctx);
-+ if (ret != 1)
-+ {
-+ FIPSerr(FIPS_F_FIPS_PKEY_SIGNATURE_TEST,FIPS_R_TEST_FAILURE);
-+ if (fail_str)
-+ ERR_add_error_data(2, "Type=", fail_str);
-+ return 0;
-+ }
-+ return 1;
-+ }
-+
-+/* Generalized symmetric cipher test routine. Encrypt data, verify result
-+ * against known answer, decrypt and compare with original plaintext.
-+ */
-+
-+int fips_cipher_test(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
-+ const unsigned char *key,
-+ const unsigned char *iv,
-+ const unsigned char *plaintext,
-+ const unsigned char *ciphertext,
-+ int len)
-+ {
-+ unsigned char pltmp[FIPS_MAX_CIPHER_TEST_SIZE];
-+ unsigned char citmp[FIPS_MAX_CIPHER_TEST_SIZE];
-+
-+ OPENSSL_assert(len <= FIPS_MAX_CIPHER_TEST_SIZE);
-+ memset(pltmp, 0, FIPS_MAX_CIPHER_TEST_SIZE);
-+ memset(citmp, 0, FIPS_MAX_CIPHER_TEST_SIZE);
-+
-+ if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 1) <= 0)
-+ return 0;
-+ if (EVP_Cipher(ctx, citmp, plaintext, len) <= 0)
-+ return 0;
-+ if (memcmp(citmp, ciphertext, len))
-+ return 0;
-+ if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 0) <= 0)
-+ return 0;
-+ if (EVP_Cipher(ctx, pltmp, citmp, len) <= 0)
-+ return 0;
-+ if (memcmp(pltmp, plaintext, len))
-+ return 0;
-+ return 1;
-+ }
-+#endif
-diff -up openssl-1.0.1e/crypto/fips/fips_rand.c.fips openssl-1.0.1e/crypto/fips/fips_rand.c
---- openssl-1.0.1e/crypto/fips/fips_rand.c.fips 2013-10-04 11:48:04.187694294 +0200
-+++ openssl-1.0.1e/crypto/fips/fips_rand.c 2013-10-04 11:48:04.187694294 +0200
-@@ -0,0 +1,457 @@
-+/* ====================================================================
-+ * Copyright (c) 2007 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+/*
-+ * This is a FIPS approved AES PRNG based on ANSI X9.31 A.2.4.
-+ */
-+#include <openssl/crypto.h>
-+#include "e_os.h"
-+
-+/* If we don't define _XOPEN_SOURCE_EXTENDED, struct timeval won't
-+ be defined and gettimeofday() won't be declared with strict compilers
-+ like DEC C in ANSI C mode. */
-+#ifndef _XOPEN_SOURCE_EXTENDED
-+#define _XOPEN_SOURCE_EXTENDED 1
-+#endif
-+
-+#include <openssl/rand.h>
-+#include <openssl/aes.h>
-+#include <openssl/err.h>
-+#include <openssl/fips_rand.h>
-+#if !(defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VXWORKS))
-+# include <sys/time.h>
-+#endif
-+#if defined(OPENSSL_SYS_VXWORKS)
-+# include <time.h>
-+#endif
-+#include <assert.h>
-+#ifndef OPENSSL_SYS_WIN32
-+# ifdef OPENSSL_UNISTD
-+# include OPENSSL_UNISTD
-+# else
-+# include <unistd.h>
-+# endif
-+#endif
-+#include <string.h>
-+#include <openssl/fips.h>
-+#include "fips_locl.h"
-+
-+#ifdef OPENSSL_FIPS
-+
-+void *OPENSSL_stderr(void);
-+
-+#define AES_BLOCK_LENGTH 16
-+
-+
-+/* AES FIPS PRNG implementation */
-+
-+typedef struct
-+ {
-+ int seeded;
-+ int keyed;
-+ int test_mode;
-+ int second;
-+ int error;
-+ unsigned long counter;
-+ AES_KEY ks;
-+ int vpos;
-+ /* Temporary storage for key if it equals seed length */
-+ unsigned char tmp_key[AES_BLOCK_LENGTH];
-+ unsigned char V[AES_BLOCK_LENGTH];
-+ unsigned char DT[AES_BLOCK_LENGTH];
-+ unsigned char last[AES_BLOCK_LENGTH];
-+ } FIPS_PRNG_CTX;
-+
-+static FIPS_PRNG_CTX sctx;
-+
-+static int fips_prng_fail = 0;
-+
-+void FIPS_x931_stick(int onoff)
-+ {
-+ fips_prng_fail = onoff;
-+ }
-+
-+void FIPS_rng_stick(void)
-+ {
-+ FIPS_x931_stick(1);
-+ }
-+
-+static void fips_rand_prng_reset(FIPS_PRNG_CTX *ctx)
-+ {
-+ ctx->seeded = 0;
-+ ctx->keyed = 0;
-+ ctx->test_mode = 0;
-+ ctx->counter = 0;
-+ ctx->second = 0;
-+ ctx->error = 0;
-+ ctx->vpos = 0;
-+ OPENSSL_cleanse(ctx->V, AES_BLOCK_LENGTH);
-+ OPENSSL_cleanse(&ctx->ks, sizeof(AES_KEY));
-+ }
-+
-+
-+static int fips_set_prng_key(FIPS_PRNG_CTX *ctx,
-+ const unsigned char *key, unsigned int keylen)
-+ {
-+ if (FIPS_selftest_failed())
-+ {
-+ FIPSerr(FIPS_F_FIPS_SET_PRNG_KEY, FIPS_R_SELFTEST_FAILED);
-+ return 0;
-+ }
-+ if (keylen != 16 && keylen != 24 && keylen != 32)
-+ {
-+ /* error: invalid key size */
-+ return 0;
-+ }
-+ AES_set_encrypt_key(key, keylen << 3, &ctx->ks);
-+ if (keylen == 16)
-+ {
-+ memcpy(ctx->tmp_key, key, 16);
-+ ctx->keyed = 2;
-+ }
-+ else
-+ ctx->keyed = 1;
-+ ctx->seeded = 0;
-+ ctx->second = 0;
-+ return 1;
-+ }
-+
-+static int fips_set_prng_seed(FIPS_PRNG_CTX *ctx,
-+ const unsigned char *seed, unsigned int seedlen)
-+ {
-+ unsigned int i;
-+ if (!ctx->keyed)
-+ return 0;
-+ /* In test mode seed is just supplied data */
-+ if (ctx->test_mode)
-+ {
-+ if (seedlen != AES_BLOCK_LENGTH)
-+ return 0;
-+ memcpy(ctx->V, seed, AES_BLOCK_LENGTH);
-+ ctx->seeded = 1;
-+ return 1;
-+ }
-+ /* Outside test mode XOR supplied data with existing seed */
-+ for (i = 0; i < seedlen; i++)
-+ {
-+ ctx->V[ctx->vpos++] ^= seed[i];
-+ if (ctx->vpos == AES_BLOCK_LENGTH)
-+ {
-+ ctx->vpos = 0;
-+ /* Special case if first seed and key length equals
-+ * block size check key and seed do not match.
-+ */
-+ if (ctx->keyed == 2)
-+ {
-+ if (!memcmp(ctx->tmp_key, ctx->V, 16))
-+ {
-+ RANDerr(RAND_F_FIPS_SET_PRNG_SEED,
-+ RAND_R_PRNG_SEED_MUST_NOT_MATCH_KEY);
-+ return 0;
-+ }
-+ OPENSSL_cleanse(ctx->tmp_key, 16);
-+ ctx->keyed = 1;
-+ }
-+ ctx->seeded = 1;
-+ }
-+ }
-+ return 1;
-+ }
-+
-+static int fips_set_test_mode(FIPS_PRNG_CTX *ctx)
-+ {
-+ if (ctx->keyed)
-+ {
-+ RANDerr(RAND_F_FIPS_SET_TEST_MODE,RAND_R_PRNG_KEYED);
-+ return 0;
-+ }
-+ ctx->test_mode = 1;
-+ return 1;
-+ }
-+
-+int FIPS_x931_test_mode(void)
-+ {
-+ return fips_set_test_mode(&sctx);
-+ }
-+
-+int FIPS_rand_test_mode(void)
-+ {
-+ return fips_set_test_mode(&sctx);
-+ }
-+
-+
-+int FIPS_x931_set_dt(unsigned char *dt)
-+ {
-+ if (!sctx.test_mode)
-+ {
-+ RANDerr(RAND_F_FIPS_X931_SET_DT,RAND_R_NOT_IN_TEST_MODE);
-+ return 0;
-+ }
-+ memcpy(sctx.DT, dt, AES_BLOCK_LENGTH);
-+ return 1;
-+ }
-+
-+int FIPS_rand_set_dt(unsigned char *dt)
-+ {
-+ if (!sctx.test_mode)
-+ {
-+ RANDerr(RAND_F_FIPS_RAND_SET_DT,RAND_R_NOT_IN_TEST_MODE);
-+ return 0;
-+ }
-+ memcpy(sctx.DT, dt, AES_BLOCK_LENGTH);
-+ return 1;
-+ }
-+
-+void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr)
-+ {
-+#ifdef OPENSSL_SYS_WIN32
-+ FILETIME ft;
-+#elif defined(OPENSSL_SYS_VXWORKS)
-+ struct timespec ts;
-+#else
-+ struct timeval tv;
-+#endif
-+
-+#ifndef GETPID_IS_MEANINGLESS
-+ unsigned long pid;
-+#endif
-+
-+#ifdef OPENSSL_SYS_WIN32
-+ GetSystemTimeAsFileTime(&ft);
-+ buf[0] = (unsigned char) (ft.dwHighDateTime & 0xff);
-+ buf[1] = (unsigned char) ((ft.dwHighDateTime >> 8) & 0xff);
-+ buf[2] = (unsigned char) ((ft.dwHighDateTime >> 16) & 0xff);
-+ buf[3] = (unsigned char) ((ft.dwHighDateTime >> 24) & 0xff);
-+ buf[4] = (unsigned char) (ft.dwLowDateTime & 0xff);
-+ buf[5] = (unsigned char) ((ft.dwLowDateTime >> 8) & 0xff);
-+ buf[6] = (unsigned char) ((ft.dwLowDateTime >> 16) & 0xff);
-+ buf[7] = (unsigned char) ((ft.dwLowDateTime >> 24) & 0xff);
-+#elif defined(OPENSSL_SYS_VXWORKS)
-+ clock_gettime(CLOCK_REALTIME, &ts);
-+ buf[0] = (unsigned char) (ts.tv_sec & 0xff);
-+ buf[1] = (unsigned char) ((ts.tv_sec >> 8) & 0xff);
-+ buf[2] = (unsigned char) ((ts.tv_sec >> 16) & 0xff);
-+ buf[3] = (unsigned char) ((ts.tv_sec >> 24) & 0xff);
-+ buf[4] = (unsigned char) (ts.tv_nsec & 0xff);
-+ buf[5] = (unsigned char) ((ts.tv_nsec >> 8) & 0xff);
-+ buf[6] = (unsigned char) ((ts.tv_nsec >> 16) & 0xff);
-+ buf[7] = (unsigned char) ((ts.tv_nsec >> 24) & 0xff);
-+#else
-+ gettimeofday(&tv,NULL);
-+ buf[0] = (unsigned char) (tv.tv_sec & 0xff);
-+ buf[1] = (unsigned char) ((tv.tv_sec >> 8) & 0xff);
-+ buf[2] = (unsigned char) ((tv.tv_sec >> 16) & 0xff);
-+ buf[3] = (unsigned char) ((tv.tv_sec >> 24) & 0xff);
-+ buf[4] = (unsigned char) (tv.tv_usec & 0xff);
-+ buf[5] = (unsigned char) ((tv.tv_usec >> 8) & 0xff);
-+ buf[6] = (unsigned char) ((tv.tv_usec >> 16) & 0xff);
-+ buf[7] = (unsigned char) ((tv.tv_usec >> 24) & 0xff);
-+#endif
-+ buf[8] = (unsigned char) (*pctr & 0xff);
-+ buf[9] = (unsigned char) ((*pctr >> 8) & 0xff);
-+ buf[10] = (unsigned char) ((*pctr >> 16) & 0xff);
-+ buf[11] = (unsigned char) ((*pctr >> 24) & 0xff);
-+
-+ (*pctr)++;
-+
-+
-+#ifndef GETPID_IS_MEANINGLESS
-+ pid=(unsigned long)getpid();
-+ buf[12] = (unsigned char) (pid & 0xff);
-+ buf[13] = (unsigned char) ((pid >> 8) & 0xff);
-+ buf[14] = (unsigned char) ((pid >> 16) & 0xff);
-+ buf[15] = (unsigned char) ((pid >> 24) & 0xff);
-+#endif
-+ }
-+
-+static int fips_rand(FIPS_PRNG_CTX *ctx,
-+ unsigned char *out, unsigned int outlen)
-+ {
-+ unsigned char R[AES_BLOCK_LENGTH], I[AES_BLOCK_LENGTH];
-+ unsigned char tmp[AES_BLOCK_LENGTH];
-+ int i;
-+ if (ctx->error)
-+ {
-+ RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_ERROR);
-+ return 0;
-+ }
-+ if (!ctx->keyed)
-+ {
-+ RANDerr(RAND_F_FIPS_RAND,RAND_R_NO_KEY_SET);
-+ return 0;
-+ }
-+ if (!ctx->seeded)
-+ {
-+ RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_NOT_SEEDED);
-+ return 0;
-+ }
-+ for (;;)
-+ {
-+ if (!ctx->test_mode)
-+ FIPS_get_timevec(ctx->DT, &ctx->counter);
-+ AES_encrypt(ctx->DT, I, &ctx->ks);
-+ for (i = 0; i < AES_BLOCK_LENGTH; i++)
-+ tmp[i] = I[i] ^ ctx->V[i];
-+ AES_encrypt(tmp, R, &ctx->ks);
-+ for (i = 0; i < AES_BLOCK_LENGTH; i++)
-+ tmp[i] = R[i] ^ I[i];
-+ AES_encrypt(tmp, ctx->V, &ctx->ks);
-+ /* Continuous PRNG test */
-+ if (ctx->second)
-+ {
-+ if (fips_prng_fail)
-+ memcpy(ctx->last, R, AES_BLOCK_LENGTH);
-+ if (!memcmp(R, ctx->last, AES_BLOCK_LENGTH))
-+ {
-+ RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_STUCK);
-+ ctx->error = 1;
-+ fips_set_selftest_fail();
-+ return 0;
-+ }
-+ }
-+ memcpy(ctx->last, R, AES_BLOCK_LENGTH);
-+ if (!ctx->second)
-+ {
-+ ctx->second = 1;
-+ if (!ctx->test_mode)
-+ continue;
-+ }
-+
-+ if (outlen <= AES_BLOCK_LENGTH)
-+ {
-+ memcpy(out, R, outlen);
-+ break;
-+ }
-+
-+ memcpy(out, R, AES_BLOCK_LENGTH);
-+ out += AES_BLOCK_LENGTH;
-+ outlen -= AES_BLOCK_LENGTH;
-+ }
-+ return 1;
-+ }
-+
-+
-+int FIPS_x931_set_key(const unsigned char *key, int keylen)
-+ {
-+ int ret;
-+ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-+ ret = fips_set_prng_key(&sctx, key, keylen);
-+ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-+ return ret;
-+ }
-+
-+int FIPS_rand_set_key(const unsigned char *key, FIPS_RAND_SIZE_T keylen)
-+ {
-+ return FIPS_x931_set_key(key, keylen);
-+ }
-+
-+int FIPS_x931_seed(const void *seed, int seedlen)
-+ {
-+ int ret;
-+ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-+ ret = fips_set_prng_seed(&sctx, seed, seedlen);
-+ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-+ return ret;
-+ }
-+
-+
-+int FIPS_x931_bytes(unsigned char *out, int count)
-+ {
-+ int ret;
-+ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-+ ret = fips_rand(&sctx, out, count);
-+ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-+ return ret;
-+ }
-+
-+int FIPS_x931_status(void)
-+ {
-+ int ret;
-+ CRYPTO_r_lock(CRYPTO_LOCK_RAND);
-+ ret = sctx.seeded;
-+ CRYPTO_r_unlock(CRYPTO_LOCK_RAND);
-+ return ret;
-+ }
-+
-+void FIPS_x931_reset(void)
-+ {
-+ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-+ fips_rand_prng_reset(&sctx);
-+ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-+ }
-+
-+static int fips_do_rand_seed(const void *seed, int seedlen)
-+ {
-+ FIPS_x931_seed(seed, seedlen);
-+ return 1;
-+ }
-+
-+static int fips_do_rand_add(const void *seed, int seedlen,
-+ double add_entropy)
-+ {
-+ FIPS_x931_seed(seed, seedlen);
-+ return 1;
-+ }
-+
-+static const RAND_METHOD rand_x931_meth=
-+ {
-+ fips_do_rand_seed,
-+ FIPS_x931_bytes,
-+ FIPS_x931_reset,
-+ fips_do_rand_add,
-+ FIPS_x931_bytes,
-+ FIPS_x931_status
-+ };
-+
-+const RAND_METHOD *FIPS_x931_method(void)
-+{
-+ return &rand_x931_meth;
-+}
-+
-+#endif
-diff -up openssl-1.0.1e/crypto/fips/fips_rand.h.fips openssl-1.0.1e/crypto/fips/fips_rand.h
---- openssl-1.0.1e/crypto/fips/fips_rand.h.fips 2013-10-04 11:48:04.187694294 +0200
-+++ openssl-1.0.1e/crypto/fips/fips_rand.h 2013-10-04 11:48:04.187694294 +0200
-@@ -0,0 +1,145 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#ifndef HEADER_FIPS_RAND_H
-+#define HEADER_FIPS_RAND_H
-+
-+#include <openssl/aes.h>
-+#include <openssl/evp.h>
-+#include <openssl/hmac.h>
-+#include <openssl/rand.h>
-+
-+#ifdef OPENSSL_FIPS
-+
-+#ifdef __cplusplus
-+extern "C" {
-+#endif
-+
-+int FIPS_x931_set_key(const unsigned char *key, int keylen);
-+int FIPS_x931_seed(const void *buf, int num);
-+int FIPS_x931_bytes(unsigned char *out, int outlen);
-+
-+int FIPS_x931_test_mode(void);
-+void FIPS_x931_reset(void);
-+int FIPS_x931_set_dt(unsigned char *dt);
-+
-+int FIPS_x931_status(void);
-+
-+const RAND_METHOD *FIPS_x931_method(void);
-+
-+typedef struct drbg_ctx_st DRBG_CTX;
-+/* DRBG external flags */
-+/* Flag for CTR mode only: use derivation function ctr_df */
-+#define DRBG_FLAG_CTR_USE_DF 0x1
-+/* PRNG is in test state */
-+#define DRBG_FLAG_TEST 0x2
-+
-+DRBG_CTX *FIPS_drbg_new(int type, unsigned int flags);
-+int FIPS_drbg_init(DRBG_CTX *dctx, int type, unsigned int flags);
-+int FIPS_drbg_instantiate(DRBG_CTX *dctx,
-+ const unsigned char *pers, size_t perslen);
-+int FIPS_drbg_reseed(DRBG_CTX *dctx, const unsigned char *adin, size_t adinlen);
-+int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
-+ int prediction_resistance,
-+ const unsigned char *adin, size_t adinlen);
-+
-+int FIPS_drbg_uninstantiate(DRBG_CTX *dctx);
-+void FIPS_drbg_free(DRBG_CTX *dctx);
-+
-+int FIPS_drbg_set_callbacks(DRBG_CTX *dctx,
-+ size_t (*get_entropy)(DRBG_CTX *ctx, unsigned char **pout,
-+ int entropy, size_t min_len, size_t max_len),
-+ void (*cleanup_entropy)(DRBG_CTX *ctx, unsigned char *out, size_t olen),
-+ size_t entropy_blocklen,
-+ size_t (*get_nonce)(DRBG_CTX *ctx, unsigned char **pout,
-+ int entropy, size_t min_len, size_t max_len),
-+ void (*cleanup_nonce)(DRBG_CTX *ctx, unsigned char *out, size_t olen));
-+
-+int FIPS_drbg_set_rand_callbacks(DRBG_CTX *dctx,
-+ size_t (*get_adin)(DRBG_CTX *ctx, unsigned char **pout),
-+ void (*cleanup_adin)(DRBG_CTX *ctx, unsigned char *out, size_t olen),
-+ int (*rand_seed_cb)(DRBG_CTX *ctx, const void *buf, int num),
-+ int (*rand_add_cb)(DRBG_CTX *ctx,
-+ const void *buf, int num, double entropy));
-+
-+void *FIPS_drbg_get_app_data(DRBG_CTX *ctx);
-+void FIPS_drbg_set_app_data(DRBG_CTX *ctx, void *app_data);
-+size_t FIPS_drbg_get_blocklength(DRBG_CTX *dctx);
-+int FIPS_drbg_get_strength(DRBG_CTX *dctx);
-+void FIPS_drbg_set_check_interval(DRBG_CTX *dctx, int interval);
-+void FIPS_drbg_set_reseed_interval(DRBG_CTX *dctx, int interval);
-+
-+int FIPS_drbg_health_check(DRBG_CTX *dctx);
-+
-+DRBG_CTX *FIPS_get_default_drbg(void);
-+const RAND_METHOD *FIPS_drbg_method(void);
-+
-+
-+int FIPS_rand_set_method(const RAND_METHOD *meth);
-+const RAND_METHOD *FIPS_rand_get_method(void);
-+
-+void FIPS_rand_set_bits(int nbits);
-+
-+int FIPS_rand_strength(void);
-+
-+/* 1.0.0 compat functions */
-+int FIPS_rand_set_key(const unsigned char *key, FIPS_RAND_SIZE_T keylen);
-+int FIPS_rand_seed(const void *buf, FIPS_RAND_SIZE_T num);
-+int FIPS_rand_bytes(unsigned char *out, FIPS_RAND_SIZE_T outlen);
-+int FIPS_rand_test_mode(void);
-+void FIPS_rand_reset(void);
-+int FIPS_rand_set_dt(unsigned char *dt);
-+int FIPS_rand_status(void);
-+const RAND_METHOD *FIPS_rand_method(void);
-+
-+#ifdef __cplusplus
-+}
-+#endif
-+#endif
-+#endif
-diff -up openssl-1.0.1e/crypto/fips/fips_rand_lcl.h.fips openssl-1.0.1e/crypto/fips/fips_rand_lcl.h
---- openssl-1.0.1e/crypto/fips/fips_rand_lcl.h.fips 2013-10-04 11:48:04.187694294 +0200
-+++ openssl-1.0.1e/crypto/fips/fips_rand_lcl.h 2013-10-04 11:48:04.187694294 +0200
-@@ -0,0 +1,219 @@
-+/* fips/rand/fips_rand_lcl.h */
-+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
-+ * project.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ */
-+
-+typedef struct drbg_hash_ctx_st DRBG_HASH_CTX;
-+typedef struct drbg_hmac_ctx_st DRBG_HMAC_CTX;
-+typedef struct drbg_ctr_ctx_st DRBG_CTR_CTX;
-+
-+/* 888 bits from 10.1 table 2 */
-+#define HASH_PRNG_MAX_SEEDLEN 111
-+
-+struct drbg_hash_ctx_st
-+ {
-+ const EVP_MD *md;
-+ EVP_MD_CTX mctx;
-+ unsigned char V[HASH_PRNG_MAX_SEEDLEN];
-+ unsigned char C[HASH_PRNG_MAX_SEEDLEN];
-+ /* Temporary value storage: should always exceed max digest length */
-+ unsigned char vtmp[HASH_PRNG_MAX_SEEDLEN];
-+ };
-+
-+struct drbg_hmac_ctx_st
-+ {
-+ const EVP_MD *md;
-+ HMAC_CTX hctx;
-+ unsigned char K[EVP_MAX_MD_SIZE];
-+ unsigned char V[EVP_MAX_MD_SIZE];
-+ };
-+
-+struct drbg_ctr_ctx_st
-+ {
-+ AES_KEY ks;
-+ size_t keylen;
-+ unsigned char K[32];
-+ unsigned char V[16];
-+ /* Temp variables used by derivation function */
-+ AES_KEY df_ks;
-+ AES_KEY df_kxks;
-+ /* Temporary block storage used by ctr_df */
-+ unsigned char bltmp[16];
-+ size_t bltmp_pos;
-+ unsigned char KX[48];
-+ };
-+
-+/* DRBG internal flags */
-+
-+/* Functions shouldn't call err library */
-+#define DRBG_FLAG_NOERR 0x1
-+/* Custom reseed checking */
-+#define DRBG_CUSTOM_RESEED 0x2
-+
-+/* DRBG status values */
-+/* not initialised */
-+#define DRBG_STATUS_UNINITIALISED 0
-+/* ok and ready to generate random bits */
-+#define DRBG_STATUS_READY 1
-+/* reseed required */
-+#define DRBG_STATUS_RESEED 2
-+/* fatal error condition */
-+#define DRBG_STATUS_ERROR 3
-+
-+/* A default maximum length: larger than any reasonable value used in pratice */
-+
-+#define DRBG_MAX_LENGTH 0x7ffffff0
-+/* Maximum DRBG block length: all md sizes are bigger than cipher blocks sizes
-+ * so use max digest length.
-+ */
-+#define DRBG_MAX_BLOCK EVP_MAX_MD_SIZE
-+
-+#define DRBG_HEALTH_INTERVAL (1 << 24)
-+
-+/* DRBG context structure */
-+
-+struct drbg_ctx_st
-+ {
-+ /* First types common to all implementations */
-+ /* DRBG type: a NID for the underlying algorithm */
-+ int type;
-+ /* Various external flags */
-+ unsigned int xflags;
-+ /* Various internal use only flags */
-+ unsigned int iflags;
-+ /* Used for periodic health checks */
-+ int health_check_cnt, health_check_interval;
-+
-+ /* The following parameters are setup by mechanism drbg_init() call */
-+ int strength;
-+ size_t blocklength;
-+ size_t max_request;
-+
-+ size_t min_entropy, max_entropy;
-+ size_t min_nonce, max_nonce;
-+ size_t max_pers, max_adin;
-+ unsigned int reseed_counter;
-+ unsigned int reseed_interval;
-+ size_t seedlen;
-+ int status;
-+ /* Application data: typically used by test get_entropy */
-+ void *app_data;
-+ /* Implementation specific structures */
-+ union
-+ {
-+ DRBG_HASH_CTX hash;
-+ DRBG_HMAC_CTX hmac;
-+ DRBG_CTR_CTX ctr;
-+ } d;
-+ /* Initialiase PRNG and setup callbacks below */
-+ int (*init)(DRBG_CTX *ctx, int nid, int security, unsigned int flags);
-+ /* Intantiate PRNG */
-+ int (*instantiate)(DRBG_CTX *ctx,
-+ const unsigned char *ent, size_t entlen,
-+ const unsigned char *nonce, size_t noncelen,
-+ const unsigned char *pers, size_t perslen);
-+ /* reseed */
-+ int (*reseed)(DRBG_CTX *ctx,
-+ const unsigned char *ent, size_t entlen,
-+ const unsigned char *adin, size_t adinlen);
-+ /* generat output */
-+ int (*generate)(DRBG_CTX *ctx,
-+ unsigned char *out, size_t outlen,
-+ const unsigned char *adin, size_t adinlen);
-+ /* uninstantiate */
-+ int (*uninstantiate)(DRBG_CTX *ctx);
-+
-+ /* Entropy source block length */
-+ size_t entropy_blocklen;
-+
-+ /* entropy gathering function */
-+ size_t (*get_entropy)(DRBG_CTX *ctx, unsigned char **pout,
-+ int entropy, size_t min_len, size_t max_len);
-+ /* Indicates we have finished with entropy buffer */
-+ void (*cleanup_entropy)(DRBG_CTX *ctx, unsigned char *out, size_t olen);
-+
-+ /* nonce gathering function */
-+ size_t (*get_nonce)(DRBG_CTX *ctx, unsigned char **pout,
-+ int entropy, size_t min_len, size_t max_len);
-+ /* Indicates we have finished with nonce buffer */
-+ void (*cleanup_nonce)(DRBG_CTX *ctx, unsigned char *out, size_t olen);
-+
-+ /* Continuous random number test temporary area */
-+ /* Last block */
-+ unsigned char lb[EVP_MAX_MD_SIZE];
-+ /* set if lb is valid */
-+ int lb_valid;
-+
-+ /* Callbacks used when called through RAND interface */
-+ /* Get any additional input for generate */
-+ size_t (*get_adin)(DRBG_CTX *ctx, unsigned char **pout);
-+ void (*cleanup_adin)(DRBG_CTX *ctx, unsigned char *out, size_t olen);
-+ /* Callback for RAND_seed(), RAND_add() */
-+ int (*rand_seed_cb)(DRBG_CTX *ctx, const void *buf, int num);
-+ int (*rand_add_cb)(DRBG_CTX *ctx,
-+ const void *buf, int num, double entropy);
-+ };
-+
-+
-+int fips_drbg_ctr_init(DRBG_CTX *dctx);
-+int fips_drbg_hash_init(DRBG_CTX *dctx);
-+int fips_drbg_hmac_init(DRBG_CTX *dctx);
-+int fips_drbg_kat(DRBG_CTX *dctx, int nid, unsigned int flags);
-+int fips_drbg_cprng_test(DRBG_CTX *dctx, const unsigned char *out);
-+
-+const struct env_md_st *FIPS_get_digestbynid(int nid);
-+
-+const struct evp_cipher_st *FIPS_get_cipherbynid(int nid);
-+
-+#define FIPS_digestinit EVP_DigestInit
-+#define FIPS_digestupdate EVP_DigestUpdate
-+#define FIPS_digestfinal EVP_DigestFinal
-+#define M_EVP_MD_size EVP_MD_size
-diff -up openssl-1.0.1e/crypto/fips/fips_rand_lib.c.fips openssl-1.0.1e/crypto/fips/fips_rand_lib.c
---- openssl-1.0.1e/crypto/fips/fips_rand_lib.c.fips 2013-10-04 11:48:04.187694294 +0200
-+++ openssl-1.0.1e/crypto/fips/fips_rand_lib.c 2013-10-04 11:48:04.187694294 +0200
-@@ -0,0 +1,191 @@
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <openssl/crypto.h>
-+#include <openssl/rand.h>
-+#include <openssl/err.h>
-+#include <openssl/fips.h>
-+#include <openssl/fips_rand.h>
-+#include "e_os.h"
-+
-+/* FIPS API for PRNG use. Similar to RAND functionality but without
-+ * ENGINE and additional checking for non-FIPS rand methods.
-+ */
-+
-+static const RAND_METHOD *fips_rand_meth = NULL;
-+static int fips_approved_rand_meth = 0;
-+static int fips_rand_bits = 0;
-+
-+/* Allows application to override number of bits and uses non-FIPS methods */
-+void FIPS_rand_set_bits(int nbits)
-+ {
-+ fips_rand_bits = nbits;
-+ }
-+
-+int FIPS_rand_set_method(const RAND_METHOD *meth)
-+ {
-+ if (!fips_rand_bits)
-+ {
-+ if (meth == FIPS_drbg_method())
-+ fips_approved_rand_meth = 1;
-+ else if (meth == FIPS_x931_method())
-+ fips_approved_rand_meth = 2;
-+ else
-+ {
-+ fips_approved_rand_meth = 0;
-+ if (FIPS_module_mode())
-+ {
-+ FIPSerr(FIPS_F_FIPS_RAND_SET_METHOD,
-+ FIPS_R_NON_FIPS_METHOD);
-+ return 0;
-+ }
-+ }
-+ }
-+ fips_rand_meth = meth;
-+ return 1;
-+ }
-+
-+const RAND_METHOD *FIPS_rand_get_method(void)
-+ {
-+ return fips_rand_meth;
-+ }
-+
-+const RAND_METHOD *FIPS_rand_method(void)
-+ {
-+ return FIPS_rand_get_method();
-+ }
-+
-+void FIPS_rand_reset(void)
-+ {
-+ if (fips_rand_meth && fips_rand_meth->cleanup)
-+ fips_rand_meth->cleanup();
-+ }
-+
-+int FIPS_rand_seed(const void *buf, FIPS_RAND_SIZE_T num)
-+ {
-+ if (!fips_approved_rand_meth && FIPS_module_mode())
-+ {
-+ FIPSerr(FIPS_F_FIPS_RAND_SEED, FIPS_R_NON_FIPS_METHOD);
-+ return 0;
-+ }
-+ if (fips_rand_meth && fips_rand_meth->seed)
-+ fips_rand_meth->seed(buf,num);
-+ return 1;
-+ }
-+
-+void FIPS_rand_add(const void *buf, int num, double entropy)
-+ {
-+ if (!fips_approved_rand_meth && FIPS_module_mode())
-+ {
-+ FIPSerr(FIPS_F_FIPS_RAND_ADD, FIPS_R_NON_FIPS_METHOD);
-+ return;
-+ }
-+ if (fips_rand_meth && fips_rand_meth->add)
-+ fips_rand_meth->add(buf,num,entropy);
-+ }
-+
-+int FIPS_rand_bytes(unsigned char *buf, FIPS_RAND_SIZE_T num)
-+ {
-+ if (!fips_approved_rand_meth && FIPS_module_mode())
-+ {
-+ FIPSerr(FIPS_F_FIPS_RAND_BYTES, FIPS_R_NON_FIPS_METHOD);
-+ return 0;
-+ }
-+ if (fips_rand_meth && fips_rand_meth->bytes)
-+ return fips_rand_meth->bytes(buf,num);
-+ return 0;
-+ }
-+
-+int FIPS_rand_pseudo_bytes(unsigned char *buf, int num)
-+ {
-+ if (!fips_approved_rand_meth && FIPS_module_mode())
-+ {
-+ FIPSerr(FIPS_F_FIPS_RAND_PSEUDO_BYTES, FIPS_R_NON_FIPS_METHOD);
-+ return 0;
-+ }
-+ if (fips_rand_meth && fips_rand_meth->pseudorand)
-+ return fips_rand_meth->pseudorand(buf,num);
-+ return -1;
-+ }
-+
-+int FIPS_rand_status(void)
-+ {
-+ if (!fips_approved_rand_meth && FIPS_module_mode())
-+ {
-+ FIPSerr(FIPS_F_FIPS_RAND_STATUS, FIPS_R_NON_FIPS_METHOD);
-+ return 0;
-+ }
-+ if (fips_rand_meth && fips_rand_meth->status)
-+ return fips_rand_meth->status();
-+ return 0;
-+ }
-+
-+/* Return instantiated strength of PRNG. For DRBG this is an internal
-+ * parameter. For X9.31 PRNG it is 80 bits (from SP800-131). Any other
-+ * type of PRNG is not approved and returns 0 in FIPS mode and maximum
-+ * 256 outside FIPS mode.
-+ */
-+
-+int FIPS_rand_strength(void)
-+ {
-+ if (fips_rand_bits)
-+ return fips_rand_bits;
-+ if (fips_approved_rand_meth == 1)
-+ return FIPS_drbg_get_strength(FIPS_get_default_drbg());
-+ else if (fips_approved_rand_meth == 2)
-+ return 80;
-+ else if (fips_approved_rand_meth == 0)
-+ {
-+ if (FIPS_module_mode())
-+ return 0;
-+ else
-+ return 256;
-+ }
-+ return 0;
-+ }
-diff -up openssl-1.0.1e/crypto/fips/fips_rand_selftest.c.fips openssl-1.0.1e/crypto/fips/fips_rand_selftest.c
---- openssl-1.0.1e/crypto/fips/fips_rand_selftest.c.fips 2013-10-04 11:48:04.187694294 +0200
-+++ openssl-1.0.1e/crypto/fips/fips_rand_selftest.c 2013-10-04 11:48:04.187694294 +0200
-@@ -0,0 +1,183 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <string.h>
-+#include <openssl/err.h>
-+#include <openssl/fips.h>
-+#include <openssl/rand.h>
-+#include <openssl/fips_rand.h>
-+#include "fips_locl.h"
-+
-+#ifdef OPENSSL_FIPS
-+
-+
-+
-+typedef struct
-+ {
-+ unsigned char DT[16];
-+ unsigned char V[16];
-+ unsigned char R[16];
-+ } AES_PRNG_TV;
-+
-+/* The following test vectors are taken directly from the RGNVS spec */
-+
-+static unsigned char aes_128_key[16] =
-+ {0xf3,0xb1,0x66,0x6d,0x13,0x60,0x72,0x42,
-+ 0xed,0x06,0x1c,0xab,0xb8,0xd4,0x62,0x02};
-+
-+static AES_PRNG_TV aes_128_tv =
-+ {
-+ /* DT */
-+ {0xe6,0xb3,0xbe,0x78,0x2a,0x23,0xfa,0x62,
-+ 0xd7,0x1d,0x4a,0xfb,0xb0,0xe9,0x22,0xf9},
-+ /* V */
-+ {0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
-+ /* R */
-+ {0x59,0x53,0x1e,0xd1,0x3b,0xb0,0xc0,0x55,
-+ 0x84,0x79,0x66,0x85,0xc1,0x2f,0x76,0x41}
-+ };
-+
-+static unsigned char aes_192_key[24] =
-+ {0x15,0xd8,0x78,0x0d,0x62,0xd3,0x25,0x6e,
-+ 0x44,0x64,0x10,0x13,0x60,0x2b,0xa9,0xbc,
-+ 0x4a,0xfb,0xca,0xeb,0x4c,0x8b,0x99,0x3b};
-+
-+static AES_PRNG_TV aes_192_tv =
-+ {
-+ /* DT */
-+ {0x3f,0xd8,0xff,0xe8,0x80,0x69,0x8b,0xc1,
-+ 0xbf,0x99,0x7d,0xa4,0x24,0x78,0xf3,0x4b},
-+ /* V */
-+ {0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
-+ /* R */
-+ {0x17,0x07,0xd5,0x28,0x19,0x79,0x1e,0xef,
-+ 0xa5,0x0c,0xbf,0x25,0xe5,0x56,0xb4,0x93}
-+ };
-+
-+static unsigned char aes_256_key[32] =
-+ {0x6d,0x14,0x06,0x6c,0xb6,0xd8,0x21,0x2d,
-+ 0x82,0x8d,0xfa,0xf2,0x7a,0x03,0xb7,0x9f,
-+ 0x0c,0xc7,0x3e,0xcd,0x76,0xeb,0xee,0xb5,
-+ 0x21,0x05,0x8c,0x4f,0x31,0x7a,0x80,0xbb};
-+
-+static AES_PRNG_TV aes_256_tv =
-+ {
-+ /* DT */
-+ {0xda,0x3a,0x41,0xec,0x1d,0xa3,0xb0,0xd5,
-+ 0xf2,0xa9,0x4e,0x34,0x74,0x8e,0x9e,0x88},
-+ /* V */
-+ {0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
-+ /* R */
-+ {0x35,0xc7,0xef,0xa7,0x78,0x4d,0x29,0xbc,
-+ 0x82,0x79,0x99,0xfb,0xd0,0xb3,0x3b,0x72}
-+ };
-+
-+void FIPS_corrupt_rng()
-+ {
-+ aes_192_tv.V[0]++;
-+ }
-+
-+#define fips_x931_test(key, tv) \
-+ do_x931_test(key, sizeof key, &tv)
-+
-+static int do_x931_test(unsigned char *key, int keylen,
-+ AES_PRNG_TV *tv)
-+ {
-+ unsigned char R[16], V[16];
-+ int rv = 1;
-+ memcpy(V, tv->V, sizeof(V));
-+ if (!FIPS_x931_set_key(key, keylen))
-+ return 0;
-+ if (!fips_post_started(FIPS_TEST_X931, keylen, NULL))
-+ return 1;
-+ if (!fips_post_corrupt(FIPS_TEST_X931, keylen, NULL))
-+ V[0]++;
-+ FIPS_x931_seed(V, 16);
-+ FIPS_x931_set_dt(tv->DT);
-+ FIPS_x931_bytes(R, 16);
-+ if (memcmp(R, tv->R, 16))
-+ {
-+ fips_post_failed(FIPS_TEST_X931, keylen, NULL);
-+ rv = 0;
-+ }
-+ else if (!fips_post_success(FIPS_TEST_X931, keylen, NULL))
-+ return 0;
-+ return rv;
-+ }
-+
-+int FIPS_selftest_x931()
-+ {
-+ int rv = 1;
-+ FIPS_x931_reset();
-+ if (!FIPS_x931_test_mode())
-+ {
-+ FIPSerr(FIPS_F_FIPS_SELFTEST_X931,FIPS_R_SELFTEST_FAILED);
-+ return 0;
-+ }
-+ if (!fips_x931_test(aes_128_key,aes_128_tv))
-+ rv = 0;
-+ if (!fips_x931_test(aes_192_key, aes_192_tv))
-+ rv = 0;
-+ if (!fips_x931_test(aes_256_key, aes_256_tv))
-+ rv = 0;
-+ FIPS_x931_reset();
-+ if (!rv)
-+ FIPSerr(FIPS_F_FIPS_SELFTEST_X931,FIPS_R_SELFTEST_FAILED);
-+ return rv;
-+ }
-+
-+int FIPS_selftest_rng(void)
-+ {
-+ return FIPS_selftest_x931();
-+ }
-+
-+#endif
-diff -up openssl-1.0.1e/crypto/fips/fips_randtest.c.fips openssl-1.0.1e/crypto/fips/fips_randtest.c
---- openssl-1.0.1e/crypto/fips/fips_randtest.c.fips 2013-10-04 11:48:04.188694316 +0200
-+++ openssl-1.0.1e/crypto/fips/fips_randtest.c 2013-10-04 11:48:04.187694294 +0200
-@@ -0,0 +1,250 @@
-+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
-+ * All rights reserved.
-+ *
-+ * This package is an SSL implementation written
-+ * by Eric Young (eay@cryptsoft.com).
-+ * The implementation was written so as to conform with Netscapes SSL.
-+ *
-+ * This library is free for commercial and non-commercial use as long as
-+ * the following conditions are aheared to. The following conditions
-+ * apply to all code found in this distribution, be it the RC4, RSA,
-+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
-+ * included with this distribution is covered by the same copyright terms
-+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
-+ *
-+ * Copyright remains Eric Young's, and as such any Copyright notices in
-+ * the code are not to be removed.
-+ * If this package is used in a product, Eric Young should be given attribution
-+ * as the author of the parts of the library used.
-+ * This can be in the form of a textual message at program startup or
-+ * in documentation (online or textual) provided with the package.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ * 1. Redistributions of source code must retain the copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in the
-+ * documentation and/or other materials provided with the distribution.
-+ * 3. All advertising materials mentioning features or use of this software
-+ * must display the following acknowledgement:
-+ * "This product includes cryptographic software written by
-+ * Eric Young (eay@cryptsoft.com)"
-+ * The word 'cryptographic' can be left out if the rouines from the library
-+ * being used are not cryptographic related :-).
-+ * 4. If you include any Windows specific code (or a derivative thereof) from
-+ * the apps directory (application code) you must include an acknowledgement:
-+ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
-+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-+ * SUCH DAMAGE.
-+ *
-+ * The licence and distribution terms for any publically available version or
-+ * derivative of this code cannot be changed. i.e. this code cannot simply be
-+ * copied and put under another distribution licence
-+ * [including the GNU Public Licence.]
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <ctype.h>
-+#include <openssl/rand.h>
-+#include <openssl/fips_rand.h>
-+#include <openssl/err.h>
-+#include <openssl/bn.h>
-+
-+#include "e_os.h"
-+
-+#ifndef OPENSSL_FIPS
-+int main(int argc, char *argv[])
-+{
-+ printf("No FIPS RAND support\n");
-+ return(0);
-+}
-+
-+#else
-+
-+#include "fips_utl.h"
-+#include <openssl/fips.h>
-+
-+typedef struct
-+ {
-+ unsigned char DT[16];
-+ unsigned char V[16];
-+ unsigned char R[16];
-+ } AES_PRNG_MCT;
-+
-+static const unsigned char aes_128_mct_key[16] =
-+ {0x9f,0x5b,0x51,0x20,0x0b,0xf3,0x34,0xb5,
-+ 0xd8,0x2b,0xe8,0xc3,0x72,0x55,0xc8,0x48};
-+
-+static const AES_PRNG_MCT aes_128_mct_tv = {
-+ /* DT */
-+ {0x63,0x76,0xbb,0xe5,0x29,0x02,0xba,0x3b,
-+ 0x67,0xc9,0x25,0xfa,0x70,0x1f,0x11,0xac},
-+ /* V */
-+ {0x57,0x2c,0x8e,0x76,0x87,0x26,0x47,0x97,
-+ 0x7e,0x74,0xfb,0xdd,0xc4,0x95,0x01,0xd1},
-+ /* R */
-+ {0x48,0xe9,0xbd,0x0d,0x06,0xee,0x18,0xfb,
-+ 0xe4,0x57,0x90,0xd5,0xc3,0xfc,0x9b,0x73}
-+};
-+
-+static const unsigned char aes_192_mct_key[24] =
-+ {0xb7,0x6c,0x34,0xd1,0x09,0x67,0xab,0x73,
-+ 0x4d,0x5a,0xd5,0x34,0x98,0x16,0x0b,0x91,
-+ 0xbc,0x35,0x51,0x16,0x6b,0xae,0x93,0x8a};
-+
-+static const AES_PRNG_MCT aes_192_mct_tv = {
-+ /* DT */
-+ {0x84,0xce,0x22,0x7d,0x91,0x5a,0xa3,0xc9,
-+ 0x84,0x3c,0x0a,0xb3,0xa9,0x63,0x15,0x52},
-+ /* V */
-+ {0xb6,0xaf,0xe6,0x8f,0x99,0x9e,0x90,0x64,
-+ 0xdd,0xc7,0x7a,0xc1,0xbb,0x90,0x3a,0x6d},
-+ /* R */
-+ {0xfc,0x85,0x60,0x9a,0x29,0x6f,0xef,0x21,
-+ 0xdd,0x86,0x20,0x32,0x8a,0x29,0x6f,0x47}
-+};
-+
-+static const unsigned char aes_256_mct_key[32] =
-+ {0x9b,0x05,0xc8,0x68,0xff,0x47,0xf8,0x3a,
-+ 0xa6,0x3a,0xa8,0xcb,0x4e,0x71,0xb2,0xe0,
-+ 0xb8,0x7e,0xf1,0x37,0xb6,0xb4,0xf6,0x6d,
-+ 0x86,0x32,0xfc,0x1f,0x5e,0x1d,0x1e,0x50};
-+
-+static const AES_PRNG_MCT aes_256_mct_tv = {
-+ /* DT */
-+ {0x31,0x6e,0x35,0x9a,0xb1,0x44,0xf0,0xee,
-+ 0x62,0x6d,0x04,0x46,0xe0,0xa3,0x92,0x4c},
-+ /* V */
-+ {0x4f,0xcd,0xc1,0x87,0x82,0x1f,0x4d,0xa1,
-+ 0x3e,0x0e,0x56,0x44,0x59,0xe8,0x83,0xca},
-+ /* R */
-+ {0xc8,0x87,0xc2,0x61,0x5b,0xd0,0xb9,0xe1,
-+ 0xe7,0xf3,0x8b,0xd7,0x5b,0xd5,0xf1,0x8d}
-+};
-+
-+static void dump(const unsigned char *b,int n)
-+ {
-+ while(n-- > 0)
-+ {
-+ printf(" %02x",*b++);
-+ }
-+ }
-+
-+static void compare(const unsigned char *result,const unsigned char *expected,
-+ int n)
-+ {
-+ int i;
-+
-+ for(i=0 ; i < n ; ++i)
-+ if(result[i] != expected[i])
-+ {
-+ puts("Random test failed, got:");
-+ dump(result,n);
-+ puts("\n expected:");
-+ dump(expected,n);
-+ putchar('\n');
-+ EXIT(1);
-+ }
-+ }
-+
-+
-+static void run_test(const unsigned char *key, int keylen,
-+ const AES_PRNG_MCT *tv)
-+ {
-+ unsigned char buf[16], dt[16];
-+ int i, j;
-+ FIPS_x931_reset();
-+ FIPS_x931_test_mode();
-+ FIPS_x931_set_key(key, keylen);
-+ FIPS_x931_seed(tv->V, 16);
-+ memcpy(dt, tv->DT, 16);
-+ for (i = 0; i < 10000; i++)
-+ {
-+ FIPS_x931_set_dt(dt);
-+ FIPS_x931_bytes(buf, 16);
-+ /* Increment DT */
-+ for (j = 15; j >= 0; j--)
-+ {
-+ dt[j]++;
-+ if (dt[j])
-+ break;
-+ }
-+ }
-+
-+ compare(buf,tv->R, 16);
-+ }
-+
-+int main()
-+ {
-+ run_test(aes_128_mct_key, 16, &aes_128_mct_tv);
-+ printf("FIPS PRNG test 1 done\n");
-+ run_test(aes_192_mct_key, 24, &aes_192_mct_tv);
-+ printf("FIPS PRNG test 2 done\n");
-+ run_test(aes_256_mct_key, 32, &aes_256_mct_tv);
-+ printf("FIPS PRNG test 3 done\n");
-+ return 0;
-+ }
-+
-+#endif
-diff -up openssl-1.0.1e/crypto/fips/fips_rsa_selftest.c.fips openssl-1.0.1e/crypto/fips/fips_rsa_selftest.c
---- openssl-1.0.1e/crypto/fips/fips_rsa_selftest.c.fips 2013-10-04 11:48:04.188694316 +0200
-+++ openssl-1.0.1e/crypto/fips/fips_rsa_selftest.c 2013-10-04 11:48:04.188694316 +0200
-@@ -0,0 +1,444 @@
-+/* ====================================================================
-+ * Copyright (c) 2003-2007 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <string.h>
-+#include <openssl/err.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-+#include <openssl/rsa.h>
-+#include <openssl/evp.h>
-+#include <openssl/bn.h>
-+#include <openssl/opensslconf.h>
-+
-+#ifdef OPENSSL_FIPS
-+
-+static const unsigned char n[] =
-+"\x00\xBB\xF8\x2F\x09\x06\x82\xCE\x9C\x23\x38\xAC\x2B\x9D\xA8\x71"
-+"\xF7\x36\x8D\x07\xEE\xD4\x10\x43\xA4\x40\xD6\xB6\xF0\x74\x54\xF5"
-+"\x1F\xB8\xDF\xBA\xAF\x03\x5C\x02\xAB\x61\xEA\x48\xCE\xEB\x6F\xCD"
-+"\x48\x76\xED\x52\x0D\x60\xE1\xEC\x46\x19\x71\x9D\x8A\x5B\x8B\x80"
-+"\x7F\xAF\xB8\xE0\xA3\xDF\xC7\x37\x72\x3E\xE6\xB4\xB7\xD9\x3A\x25"
-+"\x84\xEE\x6A\x64\x9D\x06\x09\x53\x74\x88\x34\xB2\x45\x45\x98\x39"
-+"\x4E\xE0\xAA\xB1\x2D\x7B\x61\xA5\x1F\x52\x7A\x9A\x41\xF6\xC1\x68"
-+"\x7F\xE2\x53\x72\x98\xCA\x2A\x8F\x59\x46\xF8\xE5\xFD\x09\x1D\xBD"
-+"\xCB";
-+
-+static int corrupt_rsa;
-+
-+static int setrsakey(RSA *key)
-+ {
-+ static const unsigned char e[] = "\x11";
-+
-+ static const unsigned char d[] =
-+"\x00\xA5\xDA\xFC\x53\x41\xFA\xF2\x89\xC4\xB9\x88\xDB\x30\xC1\xCD"
-+"\xF8\x3F\x31\x25\x1E\x06\x68\xB4\x27\x84\x81\x38\x01\x57\x96\x41"
-+"\xB2\x94\x10\xB3\xC7\x99\x8D\x6B\xC4\x65\x74\x5E\x5C\x39\x26\x69"
-+"\xD6\x87\x0D\xA2\xC0\x82\xA9\x39\xE3\x7F\xDC\xB8\x2E\xC9\x3E\xDA"
-+"\xC9\x7F\xF3\xAD\x59\x50\xAC\xCF\xBC\x11\x1C\x76\xF1\xA9\x52\x94"
-+"\x44\xE5\x6A\xAF\x68\xC5\x6C\x09\x2C\xD3\x8D\xC3\xBE\xF5\xD2\x0A"
-+"\x93\x99\x26\xED\x4F\x74\xA1\x3E\xDD\xFB\xE1\xA1\xCE\xCC\x48\x94"
-+"\xAF\x94\x28\xC2\xB7\xB8\x88\x3F\xE4\x46\x3A\x4B\xC8\x5B\x1C\xB3"
-+"\xC1";
-+
-+ static const unsigned char p[] =
-+"\x00\xEE\xCF\xAE\x81\xB1\xB9\xB3\xC9\x08\x81\x0B\x10\xA1\xB5\x60"
-+"\x01\x99\xEB\x9F\x44\xAE\xF4\xFD\xA4\x93\xB8\x1A\x9E\x3D\x84\xF6"
-+"\x32\x12\x4E\xF0\x23\x6E\x5D\x1E\x3B\x7E\x28\xFA\xE7\xAA\x04\x0A"
-+"\x2D\x5B\x25\x21\x76\x45\x9D\x1F\x39\x75\x41\xBA\x2A\x58\xFB\x65"
-+"\x99";
-+
-+ static const unsigned char q[] =
-+"\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9"
-+"\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D"
-+"\x86\x98\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5"
-+"\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x15"
-+"\x03";
-+
-+ static const unsigned char dmp1[] =
-+"\x54\x49\x4C\xA6\x3E\xBA\x03\x37\xE4\xE2\x40\x23\xFC\xD6\x9A\x5A"
-+"\xEB\x07\xDD\xDC\x01\x83\xA4\xD0\xAC\x9B\x54\xB0\x51\xF2\xB1\x3E"
-+"\xD9\x49\x09\x75\xEA\xB7\x74\x14\xFF\x59\xC1\xF7\x69\x2E\x9A\x2E"
-+"\x20\x2B\x38\xFC\x91\x0A\x47\x41\x74\xAD\xC9\x3C\x1F\x67\xC9\x81";
-+
-+ static const unsigned char dmq1[] =
-+"\x47\x1E\x02\x90\xFF\x0A\xF0\x75\x03\x51\xB7\xF8\x78\x86\x4C\xA9"
-+"\x61\xAD\xBD\x3A\x8A\x7E\x99\x1C\x5C\x05\x56\xA9\x4C\x31\x46\xA7"
-+"\xF9\x80\x3F\x8F\x6F\x8A\xE3\x42\xE9\x31\xFD\x8A\xE4\x7A\x22\x0D"
-+"\x1B\x99\xA4\x95\x84\x98\x07\xFE\x39\xF9\x24\x5A\x98\x36\xDA\x3D";
-+
-+ static const unsigned char iqmp[] =
-+"\x00\xB0\x6C\x4F\xDA\xBB\x63\x01\x19\x8D\x26\x5B\xDB\xAE\x94\x23"
-+"\xB3\x80\xF2\x71\xF7\x34\x53\x88\x50\x93\x07\x7F\xCD\x39\xE2\x11"
-+"\x9F\xC9\x86\x32\x15\x4F\x58\x83\xB1\x67\xA9\x67\xBF\x40\x2B\x4E"
-+"\x9E\x2E\x0F\x96\x56\xE6\x98\xEA\x36\x66\xED\xFB\x25\x79\x80\x39"
-+"\xF7";
-+
-+ key->n = BN_bin2bn(n, sizeof(n)-1, key->n);
-+ if (corrupt_rsa)
-+ BN_set_bit(key->n, 1024);
-+ key->e = BN_bin2bn(e, sizeof(e)-1, key->e);
-+ key->d = BN_bin2bn(d, sizeof(d)-1, key->d);
-+ key->p = BN_bin2bn(p, sizeof(p)-1, key->p);
-+ key->q = BN_bin2bn(q, sizeof(q)-1, key->q);
-+ key->dmp1 = BN_bin2bn(dmp1, sizeof(dmp1)-1, key->dmp1);
-+ key->dmq1 = BN_bin2bn(dmq1, sizeof(dmq1)-1, key->dmq1);
-+ key->iqmp = BN_bin2bn(iqmp, sizeof(iqmp)-1, key->iqmp);
-+ return 1;
-+ }
-+
-+void FIPS_corrupt_rsa()
-+ {
-+ corrupt_rsa = 1;
-+ }
-+
-+/* Known Answer Test (KAT) data for the above RSA private key signing
-+ * kat_tbs.
-+ */
-+
-+static const unsigned char kat_tbs[] = "OpenSSL FIPS 140-2 Public Key RSA KAT";
-+
-+static const unsigned char kat_RSA_PSS_SHA1[] = {
-+ 0x2D, 0xAF, 0x6E, 0xC2, 0x98, 0xFB, 0x8A, 0xA1, 0xB9, 0x46, 0xDA, 0x0F,
-+ 0x01, 0x1E, 0x37, 0x93, 0xC2, 0x55, 0x27, 0xE4, 0x1D, 0xD2, 0x90, 0xBB,
-+ 0xF4, 0xBF, 0x4A, 0x74, 0x39, 0x51, 0xBB, 0xE8, 0x0C, 0xB7, 0xF8, 0xD3,
-+ 0xD1, 0xDF, 0xE7, 0xBE, 0x80, 0x05, 0xC3, 0xB5, 0xC7, 0x83, 0xD5, 0x4C,
-+ 0x7F, 0x49, 0xFB, 0x3F, 0x29, 0x9B, 0xE1, 0x12, 0x51, 0x60, 0xD0, 0xA7,
-+ 0x0D, 0xA9, 0x28, 0x56, 0x73, 0xD9, 0x07, 0xE3, 0x5E, 0x3F, 0x9B, 0xF5,
-+ 0xB6, 0xF3, 0xF2, 0x5E, 0x74, 0xC9, 0x83, 0x81, 0x47, 0xF0, 0xC5, 0x45,
-+ 0x0A, 0xE9, 0x8E, 0x38, 0xD7, 0x18, 0xC6, 0x2A, 0x0F, 0xF8, 0xB7, 0x31,
-+ 0xD6, 0x55, 0xE4, 0x66, 0x78, 0x81, 0xD4, 0xE6, 0xDB, 0x9F, 0xBA, 0xE8,
-+ 0x23, 0xB5, 0x7F, 0xDC, 0x08, 0xEA, 0xD5, 0x26, 0x1E, 0x20, 0x25, 0x84,
-+ 0x26, 0xC6, 0x79, 0xC9, 0x9B, 0x3D, 0x7E, 0xA9
-+};
-+
-+static const unsigned char kat_RSA_PSS_SHA224[] = {
-+ 0x39, 0x4A, 0x6A, 0x20, 0xBC, 0xE9, 0x33, 0xED, 0xEF, 0xC5, 0x58, 0xA7,
-+ 0xFE, 0x81, 0xC4, 0x36, 0x50, 0x9A, 0x2C, 0x82, 0x98, 0x08, 0x95, 0xFA,
-+ 0xB1, 0x9E, 0xD2, 0x55, 0x61, 0x87, 0x21, 0x59, 0x87, 0x7B, 0x1F, 0x57,
-+ 0x30, 0x9D, 0x0D, 0x4A, 0x06, 0xEB, 0x52, 0x37, 0x55, 0x54, 0x1C, 0x89,
-+ 0x83, 0x75, 0x59, 0x65, 0x64, 0x90, 0x2E, 0x16, 0xCC, 0x86, 0x05, 0xEE,
-+ 0xB1, 0xE6, 0x7B, 0xBA, 0x16, 0x75, 0x0D, 0x0C, 0x64, 0x0B, 0xAB, 0x22,
-+ 0x15, 0x78, 0x6B, 0x6F, 0xA4, 0xFB, 0x77, 0x40, 0x64, 0x62, 0xD1, 0xB5,
-+ 0x37, 0x1E, 0xE0, 0x3D, 0xA8, 0xF9, 0xD2, 0xBD, 0xAA, 0x38, 0x24, 0x49,
-+ 0x58, 0xD2, 0x74, 0x85, 0xF4, 0xB5, 0x93, 0x8E, 0xF5, 0x03, 0xEA, 0x2D,
-+ 0xC8, 0x52, 0xFA, 0xCF, 0x7E, 0x35, 0xB0, 0x6A, 0xAF, 0x95, 0xC0, 0x00,
-+ 0x54, 0x76, 0x3D, 0x0C, 0x9C, 0xB2, 0xEE, 0xC0
-+};
-+
-+static const unsigned char kat_RSA_PSS_SHA256[] = {
-+ 0x6D, 0x3D, 0xBE, 0x8F, 0x60, 0x6D, 0x25, 0x14, 0xF0, 0x31, 0xE3, 0x89,
-+ 0x00, 0x97, 0xFA, 0x99, 0x71, 0x28, 0xE5, 0x10, 0x25, 0x9A, 0xF3, 0x8F,
-+ 0x7B, 0xC5, 0xA8, 0x4A, 0x74, 0x51, 0x36, 0xE2, 0x8D, 0x7D, 0x73, 0x28,
-+ 0xC1, 0x77, 0xC6, 0x27, 0x97, 0x00, 0x8B, 0x00, 0xA3, 0x96, 0x73, 0x4E,
-+ 0x7D, 0x2E, 0x2C, 0x34, 0x68, 0x8C, 0x8E, 0xDF, 0x9D, 0x49, 0x47, 0x05,
-+ 0xAB, 0xF5, 0x01, 0xD6, 0x81, 0x47, 0x70, 0xF5, 0x1D, 0x6D, 0x26, 0xBA,
-+ 0x2F, 0x7A, 0x54, 0x53, 0x4E, 0xED, 0x71, 0xD9, 0x5A, 0xF3, 0xDA, 0xB6,
-+ 0x0B, 0x47, 0x34, 0xAF, 0x90, 0xDC, 0xC8, 0xD9, 0x6F, 0x56, 0xCD, 0x9F,
-+ 0x21, 0xB7, 0x7E, 0xAD, 0x7C, 0x2F, 0x75, 0x50, 0x47, 0x12, 0xE4, 0x6D,
-+ 0x5F, 0xB7, 0x01, 0xDF, 0xC3, 0x11, 0x6C, 0xA9, 0x9E, 0x49, 0xB9, 0xF6,
-+ 0x72, 0xF4, 0xF6, 0xEF, 0x88, 0x1E, 0x2D, 0x1C
-+};
-+
-+static const unsigned char kat_RSA_PSS_SHA384[] = {
-+ 0x40, 0xFB, 0xA1, 0x21, 0xF4, 0xB2, 0x40, 0x9A, 0xB4, 0x31, 0xA8, 0xF2,
-+ 0xEC, 0x1C, 0xC4, 0xC8, 0x7C, 0x22, 0x65, 0x9C, 0x57, 0x45, 0xCD, 0x5E,
-+ 0x86, 0x00, 0xF7, 0x25, 0x78, 0xDE, 0xDC, 0x7A, 0x71, 0x44, 0x9A, 0xCD,
-+ 0xAA, 0x25, 0xF4, 0xB2, 0xFC, 0xF0, 0x75, 0xD9, 0x2F, 0x78, 0x23, 0x7F,
-+ 0x6F, 0x02, 0xEF, 0xC1, 0xAF, 0xA6, 0x28, 0x16, 0x31, 0xDC, 0x42, 0x6C,
-+ 0xB2, 0x44, 0xE5, 0x4D, 0x66, 0xA2, 0xE6, 0x71, 0xF3, 0xAC, 0x4F, 0xFB,
-+ 0x91, 0xCA, 0xF5, 0x70, 0xEF, 0x6B, 0x9D, 0xA4, 0xEF, 0xD9, 0x3D, 0x2F,
-+ 0x3A, 0xBE, 0x89, 0x38, 0x59, 0x01, 0xBA, 0xDA, 0x32, 0xAD, 0x42, 0x89,
-+ 0x98, 0x8B, 0x39, 0x44, 0xF0, 0xFC, 0x38, 0xAC, 0x87, 0x1F, 0xCA, 0x6F,
-+ 0x48, 0xF6, 0xAE, 0xD7, 0x45, 0xEE, 0xAE, 0x88, 0x0E, 0x60, 0xF4, 0x55,
-+ 0x48, 0x44, 0xEE, 0x1F, 0x90, 0x18, 0x4B, 0xF1
-+};
-+
-+static const unsigned char kat_RSA_PSS_SHA512[] = {
-+ 0x07, 0x1E, 0xD8, 0xD5, 0x05, 0xE8, 0xE6, 0xE6, 0x57, 0xAE, 0x63, 0x8C,
-+ 0xC6, 0x83, 0xB7, 0xA0, 0x59, 0xBB, 0xF2, 0xC6, 0x8F, 0x12, 0x53, 0x9A,
-+ 0x9B, 0x54, 0x9E, 0xB3, 0xC1, 0x1D, 0x23, 0x4D, 0x51, 0xED, 0x9E, 0xDD,
-+ 0x4B, 0xF3, 0x46, 0x9B, 0x6B, 0xF6, 0x7C, 0x24, 0x60, 0x79, 0x23, 0x39,
-+ 0x01, 0x1C, 0x51, 0xCB, 0xD8, 0xE9, 0x9A, 0x01, 0x67, 0x5F, 0xFE, 0xD7,
-+ 0x7C, 0xE3, 0x7F, 0xED, 0xDB, 0x87, 0xBB, 0xF0, 0x3D, 0x78, 0x55, 0x61,
-+ 0x57, 0xE3, 0x0F, 0xE3, 0xD2, 0x9D, 0x0C, 0x2A, 0x20, 0xB0, 0x85, 0x13,
-+ 0xC5, 0x47, 0x34, 0x0D, 0x32, 0x15, 0xC8, 0xAE, 0x9A, 0x6A, 0x39, 0x63,
-+ 0x2D, 0x60, 0xF5, 0x4C, 0xDF, 0x8A, 0x48, 0x4B, 0xBF, 0xF4, 0xA8, 0xFE,
-+ 0x76, 0xF2, 0x32, 0x1B, 0x9C, 0x7C, 0xCA, 0xFE, 0x7F, 0x80, 0xC2, 0x88,
-+ 0x5C, 0x97, 0x70, 0xB4, 0x26, 0xC9, 0x14, 0x8B
-+};
-+
-+static const unsigned char kat_RSA_SHA1[] = {
-+ 0x71, 0xEE, 0x1A, 0xC0, 0xFE, 0x01, 0x93, 0x54, 0x79, 0x5C, 0xF2, 0x4C,
-+ 0x4A, 0xFD, 0x1A, 0x05, 0x8F, 0x64, 0xB1, 0x6D, 0x61, 0x33, 0x8D, 0x9B,
-+ 0xE7, 0xFD, 0x60, 0xA3, 0x83, 0xB5, 0xA3, 0x51, 0x55, 0x77, 0x90, 0xCF,
-+ 0xDC, 0x22, 0x37, 0x8E, 0xD0, 0xE1, 0xAE, 0x09, 0xE3, 0x3D, 0x1E, 0xF8,
-+ 0x80, 0xD1, 0x8B, 0xC2, 0xEC, 0x0A, 0xD7, 0x6B, 0x88, 0x8B, 0x8B, 0xA1,
-+ 0x20, 0x22, 0xBE, 0x59, 0x5B, 0xE0, 0x23, 0x24, 0xA1, 0x49, 0x30, 0xBA,
-+ 0xA9, 0x9E, 0xE8, 0xB1, 0x8A, 0x62, 0x16, 0xBF, 0x4E, 0xCA, 0x2E, 0x4E,
-+ 0xBC, 0x29, 0xA8, 0x67, 0x13, 0xB7, 0x9F, 0x1D, 0x04, 0x44, 0xE5, 0x5F,
-+ 0x35, 0x07, 0x11, 0xBC, 0xED, 0x19, 0x37, 0x21, 0xCF, 0x23, 0x48, 0x1F,
-+ 0x72, 0x05, 0xDE, 0xE6, 0xE8, 0x7F, 0x33, 0x8A, 0x76, 0x4B, 0x2F, 0x95,
-+ 0xDF, 0xF1, 0x5F, 0x84, 0x80, 0xD9, 0x46, 0xB4
-+};
-+
-+static const unsigned char kat_RSA_SHA224[] = {
-+ 0x62, 0xAA, 0x79, 0xA9, 0x18, 0x0E, 0x5F, 0x8C, 0xBB, 0xB7, 0x15, 0xF9,
-+ 0x25, 0xBB, 0xFA, 0xD4, 0x3A, 0x34, 0xED, 0x9E, 0xA0, 0xA9, 0x18, 0x8D,
-+ 0x5B, 0x55, 0x9A, 0x7E, 0x1E, 0x08, 0x08, 0x60, 0xC5, 0x1A, 0xC5, 0x89,
-+ 0x08, 0xE2, 0x1B, 0xBD, 0x62, 0x50, 0x17, 0x76, 0x30, 0x2C, 0x9E, 0xCD,
-+ 0xA4, 0x02, 0xAD, 0xB1, 0x6D, 0x44, 0x6D, 0xD5, 0xC6, 0x45, 0x41, 0xE5,
-+ 0xEE, 0x1F, 0x8D, 0x7E, 0x08, 0x16, 0xA6, 0xE1, 0x5E, 0x0B, 0xA9, 0xCC,
-+ 0xDB, 0x59, 0x55, 0x87, 0x09, 0x25, 0x70, 0x86, 0x84, 0x02, 0xC6, 0x3B,
-+ 0x0B, 0x44, 0x4C, 0x46, 0x95, 0xF4, 0xF8, 0x5A, 0x91, 0x28, 0x3E, 0xB2,
-+ 0x58, 0x2E, 0x06, 0x45, 0x49, 0xE0, 0x92, 0xE2, 0xC0, 0x66, 0xE6, 0x35,
-+ 0xD9, 0x79, 0x7F, 0x17, 0x5E, 0x02, 0x73, 0x04, 0x77, 0x82, 0xE6, 0xDC,
-+ 0x40, 0x21, 0x89, 0x8B, 0x37, 0x3E, 0x1E, 0x8D
-+};
-+
-+static const unsigned char kat_RSA_SHA256[] = {
-+ 0x0D, 0x55, 0xE2, 0xAA, 0x81, 0xDB, 0x8E, 0x82, 0x05, 0x17, 0xA5, 0x23,
-+ 0xE7, 0x3B, 0x1D, 0xAF, 0xFB, 0x8C, 0xD0, 0x81, 0x20, 0x7B, 0xAA, 0x23,
-+ 0x92, 0x87, 0x8C, 0xD1, 0x53, 0x85, 0x16, 0xDC, 0xBE, 0xAD, 0x6F, 0x35,
-+ 0x98, 0x2D, 0x69, 0x84, 0xBF, 0xD9, 0x8A, 0x01, 0x17, 0x58, 0xB2, 0x6E,
-+ 0x2C, 0x44, 0x9B, 0x90, 0xF1, 0xFB, 0x51, 0xE8, 0x6A, 0x90, 0x2D, 0x18,
-+ 0x0E, 0xC0, 0x90, 0x10, 0x24, 0xA9, 0x1D, 0xB3, 0x58, 0x7A, 0x91, 0x30,
-+ 0xBE, 0x22, 0xC7, 0xD3, 0xEC, 0xC3, 0x09, 0x5D, 0xBF, 0xE2, 0x80, 0x3A,
-+ 0x7C, 0x85, 0xB4, 0xBC, 0xD1, 0xE9, 0xF0, 0x5C, 0xDE, 0x81, 0xA6, 0x38,
-+ 0xB8, 0x42, 0xBB, 0x86, 0xC5, 0x9D, 0xCE, 0x7C, 0x2C, 0xEE, 0xD1, 0xDA,
-+ 0x27, 0x48, 0x2B, 0xF5, 0xAB, 0xB9, 0xF7, 0x80, 0xD1, 0x90, 0x27, 0x90,
-+ 0xBD, 0x44, 0x97, 0x60, 0xCD, 0x57, 0xC0, 0x7A
-+};
-+
-+static const unsigned char kat_RSA_SHA384[] = {
-+ 0x1D, 0xE3, 0x6A, 0xDD, 0x27, 0x4C, 0xC0, 0xA5, 0x27, 0xEF, 0xE6, 0x1F,
-+ 0xD2, 0x91, 0x68, 0x59, 0x04, 0xAE, 0xBD, 0x99, 0x63, 0x56, 0x47, 0xC7,
-+ 0x6F, 0x22, 0x16, 0x48, 0xD0, 0xF9, 0x18, 0xA9, 0xCA, 0xFA, 0x5D, 0x5C,
-+ 0xA7, 0x65, 0x52, 0x8A, 0xC8, 0x44, 0x7E, 0x86, 0x5D, 0xA9, 0xA6, 0x55,
-+ 0x65, 0x3E, 0xD9, 0x2D, 0x02, 0x38, 0xA8, 0x79, 0x28, 0x7F, 0xB6, 0xCF,
-+ 0x82, 0xDD, 0x7E, 0x55, 0xE1, 0xB1, 0xBC, 0xE2, 0x19, 0x2B, 0x30, 0xC2,
-+ 0x1B, 0x2B, 0xB0, 0x82, 0x46, 0xAC, 0x4B, 0xD1, 0xE2, 0x7D, 0xEB, 0x8C,
-+ 0xFF, 0x95, 0xE9, 0x6A, 0x1C, 0x3D, 0x4D, 0xBF, 0x8F, 0x8B, 0x9C, 0xCD,
-+ 0xEA, 0x85, 0xEE, 0x00, 0xDC, 0x1C, 0xA7, 0xEB, 0xD0, 0x8F, 0x99, 0xF1,
-+ 0x16, 0x28, 0x24, 0x64, 0x04, 0x39, 0x2D, 0x58, 0x1E, 0x37, 0xDC, 0x04,
-+ 0xBD, 0x31, 0xA2, 0x2F, 0xB3, 0x35, 0x56, 0xBF
-+};
-+
-+static const unsigned char kat_RSA_SHA512[] = {
-+ 0x69, 0x52, 0x1B, 0x51, 0x5E, 0x06, 0xCA, 0x9B, 0x16, 0x51, 0x5D, 0xCF,
-+ 0x49, 0x25, 0x4A, 0xA1, 0x6A, 0x77, 0x4C, 0x36, 0x40, 0xF8, 0xB2, 0x9A,
-+ 0x15, 0xEA, 0x5C, 0xE5, 0xE6, 0x82, 0xE0, 0x86, 0x82, 0x6B, 0x32, 0xF1,
-+ 0x04, 0xC1, 0x5A, 0x1A, 0xED, 0x1E, 0x9A, 0xB6, 0x4C, 0x54, 0x9F, 0xD8,
-+ 0x8D, 0xCC, 0xAC, 0x8A, 0xBB, 0x9C, 0x82, 0x3F, 0xA6, 0x53, 0x62, 0xB5,
-+ 0x80, 0xE2, 0xBC, 0xDD, 0x67, 0x2B, 0xD9, 0x3F, 0xE4, 0x75, 0x92, 0x6B,
-+ 0xAF, 0x62, 0x7C, 0x52, 0xF0, 0xEE, 0x33, 0xDF, 0x1B, 0x1D, 0x47, 0xE6,
-+ 0x59, 0x56, 0xA5, 0xB9, 0x5C, 0xE6, 0x77, 0x78, 0x16, 0x63, 0x84, 0x05,
-+ 0x6F, 0x0E, 0x2B, 0x31, 0x9D, 0xF7, 0x7F, 0xB2, 0x64, 0x71, 0xE0, 0x2D,
-+ 0x3E, 0x62, 0xCE, 0xB5, 0x3F, 0x88, 0xDF, 0x2D, 0xAB, 0x98, 0x65, 0x91,
-+ 0xDF, 0x70, 0x14, 0xA5, 0x3F, 0x36, 0xAB, 0x84
-+};
-+
-+static const unsigned char kat_RSA_X931_SHA1[] = {
-+ 0x86, 0xB4, 0x18, 0xBA, 0xD1, 0x80, 0xB6, 0x7C, 0x42, 0x45, 0x4D, 0xDF,
-+ 0xE9, 0x2D, 0xE1, 0x83, 0x5F, 0xB5, 0x2F, 0xC9, 0xCD, 0xC4, 0xB2, 0x75,
-+ 0x80, 0xA4, 0xF1, 0x4A, 0xE7, 0x83, 0x12, 0x1E, 0x1E, 0x14, 0xB8, 0xAC,
-+ 0x35, 0xE2, 0xAA, 0x0B, 0x5C, 0xF8, 0x38, 0x4D, 0x04, 0xEE, 0xA9, 0x97,
-+ 0x70, 0xFB, 0x5E, 0xE7, 0xB7, 0xE3, 0x62, 0x23, 0x4B, 0x38, 0xBE, 0xD6,
-+ 0x53, 0x15, 0xF7, 0xDF, 0x87, 0xB4, 0x0E, 0xCC, 0xB1, 0x1A, 0x11, 0x19,
-+ 0xEE, 0x51, 0xCC, 0x92, 0xDD, 0xBC, 0x63, 0x29, 0x63, 0x0C, 0x59, 0xD7,
-+ 0x6F, 0x4C, 0x3C, 0x37, 0x5B, 0x37, 0x03, 0x61, 0x7D, 0x24, 0x1C, 0x99,
-+ 0x48, 0xAF, 0x82, 0xFE, 0x32, 0x41, 0x9B, 0xB2, 0xDB, 0xEA, 0xED, 0x76,
-+ 0x8E, 0x6E, 0xCA, 0x7E, 0x4E, 0x14, 0xBA, 0x30, 0x84, 0x1C, 0xB3, 0x67,
-+ 0xA3, 0x29, 0x80, 0x70, 0x54, 0x68, 0x7D, 0x49
-+};
-+
-+static const unsigned char kat_RSA_X931_SHA256[] = {
-+ 0x7E, 0xA2, 0x77, 0xFE, 0xB8, 0x54, 0x8A, 0xC7, 0x7F, 0x64, 0x54, 0x89,
-+ 0xE5, 0x52, 0x15, 0x8E, 0x52, 0x96, 0x4E, 0xA6, 0x58, 0x92, 0x1C, 0xDD,
-+ 0xEA, 0xA2, 0x2D, 0x5C, 0xD1, 0x62, 0x00, 0x49, 0x05, 0x95, 0x73, 0xCF,
-+ 0x16, 0x76, 0x68, 0xF6, 0xC6, 0x5E, 0x80, 0xB8, 0xB8, 0x7B, 0xC8, 0x9B,
-+ 0xC6, 0x53, 0x88, 0x26, 0x20, 0x88, 0x73, 0xB6, 0x13, 0xB8, 0xF0, 0x4B,
-+ 0x00, 0x85, 0xF3, 0xDD, 0x07, 0x50, 0xEB, 0x20, 0xC4, 0x38, 0x0E, 0x98,
-+ 0xAD, 0x4E, 0x49, 0x2C, 0xD7, 0x65, 0xA5, 0x19, 0x0E, 0x59, 0x01, 0xEC,
-+ 0x7E, 0x75, 0x89, 0x69, 0x2E, 0x63, 0x76, 0x85, 0x46, 0x8D, 0xA0, 0x8C,
-+ 0x33, 0x1D, 0x82, 0x8C, 0x03, 0xEA, 0x69, 0x88, 0x35, 0xA1, 0x42, 0xBD,
-+ 0x21, 0xED, 0x8D, 0xBC, 0xBC, 0xDB, 0x30, 0xFF, 0x86, 0xF0, 0x5B, 0xDC,
-+ 0xE3, 0xE2, 0xE8, 0x0A, 0x0A, 0x29, 0x94, 0x80
-+};
-+
-+static const unsigned char kat_RSA_X931_SHA384[] = {
-+ 0x5C, 0x7D, 0x96, 0x35, 0xEC, 0x7E, 0x11, 0x38, 0xBB, 0x7B, 0xEC, 0x7B,
-+ 0xF2, 0x82, 0x8E, 0x99, 0xBD, 0xEF, 0xD8, 0xAE, 0xD7, 0x39, 0x37, 0xCB,
-+ 0xE6, 0x4F, 0x5E, 0x0A, 0x13, 0xE4, 0x2E, 0x40, 0xB9, 0xBE, 0x2E, 0xE3,
-+ 0xEF, 0x78, 0x83, 0x18, 0x44, 0x35, 0x9C, 0x8E, 0xD7, 0x4A, 0x63, 0xF6,
-+ 0x57, 0xC2, 0xB0, 0x08, 0x51, 0x73, 0xCF, 0xCA, 0x99, 0x66, 0xEE, 0x31,
-+ 0xD8, 0x69, 0xE9, 0xAB, 0x13, 0x27, 0x7B, 0x41, 0x1E, 0x6D, 0x8D, 0xF1,
-+ 0x3E, 0x9C, 0x35, 0x95, 0x58, 0xDD, 0x2B, 0xD5, 0xA0, 0x60, 0x41, 0x79,
-+ 0x24, 0x22, 0xE4, 0xB7, 0xBF, 0x47, 0x53, 0xF6, 0x34, 0xD5, 0x7C, 0xFF,
-+ 0x0E, 0x09, 0xEE, 0x2E, 0xE2, 0x37, 0xB9, 0xDE, 0xC5, 0x12, 0x44, 0x35,
-+ 0xEF, 0x01, 0xE6, 0x5E, 0x39, 0x31, 0x2D, 0x71, 0xA5, 0xDC, 0xC6, 0x6D,
-+ 0xE2, 0xCD, 0x85, 0xDB, 0x73, 0x82, 0x65, 0x28
-+};
-+
-+static const unsigned char kat_RSA_X931_SHA512[] = {
-+ 0xA6, 0x65, 0xA2, 0x77, 0x4F, 0xB3, 0x86, 0xCB, 0x64, 0x3A, 0xC1, 0x63,
-+ 0xFC, 0xA1, 0xAA, 0xCB, 0x9B, 0x79, 0xDD, 0x4B, 0xE1, 0xD9, 0xDA, 0xAC,
-+ 0xE7, 0x47, 0x09, 0xB2, 0x11, 0x4B, 0x8A, 0xAA, 0x05, 0x9E, 0x77, 0xD7,
-+ 0x3A, 0xBD, 0x5E, 0x53, 0x09, 0x4A, 0xE6, 0x0F, 0x5E, 0xF9, 0x14, 0x28,
-+ 0xA0, 0x99, 0x74, 0x64, 0x70, 0x4E, 0xF2, 0xE3, 0xFA, 0xC7, 0xF8, 0xC5,
-+ 0x6E, 0x2B, 0x79, 0x96, 0x0D, 0x0C, 0xC8, 0x10, 0x34, 0x53, 0xD2, 0xAF,
-+ 0x17, 0x0E, 0xE0, 0xBF, 0x79, 0xF6, 0x04, 0x72, 0x10, 0xE0, 0xF6, 0xD0,
-+ 0xCE, 0x8A, 0x6F, 0xA1, 0x95, 0x89, 0xBF, 0x58, 0x8F, 0x46, 0x5F, 0x09,
-+ 0x9F, 0x09, 0xCA, 0x84, 0x15, 0x85, 0xE0, 0xED, 0x04, 0x2D, 0xFB, 0x7C,
-+ 0x36, 0x35, 0x21, 0x31, 0xC3, 0xFD, 0x92, 0x42, 0x11, 0x30, 0x71, 0x1B,
-+ 0x60, 0x83, 0x18, 0x88, 0xA3, 0xF5, 0x59, 0xC3
-+};
-+
-+
-+int FIPS_selftest_rsa()
-+ {
-+ int ret = 0;
-+ RSA *key;
-+ EVP_PKEY *pk = NULL;
-+
-+ if ((key=RSA_new()) == NULL)
-+ goto err;
-+ setrsakey(key);
-+ if ((pk=EVP_PKEY_new()) == NULL)
-+ goto err;
-+
-+ EVP_PKEY_assign_RSA(pk, key);
-+
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_SHA1, sizeof(kat_RSA_SHA1),
-+ EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PKCS1,
-+ "RSA SHA1 PKCS#1"))
-+ goto err;
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_SHA224, sizeof(kat_RSA_SHA224),
-+ EVP_sha224(), EVP_MD_CTX_FLAG_PAD_PKCS1,
-+ "RSA SHA224 PKCS#1"))
-+ goto err;
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_SHA256, sizeof(kat_RSA_SHA256),
-+ EVP_sha256(), EVP_MD_CTX_FLAG_PAD_PKCS1,
-+ "RSA SHA256 PKCS#1"))
-+ goto err;
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_SHA384, sizeof(kat_RSA_SHA384),
-+ EVP_sha384(), EVP_MD_CTX_FLAG_PAD_PKCS1,
-+ "RSA SHA384 PKCS#1"))
-+ goto err;
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_SHA512, sizeof(kat_RSA_SHA512),
-+ EVP_sha512(), EVP_MD_CTX_FLAG_PAD_PKCS1,
-+ "RSA SHA512 PKCS#1"))
-+ goto err;
-+
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_PSS_SHA1, sizeof(kat_RSA_PSS_SHA1),
-+ EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PSS,
-+ "RSA SHA1 PSS"))
-+ goto err;
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_PSS_SHA224, sizeof(kat_RSA_PSS_SHA224),
-+ EVP_sha224(), EVP_MD_CTX_FLAG_PAD_PSS,
-+ "RSA SHA224 PSS"))
-+ goto err;
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_PSS_SHA256, sizeof(kat_RSA_PSS_SHA256),
-+ EVP_sha256(), EVP_MD_CTX_FLAG_PAD_PSS,
-+ "RSA SHA256 PSS"))
-+ goto err;
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_PSS_SHA384, sizeof(kat_RSA_PSS_SHA384),
-+ EVP_sha384(), EVP_MD_CTX_FLAG_PAD_PSS,
-+ "RSA SHA384 PSS"))
-+ goto err;
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_PSS_SHA512, sizeof(kat_RSA_PSS_SHA512),
-+ EVP_sha512(), EVP_MD_CTX_FLAG_PAD_PSS,
-+ "RSA SHA512 PSS"))
-+ goto err;
-+
-+
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_X931_SHA1, sizeof(kat_RSA_X931_SHA1),
-+ EVP_sha1(), EVP_MD_CTX_FLAG_PAD_X931,
-+ "RSA SHA1 X931"))
-+ goto err;
-+ /* NB: SHA224 not supported in X9.31 */
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_X931_SHA256, sizeof(kat_RSA_X931_SHA256),
-+ EVP_sha256(), EVP_MD_CTX_FLAG_PAD_X931,
-+ "RSA SHA256 X931"))
-+ goto err;
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_X931_SHA384, sizeof(kat_RSA_X931_SHA384),
-+ EVP_sha384(), EVP_MD_CTX_FLAG_PAD_X931,
-+ "RSA SHA384 X931"))
-+ goto err;
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_X931_SHA512, sizeof(kat_RSA_X931_SHA512),
-+ EVP_sha512(), EVP_MD_CTX_FLAG_PAD_X931,
-+ "RSA SHA512 X931"))
-+ goto err;
-+
-+
-+ ret = 1;
-+
-+ err:
-+ if (pk)
-+ EVP_PKEY_free(pk);
-+ else if (key)
-+ RSA_free(key);
-+ return ret;
-+ }
-+
-+#endif /* def OPENSSL_FIPS */
-diff -up openssl-1.0.1e/crypto/fips/fips_rsa_x931g.c.fips openssl-1.0.1e/crypto/fips/fips_rsa_x931g.c
---- openssl-1.0.1e/crypto/fips/fips_rsa_x931g.c.fips 2013-10-04 11:48:04.188694316 +0200
-+++ openssl-1.0.1e/crypto/fips/fips_rsa_x931g.c 2013-10-04 11:48:04.188694316 +0200
-@@ -0,0 +1,282 @@
-+/* crypto/rsa/rsa_gen.c */
-+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
-+ * All rights reserved.
-+ *
-+ * This package is an SSL implementation written
-+ * by Eric Young (eay@cryptsoft.com).
-+ * The implementation was written so as to conform with Netscapes SSL.
-+ *
-+ * This library is free for commercial and non-commercial use as long as
-+ * the following conditions are aheared to. The following conditions
-+ * apply to all code found in this distribution, be it the RC4, RSA,
-+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
-+ * included with this distribution is covered by the same copyright terms
-+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
-+ *
-+ * Copyright remains Eric Young's, and as such any Copyright notices in
-+ * the code are not to be removed.
-+ * If this package is used in a product, Eric Young should be given attribution
-+ * as the author of the parts of the library used.
-+ * This can be in the form of a textual message at program startup or
-+ * in documentation (online or textual) provided with the package.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ * 1. Redistributions of source code must retain the copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in the
-+ * documentation and/or other materials provided with the distribution.
-+ * 3. All advertising materials mentioning features or use of this software
-+ * must display the following acknowledgement:
-+ * "This product includes cryptographic software written by
-+ * Eric Young (eay@cryptsoft.com)"
-+ * The word 'cryptographic' can be left out if the rouines from the library
-+ * being used are not cryptographic related :-).
-+ * 4. If you include any Windows specific code (or a derivative thereof) from
-+ * the apps directory (application code) you must include an acknowledgement:
-+ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
-+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-+ * SUCH DAMAGE.
-+ *
-+ * The licence and distribution terms for any publically available version or
-+ * derivative of this code cannot be changed. i.e. this code cannot simply be
-+ * copied and put under another distribution licence
-+ * [including the GNU Public Licence.]
-+ */
-+
-+#include <stdio.h>
-+#include <string.h>
-+#include <time.h>
-+#include <openssl/err.h>
-+#include <openssl/bn.h>
-+#include <openssl/rsa.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+
-+extern int fips_check_rsa(RSA *rsa);
-+#endif
-+
-+/* X9.31 RSA key derivation and generation */
-+
-+int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1, BIGNUM *q2,
-+ const BIGNUM *Xp1, const BIGNUM *Xp2, const BIGNUM *Xp,
-+ const BIGNUM *Xq1, const BIGNUM *Xq2, const BIGNUM *Xq,
-+ const BIGNUM *e, BN_GENCB *cb)
-+ {
-+ BIGNUM *r0=NULL,*r1=NULL,*r2=NULL,*r3=NULL;
-+ BN_CTX *ctx=NULL,*ctx2=NULL;
-+
-+ if (!rsa)
-+ goto err;
-+
-+ ctx = BN_CTX_new();
-+ if (!ctx)
-+ goto err;
-+ BN_CTX_start(ctx);
-+
-+ r0 = BN_CTX_get(ctx);
-+ r1 = BN_CTX_get(ctx);
-+ r2 = BN_CTX_get(ctx);
-+ r3 = BN_CTX_get(ctx);
-+
-+ if (r3 == NULL)
-+ goto err;
-+ if (!rsa->e)
-+ {
-+ rsa->e = BN_dup(e);
-+ if (!rsa->e)
-+ goto err;
-+ }
-+ else
-+ e = rsa->e;
-+
-+ /* If not all parameters present only calculate what we can.
-+ * This allows test programs to output selective parameters.
-+ */
-+
-+ if (Xp && !rsa->p)
-+ {
-+ rsa->p = BN_new();
-+ if (!rsa->p)
-+ goto err;
-+
-+ if (!BN_X931_derive_prime_ex(rsa->p, p1, p2,
-+ Xp, Xp1, Xp2, e, ctx, cb))
-+ goto err;
-+ }
-+
-+ if (Xq && !rsa->q)
-+ {
-+ rsa->q = BN_new();
-+ if (!rsa->q)
-+ goto err;
-+ if (!BN_X931_derive_prime_ex(rsa->q, q1, q2,
-+ Xq, Xq1, Xq2, e, ctx, cb))
-+ goto err;
-+ }
-+
-+ if (!rsa->p || !rsa->q)
-+ {
-+ BN_CTX_end(ctx);
-+ BN_CTX_free(ctx);
-+ return 2;
-+ }
-+
-+ /* Since both primes are set we can now calculate all remaining
-+ * components.
-+ */
-+
-+ /* calculate n */
-+ rsa->n=BN_new();
-+ if (rsa->n == NULL)
-+ goto err;
-+ if (!BN_mul(rsa->n,rsa->p,rsa->q,ctx))
-+ goto err;
-+
-+ /* calculate d */
-+ if (!BN_sub(r1,rsa->p,BN_value_one()))
-+ goto err; /* p-1 */
-+ if (!BN_sub(r2,rsa->q,BN_value_one()))
-+ goto err; /* q-1 */
-+ if (!BN_mul(r0,r1,r2,ctx))
-+ goto err; /* (p-1)(q-1) */
-+
-+ if (!BN_gcd(r3, r1, r2, ctx))
-+ goto err;
-+
-+ if (!BN_div(r0, NULL, r0, r3, ctx))
-+ goto err; /* LCM((p-1)(q-1)) */
-+
-+ ctx2 = BN_CTX_new();
-+ if (!ctx2)
-+ goto err;
-+
-+ rsa->d=BN_mod_inverse(NULL,rsa->e,r0,ctx2); /* d */
-+ if (rsa->d == NULL)
-+ goto err;
-+
-+ /* calculate d mod (p-1) */
-+ rsa->dmp1=BN_new();
-+ if (rsa->dmp1 == NULL)
-+ goto err;
-+ if (!BN_mod(rsa->dmp1,rsa->d,r1,ctx))
-+ goto err;
-+
-+ /* calculate d mod (q-1) */
-+ rsa->dmq1=BN_new();
-+ if (rsa->dmq1 == NULL)
-+ goto err;
-+ if (!BN_mod(rsa->dmq1,rsa->d,r2,ctx))
-+ goto err;
-+
-+ /* calculate inverse of q mod p */
-+ rsa->iqmp=BN_mod_inverse(NULL,rsa->q,rsa->p,ctx2);
-+
-+ err:
-+ if (ctx)
-+ {
-+ BN_CTX_end(ctx);
-+ BN_CTX_free(ctx);
-+ }
-+ if (ctx2)
-+ BN_CTX_free(ctx2);
-+ /* If this is set all calls successful */
-+ if (rsa && rsa->iqmp != NULL)
-+ return 1;
-+
-+ return 0;
-+
-+ }
-+
-+int RSA_X931_generate_key_ex(RSA *rsa, int bits, const BIGNUM *e, BN_GENCB *cb)
-+ {
-+ int ok = 0;
-+ BIGNUM *Xp = NULL, *Xq = NULL;
-+ BN_CTX *ctx = NULL;
-+
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW) &&
-+ (bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
-+ {
-+ FIPSerr(FIPS_F_RSA_X931_GENERATE_KEY_EX,FIPS_R_KEY_TOO_SHORT);
-+ return 0;
-+ }
-+
-+ if (bits & 0xff)
-+ {
-+ FIPSerr(FIPS_F_RSA_X931_GENERATE_KEY_EX,FIPS_R_INVALID_KEY_LENGTH);
-+ return 0;
-+ }
-+
-+ if(FIPS_selftest_failed())
-+ {
-+ FIPSerr(FIPS_F_RSA_X931_GENERATE_KEY_EX,FIPS_R_FIPS_SELFTEST_FAILED);
-+ return 0;
-+ }
-+#endif
-+
-+ ctx = BN_CTX_new();
-+ if (!ctx)
-+ goto error;
-+
-+ BN_CTX_start(ctx);
-+ Xp = BN_CTX_get(ctx);
-+ Xq = BN_CTX_get(ctx);
-+ if (!BN_X931_generate_Xpq(Xp, Xq, bits, ctx))
-+ goto error;
-+
-+ rsa->p = BN_new();
-+ rsa->q = BN_new();
-+ if (!rsa->p || !rsa->q)
-+ goto error;
-+
-+ /* Generate two primes from Xp, Xq */
-+
-+ if (!BN_X931_generate_prime_ex(rsa->p, NULL, NULL, NULL, NULL, Xp,
-+ e, ctx, cb))
-+ goto error;
-+
-+ if (!BN_X931_generate_prime_ex(rsa->q, NULL, NULL, NULL, NULL, Xq,
-+ e, ctx, cb))
-+ goto error;
-+
-+ /* Since rsa->p and rsa->q are valid this call will just derive
-+ * remaining RSA components.
-+ */
-+
-+ if (!RSA_X931_derive_ex(rsa, NULL, NULL, NULL, NULL,
-+ NULL, NULL, NULL, NULL, NULL, NULL, e, cb))
-+ goto error;
-+
-+#ifdef OPENSSL_FIPS
-+ if(!fips_check_rsa(rsa))
-+ goto error;
-+#endif
-+
-+ ok = 1;
-+
-+ error:
-+ if (ctx)
-+ {
-+ BN_CTX_end(ctx);
-+ BN_CTX_free(ctx);
-+ }
-+
-+ if (ok)
-+ return 1;
-+
-+ return 0;
-+
-+ }
-diff -up openssl-1.0.1e/crypto/fips/fips_sha_selftest.c.fips openssl-1.0.1e/crypto/fips/fips_sha_selftest.c
---- openssl-1.0.1e/crypto/fips/fips_sha_selftest.c.fips 2013-10-04 11:48:04.188694316 +0200
-+++ openssl-1.0.1e/crypto/fips/fips_sha_selftest.c 2013-10-04 11:48:04.188694316 +0200
-@@ -0,0 +1,140 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <string.h>
-+#include <openssl/err.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-+#include <openssl/evp.h>
-+#include <openssl/sha.h>
-+
-+#ifdef OPENSSL_FIPS
-+static const char test[][60]=
-+ {
-+ "",
-+ "abc",
-+ "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
-+ };
-+
-+static const unsigned char ret[][SHA_DIGEST_LENGTH]=
-+ {
-+ { 0xda,0x39,0xa3,0xee,0x5e,0x6b,0x4b,0x0d,0x32,0x55,
-+ 0xbf,0xef,0x95,0x60,0x18,0x90,0xaf,0xd8,0x07,0x09 },
-+ { 0xa9,0x99,0x3e,0x36,0x47,0x06,0x81,0x6a,0xba,0x3e,
-+ 0x25,0x71,0x78,0x50,0xc2,0x6c,0x9c,0xd0,0xd8,0x9d },
-+ { 0x84,0x98,0x3e,0x44,0x1c,0x3b,0xd2,0x6e,0xba,0xae,
-+ 0x4a,0xa1,0xf9,0x51,0x29,0xe5,0xe5,0x46,0x70,0xf1 },
-+ };
-+
-+static int corrupt_sha;
-+
-+void FIPS_corrupt_sha1()
-+ {
-+ corrupt_sha = 1;
-+ }
-+
-+int FIPS_selftest_sha1()
-+ {
-+ int n;
-+
-+ for(n=0 ; n<sizeof(test)/sizeof(test[0]) ; ++n)
-+ {
-+ unsigned char md[SHA_DIGEST_LENGTH];
-+
-+ EVP_Digest(test[n],strlen(test[n])+corrupt_sha,md, NULL, EVP_sha1(), NULL);
-+ if(memcmp(md,ret[n],sizeof md))
-+ {
-+ FIPSerr(FIPS_F_FIPS_SELFTEST_SHA1,FIPS_R_SELFTEST_FAILED);
-+ return 0;
-+ }
-+ }
-+ return 1;
-+ }
-+
-+static const unsigned char msg_sha256[] = { 0xfa, 0x48, 0x59, 0x2a, 0xe1, 0xae, 0x1f, 0x30,
-+ 0xfc };
-+static const unsigned char dig_sha256[] = { 0xf7, 0x26, 0xd8, 0x98, 0x47, 0x91, 0x68, 0x5b,
-+ 0x9e, 0x39, 0xb2, 0x58, 0xbb, 0x75, 0xbf, 0x01,
-+ 0x17, 0x0c, 0x84, 0x00, 0x01, 0x7a, 0x94, 0x83,
-+ 0xf3, 0x0b, 0x15, 0x84, 0x4b, 0x69, 0x88, 0x8a };
-+
-+static const unsigned char msg_sha512[] = { 0x37, 0xd1, 0x35, 0x9d, 0x18, 0x41, 0xe9, 0xb7,
-+ 0x6d, 0x9a, 0x13, 0xda, 0x5f, 0xf3, 0xbd };
-+static const unsigned char dig_sha512[] = { 0x11, 0x13, 0xc4, 0x19, 0xed, 0x2b, 0x1d, 0x16,
-+ 0x11, 0xeb, 0x9b, 0xbe, 0xf0, 0x7f, 0xcf, 0x44,
-+ 0x8b, 0xd7, 0x57, 0xbd, 0x8d, 0xa9, 0x25, 0xb0,
-+ 0x47, 0x25, 0xd6, 0x6c, 0x9a, 0x54, 0x7f, 0x8f,
-+ 0x0b, 0x53, 0x1a, 0x10, 0x68, 0x32, 0x03, 0x38,
-+ 0x82, 0xc4, 0x87, 0xc4, 0xea, 0x0e, 0xd1, 0x04,
-+ 0xa9, 0x98, 0xc1, 0x05, 0xa3, 0xf3, 0xf8, 0xb1,
-+ 0xaf, 0xbc, 0xd9, 0x78, 0x7e, 0xee, 0x3d, 0x43 };
-+
-+int FIPS_selftest_sha2(void)
-+ {
-+ unsigned char md[SHA512_DIGEST_LENGTH];
-+
-+ EVP_Digest(msg_sha256, sizeof(msg_sha256), md, NULL, EVP_sha256(), NULL);
-+ if(memcmp(dig_sha256, md, sizeof(dig_sha256)))
-+ {
-+ FIPSerr(FIPS_F_FIPS_MODE_SET, FIPS_R_SELFTEST_FAILED);
-+ return 0;
-+ }
-+
-+ EVP_Digest(msg_sha512, sizeof(msg_sha512), md, NULL, EVP_sha512(), NULL);
-+ if(memcmp(dig_sha512, md, sizeof(dig_sha512)))
-+ {
-+ FIPSerr(FIPS_F_FIPS_MODE_SET, FIPS_R_SELFTEST_FAILED);
-+ return 0;
-+ }
-+
-+ return 1;
-+ }
-+
-+#endif
-diff -up openssl-1.0.1e/crypto/fips/fips_standalone_hmac.c.fips openssl-1.0.1e/crypto/fips/fips_standalone_hmac.c
---- openssl-1.0.1e/crypto/fips/fips_standalone_hmac.c.fips 2013-10-04 11:48:04.188694316 +0200
-+++ openssl-1.0.1e/crypto/fips/fips_standalone_hmac.c 2013-10-04 11:48:04.188694316 +0200
-@@ -0,0 +1,236 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <openssl/opensslconf.h>
-+#include <openssl/sha.h>
-+#include <openssl/hmac.h>
-+
-+#ifndef FIPSCANISTER_O
-+int FIPS_selftest_failed() { return 0; }
-+void FIPS_selftest_check() {}
-+#endif
-+
-+#ifdef OPENSSL_FIPS
-+int bn_mul_mont_fpu64(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, const BN_ULONG *np, const BN_ULONG *n0, int num) { return 0; };
-+int bn_mul_mont_int(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, const BN_ULONG *np, const BN_ULONG *n0, int num) { return 0; };
-+
-+#if defined(__i386) || defined(__i386__) || defined(_M_IX86) || \
-+ defined(__INTEL__) || \
-+ defined(__x86_64) || defined(__x86_64__) || defined(_M_AMD64) || defined(_M_X64)
-+
-+unsigned int OPENSSL_ia32cap_P[2];
-+unsigned long *OPENSSL_ia32cap_loc(void)
-+{ if (sizeof(long)==4)
-+ /*
-+ * If 32-bit application pulls address of OPENSSL_ia32cap_P[0]
-+ * clear second element to maintain the illusion that vector
-+ * is 32-bit.
-+ */
-+ OPENSSL_ia32cap_P[1]=0;
-+ return (unsigned long *)OPENSSL_ia32cap_P;
-+}
-+
-+#if defined(OPENSSL_CPUID_OBJ) && !defined(OPENSSL_NO_ASM) && !defined(I386_ONLY)
-+#define OPENSSL_CPUID_SETUP
-+#if defined(_WIN32)
-+typedef unsigned __int64 IA32CAP;
-+#else
-+typedef unsigned long long IA32CAP;
-+#endif
-+void OPENSSL_cpuid_setup(void)
-+{ static int trigger=0;
-+ IA32CAP OPENSSL_ia32_cpuid(void);
-+ IA32CAP vec;
-+ char *env;
-+
-+ if (trigger) return;
-+
-+ trigger=1;
-+ if ((env=getenv("OPENSSL_ia32cap"))) {
-+ int off = (env[0]=='~')?1:0;
-+#if defined(_WIN32)
-+ if (!sscanf(env+off,"%I64i",&vec)) vec = strtoul(env+off,NULL,0);
-+#else
-+ if (!sscanf(env+off,"%lli",(long long *)&vec)) vec = strtoul(env+off,NULL,0);
-+#endif
-+ if (off) vec = OPENSSL_ia32_cpuid()&~vec;
-+ }
-+ else
-+ vec = OPENSSL_ia32_cpuid();
-+
-+ /*
-+ * |(1<<10) sets a reserved bit to signal that variable
-+ * was initialized already... This is to avoid interference
-+ * with cpuid snippets in ELF .init segment.
-+ */
-+ OPENSSL_ia32cap_P[0] = (unsigned int)vec|(1<<10);
-+ OPENSSL_ia32cap_P[1] = (unsigned int)(vec>>32);
-+}
-+#endif
-+
-+#else
-+unsigned long *OPENSSL_ia32cap_loc(void) { return NULL; }
-+#endif
-+int OPENSSL_NONPIC_relocated = 0;
-+#if !defined(OPENSSL_CPUID_SETUP) && !defined(OPENSSL_CPUID_OBJ)
-+void OPENSSL_cpuid_setup(void) {}
-+#endif
-+
-+static void hmac_init(SHA256_CTX *md_ctx,SHA256_CTX *o_ctx,
-+ const char *key)
-+ {
-+ size_t len=strlen(key);
-+ int i;
-+ unsigned char keymd[HMAC_MAX_MD_CBLOCK];
-+ unsigned char pad[HMAC_MAX_MD_CBLOCK];
-+
-+ if (len > SHA_CBLOCK)
-+ {
-+ SHA256_Init(md_ctx);
-+ SHA256_Update(md_ctx,key,len);
-+ SHA256_Final(keymd,md_ctx);
-+ len=SHA256_DIGEST_LENGTH;
-+ }
-+ else
-+ memcpy(keymd,key,len);
-+ memset(&keymd[len],'\0',HMAC_MAX_MD_CBLOCK-len);
-+
-+ for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++)
-+ pad[i]=0x36^keymd[i];
-+ SHA256_Init(md_ctx);
-+ SHA256_Update(md_ctx,pad,SHA256_CBLOCK);
-+
-+ for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++)
-+ pad[i]=0x5c^keymd[i];
-+ SHA256_Init(o_ctx);
-+ SHA256_Update(o_ctx,pad,SHA256_CBLOCK);
-+ }
-+
-+static void hmac_final(unsigned char *md,SHA256_CTX *md_ctx,SHA256_CTX *o_ctx)
-+ {
-+ unsigned char buf[SHA256_DIGEST_LENGTH];
-+
-+ SHA256_Final(buf,md_ctx);
-+ SHA256_Update(o_ctx,buf,sizeof buf);
-+ SHA256_Final(md,o_ctx);
-+ }
-+
-+#endif
-+
-+int main(int argc,char **argv)
-+ {
-+#ifdef OPENSSL_FIPS
-+ static char key[]="orboDeJITITejsirpADONivirpUkvarP";
-+ int n,binary=0;
-+
-+ if(argc < 2)
-+ {
-+ fprintf(stderr,"%s [<file>]+\n",argv[0]);
-+ exit(1);
-+ }
-+
-+ n=1;
-+ if (!strcmp(argv[n],"-binary"))
-+ {
-+ n++;
-+ binary=1; /* emit binary fingerprint... */
-+ }
-+
-+ for(; n < argc ; ++n)
-+ {
-+ FILE *f=fopen(argv[n],"rb");
-+ SHA256_CTX md_ctx,o_ctx;
-+ unsigned char md[SHA256_DIGEST_LENGTH];
-+ int i;
-+
-+ if(!f)
-+ {
-+ perror(argv[n]);
-+ exit(2);
-+ }
-+
-+ hmac_init(&md_ctx,&o_ctx,key);
-+ for( ; ; )
-+ {
-+ char buf[1024];
-+ size_t l=fread(buf,1,sizeof buf,f);
-+
-+ if(l == 0)
-+ {
-+ if(ferror(f))
-+ {
-+ perror(argv[n]);
-+ exit(3);
-+ }
-+ else
-+ break;
-+ }
-+ SHA256_Update(&md_ctx,buf,l);
-+ }
-+ hmac_final(md,&md_ctx,&o_ctx);
-+
-+ if (binary)
-+ {
-+ fwrite(md,SHA256_DIGEST_LENGTH,1,stdout);
-+ break; /* ... for single(!) file */
-+ }
-+
-+/* printf("HMAC-SHA1(%s)= ",argv[n]); */
-+ for(i=0 ; i < SHA256_DIGEST_LENGTH ; ++i)
-+ printf("%02x",md[i]);
-+ printf("\n");
-+ }
-+#endif
-+ return 0;
-+ }
-+
-+
-diff -up openssl-1.0.1e/crypto/fips/fips_test_suite.c.fips openssl-1.0.1e/crypto/fips/fips_test_suite.c
---- openssl-1.0.1e/crypto/fips/fips_test_suite.c.fips 2013-10-04 11:48:04.189694339 +0200
-+++ openssl-1.0.1e/crypto/fips/fips_test_suite.c 2013-10-04 11:48:04.189694339 +0200
-@@ -0,0 +1,588 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
-+ *
-+ *
-+ * This command is intended as a test driver for the FIPS-140 testing
-+ * lab performing FIPS-140 validation. It demonstrates the use of the
-+ * OpenSSL library ito perform a variety of common cryptographic
-+ * functions. A power-up self test is demonstrated by deliberately
-+ * pointing to an invalid executable hash
-+ *
-+ * Contributed by Steve Marquess.
-+ *
-+ */
-+#include <stdio.h>
-+#include <assert.h>
-+#include <ctype.h>
-+#include <string.h>
-+#include <stdlib.h>
-+#include <openssl/aes.h>
-+#include <openssl/des.h>
-+#include <openssl/rsa.h>
-+#include <openssl/dsa.h>
-+#include <openssl/dh.h>
-+#include <openssl/hmac.h>
-+#include <openssl/err.h>
-+
-+#include <openssl/bn.h>
-+#include <openssl/rand.h>
-+#include <openssl/sha.h>
-+
-+
-+#ifndef OPENSSL_FIPS
-+int main(int argc, char *argv[])
-+ {
-+ printf("No FIPS support\n");
-+ return(0);
-+ }
-+#else
-+
-+#include <openssl/fips.h>
-+#include "fips_utl.h"
-+
-+/* AES: encrypt and decrypt known plaintext, verify result matches original plaintext
-+*/
-+static int FIPS_aes_test(void)
-+ {
-+ int ret = 0;
-+ unsigned char pltmp[16];
-+ unsigned char citmp[16];
-+ unsigned char key[16] = { 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};
-+ unsigned char plaintext[16] = "etaonrishdlcu";
-+ EVP_CIPHER_CTX ctx;
-+ EVP_CIPHER_CTX_init(&ctx);
-+ if (EVP_CipherInit_ex(&ctx, EVP_aes_128_ecb(),NULL, key, NULL, 1) <= 0)
-+ goto err;
-+ EVP_Cipher(&ctx, citmp, plaintext, 16);
-+ if (EVP_CipherInit_ex(&ctx, EVP_aes_128_ecb(),NULL, key, NULL, 0) <= 0)
-+ goto err;
-+ EVP_Cipher(&ctx, pltmp, citmp, 16);
-+ if (memcmp(pltmp, plaintext, 16))
-+ goto err;
-+ ret = 1;
-+ err:
-+ EVP_CIPHER_CTX_cleanup(&ctx);
-+ return ret;
-+ }
-+
-+static int FIPS_des3_test(void)
-+ {
-+ int ret = 0;
-+ unsigned char pltmp[8];
-+ unsigned char citmp[8];
-+ unsigned char key[] = { 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,
-+ 19,20,21,22,23,24};
-+ unsigned char plaintext[] = { 'e', 't', 'a', 'o', 'n', 'r', 'i', 's' };
-+ EVP_CIPHER_CTX ctx;
-+ EVP_CIPHER_CTX_init(&ctx);
-+ if (EVP_CipherInit_ex(&ctx, EVP_des_ede3_ecb(),NULL, key, NULL, 1) <= 0)
-+ goto err;
-+ EVP_Cipher(&ctx, citmp, plaintext, 8);
-+ if (EVP_CipherInit_ex(&ctx, EVP_des_ede3_ecb(),NULL, key, NULL, 0) <= 0)
-+ goto err;
-+ EVP_Cipher(&ctx, pltmp, citmp, 8);
-+ if (memcmp(pltmp, plaintext, 8))
-+ goto err;
-+ ret = 1;
-+ err:
-+ EVP_CIPHER_CTX_cleanup(&ctx);
-+ return ret;
-+ }
-+
-+/*
-+ * DSA: generate keys and sign, verify input plaintext.
-+ */
-+static int FIPS_dsa_test(int bad)
-+ {
-+ DSA *dsa = NULL;
-+ EVP_PKEY pk;
-+ unsigned char dgst[] = "etaonrishdlc";
-+ unsigned char buf[60];
-+ unsigned int slen;
-+ int r = 0;
-+ EVP_MD_CTX mctx;
-+
-+ ERR_clear_error();
-+ EVP_MD_CTX_init(&mctx);
-+ dsa = DSA_new();
-+ if (!dsa)
-+ goto end;
-+ if (!DSA_generate_parameters_ex(dsa, 1024,NULL,0,NULL,NULL,NULL))
-+ goto end;
-+ if (!DSA_generate_key(dsa))
-+ goto end;
-+ if (bad)
-+ BN_add_word(dsa->pub_key, 1);
-+
-+ pk.type = EVP_PKEY_DSA;
-+ pk.pkey.dsa = dsa;
-+
-+ if (!EVP_SignInit_ex(&mctx, EVP_dss1(), NULL))
-+ goto end;
-+ if (!EVP_SignUpdate(&mctx, dgst, sizeof(dgst) - 1))
-+ goto end;
-+ if (!EVP_SignFinal(&mctx, buf, &slen, &pk))
-+ goto end;
-+
-+ if (!EVP_VerifyInit_ex(&mctx, EVP_dss1(), NULL))
-+ goto end;
-+ if (!EVP_VerifyUpdate(&mctx, dgst, sizeof(dgst) - 1))
-+ goto end;
-+ r = EVP_VerifyFinal(&mctx, buf, slen, &pk);
-+ end:
-+ EVP_MD_CTX_cleanup(&mctx);
-+ if (dsa)
-+ DSA_free(dsa);
-+ if (r != 1)
-+ return 0;
-+ return 1;
-+ }
-+
-+/*
-+ * RSA: generate keys and sign, verify input plaintext.
-+ */
-+static int FIPS_rsa_test(int bad)
-+ {
-+ RSA *key;
-+ unsigned char input_ptext[] = "etaonrishdlc";
-+ unsigned char buf[256];
-+ unsigned int slen;
-+ BIGNUM *bn;
-+ EVP_MD_CTX mctx;
-+ EVP_PKEY pk;
-+ int r = 0;
-+
-+ ERR_clear_error();
-+ EVP_MD_CTX_init(&mctx);
-+ key = RSA_new();
-+ bn = BN_new();
-+ if (!key || !bn)
-+ return 0;
-+ BN_set_word(bn, 65537);
-+ if (!RSA_generate_key_ex(key, 1024,bn,NULL))
-+ return 0;
-+ BN_free(bn);
-+ if (bad)
-+ BN_add_word(key->n, 1);
-+
-+ pk.type = EVP_PKEY_RSA;
-+ pk.pkey.rsa = key;
-+
-+ if (!EVP_SignInit_ex(&mctx, EVP_sha1(), NULL))
-+ goto end;
-+ if (!EVP_SignUpdate(&mctx, input_ptext, sizeof(input_ptext) - 1))
-+ goto end;
-+ if (!EVP_SignFinal(&mctx, buf, &slen, &pk))
-+ goto end;
-+
-+ if (!EVP_VerifyInit_ex(&mctx, EVP_sha1(), NULL))
-+ goto end;
-+ if (!EVP_VerifyUpdate(&mctx, input_ptext, sizeof(input_ptext) - 1))
-+ goto end;
-+ r = EVP_VerifyFinal(&mctx, buf, slen, &pk);
-+ end:
-+ EVP_MD_CTX_cleanup(&mctx);
-+ if (key)
-+ RSA_free(key);
-+ if (r != 1)
-+ return 0;
-+ return 1;
-+ }
-+
-+/* SHA1: generate hash of known digest value and compare to known
-+ precomputed correct hash
-+*/
-+static int FIPS_sha1_test()
-+ {
-+ unsigned char digest[SHA_DIGEST_LENGTH] =
-+ { 0x11, 0xf1, 0x9a, 0x3a, 0xec, 0x1a, 0x1e, 0x8e, 0x65, 0xd4, 0x9a, 0x38, 0x0c, 0x8b, 0x1e, 0x2c, 0xe8, 0xb3, 0xc5, 0x18 };
-+ unsigned char str[] = "etaonrishd";
-+
-+ unsigned char md[SHA_DIGEST_LENGTH];
-+
-+ ERR_clear_error();
-+ if (!EVP_Digest(str,sizeof(str) - 1,md, NULL, EVP_sha1(), NULL)) return 0;
-+ if (memcmp(md,digest,sizeof(md)))
-+ return 0;
-+ return 1;
-+ }
-+
-+/* SHA256: generate hash of known digest value and compare to known
-+ precomputed correct hash
-+*/
-+static int FIPS_sha256_test()
-+ {
-+ unsigned char digest[SHA256_DIGEST_LENGTH] =
-+ {0xf5, 0x53, 0xcd, 0xb8, 0xcf, 0x1, 0xee, 0x17, 0x9b, 0x93, 0xc9, 0x68, 0xc0, 0xea, 0x40, 0x91,
-+ 0x6, 0xec, 0x8e, 0x11, 0x96, 0xc8, 0x5d, 0x1c, 0xaf, 0x64, 0x22, 0xe6, 0x50, 0x4f, 0x47, 0x57};
-+ unsigned char str[] = "etaonrishd";
-+
-+ unsigned char md[SHA256_DIGEST_LENGTH];
-+
-+ ERR_clear_error();
-+ if (!EVP_Digest(str,sizeof(str) - 1,md, NULL, EVP_sha256(), NULL)) return 0;
-+ if (memcmp(md,digest,sizeof(md)))
-+ return 0;
-+ return 1;
-+ }
-+
-+/* SHA512: generate hash of known digest value and compare to known
-+ precomputed correct hash
-+*/
-+static int FIPS_sha512_test()
-+ {
-+ unsigned char digest[SHA512_DIGEST_LENGTH] =
-+ {0x99, 0xc9, 0xe9, 0x5b, 0x88, 0xd4, 0x78, 0x88, 0xdf, 0x88, 0x5f, 0x94, 0x71, 0x64, 0x28, 0xca,
-+ 0x16, 0x1f, 0x3d, 0xf4, 0x1f, 0xf3, 0x0f, 0xc5, 0x03, 0x99, 0xb2, 0xd0, 0xe7, 0x0b, 0x94, 0x4a,
-+ 0x45, 0xd2, 0x6c, 0x4f, 0x20, 0x06, 0xef, 0x71, 0xa9, 0x25, 0x7f, 0x24, 0xb1, 0xd9, 0x40, 0x22,
-+ 0x49, 0x54, 0x10, 0xc2, 0x22, 0x9d, 0x27, 0xfe, 0xbd, 0xd6, 0xd6, 0xeb, 0x2d, 0x42, 0x1d, 0xa3};
-+ unsigned char str[] = "etaonrishd";
-+
-+ unsigned char md[SHA512_DIGEST_LENGTH];
-+
-+ ERR_clear_error();
-+ if (!EVP_Digest(str,sizeof(str) - 1,md, NULL, EVP_sha512(), NULL)) return 0;
-+ if (memcmp(md,digest,sizeof(md)))
-+ return 0;
-+ return 1;
-+ }
-+
-+/* HMAC-SHA1: generate hash of known digest value and compare to known
-+ precomputed correct hash
-+*/
-+static int FIPS_hmac_sha1_test()
-+ {
-+ unsigned char key[] = "etaonrishd";
-+ unsigned char iv[] = "Sample text";
-+ unsigned char kaval[EVP_MAX_MD_SIZE] =
-+ {0x73, 0xf7, 0xa0, 0x48, 0xf8, 0x94, 0xed, 0xdd, 0x0a, 0xea, 0xea, 0x56, 0x1b, 0x61, 0x2e, 0x70,
-+ 0xb2, 0xfb, 0xec, 0xc6};
-+
-+ unsigned char out[EVP_MAX_MD_SIZE];
-+ unsigned int outlen;
-+
-+ ERR_clear_error();
-+ if (!HMAC(EVP_sha1(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
-+ if (memcmp(out,kaval,outlen))
-+ return 0;
-+ return 1;
-+ }
-+
-+/* HMAC-SHA224: generate hash of known digest value and compare to known
-+ precomputed correct hash
-+*/
-+static int FIPS_hmac_sha224_test()
-+ {
-+ unsigned char key[] = "etaonrishd";
-+ unsigned char iv[] = "Sample text";
-+ unsigned char kaval[EVP_MAX_MD_SIZE] =
-+ {0x75, 0x58, 0xd5, 0xbd, 0x55, 0x6d, 0x87, 0x0f, 0x75, 0xff, 0xbe, 0x1c, 0xb2, 0xf0, 0x20, 0x35,
-+ 0xe5, 0x62, 0x49, 0xb6, 0x94, 0xb9, 0xfc, 0x65, 0x34, 0x33, 0x3a, 0x19};
-+
-+ unsigned char out[EVP_MAX_MD_SIZE];
-+ unsigned int outlen;
-+
-+ ERR_clear_error();
-+ if (!HMAC(EVP_sha224(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
-+ if (memcmp(out,kaval,outlen))
-+ return 0;
-+ return 1;
-+ }
-+
-+/* HMAC-SHA256: generate hash of known digest value and compare to known
-+ precomputed correct hash
-+*/
-+static int FIPS_hmac_sha256_test()
-+ {
-+ unsigned char key[] = "etaonrishd";
-+ unsigned char iv[] = "Sample text";
-+ unsigned char kaval[EVP_MAX_MD_SIZE] =
-+ {0xe9, 0x17, 0xc1, 0x7b, 0x4c, 0x6b, 0x77, 0xda, 0xd2, 0x30, 0x36, 0x02, 0xf5, 0x72, 0x33, 0x87,
-+ 0x9f, 0xc6, 0x6e, 0x7b, 0x7e, 0xa8, 0xea, 0xaa, 0x9f, 0xba, 0xee, 0x51, 0xff, 0xda, 0x24, 0xf4};
-+
-+ unsigned char out[EVP_MAX_MD_SIZE];
-+ unsigned int outlen;
-+
-+ ERR_clear_error();
-+ if (!HMAC(EVP_sha256(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
-+ if (memcmp(out,kaval,outlen))
-+ return 0;
-+ return 1;
-+ }
-+
-+/* HMAC-SHA384: generate hash of known digest value and compare to known
-+ precomputed correct hash
-+*/
-+static int FIPS_hmac_sha384_test()
-+ {
-+ unsigned char key[] = "etaonrishd";
-+ unsigned char iv[] = "Sample text";
-+ unsigned char kaval[EVP_MAX_MD_SIZE] =
-+ {0xb2, 0x9d, 0x40, 0x58, 0x32, 0xc4, 0xe3, 0x31, 0xb6, 0x63, 0x08, 0x26, 0x99, 0xef, 0x3b, 0x10,
-+ 0xe2, 0xdf, 0xf8, 0xff, 0xc6, 0xe1, 0x03, 0x29, 0x81, 0x2a, 0x1b, 0xac, 0xb0, 0x07, 0x39, 0x08,
-+ 0xf3, 0x91, 0x35, 0x11, 0x76, 0xd6, 0x4c, 0x20, 0xfb, 0x4d, 0xc3, 0xf3, 0xb8, 0x9b, 0x88, 0x1c};
-+
-+ unsigned char out[EVP_MAX_MD_SIZE];
-+ unsigned int outlen;
-+
-+ ERR_clear_error();
-+ if (!HMAC(EVP_sha384(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
-+ if (memcmp(out,kaval,outlen))
-+ return 0;
-+ return 1;
-+ }
-+
-+/* HMAC-SHA512: generate hash of known digest value and compare to known
-+ precomputed correct hash
-+*/
-+static int FIPS_hmac_sha512_test()
-+ {
-+ unsigned char key[] = "etaonrishd";
-+ unsigned char iv[] = "Sample text";
-+ unsigned char kaval[EVP_MAX_MD_SIZE] =
-+ {0xcd, 0x3e, 0xb9, 0x51, 0xb8, 0xbc, 0x7f, 0x9a, 0x23, 0xaf, 0xf3, 0x77, 0x59, 0x85, 0xa9, 0xe6,
-+ 0xf7, 0xd1, 0x51, 0x96, 0x17, 0xe0, 0x92, 0xd8, 0xa6, 0x3b, 0xc1, 0xad, 0x7e, 0x24, 0xca, 0xb1,
-+ 0xd7, 0x79, 0x0a, 0xa5, 0xea, 0x2c, 0x02, 0x58, 0x0b, 0xa6, 0x52, 0x6b, 0x61, 0x7f, 0xeb, 0x9c,
-+ 0x47, 0x86, 0x5d, 0x74, 0x2b, 0x88, 0xdf, 0xee, 0x46, 0x69, 0x96, 0x3d, 0xa6, 0xd9, 0x2a, 0x53};
-+
-+ unsigned char out[EVP_MAX_MD_SIZE];
-+ unsigned int outlen;
-+
-+ ERR_clear_error();
-+ if (!HMAC(EVP_sha512(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
-+ if (memcmp(out,kaval,outlen))
-+ return 0;
-+ return 1;
-+ }
-+
-+
-+/* DH: generate shared parameters
-+*/
-+static int dh_test()
-+ {
-+ DH *dh;
-+ ERR_clear_error();
-+ dh = FIPS_dh_new();
-+ if (!dh)
-+ return 0;
-+ if (!DH_generate_parameters_ex(dh, 1024, 2, NULL))
-+ return 0;
-+ FIPS_dh_free(dh);
-+ return 1;
-+ }
-+
-+/* Zeroize
-+*/
-+static int Zeroize()
-+ {
-+ RSA *key;
-+ BIGNUM *bn;
-+ unsigned char userkey[16] =
-+ { 0x48, 0x50, 0xf0, 0xa3, 0x3a, 0xed, 0xd3, 0xaf, 0x6e, 0x47, 0x7f, 0x83, 0x02, 0xb1, 0x09, 0x68 };
-+ int i, n;
-+
-+ key = FIPS_rsa_new();
-+ bn = BN_new();
-+ if (!key || !bn)
-+ return 0;
-+ BN_set_word(bn, 65537);
-+ if (!RSA_generate_key_ex(key, 1024,bn,NULL))
-+ return 0;
-+ BN_free(bn);
-+
-+ n = BN_num_bytes(key->d);
-+ printf(" Generated %d byte RSA private key\n", n);
-+ printf("\tBN key before overwriting:\n");
-+ do_bn_print(stdout, key->d);
-+ BN_rand(key->d,n*8,-1,0);
-+ printf("\tBN key after overwriting:\n");
-+ do_bn_print(stdout, key->d);
-+
-+ printf("\tchar buffer key before overwriting: \n\t\t");
-+ for(i = 0; i < sizeof(userkey); i++) printf("%02x", userkey[i]);
-+ printf("\n");
-+ RAND_bytes(userkey, sizeof userkey);
-+ printf("\tchar buffer key after overwriting: \n\t\t");
-+ for(i = 0; i < sizeof(userkey); i++) printf("%02x", userkey[i]);
-+ printf("\n");
-+
-+ return 1;
-+ }
-+
-+static int Error;
-+const char * Fail(const char *msg)
-+ {
-+ do_print_errors();
-+ Error++;
-+ return msg;
-+ }
-+
-+int main(int argc,char **argv)
-+ {
-+
-+ int do_corrupt_rsa_keygen = 0, do_corrupt_dsa_keygen = 0;
-+ int bad_rsa = 0, bad_dsa = 0;
-+ int do_rng_stick = 0;
-+ int no_exit = 0;
-+
-+ printf("\tFIPS-mode test application\n\n");
-+
-+ /* Load entropy from external file, if any */
-+ RAND_load_file(".rnd", 1024);
-+
-+ if (argv[1]) {
-+ /* Corrupted KAT tests */
-+ if (!strcmp(argv[1], "aes")) {
-+ FIPS_corrupt_aes();
-+ printf("AES encryption/decryption with corrupted KAT...\n");
-+ } else if (!strcmp(argv[1], "des")) {
-+ FIPS_corrupt_des();
-+ printf("DES3-ECB encryption/decryption with corrupted KAT...\n");
-+ } else if (!strcmp(argv[1], "dsa")) {
-+ FIPS_corrupt_dsa();
-+ printf("DSA key generation and signature validation with corrupted KAT...\n");
-+ } else if (!strcmp(argv[1], "rsa")) {
-+ FIPS_corrupt_rsa();
-+ printf("RSA key generation and signature validation with corrupted KAT...\n");
-+ } else if (!strcmp(argv[1], "rsakey")) {
-+ printf("RSA key generation and signature validation with corrupted key...\n");
-+ bad_rsa = 1;
-+ no_exit = 1;
-+ } else if (!strcmp(argv[1], "rsakeygen")) {
-+ do_corrupt_rsa_keygen = 1;
-+ no_exit = 1;
-+ printf("RSA key generation and signature validation with corrupted keygen...\n");
-+ } else if (!strcmp(argv[1], "dsakey")) {
-+ printf("DSA key generation and signature validation with corrupted key...\n");
-+ bad_dsa = 1;
-+ no_exit = 1;
-+ } else if (!strcmp(argv[1], "dsakeygen")) {
-+ do_corrupt_dsa_keygen = 1;
-+ no_exit = 1;
-+ printf("DSA key generation and signature validation with corrupted keygen...\n");
-+ } else if (!strcmp(argv[1], "sha1")) {
-+ FIPS_corrupt_sha1();
-+ printf("SHA-1 hash with corrupted KAT...\n");
-+ } else if (!strcmp(argv[1], "rng")) {
-+ FIPS_corrupt_rng();
-+ } else if (!strcmp(argv[1], "rngstick")) {
-+ do_rng_stick = 1;
-+ no_exit = 1;
-+ printf("RNG test with stuck continuous test...\n");
-+ } else {
-+ printf("Bad argument \"%s\"\n", argv[1]);
-+ exit(1);
-+ }
-+ if (!no_exit) {
-+ if (!FIPS_mode_set(1)) {
-+ do_print_errors();
-+ printf("Power-up self test failed\n");
-+ exit(1);
-+ }
-+ printf("Power-up self test successful\n");
-+ exit(0);
-+ }
-+ }
-+
-+ /* Non-Approved cryptographic operation
-+ */
-+ printf("1. Non-Approved cryptographic operation test...\n");
-+ printf("\ta. Included algorithm (D-H)...");
-+ printf( dh_test() ? "successful\n" : Fail("FAILED!\n") );
-+
-+ /* Power-up self test
-+ */
-+ ERR_clear_error();
-+ printf("2. Automatic power-up self test...");
-+ if (!FIPS_mode_set(1))
-+ {
-+ do_print_errors();
-+ printf(Fail("FAILED!\n"));
-+ exit(1);
-+ }
-+ printf("successful\n");
-+ if (do_corrupt_dsa_keygen)
-+ FIPS_corrupt_dsa_keygen();
-+ if (do_corrupt_rsa_keygen)
-+ FIPS_corrupt_rsa_keygen();
-+ if (do_rng_stick)
-+ FIPS_rng_stick();
-+
-+ /* AES encryption/decryption
-+ */
-+ printf("3. AES encryption/decryption...");
-+ printf( FIPS_aes_test() ? "successful\n" : Fail("FAILED!\n") );
-+
-+ /* RSA key generation and encryption/decryption
-+ */
-+ printf("4. RSA key generation and encryption/decryption...");
-+ printf( FIPS_rsa_test(bad_rsa) ? "successful\n" : Fail("FAILED!\n") );
-+
-+ /* DES-CBC encryption/decryption
-+ */
-+ printf("5. DES-ECB encryption/decryption...");
-+ printf( FIPS_des3_test() ? "successful\n" : Fail("FAILED!\n") );
-+
-+ /* DSA key generation and signature validation
-+ */
-+ printf("6. DSA key generation and signature validation...");
-+ printf( FIPS_dsa_test(bad_dsa) ? "successful\n" : Fail("FAILED!\n") );
-+
-+ /* SHA-1 hash
-+ */
-+ printf("7a. SHA-1 hash...");
-+ printf( FIPS_sha1_test() ? "successful\n" : Fail("FAILED!\n") );
-+
-+ /* SHA-256 hash
-+ */
-+ printf("7b. SHA-256 hash...");
-+ printf( FIPS_sha256_test() ? "successful\n" : Fail("FAILED!\n") );
-+
-+ /* SHA-512 hash
-+ */
-+ printf("7c. SHA-512 hash...");
-+ printf( FIPS_sha512_test() ? "successful\n" : Fail("FAILED!\n") );
-+
-+ /* HMAC-SHA-1 hash
-+ */
-+ printf("7d. HMAC-SHA-1 hash...");
-+ printf( FIPS_hmac_sha1_test() ? "successful\n" : Fail("FAILED!\n") );
-+
-+ /* HMAC-SHA-224 hash
-+ */
-+ printf("7e. HMAC-SHA-224 hash...");
-+ printf( FIPS_hmac_sha224_test() ? "successful\n" : Fail("FAILED!\n") );
-+
-+ /* HMAC-SHA-256 hash
-+ */
-+ printf("7f. HMAC-SHA-256 hash...");
-+ printf( FIPS_hmac_sha256_test() ? "successful\n" : Fail("FAILED!\n") );
-+
-+ /* HMAC-SHA-384 hash
-+ */
-+ printf("7g. HMAC-SHA-384 hash...");
-+ printf( FIPS_hmac_sha384_test() ? "successful\n" : Fail("FAILED!\n") );
-+
-+ /* HMAC-SHA-512 hash
-+ */
-+ printf("7h. HMAC-SHA-512 hash...");
-+ printf( FIPS_hmac_sha512_test() ? "successful\n" : Fail("FAILED!\n") );
-+
-+ /* Non-Approved cryptographic operation
-+ */
-+ printf("8. Non-Approved cryptographic operation test...\n");
-+ printf("\ta. Included algorithm (D-H)...");
-+ printf( dh_test() ? "successful as expected\n"
-+ : Fail("failed INCORRECTLY!\n") );
-+
-+ /* Zeroization
-+ */
-+ printf("9. Zero-ization...\n");
-+ printf( Zeroize() ? "\tsuccessful as expected\n"
-+ : Fail("\tfailed INCORRECTLY!\n") );
-+
-+ printf("\nAll tests completed with %d errors\n", Error);
-+ return Error ? 1 : 0;
-+ }
-+
-+#endif
-diff -up openssl-1.0.1e/crypto/fips/Makefile.fips openssl-1.0.1e/crypto/fips/Makefile
---- openssl-1.0.1e/crypto/fips/Makefile.fips 2013-10-04 11:48:04.189694339 +0200
-+++ openssl-1.0.1e/crypto/fips/Makefile 2013-10-04 11:48:04.189694339 +0200
-@@ -0,0 +1,341 @@
-+#
-+# OpenSSL/crypto/fips/Makefile
-+#
-+
-+DIR= fips
-+TOP= ../..
-+CC= cc
-+INCLUDES=
-+CFLAG=-g
-+MAKEFILE= Makefile
-+AR= ar r
-+
-+CFLAGS= $(INCLUDES) $(CFLAG)
-+
-+GENERAL=Makefile
-+TEST=fips_test_suite.c fips_randtest.c
-+APPS=
-+
-+PROGRAM= fips_standalone_hmac
-+EXE= $(PROGRAM)$(EXE_EXT)
-+
-+LIB=$(TOP)/libcrypto.a
-+LIBSRC=fips_aes_selftest.c fips_des_selftest.c fips_hmac_selftest.c fips_rand_selftest.c \
-+ fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c fips_rand.c \
-+ fips_rsa_x931g.c fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \
-+ fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \
-+ fips_cmac_selftest.c fips_enc.c fips_md.c
-+
-+LIBOBJ=fips_aes_selftest.o fips_des_selftest.o fips_hmac_selftest.o fips_rand_selftest.o \
-+ fips_rsa_selftest.o fips_sha_selftest.o fips.o fips_dsa_selftest.o fips_rand.o \
-+ fips_rsa_x931g.o fips_post.o fips_drbg_ctr.o fips_drbg_hash.o fips_drbg_hmac.o \
-+ fips_drbg_lib.o fips_drbg_rand.o fips_drbg_selftest.o fips_rand_lib.o \
-+ fips_cmac_selftest.o fips_enc.o fips_md.o
-+
-+LIBCRYPTO=-L.. -lcrypto
-+
-+SRC= $(LIBSRC) fips_standalone_hmac.c
-+
-+EXHEADER= fips.h fips_rand.h
-+HEADER= $(EXHEADER)
-+
-+ALL= $(GENERAL) $(SRC) $(HEADER)
-+
-+top:
-+ (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
-+
-+all: lib exe
-+
-+lib: $(LIBOBJ)
-+ $(AR) $(LIB) $(LIBOBJ)
-+ $(RANLIB) $(LIB) || echo Never mind.
-+ @touch lib
-+
-+exe: $(EXE)
-+
-+files:
-+ $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
-+
-+links:
-+ @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
-+ @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
-+ @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
-+
-+install:
-+ @[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
-+ @headerlist="$(EXHEADER)"; for i in $$headerlist ; \
-+ do \
-+ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
-+ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
-+ done;
-+
-+tags:
-+ ctags $(SRC)
-+
-+tests:
-+
-+lint:
-+ lint -DLINT $(INCLUDES) $(SRC)>fluff
-+
-+depend:
-+ @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
-+ $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
-+
-+dclean:
-+ $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
-+ mv -f Makefile.new $(MAKEFILE)
-+
-+clean:
-+ rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
-+
-+$(EXE): $(PROGRAM).o
-+ FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha256.o; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../sha/$$i" ; done; \
-+ for i in $(CPUID_OBJ); do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../$$i" ; done; \
-+ $(CC) -o $@ $(CFLAGS) $(PROGRAM).o $$FIPS_SHA_ASM
-+
-+# DO NOT DELETE THIS LINE -- make depend depends on it.
-+
-+fips.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-+fips.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
-+fips.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-+fips.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
-+fips.o: ../../include/openssl/fips_rand.h ../../include/openssl/hmac.h
-+fips.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-+fips.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-+fips.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-+fips.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
-+fips.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-+fips.o: ../../include/openssl/symhacks.h fips.c fips_locl.h
-+fips_aes_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+fips_aes_selftest.o: ../../include/openssl/crypto.h
-+fips_aes_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-+fips_aes_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
-+fips_aes_selftest.o: ../../include/openssl/lhash.h
-+fips_aes_selftest.o: ../../include/openssl/obj_mac.h
-+fips_aes_selftest.o: ../../include/openssl/objects.h
-+fips_aes_selftest.o: ../../include/openssl/opensslconf.h
-+fips_aes_selftest.o: ../../include/openssl/opensslv.h
-+fips_aes_selftest.o: ../../include/openssl/ossl_typ.h
-+fips_aes_selftest.o: ../../include/openssl/safestack.h
-+fips_aes_selftest.o: ../../include/openssl/stack.h
-+fips_aes_selftest.o: ../../include/openssl/symhacks.h fips_aes_selftest.c
-+fips_des_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+fips_des_selftest.o: ../../include/openssl/crypto.h
-+fips_des_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-+fips_des_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
-+fips_des_selftest.o: ../../include/openssl/lhash.h
-+fips_des_selftest.o: ../../include/openssl/obj_mac.h
-+fips_des_selftest.o: ../../include/openssl/objects.h
-+fips_des_selftest.o: ../../include/openssl/opensslconf.h
-+fips_des_selftest.o: ../../include/openssl/opensslv.h
-+fips_des_selftest.o: ../../include/openssl/ossl_typ.h
-+fips_des_selftest.o: ../../include/openssl/safestack.h
-+fips_des_selftest.o: ../../include/openssl/stack.h
-+fips_des_selftest.o: ../../include/openssl/symhacks.h fips_des_selftest.c
-+fips_drbg_ctr.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-+fips_drbg_ctr.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
-+fips_drbg_ctr.o: ../../include/openssl/e_os2.h ../../include/openssl/evp.h
-+fips_drbg_ctr.o: ../../include/openssl/fips.h ../../include/openssl/fips_rand.h
-+fips_drbg_ctr.o: ../../include/openssl/hmac.h ../../include/openssl/obj_mac.h
-+fips_drbg_ctr.o: ../../include/openssl/objects.h
-+fips_drbg_ctr.o: ../../include/openssl/opensslconf.h
-+fips_drbg_ctr.o: ../../include/openssl/opensslv.h
-+fips_drbg_ctr.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-+fips_drbg_ctr.o: ../../include/openssl/safestack.h
-+fips_drbg_ctr.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-+fips_drbg_ctr.o: fips_drbg_ctr.c fips_rand_lcl.h
-+fips_drbg_hash.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-+fips_drbg_hash.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
-+fips_drbg_hash.o: ../../include/openssl/e_os2.h ../../include/openssl/evp.h
-+fips_drbg_hash.o: ../../include/openssl/fips.h
-+fips_drbg_hash.o: ../../include/openssl/fips_rand.h
-+fips_drbg_hash.o: ../../include/openssl/hmac.h ../../include/openssl/obj_mac.h
-+fips_drbg_hash.o: ../../include/openssl/objects.h
-+fips_drbg_hash.o: ../../include/openssl/opensslconf.h
-+fips_drbg_hash.o: ../../include/openssl/opensslv.h
-+fips_drbg_hash.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-+fips_drbg_hash.o: ../../include/openssl/safestack.h
-+fips_drbg_hash.o: ../../include/openssl/stack.h
-+fips_drbg_hash.o: ../../include/openssl/symhacks.h fips_drbg_hash.c
-+fips_drbg_hash.o: fips_rand_lcl.h
-+fips_drbg_hmac.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-+fips_drbg_hmac.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
-+fips_drbg_hmac.o: ../../include/openssl/e_os2.h ../../include/openssl/evp.h
-+fips_drbg_hmac.o: ../../include/openssl/fips.h
-+fips_drbg_hmac.o: ../../include/openssl/fips_rand.h
-+fips_drbg_hmac.o: ../../include/openssl/hmac.h ../../include/openssl/obj_mac.h
-+fips_drbg_hmac.o: ../../include/openssl/objects.h
-+fips_drbg_hmac.o: ../../include/openssl/opensslconf.h
-+fips_drbg_hmac.o: ../../include/openssl/opensslv.h
-+fips_drbg_hmac.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-+fips_drbg_hmac.o: ../../include/openssl/safestack.h
-+fips_drbg_hmac.o: ../../include/openssl/stack.h
-+fips_drbg_hmac.o: ../../include/openssl/symhacks.h fips_drbg_hmac.c
-+fips_drbg_hmac.o: fips_rand_lcl.h
-+fips_drbg_lib.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-+fips_drbg_lib.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
-+fips_drbg_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-+fips_drbg_lib.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
-+fips_drbg_lib.o: ../../include/openssl/fips_rand.h ../../include/openssl/hmac.h
-+fips_drbg_lib.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-+fips_drbg_lib.o: ../../include/openssl/objects.h
-+fips_drbg_lib.o: ../../include/openssl/opensslconf.h
-+fips_drbg_lib.o: ../../include/openssl/opensslv.h
-+fips_drbg_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-+fips_drbg_lib.o: ../../include/openssl/safestack.h
-+fips_drbg_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-+fips_drbg_lib.o: fips_drbg_lib.c fips_locl.h fips_rand_lcl.h
-+fips_drbg_rand.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-+fips_drbg_rand.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
-+fips_drbg_rand.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-+fips_drbg_rand.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
-+fips_drbg_rand.o: ../../include/openssl/fips_rand.h
-+fips_drbg_rand.o: ../../include/openssl/hmac.h ../../include/openssl/lhash.h
-+fips_drbg_rand.o: ../../include/openssl/obj_mac.h
-+fips_drbg_rand.o: ../../include/openssl/objects.h
-+fips_drbg_rand.o: ../../include/openssl/opensslconf.h
-+fips_drbg_rand.o: ../../include/openssl/opensslv.h
-+fips_drbg_rand.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-+fips_drbg_rand.o: ../../include/openssl/safestack.h
-+fips_drbg_rand.o: ../../include/openssl/stack.h
-+fips_drbg_rand.o: ../../include/openssl/symhacks.h fips_drbg_rand.c
-+fips_drbg_rand.o: fips_rand_lcl.h
-+fips_drbg_selftest.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-+fips_drbg_selftest.o: ../../include/openssl/bio.h
-+fips_drbg_selftest.o: ../../include/openssl/crypto.h
-+fips_drbg_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-+fips_drbg_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
-+fips_drbg_selftest.o: ../../include/openssl/fips_rand.h
-+fips_drbg_selftest.o: ../../include/openssl/hmac.h
-+fips_drbg_selftest.o: ../../include/openssl/lhash.h
-+fips_drbg_selftest.o: ../../include/openssl/obj_mac.h
-+fips_drbg_selftest.o: ../../include/openssl/objects.h
-+fips_drbg_selftest.o: ../../include/openssl/opensslconf.h
-+fips_drbg_selftest.o: ../../include/openssl/opensslv.h
-+fips_drbg_selftest.o: ../../include/openssl/ossl_typ.h
-+fips_drbg_selftest.o: ../../include/openssl/rand.h
-+fips_drbg_selftest.o: ../../include/openssl/safestack.h
-+fips_drbg_selftest.o: ../../include/openssl/stack.h
-+fips_drbg_selftest.o: ../../include/openssl/symhacks.h fips_drbg_selftest.c
-+fips_drbg_selftest.o: fips_drbg_selftest.h fips_locl.h fips_rand_lcl.h
-+fips_dsa_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+fips_dsa_selftest.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
-+fips_dsa_selftest.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-+fips_dsa_selftest.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-+fips_dsa_selftest.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
-+fips_dsa_selftest.o: ../../include/openssl/obj_mac.h
-+fips_dsa_selftest.o: ../../include/openssl/objects.h
-+fips_dsa_selftest.o: ../../include/openssl/opensslconf.h
-+fips_dsa_selftest.o: ../../include/openssl/opensslv.h
-+fips_dsa_selftest.o: ../../include/openssl/ossl_typ.h
-+fips_dsa_selftest.o: ../../include/openssl/safestack.h
-+fips_dsa_selftest.o: ../../include/openssl/stack.h
-+fips_dsa_selftest.o: ../../include/openssl/symhacks.h fips_dsa_selftest.c
-+fips_dsa_selftest.o: fips_locl.h
-+fips_hmac_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+fips_hmac_selftest.o: ../../include/openssl/crypto.h
-+fips_hmac_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-+fips_hmac_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
-+fips_hmac_selftest.o: ../../include/openssl/hmac.h
-+fips_hmac_selftest.o: ../../include/openssl/lhash.h
-+fips_hmac_selftest.o: ../../include/openssl/obj_mac.h
-+fips_hmac_selftest.o: ../../include/openssl/objects.h
-+fips_hmac_selftest.o: ../../include/openssl/opensslconf.h
-+fips_hmac_selftest.o: ../../include/openssl/opensslv.h
-+fips_hmac_selftest.o: ../../include/openssl/ossl_typ.h
-+fips_hmac_selftest.o: ../../include/openssl/safestack.h
-+fips_hmac_selftest.o: ../../include/openssl/stack.h
-+fips_hmac_selftest.o: ../../include/openssl/symhacks.h fips_hmac_selftest.c
-+fips_post.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-+fips_post.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
-+fips_post.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-+fips_post.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-+fips_post.o: ../../include/openssl/fips.h ../../include/openssl/fips_rand.h
-+fips_post.o: ../../include/openssl/hmac.h ../../include/openssl/lhash.h
-+fips_post.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-+fips_post.o: ../../include/openssl/opensslconf.h
-+fips_post.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-+fips_post.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
-+fips_post.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-+fips_post.o: ../../include/openssl/symhacks.h fips_locl.h fips_post.c
-+fips_rand.o: ../../e_os.h ../../include/openssl/aes.h
-+fips_rand.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+fips_rand.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-+fips_rand.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-+fips_rand.o: ../../include/openssl/fips.h ../../include/openssl/fips_rand.h
-+fips_rand.o: ../../include/openssl/hmac.h ../../include/openssl/lhash.h
-+fips_rand.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-+fips_rand.o: ../../include/openssl/opensslconf.h
-+fips_rand.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-+fips_rand.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
-+fips_rand.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-+fips_rand.o: fips_locl.h fips_rand.c
-+fips_rand_lib.o: ../../e_os.h ../../include/openssl/aes.h
-+fips_rand_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+fips_rand_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-+fips_rand_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-+fips_rand_lib.o: ../../include/openssl/fips.h ../../include/openssl/fips_rand.h
-+fips_rand_lib.o: ../../include/openssl/hmac.h ../../include/openssl/lhash.h
-+fips_rand_lib.o: ../../include/openssl/obj_mac.h
-+fips_rand_lib.o: ../../include/openssl/objects.h
-+fips_rand_lib.o: ../../include/openssl/opensslconf.h
-+fips_rand_lib.o: ../../include/openssl/opensslv.h
-+fips_rand_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-+fips_rand_lib.o: ../../include/openssl/safestack.h
-+fips_rand_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-+fips_rand_lib.o: fips_rand_lib.c
-+fips_rand_selftest.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-+fips_rand_selftest.o: ../../include/openssl/bio.h
-+fips_rand_selftest.o: ../../include/openssl/crypto.h
-+fips_rand_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-+fips_rand_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
-+fips_rand_selftest.o: ../../include/openssl/fips_rand.h
-+fips_rand_selftest.o: ../../include/openssl/hmac.h
-+fips_rand_selftest.o: ../../include/openssl/lhash.h
-+fips_rand_selftest.o: ../../include/openssl/obj_mac.h
-+fips_rand_selftest.o: ../../include/openssl/objects.h
-+fips_rand_selftest.o: ../../include/openssl/opensslconf.h
-+fips_rand_selftest.o: ../../include/openssl/opensslv.h
-+fips_rand_selftest.o: ../../include/openssl/ossl_typ.h
-+fips_rand_selftest.o: ../../include/openssl/rand.h
-+fips_rand_selftest.o: ../../include/openssl/safestack.h
-+fips_rand_selftest.o: ../../include/openssl/stack.h
-+fips_rand_selftest.o: ../../include/openssl/symhacks.h fips_locl.h
-+fips_rand_selftest.o: fips_rand_selftest.c
-+fips_rsa_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+fips_rsa_selftest.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
-+fips_rsa_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-+fips_rsa_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
-+fips_rsa_selftest.o: ../../include/openssl/lhash.h
-+fips_rsa_selftest.o: ../../include/openssl/obj_mac.h
-+fips_rsa_selftest.o: ../../include/openssl/objects.h
-+fips_rsa_selftest.o: ../../include/openssl/opensslconf.h
-+fips_rsa_selftest.o: ../../include/openssl/opensslv.h
-+fips_rsa_selftest.o: ../../include/openssl/ossl_typ.h
-+fips_rsa_selftest.o: ../../include/openssl/rsa.h
-+fips_rsa_selftest.o: ../../include/openssl/safestack.h
-+fips_rsa_selftest.o: ../../include/openssl/stack.h
-+fips_rsa_selftest.o: ../../include/openssl/symhacks.h fips_rsa_selftest.c
-+fips_rsa_x931g.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+fips_rsa_x931g.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
-+fips_rsa_x931g.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-+fips_rsa_x931g.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
-+fips_rsa_x931g.o: ../../include/openssl/opensslconf.h
-+fips_rsa_x931g.o: ../../include/openssl/opensslv.h
-+fips_rsa_x931g.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rsa.h
-+fips_rsa_x931g.o: ../../include/openssl/safestack.h
-+fips_rsa_x931g.o: ../../include/openssl/stack.h
-+fips_rsa_x931g.o: ../../include/openssl/symhacks.h fips_rsa_x931g.c
-+fips_sha_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+fips_sha_selftest.o: ../../include/openssl/crypto.h
-+fips_sha_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-+fips_sha_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
-+fips_sha_selftest.o: ../../include/openssl/lhash.h
-+fips_sha_selftest.o: ../../include/openssl/obj_mac.h
-+fips_sha_selftest.o: ../../include/openssl/objects.h
-+fips_sha_selftest.o: ../../include/openssl/opensslconf.h
-+fips_sha_selftest.o: ../../include/openssl/opensslv.h
-+fips_sha_selftest.o: ../../include/openssl/ossl_typ.h
-+fips_sha_selftest.o: ../../include/openssl/safestack.h
-+fips_sha_selftest.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-+fips_sha_selftest.o: ../../include/openssl/symhacks.h fips_sha_selftest.c
-diff -up openssl-1.0.1e/crypto/hmac/hmac.c.fips openssl-1.0.1e/crypto/hmac/hmac.c
---- openssl-1.0.1e/crypto/hmac/hmac.c.fips 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/hmac/hmac.c 2013-10-04 11:48:04.189694339 +0200
-@@ -81,11 +81,6 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo
- EVPerr(EVP_F_HMAC_INIT_EX, EVP_R_DISABLED_FOR_FIPS);
- return 0;
- }
-- /* Other algorithm blocking will be done in FIPS_cmac_init,
-- * via FIPS_hmac_init_ex().
-- */
-- if (!impl && !ctx->i_ctx.engine)
-- return FIPS_hmac_init_ex(ctx, key, len, md, NULL);
- }
- #endif
-
-@@ -99,6 +94,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo
-
- if (key != NULL)
- {
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode() && !(md->flags & EVP_MD_FLAG_FIPS)
-+ && (!(ctx->md_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
-+ || !(ctx->i_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
-+ || !(ctx->o_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)))
-+ goto err;
-+#endif
- reset=1;
- j=EVP_MD_block_size(md);
- OPENSSL_assert(j <= (int)sizeof(ctx->key));
-@@ -155,10 +157,6 @@ int HMAC_Init(HMAC_CTX *ctx, const void
-
- int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, size_t len)
- {
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode() && !ctx->i_ctx.engine)
-- return FIPS_hmac_update(ctx, data, len);
--#endif
- return EVP_DigestUpdate(&ctx->md_ctx,data,len);
- }
-
-@@ -166,10 +164,6 @@ int HMAC_Final(HMAC_CTX *ctx, unsigned c
- {
- unsigned int i;
- unsigned char buf[EVP_MAX_MD_SIZE];
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode() && !ctx->i_ctx.engine)
-- return FIPS_hmac_final(ctx, md, len);
--#endif
-
- if (!EVP_DigestFinal_ex(&ctx->md_ctx,buf,&i))
- goto err;
-@@ -209,13 +203,6 @@ int HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_C
-
- void HMAC_CTX_cleanup(HMAC_CTX *ctx)
- {
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode() && !ctx->i_ctx.engine)
-- {
-- FIPS_hmac_ctx_cleanup(ctx);
-- return;
-- }
--#endif
- EVP_MD_CTX_cleanup(&ctx->i_ctx);
- EVP_MD_CTX_cleanup(&ctx->o_ctx);
- EVP_MD_CTX_cleanup(&ctx->md_ctx);
-diff -up openssl-1.0.1e/crypto/mdc2/mdc2dgst.c.fips openssl-1.0.1e/crypto/mdc2/mdc2dgst.c
---- openssl-1.0.1e/crypto/mdc2/mdc2dgst.c.fips 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/mdc2/mdc2dgst.c 2013-10-04 11:48:04.189694339 +0200
-@@ -76,7 +76,7 @@
- *((c)++)=(unsigned char)(((l)>>24L)&0xff))
-
- static void mdc2_body(MDC2_CTX *c, const unsigned char *in, size_t len);
--fips_md_init(MDC2)
-+nonfips_md_init(MDC2)
- {
- c->num=0;
- c->pad_type=1;
-diff -up openssl-1.0.1e/crypto/md2/md2_dgst.c.fips openssl-1.0.1e/crypto/md2/md2_dgst.c
---- openssl-1.0.1e/crypto/md2/md2_dgst.c.fips 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/md2/md2_dgst.c 2013-10-04 11:48:04.189694339 +0200
-@@ -62,6 +62,11 @@
- #include <openssl/md2.h>
- #include <openssl/opensslv.h>
- #include <openssl/crypto.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-+
-+#include <openssl/err.h>
-
- const char MD2_version[]="MD2" OPENSSL_VERSION_PTEXT;
-
-@@ -116,7 +121,7 @@ const char *MD2_options(void)
- return("md2(int)");
- }
-
--fips_md_init(MD2)
-+nonfips_md_init(MD2)
- {
- c->num=0;
- memset(c->state,0,sizeof c->state);
-diff -up openssl-1.0.1e/crypto/md4/md4_dgst.c.fips openssl-1.0.1e/crypto/md4/md4_dgst.c
---- openssl-1.0.1e/crypto/md4/md4_dgst.c.fips 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/md4/md4_dgst.c 2013-10-04 11:48:04.190694362 +0200
-@@ -71,7 +71,7 @@ const char MD4_version[]="MD4" OPENSSL_V
- #define INIT_DATA_C (unsigned long)0x98badcfeL
- #define INIT_DATA_D (unsigned long)0x10325476L
-
--fips_md_init(MD4)
-+nonfips_md_init(MD4)
- {
- memset (c,0,sizeof(*c));
- c->A=INIT_DATA_A;
-diff -up openssl-1.0.1e/crypto/md5/md5_dgst.c.fips openssl-1.0.1e/crypto/md5/md5_dgst.c
---- openssl-1.0.1e/crypto/md5/md5_dgst.c.fips 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/md5/md5_dgst.c 2013-10-04 11:48:04.190694362 +0200
-@@ -71,7 +71,7 @@ const char MD5_version[]="MD5" OPENSSL_V
- #define INIT_DATA_C (unsigned long)0x98badcfeL
- #define INIT_DATA_D (unsigned long)0x10325476L
-
--fips_md_init(MD5)
-+nonfips_md_init(MD5)
- {
- memset (c,0,sizeof(*c));
- c->A=INIT_DATA_A;
-diff -up openssl-1.0.1e/crypto/o_fips.c.fips openssl-1.0.1e/crypto/o_fips.c
---- openssl-1.0.1e/crypto/o_fips.c.fips 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/o_fips.c 2013-10-04 11:48:04.190694362 +0200
-@@ -79,6 +79,8 @@ int FIPS_mode_set(int r)
- #ifndef FIPS_AUTH_USER_PASS
- #define FIPS_AUTH_USER_PASS "Default FIPS Crypto User Password"
- #endif
-+ if (r && FIPS_module_mode()) /* can be implicitly initialized by OPENSSL_init() */
-+ return 1;
- if (!FIPS_module_mode_set(r, FIPS_AUTH_USER_PASS))
- return 0;
- if (r)
-diff -up openssl-1.0.1e/crypto/o_init.c.fips openssl-1.0.1e/crypto/o_init.c
---- openssl-1.0.1e/crypto/o_init.c.fips 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/o_init.c 2013-10-04 11:48:04.190694362 +0200
-@@ -55,28 +55,68 @@
- #include <e_os.h>
- #include <openssl/err.h>
- #ifdef OPENSSL_FIPS
-+#include <sys/types.h>
-+#include <sys/stat.h>
-+#include <fcntl.h>
-+#include <unistd.h>
-+#include <errno.h>
-+#include <stdlib.h>
- #include <openssl/fips.h>
- #include <openssl/rand.h>
-+
-+#define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
-+
-+static void init_fips_mode(void)
-+ {
-+ char buf[2] = "0";
-+ int fd;
-+
-+ if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
-+ {
-+ buf[0] = '1';
-+ }
-+ else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0)
-+ {
-+ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR);
-+ close(fd);
-+ }
-+ /* Failure reading the fips mode switch file means just not
-+ * switching into FIPS mode. We would break too many things
-+ * otherwise.
-+ */
-+
-+ if (buf[0] == '1')
-+ {
-+ FIPS_mode_set(1);
-+ }
-+ }
- #endif
-
- /* Perform any essential OpenSSL initialization operations.
- * Currently only sets FIPS callbacks
- */
-
--void OPENSSL_init(void)
-+void OPENSSL_init_library(void)
- {
- static int done = 0;
- if (done)
- return;
- done = 1;
- #ifdef OPENSSL_FIPS
-- FIPS_set_locking_callbacks(CRYPTO_lock, CRYPTO_add_lock);
-- FIPS_set_error_callbacks(ERR_put_error, ERR_add_error_vdata);
-- FIPS_set_malloc_callbacks(CRYPTO_malloc, CRYPTO_free);
- RAND_init_fips();
-+ init_fips_mode();
-+ if (!FIPS_mode())
-+ {
-+ /* Clean up prematurely set default rand method */
-+ RAND_set_rand_method(NULL);
-+ }
- #endif
- #if 0
- fprintf(stderr, "Called OPENSSL_init\n");
- #endif
- }
-
-+void OPENSSL_init(void)
-+ {
-+ OPENSSL_init_library();
-+ }
-diff -up openssl-1.0.1e/crypto/opensslconf.h.in.fips openssl-1.0.1e/crypto/opensslconf.h.in
---- openssl-1.0.1e/crypto/opensslconf.h.in.fips 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/opensslconf.h.in 2013-10-04 11:48:04.190694362 +0200
-@@ -1,5 +1,20 @@
- /* crypto/opensslconf.h.in */
-
-+#ifdef OPENSSL_DOING_MAKEDEPEND
-+
-+/* Include any symbols here that have to be explicitly set to enable a feature
-+ * that should be visible to makedepend.
-+ *
-+ * [Our "make depend" doesn't actually look at this, we use actual build settings
-+ * instead; we want to make it easy to remove subdirectories with disabled algorithms.]
-+ */
-+
-+#ifndef OPENSSL_FIPS
-+#define OPENSSL_FIPS
-+#endif
-+
-+#endif
-+
- /* Generate 80386 code? */
- #undef I386_ONLY
-
-diff -up openssl-1.0.1e/crypto/pkcs12/p12_crt.c.fips openssl-1.0.1e/crypto/pkcs12/p12_crt.c
---- openssl-1.0.1e/crypto/pkcs12/p12_crt.c.fips 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/pkcs12/p12_crt.c 2013-10-04 11:48:04.190694362 +0200
-@@ -59,6 +59,10 @@
- #include <stdio.h>
- #include "cryptlib.h"
- #include <openssl/pkcs12.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-+
-
-
- static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG) **pbags, PKCS12_SAFEBAG *bag);
-@@ -90,7 +94,14 @@ PKCS12 *PKCS12_create(char *pass, char *
-
- /* Set defaults */
- if (!nid_cert)
-+ {
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode())
-+ nid_cert = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
-+ else
-+#endif
- nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC;
-+ }
- if (!nid_key)
- nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
- if (!iter)
-diff -up openssl-1.0.1e/crypto/rand/md_rand.c.fips openssl-1.0.1e/crypto/rand/md_rand.c
---- openssl-1.0.1e/crypto/rand/md_rand.c.fips 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/rand/md_rand.c 2013-10-04 11:48:04.190694362 +0200
-@@ -389,7 +389,10 @@ static int ssleay_rand_bytes(unsigned ch
- CRYPTO_w_unlock(CRYPTO_LOCK_RAND2);
- crypto_lock_rand = 1;
-
-- if (!initialized)
-+ /* always poll for external entropy in FIPS mode, drbg provides the
-+ * expansion
-+ */
-+ if (!initialized || FIPS_module_mode())
- {
- RAND_poll();
- initialized = 1;
-diff -up openssl-1.0.1e/crypto/rand/rand.h.fips openssl-1.0.1e/crypto/rand/rand.h
---- openssl-1.0.1e/crypto/rand/rand.h.fips 2013-10-04 11:48:03.945688829 +0200
-+++ openssl-1.0.1e/crypto/rand/rand.h 2013-10-04 11:48:04.190694362 +0200
-@@ -133,15 +133,33 @@ void ERR_load_RAND_strings(void);
- /* Error codes for the RAND functions. */
-
- /* Function codes. */
-+#define RAND_F_ENG_RAND_GET_RAND_METHOD 108
-+#define RAND_F_FIPS_RAND 103
-+#define RAND_F_FIPS_RAND_BYTES 102
-+#define RAND_F_FIPS_RAND_SET_DT 106
-+#define RAND_F_FIPS_X931_SET_DT 106
-+#define RAND_F_FIPS_SET_DT 104
-+#define RAND_F_FIPS_SET_PRNG_SEED 107
-+#define RAND_F_FIPS_SET_TEST_MODE 105
- #define RAND_F_RAND_GET_RAND_METHOD 101
--#define RAND_F_RAND_INIT_FIPS 102
-+#define RAND_F_RAND_INIT_FIPS 109
- #define RAND_F_SSLEAY_RAND_BYTES 100
-
- /* Reason codes. */
--#define RAND_R_ERROR_INITIALISING_DRBG 102
--#define RAND_R_ERROR_INSTANTIATING_DRBG 103
--#define RAND_R_NO_FIPS_RANDOM_METHOD_SET 101
-+#define RAND_R_ERROR_INITIALISING_DRBG 112
-+#define RAND_R_ERROR_INSTANTIATING_DRBG 113
-+#define RAND_R_NON_FIPS_METHOD 105
-+#define RAND_R_NOT_IN_TEST_MODE 106
-+#define RAND_R_NO_FIPS_RANDOM_METHOD_SET 111
-+#define RAND_R_NO_KEY_SET 107
-+#define RAND_R_PRNG_ASKING_FOR_TOO_MUCH 101
-+#define RAND_R_PRNG_ERROR 108
-+#define RAND_R_PRNG_KEYED 109
-+#define RAND_R_PRNG_NOT_REKEYED 102
-+#define RAND_R_PRNG_NOT_RESEEDED 103
- #define RAND_R_PRNG_NOT_SEEDED 100
-+#define RAND_R_PRNG_SEED_MUST_NOT_MATCH_KEY 110
-+#define RAND_R_PRNG_STUCK 104
-
- #ifdef __cplusplus
- }
-diff -up openssl-1.0.1e/crypto/ripemd/rmd_dgst.c.fips openssl-1.0.1e/crypto/ripemd/rmd_dgst.c
---- openssl-1.0.1e/crypto/ripemd/rmd_dgst.c.fips 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/ripemd/rmd_dgst.c 2013-10-04 11:48:04.191694385 +0200
-@@ -70,7 +70,7 @@ const char RMD160_version[]="RIPE-MD160"
- void ripemd160_block(RIPEMD160_CTX *c, unsigned long *p,size_t num);
- # endif
-
--fips_md_init(RIPEMD160)
-+nonfips_md_init(RIPEMD160)
- {
- memset (c,0,sizeof(*c));
- c->A=RIPEMD160_A;
-diff -up openssl-1.0.1e/crypto/rsa/rsa_crpt.c.fips openssl-1.0.1e/crypto/rsa/rsa_crpt.c
---- openssl-1.0.1e/crypto/rsa/rsa_crpt.c.fips 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/rsa/rsa_crpt.c 2013-10-04 11:48:04.191694385 +0200
-@@ -90,10 +90,9 @@ int RSA_private_encrypt(int flen, const
- RSA *rsa, int padding)
- {
- #ifdef OPENSSL_FIPS
-- if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
-- && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
-+ if(FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
- {
-- RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, RSA_R_NON_FIPS_RSA_METHOD);
-+ RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
- return -1;
- }
- #endif
-@@ -118,10 +117,9 @@ int RSA_public_decrypt(int flen, const u
- RSA *rsa, int padding)
- {
- #ifdef OPENSSL_FIPS
-- if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
-- && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
-+ if(FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
- {
-- RSAerr(RSA_F_RSA_PUBLIC_DECRYPT, RSA_R_NON_FIPS_RSA_METHOD);
-+ RSAerr(RSA_F_RSA_PUBLIC_DECRYPT, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
- return -1;
- }
- #endif
-diff -up openssl-1.0.1e/crypto/rsa/rsa_eay.c.fips openssl-1.0.1e/crypto/rsa/rsa_eay.c
---- openssl-1.0.1e/crypto/rsa/rsa_eay.c.fips 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/rsa/rsa_eay.c 2013-10-04 11:48:04.191694385 +0200
-@@ -114,6 +114,10 @@
- #include <openssl/bn.h>
- #include <openssl/rsa.h>
- #include <openssl/rand.h>
-+#include <openssl/err.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-
- #ifndef RSA_NULL
-
-@@ -138,7 +142,7 @@ static RSA_METHOD rsa_pkcs1_eay_meth={
- BN_mod_exp_mont, /* XXX probably we should not use Montgomery if e == 3 */
- RSA_eay_init,
- RSA_eay_finish,
-- 0, /* flags */
-+ RSA_FLAG_FIPS_METHOD, /* flags */
- NULL,
- 0, /* rsa_sign */
- 0, /* rsa_verify */
-@@ -158,6 +162,24 @@ static int RSA_eay_public_encrypt(int fl
- unsigned char *buf=NULL;
- BN_CTX *ctx=NULL;
-
-+#ifdef OPENSSL_FIPS
-+ if(FIPS_mode())
-+ {
-+ if (FIPS_selftest_failed())
-+ {
-+ FIPSerr(FIPS_F_RSA_EAY_PUBLIC_ENCRYPT,FIPS_R_FIPS_SELFTEST_FAILED);
-+ goto err;
-+ }
-+
-+ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
-+ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
-+ {
-+ RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
-+ return -1;
-+ }
-+ }
-+#endif
-+
- if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS)
- {
- RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);
-@@ -361,6 +383,24 @@ static int RSA_eay_private_encrypt(int f
- BIGNUM *unblind = NULL;
- BN_BLINDING *blinding = NULL;
-
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode())
-+ {
-+ if(FIPS_selftest_failed())
-+ {
-+ FIPSerr(FIPS_F_RSA_EAY_PRIVATE_ENCRYPT,FIPS_R_FIPS_SELFTEST_FAILED);
-+ return -1;
-+ }
-+
-+ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
-+ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
-+ {
-+ RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
-+ return -1;
-+ }
-+ }
-+#endif
-+
- if ((ctx=BN_CTX_new()) == NULL) goto err;
- BN_CTX_start(ctx);
- f = BN_CTX_get(ctx);
-@@ -504,6 +544,24 @@ static int RSA_eay_private_decrypt(int f
- BIGNUM *unblind = NULL;
- BN_BLINDING *blinding = NULL;
-
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode())
-+ {
-+ if(FIPS_selftest_failed())
-+ {
-+ FIPSerr(FIPS_F_RSA_EAY_PRIVATE_DECRYPT,FIPS_R_FIPS_SELFTEST_FAILED);
-+ return -1;
-+ }
-+
-+ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
-+ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
-+ {
-+ RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
-+ return -1;
-+ }
-+ }
-+#endif
-+
- if((ctx = BN_CTX_new()) == NULL) goto err;
- BN_CTX_start(ctx);
- f = BN_CTX_get(ctx);
-@@ -639,6 +697,24 @@ static int RSA_eay_public_decrypt(int fl
- unsigned char *buf=NULL;
- BN_CTX *ctx=NULL;
-
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode())
-+ {
-+ if(FIPS_selftest_failed())
-+ {
-+ FIPSerr(FIPS_F_RSA_EAY_PUBLIC_DECRYPT,FIPS_R_FIPS_SELFTEST_FAILED);
-+ goto err;
-+ }
-+
-+ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
-+ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
-+ {
-+ RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
-+ return -1;
-+ }
-+ }
-+#endif
-+
- if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS)
- {
- RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);
-@@ -897,6 +973,9 @@ err:
-
- static int RSA_eay_init(RSA *rsa)
- {
-+#ifdef OPENSSL_FIPS
-+ FIPS_selftest_check();
-+#endif
- rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE;
- return(1);
- }
-diff -up openssl-1.0.1e/crypto/rsa/rsa_err.c.fips openssl-1.0.1e/crypto/rsa/rsa_err.c
---- openssl-1.0.1e/crypto/rsa/rsa_err.c.fips 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/rsa/rsa_err.c 2013-10-04 11:48:04.191694385 +0200
-@@ -121,6 +121,8 @@ static ERR_STRING_DATA RSA_str_functs[]=
- {ERR_FUNC(RSA_F_RSA_PUBLIC_ENCRYPT), "RSA_public_encrypt"},
- {ERR_FUNC(RSA_F_RSA_PUB_DECODE), "RSA_PUB_DECODE"},
- {ERR_FUNC(RSA_F_RSA_SETUP_BLINDING), "RSA_setup_blinding"},
-+{ERR_FUNC(RSA_F_RSA_SET_DEFAULT_METHOD), "RSA_set_default_method"},
-+{ERR_FUNC(RSA_F_RSA_SET_METHOD), "RSA_set_method"},
- {ERR_FUNC(RSA_F_RSA_SIGN), "RSA_sign"},
- {ERR_FUNC(RSA_F_RSA_SIGN_ASN1_OCTET_STRING), "RSA_sign_ASN1_OCTET_STRING"},
- {ERR_FUNC(RSA_F_RSA_VERIFY), "RSA_verify"},
-diff -up openssl-1.0.1e/crypto/rsa/rsa_gen.c.fips openssl-1.0.1e/crypto/rsa/rsa_gen.c
---- openssl-1.0.1e/crypto/rsa/rsa_gen.c.fips 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/rsa/rsa_gen.c 2013-10-04 11:48:04.191694385 +0200
-@@ -69,6 +69,78 @@
- #include <openssl/rsa.h>
- #ifdef OPENSSL_FIPS
- #include <openssl/fips.h>
-+#include <openssl/err.h>
-+#include <openssl/evp.h>
-+
-+static int fips_rsa_pairwise_fail = 0;
-+
-+void FIPS_corrupt_rsa_keygen(void)
-+ {
-+ fips_rsa_pairwise_fail = 1;
-+ }
-+
-+int fips_check_rsa(RSA *rsa)
-+ {
-+ const unsigned char tbs[] = "RSA Pairwise Check Data";
-+ unsigned char *ctbuf = NULL, *ptbuf = NULL;
-+ int len, ret = 0;
-+ EVP_PKEY *pk;
-+
-+ if ((pk=EVP_PKEY_new()) == NULL)
-+ goto err;
-+
-+ EVP_PKEY_set1_RSA(pk, rsa);
-+
-+ /* Perform pairwise consistency signature test */
-+ if (!fips_pkey_signature_test(pk, tbs, -1,
-+ NULL, 0, EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PKCS1, NULL)
-+ || !fips_pkey_signature_test(pk, tbs, -1,
-+ NULL, 0, EVP_sha1(), EVP_MD_CTX_FLAG_PAD_X931, NULL)
-+ || !fips_pkey_signature_test(pk, tbs, -1,
-+ NULL, 0, EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PSS, NULL))
-+ goto err;
-+ /* Now perform pairwise consistency encrypt/decrypt test */
-+ ctbuf = OPENSSL_malloc(RSA_size(rsa));
-+ if (!ctbuf)
-+ goto err;
-+
-+ len = RSA_public_encrypt(sizeof(tbs) - 1, tbs, ctbuf, rsa, RSA_PKCS1_PADDING);
-+ if (len <= 0)
-+ goto err;
-+ /* Check ciphertext doesn't match plaintext */
-+ if ((len == (sizeof(tbs) - 1)) && !memcmp(tbs, ctbuf, len))
-+ goto err;
-+ ptbuf = OPENSSL_malloc(RSA_size(rsa));
-+
-+ if (!ptbuf)
-+ goto err;
-+ len = RSA_private_decrypt(len, ctbuf, ptbuf, rsa, RSA_PKCS1_PADDING);
-+ if (len != (sizeof(tbs) - 1))
-+ goto err;
-+ if (memcmp(ptbuf, tbs, len))
-+ goto err;
-+
-+ ret = 1;
-+
-+ if (!ptbuf)
-+ goto err;
-+
-+ err:
-+ if (ret == 0)
-+ {
-+ fips_set_selftest_fail();
-+ FIPSerr(FIPS_F_FIPS_CHECK_RSA,FIPS_R_PAIRWISE_TEST_FAILED);
-+ }
-+
-+ if (ctbuf)
-+ OPENSSL_free(ctbuf);
-+ if (ptbuf)
-+ OPENSSL_free(ptbuf);
-+ if (pk)
-+ EVP_PKEY_free(pk);
-+
-+ return ret;
-+ }
- #endif
-
- static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb);
-@@ -81,7 +153,7 @@ static int rsa_builtin_keygen(RSA *rsa,
- int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
- {
- #ifdef OPENSSL_FIPS
-- if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
-+ if (FIPS_module_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
- && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
- {
- RSAerr(RSA_F_RSA_GENERATE_KEY_EX, RSA_R_NON_FIPS_RSA_METHOD);
-@@ -90,10 +162,6 @@ int RSA_generate_key_ex(RSA *rsa, int bi
- #endif
- if(rsa->meth->rsa_keygen)
- return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode())
-- return FIPS_rsa_generate_key_ex(rsa, bits, e_value, cb);
--#endif
- return rsa_builtin_keygen(rsa, bits, e_value, cb);
- }
-
-@@ -105,6 +173,23 @@ static int rsa_builtin_keygen(RSA *rsa,
- int bitsp,bitsq,ok= -1,n=0;
- BN_CTX *ctx=NULL;
-
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_module_mode())
-+ {
-+ if(FIPS_selftest_failed())
-+ {
-+ FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN,FIPS_R_FIPS_SELFTEST_FAILED);
-+ return 0;
-+ }
-+
-+ if (bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)
-+ {
-+ FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN,FIPS_R_KEY_TOO_SHORT);
-+ return 0;
-+ }
-+ }
-+#endif
-+
- ctx=BN_CTX_new();
- if (ctx == NULL) goto err;
- BN_CTX_start(ctx);
-@@ -216,6 +301,17 @@ static int rsa_builtin_keygen(RSA *rsa,
- p = rsa->p;
- if (!BN_mod_inverse(rsa->iqmp,rsa->q,p,ctx)) goto err;
-
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_module_mode())
-+ {
-+ if (fips_rsa_pairwise_fail)
-+ BN_add_word(rsa->n, 1);
-+
-+ if(!fips_check_rsa(rsa))
-+ goto err;
-+ }
-+#endif
-+
- ok=1;
- err:
- if (ok == -1)
-diff -up openssl-1.0.1e/crypto/rsa/rsa.h.fips openssl-1.0.1e/crypto/rsa/rsa.h
---- openssl-1.0.1e/crypto/rsa/rsa.h.fips 2013-10-04 11:48:04.075691765 +0200
-+++ openssl-1.0.1e/crypto/rsa/rsa.h 2013-10-04 11:48:04.192694407 +0200
-@@ -164,6 +164,8 @@ struct rsa_st
- # define OPENSSL_RSA_MAX_MODULUS_BITS 16384
- #endif
-
-+#define OPENSSL_RSA_FIPS_MIN_MODULUS_BITS 1024
-+
- #ifndef OPENSSL_RSA_SMALL_MODULUS_BITS
- # define OPENSSL_RSA_SMALL_MODULUS_BITS 3072
- #endif
-@@ -290,6 +292,11 @@ RSA * RSA_generate_key(int bits, unsigne
-
- /* New version */
- int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
-+int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1, BIGNUM *q2,
-+ const BIGNUM *Xp1, const BIGNUM *Xp2, const BIGNUM *Xp,
-+ const BIGNUM *Xq1, const BIGNUM *Xq2, const BIGNUM *Xq,
-+ const BIGNUM *e, BN_GENCB *cb);
-+int RSA_X931_generate_key_ex(RSA *rsa, int bits, const BIGNUM *e, BN_GENCB *cb);
-
- int RSA_check_key(const RSA *);
- /* next 4 return -1 on error */
-@@ -487,7 +494,7 @@ void ERR_load_RSA_strings(void);
- #define RSA_F_RSA_PADDING_ADD_NONE 107
- #define RSA_F_RSA_PADDING_ADD_PKCS1_OAEP 121
- #define RSA_F_RSA_PADDING_ADD_PKCS1_PSS 125
--#define RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1 148
-+#define RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1 158
- #define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1 108
- #define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2 109
- #define RSA_F_RSA_PADDING_ADD_SSLV23 110
-@@ -500,20 +507,22 @@ void ERR_load_RSA_strings(void);
- #define RSA_F_RSA_PADDING_CHECK_X931 128
- #define RSA_F_RSA_PRINT 115
- #define RSA_F_RSA_PRINT_FP 116
--#define RSA_F_RSA_PRIVATE_DECRYPT 150
--#define RSA_F_RSA_PRIVATE_ENCRYPT 151
-+#define RSA_F_RSA_PRIVATE_DECRYPT 157
-+#define RSA_F_RSA_PRIVATE_ENCRYPT 148
- #define RSA_F_RSA_PRIV_DECODE 137
- #define RSA_F_RSA_PRIV_ENCODE 138
--#define RSA_F_RSA_PUBLIC_DECRYPT 152
-+#define RSA_F_RSA_PUBLIC_DECRYPT 149
- #define RSA_F_RSA_PUBLIC_ENCRYPT 153
- #define RSA_F_RSA_PUB_DECODE 139
- #define RSA_F_RSA_SETUP_BLINDING 136
-+#define RSA_F_RSA_SET_DEFAULT_METHOD 150
-+#define RSA_F_RSA_SET_METHOD 151
- #define RSA_F_RSA_SIGN 117
- #define RSA_F_RSA_SIGN_ASN1_OCTET_STRING 118
- #define RSA_F_RSA_VERIFY 119
- #define RSA_F_RSA_VERIFY_ASN1_OCTET_STRING 120
- #define RSA_F_RSA_VERIFY_PKCS1_PSS 126
--#define RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1 149
-+#define RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1 152
-
- /* Reason codes. */
- #define RSA_R_ALGORITHM_MISMATCH 100
-@@ -542,21 +551,22 @@ void ERR_load_RSA_strings(void);
- #define RSA_R_INVALID_MGF1_MD 156
- #define RSA_R_INVALID_PADDING 138
- #define RSA_R_INVALID_PADDING_MODE 141
--#define RSA_R_INVALID_PSS_PARAMETERS 149
-+#define RSA_R_INVALID_PSS_PARAMETERS 157
- #define RSA_R_INVALID_PSS_SALTLEN 146
--#define RSA_R_INVALID_SALT_LENGTH 150
-+#define RSA_R_INVALID_SALT_LENGTH 158
- #define RSA_R_INVALID_TRAILER 139
- #define RSA_R_INVALID_X931_DIGEST 142
- #define RSA_R_IQMP_NOT_INVERSE_OF_Q 126
- #define RSA_R_KEY_SIZE_TOO_SMALL 120
- #define RSA_R_LAST_OCTET_INVALID 134
- #define RSA_R_MODULUS_TOO_LARGE 105
--#define RSA_R_NON_FIPS_RSA_METHOD 157
-+#define RSA_R_NON_FIPS_RSA_METHOD 149
-+#define RSA_R_NON_FIPS_METHOD 149
- #define RSA_R_NO_PUBLIC_EXPONENT 140
- #define RSA_R_NULL_BEFORE_BLOCK_MISSING 113
- #define RSA_R_N_DOES_NOT_EQUAL_P_Q 127
- #define RSA_R_OAEP_DECODING_ERROR 121
--#define RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE 158
-+#define RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE 150
- #define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148
- #define RSA_R_PADDING_CHECK_FAILED 114
- #define RSA_R_P_NOT_PRIME 128
-diff -up openssl-1.0.1e/crypto/rsa/rsa_lib.c.fips openssl-1.0.1e/crypto/rsa/rsa_lib.c
---- openssl-1.0.1e/crypto/rsa/rsa_lib.c.fips 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/rsa/rsa_lib.c 2013-10-04 11:48:04.192694407 +0200
-@@ -84,6 +84,13 @@ RSA *RSA_new(void)
-
- void RSA_set_default_method(const RSA_METHOD *meth)
- {
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode() && !(meth->flags & RSA_FLAG_FIPS_METHOD))
-+ {
-+ RSAerr(RSA_F_RSA_SET_DEFAULT_METHOD, RSA_R_NON_FIPS_METHOD);
-+ return;
-+ }
-+#endif
- default_RSA_meth = meth;
- }
-
-@@ -91,18 +98,11 @@ const RSA_METHOD *RSA_get_default_method
- {
- if (default_RSA_meth == NULL)
- {
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode())
-- return FIPS_rsa_pkcs1_ssleay();
-- else
-- return RSA_PKCS1_SSLeay();
--#else
- #ifdef RSA_NULL
- default_RSA_meth=RSA_null_method();
- #else
- default_RSA_meth=RSA_PKCS1_SSLeay();
- #endif
--#endif
- }
-
- return default_RSA_meth;
-@@ -118,6 +118,13 @@ int RSA_set_method(RSA *rsa, const RSA_M
- /* NB: The caller is specifically setting a method, so it's not up to us
- * to deal with which ENGINE it comes from. */
- const RSA_METHOD *mtmp;
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode() && !(meth->flags & RSA_FLAG_FIPS_METHOD))
-+ {
-+ RSAerr(RSA_F_RSA_SET_METHOD, RSA_R_NON_FIPS_METHOD);
-+ return 0;
-+ }
-+#endif
- mtmp = rsa->meth;
- if (mtmp->finish) mtmp->finish(rsa);
- #ifndef OPENSSL_NO_ENGINE
-@@ -170,6 +177,18 @@ RSA *RSA_new_method(ENGINE *engine)
- }
- }
- #endif
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode() && !(ret->meth->flags & RSA_FLAG_FIPS_METHOD))
-+ {
-+ RSAerr(RSA_F_RSA_NEW_METHOD, RSA_R_NON_FIPS_METHOD);
-+#ifndef OPENSSL_NO_ENGINE
-+ if (ret->engine)
-+ ENGINE_finish(ret->engine);
-+#endif
-+ OPENSSL_free(ret);
-+ return NULL;
-+ }
-+#endif
-
- ret->pad=0;
- ret->version=0;
-@@ -188,7 +207,7 @@ RSA *RSA_new_method(ENGINE *engine)
- ret->blinding=NULL;
- ret->mt_blinding=NULL;
- ret->bignum_data=NULL;
-- ret->flags=ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW;
-+ ret->flags=ret->meth->flags;
- if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data))
- {
- #ifndef OPENSSL_NO_ENGINE
-diff -up openssl-1.0.1e/crypto/rsa/rsa_pmeth.c.fips openssl-1.0.1e/crypto/rsa/rsa_pmeth.c
---- openssl-1.0.1e/crypto/rsa/rsa_pmeth.c.fips 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/rsa/rsa_pmeth.c 2013-10-04 11:48:04.192694407 +0200
-@@ -206,22 +206,6 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *c
- RSA_R_INVALID_DIGEST_LENGTH);
- return -1;
- }
--#ifdef OPENSSL_FIPS
-- if (ret > 0)
-- {
-- unsigned int slen;
-- ret = FIPS_rsa_sign_digest(rsa, tbs, tbslen, rctx->md,
-- rctx->pad_mode,
-- rctx->saltlen,
-- rctx->mgf1md,
-- sig, &slen);
-- if (ret > 0)
-- *siglen = slen;
-- else
-- *siglen = 0;
-- return ret;
-- }
--#endif
-
- if (EVP_MD_type(rctx->md) == NID_mdc2)
- {
-@@ -354,19 +338,6 @@ static int pkey_rsa_verify(EVP_PKEY_CTX
- #endif
- if (rctx->md)
- {
--#ifdef OPENSSL_FIPS
-- if (rv > 0)
-- {
-- return FIPS_rsa_verify_digest(rsa,
-- tbs, tbslen,
-- rctx->md,
-- rctx->pad_mode,
-- rctx->saltlen,
-- rctx->mgf1md,
-- sig, siglen);
--
-- }
--#endif
- if (rctx->pad_mode == RSA_PKCS1_PADDING)
- return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen,
- sig, siglen, rsa);
-diff -up openssl-1.0.1e/crypto/rsa/rsa_sign.c.fips openssl-1.0.1e/crypto/rsa/rsa_sign.c
---- openssl-1.0.1e/crypto/rsa/rsa_sign.c.fips 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/rsa/rsa_sign.c 2013-10-04 11:48:04.192694407 +0200
-@@ -138,7 +138,8 @@ int RSA_sign(int type, const unsigned ch
- i2d_X509_SIG(&sig,&p);
- s=tmps;
- }
-- i=RSA_private_encrypt(i,s,sigret,rsa,RSA_PKCS1_PADDING);
-+ /* NB: call underlying method directly to avoid FIPS blocking */
-+ i = rsa->meth->rsa_priv_enc ? rsa->meth->rsa_priv_enc(i,s,sigret,rsa,RSA_PKCS1_PADDING) : 0;
- if (i <= 0)
- ret=0;
- else
-@@ -178,8 +179,8 @@ int int_rsa_verify(int dtype, const unsi
-
- if((dtype == NID_md5_sha1) && rm)
- {
-- i = RSA_public_decrypt((int)siglen,
-- sigbuf,rm,rsa,RSA_PKCS1_PADDING);
-+ i = rsa->meth->rsa_pub_dec ? rsa->meth->rsa_pub_dec((int)siglen,
-+ sigbuf,rm,rsa,RSA_PKCS1_PADDING) : 0;
- if (i <= 0)
- return 0;
- *prm_len = i;
-@@ -196,7 +197,8 @@ int int_rsa_verify(int dtype, const unsi
- RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_INVALID_MESSAGE_LENGTH);
- goto err;
- }
-- i=RSA_public_decrypt((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING);
-+ /* NB: call underlying method directly to avoid FIPS blocking */
-+ i = rsa->meth->rsa_pub_dec ? rsa->meth->rsa_pub_dec((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING) : 0;
-
- if (i <= 0) goto err;
- /* Oddball MDC2 case: signature can be OCTET STRING.
-diff -up openssl-1.0.1e/crypto/sha/sha.h.fips openssl-1.0.1e/crypto/sha/sha.h
---- openssl-1.0.1e/crypto/sha/sha.h.fips 2013-10-04 11:48:03.867687068 +0200
-+++ openssl-1.0.1e/crypto/sha/sha.h 2013-10-04 11:48:04.192694407 +0200
-@@ -116,9 +116,6 @@ unsigned char *SHA(const unsigned char *
- void SHA_Transform(SHA_CTX *c, const unsigned char *data);
- #endif
- #ifndef OPENSSL_NO_SHA1
--#ifdef OPENSSL_FIPS
--int private_SHA1_Init(SHA_CTX *c);
--#endif
- int SHA1_Init(SHA_CTX *c);
- int SHA1_Update(SHA_CTX *c, const void *data, size_t len);
- int SHA1_Final(unsigned char *md, SHA_CTX *c);
-@@ -141,10 +138,6 @@ typedef struct SHA256state_st
- } SHA256_CTX;
-
- #ifndef OPENSSL_NO_SHA256
--#ifdef OPENSSL_FIPS
--int private_SHA224_Init(SHA256_CTX *c);
--int private_SHA256_Init(SHA256_CTX *c);
--#endif
- int SHA224_Init(SHA256_CTX *c);
- int SHA224_Update(SHA256_CTX *c, const void *data, size_t len);
- int SHA224_Final(unsigned char *md, SHA256_CTX *c);
-@@ -192,10 +185,6 @@ typedef struct SHA512state_st
- #endif
-
- #ifndef OPENSSL_NO_SHA512
--#ifdef OPENSSL_FIPS
--int private_SHA384_Init(SHA512_CTX *c);
--int private_SHA512_Init(SHA512_CTX *c);
--#endif
- int SHA384_Init(SHA512_CTX *c);
- int SHA384_Update(SHA512_CTX *c, const void *data, size_t len);
- int SHA384_Final(unsigned char *md, SHA512_CTX *c);
-diff -up openssl-1.0.1e/crypto/sha/sha_locl.h.fips openssl-1.0.1e/crypto/sha/sha_locl.h
---- openssl-1.0.1e/crypto/sha/sha_locl.h.fips 2013-10-04 11:48:03.870687135 +0200
-+++ openssl-1.0.1e/crypto/sha/sha_locl.h 2013-10-04 11:48:04.192694407 +0200
-@@ -123,11 +123,14 @@ void sha1_block_data_order (SHA_CTX *c,
- #define INIT_DATA_h4 0xc3d2e1f0UL
-
- #ifdef SHA_0
--fips_md_init(SHA)
-+nonfips_md_init(SHA)
- #else
- fips_md_init_ctx(SHA1, SHA)
- #endif
- {
-+#if defined(SHA_1) && defined(OPENSSL_FIPS)
-+ FIPS_selftest_check();
-+#endif
- memset (c,0,sizeof(*c));
- c->h0=INIT_DATA_h0;
- c->h1=INIT_DATA_h1;
-diff -up openssl-1.0.1e/crypto/sha/sha256.c.fips openssl-1.0.1e/crypto/sha/sha256.c
---- openssl-1.0.1e/crypto/sha/sha256.c.fips 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/sha/sha256.c 2013-10-04 11:48:04.193694429 +0200
-@@ -12,12 +12,19 @@
-
- #include <openssl/crypto.h>
- #include <openssl/sha.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-+
- #include <openssl/opensslv.h>
-
- const char SHA256_version[]="SHA-256" OPENSSL_VERSION_PTEXT;
-
- fips_md_init_ctx(SHA224, SHA256)
- {
-+#ifdef OPENSSL_FIPS
-+ FIPS_selftest_check();
-+#endif
- memset (c,0,sizeof(*c));
- c->h[0]=0xc1059ed8UL; c->h[1]=0x367cd507UL;
- c->h[2]=0x3070dd17UL; c->h[3]=0xf70e5939UL;
-@@ -29,6 +36,9 @@ fips_md_init_ctx(SHA224, SHA256)
-
- fips_md_init(SHA256)
- {
-+#ifdef OPENSSL_FIPS
-+ FIPS_selftest_check();
-+#endif
- memset (c,0,sizeof(*c));
- c->h[0]=0x6a09e667UL; c->h[1]=0xbb67ae85UL;
- c->h[2]=0x3c6ef372UL; c->h[3]=0xa54ff53aUL;
-diff -up openssl-1.0.1e/crypto/sha/sha512.c.fips openssl-1.0.1e/crypto/sha/sha512.c
---- openssl-1.0.1e/crypto/sha/sha512.c.fips 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/sha/sha512.c 2013-10-04 11:48:04.193694429 +0200
-@@ -5,6 +5,10 @@
- * ====================================================================
- */
- #include <openssl/opensslconf.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-+
- #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA512)
- /*
- * IMPLEMENTATION NOTES.
-@@ -61,6 +65,9 @@ const char SHA512_version[]="SHA-512" OP
-
- fips_md_init_ctx(SHA384, SHA512)
- {
-+#ifdef OPENSSL_FIPS
-+ FIPS_selftest_check();
-+#endif
- c->h[0]=U64(0xcbbb9d5dc1059ed8);
- c->h[1]=U64(0x629a292a367cd507);
- c->h[2]=U64(0x9159015a3070dd17);
-@@ -77,6 +84,9 @@ fips_md_init_ctx(SHA384, SHA512)
-
- fips_md_init(SHA512)
- {
-+#ifdef OPENSSL_FIPS
-+ FIPS_selftest_check();
-+#endif
- c->h[0]=U64(0x6a09e667f3bcc908);
- c->h[1]=U64(0xbb67ae8584caa73b);
- c->h[2]=U64(0x3c6ef372fe94f82b);
-diff -up openssl-1.0.1e/crypto/whrlpool/wp_dgst.c.fips openssl-1.0.1e/crypto/whrlpool/wp_dgst.c
---- openssl-1.0.1e/crypto/whrlpool/wp_dgst.c.fips 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/whrlpool/wp_dgst.c 2013-10-04 11:48:04.193694429 +0200
-@@ -55,7 +55,7 @@
- #include <openssl/crypto.h>
- #include <string.h>
-
--fips_md_init(WHIRLPOOL)
-+nonfips_md_init(WHIRLPOOL)
- {
- memset (c,0,sizeof(*c));
- return(1);
-diff -up openssl-1.0.1e/Makefile.org.fips openssl-1.0.1e/Makefile.org
---- openssl-1.0.1e/Makefile.org.fips 2013-10-04 11:48:04.157693616 +0200
-+++ openssl-1.0.1e/Makefile.org 2013-10-04 11:48:04.193694429 +0200
-@@ -136,6 +136,9 @@ FIPSCANLIB=
-
- BASEADDR=
-
-+# Non-empty if FIPS enabled
-+FIPS=
-+
- DIRS= crypto ssl engines apps test tools
- ENGDIRS= ccgost
- SHLIBDIRS= crypto ssl
-@@ -148,7 +151,7 @@ SDIRS= \
- bn ec rsa dsa ecdsa dh ecdh dso engine \
- buffer bio stack lhash rand err \
- evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5 \
-- cms pqueue ts jpake srp store cmac
-+ cms pqueue ts jpake srp store cmac fips
- # keep in mind that the above list is adjusted by ./Configure
- # according to no-xxx arguments...
-
-@@ -237,6 +240,7 @@ BUILDENV= PLATFORM='$(PLATFORM)' PROCESS
- FIPSLIBDIR='${FIPSLIBDIR}' \
- FIPSDIR='${FIPSDIR}' \
- FIPSCANLIB="$${FIPSCANLIB:-$(FIPSCANLIB)}" \
-+ FIPS="$${FIPS:-$(FIPS)}" \
- THIS=$${THIS:-$@} MAKEFILE=Makefile MAKEOVERRIDES=
- # MAKEOVERRIDES= effectively "equalizes" GNU-ish and SysV-ish make flavors,
- # which in turn eliminates ambiguities in variable treatment with -e.
-diff -up openssl-1.0.1e/ssl/d1_srvr.c.fips openssl-1.0.1e/ssl/d1_srvr.c
---- openssl-1.0.1e/ssl/d1_srvr.c.fips 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/ssl/d1_srvr.c 2013-10-04 11:48:04.193694429 +0200
-@@ -1372,6 +1372,8 @@ int dtls1_send_server_key_exchange(SSL *
- j=0;
- for (num=2; num > 0; num--)
- {
-+ EVP_MD_CTX_set_flags(&md_ctx,
-+ EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
- EVP_DigestInit_ex(&md_ctx,(num == 2)
- ?s->ctx->md5:s->ctx->sha1, NULL);
- EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
-diff -up openssl-1.0.1e/ssl/ssl_algs.c.fips openssl-1.0.1e/ssl/ssl_algs.c
---- openssl-1.0.1e/ssl/ssl_algs.c.fips 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/ssl/ssl_algs.c 2013-10-04 11:48:04.193694429 +0200
-@@ -64,6 +64,12 @@
- int SSL_library_init(void)
- {
-
-+#ifdef OPENSSL_FIPS
-+ OPENSSL_init_library();
-+ if (!FIPS_mode())
-+ {
-+#endif
-+
- #ifndef OPENSSL_NO_DES
- EVP_add_cipher(EVP_des_cbc());
- EVP_add_cipher(EVP_des_ede3_cbc());
-@@ -137,6 +143,50 @@ int SSL_library_init(void)
- EVP_add_digest(EVP_sha());
- EVP_add_digest(EVP_dss());
- #endif
-+#ifdef OPENSSL_FIPS
-+ }
-+ else
-+ {
-+#ifndef OPENSSL_NO_DES
-+ EVP_add_cipher(EVP_des_ede3_cbc());
-+#endif
-+#ifndef OPENSSL_NO_AES
-+ EVP_add_cipher(EVP_aes_128_cbc());
-+ EVP_add_cipher(EVP_aes_192_cbc());
-+ EVP_add_cipher(EVP_aes_256_cbc());
-+ EVP_add_cipher(EVP_aes_128_gcm());
-+ EVP_add_cipher(EVP_aes_256_gcm());
-+#endif
-+#ifndef OPENSSL_NO_MD5
-+ /* needed even in the FIPS mode for TLS MAC */
-+ EVP_add_digest(EVP_md5());
-+ EVP_add_digest_alias(SN_md5,"ssl2-md5");
-+ EVP_add_digest_alias(SN_md5,"ssl3-md5");
-+#endif
-+#ifndef OPENSSL_NO_SHA
-+ EVP_add_digest(EVP_sha1()); /* RSA with sha1 */
-+ EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
-+ EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
-+#endif
-+#ifndef OPENSSL_NO_SHA256
-+ EVP_add_digest(EVP_sha224());
-+ EVP_add_digest(EVP_sha256());
-+#endif
-+#ifndef OPENSSL_NO_SHA512
-+ EVP_add_digest(EVP_sha384());
-+ EVP_add_digest(EVP_sha512());
-+#endif
-+#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA)
-+ EVP_add_digest(EVP_dss1()); /* DSA with sha1 */
-+ EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
-+ EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
-+ EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
-+#endif
-+#ifndef OPENSSL_NO_ECDSA
-+ EVP_add_digest(EVP_ecdsa());
-+#endif
-+ }
-+#endif
- #ifndef OPENSSL_NO_COMP
- /* This will initialise the built-in compression algorithms.
- The value returned is a STACK_OF(SSL_COMP), but that can
diff --git a/SOURCES/openssl-1.0.1e-issuer-hash.patch b/SOURCES/openssl-1.0.1e-issuer-hash.patch
deleted file mode 100644
index 0f3bfdb..0000000
--- a/SOURCES/openssl-1.0.1e-issuer-hash.patch
+++ /dev/null
@@ -1,11 +0,0 @@
-diff -up openssl-1.0.1e/crypto/x509/x509_cmp.c.issuer-hash openssl-1.0.1e/crypto/x509/x509_cmp.c
---- openssl-1.0.1e/crypto/x509/x509_cmp.c.issuer-hash 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/x509/x509_cmp.c 2013-02-19 12:46:11.315788592 +0100
-@@ -85,6 +85,7 @@ unsigned long X509_issuer_and_serial_has
- char *f;
-
- EVP_MD_CTX_init(&ctx);
-+ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
- f=X509_NAME_oneline(a->cert_info->issuer,NULL,0);
- if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL))
- goto err;
diff --git a/SOURCES/openssl-1.0.1e-keymat-algo.patch b/SOURCES/openssl-1.0.1e-keymat-algo.patch
deleted file mode 100644
index 5f5cab0..0000000
--- a/SOURCES/openssl-1.0.1e-keymat-algo.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up openssl-1.0.1e/ssl/t1_enc.c.keymat-algo openssl-1.0.1e/ssl/t1_enc.c
---- openssl-1.0.1e/ssl/t1_enc.c.keymat-algo 2016-04-07 13:54:03.000000000 +0200
-+++ openssl-1.0.1e/ssl/t1_enc.c 2016-04-07 14:45:25.216561938 +0200
-@@ -1205,7 +1205,7 @@ int tls1_export_keying_material(SSL *s,
- if (memcmp(val, TLS_MD_KEY_EXPANSION_CONST,
- TLS_MD_KEY_EXPANSION_CONST_SIZE) == 0) goto err1;
-
-- rv = tls1_PRF(s->s3->tmp.new_cipher->algorithm2,
-+ rv = tls1_PRF(ssl_get_algorithm2(s),
- val, vallen,
- NULL, 0,
- NULL, 0,
diff --git a/SOURCES/openssl-1.0.1e-krb5keytab.patch b/SOURCES/openssl-1.0.1e-krb5keytab.patch
deleted file mode 100644
index 45d3dd8..0000000
--- a/SOURCES/openssl-1.0.1e-krb5keytab.patch
+++ /dev/null
@@ -1,179 +0,0 @@
-diff -up openssl-1.0.1e/apps/s_client.c.krb5keytab openssl-1.0.1e/apps/s_client.c
---- openssl-1.0.1e/apps/s_client.c.krb5keytab 2015-03-03 14:41:41.248686764 +0100
-+++ openssl-1.0.1e/apps/s_client.c 2015-03-03 15:43:38.285048063 +0100
-@@ -169,6 +169,10 @@ typedef unsigned int u_int;
- #include "s_apps.h"
- #include "timeouts.h"
-
-+#ifndef OPENSSL_NO_KRB5
-+static char *krb5svc=NULL;
-+#endif
-+
- #if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
- /* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
- #undef FIONBIO
-@@ -348,6 +352,9 @@ static void sc_usage(void)
- BIO_printf(bio_err," 'prot' defines which one to assume. Currently,\n");
- BIO_printf(bio_err," only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
- BIO_printf(bio_err," are supported.\n");
-+#ifndef OPENSSL_NO_KRB5
-+ BIO_printf(bio_err," -krb5svc arg - Kerberos service name\n");
-+#endif
- #ifndef OPENSSL_NO_ENGINE
- BIO_printf(bio_err," -engine id - Initialise and use the specified engine\n");
- #endif
-@@ -906,6 +913,13 @@ int MAIN(int argc, char **argv)
- else if (strcmp(*argv,"-nbio") == 0)
- { c_nbio=1; }
- #endif
-+#ifndef OPENSSL_NO_KRB5
-+ else if (strcmp(*argv,"-krb5svc") == 0)
-+ {
-+ if (--argc < 1) goto bad;
-+ krb5svc= *(++argv);
-+ }
-+#endif
- else if (strcmp(*argv,"-starttls") == 0)
- {
- if (--argc < 1) goto bad;
-@@ -1266,6 +1280,8 @@ bad:
- {
- SSL_set0_kssl_ctx(con, kctx);
- kssl_ctx_setstring(kctx, KSSL_SERVER, host);
-+ if (krb5svc != NULL)
-+ kssl_ctx_setstring(kctx, KSSL_SERVICE, krb5svc);
- }
- #endif /* OPENSSL_NO_KRB5 */
- /* SSL_set_cipher_list(con,"RC4-MD5"); */
-diff -up openssl-1.0.1e/apps/s_server.c.krb5keytab openssl-1.0.1e/apps/s_server.c
---- openssl-1.0.1e/apps/s_server.c.krb5keytab 2015-03-03 14:41:41.198686492 +0100
-+++ openssl-1.0.1e/apps/s_server.c 2015-03-03 16:14:14.827107550 +0100
-@@ -201,6 +201,11 @@ typedef unsigned int u_int;
- #include <fcntl.h>
- #endif
-
-+#ifndef OPENSSL_NO_KRB5
-+static char *krb5svc=NULL;
-+static char *keytab=NULL;
-+#endif
-+
- #ifndef OPENSSL_NO_RSA
- static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength);
- #endif
-@@ -507,6 +512,10 @@ static void sv_usage(void)
- BIO_printf(bio_err," -serverpref - Use server's cipher preferences\n");
- BIO_printf(bio_err," -quiet - No server output\n");
- BIO_printf(bio_err," -no_tmp_rsa - Do not generate a tmp RSA key\n");
-+#ifndef OPENSSL_NO_KRB5
-+ BIO_printf(bio_err," -krb5svc arg - Kerberos service name\n");
-+ BIO_printf(bio_err," -keytab arg - Kerberos keytab filename\n");
-+#endif
- #ifndef OPENSSL_NO_PSK
- BIO_printf(bio_err," -psk_hint arg - PSK identity hint to use\n");
- BIO_printf(bio_err," -psk arg - PSK in hex (without 0x)\n");
-@@ -1121,6 +1130,18 @@ int MAIN(int argc, char *argv[])
- if (--argc < 1) goto bad;
- cipher= *(++argv);
- }
-+#ifndef OPENSSL_NO_KRB5
-+ else if (strcmp(*argv,"-krb5svc") == 0)
-+ {
-+ if (--argc < 1) goto bad;
-+ krb5svc= *(++argv);
-+ }
-+ else if (strcmp(*argv,"-keytab") == 0)
-+ {
-+ if (--argc < 1) goto bad;
-+ keytab= *(++argv);
-+ }
-+#endif
- else if (strcmp(*argv,"-CAfile") == 0)
- {
- if (--argc < 1) goto bad;
-@@ -2019,8 +2040,10 @@ static int sv_body(char *hostname, int s
- if ((kctx = kssl_ctx_new()) != NULL)
- {
- SSL_set0_kssl_ctx(con, kctx);
-- kssl_ctx_setstring(kctx, KSSL_SERVICE, KRB5SVC);
-- kssl_ctx_setstring(kctx, KSSL_KEYTAB, KRB5KEYTAB);
-+ kssl_ctx_setstring(kctx, KSSL_SERVICE,
-+ krb5svc == NULL ? KRB5SVC : krb5svc);
-+ if (keytab != NULL)
-+ kssl_ctx_setstring(kctx, KSSL_KEYTAB, keytab);
- }
- #endif /* OPENSSL_NO_KRB5 */
- if(context)
-@@ -2613,8 +2636,11 @@ static int www_body(char *hostname, int
- #ifndef OPENSSL_NO_KRB5
- if ((kctx = kssl_ctx_new()) != NULL)
- {
-- kssl_ctx_setstring(kctx, KSSL_SERVICE, KRB5SVC);
-- kssl_ctx_setstring(kctx, KSSL_KEYTAB, KRB5KEYTAB);
-+ SSL_set0_kssl_ctx(con, kctx);
-+ kssl_ctx_setstring(kctx, KSSL_SERVICE,
-+ krb5svc == NULL ? KRB5SVC : krb5svc);
-+ if (keytab != NULL)
-+ kssl_ctx_setstring(kctx, KSSL_KEYTAB, keytab);
- }
- #endif /* OPENSSL_NO_KRB5 */
- if(context) SSL_set_session_id_context(con, context,
-diff -up openssl-1.0.1e/doc/apps/s_client.pod.krb5keytab openssl-1.0.1e/doc/apps/s_client.pod
---- openssl-1.0.1e/doc/apps/s_client.pod.krb5keytab 2015-03-03 14:41:41.249686770 +0100
-+++ openssl-1.0.1e/doc/apps/s_client.pod 2015-03-03 16:28:08.374701114 +0100
-@@ -18,6 +18,8 @@ B<openssl> B<s_client>
- [B<-CApath directory>]
- [B<-CAfile filename>]
- [B<-trusted_first>]
-+[B<-krb5svc service>]
-+[B<-keytab filename>]
- [B<-reconnect>]
- [B<-pause>]
- [B<-showcerts>]
-@@ -115,6 +117,17 @@ and to use when attempting to build the
- Set various certificate chain valiadition option. See the
- L<B<verify>|verify(1)> manual page for details.
-
-+=item B<-krb5svc service>
-+
-+the Kerberos service name to use (default "host"). This means s_server
-+will expect a ticket for the principal I<service>/hostname@REALM, and will
-+need keys for that principal in its keytab.
-+
-+=item B<-keytab filename>
-+
-+the Kerberos "keytab" (key table) file, containing keys for the s_server
-+service principal (Kerberos identity; see -krb5svc).
-+
- =item B<-reconnect>
-
- reconnects to the same server 5 times using the same session ID, this can
-diff -up openssl-1.0.1e/doc/apps/s_server.pod.krb5keytab openssl-1.0.1e/doc/apps/s_server.pod
---- openssl-1.0.1e/doc/apps/s_server.pod.krb5keytab 2015-03-03 14:41:41.200686503 +0100
-+++ openssl-1.0.1e/doc/apps/s_server.pod 2015-03-03 16:29:35.631184313 +0100
-@@ -34,6 +34,8 @@ B<openssl> B<s_server>
- [B<-CApath directory>]
- [B<-CAfile filename>]
- [B<-trusted_first>]
-+[B<-krb5svc service>]
-+[B<-keytab filename>]
- [B<-nocert>]
- [B<-cipher cipherlist>]
- [B<-quiet>]
-@@ -181,6 +183,17 @@ Use certificates in CA file or CA direct
- when building the trust chain to verify client certificates.
- This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
-
-+=item B<-krb5svc service>
-+
-+the Kerberos service name to use (default "host"). This means s_server
-+will expect a ticket for the principal I<service>/hostname@REALM, and will
-+need keys for that principal in its keytab.
-+
-+=item B<-keytab filename>
-+
-+the Kerberos "keytab" (key table) file, containing keys for the s_server
-+service principal (Kerberos identity; see -krb5svc).
-+
- =item B<-state>
-
- prints out the SSL session states.
diff --git a/SOURCES/openssl-1.0.1e-manfix.patch b/SOURCES/openssl-1.0.1e-manfix.patch
deleted file mode 100644
index 4ba2abb..0000000
--- a/SOURCES/openssl-1.0.1e-manfix.patch
+++ /dev/null
@@ -1,555 +0,0 @@
-diff -up openssl-1.0.1e/doc/apps/cms.pod.manfix openssl-1.0.1e/doc/apps/cms.pod
---- openssl-1.0.1e/doc/apps/cms.pod.manfix 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/doc/apps/cms.pod 2013-09-12 11:17:42.147092310 +0200
-@@ -450,28 +450,28 @@ remains DER.
-
- =over 4
-
--=item 0
-+=item C<0>
-
- the operation was completely successfully.
-
--=item 1
-+=item C<1>
-
- an error occurred parsing the command options.
-
--=item 2
-+=item C<2>
-
- one of the input files could not be read.
-
--=item 3
-+=item C<3>
-
- an error occurred creating the CMS file or when reading the MIME
- message.
-
--=item 4
-+=item C<4>
-
- an error occurred decrypting or verifying the message.
-
--=item 5
-+=item C<5>
-
- the message was verified correctly but an error occurred writing out
- the signers certificates.
-diff -up openssl-1.0.1e/doc/apps/ec.pod.manfix openssl-1.0.1e/doc/apps/ec.pod
---- openssl-1.0.1e/doc/apps/ec.pod.manfix 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/doc/apps/ec.pod 2013-09-12 11:17:42.147092310 +0200
-@@ -93,10 +93,6 @@ prints out the public, private key compo
-
- this option prevents output of the encoded version of the key.
-
--=item B<-modulus>
--
--this option prints out the value of the public key component of the key.
--
- =item B<-pubin>
-
- by default a private key is read from the input file: with this option a
-diff -up openssl-1.0.1e/doc/apps/openssl.pod.manfix openssl-1.0.1e/doc/apps/openssl.pod
---- openssl-1.0.1e/doc/apps/openssl.pod.manfix 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/doc/apps/openssl.pod 2013-09-12 11:17:42.148092331 +0200
-@@ -163,7 +163,7 @@ Create or examine a netscape certificate
-
- Online Certificate Status Protocol utility.
-
--=item L<B<passwd>|passwd(1)>
-+=item L<B<passwd>|sslpasswd(1)>
-
- Generation of hashed passwords.
-
-@@ -187,7 +187,7 @@ Public key algorithm parameter managemen
-
- Public key algorithm cryptographic operation utility.
-
--=item L<B<rand>|rand(1)>
-+=item L<B<rand>|sslrand(1)>
-
- Generate pseudo-random bytes.
-
-@@ -401,9 +401,9 @@ L<crl(1)|crl(1)>, L<crl2pkcs7(1)|crl2pkc
- L<dhparam(1)|dhparam(1)>, L<dsa(1)|dsa(1)>, L<dsaparam(1)|dsaparam(1)>,
- L<enc(1)|enc(1)>, L<gendsa(1)|gendsa(1)>, L<genpkey(1)|genpkey(1)>,
- L<genrsa(1)|genrsa(1)>, L<nseq(1)|nseq(1)>, L<openssl(1)|openssl(1)>,
--L<passwd(1)|passwd(1)>,
-+L<sslpasswd(1)|sslpasswd(1)>,
- L<pkcs12(1)|pkcs12(1)>, L<pkcs7(1)|pkcs7(1)>, L<pkcs8(1)|pkcs8(1)>,
--L<rand(1)|rand(1)>, L<req(1)|req(1)>, L<rsa(1)|rsa(1)>,
-+L<sslrand(1)|sslrand(1)>, L<req(1)|req(1)>, L<rsa(1)|rsa(1)>,
- L<rsautl(1)|rsautl(1)>, L<s_client(1)|s_client(1)>,
- L<s_server(1)|s_server(1)>, L<s_time(1)|s_time(1)>,
- L<smime(1)|smime(1)>, L<spkac(1)|spkac(1)>,
-diff -up openssl-1.0.1e/doc/apps/s_client.pod.manfix openssl-1.0.1e/doc/apps/s_client.pod
---- openssl-1.0.1e/doc/apps/s_client.pod.manfix 2013-09-12 11:17:41.517078502 +0200
-+++ openssl-1.0.1e/doc/apps/s_client.pod 2013-09-12 11:17:42.149092353 +0200
-@@ -32,9 +32,14 @@ B<openssl> B<s_client>
- [B<-ssl2>]
- [B<-ssl3>]
- [B<-tls1>]
-+[B<-tls1_1>]
-+[B<-tls1_2>]
-+[B<-dtls1>]
- [B<-no_ssl2>]
- [B<-no_ssl3>]
- [B<-no_tls1>]
-+[B<-no_tls1_1>]
-+[B<-no_tls1_2>]
- [B<-bugs>]
- [B<-cipher cipherlist>]
- [B<-starttls protocol>]
-@@ -44,6 +49,7 @@ B<openssl> B<s_client>
- [B<-sess_out filename>]
- [B<-sess_in filename>]
- [B<-rand file(s)>]
-+[B<-nextprotoneg protocols>]
-
- =head1 DESCRIPTION
-
-@@ -182,7 +188,7 @@ Use the PSK key B<key> when using a PSK
- given as a hexadecimal number without leading 0x, for example -psk
- 1a2b3c4d.
-
--=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>
-+=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
-
- these options disable the use of certain SSL or TLS protocols. By default
- the initial handshake uses a method which should be compatible with all
-@@ -243,6 +249,17 @@ Multiple files can be specified separate
- The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
- all others.
-
-+=item B<-nextprotoneg protocols>
-+
-+enable Next Protocol Negotiation TLS extension and provide a list of
-+comma-separated protocol names that the client should advertise
-+support for. The list should contain most wanted protocols first.
-+Protocol names are printable ASCII strings, for example "http/1.1" or
-+"spdy/3".
-+Empty list of protocols is treated specially and will cause the client to
-+advertise support for the TLS extension but disconnect just after
-+reciving ServerHello with a list of server supported protocols.
-+
- =back
-
- =head1 CONNECTED COMMANDS
-diff -up openssl-1.0.1e/doc/apps/smime.pod.manfix openssl-1.0.1e/doc/apps/smime.pod
---- openssl-1.0.1e/doc/apps/smime.pod.manfix 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/doc/apps/smime.pod 2013-09-12 11:17:42.150092375 +0200
-@@ -308,28 +308,28 @@ remains DER.
-
- =over 4
-
--=item 0
-+=item C<0>
-
- the operation was completely successfully.
-
--=item 1
-+=item C<1>
-
- an error occurred parsing the command options.
-
--=item 2
-+=item C<2>
-
- one of the input files could not be read.
-
--=item 3
-+=item C<3>
-
- an error occurred creating the PKCS#7 file or when reading the MIME
- message.
-
--=item 4
-+=item C<4>
-
- an error occurred decrypting or verifying the message.
-
--=item 5
-+=item C<5>
-
- the message was verified correctly but an error occurred writing out
- the signers certificates.
-diff -up openssl-1.0.1e/doc/apps/s_server.pod.manfix openssl-1.0.1e/doc/apps/s_server.pod
---- openssl-1.0.1e/doc/apps/s_server.pod.manfix 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/doc/apps/s_server.pod 2013-09-12 11:17:42.150092375 +0200
-@@ -40,10 +40,16 @@ B<openssl> B<s_server>
- [B<-ssl2>]
- [B<-ssl3>]
- [B<-tls1>]
-+[B<-tls1_1>]
-+[B<-tls1_2>]
-+[B<-dtls1>]
- [B<-no_ssl2>]
- [B<-no_ssl3>]
- [B<-no_tls1>]
-+[B<-no_tls1_1>]
-+[B<-no_tls1_2>]
- [B<-no_dhe>]
-+[B<-no_ecdhe>]
- [B<-bugs>]
- [B<-hack>]
- [B<-www>]
-@@ -54,6 +60,7 @@ B<openssl> B<s_server>
- [B<-no_ticket>]
- [B<-id_prefix arg>]
- [B<-rand file(s)>]
-+[B<-nextprotoneg protocols>]
-
- =head1 DESCRIPTION
-
-@@ -131,6 +138,10 @@ a static set of parameters hard coded in
- if this option is set then no DH parameters will be loaded effectively
- disabling the ephemeral DH cipher suites.
-
-+=item B<-no_ecdhe>
-+
-+if this option is set then ephemeral ECDH cipher suites will be disabled.
-+
- =item B<-no_tmp_rsa>
-
- certain export cipher suites sometimes use a temporary RSA key, this option
-@@ -201,7 +212,7 @@ Use the PSK key B<key> when using a PSK
- given as a hexadecimal number without leading 0x, for example -psk
- 1a2b3c4d.
-
--=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>
-+=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
-
- these options disable the use of certain SSL or TLS protocols. By default
- the initial handshake uses a method which should be compatible with all
-@@ -276,6 +287,14 @@ Multiple files can be specified separate
- The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
- all others.
-
-+=item B<-nextprotoneg protocols>
-+
-+enable Next Protocol Negotiation TLS extension and provide a
-+comma-separated list of supported protocol names.
-+The list should contain most wanted protocols first.
-+Protocol names are printable ASCII strings, for example "http/1.1" or
-+"spdy/3".
-+
- =back
-
- =head1 CONNECTED COMMANDS
-diff -up openssl-1.0.1e/doc/apps/verify.pod.manfix openssl-1.0.1e/doc/apps/verify.pod
---- openssl-1.0.1e/doc/apps/verify.pod.manfix 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/doc/apps/verify.pod 2013-09-12 11:25:13.994994992 +0200
-@@ -25,6 +25,7 @@ B<openssl> B<verify>
- [B<-untrusted file>]
- [B<-help>]
- [B<-issuer_checks>]
-+[B<-attime timestamp>]
- [B<-verbose>]
- [B<->]
- [certificates]
-@@ -80,6 +81,12 @@ rejected. The presence of rejection mess
- anything is wrong; during the normal verification process, several
- rejections may take place.
-
-+=item B<-attime timestamp>
-+
-+Perform validation checks using the time specified by B<timestamp> and not
-+the current system time. B<timestamp> is the number of seconds since
-+01.01.1970 (UNIX time).
-+
- =item B<-policy arg>
-
- Enable policy processing and add B<arg> to the user-initial-policy-set (see
-diff -up openssl-1.0.1e/doc/ssl/SSL_accept.pod.manfix openssl-1.0.1e/doc/ssl/SSL_accept.pod
---- openssl-1.0.1e/doc/ssl/SSL_accept.pod.manfix 2013-09-12 11:17:42.129091915 +0200
-+++ openssl-1.0.1e/doc/ssl/SSL_accept.pod 2013-09-12 11:17:42.156092507 +0200
-@@ -44,13 +44,13 @@ The following return values can occur:
-
- =over 4
-
--=item 0
-+=item C<0>
-
- The TLS/SSL handshake was not successful but was shut down controlled and
- by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
- return value B<ret> to find out the reason.
-
--=item 1
-+=item C<1>
-
- The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
- established.
-diff -up openssl-1.0.1e/doc/ssl/SSL_clear.pod.manfix openssl-1.0.1e/doc/ssl/SSL_clear.pod
---- openssl-1.0.1e/doc/ssl/SSL_clear.pod.manfix 2013-02-11 16:02:48.000000000 +0100
-+++ openssl-1.0.1e/doc/ssl/SSL_clear.pod 2013-09-12 11:17:42.158092551 +0200
-@@ -56,12 +56,12 @@ The following return values can occur:
-
- =over 4
-
--=item 0
-+=item C<0>
-
- The SSL_clear() operation could not be performed. Check the error stack to
- find out the reason.
-
--=item 1
-+=item C<1>
-
- The SSL_clear() operation was successful.
-
-diff -up openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod.manfix openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod
---- openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod.manfix 2013-09-12 11:17:42.049090162 +0200
-+++ openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod 2013-09-12 11:17:42.159092573 +0200
-@@ -60,11 +60,11 @@ SSL_COMP_add_compression_method() may re
-
- =over 4
-
--=item 0
-+=item C<0>
-
- The operation succeeded.
-
--=item 1
-+=item C<1>
-
- The operation failed. Check the error queue to find out the reason.
-
-diff -up openssl-1.0.1e/doc/ssl/SSL_connect.pod.manfix openssl-1.0.1e/doc/ssl/SSL_connect.pod
---- openssl-1.0.1e/doc/ssl/SSL_connect.pod.manfix 2013-09-12 11:17:42.130091937 +0200
-+++ openssl-1.0.1e/doc/ssl/SSL_connect.pod 2013-09-12 11:17:42.161092616 +0200
-@@ -41,13 +41,13 @@ The following return values can occur:
-
- =over 4
-
--=item 0
-+=item C<0>
-
- The TLS/SSL handshake was not successful but was shut down controlled and
- by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
- return value B<ret> to find out the reason.
-
--=item 1
-+=item C<1>
-
- The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
- established.
-diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_add_session.pod.manfix openssl-1.0.1e/doc/ssl/SSL_CTX_add_session.pod
---- openssl-1.0.1e/doc/ssl/SSL_CTX_add_session.pod.manfix 2013-02-11 16:02:48.000000000 +0100
-+++ openssl-1.0.1e/doc/ssl/SSL_CTX_add_session.pod 2013-09-12 11:17:42.162092638 +0200
-@@ -52,13 +52,13 @@ The following values are returned by all
-
- =over 4
-
--=item 0
-+=item C<0>
-
- The operation failed. In case of the add operation, it was tried to add
- the same (identical) session twice. In case of the remove operation, the
- session was not found in the cache.
-
--=item 1
-+=item C<1>
-
- The operation succeeded.
-
-diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_load_verify_locations.pod.manfix openssl-1.0.1e/doc/ssl/SSL_CTX_load_verify_locations.pod
---- openssl-1.0.1e/doc/ssl/SSL_CTX_load_verify_locations.pod.manfix 2013-02-11 16:02:48.000000000 +0100
-+++ openssl-1.0.1e/doc/ssl/SSL_CTX_load_verify_locations.pod 2013-09-12 11:17:42.163092660 +0200
-@@ -100,13 +100,13 @@ The following return values can occur:
-
- =over 4
-
--=item 0
-+=item C<0>
-
- The operation failed because B<CAfile> and B<CApath> are NULL or the
- processing at one of the locations specified failed. Check the error
- stack to find out the reason.
-
--=item 1
-+=item C<1>
-
- The operation succeeded.
-
-diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod.manfix openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod
---- openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod.manfix 2013-09-12 11:17:42.132091981 +0200
-+++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod 2013-09-12 11:17:42.164092682 +0200
-@@ -66,13 +66,13 @@ values:
-
- =over 4
-
--=item 0
-+=item C<0>
-
- A failure while manipulating the STACK_OF(X509_NAME) object occurred or
- the X509_NAME could not be extracted from B<cacert>. Check the error stack
- to find out the reason.
-
--=item 1
-+=item C<1>
-
- The operation succeeded.
-
-diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_set_session_id_context.pod.manfix openssl-1.0.1e/doc/ssl/SSL_CTX_set_session_id_context.pod
---- openssl-1.0.1e/doc/ssl/SSL_CTX_set_session_id_context.pod.manfix 2013-02-11 16:02:48.000000000 +0100
-+++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_session_id_context.pod 2013-09-12 11:17:42.166092726 +0200
-@@ -64,13 +64,13 @@ return the following values:
-
- =over 4
-
--=item 0
-+=item C<0>
-
- The length B<sid_ctx_len> of the session id context B<sid_ctx> exceeded
- the maximum allowed length of B<SSL_MAX_SSL_SESSION_ID_LENGTH>. The error
- is logged to the error stack.
-
--=item 1
-+=item C<1>
-
- The operation succeeded.
-
-diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_set_ssl_version.pod.manfix openssl-1.0.1e/doc/ssl/SSL_CTX_set_ssl_version.pod
---- openssl-1.0.1e/doc/ssl/SSL_CTX_set_ssl_version.pod.manfix 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_ssl_version.pod 2013-09-12 11:17:42.167092748 +0200
-@@ -42,11 +42,11 @@ and SSL_set_ssl_method():
-
- =over 4
-
--=item 0
-+=item C<0>
-
- The new choice failed, check the error stack to find out the reason.
-
--=item 1
-+=item C<1>
-
- The operation succeeded.
-
-diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod.manfix openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
---- openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod.manfix 2013-09-12 11:17:42.133092003 +0200
-+++ openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod 2013-09-12 11:17:42.168092770 +0200
-@@ -96,7 +96,7 @@ data to B<psk> and return the length of
- connection will fail with decryption_error before it will be finished
- completely.
-
--=item 0
-+=item C<0>
-
- PSK identity was not found. An "unknown_psk_identity" alert message
- will be sent and the connection setup fails.
-diff -up openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod.manfix openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod
---- openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod.manfix 2013-09-12 11:17:42.135092047 +0200
-+++ openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod 2013-09-12 11:17:42.170092814 +0200
-@@ -45,13 +45,13 @@ The following return values can occur:
-
- =over 4
-
--=item 0
-+=item C<0>
-
- The TLS/SSL handshake was not successful but was shut down controlled and
- by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
- return value B<ret> to find out the reason.
-
--=item 1
-+=item C<1>
-
- The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
- established.
-diff -up openssl-1.0.1e/doc/ssl/SSL_read.pod.manfix openssl-1.0.1e/doc/ssl/SSL_read.pod
---- openssl-1.0.1e/doc/ssl/SSL_read.pod.manfix 2013-02-11 16:02:48.000000000 +0100
-+++ openssl-1.0.1e/doc/ssl/SSL_read.pod 2013-09-12 11:17:42.171092836 +0200
-@@ -86,7 +86,7 @@ The following return values can occur:
- The read operation was successful; the return value is the number of
- bytes actually read from the TLS/SSL connection.
-
--=item 0
-+=item C<0>
-
- The read operation was not successful. The reason may either be a clean
- shutdown due to a "close notify" alert sent by the peer (in which case
-diff -up openssl-1.0.1e/doc/ssl/SSL_session_reused.pod.manfix openssl-1.0.1e/doc/ssl/SSL_session_reused.pod
---- openssl-1.0.1e/doc/ssl/SSL_session_reused.pod.manfix 2013-02-11 16:02:48.000000000 +0100
-+++ openssl-1.0.1e/doc/ssl/SSL_session_reused.pod 2013-09-12 11:17:42.172092857 +0200
-@@ -27,11 +27,11 @@ The following return values can occur:
-
- =over 4
-
--=item 0
-+=item C<0>
-
- A new session was negotiated.
-
--=item 1
-+=item C<1>
-
- A session was reused.
-
-diff -up openssl-1.0.1e/doc/ssl/SSL_set_fd.pod.manfix openssl-1.0.1e/doc/ssl/SSL_set_fd.pod
---- openssl-1.0.1e/doc/ssl/SSL_set_fd.pod.manfix 2013-02-11 16:02:48.000000000 +0100
-+++ openssl-1.0.1e/doc/ssl/SSL_set_fd.pod 2013-09-12 11:17:42.174092901 +0200
-@@ -35,11 +35,11 @@ The following return values can occur:
-
- =over 4
-
--=item 0
-+=item C<0>
-
- The operation failed. Check the error stack to find out why.
-
--=item 1
-+=item C<1>
-
- The operation succeeded.
-
-diff -up openssl-1.0.1e/doc/ssl/SSL_set_session.pod.manfix openssl-1.0.1e/doc/ssl/SSL_set_session.pod
---- openssl-1.0.1e/doc/ssl/SSL_set_session.pod.manfix 2013-02-11 16:02:48.000000000 +0100
-+++ openssl-1.0.1e/doc/ssl/SSL_set_session.pod 2013-09-12 11:17:42.175092923 +0200
-@@ -37,11 +37,11 @@ The following return values can occur:
-
- =over 4
-
--=item 0
-+=item C<0>
-
- The operation failed; check the error stack to find out the reason.
-
--=item 1
-+=item C<1>
-
- The operation succeeded.
-
-diff -up openssl-1.0.1e/doc/ssl/SSL_shutdown.pod.manfix openssl-1.0.1e/doc/ssl/SSL_shutdown.pod
---- openssl-1.0.1e/doc/ssl/SSL_shutdown.pod.manfix 2013-09-12 11:17:42.137092090 +0200
-+++ openssl-1.0.1e/doc/ssl/SSL_shutdown.pod 2013-09-12 11:17:42.177092967 +0200
-@@ -92,14 +92,14 @@ The following return values can occur:
-
- =over 4
-
--=item 0
-+=item C<0>
-
- The shutdown is not yet finished. Call SSL_shutdown() for a second time,
- if a bidirectional shutdown shall be performed.
- The output of L<SSL_get_error(3)|SSL_get_error(3)> may be misleading, as an
- erroneous SSL_ERROR_SYSCALL may be flagged even though no error occurred.
-
--=item 1
-+=item C<1>
-
- The shutdown was successfully completed. The "close notify" alert was sent
- and the peer's "close notify" alert was received.
-diff -up openssl-1.0.1e/doc/ssl/SSL_write.pod.manfix openssl-1.0.1e/doc/ssl/SSL_write.pod
---- openssl-1.0.1e/doc/ssl/SSL_write.pod.manfix 2013-02-11 16:02:48.000000000 +0100
-+++ openssl-1.0.1e/doc/ssl/SSL_write.pod 2013-09-12 11:17:42.177092967 +0200
-@@ -79,7 +79,7 @@ The following return values can occur:
- The write operation was successful, the return value is the number of
- bytes actually written to the TLS/SSL connection.
-
--=item 0
-+=item C<0>
-
- The write operation was not successful. Probably the underlying connection
- was closed. Call SSL_get_error() with the return value B<ret> to find out,
diff --git a/SOURCES/openssl-1.0.1e-new-fips-reqs.patch b/SOURCES/openssl-1.0.1e-new-fips-reqs.patch
deleted file mode 100644
index 80e5162..0000000
--- a/SOURCES/openssl-1.0.1e-new-fips-reqs.patch
+++ /dev/null
@@ -1,1695 +0,0 @@
-diff -up openssl-1.0.1e/crypto/bn/bn_rand.c.fips-reqs openssl-1.0.1e/crypto/bn/bn_rand.c
---- openssl-1.0.1e/crypto/bn/bn_rand.c.fips-reqs 2013-02-11 16:02:47.000000000 +0100
-+++ openssl-1.0.1e/crypto/bn/bn_rand.c 2014-02-13 16:50:34.280893285 +0100
-@@ -138,9 +138,12 @@ static int bnrand(int pseudorand, BIGNUM
- goto err;
- }
-
-- /* make a random number and set the top and bottom bits */
-- time(&tim);
-- RAND_add(&tim,sizeof(tim),0.0);
-+ if (!FIPS_mode()) /* in FIPS mode the RNG is always properly seeded or the module fails */
-+ {
-+ /* make a random number and set the top and bottom bits */
-+ time(&tim);
-+ RAND_add(&tim,sizeof(tim),0.0);
-+ }
-
- if (pseudorand)
- {
-diff -up openssl-1.0.1e/crypto/dh/dh_gen.c.fips-reqs openssl-1.0.1e/crypto/dh/dh_gen.c
---- openssl-1.0.1e/crypto/dh/dh_gen.c.fips-reqs 2013-12-18 12:17:09.748636614 +0100
-+++ openssl-1.0.1e/crypto/dh/dh_gen.c 2013-12-18 12:17:09.798637687 +0100
-@@ -125,7 +125,7 @@ static int dh_builtin_genparams(DH *ret,
- return 0;
- }
-
-- if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS))
-+ if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN))
- {
- DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL);
- goto err;
-diff -up openssl-1.0.1e/crypto/dh/dh.h.fips-reqs openssl-1.0.1e/crypto/dh/dh.h
---- openssl-1.0.1e/crypto/dh/dh.h.fips-reqs 2013-12-18 12:17:09.748636614 +0100
-+++ openssl-1.0.1e/crypto/dh/dh.h 2013-12-18 12:17:09.798637687 +0100
-@@ -78,6 +78,7 @@
- #endif
-
- #define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
-+#define OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN (getenv("OPENSSL_ENFORCE_MODULUS_BITS")?2048:1024)
-
- #define DH_FLAG_CACHE_MONT_P 0x01
- #define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH
-diff -up openssl-1.0.1e/crypto/dh/dh_check.c.fips-reqs openssl-1.0.1e/crypto/dh/dh_check.c
---- openssl-1.0.1e/crypto/dh/dh_check.c.fips-reqs 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/dh/dh_check.c 2013-12-18 12:17:09.799637708 +0100
-@@ -134,7 +134,33 @@ int DH_check_pub_key(const DH *dh, const
- BN_sub_word(q,1);
- if (BN_cmp(pub_key,q)>=0)
- *ret|=DH_CHECK_PUBKEY_TOO_LARGE;
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode() && dh->q != NULL)
-+ {
-+ BN_CTX *ctx = NULL;
-
-+ ctx = BN_CTX_new();
-+ if (ctx == NULL)
-+ goto err;
-+
-+ if (BN_mod_exp_mont(q, pub_key, dh->q, dh->p, ctx, NULL) <= 0)
-+ {
-+ BN_CTX_free(ctx);
-+ goto err;
-+ }
-+ if (!BN_is_one(q))
-+ {
-+ /* it would be more correct to add new return flag
-+ * for this test, but we do not want to do it
-+ * so just error out
-+ */
-+ BN_CTX_free(ctx);
-+ goto err;
-+ }
-+
-+ BN_CTX_free(ctx);
-+ }
-+#endif
- ok = 1;
- err:
- if (q != NULL) BN_free(q);
-diff -up openssl-1.0.1e/crypto/dsa/dsa_gen.c.fips-reqs openssl-1.0.1e/crypto/dsa/dsa_gen.c
---- openssl-1.0.1e/crypto/dsa/dsa_gen.c.fips-reqs 2013-12-18 12:17:09.749636636 +0100
-+++ openssl-1.0.1e/crypto/dsa/dsa_gen.c 2013-12-18 12:17:09.799637708 +0100
-@@ -159,7 +159,7 @@ int dsa_builtin_paramgen(DSA *ret, size_
- }
-
- if (FIPS_module_mode() &&
-- (bits != 1024 || qbits != 160) &&
-+ (getenv("OPENSSL_ENFORCE_MODULUS_BITS") || bits != 1024 || qbits != 160) &&
- (bits != 2048 || qbits != 224) &&
- (bits != 2048 || qbits != 256) &&
- (bits != 3072 || qbits != 256))
-diff -up openssl-1.0.1e/crypto/dsa/dsa.h.fips-reqs openssl-1.0.1e/crypto/dsa/dsa.h
---- openssl-1.0.1e/crypto/dsa/dsa.h.fips-reqs 2013-12-18 12:17:09.749636636 +0100
-+++ openssl-1.0.1e/crypto/dsa/dsa.h 2013-12-18 12:17:09.799637708 +0100
-@@ -89,6 +89,7 @@
- #endif
-
- #define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS 1024
-+#define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS_GEN (getenv("OPENSSL_ENFORCE_MODULUS_BITS")?2048:1024)
-
- #define DSA_FLAG_CACHE_MONT_P 0x01
- #define DSA_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DSA
-@@ -254,9 +255,9 @@ int DSAparams_print_fp(FILE *fp, const D
- int DSA_print_fp(FILE *bp, const DSA *x, int off);
- #endif
-
--#define DSS_prime_checks 50
--/* Primality test according to FIPS PUB 186[-1], Appendix 2.1:
-- * 50 rounds of Rabin-Miller */
-+#define DSS_prime_checks 64
-+/* Primality test according to FIPS PUB 186[-4], Appendix 2.1:
-+ * 64 rounds of Rabin-Miller */
- #define DSA_is_prime(n, callback, cb_arg) \
- BN_is_prime(n, DSS_prime_checks, callback, NULL, cb_arg)
-
-diff -up openssl-1.0.1e/crypto/dsa/dsa_key.c.fips-reqs openssl-1.0.1e/crypto/dsa/dsa_key.c
---- openssl-1.0.1e/crypto/dsa/dsa_key.c.fips-reqs 2013-12-18 12:17:09.797637665 +0100
-+++ openssl-1.0.1e/crypto/dsa/dsa_key.c 2013-12-18 12:17:09.799637708 +0100
-@@ -127,7 +127,7 @@ static int dsa_builtin_keygen(DSA *dsa)
-
- #ifdef OPENSSL_FIPS
- if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
-- && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
-+ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS_GEN))
- {
- DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL);
- goto err;
-diff -up openssl-1.0.1e/crypto/fips/fips.c.fips-reqs openssl-1.0.1e/crypto/fips/fips.c
---- openssl-1.0.1e/crypto/fips/fips.c.fips-reqs 2014-09-24 16:38:43.000000000 +0200
-+++ openssl-1.0.1e/crypto/fips/fips.c 2014-09-24 16:37:28.000000000 +0200
-@@ -427,27 +427,25 @@ int FIPS_module_mode_set(int onoff, cons
- ret = 0;
- goto end;
- }
-- OPENSSL_ia32cap_P[0] |= (1<<28); /* set "shared cache" */
-- OPENSSL_ia32cap_P[1] &= ~(1<<(60-32)); /* clear AVX */
- }
- #endif
-
-- if(!verify_checksums())
-+ if(!FIPS_selftest())
- {
-- FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
- fips_selftest_fail = 1;
- ret = 0;
- goto end;
- }
-
-- if(FIPS_selftest())
-- fips_set_mode(onoff);
-- else
-+ if(!verify_checksums())
- {
-+ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
- fips_selftest_fail = 1;
- ret = 0;
- goto end;
- }
-+
-+ fips_set_mode(onoff);
- ret = 1;
- goto end;
- }
-diff -up openssl-1.0.1e/crypto/fips/fips_dh_selftest.c.fips-reqs openssl-1.0.1e/crypto/fips/fips_dh_selftest.c
---- openssl-1.0.1e/crypto/fips/fips_dh_selftest.c.fips-reqs 2013-12-18 17:06:36.575114314 +0100
-+++ openssl-1.0.1e/crypto/fips/fips_dh_selftest.c 2013-12-18 17:26:14.409036334 +0100
-@@ -0,0 +1,162 @@
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ * Copyright (c) 2013 Red Hat, Inc.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <string.h>
-+#include <openssl/crypto.h>
-+#include <openssl/dh.h>
-+#include <openssl/fips.h>
-+#include <openssl/err.h>
-+#include <openssl/evp.h>
-+#include <openssl/bn.h>
-+#include "fips_locl.h"
-+
-+#ifdef OPENSSL_FIPS
-+
-+static const unsigned char dh_test_2048_p[] = {
-+ 0xAE,0xEC,0xEE,0x22,0xFA,0x3A,0xA5,0x22,0xC0,0xDE,0x0F,0x09,
-+ 0x7E,0x17,0xC0,0x05,0xF9,0xF1,0xE7,0xC6,0x87,0x14,0x6D,0x11,
-+ 0xE7,0xAE,0xED,0x2F,0x72,0x59,0xC5,0xA9,0x9B,0xB8,0x02,0xA5,
-+ 0xF3,0x69,0x70,0xD6,0xDD,0x90,0xF9,0x19,0x79,0xBE,0x60,0x8F,
-+ 0x25,0x92,0x30,0x1C,0x51,0x51,0x38,0x26,0x82,0x25,0xE6,0xFC,
-+ 0xED,0x65,0x96,0x8F,0x57,0xE5,0x53,0x8B,0x38,0x63,0xC7,0xCE,
-+ 0xBC,0x1B,0x4D,0x18,0x2A,0x5B,0x04,0x3F,0x6A,0x3C,0x94,0x39,
-+ 0xAE,0x36,0xD6,0x5E,0x0F,0xA2,0xCC,0xD0,0xD4,0xD5,0xC6,0x1E,
-+ 0xF6,0xA0,0xF5,0x89,0x4E,0xB4,0x0B,0xA4,0xB3,0x2B,0x3D,0xE2,
-+ 0x4E,0xE1,0x49,0x25,0x99,0x5F,0x32,0x16,0x33,0x32,0x1B,0x7A,
-+ 0xA5,0x5C,0x6B,0x34,0x0D,0x39,0x99,0xDC,0xF0,0x76,0xE5,0x5A,
-+ 0xD4,0x71,0x00,0xED,0x5A,0x73,0xFB,0xC8,0x01,0xAD,0x99,0xCF,
-+ 0x99,0x52,0x7C,0x9C,0x64,0xC6,0x76,0x40,0x57,0xAF,0x59,0xD7,
-+ 0x38,0x0B,0x40,0xDE,0x33,0x0D,0xB8,0x76,0xEC,0xA9,0xD8,0x73,
-+ 0xF8,0xEF,0x26,0x66,0x06,0x27,0xDD,0x7C,0xA4,0x10,0x9C,0xA6,
-+ 0xAA,0xF9,0x53,0x62,0x73,0x1D,0xBA,0x1C,0xF1,0x67,0xF4,0x35,
-+ 0xED,0x6F,0x37,0x92,0xE8,0x4F,0x6C,0xBA,0x52,0x6E,0xA1,0xED,
-+ 0xDA,0x9F,0x85,0x11,0x82,0x52,0x62,0x08,0x44,0xF1,0x30,0x03,
-+ 0xC3,0x38,0x2C,0x79,0xBD,0xD4,0x43,0x45,0xEE,0x8E,0x50,0xFC,
-+ 0x29,0x46,0x9A,0xFE,0x54,0x1A,0x19,0x8F,0x4B,0x84,0x08,0xDE,
-+ 0x20,0x62,0x73,0xCC,0xDD,0x7E,0xF0,0xEF,0xA2,0xFD,0x86,0x58,
-+ 0x4B,0xD8,0x37,0xEB
-+};
-+
-+static const unsigned char dh_test_2048_g[] = {
-+ 0x02
-+};
-+
-+static const unsigned char dh_test_2048_pub_key[] = {
-+ 0xA0,0x39,0x11,0x77,0x9A,0xC1,0x30,0x1F,0xBE,0x48,0xA7,0xAA,
-+ 0xA0,0x84,0x54,0x64,0xAD,0x1B,0x70,0xFA,0x13,0x55,0x63,0xD2,
-+ 0x1F,0x62,0x32,0x93,0x8E,0xC9,0x3E,0x09,0xA7,0x64,0xE4,0x12,
-+ 0x6E,0x1B,0xF2,0x92,0x3B,0xB9,0xCB,0x56,0xEA,0x07,0x88,0xB5,
-+ 0xA6,0xBC,0x16,0x1F,0x27,0xFE,0xD8,0xAA,0x40,0xB2,0xB0,0x2D,
-+ 0x37,0x76,0xA6,0xA4,0x82,0x2C,0x0E,0x22,0x64,0x9D,0xCB,0xD1,
-+ 0x00,0xB7,0x89,0x14,0x72,0x4E,0xBE,0x48,0x41,0xF8,0xB2,0x51,
-+ 0x11,0x09,0x4B,0x22,0x01,0x23,0x39,0x96,0xE0,0x15,0xD7,0x9F,
-+ 0x60,0xD1,0xB7,0xAE,0xFE,0x5F,0xDB,0xE7,0x03,0x17,0x97,0xA6,
-+ 0x16,0x74,0xBD,0x53,0x81,0x19,0xC5,0x47,0x5E,0xCE,0x8D,0xED,
-+ 0x45,0x5D,0x3C,0x00,0xA0,0x0A,0x68,0x6A,0xE0,0x8E,0x06,0x46,
-+ 0x6F,0xD7,0xF9,0xDF,0x31,0x7E,0x77,0x44,0x0D,0x98,0xE0,0xCA,
-+ 0x98,0x09,0x52,0x04,0x90,0xEA,0x6D,0xF4,0x30,0x69,0x8F,0xB1,
-+ 0x9B,0xC1,0x43,0xDB,0xD5,0x8D,0xC8,0x8E,0xB6,0x0B,0x05,0xBE,
-+ 0x0E,0xC5,0x99,0xC8,0x6E,0x4E,0xF3,0xCB,0xC3,0x5E,0x9B,0x53,
-+ 0xF7,0x06,0x1C,0x4F,0xC7,0xB8,0x6E,0x30,0x18,0xCA,0x9B,0xB9,
-+ 0xBC,0x5F,0x17,0x72,0x29,0x5A,0xE5,0xD9,0x96,0xB7,0x0B,0xF3,
-+ 0x2D,0x8C,0xF1,0xE1,0x0E,0x0D,0x74,0xD5,0x9D,0xF0,0x06,0xA9,
-+ 0xB4,0x95,0x63,0x76,0x46,0x55,0x48,0x82,0x39,0x90,0xEF,0x56,
-+ 0x75,0x34,0xB8,0x34,0xC3,0x18,0x6E,0x1E,0xAD,0xE3,0x48,0x7E,
-+ 0x93,0x2C,0x23,0xE7,0xF8,0x90,0x73,0xB1,0x77,0x80,0x67,0xA9,
-+ 0x36,0x9E,0xDA,0xD2
-+};
-+
-+static const unsigned char dh_test_2048_priv_key[] = {
-+ 0x0C,0x4B,0x30,0x89,0xD1,0xB8,0x62,0xCB,0x3C,0x43,0x64,0x91,
-+ 0xF0,0x91,0x54,0x70,0xC5,0x27,0x96,0xE3,0xAC,0xBE,0xE8,0x00,
-+ 0xEC,0x55,0xF6,0xCC
-+};
-+
-+int FIPS_selftest_dh()
-+ {
-+ DH *dh = NULL;
-+ int ret = 0;
-+ void *pub_key = NULL;
-+ int len;
-+
-+ dh = DH_new();
-+
-+ if(dh == NULL)
-+ goto err;
-+
-+ fips_load_key_component(dh, p, dh_test_2048);
-+ fips_load_key_component(dh, g, dh_test_2048);
-+ /* note that the private key is much shorter than normally used
-+ * but still g ** priv_key > p
-+ */
-+ fips_load_key_component(dh, priv_key, dh_test_2048);
-+
-+ if (DH_generate_key(dh) <= 0)
-+ goto err;
-+
-+ len = BN_num_bytes(dh->pub_key);
-+ if ((pub_key = OPENSSL_malloc(len)) == NULL)
-+ goto err;
-+ BN_bn2bin(dh->pub_key, pub_key);
-+
-+ if (len != sizeof(dh_test_2048_pub_key) ||
-+ memcmp(pub_key, dh_test_2048_pub_key, len) != 0)
-+ goto err;
-+
-+ ret = 1;
-+
-+ err:
-+ if (dh)
-+ DH_free(dh);
-+
-+ OPENSSL_free(pub_key);
-+ return ret;
-+ }
-+#endif
-diff -up openssl-1.0.1e/crypto/fips/fips_drbg_rand.c.fips-reqs openssl-1.0.1e/crypto/fips/fips_drbg_rand.c
---- openssl-1.0.1e/crypto/fips/fips_drbg_rand.c.fips-reqs 2013-12-18 12:17:09.757636808 +0100
-+++ openssl-1.0.1e/crypto/fips/fips_drbg_rand.c 2013-12-18 18:53:33.263711297 +0100
-@@ -77,7 +77,8 @@ static int fips_drbg_bytes(unsigned char
- int rv = 0;
- unsigned char *adin = NULL;
- size_t adinlen = 0;
-- CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-+ int locked;
-+ locked = private_RAND_lock(1);
- do
- {
- size_t rcnt;
-@@ -109,7 +110,8 @@ static int fips_drbg_bytes(unsigned char
- while (count);
- rv = 1;
- err:
-- CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-+ if (locked)
-+ private_RAND_lock(0);
- return rv;
- }
-
-@@ -124,35 +126,51 @@ static int fips_drbg_status(void)
- {
- DRBG_CTX *dctx = &ossl_dctx;
- int rv;
-- CRYPTO_r_lock(CRYPTO_LOCK_RAND);
-+ int locked;
-+ locked = private_RAND_lock(1);
- rv = dctx->status == DRBG_STATUS_READY ? 1 : 0;
-- CRYPTO_r_unlock(CRYPTO_LOCK_RAND);
-+ if (locked)
-+ private_RAND_lock(0);
- return rv;
- }
-
- static void fips_drbg_cleanup(void)
- {
- DRBG_CTX *dctx = &ossl_dctx;
-- CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-+ int locked;
-+ locked = private_RAND_lock(1);
- FIPS_drbg_uninstantiate(dctx);
-- CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-+ if (locked)
-+ private_RAND_lock(0);
- }
-
- static int fips_drbg_seed(const void *seed, int seedlen)
- {
- DRBG_CTX *dctx = &ossl_dctx;
-+ int locked;
-+ int ret = 1;
-+
-+ locked = private_RAND_lock(1);
- if (dctx->rand_seed_cb)
-- return dctx->rand_seed_cb(dctx, seed, seedlen);
-- return 1;
-+ ret = dctx->rand_seed_cb(dctx, seed, seedlen);
-+ if (locked)
-+ private_RAND_lock(0);
-+ return ret;
- }
-
- static int fips_drbg_add(const void *seed, int seedlen,
- double add_entropy)
- {
- DRBG_CTX *dctx = &ossl_dctx;
-+ int locked;
-+ int ret = 1;
-+
-+ locked = private_RAND_lock(1);
- if (dctx->rand_add_cb)
-- return dctx->rand_add_cb(dctx, seed, seedlen, add_entropy);
-- return 1;
-+ ret = dctx->rand_add_cb(dctx, seed, seedlen, add_entropy);
-+ if (locked)
-+ private_RAND_lock(0);
-+ return ret;
- }
-
- static const RAND_METHOD rand_drbg_meth =
-diff -up openssl-1.0.1e/crypto/fips/fips.h.fips-reqs openssl-1.0.1e/crypto/fips/fips.h
---- openssl-1.0.1e/crypto/fips/fips.h.fips-reqs 2013-12-18 12:17:09.000000000 +0100
-+++ openssl-1.0.1e/crypto/fips/fips.h 2013-12-18 17:13:00.928586689 +0100
-@@ -96,6 +96,7 @@ void FIPS_corrupt_dsa_keygen(void);
- int FIPS_selftest_dsa(void);
- int FIPS_selftest_ecdsa(void);
- int FIPS_selftest_ecdh(void);
-+int FIPS_selftest_dh(void);
- void FIPS_corrupt_rng(void);
- void FIPS_rng_stick(void);
- void FIPS_x931_stick(int onoff);
-diff -up openssl-1.0.1e/crypto/fips/fips_post.c.fips-reqs openssl-1.0.1e/crypto/fips/fips_post.c
---- openssl-1.0.1e/crypto/fips/fips_post.c.fips-reqs 2013-12-18 12:17:09.000000000 +0100
-+++ openssl-1.0.1e/crypto/fips/fips_post.c 2013-12-18 17:12:26.721832716 +0100
-@@ -99,6 +99,8 @@ int FIPS_selftest(void)
- rv = 0;
- if (!FIPS_selftest_dsa())
- rv = 0;
-+ if (!FIPS_selftest_dh())
-+ rv = 0;
- if (!FIPS_selftest_ecdh())
- rv = 0;
- return rv;
-diff -up openssl-1.0.1e/crypto/fips/fips_rsa_selftest.c.fips-reqs openssl-1.0.1e/crypto/fips/fips_rsa_selftest.c
---- openssl-1.0.1e/crypto/fips/fips_rsa_selftest.c.fips-reqs 2014-03-14 14:47:18.809259727 +0100
-+++ openssl-1.0.1e/crypto/fips/fips_rsa_selftest.c 2014-03-14 15:37:26.295687852 +0100
-@@ -60,69 +60,113 @@
- #ifdef OPENSSL_FIPS
-
- static const unsigned char n[] =
--"\x00\xBB\xF8\x2F\x09\x06\x82\xCE\x9C\x23\x38\xAC\x2B\x9D\xA8\x71"
--"\xF7\x36\x8D\x07\xEE\xD4\x10\x43\xA4\x40\xD6\xB6\xF0\x74\x54\xF5"
--"\x1F\xB8\xDF\xBA\xAF\x03\x5C\x02\xAB\x61\xEA\x48\xCE\xEB\x6F\xCD"
--"\x48\x76\xED\x52\x0D\x60\xE1\xEC\x46\x19\x71\x9D\x8A\x5B\x8B\x80"
--"\x7F\xAF\xB8\xE0\xA3\xDF\xC7\x37\x72\x3E\xE6\xB4\xB7\xD9\x3A\x25"
--"\x84\xEE\x6A\x64\x9D\x06\x09\x53\x74\x88\x34\xB2\x45\x45\x98\x39"
--"\x4E\xE0\xAA\xB1\x2D\x7B\x61\xA5\x1F\x52\x7A\x9A\x41\xF6\xC1\x68"
--"\x7F\xE2\x53\x72\x98\xCA\x2A\x8F\x59\x46\xF8\xE5\xFD\x09\x1D\xBD"
--"\xCB";
-+"\x00\xc9\xd5\x6d\x9d\x90\xdb\x43\xd6\x02\xed\x96\x88\x13\x8a"
-+"\xb2\xbf\x6e\xa1\x06\x10\xb2\x78\x37\xa7\x14\xa8\xff\xdd\x00"
-+"\xdd\xb4\x93\xa0\x45\xcc\x96\x90\xed\xad\xa9\xdd\xc4\xd6\xca"
-+"\x0c\xf0\xed\x4f\x72\x5e\x21\x49\x9a\x18\x12\x15\x8f\x90\x5a"
-+"\xdb\xb6\x33\x99\xa3\xe6\xb4\xf0\xc4\x97\x21\x26\xbb\xe3\xba"
-+"\xf2\xff\xa0\x72\xda\x89\x63\x8e\x8b\x3e\x08\x9d\x92\x2a\xbe"
-+"\x16\xe1\x43\x15\xfc\x57\xc7\x1f\x09\x11\x67\x1c\xa9\x96\xd1"
-+"\x8b\x3e\x80\x93\xc1\x59\xd0\x6d\x39\xf2\xac\x95\xcc\x10\x75"
-+"\xe9\x31\x24\xd1\x43\xaf\x68\x52\x4b\xe7\x16\xd7\x49\x65\x6f"
-+"\x26\xc0\x86\xad\xc0\x07\x0a\xc1\xe1\x2f\x87\x85\x86\x3b\xdc"
-+"\x5a\x99\xbe\xe9\xf9\xb9\xe9\x82\x27\x51\x04\x15\xab\x06\x0e"
-+"\x76\x5a\x28\x8d\x92\xbd\xc5\xb5\x7b\xa8\xdf\x4e\x47\xa2\xc1"
-+"\xe7\x52\xbf\x47\xf7\x62\xe0\x3a\x6f\x4d\x6a\x4d\x4e\xd4\xb9"
-+"\x59\x69\xfa\xb2\x14\xc1\xee\xe6\x2f\x95\xcd\x94\x72\xae\xe4"
-+"\xdb\x18\x9a\xc4\xcd\x70\xbd\xee\x31\x16\xb7\x49\x65\xac\x40"
-+"\x19\x0e\xb5\x6d\x83\xf1\x36\xbb\x08\x2f\x2e\x4e\x92\x62\xa4"
-+"\xff\x50\xdb\x20\x45\xa2\xeb\x16\x7a\xf2\xd5\x28\xc1\xfd\x4e"
-+"\x03\x71";
-+
-
- static int corrupt_rsa;
-
- static int setrsakey(RSA *key)
- {
-- static const unsigned char e[] = "\x11";
-+ static const unsigned char e[] = "\x01\x00\x01";
-
- static const unsigned char d[] =
--"\x00\xA5\xDA\xFC\x53\x41\xFA\xF2\x89\xC4\xB9\x88\xDB\x30\xC1\xCD"
--"\xF8\x3F\x31\x25\x1E\x06\x68\xB4\x27\x84\x81\x38\x01\x57\x96\x41"
--"\xB2\x94\x10\xB3\xC7\x99\x8D\x6B\xC4\x65\x74\x5E\x5C\x39\x26\x69"
--"\xD6\x87\x0D\xA2\xC0\x82\xA9\x39\xE3\x7F\xDC\xB8\x2E\xC9\x3E\xDA"
--"\xC9\x7F\xF3\xAD\x59\x50\xAC\xCF\xBC\x11\x1C\x76\xF1\xA9\x52\x94"
--"\x44\xE5\x6A\xAF\x68\xC5\x6C\x09\x2C\xD3\x8D\xC3\xBE\xF5\xD2\x0A"
--"\x93\x99\x26\xED\x4F\x74\xA1\x3E\xDD\xFB\xE1\xA1\xCE\xCC\x48\x94"
--"\xAF\x94\x28\xC2\xB7\xB8\x88\x3F\xE4\x46\x3A\x4B\xC8\x5B\x1C\xB3"
--"\xC1";
-+"\x36\x27\x3d\xb1\xf9\x1b\xdb\xa7\xa0\x41\x7f\x12\x23\xac\x23"
-+"\x29\x99\xd5\x3a\x7b\x60\x67\x41\x07\x63\x53\xb4\xd2\xe7\x58"
-+"\x95\x0a\xc7\x05\xf3\x4e\xb2\xb4\x12\xd4\x70\xdc\x4f\x85\x06"
-+"\xd3\xdd\xd8\x63\x27\x3e\x67\x31\x21\x24\x39\x04\xbc\x06\xa4"
-+"\xcc\xce\x2b\x7a\xfe\x7b\xad\xde\x11\x6e\xa3\xa5\xe6\x04\x53"
-+"\x0e\xa3\x4e\x2d\xb4\x8f\x31\xbf\xca\x75\x25\x52\x02\x85\xde"
-+"\x3d\xb2\x72\x43\xb2\x89\x8a\x9a\x34\x41\x26\x3f\x9a\x67\xbe"
-+"\xa4\x96\x7b\x0e\x75\xba\xa6\x93\xd5\xb8\xd8\xb8\x57\xf2\x4b"
-+"\x0f\x14\x81\xd1\x57\x4e\xf6\x45\x4c\xa6\x3b\xd0\x70\xca\xd3"
-+"\x9d\x55\xde\x22\x05\xe7\x8e\x28\x4d\xee\x11\xcf\xb6\x67\x76"
-+"\x09\xd3\xe3\x3c\x13\xf9\x99\x34\x10\x7b\xec\x81\x38\xf0\xb6"
-+"\x34\x9c\x9b\x50\x6f\x0b\x91\x81\x4d\x89\x94\x04\x7b\xf0\x3c"
-+"\xf4\xb1\xb2\x00\x48\x8d\x5a\x8f\x88\x9e\xc5\xab\x3a\x9e\x44"
-+"\x3f\x54\xe7\xd9\x6e\x47\xaa\xa1\xbd\x40\x46\x31\xf9\xf0\x34"
-+"\xb6\x04\xe1\x2b\x5b\x73\x86\xdd\x3a\x92\x1b\x71\xc7\x3f\x32"
-+"\xe5\xc3\xc2\xab\xa1\x7e\xbf\xa4\x52\xa0\xb0\x68\x90\xd1\x20"
-+"\x12\x79\xe9\xd7\xc9\x40\xba\xf2\x19\xc7\xa5\x00\x92\x86\x0d"
-+"\x01";
-
- static const unsigned char p[] =
--"\x00\xEE\xCF\xAE\x81\xB1\xB9\xB3\xC9\x08\x81\x0B\x10\xA1\xB5\x60"
--"\x01\x99\xEB\x9F\x44\xAE\xF4\xFD\xA4\x93\xB8\x1A\x9E\x3D\x84\xF6"
--"\x32\x12\x4E\xF0\x23\x6E\x5D\x1E\x3B\x7E\x28\xFA\xE7\xAA\x04\x0A"
--"\x2D\x5B\x25\x21\x76\x45\x9D\x1F\x39\x75\x41\xBA\x2A\x58\xFB\x65"
--"\x99";
-+"\x00\xfc\x5c\x6e\x16\xce\x1f\x03\x7b\xcd\xf7\xb3\x72\xb2\x8f"
-+"\x16\x72\xb8\x56\xae\xf7\xcd\x67\xd8\x4e\x7d\x07\xaf\xd5\x43"
-+"\x26\xc3\x35\xbe\x43\x8f\x4e\x2f\x1c\x43\x4e\x6b\xd2\xb2\xec"
-+"\x52\x6d\x97\x52\x2b\xcc\x5c\x3a\x6b\xf4\x14\xc6\x74\xda\x66"
-+"\x38\x1c\x7a\x3f\x84\x2f\xe3\xf9\x5a\xb8\x65\x69\x46\x06\xa3"
-+"\x37\x79\xb2\xa1\x5b\x58\xed\x5e\xa7\x5f\x8c\x65\x66\xbb\xd1"
-+"\x24\x36\xe6\x37\xa7\x3d\x49\x77\x8a\x8c\x34\xd8\x69\x29\xf3"
-+"\x4d\x58\x22\xb0\x51\x24\xb6\x40\xa8\x86\x59\x0a\xb7\xba\x5c"
-+"\x97\xda\x57\xe8\x36\xda\x7a\x9c\xad";
-
- static const unsigned char q[] =
--"\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9"
--"\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D"
--"\x86\x98\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5"
--"\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x15"
--"\x03";
-+"\x00\xcc\xbe\x7b\x09\x69\x06\xee\x45\xbf\x88\x47\x38\xa8\xf8"
-+"\x17\xe5\xb6\xba\x67\x55\xe3\xe8\x05\x8b\xb8\xe2\x53\xd6\x8e"
-+"\xef\x2c\xe7\x4f\x4a\xf7\x4e\x26\x8d\x85\x0b\x3f\xec\xc3\x1c"
-+"\xd4\xeb\xec\x6a\xc8\x72\x2a\x25\x7d\xfd\xa6\x77\x96\xf0\x1e"
-+"\xcd\x28\x57\xf8\x37\x30\x75\x6b\xbd\xd4\x7b\x0c\x87\xc5\x6c"
-+"\x87\x40\xa5\xbb\x27\x2c\x78\xc9\x74\x5a\x54\x5b\x0b\x30\x6f"
-+"\x44\x4a\xfa\x71\xe4\x21\x61\x66\xf9\xee\x65\xde\x7c\x04\xd7"
-+"\xfd\xa9\x15\x5b\x7f\xe2\x7a\xba\x69\x86\x72\xa6\x06\x8d\x9b"
-+"\x90\x55\x60\x9e\x4c\x5d\xa9\xb6\x55";
-+
-
- static const unsigned char dmp1[] =
--"\x54\x49\x4C\xA6\x3E\xBA\x03\x37\xE4\xE2\x40\x23\xFC\xD6\x9A\x5A"
--"\xEB\x07\xDD\xDC\x01\x83\xA4\xD0\xAC\x9B\x54\xB0\x51\xF2\xB1\x3E"
--"\xD9\x49\x09\x75\xEA\xB7\x74\x14\xFF\x59\xC1\xF7\x69\x2E\x9A\x2E"
--"\x20\x2B\x38\xFC\x91\x0A\x47\x41\x74\xAD\xC9\x3C\x1F\x67\xC9\x81";
-+"\x7a\xd6\x12\xd0\x0e\xec\x91\xa9\x85\x8b\xf8\x50\xf0\x11\x2e"
-+"\x00\x11\x32\x40\x60\x66\x1f\x11\xee\xc2\x75\x27\x65\x4b\x16"
-+"\x67\x16\x95\xd2\x14\xc3\x1d\xb3\x48\x1f\xb7\xe4\x0b\x2b\x74"
-+"\xc3\xdb\x50\x27\xf9\x85\x3a\xfa\xa9\x08\x23\xc1\x65\x3d\x34"
-+"\x3a\xc8\x56\x7a\x65\x45\x36\x6e\xae\x2a\xce\x9f\x43\x43\xd7"
-+"\x10\xe9\x9e\x18\xf4\xa4\x35\xda\x8a\x6b\xb0\x3f\xdd\x53\xe3"
-+"\xa8\xc5\x4e\x79\x9d\x1f\x51\x8c\xa2\xca\x66\x3c\x6a\x2a\xff"
-+"\x8e\xd2\xf3\xb7\xcb\x82\xda\xde\x2c\xe6\xd2\x8c\xb3\xad\xb6"
-+"\x4c\x95\x55\x76\xbd\xc9\xc8\xd1";
-+
-
- static const unsigned char dmq1[] =
--"\x47\x1E\x02\x90\xFF\x0A\xF0\x75\x03\x51\xB7\xF8\x78\x86\x4C\xA9"
--"\x61\xAD\xBD\x3A\x8A\x7E\x99\x1C\x5C\x05\x56\xA9\x4C\x31\x46\xA7"
--"\xF9\x80\x3F\x8F\x6F\x8A\xE3\x42\xE9\x31\xFD\x8A\xE4\x7A\x22\x0D"
--"\x1B\x99\xA4\x95\x84\x98\x07\xFE\x39\xF9\x24\x5A\x98\x36\xDA\x3D";
--
-+"\x00\x83\x23\x1d\xbb\x11\x42\x17\x2b\x25\x5a\x2c\x03\xe6\x75"
-+"\xc1\x18\xa8\xc9\x0b\x96\xbf\xba\xc4\x92\x91\x80\xa5\x22\x2f"
-+"\xba\x91\x90\x36\x01\x56\x15\x00\x2c\x74\xa2\x97\xf7\x15\xa1"
-+"\x49\xdf\x32\x35\xd2\xdd\x0c\x91\xa6\xf8\xe7\xbe\x81\x36\x9b"
-+"\x03\xdc\x6b\x3b\xd8\x5d\x79\x57\xe0\xe6\x4f\x49\xdf\x4c\x5c"
-+"\x0e\xe5\x21\x41\x95\xfd\xad\xff\x9a\x3e\xa0\xf9\x0f\x59\x9e"
-+"\x6a\xa7\x7b\x71\xa7\x24\x9a\x36\x52\xae\x97\x20\xc1\x5e\x78"
-+"\xd9\x47\x8b\x1e\x67\xf2\xaf\x98\xe6\x2d\xef\x10\xd7\xf1\xab"
-+"\x49\xee\xe5\x4b\x7e\xae\x1f\x1d\x61";
-+
-+
- static const unsigned char iqmp[] =
--"\x00\xB0\x6C\x4F\xDA\xBB\x63\x01\x19\x8D\x26\x5B\xDB\xAE\x94\x23"
--"\xB3\x80\xF2\x71\xF7\x34\x53\x88\x50\x93\x07\x7F\xCD\x39\xE2\x11"
--"\x9F\xC9\x86\x32\x15\x4F\x58\x83\xB1\x67\xA9\x67\xBF\x40\x2B\x4E"
--"\x9E\x2E\x0F\x96\x56\xE6\x98\xEA\x36\x66\xED\xFB\x25\x79\x80\x39"
--"\xF7";
-+"\x23\x96\xc1\x91\x17\x5e\x0a\x83\xd2\xdc\x7b\x69\xb2\x59\x1d"
-+"\x33\x58\x52\x3f\x18\xc7\x09\x50\x1c\xb9\xa1\xbb\x4c\xa2\x38"
-+"\x40\x4c\x9a\x8e\xfe\x9c\x90\x92\xd0\x71\x9f\x89\x99\x50\x91"
-+"\x1f\x34\x8b\x74\x53\x11\x11\x4a\x70\xe2\xf7\x30\xd8\x8c\x80"
-+"\xe1\xcc\x9f\xf1\x63\x17\x1a\x7d\x67\x29\x4c\xcb\x4e\x74\x7b"
-+"\xe0\x3e\x9e\x2f\xf4\x67\x8f\xec\xb9\x5c\x00\x1e\x7e\xa2\x7b"
-+"\x92\xc9\x6f\x4c\xe4\x0e\xf9\x48\x63\xcd\x50\x22\x5d\xbf\xb6"
-+"\x9d\x01\x33\x6a\xf4\x50\xbe\x86\x98\x4f\xca\x3f\x3a\xfa\xcf"
-+"\x07\x40\xc4\xaa\xad\xae\xbe\xbf";
-
- key->n = BN_bin2bn(n, sizeof(n)-1, key->n);
- if (corrupt_rsa)
-- BN_set_bit(key->n, 1024);
-+ BN_set_bit(key->n, 2048);
- key->e = BN_bin2bn(e, sizeof(e)-1, key->e);
- key->d = BN_bin2bn(d, sizeof(d)-1, key->d);
- key->p = BN_bin2bn(p, sizeof(p)-1, key->p);
-@@ -145,201 +189,291 @@ void FIPS_corrupt_rsa()
- static const unsigned char kat_tbs[] = "OpenSSL FIPS 140-2 Public Key RSA KAT";
-
- static const unsigned char kat_RSA_PSS_SHA1[] = {
-- 0x2D, 0xAF, 0x6E, 0xC2, 0x98, 0xFB, 0x8A, 0xA1, 0xB9, 0x46, 0xDA, 0x0F,
-- 0x01, 0x1E, 0x37, 0x93, 0xC2, 0x55, 0x27, 0xE4, 0x1D, 0xD2, 0x90, 0xBB,
-- 0xF4, 0xBF, 0x4A, 0x74, 0x39, 0x51, 0xBB, 0xE8, 0x0C, 0xB7, 0xF8, 0xD3,
-- 0xD1, 0xDF, 0xE7, 0xBE, 0x80, 0x05, 0xC3, 0xB5, 0xC7, 0x83, 0xD5, 0x4C,
-- 0x7F, 0x49, 0xFB, 0x3F, 0x29, 0x9B, 0xE1, 0x12, 0x51, 0x60, 0xD0, 0xA7,
-- 0x0D, 0xA9, 0x28, 0x56, 0x73, 0xD9, 0x07, 0xE3, 0x5E, 0x3F, 0x9B, 0xF5,
-- 0xB6, 0xF3, 0xF2, 0x5E, 0x74, 0xC9, 0x83, 0x81, 0x47, 0xF0, 0xC5, 0x45,
-- 0x0A, 0xE9, 0x8E, 0x38, 0xD7, 0x18, 0xC6, 0x2A, 0x0F, 0xF8, 0xB7, 0x31,
-- 0xD6, 0x55, 0xE4, 0x66, 0x78, 0x81, 0xD4, 0xE6, 0xDB, 0x9F, 0xBA, 0xE8,
-- 0x23, 0xB5, 0x7F, 0xDC, 0x08, 0xEA, 0xD5, 0x26, 0x1E, 0x20, 0x25, 0x84,
-- 0x26, 0xC6, 0x79, 0xC9, 0x9B, 0x3D, 0x7E, 0xA9
-+ 0xC2, 0x80, 0x82, 0x56, 0xD8, 0xA7, 0xB2, 0x9C, 0xF5, 0xD6, 0x3C, 0xE3,
-+ 0xBF, 0xE9, 0x3A, 0x53, 0x40, 0xAE, 0xF2, 0xA9, 0x6A, 0x39, 0x49, 0x5B,
-+ 0x05, 0x7F, 0x67, 0x38, 0x2E, 0x1D, 0xE1, 0x93, 0x22, 0x65, 0x79, 0x84,
-+ 0x68, 0xFA, 0xD8, 0xAF, 0xA1, 0x98, 0x61, 0x6F, 0x44, 0x27, 0xA6, 0x8B,
-+ 0xCF, 0x0E, 0x13, 0xA9, 0xCE, 0xD7, 0x6C, 0xD2, 0x38, 0xB5, 0x16, 0xB9,
-+ 0x66, 0x94, 0x48, 0xDE, 0x9E, 0x19, 0x3D, 0x6F, 0xB3, 0xA1, 0x9A, 0x19,
-+ 0xDF, 0xFB, 0xAB, 0xA5, 0x9F, 0x38, 0xDA, 0xC9, 0x21, 0x8F, 0xCE, 0x98,
-+ 0x01, 0x3A, 0xC8, 0xE0, 0xDF, 0xDA, 0xFC, 0xF0, 0xA6, 0x86, 0x29, 0xB5,
-+ 0x7F, 0x61, 0xFB, 0xBA, 0xC5, 0x49, 0xB2, 0x7C, 0x6A, 0x26, 0x82, 0xC4,
-+ 0x8F, 0xAA, 0x5B, 0x10, 0xD5, 0xEE, 0xA0, 0x55, 0x42, 0xEF, 0x32, 0x5A,
-+ 0x3F, 0x55, 0xB3, 0x2C, 0x22, 0xE9, 0x65, 0xDA, 0x8D, 0x0A, 0xB9, 0x70,
-+ 0x43, 0xCC, 0x3F, 0x64, 0x9C, 0xB5, 0x65, 0x49, 0xBD, 0x7F, 0x35, 0xC1,
-+ 0x20, 0x85, 0x24, 0xFE, 0xAA, 0x6B, 0x37, 0x04, 0xA1, 0x0E, 0x9D, 0x5C,
-+ 0xBA, 0x7F, 0x14, 0x69, 0xC5, 0x93, 0xB2, 0x33, 0xC2, 0xC0, 0xC7, 0xDF,
-+ 0x7E, 0x9E, 0xA4, 0xB0, 0xA0, 0x64, 0xD2, 0xAC, 0xFC, 0xFD, 0xFD, 0x99,
-+ 0x8F, 0x6A, 0x40, 0x26, 0xC1, 0x2E, 0x4E, 0x8B, 0x33, 0xBE, 0xF1, 0x45,
-+ 0x59, 0x8F, 0x33, 0x40, 0x1D, 0x2A, 0xD2, 0xF7, 0x50, 0x83, 0x89, 0xCF,
-+ 0x94, 0xC6, 0xF8, 0x36, 0xF0, 0x84, 0x0B, 0x85, 0xA5, 0x02, 0xA9, 0x0F,
-+ 0x41, 0x7A, 0x77, 0xA3, 0x2F, 0x47, 0x1E, 0x1D, 0xEC, 0xE6, 0xD3, 0x01,
-+ 0x1E, 0x6F, 0x7A, 0x96, 0x50, 0x37, 0x37, 0x4B, 0x27, 0x52, 0x0B, 0xDC,
-+ 0xDB, 0xC7, 0xA9, 0x31, 0xB2, 0x40, 0xEE, 0x60, 0x41, 0x26, 0x6A, 0x05,
-+ 0xCE, 0x08, 0x1D, 0x89
- };
-
- static const unsigned char kat_RSA_PSS_SHA224[] = {
-- 0x39, 0x4A, 0x6A, 0x20, 0xBC, 0xE9, 0x33, 0xED, 0xEF, 0xC5, 0x58, 0xA7,
-- 0xFE, 0x81, 0xC4, 0x36, 0x50, 0x9A, 0x2C, 0x82, 0x98, 0x08, 0x95, 0xFA,
-- 0xB1, 0x9E, 0xD2, 0x55, 0x61, 0x87, 0x21, 0x59, 0x87, 0x7B, 0x1F, 0x57,
-- 0x30, 0x9D, 0x0D, 0x4A, 0x06, 0xEB, 0x52, 0x37, 0x55, 0x54, 0x1C, 0x89,
-- 0x83, 0x75, 0x59, 0x65, 0x64, 0x90, 0x2E, 0x16, 0xCC, 0x86, 0x05, 0xEE,
-- 0xB1, 0xE6, 0x7B, 0xBA, 0x16, 0x75, 0x0D, 0x0C, 0x64, 0x0B, 0xAB, 0x22,
-- 0x15, 0x78, 0x6B, 0x6F, 0xA4, 0xFB, 0x77, 0x40, 0x64, 0x62, 0xD1, 0xB5,
-- 0x37, 0x1E, 0xE0, 0x3D, 0xA8, 0xF9, 0xD2, 0xBD, 0xAA, 0x38, 0x24, 0x49,
-- 0x58, 0xD2, 0x74, 0x85, 0xF4, 0xB5, 0x93, 0x8E, 0xF5, 0x03, 0xEA, 0x2D,
-- 0xC8, 0x52, 0xFA, 0xCF, 0x7E, 0x35, 0xB0, 0x6A, 0xAF, 0x95, 0xC0, 0x00,
-- 0x54, 0x76, 0x3D, 0x0C, 0x9C, 0xB2, 0xEE, 0xC0
-+ 0xB4, 0x01, 0x93, 0x16, 0x05, 0xF6, 0xEB, 0xE2, 0xA4, 0xEB, 0x48, 0xAA,
-+ 0x00, 0xF4, 0xA1, 0x99, 0x0A, 0xB4, 0xB6, 0x63, 0xE9, 0x68, 0xCA, 0xB3,
-+ 0x13, 0xD7, 0x66, 0x6A, 0xCD, 0xCB, 0x33, 0x9F, 0xE5, 0x84, 0xE2, 0xC3,
-+ 0x0B, 0x53, 0xE5, 0x8B, 0x96, 0x4B, 0xDB, 0x2D, 0x80, 0xA4, 0x1D, 0xE3,
-+ 0x81, 0xDC, 0x52, 0x99, 0xBA, 0x9B, 0x6A, 0x9D, 0x48, 0x1F, 0x73, 0xF7,
-+ 0xAC, 0x09, 0x13, 0xA1, 0x16, 0x2C, 0x60, 0xFB, 0xBC, 0x25, 0xF7, 0x53,
-+ 0xD1, 0x04, 0x5A, 0x3F, 0x95, 0x09, 0x5E, 0xE5, 0xA2, 0x7D, 0xFC, 0x2A,
-+ 0x51, 0x1D, 0x21, 0xCE, 0x2B, 0x4E, 0x1B, 0xB8, 0xCB, 0xDD, 0x24, 0xEE,
-+ 0x99, 0x1D, 0x37, 0xDC, 0xED, 0x5F, 0x2F, 0x48, 0x5E, 0x33, 0x94, 0x06,
-+ 0x19, 0xCD, 0x5A, 0x26, 0x85, 0x77, 0x9D, 0xAF, 0x86, 0x97, 0xC9, 0x08,
-+ 0xD5, 0x81, 0x0E, 0xB8, 0x9F, 0xB6, 0xAF, 0x20, 0x72, 0xDC, 0x13, 0x4D,
-+ 0x7A, 0xE4, 0x5C, 0x81, 0xDE, 0xC0, 0x3D, 0x19, 0x9C, 0x33, 0x11, 0x07,
-+ 0xD5, 0xA9, 0x51, 0x67, 0xCD, 0xFD, 0x37, 0x61, 0x14, 0x9F, 0xE7, 0x70,
-+ 0x18, 0x32, 0xC3, 0x34, 0x54, 0x0D, 0x4F, 0xB4, 0xAE, 0x9F, 0xEC, 0x64,
-+ 0xD8, 0xB2, 0x16, 0xA4, 0xB2, 0x99, 0x92, 0xCB, 0x7F, 0x1F, 0x06, 0x17,
-+ 0x5F, 0xA1, 0x07, 0x68, 0xAE, 0xA7, 0x2D, 0x03, 0x91, 0x2A, 0x9D, 0x69,
-+ 0xC2, 0x9D, 0x90, 0xF7, 0xF9, 0x66, 0x5D, 0x13, 0xB7, 0x7F, 0xD3, 0x97,
-+ 0x45, 0x97, 0x43, 0xD8, 0xCE, 0x3C, 0xF2, 0x98, 0x98, 0xDD, 0xE2, 0x2D,
-+ 0xCF, 0xA1, 0xC4, 0x25, 0x46, 0x2E, 0xD2, 0xE5, 0x5F, 0xC6, 0x01, 0xC5,
-+ 0x4F, 0x42, 0x2B, 0xDE, 0x0F, 0xEA, 0x4A, 0x4F, 0xC3, 0x5B, 0xDF, 0x9B,
-+ 0x5D, 0x30, 0x18, 0x93, 0xD0, 0xDE, 0xC5, 0x09, 0xAA, 0x57, 0x57, 0xBD,
-+ 0x2D, 0x84, 0x03, 0xB7
- };
-
- static const unsigned char kat_RSA_PSS_SHA256[] = {
-- 0x6D, 0x3D, 0xBE, 0x8F, 0x60, 0x6D, 0x25, 0x14, 0xF0, 0x31, 0xE3, 0x89,
-- 0x00, 0x97, 0xFA, 0x99, 0x71, 0x28, 0xE5, 0x10, 0x25, 0x9A, 0xF3, 0x8F,
-- 0x7B, 0xC5, 0xA8, 0x4A, 0x74, 0x51, 0x36, 0xE2, 0x8D, 0x7D, 0x73, 0x28,
-- 0xC1, 0x77, 0xC6, 0x27, 0x97, 0x00, 0x8B, 0x00, 0xA3, 0x96, 0x73, 0x4E,
-- 0x7D, 0x2E, 0x2C, 0x34, 0x68, 0x8C, 0x8E, 0xDF, 0x9D, 0x49, 0x47, 0x05,
-- 0xAB, 0xF5, 0x01, 0xD6, 0x81, 0x47, 0x70, 0xF5, 0x1D, 0x6D, 0x26, 0xBA,
-- 0x2F, 0x7A, 0x54, 0x53, 0x4E, 0xED, 0x71, 0xD9, 0x5A, 0xF3, 0xDA, 0xB6,
-- 0x0B, 0x47, 0x34, 0xAF, 0x90, 0xDC, 0xC8, 0xD9, 0x6F, 0x56, 0xCD, 0x9F,
-- 0x21, 0xB7, 0x7E, 0xAD, 0x7C, 0x2F, 0x75, 0x50, 0x47, 0x12, 0xE4, 0x6D,
-- 0x5F, 0xB7, 0x01, 0xDF, 0xC3, 0x11, 0x6C, 0xA9, 0x9E, 0x49, 0xB9, 0xF6,
-- 0x72, 0xF4, 0xF6, 0xEF, 0x88, 0x1E, 0x2D, 0x1C
-+ 0x38, 0xDA, 0x99, 0x51, 0x26, 0x38, 0xC6, 0x7F, 0xC4, 0x81, 0x57, 0x19,
-+ 0x35, 0xC6, 0xF6, 0x1E, 0x90, 0x47, 0x20, 0x55, 0x47, 0x56, 0x26, 0xE9,
-+ 0xF2, 0xA8, 0x39, 0x6C, 0xD5, 0xCD, 0xCB, 0x55, 0xFC, 0x0C, 0xC5, 0xCB,
-+ 0xF7, 0x40, 0x17, 0x3B, 0xCF, 0xE4, 0x05, 0x03, 0x3B, 0xA0, 0xB2, 0xC9,
-+ 0x0D, 0x5E, 0x48, 0x3A, 0xE9, 0xAD, 0x28, 0x71, 0x7D, 0x8F, 0x89, 0x16,
-+ 0x59, 0x93, 0x35, 0xDC, 0x4D, 0x7B, 0xDF, 0x84, 0xE4, 0x68, 0xAA, 0x33,
-+ 0xAA, 0xDC, 0x66, 0x50, 0xC8, 0xA9, 0x32, 0x12, 0xDC, 0xC6, 0x90, 0x49,
-+ 0x0B, 0x75, 0xFF, 0x9B, 0x95, 0x00, 0x9A, 0x90, 0xE0, 0xD4, 0x0E, 0x67,
-+ 0xAB, 0x3C, 0x47, 0x36, 0xC5, 0x2E, 0x1C, 0x46, 0xF0, 0x2D, 0xD3, 0x8B,
-+ 0x42, 0x08, 0xDE, 0x0D, 0xB6, 0x2C, 0x86, 0xB0, 0x35, 0x71, 0x18, 0x6B,
-+ 0x89, 0x67, 0xC0, 0x05, 0xAD, 0xF4, 0x1D, 0x62, 0x4E, 0x75, 0xEC, 0xD6,
-+ 0xC2, 0xDB, 0x07, 0xB0, 0xB6, 0x8D, 0x15, 0xAD, 0xCD, 0xBF, 0xF5, 0x60,
-+ 0x76, 0xAE, 0x48, 0xB8, 0x77, 0x7F, 0xC5, 0x01, 0xD9, 0x29, 0xBB, 0xD6,
-+ 0x17, 0xA2, 0x20, 0x5A, 0xC0, 0x4A, 0x3B, 0x34, 0xC8, 0xB9, 0x39, 0xCF,
-+ 0x06, 0x89, 0x95, 0x6F, 0xC7, 0xCA, 0xC4, 0xE4, 0x43, 0xDF, 0x5A, 0x23,
-+ 0xE2, 0x89, 0xA3, 0x38, 0x78, 0x31, 0x38, 0xC6, 0xA4, 0x6F, 0x5F, 0x73,
-+ 0x5A, 0xE5, 0x9E, 0x09, 0xE7, 0x6F, 0xD4, 0xF8, 0x3E, 0xB7, 0xB0, 0x56,
-+ 0x9A, 0xF3, 0x65, 0xF0, 0xC2, 0xA6, 0x8A, 0x08, 0xBA, 0x44, 0xAC, 0x97,
-+ 0xDE, 0xB4, 0x16, 0x83, 0xDF, 0xE3, 0xEE, 0x71, 0xFA, 0xF9, 0x51, 0x50,
-+ 0x14, 0xDC, 0xFD, 0x6A, 0x82, 0x20, 0x68, 0x64, 0x7D, 0x4E, 0x82, 0x68,
-+ 0xD7, 0x45, 0xFA, 0x6A, 0xE4, 0xE5, 0x29, 0x3A, 0x70, 0xFB, 0xE4, 0x62,
-+ 0x2B, 0x31, 0xB9, 0x7D
- };
-
- static const unsigned char kat_RSA_PSS_SHA384[] = {
-- 0x40, 0xFB, 0xA1, 0x21, 0xF4, 0xB2, 0x40, 0x9A, 0xB4, 0x31, 0xA8, 0xF2,
-- 0xEC, 0x1C, 0xC4, 0xC8, 0x7C, 0x22, 0x65, 0x9C, 0x57, 0x45, 0xCD, 0x5E,
-- 0x86, 0x00, 0xF7, 0x25, 0x78, 0xDE, 0xDC, 0x7A, 0x71, 0x44, 0x9A, 0xCD,
-- 0xAA, 0x25, 0xF4, 0xB2, 0xFC, 0xF0, 0x75, 0xD9, 0x2F, 0x78, 0x23, 0x7F,
-- 0x6F, 0x02, 0xEF, 0xC1, 0xAF, 0xA6, 0x28, 0x16, 0x31, 0xDC, 0x42, 0x6C,
-- 0xB2, 0x44, 0xE5, 0x4D, 0x66, 0xA2, 0xE6, 0x71, 0xF3, 0xAC, 0x4F, 0xFB,
-- 0x91, 0xCA, 0xF5, 0x70, 0xEF, 0x6B, 0x9D, 0xA4, 0xEF, 0xD9, 0x3D, 0x2F,
-- 0x3A, 0xBE, 0x89, 0x38, 0x59, 0x01, 0xBA, 0xDA, 0x32, 0xAD, 0x42, 0x89,
-- 0x98, 0x8B, 0x39, 0x44, 0xF0, 0xFC, 0x38, 0xAC, 0x87, 0x1F, 0xCA, 0x6F,
-- 0x48, 0xF6, 0xAE, 0xD7, 0x45, 0xEE, 0xAE, 0x88, 0x0E, 0x60, 0xF4, 0x55,
-- 0x48, 0x44, 0xEE, 0x1F, 0x90, 0x18, 0x4B, 0xF1
-+ 0x99, 0x02, 0xC9, 0x1E, 0x31, 0x82, 0xB4, 0xE6, 0x1B, 0x32, 0xCE, 0x5D,
-+ 0x41, 0x1D, 0x00, 0x2F, 0x04, 0x8B, 0xBD, 0x37, 0x79, 0xCF, 0x77, 0x03,
-+ 0x05, 0x6A, 0x21, 0xC7, 0x8D, 0x24, 0x60, 0x49, 0x39, 0x58, 0xC5, 0x27,
-+ 0x8F, 0xC5, 0x97, 0x4A, 0xB2, 0xE1, 0xD4, 0x36, 0x57, 0xBD, 0x43, 0xCC,
-+ 0x7B, 0xCE, 0xF2, 0xA5, 0x30, 0xF8, 0x72, 0x14, 0xBB, 0xD0, 0x9F, 0xC1,
-+ 0x49, 0xC8, 0x1C, 0xAF, 0xCD, 0x95, 0x78, 0x72, 0x25, 0xF9, 0x45, 0xC6,
-+ 0x5B, 0x62, 0x5E, 0x01, 0xD7, 0x40, 0x5E, 0xC8, 0xCA, 0x0A, 0xF3, 0xBA,
-+ 0x08, 0x07, 0x88, 0xCA, 0x49, 0x36, 0x84, 0x7D, 0xF6, 0xFC, 0x5A, 0xDB,
-+ 0xFC, 0x50, 0xD3, 0xEB, 0x3D, 0x83, 0xB0, 0xF5, 0x94, 0x5E, 0x88, 0xC3,
-+ 0x82, 0xCD, 0x53, 0x40, 0x96, 0x18, 0x6B, 0x4A, 0x6C, 0x9C, 0xFE, 0xE5,
-+ 0x3B, 0x75, 0xF9, 0xEB, 0xA5, 0x77, 0x11, 0xEF, 0x88, 0x1C, 0x25, 0x70,
-+ 0x7D, 0x88, 0x5D, 0xC3, 0xCA, 0xE1, 0x49, 0x14, 0x90, 0xAD, 0xF2, 0x5E,
-+ 0x49, 0xD7, 0x99, 0xA5, 0x7B, 0x77, 0x3B, 0x8E, 0xB8, 0xDB, 0xF1, 0x4C,
-+ 0xD6, 0x9A, 0xDC, 0xE5, 0x7A, 0x1C, 0xE1, 0xCE, 0x9D, 0xF1, 0xF3, 0xA0,
-+ 0x0A, 0x35, 0x52, 0x9D, 0xB9, 0x46, 0x94, 0x82, 0x0F, 0xF7, 0xB2, 0x62,
-+ 0x51, 0x70, 0x75, 0xD2, 0x37, 0x96, 0x67, 0x2F, 0xD0, 0x22, 0xD8, 0x07,
-+ 0x8D, 0x69, 0x9E, 0x6D, 0x0B, 0x40, 0x4F, 0x70, 0xEC, 0x0B, 0xCA, 0x88,
-+ 0x80, 0x8D, 0x9A, 0xF4, 0xF9, 0x18, 0x50, 0x27, 0x08, 0xFA, 0xCC, 0xC7,
-+ 0x3F, 0xE4, 0x84, 0x83, 0xA1, 0xB6, 0x1D, 0x23, 0x34, 0xFE, 0x48, 0xE5,
-+ 0xE3, 0xAE, 0x4D, 0x98, 0xBC, 0xA6, 0x8A, 0x9F, 0xFD, 0x4D, 0xDB, 0x9D,
-+ 0xF7, 0xEB, 0x4E, 0xB6, 0x6F, 0x25, 0xEA, 0x7A, 0xE9, 0x85, 0xB2, 0xEF,
-+ 0x90, 0xD2, 0xA6, 0x2B
- };
-
- static const unsigned char kat_RSA_PSS_SHA512[] = {
-- 0x07, 0x1E, 0xD8, 0xD5, 0x05, 0xE8, 0xE6, 0xE6, 0x57, 0xAE, 0x63, 0x8C,
-- 0xC6, 0x83, 0xB7, 0xA0, 0x59, 0xBB, 0xF2, 0xC6, 0x8F, 0x12, 0x53, 0x9A,
-- 0x9B, 0x54, 0x9E, 0xB3, 0xC1, 0x1D, 0x23, 0x4D, 0x51, 0xED, 0x9E, 0xDD,
-- 0x4B, 0xF3, 0x46, 0x9B, 0x6B, 0xF6, 0x7C, 0x24, 0x60, 0x79, 0x23, 0x39,
-- 0x01, 0x1C, 0x51, 0xCB, 0xD8, 0xE9, 0x9A, 0x01, 0x67, 0x5F, 0xFE, 0xD7,
-- 0x7C, 0xE3, 0x7F, 0xED, 0xDB, 0x87, 0xBB, 0xF0, 0x3D, 0x78, 0x55, 0x61,
-- 0x57, 0xE3, 0x0F, 0xE3, 0xD2, 0x9D, 0x0C, 0x2A, 0x20, 0xB0, 0x85, 0x13,
-- 0xC5, 0x47, 0x34, 0x0D, 0x32, 0x15, 0xC8, 0xAE, 0x9A, 0x6A, 0x39, 0x63,
-- 0x2D, 0x60, 0xF5, 0x4C, 0xDF, 0x8A, 0x48, 0x4B, 0xBF, 0xF4, 0xA8, 0xFE,
-- 0x76, 0xF2, 0x32, 0x1B, 0x9C, 0x7C, 0xCA, 0xFE, 0x7F, 0x80, 0xC2, 0x88,
-- 0x5C, 0x97, 0x70, 0xB4, 0x26, 0xC9, 0x14, 0x8B
-+ 0x3F, 0x83, 0x43, 0x78, 0x25, 0xBE, 0x81, 0xB2, 0x6E, 0x78, 0x11, 0x32,
-+ 0xD0, 0x88, 0x05, 0x53, 0x95, 0xED, 0x81, 0x12, 0xCE, 0x50, 0xD9, 0x06,
-+ 0x42, 0x89, 0xA0, 0x55, 0x7A, 0x05, 0x13, 0x94, 0x35, 0x9B, 0xCA, 0x5D,
-+ 0xCB, 0xB2, 0x32, 0xE1, 0x04, 0x99, 0xEC, 0xE7, 0xA6, 0x69, 0x4D, 0x2B,
-+ 0xC1, 0x57, 0x13, 0x48, 0x0D, 0x6B, 0x4D, 0x83, 0x28, 0x06, 0x79, 0x9D,
-+ 0xB4, 0x70, 0xCE, 0xC0, 0xFC, 0x3B, 0x69, 0xB3, 0x91, 0x54, 0xA9, 0x44,
-+ 0x2E, 0xDA, 0x4A, 0xC5, 0xC2, 0x99, 0xF0, 0xDE, 0xCA, 0x77, 0x99, 0x6B,
-+ 0x0C, 0x79, 0xE5, 0x29, 0x74, 0x83, 0x69, 0xEA, 0xB8, 0x72, 0x30, 0x3D,
-+ 0x7A, 0x30, 0xE1, 0x03, 0x7B, 0x09, 0xE6, 0x11, 0xC0, 0xDC, 0xFF, 0xFD,
-+ 0xBD, 0xEC, 0x9C, 0xCC, 0x46, 0x7B, 0x4C, 0x4C, 0x59, 0xBE, 0x82, 0x7C,
-+ 0xF5, 0x60, 0x5A, 0xC3, 0xE8, 0xA8, 0x8A, 0x38, 0x9E, 0x01, 0x57, 0xF1,
-+ 0x79, 0x3A, 0x7C, 0xA3, 0x9F, 0x12, 0x1A, 0x4F, 0x2E, 0xA2, 0xE5, 0x0A,
-+ 0xAB, 0xC0, 0xF4, 0xA5, 0xE3, 0x5F, 0x89, 0x1C, 0x8F, 0xA4, 0x5E, 0xCE,
-+ 0x0D, 0x91, 0x05, 0x1B, 0x17, 0x62, 0x48, 0xFE, 0xA5, 0x4C, 0xEF, 0x2D,
-+ 0x28, 0xF1, 0x5E, 0xE6, 0xD1, 0x30, 0x89, 0x0A, 0xAD, 0x18, 0xAF, 0x6F,
-+ 0x04, 0x09, 0x36, 0x9A, 0xFF, 0xCA, 0xA1, 0xA7, 0x05, 0x7F, 0xD4, 0xBF,
-+ 0x3A, 0xB5, 0x42, 0x6D, 0xE9, 0x07, 0x29, 0x65, 0x8B, 0xAD, 0x4D, 0x0F,
-+ 0x22, 0xE1, 0x59, 0x43, 0x68, 0x87, 0xA8, 0x8B, 0xBC, 0x69, 0xA1, 0x94,
-+ 0x22, 0x3E, 0x8A, 0x49, 0xE8, 0xA3, 0x6F, 0xC2, 0x93, 0x58, 0xE7, 0xAE,
-+ 0xC9, 0x1F, 0xCF, 0x61, 0x93, 0xFC, 0xC1, 0xF6, 0xF3, 0x27, 0x7F, 0x0A,
-+ 0x90, 0xE0, 0x65, 0x32, 0x57, 0x47, 0xE2, 0xED, 0x08, 0x59, 0xA6, 0xF0,
-+ 0x17, 0x2C, 0x13, 0xE0
- };
-
- static const unsigned char kat_RSA_SHA1[] = {
-- 0x71, 0xEE, 0x1A, 0xC0, 0xFE, 0x01, 0x93, 0x54, 0x79, 0x5C, 0xF2, 0x4C,
-- 0x4A, 0xFD, 0x1A, 0x05, 0x8F, 0x64, 0xB1, 0x6D, 0x61, 0x33, 0x8D, 0x9B,
-- 0xE7, 0xFD, 0x60, 0xA3, 0x83, 0xB5, 0xA3, 0x51, 0x55, 0x77, 0x90, 0xCF,
-- 0xDC, 0x22, 0x37, 0x8E, 0xD0, 0xE1, 0xAE, 0x09, 0xE3, 0x3D, 0x1E, 0xF8,
-- 0x80, 0xD1, 0x8B, 0xC2, 0xEC, 0x0A, 0xD7, 0x6B, 0x88, 0x8B, 0x8B, 0xA1,
-- 0x20, 0x22, 0xBE, 0x59, 0x5B, 0xE0, 0x23, 0x24, 0xA1, 0x49, 0x30, 0xBA,
-- 0xA9, 0x9E, 0xE8, 0xB1, 0x8A, 0x62, 0x16, 0xBF, 0x4E, 0xCA, 0x2E, 0x4E,
-- 0xBC, 0x29, 0xA8, 0x67, 0x13, 0xB7, 0x9F, 0x1D, 0x04, 0x44, 0xE5, 0x5F,
-- 0x35, 0x07, 0x11, 0xBC, 0xED, 0x19, 0x37, 0x21, 0xCF, 0x23, 0x48, 0x1F,
-- 0x72, 0x05, 0xDE, 0xE6, 0xE8, 0x7F, 0x33, 0x8A, 0x76, 0x4B, 0x2F, 0x95,
-- 0xDF, 0xF1, 0x5F, 0x84, 0x80, 0xD9, 0x46, 0xB4
-+ 0x3B, 0x60, 0x4B, 0xFC, 0x54, 0x28, 0x23, 0xE6, 0x2F, 0x05, 0x04, 0xBA,
-+ 0x9D, 0xE4, 0x3C, 0xB8, 0x5B, 0x60, 0x5C, 0xCD, 0x9D, 0xEA, 0xC3, 0x4C,
-+ 0xC2, 0x33, 0xE6, 0xC6, 0x21, 0x48, 0x76, 0xEC, 0xB2, 0xF5, 0x11, 0xDE,
-+ 0x44, 0xB4, 0xAF, 0x16, 0x11, 0xC3, 0x18, 0x16, 0xB3, 0x69, 0xBB, 0x94,
-+ 0xED, 0xE8, 0xB3, 0x9E, 0xB1, 0x43, 0x8E, 0xCE, 0xB4, 0x34, 0x9B, 0x08,
-+ 0x22, 0xAF, 0x31, 0x73, 0xB5, 0xFA, 0x11, 0x7E, 0x8F, 0x13, 0x52, 0xEC,
-+ 0xC9, 0x03, 0xEE, 0x0D, 0x2B, 0x91, 0x32, 0xF2, 0x8E, 0xDF, 0x02, 0xE0,
-+ 0x0A, 0x47, 0xD2, 0x0A, 0x51, 0x00, 0x1A, 0x30, 0x6F, 0x0C, 0xB3, 0x54,
-+ 0x64, 0x20, 0x90, 0x0C, 0x01, 0xBE, 0xC0, 0x42, 0x8C, 0x5D, 0x18, 0x6F,
-+ 0x32, 0x75, 0x45, 0x7B, 0x1C, 0x04, 0xA2, 0x9F, 0x84, 0xD7, 0xF5, 0x3A,
-+ 0x95, 0xD4, 0xE8, 0x8D, 0xEC, 0x99, 0xEF, 0x18, 0x5E, 0x64, 0xD3, 0xAF,
-+ 0xF8, 0xD4, 0xFF, 0x3C, 0x87, 0xA0, 0x3F, 0xC7, 0x22, 0x05, 0xFD, 0xFD,
-+ 0x29, 0x8A, 0x28, 0xDA, 0xA9, 0x8A, 0x8B, 0x23, 0x62, 0x9D, 0x42, 0xB8,
-+ 0x4A, 0x76, 0x0D, 0x9F, 0x9A, 0xE0, 0xE6, 0xDD, 0xAD, 0x5E, 0x5F, 0xD5,
-+ 0x32, 0xE9, 0x4B, 0x97, 0x7D, 0x62, 0x0A, 0xB3, 0xBE, 0xF2, 0x8C, 0x1F,
-+ 0x2B, 0x22, 0x06, 0x15, 0x33, 0x71, 0xED, 0x9B, 0xA0, 0x82, 0xCE, 0xBF,
-+ 0x3B, 0x08, 0x5F, 0xA7, 0x20, 0x94, 0x09, 0xEB, 0x82, 0xA5, 0x41, 0x60,
-+ 0xF1, 0x08, 0xEB, 0x8D, 0xCC, 0x8D, 0xC9, 0x52, 0x0A, 0xAF, 0xF4, 0xF9,
-+ 0x9F, 0x82, 0xD8, 0x0B, 0x75, 0x5E, 0xE4, 0xAF, 0x65, 0x96, 0xAF, 0xFC,
-+ 0x33, 0xBF, 0x9F, 0x3E, 0xA4, 0x7B, 0x86, 0xC7, 0xF7, 0x47, 0xAB, 0x37,
-+ 0x05, 0xD6, 0x0D, 0x31, 0x72, 0x8C, 0x80, 0x1E, 0xA9, 0x54, 0xFC, 0xDF,
-+ 0x27, 0x90, 0xE2, 0x01
- };
-
- static const unsigned char kat_RSA_SHA224[] = {
-- 0x62, 0xAA, 0x79, 0xA9, 0x18, 0x0E, 0x5F, 0x8C, 0xBB, 0xB7, 0x15, 0xF9,
-- 0x25, 0xBB, 0xFA, 0xD4, 0x3A, 0x34, 0xED, 0x9E, 0xA0, 0xA9, 0x18, 0x8D,
-- 0x5B, 0x55, 0x9A, 0x7E, 0x1E, 0x08, 0x08, 0x60, 0xC5, 0x1A, 0xC5, 0x89,
-- 0x08, 0xE2, 0x1B, 0xBD, 0x62, 0x50, 0x17, 0x76, 0x30, 0x2C, 0x9E, 0xCD,
-- 0xA4, 0x02, 0xAD, 0xB1, 0x6D, 0x44, 0x6D, 0xD5, 0xC6, 0x45, 0x41, 0xE5,
-- 0xEE, 0x1F, 0x8D, 0x7E, 0x08, 0x16, 0xA6, 0xE1, 0x5E, 0x0B, 0xA9, 0xCC,
-- 0xDB, 0x59, 0x55, 0x87, 0x09, 0x25, 0x70, 0x86, 0x84, 0x02, 0xC6, 0x3B,
-- 0x0B, 0x44, 0x4C, 0x46, 0x95, 0xF4, 0xF8, 0x5A, 0x91, 0x28, 0x3E, 0xB2,
-- 0x58, 0x2E, 0x06, 0x45, 0x49, 0xE0, 0x92, 0xE2, 0xC0, 0x66, 0xE6, 0x35,
-- 0xD9, 0x79, 0x7F, 0x17, 0x5E, 0x02, 0x73, 0x04, 0x77, 0x82, 0xE6, 0xDC,
-- 0x40, 0x21, 0x89, 0x8B, 0x37, 0x3E, 0x1E, 0x8D
-+ 0xA2, 0xD8, 0x42, 0x53, 0xDD, 0xBF, 0x1F, 0x6B, 0x07, 0xE0, 0x60, 0x86,
-+ 0x5A, 0x60, 0x06, 0x8F, 0x44, 0xD9, 0xB0, 0x4A, 0xAA, 0x90, 0x71, 0xB8,
-+ 0xB2, 0xBC, 0x30, 0x41, 0x50, 0xBB, 0xFD, 0x46, 0x98, 0x4D, 0xC0, 0x89,
-+ 0x57, 0x85, 0x8A, 0x97, 0x49, 0x25, 0xA8, 0x0C, 0x69, 0x70, 0x19, 0x39,
-+ 0x66, 0x24, 0xB4, 0x69, 0x47, 0xD2, 0x7C, 0xDE, 0x2D, 0x37, 0x59, 0xB3,
-+ 0xE3, 0xC7, 0x6B, 0xDD, 0xBE, 0xE1, 0xE6, 0x28, 0x9A, 0x8D, 0x42, 0x3E,
-+ 0x28, 0x01, 0xD7, 0x03, 0xC9, 0x73, 0xC3, 0x6B, 0x03, 0xEC, 0x1E, 0xF8,
-+ 0x53, 0x8B, 0x52, 0x42, 0x89, 0x55, 0xB7, 0x87, 0xA9, 0x94, 0xC2, 0xB4,
-+ 0x4B, 0x76, 0xF5, 0x61, 0x47, 0xE1, 0x44, 0x7B, 0xEC, 0xB4, 0x25, 0x66,
-+ 0xC0, 0xFF, 0xEB, 0x86, 0x24, 0xAA, 0xA8, 0x72, 0xC7, 0xFB, 0xFB, 0xF6,
-+ 0x84, 0xA7, 0x5B, 0xD4, 0x87, 0xE5, 0x84, 0x56, 0x1E, 0x4C, 0xE5, 0xBC,
-+ 0x87, 0x94, 0xAC, 0x9C, 0x1B, 0x3D, 0xF7, 0xD4, 0x36, 0x85, 0x9F, 0xC9,
-+ 0xF6, 0x43, 0x3F, 0xB6, 0x25, 0x33, 0x48, 0x0F, 0xE5, 0x7C, 0xCD, 0x53,
-+ 0x48, 0xEB, 0x02, 0x11, 0xB9, 0x9E, 0xC3, 0xB4, 0xE1, 0x54, 0xD6, 0xAA,
-+ 0x1A, 0x9E, 0x10, 0xE1, 0x27, 0x25, 0xF2, 0xE1, 0xAB, 0xAB, 0x6C, 0x45,
-+ 0x61, 0xD5, 0xA3, 0x6C, 0xB6, 0x33, 0x52, 0xAE, 0x3D, 0xFD, 0x22, 0xFC,
-+ 0x3A, 0xAB, 0x63, 0x94, 0xB5, 0x3A, 0x69, 0x11, 0xAC, 0x99, 0x4F, 0x33,
-+ 0x67, 0x0A, 0x1A, 0x70, 0x1E, 0xB9, 0xE2, 0x26, 0x27, 0x68, 0xEA, 0xF5,
-+ 0x97, 0x55, 0xAC, 0x83, 0x6A, 0x40, 0x3B, 0x56, 0xAE, 0x13, 0x88, 0xE8,
-+ 0x98, 0x72, 0x52, 0x91, 0x7F, 0x78, 0x0A, 0x18, 0xD4, 0x44, 0x78, 0x83,
-+ 0x0D, 0x44, 0x77, 0xA6, 0xF3, 0x04, 0xF1, 0x8C, 0xBC, 0x2F, 0xF9, 0x5B,
-+ 0xDB, 0x70, 0x00, 0xF6
- };
-
- static const unsigned char kat_RSA_SHA256[] = {
-- 0x0D, 0x55, 0xE2, 0xAA, 0x81, 0xDB, 0x8E, 0x82, 0x05, 0x17, 0xA5, 0x23,
-- 0xE7, 0x3B, 0x1D, 0xAF, 0xFB, 0x8C, 0xD0, 0x81, 0x20, 0x7B, 0xAA, 0x23,
-- 0x92, 0x87, 0x8C, 0xD1, 0x53, 0x85, 0x16, 0xDC, 0xBE, 0xAD, 0x6F, 0x35,
-- 0x98, 0x2D, 0x69, 0x84, 0xBF, 0xD9, 0x8A, 0x01, 0x17, 0x58, 0xB2, 0x6E,
-- 0x2C, 0x44, 0x9B, 0x90, 0xF1, 0xFB, 0x51, 0xE8, 0x6A, 0x90, 0x2D, 0x18,
-- 0x0E, 0xC0, 0x90, 0x10, 0x24, 0xA9, 0x1D, 0xB3, 0x58, 0x7A, 0x91, 0x30,
-- 0xBE, 0x22, 0xC7, 0xD3, 0xEC, 0xC3, 0x09, 0x5D, 0xBF, 0xE2, 0x80, 0x3A,
-- 0x7C, 0x85, 0xB4, 0xBC, 0xD1, 0xE9, 0xF0, 0x5C, 0xDE, 0x81, 0xA6, 0x38,
-- 0xB8, 0x42, 0xBB, 0x86, 0xC5, 0x9D, 0xCE, 0x7C, 0x2C, 0xEE, 0xD1, 0xDA,
-- 0x27, 0x48, 0x2B, 0xF5, 0xAB, 0xB9, 0xF7, 0x80, 0xD1, 0x90, 0x27, 0x90,
-- 0xBD, 0x44, 0x97, 0x60, 0xCD, 0x57, 0xC0, 0x7A
-+ 0xC2, 0xB1, 0x97, 0x00, 0x9A, 0xE5, 0x80, 0x6A, 0xE2, 0x51, 0x68, 0xB9,
-+ 0x7A, 0x0C, 0xF2, 0xB4, 0x77, 0xED, 0x15, 0x0C, 0x4E, 0xE1, 0xDC, 0xFF,
-+ 0x8E, 0xBC, 0xDE, 0xC7, 0x9A, 0x96, 0xF1, 0x47, 0x45, 0x24, 0x9D, 0x6F,
-+ 0xA6, 0xF3, 0x1D, 0x0D, 0x35, 0x4C, 0x1A, 0xF3, 0x58, 0x2C, 0x6C, 0x06,
-+ 0xD6, 0x22, 0x37, 0x77, 0x8C, 0x33, 0xE5, 0x07, 0x53, 0x93, 0x28, 0xCF,
-+ 0x67, 0xFA, 0xC4, 0x1F, 0x1B, 0x24, 0xDB, 0x4C, 0xC5, 0x2A, 0x51, 0xA2,
-+ 0x60, 0x15, 0x8C, 0x54, 0xB4, 0x30, 0xE2, 0x24, 0x47, 0x86, 0xF2, 0xF8,
-+ 0x6C, 0xD6, 0x12, 0x59, 0x2C, 0x74, 0x9A, 0x37, 0xF3, 0xC4, 0xA2, 0xD5,
-+ 0x4E, 0x1F, 0x77, 0xF0, 0x27, 0xCE, 0x77, 0xF8, 0x4A, 0x79, 0x03, 0xBE,
-+ 0xC8, 0x06, 0x2D, 0xA7, 0xA6, 0x46, 0xF5, 0x55, 0x79, 0xD7, 0x5C, 0xC6,
-+ 0x5B, 0xB1, 0x00, 0x4E, 0x7C, 0xD9, 0x11, 0x85, 0xE0, 0xB1, 0x4D, 0x2D,
-+ 0x13, 0xD7, 0xAC, 0xEA, 0x64, 0xD1, 0xAC, 0x8F, 0x8D, 0x8F, 0xEA, 0x42,
-+ 0x7F, 0xF9, 0xB7, 0x7D, 0x2C, 0x68, 0x49, 0x07, 0x7A, 0x74, 0xEF, 0xB4,
-+ 0xC9, 0x97, 0x16, 0x5C, 0x6C, 0x6E, 0x5C, 0x09, 0x2E, 0x8E, 0x13, 0x2E,
-+ 0x1A, 0x8D, 0xA6, 0x0C, 0x6E, 0x0C, 0x1C, 0x0F, 0xCC, 0xB2, 0x78, 0x8A,
-+ 0x07, 0xFC, 0x5C, 0xC2, 0xF5, 0x65, 0xEC, 0xAB, 0x8B, 0x3C, 0xCA, 0x91,
-+ 0x6F, 0x84, 0x7C, 0x21, 0x0E, 0xB8, 0xDA, 0x7B, 0x6C, 0xF7, 0xDF, 0xAB,
-+ 0x7E, 0x15, 0xFD, 0x85, 0x0B, 0x33, 0x9B, 0x6A, 0x3A, 0xC3, 0xEF, 0x65,
-+ 0x04, 0x6E, 0xB2, 0xAC, 0x98, 0xFD, 0xEB, 0x02, 0xF5, 0xC0, 0x0B, 0x5E,
-+ 0xCB, 0xD4, 0x83, 0x82, 0x18, 0x1B, 0xDA, 0xB4, 0xCD, 0xE8, 0x71, 0x6B,
-+ 0x1D, 0xB5, 0x4F, 0xE9, 0xD6, 0x43, 0xA0, 0x0A, 0x14, 0xA0, 0xE7, 0x5D,
-+ 0x47, 0x9D, 0x18, 0xD7
- };
-
- static const unsigned char kat_RSA_SHA384[] = {
-- 0x1D, 0xE3, 0x6A, 0xDD, 0x27, 0x4C, 0xC0, 0xA5, 0x27, 0xEF, 0xE6, 0x1F,
-- 0xD2, 0x91, 0x68, 0x59, 0x04, 0xAE, 0xBD, 0x99, 0x63, 0x56, 0x47, 0xC7,
-- 0x6F, 0x22, 0x16, 0x48, 0xD0, 0xF9, 0x18, 0xA9, 0xCA, 0xFA, 0x5D, 0x5C,
-- 0xA7, 0x65, 0x52, 0x8A, 0xC8, 0x44, 0x7E, 0x86, 0x5D, 0xA9, 0xA6, 0x55,
-- 0x65, 0x3E, 0xD9, 0x2D, 0x02, 0x38, 0xA8, 0x79, 0x28, 0x7F, 0xB6, 0xCF,
-- 0x82, 0xDD, 0x7E, 0x55, 0xE1, 0xB1, 0xBC, 0xE2, 0x19, 0x2B, 0x30, 0xC2,
-- 0x1B, 0x2B, 0xB0, 0x82, 0x46, 0xAC, 0x4B, 0xD1, 0xE2, 0x7D, 0xEB, 0x8C,
-- 0xFF, 0x95, 0xE9, 0x6A, 0x1C, 0x3D, 0x4D, 0xBF, 0x8F, 0x8B, 0x9C, 0xCD,
-- 0xEA, 0x85, 0xEE, 0x00, 0xDC, 0x1C, 0xA7, 0xEB, 0xD0, 0x8F, 0x99, 0xF1,
-- 0x16, 0x28, 0x24, 0x64, 0x04, 0x39, 0x2D, 0x58, 0x1E, 0x37, 0xDC, 0x04,
-- 0xBD, 0x31, 0xA2, 0x2F, 0xB3, 0x35, 0x56, 0xBF
-+ 0x11, 0x5E, 0x63, 0xFE, 0x47, 0xAA, 0x6A, 0x84, 0xEB, 0x44, 0x9A, 0x00,
-+ 0x96, 0x4A, 0xED, 0xD2, 0xA7, 0x67, 0x3A, 0x64, 0x82, 0x30, 0x61, 0x2D,
-+ 0xE3, 0xF5, 0x49, 0x68, 0x5E, 0x60, 0xD2, 0x4D, 0xEF, 0xF2, 0xA4, 0xB2,
-+ 0x9A, 0x81, 0x1D, 0x41, 0xA5, 0x73, 0x59, 0xEB, 0xBB, 0xC4, 0x9E, 0x2B,
-+ 0xEB, 0xC3, 0xDE, 0x3A, 0xEA, 0xF5, 0xAD, 0xDA, 0x87, 0x08, 0x68, 0xCF,
-+ 0x12, 0x9B, 0xC1, 0xE4, 0xA7, 0x71, 0xF8, 0xBD, 0x6B, 0x6F, 0x50, 0xF1,
-+ 0xD1, 0xFF, 0xCE, 0x6C, 0xD9, 0xBE, 0xDA, 0x76, 0xF3, 0xEB, 0xAB, 0x9C,
-+ 0x41, 0x6E, 0x4F, 0x35, 0x7A, 0x61, 0x27, 0xBC, 0x03, 0x3E, 0xAE, 0x3E,
-+ 0x1B, 0xDD, 0xAC, 0xD9, 0x1A, 0xFF, 0xD3, 0xF5, 0x66, 0x43, 0x07, 0x76,
-+ 0x8A, 0x69, 0x2D, 0x14, 0xB1, 0xBE, 0x55, 0x49, 0x90, 0x89, 0x4B, 0xC4,
-+ 0x11, 0x67, 0xD5, 0x9D, 0xB0, 0xB2, 0xEE, 0x8D, 0x0A, 0x47, 0x4A, 0xD9,
-+ 0x0E, 0xD1, 0x24, 0xF0, 0x30, 0x2B, 0xF2, 0x79, 0x47, 0xDB, 0x70, 0xB4,
-+ 0x46, 0xF2, 0xF8, 0xB7, 0xB4, 0xF6, 0x34, 0x79, 0xA8, 0x2D, 0x3D, 0x56,
-+ 0xD5, 0x9A, 0x60, 0x7A, 0x04, 0xC7, 0x66, 0x1D, 0xCD, 0x3C, 0xD5, 0x39,
-+ 0x37, 0x12, 0x51, 0x5E, 0x9F, 0xF8, 0x1A, 0xAF, 0x13, 0xC1, 0x13, 0x00,
-+ 0x35, 0xD5, 0x8D, 0x17, 0xE3, 0x02, 0x28, 0xD9, 0xEC, 0xDE, 0xD1, 0x2F,
-+ 0x93, 0x49, 0x03, 0x11, 0x3E, 0x56, 0x9D, 0xC2, 0x31, 0xF8, 0xAF, 0x2D,
-+ 0xD9, 0x99, 0xB7, 0x8A, 0xAC, 0x5A, 0x86, 0x20, 0x3A, 0x83, 0x29, 0x26,
-+ 0x9D, 0x03, 0x52, 0x2B, 0x34, 0x56, 0x40, 0x16, 0x53, 0x50, 0x82, 0xC9,
-+ 0xC7, 0xD5, 0x51, 0x4C, 0xED, 0xB3, 0xE2, 0xE1, 0xCF, 0xA8, 0xCE, 0xBD,
-+ 0xB1, 0x48, 0xA6, 0x8A, 0x79, 0x17, 0x55, 0x11, 0xEF, 0xE8, 0x14, 0xF4,
-+ 0x7E, 0x37, 0x1D, 0x96
- };
-
- static const unsigned char kat_RSA_SHA512[] = {
-- 0x69, 0x52, 0x1B, 0x51, 0x5E, 0x06, 0xCA, 0x9B, 0x16, 0x51, 0x5D, 0xCF,
-- 0x49, 0x25, 0x4A, 0xA1, 0x6A, 0x77, 0x4C, 0x36, 0x40, 0xF8, 0xB2, 0x9A,
-- 0x15, 0xEA, 0x5C, 0xE5, 0xE6, 0x82, 0xE0, 0x86, 0x82, 0x6B, 0x32, 0xF1,
-- 0x04, 0xC1, 0x5A, 0x1A, 0xED, 0x1E, 0x9A, 0xB6, 0x4C, 0x54, 0x9F, 0xD8,
-- 0x8D, 0xCC, 0xAC, 0x8A, 0xBB, 0x9C, 0x82, 0x3F, 0xA6, 0x53, 0x62, 0xB5,
-- 0x80, 0xE2, 0xBC, 0xDD, 0x67, 0x2B, 0xD9, 0x3F, 0xE4, 0x75, 0x92, 0x6B,
-- 0xAF, 0x62, 0x7C, 0x52, 0xF0, 0xEE, 0x33, 0xDF, 0x1B, 0x1D, 0x47, 0xE6,
-- 0x59, 0x56, 0xA5, 0xB9, 0x5C, 0xE6, 0x77, 0x78, 0x16, 0x63, 0x84, 0x05,
-- 0x6F, 0x0E, 0x2B, 0x31, 0x9D, 0xF7, 0x7F, 0xB2, 0x64, 0x71, 0xE0, 0x2D,
-- 0x3E, 0x62, 0xCE, 0xB5, 0x3F, 0x88, 0xDF, 0x2D, 0xAB, 0x98, 0x65, 0x91,
-- 0xDF, 0x70, 0x14, 0xA5, 0x3F, 0x36, 0xAB, 0x84
-+ 0x35, 0x6D, 0xF1, 0x9E, 0xCF, 0xB1, 0xF6, 0x0C, 0x04, 0x21, 0x17, 0xB3,
-+ 0xC4, 0x9D, 0xFE, 0x62, 0x1C, 0x1A, 0x45, 0x00, 0x2E, 0x6B, 0xB6, 0x9F,
-+ 0x5C, 0xB1, 0xCB, 0xCF, 0xF9, 0x67, 0xEA, 0x62, 0x8A, 0xEB, 0x77, 0x02,
-+ 0x42, 0x30, 0x88, 0xB1, 0x48, 0xDF, 0x12, 0x60, 0x6E, 0x92, 0xBB, 0x4B,
-+ 0x09, 0x68, 0xD1, 0x70, 0x2B, 0x59, 0xEE, 0x57, 0x96, 0xF9, 0xEA, 0xA3,
-+ 0x4C, 0xE9, 0xC9, 0xBD, 0x25, 0x34, 0x66, 0x15, 0x6C, 0xC9, 0x81, 0xD1,
-+ 0x48, 0x0F, 0x33, 0x5F, 0x05, 0x4F, 0xC2, 0xC4, 0xDD, 0x09, 0x54, 0x79,
-+ 0xA1, 0x57, 0x07, 0x70, 0xA0, 0x33, 0x02, 0x4D, 0x5D, 0xE9, 0x24, 0xD1,
-+ 0xEF, 0xF0, 0x61, 0xD0, 0x1D, 0x41, 0xE2, 0x9B, 0x2B, 0x7C, 0xD0, 0x4E,
-+ 0x55, 0xD9, 0x6D, 0xA1, 0x16, 0x9F, 0xDA, 0xC3, 0x3B, 0xF1, 0x74, 0xD1,
-+ 0x99, 0xF1, 0x63, 0x57, 0xAD, 0xC7, 0x55, 0xF4, 0x97, 0x43, 0x1C, 0xED,
-+ 0x1B, 0x7A, 0x32, 0xCB, 0x24, 0xA6, 0x3D, 0x93, 0x37, 0x90, 0x74, 0xEE,
-+ 0xD2, 0x8D, 0x4B, 0xBC, 0x72, 0xDA, 0x25, 0x2B, 0x64, 0xE9, 0xCA, 0x69,
-+ 0x36, 0xB6, 0xEC, 0x6E, 0x8F, 0x33, 0x0E, 0x74, 0x40, 0x48, 0x51, 0xE2,
-+ 0x54, 0x6F, 0xAF, 0x6E, 0x36, 0x54, 0x3A, 0xEC, 0x78, 0x37, 0xE6, 0x1F,
-+ 0x76, 0xA5, 0x4D, 0xA6, 0xD9, 0xB3, 0x6B, 0x17, 0x6D, 0x61, 0xFC, 0xA3,
-+ 0x85, 0x4A, 0xCC, 0xDA, 0x52, 0xAC, 0x5B, 0xDA, 0x51, 0xE5, 0x7F, 0x5B,
-+ 0x52, 0x8B, 0x74, 0x75, 0x99, 0x5C, 0x01, 0xFD, 0x25, 0x3E, 0xCD, 0x86,
-+ 0x6F, 0x7A, 0xC0, 0xD8, 0x17, 0x6F, 0xD1, 0xD2, 0x6B, 0xAB, 0x14, 0x1F,
-+ 0x3B, 0xB8, 0x15, 0x05, 0x86, 0x40, 0x36, 0xCF, 0xDA, 0x59, 0x2B, 0x9A,
-+ 0xE9, 0x1E, 0x6E, 0xD3, 0x6B, 0xA1, 0x19, 0xC5, 0xE6, 0x3F, 0xE9, 0x2E,
-+ 0x43, 0xA8, 0x34, 0x0A
- };
-
--static const unsigned char kat_RSA_X931_SHA1[] = {
-- 0x86, 0xB4, 0x18, 0xBA, 0xD1, 0x80, 0xB6, 0x7C, 0x42, 0x45, 0x4D, 0xDF,
-- 0xE9, 0x2D, 0xE1, 0x83, 0x5F, 0xB5, 0x2F, 0xC9, 0xCD, 0xC4, 0xB2, 0x75,
-- 0x80, 0xA4, 0xF1, 0x4A, 0xE7, 0x83, 0x12, 0x1E, 0x1E, 0x14, 0xB8, 0xAC,
-- 0x35, 0xE2, 0xAA, 0x0B, 0x5C, 0xF8, 0x38, 0x4D, 0x04, 0xEE, 0xA9, 0x97,
-- 0x70, 0xFB, 0x5E, 0xE7, 0xB7, 0xE3, 0x62, 0x23, 0x4B, 0x38, 0xBE, 0xD6,
-- 0x53, 0x15, 0xF7, 0xDF, 0x87, 0xB4, 0x0E, 0xCC, 0xB1, 0x1A, 0x11, 0x19,
-- 0xEE, 0x51, 0xCC, 0x92, 0xDD, 0xBC, 0x63, 0x29, 0x63, 0x0C, 0x59, 0xD7,
-- 0x6F, 0x4C, 0x3C, 0x37, 0x5B, 0x37, 0x03, 0x61, 0x7D, 0x24, 0x1C, 0x99,
-- 0x48, 0xAF, 0x82, 0xFE, 0x32, 0x41, 0x9B, 0xB2, 0xDB, 0xEA, 0xED, 0x76,
-- 0x8E, 0x6E, 0xCA, 0x7E, 0x4E, 0x14, 0xBA, 0x30, 0x84, 0x1C, 0xB3, 0x67,
-- 0xA3, 0x29, 0x80, 0x70, 0x54, 0x68, 0x7D, 0x49
--};
-+static int fips_rsa_encrypt_test(RSA *rsa, const unsigned char *plaintext, int ptlen)
-+ {
-+ unsigned char *ctbuf = NULL, *ptbuf = NULL;
-+ int ret = 0;
-+ int len;
-
--static const unsigned char kat_RSA_X931_SHA256[] = {
-- 0x7E, 0xA2, 0x77, 0xFE, 0xB8, 0x54, 0x8A, 0xC7, 0x7F, 0x64, 0x54, 0x89,
-- 0xE5, 0x52, 0x15, 0x8E, 0x52, 0x96, 0x4E, 0xA6, 0x58, 0x92, 0x1C, 0xDD,
-- 0xEA, 0xA2, 0x2D, 0x5C, 0xD1, 0x62, 0x00, 0x49, 0x05, 0x95, 0x73, 0xCF,
-- 0x16, 0x76, 0x68, 0xF6, 0xC6, 0x5E, 0x80, 0xB8, 0xB8, 0x7B, 0xC8, 0x9B,
-- 0xC6, 0x53, 0x88, 0x26, 0x20, 0x88, 0x73, 0xB6, 0x13, 0xB8, 0xF0, 0x4B,
-- 0x00, 0x85, 0xF3, 0xDD, 0x07, 0x50, 0xEB, 0x20, 0xC4, 0x38, 0x0E, 0x98,
-- 0xAD, 0x4E, 0x49, 0x2C, 0xD7, 0x65, 0xA5, 0x19, 0x0E, 0x59, 0x01, 0xEC,
-- 0x7E, 0x75, 0x89, 0x69, 0x2E, 0x63, 0x76, 0x85, 0x46, 0x8D, 0xA0, 0x8C,
-- 0x33, 0x1D, 0x82, 0x8C, 0x03, 0xEA, 0x69, 0x88, 0x35, 0xA1, 0x42, 0xBD,
-- 0x21, 0xED, 0x8D, 0xBC, 0xBC, 0xDB, 0x30, 0xFF, 0x86, 0xF0, 0x5B, 0xDC,
-- 0xE3, 0xE2, 0xE8, 0x0A, 0x0A, 0x29, 0x94, 0x80
--};
-+ ctbuf = OPENSSL_malloc(RSA_size(rsa));
-+ if (!ctbuf)
-+ goto err;
-
--static const unsigned char kat_RSA_X931_SHA384[] = {
-- 0x5C, 0x7D, 0x96, 0x35, 0xEC, 0x7E, 0x11, 0x38, 0xBB, 0x7B, 0xEC, 0x7B,
-- 0xF2, 0x82, 0x8E, 0x99, 0xBD, 0xEF, 0xD8, 0xAE, 0xD7, 0x39, 0x37, 0xCB,
-- 0xE6, 0x4F, 0x5E, 0x0A, 0x13, 0xE4, 0x2E, 0x40, 0xB9, 0xBE, 0x2E, 0xE3,
-- 0xEF, 0x78, 0x83, 0x18, 0x44, 0x35, 0x9C, 0x8E, 0xD7, 0x4A, 0x63, 0xF6,
-- 0x57, 0xC2, 0xB0, 0x08, 0x51, 0x73, 0xCF, 0xCA, 0x99, 0x66, 0xEE, 0x31,
-- 0xD8, 0x69, 0xE9, 0xAB, 0x13, 0x27, 0x7B, 0x41, 0x1E, 0x6D, 0x8D, 0xF1,
-- 0x3E, 0x9C, 0x35, 0x95, 0x58, 0xDD, 0x2B, 0xD5, 0xA0, 0x60, 0x41, 0x79,
-- 0x24, 0x22, 0xE4, 0xB7, 0xBF, 0x47, 0x53, 0xF6, 0x34, 0xD5, 0x7C, 0xFF,
-- 0x0E, 0x09, 0xEE, 0x2E, 0xE2, 0x37, 0xB9, 0xDE, 0xC5, 0x12, 0x44, 0x35,
-- 0xEF, 0x01, 0xE6, 0x5E, 0x39, 0x31, 0x2D, 0x71, 0xA5, 0xDC, 0xC6, 0x6D,
-- 0xE2, 0xCD, 0x85, 0xDB, 0x73, 0x82, 0x65, 0x28
--};
-+ len = RSA_public_encrypt(ptlen, plaintext, ctbuf, rsa, RSA_PKCS1_PADDING);
-+ if (len <= 0)
-+ goto err;
-+ /* Check ciphertext doesn't match plaintext */
-+ if (len >= ptlen && !memcmp(plaintext, ctbuf, ptlen))
-+ goto err;
-
--static const unsigned char kat_RSA_X931_SHA512[] = {
-- 0xA6, 0x65, 0xA2, 0x77, 0x4F, 0xB3, 0x86, 0xCB, 0x64, 0x3A, 0xC1, 0x63,
-- 0xFC, 0xA1, 0xAA, 0xCB, 0x9B, 0x79, 0xDD, 0x4B, 0xE1, 0xD9, 0xDA, 0xAC,
-- 0xE7, 0x47, 0x09, 0xB2, 0x11, 0x4B, 0x8A, 0xAA, 0x05, 0x9E, 0x77, 0xD7,
-- 0x3A, 0xBD, 0x5E, 0x53, 0x09, 0x4A, 0xE6, 0x0F, 0x5E, 0xF9, 0x14, 0x28,
-- 0xA0, 0x99, 0x74, 0x64, 0x70, 0x4E, 0xF2, 0xE3, 0xFA, 0xC7, 0xF8, 0xC5,
-- 0x6E, 0x2B, 0x79, 0x96, 0x0D, 0x0C, 0xC8, 0x10, 0x34, 0x53, 0xD2, 0xAF,
-- 0x17, 0x0E, 0xE0, 0xBF, 0x79, 0xF6, 0x04, 0x72, 0x10, 0xE0, 0xF6, 0xD0,
-- 0xCE, 0x8A, 0x6F, 0xA1, 0x95, 0x89, 0xBF, 0x58, 0x8F, 0x46, 0x5F, 0x09,
-- 0x9F, 0x09, 0xCA, 0x84, 0x15, 0x85, 0xE0, 0xED, 0x04, 0x2D, 0xFB, 0x7C,
-- 0x36, 0x35, 0x21, 0x31, 0xC3, 0xFD, 0x92, 0x42, 0x11, 0x30, 0x71, 0x1B,
-- 0x60, 0x83, 0x18, 0x88, 0xA3, 0xF5, 0x59, 0xC3
--};
-+ ptbuf = OPENSSL_malloc(RSA_size(rsa));
-+ if (!ptbuf)
-+ goto err;
-+
-+ len = RSA_private_decrypt(len, ctbuf, ptbuf, rsa, RSA_PKCS1_PADDING);
-+ if (len != ptlen)
-+ goto err;
-+ if (memcmp(ptbuf, plaintext, len))
-+ goto err;
-+
-+ ret = 1;
-
-+ err:
-+ if (ctbuf)
-+ OPENSSL_free(ctbuf);
-+ if (ptbuf)
-+ OPENSSL_free(ptbuf);
-+ return ret;
-+ }
-
- int FIPS_selftest_rsa()
- {
-@@ -353,7 +487,7 @@ int FIPS_selftest_rsa()
- if ((pk=EVP_PKEY_new()) == NULL)
- goto err;
-
-- EVP_PKEY_assign_RSA(pk, key);
-+ EVP_PKEY_set1_RSA(pk, key);
-
- if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
- kat_RSA_SHA1, sizeof(kat_RSA_SHA1),
-@@ -407,36 +541,15 @@ int FIPS_selftest_rsa()
- "RSA SHA512 PSS"))
- goto err;
-
--
-- if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-- kat_RSA_X931_SHA1, sizeof(kat_RSA_X931_SHA1),
-- EVP_sha1(), EVP_MD_CTX_FLAG_PAD_X931,
-- "RSA SHA1 X931"))
-- goto err;
-- /* NB: SHA224 not supported in X9.31 */
-- if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-- kat_RSA_X931_SHA256, sizeof(kat_RSA_X931_SHA256),
-- EVP_sha256(), EVP_MD_CTX_FLAG_PAD_X931,
-- "RSA SHA256 X931"))
-- goto err;
-- if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-- kat_RSA_X931_SHA384, sizeof(kat_RSA_X931_SHA384),
-- EVP_sha384(), EVP_MD_CTX_FLAG_PAD_X931,
-- "RSA SHA384 X931"))
-- goto err;
-- if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-- kat_RSA_X931_SHA512, sizeof(kat_RSA_X931_SHA512),
-- EVP_sha512(), EVP_MD_CTX_FLAG_PAD_X931,
-- "RSA SHA512 X931"))
-+ if (!fips_rsa_encrypt_test(key, kat_tbs, sizeof(kat_tbs) - 1))
- goto err;
-
--
- ret = 1;
-
- err:
- if (pk)
- EVP_PKEY_free(pk);
-- else if (key)
-+ if (key)
- RSA_free(key);
- return ret;
- }
-diff -up openssl-1.0.1e/crypto/fips/Makefile.fips-reqs openssl-1.0.1e/crypto/fips/Makefile
---- openssl-1.0.1e/crypto/fips/Makefile.fips-reqs 2013-12-18 12:17:20.000000000 +0100
-+++ openssl-1.0.1e/crypto/fips/Makefile 2013-12-18 17:14:20.348337362 +0100
-@@ -24,13 +24,15 @@ LIBSRC=fips_aes_selftest.c fips_des_self
- fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c fips_rand.c \
- fips_rsa_x931g.c fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \
- fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \
-- fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c fips_enc.c fips_md.c
-+ fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c fips_enc.c fips_md.c \
-+ fips_dh_selftest.c
-
- LIBOBJ=fips_aes_selftest.o fips_des_selftest.o fips_hmac_selftest.o fips_rand_selftest.o \
- fips_rsa_selftest.o fips_sha_selftest.o fips.o fips_dsa_selftest.o fips_rand.o \
- fips_rsa_x931g.o fips_post.o fips_drbg_ctr.o fips_drbg_hash.o fips_drbg_hmac.o \
- fips_drbg_lib.o fips_drbg_rand.o fips_drbg_selftest.o fips_rand_lib.o \
-- fips_cmac_selftest.o fips_ecdh_selftest.o fips_ecdsa_selftest.o fips_enc.o fips_md.o
-+ fips_cmac_selftest.o fips_ecdh_selftest.o fips_ecdsa_selftest.o fips_enc.o fips_md.o \
-+ fips_dh_selftest.o
-
- LIBCRYPTO=-L.. -lcrypto
-
-diff -up openssl-1.0.1e/crypto/rand/md_rand.c.fips-reqs openssl-1.0.1e/crypto/rand/md_rand.c
---- openssl-1.0.1e/crypto/rand/md_rand.c.fips-reqs 2013-12-18 12:17:09.763636936 +0100
-+++ openssl-1.0.1e/crypto/rand/md_rand.c 2013-12-18 12:17:09.800637730 +0100
-@@ -143,12 +143,6 @@ static long md_count[2]={0,0};
- static double entropy=0;
- static int initialized=0;
-
--static unsigned int crypto_lock_rand = 0; /* may be set only when a thread
-- * holds CRYPTO_LOCK_RAND
-- * (to prevent double locking) */
--/* access to lockin_thread is synchronized by CRYPTO_LOCK_RAND2 */
--static CRYPTO_THREADID locking_threadid; /* valid iff crypto_lock_rand is set */
--
-
- #ifdef PREDICT
- int rand_predictable=0;
-@@ -196,7 +190,7 @@ static void ssleay_rand_add(const void *
- long md_c[2];
- unsigned char local_md[MD_DIGEST_LENGTH];
- EVP_MD_CTX m;
-- int do_not_lock;
-+ int locked;
-
- /*
- * (Based on the rand(3) manpage)
-@@ -213,19 +207,8 @@ static void ssleay_rand_add(const void *
- * hash function.
- */
-
-- /* check if we already have the lock */
-- if (crypto_lock_rand)
-- {
-- CRYPTO_THREADID cur;
-- CRYPTO_THREADID_current(&cur);
-- CRYPTO_r_lock(CRYPTO_LOCK_RAND2);
-- do_not_lock = !CRYPTO_THREADID_cmp(&locking_threadid, &cur);
-- CRYPTO_r_unlock(CRYPTO_LOCK_RAND2);
-- }
-- else
-- do_not_lock = 0;
-+ locked = private_RAND_lock(1);
-
-- if (!do_not_lock) CRYPTO_w_lock(CRYPTO_LOCK_RAND);
- st_idx=state_index;
-
- /* use our own copies of the counters so that even
-@@ -257,7 +240,8 @@ static void ssleay_rand_add(const void *
-
- md_count[1] += (num / MD_DIGEST_LENGTH) + (num % MD_DIGEST_LENGTH > 0);
-
-- if (!do_not_lock) CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-+ if (locked)
-+ private_RAND_lock(0);
-
- EVP_MD_CTX_init(&m);
- for (i=0; i<num; i+=MD_DIGEST_LENGTH)
-@@ -308,7 +292,7 @@ static void ssleay_rand_add(const void *
- }
- EVP_MD_CTX_cleanup(&m);
-
-- if (!do_not_lock) CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-+ locked = private_RAND_lock(1);
- /* Don't just copy back local_md into md -- this could mean that
- * other thread's seeding remains without effect (except for
- * the incremented counter). By XORing it we keep at least as
-@@ -319,7 +303,8 @@ static void ssleay_rand_add(const void *
- }
- if (entropy < ENTROPY_NEEDED) /* stop counting when we have enough */
- entropy += add;
-- if (!do_not_lock) CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-+ if (locked)
-+ private_RAND_lock(0);
-
- #if !defined(OPENSSL_THREADS) && !defined(OPENSSL_SYS_WIN32)
- assert(md_c[1] == md_count[1]);
-@@ -344,6 +329,7 @@ static int ssleay_rand_bytes(unsigned ch
- pid_t curr_pid = getpid();
- #endif
- int do_stir_pool = 0;
-+ int locked;
-
- #ifdef PREDICT
- if (rand_predictable)
-@@ -381,13 +367,7 @@ static int ssleay_rand_bytes(unsigned ch
- * global 'md'.
- */
-
-- CRYPTO_w_lock(CRYPTO_LOCK_RAND);
--
-- /* prevent ssleay_rand_bytes() from trying to obtain the lock again */
-- CRYPTO_w_lock(CRYPTO_LOCK_RAND2);
-- CRYPTO_THREADID_current(&locking_threadid);
-- CRYPTO_w_unlock(CRYPTO_LOCK_RAND2);
-- crypto_lock_rand = 1;
-+ locked = private_RAND_lock(1);
-
- /* always poll for external entropy in FIPS mode, drbg provides the
- * expansion
-@@ -461,9 +441,8 @@ static int ssleay_rand_bytes(unsigned ch
-
- md_count[0] += 1;
-
-- /* before unlocking, we must clear 'crypto_lock_rand' */
-- crypto_lock_rand = 0;
-- CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-+ if (locked)
-+ private_RAND_lock(0);
-
- while (num > 0)
- {
-@@ -515,10 +494,11 @@ static int ssleay_rand_bytes(unsigned ch
- MD_Init(&m);
- MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c));
- MD_Update(&m,local_md,MD_DIGEST_LENGTH);
-- CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-+ locked = private_RAND_lock(1);
- MD_Update(&m,md,MD_DIGEST_LENGTH);
- MD_Final(&m,md);
-- CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-+ if (locked)
-+ private_RAND_lock(0);
-
- EVP_MD_CTX_cleanup(&m);
- if (ok)
-@@ -548,32 +528,10 @@ static int ssleay_rand_pseudo_bytes(unsi
-
- static int ssleay_rand_status(void)
- {
-- CRYPTO_THREADID cur;
- int ret;
-- int do_not_lock;
-+ int locked;
-
-- CRYPTO_THREADID_current(&cur);
-- /* check if we already have the lock
-- * (could happen if a RAND_poll() implementation calls RAND_status()) */
-- if (crypto_lock_rand)
-- {
-- CRYPTO_r_lock(CRYPTO_LOCK_RAND2);
-- do_not_lock = !CRYPTO_THREADID_cmp(&locking_threadid, &cur);
-- CRYPTO_r_unlock(CRYPTO_LOCK_RAND2);
-- }
-- else
-- do_not_lock = 0;
--
-- if (!do_not_lock)
-- {
-- CRYPTO_w_lock(CRYPTO_LOCK_RAND);
--
-- /* prevent ssleay_rand_bytes() from trying to obtain the lock again */
-- CRYPTO_w_lock(CRYPTO_LOCK_RAND2);
-- CRYPTO_THREADID_cpy(&locking_threadid, &cur);
-- CRYPTO_w_unlock(CRYPTO_LOCK_RAND2);
-- crypto_lock_rand = 1;
-- }
-+ locked = private_RAND_lock(1);
-
- if (!initialized)
- {
-@@ -583,13 +541,8 @@ static int ssleay_rand_status(void)
-
- ret = entropy >= ENTROPY_NEEDED;
-
-- if (!do_not_lock)
-- {
-- /* before unlocking, we must clear 'crypto_lock_rand' */
-- crypto_lock_rand = 0;
--
-- CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-- }
-+ if (locked)
-+ private_RAND_lock(0);
-
- return ret;
- }
-diff -up openssl-1.0.1e/crypto/rand/rand.h.fips-reqs openssl-1.0.1e/crypto/rand/rand.h
---- openssl-1.0.1e/crypto/rand/rand.h.fips-reqs 2013-12-18 12:17:09.764636958 +0100
-+++ openssl-1.0.1e/crypto/rand/rand.h 2013-12-18 12:17:09.800637730 +0100
-@@ -124,6 +124,8 @@ void RAND_set_fips_drbg_type(int type, i
- int RAND_init_fips(void);
- #endif
-
-+int private_RAND_lock(int lock);
-+
- /* BEGIN ERROR CODES */
- /* The following lines are auto generated by the script mkerr.pl. Any changes
- * made after this point may be overwritten when the script is next run.
-diff -up openssl-1.0.1e/crypto/rand/rand_lcl.h.fips-reqs openssl-1.0.1e/crypto/rand/rand_lcl.h
---- openssl-1.0.1e/crypto/rand/rand_lcl.h.fips-reqs 2013-12-18 12:17:09.507631447 +0100
-+++ openssl-1.0.1e/crypto/rand/rand_lcl.h 2013-12-18 12:17:09.800637730 +0100
-@@ -112,7 +112,7 @@
- #ifndef HEADER_RAND_LCL_H
- #define HEADER_RAND_LCL_H
-
--#define ENTROPY_NEEDED 32 /* require 256 bits = 32 bytes of randomness */
-+#define ENTROPY_NEEDED 48 /* require 384 bits = 48 bytes of randomness */
-
-
- #if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND)
-diff -up openssl-1.0.1e/crypto/rand/rand_lib.c.fips-reqs openssl-1.0.1e/crypto/rand/rand_lib.c
---- openssl-1.0.1e/crypto/rand/rand_lib.c.fips-reqs 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/rand/rand_lib.c 2013-12-18 18:16:45.625850730 +0100
-@@ -181,6 +181,41 @@ int RAND_status(void)
- return 0;
- }
-
-+int private_RAND_lock(int lock)
-+ {
-+ static int crypto_lock_rand;
-+ static CRYPTO_THREADID locking_threadid;
-+ int do_lock;
-+
-+ if (!lock)
-+ {
-+ crypto_lock_rand = 0;
-+ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-+ return 0;
-+ }
-+
-+ /* check if we already have the lock */
-+ if (crypto_lock_rand)
-+ {
-+ CRYPTO_THREADID cur;
-+ CRYPTO_THREADID_current(&cur);
-+ CRYPTO_r_lock(CRYPTO_LOCK_RAND2);
-+ do_lock = !!CRYPTO_THREADID_cmp(&locking_threadid, &cur);
-+ CRYPTO_r_unlock(CRYPTO_LOCK_RAND2);
-+ }
-+ else
-+ do_lock = 1;
-+ if (do_lock)
-+ {
-+ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-+ CRYPTO_w_lock(CRYPTO_LOCK_RAND2);
-+ CRYPTO_THREADID_current(&locking_threadid);
-+ CRYPTO_w_unlock(CRYPTO_LOCK_RAND2);
-+ crypto_lock_rand = 1;
-+ }
-+ return do_lock;
-+ }
-+
- #ifdef OPENSSL_FIPS
-
- /* FIPS DRBG initialisation code. This sets up the DRBG for use by the
-@@ -239,12 +274,16 @@ static int drbg_rand_add(DRBG_CTX *ctx,
- double entropy)
- {
- RAND_SSLeay()->add(in, inlen, entropy);
-+ if (FIPS_rand_status())
-+ FIPS_drbg_reseed(ctx, NULL, 0);
- return 1;
- }
-
- static int drbg_rand_seed(DRBG_CTX *ctx, const void *in, int inlen)
- {
- RAND_SSLeay()->seed(in, inlen);
-+ if (FIPS_rand_status())
-+ FIPS_drbg_reseed(ctx, NULL, 0);
- return 1;
- }
-
-diff -up openssl-1.0.1e/crypto/rsa/rsa_gen.c.fips-reqs openssl-1.0.1e/crypto/rsa/rsa_gen.c
---- openssl-1.0.1e/crypto/rsa/rsa_gen.c.fips-reqs 2013-12-18 12:17:09.764636958 +0100
-+++ openssl-1.0.1e/crypto/rsa/rsa_gen.c 2013-12-19 17:40:58.483154314 +0100
-@@ -1,5 +1,6 @@
- /* crypto/rsa/rsa_gen.c */
- /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
-+ * Copyright (C) 2013 Red Hat, Inc.
- * All rights reserved.
- *
- * This package is an SSL implementation written
-@@ -165,6 +166,236 @@ int RSA_generate_key_ex(RSA *rsa, int bi
- return rsa_builtin_keygen(rsa, bits, e_value, cb);
- }
-
-+#ifdef OPENSSL_FIPS
-+static int FIPS_rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
-+ {
-+ BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp;
-+ BIGNUM local_r0, local_d, local_p;
-+ BIGNUM *pr0, *d, *p;
-+ BN_CTX *ctx = NULL;
-+ int ok = -1;
-+ int i;
-+ int n = 0;
-+ int test = 0;
-+ int pbits = bits/2;
-+
-+ if(FIPS_selftest_failed())
-+ {
-+ FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN, FIPS_R_FIPS_SELFTEST_FAILED);
-+ return 0;
-+ }
-+
-+ if ((pbits & 0xFF) || (getenv("OPENSSL_ENFORCE_MODULUS_BITS") && bits != 2048 && bits != 3072))
-+ {
-+ FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN, FIPS_R_INVALID_KEY_LENGTH);
-+ return 0;
-+ }
-+
-+ ctx = BN_CTX_new();
-+ if (ctx == NULL) goto err;
-+ BN_CTX_start(ctx);
-+ r0 = BN_CTX_get(ctx);
-+ r1 = BN_CTX_get(ctx);
-+ r2 = BN_CTX_get(ctx);
-+ r3 = BN_CTX_get(ctx);
-+
-+ if (r3 == NULL) goto err;
-+
-+ /* We need the RSA components non-NULL */
-+ if (!rsa->n && ((rsa->n=BN_new()) == NULL)) goto err;
-+ if (!rsa->d && ((rsa->d=BN_new()) == NULL)) goto err;
-+ if (!rsa->e && ((rsa->e=BN_new()) == NULL)) goto err;
-+ if (!rsa->p && ((rsa->p=BN_new()) == NULL)) goto err;
-+ if (!rsa->q && ((rsa->q=BN_new()) == NULL)) goto err;
-+ if (!rsa->dmp1 && ((rsa->dmp1=BN_new()) == NULL)) goto err;
-+ if (!rsa->dmq1 && ((rsa->dmq1=BN_new()) == NULL)) goto err;
-+ if (!rsa->iqmp && ((rsa->iqmp=BN_new()) == NULL)) goto err;
-+
-+ if (!BN_set_word(r0, RSA_F4)) goto err;
-+ if (BN_cmp(e_value, r0) < 0 || BN_num_bits(e_value) > 256)
-+ {
-+ ok = 0; /* we set our own err */
-+ RSAerr(RSA_F_RSA_BUILTIN_KEYGEN,RSA_R_BAD_E_VALUE);
-+ goto err;
-+ }
-+
-+ /* prepare approximate minimum p and q */
-+ if (!BN_set_word(r0, 0xB504F334)) goto err;
-+ if (!BN_lshift(r0, r0, pbits - 32)) goto err;
-+
-+ /* prepare minimum p and q difference */
-+ if (!BN_one(r3)) goto err;
-+ if (!BN_lshift(r3, r3, pbits - 100)) goto err;
-+
-+ BN_copy(rsa->e, e_value);
-+
-+ if (!BN_is_zero(rsa->p) && !BN_is_zero(rsa->q))
-+ test = 1;
-+
-+retry:
-+ /* generate p and q */
-+ for (i = 0; i < 5 * pbits; i++)
-+ {
-+ ploop:
-+ if (!test)
-+ if (!BN_rand(rsa->p, pbits, 0, 1)) goto err;
-+ if (BN_cmp(rsa->p, r0) < 0)
-+ {
-+ if (test) goto err;
-+ goto ploop;
-+ }
-+
-+ if (!BN_sub(r2, rsa->p, BN_value_one())) goto err;
-+ if (!BN_gcd(r1, r2, rsa->e, ctx)) goto err;
-+ if (BN_is_one(r1))
-+ {
-+ int r;
-+ r = BN_is_prime_fasttest_ex(rsa->p, pbits>1024?4:5, ctx, 0, cb);
-+ if (r == -1 || (test && r <= 0)) goto err;
-+ if (r > 0) break;
-+ }
-+
-+ if(!BN_GENCB_call(cb, 2, n++))
-+ goto err;
-+ }
-+
-+ if(!BN_GENCB_call(cb, 3, 0))
-+ goto err;
-+
-+ if(i >= 5*pbits)
-+ /* prime not found */
-+ goto err;
-+
-+ for (i = 0; i < 5 * pbits; i++)
-+ {
-+ qloop:
-+ if (!test)
-+ if (!BN_rand(rsa->q, pbits, 0, 1)) goto err;
-+ if (BN_cmp(rsa->q, r0) < 0)
-+ {
-+ if (test) goto err;
-+ goto qloop;
-+ }
-+ if (!BN_sub(r2, rsa->q, rsa->p)) goto err;
-+ if (BN_ucmp(r2, r3) <= 0)
-+ {
-+ if (test) goto err;
-+ goto qloop;
-+ }
-+
-+ if (!BN_sub(r2, rsa->q, BN_value_one())) goto err;
-+ if (!BN_gcd(r1, r2, rsa->e, ctx)) goto err;
-+ if (BN_is_one(r1))
-+ {
-+ int r;
-+ r = BN_is_prime_fasttest_ex(rsa->q, pbits>1024?4:5, ctx, 0, cb);
-+ if (r == -1 || (test && r <= 0)) goto err;
-+ if (r > 0) break;
-+ }
-+
-+ if(!BN_GENCB_call(cb, 2, n++))
-+ goto err;
-+ }
-+
-+ if(!BN_GENCB_call(cb, 3, 1))
-+ goto err;
-+
-+ if(i >= 5*pbits)
-+ /* prime not found */
-+ goto err;
-+
-+ if (test)
-+ {
-+ /* do not try to calculate the remaining key values */
-+ BN_clear(rsa->n);
-+ ok = 1;
-+ goto err;
-+ }
-+
-+ if (BN_cmp(rsa->p,rsa->q) < 0)
-+ {
-+ tmp=rsa->p;
-+ rsa->p=rsa->q;
-+ rsa->q=tmp;
-+ }
-+
-+ /* calculate n */
-+ if (!BN_mul(rsa->n,rsa->p,rsa->q,ctx)) goto err;
-+
-+ /* calculate d */
-+ if (!BN_sub(r1,rsa->p,BN_value_one())) goto err; /* p-1 */
-+ if (!BN_sub(r2,rsa->q,BN_value_one())) goto err; /* q-1 */
-+
-+ if (!BN_gcd(r0, r1, r2, ctx)) goto err;
-+ if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
-+ {
-+ pr0 = &local_r0;
-+ BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
-+ }
-+ else
-+ pr0 = r0;
-+ if (!BN_div(r0, NULL, r1, pr0, ctx)) goto err;
-+ if (!BN_mul(r0,r0,r2,ctx)) goto err; /* lcm(p-1, q-1) */
-+
-+ if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
-+ {
-+ pr0 = &local_r0;
-+ BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
-+ }
-+ else
-+ pr0 = r0;
-+ if (!BN_mod_inverse(rsa->d,rsa->e,pr0,ctx)) goto err; /* d */
-+
-+ if (BN_num_bits(rsa->d) < pbits) goto retry; /* d is too small */
-+
-+ /* set up d for correct BN_FLG_CONSTTIME flag */
-+ if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
-+ {
-+ d = &local_d;
-+ BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
-+ }
-+ else
-+ d = rsa->d;
-+
-+ /* calculate d mod (p-1) */
-+ if (!BN_mod(rsa->dmp1,d,r1,ctx)) goto err;
-+
-+ /* calculate d mod (q-1) */
-+ if (!BN_mod(rsa->dmq1,d,r2,ctx)) goto err;
-+
-+ /* calculate inverse of q mod p */
-+ if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
-+ {
-+ p = &local_p;
-+ BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
-+ }
-+ else
-+ p = rsa->p;
-+ if (!BN_mod_inverse(rsa->iqmp,rsa->q,p,ctx)) goto err;
-+
-+ if (fips_rsa_pairwise_fail)
-+ BN_add_word(rsa->n, 1);
-+
-+ if(!fips_check_rsa(rsa))
-+ goto err;
-+
-+ ok=1;
-+err:
-+ if (ok == -1)
-+ {
-+ RSAerr(RSA_F_RSA_BUILTIN_KEYGEN,ERR_LIB_BN);
-+ ok = 0;
-+ }
-+ if (ctx != NULL)
-+ {
-+ BN_CTX_end(ctx);
-+ BN_CTX_free(ctx);
-+ }
-+
-+ return ok;
-+ }
-+#endif
-+
- static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
- {
- BIGNUM *r0=NULL,*r1=NULL,*r2=NULL,*r3=NULL,*tmp;
-@@ -176,17 +407,12 @@ static int rsa_builtin_keygen(RSA *rsa,
- #ifdef OPENSSL_FIPS
- if (FIPS_module_mode())
- {
-- if(FIPS_selftest_failed())
-- {
-- FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN,FIPS_R_FIPS_SELFTEST_FAILED);
-- return 0;
-- }
--
- if (bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)
- {
- FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN,FIPS_R_KEY_TOO_SHORT);
- return 0;
- }
-+ return FIPS_rsa_builtin_keygen(rsa, bits, e_value, cb);
- }
- #endif
-
-@@ -301,17 +527,6 @@ static int rsa_builtin_keygen(RSA *rsa,
- p = rsa->p;
- if (!BN_mod_inverse(rsa->iqmp,rsa->q,p,ctx)) goto err;
-
--#ifdef OPENSSL_FIPS
-- if (FIPS_module_mode())
-- {
-- if (fips_rsa_pairwise_fail)
-- BN_add_word(rsa->n, 1);
--
-- if(!fips_check_rsa(rsa))
-- goto err;
-- }
--#endif
--
- ok=1;
- err:
- if (ok == -1)
-diff -up openssl-1.0.1e/ssl/t1_enc.c.fips-reqs openssl-1.0.1e/ssl/t1_enc.c
---- openssl-1.0.1e/ssl/t1_enc.c.fips-reqs 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/ssl/t1_enc.c 2013-12-18 12:17:09.801637751 +0100
-@@ -291,6 +291,27 @@ static int tls1_PRF(long digest_mask,
- err:
- return ret;
- }
-+
-+int private_tls1_PRF(long digest_mask,
-+ const void *seed1, int seed1_len,
-+ const void *seed2, int seed2_len,
-+ const void *seed3, int seed3_len,
-+ const void *seed4, int seed4_len,
-+ const void *seed5, int seed5_len,
-+ const unsigned char *sec, int slen,
-+ unsigned char *out1,
-+ unsigned char *out2, int olen)
-+ {
-+ return tls1_PRF(digest_mask,
-+ seed1, seed1_len,
-+ seed2, seed2_len,
-+ seed3, seed3_len,
-+ seed4, seed4_len,
-+ seed5, seed5_len,
-+ sec, slen,
-+ out1, out2, olen);
-+ }
-+
- static int tls1_generate_key_block(SSL *s, unsigned char *km,
- unsigned char *tmp, int num)
- {
diff --git a/SOURCES/openssl-1.0.1e-no-md5-verify.patch b/SOURCES/openssl-1.0.1e-no-md5-verify.patch
deleted file mode 100644
index f379735..0000000
--- a/SOURCES/openssl-1.0.1e-no-md5-verify.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-diff -up openssl-1.0.1e/crypto/asn1/a_verify.c.no-md5-verify openssl-1.0.1e/crypto/asn1/a_verify.c
---- openssl-1.0.1e/crypto/asn1/a_verify.c.no-md5-verify 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/asn1/a_verify.c 2013-11-13 16:30:04.628791616 +0100
-@@ -56,6 +56,9 @@
- * [including the GNU Public Licence.]
- */
-
-+/* for secure_getenv */
-+#define _GNU_SOURCE
-+
- #include <stdio.h>
- #include <time.h>
-
-@@ -171,6 +174,11 @@ int ASN1_item_verify(const ASN1_ITEM *it
- goto err;
- ret = -1;
- }
-+ else if (mdnid == NID_md5 && secure_getenv("OPENSSL_ENABLE_MD5_VERIFY") == NULL)
-+ {
-+ ASN1err(ASN1_F_ASN1_ITEM_VERIFY, ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
-+ goto err;
-+ }
- else
- {
- const EVP_MD *type;
diff --git a/SOURCES/openssl-1.0.1e-pkcs12-memleak.patch b/SOURCES/openssl-1.0.1e-pkcs12-memleak.patch
deleted file mode 100644
index 261b16e..0000000
--- a/SOURCES/openssl-1.0.1e-pkcs12-memleak.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up openssl-1.0.1e/crypto/pkcs12/p12_kiss.c.memleak openssl-1.0.1e/crypto/pkcs12/p12_kiss.c
---- openssl-1.0.1e/crypto/pkcs12/p12_kiss.c.memleak 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/pkcs12/p12_kiss.c 2016-01-14 17:45:56.346941782 +0100
-@@ -269,7 +269,7 @@ static int parse_bag(PKCS12_SAFEBAG *bag
- int len, r;
- unsigned char *data;
- len = ASN1_STRING_to_UTF8(&data, fname);
-- if(len > 0) {
-+ if(len >= 0) {
- r = X509_alias_set1(x509, data, len);
- OPENSSL_free(data);
- if (!r)
diff --git a/SOURCES/openssl-1.0.1e-ppc-asm-update.patch b/SOURCES/openssl-1.0.1e-ppc-asm-update.patch
deleted file mode 100644
index 91efede..0000000
--- a/SOURCES/openssl-1.0.1e-ppc-asm-update.patch
+++ /dev/null
@@ -1,6677 +0,0 @@
-diff --git a/Configure b/Configure
-index 9c803dc..5a5c2d8 100755
---- a/Configure
-+++ b/Configure
-@@ -139,8 +139,8 @@ my $s390x_asm="s390xcap.o s390xcpuid.o:bn-s390x.o s390x-mont.o s390x-gf2m.o::aes
- my $armv4_asm="armcap.o armv4cpuid.o:bn_asm.o armv4-mont.o armv4-gf2m.o::aes_cbc.o aes-armv4.o:::sha1-armv4-large.o sha256-armv4.o sha512-armv4.o:::::::ghash-armv4.o::void";
- my $parisc11_asm="pariscid.o:bn_asm.o parisc-mont.o::aes_core.o aes_cbc.o aes-parisc.o:::sha1-parisc.o sha256-parisc.o sha512-parisc.o::rc4-parisc.o:::::ghash-parisc.o::32";
- my $parisc20_asm="pariscid.o:pa-risc2W.o parisc-mont.o::aes_core.o aes_cbc.o aes-parisc.o:::sha1-parisc.o sha256-parisc.o sha512-parisc.o::rc4-parisc.o:::::ghash-parisc.o::64";
--my $ppc32_asm="ppccpuid.o ppccap.o:bn-ppc.o ppc-mont.o ppc64-mont.o::aes_core.o aes_cbc.o aes-ppc.o:::sha1-ppc.o sha256-ppc.o::::::::";
--my $ppc64_asm="ppccpuid.o ppccap.o:bn-ppc.o ppc-mont.o ppc64-mont.o::aes_core.o aes_cbc.o aes-ppc.o:::sha1-ppc.o sha256-ppc.o sha512-ppc.o::::::::";
-+my $ppc64_asm="ppccpuid.o ppccap.o:bn-ppc.o ppc-mont.o ppc64-mont.o::aes_core.o aes_cbc.o aes-ppc.o vpaes-ppc.o aesp8-ppc.o:::sha1-ppc.o sha256-ppc.o sha512-ppc.o sha256p8-ppc.o sha512p8-ppc.o:::::::ghashp8-ppc.o:";
-+my $ppc32_asm=$ppc64_asm;
- my $no_asm=":::::::::::::::void";
-
- # As for $BSDthreads. Idea is to maintain "collective" set of flags,
-@@ -357,6 +357,7 @@ my %table=(
- ####
- "linux-generic64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- "linux-ppc64", "gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-+"linux-ppc64le","gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:$ppc64_asm:linux64le:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::",
- "linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- "linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- "linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-@@ -462,8 +463,8 @@ my %table=(
-
- #### IBM's AIX.
- "aix3-cc", "cc:-O -DB_ENDIAN -qmaxmem=16384::(unknown):AIX::BN_LLONG RC4_CHAR:::",
--"aix-gcc", "gcc:-O -DB_ENDIAN::-pthread:AIX::BN_LLONG RC4_CHAR:${ppc32_asm}:aix32:dlfcn:aix-shared::-shared -Wl,-G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X32",
--"aix64-gcc","gcc:-maix64 -O -DB_ENDIAN::-pthread:AIX::SIXTY_FOUR_BIT_LONG RC4_CHAR:${ppc64_asm}:aix64:dlfcn:aix-shared::-maix64 -shared -Wl,-G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X64",
-+"aix-gcc", "gcc:-O -DB_ENDIAN::-pthread:AIX::BN_LLONG RC4_CHAR:$ppc32_asm:aix32:dlfcn:aix-shared::-shared -Wl,-G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X32",
-+"aix64-gcc","gcc:-maix64 -O -DB_ENDIAN::-pthread:AIX::SIXTY_FOUR_BIT_LONG RC4_CHAR:$ppc64_asm:aix64:dlfcn:aix-shared::-maix64 -shared -Wl,-G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X64",
- # Below targets assume AIX 5. Idea is to effectively disregard $OBJECT_MODE
- # at build time. $OBJECT_MODE is respected at ./config stage!
- "aix-cc", "cc:-q32 -O -DB_ENDIAN -qmaxmem=16384 -qro -qroconst::-qthreaded -D_THREAD_SAFE:AIX::BN_LLONG RC4_CHAR:${ppc32_asm}:aix32:dlfcn:aix-shared::-q32 -G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 32",
-@@ -1525,7 +1526,7 @@ else {
- $wp_obj="wp_block.o";
- }
- $cmll_obj=$cmll_enc unless ($cmll_obj =~ /.o$/);
--if ($modes_obj =~ /ghash/)
-+if ($modes_obj =~ /ghash\-/)
- {
- $cflags.=" -DGHASH_ASM";
- }
-diff --git a/config b/config
-index 88b9bc6..8b80802 100755
---- a/config
-+++ b/config
-@@ -587,13 +587,20 @@ case "$GUESSOS" in
- fi
- ;;
- ppc64-*-linux2)
-- echo "WARNING! If you wish to build 64-bit library, then you have to"
-- echo " invoke './Configure linux-ppc64' *manually*."
-- if [ "$TEST" = "false" -a -t 1 ]; then
-- echo " You have about 5 seconds to press Ctrl-C to abort."
-- (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
-+ if [ -z "$KERNEL_BITS" ]; then
-+ echo "WARNING! If you wish to build 64-bit library, then you have to"
-+ echo " invoke './Configure linux-ppc64' *manually*."
-+ if [ "$TEST" = "false" -a -t 1 ]; then
-+ echo " You have about 5 seconds to press Ctrl-C to abort."
-+ (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
-+ fi
-+ fi
-+ if [ "$KERNEL_BITS" = "64" ]; then
-+ OUT="linux-ppc64"
-+ else
-+ OUT="linux-ppc"
-+ (echo "__LP64__" | gcc -E -x c - 2>/dev/null | grep "^__LP64__" 2>&1 > /dev/null) || options="$options -m32"
- fi
-- OUT="linux-ppc"
- ;;
- ppc-*-linux2) OUT="linux-ppc" ;;
- ppc60x-*-vxworks*) OUT="vxworks-ppc60x" ;;
-diff --git a/crypto/aes/Makefile b/crypto/aes/Makefile
-index 45ede0a..847f4ee 100644
---- a/crypto/aes/Makefile
-+++ b/crypto/aes/Makefile
-@@ -71,6 +71,10 @@ aes-sparcv9.s: asm/aes-sparcv9.pl
-
- aes-ppc.s: asm/aes-ppc.pl
- $(PERL) asm/aes-ppc.pl $(PERLASM_SCHEME) $@
-+vpaes-ppc.s: asm/vpaes-ppc.pl
-+ $(PERL) asm/vpaes-ppc.pl $(PERLASM_SCHEME) $@
-+aesp8-ppc.s: asm/aesp8-ppc.pl
-+ $(PERL) asm/aesp8-ppc.pl $(PERLASM_SCHEME) $@
-
- aes-parisc.s: asm/aes-parisc.pl
- $(PERL) asm/aes-parisc.pl $(PERLASM_SCHEME) $@
-diff --git a/crypto/aes/asm/aes-ppc.pl b/crypto/aes/asm/aes-ppc.pl
-index 7c52cbe..7a99fc3 100644
---- a/crypto/aes/asm/aes-ppc.pl
-+++ b/crypto/aes/asm/aes-ppc.pl
-@@ -45,6 +45,8 @@ if ($flavour =~ /64/) {
- $PUSH ="stw";
- } else { die "nonsense $flavour"; }
-
-+$LITTLE_ENDIAN = ($flavour=~/le$/) ? $SIZE_T : 0;
-+
- $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
- ( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or
- ( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or
-@@ -68,7 +70,7 @@ $key="r5";
- $Tbl0="r3";
- $Tbl1="r6";
- $Tbl2="r7";
--$Tbl3="r2";
-+$Tbl3=$out; # stay away from "r2"; $out is offloaded to stack
-
- $s0="r8";
- $s1="r9";
-@@ -76,7 +78,7 @@ $s2="r10";
- $s3="r11";
-
- $t0="r12";
--$t1="r13";
-+$t1="r0"; # stay away from "r13";
- $t2="r14";
- $t3="r15";
-
-@@ -100,9 +102,6 @@ $acc13="r29";
- $acc14="r30";
- $acc15="r31";
-
--# stay away from TLS pointer
--if ($SIZE_T==8) { die if ($t1 ne "r13"); $t1="r0"; }
--else { die if ($Tbl3 ne "r2"); $Tbl3=$t0; $t0="r0"; }
- $mask80=$Tbl2;
- $mask1b=$Tbl3;
-
-@@ -337,8 +336,7 @@ $code.=<<___;
- $STU $sp,-$FRAME($sp)
- mflr r0
-
-- $PUSH $toc,`$FRAME-$SIZE_T*20`($sp)
-- $PUSH r13,`$FRAME-$SIZE_T*19`($sp)
-+ $PUSH $out,`$FRAME-$SIZE_T*19`($sp)
- $PUSH r14,`$FRAME-$SIZE_T*18`($sp)
- $PUSH r15,`$FRAME-$SIZE_T*17`($sp)
- $PUSH r16,`$FRAME-$SIZE_T*16`($sp)
-@@ -365,16 +363,61 @@ $code.=<<___;
- bne Lenc_unaligned
-
- Lenc_unaligned_ok:
-+___
-+$code.=<<___ if (!$LITTLE_ENDIAN);
- lwz $s0,0($inp)
- lwz $s1,4($inp)
- lwz $s2,8($inp)
- lwz $s3,12($inp)
-+___
-+$code.=<<___ if ($LITTLE_ENDIAN);
-+ lwz $t0,0($inp)
-+ lwz $t1,4($inp)
-+ lwz $t2,8($inp)
-+ lwz $t3,12($inp)
-+ rotlwi $s0,$t0,8
-+ rotlwi $s1,$t1,8
-+ rotlwi $s2,$t2,8
-+ rotlwi $s3,$t3,8
-+ rlwimi $s0,$t0,24,0,7
-+ rlwimi $s1,$t1,24,0,7
-+ rlwimi $s2,$t2,24,0,7
-+ rlwimi $s3,$t3,24,0,7
-+ rlwimi $s0,$t0,24,16,23
-+ rlwimi $s1,$t1,24,16,23
-+ rlwimi $s2,$t2,24,16,23
-+ rlwimi $s3,$t3,24,16,23
-+___
-+$code.=<<___;
- bl LAES_Te
- bl Lppc_AES_encrypt_compact
-+ $POP $out,`$FRAME-$SIZE_T*19`($sp)
-+___
-+$code.=<<___ if ($LITTLE_ENDIAN);
-+ rotlwi $t0,$s0,8
-+ rotlwi $t1,$s1,8
-+ rotlwi $t2,$s2,8
-+ rotlwi $t3,$s3,8
-+ rlwimi $t0,$s0,24,0,7
-+ rlwimi $t1,$s1,24,0,7
-+ rlwimi $t2,$s2,24,0,7
-+ rlwimi $t3,$s3,24,0,7
-+ rlwimi $t0,$s0,24,16,23
-+ rlwimi $t1,$s1,24,16,23
-+ rlwimi $t2,$s2,24,16,23
-+ rlwimi $t3,$s3,24,16,23
-+ stw $t0,0($out)
-+ stw $t1,4($out)
-+ stw $t2,8($out)
-+ stw $t3,12($out)
-+___
-+$code.=<<___ if (!$LITTLE_ENDIAN);
- stw $s0,0($out)
- stw $s1,4($out)
- stw $s2,8($out)
- stw $s3,12($out)
-+___
-+$code.=<<___;
- b Lenc_done
-
- Lenc_unaligned:
-@@ -417,6 +460,7 @@ Lenc_xpage:
-
- bl LAES_Te
- bl Lppc_AES_encrypt_compact
-+ $POP $out,`$FRAME-$SIZE_T*19`($sp)
-
- extrwi $acc00,$s0,8,0
- extrwi $acc01,$s0,8,8
-@@ -449,8 +493,6 @@ Lenc_xpage:
-
- Lenc_done:
- $POP r0,`$FRAME+$LRSAVE`($sp)
-- $POP $toc,`$FRAME-$SIZE_T*20`($sp)
-- $POP r13,`$FRAME-$SIZE_T*19`($sp)
- $POP r14,`$FRAME-$SIZE_T*18`($sp)
- $POP r15,`$FRAME-$SIZE_T*17`($sp)
- $POP r16,`$FRAME-$SIZE_T*16`($sp)
-@@ -764,6 +806,7 @@ Lenc_compact_done:
- blr
- .long 0
- .byte 0,12,0x14,0,0,0,0,0
-+.size .AES_encrypt,.-.AES_encrypt
-
- .globl .AES_decrypt
- .align 7
-@@ -771,8 +814,7 @@ Lenc_compact_done:
- $STU $sp,-$FRAME($sp)
- mflr r0
-
-- $PUSH $toc,`$FRAME-$SIZE_T*20`($sp)
-- $PUSH r13,`$FRAME-$SIZE_T*19`($sp)
-+ $PUSH $out,`$FRAME-$SIZE_T*19`($sp)
- $PUSH r14,`$FRAME-$SIZE_T*18`($sp)
- $PUSH r15,`$FRAME-$SIZE_T*17`($sp)
- $PUSH r16,`$FRAME-$SIZE_T*16`($sp)
-@@ -799,16 +841,61 @@ Lenc_compact_done:
- bne Ldec_unaligned
-
- Ldec_unaligned_ok:
-+___
-+$code.=<<___ if (!$LITTLE_ENDIAN);
- lwz $s0,0($inp)
- lwz $s1,4($inp)
- lwz $s2,8($inp)
- lwz $s3,12($inp)
-+___
-+$code.=<<___ if ($LITTLE_ENDIAN);
-+ lwz $t0,0($inp)
-+ lwz $t1,4($inp)
-+ lwz $t2,8($inp)
-+ lwz $t3,12($inp)
-+ rotlwi $s0,$t0,8
-+ rotlwi $s1,$t1,8
-+ rotlwi $s2,$t2,8
-+ rotlwi $s3,$t3,8
-+ rlwimi $s0,$t0,24,0,7
-+ rlwimi $s1,$t1,24,0,7
-+ rlwimi $s2,$t2,24,0,7
-+ rlwimi $s3,$t3,24,0,7
-+ rlwimi $s0,$t0,24,16,23
-+ rlwimi $s1,$t1,24,16,23
-+ rlwimi $s2,$t2,24,16,23
-+ rlwimi $s3,$t3,24,16,23
-+___
-+$code.=<<___;
- bl LAES_Td
- bl Lppc_AES_decrypt_compact
-+ $POP $out,`$FRAME-$SIZE_T*19`($sp)
-+___
-+$code.=<<___ if ($LITTLE_ENDIAN);
-+ rotlwi $t0,$s0,8
-+ rotlwi $t1,$s1,8
-+ rotlwi $t2,$s2,8
-+ rotlwi $t3,$s3,8
-+ rlwimi $t0,$s0,24,0,7
-+ rlwimi $t1,$s1,24,0,7
-+ rlwimi $t2,$s2,24,0,7
-+ rlwimi $t3,$s3,24,0,7
-+ rlwimi $t0,$s0,24,16,23
-+ rlwimi $t1,$s1,24,16,23
-+ rlwimi $t2,$s2,24,16,23
-+ rlwimi $t3,$s3,24,16,23
-+ stw $t0,0($out)
-+ stw $t1,4($out)
-+ stw $t2,8($out)
-+ stw $t3,12($out)
-+___
-+$code.=<<___ if (!$LITTLE_ENDIAN);
- stw $s0,0($out)
- stw $s1,4($out)
- stw $s2,8($out)
- stw $s3,12($out)
-+___
-+$code.=<<___;
- b Ldec_done
-
- Ldec_unaligned:
-@@ -851,6 +938,7 @@ Ldec_xpage:
-
- bl LAES_Td
- bl Lppc_AES_decrypt_compact
-+ $POP $out,`$FRAME-$SIZE_T*19`($sp)
-
- extrwi $acc00,$s0,8,0
- extrwi $acc01,$s0,8,8
-@@ -883,8 +971,6 @@ Ldec_xpage:
-
- Ldec_done:
- $POP r0,`$FRAME+$LRSAVE`($sp)
-- $POP $toc,`$FRAME-$SIZE_T*20`($sp)
-- $POP r13,`$FRAME-$SIZE_T*19`($sp)
- $POP r14,`$FRAME-$SIZE_T*18`($sp)
- $POP r15,`$FRAME-$SIZE_T*17`($sp)
- $POP r16,`$FRAME-$SIZE_T*16`($sp)
-@@ -1355,6 +1441,7 @@ Ldec_compact_done:
- blr
- .long 0
- .byte 0,12,0x14,0,0,0,0,0
-+.size .AES_decrypt,.-.AES_decrypt
-
- .asciz "AES for PPC, CRYPTOGAMS by <appro\@openssl.org>"
- .align 7
-diff --git a/crypto/aes/asm/aesp8-ppc.pl b/crypto/aes/asm/aesp8-ppc.pl
-new file mode 100755
-index 0000000..3ee8979
---- /dev/null
-+++ b/crypto/aes/asm/aesp8-ppc.pl
-@@ -0,0 +1,1940 @@
-+#!/usr/bin/env perl
-+#
-+# ====================================================================
-+# Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
-+# project. The module is, however, dual licensed under OpenSSL and
-+# CRYPTOGAMS licenses depending on where you obtain it. For further
-+# details see http://www.openssl.org/~appro/cryptogams/.
-+# ====================================================================
-+#
-+# This module implements support for AES instructions as per PowerISA
-+# specification version 2.07, first implemented by POWER8 processor.
-+# The module is endian-agnostic in sense that it supports both big-
-+# and little-endian cases. Data alignment in parallelizable modes is
-+# handled with VSX loads and stores, which implies MSR.VSX flag being
-+# set. It should also be noted that ISA specification doesn't prohibit
-+# alignment exceptions for these instructions on page boundaries.
-+# Initially alignment was handled in pure AltiVec/VMX way [when data
-+# is aligned programmatically, which in turn guarantees exception-
-+# free execution], but it turned to hamper performance when vcipher
-+# instructions are interleaved. It's reckoned that eventual
-+# misalignment penalties at page boundaries are in average lower
-+# than additional overhead in pure AltiVec approach.
-+
-+$flavour = shift;
-+
-+if ($flavour =~ /64/) {
-+ $SIZE_T =8;
-+ $LRSAVE =2*$SIZE_T;
-+ $STU ="stdu";
-+ $POP ="ld";
-+ $PUSH ="std";
-+ $UCMP ="cmpld";
-+ $SHL ="sldi";
-+} elsif ($flavour =~ /32/) {
-+ $SIZE_T =4;
-+ $LRSAVE =$SIZE_T;
-+ $STU ="stwu";
-+ $POP ="lwz";
-+ $PUSH ="stw";
-+ $UCMP ="cmplw";
-+ $SHL ="slwi";
-+} else { die "nonsense $flavour"; }
-+
-+$LITTLE_ENDIAN = ($flavour=~/le$/) ? $SIZE_T : 0;
-+
-+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
-+( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or
-+( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or
-+die "can't locate ppc-xlate.pl";
-+
-+open STDOUT,"| $^X $xlate $flavour ".shift || die "can't call $xlate: $!";
-+
-+$FRAME=8*$SIZE_T;
-+$prefix="aes_p8";
-+
-+$sp="r1";
-+$vrsave="r12";
-+
-+#########################################################################
-+{{{ # Key setup procedures #
-+my ($inp,$bits,$out,$ptr,$cnt,$rounds)=map("r$_",(3..8));
-+my ($zero,$in0,$in1,$key,$rcon,$mask,$tmp)=map("v$_",(0..6));
-+my ($stage,$outperm,$outmask,$outhead,$outtail)=map("v$_",(7..11));
-+
-+$code.=<<___;
-+.machine "any"
-+
-+.text
-+
-+.align 7
-+rcon:
-+.long 0x01000000, 0x01000000, 0x01000000, 0x01000000 ?rev
-+.long 0x1b000000, 0x1b000000, 0x1b000000, 0x1b000000 ?rev
-+.long 0x0d0e0f0c, 0x0d0e0f0c, 0x0d0e0f0c, 0x0d0e0f0c ?rev
-+.long 0,0,0,0 ?asis
-+Lconsts:
-+ mflr r0
-+ bcl 20,31,\$+4
-+ mflr $ptr #vvvvv "distance between . and rcon
-+ addi $ptr,$ptr,-0x48
-+ mtlr r0
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,0,0
-+.asciz "AES for PowerISA 2.07, CRYPTOGAMS by <appro\@openssl.org>"
-+
-+.globl .${prefix}_set_encrypt_key
-+.align 5
-+.${prefix}_set_encrypt_key:
-+Lset_encrypt_key:
-+ mflr r11
-+ $PUSH r11,$LRSAVE($sp)
-+
-+ li $ptr,-1
-+ ${UCMP}i $inp,0
-+ beq- Lenc_key_abort # if ($inp==0) return -1;
-+ ${UCMP}i $out,0
-+ beq- Lenc_key_abort # if ($out==0) return -1;
-+ li $ptr,-2
-+ cmpwi $bits,128
-+ blt- Lenc_key_abort
-+ cmpwi $bits,256
-+ bgt- Lenc_key_abort
-+ andi. r0,$bits,0x3f
-+ bne- Lenc_key_abort
-+
-+ lis r0,0xfff0
-+ mfspr $vrsave,256
-+ mtspr 256,r0
-+
-+ bl Lconsts
-+ mtlr r11
-+
-+ neg r9,$inp
-+ lvx $in0,0,$inp
-+ addi $inp,$inp,15 # 15 is not typo
-+ lvsr $key,0,r9 # borrow $key
-+ li r8,0x20
-+ cmpwi $bits,192
-+ lvx $in1,0,$inp
-+ le?vspltisb $mask,0x0f # borrow $mask
-+ lvx $rcon,0,$ptr
-+ le?vxor $key,$key,$mask # adjust for byte swap
-+ lvx $mask,r8,$ptr
-+ addi $ptr,$ptr,0x10
-+ vperm $in0,$in0,$in1,$key # align [and byte swap in LE]
-+ li $cnt,8
-+ vxor $zero,$zero,$zero
-+ mtctr $cnt
-+
-+ ?lvsr $outperm,0,$out
-+ vspltisb $outmask,-1
-+ lvx $outhead,0,$out
-+ ?vperm $outmask,$zero,$outmask,$outperm
-+
-+ blt Loop128
-+ addi $inp,$inp,8
-+ beq L192
-+ addi $inp,$inp,8
-+ b L256
-+
-+.align 4
-+Loop128:
-+ vperm $key,$in0,$in0,$mask # rotate-n-splat
-+ vsldoi $tmp,$zero,$in0,12 # >>32
-+ vperm $outtail,$in0,$in0,$outperm # rotate
-+ vsel $stage,$outhead,$outtail,$outmask
-+ vmr $outhead,$outtail
-+ vcipherlast $key,$key,$rcon
-+ stvx $stage,0,$out
-+ addi $out,$out,16
-+
-+ vxor $in0,$in0,$tmp
-+ vsldoi $tmp,$zero,$tmp,12 # >>32
-+ vxor $in0,$in0,$tmp
-+ vsldoi $tmp,$zero,$tmp,12 # >>32
-+ vxor $in0,$in0,$tmp
-+ vadduwm $rcon,$rcon,$rcon
-+ vxor $in0,$in0,$key
-+ bdnz Loop128
-+
-+ lvx $rcon,0,$ptr # last two round keys
-+
-+ vperm $key,$in0,$in0,$mask # rotate-n-splat
-+ vsldoi $tmp,$zero,$in0,12 # >>32
-+ vperm $outtail,$in0,$in0,$outperm # rotate
-+ vsel $stage,$outhead,$outtail,$outmask
-+ vmr $outhead,$outtail
-+ vcipherlast $key,$key,$rcon
-+ stvx $stage,0,$out
-+ addi $out,$out,16
-+
-+ vxor $in0,$in0,$tmp
-+ vsldoi $tmp,$zero,$tmp,12 # >>32
-+ vxor $in0,$in0,$tmp
-+ vsldoi $tmp,$zero,$tmp,12 # >>32
-+ vxor $in0,$in0,$tmp
-+ vadduwm $rcon,$rcon,$rcon
-+ vxor $in0,$in0,$key
-+
-+ vperm $key,$in0,$in0,$mask # rotate-n-splat
-+ vsldoi $tmp,$zero,$in0,12 # >>32
-+ vperm $outtail,$in0,$in0,$outperm # rotate
-+ vsel $stage,$outhead,$outtail,$outmask
-+ vmr $outhead,$outtail
-+ vcipherlast $key,$key,$rcon
-+ stvx $stage,0,$out
-+ addi $out,$out,16
-+
-+ vxor $in0,$in0,$tmp
-+ vsldoi $tmp,$zero,$tmp,12 # >>32
-+ vxor $in0,$in0,$tmp
-+ vsldoi $tmp,$zero,$tmp,12 # >>32
-+ vxor $in0,$in0,$tmp
-+ vxor $in0,$in0,$key
-+ vperm $outtail,$in0,$in0,$outperm # rotate
-+ vsel $stage,$outhead,$outtail,$outmask
-+ vmr $outhead,$outtail
-+ stvx $stage,0,$out
-+
-+ addi $inp,$out,15 # 15 is not typo
-+ addi $out,$out,0x50
-+
-+ li $rounds,10
-+ b Ldone
-+
-+.align 4
-+L192:
-+ lvx $tmp,0,$inp
-+ li $cnt,4
-+ vperm $outtail,$in0,$in0,$outperm # rotate
-+ vsel $stage,$outhead,$outtail,$outmask
-+ vmr $outhead,$outtail
-+ stvx $stage,0,$out
-+ addi $out,$out,16
-+ vperm $in1,$in1,$tmp,$key # align [and byte swap in LE]
-+ vspltisb $key,8 # borrow $key
-+ mtctr $cnt
-+ vsububm $mask,$mask,$key # adjust the mask
-+
-+Loop192:
-+ vperm $key,$in1,$in1,$mask # roate-n-splat
-+ vsldoi $tmp,$zero,$in0,12 # >>32
-+ vcipherlast $key,$key,$rcon
-+
-+ vxor $in0,$in0,$tmp
-+ vsldoi $tmp,$zero,$tmp,12 # >>32
-+ vxor $in0,$in0,$tmp
-+ vsldoi $tmp,$zero,$tmp,12 # >>32
-+ vxor $in0,$in0,$tmp
-+
-+ vsldoi $stage,$zero,$in1,8
-+ vspltw $tmp,$in0,3
-+ vxor $tmp,$tmp,$in1
-+ vsldoi $in1,$zero,$in1,12 # >>32
-+ vadduwm $rcon,$rcon,$rcon
-+ vxor $in1,$in1,$tmp
-+ vxor $in0,$in0,$key
-+ vxor $in1,$in1,$key
-+ vsldoi $stage,$stage,$in0,8
-+
-+ vperm $key,$in1,$in1,$mask # rotate-n-splat
-+ vsldoi $tmp,$zero,$in0,12 # >>32
-+ vperm $outtail,$stage,$stage,$outperm # rotate
-+ vsel $stage,$outhead,$outtail,$outmask
-+ vmr $outhead,$outtail
-+ vcipherlast $key,$key,$rcon
-+ stvx $stage,0,$out
-+ addi $out,$out,16
-+
-+ vsldoi $stage,$in0,$in1,8
-+ vxor $in0,$in0,$tmp
-+ vsldoi $tmp,$zero,$tmp,12 # >>32
-+ vperm $outtail,$stage,$stage,$outperm # rotate
-+ vsel $stage,$outhead,$outtail,$outmask
-+ vmr $outhead,$outtail
-+ vxor $in0,$in0,$tmp
-+ vsldoi $tmp,$zero,$tmp,12 # >>32
-+ vxor $in0,$in0,$tmp
-+ stvx $stage,0,$out
-+ addi $out,$out,16
-+
-+ vspltw $tmp,$in0,3
-+ vxor $tmp,$tmp,$in1
-+ vsldoi $in1,$zero,$in1,12 # >>32
-+ vadduwm $rcon,$rcon,$rcon
-+ vxor $in1,$in1,$tmp
-+ vxor $in0,$in0,$key
-+ vxor $in1,$in1,$key
-+ vperm $outtail,$in0,$in0,$outperm # rotate
-+ vsel $stage,$outhead,$outtail,$outmask
-+ vmr $outhead,$outtail
-+ stvx $stage,0,$out
-+ addi $inp,$out,15 # 15 is not typo
-+ addi $out,$out,16
-+ bdnz Loop192
-+
-+ li $rounds,12
-+ addi $out,$out,0x20
-+ b Ldone
-+
-+.align 4
-+L256:
-+ lvx $tmp,0,$inp
-+ li $cnt,7
-+ li $rounds,14
-+ vperm $outtail,$in0,$in0,$outperm # rotate
-+ vsel $stage,$outhead,$outtail,$outmask
-+ vmr $outhead,$outtail
-+ stvx $stage,0,$out
-+ addi $out,$out,16
-+ vperm $in1,$in1,$tmp,$key # align [and byte swap in LE]
-+ mtctr $cnt
-+
-+Loop256:
-+ vperm $key,$in1,$in1,$mask # rotate-n-splat
-+ vsldoi $tmp,$zero,$in0,12 # >>32
-+ vperm $outtail,$in1,$in1,$outperm # rotate
-+ vsel $stage,$outhead,$outtail,$outmask
-+ vmr $outhead,$outtail
-+ vcipherlast $key,$key,$rcon
-+ stvx $stage,0,$out
-+ addi $out,$out,16
-+
-+ vxor $in0,$in0,$tmp
-+ vsldoi $tmp,$zero,$tmp,12 # >>32
-+ vxor $in0,$in0,$tmp
-+ vsldoi $tmp,$zero,$tmp,12 # >>32
-+ vxor $in0,$in0,$tmp
-+ vadduwm $rcon,$rcon,$rcon
-+ vxor $in0,$in0,$key
-+ vperm $outtail,$in0,$in0,$outperm # rotate
-+ vsel $stage,$outhead,$outtail,$outmask
-+ vmr $outhead,$outtail
-+ stvx $stage,0,$out
-+ addi $inp,$out,15 # 15 is not typo
-+ addi $out,$out,16
-+ bdz Ldone
-+
-+ vspltw $key,$in0,3 # just splat
-+ vsldoi $tmp,$zero,$in1,12 # >>32
-+ vsbox $key,$key
-+
-+ vxor $in1,$in1,$tmp
-+ vsldoi $tmp,$zero,$tmp,12 # >>32
-+ vxor $in1,$in1,$tmp
-+ vsldoi $tmp,$zero,$tmp,12 # >>32
-+ vxor $in1,$in1,$tmp
-+
-+ vxor $in1,$in1,$key
-+ b Loop256
-+
-+.align 4
-+Ldone:
-+ lvx $in1,0,$inp # redundant in aligned case
-+ vsel $in1,$outhead,$in1,$outmask
-+ stvx $in1,0,$inp
-+ li $ptr,0
-+ mtspr 256,$vrsave
-+ stw $rounds,0($out)
-+
-+Lenc_key_abort:
-+ mr r3,$ptr
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,1,0,0,3,0
-+ .long 0
-+.size .${prefix}_set_encrypt_key,.-.${prefix}_set_encrypt_key
-+
-+.globl .${prefix}_set_decrypt_key
-+.align 5
-+.${prefix}_set_decrypt_key:
-+ $STU $sp,-$FRAME($sp)
-+ mflr r10
-+ $PUSH r10,$FRAME+$LRSAVE($sp)
-+ bl Lset_encrypt_key
-+ mtlr r10
-+
-+ cmpwi r3,0
-+ bne- Ldec_key_abort
-+
-+ slwi $cnt,$rounds,4
-+ subi $inp,$out,240 # first round key
-+ srwi $rounds,$rounds,1
-+ add $out,$inp,$cnt # last round key
-+ mtctr $rounds
-+
-+Ldeckey:
-+ lwz r0, 0($inp)
-+ lwz r6, 4($inp)
-+ lwz r7, 8($inp)
-+ lwz r8, 12($inp)
-+ addi $inp,$inp,16
-+ lwz r9, 0($out)
-+ lwz r10,4($out)
-+ lwz r11,8($out)
-+ lwz r12,12($out)
-+ stw r0, 0($out)
-+ stw r6, 4($out)
-+ stw r7, 8($out)
-+ stw r8, 12($out)
-+ subi $out,$out,16
-+ stw r9, -16($inp)
-+ stw r10,-12($inp)
-+ stw r11,-8($inp)
-+ stw r12,-4($inp)
-+ bdnz Ldeckey
-+
-+ xor r3,r3,r3 # return value
-+Ldec_key_abort:
-+ addi $sp,$sp,$FRAME
-+ blr
-+ .long 0
-+ .byte 0,12,4,1,0x80,0,3,0
-+ .long 0
-+.size .${prefix}_set_decrypt_key,.-.${prefix}_set_decrypt_key
-+___
-+}}}
-+#########################################################################
-+{{{ # Single block en- and decrypt procedures #
-+sub gen_block () {
-+my $dir = shift;
-+my $n = $dir eq "de" ? "n" : "";
-+my ($inp,$out,$key,$rounds,$idx)=map("r$_",(3..7));
-+
-+$code.=<<___;
-+.globl .${prefix}_${dir}crypt
-+.align 5
-+.${prefix}_${dir}crypt:
-+ lwz $rounds,240($key)
-+ lis r0,0xfc00
-+ mfspr $vrsave,256
-+ li $idx,15 # 15 is not typo
-+ mtspr 256,r0
-+
-+ lvx v0,0,$inp
-+ neg r11,$out
-+ lvx v1,$idx,$inp
-+ lvsl v2,0,$inp # inpperm
-+ le?vspltisb v4,0x0f
-+ ?lvsl v3,0,r11 # outperm
-+ le?vxor v2,v2,v4
-+ li $idx,16
-+ vperm v0,v0,v1,v2 # align [and byte swap in LE]
-+ lvx v1,0,$key
-+ ?lvsl v5,0,$key # keyperm
-+ srwi $rounds,$rounds,1
-+ lvx v2,$idx,$key
-+ addi $idx,$idx,16
-+ subi $rounds,$rounds,1
-+ ?vperm v1,v1,v2,v5 # align round key
-+
-+ vxor v0,v0,v1
-+ lvx v1,$idx,$key
-+ addi $idx,$idx,16
-+ mtctr $rounds
-+
-+Loop_${dir}c:
-+ ?vperm v2,v2,v1,v5
-+ v${n}cipher v0,v0,v2
-+ lvx v2,$idx,$key
-+ addi $idx,$idx,16
-+ ?vperm v1,v1,v2,v5
-+ v${n}cipher v0,v0,v1
-+ lvx v1,$idx,$key
-+ addi $idx,$idx,16
-+ bdnz Loop_${dir}c
-+
-+ ?vperm v2,v2,v1,v5
-+ v${n}cipher v0,v0,v2
-+ lvx v2,$idx,$key
-+ ?vperm v1,v1,v2,v5
-+ v${n}cipherlast v0,v0,v1
-+
-+ vspltisb v2,-1
-+ vxor v1,v1,v1
-+ li $idx,15 # 15 is not typo
-+ ?vperm v2,v1,v2,v3 # outmask
-+ le?vxor v3,v3,v4
-+ lvx v1,0,$out # outhead
-+ vperm v0,v0,v0,v3 # rotate [and byte swap in LE]
-+ vsel v1,v1,v0,v2
-+ lvx v4,$idx,$out
-+ stvx v1,0,$out
-+ vsel v0,v0,v4,v2
-+ stvx v0,$idx,$out
-+
-+ mtspr 256,$vrsave
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,3,0
-+ .long 0
-+.size .${prefix}_${dir}crypt,.-.${prefix}_${dir}crypt
-+___
-+}
-+&gen_block("en");
-+&gen_block("de");
-+}}}
-+#########################################################################
-+{{{ # CBC en- and decrypt procedures #
-+my ($inp,$out,$len,$key,$ivp,$enc,$rounds,$idx)=map("r$_",(3..10));
-+my ($rndkey0,$rndkey1,$inout,$tmp)= map("v$_",(0..3));
-+my ($ivec,$inptail,$inpperm,$outhead,$outperm,$outmask,$keyperm)=
-+ map("v$_",(4..10));
-+$code.=<<___;
-+.globl .${prefix}_cbc_encrypt
-+.align 5
-+.${prefix}_cbc_encrypt:
-+ ${UCMP}i $len,16
-+ bltlr-
-+
-+ cmpwi $enc,0 # test direction
-+ lis r0,0xffe0
-+ mfspr $vrsave,256
-+ mtspr 256,r0
-+
-+ li $idx,15
-+ vxor $rndkey0,$rndkey0,$rndkey0
-+ le?vspltisb $tmp,0x0f
-+
-+ lvx $ivec,0,$ivp # load [unaligned] iv
-+ lvsl $inpperm,0,$ivp
-+ lvx $inptail,$idx,$ivp
-+ le?vxor $inpperm,$inpperm,$tmp
-+ vperm $ivec,$ivec,$inptail,$inpperm
-+
-+ neg r11,$inp
-+ ?lvsl $keyperm,0,$key # prepare for unaligned key
-+ lwz $rounds,240($key)
-+
-+ lvsr $inpperm,0,r11 # prepare for unaligned load
-+ lvx $inptail,0,$inp
-+ addi $inp,$inp,15 # 15 is not typo
-+ le?vxor $inpperm,$inpperm,$tmp
-+
-+ ?lvsr $outperm,0,$out # prepare for unaligned store
-+ vspltisb $outmask,-1
-+ lvx $outhead,0,$out
-+ ?vperm $outmask,$rndkey0,$outmask,$outperm
-+ le?vxor $outperm,$outperm,$tmp
-+
-+ srwi $rounds,$rounds,1
-+ li $idx,16
-+ subi $rounds,$rounds,1
-+ beq Lcbc_dec
-+
-+Lcbc_enc:
-+ vmr $inout,$inptail
-+ lvx $inptail,0,$inp
-+ addi $inp,$inp,16
-+ mtctr $rounds
-+ subi $len,$len,16 # len-=16
-+
-+ lvx $rndkey0,0,$key
-+ vperm $inout,$inout,$inptail,$inpperm
-+ lvx $rndkey1,$idx,$key
-+ addi $idx,$idx,16
-+ ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
-+ vxor $inout,$inout,$rndkey0
-+ lvx $rndkey0,$idx,$key
-+ addi $idx,$idx,16
-+ vxor $inout,$inout,$ivec
-+
-+Loop_cbc_enc:
-+ ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
-+ vcipher $inout,$inout,$rndkey1
-+ lvx $rndkey1,$idx,$key
-+ addi $idx,$idx,16
-+ ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
-+ vcipher $inout,$inout,$rndkey0
-+ lvx $rndkey0,$idx,$key
-+ addi $idx,$idx,16
-+ bdnz Loop_cbc_enc
-+
-+ ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
-+ vcipher $inout,$inout,$rndkey1
-+ lvx $rndkey1,$idx,$key
-+ li $idx,16
-+ ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
-+ vcipherlast $ivec,$inout,$rndkey0
-+ ${UCMP}i $len,16
-+
-+ vperm $tmp,$ivec,$ivec,$outperm
-+ vsel $inout,$outhead,$tmp,$outmask
-+ vmr $outhead,$tmp
-+ stvx $inout,0,$out
-+ addi $out,$out,16
-+ bge Lcbc_enc
-+
-+ b Lcbc_done
-+
-+.align 4
-+Lcbc_dec:
-+ ${UCMP}i $len,128
-+ bge _aesp8_cbc_decrypt8x
-+ vmr $tmp,$inptail
-+ lvx $inptail,0,$inp
-+ addi $inp,$inp,16
-+ mtctr $rounds
-+ subi $len,$len,16 # len-=16
-+
-+ lvx $rndkey0,0,$key
-+ vperm $tmp,$tmp,$inptail,$inpperm
-+ lvx $rndkey1,$idx,$key
-+ addi $idx,$idx,16
-+ ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
-+ vxor $inout,$tmp,$rndkey0
-+ lvx $rndkey0,$idx,$key
-+ addi $idx,$idx,16
-+
-+Loop_cbc_dec:
-+ ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
-+ vncipher $inout,$inout,$rndkey1
-+ lvx $rndkey1,$idx,$key
-+ addi $idx,$idx,16
-+ ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
-+ vncipher $inout,$inout,$rndkey0
-+ lvx $rndkey0,$idx,$key
-+ addi $idx,$idx,16
-+ bdnz Loop_cbc_dec
-+
-+ ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
-+ vncipher $inout,$inout,$rndkey1
-+ lvx $rndkey1,$idx,$key
-+ li $idx,16
-+ ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
-+ vncipherlast $inout,$inout,$rndkey0
-+ ${UCMP}i $len,16
-+
-+ vxor $inout,$inout,$ivec
-+ vmr $ivec,$tmp
-+ vperm $tmp,$inout,$inout,$outperm
-+ vsel $inout,$outhead,$tmp,$outmask
-+ vmr $outhead,$tmp
-+ stvx $inout,0,$out
-+ addi $out,$out,16
-+ bge Lcbc_dec
-+
-+Lcbc_done:
-+ addi $out,$out,-1
-+ lvx $inout,0,$out # redundant in aligned case
-+ vsel $inout,$outhead,$inout,$outmask
-+ stvx $inout,0,$out
-+
-+ neg $enc,$ivp # write [unaligned] iv
-+ li $idx,15 # 15 is not typo
-+ vxor $rndkey0,$rndkey0,$rndkey0
-+ vspltisb $outmask,-1
-+ le?vspltisb $tmp,0x0f
-+ ?lvsl $outperm,0,$enc
-+ ?vperm $outmask,$rndkey0,$outmask,$outperm
-+ le?vxor $outperm,$outperm,$tmp
-+ lvx $outhead,0,$ivp
-+ vperm $ivec,$ivec,$ivec,$outperm
-+ vsel $inout,$outhead,$ivec,$outmask
-+ lvx $inptail,$idx,$ivp
-+ stvx $inout,0,$ivp
-+ vsel $inout,$ivec,$inptail,$outmask
-+ stvx $inout,$idx,$ivp
-+
-+ mtspr 256,$vrsave
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,6,0
-+ .long 0
-+___
-+#########################################################################
-+{{ # Optimized CBC decrypt procedure #
-+my $key_="r11";
-+my ($x00,$x10,$x20,$x30,$x40,$x50,$x60,$x70)=map("r$_",(0,8,26..31));
-+my ($in0, $in1, $in2, $in3, $in4, $in5, $in6, $in7 )=map("v$_",(0..3,10..13));
-+my ($out0,$out1,$out2,$out3,$out4,$out5,$out6,$out7)=map("v$_",(14..21));
-+my $rndkey0="v23"; # v24-v25 rotating buffer for first found keys
-+ # v26-v31 last 6 round keys
-+my ($tmp,$keyperm)=($in3,$in4); # aliases with "caller", redundant assignment
-+
-+$code.=<<___;
-+.align 5
-+_aesp8_cbc_decrypt8x:
-+ $STU $sp,-`($FRAME+21*16+6*$SIZE_T)`($sp)
-+ li r10,`$FRAME+8*16+15`
-+ li r11,`$FRAME+8*16+31`
-+ stvx v20,r10,$sp # ABI says so
-+ addi r10,r10,32
-+ stvx v21,r11,$sp
-+ addi r11,r11,32
-+ stvx v22,r10,$sp
-+ addi r10,r10,32
-+ stvx v23,r11,$sp
-+ addi r11,r11,32
-+ stvx v24,r10,$sp
-+ addi r10,r10,32
-+ stvx v25,r11,$sp
-+ addi r11,r11,32
-+ stvx v26,r10,$sp
-+ addi r10,r10,32
-+ stvx v27,r11,$sp
-+ addi r11,r11,32
-+ stvx v28,r10,$sp
-+ addi r10,r10,32
-+ stvx v29,r11,$sp
-+ addi r11,r11,32
-+ stvx v30,r10,$sp
-+ stvx v31,r11,$sp
-+ li r0,-1
-+ stw $vrsave,`$FRAME+21*16-4`($sp) # save vrsave
-+ li $x10,0x10
-+ $PUSH r26,`$FRAME+21*16+0*$SIZE_T`($sp)
-+ li $x20,0x20
-+ $PUSH r27,`$FRAME+21*16+1*$SIZE_T`($sp)
-+ li $x30,0x30
-+ $PUSH r28,`$FRAME+21*16+2*$SIZE_T`($sp)
-+ li $x40,0x40
-+ $PUSH r29,`$FRAME+21*16+3*$SIZE_T`($sp)
-+ li $x50,0x50
-+ $PUSH r30,`$FRAME+21*16+4*$SIZE_T`($sp)
-+ li $x60,0x60
-+ $PUSH r31,`$FRAME+21*16+5*$SIZE_T`($sp)
-+ li $x70,0x70
-+ mtspr 256,r0
-+
-+ subi $rounds,$rounds,3 # -4 in total
-+ subi $len,$len,128 # bias
-+
-+ lvx $rndkey0,$x00,$key # load key schedule
-+ lvx v30,$x10,$key
-+ addi $key,$key,0x20
-+ lvx v31,$x00,$key
-+ ?vperm $rndkey0,$rndkey0,v30,$keyperm
-+ addi $key_,$sp,$FRAME+15
-+ mtctr $rounds
-+
-+Load_cbc_dec_key:
-+ ?vperm v24,v30,v31,$keyperm
-+ lvx v30,$x10,$key
-+ addi $key,$key,0x20
-+ stvx v24,$x00,$key_ # off-load round[1]
-+ ?vperm v25,v31,v30,$keyperm
-+ lvx v31,$x00,$key
-+ stvx v25,$x10,$key_ # off-load round[2]
-+ addi $key_,$key_,0x20
-+ bdnz Load_cbc_dec_key
-+
-+ lvx v26,$x10,$key
-+ ?vperm v24,v30,v31,$keyperm
-+ lvx v27,$x20,$key
-+ stvx v24,$x00,$key_ # off-load round[3]
-+ ?vperm v25,v31,v26,$keyperm
-+ lvx v28,$x30,$key
-+ stvx v25,$x10,$key_ # off-load round[4]
-+ addi $key_,$sp,$FRAME+15 # rewind $key_
-+ ?vperm v26,v26,v27,$keyperm
-+ lvx v29,$x40,$key
-+ ?vperm v27,v27,v28,$keyperm
-+ lvx v30,$x50,$key
-+ ?vperm v28,v28,v29,$keyperm
-+ lvx v31,$x60,$key
-+ ?vperm v29,v29,v30,$keyperm
-+ lvx $out0,$x70,$key # borrow $out0
-+ ?vperm v30,v30,v31,$keyperm
-+ lvx v24,$x00,$key_ # pre-load round[1]
-+ ?vperm v31,v31,$out0,$keyperm
-+ lvx v25,$x10,$key_ # pre-load round[2]
-+
-+ #lvx $inptail,0,$inp # "caller" already did this
-+ #addi $inp,$inp,15 # 15 is not typo
-+ subi $inp,$inp,15 # undo "caller"
-+
-+ le?li $idx,8
-+ lvx_u $in0,$x00,$inp # load first 8 "words"
-+ le?lvsl $inpperm,0,$idx
-+ le?vspltisb $tmp,0x0f
-+ lvx_u $in1,$x10,$inp
-+ le?vxor $inpperm,$inpperm,$tmp # transform for lvx_u/stvx_u
-+ lvx_u $in2,$x20,$inp
-+ le?vperm $in0,$in0,$in0,$inpperm
-+ lvx_u $in3,$x30,$inp
-+ le?vperm $in1,$in1,$in1,$inpperm
-+ lvx_u $in4,$x40,$inp
-+ le?vperm $in2,$in2,$in2,$inpperm
-+ vxor $out0,$in0,$rndkey0
-+ lvx_u $in5,$x50,$inp
-+ le?vperm $in3,$in3,$in3,$inpperm
-+ vxor $out1,$in1,$rndkey0
-+ lvx_u $in6,$x60,$inp
-+ le?vperm $in4,$in4,$in4,$inpperm
-+ vxor $out2,$in2,$rndkey0
-+ lvx_u $in7,$x70,$inp
-+ addi $inp,$inp,0x80
-+ le?vperm $in5,$in5,$in5,$inpperm
-+ vxor $out3,$in3,$rndkey0
-+ le?vperm $in6,$in6,$in6,$inpperm
-+ vxor $out4,$in4,$rndkey0
-+ le?vperm $in7,$in7,$in7,$inpperm
-+ vxor $out5,$in5,$rndkey0
-+ vxor $out6,$in6,$rndkey0
-+ vxor $out7,$in7,$rndkey0
-+
-+ mtctr $rounds
-+ b Loop_cbc_dec8x
-+.align 5
-+Loop_cbc_dec8x:
-+ vncipher $out0,$out0,v24
-+ vncipher $out1,$out1,v24
-+ vncipher $out2,$out2,v24
-+ vncipher $out3,$out3,v24
-+ vncipher $out4,$out4,v24
-+ vncipher $out5,$out5,v24
-+ vncipher $out6,$out6,v24
-+ vncipher $out7,$out7,v24
-+ lvx v24,$x20,$key_ # round[3]
-+ addi $key_,$key_,0x20
-+
-+ vncipher $out0,$out0,v25
-+ vncipher $out1,$out1,v25
-+ vncipher $out2,$out2,v25
-+ vncipher $out3,$out3,v25
-+ vncipher $out4,$out4,v25
-+ vncipher $out5,$out5,v25
-+ vncipher $out6,$out6,v25
-+ vncipher $out7,$out7,v25
-+ lvx v25,$x10,$key_ # round[4]
-+ bdnz Loop_cbc_dec8x
-+
-+ subic $len,$len,128 # $len-=128
-+ vncipher $out0,$out0,v24
-+ vncipher $out1,$out1,v24
-+ vncipher $out2,$out2,v24
-+ vncipher $out3,$out3,v24
-+ vncipher $out4,$out4,v24
-+ vncipher $out5,$out5,v24
-+ vncipher $out6,$out6,v24
-+ vncipher $out7,$out7,v24
-+
-+ subfe. r0,r0,r0 # borrow?-1:0
-+ vncipher $out0,$out0,v25
-+ vncipher $out1,$out1,v25
-+ vncipher $out2,$out2,v25
-+ vncipher $out3,$out3,v25
-+ vncipher $out4,$out4,v25
-+ vncipher $out5,$out5,v25
-+ vncipher $out6,$out6,v25
-+ vncipher $out7,$out7,v25
-+
-+ and r0,r0,$len
-+ vncipher $out0,$out0,v26
-+ vncipher $out1,$out1,v26
-+ vncipher $out2,$out2,v26
-+ vncipher $out3,$out3,v26
-+ vncipher $out4,$out4,v26
-+ vncipher $out5,$out5,v26
-+ vncipher $out6,$out6,v26
-+ vncipher $out7,$out7,v26
-+
-+ add $inp,$inp,r0 # $inp is adjusted in such
-+ # way that at exit from the
-+ # loop inX-in7 are loaded
-+ # with last "words"
-+ vncipher $out0,$out0,v27
-+ vncipher $out1,$out1,v27
-+ vncipher $out2,$out2,v27
-+ vncipher $out3,$out3,v27
-+ vncipher $out4,$out4,v27
-+ vncipher $out5,$out5,v27
-+ vncipher $out6,$out6,v27
-+ vncipher $out7,$out7,v27
-+
-+ addi $key_,$sp,$FRAME+15 # rewind $key_
-+ vncipher $out0,$out0,v28
-+ vncipher $out1,$out1,v28
-+ vncipher $out2,$out2,v28
-+ vncipher $out3,$out3,v28
-+ vncipher $out4,$out4,v28
-+ vncipher $out5,$out5,v28
-+ vncipher $out6,$out6,v28
-+ vncipher $out7,$out7,v28
-+ lvx v24,$x00,$key_ # re-pre-load round[1]
-+
-+ vncipher $out0,$out0,v29
-+ vncipher $out1,$out1,v29
-+ vncipher $out2,$out2,v29
-+ vncipher $out3,$out3,v29
-+ vncipher $out4,$out4,v29
-+ vncipher $out5,$out5,v29
-+ vncipher $out6,$out6,v29
-+ vncipher $out7,$out7,v29
-+ lvx v25,$x10,$key_ # re-pre-load round[2]
-+
-+ vncipher $out0,$out0,v30
-+ vxor $ivec,$ivec,v31 # xor with last round key
-+ vncipher $out1,$out1,v30
-+ vxor $in0,$in0,v31
-+ vncipher $out2,$out2,v30
-+ vxor $in1,$in1,v31
-+ vncipher $out3,$out3,v30
-+ vxor $in2,$in2,v31
-+ vncipher $out4,$out4,v30
-+ vxor $in3,$in3,v31
-+ vncipher $out5,$out5,v30
-+ vxor $in4,$in4,v31
-+ vncipher $out6,$out6,v30
-+ vxor $in5,$in5,v31
-+ vncipher $out7,$out7,v30
-+ vxor $in6,$in6,v31
-+
-+ vncipherlast $out0,$out0,$ivec
-+ vncipherlast $out1,$out1,$in0
-+ lvx_u $in0,$x00,$inp # load next input block
-+ vncipherlast $out2,$out2,$in1
-+ lvx_u $in1,$x10,$inp
-+ vncipherlast $out3,$out3,$in2
-+ le?vperm $in0,$in0,$in0,$inpperm
-+ lvx_u $in2,$x20,$inp
-+ vncipherlast $out4,$out4,$in3
-+ le?vperm $in1,$in1,$in1,$inpperm
-+ lvx_u $in3,$x30,$inp
-+ vncipherlast $out5,$out5,$in4
-+ le?vperm $in2,$in2,$in2,$inpperm
-+ lvx_u $in4,$x40,$inp
-+ vncipherlast $out6,$out6,$in5
-+ le?vperm $in3,$in3,$in3,$inpperm
-+ lvx_u $in5,$x50,$inp
-+ vncipherlast $out7,$out7,$in6
-+ le?vperm $in4,$in4,$in4,$inpperm
-+ lvx_u $in6,$x60,$inp
-+ vmr $ivec,$in7
-+ le?vperm $in5,$in5,$in5,$inpperm
-+ lvx_u $in7,$x70,$inp
-+ addi $inp,$inp,0x80
-+
-+ le?vperm $out0,$out0,$out0,$inpperm
-+ le?vperm $out1,$out1,$out1,$inpperm
-+ stvx_u $out0,$x00,$out
-+ le?vperm $in6,$in6,$in6,$inpperm
-+ vxor $out0,$in0,$rndkey0
-+ le?vperm $out2,$out2,$out2,$inpperm
-+ stvx_u $out1,$x10,$out
-+ le?vperm $in7,$in7,$in7,$inpperm
-+ vxor $out1,$in1,$rndkey0
-+ le?vperm $out3,$out3,$out3,$inpperm
-+ stvx_u $out2,$x20,$out
-+ vxor $out2,$in2,$rndkey0
-+ le?vperm $out4,$out4,$out4,$inpperm
-+ stvx_u $out3,$x30,$out
-+ vxor $out3,$in3,$rndkey0
-+ le?vperm $out5,$out5,$out5,$inpperm
-+ stvx_u $out4,$x40,$out
-+ vxor $out4,$in4,$rndkey0
-+ le?vperm $out6,$out6,$out6,$inpperm
-+ stvx_u $out5,$x50,$out
-+ vxor $out5,$in5,$rndkey0
-+ le?vperm $out7,$out7,$out7,$inpperm
-+ stvx_u $out6,$x60,$out
-+ vxor $out6,$in6,$rndkey0
-+ stvx_u $out7,$x70,$out
-+ addi $out,$out,0x80
-+ vxor $out7,$in7,$rndkey0
-+
-+ mtctr $rounds
-+ beq Loop_cbc_dec8x # did $len-=128 borrow?
-+
-+ addic. $len,$len,128
-+ beq Lcbc_dec8x_done
-+ nop
-+ nop
-+
-+Loop_cbc_dec8x_tail: # up to 7 "words" tail...
-+ vncipher $out1,$out1,v24
-+ vncipher $out2,$out2,v24
-+ vncipher $out3,$out3,v24
-+ vncipher $out4,$out4,v24
-+ vncipher $out5,$out5,v24
-+ vncipher $out6,$out6,v24
-+ vncipher $out7,$out7,v24
-+ lvx v24,$x20,$key_ # round[3]
-+ addi $key_,$key_,0x20
-+
-+ vncipher $out1,$out1,v25
-+ vncipher $out2,$out2,v25
-+ vncipher $out3,$out3,v25
-+ vncipher $out4,$out4,v25
-+ vncipher $out5,$out5,v25
-+ vncipher $out6,$out6,v25
-+ vncipher $out7,$out7,v25
-+ lvx v25,$x10,$key_ # round[4]
-+ bdnz Loop_cbc_dec8x_tail
-+
-+ vncipher $out1,$out1,v24
-+ vncipher $out2,$out2,v24
-+ vncipher $out3,$out3,v24
-+ vncipher $out4,$out4,v24
-+ vncipher $out5,$out5,v24
-+ vncipher $out6,$out6,v24
-+ vncipher $out7,$out7,v24
-+
-+ vncipher $out1,$out1,v25
-+ vncipher $out2,$out2,v25
-+ vncipher $out3,$out3,v25
-+ vncipher $out4,$out4,v25
-+ vncipher $out5,$out5,v25
-+ vncipher $out6,$out6,v25
-+ vncipher $out7,$out7,v25
-+
-+ vncipher $out1,$out1,v26
-+ vncipher $out2,$out2,v26
-+ vncipher $out3,$out3,v26
-+ vncipher $out4,$out4,v26
-+ vncipher $out5,$out5,v26
-+ vncipher $out6,$out6,v26
-+ vncipher $out7,$out7,v26
-+
-+ vncipher $out1,$out1,v27
-+ vncipher $out2,$out2,v27
-+ vncipher $out3,$out3,v27
-+ vncipher $out4,$out4,v27
-+ vncipher $out5,$out5,v27
-+ vncipher $out6,$out6,v27
-+ vncipher $out7,$out7,v27
-+
-+ vncipher $out1,$out1,v28
-+ vncipher $out2,$out2,v28
-+ vncipher $out3,$out3,v28
-+ vncipher $out4,$out4,v28
-+ vncipher $out5,$out5,v28
-+ vncipher $out6,$out6,v28
-+ vncipher $out7,$out7,v28
-+
-+ vncipher $out1,$out1,v29
-+ vncipher $out2,$out2,v29
-+ vncipher $out3,$out3,v29
-+ vncipher $out4,$out4,v29
-+ vncipher $out5,$out5,v29
-+ vncipher $out6,$out6,v29
-+ vncipher $out7,$out7,v29
-+
-+ vncipher $out1,$out1,v30
-+ vxor $ivec,$ivec,v31 # last round key
-+ vncipher $out2,$out2,v30
-+ vxor $in1,$in1,v31
-+ vncipher $out3,$out3,v30
-+ vxor $in2,$in2,v31
-+ vncipher $out4,$out4,v30
-+ vxor $in3,$in3,v31
-+ vncipher $out5,$out5,v30
-+ vxor $in4,$in4,v31
-+ vncipher $out6,$out6,v30
-+ vxor $in5,$in5,v31
-+ vncipher $out7,$out7,v30
-+ vxor $in6,$in6,v31
-+
-+ cmplwi $len,32 # switch($len)
-+ blt Lcbc_dec8x_one
-+ nop
-+ beq Lcbc_dec8x_two
-+ cmplwi $len,64
-+ blt Lcbc_dec8x_three
-+ nop
-+ beq Lcbc_dec8x_four
-+ cmplwi $len,96
-+ blt Lcbc_dec8x_five
-+ nop
-+ beq Lcbc_dec8x_six
-+
-+Lcbc_dec8x_seven:
-+ vncipherlast $out1,$out1,$ivec
-+ vncipherlast $out2,$out2,$in1
-+ vncipherlast $out3,$out3,$in2
-+ vncipherlast $out4,$out4,$in3
-+ vncipherlast $out5,$out5,$in4
-+ vncipherlast $out6,$out6,$in5
-+ vncipherlast $out7,$out7,$in6
-+ vmr $ivec,$in7
-+
-+ le?vperm $out1,$out1,$out1,$inpperm
-+ le?vperm $out2,$out2,$out2,$inpperm
-+ stvx_u $out1,$x00,$out
-+ le?vperm $out3,$out3,$out3,$inpperm
-+ stvx_u $out2,$x10,$out
-+ le?vperm $out4,$out4,$out4,$inpperm
-+ stvx_u $out3,$x20,$out
-+ le?vperm $out5,$out5,$out5,$inpperm
-+ stvx_u $out4,$x30,$out
-+ le?vperm $out6,$out6,$out6,$inpperm
-+ stvx_u $out5,$x40,$out
-+ le?vperm $out7,$out7,$out7,$inpperm
-+ stvx_u $out6,$x50,$out
-+ stvx_u $out7,$x60,$out
-+ addi $out,$out,0x70
-+ b Lcbc_dec8x_done
-+
-+.align 5
-+Lcbc_dec8x_six:
-+ vncipherlast $out2,$out2,$ivec
-+ vncipherlast $out3,$out3,$in2
-+ vncipherlast $out4,$out4,$in3
-+ vncipherlast $out5,$out5,$in4
-+ vncipherlast $out6,$out6,$in5
-+ vncipherlast $out7,$out7,$in6
-+ vmr $ivec,$in7
-+
-+ le?vperm $out2,$out2,$out2,$inpperm
-+ le?vperm $out3,$out3,$out3,$inpperm
-+ stvx_u $out2,$x00,$out
-+ le?vperm $out4,$out4,$out4,$inpperm
-+ stvx_u $out3,$x10,$out
-+ le?vperm $out5,$out5,$out5,$inpperm
-+ stvx_u $out4,$x20,$out
-+ le?vperm $out6,$out6,$out6,$inpperm
-+ stvx_u $out5,$x30,$out
-+ le?vperm $out7,$out7,$out7,$inpperm
-+ stvx_u $out6,$x40,$out
-+ stvx_u $out7,$x50,$out
-+ addi $out,$out,0x60
-+ b Lcbc_dec8x_done
-+
-+.align 5
-+Lcbc_dec8x_five:
-+ vncipherlast $out3,$out3,$ivec
-+ vncipherlast $out4,$out4,$in3
-+ vncipherlast $out5,$out5,$in4
-+ vncipherlast $out6,$out6,$in5
-+ vncipherlast $out7,$out7,$in6
-+ vmr $ivec,$in7
-+
-+ le?vperm $out3,$out3,$out3,$inpperm
-+ le?vperm $out4,$out4,$out4,$inpperm
-+ stvx_u $out3,$x00,$out
-+ le?vperm $out5,$out5,$out5,$inpperm
-+ stvx_u $out4,$x10,$out
-+ le?vperm $out6,$out6,$out6,$inpperm
-+ stvx_u $out5,$x20,$out
-+ le?vperm $out7,$out7,$out7,$inpperm
-+ stvx_u $out6,$x30,$out
-+ stvx_u $out7,$x40,$out
-+ addi $out,$out,0x50
-+ b Lcbc_dec8x_done
-+
-+.align 5
-+Lcbc_dec8x_four:
-+ vncipherlast $out4,$out4,$ivec
-+ vncipherlast $out5,$out5,$in4
-+ vncipherlast $out6,$out6,$in5
-+ vncipherlast $out7,$out7,$in6
-+ vmr $ivec,$in7
-+
-+ le?vperm $out4,$out4,$out4,$inpperm
-+ le?vperm $out5,$out5,$out5,$inpperm
-+ stvx_u $out4,$x00,$out
-+ le?vperm $out6,$out6,$out6,$inpperm
-+ stvx_u $out5,$x10,$out
-+ le?vperm $out7,$out7,$out7,$inpperm
-+ stvx_u $out6,$x20,$out
-+ stvx_u $out7,$x30,$out
-+ addi $out,$out,0x40
-+ b Lcbc_dec8x_done
-+
-+.align 5
-+Lcbc_dec8x_three:
-+ vncipherlast $out5,$out5,$ivec
-+ vncipherlast $out6,$out6,$in5
-+ vncipherlast $out7,$out7,$in6
-+ vmr $ivec,$in7
-+
-+ le?vperm $out5,$out5,$out5,$inpperm
-+ le?vperm $out6,$out6,$out6,$inpperm
-+ stvx_u $out5,$x00,$out
-+ le?vperm $out7,$out7,$out7,$inpperm
-+ stvx_u $out6,$x10,$out
-+ stvx_u $out7,$x20,$out
-+ addi $out,$out,0x30
-+ b Lcbc_dec8x_done
-+
-+.align 5
-+Lcbc_dec8x_two:
-+ vncipherlast $out6,$out6,$ivec
-+ vncipherlast $out7,$out7,$in6
-+ vmr $ivec,$in7
-+
-+ le?vperm $out6,$out6,$out6,$inpperm
-+ le?vperm $out7,$out7,$out7,$inpperm
-+ stvx_u $out6,$x00,$out
-+ stvx_u $out7,$x10,$out
-+ addi $out,$out,0x20
-+ b Lcbc_dec8x_done
-+
-+.align 5
-+Lcbc_dec8x_one:
-+ vncipherlast $out7,$out7,$ivec
-+ vmr $ivec,$in7
-+
-+ le?vperm $out7,$out7,$out7,$inpperm
-+ stvx_u $out7,0,$out
-+ addi $out,$out,0x10
-+
-+Lcbc_dec8x_done:
-+ le?vperm $ivec,$ivec,$ivec,$inpperm
-+ stvx_u $ivec,0,$ivp # write [unaligned] iv
-+
-+ li r10,`$FRAME+15`
-+ li r11,`$FRAME+31`
-+ stvx $inpperm,r10,$sp # wipe copies of round keys
-+ addi r10,r10,32
-+ stvx $inpperm,r11,$sp
-+ addi r11,r11,32
-+ stvx $inpperm,r10,$sp
-+ addi r10,r10,32
-+ stvx $inpperm,r11,$sp
-+ addi r11,r11,32
-+ stvx $inpperm,r10,$sp
-+ addi r10,r10,32
-+ stvx $inpperm,r11,$sp
-+ addi r11,r11,32
-+ stvx $inpperm,r10,$sp
-+ addi r10,r10,32
-+ stvx $inpperm,r11,$sp
-+ addi r11,r11,32
-+
-+ mtspr 256,$vrsave
-+ lvx v20,r10,$sp # ABI says so
-+ addi r10,r10,32
-+ lvx v21,r11,$sp
-+ addi r11,r11,32
-+ lvx v22,r10,$sp
-+ addi r10,r10,32
-+ lvx v23,r11,$sp
-+ addi r11,r11,32
-+ lvx v24,r10,$sp
-+ addi r10,r10,32
-+ lvx v25,r11,$sp
-+ addi r11,r11,32
-+ lvx v26,r10,$sp
-+ addi r10,r10,32
-+ lvx v27,r11,$sp
-+ addi r11,r11,32
-+ lvx v28,r10,$sp
-+ addi r10,r10,32
-+ lvx v29,r11,$sp
-+ addi r11,r11,32
-+ lvx v30,r10,$sp
-+ lvx v31,r11,$sp
-+ $POP r26,`$FRAME+21*16+0*$SIZE_T`($sp)
-+ $POP r27,`$FRAME+21*16+1*$SIZE_T`($sp)
-+ $POP r28,`$FRAME+21*16+2*$SIZE_T`($sp)
-+ $POP r29,`$FRAME+21*16+3*$SIZE_T`($sp)
-+ $POP r30,`$FRAME+21*16+4*$SIZE_T`($sp)
-+ $POP r31,`$FRAME+21*16+5*$SIZE_T`($sp)
-+ addi $sp,$sp,`$FRAME+21*16+6*$SIZE_T`
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0x80,6,6,0
-+ .long 0
-+.size .${prefix}_cbc_encrypt,.-.${prefix}_cbc_encrypt
-+___
-+}} }}}
-+
-+#########################################################################
-+{{{ # CTR procedure[s] #
-+my ($inp,$out,$len,$key,$ivp,$x10,$rounds,$idx)=map("r$_",(3..10));
-+my ($rndkey0,$rndkey1,$inout,$tmp)= map("v$_",(0..3));
-+my ($ivec,$inptail,$inpperm,$outhead,$outperm,$outmask,$keyperm,$one)=
-+ map("v$_",(4..11));
-+my $dat=$tmp;
-+
-+$code.=<<___;
-+.globl .${prefix}_ctr32_encrypt_blocks
-+.align 5
-+.${prefix}_ctr32_encrypt_blocks:
-+ ${UCMP}i $len,1
-+ bltlr-
-+
-+ lis r0,0xfff0
-+ mfspr $vrsave,256
-+ mtspr 256,r0
-+
-+ li $idx,15
-+ vxor $rndkey0,$rndkey0,$rndkey0
-+ le?vspltisb $tmp,0x0f
-+
-+ lvx $ivec,0,$ivp # load [unaligned] iv
-+ lvsl $inpperm,0,$ivp
-+ lvx $inptail,$idx,$ivp
-+ vspltisb $one,1
-+ le?vxor $inpperm,$inpperm,$tmp
-+ vperm $ivec,$ivec,$inptail,$inpperm
-+ vsldoi $one,$rndkey0,$one,1
-+
-+ neg r11,$inp
-+ ?lvsl $keyperm,0,$key # prepare for unaligned key
-+ lwz $rounds,240($key)
-+
-+ lvsr $inpperm,0,r11 # prepare for unaligned load
-+ lvx $inptail,0,$inp
-+ addi $inp,$inp,15 # 15 is not typo
-+ le?vxor $inpperm,$inpperm,$tmp
-+
-+ srwi $rounds,$rounds,1
-+ li $idx,16
-+ subi $rounds,$rounds,1
-+
-+ ${UCMP}i $len,8
-+ bge _aesp8_ctr32_encrypt8x
-+
-+ ?lvsr $outperm,0,$out # prepare for unaligned store
-+ vspltisb $outmask,-1
-+ lvx $outhead,0,$out
-+ ?vperm $outmask,$rndkey0,$outmask,$outperm
-+ le?vxor $outperm,$outperm,$tmp
-+
-+ lvx $rndkey0,0,$key
-+ mtctr $rounds
-+ lvx $rndkey1,$idx,$key
-+ addi $idx,$idx,16
-+ ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
-+ vxor $inout,$ivec,$rndkey0
-+ lvx $rndkey0,$idx,$key
-+ addi $idx,$idx,16
-+ b Loop_ctr32_enc
-+
-+.align 5
-+Loop_ctr32_enc:
-+ ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
-+ vcipher $inout,$inout,$rndkey1
-+ lvx $rndkey1,$idx,$key
-+ addi $idx,$idx,16
-+ ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
-+ vcipher $inout,$inout,$rndkey0
-+ lvx $rndkey0,$idx,$key
-+ addi $idx,$idx,16
-+ bdnz Loop_ctr32_enc
-+
-+ vadduwm $ivec,$ivec,$one
-+ vmr $dat,$inptail
-+ lvx $inptail,0,$inp
-+ addi $inp,$inp,16
-+ subic. $len,$len,1 # blocks--
-+
-+ ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
-+ vcipher $inout,$inout,$rndkey1
-+ lvx $rndkey1,$idx,$key
-+ vperm $dat,$dat,$inptail,$inpperm
-+ li $idx,16
-+ ?vperm $rndkey1,$rndkey0,$rndkey1,$keyperm
-+ lvx $rndkey0,0,$key
-+ vxor $dat,$dat,$rndkey1 # last round key
-+ vcipherlast $inout,$inout,$dat
-+
-+ lvx $rndkey1,$idx,$key
-+ addi $idx,$idx,16
-+ vperm $inout,$inout,$inout,$outperm
-+ vsel $dat,$outhead,$inout,$outmask
-+ mtctr $rounds
-+ ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
-+ vmr $outhead,$inout
-+ vxor $inout,$ivec,$rndkey0
-+ lvx $rndkey0,$idx,$key
-+ addi $idx,$idx,16
-+ stvx $dat,0,$out
-+ addi $out,$out,16
-+ bne Loop_ctr32_enc
-+
-+ addi $out,$out,-1
-+ lvx $inout,0,$out # redundant in aligned case
-+ vsel $inout,$outhead,$inout,$outmask
-+ stvx $inout,0,$out
-+
-+ mtspr 256,$vrsave
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,6,0
-+ .long 0
-+___
-+#########################################################################
-+{{ # Optimized CTR procedure #
-+my $key_="r11";
-+my ($x00,$x10,$x20,$x30,$x40,$x50,$x60,$x70)=map("r$_",(0,8,26..31));
-+my ($in0, $in1, $in2, $in3, $in4, $in5, $in6, $in7 )=map("v$_",(0..3,10,12..14));
-+my ($out0,$out1,$out2,$out3,$out4,$out5,$out6,$out7)=map("v$_",(15..22));
-+my $rndkey0="v23"; # v24-v25 rotating buffer for first found keys
-+ # v26-v31 last 6 round keys
-+my ($tmp,$keyperm)=($in3,$in4); # aliases with "caller", redundant assignment
-+my ($two,$three,$four)=($outhead,$outperm,$outmask);
-+
-+$code.=<<___;
-+.align 5
-+_aesp8_ctr32_encrypt8x:
-+ $STU $sp,-`($FRAME+21*16+6*$SIZE_T)`($sp)
-+ li r10,`$FRAME+8*16+15`
-+ li r11,`$FRAME+8*16+31`
-+ stvx v20,r10,$sp # ABI says so
-+ addi r10,r10,32
-+ stvx v21,r11,$sp
-+ addi r11,r11,32
-+ stvx v22,r10,$sp
-+ addi r10,r10,32
-+ stvx v23,r11,$sp
-+ addi r11,r11,32
-+ stvx v24,r10,$sp
-+ addi r10,r10,32
-+ stvx v25,r11,$sp
-+ addi r11,r11,32
-+ stvx v26,r10,$sp
-+ addi r10,r10,32
-+ stvx v27,r11,$sp
-+ addi r11,r11,32
-+ stvx v28,r10,$sp
-+ addi r10,r10,32
-+ stvx v29,r11,$sp
-+ addi r11,r11,32
-+ stvx v30,r10,$sp
-+ stvx v31,r11,$sp
-+ li r0,-1
-+ stw $vrsave,`$FRAME+21*16-4`($sp) # save vrsave
-+ li $x10,0x10
-+ $PUSH r26,`$FRAME+21*16+0*$SIZE_T`($sp)
-+ li $x20,0x20
-+ $PUSH r27,`$FRAME+21*16+1*$SIZE_T`($sp)
-+ li $x30,0x30
-+ $PUSH r28,`$FRAME+21*16+2*$SIZE_T`($sp)
-+ li $x40,0x40
-+ $PUSH r29,`$FRAME+21*16+3*$SIZE_T`($sp)
-+ li $x50,0x50
-+ $PUSH r30,`$FRAME+21*16+4*$SIZE_T`($sp)
-+ li $x60,0x60
-+ $PUSH r31,`$FRAME+21*16+5*$SIZE_T`($sp)
-+ li $x70,0x70
-+ mtspr 256,r0
-+
-+ subi $rounds,$rounds,3 # -4 in total
-+
-+ lvx $rndkey0,$x00,$key # load key schedule
-+ lvx v30,$x10,$key
-+ addi $key,$key,0x20
-+ lvx v31,$x00,$key
-+ ?vperm $rndkey0,$rndkey0,v30,$keyperm
-+ addi $key_,$sp,$FRAME+15
-+ mtctr $rounds
-+
-+Load_ctr32_enc_key:
-+ ?vperm v24,v30,v31,$keyperm
-+ lvx v30,$x10,$key
-+ addi $key,$key,0x20
-+ stvx v24,$x00,$key_ # off-load round[1]
-+ ?vperm v25,v31,v30,$keyperm
-+ lvx v31,$x00,$key
-+ stvx v25,$x10,$key_ # off-load round[2]
-+ addi $key_,$key_,0x20
-+ bdnz Load_ctr32_enc_key
-+
-+ lvx v26,$x10,$key
-+ ?vperm v24,v30,v31,$keyperm
-+ lvx v27,$x20,$key
-+ stvx v24,$x00,$key_ # off-load round[3]
-+ ?vperm v25,v31,v26,$keyperm
-+ lvx v28,$x30,$key
-+ stvx v25,$x10,$key_ # off-load round[4]
-+ addi $key_,$sp,$FRAME+15 # rewind $key_
-+ ?vperm v26,v26,v27,$keyperm
-+ lvx v29,$x40,$key
-+ ?vperm v27,v27,v28,$keyperm
-+ lvx v30,$x50,$key
-+ ?vperm v28,v28,v29,$keyperm
-+ lvx v31,$x60,$key
-+ ?vperm v29,v29,v30,$keyperm
-+ lvx $out0,$x70,$key # borrow $out0
-+ ?vperm v30,v30,v31,$keyperm
-+ lvx v24,$x00,$key_ # pre-load round[1]
-+ ?vperm v31,v31,$out0,$keyperm
-+ lvx v25,$x10,$key_ # pre-load round[2]
-+
-+ vadduwm $two,$one,$one
-+ subi $inp,$inp,15 # undo "caller"
-+ $SHL $len,$len,4
-+
-+ vadduwm $out1,$ivec,$one # counter values ...
-+ vadduwm $out2,$ivec,$two
-+ vxor $out0,$ivec,$rndkey0 # ... xored with rndkey[0]
-+ le?li $idx,8
-+ vadduwm $out3,$out1,$two
-+ vxor $out1,$out1,$rndkey0
-+ le?lvsl $inpperm,0,$idx
-+ vadduwm $out4,$out2,$two
-+ vxor $out2,$out2,$rndkey0
-+ le?vspltisb $tmp,0x0f
-+ vadduwm $out5,$out3,$two
-+ vxor $out3,$out3,$rndkey0
-+ le?vxor $inpperm,$inpperm,$tmp # transform for lvx_u/stvx_u
-+ vadduwm $out6,$out4,$two
-+ vxor $out4,$out4,$rndkey0
-+ vadduwm $out7,$out5,$two
-+ vxor $out5,$out5,$rndkey0
-+ vadduwm $ivec,$out6,$two # next counter value
-+ vxor $out6,$out6,$rndkey0
-+ vxor $out7,$out7,$rndkey0
-+
-+ mtctr $rounds
-+ b Loop_ctr32_enc8x
-+.align 5
-+Loop_ctr32_enc8x:
-+ vcipher $out0,$out0,v24
-+ vcipher $out1,$out1,v24
-+ vcipher $out2,$out2,v24
-+ vcipher $out3,$out3,v24
-+ vcipher $out4,$out4,v24
-+ vcipher $out5,$out5,v24
-+ vcipher $out6,$out6,v24
-+ vcipher $out7,$out7,v24
-+Loop_ctr32_enc8x_middle:
-+ lvx v24,$x20,$key_ # round[3]
-+ addi $key_,$key_,0x20
-+
-+ vcipher $out0,$out0,v25
-+ vcipher $out1,$out1,v25
-+ vcipher $out2,$out2,v25
-+ vcipher $out3,$out3,v25
-+ vcipher $out4,$out4,v25
-+ vcipher $out5,$out5,v25
-+ vcipher $out6,$out6,v25
-+ vcipher $out7,$out7,v25
-+ lvx v25,$x10,$key_ # round[4]
-+ bdnz Loop_ctr32_enc8x
-+
-+ subic r11,$len,256 # $len-256, borrow $key_
-+ vcipher $out0,$out0,v24
-+ vcipher $out1,$out1,v24
-+ vcipher $out2,$out2,v24
-+ vcipher $out3,$out3,v24
-+ vcipher $out4,$out4,v24
-+ vcipher $out5,$out5,v24
-+ vcipher $out6,$out6,v24
-+ vcipher $out7,$out7,v24
-+
-+ subfe r0,r0,r0 # borrow?-1:0
-+ vcipher $out0,$out0,v25
-+ vcipher $out1,$out1,v25
-+ vcipher $out2,$out2,v25
-+ vcipher $out3,$out3,v25
-+ vcipher $out4,$out4,v25
-+ vcipher $out5,$out5,v25
-+ vcipher $out6,$out6,v25
-+ vcipher $out7,$out7,v25
-+
-+ and r0,r0,r11
-+ addi $key_,$sp,$FRAME+15 # rewind $key_
-+ vcipher $out0,$out0,v26
-+ vcipher $out1,$out1,v26
-+ vcipher $out2,$out2,v26
-+ vcipher $out3,$out3,v26
-+ vcipher $out4,$out4,v26
-+ vcipher $out5,$out5,v26
-+ vcipher $out6,$out6,v26
-+ vcipher $out7,$out7,v26
-+ lvx v24,$x00,$key_ # re-pre-load round[1]
-+
-+ subic $len,$len,129 # $len-=129
-+ vcipher $out0,$out0,v27
-+ addi $len,$len,1 # $len-=128 really
-+ vcipher $out1,$out1,v27
-+ vcipher $out2,$out2,v27
-+ vcipher $out3,$out3,v27
-+ vcipher $out4,$out4,v27
-+ vcipher $out5,$out5,v27
-+ vcipher $out6,$out6,v27
-+ vcipher $out7,$out7,v27
-+ lvx v25,$x10,$key_ # re-pre-load round[2]
-+
-+ vcipher $out0,$out0,v28
-+ lvx_u $in0,$x00,$inp # load input
-+ vcipher $out1,$out1,v28
-+ lvx_u $in1,$x10,$inp
-+ vcipher $out2,$out2,v28
-+ lvx_u $in2,$x20,$inp
-+ vcipher $out3,$out3,v28
-+ lvx_u $in3,$x30,$inp
-+ vcipher $out4,$out4,v28
-+ lvx_u $in4,$x40,$inp
-+ vcipher $out5,$out5,v28
-+ lvx_u $in5,$x50,$inp
-+ vcipher $out6,$out6,v28
-+ lvx_u $in6,$x60,$inp
-+ vcipher $out7,$out7,v28
-+ lvx_u $in7,$x70,$inp
-+ addi $inp,$inp,0x80
-+
-+ vcipher $out0,$out0,v29
-+ le?vperm $in0,$in0,$in0,$inpperm
-+ vcipher $out1,$out1,v29
-+ le?vperm $in1,$in1,$in1,$inpperm
-+ vcipher $out2,$out2,v29
-+ le?vperm $in2,$in2,$in2,$inpperm
-+ vcipher $out3,$out3,v29
-+ le?vperm $in3,$in3,$in3,$inpperm
-+ vcipher $out4,$out4,v29
-+ le?vperm $in4,$in4,$in4,$inpperm
-+ vcipher $out5,$out5,v29
-+ le?vperm $in5,$in5,$in5,$inpperm
-+ vcipher $out6,$out6,v29
-+ le?vperm $in6,$in6,$in6,$inpperm
-+ vcipher $out7,$out7,v29
-+ le?vperm $in7,$in7,$in7,$inpperm
-+
-+ add $inp,$inp,r0 # $inp is adjusted in such
-+ # way that at exit from the
-+ # loop inX-in7 are loaded
-+ # with last "words"
-+ subfe. r0,r0,r0 # borrow?-1:0
-+ vcipher $out0,$out0,v30
-+ vxor $in0,$in0,v31 # xor with last round key
-+ vcipher $out1,$out1,v30
-+ vxor $in1,$in1,v31
-+ vcipher $out2,$out2,v30
-+ vxor $in2,$in2,v31
-+ vcipher $out3,$out3,v30
-+ vxor $in3,$in3,v31
-+ vcipher $out4,$out4,v30
-+ vxor $in4,$in4,v31
-+ vcipher $out5,$out5,v30
-+ vxor $in5,$in5,v31
-+ vcipher $out6,$out6,v30
-+ vxor $in6,$in6,v31
-+ vcipher $out7,$out7,v30
-+ vxor $in7,$in7,v31
-+
-+ bne Lctr32_enc8x_break # did $len-129 borrow?
-+
-+ vcipherlast $in0,$out0,$in0
-+ vcipherlast $in1,$out1,$in1
-+ vadduwm $out1,$ivec,$one # counter values ...
-+ vcipherlast $in2,$out2,$in2
-+ vadduwm $out2,$ivec,$two
-+ vxor $out0,$ivec,$rndkey0 # ... xored with rndkey[0]
-+ vcipherlast $in3,$out3,$in3
-+ vadduwm $out3,$out1,$two
-+ vxor $out1,$out1,$rndkey0
-+ vcipherlast $in4,$out4,$in4
-+ vadduwm $out4,$out2,$two
-+ vxor $out2,$out2,$rndkey0
-+ vcipherlast $in5,$out5,$in5
-+ vadduwm $out5,$out3,$two
-+ vxor $out3,$out3,$rndkey0
-+ vcipherlast $in6,$out6,$in6
-+ vadduwm $out6,$out4,$two
-+ vxor $out4,$out4,$rndkey0
-+ vcipherlast $in7,$out7,$in7
-+ vadduwm $out7,$out5,$two
-+ vxor $out5,$out5,$rndkey0
-+ le?vperm $in0,$in0,$in0,$inpperm
-+ vadduwm $ivec,$out6,$two # next counter value
-+ vxor $out6,$out6,$rndkey0
-+ le?vperm $in1,$in1,$in1,$inpperm
-+ vxor $out7,$out7,$rndkey0
-+ mtctr $rounds
-+
-+ vcipher $out0,$out0,v24
-+ stvx_u $in0,$x00,$out
-+ le?vperm $in2,$in2,$in2,$inpperm
-+ vcipher $out1,$out1,v24
-+ stvx_u $in1,$x10,$out
-+ le?vperm $in3,$in3,$in3,$inpperm
-+ vcipher $out2,$out2,v24
-+ stvx_u $in2,$x20,$out
-+ le?vperm $in4,$in4,$in4,$inpperm
-+ vcipher $out3,$out3,v24
-+ stvx_u $in3,$x30,$out
-+ le?vperm $in5,$in5,$in5,$inpperm
-+ vcipher $out4,$out4,v24
-+ stvx_u $in4,$x40,$out
-+ le?vperm $in6,$in6,$in6,$inpperm
-+ vcipher $out5,$out5,v24
-+ stvx_u $in5,$x50,$out
-+ le?vperm $in7,$in7,$in7,$inpperm
-+ vcipher $out6,$out6,v24
-+ stvx_u $in6,$x60,$out
-+ vcipher $out7,$out7,v24
-+ stvx_u $in7,$x70,$out
-+ addi $out,$out,0x80
-+
-+ b Loop_ctr32_enc8x_middle
-+
-+.align 5
-+Lctr32_enc8x_break:
-+ cmpwi $len,-0x60
-+ blt Lctr32_enc8x_one
-+ nop
-+ beq Lctr32_enc8x_two
-+ cmpwi $len,-0x40
-+ blt Lctr32_enc8x_three
-+ nop
-+ beq Lctr32_enc8x_four
-+ cmpwi $len,-0x20
-+ blt Lctr32_enc8x_five
-+ nop
-+ beq Lctr32_enc8x_six
-+ cmpwi $len,0x00
-+ blt Lctr32_enc8x_seven
-+
-+Lctr32_enc8x_eight:
-+ vcipherlast $out0,$out0,$in0
-+ vcipherlast $out1,$out1,$in1
-+ vcipherlast $out2,$out2,$in2
-+ vcipherlast $out3,$out3,$in3
-+ vcipherlast $out4,$out4,$in4
-+ vcipherlast $out5,$out5,$in5
-+ vcipherlast $out6,$out6,$in6
-+ vcipherlast $out7,$out7,$in7
-+
-+ le?vperm $out0,$out0,$out0,$inpperm
-+ le?vperm $out1,$out1,$out1,$inpperm
-+ stvx_u $out0,$x00,$out
-+ le?vperm $out2,$out2,$out2,$inpperm
-+ stvx_u $out1,$x10,$out
-+ le?vperm $out3,$out3,$out3,$inpperm
-+ stvx_u $out2,$x20,$out
-+ le?vperm $out4,$out4,$out4,$inpperm
-+ stvx_u $out3,$x30,$out
-+ le?vperm $out5,$out5,$out5,$inpperm
-+ stvx_u $out4,$x40,$out
-+ le?vperm $out6,$out6,$out6,$inpperm
-+ stvx_u $out5,$x50,$out
-+ le?vperm $out7,$out7,$out7,$inpperm
-+ stvx_u $out6,$x60,$out
-+ stvx_u $out7,$x70,$out
-+ addi $out,$out,0x80
-+ b Lctr32_enc8x_done
-+
-+.align 5
-+Lctr32_enc8x_seven:
-+ vcipherlast $out0,$out0,$in1
-+ vcipherlast $out1,$out1,$in2
-+ vcipherlast $out2,$out2,$in3
-+ vcipherlast $out3,$out3,$in4
-+ vcipherlast $out4,$out4,$in5
-+ vcipherlast $out5,$out5,$in6
-+ vcipherlast $out6,$out6,$in7
-+
-+ le?vperm $out0,$out0,$out0,$inpperm
-+ le?vperm $out1,$out1,$out1,$inpperm
-+ stvx_u $out0,$x00,$out
-+ le?vperm $out2,$out2,$out2,$inpperm
-+ stvx_u $out1,$x10,$out
-+ le?vperm $out3,$out3,$out3,$inpperm
-+ stvx_u $out2,$x20,$out
-+ le?vperm $out4,$out4,$out4,$inpperm
-+ stvx_u $out3,$x30,$out
-+ le?vperm $out5,$out5,$out5,$inpperm
-+ stvx_u $out4,$x40,$out
-+ le?vperm $out6,$out6,$out6,$inpperm
-+ stvx_u $out5,$x50,$out
-+ stvx_u $out6,$x60,$out
-+ addi $out,$out,0x70
-+ b Lctr32_enc8x_done
-+
-+.align 5
-+Lctr32_enc8x_six:
-+ vcipherlast $out0,$out0,$in2
-+ vcipherlast $out1,$out1,$in3
-+ vcipherlast $out2,$out2,$in4
-+ vcipherlast $out3,$out3,$in5
-+ vcipherlast $out4,$out4,$in6
-+ vcipherlast $out5,$out5,$in7
-+
-+ le?vperm $out0,$out0,$out0,$inpperm
-+ le?vperm $out1,$out1,$out1,$inpperm
-+ stvx_u $out0,$x00,$out
-+ le?vperm $out2,$out2,$out2,$inpperm
-+ stvx_u $out1,$x10,$out
-+ le?vperm $out3,$out3,$out3,$inpperm
-+ stvx_u $out2,$x20,$out
-+ le?vperm $out4,$out4,$out4,$inpperm
-+ stvx_u $out3,$x30,$out
-+ le?vperm $out5,$out5,$out5,$inpperm
-+ stvx_u $out4,$x40,$out
-+ stvx_u $out5,$x50,$out
-+ addi $out,$out,0x60
-+ b Lctr32_enc8x_done
-+
-+.align 5
-+Lctr32_enc8x_five:
-+ vcipherlast $out0,$out0,$in3
-+ vcipherlast $out1,$out1,$in4
-+ vcipherlast $out2,$out2,$in5
-+ vcipherlast $out3,$out3,$in6
-+ vcipherlast $out4,$out4,$in7
-+
-+ le?vperm $out0,$out0,$out0,$inpperm
-+ le?vperm $out1,$out1,$out1,$inpperm
-+ stvx_u $out0,$x00,$out
-+ le?vperm $out2,$out2,$out2,$inpperm
-+ stvx_u $out1,$x10,$out
-+ le?vperm $out3,$out3,$out3,$inpperm
-+ stvx_u $out2,$x20,$out
-+ le?vperm $out4,$out4,$out4,$inpperm
-+ stvx_u $out3,$x30,$out
-+ stvx_u $out4,$x40,$out
-+ addi $out,$out,0x50
-+ b Lctr32_enc8x_done
-+
-+.align 5
-+Lctr32_enc8x_four:
-+ vcipherlast $out0,$out0,$in4
-+ vcipherlast $out1,$out1,$in5
-+ vcipherlast $out2,$out2,$in6
-+ vcipherlast $out3,$out3,$in7
-+
-+ le?vperm $out0,$out0,$out0,$inpperm
-+ le?vperm $out1,$out1,$out1,$inpperm
-+ stvx_u $out0,$x00,$out
-+ le?vperm $out2,$out2,$out2,$inpperm
-+ stvx_u $out1,$x10,$out
-+ le?vperm $out3,$out3,$out3,$inpperm
-+ stvx_u $out2,$x20,$out
-+ stvx_u $out3,$x30,$out
-+ addi $out,$out,0x40
-+ b Lctr32_enc8x_done
-+
-+.align 5
-+Lctr32_enc8x_three:
-+ vcipherlast $out0,$out0,$in5
-+ vcipherlast $out1,$out1,$in6
-+ vcipherlast $out2,$out2,$in7
-+
-+ le?vperm $out0,$out0,$out0,$inpperm
-+ le?vperm $out1,$out1,$out1,$inpperm
-+ stvx_u $out0,$x00,$out
-+ le?vperm $out2,$out2,$out2,$inpperm
-+ stvx_u $out1,$x10,$out
-+ stvx_u $out2,$x20,$out
-+ addi $out,$out,0x30
-+ b Lcbc_dec8x_done
-+
-+.align 5
-+Lctr32_enc8x_two:
-+ vcipherlast $out0,$out0,$in6
-+ vcipherlast $out1,$out1,$in7
-+
-+ le?vperm $out0,$out0,$out0,$inpperm
-+ le?vperm $out1,$out1,$out1,$inpperm
-+ stvx_u $out0,$x00,$out
-+ stvx_u $out1,$x10,$out
-+ addi $out,$out,0x20
-+ b Lcbc_dec8x_done
-+
-+.align 5
-+Lctr32_enc8x_one:
-+ vcipherlast $out0,$out0,$in7
-+
-+ le?vperm $out0,$out0,$out0,$inpperm
-+ stvx_u $out0,0,$out
-+ addi $out,$out,0x10
-+
-+Lctr32_enc8x_done:
-+ li r10,`$FRAME+15`
-+ li r11,`$FRAME+31`
-+ stvx $inpperm,r10,$sp # wipe copies of round keys
-+ addi r10,r10,32
-+ stvx $inpperm,r11,$sp
-+ addi r11,r11,32
-+ stvx $inpperm,r10,$sp
-+ addi r10,r10,32
-+ stvx $inpperm,r11,$sp
-+ addi r11,r11,32
-+ stvx $inpperm,r10,$sp
-+ addi r10,r10,32
-+ stvx $inpperm,r11,$sp
-+ addi r11,r11,32
-+ stvx $inpperm,r10,$sp
-+ addi r10,r10,32
-+ stvx $inpperm,r11,$sp
-+ addi r11,r11,32
-+
-+ mtspr 256,$vrsave
-+ lvx v20,r10,$sp # ABI says so
-+ addi r10,r10,32
-+ lvx v21,r11,$sp
-+ addi r11,r11,32
-+ lvx v22,r10,$sp
-+ addi r10,r10,32
-+ lvx v23,r11,$sp
-+ addi r11,r11,32
-+ lvx v24,r10,$sp
-+ addi r10,r10,32
-+ lvx v25,r11,$sp
-+ addi r11,r11,32
-+ lvx v26,r10,$sp
-+ addi r10,r10,32
-+ lvx v27,r11,$sp
-+ addi r11,r11,32
-+ lvx v28,r10,$sp
-+ addi r10,r10,32
-+ lvx v29,r11,$sp
-+ addi r11,r11,32
-+ lvx v30,r10,$sp
-+ lvx v31,r11,$sp
-+ $POP r26,`$FRAME+21*16+0*$SIZE_T`($sp)
-+ $POP r27,`$FRAME+21*16+1*$SIZE_T`($sp)
-+ $POP r28,`$FRAME+21*16+2*$SIZE_T`($sp)
-+ $POP r29,`$FRAME+21*16+3*$SIZE_T`($sp)
-+ $POP r30,`$FRAME+21*16+4*$SIZE_T`($sp)
-+ $POP r31,`$FRAME+21*16+5*$SIZE_T`($sp)
-+ addi $sp,$sp,`$FRAME+21*16+6*$SIZE_T`
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0x80,6,6,0
-+ .long 0
-+.size .${prefix}_ctr32_encrypt_blocks,.-.${prefix}_ctr32_encrypt_blocks
-+___
-+}} }}}
-+
-+my $consts=1;
-+foreach(split("\n",$code)) {
-+ s/\`([^\`]*)\`/eval($1)/geo;
-+
-+ # constants table endian-specific conversion
-+ if ($consts && m/\.(long|byte)\s+(.+)\s+(\?[a-z]*)$/o) {
-+ my $conv=$3;
-+ my @bytes=();
-+
-+ # convert to endian-agnostic format
-+ if ($1 eq "long") {
-+ foreach (split(/,\s*/,$2)) {
-+ my $l = /^0/?oct:int;
-+ push @bytes,($l>>24)&0xff,($l>>16)&0xff,($l>>8)&0xff,$l&0xff;
-+ }
-+ } else {
-+ @bytes = map(/^0/?oct:int,split(/,\s*/,$2));
-+ }
-+
-+ # little-endian conversion
-+ if ($flavour =~ /le$/o) {
-+ SWITCH: for($conv) {
-+ /\?inv/ && do { @bytes=map($_^0xf,@bytes); last; };
-+ /\?rev/ && do { @bytes=reverse(@bytes); last; };
-+ }
-+ }
-+
-+ #emit
-+ print ".byte\t",join(',',map (sprintf("0x%02x",$_),@bytes)),"\n";
-+ next;
-+ }
-+ $consts=0 if (m/Lconsts:/o); # end of table
-+
-+ # instructions prefixed with '?' are endian-specific and need
-+ # to be adjusted accordingly...
-+ if ($flavour =~ /le$/o) { # little-endian
-+ s/le\?//o or
-+ s/be\?/#be#/o or
-+ s/\?lvsr/lvsl/o or
-+ s/\?lvsl/lvsr/o or
-+ s/\?(vperm\s+v[0-9]+,\s*)(v[0-9]+,\s*)(v[0-9]+,\s*)(v[0-9]+)/$1$3$2$4/o or
-+ s/\?(vsldoi\s+v[0-9]+,\s*)(v[0-9]+,)\s*(v[0-9]+,\s*)([0-9]+)/$1$3$2 16-$4/o or
-+ s/\?(vspltw\s+v[0-9]+,\s*)(v[0-9]+,)\s*([0-9])/$1$2 3-$3/o;
-+ } else { # big-endian
-+ s/le\?/#le#/o or
-+ s/be\?//o or
-+ s/\?([a-z]+)/$1/o;
-+ }
-+
-+ print $_,"\n";
-+}
-+
-+close STDOUT;
-diff --git a/crypto/aes/asm/vpaes-ppc.pl b/crypto/aes/asm/vpaes-ppc.pl
-new file mode 100644
-index 0000000..7fda60e
---- /dev/null
-+++ b/crypto/aes/asm/vpaes-ppc.pl
-@@ -0,0 +1,1512 @@
-+#!/usr/bin/env perl
-+
-+######################################################################
-+## Constant-time SSSE3 AES core implementation.
-+## version 0.1
-+##
-+## By Mike Hamburg (Stanford University), 2009
-+## Public domain.
-+##
-+## For details see http://shiftleft.org/papers/vector_aes/ and
-+## http://crypto.stanford.edu/vpaes/.
-+
-+# CBC encrypt/decrypt performance in cycles per byte processed with
-+# 128-bit key.
-+#
-+# aes-ppc.pl this
-+# G4e 35.5/52.1/(23.8) 11.9(*)/15.4
-+# POWER6 42.7/54.3/(28.2) 63.0/92.8(**)
-+# POWER7 32.3/42.9/(18.4) 18.5/23.3
-+#
-+# (*) This is ~10% worse than reported in paper. The reason is
-+# twofold. This module doesn't make any assumption about
-+# key schedule (or data for that matter) alignment and handles
-+# it in-line. Secondly it, being transliterated from
-+# vpaes-x86_64.pl, relies on "nested inversion" better suited
-+# for Intel CPUs.
-+# (**) Inadequate POWER6 performance is due to astronomic AltiVec
-+# latency, 9 cycles per simple logical operation.
-+
-+$flavour = shift;
-+
-+if ($flavour =~ /64/) {
-+ $SIZE_T =8;
-+ $LRSAVE =2*$SIZE_T;
-+ $STU ="stdu";
-+ $POP ="ld";
-+ $PUSH ="std";
-+ $UCMP ="cmpld";
-+} elsif ($flavour =~ /32/) {
-+ $SIZE_T =4;
-+ $LRSAVE =$SIZE_T;
-+ $STU ="stwu";
-+ $POP ="lwz";
-+ $PUSH ="stw";
-+ $UCMP ="cmplw";
-+} else { die "nonsense $flavour"; }
-+
-+$sp="r1";
-+$FRAME=6*$SIZE_T+13*16; # 13*16 is for v20-v31 offload
-+
-+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
-+( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or
-+( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or
-+die "can't locate ppc-xlate.pl";
-+
-+open STDOUT,"| $^X $xlate $flavour ".shift || die "can't call $xlate: $!";
-+
-+$code.=<<___;
-+.machine "any"
-+
-+.text
-+
-+.align 7 # totally strategic alignment
-+_vpaes_consts:
-+Lk_mc_forward: # mc_forward
-+ .long 0x01020300, 0x05060704, 0x090a0b08, 0x0d0e0f0c ?inv
-+ .long 0x05060704, 0x090a0b08, 0x0d0e0f0c, 0x01020300 ?inv
-+ .long 0x090a0b08, 0x0d0e0f0c, 0x01020300, 0x05060704 ?inv
-+ .long 0x0d0e0f0c, 0x01020300, 0x05060704, 0x090a0b08 ?inv
-+Lk_mc_backward: # mc_backward
-+ .long 0x03000102, 0x07040506, 0x0b08090a, 0x0f0c0d0e ?inv
-+ .long 0x0f0c0d0e, 0x03000102, 0x07040506, 0x0b08090a ?inv
-+ .long 0x0b08090a, 0x0f0c0d0e, 0x03000102, 0x07040506 ?inv
-+ .long 0x07040506, 0x0b08090a, 0x0f0c0d0e, 0x03000102 ?inv
-+Lk_sr: # sr
-+ .long 0x00010203, 0x04050607, 0x08090a0b, 0x0c0d0e0f ?inv
-+ .long 0x00050a0f, 0x04090e03, 0x080d0207, 0x0c01060b ?inv
-+ .long 0x0009020b, 0x040d060f, 0x08010a03, 0x0c050e07 ?inv
-+ .long 0x000d0a07, 0x04010e0b, 0x0805020f, 0x0c090603 ?inv
-+
-+##
-+## "Hot" constants
-+##
-+Lk_inv: # inv, inva
-+ .long 0xf001080d, 0x0f06050e, 0x020c0b0a, 0x09030704 ?rev
-+ .long 0xf0070b0f, 0x060a0401, 0x09080502, 0x0c0e0d03 ?rev
-+Lk_ipt: # input transform (lo, hi)
-+ .long 0x00702a5a, 0x98e8b2c2, 0x08782252, 0x90e0baca ?rev
-+ .long 0x004d7c31, 0x7d30014c, 0x81ccfdb0, 0xfcb180cd ?rev
-+Lk_sbo: # sbou, sbot
-+ .long 0x00c7bd6f, 0x176dd2d0, 0x78a802c5, 0x7abfaa15 ?rev
-+ .long 0x006abb5f, 0xa574e4cf, 0xfa352b41, 0xd1901e8e ?rev
-+Lk_sb1: # sb1u, sb1t
-+ .long 0x0023e2fa, 0x15d41836, 0xefd92e0d, 0xc1ccf73b ?rev
-+ .long 0x003e50cb, 0x8fe19bb1, 0x44f52a14, 0x6e7adfa5 ?rev
-+Lk_sb2: # sb2u, sb2t
-+ .long 0x0029e10a, 0x4088eb69, 0x4a2382ab, 0xc863a1c2 ?rev
-+ .long 0x0024710b, 0xc6937ae2, 0xcd2f98bc, 0x55e9b75e ?rev
-+
-+##
-+## Decryption stuff
-+##
-+Lk_dipt: # decryption input transform
-+ .long 0x005f540b, 0x045b500f, 0x1a454e11, 0x1e414a15 ?rev
-+ .long 0x00650560, 0xe683e386, 0x94f191f4, 0x72177712 ?rev
-+Lk_dsbo: # decryption sbox final output
-+ .long 0x0040f97e, 0x53ea8713, 0x2d3e94d4, 0xb96daac7 ?rev
-+ .long 0x001d4493, 0x0f56d712, 0x9c8ec5d8, 0x59814bca ?rev
-+Lk_dsb9: # decryption sbox output *9*u, *9*t
-+ .long 0x00d6869a, 0x53031c85, 0xc94c994f, 0x501fd5ca ?rev
-+ .long 0x0049d7ec, 0x89173bc0, 0x65a5fbb2, 0x9e2c5e72 ?rev
-+Lk_dsbd: # decryption sbox output *D*u, *D*t
-+ .long 0x00a2b1e6, 0xdfcc577d, 0x39442a88, 0x139b6ef5 ?rev
-+ .long 0x00cbc624, 0xf7fae23c, 0xd3efde15, 0x0d183129 ?rev
-+Lk_dsbb: # decryption sbox output *B*u, *B*t
-+ .long 0x0042b496, 0x926422d0, 0x04d4f2b0, 0xf6462660 ?rev
-+ .long 0x006759cd, 0xa69894c1, 0x6baa5532, 0x3e0cfff3 ?rev
-+Lk_dsbe: # decryption sbox output *E*u, *E*t
-+ .long 0x00d0d426, 0x9692f246, 0xb0f6b464, 0x04604222 ?rev
-+ .long 0x00c1aaff, 0xcda6550c, 0x323e5998, 0x6bf36794 ?rev
-+
-+##
-+## Key schedule constants
-+##
-+Lk_dksd: # decryption key schedule: invskew x*D
-+ .long 0x0047e4a3, 0x5d1ab9fe, 0xf9be1d5a, 0xa4e34007 ?rev
-+ .long 0x008336b5, 0xf477c241, 0x1e9d28ab, 0xea69dc5f ?rev
-+Lk_dksb: # decryption key schedule: invskew x*B
-+ .long 0x00d55085, 0x1fca4f9a, 0x994cc91c, 0x8653d603 ?rev
-+ .long 0x004afcb6, 0xa7ed5b11, 0xc882347e, 0x6f2593d9 ?rev
-+Lk_dkse: # decryption key schedule: invskew x*E + 0x63
-+ .long 0x00d6c91f, 0xca1c03d5, 0x86504f99, 0x4c9a8553 ?rev
-+ .long 0xe87bdc4f, 0x059631a2, 0x8714b320, 0x6af95ecd ?rev
-+Lk_dks9: # decryption key schedule: invskew x*9
-+ .long 0x00a7d97e, 0xc86f11b6, 0xfc5b2582, 0x3493ed4a ?rev
-+ .long 0x00331427, 0x62517645, 0xcefddae9, 0xac9fb88b ?rev
-+
-+Lk_rcon: # rcon
-+ .long 0xb6ee9daf, 0xb991831f, 0x817d7c4d, 0x08982a70 ?asis
-+Lk_s63:
-+ .long 0x5b5b5b5b, 0x5b5b5b5b, 0x5b5b5b5b, 0x5b5b5b5b ?asis
-+
-+Lk_opt: # output transform
-+ .long 0x0060b6d6, 0x29499fff, 0x0868bede, 0x214197f7 ?rev
-+ .long 0x00ecbc50, 0x51bded01, 0xe00c5cb0, 0xb15d0de1 ?rev
-+Lk_deskew: # deskew tables: inverts the sbox's "skew"
-+ .long 0x00e3a447, 0x40a3e407, 0x1af9be5d, 0x5ab9fe1d ?rev
-+ .long 0x0069ea83, 0xdcb5365f, 0x771e9df4, 0xabc24128 ?rev
-+.align 5
-+Lconsts:
-+ mflr r0
-+ bcl 20,31,\$+4
-+ mflr r12 #vvvvv "distance between . and _vpaes_consts
-+ addi r12,r12,-0x308
-+ mtlr r0
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,0,0
-+.asciz "Vector Permutation AES for AltiVec, Mike Hamburg (Stanford University)"
-+.align 6
-+___
-+�
-+my ($inptail,$inpperm,$outhead,$outperm,$outmask,$keyperm) = map("v$_",(26..31));
-+{
-+my ($inp,$out,$key) = map("r$_",(3..5));
-+
-+my ($invlo,$invhi,$iptlo,$ipthi,$sbou,$sbot) = map("v$_",(10..15));
-+my ($sb1u,$sb1t,$sb2u,$sb2t) = map("v$_",(16..19));
-+my ($sb9u,$sb9t,$sbdu,$sbdt,$sbbu,$sbbt,$sbeu,$sbet)=map("v$_",(16..23));
-+
-+$code.=<<___;
-+##
-+## _aes_preheat
-+##
-+## Fills register %r10 -> .aes_consts (so you can -fPIC)
-+## and %xmm9-%xmm15 as specified below.
-+##
-+.align 4
-+_vpaes_encrypt_preheat:
-+ mflr r8
-+ bl Lconsts
-+ mtlr r8
-+ li r11, 0xc0 # Lk_inv
-+ li r10, 0xd0
-+ li r9, 0xe0 # Lk_ipt
-+ li r8, 0xf0
-+ vxor v7, v7, v7 # 0x00..00
-+ vspltisb v8,4 # 0x04..04
-+ vspltisb v9,0x0f # 0x0f..0f
-+ lvx $invlo, r12, r11
-+ li r11, 0x100
-+ lvx $invhi, r12, r10
-+ li r10, 0x110
-+ lvx $iptlo, r12, r9
-+ li r9, 0x120
-+ lvx $ipthi, r12, r8
-+ li r8, 0x130
-+ lvx $sbou, r12, r11
-+ li r11, 0x140
-+ lvx $sbot, r12, r10
-+ li r10, 0x150
-+ lvx $sb1u, r12, r9
-+ lvx $sb1t, r12, r8
-+ lvx $sb2u, r12, r11
-+ lvx $sb2t, r12, r10
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,0,0
-+
-+##
-+## _aes_encrypt_core
-+##
-+## AES-encrypt %xmm0.
-+##
-+## Inputs:
-+## %xmm0 = input
-+## %xmm9-%xmm15 as in _vpaes_preheat
-+## (%rdx) = scheduled keys
-+##
-+## Output in %xmm0
-+## Clobbers %xmm1-%xmm6, %r9, %r10, %r11, %rax
-+##
-+##
-+.align 5
-+_vpaes_encrypt_core:
-+ lwz r8, 240($key) # pull rounds
-+ li r9, 16
-+ lvx v5, 0, $key # vmovdqu (%r9), %xmm5 # round0 key
-+ li r11, 0x10
-+ lvx v6, r9, $key
-+ addi r9, r9, 16
-+ ?vperm v5, v5, v6, $keyperm # align round key
-+ addi r10, r11, 0x40
-+ vsrb v1, v0, v8 # vpsrlb \$4, %xmm0, %xmm0
-+ vperm v0, $iptlo, $iptlo, v0 # vpshufb %xmm1, %xmm2, %xmm1
-+ vperm v1, $ipthi, $ipthi, v1 # vpshufb %xmm0, %xmm3, %xmm2
-+ vxor v0, v0, v5 # vpxor %xmm5, %xmm1, %xmm0
-+ vxor v0, v0, v1 # vpxor %xmm2, %xmm0, %xmm0
-+ mtctr r8
-+ b Lenc_entry
-+
-+.align 4
-+Lenc_loop:
-+ # middle of middle round
-+ vperm v4, $sb1t, v7, v2 # vpshufb %xmm2, %xmm13, %xmm4 # 4 = sb1u
-+ lvx v1, r12, r11 # vmovdqa -0x40(%r11,%r10), %xmm1 # .Lk_mc_forward[]
-+ addi r11, r11, 16
-+ vperm v0, $sb1u, v7, v3 # vpshufb %xmm3, %xmm12, %xmm0 # 0 = sb1t
-+ vxor v4, v4, v5 # vpxor %xmm5, %xmm4, %xmm4 # 4 = sb1u + k
-+ andi. r11, r11, 0x30 # and \$0x30, %r11 # ... mod 4
-+ vperm v5, $sb2t, v7, v2 # vpshufb %xmm2, %xmm15, %xmm5 # 4 = sb2u
-+ vxor v0, v0, v4 # vpxor %xmm4, %xmm0, %xmm0 # 0 = A
-+ vperm v2, $sb2u, v7, v3 # vpshufb %xmm3, %xmm14, %xmm2 # 2 = sb2t
-+ lvx v4, r12, r10 # vmovdqa (%r11,%r10), %xmm4 # .Lk_mc_backward[]
-+ addi r10, r11, 0x40
-+ vperm v3, v0, v7, v1 # vpshufb %xmm1, %xmm0, %xmm3 # 0 = B
-+ vxor v2, v2, v5 # vpxor %xmm5, %xmm2, %xmm2 # 2 = 2A
-+ vperm v0, v0, v7, v4 # vpshufb %xmm4, %xmm0, %xmm0 # 3 = D
-+ vxor v3, v3, v2 # vpxor %xmm2, %xmm3, %xmm3 # 0 = 2A+B
-+ vperm v4, v3, v7, v1 # vpshufb %xmm1, %xmm3, %xmm4 # 0 = 2B+C
-+ vxor v0, v0, v3 # vpxor %xmm3, %xmm0, %xmm0 # 3 = 2A+B+D
-+ vxor v0, v0, v4 # vpxor %xmm4, %xmm0, %xmm0 # 0 = 2A+3B+C+D
-+
-+Lenc_entry:
-+ # top of round
-+ vsrb v1, v0, v8 # vpsrlb \$4, %xmm0, %xmm0 # 1 = i
-+ vperm v5, $invhi, $invhi, v0 # vpshufb %xmm1, %xmm11, %xmm5 # 2 = a/k
-+ vxor v0, v0, v1 # vpxor %xmm0, %xmm1, %xmm1 # 0 = j
-+ vperm v3, $invlo, $invlo, v1 # vpshufb %xmm0, %xmm10, %xmm3 # 3 = 1/i
-+ vperm v4, $invlo, $invlo, v0 # vpshufb %xmm1, %xmm10, %xmm4 # 4 = 1/j
-+ vand v0, v0, v9
-+ vxor v3, v3, v5 # vpxor %xmm5, %xmm3, %xmm3 # 3 = iak = 1/i + a/k
-+ vxor v4, v4, v5 # vpxor %xmm5, %xmm4, %xmm4 # 4 = jak = 1/j + a/k
-+ vperm v2, $invlo, v7, v3 # vpshufb %xmm3, %xmm10, %xmm2 # 2 = 1/iak
-+ vmr v5, v6
-+ lvx v6, r9, $key # vmovdqu (%r9), %xmm5
-+ vperm v3, $invlo, v7, v4 # vpshufb %xmm4, %xmm10, %xmm3 # 3 = 1/jak
-+ addi r9, r9, 16
-+ vxor v2, v2, v0 # vpxor %xmm1, %xmm2, %xmm2 # 2 = io
-+ ?vperm v5, v5, v6, $keyperm # align round key
-+ vxor v3, v3, v1 # vpxor %xmm0, %xmm3, %xmm3 # 3 = jo
-+ bdnz Lenc_loop
-+
-+ # middle of last round
-+ addi r10, r11, 0x80
-+ # vmovdqa -0x60(%r10), %xmm4 # 3 : sbou .Lk_sbo
-+ # vmovdqa -0x50(%r10), %xmm0 # 0 : sbot .Lk_sbo+16
-+ vperm v4, $sbou, v7, v2 # vpshufb %xmm2, %xmm4, %xmm4 # 4 = sbou
-+ lvx v1, r12, r10 # vmovdqa 0x40(%r11,%r10), %xmm1 # .Lk_sr[]
-+ vperm v0, $sbot, v7, v3 # vpshufb %xmm3, %xmm0, %xmm0 # 0 = sb1t
-+ vxor v4, v4, v5 # vpxor %xmm5, %xmm4, %xmm4 # 4 = sb1u + k
-+ vxor v0, v0, v4 # vpxor %xmm4, %xmm0, %xmm0 # 0 = A
-+ vperm v0, v0, v7, v1 # vpshufb %xmm1, %xmm0, %xmm0
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,0,0
-+
-+.globl .vpaes_encrypt
-+.align 5
-+.vpaes_encrypt:
-+ $STU $sp,-$FRAME($sp)
-+ li r10,`15+6*$SIZE_T`
-+ li r11,`31+6*$SIZE_T`
-+ mflr r6
-+ mfspr r7, 256 # save vrsave
-+ stvx v20,r10,$sp
-+ addi r10,r10,32
-+ stvx v21,r11,$sp
-+ addi r11,r11,32
-+ stvx v22,r10,$sp
-+ addi r10,r10,32
-+ stvx v23,r11,$sp
-+ addi r11,r11,32
-+ stvx v24,r10,$sp
-+ addi r10,r10,32
-+ stvx v25,r11,$sp
-+ addi r11,r11,32
-+ stvx v26,r10,$sp
-+ addi r10,r10,32
-+ stvx v27,r11,$sp
-+ addi r11,r11,32
-+ stvx v28,r10,$sp
-+ addi r10,r10,32
-+ stvx v29,r11,$sp
-+ addi r11,r11,32
-+ stvx v30,r10,$sp
-+ stvx v31,r11,$sp
-+ stw r7,`$FRAME-4`($sp) # save vrsave
-+ li r0, -1
-+ $PUSH r6,`$FRAME+$LRSAVE`($sp)
-+ mtspr 256, r0 # preserve all AltiVec registers
-+
-+ bl _vpaes_encrypt_preheat
-+
-+ ?lvsl $inpperm, 0, $inp # prepare for unaligned access
-+ lvx v0, 0, $inp
-+ addi $inp, $inp, 15 # 15 is not a typo
-+ ?lvsr $outperm, 0, $out
-+ ?lvsl $keyperm, 0, $key # prepare for unaligned access
-+ vnor $outmask, v7, v7 # 0xff..ff
-+ lvx $inptail, 0, $inp # redundant in aligned case
-+ ?vperm $outmask, v7, $outmask, $outperm
-+ lvx $outhead, 0, $out
-+ ?vperm v0, v0, $inptail, $inpperm
-+
-+ bl _vpaes_encrypt_core
-+
-+ vperm v0, v0, v0, $outperm # rotate right/left
-+ vsel v1, $outhead, v0, $outmask
-+ vmr $outhead, v0
-+ stvx v1, 0, $out
-+ addi $out, $out, 15 # 15 is not a typo
-+ ########
-+
-+ lvx v1, 0, $out # redundant in aligned case
-+ vsel v1, $outhead, v1, $outmask
-+ stvx v1, 0, $out
-+
-+ li r10,`15+6*$SIZE_T`
-+ li r11,`31+6*$SIZE_T`
-+ mtlr r6
-+ mtspr 256, r7 # restore vrsave
-+ lvx v20,r10,$sp
-+ addi r10,r10,32
-+ lvx v21,r11,$sp
-+ addi r11,r11,32
-+ lvx v22,r10,$sp
-+ addi r10,r10,32
-+ lvx v23,r11,$sp
-+ addi r11,r11,32
-+ lvx v24,r10,$sp
-+ addi r10,r10,32
-+ lvx v25,r11,$sp
-+ addi r11,r11,32
-+ lvx v26,r10,$sp
-+ addi r10,r10,32
-+ lvx v27,r11,$sp
-+ addi r11,r11,32
-+ lvx v28,r10,$sp
-+ addi r10,r10,32
-+ lvx v29,r11,$sp
-+ addi r11,r11,32
-+ lvx v30,r10,$sp
-+ lvx v31,r11,$sp
-+ addi $sp,$sp,$FRAME
-+ blr
-+ .long 0
-+ .byte 0,12,0x04,1,0x80,0,3,0
-+ .long 0
-+.size .vpaes_encrypt,.-.vpaes_encrypt
-+
-+.align 4
-+_vpaes_decrypt_preheat:
-+ mflr r8
-+ bl Lconsts
-+ mtlr r8
-+ li r11, 0xc0 # Lk_inv
-+ li r10, 0xd0
-+ li r9, 0x160 # Ldipt
-+ li r8, 0x170
-+ vxor v7, v7, v7 # 0x00..00
-+ vspltisb v8,4 # 0x04..04
-+ vspltisb v9,0x0f # 0x0f..0f
-+ lvx $invlo, r12, r11
-+ li r11, 0x180
-+ lvx $invhi, r12, r10
-+ li r10, 0x190
-+ lvx $iptlo, r12, r9
-+ li r9, 0x1a0
-+ lvx $ipthi, r12, r8
-+ li r8, 0x1b0
-+ lvx $sbou, r12, r11
-+ li r11, 0x1c0
-+ lvx $sbot, r12, r10
-+ li r10, 0x1d0
-+ lvx $sb9u, r12, r9
-+ li r9, 0x1e0
-+ lvx $sb9t, r12, r8
-+ li r8, 0x1f0
-+ lvx $sbdu, r12, r11
-+ li r11, 0x200
-+ lvx $sbdt, r12, r10
-+ li r10, 0x210
-+ lvx $sbbu, r12, r9
-+ lvx $sbbt, r12, r8
-+ lvx $sbeu, r12, r11
-+ lvx $sbet, r12, r10
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,0,0
-+
-+##
-+## Decryption core
-+##
-+## Same API as encryption core.
-+##
-+.align 4
-+_vpaes_decrypt_core:
-+ lwz r8, 240($key) # pull rounds
-+ li r9, 16
-+ lvx v5, 0, $key # vmovdqu (%r9), %xmm4 # round0 key
-+ li r11, 0x30
-+ lvx v6, r9, $key
-+ addi r9, r9, 16
-+ ?vperm v5, v5, v6, $keyperm # align round key
-+ vsrb v1, v0, v8 # vpsrlb \$4, %xmm0, %xmm0
-+ vperm v0, $iptlo, $iptlo, v0 # vpshufb %xmm1, %xmm2, %xmm2
-+ vperm v1, $ipthi, $ipthi, v1 # vpshufb %xmm0, %xmm1, %xmm0
-+ vxor v0, v0, v5 # vpxor %xmm4, %xmm2, %xmm2
-+ vxor v0, v0, v1 # vpxor %xmm2, %xmm0, %xmm0
-+ mtctr r8
-+ b Ldec_entry
-+
-+.align 4
-+Ldec_loop:
-+#
-+# Inverse mix columns
-+#
-+ lvx v0, r12, r11 # v5 and v0 are flipped
-+ # vmovdqa -0x20(%r10),%xmm4 # 4 : sb9u
-+ # vmovdqa -0x10(%r10),%xmm1 # 0 : sb9t
-+ vperm v4, $sb9u, v7, v2 # vpshufb %xmm2, %xmm4, %xmm4 # 4 = sb9u
-+ subi r11, r11, 16
-+ vperm v1, $sb9t, v7, v3 # vpshufb %xmm3, %xmm1, %xmm1 # 0 = sb9t
-+ andi. r11, r11, 0x30
-+ vxor v5, v5, v4 # vpxor %xmm4, %xmm0, %xmm0
-+ # vmovdqa 0x00(%r10),%xmm4 # 4 : sbdu
-+ vxor v5, v5, v1 # vpxor %xmm1, %xmm0, %xmm0 # 0 = ch
-+ # vmovdqa 0x10(%r10),%xmm1 # 0 : sbdt
-+
-+ vperm v4, $sbdu, v7, v2 # vpshufb %xmm2, %xmm4, %xmm4 # 4 = sbdu
-+ vperm v5, v5, v7, v0 # vpshufb %xmm5, %xmm0, %xmm0 # MC ch
-+ vperm v1, $sbdt, v7, v3 # vpshufb %xmm3, %xmm1, %xmm1 # 0 = sbdt
-+ vxor v5, v5, v4 # vpxor %xmm4, %xmm0, %xmm0 # 4 = ch
-+ # vmovdqa 0x20(%r10), %xmm4 # 4 : sbbu
-+ vxor v5, v5, v1 # vpxor %xmm1, %xmm0, %xmm0 # 0 = ch
-+ # vmovdqa 0x30(%r10), %xmm1 # 0 : sbbt
-+
-+ vperm v4, $sbbu, v7, v2 # vpshufb %xmm2, %xmm4, %xmm4 # 4 = sbbu
-+ vperm v5, v5, v7, v0 # vpshufb %xmm5, %xmm0, %xmm0 # MC ch
-+ vperm v1, $sbbt, v7, v3 # vpshufb %xmm3, %xmm1, %xmm1 # 0 = sbbt
-+ vxor v5, v5, v4 # vpxor %xmm4, %xmm0, %xmm0 # 4 = ch
-+ # vmovdqa 0x40(%r10), %xmm4 # 4 : sbeu
-+ vxor v5, v5, v1 # vpxor %xmm1, %xmm0, %xmm0 # 0 = ch
-+ # vmovdqa 0x50(%r10), %xmm1 # 0 : sbet
-+
-+ vperm v4, $sbeu, v7, v2 # vpshufb %xmm2, %xmm4, %xmm4 # 4 = sbeu
-+ vperm v5, v5, v7, v0 # vpshufb %xmm5, %xmm0, %xmm0 # MC ch
-+ vperm v1, $sbet, v7, v3 # vpshufb %xmm3, %xmm1, %xmm1 # 0 = sbet
-+ vxor v0, v5, v4 # vpxor %xmm4, %xmm0, %xmm0 # 4 = ch
-+ vxor v0, v0, v1 # vpxor %xmm1, %xmm0, %xmm0 # 0 = ch
-+
-+Ldec_entry:
-+ # top of round
-+ vsrb v1, v0, v8 # vpsrlb \$4, %xmm0, %xmm0 # 1 = i
-+ vperm v2, $invhi, $invhi, v0 # vpshufb %xmm1, %xmm11, %xmm2 # 2 = a/k
-+ vxor v0, v0, v1 # vpxor %xmm0, %xmm1, %xmm1 # 0 = j
-+ vperm v3, $invlo, $invlo, v1 # vpshufb %xmm0, %xmm10, %xmm3 # 3 = 1/i
-+ vperm v4, $invlo, $invlo, v0 # vpshufb %xmm1, %xmm10, %xmm4 # 4 = 1/j
-+ vand v0, v0, v9
-+ vxor v3, v3, v2 # vpxor %xmm2, %xmm3, %xmm3 # 3 = iak = 1/i + a/k
-+ vxor v4, v4, v2 # vpxor %xmm2, %xmm4, %xmm4 # 4 = jak = 1/j + a/k
-+ vperm v2, $invlo, v7, v3 # vpshufb %xmm3, %xmm10, %xmm2 # 2 = 1/iak
-+ vmr v5, v6
-+ lvx v6, r9, $key # vmovdqu (%r9), %xmm0
-+ vperm v3, $invlo, v7, v4 # vpshufb %xmm4, %xmm10, %xmm3 # 3 = 1/jak
-+ addi r9, r9, 16
-+ vxor v2, v2, v0 # vpxor %xmm1, %xmm2, %xmm2 # 2 = io
-+ ?vperm v5, v5, v6, $keyperm # align round key
-+ vxor v3, v3, v1 # vpxor %xmm0, %xmm3, %xmm3 # 3 = jo
-+ bdnz Ldec_loop
-+
-+ # middle of last round
-+ addi r10, r11, 0x80
-+ # vmovdqa 0x60(%r10), %xmm4 # 3 : sbou
-+ vperm v4, $sbou, v7, v2 # vpshufb %xmm2, %xmm4, %xmm4 # 4 = sbou
-+ # vmovdqa 0x70(%r10), %xmm1 # 0 : sbot
-+ lvx v2, r12, r10 # vmovdqa -0x160(%r11), %xmm2 # .Lk_sr-.Lk_dsbd=-0x160
-+ vperm v1, $sbot, v7, v3 # vpshufb %xmm3, %xmm1, %xmm1 # 0 = sb1t
-+ vxor v4, v4, v5 # vpxor %xmm0, %xmm4, %xmm4 # 4 = sb1u + k
-+ vxor v0, v1, v4 # vpxor %xmm4, %xmm1, %xmm0 # 0 = A
-+ vperm v0, v0, v7, v2 # vpshufb %xmm2, %xmm0, %xmm0
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,0,0
-+
-+.globl .vpaes_decrypt
-+.align 5
-+.vpaes_decrypt:
-+ $STU $sp,-$FRAME($sp)
-+ li r10,`15+6*$SIZE_T`
-+ li r11,`31+6*$SIZE_T`
-+ mflr r6
-+ mfspr r7, 256 # save vrsave
-+ stvx v20,r10,$sp
-+ addi r10,r10,32
-+ stvx v21,r11,$sp
-+ addi r11,r11,32
-+ stvx v22,r10,$sp
-+ addi r10,r10,32
-+ stvx v23,r11,$sp
-+ addi r11,r11,32
-+ stvx v24,r10,$sp
-+ addi r10,r10,32
-+ stvx v25,r11,$sp
-+ addi r11,r11,32
-+ stvx v26,r10,$sp
-+ addi r10,r10,32
-+ stvx v27,r11,$sp
-+ addi r11,r11,32
-+ stvx v28,r10,$sp
-+ addi r10,r10,32
-+ stvx v29,r11,$sp
-+ addi r11,r11,32
-+ stvx v30,r10,$sp
-+ stvx v31,r11,$sp
-+ stw r7,`$FRAME-4`($sp) # save vrsave
-+ li r0, -1
-+ $PUSH r6,`$FRAME+$LRSAVE`($sp)
-+ mtspr 256, r0 # preserve all AltiVec registers
-+
-+ bl _vpaes_decrypt_preheat
-+
-+ ?lvsl $inpperm, 0, $inp # prepare for unaligned access
-+ lvx v0, 0, $inp
-+ addi $inp, $inp, 15 # 15 is not a typo
-+ ?lvsr $outperm, 0, $out
-+ ?lvsl $keyperm, 0, $key
-+ vnor $outmask, v7, v7 # 0xff..ff
-+ lvx $inptail, 0, $inp # redundant in aligned case
-+ ?vperm $outmask, v7, $outmask, $outperm
-+ lvx $outhead, 0, $out
-+ ?vperm v0, v0, $inptail, $inpperm
-+
-+ bl _vpaes_decrypt_core
-+
-+ vperm v0, v0, v0, $outperm # rotate right/left
-+ vsel v1, $outhead, v0, $outmask
-+ vmr $outhead, v0
-+ stvx v1, 0, $out
-+ addi $out, $out, 15 # 15 is not a typo
-+ ########
-+
-+ lvx v1, 0, $out # redundant in aligned case
-+ vsel v1, $outhead, v1, $outmask
-+ stvx v1, 0, $out
-+
-+ li r10,`15+6*$SIZE_T`
-+ li r11,`31+6*$SIZE_T`
-+ mtlr r6
-+ mtspr 256, r7 # restore vrsave
-+ lvx v20,r10,$sp
-+ addi r10,r10,32
-+ lvx v21,r11,$sp
-+ addi r11,r11,32
-+ lvx v22,r10,$sp
-+ addi r10,r10,32
-+ lvx v23,r11,$sp
-+ addi r11,r11,32
-+ lvx v24,r10,$sp
-+ addi r10,r10,32
-+ lvx v25,r11,$sp
-+ addi r11,r11,32
-+ lvx v26,r10,$sp
-+ addi r10,r10,32
-+ lvx v27,r11,$sp
-+ addi r11,r11,32
-+ lvx v28,r10,$sp
-+ addi r10,r10,32
-+ lvx v29,r11,$sp
-+ addi r11,r11,32
-+ lvx v30,r10,$sp
-+ lvx v31,r11,$sp
-+ addi $sp,$sp,$FRAME
-+ blr
-+ .long 0
-+ .byte 0,12,0x04,1,0x80,0,3,0
-+ .long 0
-+.size .vpaes_decrypt,.-.vpaes_decrypt
-+
-+.globl .vpaes_cbc_encrypt
-+.align 5
-+.vpaes_cbc_encrypt:
-+ ${UCMP}i r5,16
-+ bltlr-
-+
-+ $STU $sp,-`($FRAME+2*$SIZE_T)`($sp)
-+ mflr r0
-+ li r10,`15+6*$SIZE_T`
-+ li r11,`31+6*$SIZE_T`
-+ mfspr r12, 256
-+ stvx v20,r10,$sp
-+ addi r10,r10,32
-+ stvx v21,r11,$sp
-+ addi r11,r11,32
-+ stvx v22,r10,$sp
-+ addi r10,r10,32
-+ stvx v23,r11,$sp
-+ addi r11,r11,32
-+ stvx v24,r10,$sp
-+ addi r10,r10,32
-+ stvx v25,r11,$sp
-+ addi r11,r11,32
-+ stvx v26,r10,$sp
-+ addi r10,r10,32
-+ stvx v27,r11,$sp
-+ addi r11,r11,32
-+ stvx v28,r10,$sp
-+ addi r10,r10,32
-+ stvx v29,r11,$sp
-+ addi r11,r11,32
-+ stvx v30,r10,$sp
-+ stvx v31,r11,$sp
-+ stw r12,`$FRAME-4`($sp) # save vrsave
-+ $PUSH r30,`$FRAME+$SIZE_T*0`($sp)
-+ $PUSH r31,`$FRAME+$SIZE_T*1`($sp)
-+ li r9, -16
-+ $PUSH r0, `$FRAME+$SIZE_T*2+$LRSAVE`($sp)
-+
-+ and r30, r5, r9 # copy length&-16
-+ mr r5, r6 # copy pointer to key
-+ mr r31, r7 # copy pointer to iv
-+ blt Lcbc_abort
-+ cmpwi r8, 0 # test direction
-+ li r6, -1
-+ mr r7, r12 # copy vrsave
-+ mtspr 256, r6 # preserve all AltiVec registers
-+
-+ lvx v24, 0, r31 # load [potentially unaligned] iv
-+ li r9, 15
-+ ?lvsl $inpperm, 0, r31
-+ lvx v25, r9, r31
-+ ?vperm v24, v24, v25, $inpperm
-+
-+ neg r8, $inp # prepare for unaligned access
-+ vxor v7, v7, v7
-+ ?lvsl $keyperm, 0, $key
-+ ?lvsr $outperm, 0, $out
-+ ?lvsr $inpperm, 0, r8 # -$inp
-+ vnor $outmask, v7, v7 # 0xff..ff
-+ lvx $inptail, 0, $inp
-+ ?vperm $outmask, v7, $outmask, $outperm
-+ addi $inp, $inp, 15 # 15 is not a typo
-+ lvx $outhead, 0, $out
-+
-+ beq Lcbc_decrypt
-+
-+ bl _vpaes_encrypt_preheat
-+ li r0, 16
-+
-+Lcbc_enc_loop:
-+ vmr v0, $inptail
-+ lvx $inptail, 0, $inp
-+ addi $inp, $inp, 16
-+ ?vperm v0, v0, $inptail, $inpperm
-+ vxor v0, v0, v24 # ^= iv
-+
-+ bl _vpaes_encrypt_core
-+
-+ vmr v24, v0 # put aside iv
-+ sub. r30, r30, r0 # len -= 16
-+ vperm v0, v0, v0, $outperm # rotate right/left
-+ vsel v1, $outhead, v0, $outmask
-+ vmr $outhead, v0
-+ stvx v1, 0, $out
-+ addi $out, $out, 16
-+ bne Lcbc_enc_loop
-+
-+ b Lcbc_done
-+
-+.align 5
-+Lcbc_decrypt:
-+ bl _vpaes_decrypt_preheat
-+ li r0, 16
-+
-+Lcbc_dec_loop:
-+ vmr v0, $inptail
-+ lvx $inptail, 0, $inp
-+ addi $inp, $inp, 16
-+ ?vperm v0, v0, $inptail, $inpperm
-+ vmr v25, v0 # put aside input
-+
-+ bl _vpaes_decrypt_core
-+
-+ vxor v0, v0, v24 # ^= iv
-+ vmr v24, v25
-+ sub. r30, r30, r0 # len -= 16
-+ vperm v0, v0, v0, $outperm # rotate right/left
-+ vsel v1, $outhead, v0, $outmask
-+ vmr $outhead, v0
-+ stvx v1, 0, $out
-+ addi $out, $out, 16
-+ bne Lcbc_dec_loop
-+
-+Lcbc_done:
-+ addi $out, $out, -1
-+ lvx v1, 0, $out # redundant in aligned case
-+ vsel v1, $outhead, v1, $outmask
-+ stvx v1, 0, $out
-+
-+ neg r8, r31 # write [potentially unaligned] iv
-+ ?lvsl $outperm, 0, r8
-+ li r6, 15
-+ vnor $outmask, v7, v7 # 0xff..ff
-+ ?vperm $outmask, v7, $outmask, $outperm
-+ lvx $outhead, 0, r31
-+ vperm v24, v24, v24, $outperm # rotate right/left
-+ vsel v0, $outhead, v24, $outmask
-+ lvx v1, r6, r31
-+ stvx v0, 0, r31
-+ vsel v1, v24, v1, $outmask
-+ stvx v1, r6, r31
-+
-+ mtspr 256, r7 # restore vrsave
-+ li r10,`15+6*$SIZE_T`
-+ li r11,`31+6*$SIZE_T`
-+ lvx v20,r10,$sp
-+ addi r10,r10,32
-+ lvx v21,r11,$sp
-+ addi r11,r11,32
-+ lvx v22,r10,$sp
-+ addi r10,r10,32
-+ lvx v23,r11,$sp
-+ addi r11,r11,32
-+ lvx v24,r10,$sp
-+ addi r10,r10,32
-+ lvx v25,r11,$sp
-+ addi r11,r11,32
-+ lvx v26,r10,$sp
-+ addi r10,r10,32
-+ lvx v27,r11,$sp
-+ addi r11,r11,32
-+ lvx v28,r10,$sp
-+ addi r10,r10,32
-+ lvx v29,r11,$sp
-+ addi r11,r11,32
-+ lvx v30,r10,$sp
-+ lvx v31,r11,$sp
-+Lcbc_abort:
-+ $POP r0, `$FRAME+$SIZE_T*2+$LRSAVE`($sp)
-+ $POP r30,`$FRAME+$SIZE_T*0`($sp)
-+ $POP r31,`$FRAME+$SIZE_T*1`($sp)
-+ mtlr r0
-+ addi $sp,$sp,`$FRAME+$SIZE_T*2`
-+ blr
-+ .long 0
-+ .byte 0,12,0x04,1,0x80,2,6,0
-+ .long 0
-+.size .vpaes_cbc_encrypt,.-.vpaes_cbc_encrypt
-+___
-+}�
-+{
-+my ($inp,$bits,$out)=map("r$_",(3..5));
-+my $dir="cr1";
-+my ($invlo,$invhi,$iptlo,$ipthi,$rcon) = map("v$_",(10..13,24));
-+
-+$code.=<<___;
-+########################################################
-+## ##
-+## AES key schedule ##
-+## ##
-+########################################################
-+.align 4
-+_vpaes_key_preheat:
-+ mflr r8
-+ bl Lconsts
-+ mtlr r8
-+ li r11, 0xc0 # Lk_inv
-+ li r10, 0xd0
-+ li r9, 0xe0 # L_ipt
-+ li r8, 0xf0
-+
-+ vspltisb v8,4 # 0x04..04
-+ vxor v9,v9,v9 # 0x00..00
-+ lvx $invlo, r12, r11 # Lk_inv
-+ li r11, 0x120
-+ lvx $invhi, r12, r10
-+ li r10, 0x130
-+ lvx $iptlo, r12, r9 # Lk_ipt
-+ li r9, 0x220
-+ lvx $ipthi, r12, r8
-+ li r8, 0x230
-+
-+ lvx v14, r12, r11 # Lk_sb1
-+ li r11, 0x240
-+ lvx v15, r12, r10
-+ li r10, 0x250
-+
-+ lvx v16, r12, r9 # Lk_dksd
-+ li r9, 0x260
-+ lvx v17, r12, r8
-+ li r8, 0x270
-+ lvx v18, r12, r11 # Lk_dksb
-+ li r11, 0x280
-+ lvx v19, r12, r10
-+ li r10, 0x290
-+ lvx v20, r12, r9 # Lk_dkse
-+ li r9, 0x2a0
-+ lvx v21, r12, r8
-+ li r8, 0x2b0
-+ lvx v22, r12, r11 # Lk_dks9
-+ lvx v23, r12, r10
-+
-+ lvx v24, r12, r9 # Lk_rcon
-+ lvx v25, 0, r12 # Lk_mc_forward[0]
-+ lvx v26, r12, r8 # Lks63
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,0,0
-+
-+.align 4
-+_vpaes_schedule_core:
-+ mflr r7
-+
-+ bl _vpaes_key_preheat # load the tables
-+
-+ #lvx v0, 0, $inp # vmovdqu (%rdi), %xmm0 # load key (unaligned)
-+ neg r8, $inp # prepare for unaligned access
-+ lvx v0, 0, $inp
-+ addi $inp, $inp, 15 # 15 is not typo
-+ ?lvsr $inpperm, 0, r8 # -$inp
-+ lvx v6, 0, $inp # v6 serves as inptail
-+ addi $inp, $inp, 8
-+ ?vperm v0, v0, v6, $inpperm
-+
-+ # input transform
-+ vmr v3, v0 # vmovdqa %xmm0, %xmm3
-+ bl _vpaes_schedule_transform
-+ vmr v7, v0 # vmovdqa %xmm0, %xmm7
-+
-+ bne $dir, Lschedule_am_decrypting
-+
-+ # encrypting, output zeroth round key after transform
-+ li r8, 0x30 # mov \$0x30,%r8d
-+ addi r10, r12, 0x80 # lea .Lk_sr(%rip),%r10
-+
-+ ?lvsr $outperm, 0, $out # prepare for unaligned access
-+ vnor $outmask, v9, v9 # 0xff..ff
-+ lvx $outhead, 0, $out
-+ ?vperm $outmask, v9, $outmask, $outperm
-+
-+ #stvx v0, 0, $out # vmovdqu %xmm0, (%rdx)
-+ vperm v1, v0, v0, $outperm # rotate right/left
-+ vsel v2, $outhead, v1, $outmask
-+ vmr $outhead, v1
-+ stvx v2, 0, $out
-+ b Lschedule_go
-+
-+Lschedule_am_decrypting:
-+ srwi r8, $bits, 1 # shr \$1,%r8d
-+ andi. r8, r8, 32 # and \$32,%r8d
-+ xori r8, r8, 32 # xor \$32,%r8d # nbits==192?0:32
-+ addi r10, r12, 0x80 # lea .Lk_sr(%rip),%r10
-+ # decrypting, output zeroth round key after shiftrows
-+ lvx v1, r8, r10 # vmovdqa (%r8,%r10), %xmm1
-+ vperm v4, v3, v3, v1 # vpshufb %xmm1, %xmm3, %xmm3
-+
-+ neg r0, $out # prepare for unaligned access
-+ ?lvsl $outperm, 0, r0
-+ addi $out, $out, 15 # 15 is not typo
-+ vnor $outmask, v9, v9 # 0xff..ff
-+ lvx $outhead, 0, $out
-+ ?vperm $outmask, $outmask, v9, $outperm
-+
-+ #stvx v4, 0, $out # vmovdqu %xmm3, (%rdx)
-+ vperm v4, v4, v4, $outperm # rotate right/left
-+ vsel v2, $outhead, v4, $outmask
-+ vmr $outhead, v4
-+ stvx v2, 0, $out
-+ xori r8, r8, 0x30 # xor \$0x30, %r8
-+
-+Lschedule_go:
-+ cmplwi $bits, 192 # cmp \$192, %esi
-+ bgt Lschedule_256
-+ beq Lschedule_192
-+ # 128: fall though
-+
-+##
-+## .schedule_128
-+##
-+## 128-bit specific part of key schedule.
-+##
-+## This schedule is really simple, because all its parts
-+## are accomplished by the subroutines.
-+##
-+Lschedule_128:
-+ li r0, 10 # mov \$10, %esi
-+ mtctr r0
-+
-+Loop_schedule_128:
-+ bl _vpaes_schedule_round
-+ bdz Lschedule_mangle_last # dec %esi
-+ bl _vpaes_schedule_mangle # write output
-+ b Loop_schedule_128
-+
-+##
-+## .aes_schedule_192
-+##
-+## 192-bit specific part of key schedule.
-+##
-+## The main body of this schedule is the same as the 128-bit
-+## schedule, but with more smearing. The long, high side is
-+## stored in %xmm7 as before, and the short, low side is in
-+## the high bits of %xmm6.
-+##
-+## This schedule is somewhat nastier, however, because each
-+## round produces 192 bits of key material, or 1.5 round keys.
-+## Therefore, on each cycle we do 2 rounds and produce 3 round
-+## keys.
-+##
-+.align 4
-+Lschedule_192:
-+ li r0, 4 # mov \$4, %esi
-+ lvx v0, 0, $inp
-+ ?vperm v0, v6, v0, $inpperm
-+ ?vsldoi v0, v3, v0, 8 # vmovdqu 8(%rdi),%xmm0 # load key part 2 (very unaligned)
-+ bl _vpaes_schedule_transform # input transform
-+ ?vsldoi v6, v0, v9, 8
-+ ?vsldoi v6, v9, v6, 8 # clobber "low" side with zeros
-+ mtctr r0
-+
-+Loop_schedule_192:
-+ bl _vpaes_schedule_round
-+ ?vsldoi v0, v6, v0, 8 # vpalignr \$8,%xmm6,%xmm0,%xmm0
-+ bl _vpaes_schedule_mangle # save key n
-+ bl _vpaes_schedule_192_smear
-+ bl _vpaes_schedule_mangle # save key n+1
-+ bl _vpaes_schedule_round
-+ bdz Lschedule_mangle_last # dec %esi
-+ bl _vpaes_schedule_mangle # save key n+2
-+ bl _vpaes_schedule_192_smear
-+ b Loop_schedule_192
-+
-+##
-+## .aes_schedule_256
-+##
-+## 256-bit specific part of key schedule.
-+##
-+## The structure here is very similar to the 128-bit
-+## schedule, but with an additional "low side" in
-+## %xmm6. The low side's rounds are the same as the
-+## high side's, except no rcon and no rotation.
-+##
-+.align 4
-+Lschedule_256:
-+ li r0, 7 # mov \$7, %esi
-+ addi $inp, $inp, 8
-+ lvx v0, 0, $inp # vmovdqu 16(%rdi),%xmm0 # load key part 2 (unaligned)
-+ ?vperm v0, v6, v0, $inpperm
-+ bl _vpaes_schedule_transform # input transform
-+ mtctr r0
-+
-+Loop_schedule_256:
-+ bl _vpaes_schedule_mangle # output low result
-+ vmr v6, v0 # vmovdqa %xmm0, %xmm6 # save cur_lo in xmm6
-+
-+ # high round
-+ bl _vpaes_schedule_round
-+ bdz Lschedule_mangle_last # dec %esi
-+ bl _vpaes_schedule_mangle
-+
-+ # low round. swap xmm7 and xmm6
-+ ?vspltw v0, v0, 3 # vpshufd \$0xFF, %xmm0, %xmm0
-+ vmr v5, v7 # vmovdqa %xmm7, %xmm5
-+ vmr v7, v6 # vmovdqa %xmm6, %xmm7
-+ bl _vpaes_schedule_low_round
-+ vmr v7, v5 # vmovdqa %xmm5, %xmm7
-+
-+ b Loop_schedule_256
-+##
-+## .aes_schedule_mangle_last
-+##
-+## Mangler for last round of key schedule
-+## Mangles %xmm0
-+## when encrypting, outputs out(%xmm0) ^ 63
-+## when decrypting, outputs unskew(%xmm0)
-+##
-+## Always called right before return... jumps to cleanup and exits
-+##
-+.align 4
-+Lschedule_mangle_last:
-+ # schedule last round key from xmm0
-+ li r11, 0x2e0 # lea .Lk_deskew(%rip),%r11
-+ li r9, 0x2f0
-+ bne $dir, Lschedule_mangle_last_dec
-+
-+ # encrypting
-+ lvx v1, r8, r10 # vmovdqa (%r8,%r10),%xmm1
-+ li r11, 0x2c0 # lea .Lk_opt(%rip), %r11 # prepare to output transform
-+ li r9, 0x2d0 # prepare to output transform
-+ vperm v0, v0, v0, v1 # vpshufb %xmm1, %xmm0, %xmm0 # output permute
-+
-+ lvx $iptlo, r11, r12 # reload $ipt
-+ lvx $ipthi, r9, r12
-+ addi $out, $out, 16 # add \$16, %rdx
-+ vxor v0, v0, v26 # vpxor .Lk_s63(%rip), %xmm0, %xmm0
-+ bl _vpaes_schedule_transform # output transform
-+
-+ #stvx v0, r0, $out # vmovdqu %xmm0, (%rdx) # save last key
-+ vperm v0, v0, v0, $outperm # rotate right/left
-+ vsel v2, $outhead, v0, $outmask
-+ vmr $outhead, v0
-+ stvx v2, 0, $out
-+
-+ addi $out, $out, 15 # 15 is not typo
-+ lvx v1, 0, $out # redundant in aligned case
-+ vsel v1, $outhead, v1, $outmask
-+ stvx v1, 0, $out
-+ b Lschedule_mangle_done
-+
-+.align 4
-+Lschedule_mangle_last_dec:
-+ lvx $iptlo, r11, r12 # reload $ipt
-+ lvx $ipthi, r9, r12
-+ addi $out, $out, -16 # add \$-16, %rdx
-+ vxor v0, v0, v26 # vpxor .Lk_s63(%rip), %xmm0, %xmm0
-+ bl _vpaes_schedule_transform # output transform
-+
-+ #stvx v0, r0, $out # vmovdqu %xmm0, (%rdx) # save last key
-+ vperm v0, v0, v0, $outperm # rotate right/left
-+ vsel v2, $outhead, v0, $outmask
-+ vmr $outhead, v0
-+ stvx v2, 0, $out
-+
-+ addi $out, $out, -15 # -15 is not typo
-+ lvx v1, 0, $out # redundant in aligned case
-+ vsel v1, $outhead, v1, $outmask
-+ stvx v1, 0, $out
-+
-+Lschedule_mangle_done:
-+ mtlr r7
-+ # cleanup
-+ vxor v0, v0, v0 # vpxor %xmm0, %xmm0, %xmm0
-+ vxor v1, v1, v1 # vpxor %xmm1, %xmm1, %xmm1
-+ vxor v2, v2, v2 # vpxor %xmm2, %xmm2, %xmm2
-+ vxor v3, v3, v3 # vpxor %xmm3, %xmm3, %xmm3
-+ vxor v4, v4, v4 # vpxor %xmm4, %xmm4, %xmm4
-+ vxor v5, v5, v5 # vpxor %xmm5, %xmm5, %xmm5
-+ vxor v6, v6, v6 # vpxor %xmm6, %xmm6, %xmm6
-+ vxor v7, v7, v7 # vpxor %xmm7, %xmm7, %xmm7
-+
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,0,0
-+
-+##
-+## .aes_schedule_192_smear
-+##
-+## Smear the short, low side in the 192-bit key schedule.
-+##
-+## Inputs:
-+## %xmm7: high side, b a x y
-+## %xmm6: low side, d c 0 0
-+## %xmm13: 0
-+##
-+## Outputs:
-+## %xmm6: b+c+d b+c 0 0
-+## %xmm0: b+c+d b+c b a
-+##
-+.align 4
-+_vpaes_schedule_192_smear:
-+ ?vspltw v0, v7, 3
-+ ?vsldoi v1, v9, v6, 12 # vpshufd \$0x80, %xmm6, %xmm1 # d c 0 0 -> c 0 0 0
-+ ?vsldoi v0, v7, v0, 8 # vpshufd \$0xFE, %xmm7, %xmm0 # b a _ _ -> b b b a
-+ vxor v6, v6, v1 # vpxor %xmm1, %xmm6, %xmm6 # -> c+d c 0 0
-+ vxor v6, v6, v0 # vpxor %xmm0, %xmm6, %xmm6 # -> b+c+d b+c b a
-+ vmr v0, v6
-+ ?vsldoi v6, v6, v9, 8
-+ ?vsldoi v6, v9, v6, 8 # clobber low side with zeros
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,0,0
-+
-+##
-+## .aes_schedule_round
-+##
-+## Runs one main round of the key schedule on %xmm0, %xmm7
-+##
-+## Specifically, runs subbytes on the high dword of %xmm0
-+## then rotates it by one byte and xors into the low dword of
-+## %xmm7.
-+##
-+## Adds rcon from low byte of %xmm8, then rotates %xmm8 for
-+## next rcon.
-+##
-+## Smears the dwords of %xmm7 by xoring the low into the
-+## second low, result into third, result into highest.
-+##
-+## Returns results in %xmm7 = %xmm0.
-+## Clobbers %xmm1-%xmm4, %r11.
-+##
-+.align 4
-+_vpaes_schedule_round:
-+ # extract rcon from xmm8
-+ #vxor v4, v4, v4 # vpxor %xmm4, %xmm4, %xmm4
-+ ?vsldoi v1, $rcon, v9, 15 # vpalignr \$15, %xmm8, %xmm4, %xmm1
-+ ?vsldoi $rcon, $rcon, $rcon, 15 # vpalignr \$15, %xmm8, %xmm8, %xmm8
-+ vxor v7, v7, v1 # vpxor %xmm1, %xmm7, %xmm7
-+
-+ # rotate
-+ ?vspltw v0, v0, 3 # vpshufd \$0xFF, %xmm0, %xmm0
-+ ?vsldoi v0, v0, v0, 1 # vpalignr \$1, %xmm0, %xmm0, %xmm0
-+
-+ # fall through...
-+
-+ # low round: same as high round, but no rotation and no rcon.
-+_vpaes_schedule_low_round:
-+ # smear xmm7
-+ ?vsldoi v1, v9, v7, 12 # vpslldq \$4, %xmm7, %xmm1
-+ vxor v7, v7, v1 # vpxor %xmm1, %xmm7, %xmm7
-+ vspltisb v1, 0x0f # 0x0f..0f
-+ ?vsldoi v4, v9, v7, 8 # vpslldq \$8, %xmm7, %xmm4
-+
-+ # subbytes
-+ vand v1, v1, v0 # vpand %xmm9, %xmm0, %xmm1 # 0 = k
-+ vsrb v0, v0, v8 # vpsrlb \$4, %xmm0, %xmm0 # 1 = i
-+ vxor v7, v7, v4 # vpxor %xmm4, %xmm7, %xmm7
-+ vperm v2, $invhi, v9, v1 # vpshufb %xmm1, %xmm11, %xmm2 # 2 = a/k
-+ vxor v1, v1, v0 # vpxor %xmm0, %xmm1, %xmm1 # 0 = j
-+ vperm v3, $invlo, v9, v0 # vpshufb %xmm0, %xmm10, %xmm3 # 3 = 1/i
-+ vxor v3, v3, v2 # vpxor %xmm2, %xmm3, %xmm3 # 3 = iak = 1/i + a/k
-+ vperm v4, $invlo, v9, v1 # vpshufb %xmm1, %xmm10, %xmm4 # 4 = 1/j
-+ vxor v7, v7, v26 # vpxor .Lk_s63(%rip), %xmm7, %xmm7
-+ vperm v3, $invlo, v9, v3 # vpshufb %xmm3, %xmm10, %xmm3 # 2 = 1/iak
-+ vxor v4, v4, v2 # vpxor %xmm2, %xmm4, %xmm4 # 4 = jak = 1/j + a/k
-+ vperm v2, $invlo, v9, v4 # vpshufb %xmm4, %xmm10, %xmm2 # 3 = 1/jak
-+ vxor v3, v3, v1 # vpxor %xmm1, %xmm3, %xmm3 # 2 = io
-+ vxor v2, v2, v0 # vpxor %xmm0, %xmm2, %xmm2 # 3 = jo
-+ vperm v4, v15, v9, v3 # vpshufb %xmm3, %xmm13, %xmm4 # 4 = sbou
-+ vperm v1, v14, v9, v2 # vpshufb %xmm2, %xmm12, %xmm1 # 0 = sb1t
-+ vxor v1, v1, v4 # vpxor %xmm4, %xmm1, %xmm1 # 0 = sbox output
-+
-+ # add in smeared stuff
-+ vxor v0, v1, v7 # vpxor %xmm7, %xmm1, %xmm0
-+ vxor v7, v1, v7 # vmovdqa %xmm0, %xmm7
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,0,0
-+
-+##
-+## .aes_schedule_transform
-+##
-+## Linear-transform %xmm0 according to tables at (%r11)
-+##
-+## Requires that %xmm9 = 0x0F0F... as in preheat
-+## Output in %xmm0
-+## Clobbers %xmm2
-+##
-+.align 4
-+_vpaes_schedule_transform:
-+ #vand v1, v0, v9 # vpand %xmm9, %xmm0, %xmm1
-+ vsrb v2, v0, v8 # vpsrlb \$4, %xmm0, %xmm0
-+ # vmovdqa (%r11), %xmm2 # lo
-+ vperm v0, $iptlo, $iptlo, v0 # vpshufb %xmm1, %xmm2, %xmm2
-+ # vmovdqa 16(%r11), %xmm1 # hi
-+ vperm v2, $ipthi, $ipthi, v2 # vpshufb %xmm0, %xmm1, %xmm0
-+ vxor v0, v0, v2 # vpxor %xmm2, %xmm0, %xmm0
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,0,0
-+
-+##
-+## .aes_schedule_mangle
-+##
-+## Mangle xmm0 from (basis-transformed) standard version
-+## to our version.
-+##
-+## On encrypt,
-+## xor with 0x63
-+## multiply by circulant 0,1,1,1
-+## apply shiftrows transform
-+##
-+## On decrypt,
-+## xor with 0x63
-+## multiply by "inverse mixcolumns" circulant E,B,D,9
-+## deskew
-+## apply shiftrows transform
-+##
-+##
-+## Writes out to (%rdx), and increments or decrements it
-+## Keeps track of round number mod 4 in %r8
-+## Preserves xmm0
-+## Clobbers xmm1-xmm5
-+##
-+.align 4
-+_vpaes_schedule_mangle:
-+ #vmr v4, v0 # vmovdqa %xmm0, %xmm4 # save xmm0 for later
-+ # vmovdqa .Lk_mc_forward(%rip),%xmm5
-+ bne $dir, Lschedule_mangle_dec
-+
-+ # encrypting
-+ vxor v4, v0, v26 # vpxor .Lk_s63(%rip), %xmm0, %xmm4
-+ addi $out, $out, 16 # add \$16, %rdx
-+ vperm v4, v4, v4, v25 # vpshufb %xmm5, %xmm4, %xmm4
-+ vperm v1, v4, v4, v25 # vpshufb %xmm5, %xmm4, %xmm1
-+ vperm v3, v1, v1, v25 # vpshufb %xmm5, %xmm1, %xmm3
-+ vxor v4, v4, v1 # vpxor %xmm1, %xmm4, %xmm4
-+ lvx v1, r8, r10 # vmovdqa (%r8,%r10), %xmm1
-+ vxor v3, v3, v4 # vpxor %xmm4, %xmm3, %xmm3
-+
-+ vperm v3, v3, v3, v1 # vpshufb %xmm1, %xmm3, %xmm3
-+ addi r8, r8, -16 # add \$-16, %r8
-+ andi. r8, r8, 0x30 # and \$0x30, %r8
-+
-+ #stvx v3, 0, $out # vmovdqu %xmm3, (%rdx)
-+ vperm v1, v3, v3, $outperm # rotate right/left
-+ vsel v2, $outhead, v1, $outmask
-+ vmr $outhead, v1
-+ stvx v2, 0, $out
-+ blr
-+
-+.align 4
-+Lschedule_mangle_dec:
-+ # inverse mix columns
-+ # lea .Lk_dksd(%rip),%r11
-+ vsrb v1, v0, v8 # vpsrlb \$4, %xmm4, %xmm1 # 1 = hi
-+ #and v4, v0, v9 # vpand %xmm9, %xmm4, %xmm4 # 4 = lo
-+
-+ # vmovdqa 0x00(%r11), %xmm2
-+ vperm v2, v16, v16, v0 # vpshufb %xmm4, %xmm2, %xmm2
-+ # vmovdqa 0x10(%r11), %xmm3
-+ vperm v3, v17, v17, v1 # vpshufb %xmm1, %xmm3, %xmm3
-+ vxor v3, v3, v2 # vpxor %xmm2, %xmm3, %xmm3
-+ vperm v3, v3, v9, v25 # vpshufb %xmm5, %xmm3, %xmm3
-+
-+ # vmovdqa 0x20(%r11), %xmm2
-+ vperm v2, v18, v18, v0 # vpshufb %xmm4, %xmm2, %xmm2
-+ vxor v2, v2, v3 # vpxor %xmm3, %xmm2, %xmm2
-+ # vmovdqa 0x30(%r11), %xmm3
-+ vperm v3, v19, v19, v1 # vpshufb %xmm1, %xmm3, %xmm3
-+ vxor v3, v3, v2 # vpxor %xmm2, %xmm3, %xmm3
-+ vperm v3, v3, v9, v25 # vpshufb %xmm5, %xmm3, %xmm3
-+
-+ # vmovdqa 0x40(%r11), %xmm2
-+ vperm v2, v20, v20, v0 # vpshufb %xmm4, %xmm2, %xmm2
-+ vxor v2, v2, v3 # vpxor %xmm3, %xmm2, %xmm2
-+ # vmovdqa 0x50(%r11), %xmm3
-+ vperm v3, v21, v21, v1 # vpshufb %xmm1, %xmm3, %xmm3
-+ vxor v3, v3, v2 # vpxor %xmm2, %xmm3, %xmm3
-+
-+ # vmovdqa 0x60(%r11), %xmm2
-+ vperm v2, v22, v22, v0 # vpshufb %xmm4, %xmm2, %xmm2
-+ vperm v3, v3, v9, v25 # vpshufb %xmm5, %xmm3, %xmm3
-+ # vmovdqa 0x70(%r11), %xmm4
-+ vperm v4, v23, v23, v1 # vpshufb %xmm1, %xmm4, %xmm4
-+ lvx v1, r8, r10 # vmovdqa (%r8,%r10), %xmm1
-+ vxor v2, v2, v3 # vpxor %xmm3, %xmm2, %xmm2
-+ vxor v3, v4, v2 # vpxor %xmm2, %xmm4, %xmm3
-+
-+ addi $out, $out, -16 # add \$-16, %rdx
-+
-+ vperm v3, v3, v3, v1 # vpshufb %xmm1, %xmm3, %xmm3
-+ addi r8, r8, -16 # add \$-16, %r8
-+ andi. r8, r8, 0x30 # and \$0x30, %r8
-+
-+ #stvx v3, 0, $out # vmovdqu %xmm3, (%rdx)
-+ vperm v1, v3, v3, $outperm # rotate right/left
-+ vsel v2, $outhead, v1, $outmask
-+ vmr $outhead, v1
-+ stvx v2, 0, $out
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,0,0
-+
-+.globl .vpaes_set_encrypt_key
-+.align 5
-+.vpaes_set_encrypt_key:
-+ $STU $sp,-$FRAME($sp)
-+ li r10,`15+6*$SIZE_T`
-+ li r11,`31+6*$SIZE_T`
-+ mflr r0
-+ mfspr r6, 256 # save vrsave
-+ stvx v20,r10,$sp
-+ addi r10,r10,32
-+ stvx v21,r11,$sp
-+ addi r11,r11,32
-+ stvx v22,r10,$sp
-+ addi r10,r10,32
-+ stvx v23,r11,$sp
-+ addi r11,r11,32
-+ stvx v24,r10,$sp
-+ addi r10,r10,32
-+ stvx v25,r11,$sp
-+ addi r11,r11,32
-+ stvx v26,r10,$sp
-+ addi r10,r10,32
-+ stvx v27,r11,$sp
-+ addi r11,r11,32
-+ stvx v28,r10,$sp
-+ addi r10,r10,32
-+ stvx v29,r11,$sp
-+ addi r11,r11,32
-+ stvx v30,r10,$sp
-+ stvx v31,r11,$sp
-+ stw r6,`$FRAME-4`($sp) # save vrsave
-+ li r7, -1
-+ $PUSH r0, `$FRAME+$LRSAVE`($sp)
-+ mtspr 256, r7 # preserve all AltiVec registers
-+
-+ srwi r9, $bits, 5 # shr \$5,%eax
-+ addi r9, r9, 6 # add \$5,%eax
-+ stw r9, 240($out) # mov %eax,240(%rdx) # AES_KEY->rounds = nbits/32+5;
-+
-+ cmplw $dir, $bits, $bits # set encrypt direction
-+ li r8, 0x30 # mov \$0x30,%r8d
-+ bl _vpaes_schedule_core
-+
-+ $POP r0, `$FRAME+$LRSAVE`($sp)
-+ li r10,`15+6*$SIZE_T`
-+ li r11,`31+6*$SIZE_T`
-+ mtspr 256, r6 # restore vrsave
-+ mtlr r0
-+ xor r3, r3, r3
-+ lvx v20,r10,$sp
-+ addi r10,r10,32
-+ lvx v21,r11,$sp
-+ addi r11,r11,32
-+ lvx v22,r10,$sp
-+ addi r10,r10,32
-+ lvx v23,r11,$sp
-+ addi r11,r11,32
-+ lvx v24,r10,$sp
-+ addi r10,r10,32
-+ lvx v25,r11,$sp
-+ addi r11,r11,32
-+ lvx v26,r10,$sp
-+ addi r10,r10,32
-+ lvx v27,r11,$sp
-+ addi r11,r11,32
-+ lvx v28,r10,$sp
-+ addi r10,r10,32
-+ lvx v29,r11,$sp
-+ addi r11,r11,32
-+ lvx v30,r10,$sp
-+ lvx v31,r11,$sp
-+ addi $sp,$sp,$FRAME
-+ blr
-+ .long 0
-+ .byte 0,12,0x04,1,0x80,0,3,0
-+ .long 0
-+.size .vpaes_set_encrypt_key,.-.vpaes_set_encrypt_key
-+
-+.globl .vpaes_set_decrypt_key
-+.align 4
-+.vpaes_set_decrypt_key:
-+ $STU $sp,-$FRAME($sp)
-+ li r10,`15+6*$SIZE_T`
-+ li r11,`31+6*$SIZE_T`
-+ mflr r0
-+ mfspr r6, 256 # save vrsave
-+ stvx v20,r10,$sp
-+ addi r10,r10,32
-+ stvx v21,r11,$sp
-+ addi r11,r11,32
-+ stvx v22,r10,$sp
-+ addi r10,r10,32
-+ stvx v23,r11,$sp
-+ addi r11,r11,32
-+ stvx v24,r10,$sp
-+ addi r10,r10,32
-+ stvx v25,r11,$sp
-+ addi r11,r11,32
-+ stvx v26,r10,$sp
-+ addi r10,r10,32
-+ stvx v27,r11,$sp
-+ addi r11,r11,32
-+ stvx v28,r10,$sp
-+ addi r10,r10,32
-+ stvx v29,r11,$sp
-+ addi r11,r11,32
-+ stvx v30,r10,$sp
-+ stvx v31,r11,$sp
-+ stw r6,`$FRAME-4`($sp) # save vrsave
-+ li r7, -1
-+ $PUSH r0, `$FRAME+$LRSAVE`($sp)
-+ mtspr 256, r7 # preserve all AltiVec registers
-+
-+ srwi r9, $bits, 5 # shr \$5,%eax
-+ addi r9, r9, 6 # add \$5,%eax
-+ stw r9, 240($out) # mov %eax,240(%rdx) # AES_KEY->rounds = nbits/32+5;
-+
-+ slwi r9, r9, 4 # shl \$4,%eax
-+ add $out, $out, r9 # lea (%rdx,%rax),%rdx
-+
-+ cmplwi $dir, $bits, 0 # set decrypt direction
-+ srwi r8, $bits, 1 # shr \$1,%r8d
-+ andi. r8, r8, 32 # and \$32,%r8d
-+ xori r8, r8, 32 # xor \$32,%r8d # nbits==192?0:32
-+ bl _vpaes_schedule_core
-+
-+ $POP r0, `$FRAME+$LRSAVE`($sp)
-+ li r10,`15+6*$SIZE_T`
-+ li r11,`31+6*$SIZE_T`
-+ mtspr 256, r6 # restore vrsave
-+ mtlr r0
-+ xor r3, r3, r3
-+ lvx v20,r10,$sp
-+ addi r10,r10,32
-+ lvx v21,r11,$sp
-+ addi r11,r11,32
-+ lvx v22,r10,$sp
-+ addi r10,r10,32
-+ lvx v23,r11,$sp
-+ addi r11,r11,32
-+ lvx v24,r10,$sp
-+ addi r10,r10,32
-+ lvx v25,r11,$sp
-+ addi r11,r11,32
-+ lvx v26,r10,$sp
-+ addi r10,r10,32
-+ lvx v27,r11,$sp
-+ addi r11,r11,32
-+ lvx v28,r10,$sp
-+ addi r10,r10,32
-+ lvx v29,r11,$sp
-+ addi r11,r11,32
-+ lvx v30,r10,$sp
-+ lvx v31,r11,$sp
-+ addi $sp,$sp,$FRAME
-+ blr
-+ .long 0
-+ .byte 0,12,0x04,1,0x80,0,3,0
-+ .long 0
-+.size .vpaes_set_decrypt_key,.-.vpaes_set_decrypt_key
-+___
-+}
-+
-+my $consts=1;
-+foreach (split("\n",$code)) {
-+ s/\`([^\`]*)\`/eval $1/geo;
-+
-+ # constants table endian-specific conversion
-+ if ($consts && m/\.long\s+(.+)\s+(\?[a-z]*)$/o) {
-+ my $conv=$2;
-+ my @bytes=();
-+
-+ # convert to endian-agnostic format
-+ foreach (split(/,\s+/,$1)) {
-+ my $l = /^0/?oct:int;
-+ push @bytes,($l>>24)&0xff,($l>>16)&0xff,($l>>8)&0xff,$l&0xff;
-+ }
-+
-+ # little-endian conversion
-+ if ($flavour =~ /le$/o) {
-+ SWITCH: for($conv) {
-+ /\?inv/ && do { @bytes=map($_^0xf,@bytes); last; };
-+ /\?rev/ && do { @bytes=reverse(@bytes); last; };
-+ }
-+ }
-+
-+ #emit
-+ print ".byte\t",join(',',map (sprintf("0x%02x",$_),@bytes)),"\n";
-+ next;
-+ }
-+ $consts=0 if (m/Lconsts:/o); # end of table
-+
-+ # instructions prefixed with '?' are endian-specific and need
-+ # to be adjusted accordingly...
-+ if ($flavour =~ /le$/o) { # little-endian
-+ s/\?lvsr/lvsl/o or
-+ s/\?lvsl/lvsr/o or
-+ s/\?(vperm\s+v[0-9]+,\s*)(v[0-9]+,\s*)(v[0-9]+,\s*)(v[0-9]+)/$1$3$2$4/o or
-+ s/\?(vsldoi\s+v[0-9]+,\s*)(v[0-9]+,)\s*(v[0-9]+,\s*)([0-9]+)/$1$3$2 16-$4/o or
-+ s/\?(vspltw\s+v[0-9]+,\s*)(v[0-9]+,)\s*([0-9])/$1$2 3-$3/o;
-+ } else { # big-endian
-+ s/\?([a-z]+)/$1/o;
-+ }
-+
-+ print $_,"\n";
-+}
-+
-+close STDOUT;
-diff --git a/crypto/aes/asm/vpaes-x86_64.pl b/crypto/aes/asm/vpaes-x86_64.pl
-index 41f2e46..bd7f45b 100644
---- a/crypto/aes/asm/vpaes-x86_64.pl
-+++ b/crypto/aes/asm/vpaes-x86_64.pl
-@@ -1060,7 +1060,7 @@ _vpaes_consts:
- .Lk_dsbo: # decryption sbox final output
- .quad 0x1387EA537EF94000, 0xC7AA6DB9D4943E2D
- .quad 0x12D7560F93441D00, 0xCA4B8159D8C58E9C
--.asciz "Vector Permutaion AES for x86_64/SSSE3, Mike Hamburg (Stanford University)"
-+.asciz "Vector Permutation AES for x86_64/SSSE3, Mike Hamburg (Stanford University)"
- .align 64
- .size _vpaes_consts,.-_vpaes_consts
- ___
-diff --git a/crypto/bn/asm/ppc-mont.pl b/crypto/bn/asm/ppc-mont.pl
-index f9b6992..da69c6a 100644
---- a/crypto/bn/asm/ppc-mont.pl
-+++ b/crypto/bn/asm/ppc-mont.pl
-@@ -325,6 +325,7 @@ Lcopy: ; copy or in-place refresh
- .long 0
- .byte 0,12,4,0,0x80,12,6,0
- .long 0
-+.size .bn_mul_mont_int,.-.bn_mul_mont_int
-
- .asciz "Montgomery Multiplication for PPC, CRYPTOGAMS by <appro\@openssl.org>"
- ___
-diff --git a/crypto/bn/asm/ppc.pl b/crypto/bn/asm/ppc.pl
-index 1249ce2..04df1fe 100644
---- a/crypto/bn/asm/ppc.pl
-+++ b/crypto/bn/asm/ppc.pl
-@@ -392,6 +392,7 @@ $data=<<EOF;
- .long 0
- .byte 0,12,0x14,0,0,0,2,0
- .long 0
-+.size .bn_sqr_comba4,.-.bn_sqr_comba4
-
- #
- # NOTE: The following label name should be changed to
-@@ -819,6 +820,7 @@ $data=<<EOF;
- .long 0
- .byte 0,12,0x14,0,0,0,2,0
- .long 0
-+.size .bn_sqr_comba8,.-.bn_sqr_comba8
-
- #
- # NOTE: The following label name should be changed to
-@@ -972,6 +974,7 @@ $data=<<EOF;
- .long 0
- .byte 0,12,0x14,0,0,0,3,0
- .long 0
-+.size .bn_mul_comba4,.-.bn_mul_comba4
-
- #
- # NOTE: The following label name should be changed to
-@@ -1510,6 +1513,7 @@ $data=<<EOF;
- .long 0
- .byte 0,12,0x14,0,0,0,3,0
- .long 0
-+.size .bn_mul_comba8,.-.bn_mul_comba8
-
- #
- # NOTE: The following label name should be changed to
-@@ -1560,6 +1564,7 @@ Lppcasm_sub_adios:
- .long 0
- .byte 0,12,0x14,0,0,0,4,0
- .long 0
-+.size .bn_sub_words,.-.bn_sub_words
-
- #
- # NOTE: The following label name should be changed to
-@@ -1605,6 +1610,7 @@ Lppcasm_add_adios:
- .long 0
- .byte 0,12,0x14,0,0,0,4,0
- .long 0
-+.size .bn_add_words,.-.bn_add_words
-
- #
- # NOTE: The following label name should be changed to
-@@ -1720,6 +1726,7 @@ Lppcasm_div9:
- .long 0
- .byte 0,12,0x14,0,0,0,3,0
- .long 0
-+.size .bn_div_words,.-.bn_div_words
-
- #
- # NOTE: The following label name should be changed to
-@@ -1761,6 +1768,7 @@ Lppcasm_sqr_adios:
- .long 0
- .byte 0,12,0x14,0,0,0,3,0
- .long 0
-+.size .bn_sqr_words,.-.bn_sqr_words
-
- #
- # NOTE: The following label name should be changed to
-@@ -1866,6 +1874,7 @@ Lppcasm_mw_OVER:
- .long 0
- .byte 0,12,0x14,0,0,0,4,0
- .long 0
-+.size bn_mul_words,.-bn_mul_words
-
- #
- # NOTE: The following label name should be changed to
-@@ -1991,6 +2000,7 @@ Lppcasm_maw_adios:
- .long 0
- .byte 0,12,0x14,0,0,0,4,0
- .long 0
-+.size .bn_mul_add_words,.-.bn_mul_add_words
- .align 4
- EOF
- $data =~ s/\`([^\`]*)\`/eval $1/gem;
-diff --git a/crypto/bn/asm/ppc64-mont.pl b/crypto/bn/asm/ppc64-mont.pl
-index a14e769..68e3733 100644
---- a/crypto/bn/asm/ppc64-mont.pl
-+++ b/crypto/bn/asm/ppc64-mont.pl
-@@ -1,7 +1,7 @@
- #!/usr/bin/env perl
-
- # ====================================================================
--# Written by Andy Polyakov <appro@fy.chalmers.se> for the OpenSSL
-+# Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
- # project. The module is, however, dual licensed under OpenSSL and
- # CRYPTOGAMS licenses depending on where you obtain it. For further
- # details see http://www.openssl.org/~appro/cryptogams/.
-@@ -65,6 +65,14 @@
- # others alternative would be to break dependence on upper halves of
- # GPRs by sticking to 32-bit integer operations...
-
-+# December 2012
-+
-+# Remove above mentioned dependence on GPRs' upper halves in 32-bit
-+# build. No signal masking overhead, but integer instructions are
-+# *more* numerous... It's still "universally" faster than 32-bit
-+# ppc-mont.pl, but improvement coefficient is not as impressive
-+# for longer keys...
-+
- $flavour = shift;
-
- if ($flavour =~ /32/) {
-@@ -110,6 +118,9 @@ $tp="r10";
- $j="r11";
- $i="r12";
- # non-volatile registers
-+$c1="r19";
-+$n1="r20";
-+$a1="r21";
- $nap_d="r22"; # interleaved ap and np in double format
- $a0="r23"; # ap[0]
- $t0="r24"; # temporary registers
-@@ -180,8 +191,8 @@ $T3a="f30"; $T3b="f31";
- # . .
- # +-------------------------------+
- # . .
--# -12*size_t +-------------------------------+
--# | 10 saved gpr, r22-r31 |
-+# -13*size_t +-------------------------------+
-+# | 13 saved gpr, r19-r31 |
- # . .
- # . .
- # -12*8 +-------------------------------+
-@@ -215,6 +226,9 @@ $code=<<___;
- mr $i,$sp
- $STUX $sp,$sp,$tp ; alloca
-
-+ $PUSH r19,`-12*8-13*$SIZE_T`($i)
-+ $PUSH r20,`-12*8-12*$SIZE_T`($i)
-+ $PUSH r21,`-12*8-11*$SIZE_T`($i)
- $PUSH r22,`-12*8-10*$SIZE_T`($i)
- $PUSH r23,`-12*8-9*$SIZE_T`($i)
- $PUSH r24,`-12*8-8*$SIZE_T`($i)
-@@ -237,40 +251,26 @@ $code=<<___;
- stfd f29,`-3*8`($i)
- stfd f30,`-2*8`($i)
- stfd f31,`-1*8`($i)
--___
--$code.=<<___ if ($SIZE_T==8);
-- ld $a0,0($ap) ; pull ap[0] value
-- ld $n0,0($n0) ; pull n0[0] value
-- ld $t3,0($bp) ; bp[0]
--___
--$code.=<<___ if ($SIZE_T==4);
-- mr $t1,$n0
-- lwz $a0,0($ap) ; pull ap[0,1] value
-- lwz $t0,4($ap)
-- lwz $n0,0($t1) ; pull n0[0,1] value
-- lwz $t1,4($t1)
-- lwz $t3,0($bp) ; bp[0,1]
-- lwz $t2,4($bp)
-- insrdi $a0,$t0,32,0
-- insrdi $n0,$t1,32,0
-- insrdi $t3,$t2,32,0
--___
--$code.=<<___;
-+
- addi $tp,$sp,`$FRAME+$TRANSFER+8+64`
- li $i,-64
- add $nap_d,$tp,$num
- and $nap_d,$nap_d,$i ; align to 64 bytes
--�
-- mulld $t7,$a0,$t3 ; ap[0]*bp[0]
- ; nap_d is off by 1, because it's used with stfdu/lfdu
- addi $nap_d,$nap_d,-8
- srwi $j,$num,`3+1` ; counter register, num/2
-- mulld $t7,$t7,$n0 ; tp[0]*n0
- addi $j,$j,-1
- addi $tp,$sp,`$FRAME+$TRANSFER-8`
- li $carry,0
- mtctr $j
-+___
-+�
-+$code.=<<___ if ($SIZE_T==8);
-+ ld $a0,0($ap) ; pull ap[0] value
-+ ld $t3,0($bp) ; bp[0]
-+ ld $n0,0($n0) ; pull n0[0] value
-
-+ mulld $t7,$a0,$t3 ; ap[0]*bp[0]
- ; transfer bp[0] to FPU as 4x16-bit values
- extrdi $t0,$t3,16,48
- extrdi $t1,$t3,16,32
-@@ -280,6 +280,8 @@ $code.=<<___;
- std $t1,`$FRAME+8`($sp)
- std $t2,`$FRAME+16`($sp)
- std $t3,`$FRAME+24`($sp)
-+
-+ mulld $t7,$t7,$n0 ; tp[0]*n0
- ; transfer (ap[0]*bp[0])*n0 to FPU as 4x16-bit values
- extrdi $t4,$t7,16,48
- extrdi $t5,$t7,16,32
-@@ -289,21 +291,61 @@ $code.=<<___;
- std $t5,`$FRAME+40`($sp)
- std $t6,`$FRAME+48`($sp)
- std $t7,`$FRAME+56`($sp)
--___
--$code.=<<___ if ($SIZE_T==8);
-- lwz $t0,4($ap) ; load a[j] as 32-bit word pair
-- lwz $t1,0($ap)
-- lwz $t2,12($ap) ; load a[j+1] as 32-bit word pair
-+
-+ extrdi $t0,$a0,32,32 ; lwz $t0,4($ap)
-+ extrdi $t1,$a0,32,0 ; lwz $t1,0($ap)
-+ lwz $t2,12($ap) ; load a[1] as 32-bit word pair
- lwz $t3,8($ap)
-- lwz $t4,4($np) ; load n[j] as 32-bit word pair
-+ lwz $t4,4($np) ; load n[0] as 32-bit word pair
- lwz $t5,0($np)
-- lwz $t6,12($np) ; load n[j+1] as 32-bit word pair
-+ lwz $t6,12($np) ; load n[1] as 32-bit word pair
- lwz $t7,8($np)
- ___
- $code.=<<___ if ($SIZE_T==4);
-- lwz $t0,0($ap) ; load a[j..j+3] as 32-bit word pairs
-- lwz $t1,4($ap)
-- lwz $t2,8($ap)
-+ lwz $a0,0($ap) ; pull ap[0,1] value
-+ mr $n1,$n0
-+ lwz $a1,4($ap)
-+ li $c1,0
-+ lwz $t1,0($bp) ; bp[0,1]
-+ lwz $t3,4($bp)
-+ lwz $n0,0($n1) ; pull n0[0,1] value
-+ lwz $n1,4($n1)
-+
-+ mullw $t4,$a0,$t1 ; mulld ap[0]*bp[0]
-+ mulhwu $t5,$a0,$t1
-+ mullw $t6,$a1,$t1
-+ mullw $t7,$a0,$t3
-+ add $t5,$t5,$t6
-+ add $t5,$t5,$t7
-+ ; transfer bp[0] to FPU as 4x16-bit values
-+ extrwi $t0,$t1,16,16
-+ extrwi $t1,$t1,16,0
-+ extrwi $t2,$t3,16,16
-+ extrwi $t3,$t3,16,0
-+ std $t0,`$FRAME+0`($sp) ; yes, std in 32-bit build
-+ std $t1,`$FRAME+8`($sp)
-+ std $t2,`$FRAME+16`($sp)
-+ std $t3,`$FRAME+24`($sp)
-+
-+ mullw $t0,$t4,$n0 ; mulld tp[0]*n0
-+ mulhwu $t1,$t4,$n0
-+ mullw $t2,$t5,$n0
-+ mullw $t3,$t4,$n1
-+ add $t1,$t1,$t2
-+ add $t1,$t1,$t3
-+ ; transfer (ap[0]*bp[0])*n0 to FPU as 4x16-bit values
-+ extrwi $t4,$t0,16,16
-+ extrwi $t5,$t0,16,0
-+ extrwi $t6,$t1,16,16
-+ extrwi $t7,$t1,16,0
-+ std $t4,`$FRAME+32`($sp) ; yes, std in 32-bit build
-+ std $t5,`$FRAME+40`($sp)
-+ std $t6,`$FRAME+48`($sp)
-+ std $t7,`$FRAME+56`($sp)
-+
-+ mr $t0,$a0 ; lwz $t0,0($ap)
-+ mr $t1,$a1 ; lwz $t1,4($ap)
-+ lwz $t2,8($ap) ; load a[j..j+3] as 32-bit word pairs
- lwz $t3,12($ap)
- lwz $t4,0($np) ; load n[j..j+3] as 32-bit word pairs
- lwz $t5,4($np)
-@@ -319,7 +361,7 @@ $code.=<<___;
- lfd $nb,`$FRAME+40`($sp)
- lfd $nc,`$FRAME+48`($sp)
- lfd $nd,`$FRAME+56`($sp)
-- std $t0,`$FRAME+64`($sp)
-+ std $t0,`$FRAME+64`($sp) ; yes, std even in 32-bit build
- std $t1,`$FRAME+72`($sp)
- std $t2,`$FRAME+80`($sp)
- std $t3,`$FRAME+88`($sp)
-@@ -441,7 +483,7 @@ $code.=<<___ if ($SIZE_T==4);
- lwz $t7,12($np)
- ___
- $code.=<<___;
-- std $t0,`$FRAME+64`($sp)
-+ std $t0,`$FRAME+64`($sp) ; yes, std even in 32-bit build
- std $t1,`$FRAME+72`($sp)
- std $t2,`$FRAME+80`($sp)
- std $t3,`$FRAME+88`($sp)
-@@ -449,6 +491,9 @@ $code.=<<___;
- std $t5,`$FRAME+104`($sp)
- std $t6,`$FRAME+112`($sp)
- std $t7,`$FRAME+120`($sp)
-+___
-+if ($SIZE_T==8 or $flavour =~ /osx/) {
-+$code.=<<___;
- ld $t0,`$FRAME+0`($sp)
- ld $t1,`$FRAME+8`($sp)
- ld $t2,`$FRAME+16`($sp)
-@@ -457,6 +502,20 @@ $code.=<<___;
- ld $t5,`$FRAME+40`($sp)
- ld $t6,`$FRAME+48`($sp)
- ld $t7,`$FRAME+56`($sp)
-+___
-+} else {
-+$code.=<<___;
-+ lwz $t1,`$FRAME+0`($sp)
-+ lwz $t0,`$FRAME+4`($sp)
-+ lwz $t3,`$FRAME+8`($sp)
-+ lwz $t2,`$FRAME+12`($sp)
-+ lwz $t5,`$FRAME+16`($sp)
-+ lwz $t4,`$FRAME+20`($sp)
-+ lwz $t7,`$FRAME+24`($sp)
-+ lwz $t6,`$FRAME+28`($sp)
-+___
-+}
-+$code.=<<___;
- lfd $A0,`$FRAME+64`($sp)
- lfd $A1,`$FRAME+72`($sp)
- lfd $A2,`$FRAME+80`($sp)
-@@ -488,7 +547,9 @@ $code.=<<___;
- fmadd $T0b,$A0,$bb,$dotb
- stfd $A2,24($nap_d) ; save a[j+1] in double format
- stfd $A3,32($nap_d)
--
-+___
-+if ($SIZE_T==8 or $flavour =~ /osx/) {
-+$code.=<<___;
- fmadd $T1a,$A0,$bc,$T1a
- fmadd $T1b,$A0,$bd,$T1b
- fmadd $T2a,$A1,$bc,$T2a
-@@ -561,11 +622,123 @@ $code.=<<___;
- stfd $T3b,`$FRAME+56`($sp)
- std $t0,8($tp) ; tp[j-1]
- stdu $t4,16($tp) ; tp[j]
-+___
-+} else {
-+$code.=<<___;
-+ fmadd $T1a,$A0,$bc,$T1a
-+ fmadd $T1b,$A0,$bd,$T1b
-+ addc $t0,$t0,$carry
-+ adde $t1,$t1,$c1
-+ srwi $carry,$t0,16
-+ fmadd $T2a,$A1,$bc,$T2a
-+ fmadd $T2b,$A1,$bd,$T2b
-+ stfd $N0,40($nap_d) ; save n[j] in double format
-+ stfd $N1,48($nap_d)
-+ srwi $c1,$t1,16
-+ insrwi $carry,$t1,16,0
-+ fmadd $T3a,$A2,$bc,$T3a
-+ fmadd $T3b,$A2,$bd,$T3b
-+ addc $t2,$t2,$carry
-+ adde $t3,$t3,$c1
-+ srwi $carry,$t2,16
-+ fmul $dota,$A3,$bc
-+ fmul $dotb,$A3,$bd
-+ stfd $N2,56($nap_d) ; save n[j+1] in double format
-+ stfdu $N3,64($nap_d)
-+ insrwi $t0,$t2,16,0 ; 0..31 bits
-+ srwi $c1,$t3,16
-+ insrwi $carry,$t3,16,0
-+
-+ fmadd $T1a,$N1,$na,$T1a
-+ fmadd $T1b,$N1,$nb,$T1b
-+ lwz $t3,`$FRAME+32`($sp) ; permuted $t1
-+ lwz $t2,`$FRAME+36`($sp) ; permuted $t0
-+ addc $t4,$t4,$carry
-+ adde $t5,$t5,$c1
-+ srwi $carry,$t4,16
-+ fmadd $T2a,$N2,$na,$T2a
-+ fmadd $T2b,$N2,$nb,$T2b
-+ srwi $c1,$t5,16
-+ insrwi $carry,$t5,16,0
-+ fmadd $T3a,$N3,$na,$T3a
-+ fmadd $T3b,$N3,$nb,$T3b
-+ addc $t6,$t6,$carry
-+ adde $t7,$t7,$c1
-+ srwi $carry,$t6,16
-+ fmadd $T0a,$N0,$na,$T0a
-+ fmadd $T0b,$N0,$nb,$T0b
-+ insrwi $t4,$t6,16,0 ; 32..63 bits
-+ srwi $c1,$t7,16
-+ insrwi $carry,$t7,16,0
-+
-+ fmadd $T1a,$N0,$nc,$T1a
-+ fmadd $T1b,$N0,$nd,$T1b
-+ lwz $t7,`$FRAME+40`($sp) ; permuted $t3
-+ lwz $t6,`$FRAME+44`($sp) ; permuted $t2
-+ addc $t2,$t2,$carry
-+ adde $t3,$t3,$c1
-+ srwi $carry,$t2,16
-+ fmadd $T2a,$N1,$nc,$T2a
-+ fmadd $T2b,$N1,$nd,$T2b
-+ stw $t0,12($tp) ; tp[j-1]
-+ stw $t4,8($tp)
-+ srwi $c1,$t3,16
-+ insrwi $carry,$t3,16,0
-+ fmadd $T3a,$N2,$nc,$T3a
-+ fmadd $T3b,$N2,$nd,$T3b
-+ lwz $t1,`$FRAME+48`($sp) ; permuted $t5
-+ lwz $t0,`$FRAME+52`($sp) ; permuted $t4
-+ addc $t6,$t6,$carry
-+ adde $t7,$t7,$c1
-+ srwi $carry,$t6,16
-+ fmadd $dota,$N3,$nc,$dota
-+ fmadd $dotb,$N3,$nd,$dotb
-+ insrwi $t2,$t6,16,0 ; 64..95 bits
-+ srwi $c1,$t7,16
-+ insrwi $carry,$t7,16,0
-+
-+ fctid $T0a,$T0a
-+ fctid $T0b,$T0b
-+ lwz $t5,`$FRAME+56`($sp) ; permuted $t7
-+ lwz $t4,`$FRAME+60`($sp) ; permuted $t6
-+ addc $t0,$t0,$carry
-+ adde $t1,$t1,$c1
-+ srwi $carry,$t0,16
-+ fctid $T1a,$T1a
-+ fctid $T1b,$T1b
-+ srwi $c1,$t1,16
-+ insrwi $carry,$t1,16,0
-+ fctid $T2a,$T2a
-+ fctid $T2b,$T2b
-+ addc $t4,$t4,$carry
-+ adde $t5,$t5,$c1
-+ srwi $carry,$t4,16
-+ fctid $T3a,$T3a
-+ fctid $T3b,$T3b
-+ insrwi $t0,$t4,16,0 ; 96..127 bits
-+ srwi $c1,$t5,16
-+ insrwi $carry,$t5,16,0
-+
-+ stfd $T0a,`$FRAME+0`($sp)
-+ stfd $T0b,`$FRAME+8`($sp)
-+ stfd $T1a,`$FRAME+16`($sp)
-+ stfd $T1b,`$FRAME+24`($sp)
-+ stfd $T2a,`$FRAME+32`($sp)
-+ stfd $T2b,`$FRAME+40`($sp)
-+ stfd $T3a,`$FRAME+48`($sp)
-+ stfd $T3b,`$FRAME+56`($sp)
-+ stw $t2,20($tp) ; tp[j]
-+ stwu $t0,16($tp)
-+___
-+}
-+$code.=<<___;
- bdnz- L1st
- �
- fctid $dota,$dota
- fctid $dotb,$dotb
--
-+___
-+if ($SIZE_T==8 or $flavour =~ /osx/) {
-+$code.=<<___;
- ld $t0,`$FRAME+0`($sp)
- ld $t1,`$FRAME+8`($sp)
- ld $t2,`$FRAME+16`($sp)
-@@ -611,33 +784,117 @@ $code.=<<___;
- insrdi $t6,$t7,48,0
- srdi $ovf,$t7,48
- std $t6,8($tp) ; tp[num-1]
-+___
-+} else {
-+$code.=<<___;
-+ lwz $t1,`$FRAME+0`($sp)
-+ lwz $t0,`$FRAME+4`($sp)
-+ lwz $t3,`$FRAME+8`($sp)
-+ lwz $t2,`$FRAME+12`($sp)
-+ lwz $t5,`$FRAME+16`($sp)
-+ lwz $t4,`$FRAME+20`($sp)
-+ lwz $t7,`$FRAME+24`($sp)
-+ lwz $t6,`$FRAME+28`($sp)
-+ stfd $dota,`$FRAME+64`($sp)
-+ stfd $dotb,`$FRAME+72`($sp)
-
-+ addc $t0,$t0,$carry
-+ adde $t1,$t1,$c1
-+ srwi $carry,$t0,16
-+ insrwi $carry,$t1,16,0
-+ srwi $c1,$t1,16
-+ addc $t2,$t2,$carry
-+ adde $t3,$t3,$c1
-+ srwi $carry,$t2,16
-+ insrwi $t0,$t2,16,0 ; 0..31 bits
-+ insrwi $carry,$t3,16,0
-+ srwi $c1,$t3,16
-+ addc $t4,$t4,$carry
-+ adde $t5,$t5,$c1
-+ srwi $carry,$t4,16
-+ insrwi $carry,$t5,16,0
-+ srwi $c1,$t5,16
-+ addc $t6,$t6,$carry
-+ adde $t7,$t7,$c1
-+ srwi $carry,$t6,16
-+ insrwi $t4,$t6,16,0 ; 32..63 bits
-+ insrwi $carry,$t7,16,0
-+ srwi $c1,$t7,16
-+ stw $t0,12($tp) ; tp[j-1]
-+ stw $t4,8($tp)
-+
-+ lwz $t3,`$FRAME+32`($sp) ; permuted $t1
-+ lwz $t2,`$FRAME+36`($sp) ; permuted $t0
-+ lwz $t7,`$FRAME+40`($sp) ; permuted $t3
-+ lwz $t6,`$FRAME+44`($sp) ; permuted $t2
-+ lwz $t1,`$FRAME+48`($sp) ; permuted $t5
-+ lwz $t0,`$FRAME+52`($sp) ; permuted $t4
-+ lwz $t5,`$FRAME+56`($sp) ; permuted $t7
-+ lwz $t4,`$FRAME+60`($sp) ; permuted $t6
-+
-+ addc $t2,$t2,$carry
-+ adde $t3,$t3,$c1
-+ srwi $carry,$t2,16
-+ insrwi $carry,$t3,16,0
-+ srwi $c1,$t3,16
-+ addc $t6,$t6,$carry
-+ adde $t7,$t7,$c1
-+ srwi $carry,$t6,16
-+ insrwi $t2,$t6,16,0 ; 64..95 bits
-+ insrwi $carry,$t7,16,0
-+ srwi $c1,$t7,16
-+ addc $t0,$t0,$carry
-+ adde $t1,$t1,$c1
-+ srwi $carry,$t0,16
-+ insrwi $carry,$t1,16,0
-+ srwi $c1,$t1,16
-+ addc $t4,$t4,$carry
-+ adde $t5,$t5,$c1
-+ srwi $carry,$t4,16
-+ insrwi $t0,$t4,16,0 ; 96..127 bits
-+ insrwi $carry,$t5,16,0
-+ srwi $c1,$t5,16
-+ stw $t2,20($tp) ; tp[j]
-+ stwu $t0,16($tp)
-+
-+ lwz $t7,`$FRAME+64`($sp)
-+ lwz $t6,`$FRAME+68`($sp)
-+ lwz $t5,`$FRAME+72`($sp)
-+ lwz $t4,`$FRAME+76`($sp)
-+
-+ addc $t6,$t6,$carry
-+ adde $t7,$t7,$c1
-+ srwi $carry,$t6,16
-+ insrwi $carry,$t7,16,0
-+ srwi $c1,$t7,16
-+ addc $t4,$t4,$carry
-+ adde $t5,$t5,$c1
-+
-+ insrwi $t6,$t4,16,0
-+ srwi $t4,$t4,16
-+ insrwi $t4,$t5,16,0
-+ srwi $ovf,$t5,16
-+ stw $t6,12($tp) ; tp[num-1]
-+ stw $t4,8($tp)
-+___
-+}
-+$code.=<<___;
- slwi $t7,$num,2
- subf $nap_d,$t7,$nap_d ; rewind pointer
- �
- li $i,8 ; i=1
- .align 5
- Louter:
--___
--$code.=<<___ if ($SIZE_T==8);
-- ldx $t3,$bp,$i ; bp[i]
--___
--$code.=<<___ if ($SIZE_T==4);
-- add $t0,$bp,$i
-- lwz $t3,0($t0) ; bp[i,i+1]
-- lwz $t0,4($t0)
-- insrdi $t3,$t0,32,0
--___
--$code.=<<___;
-- ld $t6,`$FRAME+$TRANSFER+8`($sp) ; tp[0]
-- mulld $t7,$a0,$t3 ; ap[0]*bp[i]
--
- addi $tp,$sp,`$FRAME+$TRANSFER`
-- add $t7,$t7,$t6 ; ap[0]*bp[i]+tp[0]
- li $carry,0
-- mulld $t7,$t7,$n0 ; tp[0]*n0
- mtctr $j
-+___
-+$code.=<<___ if ($SIZE_T==8);
-+ ldx $t3,$bp,$i ; bp[i]
-
-+ ld $t6,`$FRAME+$TRANSFER+8`($sp) ; tp[0]
-+ mulld $t7,$a0,$t3 ; ap[0]*bp[i]
-+ add $t7,$t7,$t6 ; ap[0]*bp[i]+tp[0]
- ; transfer bp[i] to FPU as 4x16-bit values
- extrdi $t0,$t3,16,48
- extrdi $t1,$t3,16,32
-@@ -647,6 +904,8 @@ $code.=<<___;
- std $t1,`$FRAME+8`($sp)
- std $t2,`$FRAME+16`($sp)
- std $t3,`$FRAME+24`($sp)
-+
-+ mulld $t7,$t7,$n0 ; tp[0]*n0
- ; transfer (ap[0]*bp[i]+tp[0])*n0 to FPU as 4x16-bit values
- extrdi $t4,$t7,16,48
- extrdi $t5,$t7,16,32
-@@ -656,7 +915,50 @@ $code.=<<___;
- std $t5,`$FRAME+40`($sp)
- std $t6,`$FRAME+48`($sp)
- std $t7,`$FRAME+56`($sp)
-+___
-+$code.=<<___ if ($SIZE_T==4);
-+ add $t0,$bp,$i
-+ li $c1,0
-+ lwz $t1,0($t0) ; bp[i,i+1]
-+ lwz $t3,4($t0)
-+
-+ mullw $t4,$a0,$t1 ; ap[0]*bp[i]
-+ lwz $t0,`$FRAME+$TRANSFER+8+4`($sp) ; tp[0]
-+ mulhwu $t5,$a0,$t1
-+ lwz $t2,`$FRAME+$TRANSFER+8`($sp) ; tp[0]
-+ mullw $t6,$a1,$t1
-+ mullw $t7,$a0,$t3
-+ add $t5,$t5,$t6
-+ add $t5,$t5,$t7
-+ addc $t4,$t4,$t0 ; ap[0]*bp[i]+tp[0]
-+ adde $t5,$t5,$t2
-+ ; transfer bp[i] to FPU as 4x16-bit values
-+ extrwi $t0,$t1,16,16
-+ extrwi $t1,$t1,16,0
-+ extrwi $t2,$t3,16,16
-+ extrwi $t3,$t3,16,0
-+ std $t0,`$FRAME+0`($sp) ; yes, std in 32-bit build
-+ std $t1,`$FRAME+8`($sp)
-+ std $t2,`$FRAME+16`($sp)
-+ std $t3,`$FRAME+24`($sp)
-
-+ mullw $t0,$t4,$n0 ; mulld tp[0]*n0
-+ mulhwu $t1,$t4,$n0
-+ mullw $t2,$t5,$n0
-+ mullw $t3,$t4,$n1
-+ add $t1,$t1,$t2
-+ add $t1,$t1,$t3
-+ ; transfer (ap[0]*bp[i]+tp[0])*n0 to FPU as 4x16-bit values
-+ extrwi $t4,$t0,16,16
-+ extrwi $t5,$t0,16,0
-+ extrwi $t6,$t1,16,16
-+ extrwi $t7,$t1,16,0
-+ std $t4,`$FRAME+32`($sp) ; yes, std in 32-bit build
-+ std $t5,`$FRAME+40`($sp)
-+ std $t6,`$FRAME+48`($sp)
-+ std $t7,`$FRAME+56`($sp)
-+___
-+$code.=<<___;
- lfd $A0,8($nap_d) ; load a[j] in double format
- lfd $A1,16($nap_d)
- lfd $A2,24($nap_d) ; load a[j+1] in double format
-@@ -769,7 +1071,9 @@ Linner:
- fmul $dotb,$A3,$bd
- lfd $A2,24($nap_d) ; load a[j+1] in double format
- lfd $A3,32($nap_d)
--
-+___
-+if ($SIZE_T==8 or $flavour =~ /osx/) {
-+$code.=<<___;
- fmadd $T1a,$N1,$na,$T1a
- fmadd $T1b,$N1,$nb,$T1b
- ld $t0,`$FRAME+0`($sp)
-@@ -856,10 +1160,131 @@ $code.=<<___;
- addze $carry,$carry
- std $t3,-16($tp) ; tp[j-1]
- std $t5,-8($tp) ; tp[j]
-+___
-+} else {
-+$code.=<<___;
-+ fmadd $T1a,$N1,$na,$T1a
-+ fmadd $T1b,$N1,$nb,$T1b
-+ lwz $t1,`$FRAME+0`($sp)
-+ lwz $t0,`$FRAME+4`($sp)
-+ fmadd $T2a,$N2,$na,$T2a
-+ fmadd $T2b,$N2,$nb,$T2b
-+ lwz $t3,`$FRAME+8`($sp)
-+ lwz $t2,`$FRAME+12`($sp)
-+ fmadd $T3a,$N3,$na,$T3a
-+ fmadd $T3b,$N3,$nb,$T3b
-+ lwz $t5,`$FRAME+16`($sp)
-+ lwz $t4,`$FRAME+20`($sp)
-+ addc $t0,$t0,$carry
-+ adde $t1,$t1,$c1
-+ srwi $carry,$t0,16
-+ fmadd $T0a,$N0,$na,$T0a
-+ fmadd $T0b,$N0,$nb,$T0b
-+ lwz $t7,`$FRAME+24`($sp)
-+ lwz $t6,`$FRAME+28`($sp)
-+ srwi $c1,$t1,16
-+ insrwi $carry,$t1,16,0
-+
-+ fmadd $T1a,$N0,$nc,$T1a
-+ fmadd $T1b,$N0,$nd,$T1b
-+ addc $t2,$t2,$carry
-+ adde $t3,$t3,$c1
-+ srwi $carry,$t2,16
-+ fmadd $T2a,$N1,$nc,$T2a
-+ fmadd $T2b,$N1,$nd,$T2b
-+ insrwi $t0,$t2,16,0 ; 0..31 bits
-+ srwi $c1,$t3,16
-+ insrwi $carry,$t3,16,0
-+ fmadd $T3a,$N2,$nc,$T3a
-+ fmadd $T3b,$N2,$nd,$T3b
-+ lwz $t2,12($tp) ; tp[j]
-+ lwz $t3,8($tp)
-+ addc $t4,$t4,$carry
-+ adde $t5,$t5,$c1
-+ srwi $carry,$t4,16
-+ fmadd $dota,$N3,$nc,$dota
-+ fmadd $dotb,$N3,$nd,$dotb
-+ srwi $c1,$t5,16
-+ insrwi $carry,$t5,16,0
-+
-+ fctid $T0a,$T0a
-+ addc $t6,$t6,$carry
-+ adde $t7,$t7,$c1
-+ srwi $carry,$t6,16
-+ fctid $T0b,$T0b
-+ insrwi $t4,$t6,16,0 ; 32..63 bits
-+ srwi $c1,$t7,16
-+ insrwi $carry,$t7,16,0
-+ fctid $T1a,$T1a
-+ addc $t0,$t0,$t2
-+ adde $t4,$t4,$t3
-+ lwz $t3,`$FRAME+32`($sp) ; permuted $t1
-+ lwz $t2,`$FRAME+36`($sp) ; permuted $t0
-+ fctid $T1b,$T1b
-+ addze $carry,$carry
-+ addze $c1,$c1
-+ stw $t0,4($tp) ; tp[j-1]
-+ stw $t4,0($tp)
-+ fctid $T2a,$T2a
-+ addc $t2,$t2,$carry
-+ adde $t3,$t3,$c1
-+ srwi $carry,$t2,16
-+ lwz $t7,`$FRAME+40`($sp) ; permuted $t3
-+ lwz $t6,`$FRAME+44`($sp) ; permuted $t2
-+ fctid $T2b,$T2b
-+ srwi $c1,$t3,16
-+ insrwi $carry,$t3,16,0
-+ lwz $t1,`$FRAME+48`($sp) ; permuted $t5
-+ lwz $t0,`$FRAME+52`($sp) ; permuted $t4
-+ fctid $T3a,$T3a
-+ addc $t6,$t6,$carry
-+ adde $t7,$t7,$c1
-+ srwi $carry,$t6,16
-+ lwz $t5,`$FRAME+56`($sp) ; permuted $t7
-+ lwz $t4,`$FRAME+60`($sp) ; permuted $t6
-+ fctid $T3b,$T3b
-+
-+ insrwi $t2,$t6,16,0 ; 64..95 bits
-+ insrwi $carry,$t7,16,0
-+ srwi $c1,$t7,16
-+ lwz $t6,20($tp)
-+ lwzu $t7,16($tp)
-+ addc $t0,$t0,$carry
-+ stfd $T0a,`$FRAME+0`($sp)
-+ adde $t1,$t1,$c1
-+ srwi $carry,$t0,16
-+ stfd $T0b,`$FRAME+8`($sp)
-+ insrwi $carry,$t1,16,0
-+ srwi $c1,$t1,16
-+ addc $t4,$t4,$carry
-+ stfd $T1a,`$FRAME+16`($sp)
-+ adde $t5,$t5,$c1
-+ srwi $carry,$t4,16
-+ insrwi $t0,$t4,16,0 ; 96..127 bits
-+ stfd $T1b,`$FRAME+24`($sp)
-+ insrwi $carry,$t5,16,0
-+ srwi $c1,$t5,16
-+
-+ addc $t2,$t2,$t6
-+ stfd $T2a,`$FRAME+32`($sp)
-+ adde $t0,$t0,$t7
-+ stfd $T2b,`$FRAME+40`($sp)
-+ addze $carry,$carry
-+ stfd $T3a,`$FRAME+48`($sp)
-+ addze $c1,$c1
-+ stfd $T3b,`$FRAME+56`($sp)
-+ stw $t2,-4($tp) ; tp[j]
-+ stw $t0,-8($tp)
-+___
-+}
-+$code.=<<___;
- bdnz- Linner
- �
- fctid $dota,$dota
- fctid $dotb,$dotb
-+___
-+if ($SIZE_T==8 or $flavour =~ /osx/) {
-+$code.=<<___;
- ld $t0,`$FRAME+0`($sp)
- ld $t1,`$FRAME+8`($sp)
- ld $t2,`$FRAME+16`($sp)
-@@ -926,7 +1351,116 @@ $code.=<<___;
- insrdi $t6,$t7,48,0
- srdi $ovf,$t7,48
- std $t6,0($tp) ; tp[num-1]
-+___
-+} else {
-+$code.=<<___;
-+ lwz $t1,`$FRAME+0`($sp)
-+ lwz $t0,`$FRAME+4`($sp)
-+ lwz $t3,`$FRAME+8`($sp)
-+ lwz $t2,`$FRAME+12`($sp)
-+ lwz $t5,`$FRAME+16`($sp)
-+ lwz $t4,`$FRAME+20`($sp)
-+ lwz $t7,`$FRAME+24`($sp)
-+ lwz $t6,`$FRAME+28`($sp)
-+ stfd $dota,`$FRAME+64`($sp)
-+ stfd $dotb,`$FRAME+72`($sp)
-
-+ addc $t0,$t0,$carry
-+ adde $t1,$t1,$c1
-+ srwi $carry,$t0,16
-+ insrwi $carry,$t1,16,0
-+ srwi $c1,$t1,16
-+ addc $t2,$t2,$carry
-+ adde $t3,$t3,$c1
-+ srwi $carry,$t2,16
-+ insrwi $t0,$t2,16,0 ; 0..31 bits
-+ lwz $t2,12($tp) ; tp[j]
-+ insrwi $carry,$t3,16,0
-+ srwi $c1,$t3,16
-+ lwz $t3,8($tp)
-+ addc $t4,$t4,$carry
-+ adde $t5,$t5,$c1
-+ srwi $carry,$t4,16
-+ insrwi $carry,$t5,16,0
-+ srwi $c1,$t5,16
-+ addc $t6,$t6,$carry
-+ adde $t7,$t7,$c1
-+ srwi $carry,$t6,16
-+ insrwi $t4,$t6,16,0 ; 32..63 bits
-+ insrwi $carry,$t7,16,0
-+ srwi $c1,$t7,16
-+
-+ addc $t0,$t0,$t2
-+ adde $t4,$t4,$t3
-+ addze $carry,$carry
-+ addze $c1,$c1
-+ stw $t0,4($tp) ; tp[j-1]
-+ stw $t4,0($tp)
-+
-+ lwz $t3,`$FRAME+32`($sp) ; permuted $t1
-+ lwz $t2,`$FRAME+36`($sp) ; permuted $t0
-+ lwz $t7,`$FRAME+40`($sp) ; permuted $t3
-+ lwz $t6,`$FRAME+44`($sp) ; permuted $t2
-+ lwz $t1,`$FRAME+48`($sp) ; permuted $t5
-+ lwz $t0,`$FRAME+52`($sp) ; permuted $t4
-+ lwz $t5,`$FRAME+56`($sp) ; permuted $t7
-+ lwz $t4,`$FRAME+60`($sp) ; permuted $t6
-+
-+ addc $t2,$t2,$carry
-+ adde $t3,$t3,$c1
-+ srwi $carry,$t2,16
-+ insrwi $carry,$t3,16,0
-+ srwi $c1,$t3,16
-+ addc $t6,$t6,$carry
-+ adde $t7,$t7,$c1
-+ srwi $carry,$t6,16
-+ insrwi $t2,$t6,16,0 ; 64..95 bits
-+ lwz $t6,20($tp)
-+ insrwi $carry,$t7,16,0
-+ srwi $c1,$t7,16
-+ lwzu $t7,16($tp)
-+ addc $t0,$t0,$carry
-+ adde $t1,$t1,$c1
-+ srwi $carry,$t0,16
-+ insrwi $carry,$t1,16,0
-+ srwi $c1,$t1,16
-+ addc $t4,$t4,$carry
-+ adde $t5,$t5,$c1
-+ srwi $carry,$t4,16
-+ insrwi $t0,$t4,16,0 ; 96..127 bits
-+ insrwi $carry,$t5,16,0
-+ srwi $c1,$t5,16
-+
-+ addc $t2,$t2,$t6
-+ adde $t0,$t0,$t7
-+ lwz $t7,`$FRAME+64`($sp)
-+ lwz $t6,`$FRAME+68`($sp)
-+ addze $carry,$carry
-+ addze $c1,$c1
-+ lwz $t5,`$FRAME+72`($sp)
-+ lwz $t4,`$FRAME+76`($sp)
-+
-+ addc $t6,$t6,$carry
-+ adde $t7,$t7,$c1
-+ stw $t2,-4($tp) ; tp[j]
-+ stw $t0,-8($tp)
-+ addc $t6,$t6,$ovf
-+ addze $t7,$t7
-+ srwi $carry,$t6,16
-+ insrwi $carry,$t7,16,0
-+ srwi $c1,$t7,16
-+ addc $t4,$t4,$carry
-+ adde $t5,$t5,$c1
-+
-+ insrwi $t6,$t4,16,0
-+ srwi $t4,$t4,16
-+ insrwi $t4,$t5,16,0
-+ srwi $ovf,$t5,16
-+ stw $t6,4($tp) ; tp[num-1]
-+ stw $t4,0($tp)
-+___
-+}
-+$code.=<<___;
- slwi $t7,$num,2
- addi $i,$i,8
- subf $nap_d,$t7,$nap_d ; rewind pointer
-@@ -994,14 +1528,14 @@ $code.=<<___ if ($SIZE_T==4);
- mtctr $j
-
- .align 4
--Lsub: ld $t0,8($tp) ; load tp[j..j+3] in 64-bit word order
-- ldu $t2,16($tp)
-+Lsub: lwz $t0,12($tp) ; load tp[j..j+3] in 64-bit word order
-+ lwz $t1,8($tp)
-+ lwz $t2,20($tp)
-+ lwzu $t3,16($tp)
- lwz $t4,4($np) ; load np[j..j+3] in 32-bit word order
- lwz $t5,8($np)
- lwz $t6,12($np)
- lwzu $t7,16($np)
-- extrdi $t1,$t0,32,0
-- extrdi $t3,$t2,32,0
- subfe $t4,$t4,$t0 ; tp[j]-np[j]
- stw $t0,4($ap) ; save tp[j..j+3] in 32-bit word order
- subfe $t5,$t5,$t1 ; tp[j+1]-np[j+1]
-@@ -1052,6 +1586,9 @@ ___
- $code.=<<___;
- $POP $i,0($sp)
- li r3,1 ; signal "handled"
-+ $POP r19,`-12*8-13*$SIZE_T`($i)
-+ $POP r20,`-12*8-12*$SIZE_T`($i)
-+ $POP r21,`-12*8-11*$SIZE_T`($i)
- $POP r22,`-12*8-10*$SIZE_T`($i)
- $POP r23,`-12*8-9*$SIZE_T`($i)
- $POP r24,`-12*8-8*$SIZE_T`($i)
-@@ -1077,8 +1614,9 @@ $code.=<<___;
- mr $sp,$i
- blr
- .long 0
-- .byte 0,12,4,0,0x8c,10,6,0
-+ .byte 0,12,4,0,0x8c,13,6,0
- .long 0
-+.size .$fname,.-.$fname
-
- .asciz "Montgomery Multiplication for PPC64, CRYPTOGAMS by <appro\@openssl.org>"
- ___
-diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c
-index 1bfb5d9..51137fd 100644
---- a/crypto/evp/e_aes.c
-+++ b/crypto/evp/e_aes.c
-@@ -153,6 +153,20 @@ void AES_xts_decrypt(const char *inp,char *out,size_t len,
- const unsigned char iv[16]);
- #endif
-
-+#if defined(OPENSSL_CPUID_OBJ) && (defined(__powerpc__) || defined(__ppc__) || defined(_ARCH_PPC))
-+# include "ppc_arch.h"
-+# ifdef VPAES_ASM
-+# define VPAES_CAPABLE (OPENSSL_ppccap_P & PPC_ALTIVEC)
-+# endif
-+# define HWAES_CAPABLE (OPENSSL_ppccap_P & PPC_CRYPTO207)
-+# define HWAES_set_encrypt_key aes_p8_set_encrypt_key
-+# define HWAES_set_decrypt_key aes_p8_set_decrypt_key
-+# define HWAES_encrypt aes_p8_encrypt
-+# define HWAES_decrypt aes_p8_decrypt
-+# define HWAES_cbc_encrypt aes_p8_cbc_encrypt
-+# define HWAES_ctr32_encrypt_blocks aes_p8_ctr32_encrypt_blocks
-+#endif
-+
- #if defined(AES_ASM) && !defined(I386_ONLY) && ( \
- ((defined(__i386) || defined(__i386__) || \
- defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \
-diff --git a/crypto/modes/Makefile b/crypto/modes/Makefile
-index c825b12..e684e02 100644
---- a/crypto/modes/Makefile
-+++ b/crypto/modes/Makefile
-@@ -56,6 +56,10 @@ ghash-alpha.s: asm/ghash-alpha.pl
- $(PERL) $< | $(CC) -E - | tee $@ > /dev/null
- ghash-parisc.s: asm/ghash-parisc.pl
- $(PERL) asm/ghash-parisc.pl $(PERLASM_SCHEME) $@
-+ghashv8-armx.S: asm/ghashv8-armx.pl
-+ $(PERL) asm/ghashv8-armx.pl $(PERLASM_SCHEME) $@
-+ghashp8-ppc.s: asm/ghashp8-ppc.pl
-+ $(PERL) asm/ghashp8-ppc.pl $(PERLASM_SCHEME) $@
-
- # GNU make "catch all"
- ghash-%.S: asm/ghash-%.pl; $(PERL) $< $(PERLASM_SCHEME) $@
-diff --git a/crypto/modes/asm/ghashp8-ppc.pl b/crypto/modes/asm/ghashp8-ppc.pl
-new file mode 100755
-index 0000000..e76a58c
---- /dev/null
-+++ b/crypto/modes/asm/ghashp8-ppc.pl
-@@ -0,0 +1,234 @@
-+#!/usr/bin/env perl
-+#
-+# ====================================================================
-+# Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
-+# project. The module is, however, dual licensed under OpenSSL and
-+# CRYPTOGAMS licenses depending on where you obtain it. For further
-+# details see http://www.openssl.org/~appro/cryptogams/.
-+# ====================================================================
-+#
-+# GHASH for for PowerISA v2.07.
-+#
-+# July 2014
-+#
-+# Accurate performance measurements are problematic, because it's
-+# always virtualized setup with possibly throttled processor.
-+# Relative comparison is therefore more informative. This initial
-+# version is ~2.1x slower than hardware-assisted AES-128-CTR, ~12x
-+# faster than "4-bit" integer-only compiler-generated 64-bit code.
-+# "Initial version" means that there is room for futher improvement.
-+
-+$flavour=shift;
-+$output =shift;
-+
-+if ($flavour =~ /64/) {
-+ $SIZE_T=8;
-+ $LRSAVE=2*$SIZE_T;
-+ $STU="stdu";
-+ $POP="ld";
-+ $PUSH="std";
-+} elsif ($flavour =~ /32/) {
-+ $SIZE_T=4;
-+ $LRSAVE=$SIZE_T;
-+ $STU="stwu";
-+ $POP="lwz";
-+ $PUSH="stw";
-+} else { die "nonsense $flavour"; }
-+
-+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
-+( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or
-+( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or
-+die "can't locate ppc-xlate.pl";
-+
-+open STDOUT,"| $^X $xlate $flavour $output" || die "can't call $xlate: $!";
-+
-+my ($Xip,$Htbl,$inp,$len)=map("r$_",(3..6)); # argument block
-+
-+my ($Xl,$Xm,$Xh,$IN)=map("v$_",(0..3));
-+my ($zero,$t0,$t1,$t2,$xC2,$H,$Hh,$Hl,$lemask)=map("v$_",(4..12));
-+my $vrsave="r12";
-+
-+$code=<<___;
-+.machine "any"
-+
-+.text
-+
-+.globl .gcm_init_p8
-+.align 5
-+.gcm_init_p8:
-+ lis r0,0xfff0
-+ li r8,0x10
-+ mfspr $vrsave,256
-+ li r9,0x20
-+ mtspr 256,r0
-+ li r10,0x30
-+ lvx_u $H,0,r4 # load H
-+
-+ vspltisb $xC2,-16 # 0xf0
-+ vspltisb $t0,1 # one
-+ vaddubm $xC2,$xC2,$xC2 # 0xe0
-+ vxor $zero,$zero,$zero
-+ vor $xC2,$xC2,$t0 # 0xe1
-+ vsldoi $xC2,$xC2,$zero,15 # 0xe1...
-+ vsldoi $t1,$zero,$t0,1 # ...1
-+ vaddubm $xC2,$xC2,$xC2 # 0xc2...
-+ vspltisb $t2,7
-+ vor $xC2,$xC2,$t1 # 0xc2....01
-+ vspltb $t1,$H,0 # most significant byte
-+ vsl $H,$H,$t0 # H<<=1
-+ vsrab $t1,$t1,$t2 # broadcast carry bit
-+ vand $t1,$t1,$xC2
-+ vxor $H,$H,$t1 # twisted H
-+
-+ vsldoi $H,$H,$H,8 # twist even more ...
-+ vsldoi $xC2,$zero,$xC2,8 # 0xc2.0
-+ vsldoi $Hl,$zero,$H,8 # ... and split
-+ vsldoi $Hh,$H,$zero,8
-+
-+ stvx_u $xC2,0,r3 # save pre-computed table
-+ stvx_u $Hl,r8,r3
-+ stvx_u $H, r9,r3
-+ stvx_u $Hh,r10,r3
-+
-+ mtspr 256,$vrsave
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,2,0
-+ .long 0
-+.size .gcm_init_p8,.-.gcm_init_p8
-+
-+.globl .gcm_gmult_p8
-+.align 5
-+.gcm_gmult_p8:
-+ lis r0,0xfff8
-+ li r8,0x10
-+ mfspr $vrsave,256
-+ li r9,0x20
-+ mtspr 256,r0
-+ li r10,0x30
-+ lvx_u $IN,0,$Xip # load Xi
-+
-+ lvx_u $Hl,r8,$Htbl # load pre-computed table
-+ le?lvsl $lemask,r0,r0
-+ lvx_u $H, r9,$Htbl
-+ le?vspltisb $t0,0x07
-+ lvx_u $Hh,r10,$Htbl
-+ le?vxor $lemask,$lemask,$t0
-+ lvx_u $xC2,0,$Htbl
-+ le?vperm $IN,$IN,$IN,$lemask
-+ vxor $zero,$zero,$zero
-+
-+ vpmsumd $Xl,$IN,$Hl # H.lo�Xi.lo
-+ vpmsumd $Xm,$IN,$H # H.hi�Xi.lo+H.lo�Xi.hi
-+ vpmsumd $Xh,$IN,$Hh # H.hi�Xi.hi
-+
-+ vpmsumd $t2,$Xl,$xC2 # 1st phase
-+
-+ vsldoi $t0,$Xm,$zero,8
-+ vsldoi $t1,$zero,$Xm,8
-+ vxor $Xl,$Xl,$t0
-+ vxor $Xh,$Xh,$t1
-+
-+ vsldoi $Xl,$Xl,$Xl,8
-+ vxor $Xl,$Xl,$t2
-+
-+ vsldoi $t1,$Xl,$Xl,8 # 2nd phase
-+ vpmsumd $Xl,$Xl,$xC2
-+ vxor $t1,$t1,$Xh
-+ vxor $Xl,$Xl,$t1
-+
-+ le?vperm $Xl,$Xl,$Xl,$lemask
-+ stvx_u $Xl,0,$Xip # write out Xi
-+
-+ mtspr 256,$vrsave
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,2,0
-+ .long 0
-+.size .gcm_gmult_p8,.-.gcm_gmult_p8
-+
-+.globl .gcm_ghash_p8
-+.align 5
-+.gcm_ghash_p8:
-+ lis r0,0xfff8
-+ li r8,0x10
-+ mfspr $vrsave,256
-+ li r9,0x20
-+ mtspr 256,r0
-+ li r10,0x30
-+ lvx_u $Xl,0,$Xip # load Xi
-+
-+ lvx_u $Hl,r8,$Htbl # load pre-computed table
-+ le?lvsl $lemask,r0,r0
-+ lvx_u $H, r9,$Htbl
-+ le?vspltisb $t0,0x07
-+ lvx_u $Hh,r10,$Htbl
-+ le?vxor $lemask,$lemask,$t0
-+ lvx_u $xC2,0,$Htbl
-+ le?vperm $Xl,$Xl,$Xl,$lemask
-+ vxor $zero,$zero,$zero
-+
-+ lvx_u $IN,0,$inp
-+ addi $inp,$inp,16
-+ subi $len,$len,16
-+ le?vperm $IN,$IN,$IN,$lemask
-+ vxor $IN,$IN,$Xl
-+ b Loop
-+
-+.align 5
-+Loop:
-+ subic $len,$len,16
-+ vpmsumd $Xl,$IN,$Hl # H.lo�Xi.lo
-+ subfe. r0,r0,r0 # borrow?-1:0
-+ vpmsumd $Xm,$IN,$H # H.hi�Xi.lo+H.lo�Xi.hi
-+ and r0,r0,$len
-+ vpmsumd $Xh,$IN,$Hh # H.hi�Xi.hi
-+ add $inp,$inp,r0
-+
-+ vpmsumd $t2,$Xl,$xC2 # 1st phase
-+
-+ vsldoi $t0,$Xm,$zero,8
-+ vsldoi $t1,$zero,$Xm,8
-+ vxor $Xl,$Xl,$t0
-+ vxor $Xh,$Xh,$t1
-+
-+ vsldoi $Xl,$Xl,$Xl,8
-+ vxor $Xl,$Xl,$t2
-+ lvx_u $IN,0,$inp
-+ addi $inp,$inp,16
-+
-+ vsldoi $t1,$Xl,$Xl,8 # 2nd phase
-+ vpmsumd $Xl,$Xl,$xC2
-+ le?vperm $IN,$IN,$IN,$lemask
-+ vxor $t1,$t1,$Xh
-+ vxor $IN,$IN,$t1
-+ vxor $IN,$IN,$Xl
-+ beq Loop # did $len-=16 borrow?
-+
-+ vxor $Xl,$Xl,$t1
-+ le?vperm $Xl,$Xl,$Xl,$lemask
-+ stvx_u $Xl,0,$Xip # write out Xi
-+
-+ mtspr 256,$vrsave
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,4,0
-+ .long 0
-+.size .gcm_ghash_p8,.-.gcm_ghash_p8
-+
-+.asciz "GHASH for PowerISA 2.07, CRYPTOGAMS by <appro\@openssl.org>"
-+.align 2
-+___
-+
-+foreach (split("\n",$code)) {
-+ if ($flavour =~ /le$/o) { # little-endian
-+ s/le\?//o or
-+ s/be\?/#be#/o;
-+ } else {
-+ s/le\?/#le#/o or
-+ s/be\?//o;
-+ }
-+ print $_,"\n";
-+}
-+
-+close STDOUT; # enforce flush
-diff --git a/crypto/modes/gcm128.c b/crypto/modes/gcm128.c
-index 0e6ff8b..6f8e7ee 100644
---- a/crypto/modes/gcm128.c
-+++ b/crypto/modes/gcm128.c
-@@ -671,6 +671,21 @@ void gcm_ghash_4bit_x86(u64 Xi[2],const u128 Htable[16],const u8 *inp,size_t len
- void gcm_gmult_neon(u64 Xi[2],const u128 Htable[16]);
- void gcm_ghash_neon(u64 Xi[2],const u128 Htable[16],const u8 *inp,size_t len);
- # endif
-+# elif defined(__sparc__) || defined(__sparc)
-+# include "sparc_arch.h"
-+# define GHASH_ASM_SPARC
-+# define GCM_FUNCREF_4BIT
-+extern unsigned int OPENSSL_sparcv9cap_P[];
-+void gcm_init_vis3(u128 Htable[16],const u64 Xi[2]);
-+void gcm_gmult_vis3(u64 Xi[2],const u128 Htable[16]);
-+void gcm_ghash_vis3(u64 Xi[2],const u128 Htable[16],const u8 *inp,size_t len);
-+#elif defined(OPENSSL_CPUID_OBJ) && (defined(__powerpc__) || defined(__ppc__) || defined(_ARCH_PPC))
-+# include "ppc_arch.h"
-+# define GHASH_ASM_PPC
-+# define GCM_FUNCREF_4BIT
-+void gcm_init_p8(u128 Htable[16],const u64 Xi[2]);
-+void gcm_gmult_p8(u64 Xi[2],const u128 Htable[16]);
-+void gcm_ghash_p8(u64 Xi[2],const u128 Htable[16],const u8 *inp,size_t len);
- # endif
- #endif
-
-@@ -747,6 +762,16 @@ void CRYPTO_gcm128_init(GCM128_CONTEXT *ctx,void *key,block128_f block)
- ctx->gmult = gcm_gmult_4bit;
- ctx->ghash = gcm_ghash_4bit;
- }
-+# elif defined(GHASH_ASM_PPC)
-+ if (OPENSSL_ppccap_P & PPC_CRYPTO207) {
-+ gcm_init_p8(ctx->Htable,ctx->H.u);
-+ ctx->gmult = gcm_gmult_p8;
-+ ctx->ghash = gcm_ghash_p8;
-+ } else {
-+ gcm_init_4bit(ctx->Htable,ctx->H.u);
-+ ctx->gmult = gcm_gmult_4bit;
-+ ctx->ghash = gcm_ghash_4bit;
-+ }
- # else
- gcm_init_4bit(ctx->Htable,ctx->H.u);
- # endif
-diff --git a/crypto/perlasm/ppc-xlate.pl b/crypto/perlasm/ppc-xlate.pl
-index a3edd98..f89e814 100755
---- a/crypto/perlasm/ppc-xlate.pl
-+++ b/crypto/perlasm/ppc-xlate.pl
-@@ -27,7 +27,8 @@ my $globl = sub {
- /osx/ && do { $name = "_$name";
- last;
- };
-- /linux.*32/ && do { $ret .= ".globl $name\n";
-+ /linux.*(32|64le)/
-+ && do { $ret .= ".globl $name\n";
- $ret .= ".type $name,\@function";
- last;
- };
-@@ -37,7 +38,6 @@ my $globl = sub {
- $ret .= ".align 3\n";
- $ret .= "$name:\n";
- $ret .= ".quad .$name,.TOC.\@tocbase,0\n";
-- $ret .= ".size $name,24\n";
- $ret .= ".previous\n";
-
- $name = ".$name";
-@@ -50,7 +50,9 @@ my $globl = sub {
- $ret;
- };
- my $text = sub {
-- ($flavour =~ /aix/) ? ".csect" : ".text";
-+ my $ret = ($flavour =~ /aix/) ? ".csect\t.text[PR],7" : ".text";
-+ $ret = ".abiversion 2\n".$ret if ($flavour =~ /linux.*64le/);
-+ $ret;
- };
- my $machine = sub {
- my $junk = shift;
-@@ -62,9 +64,12 @@ my $machine = sub {
- ".machine $arch";
- };
- my $size = sub {
-- if ($flavour =~ /linux.*32/)
-+ if ($flavour =~ /linux/)
- { shift;
-- ".size " . join(",",@_);
-+ my $name = shift; $name =~ s|^[\.\_]||;
-+ my $ret = ".size $name,.-".($flavour=~/64$/?".":"").$name;
-+ $ret .= "\n.size .$name,.-.$name" if ($flavour=~/64$/);
-+ $ret;
- }
- else
- { ""; }
-@@ -77,6 +82,25 @@ my $asciz = sub {
- else
- { ""; }
- };
-+my $quad = sub {
-+ shift;
-+ my @ret;
-+ my ($hi,$lo);
-+ for (@_) {
-+ if (/^0x([0-9a-f]*?)([0-9a-f]{1,8})$/io)
-+ { $hi=$1?"0x$1":"0"; $lo="0x$2"; }
-+ elsif (/^([0-9]+)$/o)
-+ { $hi=$1>>32; $lo=$1&0xffffffff; } # error-prone with 32-bit perl
-+ else
-+ { $hi=undef; $lo=$_; }
-+
-+ if (defined($hi))
-+ { push(@ret,$flavour=~/le$/o?".long\t$lo,$hi":".long\t$hi,$lo"); }
-+ else
-+ { push(@ret,".quad $lo"); }
-+ }
-+ join("\n",@ret);
-+};
-
- ################################################################
- # simplified mnemonics not handled by at least one assembler
-@@ -122,6 +146,46 @@ my $extrdi = sub {
- $b = ($b+$n)&63; $n = 64-$n;
- " rldicl $ra,$rs,$b,$n";
- };
-+my $vmr = sub {
-+ my ($f,$vx,$vy) = @_;
-+ " vor $vx,$vy,$vy";
-+};
-+
-+# PowerISA 2.06 stuff
-+sub vsxmem_op {
-+ my ($f, $vrt, $ra, $rb, $op) = @_;
-+ " .long ".sprintf "0x%X",(31<<26)|($vrt<<21)|($ra<<16)|($rb<<11)|($op*2+1);
-+}
-+# made-up unaligned memory reference AltiVec/VMX instructions
-+my $lvx_u = sub { vsxmem_op(@_, 844); }; # lxvd2x
-+my $stvx_u = sub { vsxmem_op(@_, 972); }; # stxvd2x
-+my $lvdx_u = sub { vsxmem_op(@_, 588); }; # lxsdx
-+my $stvdx_u = sub { vsxmem_op(@_, 716); }; # stxsdx
-+my $lvx_4w = sub { vsxmem_op(@_, 780); }; # lxvw4x
-+my $stvx_4w = sub { vsxmem_op(@_, 908); }; # stxvw4x
-+
-+# PowerISA 2.07 stuff
-+sub vcrypto_op {
-+ my ($f, $vrt, $vra, $vrb, $op) = @_;
-+ " .long ".sprintf "0x%X",(4<<26)|($vrt<<21)|($vra<<16)|($vrb<<11)|$op;
-+}
-+my $vcipher = sub { vcrypto_op(@_, 1288); };
-+my $vcipherlast = sub { vcrypto_op(@_, 1289); };
-+my $vncipher = sub { vcrypto_op(@_, 1352); };
-+my $vncipherlast= sub { vcrypto_op(@_, 1353); };
-+my $vsbox = sub { vcrypto_op(@_, 0, 1480); };
-+my $vshasigmad = sub { my ($st,$six)=splice(@_,-2); vcrypto_op(@_, $st<<4|$six, 1730); };
-+my $vshasigmaw = sub { my ($st,$six)=splice(@_,-2); vcrypto_op(@_, $st<<4|$six, 1666); };
-+my $vpmsumb = sub { vcrypto_op(@_, 1032); };
-+my $vpmsumd = sub { vcrypto_op(@_, 1224); };
-+my $vpmsubh = sub { vcrypto_op(@_, 1096); };
-+my $vpmsumw = sub { vcrypto_op(@_, 1160); };
-+my $vaddudm = sub { vcrypto_op(@_, 192); };
-+
-+my $mtsle = sub {
-+ my ($f, $arg) = @_;
-+ " .long ".sprintf "0x%X",(31<<26)|($arg<<21)|(147*2);
-+};
-
- while($line=<>) {
-
-@@ -138,7 +202,10 @@ while($line=<>) {
- {
- $line =~ s|(^[\.\w]+)\:\s*||;
- my $label = $1;
-- printf "%s:",($GLOBALS{$label} or $label) if ($label);
-+ if ($label) {
-+ printf "%s:",($GLOBALS{$label} or $label);
-+ printf "\n.localentry\t$GLOBALS{$label},0" if ($GLOBALS{$label} && $flavour =~ /linux.*64le/);
-+ }
- }
-
- {
-@@ -147,7 +214,7 @@ while($line=<>) {
- my $mnemonic = $2;
- my $f = $3;
- my $opcode = eval("\$$mnemonic");
-- $line =~ s|\bc?[rf]([0-9]+)\b|$1|g if ($c ne "." and $flavour !~ /osx/);
-+ $line =~ s/\b(c?[rf]|v|vs)([0-9]+)\b/$2/g if ($c ne "." and $flavour !~ /osx/);
- if (ref($opcode) eq 'CODE') { $line = &$opcode($f,split(',',$line)); }
- elsif ($mnemonic) { $line = $c.$mnemonic.$f."\t".$line; }
- }
-diff --git a/crypto/ppc_arch.h b/crypto/ppc_arch.h
-new file mode 100644
-index 0000000..1192edf
---- /dev/null
-+++ b/crypto/ppc_arch.h
-@@ -0,0 +1,10 @@
-+#ifndef __PPC_ARCH_H__
-+#define __PPC_ARCH_H__
-+
-+extern unsigned int OPENSSL_ppccap_P;
-+
-+#define PPC_FPU64 (1<<0)
-+#define PPC_ALTIVEC (1<<1)
-+#define PPC_CRYPTO207 (1<<2)
-+
-+#endif
-diff --git a/crypto/ppccap.c b/crypto/ppccap.c
-index f71ba66..13c2ca5 100644
---- a/crypto/ppccap.c
-+++ b/crypto/ppccap.c
-@@ -4,13 +4,15 @@
- #include <setjmp.h>
- #include <signal.h>
- #include <unistd.h>
-+#if defined(__linux) || defined(_AIX)
-+#include <sys/utsname.h>
-+#endif
- #include <crypto.h>
- #include <openssl/bn.h>
-
--#define PPC_FPU64 (1<<0)
--#define PPC_ALTIVEC (1<<1)
-+#include "ppc_arch.h"
-
--static int OPENSSL_ppccap_P = 0;
-+unsigned int OPENSSL_ppccap_P = 0;
-
- static sigset_t all_masked;
-
-@@ -22,7 +24,7 @@ int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, const BN_U
-
- if (sizeof(size_t)==4)
- {
--#if (defined(__APPLE__) && defined(__MACH__))
-+#if 1 || (defined(__APPLE__) && defined(__MACH__))
- if (num>=8 && (num&3)==0 && (OPENSSL_ppccap_P&PPC_FPU64))
- return bn_mul_mont_fpu64(rp,ap,bp,np,n0,num);
- #else
-@@ -50,11 +52,28 @@ int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, const BN_U
- }
- #endif
-
-+void sha256_block_p8(void *ctx,const void *inp,size_t len);
-+void sha256_block_ppc(void *ctx,const void *inp,size_t len);
-+void sha256_block_data_order(void *ctx,const void *inp,size_t len)
-+ {
-+ OPENSSL_ppccap_P&PPC_CRYPTO207? sha256_block_p8(ctx,inp,len):
-+ sha256_block_ppc(ctx,inp,len);
-+ }
-+
-+void sha512_block_p8(void *ctx,const void *inp,size_t len);
-+void sha512_block_ppc(void *ctx,const void *inp,size_t len);
-+void sha512_block_data_order(void *ctx,const void *inp,size_t len)
-+ {
-+ OPENSSL_ppccap_P&PPC_CRYPTO207? sha512_block_p8(ctx,inp,len):
-+ sha512_block_ppc(ctx,inp,len);
-+ }
-+
- static sigjmp_buf ill_jmp;
- static void ill_handler (int sig) { siglongjmp(ill_jmp,sig); }
-
- void OPENSSL_ppc64_probe(void);
- void OPENSSL_altivec_probe(void);
-+void OPENSSL_crypto207_probe(void);
-
- void OPENSSL_cpuid_setup(void)
- {
-@@ -85,12 +104,14 @@ void OPENSSL_cpuid_setup(void)
- OPENSSL_ppccap_P = 0;
-
- #if defined(_AIX)
-- if (sizeof(size_t)==4
-+ if (sizeof(size_t)==4)
-+ {
-+ struct utsname uts;
- # if defined(_SC_AIX_KERNEL_BITMODE)
-- && sysconf(_SC_AIX_KERNEL_BITMODE)!=64
-+ if (sysconf(_SC_AIX_KERNEL_BITMODE)!=64) return;
- # endif
-- )
-- return;
-+ if (uname(&uts)!=0 || atoi(uts.version)<6) return;
-+ }
- #endif
-
- memset(&ill_act,0,sizeof(ill_act));
-@@ -102,6 +123,10 @@ void OPENSSL_cpuid_setup(void)
-
- if (sizeof(size_t)==4)
- {
-+#ifdef __linux
-+ struct utsname uts;
-+ if (uname(&uts)==0 && strcmp(uts.machine,"ppc64")==0)
-+#endif
- if (sigsetjmp(ill_jmp,1) == 0)
- {
- OPENSSL_ppc64_probe();
-@@ -119,6 +144,11 @@ void OPENSSL_cpuid_setup(void)
- {
- OPENSSL_altivec_probe();
- OPENSSL_ppccap_P |= PPC_ALTIVEC;
-+ if (sigsetjmp(ill_jmp,1) == 0)
-+ {
-+ OPENSSL_crypto207_probe();
-+ OPENSSL_ppccap_P |= PPC_CRYPTO207;
-+ }
- }
-
- sigaction (SIGILL,&ill_oact,NULL);
-diff --git a/crypto/ppccpuid.pl b/crypto/ppccpuid.pl
-index 4ba736a..56cc851 100755
---- a/crypto/ppccpuid.pl
-+++ b/crypto/ppccpuid.pl
-@@ -31,6 +31,7 @@ $code=<<___;
- blr
- .long 0
- .byte 0,12,0x14,0,0,0,0,0
-+.size .OPENSSL_ppc64_probe,.-.OPENSSL_ppc64_probe
-
- .globl .OPENSSL_altivec_probe
- .align 4
-@@ -39,6 +40,17 @@ $code=<<___;
- blr
- .long 0
- .byte 0,12,0x14,0,0,0,0,0
-+.size .OPENSSL_altivec_probe,.-..OPENSSL_altivec_probe
-+
-+.globl .OPENSSL_crypto207_probe
-+.align 4
-+.OPENSSL_crypto207_probe:
-+ lvx_u v0,0,r1
-+ vcipher v0,v0,v0
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,0,0
-+.size .OPENSSL_crypto207_probe,.-.OPENSSL_crypto207_probe
-
- .globl .OPENSSL_wipe_cpu
- .align 4
-@@ -71,6 +83,7 @@ $code=<<___;
- blr
- .long 0
- .byte 0,12,0x14,0,0,0,0,0
-+.size .OPENSSL_wipe_cpu,.-.OPENSSL_wipe_cpu
-
- .globl .OPENSSL_atomic_add
- .align 4
-@@ -84,6 +97,7 @@ Ladd: lwarx r5,0,r3
- .long 0
- .byte 0,12,0x14,0,0,0,2,0
- .long 0
-+.size .OPENSSL_atomic_add,.-.OPENSSL_atomic_add
-
- .globl .OPENSSL_rdtsc
- .align 4
-@@ -93,6 +107,7 @@ Ladd: lwarx r5,0,r3
- blr
- .long 0
- .byte 0,12,0x14,0,0,0,0,0
-+.size .OPENSSL_rdtsc,.-.OPENSSL_rdtsc
-
- .globl .OPENSSL_cleanse
- .align 4
-@@ -125,7 +140,99 @@ Laligned:
- .long 0
- .byte 0,12,0x14,0,0,0,2,0
- .long 0
-+.size .OPENSSL_cleanse,.-.OPENSSL_cleanse
-+___
-+{
-+my ($out,$cnt,$max)=("r3","r4","r5");
-+my ($tick,$lasttick)=("r6","r7");
-+my ($diff,$lastdiff)=("r8","r9");
-+
-+$code.=<<___;
-+.globl .OPENSSL_instrument_bus
-+.align 4
-+.OPENSSL_instrument_bus:
-+ mtctr $cnt
-+
-+ mftb $lasttick # collect 1st tick
-+ li $diff,0
-+
-+ dcbf 0,$out # flush cache line
-+ lwarx $tick,0,$out # load and lock
-+ add $tick,$tick,$diff
-+ stwcx. $tick,0,$out
-+ stwx $tick,0,$out
-+
-+Loop: mftb $tick
-+ sub $diff,$tick,$lasttick
-+ mr $lasttick,$tick
-+ dcbf 0,$out # flush cache line
-+ lwarx $tick,0,$out # load and lock
-+ add $tick,$tick,$diff
-+ stwcx. $tick,0,$out
-+ stwx $tick,0,$out
-+ addi $out,$out,4 # ++$out
-+ bdnz Loop
-+
-+ mr r3,$cnt
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,2,0
-+ .long 0
-+.size .OPENSSL_instrument_bus,.-.OPENSSL_instrument_bus
-+
-+.globl .OPENSSL_instrument_bus2
-+.align 4
-+.OPENSSL_instrument_bus2:
-+ mr r0,$cnt
-+ slwi $cnt,$cnt,2
-+
-+ mftb $lasttick # collect 1st tick
-+ li $diff,0
-+
-+ dcbf 0,$out # flush cache line
-+ lwarx $tick,0,$out # load and lock
-+ add $tick,$tick,$diff
-+ stwcx. $tick,0,$out
-+ stwx $tick,0,$out
-+
-+ mftb $tick # collect 1st diff
-+ sub $diff,$tick,$lasttick
-+ mr $lasttick,$tick
-+ mr $lastdiff,$diff
-+Loop2:
-+ dcbf 0,$out # flush cache line
-+ lwarx $tick,0,$out # load and lock
-+ add $tick,$tick,$diff
-+ stwcx. $tick,0,$out
-+ stwx $tick,0,$out
-+
-+ addic. $max,$max,-1
-+ beq Ldone2
-+
-+ mftb $tick
-+ sub $diff,$tick,$lasttick
-+ mr $lasttick,$tick
-+ cmplw 7,$diff,$lastdiff
-+ mr $lastdiff,$diff
-+
-+ mfcr $tick # pull cr
-+ not $tick,$tick # flip bits
-+ rlwinm $tick,$tick,1,29,29 # isolate flipped eq bit and scale
-+
-+ sub. $cnt,$cnt,$tick # conditional --$cnt
-+ add $out,$out,$tick # conditional ++$out
-+ bne Loop2
-+
-+Ldone2:
-+ srwi $cnt,$cnt,2
-+ sub r3,r0,$cnt
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,3,0
-+ .long 0
-+.size .OPENSSL_instrument_bus2,.-.OPENSSL_instrument_bus2
- ___
-+}
-
- $code =~ s/\`([^\`]*)\`/eval $1/gem;
- print $code;
-diff --git a/crypto/sha/Makefile b/crypto/sha/Makefile
-index 6d191d3..58c6705 100644
---- a/crypto/sha/Makefile
-+++ b/crypto/sha/Makefile
-@@ -73,6 +73,8 @@ sha512-sparcv9.s:asm/sha512-sparcv9.pl; $(PERL) asm/sha512-sparcv9.pl $@ $(CFLAG
- sha1-ppc.s: asm/sha1-ppc.pl; $(PERL) asm/sha1-ppc.pl $(PERLASM_SCHEME) $@
- sha256-ppc.s: asm/sha512-ppc.pl; $(PERL) asm/sha512-ppc.pl $(PERLASM_SCHEME) $@
- sha512-ppc.s: asm/sha512-ppc.pl; $(PERL) asm/sha512-ppc.pl $(PERLASM_SCHEME) $@
-+sha256p8-ppc.s: asm/sha512p8-ppc.pl; $(PERL) asm/sha512p8-ppc.pl $(PERLASM_SCHEME) $@
-+sha512p8-ppc.s: asm/sha512p8-ppc.pl; $(PERL) asm/sha512p8-ppc.pl $(PERLASM_SCHEME) $@
-
- sha1-parisc.s: asm/sha1-parisc.pl; $(PERL) asm/sha1-parisc.pl $(PERLASM_SCHEME) $@
- sha256-parisc.s:asm/sha512-parisc.pl; $(PERL) asm/sha512-parisc.pl $(PERLASM_SCHEME) $@
-diff --git a/crypto/sha/asm/sha1-ppc.pl b/crypto/sha/asm/sha1-ppc.pl
-index 2140dd2..df59896 100755
---- a/crypto/sha/asm/sha1-ppc.pl
-+++ b/crypto/sha/asm/sha1-ppc.pl
-@@ -9,8 +9,7 @@
-
- # I let hardware handle unaligned input(*), except on page boundaries
- # (see below for details). Otherwise straightforward implementation
--# with X vector in register bank. The module is big-endian [which is
--# not big deal as there're no little-endian targets left around].
-+# with X vector in register bank.
- #
- # (*) this means that this module is inappropriate for PPC403? Does
- # anybody know if pre-POWER3 can sustain unaligned load?
-@@ -38,6 +37,10 @@ if ($flavour =~ /64/) {
- $PUSH ="stw";
- } else { die "nonsense $flavour"; }
-
-+# Define endianess based on flavour
-+# i.e.: linux64le
-+$LITTLE_ENDIAN = ($flavour=~/le$/) ? $SIZE_T : 0;
-+
- $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
- ( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or
- ( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or
-@@ -68,14 +71,28 @@ $T ="r12";
- @X=("r16","r17","r18","r19","r20","r21","r22","r23",
- "r24","r25","r26","r27","r28","r29","r30","r31");
-
-+sub loadbe {
-+my ($dst, $src, $temp_reg) = @_;
-+$code.=<<___ if (!$LITTLE_ENDIAN);
-+ lwz $dst,$src
-+___
-+$code.=<<___ if ($LITTLE_ENDIAN);
-+ lwz $temp_reg,$src
-+ rotlwi $dst,$temp_reg,8
-+ rlwimi $dst,$temp_reg,24,0,7
-+ rlwimi $dst,$temp_reg,24,16,23
-+___
-+}
-+
- sub BODY_00_19 {
- my ($i,$a,$b,$c,$d,$e,$f)=@_;
- my $j=$i+1;
--$code.=<<___ if ($i==0);
-- lwz @X[$i],`$i*4`($inp)
--___
-+
-+ # Since the last value of $f is discarded, we can use
-+ # it as a temp reg to swap byte-order when needed.
-+ loadbe("@X[$i]","`$i*4`($inp)",$f) if ($i==0);
-+ loadbe("@X[$j]","`$j*4`($inp)",$f) if ($i<15);
- $code.=<<___ if ($i<15);
-- lwz @X[$j],`$j*4`($inp)
- add $f,$K,$e
- rotlwi $e,$a,5
- add $f,$f,@X[$i]
-@@ -108,31 +125,31 @@ my ($i,$a,$b,$c,$d,$e,$f)=@_;
- my $j=$i+1;
- $code.=<<___ if ($i<79);
- add $f,$K,$e
-+ xor $t0,$b,$d
- rotlwi $e,$a,5
- xor @X[$j%16],@X[$j%16],@X[($j+2)%16]
- add $f,$f,@X[$i%16]
-- xor $t0,$b,$c
-+ xor $t0,$t0,$c
- xor @X[$j%16],@X[$j%16],@X[($j+8)%16]
-- add $f,$f,$e
-+ add $f,$f,$t0
- rotlwi $b,$b,30
-- xor $t0,$t0,$d
- xor @X[$j%16],@X[$j%16],@X[($j+13)%16]
-- add $f,$f,$t0
-+ add $f,$f,$e
- rotlwi @X[$j%16],@X[$j%16],1
- ___
- $code.=<<___ if ($i==79);
- add $f,$K,$e
-+ xor $t0,$b,$d
- rotlwi $e,$a,5
- lwz r16,0($ctx)
- add $f,$f,@X[$i%16]
-- xor $t0,$b,$c
-+ xor $t0,$t0,$c
- lwz r17,4($ctx)
-- add $f,$f,$e
-+ add $f,$f,$t0
- rotlwi $b,$b,30
- lwz r18,8($ctx)
-- xor $t0,$t0,$d
- lwz r19,12($ctx)
-- add $f,$f,$t0
-+ add $f,$f,$e
- lwz r20,16($ctx)
- ___
- }
-@@ -316,6 +333,7 @@ $code.=<<___;
- blr
- .long 0
- .byte 0,12,0x14,0,0,0,0,0
-+.size .sha1_block_data_order,.-.sha1_block_data_order
- ___
- $code.=<<___;
- .asciz "SHA1 block transform for PPC, CRYPTOGAMS by <appro\@fy.chalmers.se>"
-diff --git a/crypto/sha/asm/sha512-ppc.pl b/crypto/sha/asm/sha512-ppc.pl
-index 6b44a68..734f3c1 100755
---- a/crypto/sha/asm/sha512-ppc.pl
-+++ b/crypto/sha/asm/sha512-ppc.pl
-@@ -1,7 +1,7 @@
- #!/usr/bin/env perl
-
- # ====================================================================
--# Written by Andy Polyakov <appro@fy.chalmers.se> for the OpenSSL
-+# Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
- # project. The module is, however, dual licensed under OpenSSL and
- # CRYPTOGAMS licenses depending on where you obtain it. For further
- # details see http://www.openssl.org/~appro/cryptogams/.
-@@ -9,8 +9,7 @@
-
- # I let hardware handle unaligned input, except on page boundaries
- # (see below for details). Otherwise straightforward implementation
--# with X vector in register bank. The module is big-endian [which is
--# not big deal as there're no little-endian targets left around].
-+# with X vector in register bank.
-
- # sha256 | sha512
- # -m64 -m32 | -m64 -m32
-@@ -56,6 +55,8 @@ if ($flavour =~ /64/) {
- $PUSH="stw";
- } else { die "nonsense $flavour"; }
-
-+$LITTLE_ENDIAN = ($flavour=~/le$/) ? $SIZE_T : 0;
-+
- $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
- ( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or
- ( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or
-@@ -64,7 +65,7 @@ die "can't locate ppc-xlate.pl";
- open STDOUT,"| $^X $xlate $flavour $output" || die "can't call $xlate: $!";
-
- if ($output =~ /512/) {
-- $func="sha512_block_data_order";
-+ $func="sha512_block_ppc";
- $SZ=8;
- @Sigma0=(28,34,39);
- @Sigma1=(14,18,41);
-@@ -76,7 +77,7 @@ if ($output =~ /512/) {
- $ROR="rotrdi";
- $SHR="srdi";
- } else {
-- $func="sha256_block_data_order";
-+ $func="sha256_block_ppc";
- $SZ=4;
- @Sigma0=( 2,13,22);
- @Sigma1=( 6,11,25);
-@@ -110,7 +111,7 @@ $B ="r9";
- $C ="r10";
- $D ="r11";
- $E ="r12";
--$F ="r13"; $F="r2" if ($SIZE_T==8);# reassigned to exempt TLS pointer
-+$F =$t1; $t1 = "r0"; # stay away from "r13";
- $G ="r14";
- $H ="r15";
-
-@@ -118,24 +119,23 @@ $H ="r15";
- @X=("r16","r17","r18","r19","r20","r21","r22","r23",
- "r24","r25","r26","r27","r28","r29","r30","r31");
-
--$inp="r31"; # reassigned $inp! aliases with @X[15]
-+$inp="r31" if($SZ==4 || $SIZE_T==8); # reassigned $inp! aliases with @X[15]
-
- sub ROUND_00_15 {
- my ($i,$a,$b,$c,$d,$e,$f,$g,$h)=@_;
- $code.=<<___;
-- $LD $T,`$i*$SZ`($Tbl)
- $ROR $a0,$e,$Sigma1[0]
- $ROR $a1,$e,$Sigma1[1]
- and $t0,$f,$e
-- andc $t1,$g,$e
-- add $T,$T,$h
- xor $a0,$a0,$a1
-+ add $h,$h,$t1
-+ andc $t1,$g,$e
- $ROR $a1,$a1,`$Sigma1[2]-$Sigma1[1]`
- or $t0,$t0,$t1 ; Ch(e,f,g)
-- add $T,$T,@X[$i]
-+ add $h,$h,@X[$i%16]
- xor $a0,$a0,$a1 ; Sigma1(e)
-- add $T,$T,$t0
-- add $T,$T,$a0
-+ add $h,$h,$t0
-+ add $h,$h,$a0
-
- $ROR $a0,$a,$Sigma0[0]
- $ROR $a1,$a,$Sigma0[1]
-@@ -146,9 +146,14 @@ $code.=<<___;
- xor $t0,$t0,$t1
- and $t1,$b,$c
- xor $a0,$a0,$a1 ; Sigma0(a)
-- add $d,$d,$T
-+ add $d,$d,$h
- xor $t0,$t0,$t1 ; Maj(a,b,c)
-- add $h,$T,$a0
-+___
-+$code.=<<___ if ($i<15);
-+ $LD $t1,`($i+1)*$SZ`($Tbl)
-+___
-+$code.=<<___;
-+ add $h,$h,$a0
- add $h,$h,$t0
-
- ___
-@@ -169,10 +174,11 @@ $code.=<<___;
- add @X[$i],@X[$i],@X[($i+9)%16]
- xor $a0,$a0,$a1 ; sigma0(X[(i+1)&0x0f])
- xor $t0,$t0,$t1 ; sigma1(X[(i+14)&0x0f])
-+ $LD $t1,`$i*$SZ`($Tbl)
- add @X[$i],@X[$i],$a0
- add @X[$i],@X[$i],$t0
- ___
--&ROUND_00_15($i,$a,$b,$c,$d,$e,$f,$g,$h);
-+&ROUND_00_15($i+16,$a,$b,$c,$d,$e,$f,$g,$h);
- }
-
- $code=<<___;
-@@ -188,8 +194,6 @@ $func:
-
- $PUSH $ctx,`$FRAME-$SIZE_T*22`($sp)
-
-- $PUSH $toc,`$FRAME-$SIZE_T*20`($sp)
-- $PUSH r13,`$FRAME-$SIZE_T*19`($sp)
- $PUSH r14,`$FRAME-$SIZE_T*18`($sp)
- $PUSH r15,`$FRAME-$SIZE_T*17`($sp)
- $PUSH r16,`$FRAME-$SIZE_T*16`($sp)
-@@ -209,7 +213,10 @@ $func:
- $PUSH r30,`$FRAME-$SIZE_T*2`($sp)
- $PUSH r31,`$FRAME-$SIZE_T*1`($sp)
- $PUSH r0,`$FRAME+$LRSAVE`($sp)
-+___
-
-+if ($SZ==4 || $SIZE_T==8) {
-+$code.=<<___;
- $LD $A,`0*$SZ`($ctx)
- mr $inp,r4 ; incarnate $inp
- $LD $B,`1*$SZ`($ctx)
-@@ -219,7 +226,16 @@ $func:
- $LD $F,`5*$SZ`($ctx)
- $LD $G,`6*$SZ`($ctx)
- $LD $H,`7*$SZ`($ctx)
-+___
-+} else {
-+ for ($i=16;$i<32;$i++) {
-+ $code.=<<___;
-+ lwz r$i,`$LITTLE_ENDIAN^(4*($i-16))`($ctx)
-+___
-+ }
-+}
-
-+$code.=<<___;
- bl LPICmeup
- LPICedup:
- andi. r0,$inp,3
-@@ -255,6 +271,9 @@ Lunaligned:
- Lcross_page:
- li $t1,`16*$SZ/4`
- mtctr $t1
-+___
-+if ($SZ==4 || $SIZE_T==8) {
-+$code.=<<___;
- addi r20,$sp,$LOCALS ; aligned spot below the frame
- Lmemcpy:
- lbz r16,0($inp)
-@@ -268,7 +287,26 @@ Lmemcpy:
- stb r19,3(r20)
- addi r20,r20,4
- bdnz Lmemcpy
-+___
-+} else {
-+$code.=<<___;
-+ addi r12,$sp,$LOCALS ; aligned spot below the frame
-+Lmemcpy:
-+ lbz r8,0($inp)
-+ lbz r9,1($inp)
-+ lbz r10,2($inp)
-+ lbz r11,3($inp)
-+ addi $inp,$inp,4
-+ stb r8,0(r12)
-+ stb r9,1(r12)
-+ stb r10,2(r12)
-+ stb r11,3(r12)
-+ addi r12,r12,4
-+ bdnz Lmemcpy
-+___
-+}
-
-+$code.=<<___;
- $PUSH $inp,`$FRAME-$SIZE_T*26`($sp) ; save real inp
- addi $t1,$sp,`$LOCALS+16*$SZ` ; fictitious end pointer
- addi $inp,$sp,$LOCALS ; fictitious inp pointer
-@@ -283,8 +321,6 @@ Lmemcpy:
-
- Ldone:
- $POP r0,`$FRAME+$LRSAVE`($sp)
-- $POP $toc,`$FRAME-$SIZE_T*20`($sp)
-- $POP r13,`$FRAME-$SIZE_T*19`($sp)
- $POP r14,`$FRAME-$SIZE_T*18`($sp)
- $POP r15,`$FRAME-$SIZE_T*17`($sp)
- $POP r16,`$FRAME-$SIZE_T*16`($sp)
-@@ -309,27 +345,48 @@ Ldone:
- .long 0
- .byte 0,12,4,1,0x80,18,3,0
- .long 0
-+___
-
-+if ($SZ==4 || $SIZE_T==8) {
-+$code.=<<___;
- .align 4
- Lsha2_block_private:
-+ $LD $t1,0($Tbl)
- ___
- for($i=0;$i<16;$i++) {
--$code.=<<___ if ($SZ==4);
-+$code.=<<___ if ($SZ==4 && !$LITTLE_ENDIAN);
- lwz @X[$i],`$i*$SZ`($inp)
- ___
-+$code.=<<___ if ($SZ==4 && $LITTLE_ENDIAN);
-+ lwz $a0,`$i*$SZ`($inp)
-+ rotlwi @X[$i],$a0,8
-+ rlwimi @X[$i],$a0,24,0,7
-+ rlwimi @X[$i],$a0,24,16,23
-+___
- # 64-bit loads are split to 2x32-bit ones, as CPU can't handle
- # unaligned 64-bit loads, only 32-bit ones...
--$code.=<<___ if ($SZ==8);
-+$code.=<<___ if ($SZ==8 && !$LITTLE_ENDIAN);
- lwz $t0,`$i*$SZ`($inp)
- lwz @X[$i],`$i*$SZ+4`($inp)
- insrdi @X[$i],$t0,32,0
- ___
-+$code.=<<___ if ($SZ==8 && $LITTLE_ENDIAN);
-+ lwz $a0,`$i*$SZ`($inp)
-+ lwz $a1,`$i*$SZ+4`($inp)
-+ rotlwi $t0,$a0,8
-+ rotlwi @X[$i],$a1,8
-+ rlwimi $t0,$a0,24,0,7
-+ rlwimi @X[$i],$a1,24,0,7
-+ rlwimi $t0,$a0,24,16,23
-+ rlwimi @X[$i],$a1,24,16,23
-+ insrdi @X[$i],$t0,32,0
-+___
- &ROUND_00_15($i,@V);
- unshift(@V,pop(@V));
- }
- $code.=<<___;
-- li $T,`$rounds/16-1`
-- mtctr $T
-+ li $t0,`$rounds/16-1`
-+ mtctr $t0
- .align 4
- Lrounds:
- addi $Tbl,$Tbl,`16*$SZ`
-@@ -377,7 +434,282 @@ $code.=<<___;
- blr
- .long 0
- .byte 0,12,0x14,0,0,0,0,0
-+.size $func,.-$func
-+___
-+} else {
-+########################################################################
-+# SHA512 for PPC32, X vector is off-loaded to stack...
-+#
-+# | sha512
-+# | -m32
-+# ----------------------+-----------------------
-+# PPC74x0,gcc-4.0.1 | +48%
-+# POWER6,gcc-4.4.6 | +124%(*)
-+# POWER7,gcc-4.4.6 | +79%(*)
-+# e300,gcc-4.1.0 | +167%
-+#
-+# (*) ~1/3 of -m64 result [and ~20% better than -m32 code generated
-+# by xlc-12.1]
-+
-+my $XOFF=$LOCALS;
-+
-+my @V=map("r$_",(16..31)); # A..H
-+
-+my ($s0,$s1,$t0,$t1,$t2,$t3,$a0,$a1,$a2,$a3)=map("r$_",(0,5,6,8..12,14,15));
-+my ($x0,$x1)=("r3","r4"); # zaps $ctx and $inp
-+
-+sub ROUND_00_15_ppc32 {
-+my ($i, $ahi,$alo,$bhi,$blo,$chi,$clo,$dhi,$dlo,
-+ $ehi,$elo,$fhi,$flo,$ghi,$glo,$hhi,$hlo)=@_;
-+
-+$code.=<<___;
-+ lwz $t2,`$SZ*($i%16)+($LITTLE_ENDIAN^4)`($Tbl)
-+ xor $a0,$flo,$glo
-+ lwz $t3,`$SZ*($i%16)+($LITTLE_ENDIAN^0)`($Tbl)
-+ xor $a1,$fhi,$ghi
-+ addc $hlo,$hlo,$t0 ; h+=x[i]
-+ stw $t0,`$XOFF+0+$SZ*($i%16)`($sp) ; save x[i]
-+
-+ srwi $s0,$elo,$Sigma1[0]
-+ srwi $s1,$ehi,$Sigma1[0]
-+ and $a0,$a0,$elo
-+ adde $hhi,$hhi,$t1
-+ and $a1,$a1,$ehi
-+ stw $t1,`$XOFF+4+$SZ*($i%16)`($sp)
-+ srwi $t0,$elo,$Sigma1[1]
-+ srwi $t1,$ehi,$Sigma1[1]
-+ addc $hlo,$hlo,$t2 ; h+=K512[i]
-+ insrwi $s0,$ehi,$Sigma1[0],0
-+ insrwi $s1,$elo,$Sigma1[0],0
-+ xor $a0,$a0,$glo ; Ch(e,f,g)
-+ adde $hhi,$hhi,$t3
-+ xor $a1,$a1,$ghi
-+ insrwi $t0,$ehi,$Sigma1[1],0
-+ insrwi $t1,$elo,$Sigma1[1],0
-+ addc $hlo,$hlo,$a0 ; h+=Ch(e,f,g)
-+ srwi $t2,$ehi,$Sigma1[2]-32
-+ srwi $t3,$elo,$Sigma1[2]-32
-+ xor $s0,$s0,$t0
-+ xor $s1,$s1,$t1
-+ insrwi $t2,$elo,$Sigma1[2]-32,0
-+ insrwi $t3,$ehi,$Sigma1[2]-32,0
-+ xor $a0,$alo,$blo ; a^b, b^c in next round
-+ adde $hhi,$hhi,$a1
-+ xor $a1,$ahi,$bhi
-+ xor $s0,$s0,$t2 ; Sigma1(e)
-+ xor $s1,$s1,$t3
-+
-+ srwi $t0,$alo,$Sigma0[0]
-+ and $a2,$a2,$a0
-+ addc $hlo,$hlo,$s0 ; h+=Sigma1(e)
-+ and $a3,$a3,$a1
-+ srwi $t1,$ahi,$Sigma0[0]
-+ srwi $s0,$ahi,$Sigma0[1]-32
-+ adde $hhi,$hhi,$s1
-+ srwi $s1,$alo,$Sigma0[1]-32
-+ insrwi $t0,$ahi,$Sigma0[0],0
-+ insrwi $t1,$alo,$Sigma0[0],0
-+ xor $a2,$a2,$blo ; Maj(a,b,c)
-+ addc $dlo,$dlo,$hlo ; d+=h
-+ xor $a3,$a3,$bhi
-+ insrwi $s0,$alo,$Sigma0[1]-32,0
-+ insrwi $s1,$ahi,$Sigma0[1]-32,0
-+ adde $dhi,$dhi,$hhi
-+ srwi $t2,$ahi,$Sigma0[2]-32
-+ srwi $t3,$alo,$Sigma0[2]-32
-+ xor $s0,$s0,$t0
-+ addc $hlo,$hlo,$a2 ; h+=Maj(a,b,c)
-+ xor $s1,$s1,$t1
-+ insrwi $t2,$alo,$Sigma0[2]-32,0
-+ insrwi $t3,$ahi,$Sigma0[2]-32,0
-+ adde $hhi,$hhi,$a3
-+___
-+$code.=<<___ if ($i>=15);
-+ lwz $t0,`$XOFF+0+$SZ*(($i+2)%16)`($sp)
-+ lwz $t1,`$XOFF+4+$SZ*(($i+2)%16)`($sp)
-+___
-+$code.=<<___ if ($i<15 && !$LITTLE_ENDIAN);
-+ lwz $t1,`$SZ*($i+1)+0`($inp)
-+ lwz $t0,`$SZ*($i+1)+4`($inp)
- ___
-+$code.=<<___ if ($i<15 && $LITTLE_ENDIAN);
-+ lwz $a2,`$SZ*($i+1)+0`($inp)
-+ lwz $a3,`$SZ*($i+1)+4`($inp)
-+ rotlwi $t1,$a2,8
-+ rotlwi $t0,$a3,8
-+ rlwimi $t1,$a2,24,0,7
-+ rlwimi $t0,$a3,24,0,7
-+ rlwimi $t1,$a2,24,16,23
-+ rlwimi $t0,$a3,24,16,23
-+___
-+$code.=<<___;
-+ xor $s0,$s0,$t2 ; Sigma0(a)
-+ xor $s1,$s1,$t3
-+ addc $hlo,$hlo,$s0 ; h+=Sigma0(a)
-+ adde $hhi,$hhi,$s1
-+___
-+$code.=<<___ if ($i==15);
-+ lwz $x0,`$XOFF+0+$SZ*(($i+1)%16)`($sp)
-+ lwz $x1,`$XOFF+4+$SZ*(($i+1)%16)`($sp)
-+___
-+}
-+sub ROUND_16_xx_ppc32 {
-+my ($i, $ahi,$alo,$bhi,$blo,$chi,$clo,$dhi,$dlo,
-+ $ehi,$elo,$fhi,$flo,$ghi,$glo,$hhi,$hlo)=@_;
-+
-+$code.=<<___;
-+ srwi $s0,$t0,$sigma0[0]
-+ srwi $s1,$t1,$sigma0[0]
-+ srwi $t2,$t0,$sigma0[1]
-+ srwi $t3,$t1,$sigma0[1]
-+ insrwi $s0,$t1,$sigma0[0],0
-+ insrwi $s1,$t0,$sigma0[0],0
-+ srwi $a0,$t0,$sigma0[2]
-+ insrwi $t2,$t1,$sigma0[1],0
-+ insrwi $t3,$t0,$sigma0[1],0
-+ insrwi $a0,$t1,$sigma0[2],0
-+ xor $s0,$s0,$t2
-+ lwz $t2,`$XOFF+0+$SZ*(($i+14)%16)`($sp)
-+ srwi $a1,$t1,$sigma0[2]
-+ xor $s1,$s1,$t3
-+ lwz $t3,`$XOFF+4+$SZ*(($i+14)%16)`($sp)
-+ xor $a0,$a0,$s0
-+ srwi $s0,$t2,$sigma1[0]
-+ xor $a1,$a1,$s1
-+ srwi $s1,$t3,$sigma1[0]
-+ addc $x0,$x0,$a0 ; x[i]+=sigma0(x[i+1])
-+ srwi $a0,$t3,$sigma1[1]-32
-+ insrwi $s0,$t3,$sigma1[0],0
-+ insrwi $s1,$t2,$sigma1[0],0
-+ adde $x1,$x1,$a1
-+ srwi $a1,$t2,$sigma1[1]-32
-+
-+ insrwi $a0,$t2,$sigma1[1]-32,0
-+ srwi $t2,$t2,$sigma1[2]
-+ insrwi $a1,$t3,$sigma1[1]-32,0
-+ insrwi $t2,$t3,$sigma1[2],0
-+ xor $s0,$s0,$a0
-+ lwz $a0,`$XOFF+0+$SZ*(($i+9)%16)`($sp)
-+ srwi $t3,$t3,$sigma1[2]
-+ xor $s1,$s1,$a1
-+ lwz $a1,`$XOFF+4+$SZ*(($i+9)%16)`($sp)
-+ xor $s0,$s0,$t2
-+ addc $x0,$x0,$a0 ; x[i]+=x[i+9]
-+ xor $s1,$s1,$t3
-+ adde $x1,$x1,$a1
-+ addc $x0,$x0,$s0 ; x[i]+=sigma1(x[i+14])
-+ adde $x1,$x1,$s1
-+___
-+ ($t0,$t1,$x0,$x1) = ($x0,$x1,$t0,$t1);
-+ &ROUND_00_15_ppc32(@_);
-+}
-+
-+$code.=<<___;
-+.align 4
-+Lsha2_block_private:
-+___
-+$code.=<<___ if (!$LITTLE_ENDIAN);
-+ lwz $t1,0($inp)
-+ xor $a2,@V[3],@V[5] ; B^C, magic seed
-+ lwz $t0,4($inp)
-+ xor $a3,@V[2],@V[4]
-+___
-+$code.=<<___ if ($LITTLE_ENDIAN);
-+ lwz $a1,0($inp)
-+ xor $a2,@V[3],@V[5] ; B^C, magic seed
-+ lwz $a0,4($inp)
-+ xor $a3,@V[2],@V[4]
-+ rotlwi $t1,$a1,8
-+ rotlwi $t0,$a0,8
-+ rlwimi $t1,$a1,24,0,7
-+ rlwimi $t0,$a0,24,0,7
-+ rlwimi $t1,$a1,24,16,23
-+ rlwimi $t0,$a0,24,16,23
-+___
-+for($i=0;$i<16;$i++) {
-+ &ROUND_00_15_ppc32($i,@V);
-+ unshift(@V,pop(@V)); unshift(@V,pop(@V));
-+ ($a0,$a1,$a2,$a3) = ($a2,$a3,$a0,$a1);
-+}
-+$code.=<<___;
-+ li $a0,`$rounds/16-1`
-+ mtctr $a0
-+.align 4
-+Lrounds:
-+ addi $Tbl,$Tbl,`16*$SZ`
-+___
-+for(;$i<32;$i++) {
-+ &ROUND_16_xx_ppc32($i,@V);
-+ unshift(@V,pop(@V)); unshift(@V,pop(@V));
-+ ($a0,$a1,$a2,$a3) = ($a2,$a3,$a0,$a1);
-+}
-+$code.=<<___;
-+ bdnz- Lrounds
-+
-+ $POP $ctx,`$FRAME-$SIZE_T*22`($sp)
-+ $POP $inp,`$FRAME-$SIZE_T*23`($sp) ; inp pointer
-+ $POP $num,`$FRAME-$SIZE_T*24`($sp) ; end pointer
-+ subi $Tbl,$Tbl,`($rounds-16)*$SZ` ; rewind Tbl
-+
-+ lwz $t0,`$LITTLE_ENDIAN^0`($ctx)
-+ lwz $t1,`$LITTLE_ENDIAN^4`($ctx)
-+ lwz $t2,`$LITTLE_ENDIAN^8`($ctx)
-+ lwz $t3,`$LITTLE_ENDIAN^12`($ctx)
-+ lwz $a0,`$LITTLE_ENDIAN^16`($ctx)
-+ lwz $a1,`$LITTLE_ENDIAN^20`($ctx)
-+ lwz $a2,`$LITTLE_ENDIAN^24`($ctx)
-+ addc @V[1],@V[1],$t1
-+ lwz $a3,`$LITTLE_ENDIAN^28`($ctx)
-+ adde @V[0],@V[0],$t0
-+ lwz $t0,`$LITTLE_ENDIAN^32`($ctx)
-+ addc @V[3],@V[3],$t3
-+ lwz $t1,`$LITTLE_ENDIAN^36`($ctx)
-+ adde @V[2],@V[2],$t2
-+ lwz $t2,`$LITTLE_ENDIAN^40`($ctx)
-+ addc @V[5],@V[5],$a1
-+ lwz $t3,`$LITTLE_ENDIAN^44`($ctx)
-+ adde @V[4],@V[4],$a0
-+ lwz $a0,`$LITTLE_ENDIAN^48`($ctx)
-+ addc @V[7],@V[7],$a3
-+ lwz $a1,`$LITTLE_ENDIAN^52`($ctx)
-+ adde @V[6],@V[6],$a2
-+ lwz $a2,`$LITTLE_ENDIAN^56`($ctx)
-+ addc @V[9],@V[9],$t1
-+ lwz $a3,`$LITTLE_ENDIAN^60`($ctx)
-+ adde @V[8],@V[8],$t0
-+ stw @V[0],`$LITTLE_ENDIAN^0`($ctx)
-+ stw @V[1],`$LITTLE_ENDIAN^4`($ctx)
-+ addc @V[11],@V[11],$t3
-+ stw @V[2],`$LITTLE_ENDIAN^8`($ctx)
-+ stw @V[3],`$LITTLE_ENDIAN^12`($ctx)
-+ adde @V[10],@V[10],$t2
-+ stw @V[4],`$LITTLE_ENDIAN^16`($ctx)
-+ stw @V[5],`$LITTLE_ENDIAN^20`($ctx)
-+ addc @V[13],@V[13],$a1
-+ stw @V[6],`$LITTLE_ENDIAN^24`($ctx)
-+ stw @V[7],`$LITTLE_ENDIAN^28`($ctx)
-+ adde @V[12],@V[12],$a0
-+ stw @V[8],`$LITTLE_ENDIAN^32`($ctx)
-+ stw @V[9],`$LITTLE_ENDIAN^36`($ctx)
-+ addc @V[15],@V[15],$a3
-+ stw @V[10],`$LITTLE_ENDIAN^40`($ctx)
-+ stw @V[11],`$LITTLE_ENDIAN^44`($ctx)
-+ adde @V[14],@V[14],$a2
-+ stw @V[12],`$LITTLE_ENDIAN^48`($ctx)
-+ stw @V[13],`$LITTLE_ENDIAN^52`($ctx)
-+ stw @V[14],`$LITTLE_ENDIAN^56`($ctx)
-+ stw @V[15],`$LITTLE_ENDIAN^60`($ctx)
-+
-+ addi $inp,$inp,`16*$SZ` ; advance inp
-+ $PUSH $inp,`$FRAME-$SIZE_T*23`($sp)
-+ $UCMP $inp,$num
-+ bne Lsha2_block_private
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,0,0
-+.size $func,.-$func
-+___
-+}
-
- # Ugly hack here, because PPC assembler syntax seem to vary too
- # much from platforms to platform...
-@@ -395,46 +727,46 @@ LPICmeup:
- .space `64-9*4`
- ___
- $code.=<<___ if ($SZ==8);
-- .long 0x428a2f98,0xd728ae22,0x71374491,0x23ef65cd
-- .long 0xb5c0fbcf,0xec4d3b2f,0xe9b5dba5,0x8189dbbc
-- .long 0x3956c25b,0xf348b538,0x59f111f1,0xb605d019
-- .long 0x923f82a4,0xaf194f9b,0xab1c5ed5,0xda6d8118
-- .long 0xd807aa98,0xa3030242,0x12835b01,0x45706fbe
-- .long 0x243185be,0x4ee4b28c,0x550c7dc3,0xd5ffb4e2
-- .long 0x72be5d74,0xf27b896f,0x80deb1fe,0x3b1696b1
-- .long 0x9bdc06a7,0x25c71235,0xc19bf174,0xcf692694
-- .long 0xe49b69c1,0x9ef14ad2,0xefbe4786,0x384f25e3
-- .long 0x0fc19dc6,0x8b8cd5b5,0x240ca1cc,0x77ac9c65
-- .long 0x2de92c6f,0x592b0275,0x4a7484aa,0x6ea6e483
-- .long 0x5cb0a9dc,0xbd41fbd4,0x76f988da,0x831153b5
-- .long 0x983e5152,0xee66dfab,0xa831c66d,0x2db43210
-- .long 0xb00327c8,0x98fb213f,0xbf597fc7,0xbeef0ee4
-- .long 0xc6e00bf3,0x3da88fc2,0xd5a79147,0x930aa725
-- .long 0x06ca6351,0xe003826f,0x14292967,0x0a0e6e70
-- .long 0x27b70a85,0x46d22ffc,0x2e1b2138,0x5c26c926
-- .long 0x4d2c6dfc,0x5ac42aed,0x53380d13,0x9d95b3df
-- .long 0x650a7354,0x8baf63de,0x766a0abb,0x3c77b2a8
-- .long 0x81c2c92e,0x47edaee6,0x92722c85,0x1482353b
-- .long 0xa2bfe8a1,0x4cf10364,0xa81a664b,0xbc423001
-- .long 0xc24b8b70,0xd0f89791,0xc76c51a3,0x0654be30
-- .long 0xd192e819,0xd6ef5218,0xd6990624,0x5565a910
-- .long 0xf40e3585,0x5771202a,0x106aa070,0x32bbd1b8
-- .long 0x19a4c116,0xb8d2d0c8,0x1e376c08,0x5141ab53
-- .long 0x2748774c,0xdf8eeb99,0x34b0bcb5,0xe19b48a8
-- .long 0x391c0cb3,0xc5c95a63,0x4ed8aa4a,0xe3418acb
-- .long 0x5b9cca4f,0x7763e373,0x682e6ff3,0xd6b2b8a3
-- .long 0x748f82ee,0x5defb2fc,0x78a5636f,0x43172f60
-- .long 0x84c87814,0xa1f0ab72,0x8cc70208,0x1a6439ec
-- .long 0x90befffa,0x23631e28,0xa4506ceb,0xde82bde9
-- .long 0xbef9a3f7,0xb2c67915,0xc67178f2,0xe372532b
-- .long 0xca273ece,0xea26619c,0xd186b8c7,0x21c0c207
-- .long 0xeada7dd6,0xcde0eb1e,0xf57d4f7f,0xee6ed178
-- .long 0x06f067aa,0x72176fba,0x0a637dc5,0xa2c898a6
-- .long 0x113f9804,0xbef90dae,0x1b710b35,0x131c471b
-- .long 0x28db77f5,0x23047d84,0x32caab7b,0x40c72493
-- .long 0x3c9ebe0a,0x15c9bebc,0x431d67c4,0x9c100d4c
-- .long 0x4cc5d4be,0xcb3e42b6,0x597f299c,0xfc657e2a
-- .long 0x5fcb6fab,0x3ad6faec,0x6c44198c,0x4a475817
-+ .quad 0x428a2f98d728ae22,0x7137449123ef65cd
-+ .quad 0xb5c0fbcfec4d3b2f,0xe9b5dba58189dbbc
-+ .quad 0x3956c25bf348b538,0x59f111f1b605d019
-+ .quad 0x923f82a4af194f9b,0xab1c5ed5da6d8118
-+ .quad 0xd807aa98a3030242,0x12835b0145706fbe
-+ .quad 0x243185be4ee4b28c,0x550c7dc3d5ffb4e2
-+ .quad 0x72be5d74f27b896f,0x80deb1fe3b1696b1
-+ .quad 0x9bdc06a725c71235,0xc19bf174cf692694
-+ .quad 0xe49b69c19ef14ad2,0xefbe4786384f25e3
-+ .quad 0x0fc19dc68b8cd5b5,0x240ca1cc77ac9c65
-+ .quad 0x2de92c6f592b0275,0x4a7484aa6ea6e483
-+ .quad 0x5cb0a9dcbd41fbd4,0x76f988da831153b5
-+ .quad 0x983e5152ee66dfab,0xa831c66d2db43210
-+ .quad 0xb00327c898fb213f,0xbf597fc7beef0ee4
-+ .quad 0xc6e00bf33da88fc2,0xd5a79147930aa725
-+ .quad 0x06ca6351e003826f,0x142929670a0e6e70
-+ .quad 0x27b70a8546d22ffc,0x2e1b21385c26c926
-+ .quad 0x4d2c6dfc5ac42aed,0x53380d139d95b3df
-+ .quad 0x650a73548baf63de,0x766a0abb3c77b2a8
-+ .quad 0x81c2c92e47edaee6,0x92722c851482353b
-+ .quad 0xa2bfe8a14cf10364,0xa81a664bbc423001
-+ .quad 0xc24b8b70d0f89791,0xc76c51a30654be30
-+ .quad 0xd192e819d6ef5218,0xd69906245565a910
-+ .quad 0xf40e35855771202a,0x106aa07032bbd1b8
-+ .quad 0x19a4c116b8d2d0c8,0x1e376c085141ab53
-+ .quad 0x2748774cdf8eeb99,0x34b0bcb5e19b48a8
-+ .quad 0x391c0cb3c5c95a63,0x4ed8aa4ae3418acb
-+ .quad 0x5b9cca4f7763e373,0x682e6ff3d6b2b8a3
-+ .quad 0x748f82ee5defb2fc,0x78a5636f43172f60
-+ .quad 0x84c87814a1f0ab72,0x8cc702081a6439ec
-+ .quad 0x90befffa23631e28,0xa4506cebde82bde9
-+ .quad 0xbef9a3f7b2c67915,0xc67178f2e372532b
-+ .quad 0xca273eceea26619c,0xd186b8c721c0c207
-+ .quad 0xeada7dd6cde0eb1e,0xf57d4f7fee6ed178
-+ .quad 0x06f067aa72176fba,0x0a637dc5a2c898a6
-+ .quad 0x113f9804bef90dae,0x1b710b35131c471b
-+ .quad 0x28db77f523047d84,0x32caab7b40c72493
-+ .quad 0x3c9ebe0a15c9bebc,0x431d67c49c100d4c
-+ .quad 0x4cc5d4becb3e42b6,0x597f299cfc657e2a
-+ .quad 0x5fcb6fab3ad6faec,0x6c44198c4a475817
- ___
- $code.=<<___ if ($SZ==4);
- .long 0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5
-diff --git a/crypto/sha/asm/sha512p8-ppc.pl b/crypto/sha/asm/sha512p8-ppc.pl
-new file mode 100755
-index 0000000..a316b31
---- /dev/null
-+++ b/crypto/sha/asm/sha512p8-ppc.pl
-@@ -0,0 +1,423 @@
-+#!/usr/bin/env perl
-+
-+# ====================================================================
-+# Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
-+# project. The module is, however, dual licensed under OpenSSL and
-+# CRYPTOGAMS licenses depending on where you obtain it. For further
-+# details see http://www.openssl.org/~appro/cryptogams/.
-+# ====================================================================
-+
-+# SHA256/512 for PowerISA v2.07.
-+#
-+# Accurate performance measurements are problematic, because it's
-+# always virtualized setup with possibly throttled processor.
-+# Relative comparison is therefore more informative. This module is
-+# ~60% faster than integer-only sha512-ppc.pl. To anchor to something
-+# else, SHA256 is 24% slower than sha1-ppc.pl and 2.5x slower than
-+# hardware-assisted aes-128-cbc encrypt. SHA512 is 20% faster than
-+# sha1-ppc.pl and 1.6x slower than aes-128-cbc. Another interesting
-+# result is degree of computational resources' utilization. POWER8 is
-+# "massively multi-threaded chip" and difference between single- and
-+# maximum multi-process benchmark results tells that utlization is
-+# whooping 94%. For sha512-ppc.pl we get [not unimpressive] 84% and
-+# for sha1-ppc.pl - 73%. 100% means that multi-process result equals
-+# to single-process one, given that all threads end up on the same
-+# physical core.
-+
-+$flavour=shift;
-+$output =shift;
-+
-+if ($flavour =~ /64/) {
-+ $SIZE_T=8;
-+ $LRSAVE=2*$SIZE_T;
-+ $STU="stdu";
-+ $POP="ld";
-+ $PUSH="std";
-+} elsif ($flavour =~ /32/) {
-+ $SIZE_T=4;
-+ $LRSAVE=$SIZE_T;
-+ $STU="stwu";
-+ $POP="lwz";
-+ $PUSH="stw";
-+} else { die "nonsense $flavour"; }
-+
-+$LENDIAN=($flavour=~/le/);
-+
-+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
-+( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or
-+( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or
-+die "can't locate ppc-xlate.pl";
-+
-+open STDOUT,"| $^X $xlate $flavour $output" || die "can't call $xlate: $!";
-+
-+if ($output =~ /512/) {
-+ $bits=512;
-+ $SZ=8;
-+ $sz="d";
-+ $rounds=80;
-+} else {
-+ $bits=256;
-+ $SZ=4;
-+ $sz="w";
-+ $rounds=64;
-+}
-+
-+$func="sha${bits}_block_p8";
-+$FRAME=8*$SIZE_T;
-+
-+$sp ="r1";
-+$toc="r2";
-+$ctx="r3";
-+$inp="r4";
-+$num="r5";
-+$Tbl="r6";
-+$idx="r7";
-+$lrsave="r8";
-+$offload="r11";
-+$vrsave="r12";
-+($x00,$x10,$x20,$x30,$x40,$x50,$x60,$x70)=map("r$_",(0,10,26..31));
-+
-+@V=($A,$B,$C,$D,$E,$F,$G,$H)=map("v$_",(0..7));
-+@X=map("v$_",(8..23));
-+($Ki,$Func,$S0,$S1,$s0,$s1,$lemask)=map("v$_",(24..31));
-+
-+sub ROUND {
-+my ($i,$a,$b,$c,$d,$e,$f,$g,$h)=@_;
-+my $j=($i+1)%16;
-+
-+$code.=<<___ if ($i<15 && ($i%(16/$SZ))==(16/$SZ-1));
-+ lvx_u @X[$i+1],0,$inp ; load X[i] in advance
-+ addi $inp,$inp,16
-+___
-+$code.=<<___ if ($i<16 && ($i%(16/$SZ)));
-+ vsldoi @X[$i],@X[$i-1],@X[$i-1],$SZ
-+___
-+$code.=<<___ if ($LENDIAN && $i<16 && ($i%(16/$SZ))==0);
-+ vperm @X[$i],@X[$i],@X[$i],$lemask
-+___
-+$code.=<<___;
-+ `"vshasigma${sz} $s0,@X[($j+1)%16],0,0" if ($i>=15)`
-+ vsel $Func,$g,$f,$e ; Ch(e,f,g)
-+ vshasigma${sz} $S1,$e,1,15 ; Sigma1(e)
-+ vaddu${sz}m $h,$h,@X[$i%16] ; h+=X[i]
-+ vshasigma${sz} $S0,$a,1,0 ; Sigma0(a)
-+ `"vshasigma${sz} $s1,@X[($j+14)%16],0,15" if ($i>=15)`
-+ vaddu${sz}m $h,$h,$Func ; h+=Ch(e,f,g)
-+ vxor $Func,$a,$b
-+ `"vaddu${sz}m @X[$j],@X[$j],@X[($j+9)%16]" if ($i>=15)`
-+ vaddu${sz}m $h,$h,$S1 ; h+=Sigma1(e)
-+ vsel $Func,$b,$c,$Func ; Maj(a,b,c)
-+ vaddu${sz}m $g,$g,$Ki ; future h+=K[i]
-+ vaddu${sz}m $d,$d,$h ; d+=h
-+ vaddu${sz}m $S0,$S0,$Func ; Sigma0(a)+Maj(a,b,c)
-+ `"vaddu${sz}m @X[$j],@X[$j],$s0" if ($i>=15)`
-+ lvx $Ki,$idx,$Tbl ; load next K[i]
-+ addi $idx,$idx,16
-+ vaddu${sz}m $h,$h,$S0 ; h+=Sigma0(a)+Maj(a,b,c)
-+ `"vaddu${sz}m @X[$j],@X[$j],$s1" if ($i>=15)`
-+___
-+}
-+
-+$code=<<___;
-+.machine "any"
-+.text
-+
-+.globl $func
-+.align 6
-+$func:
-+ $STU $sp,-`($FRAME+21*16+6*$SIZE_T)`($sp)
-+ mflr $lrsave
-+ li r10,`$FRAME+8*16+15`
-+ li r11,`$FRAME+8*16+31`
-+ stvx v20,r10,$sp # ABI says so
-+ addi r10,r10,32
-+ mfspr $vrsave,256
-+ stvx v21,r11,$sp
-+ addi r11,r11,32
-+ stvx v22,r10,$sp
-+ addi r10,r10,32
-+ stvx v23,r11,$sp
-+ addi r11,r11,32
-+ stvx v24,r10,$sp
-+ addi r10,r10,32
-+ stvx v25,r11,$sp
-+ addi r11,r11,32
-+ stvx v26,r10,$sp
-+ addi r10,r10,32
-+ stvx v27,r11,$sp
-+ addi r11,r11,32
-+ stvx v28,r10,$sp
-+ addi r10,r10,32
-+ stvx v29,r11,$sp
-+ addi r11,r11,32
-+ stvx v30,r10,$sp
-+ stvx v31,r11,$sp
-+ li r11,-1
-+ stw $vrsave,`$FRAME+21*16-4`($sp) # save vrsave
-+ li $x10,0x10
-+ $PUSH r26,`$FRAME+21*16+0*$SIZE_T`($sp)
-+ li $x20,0x20
-+ $PUSH r27,`$FRAME+21*16+1*$SIZE_T`($sp)
-+ li $x30,0x30
-+ $PUSH r28,`$FRAME+21*16+2*$SIZE_T`($sp)
-+ li $x40,0x40
-+ $PUSH r29,`$FRAME+21*16+3*$SIZE_T`($sp)
-+ li $x50,0x50
-+ $PUSH r30,`$FRAME+21*16+4*$SIZE_T`($sp)
-+ li $x60,0x60
-+ $PUSH r31,`$FRAME+21*16+5*$SIZE_T`($sp)
-+ li $x70,0x70
-+ $PUSH $lrsave,`$FRAME+21*16+6*$SIZE_T+$LRSAVE`($sp)
-+ mtspr 256,r11
-+
-+ bl LPICmeup
-+ addi $offload,$sp,$FRAME+15
-+___
-+$code.=<<___ if ($LENDIAN);
-+ li $idx,8
-+ lvsl $lemask,0,$idx
-+ vspltisb $Ki,0x0f
-+ vxor $lemask,$lemask,$Ki
-+___
-+$code.=<<___ if ($SZ==4);
-+ lvx_4w $A,$x00,$ctx
-+ lvx_4w $E,$x10,$ctx
-+ vsldoi $B,$A,$A,4 # unpack
-+ vsldoi $C,$A,$A,8
-+ vsldoi $D,$A,$A,12
-+ vsldoi $F,$E,$E,4
-+ vsldoi $G,$E,$E,8
-+ vsldoi $H,$E,$E,12
-+___
-+$code.=<<___ if ($SZ==8);
-+ lvx_u $A,$x00,$ctx
-+ lvx_u $C,$x10,$ctx
-+ lvx_u $E,$x20,$ctx
-+ vsldoi $B,$A,$A,8 # unpack
-+ lvx_u $G,$x30,$ctx
-+ vsldoi $D,$C,$C,8
-+ vsldoi $F,$E,$E,8
-+ vsldoi $H,$G,$G,8
-+___
-+$code.=<<___;
-+ li r0,`($rounds-16)/16` # inner loop counter
-+ b Loop
-+.align 5
-+Loop:
-+ lvx $Ki,$x00,$Tbl
-+ li $idx,16
-+ lvx_u @X[0],0,$inp
-+ addi $inp,$inp,16
-+ stvx $A,$x00,$offload # offload $A-$H
-+ stvx $B,$x10,$offload
-+ stvx $C,$x20,$offload
-+ stvx $D,$x30,$offload
-+ stvx $E,$x40,$offload
-+ stvx $F,$x50,$offload
-+ stvx $G,$x60,$offload
-+ stvx $H,$x70,$offload
-+ vaddu${sz}m $H,$H,$Ki # h+K[i]
-+ lvx $Ki,$idx,$Tbl
-+ addi $idx,$idx,16
-+___
-+for ($i=0;$i<16;$i++) { &ROUND($i,@V); unshift(@V,pop(@V)); }
-+$code.=<<___;
-+ mtctr r0
-+ b L16_xx
-+.align 5
-+L16_xx:
-+___
-+for (;$i<32;$i++) { &ROUND($i,@V); unshift(@V,pop(@V)); }
-+$code.=<<___;
-+ bdnz L16_xx
-+
-+ lvx @X[2],$x00,$offload
-+ subic. $num,$num,1
-+ lvx @X[3],$x10,$offload
-+ vaddu${sz}m $A,$A,@X[2]
-+ lvx @X[4],$x20,$offload
-+ vaddu${sz}m $B,$B,@X[3]
-+ lvx @X[5],$x30,$offload
-+ vaddu${sz}m $C,$C,@X[4]
-+ lvx @X[6],$x40,$offload
-+ vaddu${sz}m $D,$D,@X[5]
-+ lvx @X[7],$x50,$offload
-+ vaddu${sz}m $E,$E,@X[6]
-+ lvx @X[8],$x60,$offload
-+ vaddu${sz}m $F,$F,@X[7]
-+ lvx @X[9],$x70,$offload
-+ vaddu${sz}m $G,$G,@X[8]
-+ vaddu${sz}m $H,$H,@X[9]
-+ bne Loop
-+___
-+$code.=<<___ if ($SZ==4);
-+ lvx @X[0],$idx,$Tbl
-+ addi $idx,$idx,16
-+ vperm $A,$A,$B,$Ki # pack the answer
-+ lvx @X[1],$idx,$Tbl
-+ vperm $E,$E,$F,$Ki
-+ vperm $A,$A,$C,@X[0]
-+ vperm $E,$E,$G,@X[0]
-+ vperm $A,$A,$D,@X[1]
-+ vperm $E,$E,$H,@X[1]
-+ stvx_4w $A,$x00,$ctx
-+ stvx_4w $E,$x10,$ctx
-+___
-+$code.=<<___ if ($SZ==8);
-+ vperm $A,$A,$B,$Ki # pack the answer
-+ vperm $C,$C,$D,$Ki
-+ vperm $E,$E,$F,$Ki
-+ vperm $G,$G,$H,$Ki
-+ stvx_u $A,$x00,$ctx
-+ stvx_u $C,$x10,$ctx
-+ stvx_u $E,$x20,$ctx
-+ stvx_u $G,$x30,$ctx
-+___
-+$code.=<<___;
-+ li r10,`$FRAME+8*16+15`
-+ mtlr $lrsave
-+ li r11,`$FRAME+8*16+31`
-+ mtspr 256,$vrsave
-+ lvx v20,r10,$sp # ABI says so
-+ addi r10,r10,32
-+ lvx v21,r11,$sp
-+ addi r11,r11,32
-+ lvx v22,r10,$sp
-+ addi r10,r10,32
-+ lvx v23,r11,$sp
-+ addi r11,r11,32
-+ lvx v24,r10,$sp
-+ addi r10,r10,32
-+ lvx v25,r11,$sp
-+ addi r11,r11,32
-+ lvx v26,r10,$sp
-+ addi r10,r10,32
-+ lvx v27,r11,$sp
-+ addi r11,r11,32
-+ lvx v28,r10,$sp
-+ addi r10,r10,32
-+ lvx v29,r11,$sp
-+ addi r11,r11,32
-+ lvx v30,r10,$sp
-+ lvx v31,r11,$sp
-+ $POP r26,`$FRAME+21*16+0*$SIZE_T`($sp)
-+ $POP r27,`$FRAME+21*16+1*$SIZE_T`($sp)
-+ $POP r28,`$FRAME+21*16+2*$SIZE_T`($sp)
-+ $POP r29,`$FRAME+21*16+3*$SIZE_T`($sp)
-+ $POP r30,`$FRAME+21*16+4*$SIZE_T`($sp)
-+ $POP r31,`$FRAME+21*16+5*$SIZE_T`($sp)
-+ addi $sp,$sp,`$FRAME+21*16+6*$SIZE_T`
-+ blr
-+ .long 0
-+ .byte 0,12,4,1,0x80,6,3,0
-+ .long 0
-+.size $func,.-$func
-+___
-+
-+# Ugly hack here, because PPC assembler syntax seem to vary too
-+# much from platforms to platform...
-+$code.=<<___;
-+.align 6
-+LPICmeup:
-+ mflr r0
-+ bcl 20,31,\$+4
-+ mflr $Tbl ; vvvvvv "distance" between . and 1st data entry
-+ addi $Tbl,$Tbl,`64-8`
-+ mtlr r0
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,0,0
-+ .space `64-9*4`
-+___
-+
-+if ($SZ==8) {
-+ local *table = sub {
-+ foreach(@_) { $code.=".quad $_,$_\n"; }
-+ };
-+ table(
-+ "0x428a2f98d728ae22","0x7137449123ef65cd",
-+ "0xb5c0fbcfec4d3b2f","0xe9b5dba58189dbbc",
-+ "0x3956c25bf348b538","0x59f111f1b605d019",
-+ "0x923f82a4af194f9b","0xab1c5ed5da6d8118",
-+ "0xd807aa98a3030242","0x12835b0145706fbe",
-+ "0x243185be4ee4b28c","0x550c7dc3d5ffb4e2",
-+ "0x72be5d74f27b896f","0x80deb1fe3b1696b1",
-+ "0x9bdc06a725c71235","0xc19bf174cf692694",
-+ "0xe49b69c19ef14ad2","0xefbe4786384f25e3",
-+ "0x0fc19dc68b8cd5b5","0x240ca1cc77ac9c65",
-+ "0x2de92c6f592b0275","0x4a7484aa6ea6e483",
-+ "0x5cb0a9dcbd41fbd4","0x76f988da831153b5",
-+ "0x983e5152ee66dfab","0xa831c66d2db43210",
-+ "0xb00327c898fb213f","0xbf597fc7beef0ee4",
-+ "0xc6e00bf33da88fc2","0xd5a79147930aa725",
-+ "0x06ca6351e003826f","0x142929670a0e6e70",
-+ "0x27b70a8546d22ffc","0x2e1b21385c26c926",
-+ "0x4d2c6dfc5ac42aed","0x53380d139d95b3df",
-+ "0x650a73548baf63de","0x766a0abb3c77b2a8",
-+ "0x81c2c92e47edaee6","0x92722c851482353b",
-+ "0xa2bfe8a14cf10364","0xa81a664bbc423001",
-+ "0xc24b8b70d0f89791","0xc76c51a30654be30",
-+ "0xd192e819d6ef5218","0xd69906245565a910",
-+ "0xf40e35855771202a","0x106aa07032bbd1b8",
-+ "0x19a4c116b8d2d0c8","0x1e376c085141ab53",
-+ "0x2748774cdf8eeb99","0x34b0bcb5e19b48a8",
-+ "0x391c0cb3c5c95a63","0x4ed8aa4ae3418acb",
-+ "0x5b9cca4f7763e373","0x682e6ff3d6b2b8a3",
-+ "0x748f82ee5defb2fc","0x78a5636f43172f60",
-+ "0x84c87814a1f0ab72","0x8cc702081a6439ec",
-+ "0x90befffa23631e28","0xa4506cebde82bde9",
-+ "0xbef9a3f7b2c67915","0xc67178f2e372532b",
-+ "0xca273eceea26619c","0xd186b8c721c0c207",
-+ "0xeada7dd6cde0eb1e","0xf57d4f7fee6ed178",
-+ "0x06f067aa72176fba","0x0a637dc5a2c898a6",
-+ "0x113f9804bef90dae","0x1b710b35131c471b",
-+ "0x28db77f523047d84","0x32caab7b40c72493",
-+ "0x3c9ebe0a15c9bebc","0x431d67c49c100d4c",
-+ "0x4cc5d4becb3e42b6","0x597f299cfc657e2a",
-+ "0x5fcb6fab3ad6faec","0x6c44198c4a475817","0");
-+$code.=<<___ if (!$LENDIAN);
-+.quad 0x0001020304050607,0x1011121314151617
-+___
-+$code.=<<___ if ($LENDIAN); # quad-swapped
-+.quad 0x1011121314151617,0x0001020304050607
-+___
-+} else {
-+ local *table = sub {
-+ foreach(@_) { $code.=".long $_,$_,$_,$_\n"; }
-+ };
-+ table(
-+ "0x428a2f98","0x71374491","0xb5c0fbcf","0xe9b5dba5",
-+ "0x3956c25b","0x59f111f1","0x923f82a4","0xab1c5ed5",
-+ "0xd807aa98","0x12835b01","0x243185be","0x550c7dc3",
-+ "0x72be5d74","0x80deb1fe","0x9bdc06a7","0xc19bf174",
-+ "0xe49b69c1","0xefbe4786","0x0fc19dc6","0x240ca1cc",
-+ "0x2de92c6f","0x4a7484aa","0x5cb0a9dc","0x76f988da",
-+ "0x983e5152","0xa831c66d","0xb00327c8","0xbf597fc7",
-+ "0xc6e00bf3","0xd5a79147","0x06ca6351","0x14292967",
-+ "0x27b70a85","0x2e1b2138","0x4d2c6dfc","0x53380d13",
-+ "0x650a7354","0x766a0abb","0x81c2c92e","0x92722c85",
-+ "0xa2bfe8a1","0xa81a664b","0xc24b8b70","0xc76c51a3",
-+ "0xd192e819","0xd6990624","0xf40e3585","0x106aa070",
-+ "0x19a4c116","0x1e376c08","0x2748774c","0x34b0bcb5",
-+ "0x391c0cb3","0x4ed8aa4a","0x5b9cca4f","0x682e6ff3",
-+ "0x748f82ee","0x78a5636f","0x84c87814","0x8cc70208",
-+ "0x90befffa","0xa4506ceb","0xbef9a3f7","0xc67178f2","0");
-+$code.=<<___ if (!$LENDIAN);
-+.long 0x00010203,0x10111213,0x10111213,0x10111213
-+.long 0x00010203,0x04050607,0x10111213,0x10111213
-+.long 0x00010203,0x04050607,0x08090a0b,0x10111213
-+___
-+$code.=<<___ if ($LENDIAN); # word-swapped
-+.long 0x10111213,0x10111213,0x10111213,0x00010203
-+.long 0x10111213,0x10111213,0x04050607,0x00010203
-+.long 0x10111213,0x08090a0b,0x04050607,0x00010203
-+___
-+}
-+$code.=<<___;
-+.asciz "SHA${bits} for PowerISA 2.07, CRYPTOGAMS by <appro\@openssl.org>"
-+.align 2
-+___
-+
-+$code =~ s/\`([^\`]*)\`/eval $1/gem;
-+print $code;
-+close STDOUT;
diff --git a/SOURCES/openssl-1.0.1e-req-keylen.patch b/SOURCES/openssl-1.0.1e-req-keylen.patch
deleted file mode 100644
index 1574bb8..0000000
--- a/SOURCES/openssl-1.0.1e-req-keylen.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-diff -up openssl-1.0.1e/apps/req.c.keylen openssl-1.0.1e/apps/req.c
---- openssl-1.0.1e/apps/req.c.keylen 2014-02-12 14:58:29.000000000 +0100
-+++ openssl-1.0.1e/apps/req.c 2014-02-14 13:52:48.692325000 +0100
-@@ -644,6 +644,12 @@ bad:
- if (inrand)
- app_RAND_load_files(inrand);
-
-+ if (newkey <= 0)
-+ {
-+ if (!NCONF_get_number(req_conf,SECTION,BITS, &newkey))
-+ newkey=DEFAULT_KEY_LENGTH;
-+ }
-+
- if (keyalg)
- {
- genctx = set_keygen_ctx(bio_err, keyalg, &pkey_type, &newkey,
-@@ -651,12 +657,6 @@ bad:
- if (!genctx)
- goto end;
- }
--
-- if (newkey <= 0)
-- {
-- if (!NCONF_get_number(req_conf,SECTION,BITS, &newkey))
-- newkey=DEFAULT_KEY_LENGTH;
-- }
-
- if (newkey < MIN_KEY_LENGTH && (pkey_type == EVP_PKEY_RSA || pkey_type == EVP_PKEY_DSA))
- {
-@@ -1649,6 +1649,8 @@ static EVP_PKEY_CTX *set_keygen_ctx(BIO
- keylen = atol(p + 1);
- *pkeylen = keylen;
- }
-+ else
-+ keylen = *pkeylen;
- }
- else if (p)
- paramfile = p + 1;
diff --git a/SOURCES/openssl-1.0.1e-rpmbuild.patch b/SOURCES/openssl-1.0.1e-rpmbuild.patch
deleted file mode 100644
index 14b2ba9..0000000
--- a/SOURCES/openssl-1.0.1e-rpmbuild.patch
+++ /dev/null
@@ -1,112 +0,0 @@
-diff -up openssl-1.0.1e/Configure.rpmbuild openssl-1.0.1e/Configure
---- openssl-1.0.1e/Configure.rpmbuild 2014-08-13 19:19:53.211005598 +0200
-+++ openssl-1.0.1e/Configure 2014-08-13 19:29:21.704099285 +0200
-@@ -345,24 +345,24 @@ my %table=(
- ####
- # *-generic* is endian-neutral target, but ./config is free to
- # throw in -D[BL]_ENDIAN, whichever appropriate...
--"linux-generic32","gcc:-DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--"linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-generic32","gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
-+"linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
- # It's believed that majority of ARM toolchains predefine appropriate -march.
- # If you compiler does not, do complement config command line with one!
--"linux-armv4", "gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-armv4", "gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
- #### IA-32 targets...
- "linux-ia32-icc", "icc:-DL_ENDIAN -DTERMIO -O2 -no_cpprt::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
- "linux-aout", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out",
- ####
--"linux-generic64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--"linux-ppc64", "gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
--"linux-ppc64le","gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:$ppc64_asm:linux64le:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::",
--"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-generic64","gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
-+"linux-ppc64", "gcc:-m64 -DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
-+"linux-ppc64le","gcc:-m64 -DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64le:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
-+"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
- "linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- "linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
--"linux64-s390x", "gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-+"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
-+"linux64-s390x", "gcc:-m64 -DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
- #### So called "highgprs" target for z/Architecture CPUs
- # "Highgprs" is kernel feature first implemented in Linux 2.6.32, see
- # /proc/cpuinfo. The idea is to preserve most significant bits of
-@@ -376,16 +376,17 @@ my %table=(
- # ldconfig and run-time linker to autodiscover. Unfortunately it
- # doesn't work just yet, because of couple of bugs in glibc
- # sysdeps/s390/dl-procinfo.c affecting ldconfig and ld.so.1...
--"linux32-s390x", "gcc:-m31 -Wa,-mzarch -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$s390x_asm;$asm=~s/bn\-s390x\.o/bn_asm.o/;$asm}.":31:dlfcn:linux-shared:-fPIC:-m31:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/highgprs",
-+"linux32-s390x", "gcc:-m31 -Wa,-mzarch -DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$s390x_asm;$asm=~s/bn\-s390x\.o/bn_asm.o/;$asm}.":31:dlfcn:linux-shared:-fPIC:-m31 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::/highgprs",
- #### SPARC Linux setups
- # Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently
- # assisted with debugging of following two configs.
--"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-sparcv8","gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS) -DBN_DIV2W::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
- # it's a real mess with -mcpu=ultrasparc option under Linux, but
- # -Wa,-Av8plus should do the trick no matter what.
--"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-sparcv9","gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS) -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
- # GCC 3.1 is a requirement
--"linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-+"linux64-sparcv9","gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT:ULTRASPARC:-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
-+"linux-aarch64","gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
- #### Alpha Linux with GNU C and Compaq C setups
- # Special notes:
- # - linux-alpha+bwx-gcc is ment to be used from ./config only. If you
-@@ -399,8 +400,8 @@ my %table=(
- #
- # <appro@fy.chalmers.se>
- #
--"linux-alpha-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--"linux-alpha+bwx-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-alpha-gcc","gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
-+"linux-alpha+bwx-gcc","gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
- "linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
- "linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
-
-@@ -1675,7 +1676,7 @@ while (<IN>)
- elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
- {
- my $sotmp = $1;
-- s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/;
-+ s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_SONAMEVER) .s$sotmp/;
- }
- elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/)
- {
-diff -up openssl-1.0.1e/Makefile.org.rpmbuild openssl-1.0.1e/Makefile.org
---- openssl-1.0.1e/Makefile.org.rpmbuild 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/Makefile.org 2014-08-13 19:19:53.218005759 +0200
-@@ -10,6 +10,7 @@ SHLIB_VERSION_HISTORY=
- SHLIB_MAJOR=
- SHLIB_MINOR=
- SHLIB_EXT=
-+SHLIB_SONAMEVER=10
- PLATFORM=dist
- OPTIONS=
- CONFIGURE_ARGS=
-@@ -333,10 +334,9 @@ clean-shared:
- link-shared:
- @ set -e; for i in $(SHLIBDIRS); do \
- $(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \
-- LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
-+ LIBNAME=$$i LIBVERSION=$(SHLIB_SONAMEVER) \
- LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
- symlink.$(SHLIB_TARGET); \
-- libs="$$libs -l$$i"; \
- done
-
- build-shared: do_$(SHLIB_TARGET) link-shared
-@@ -347,7 +347,7 @@ do_$(SHLIB_TARGET):
- libs="$(LIBKRB5) $$libs"; \
- fi; \
- $(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \
-- LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
-+ LIBNAME=$$i LIBVERSION=$(SHLIB_SONAMEVER) \
- LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
- LIBDEPS="$$libs $(EX_LIBS)" \
- link_a.$(SHLIB_TARGET); \
diff --git a/SOURCES/openssl-1.0.1e-sctp-updates.patch b/SOURCES/openssl-1.0.1e-sctp-updates.patch
deleted file mode 100644
index b152189..0000000
--- a/SOURCES/openssl-1.0.1e-sctp-updates.patch
+++ /dev/null
@@ -1,313 +0,0 @@
-diff -up openssl-1.0.1e/crypto/bio/bio.h.sctp openssl-1.0.1e/crypto/bio/bio.h
---- openssl-1.0.1e/crypto/bio/bio.h.sctp 2016-04-07 13:54:03.296270801 +0200
-+++ openssl-1.0.1e/crypto/bio/bio.h 2016-04-07 14:02:53.436214294 +0200
-@@ -175,6 +175,8 @@ extern "C" {
- #define BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT 45 /* Next DTLS handshake timeout to
- * adjust socket timeouts */
-
-+#define BIO_CTRL_DGRAM_GET_MTU_OVERHEAD 49
-+
- #ifndef OPENSSL_NO_SCTP
- /* SCTP stuff */
- #define BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE 50
-@@ -607,6 +609,8 @@ int BIO_ctrl_reset_read_request(BIO *b);
- (int)BIO_ctrl(b, BIO_CTRL_DGRAM_GET_PEER, 0, (char *)peer)
- #define BIO_dgram_set_peer(b,peer) \
- (int)BIO_ctrl(b, BIO_CTRL_DGRAM_SET_PEER, 0, (char *)peer)
-+#define BIO_dgram_get_mtu_overhead(b) \
-+ (unsigned int)BIO_ctrl((b), BIO_CTRL_DGRAM_GET_MTU_OVERHEAD, 0, NULL)
-
- /* These two aren't currently implemented */
- /* int BIO_get_ex_num(BIO *bio); */
-diff -up openssl-1.0.1e/crypto/bio/bss_dgram.c.sctp openssl-1.0.1e/crypto/bio/bss_dgram.c
---- openssl-1.0.1e/crypto/bio/bss_dgram.c.sctp 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/bio/bss_dgram.c 2016-04-07 14:02:53.437214317 +0200
-@@ -454,6 +454,36 @@ static int dgram_write(BIO *b, const cha
- return(ret);
- }
-
-+static long dgram_get_mtu_overhead(bio_dgram_data *data)
-+ {
-+ long ret;
-+
-+ switch (data->peer.sa.sa_family)
-+ {
-+ case AF_INET:
-+ /* Assume this is UDP - 20 bytes for IP, 8 bytes for UDP */
-+ ret = 28;
-+ break;
-+#if OPENSSL_USE_IPV6
-+ case AF_INET6:
-+#ifdef IN6_IS_ADDR_V4MAPPED
-+ if (IN6_IS_ADDR_V4MAPPED(&data->peer.sa_in6.sin6_addr))
-+ /* Assume this is UDP - 20 bytes for IP, 8 bytes for UDP */
-+ ret = 28;
-+ else
-+#endif
-+ /* Assume this is UDP - 40 bytes for IP, 8 bytes for UDP */
-+ ret = 48;
-+ break;
-+#endif
-+ default:
-+ /* We don't know. Go with the historical default */
-+ ret = 28;
-+ break;
-+ }
-+ return ret;
-+ }
-+
- static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
- {
- long ret=1;
-@@ -630,23 +660,24 @@ static long dgram_ctrl(BIO *b, int cmd,
- #endif
- break;
- case BIO_CTRL_DGRAM_GET_FALLBACK_MTU:
-+ ret = -dgram_get_mtu_overhead(data);
- switch (data->peer.sa.sa_family)
- {
- case AF_INET:
-- ret = 576 - 20 - 8;
-+ ret += 576;
- break;
- #if OPENSSL_USE_IPV6
- case AF_INET6:
- #ifdef IN6_IS_ADDR_V4MAPPED
- if (IN6_IS_ADDR_V4MAPPED(&data->peer.sa_in6.sin6_addr))
-- ret = 576 - 20 - 8;
-+ ret += 576;
- else
- #endif
-- ret = 1280 - 40 - 8;
-+ ret += 1280;
- break;
- #endif
- default:
-- ret = 576 - 20 - 8;
-+ ret += 576;
- break;
- }
- break;
-@@ -847,6 +878,9 @@ static long dgram_ctrl(BIO *b, int cmd,
- ret = 0;
- break;
- #endif
-+ case BIO_CTRL_DGRAM_GET_MTU_OVERHEAD:
-+ ret = dgram_get_mtu_overhead(data);
-+ break;
- default:
- ret=0;
- break;
-@@ -906,8 +940,8 @@ BIO *BIO_new_dgram_sctp(int fd, int clos
- memset(authchunks, 0, sizeof(sockopt_len));
- ret = getsockopt(fd, IPPROTO_SCTP, SCTP_LOCAL_AUTH_CHUNKS, authchunks, &sockopt_len);
- OPENSSL_assert(ret >= 0);
--
-- for (p = (unsigned char*) authchunks + sizeof(sctp_assoc_t);
-+
-+ for (p = (unsigned char*) authchunks->gauth_chunks;
- p < (unsigned char*) authchunks + sockopt_len;
- p += sizeof(uint8_t))
- {
-@@ -1197,7 +1231,7 @@ static int dgram_sctp_read(BIO *b, char
- ii = getsockopt(b->num, IPPROTO_SCTP, SCTP_PEER_AUTH_CHUNKS, authchunks, &optlen);
- OPENSSL_assert(ii >= 0);
-
-- for (p = (unsigned char*) authchunks + sizeof(sctp_assoc_t);
-+ for (p = (unsigned char*) authchunks->gauth_chunks;
- p < (unsigned char*) authchunks + optlen;
- p += sizeof(uint8_t))
- {
-@@ -1367,6 +1401,10 @@ static long dgram_sctp_ctrl(BIO *b, int
- * Returns always 1.
- */
- break;
-+ case BIO_CTRL_DGRAM_GET_MTU_OVERHEAD:
-+ /* We allow transport protocol fragmentation so this is irrelevant */
-+ ret = 0;
-+ break;
- case BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE:
- if (num > 0)
- data->in_handshake = 1;
-@@ -1399,6 +1437,7 @@ static long dgram_sctp_ctrl(BIO *b, int
- memcpy(&authkey->sca_key[0], ptr, 64 * sizeof(uint8_t));
-
- ret = setsockopt(b->num, IPPROTO_SCTP, SCTP_AUTH_KEY, authkey, sockopt_len);
-+ OPENSSL_free(authkey);
- if (ret < 0) break;
-
- /* Reset active key */
-diff -up openssl-1.0.1e/ssl/d1_both.c.sctp openssl-1.0.1e/ssl/d1_both.c
---- openssl-1.0.1e/ssl/d1_both.c.sctp 2016-04-07 14:09:35.193261496 +0200
-+++ openssl-1.0.1e/ssl/d1_both.c 2016-04-07 14:11:18.838592357 +0200
-@@ -1458,14 +1458,17 @@ int dtls1_shutdown(SSL *s)
- {
- int ret;
- #ifndef OPENSSL_NO_SCTP
-- if (BIO_dgram_is_sctp(SSL_get_wbio(s)) &&
-+ BIO *wbio;
-+
-+ wbio = SSL_get_wbio(s);
-+ if (wbio != NULL && BIO_dgram_is_sctp(wbio) &&
- !(s->shutdown & SSL_SENT_SHUTDOWN))
- {
-- ret = BIO_dgram_sctp_wait_for_dry(SSL_get_wbio(s));
-+ ret = BIO_dgram_sctp_wait_for_dry(wbio);
- if (ret < 0) return -1;
-
- if (ret == 0)
-- BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SAVE_SHUTDOWN, 1, NULL);
-+ BIO_ctrl(wbio, BIO_CTRL_DGRAM_SCTP_SAVE_SHUTDOWN, 1, NULL);
- }
- #endif
- ret = ssl3_shutdown(s);
-diff -up openssl-1.0.1e/ssl/d1_clnt.c.sctp openssl-1.0.1e/ssl/d1_clnt.c
---- openssl-1.0.1e/ssl/d1_clnt.c.sctp 2016-04-07 13:54:03.505275509 +0200
-+++ openssl-1.0.1e/ssl/d1_clnt.c 2016-04-07 14:06:48.581511870 +0200
-@@ -338,9 +338,13 @@ int dtls1_connect(SSL *s)
- snprintf((char*) labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL),
- DTLS1_SCTP_AUTH_LABEL);
-
-- SSL_export_keying_material(s, sctpauthkey,
-+ if (SSL_export_keying_material(s, sctpauthkey,
- sizeof(sctpauthkey), labelbuffer,
-- sizeof(labelbuffer), NULL, 0, 0);
-+ sizeof(labelbuffer), NULL, 0, 0) <= 0)
-+ {
-+ ret = -1;
-+ goto end;
-+ }
-
- BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
- sizeof(sctpauthkey), sctpauthkey);
-@@ -479,9 +483,13 @@ int dtls1_connect(SSL *s)
- snprintf((char*) labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL),
- DTLS1_SCTP_AUTH_LABEL);
-
-- SSL_export_keying_material(s, sctpauthkey,
-+ if (SSL_export_keying_material(s, sctpauthkey,
- sizeof(sctpauthkey), labelbuffer,
-- sizeof(labelbuffer), NULL, 0, 0);
-+ sizeof(labelbuffer), NULL, 0, 0) <= 0)
-+ {
-+ ret = -1;
-+ goto end;
-+ }
-
- BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
- sizeof(sctpauthkey), sctpauthkey);
-@@ -538,13 +546,6 @@ int dtls1_connect(SSL *s)
- SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B);
- if (ret <= 0) goto end;
-
--#ifndef OPENSSL_NO_SCTP
-- /* Change to new shared key of SCTP-Auth,
-- * will be ignored if no SCTP used.
-- */
-- BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL);
--#endif
--
- s->state=SSL3_ST_CW_FINISHED_A;
- s->init_num=0;
-
-@@ -571,6 +572,16 @@ int dtls1_connect(SSL *s)
- goto end;
- }
-
-+#ifndef OPENSSL_NO_SCTP
-+ if (s->hit)
-+ {
-+ /* Change to new shared key of SCTP-Auth,
-+ * will be ignored if no SCTP used.
-+ */
-+ BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL);
-+ }
-+#endif
-+
- dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
- break;
-
-@@ -613,6 +624,13 @@ int dtls1_connect(SSL *s)
- }
- else
- {
-+#ifndef OPENSSL_NO_SCTP
-+ /* Change to new shared key of SCTP-Auth,
-+ * will be ignored if no SCTP used.
-+ */
-+ BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL);
-+#endif
-+
- #ifndef OPENSSL_NO_TLSEXT
- /* Allow NewSessionTicket if ticket expected */
- if (s->tlsext_ticket_expected)
-diff -up openssl-1.0.1e/ssl/d1_srvr.c.sctp openssl-1.0.1e/ssl/d1_srvr.c
---- openssl-1.0.1e/ssl/d1_srvr.c.sctp 2016-04-07 13:54:03.529276050 +0200
-+++ openssl-1.0.1e/ssl/d1_srvr.c 2016-04-07 14:08:56.110382568 +0200
-@@ -395,9 +395,13 @@ int dtls1_accept(SSL *s)
- snprintf((char*) labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL),
- DTLS1_SCTP_AUTH_LABEL);
-
-- SSL_export_keying_material(s, sctpauthkey,
-+ if (SSL_export_keying_material(s, sctpauthkey,
- sizeof(sctpauthkey), labelbuffer,
-- sizeof(labelbuffer), NULL, 0, 0);
-+ sizeof(labelbuffer), NULL, 0, 0) <= 0)
-+ {
-+ ret = -1;
-+ goto end;
-+ }
-
- BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
- sizeof(sctpauthkey), sctpauthkey);
-@@ -609,9 +613,13 @@ int dtls1_accept(SSL *s)
- snprintf((char *) labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL),
- DTLS1_SCTP_AUTH_LABEL);
-
-- SSL_export_keying_material(s, sctpauthkey,
-+ if (SSL_export_keying_material(s, sctpauthkey,
- sizeof(sctpauthkey), labelbuffer,
-- sizeof(labelbuffer), NULL, 0, 0);
-+ sizeof(labelbuffer), NULL, 0, 0) <= 0)
-+ {
-+ ret = -1;
-+ goto end;
-+ }
-
- BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
- sizeof(sctpauthkey), sctpauthkey);
-@@ -713,10 +721,13 @@ int dtls1_accept(SSL *s)
- if (ret <= 0) goto end;
-
- #ifndef OPENSSL_NO_SCTP
-- /* Change to new shared key of SCTP-Auth,
-- * will be ignored if no SCTP used.
-- */
-- BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL);
-+ if (!s->hit)
-+ {
-+ /* Change to new shared key of SCTP-Auth,
-+ * will be ignored if no SCTP used.
-+ */
-+ BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL);
-+ }
- #endif
-
- s->state=SSL3_ST_SW_FINISHED_A;
-@@ -741,7 +752,16 @@ int dtls1_accept(SSL *s)
- if (ret <= 0) goto end;
- s->state=SSL3_ST_SW_FLUSH;
- if (s->hit)
-+ {
- s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
-+
-+#ifndef OPENSSL_NO_SCTP
-+ /* Change to new shared key of SCTP-Auth,
-+ * will be ignored if no SCTP used.
-+ */
-+ BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL);
-+#endif
-+ }
- else
- {
- s->s3->tmp.next_state=SSL_ST_OK;
diff --git a/SOURCES/openssl-1.0.1e-secure-getenv.patch b/SOURCES/openssl-1.0.1e-secure-getenv.patch
deleted file mode 100644
index eb8034d..0000000
--- a/SOURCES/openssl-1.0.1e-secure-getenv.patch
+++ /dev/null
@@ -1,244 +0,0 @@
-diff -up openssl-1.0.1e/crypto/conf/conf_api.c.secure-getenv openssl-1.0.1e/crypto/conf/conf_api.c
---- openssl-1.0.1e/crypto/conf/conf_api.c.secure-getenv 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/conf/conf_api.c 2013-02-19 13:02:02.531188124 +0100
-@@ -63,6 +63,8 @@
- # define NDEBUG
- #endif
-
-+/* for secure_getenv */
-+#define _GNU_SOURCE
- #include <assert.h>
- #include <stdlib.h>
- #include <string.h>
-@@ -142,7 +144,7 @@ char *_CONF_get_string(const CONF *conf,
- if (v != NULL) return(v->value);
- if (strcmp(section,"ENV") == 0)
- {
-- p=getenv(name);
-+ p=secure_getenv(name);
- if (p != NULL) return(p);
- }
- }
-@@ -155,7 +157,7 @@ char *_CONF_get_string(const CONF *conf,
- return(NULL);
- }
- else
-- return(getenv(name));
-+ return (secure_getenv(name));
- }
-
- #if 0 /* There's no way to provide error checking with this function, so
-diff -up openssl-1.0.1e/crypto/conf/conf_mod.c.secure-getenv openssl-1.0.1e/crypto/conf/conf_mod.c
---- openssl-1.0.1e/crypto/conf/conf_mod.c.secure-getenv 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/conf/conf_mod.c 2013-02-19 13:02:02.531188124 +0100
-@@ -56,6 +56,8 @@
- *
- */
-
-+/* for secure_getenv */
-+#define _GNU_SOURCE
- #include <stdio.h>
- #include <ctype.h>
- #include <openssl/crypto.h>
-@@ -548,8 +550,8 @@ char *CONF_get1_default_config_file(void
- char *file;
- int len;
-
-- file = getenv("OPENSSL_CONF");
-- if (file)
-+ file = secure_getenv("OPENSSL_CONF");
-+ if (file)
- return BUF_strdup(file);
-
- len = strlen(X509_get_default_cert_area());
-diff -up openssl-1.0.1e/crypto/engine/eng_list.c.secure-getenv openssl-1.0.1e/crypto/engine/eng_list.c
---- openssl-1.0.1e/crypto/engine/eng_list.c.secure-getenv 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/engine/eng_list.c 2013-02-19 13:02:02.536188233 +0100
-@@ -61,6 +61,8 @@
- * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
- */
-
-+/* for secure_getenv */
-+#define _GNU_SOURCE
- #include "eng_int.h"
-
- /* The linked-list of pointers to engine types. engine_list_head
-@@ -399,9 +401,9 @@ ENGINE *ENGINE_by_id(const char *id)
- if (strcmp(id, "dynamic"))
- {
- #ifdef OPENSSL_SYS_VMS
-- if((load_dir = getenv("OPENSSL_ENGINES")) == 0) load_dir = "SSLROOT:[ENGINES]";
-+ if(OPENSSL_issetugid() || (load_dir = getenv("OPENSSL_ENGINES")) == 0) load_dir = "SSLROOT:[ENGINES]";
- #else
-- if((load_dir = getenv("OPENSSL_ENGINES")) == 0) load_dir = ENGINESDIR;
-+ if((load_dir = secure_getenv("OPENSSL_ENGINES")) == 0) load_dir = ENGINESDIR;
- #endif
- iterator = ENGINE_by_id("dynamic");
- if(!iterator || !ENGINE_ctrl_cmd_string(iterator, "ID", id, 0) ||
-diff -up openssl-1.0.1e/crypto/md5/md5_dgst.c.secure-getenv openssl-1.0.1e/crypto/md5/md5_dgst.c
---- openssl-1.0.1e/crypto/md5/md5_dgst.c.secure-getenv 2013-02-19 13:02:02.492187275 +0100
-+++ openssl-1.0.1e/crypto/md5/md5_dgst.c 2013-02-19 13:02:02.537188254 +0100
-@@ -56,6 +56,8 @@
- * [including the GNU Public Licence.]
- */
-
-+/* for secure_getenv */
-+#define _GNU_SOURCE
- #include <stdio.h>
- #include "md5_locl.h"
- #include <openssl/opensslv.h>
-@@ -74,7 +76,7 @@ const char MD5_version[]="MD5" OPENSSL_V
- int MD5_Init(MD5_CTX *c)
- #ifdef OPENSSL_FIPS
- {
-- if (FIPS_mode() && getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL)
-+ if (FIPS_mode() && secure_getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL)
- OpenSSLDie(__FILE__, __LINE__, \
- "Digest MD5 forbidden in FIPS mode!");
- return private_MD5_Init(c);
-diff -up openssl-1.0.1e/crypto/o_init.c.secure-getenv openssl-1.0.1e/crypto/o_init.c
---- openssl-1.0.1e/crypto/o_init.c.secure-getenv 2013-02-19 13:02:02.428185882 +0100
-+++ openssl-1.0.1e/crypto/o_init.c 2013-02-19 13:02:02.538188276 +0100
-@@ -52,6 +52,8 @@
- *
- */
-
-+/* for secure_getenv */
-+#define _GNU_SOURCE
- #include <e_os.h>
- #include <openssl/err.h>
- #ifdef OPENSSL_FIPS
-@@ -71,7 +73,7 @@ static void init_fips_mode(void)
- char buf[2] = "0";
- int fd;
-
-- if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
-+ if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
- {
- buf[0] = '1';
- }
-diff -up openssl-1.0.1e/crypto/rand/randfile.c.secure-getenv openssl-1.0.1e/crypto/rand/randfile.c
---- openssl-1.0.1e/crypto/rand/randfile.c.secure-getenv 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/rand/randfile.c 2013-02-19 13:03:06.971591052 +0100
-@@ -60,6 +60,8 @@
- #if !defined(OPENSSL_SYS_VXWORKS)
- #define _XOPEN_SOURCE 500
- #endif
-+/* for secure_getenv */
-+#define _GNU_SOURCE
-
- #include <errno.h>
- #include <stdio.h>
-@@ -277,8 +279,7 @@ const char *RAND_file_name(char *buf, si
- struct stat sb;
- #endif
-
-- if (OPENSSL_issetugid() == 0)
-- s=getenv("RANDFILE");
-+ s=secure_getenv("RANDFILE");
- if (s != NULL && *s && strlen(s) + 1 < size)
- {
- if (BUF_strlcpy(buf,s,size) >= size)
-@@ -286,8 +287,7 @@ const char *RAND_file_name(char *buf, si
- }
- else
- {
-- if (OPENSSL_issetugid() == 0)
-- s=getenv("HOME");
-+ s=secure_getenv("HOME");
- #ifdef DEFAULT_HOME
- if (s == NULL)
- {
-diff -up openssl-1.0.1e/crypto/x509/by_dir.c.secure-getenv openssl-1.0.1e/crypto/x509/by_dir.c
---- openssl-1.0.1e/crypto/x509/by_dir.c.secure-getenv 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/x509/by_dir.c 2013-02-19 13:02:02.539188298 +0100
-@@ -56,6 +56,8 @@
- * [including the GNU Public Licence.]
- */
-
-+/* for secure_getenv */
-+#define _GNU_SOURCE
- #include <stdio.h>
- #include <time.h>
- #include <errno.h>
-@@ -135,7 +137,7 @@ static int dir_ctrl(X509_LOOKUP *ctx, in
- case X509_L_ADD_DIR:
- if (argl == X509_FILETYPE_DEFAULT)
- {
-- dir=(char *)getenv(X509_get_default_cert_dir_env());
-+ dir=(char *)secure_getenv(X509_get_default_cert_dir_env());
- if (dir)
- ret=add_cert_dir(ld,dir,X509_FILETYPE_PEM);
- else
-diff -up openssl-1.0.1e/crypto/x509/by_file.c.secure-getenv openssl-1.0.1e/crypto/x509/by_file.c
---- openssl-1.0.1e/crypto/x509/by_file.c.secure-getenv 2013-02-19 13:02:02.236181701 +0100
-+++ openssl-1.0.1e/crypto/x509/by_file.c 2013-02-19 13:02:02.554188624 +0100
-@@ -56,6 +56,8 @@
- * [including the GNU Public Licence.]
- */
-
-+/* for secure_getenv */
-+#define _GNU_SOURCE
- #include <stdio.h>
- #include <time.h>
- #include <errno.h>
-@@ -100,7 +102,7 @@ static int by_file_ctrl(X509_LOOKUP *ctx
- case X509_L_FILE_LOAD:
- if (argl == X509_FILETYPE_DEFAULT)
- {
-- file = (char *)getenv(X509_get_default_cert_file_env());
-+ file = (char *)secure_getenv(X509_get_default_cert_file_env());
- if (file)
- ok = (X509_load_cert_crl_file(ctx,file,
- X509_FILETYPE_PEM) != 0);
-diff -up openssl-1.0.1e/crypto/x509/x509_vfy.c.secure-getenv openssl-1.0.1e/crypto/x509/x509_vfy.c
---- openssl-1.0.1e/crypto/x509/x509_vfy.c.secure-getenv 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/x509/x509_vfy.c 2013-02-19 13:02:02.556188668 +0100
-@@ -56,6 +56,8 @@
- * [including the GNU Public Licence.]
- */
-
-+/* for secure_getenv */
-+#define _GNU_SOURCE
- #include <stdio.h>
- #include <time.h>
- #include <errno.h>
-@@ -481,7 +483,7 @@ static int check_chain_extensions(X509_S
- !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
- /* A hack to keep people who don't want to modify their
- software happy */
-- if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))
-+ if (secure_getenv("OPENSSL_ALLOW_PROXY_CERTS"))
- allow_proxy_certs = 1;
- purpose = ctx->param->purpose;
- }
-diff -up openssl-1.0.1e/engines/ccgost/gost_ctl.c.secure-getenv openssl-1.0.1e/engines/ccgost/gost_ctl.c
---- openssl-1.0.1e/engines/ccgost/gost_ctl.c.secure-getenv 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/engines/ccgost/gost_ctl.c 2013-02-19 13:02:02.557188690 +0100
-@@ -6,6 +6,8 @@
- * Implementation of control commands for GOST engine *
- * OpenSSL 0.9.9 libraries required *
- **********************************************************************/
-+/* for secure_getenv */
-+#define _GNU_SOURCE
- #include <stdlib.h>
- #include <string.h>
- #include <openssl/crypto.h>
-@@ -65,7 +67,7 @@ const char *get_gost_engine_param(int pa
- {
- return gost_params[param];
- }
-- tmp = getenv(gost_envnames[param]);
-+ tmp = secure_getenv(gost_envnames[param]);
- if (tmp)
- {
- if (gost_params[param]) OPENSSL_free(gost_params[param]);
-@@ -79,7 +81,7 @@ int gost_set_default_param(int param, co
- {
- const char *tmp;
- if (param <0 || param >GOST_PARAM_MAX) return 0;
-- tmp = getenv(gost_envnames[param]);
-+ tmp = secure_getenv(gost_envnames[param]);
- /* if there is value in the environment, use it, else -passed string * */
- if (!tmp) tmp=value;
- if (gost_params[param]) OPENSSL_free(gost_params[param]);
diff --git a/SOURCES/openssl-1.0.1e-sn-case.patch b/SOURCES/openssl-1.0.1e-sn-case.patch
deleted file mode 100644
index eb5955a..0000000
--- a/SOURCES/openssl-1.0.1e-sn-case.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up openssl-1.0.1e/apps/s_server.c.sn-case openssl-1.0.1e/apps/s_server.c
---- openssl-1.0.1e/apps/s_server.c.sn-case 2014-09-17 15:31:51.000000000 +0200
-+++ openssl-1.0.1e/apps/s_server.c 2014-09-17 15:43:04.619321492 +0200
-@@ -744,7 +744,7 @@ static int MS_CALLBACK ssl_servername_cb
-
- if (servername)
- {
-- if (strcmp(servername,p->servername))
-+ if (strcasecmp(servername,p->servername))
- return p->extension_error;
- if (ctx2)
- {
diff --git a/SOURCES/openssl-1.0.1e-speed-doc.patch b/SOURCES/openssl-1.0.1e-speed-doc.patch
deleted file mode 100644
index 60527c8..0000000
--- a/SOURCES/openssl-1.0.1e-speed-doc.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-diff -up openssl-1.0.1e/apps/speed.c.speed-doc openssl-1.0.1e/apps/speed.c
---- openssl-1.0.1e/apps/speed.c.speed-doc 2016-01-15 14:21:57.447624338 +0100
-+++ openssl-1.0.1e/apps/speed.c 2016-01-15 14:22:37.044532716 +0100
-@@ -628,10 +628,6 @@ int MAIN(int argc, char **argv)
- int multi=0;
- #endif
-
--#ifndef TIMES
-- usertime=-1;
--#endif
--
- apps_startup();
- memset(results, 0, sizeof(results));
- #ifndef OPENSSL_NO_DSA
-@@ -1112,9 +1108,7 @@ int MAIN(int argc, char **argv)
-
- BIO_printf(bio_err,"\n");
- BIO_printf(bio_err,"Available options:\n");
--#if defined(TIMES) || defined(USE_TOD)
- BIO_printf(bio_err,"-elapsed measure time in real time instead of CPU user time.\n");
--#endif
- #ifndef OPENSSL_NO_ENGINE
- BIO_printf(bio_err,"-engine e use engine e, possibly a hardware device.\n");
- #endif
-diff -up openssl-1.0.1e/doc/apps/speed.pod.speed-doc openssl-1.0.1e/doc/apps/speed.pod
---- openssl-1.0.1e/doc/apps/speed.pod.speed-doc 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/doc/apps/speed.pod 2016-01-15 14:21:57.448624361 +0100
-@@ -8,6 +8,9 @@ speed - test library performance
-
- B<openssl speed>
- [B<-engine id>]
-+[B<-elapsed>]
-+[B<-evp algo>]
-+[B<-decrypt>]
- [B<md2>]
- [B<mdc2>]
- [B<md5>]
-@@ -49,6 +52,19 @@ to attempt to obtain a functional refere
- thus initialising it if needed. The engine will then be set as the default
- for all available algorithms.
-
-+=item B<-elapsed>
-+
-+Measure time in real time instead of CPU time. It can be useful when testing
-+speed of hardware engines.
-+
-+=item B<-evp algo>
-+
-+Use the specified cipher or message digest algorithm via the EVP interface.
-+
-+=item B<-decrypt>
-+
-+Time the decryption instead of encryption. Affects only the EVP testing.
-+
- =item B<[zero or more test algorithms]>
-
- If any options are given, B<speed> tests those algorithms, otherwise all of
diff --git a/SOURCES/openssl-1.0.1e-ssl2-no-ec.patch b/SOURCES/openssl-1.0.1e-ssl2-no-ec.patch
deleted file mode 100644
index 81ad472..0000000
--- a/SOURCES/openssl-1.0.1e-ssl2-no-ec.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-diff -up openssl-1.0.1e/ssl/s23_lib.c.ssl2noec openssl-1.0.1e/ssl/s23_lib.c
---- openssl-1.0.1e/ssl/s23_lib.c.ssl2noec 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/ssl/s23_lib.c 2014-05-06 15:51:54.053293674 +0200
-@@ -107,6 +107,13 @@ int ssl23_put_cipher_by_char(const SSL_C
- long l;
-
- /* We can write SSLv2 and SSLv3 ciphers */
-+ /* but no ECC ciphers */
-+ if (c->algorithm_mkey == SSL_kECDHr ||
-+ c->algorithm_mkey == SSL_kECDHe ||
-+ c->algorithm_mkey == SSL_kEECDH ||
-+ c->algorithm_auth == SSL_aECDH ||
-+ c->algorithm_auth == SSL_aECDSA)
-+ return 0;
- if (p != NULL)
- {
- l=c->id;
diff --git a/SOURCES/openssl-1.0.1e-timestamp.patch b/SOURCES/openssl-1.0.1e-timestamp.patch
deleted file mode 100644
index d944666..0000000
--- a/SOURCES/openssl-1.0.1e-timestamp.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up openssl-1.0.1e/crypto/ts/ts_rsp_sign.c.timestamp openssl-1.0.1e/crypto/ts/ts_rsp_sign.c
---- openssl-1.0.1e/crypto/ts/ts_rsp_sign.c.timestamp 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/ts/ts_rsp_sign.c 2016-01-14 17:35:44.495973697 +0100
-@@ -977,7 +977,7 @@ TS_RESP_set_genTime_with_precision(ASN1_
- if (precision > 0)
- {
- /* Add fraction of seconds (leave space for dot and null). */
-- BIO_snprintf(p, 2 + precision, ".%ld", usec);
-+ BIO_snprintf(p, 2 + precision, ".%06ld", usec);
- /* We cannot use the snprintf return value,
- because it might have been truncated. */
- p += strlen(p);
diff --git a/SOURCES/openssl-1.0.1e-trusted-first.patch b/SOURCES/openssl-1.0.1e-trusted-first.patch
deleted file mode 100644
index 08ab639..0000000
--- a/SOURCES/openssl-1.0.1e-trusted-first.patch
+++ /dev/null
@@ -1,330 +0,0 @@
-diff -up openssl-1.0.1e/apps/apps.c.trusted-first openssl-1.0.1e/apps/apps.c
---- openssl-1.0.1e/apps/apps.c.trusted-first 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/apps/apps.c 2013-08-16 15:42:39.920534769 +0200
-@@ -2361,6 +2361,8 @@ int args_verify(char ***pargs, int *parg
- flags |= X509_V_FLAG_NOTIFY_POLICY;
- else if (!strcmp(arg, "-check_ss_sig"))
- flags |= X509_V_FLAG_CHECK_SS_SIGNATURE;
-+ else if (!strcmp(arg, "-trusted_first"))
-+ flags |= X509_V_FLAG_TRUSTED_FIRST;
- else
- return 0;
-
-diff -up openssl-1.0.1e/apps/cms.c.trusted-first openssl-1.0.1e/apps/cms.c
---- openssl-1.0.1e/apps/cms.c.trusted-first 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/apps/cms.c 2013-08-16 15:43:56.671213879 +0200
-@@ -642,6 +642,7 @@ int MAIN(int argc, char **argv)
- BIO_printf (bio_err, "-text include or delete text MIME headers\n");
- BIO_printf (bio_err, "-CApath dir trusted certificates directory\n");
- BIO_printf (bio_err, "-CAfile file trusted certificates file\n");
-+ BIO_printf (bio_err, "-trusted_first use trusted certificates first when building the trust chain\n");
- BIO_printf (bio_err, "-crl_check check revocation status of signer's certificate using CRLs\n");
- BIO_printf (bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
- #ifndef OPENSSL_NO_ENGINE
-diff -up openssl-1.0.1e/apps/ocsp.c.trusted-first openssl-1.0.1e/apps/ocsp.c
---- openssl-1.0.1e/apps/ocsp.c.trusted-first 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/apps/ocsp.c 2013-08-16 15:49:47.477572414 +0200
-@@ -595,6 +595,7 @@ int MAIN(int argc, char **argv)
- BIO_printf (bio_err, "-path path to use in OCSP request\n");
- BIO_printf (bio_err, "-CApath dir trusted certificates directory\n");
- BIO_printf (bio_err, "-CAfile file trusted certificates file\n");
-+ BIO_printf (bio_err, "-trusted_first use trusted certificates first when building the trust chain\n");
- BIO_printf (bio_err, "-VAfile file validator certificates file\n");
- BIO_printf (bio_err, "-validity_period n maximum validity discrepancy in seconds\n");
- BIO_printf (bio_err, "-status_age n maximum status age in seconds\n");
-diff -up openssl-1.0.1e/apps/s_client.c.trusted-first openssl-1.0.1e/apps/s_client.c
---- openssl-1.0.1e/apps/s_client.c.trusted-first 2013-08-16 15:42:39.000000000 +0200
-+++ openssl-1.0.1e/apps/s_client.c 2013-08-16 15:49:00.727542994 +0200
-@@ -298,6 +298,7 @@ static void sc_usage(void)
- BIO_printf(bio_err," -pass arg - private key file pass phrase source\n");
- BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n");
- BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n");
-+ BIO_printf(bio_err," -trusted_first - Use trusted CA's first when building the trust chain\n");
- BIO_printf(bio_err," -reconnect - Drop and re-make the connection with the same Session-ID\n");
- BIO_printf(bio_err," -pause - sleep(1) after each read(2) and write(2) system call\n");
- BIO_printf(bio_err," -showcerts - show all certificates in the chain\n");
-diff -up openssl-1.0.1e/apps/smime.c.trusted-first openssl-1.0.1e/apps/smime.c
---- openssl-1.0.1e/apps/smime.c.trusted-first 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/apps/smime.c 2013-08-16 15:46:44.024875150 +0200
-@@ -479,6 +479,7 @@ int MAIN(int argc, char **argv)
- BIO_printf (bio_err, "-text include or delete text MIME headers\n");
- BIO_printf (bio_err, "-CApath dir trusted certificates directory\n");
- BIO_printf (bio_err, "-CAfile file trusted certificates file\n");
-+ BIO_printf (bio_err, "-trusted_first use trusted certificates first when building the trust chain\n");
- BIO_printf (bio_err, "-crl_check check revocation status of signer's certificate using CRLs\n");
- BIO_printf (bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
- #ifndef OPENSSL_NO_ENGINE
-diff -up openssl-1.0.1e/apps/s_server.c.trusted-first openssl-1.0.1e/apps/s_server.c
---- openssl-1.0.1e/apps/s_server.c.trusted-first 2013-08-16 15:42:39.000000000 +0200
-+++ openssl-1.0.1e/apps/s_server.c 2013-08-16 15:48:19.469634430 +0200
-@@ -501,6 +501,7 @@ static void sv_usage(void)
- BIO_printf(bio_err," -state - Print the SSL states\n");
- BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n");
- BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n");
-+ BIO_printf(bio_err," -trusted_first - Use trusted CA's first when building the trust chain\n");
- BIO_printf(bio_err," -nocert - Don't use any certificates (Anon-DH)\n");
- BIO_printf(bio_err," -cipher arg - play with 'openssl ciphers' to see what goes here\n");
- BIO_printf(bio_err," -serverpref - Use server's cipher preferences\n");
-diff -up openssl-1.0.1e/apps/s_time.c.trusted-first openssl-1.0.1e/apps/s_time.c
---- openssl-1.0.1e/apps/s_time.c.trusted-first 2013-08-16 15:42:39.000000000 +0200
-+++ openssl-1.0.1e/apps/s_time.c 2013-08-16 15:47:35.862674188 +0200
-@@ -179,6 +179,7 @@ static void s_time_usage(void)
- file if not specified by this option\n\
- -CApath arg - PEM format directory of CA's\n\
- -CAfile arg - PEM format file of CA's\n\
-+-trusted_first - Use trusted CA's first when building the trust chain\n\
- -cipher - preferred cipher to use, play with 'openssl ciphers'\n\n";
-
- printf( "usage: s_time <args>\n\n" );
-diff -up openssl-1.0.1e/apps/ts.c.trusted-first openssl-1.0.1e/apps/ts.c
---- openssl-1.0.1e/apps/ts.c.trusted-first 2013-08-16 15:42:39.000000000 +0200
-+++ openssl-1.0.1e/apps/ts.c 2013-08-16 15:45:27.766206812 +0200
-@@ -383,7 +383,7 @@ int MAIN(int argc, char **argv)
- "ts -verify [-data file_to_hash] [-digest digest_bytes] "
- "[-queryfile request.tsq] "
- "-in response.tsr [-token_in] "
-- "-CApath ca_path -CAfile ca_file.pem "
-+ "-CApath ca_path -CAfile ca_file.pem -trusted_first"
- "-untrusted cert_file.pem\n");
- cleanup:
- /* Clean up. */
-diff -up openssl-1.0.1e/apps/verify.c.trusted-first openssl-1.0.1e/apps/verify.c
---- openssl-1.0.1e/apps/verify.c.trusted-first 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/apps/verify.c 2013-08-16 15:46:09.720124654 +0200
-@@ -237,7 +237,7 @@ int MAIN(int argc, char **argv)
-
- end:
- if (ret == 1) {
-- BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]");
-+ BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] [-trusted_first] [-purpose purpose] [-crl_check]");
- BIO_printf(bio_err," [-attime timestamp]");
- #ifndef OPENSSL_NO_ENGINE
- BIO_printf(bio_err," [-engine e]");
-diff -up openssl-1.0.1e/crypto/x509/x509_vfy.c.trusted-first openssl-1.0.1e/crypto/x509/x509_vfy.c
---- openssl-1.0.1e/crypto/x509/x509_vfy.c.trusted-first 2013-08-16 15:42:39.864533545 +0200
-+++ openssl-1.0.1e/crypto/x509/x509_vfy.c 2013-08-16 15:42:39.921534791 +0200
-@@ -207,6 +207,21 @@ int X509_verify_cert(X509_STORE_CTX *ctx
-
- /* If we are self signed, we break */
- if (ctx->check_issued(ctx, x,x)) break;
-+ /* If asked see if we can find issuer in trusted store first */
-+ if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)
-+ {
-+ ok = ctx->get_issuer(&xtmp, ctx, x);
-+ if (ok < 0)
-+ return ok;
-+ /* If successful for now free up cert so it
-+ * will be picked up again later.
-+ */
-+ if (ok > 0)
-+ {
-+ X509_free(xtmp);
-+ break;
-+ }
-+ }
-
- /* If we were passed a cert chain, use it first */
- if (ctx->untrusted != NULL)
-diff -up openssl-1.0.1e/crypto/x509/x509_vfy.h.trusted-first openssl-1.0.1e/crypto/x509/x509_vfy.h
---- openssl-1.0.1e/crypto/x509/x509_vfy.h.trusted-first 2013-08-16 15:42:39.356522432 +0200
-+++ openssl-1.0.1e/crypto/x509/x509_vfy.h 2013-08-16 15:42:39.922534813 +0200
-@@ -389,6 +389,8 @@ void X509_STORE_CTX_set_depth(X509_STORE
- #define X509_V_FLAG_USE_DELTAS 0x2000
- /* Check selfsigned CA signature */
- #define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000
-+/* Use trusted store first */
-+#define X509_V_FLAG_TRUSTED_FIRST 0x8000
-
-
- #define X509_VP_FLAG_DEFAULT 0x1
-diff -up openssl-1.0.1e/doc/apps/cms.pod.trusted-first openssl-1.0.1e/doc/apps/cms.pod
---- openssl-1.0.1e/doc/apps/cms.pod.trusted-first 2013-08-16 15:42:39.000000000 +0200
-+++ openssl-1.0.1e/doc/apps/cms.pod 2013-08-16 15:50:48.723921117 +0200
-@@ -35,6 +35,7 @@ B<openssl> B<cms>
- [B<-print>]
- [B<-CAfile file>]
- [B<-CApath dir>]
-+[B<-trusted_first>]
- [B<-md digest>]
- [B<-[cipher]>]
- [B<-nointern>]
-@@ -238,6 +239,12 @@ B<-verify>. This directory must be a sta
- is a hash of each subject name (using B<x509 -hash>) should be linked
- to each certificate.
-
-+=item B<-trusted_first>
-+
-+Use certificates in CA file or CA directory before untrusted certificates
-+from the message when building the trust chain to verify certificates.
-+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
-+
- =item B<-md digest>
-
- digest algorithm to use when signing or resigning. If not present then the
-diff -up openssl-1.0.1e/doc/apps/ocsp.pod.trusted-first openssl-1.0.1e/doc/apps/ocsp.pod
---- openssl-1.0.1e/doc/apps/ocsp.pod.trusted-first 2013-08-16 15:42:39.000000000 +0200
-+++ openssl-1.0.1e/doc/apps/ocsp.pod 2013-08-16 15:52:20.106933403 +0200
-@@ -29,6 +29,7 @@ B<openssl> B<ocsp>
- [B<-path>]
- [B<-CApath dir>]
- [B<-CAfile file>]
-+[B<-trusted_first>]
- [B<-VAfile file>]
- [B<-validity_period n>]
- [B<-status_age n>]
-@@ -138,6 +139,13 @@ or "/" by default.
- file or pathname containing trusted CA certificates. These are used to verify
- the signature on the OCSP response.
-
-+=item B<-trusted_first>
-+
-+Use certificates in CA file or CA directory over certificates provided
-+in the response or residing in other certificates file when building the trust
-+chain to verify responder certificate.
-+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
-+
- =item B<-verify_other file>
-
- file containing additional certificates to search when attempting to locate
-diff -up openssl-1.0.1e/doc/apps/s_client.pod.trusted-first openssl-1.0.1e/doc/apps/s_client.pod
---- openssl-1.0.1e/doc/apps/s_client.pod.trusted-first 2013-08-16 15:42:39.000000000 +0200
-+++ openssl-1.0.1e/doc/apps/s_client.pod 2013-08-16 15:53:17.364194159 +0200
-@@ -17,6 +17,7 @@ B<openssl> B<s_client>
- [B<-pass arg>]
- [B<-CApath directory>]
- [B<-CAfile filename>]
-+[B<-trusted_first>]
- [B<-reconnect>]
- [B<-pause>]
- [B<-showcerts>]
-@@ -107,7 +108,7 @@ also used when building the client certi
- A file containing trusted certificates to use during server authentication
- and to use when attempting to build the client certificate chain.
-
--=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig>
-+=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first>
-
- Set various certificate chain valiadition option. See the
- L<B<verify>|verify(1)> manual page for details.
-diff -up openssl-1.0.1e/doc/apps/smime.pod.trusted-first openssl-1.0.1e/doc/apps/smime.pod
---- openssl-1.0.1e/doc/apps/smime.pod.trusted-first 2013-08-16 15:42:39.000000000 +0200
-+++ openssl-1.0.1e/doc/apps/smime.pod 2013-08-16 15:56:12.497050767 +0200
-@@ -15,6 +15,9 @@ B<openssl> B<smime>
- [B<-pk7out>]
- [B<-[cipher]>]
- [B<-in file>]
-+[B<-CAfile file>]
-+[B<-CApath dir>]
-+[B<-trusted_first>]
- [B<-certfile file>]
- [B<-signer file>]
- [B<-recip file>]
-@@ -146,6 +149,12 @@ B<-verify>. This directory must be a sta
- is a hash of each subject name (using B<x509 -hash>) should be linked
- to each certificate.
-
-+=item B<-trusted_first>
-+
-+Use certificates in CA file or CA directory over certificates provided
-+in the message when building the trust chain to verify a certificate.
-+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
-+
- =item B<-md digest>
-
- digest algorithm to use when signing or resigning. If not present then the
-diff -up openssl-1.0.1e/doc/apps/s_server.pod.trusted-first openssl-1.0.1e/doc/apps/s_server.pod
---- openssl-1.0.1e/doc/apps/s_server.pod.trusted-first 2013-08-16 15:42:39.000000000 +0200
-+++ openssl-1.0.1e/doc/apps/s_server.pod 2013-08-16 15:54:33.609873214 +0200
-@@ -33,6 +33,7 @@ B<openssl> B<s_server>
- [B<-state>]
- [B<-CApath directory>]
- [B<-CAfile filename>]
-+[B<-trusted_first>]
- [B<-nocert>]
- [B<-cipher cipherlist>]
- [B<-quiet>]
-@@ -168,6 +169,12 @@ and to use when attempting to build the
- is also used in the list of acceptable client CAs passed to the client when
- a certificate is requested.
-
-+=item B<-trusted_first>
-+
-+Use certificates in CA file or CA directory before other certificates
-+when building the trust chain to verify client certificates.
-+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
-+
- =item B<-state>
-
- prints out the SSL session states.
-diff -up openssl-1.0.1e/doc/apps/s_time.pod.trusted-first openssl-1.0.1e/doc/apps/s_time.pod
---- openssl-1.0.1e/doc/apps/s_time.pod.trusted-first 2013-02-11 16:02:48.000000000 +0100
-+++ openssl-1.0.1e/doc/apps/s_time.pod 2013-08-16 15:55:12.651732938 +0200
-@@ -14,6 +14,7 @@ B<openssl> B<s_time>
- [B<-key filename>]
- [B<-CApath directory>]
- [B<-CAfile filename>]
-+[B<-trusted_first>]
- [B<-reuse>]
- [B<-new>]
- [B<-verify depth>]
-@@ -76,6 +77,12 @@ also used when building the client certi
- A file containing trusted certificates to use during server authentication
- and to use when attempting to build the client certificate chain.
-
-+=item B<-trusted_first>
-+
-+Use certificates in CA file or CA directory over the certificates provided
-+by the server when building the trust chain to verify server certificate.
-+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
-+
- =item B<-new>
-
- performs the timing test using a new session ID for each connection.
-diff -up openssl-1.0.1e/doc/apps/ts.pod.trusted-first openssl-1.0.1e/doc/apps/ts.pod
---- openssl-1.0.1e/doc/apps/ts.pod.trusted-first 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/doc/apps/ts.pod 2013-08-16 15:57:17.399479957 +0200
-@@ -46,6 +46,7 @@ B<-verify>
- [B<-token_in>]
- [B<-CApath> trusted_cert_path]
- [B<-CAfile> trusted_certs.pem]
-+[B<-trusted_first>]
- [B<-untrusted> cert_file.pem]
-
- =head1 DESCRIPTION
-@@ -324,6 +325,12 @@ L<verify(1)|verify(1)> for additional de
- or B<-CApath> must be specified.
- (Optional)
-
-+=item B<-trusted_first>
-+
-+Use certificates in CA file or CA directory before other certificates
-+when building the trust chain to verify certificates.
-+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
-+
- =item B<-untrusted> cert_file.pem
-
- Set of additional untrusted certificates in PEM format which may be
-diff -up openssl-1.0.1e/doc/apps/verify.pod.trusted-first openssl-1.0.1e/doc/apps/verify.pod
---- openssl-1.0.1e/doc/apps/verify.pod.trusted-first 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/doc/apps/verify.pod 2013-08-16 15:58:00.267423925 +0200
-@@ -9,6 +9,7 @@ verify - Utility to verify certificates.
- B<openssl> B<verify>
- [B<-CApath directory>]
- [B<-CAfile file>]
-+[B<-trusted_first>]
- [B<-purpose purpose>]
- [B<-policy arg>]
- [B<-ignore_critical>]
-@@ -56,6 +57,12 @@ in PEM format concatenated together.
- A file of untrusted certificates. The file should contain multiple certificates
- in PEM format concatenated together.
-
-+=item B<-trusted_first>
-+
-+Use certificates in CA file or CA directory before the certificates in the untrusted
-+file when building the trust chain to verify certificates.
-+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
-+
- =item B<-purpose purpose>
-
- The intended use for the certificate. If this option is not specified,
diff --git a/SOURCES/openssl-1.0.1e-update-test-certs.patch b/SOURCES/openssl-1.0.1e-update-test-certs.patch
deleted file mode 100644
index e088eca..0000000
--- a/SOURCES/openssl-1.0.1e-update-test-certs.patch
+++ /dev/null
@@ -1,803 +0,0 @@
-From a0957d55059f0b6052235737f7441fc35da41afd Mon Sep 17 00:00:00 2001
-From: "Dr. Stephen Henson" <steve@openssl.org>
-Date: Wed, 17 Jul 2013 16:30:04 +0100
-Subject: [PATCH] Scripts to recreate S/MIME test certificates.
-
-Add a script to generate keys and certificates for the S/MIME and CMS
-tests.
-
-Update certificates and add EC examples.
----
- test/smime-certs/ca.cnf | 66 ++++++++++++++++++++++++++++++++++
- test/smime-certs/mksmime-certs.sh | 61 +++++++++++++++++++++++++++++++
- test/smime-certs/smdsa1.pem | 75 +++++++++++++++++++++++----------------
- test/smime-certs/smdsa2.pem | 75 +++++++++++++++++++++++----------------
- test/smime-certs/smdsa3.pem | 75 +++++++++++++++++++++++----------------
- test/smime-certs/smec1.pem | 22 ++++++++++++
- test/smime-certs/smec2.pem | 23 ++++++++++++
- test/smime-certs/smroot.pem | 75 ++++++++++++++++++++++++---------------
- test/smime-certs/smrsa1.pem | 74 +++++++++++++++++++++++---------------
- test/smime-certs/smrsa2.pem | 74 +++++++++++++++++++++++---------------
- test/smime-certs/smrsa3.pem | 74 +++++++++++++++++++++++---------------
- 11 files changed, 489 insertions(+), 205 deletions(-)
- create mode 100644 test/smime-certs/ca.cnf
- create mode 100644 test/smime-certs/mksmime-certs.sh
- create mode 100644 test/smime-certs/smec1.pem
- create mode 100644 test/smime-certs/smec2.pem
-
-diff --git a/test/smime-certs/ca.cnf b/test/smime-certs/ca.cnf
-new file mode 100644
-index 0000000..5e8b108
---- /dev/null
-+++ b/test/smime-certs/ca.cnf
-@@ -0,0 +1,66 @@
-+#
-+# OpenSSL example configuration file for automated certificate creation.
-+#
-+
-+# This definition stops the following lines choking if HOME or CN
-+# is undefined.
-+HOME = .
-+RANDFILE = $ENV::HOME/.rnd
-+CN = "Not Defined"
-+default_ca = ca
-+
-+####################################################################
-+[ req ]
-+default_bits = 2048
-+default_keyfile = privkey.pem
-+# Don't prompt for fields: use those in section directly
-+prompt = no
-+distinguished_name = req_distinguished_name
-+x509_extensions = v3_ca # The extentions to add to the self signed cert
-+string_mask = utf8only
-+
-+# req_extensions = v3_req # The extensions to add to a certificate request
-+
-+[ req_distinguished_name ]
-+countryName = UK
-+
-+organizationName = OpenSSL Group
-+# Take CN from environment so it can come from a script.
-+commonName = $ENV::CN
-+
-+[ usr_cert ]
-+
-+# These extensions are added when 'ca' signs a request for an end entity
-+# certificate
-+
-+basicConstraints=critical, CA:FALSE
-+keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment
-+
-+# PKIX recommendations harmless if included in all certificates.
-+subjectKeyIdentifier=hash
-+authorityKeyIdentifier=keyid
-+
-+[ dh_cert ]
-+
-+# These extensions are added when 'ca' signs a request for an end entity
-+# DH certificate
-+
-+basicConstraints=critical, CA:FALSE
-+keyUsage=critical, keyAgreement
-+
-+# PKIX recommendations harmless if included in all certificates.
-+subjectKeyIdentifier=hash
-+authorityKeyIdentifier=keyid
-+
-+[ v3_ca ]
-+
-+
-+# Extensions for a typical CA
-+
-+# PKIX recommendation.
-+
-+subjectKeyIdentifier=hash
-+authorityKeyIdentifier=keyid:always
-+basicConstraints = critical,CA:true
-+keyUsage = critical, cRLSign, keyCertSign
-+
-diff --git a/test/smime-certs/mksmime-certs.sh b/test/smime-certs/mksmime-certs.sh
-new file mode 100644
-index 0000000..37c5633
---- /dev/null
-+++ b/test/smime-certs/mksmime-certs.sh
-@@ -0,0 +1,61 @@
-+#!/bin/sh
-+
-+# Utility to recreate S/MIME certificates
-+
-+OPENSSL=../../apps/openssl
-+OPENSSL_CONF=./ca.cnf
-+export OPENSSL_CONF
-+
-+# Root CA: create certificate directly
-+CN="Test S/MIME RSA Root" $OPENSSL req -config ca.cnf -x509 -nodes \
-+ -keyout smroot.pem -out smroot.pem -newkey rsa:2048 -days 3650
-+
-+# EE RSA certificates: create request first
-+CN="Test S/MIME EE RSA #1" $OPENSSL req -config ca.cnf -nodes \
-+ -keyout smrsa1.pem -out req.pem -newkey rsa:2048
-+# Sign request: end entity extensions
-+$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
-+ -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smrsa1.pem
-+
-+CN="Test S/MIME EE RSA #2" $OPENSSL req -config ca.cnf -nodes \
-+ -keyout smrsa2.pem -out req.pem -newkey rsa:2048
-+$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
-+ -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smrsa2.pem
-+
-+CN="Test S/MIME EE RSA #3" $OPENSSL req -config ca.cnf -nodes \
-+ -keyout smrsa3.pem -out req.pem -newkey rsa:2048
-+$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
-+ -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smrsa3.pem
-+
-+# Create DSA parameters
-+
-+$OPENSSL dsaparam -out dsap.pem 2048
-+
-+CN="Test S/MIME EE DSA #1" $OPENSSL req -config ca.cnf -nodes \
-+ -keyout smdsa1.pem -out req.pem -newkey dsa:dsap.pem
-+$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
-+ -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdsa1.pem
-+CN="Test S/MIME EE DSA #2" $OPENSSL req -config ca.cnf -nodes \
-+ -keyout smdsa2.pem -out req.pem -newkey dsa:dsap.pem
-+$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
-+ -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdsa2.pem
-+CN="Test S/MIME EE DSA #3" $OPENSSL req -config ca.cnf -nodes \
-+ -keyout smdsa3.pem -out req.pem -newkey dsa:dsap.pem
-+$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
-+ -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdsa3.pem
-+
-+# Create EC parameters
-+
-+$OPENSSL ecparam -out ecp.pem -name P-256
-+$OPENSSL ecparam -out ecp2.pem -name K-283
-+
-+CN="Test S/MIME EE EC #1" $OPENSSL req -config ca.cnf -nodes \
-+ -keyout smec1.pem -out req.pem -newkey ec:ecp.pem
-+$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
-+ -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smec1.pem
-+CN="Test S/MIME EE EC #2" $OPENSSL req -config ca.cnf -nodes \
-+ -keyout smec2.pem -out req.pem -newkey ec:ecp2.pem
-+$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
-+ -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smec2.pem
-+# Remove temp files.
-+rm -f req.pem ecp.pem ecp2.pem dsap.pem smroot.srl
-diff --git a/test/smime-certs/smdsa1.pem b/test/smime-certs/smdsa1.pem
-index d5677db..b424f67 100644
---- a/test/smime-certs/smdsa1.pem
-+++ b/test/smime-certs/smdsa1.pem
-@@ -1,34 +1,47 @@
-------BEGIN DSA PRIVATE KEY-----
--MIIBuwIBAAKBgQDFJfsIPOIawMO5biw+AoYUhNVxReBOLQosU3Qv4B8krac0BNr3
--OjSGLh1wZxHqhlAE0QmasTaKojuk20nNWeFnczSz6vDl0IVJEhS8VYor5kt9gLqt
--GcoAgsf4gRDIutJyQDaNn3IVY89uXUVIoexvQeLQDBCgQPC5O8rJdqBwtwIVAK2J
--jt+dqk07eQUE59koYUEKyNorAoGBAI4IEpusf8G14kCHmRtnHXM2tG5EWJDmW6Qt
--wjqvWp1GKUx5WFy1tVWR9nl5rL0Di+kNdENo+SkKj7h3uDulGOI6T0mQYbV2h1IK
--+FMOGnOqvZ8eNTE2n4PGTo5puZ63LBm+QYrQsrNiUY4vakLFQ2rEK/SLwdsDFK4Z
--SJCBQw5zAoGATQlPPF+OeU8nu3rsdXGDiZdJzOkuCce3KQfTABA9C+Dk4CVcvBdd
--YRLGpnykumkNTO1sTO+4/Gphsuje1ujK9td4UEhdYqylCe5QjEMrszDlJtelDQF9
--C0yhdjKGTP0kxofLhsGckcuQvcKEKffT2pDDKJIy4vWQO0UyJl1vjLcCFG2uiGGx
--9fMUZq1v0ePD4Wo0Xkxo
-------END DSA PRIVATE KEY-----
-+-----BEGIN PRIVATE KEY-----
-+MIICZQIBADCCAjkGByqGSM44BAEwggIsAoIBAQCQfLlNdehPnTrGIMhw4rk0uua6
-+k1nCG3zcyfXli17BdB2k0HBPaTA3a3ZHfOt1Awy0Uu0wZ3gdPr9z0I64hnJXIGou
-+zIanZ7nYRImHtX5JMFbXeyxo1Owd2Zs3oEk9nQUoUsMxvmYC/ghPL5Zx1pPxcHCO
-+wzWxoG4yZMjimXOc1/W7zvK/4/g/Cz9fItD3zdcydfgM/hK0/CeYQ21xfhqf4mjK
-+v9plnCcWgToGI+7H8VK80MFbkO2QKRz3vP1/TjK6PRm9sEeB5b10+SvGv2j2w+CC
-+0fXL4s6n7PtBlm/bww8xL1/Az8kwejUcII1Dc8uNwwISwGbwaGBvl7IHpm21AiEA
-+rodZi+nCKZdTL8IgCjX3n0DuhPRkVQPjz/B6VweLW9MCggEAfimkUNwnsGFp7mKM
-+zJKhHoQkMB1qJzyIHjDzQ/J1xjfoF6i27afw1/WKboND5eseZhlhA2TO5ZJB6nGx
-+DOE9lVQxYVml++cQj6foHh1TVJAgGl4mWuveW/Rz+NEhpK4zVeEsfMrbkBypPByy
-+xzF1Z49t568xdIo+e8jLI8FjEdXOIUg4ehB3NY6SL8r4oJ49j/sJWfHcDoWH/LK9
-+ZaBF8NpflJe3F40S8RDvM8j2HC+y2Q4QyKk1DXGiH+7yQLGWzr3M73kC3UBnnH0h
-+Hxb7ISDCT7dCw/lH1nCbVFBOM0ASI26SSsFSXQrvD2kryRcTZ0KkyyhhoPODWpU+
-+TQMsxQQjAiEAkolGvb/76X3vm5Ov09ezqyBYt9cdj/FLH7DyMkxO7X0=
-+-----END PRIVATE KEY-----
- -----BEGIN CERTIFICATE-----
--MIIDpDCCAw2gAwIBAgIJAMtotfHYdEsWMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
--BAYTAlVLMRYwFAYDVQQKEw1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDExRUZXN0IFMv
--TUlNRSBSU0EgUm9vdDAeFw0wODAyMjIxMzUzMDlaFw0xNjA1MTAxMzUzMDlaMEUx
-+MIIFkDCCBHigAwIBAgIJANk5lu6mSyBDMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
-+BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
-+TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzFaFw0yMzA1MjYxNzI4MzFaMEUx
- CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU
--ZXN0IFMvTUlNRSBFRSBEU0EgIzEwggG3MIIBLAYHKoZIzjgEATCCAR8CgYEAxSX7
--CDziGsDDuW4sPgKGFITVcUXgTi0KLFN0L+AfJK2nNATa9zo0hi4dcGcR6oZQBNEJ
--mrE2iqI7pNtJzVnhZ3M0s+rw5dCFSRIUvFWKK+ZLfYC6rRnKAILH+IEQyLrSckA2
--jZ9yFWPPbl1FSKHsb0Hi0AwQoEDwuTvKyXagcLcCFQCtiY7fnapNO3kFBOfZKGFB
--CsjaKwKBgQCOCBKbrH/BteJAh5kbZx1zNrRuRFiQ5lukLcI6r1qdRilMeVhctbVV
--kfZ5eay9A4vpDXRDaPkpCo+4d7g7pRjiOk9JkGG1dodSCvhTDhpzqr2fHjUxNp+D
--xk6OabmetywZvkGK0LKzYlGOL2pCxUNqxCv0i8HbAxSuGUiQgUMOcwOBhAACgYBN
--CU88X455Tye7eux1cYOJl0nM6S4Jx7cpB9MAED0L4OTgJVy8F11hEsamfKS6aQ1M
--7WxM77j8amGy6N7W6Mr213hQSF1irKUJ7lCMQyuzMOUm16UNAX0LTKF2MoZM/STG
--h8uGwZyRy5C9woQp99PakMMokjLi9ZA7RTImXW+Mt6OBgzCBgDAdBgNVHQ4EFgQU
--4Qfbhpi5yqXaXuCLXj427mR25MkwHwYDVR0jBBgwFoAUE89Lp7uJLrM4Vxd2xput
--aFvl7RcwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBsAwIAYDVR0RBBkwF4EV
--c21pbWVkc2ExQG9wZW5zc2wub3JnMA0GCSqGSIb3DQEBBQUAA4GBAFrdUzKK1pWO
--kd02S423KUBc4GWWyiGlVoEO7WxVhHLJ8sm67X7OtJOwe0UGt+Nc5qLtyJYSirw8
--phjiTdNpQCTJ8+Kc56tWkJ6H7NAI4vTJtPL5BM/EmeYrVSU9JI9xhqpyKw9IBD+n
--hRJ79W9FaiJRvaAOX+TkyTukJrxAWRyv
-+ZXN0IFMvTUlNRSBFRSBEU0EgIzEwggNGMIICOQYHKoZIzjgEATCCAiwCggEBAJB8
-+uU116E+dOsYgyHDiuTS65rqTWcIbfNzJ9eWLXsF0HaTQcE9pMDdrdkd863UDDLRS
-+7TBneB0+v3PQjriGclcgai7MhqdnudhEiYe1fkkwVtd7LGjU7B3ZmzegST2dBShS
-+wzG+ZgL+CE8vlnHWk/FwcI7DNbGgbjJkyOKZc5zX9bvO8r/j+D8LP18i0PfN1zJ1
-++Az+ErT8J5hDbXF+Gp/iaMq/2mWcJxaBOgYj7sfxUrzQwVuQ7ZApHPe8/X9OMro9
-+Gb2wR4HlvXT5K8a/aPbD4ILR9cvizqfs+0GWb9vDDzEvX8DPyTB6NRwgjUNzy43D
-+AhLAZvBoYG+XsgembbUCIQCuh1mL6cIpl1MvwiAKNfefQO6E9GRVA+PP8HpXB4tb
-+0wKCAQB+KaRQ3CewYWnuYozMkqEehCQwHWonPIgeMPND8nXGN+gXqLbtp/DX9Ypu
-+g0Pl6x5mGWEDZM7lkkHqcbEM4T2VVDFhWaX75xCPp+geHVNUkCAaXiZa695b9HP4
-+0SGkrjNV4Sx8ytuQHKk8HLLHMXVnj23nrzF0ij57yMsjwWMR1c4hSDh6EHc1jpIv
-+yvignj2P+wlZ8dwOhYf8sr1loEXw2l+Ul7cXjRLxEO8zyPYcL7LZDhDIqTUNcaIf
-+7vJAsZbOvczveQLdQGecfSEfFvshIMJPt0LD+UfWcJtUUE4zQBIjbpJKwVJdCu8P
-+aSvJFxNnQqTLKGGg84NalT5NAyzFA4IBBQACggEAGXSQADbuRIZBjiQ6NikwZl+x
-+EDEffIE0RWbvwf1tfWxw4ZvanO/djyz5FePO0AIJDBCLUjr9D32nkmIG1Hu3dWgV
-+86knQsM6uFiMSzY9nkJGZOlH3w4NHLE78pk75xR1sg1MEZr4x/t+a/ea9Y4AXklE
-+DCcaHtpMGeAx3ZAqSKec+zQOOA73JWP1/gYHGdYyTQpQtwRTsh0Gi5mOOdpoJ0vp
-+O83xYbFCZ+ZZKX1RWOjJe2OQBRtw739q1nRga1VMLAT/LFSQsSE3IOp8hiWbjnit
-+1SE6q3II2a/aHZH/x4OzszfmtQfmerty3eQSq3bgajfxCsccnRjSbLeNiazRSKNg
-+MF4wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0OBBYEFNHQYTOO
-+xaZ/N68OpxqjHKuatw6sMB8GA1UdIwQYMBaAFMmRUwpjexZbi71E8HaIqSTm5bZs
-+MA0GCSqGSIb3DQEBBQUAA4IBAQAAiLociMMXcLkO/uKjAjCIQMrsghrOrxn4ZGBx
-+d/mCTeqPxhcrX2UorwxVCKI2+Dmz5dTC2xKprtvkiIadJamJmxYYzeF1pgRriFN3
-+MkmMMkTbe/ekSvSeMtHQ2nHDCAJIaA/k9akWfA0+26Ec25/JKMrl3LttllsJMK1z
-+Xj7TcQpAIWORKWSNxY/ezM34+9ABHDZB2waubFqS+irlZsn38aZRuUI0K67fuuIt
-+17vMUBqQpe2hfNAjpZ8dIpEdAGjQ6izV2uwP1lXbiaK9U4dvUqmwyCIPniX7Hpaf
-+0VnX0mEViXMT6vWZTjLBUv0oKmO7xBkWHIaaX6oyF32pK5AO
- -----END CERTIFICATE-----
-diff --git a/test/smime-certs/smdsa2.pem b/test/smime-certs/smdsa2.pem
-index ef86c11..648447f 100644
---- a/test/smime-certs/smdsa2.pem
-+++ b/test/smime-certs/smdsa2.pem
-@@ -1,34 +1,47 @@
-------BEGIN DSA PRIVATE KEY-----
--MIIBvAIBAAKBgQDFJfsIPOIawMO5biw+AoYUhNVxReBOLQosU3Qv4B8krac0BNr3
--OjSGLh1wZxHqhlAE0QmasTaKojuk20nNWeFnczSz6vDl0IVJEhS8VYor5kt9gLqt
--GcoAgsf4gRDIutJyQDaNn3IVY89uXUVIoexvQeLQDBCgQPC5O8rJdqBwtwIVAK2J
--jt+dqk07eQUE59koYUEKyNorAoGBAI4IEpusf8G14kCHmRtnHXM2tG5EWJDmW6Qt
--wjqvWp1GKUx5WFy1tVWR9nl5rL0Di+kNdENo+SkKj7h3uDulGOI6T0mQYbV2h1IK
--+FMOGnOqvZ8eNTE2n4PGTo5puZ63LBm+QYrQsrNiUY4vakLFQ2rEK/SLwdsDFK4Z
--SJCBQw5zAoGBAIPmO8BtJ+Yac58trrPwq9b/6VW3jQTWzTLWSH84/QQdqQa+Pz3v
--It/+hHM0daNF5uls8ICsPL1aLXmRx0pHvIyb0aAzYae4T4Jv/COPDMTdKbA1uitJ
--VbkGZrm+LIrs7I9lOkb4T0vI6kL/XdOCXY1469zsqCgJ/O2ibn6mq0nWAhR716o2
--Nf8SimTZYB0/CKje6M5ufA==
-------END DSA PRIVATE KEY-----
-+-----BEGIN PRIVATE KEY-----
-+MIICZAIBADCCAjkGByqGSM44BAEwggIsAoIBAQCQfLlNdehPnTrGIMhw4rk0uua6
-+k1nCG3zcyfXli17BdB2k0HBPaTA3a3ZHfOt1Awy0Uu0wZ3gdPr9z0I64hnJXIGou
-+zIanZ7nYRImHtX5JMFbXeyxo1Owd2Zs3oEk9nQUoUsMxvmYC/ghPL5Zx1pPxcHCO
-+wzWxoG4yZMjimXOc1/W7zvK/4/g/Cz9fItD3zdcydfgM/hK0/CeYQ21xfhqf4mjK
-+v9plnCcWgToGI+7H8VK80MFbkO2QKRz3vP1/TjK6PRm9sEeB5b10+SvGv2j2w+CC
-+0fXL4s6n7PtBlm/bww8xL1/Az8kwejUcII1Dc8uNwwISwGbwaGBvl7IHpm21AiEA
-+rodZi+nCKZdTL8IgCjX3n0DuhPRkVQPjz/B6VweLW9MCggEAfimkUNwnsGFp7mKM
-+zJKhHoQkMB1qJzyIHjDzQ/J1xjfoF6i27afw1/WKboND5eseZhlhA2TO5ZJB6nGx
-+DOE9lVQxYVml++cQj6foHh1TVJAgGl4mWuveW/Rz+NEhpK4zVeEsfMrbkBypPByy
-+xzF1Z49t568xdIo+e8jLI8FjEdXOIUg4ehB3NY6SL8r4oJ49j/sJWfHcDoWH/LK9
-+ZaBF8NpflJe3F40S8RDvM8j2HC+y2Q4QyKk1DXGiH+7yQLGWzr3M73kC3UBnnH0h
-+Hxb7ISDCT7dCw/lH1nCbVFBOM0ASI26SSsFSXQrvD2kryRcTZ0KkyyhhoPODWpU+
-+TQMsxQQiAiAdCUJ5n2Q9hIynN8BMpnRcdfH696BKejGx+2Mr2kfnnA==
-+-----END PRIVATE KEY-----
- -----BEGIN CERTIFICATE-----
--MIIDpTCCAw6gAwIBAgIJAMtotfHYdEsXMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
--BAYTAlVLMRYwFAYDVQQKEw1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDExRUZXN0IFMv
--TUlNRSBSU0EgUm9vdDAeFw0wODAyMjIxMzUzMDlaFw0xNjA1MTAxMzUzMDlaMEUx
-+MIIFkDCCBHigAwIBAgIJANk5lu6mSyBEMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
-+BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
-+TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzFaFw0yMzA1MjYxNzI4MzFaMEUx
- CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU
--ZXN0IFMvTUlNRSBFRSBEU0EgIzIwggG4MIIBLAYHKoZIzjgEATCCAR8CgYEAxSX7
--CDziGsDDuW4sPgKGFITVcUXgTi0KLFN0L+AfJK2nNATa9zo0hi4dcGcR6oZQBNEJ
--mrE2iqI7pNtJzVnhZ3M0s+rw5dCFSRIUvFWKK+ZLfYC6rRnKAILH+IEQyLrSckA2
--jZ9yFWPPbl1FSKHsb0Hi0AwQoEDwuTvKyXagcLcCFQCtiY7fnapNO3kFBOfZKGFB
--CsjaKwKBgQCOCBKbrH/BteJAh5kbZx1zNrRuRFiQ5lukLcI6r1qdRilMeVhctbVV
--kfZ5eay9A4vpDXRDaPkpCo+4d7g7pRjiOk9JkGG1dodSCvhTDhpzqr2fHjUxNp+D
--xk6OabmetywZvkGK0LKzYlGOL2pCxUNqxCv0i8HbAxSuGUiQgUMOcwOBhQACgYEA
--g+Y7wG0n5hpzny2us/Cr1v/pVbeNBNbNMtZIfzj9BB2pBr4/Pe8i3/6EczR1o0Xm
--6WzwgKw8vVoteZHHSke8jJvRoDNhp7hPgm/8I48MxN0psDW6K0lVuQZmub4siuzs
--j2U6RvhPS8jqQv9d04JdjXjr3OyoKAn87aJufqarSdajgYMwgYAwHQYDVR0OBBYE
--FHsAGNfVltSYUq4hC+YVYwsYtA+dMB8GA1UdIwQYMBaAFBPPS6e7iS6zOFcXdsab
--rWhb5e0XMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgbAMCAGA1UdEQQZMBeB
--FXNtaW1lZHNhMkBvcGVuc3NsLm9yZzANBgkqhkiG9w0BAQUFAAOBgQCx9BtCbaYF
--FXjLClkuKXbESaDZA1biPgY25i00FsUzARuhCpqD2v+0tu5c33ZzIhL6xlvBRU5l
--6Atw/xpZhae+hdBEtxPJoGekLLrHOau7Md3XwDjV4lFgcEJkWZoaSOOIK+4D5jF0
--jZWtHjnwEzuLYlo7ScHSsbcQfjH0M1TP5A==
-+ZXN0IFMvTUlNRSBFRSBEU0EgIzIwggNGMIICOQYHKoZIzjgEATCCAiwCggEBAJB8
-+uU116E+dOsYgyHDiuTS65rqTWcIbfNzJ9eWLXsF0HaTQcE9pMDdrdkd863UDDLRS
-+7TBneB0+v3PQjriGclcgai7MhqdnudhEiYe1fkkwVtd7LGjU7B3ZmzegST2dBShS
-+wzG+ZgL+CE8vlnHWk/FwcI7DNbGgbjJkyOKZc5zX9bvO8r/j+D8LP18i0PfN1zJ1
-++Az+ErT8J5hDbXF+Gp/iaMq/2mWcJxaBOgYj7sfxUrzQwVuQ7ZApHPe8/X9OMro9
-+Gb2wR4HlvXT5K8a/aPbD4ILR9cvizqfs+0GWb9vDDzEvX8DPyTB6NRwgjUNzy43D
-+AhLAZvBoYG+XsgembbUCIQCuh1mL6cIpl1MvwiAKNfefQO6E9GRVA+PP8HpXB4tb
-+0wKCAQB+KaRQ3CewYWnuYozMkqEehCQwHWonPIgeMPND8nXGN+gXqLbtp/DX9Ypu
-+g0Pl6x5mGWEDZM7lkkHqcbEM4T2VVDFhWaX75xCPp+geHVNUkCAaXiZa695b9HP4
-+0SGkrjNV4Sx8ytuQHKk8HLLHMXVnj23nrzF0ij57yMsjwWMR1c4hSDh6EHc1jpIv
-+yvignj2P+wlZ8dwOhYf8sr1loEXw2l+Ul7cXjRLxEO8zyPYcL7LZDhDIqTUNcaIf
-+7vJAsZbOvczveQLdQGecfSEfFvshIMJPt0LD+UfWcJtUUE4zQBIjbpJKwVJdCu8P
-+aSvJFxNnQqTLKGGg84NalT5NAyzFA4IBBQACggEAItQlFu0t7Mw1HHROuuwKLS+E
-+h2WNNZP96MLQTygOVlqgaJY+1mJLzvl/51LLH6YezX0t89Z2Dm/3SOJEdNrdbIEt
-+tbu5rzymXxFhc8uaIYZFhST38oQwJOjM8wFitAQESe6/9HZjkexMqSqx/r5aEKTa
-+LBinqA1BJRI72So1/1dv8P99FavPADdj8V7fAccReKEQKnfnwA7mrnD+OlIqFKFn
-+3wCGk8Sw7tSJ9g6jgCI+zFwrKn2w+w+iot/Ogxl9yMAtKmAd689IAZr5GPPvV2y0
-+KOogCiUYgSTSawZhr+rjyFavfI5dBWzMq4tKx/zAi6MJ+6hGJjJ8jHoT9JAPmaNg
-+MF4wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0OBBYEFGaxw04k
-+qpufeGZC+TTBq8oMnXyrMB8GA1UdIwQYMBaAFMmRUwpjexZbi71E8HaIqSTm5bZs
-+MA0GCSqGSIb3DQEBBQUAA4IBAQCk2Xob1ICsdHYx/YsBzY6E1eEwcI4RZbZ3hEXp
-+VA72/Mbz60gjv1OwE5Ay4j+xG7IpTio6y2A9ZNepGpzidYcsL/Lx9Sv1LlN0Ukzb
-+uk6Czd2sZJp+PFMTTrgCd5rXKnZs/0D84Vci611vGMA1hnUnbAnBBmgLXe9pDNRV
-+6mhmCLLjJ4GOr5Wxt/hhknr7V2e1VMx3Q47GZhc0o/gExfhxXA8+gicM0nEYNakD
-+2A1F0qDhQGakjuofANHhjdUDqKJ1sxurAy80fqb0ddzJt2el89iXKN+aXx/zEX96
-+GI5ON7z/bkVwIi549lUOpWb2Mved61NBzCLKVP7HSuEIsC/I
- -----END CERTIFICATE-----
-diff --git a/test/smime-certs/smdsa3.pem b/test/smime-certs/smdsa3.pem
-index eeb848d..77acc5e 100644
---- a/test/smime-certs/smdsa3.pem
-+++ b/test/smime-certs/smdsa3.pem
-@@ -1,34 +1,47 @@
-------BEGIN DSA PRIVATE KEY-----
--MIIBvAIBAAKBgQDFJfsIPOIawMO5biw+AoYUhNVxReBOLQosU3Qv4B8krac0BNr3
--OjSGLh1wZxHqhlAE0QmasTaKojuk20nNWeFnczSz6vDl0IVJEhS8VYor5kt9gLqt
--GcoAgsf4gRDIutJyQDaNn3IVY89uXUVIoexvQeLQDBCgQPC5O8rJdqBwtwIVAK2J
--jt+dqk07eQUE59koYUEKyNorAoGBAI4IEpusf8G14kCHmRtnHXM2tG5EWJDmW6Qt
--wjqvWp1GKUx5WFy1tVWR9nl5rL0Di+kNdENo+SkKj7h3uDulGOI6T0mQYbV2h1IK
--+FMOGnOqvZ8eNTE2n4PGTo5puZ63LBm+QYrQsrNiUY4vakLFQ2rEK/SLwdsDFK4Z
--SJCBQw5zAoGAYzOpPmh8Je1IDauEXhgaLz14wqYUHHcrj2VWVJ6fRm8GhdQFJSI7
--GUk08pgKZSKic2lNqxuzW7/vFxKQ/nvzfytY16b+2i+BR4Q6yvMzCebE1hHVg0Ju
--TwfUMwoFEOhYP6ZwHSUiQl9IBMH9TNJCMwYMxfY+VOrURFsjGTRUgpwCFQCIGt5g
--Y+XZd0Sv69CatDIRYWvaIA==
-------END DSA PRIVATE KEY-----
-+-----BEGIN PRIVATE KEY-----
-+MIICZQIBADCCAjkGByqGSM44BAEwggIsAoIBAQCQfLlNdehPnTrGIMhw4rk0uua6
-+k1nCG3zcyfXli17BdB2k0HBPaTA3a3ZHfOt1Awy0Uu0wZ3gdPr9z0I64hnJXIGou
-+zIanZ7nYRImHtX5JMFbXeyxo1Owd2Zs3oEk9nQUoUsMxvmYC/ghPL5Zx1pPxcHCO
-+wzWxoG4yZMjimXOc1/W7zvK/4/g/Cz9fItD3zdcydfgM/hK0/CeYQ21xfhqf4mjK
-+v9plnCcWgToGI+7H8VK80MFbkO2QKRz3vP1/TjK6PRm9sEeB5b10+SvGv2j2w+CC
-+0fXL4s6n7PtBlm/bww8xL1/Az8kwejUcII1Dc8uNwwISwGbwaGBvl7IHpm21AiEA
-+rodZi+nCKZdTL8IgCjX3n0DuhPRkVQPjz/B6VweLW9MCggEAfimkUNwnsGFp7mKM
-+zJKhHoQkMB1qJzyIHjDzQ/J1xjfoF6i27afw1/WKboND5eseZhlhA2TO5ZJB6nGx
-+DOE9lVQxYVml++cQj6foHh1TVJAgGl4mWuveW/Rz+NEhpK4zVeEsfMrbkBypPByy
-+xzF1Z49t568xdIo+e8jLI8FjEdXOIUg4ehB3NY6SL8r4oJ49j/sJWfHcDoWH/LK9
-+ZaBF8NpflJe3F40S8RDvM8j2HC+y2Q4QyKk1DXGiH+7yQLGWzr3M73kC3UBnnH0h
-+Hxb7ISDCT7dCw/lH1nCbVFBOM0ASI26SSsFSXQrvD2kryRcTZ0KkyyhhoPODWpU+
-+TQMsxQQjAiEArJr6p2zTbhRppQurHGTdmdYHqrDdZH4MCsD9tQCw1xY=
-+-----END PRIVATE KEY-----
- -----BEGIN CERTIFICATE-----
--MIIDpDCCAw2gAwIBAgIJAMtotfHYdEsYMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
--BAYTAlVLMRYwFAYDVQQKEw1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDExRUZXN0IFMv
--TUlNRSBSU0EgUm9vdDAeFw0wODAyMjIxMzUzMDlaFw0xNjA1MTAxMzUzMDlaMEUx
-+MIIFkDCCBHigAwIBAgIJANk5lu6mSyBFMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
-+BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
-+TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzFaFw0yMzA1MjYxNzI4MzFaMEUx
- CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU
--ZXN0IFMvTUlNRSBFRSBEU0EgIzMwggG3MIIBLAYHKoZIzjgEATCCAR8CgYEAxSX7
--CDziGsDDuW4sPgKGFITVcUXgTi0KLFN0L+AfJK2nNATa9zo0hi4dcGcR6oZQBNEJ
--mrE2iqI7pNtJzVnhZ3M0s+rw5dCFSRIUvFWKK+ZLfYC6rRnKAILH+IEQyLrSckA2
--jZ9yFWPPbl1FSKHsb0Hi0AwQoEDwuTvKyXagcLcCFQCtiY7fnapNO3kFBOfZKGFB
--CsjaKwKBgQCOCBKbrH/BteJAh5kbZx1zNrRuRFiQ5lukLcI6r1qdRilMeVhctbVV
--kfZ5eay9A4vpDXRDaPkpCo+4d7g7pRjiOk9JkGG1dodSCvhTDhpzqr2fHjUxNp+D
--xk6OabmetywZvkGK0LKzYlGOL2pCxUNqxCv0i8HbAxSuGUiQgUMOcwOBhAACgYBj
--M6k+aHwl7UgNq4ReGBovPXjCphQcdyuPZVZUnp9GbwaF1AUlIjsZSTTymAplIqJz
--aU2rG7Nbv+8XEpD+e/N/K1jXpv7aL4FHhDrK8zMJ5sTWEdWDQm5PB9QzCgUQ6Fg/
--pnAdJSJCX0gEwf1M0kIzBgzF9j5U6tREWyMZNFSCnKOBgzCBgDAdBgNVHQ4EFgQU
--VhpVXqQ/EzUMdxLvP7o9EhJ8h70wHwYDVR0jBBgwFoAUE89Lp7uJLrM4Vxd2xput
--aFvl7RcwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBsAwIAYDVR0RBBkwF4EV
--c21pbWVkc2EzQG9wZW5zc2wub3JnMA0GCSqGSIb3DQEBBQUAA4GBACM9e75EQa8m
--k/AZkH/tROqf3yeqijULl9x8FjFatqoY+29OM6oMGM425IqSkKd2ipz7OxO0SShu
--rE0O3edS7DvYBwvhWPviRaYBMyZ4iFJVup+fOzoYK/j/bASxS3BHQBwb2r4rhe25
--OlTyyFEk7DJyW18YFOG97S1P52oQ5f5x
-+ZXN0IFMvTUlNRSBFRSBEU0EgIzMwggNGMIICOQYHKoZIzjgEATCCAiwCggEBAJB8
-+uU116E+dOsYgyHDiuTS65rqTWcIbfNzJ9eWLXsF0HaTQcE9pMDdrdkd863UDDLRS
-+7TBneB0+v3PQjriGclcgai7MhqdnudhEiYe1fkkwVtd7LGjU7B3ZmzegST2dBShS
-+wzG+ZgL+CE8vlnHWk/FwcI7DNbGgbjJkyOKZc5zX9bvO8r/j+D8LP18i0PfN1zJ1
-++Az+ErT8J5hDbXF+Gp/iaMq/2mWcJxaBOgYj7sfxUrzQwVuQ7ZApHPe8/X9OMro9
-+Gb2wR4HlvXT5K8a/aPbD4ILR9cvizqfs+0GWb9vDDzEvX8DPyTB6NRwgjUNzy43D
-+AhLAZvBoYG+XsgembbUCIQCuh1mL6cIpl1MvwiAKNfefQO6E9GRVA+PP8HpXB4tb
-+0wKCAQB+KaRQ3CewYWnuYozMkqEehCQwHWonPIgeMPND8nXGN+gXqLbtp/DX9Ypu
-+g0Pl6x5mGWEDZM7lkkHqcbEM4T2VVDFhWaX75xCPp+geHVNUkCAaXiZa695b9HP4
-+0SGkrjNV4Sx8ytuQHKk8HLLHMXVnj23nrzF0ij57yMsjwWMR1c4hSDh6EHc1jpIv
-+yvignj2P+wlZ8dwOhYf8sr1loEXw2l+Ul7cXjRLxEO8zyPYcL7LZDhDIqTUNcaIf
-+7vJAsZbOvczveQLdQGecfSEfFvshIMJPt0LD+UfWcJtUUE4zQBIjbpJKwVJdCu8P
-+aSvJFxNnQqTLKGGg84NalT5NAyzFA4IBBQACggEAcXvtfiJfIZ0wgGpN72ZeGrJ9
-+msUXOxow7w3fDbP8r8nfVkBNbfha8rx0eY6fURFVZzIOd8EHGKypcH1gS6eZNucf
-+zgsH1g5r5cRahMZmgGXBEBsWrh2IaDG7VSKt+9ghz27EKgjAQCzyHQL5FCJgR2p7
-+cv0V4SRqgiAGYlJ191k2WtLOsVd8kX//jj1l8TUgE7TqpuSEpaSyQ4nzJROpZWZp
-+N1RwFmCURReykABU/Nzin/+rZnvZrp8WoXSXEqxeB4mShRSaH57xFnJCpRwKJ4qS
-+2uhATzJaKH7vu63k3DjftbSBVh+32YXwtHc+BGjs8S2aDtCW3FtDA7Z6J8BIxaNg
-+MF4wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0OBBYEFMJxatDE
-+FCEFGl4uoiQQ1050Ju9RMB8GA1UdIwQYMBaAFMmRUwpjexZbi71E8HaIqSTm5bZs
-+MA0GCSqGSIb3DQEBBQUAA4IBAQBGZD1JnMep39KMOhD0iBTmyjhtcnRemckvRask
-+pS/CqPwo+M+lPNdxpLU2w9b0QhPnj0yAS/BS1yBjsLGY4DP156k4Q3QOhwsrTmrK
-+YOxg0w7DOpkv5g11YLJpHsjSOwg5uIMoefL8mjQK6XOFOmQXHJrUtGulu+fs6FlM
-+khGJcW4xYVPK0x/mHvTT8tQaTTkgTdVHObHF5Dyx/F9NMpB3RFguQPk2kT4lJc4i
-+Up8T9mLzaxz6xc4wwh8h70Zw81lkGYhX+LRk3sfd/REq9x4QXQNP9t9qU1CgrBzv
-+4orzt9cda4r+rleSg2XjWnXzMydE6DuwPVPZlqnLbSYUy660
- -----END CERTIFICATE-----
-diff --git a/test/smime-certs/smec1.pem b/test/smime-certs/smec1.pem
-new file mode 100644
-index 0000000..75a8626
---- /dev/null
-+++ b/test/smime-certs/smec1.pem
-@@ -0,0 +1,22 @@
-+-----BEGIN PRIVATE KEY-----
-+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgXzBRX9Z5Ib4LAVAS
-+DMlYvkj0SmLmYvWULe2LfyXRmpWhRANCAAS+SIj2FY2DouPRuNDp9WVpsqef58tV
-+3gIwV0EOV/xyYTzZhufZi/aBcXugWR1x758x4nHus2uEuEFi3Mr3K3+x
-+-----END PRIVATE KEY-----
-+-----BEGIN CERTIFICATE-----
-+MIICoDCCAYigAwIBAgIJANk5lu6mSyBGMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
-+BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
-+TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzFaFw0yMzA1MjYxNzI4MzFaMEQx
-+CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRU
-+ZXN0IFMvTUlNRSBFRSBFQyAjMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABL5I
-+iPYVjYOi49G40On1ZWmyp5/ny1XeAjBXQQ5X/HJhPNmG59mL9oFxe6BZHXHvnzHi
-+ce6za4S4QWLcyvcrf7GjYDBeMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgXg
-+MB0GA1UdDgQWBBR/ybxC2DI+Jydhx1FMgPbMTmLzRzAfBgNVHSMEGDAWgBTJkVMK
-+Y3sWW4u9RPB2iKkk5uW2bDANBgkqhkiG9w0BAQUFAAOCAQEAdk9si83JjtgHHHGy
-+WcgWDfM0jzlWBsgFNQ9DwAuB7gJd/LG+5Ocajg5XdA5FXAdKkfwI6be3PdcVs3Bt
-+7f/fdKfBxfr9/SvFHnK7PVAX2x1wwS4HglX1lfoyq1boSvsiJOnAX3jsqXJ9TJiV
-+FlgRVnhnrw6zz3Xs/9ZDMTENUrqDHPNsDkKEi+9SqIsqDXpMCrGHP4ic+S8Rov1y
-+S+0XioMxVyXDp6XcL4PQ/NgHbw5/+UcS0me0atZ6pW68C0vi6xeU5vxojyuZxMI1
-+DXXwMhOXWaKff7KNhXDUN0g58iWlnyaCz4XQwFsbbFs88TQ1+e/aj3bbwTxUeyN7
-+qtcHJA==
-+-----END CERTIFICATE-----
-diff --git a/test/smime-certs/smec2.pem b/test/smime-certs/smec2.pem
-new file mode 100644
-index 0000000..457297a
---- /dev/null
-+++ b/test/smime-certs/smec2.pem
-@@ -0,0 +1,23 @@
-+-----BEGIN PRIVATE KEY-----
-+MIGPAgEAMBAGByqGSM49AgEGBSuBBAAQBHgwdgIBAQQjhHaq507MOBznelrLG/pl
-+brnnJi/iEJUUp+Pm3PEiteXqckmhTANKAAQF2zs6vobmoT+M+P2+9LZ7asvFBNi7
-+uCzLYF/8j1Scn/spczoC9vNzVhNw+Lg7dnjNL4EDIyYZLl7E0v69luzbvy+q44/8
-+6bQ=
-+-----END PRIVATE KEY-----
-+-----BEGIN CERTIFICATE-----
-+MIICpTCCAY2gAwIBAgIJANk5lu6mSyBHMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
-+BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
-+TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzFaFw0yMzA1MjYxNzI4MzFaMEQx
-+CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRU
-+ZXN0IFMvTUlNRSBFRSBFQyAjMjBeMBAGByqGSM49AgEGBSuBBAAQA0oABAXbOzq+
-+huahP4z4/b70tntqy8UE2Lu4LMtgX/yPVJyf+ylzOgL283NWE3D4uDt2eM0vgQMj
-+JhkuXsTS/r2W7Nu/L6rjj/zptKNgMF4wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8E
-+BAMCBeAwHQYDVR0OBBYEFGf+QSQlkN20PsNN7x+jmQIJBDcXMB8GA1UdIwQYMBaA
-+FMmRUwpjexZbi71E8HaIqSTm5bZsMA0GCSqGSIb3DQEBBQUAA4IBAQBaBBryl2Ez
-+ftBrGENXMKQP3bBEw4n9ely6HvYQi9IC7HyK0ktz7B2FcJ4z96q38JN3cLxV0DhK
-+xT/72pFmQwZVJngvRaol0k1B+bdmM03llxCw/uNNZejixDjHUI9gEfbigehd7QY0
-+uYDu4k4O35/z/XPQ6O5Kzw+J2vdzU8GXlMBbWeZWAmEfLGbk3Ux0ouITnSz0ty5P
-+rkHTo0uprlFcZAsrsNY5v5iuomYT7ZXAR3sqGZL1zPOKBnyfXeNFUfnKsZW7Fnlq
-+IlYBQIjqR1HGxxgCSy66f1oplhxSch4PUpk5tqrs6LeOqc2+xROy1T5YrB3yjVs0
-+4ZdCllHZkhop
-+-----END CERTIFICATE-----
-diff --git a/test/smime-certs/smroot.pem b/test/smime-certs/smroot.pem
-index a59eb26..d1a253f 100644
---- a/test/smime-certs/smroot.pem
-+++ b/test/smime-certs/smroot.pem
-@@ -1,30 +1,49 @@
-------BEGIN RSA PRIVATE KEY-----
--MIICXAIBAAKBgQDBV1Z/Q5gPF7lojc8pKUdyz5+Jf2B3vs4he6egekugWnoJduki
--9Lnae/JchB/soIX0co3nLc11NuFFlnAWJNMDJr08l5AHAJLYNHevF5l/f9oDQwvZ
--speKh1xpIAJNqCTzVeQ/ZLx6/GccIXV/xDuKIiovqJTPgR5WPkYKaw++lQIDAQAB
--AoGALXnUj5SflJU4+B2652ydMKUjWl0KnL/VjkyejgGV/j6py8Ybaixz9q8Gv7oY
--JDlRqMC1HfZJCFQDQrHy5VJ+CywA/H9WrqKo/Ch9U4tJAZtkig1Cmay/BAYixVu0
--xBeim10aKF6hxHH4Chg9We+OCuzWBWJhqveNjuDedL/i7JUCQQDlejovcwBUCbhJ
--U12qKOwlaboolWbl7yF3XdckTJZg7+1UqQHZH5jYZlLZyZxiaC92SNV0SyTLJZnS
--Jh5CO+VDAkEA16/pPcuVtMMz/R6SSPpRSIAa1stLs0mFSs3NpR4pdm0n42mu05pO
--1tJEt3a1g7zkreQBf53+Dwb+lA841EkjRwJBAIFmt0DifKDnCkBu/jZh9SfzwsH3
--3Zpzik+hXxxdA7+ODCrdUul449vDd5zQD5t+XKU61QNLDGhxv5e9XvrCg7kCQH/a
--3ldsVF0oDaxxL+QkxoREtCQ5tLEd1u7F2q6Tl56FDE0pe6Ih6bQ8RtG+g9EI60IN
--U7oTrOO5kLWx5E0q4ccCQAZVgoenn9MhRU1agKOCuM6LT2DxReTu4XztJzynej+8
--0J93n3ebanB1MlRpn1XJwhQ7gAC8ImaQKLJK5jdJzFc=
-------END RSA PRIVATE KEY-----
-+-----BEGIN PRIVATE KEY-----
-+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCyyQXED5HyVWwq
-+nXyzmY317yMUJrIfsKvREG2C691dJNHgNg+oq5sjt/fzkyS84AvdOiicAsao4cYL
-+DulthaLpbC7msEBhvwAil0FNb5g3ERupe1KuTdUV1UuD/i6S2VoaNXUBBn1rD9Wc
-+BBc0lnx/4Wt92eQTI6925pt7ZHPQw2Olp7TQDElyi5qPxCem4uT0g3zbZsWqmmsI
-+MXbu+K3dEprzqA1ucKXbxUmZNkMwVs2XCmlLxrRUj8C3/zENtH17HWCznhR/IVcV
-+kgIuklkeiDsEhbWvUQumVXR7oPh/CPZAbjGqq5mVueHSHrp7brBVZKHZvoUka28Q
-+LWitq1W5AgMBAAECggEASkRnOMKfBeOmQy2Yl6K57eeg0sYgSDnDpd0FINWJ5x9c
-+b58FcjOXBodtYKlHIY6QXx3BsM0WaSEge4d+QBi7S+u8r+eXVwNYswXSArDQsk9R
-+Bl5MQkvisGciL3pvLmFLpIeASyS/BLJXMbAhU58PqK+jT2wr6idwxBuXivJ3ichu
-+ISdT1s2aMmnD86ulCD2DruZ4g0mmk5ffV+Cdj+WWkyvEaJW2GRYov2qdaqwSOxV4
-+Yve9qStvEIWAf2cISQjbnw2Ww6Z5ebrqlOz9etkmwIly6DTbrIneBnoqJlFFWGlF
-+ghuzc5RE2w1GbcKSOt0qXH44MTf/j0r86dlu7UIxgQKBgQDq0pEaiZuXHi9OQAOp
-+PsDEIznCU1bcTDJewANHag5DPEnMKLltTNyLaBRulMypI+CrDbou0nDr29VOzfXx
-+mNvi/c7RttOBOx7kXKvu0JUFKe2oIWRsg0KsyMX7UFMVaHFgrW+8DhQc7HK7URiw
-+nitOnA7YwIHRF9BMmcWcLFEYBQKBgQDC6LPbXV8COKO0YCfGXPnE7EZGD/p0Q92Z
-+8CoSefphEScSdO1IpxFXG7fOZ4x2GQb9q7D3IvaeKAqNjUjkuyxdB30lIWDBwSWw
-+fFgsa2SZwD5P60G/ar50YJr6LiF333aUMDVmC9swFfZERAEmGUz2NTrPWQdIx/lu
-+PyDtUR75JQKBgHaoCCJ8vl5SJl1IA5GV4Bo8IoeLTSzsY9d09zMy6BoZcMD1Ix2T
-+5S2cXhayoegl9PT6bsYSGHVWFCdJ86ktMI826TcXRzDaCvYhzc9THroJQcnfdbtP
-+aHWezkv7fsAmkoPjn75K7ubeo+r7Q5qbkg6a1PW58N8TRXIvkackzaVxAoGBALAq
-+qh3U+AHG9dgbrPeyo6KkuCOtX39ks8/mbfCDRZYkbb9V5f5r2tVz3R93IlK/7jyr
-+yWimtmde46Lrl33922w+T5OW5qBZllo9GWkUrDn3s5qClcuQjJIdmxYTSfbSCJiK
-+NkmE39lHkG5FVRB9f71tgTlWS6ox7TYDYxx83NTtAoGAUJPAkGt4yGAN4Pdebv53
-+bSEpAAULBHntiqDEOu3lVColHuZIucml/gbTpQDruE4ww4wE7dOhY8Q4wEBVYbRI
-+vHkSiWpJUvZCuKG8Foh5pm9hU0qb+rbQV7NhLJ02qn1AMGO3F/WKrHPPY8/b9YhQ
-+KfvPCYimQwBjVrEnSntLPR0=
-+-----END PRIVATE KEY-----
- -----BEGIN CERTIFICATE-----
--MIICaTCCAdKgAwIBAgIJAP6VN47boiXRMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
--BAYTAlVLMRYwFAYDVQQKEw1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDExRUZXN0IFMv
--TUlNRSBSU0EgUm9vdDAeFw0wODAyMjIxMzUzMDdaFw0xNjA1MTExMzUzMDdaMEQx
--CzAJBgNVBAYTAlVLMRYwFAYDVQQKEw1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDExRU
--ZXN0IFMvTUlNRSBSU0EgUm9vdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
--wVdWf0OYDxe5aI3PKSlHcs+fiX9gd77OIXunoHpLoFp6CXbpIvS52nvyXIQf7KCF
--9HKN5y3NdTbhRZZwFiTTAya9PJeQBwCS2DR3rxeZf3/aA0ML2bKXiodcaSACTagk
--81XkP2S8evxnHCF1f8Q7iiIqL6iUz4EeVj5GCmsPvpUCAwEAAaNjMGEwHQYDVR0O
--BBYEFBPPS6e7iS6zOFcXdsabrWhb5e0XMB8GA1UdIwQYMBaAFBPPS6e7iS6zOFcX
--dsabrWhb5e0XMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMA0GCSqG
--SIb3DQEBBQUAA4GBAIECprq5viDvnDbkyOaiSr9ubMUmWqvycfAJMdPZRKcOZczS
--l+L9R9lF3JSqbt3knOe9u6bGDBOTY2285PdCCuHRVMk2Af1f6El1fqAlRUwNqipp
--r68sWFuRqrcRNtk6QQvXfkOhrqQBuDa7te/OVQLa2lGN9Dr2mQsD8ijctatG
-+MIIDbjCCAlagAwIBAgIJAMc+8VKBJ/S9MA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
-+BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
-+TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MjlaFw0yMzA3MTUxNzI4MjlaMEQx
-+CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRU
-+ZXN0IFMvTUlNRSBSU0EgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
-+ggEBALLJBcQPkfJVbCqdfLOZjfXvIxQmsh+wq9EQbYLr3V0k0eA2D6irmyO39/OT
-+JLzgC906KJwCxqjhxgsO6W2FoulsLuawQGG/ACKXQU1vmDcRG6l7Uq5N1RXVS4P+
-+LpLZWho1dQEGfWsP1ZwEFzSWfH/ha33Z5BMjr3bmm3tkc9DDY6WntNAMSXKLmo/E
-+J6bi5PSDfNtmxaqaawgxdu74rd0SmvOoDW5wpdvFSZk2QzBWzZcKaUvGtFSPwLf/
-+MQ20fXsdYLOeFH8hVxWSAi6SWR6IOwSFta9RC6ZVdHug+H8I9kBuMaqrmZW54dIe
-+untusFVkodm+hSRrbxAtaK2rVbkCAwEAAaNjMGEwHQYDVR0OBBYEFMmRUwpjexZb
-+i71E8HaIqSTm5bZsMB8GA1UdIwQYMBaAFMmRUwpjexZbi71E8HaIqSTm5bZsMA8G
-+A1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4IB
-+AQAwpIVWQey2u/XoQSMSu0jd0EZvU+lhLaFrDy/AHQeG3yX1+SAOM6f6w+efPvyb
-+Op1NPI9UkMPb4PCg9YC7jgYokBkvAcI7J4FcuDKMVhyCD3cljp0ouuKruvEf4FBl
-+zyQ9pLqA97TuG8g1hLTl8G90NzTRcmKpmhs18BmCxiqHcTfoIpb3QvPkDX8R7LVt
-+9BUGgPY+8ELCgw868TuHh/Cnc67gBtRjBp0sCYVzGZmKsO5f1XdHrAZKYN5mEp0C
-+7/OqcDoFqORTquLeycg1At/9GqhDEgxNrqA+YEsPbLGAfsNuXUsXs2ubpGsOZxKt
-+Emsny2ah6fU2z7PztrUy/A80
- -----END CERTIFICATE-----
-diff --git a/test/smime-certs/smrsa1.pem b/test/smime-certs/smrsa1.pem
-index 2cf3148..d0d0b9e 100644
---- a/test/smime-certs/smrsa1.pem
-+++ b/test/smime-certs/smrsa1.pem
-@@ -1,31 +1,49 @@
-------BEGIN RSA PRIVATE KEY-----
--MIICXgIBAAKBgQC6A978j4pmPgUtUQqF+bjh6vdhwGOGZSD7xXgFTMjm88twfv+E
--ixkq2KXSDjD0ZXoQbdOaSbvGRQrIJpG2NGiKAFdYNrP025kCCdh5wF/aEI7KLEm7
--JlHwXpQsuj4wkMgmkFjL3Ty4Z55aNH+2pPQIa0k+ENJXm2gDuhqgBmduAwIDAQAB
--AoGBAJMuYu51aO2THyeHGwt81uOytcCbqGP7eoib62ZOJhxPRGYjpmuqX+R9/V5i
--KiwGavm63JYUx0WO9YP+uIZxm1BUATzkgkS74u5LP6ajhkZh6/Bck1oIYYkbVOXl
--JVrdENuH6U7nupznsyYgONByo+ykFPVUGmutgiaC7NMVo/MxAkEA6KLejWXdCIEn
--xr7hGph9NlvY9xuRIMexRV/WrddcFfCdjI1PciIupgrIkR65M9yr7atm1iU6/aRf
--KOr8rLZsSQJBAMyyXN71NsDNx4BP6rtJ/LJMP0BylznWkA7zWfGCbAYn9VhZVlSY
--Eu9Gyr7quD1ix7G3kInKVYOEEOpockBLz+sCQQCedyMmKjcQLfpMVYW8uhbAynvW
--h36qV5yXZxszO7nMcCTBsxhk5IfmLv5EbCs3+p9avCDGyoGOeUMg+kC33WORAkAg
--oUIarH4o5+SoeJTTfCzTA0KF9H5U0vYt2+73h7HOnWoHxl3zqDZEfEVvf50U8/0f
--QELDJETTbScBJtsnkq43AkEA38etvoZ2i4FJvvo7R/9gWBHVEcrGzcsCBYrNnIR1
--SZLRwHEGaiOK1wxMsWzqp7PJwL9z/M8A8DyOFBx3GPOniA==
-------END RSA PRIVATE KEY-----
-+-----BEGIN PRIVATE KEY-----
-+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDXr9uzB/20QXKC
-+xhkfNnJvl2xl1hzdOcrQmAqo+AAAcA/D49ImuJDVQRaK2bcj54XB26i1kXuOrxID
-+3/etUb8yudfx8OAVwh8G0xVA4zhr8uXW85W2tBr4v0Lt+W6lSd6Hmfrk4GmE9LTU
-+/vzl9HUPW6SZShN1G0nY6oeUXvLi0vasEUKv3a51T6JFYg4c7qt5RCk/w8kwrQ0D
-+orQwCdkOPEIiC4b+nPStF12SVm5bx8rbYzioxuY/PdSebvt0APeqgRxSpCxqYnHs
-+CoNeHzSrGXcP0COzFeUOz2tdrhmH09JLbGZs4nbojPxMkjpJSv3/ekDG2CHYxXSH
-+XxpJstxZAgMBAAECggEASY4xsJaTEPwY3zxLqPdag2/yibBBW7ivz/9p80HQTlXp
-+KnbxXj8nNXLjCytAZ8A3P2t316PrrTdLP4ML5lGwkM4MNPhek00GY79syhozTa0i
-+cPHVJt+5Kwee/aVI9JmCiGAczh0yHyOM3+6ttIZvvXMVaSl4BUHvJ0ikQBc5YdzL
-+s6VM2gCOR6K6n+39QHDI/T7WwO9FFSNnpWFOCHwAWtyBMlleVj+xeZX8OZ/aT+35
-+27yjsGNBftWKku29VDineiQC+o+fZGJs6w4JZHoBSP8TfxP8fRCFVNA281G78Xak
-+cEnKXwZ54bpoSa3ThKl+56J6NHkkfRGb8Rgt/ipJYQKBgQD5DKb82mLw85iReqsT
-+8bkp408nPOBGz7KYnQsZqAVNGfehM02+dcN5z+w0jOj6GMPLPg5whlEo/O+rt9ze
-+j6c2+8/+B4Bt5oqCKoOCIndH68jl65+oUxFkcHYxa3zYKGC9Uvb+x2BtBmYgvDRG
-+ew6I2Q3Zyd2ThZhJygUZpsjsbQKBgQDdtNiGTkgWOm+WuqBI1LT5cQfoPfgI7/da
-+ZA+37NBUQRe0cM7ddEcNqx7E3uUa1JJOoOYv65VyGI33Ul+evI8h5WE5bupcCEFk
-+LolzbMc4YQUlsySY9eUXM8jQtfVtaWhuQaABt97l+9oADkrhA+YNdEu2yiz3T6W+
-+msI5AnvkHQKBgDEjuPMdF/aY6dqSjJzjzfgg3KZOUaZHJuML4XvPdjRPUlfhKo7Q
-+55/qUZ3Qy8tFBaTderXjGrJurc+A+LiFOaYUq2ZhDosguOWUA9yydjyfnkUXZ6or
-+sbvSoM+BeOGhnezdKNT+e90nLRF6cQoTD7war6vwM6L+8hxlGvqDuRNFAoGAD4K8
-+d0D4yB1Uez4ZQp8m/iCLRhM3zCBFtNw1QU/fD1Xye5w8zL96zRkAsRNLAgKHLdsR
-+355iuTXAkOIBcJCOjveGQsdgvAmT0Zdz5FBi663V91o+IDlryqDD1t40CnCKbtRG
-+hng/ruVczg4x7OYh7SUKuwIP/UlkNh6LogNreX0CgYBQF9troLex6X94VTi1V5hu
-+iCwzDT6AJj63cS3VRO2ait3ZiLdpKdSNNW2WrlZs8FZr/mVutGEcWho8BugGMWST
-+1iZkYwly9Xfjnpd0I00ZIlr2/B3+ZsK8w5cOW5Lpb7frol6+BkDnBjbNZI5kQndn
-+zQpuMJliRlrq/5JkIbH6SA==
-+-----END PRIVATE KEY-----
- -----BEGIN CERTIFICATE-----
--MIICizCCAfSgAwIBAgIJAMtotfHYdEsTMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
--BAYTAlVLMRYwFAYDVQQKEw1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDExRUZXN0IFMv
--TUlNRSBSU0EgUm9vdDAeFw0wODAyMjIxMzUzMDhaFw0xNjA1MTAxMzUzMDhaMEUx
-+MIIDbDCCAlSgAwIBAgIJANk5lu6mSyBAMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
-+BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
-+TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzBaFw0yMzA1MjYxNzI4MzBaMEUx
- CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU
--ZXN0IFMvTUlNRSBFRSBSU0EgIzEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB
--ALoD3vyPimY+BS1RCoX5uOHq92HAY4ZlIPvFeAVMyObzy3B+/4SLGSrYpdIOMPRl
--ehBt05pJu8ZFCsgmkbY0aIoAV1g2s/TbmQIJ2HnAX9oQjsosSbsmUfBelCy6PjCQ
--yCaQWMvdPLhnnlo0f7ak9AhrST4Q0lebaAO6GqAGZ24DAgMBAAGjgYMwgYAwHQYD
--VR0OBBYEFE2vMvKz5jrC7Lbdg68XwZ95iL/QMB8GA1UdIwQYMBaAFBPPS6e7iS6z
--OFcXdsabrWhb5e0XMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgXgMCAGA1Ud
--EQQZMBeBFXNtaW1lcnNhMUBvcGVuc3NsLm9yZzANBgkqhkiG9w0BAQUFAAOBgQAi
--O3GOkUl646oLnOimc36i9wxZ1tejsqs8vMjJ0Pym6Uq9FE2JoGzJ6OhB1GOsEVmj
--9cQ5UNQcRYL3cqOFtl6f4Dpu/lhzfbaqgmLjv29G1mS0uuTZrixhlyCXjwcbOkNC
--I/+wvHHENYIK5+T/79M9LaZ2Qk4F9MNE1VMljdz9Qw==
-+ZXN0IFMvTUlNRSBFRSBSU0EgIzEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
-+AoIBAQDXr9uzB/20QXKCxhkfNnJvl2xl1hzdOcrQmAqo+AAAcA/D49ImuJDVQRaK
-+2bcj54XB26i1kXuOrxID3/etUb8yudfx8OAVwh8G0xVA4zhr8uXW85W2tBr4v0Lt
-++W6lSd6Hmfrk4GmE9LTU/vzl9HUPW6SZShN1G0nY6oeUXvLi0vasEUKv3a51T6JF
-+Yg4c7qt5RCk/w8kwrQ0DorQwCdkOPEIiC4b+nPStF12SVm5bx8rbYzioxuY/PdSe
-+bvt0APeqgRxSpCxqYnHsCoNeHzSrGXcP0COzFeUOz2tdrhmH09JLbGZs4nbojPxM
-+kjpJSv3/ekDG2CHYxXSHXxpJstxZAgMBAAGjYDBeMAwGA1UdEwEB/wQCMAAwDgYD
-+VR0PAQH/BAQDAgXgMB0GA1UdDgQWBBTmjc+lrTQuYx/VBOBGjMvufajvhDAfBgNV
-+HSMEGDAWgBTJkVMKY3sWW4u9RPB2iKkk5uW2bDANBgkqhkiG9w0BAQUFAAOCAQEA
-+dr2IRXcFtlF16kKWs1VTaFIHHNQrfSVHBkhKblPX3f/0s/i3eXgwKUu7Hnb6T3/o
-+E8L+e4ioQNhahTLt9ruJNHWA/QDwOfkqM3tshCs2xOD1Cpy7Bd3Dn0YBrHKyNXRK
-+WelGp+HetSXJGW4IZJP7iES7Um0DGktLabhZbe25EnthRDBjNnaAmcofHECWESZp
-+lEHczGZfS9tRbzOCofxvgLbF64H7wYSyjAe6R8aain0VRbIusiD4tCHX/lOMh9xT
-+GNBW8zTL+tV9H1unjPMORLnT0YQ3oAyEND0jCu0ACA1qGl+rzxhF6bQcTUNEbRMu
-+9Hjq6s316fk4Ne0EUF3PbA==
- -----END CERTIFICATE-----
-diff --git a/test/smime-certs/smrsa2.pem b/test/smime-certs/smrsa2.pem
-index d41f69c..2f17cb2 100644
---- a/test/smime-certs/smrsa2.pem
-+++ b/test/smime-certs/smrsa2.pem
-@@ -1,31 +1,49 @@
-------BEGIN RSA PRIVATE KEY-----
--MIICWwIBAAKBgQCwBfryW4Vu5U9wNIDKspJO/N9YF4CcTlrCUyzVlKgb+8urHlSe
--59i5verR9IOCCXkemjOzZ/3nALTGqYZlnEvHp0Rjk+KdKXnKBIB+SRPpeu3LcXMT
--WPgsThPa0UQxedNKG0g6aG+kLhsDlFBCoxd09jJtSpb9jmroJOq0ZYEHLwIDAQAB
--AoGAKa/w4677Je1W5+r3SYoLDnvi5TkDs4D3C6ipKJgBTEdQz+DqB4w/DpZE4551
--+rkFn1LDxcxuHGRVa+tAMhZW97fwq9YUbjVZEyOz79qrX+BMyl/NbHkf1lIKDo3q
--dWalzQvop7nbzeLC+VmmviwZfLQUbA61AQl3jm4dswT4XykCQQDloDadEv/28NTx
--bvvywvyGuvJkCkEIycm4JrIInvwsd76h/chZ3oymrqzc7hkEtK6kThqlS5y+WXl6
--QzPruTKTAkEAxD2ro/VUoN+scIVaLmn0RBmZ67+9Pdn6pNSfjlK3s0T0EM6/iUWS
--M06l6L9wFS3/ceu1tIifsh9BeqOGTa+udQJARIFnybTBaIqw/NZ/lA1YCVn8tpvY
--iyaoZ6gjtS65TQrsdKeh/i3HCHNUXxUpoZ3F/H7QtD+6o49ODou+EbVOwQJAVmex
--A2gp8wuJKaINqxIL81AybZLnCCzKJ3lXJ5tUNyLNM/lUbGStktm2Q1zHRQwTxV07
--jFn7trn8YrtNjzcjYQJAUKIJRt38A8Jw3HoPT+D0WS2IgxjVL0eYGsZX1lyeammG
--6rfnQ3u5uP7mEK2EH2o8mDUpAE0gclWBU9UkKxJsGA==
-------END RSA PRIVATE KEY-----
-+-----BEGIN PRIVATE KEY-----
-+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDcYC4tS2Uvn1Z2
-+iDgtfkJA5tAqgbN6X4yK02RtVH5xekV9+6+eTt/9S+iFAzAnwqR/UB1R67ETrsWq
-+V8u9xLg5fHIwIkmu9/6P31UU9cghO7J1lcrhHvooHaFpcXepPWQacpuBq2VvcKRD
-+lDfVmdM5z6eS3dSZPTOMMP/xk4nhZB8mcw27qiccPieS0PZ9EZB63T1gmwaK1Rd5
-+U94Pl0+zpDqhViuXmBfiIDWjjz0BzHnHSz5Rg4S3oXF1NcojhptIWyI0r7dgn5J3
-+NxC4kgKdjzysxo6iWd0nLgz7h0jUdj79EOis4fg9G4f0EFWyQf7iDxGaA93Y9ePB
-+Jv5iFZVZAgMBAAECggEBAILIPX856EHb0KclbhlpfY4grFcdg9LS04grrcTISQW1
-+J3p9nBpZ+snKe6I8Yx6lf5PiipPsSLlCliHiWpIzJZVQCkAQiSPiHttpEYgP2IYI
-+dH8dtznkdVbLRthZs0bnnPmpHCpW+iqpcYJ9eqkz0cvUNUGOjjWmwWmoRqwp/8CW
-+3S1qbkQiCh0Mk2fQeGar76R06kXQ9MKDEj14zyS3rJX+cokjEoMSlH8Sbmdh2mJz
-+XlNZcvqmeGJZwQWgbVVHOMUuZaKJiFa+lqvOdppbqSx0AsCRq6vjmjEYQEoOefYK
-+3IJM9IvqW5UNx0Cy4kQdjhZFFwMO/ALD3QyF21iP4gECgYEA+isQiaWdaY4UYxwK
-+Dg+pnSCKD7UGZUaCUIv9ds3CbntMOONFe0FxPsgcc4jRYQYj1rpQiFB8F11+qXGa
-+P/IHcnjr2+mTrNY4I9Bt1Lg+pHSS8QCgzeueFybYMLaSsXUo7tGwpvw6UUb6/YWI
-+LNCzZbrCLg1KZjGODhhxtvN45ZkCgYEA4YNSe+GMZlxgsvxbLs86WOm6DzJUPvxN
-+bWmni0+Oe0cbevgGEUjDVc895uMFnpvlgO49/C0AYJ+VVbStjIMgAeMnWj6OZoSX
-+q49rI8KmKUxKgORZiiaMqGWQ7Rxv68+4S8WANsjFxoUrE6dNV3uYDIUsiSLbZeI8
-+38KVTcLohcECgYEAiOdyWHGq0G4xl/9rPUCzCMsa4velNV09yYiiwBZgVgfhsawm
-+hQpOSBZJA60XMGqkyEkT81VgY4UF4QLLcD0qeCnWoXWVHFvrQyY4RNZDacpl87/t
-+QGO2E2NtolL3umesa+2TJ/8Whw46Iu2llSjtVDm9NGiPk5eA7xPPf1iEi9kCgYAb
-+0EmVE91wJoaarLtGS7LDkpgrFacEWbPnAbfzW62UENIX2Y1OBm5pH/Vfi7J+vHWS
-+8E9e0eIRCL2vY2hgQy/oa67H151SkZnvQ/IP6Ar8Xvd1bDSK8HQ6tMQqKm63Y9g0
-+KDjHCP4znOsSMnk8h/bZ3HcAtvbeWwftBR/LBnYNQQKBgA1leIXLLHRoX0VtS/7e
-+y7Xmn7gepj+gDbSuCs5wGtgw0RB/1z/S3QoS2TCbZzKPBo20+ivoRP7gcuFhduFR
-+hT8V87esr/QzLVpjLedQDW8Xb7GiO3BsU/gVC9VcngenbL7JObl3NgvdreIYo6+n
-+yrLyf+8hjm6H6zkjqiOkHAl+
-+-----END PRIVATE KEY-----
- -----BEGIN CERTIFICATE-----
--MIICizCCAfSgAwIBAgIJAMtotfHYdEsUMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
--BAYTAlVLMRYwFAYDVQQKEw1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDExRUZXN0IFMv
--TUlNRSBSU0EgUm9vdDAeFw0wODAyMjIxMzUzMDhaFw0xNjA1MTAxMzUzMDhaMEUx
-+MIIDbDCCAlSgAwIBAgIJANk5lu6mSyBBMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
-+BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
-+TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzBaFw0yMzA1MjYxNzI4MzBaMEUx
- CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU
--ZXN0IFMvTUlNRSBFRSBSU0EgIzIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB
--ALAF+vJbhW7lT3A0gMqykk7831gXgJxOWsJTLNWUqBv7y6seVJ7n2Lm96tH0g4IJ
--eR6aM7Nn/ecAtMaphmWcS8enRGOT4p0pecoEgH5JE+l67ctxcxNY+CxOE9rRRDF5
--00obSDpob6QuGwOUUEKjF3T2Mm1Klv2Oaugk6rRlgQcvAgMBAAGjgYMwgYAwHQYD
--VR0OBBYEFIL/u+mEvaw7RuKLRuElfVkxSQjYMB8GA1UdIwQYMBaAFBPPS6e7iS6z
--OFcXdsabrWhb5e0XMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgXgMCAGA1Ud
--EQQZMBeBFXNtaW1lcnNhMkBvcGVuc3NsLm9yZzANBgkqhkiG9w0BAQUFAAOBgQC2
--rXR5bm/9RtOMQPleNpd3y6uUX3oy+0CafK5Yl3PMnItjjnKJ0l1/DbLbDj2twehe
--ewaB8CROcBCA3AMLSmGvPKgUCFMGtWam3328M4fBHzon5ka7qDXzM+imkAly/Yx2
--YNdR/aNOug+5sXygHmTSKqiCpQjOIClzXoPVVeEVHw==
-+ZXN0IFMvTUlNRSBFRSBSU0EgIzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
-+AoIBAQDcYC4tS2Uvn1Z2iDgtfkJA5tAqgbN6X4yK02RtVH5xekV9+6+eTt/9S+iF
-+AzAnwqR/UB1R67ETrsWqV8u9xLg5fHIwIkmu9/6P31UU9cghO7J1lcrhHvooHaFp
-+cXepPWQacpuBq2VvcKRDlDfVmdM5z6eS3dSZPTOMMP/xk4nhZB8mcw27qiccPieS
-+0PZ9EZB63T1gmwaK1Rd5U94Pl0+zpDqhViuXmBfiIDWjjz0BzHnHSz5Rg4S3oXF1
-+NcojhptIWyI0r7dgn5J3NxC4kgKdjzysxo6iWd0nLgz7h0jUdj79EOis4fg9G4f0
-+EFWyQf7iDxGaA93Y9ePBJv5iFZVZAgMBAAGjYDBeMAwGA1UdEwEB/wQCMAAwDgYD
-+VR0PAQH/BAQDAgXgMB0GA1UdDgQWBBT0arpyYMHXDPVL7MvzE+lx71L7sjAfBgNV
-+HSMEGDAWgBTJkVMKY3sWW4u9RPB2iKkk5uW2bDANBgkqhkiG9w0BAQUFAAOCAQEA
-+I8nM42am3aImkZyrw8iGkaGhKyi/dfajSWx6B9izBUh+3FleBnUxxOA+mn7M8C47
-+Ne18iaaWK8vEux9KYTIY8BzXQZL1AuZ896cXEc6bGKsME37JSsocfuB5BIGWlYLv
-+/ON5/SJ0iVFj4fAp8z7Vn5qxRJj9BhZDxaO1Raa6cz6pm0imJy9v8y01TI6HsK8c
-+XJQLs7/U4Qb91K+IDNX/lgW3hzWjifNpIpT5JyY3DUgbkD595LFV5DDMZd0UOqcv
-+6cyN42zkX8a0TWr3i5wu7pw4k1oD19RbUyljyleEp0DBauIct4GARdBGgi5y1H2i
-+NzYzLAPBkHCMY0Is3KKIBw==
- -----END CERTIFICATE-----
-diff --git a/test/smime-certs/smrsa3.pem b/test/smime-certs/smrsa3.pem
-index c8cbe55..14c27f6 100644
---- a/test/smime-certs/smrsa3.pem
-+++ b/test/smime-certs/smrsa3.pem
-@@ -1,31 +1,49 @@
-------BEGIN RSA PRIVATE KEY-----
--MIICXAIBAAKBgQC6syTZtZNe1hRScFc4PUVyVLsr7+C1HDIZnOHmwFoLayX6RHwy
--ep/TkdwiPHnemVLuwvpSjLMLZkXy/J764kSHJrNeVl3UvmCVCOm40hAtK1+F39pM
--h8phkbPPD7i+hwq4/Vs79o46nzwbVKmzgoZBJhZ+codujUSYM3LjJ4aq+wIDAQAB
--AoGAE1Zixrnr3bLGwBMqtYSDIOhtyos59whImCaLr17U9MHQWS+mvYO98if1aQZi
--iQ/QazJ+wvYXxWJ+dEB+JvYwqrGeuAU6He/rAb4OShG4FPVU2D19gzRnaButWMeT
--/1lgXV08hegGBL7RQNaN7b0viFYMcKnSghleMP0/q+Y/oaECQQDkXEwDYJW13X9p
--ijS20ykWdY5lLknjkHRhhOYux0rlhOqsyMZjoUmwI2m0qj9yrIysKhrk4MZaM/uC
--hy0xp3hdAkEA0Uv/UY0Kwsgc+W6YxeypECtg1qCE6FBib8n4iFy/6VcWqhvE5xrs
--OdhKv9/p6aLjLneGd1sU+F8eS9LGyKIbNwJBAJPgbNzXA7uUZriqZb5qeTXxBDfj
--RLfXSHYKAKEULxz3+JvRHB9SR4yHMiFrCdExiZrHXUkPgYLSHLGG5a4824UCQD6T
--9XvhquUARkGCAuWy0/3Eqoihp/t6BWSdQ9Upviu7YUhtUxsyXo0REZB7F4pGrJx5
--GlhXgFaewgUzuUHFzlMCQCzJMMWslWpoLntnR6sMhBMhBFHSw+Y5CbxBmFrdtSkd
--VdtNO1VuDCTxjjW7W3Khj7LX4KZ1ye/5jfAgnnnXisc=
-------END RSA PRIVATE KEY-----
-+-----BEGIN PRIVATE KEY-----
-+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCyK+BTAOJKJjji
-+OhY60NeZjzGGZxEBfCm62n0mwkzusW/V/e63uwj6uOVCFoVBz5doMf3M6QIS2jL3
-+Aw6Qs5+vcuLA0gHrqIwjYQz1UZ5ETLKLKbQw6YOIVfsFSTxytUVpfcByrubWiLKX
-+63theG1/IVokDK/9/k52Kyt+wcCjuRb7AJQFj2OLDRuWm/gavozkK103gQ+dUq4H
-+XamZMtTq1EhQOfc0IUeCOEL6xz4jzlHHfzLdkvb7Enhav2sXDfOmZp/DYf9IqS7l
-+vFkkINPVbYFBTexaPZlFwmpGRjkmoyH/w+Jlcpzs+w6p1diWRpaSn62bbkRN49j6
-+L2dVb+DfAgMBAAECggEAciwDl6zdVT6g/PbT/+SMA+7qgYHSN+1koEQaJpgjzGEP
-+lUUfj8TewCtzXaIoyj9IepBuXryBg6snNXpT/w3bqgYon/7zFBvxkUpDj4A5tvKf
-+BuY2fZFlpBvUu1Ju1eKrFCptBBBoA9mc+BUB/ze4ktrAdJFcxZoMlVScjqGB3GdR
-+OHw2x9BdWGCJBhiu9VHhAAb/LVWi6xgDumYSWZwN2yovg+7J91t5bsENeBRHycK+
-+i5dNFh1umIK9N0SH6bpHPnLHrCRchrQ6ZRRxL4ZBKA9jFRDeI7OOsJuCvhGyJ1se
-+snsLjr/Ahg00aiHCcC1SPQ6pmXAVBCG7hf4AX82V4QKBgQDaFDE+Fcpv84mFo4s9
-+wn4CZ8ymoNIaf5zPl/gpH7MGots4NT5+Ns+6zzJQ6TEpDjTPx+vDaabP7QGXwVZn
-+8NAHYvCQK37b+u9HrOt256YYRDOmnJFSbsJdmqzMEzpTNmQ8GuI37cZCS9CmSMv+
-+ab/plcwuv0cJRSC83NN2AFyu1QKBgQDRJzKIBQlpprF9rA0D5ZjLVW4OH18A0Mmm
-+oanw7qVutBaM4taFN4M851WnNIROyYIlkk2fNgW57Y4M8LER4zLrjU5HY4lB0BMX
-+LQWDbyz4Y7L4lVnnEKfQxWFt9avNZwiCxCxEKy/n/icmVCzc91j9uwKcupdzrN6E
-+yzPd1s5y4wKBgQCkJvzmAdsOp9/Fg1RFWcgmIWHvrzBXl+U+ceLveZf1j9K5nYJ7
-+2OBGer4iH1XM1I+2M4No5XcWHg3L4FEdDixY0wXHT6Y/CcThS+015Kqmq3fBmyrc
-+RNjzQoF9X5/QkSmkAIx1kvpgXtcgw70htRIrToGSUpKzDKDW6NYXhbA+PQKBgDJK
-+KH5IJ8E9kYPUMLT1Kc4KVpISvPcnPLVSPdhuqVx69MkfadFSTb4BKbkwiXegQCjk
-+isFzbeEM25EE9q6EYKP+sAm+RyyJ6W0zKBY4TynSXyAiWSGUAaXTL+AOqCaVVZiL
-+rtEdSUGQ/LzclIT0/HLV2oTw4KWxtTdc3LXEhpNdAoGBAM3LckiHENqtoeK2gVNw
-+IPeEuruEqoN4n+XltbEEv6Ymhxrs6T6HSKsEsLhqsUiIvIzH43KMm45SNYTn5eZh
-+yzYMXLmervN7c1jJe2Y2MYv6hE+Ypj1xGW4w7s8WNKmVzLv97beisD9AZrS7sXfF
-+RvOAi5wVkYylDxV4238MAZIq
-+-----END PRIVATE KEY-----
- -----BEGIN CERTIFICATE-----
--MIICizCCAfSgAwIBAgIJAMtotfHYdEsVMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
--BAYTAlVLMRYwFAYDVQQKEw1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDExRUZXN0IFMv
--TUlNRSBSU0EgUm9vdDAeFw0wODAyMjIxMzUzMDlaFw0xNjA1MTAxMzUzMDlaMEUx
-+MIIDbDCCAlSgAwIBAgIJANk5lu6mSyBCMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
-+BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
-+TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzBaFw0yMzA1MjYxNzI4MzBaMEUx
- CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU
--ZXN0IFMvTUlNRSBFRSBSU0EgIzMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB
--ALqzJNm1k17WFFJwVzg9RXJUuyvv4LUcMhmc4ebAWgtrJfpEfDJ6n9OR3CI8ed6Z
--Uu7C+lKMswtmRfL8nvriRIcms15WXdS+YJUI6bjSEC0rX4Xf2kyHymGRs88PuL6H
--Crj9Wzv2jjqfPBtUqbOChkEmFn5yh26NRJgzcuMnhqr7AgMBAAGjgYMwgYAwHQYD
--VR0OBBYEFDsSFjNtYZzd0tTHafNS7tneQQj6MB8GA1UdIwQYMBaAFBPPS6e7iS6z
--OFcXdsabrWhb5e0XMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgXgMCAGA1Ud
--EQQZMBeBFXNtaW1lcnNhM0BvcGVuc3NsLm9yZzANBgkqhkiG9w0BAQUFAAOBgQBE
--tUDB+1Dqigu4p1xtdq7JRK6S+gfA7RWmhz0j2scb2zhpS12h37JLHsidGeKAzZYq
--jUjOrH/j3xcV5AnuJoqImJaN23nzzxtR4qGGX2mrq6EtObzdEGgCUaizsGM+0slJ
--PYxcy8KeY/63B1BpYhj2RjGkL6HrvuAaxVORa3acoA==
-+ZXN0IFMvTUlNRSBFRSBSU0EgIzMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
-+AoIBAQCyK+BTAOJKJjjiOhY60NeZjzGGZxEBfCm62n0mwkzusW/V/e63uwj6uOVC
-+FoVBz5doMf3M6QIS2jL3Aw6Qs5+vcuLA0gHrqIwjYQz1UZ5ETLKLKbQw6YOIVfsF
-+STxytUVpfcByrubWiLKX63theG1/IVokDK/9/k52Kyt+wcCjuRb7AJQFj2OLDRuW
-+m/gavozkK103gQ+dUq4HXamZMtTq1EhQOfc0IUeCOEL6xz4jzlHHfzLdkvb7Enha
-+v2sXDfOmZp/DYf9IqS7lvFkkINPVbYFBTexaPZlFwmpGRjkmoyH/w+Jlcpzs+w6p
-+1diWRpaSn62bbkRN49j6L2dVb+DfAgMBAAGjYDBeMAwGA1UdEwEB/wQCMAAwDgYD
-+VR0PAQH/BAQDAgXgMB0GA1UdDgQWBBQ6CkW5sa6HrBsWvuPOvMjyL5AnsDAfBgNV
-+HSMEGDAWgBTJkVMKY3sWW4u9RPB2iKkk5uW2bDANBgkqhkiG9w0BAQUFAAOCAQEA
-+JhcrD7AKafVzlncA3cZ6epAruj1xwcfiE+EbuAaeWEGjoSltmevcjgoIxvijRVcp
-+sCbNmHJZ/siQlqzWjjf3yoERvLDqngJZZpQeocMIbLRQf4wgLAuiBcvT52wTE+sa
-+VexeETDy5J1OW3wE4A3rkdBp6hLaymlijFNnd5z/bP6w3AcIMWm45yPm0skM8RVr
-+O3UstEFYD/iy+p+Y/YZDoxYQSW5Vl+NkpGmc5bzet8gQz4JeXtH3z5zUGoDM4XK7
-+tXP3yUi2eecCbyjh/wgaQiVdylr1Kv3mxXcTl+cFO22asDkh0R/y72nTCu5fSILY
-+CscFo2Z2pYROGtZDmYqhRw==
- -----END CERTIFICATE-----
---
-1.9.1
-
diff --git a/SOURCES/openssl-1.0.1e-version.patch b/SOURCES/openssl-1.0.1e-version.patch
deleted file mode 100644
index e73f2c9..0000000
--- a/SOURCES/openssl-1.0.1e-version.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-diff -up openssl-1.0.1e/crypto/cversion.c.version openssl-1.0.1e/crypto/cversion.c
---- openssl-1.0.1e/crypto/cversion.c.version 2013-02-11 16:02:47.000000000 +0100
-+++ openssl-1.0.1e/crypto/cversion.c 2013-07-26 12:28:12.739161925 +0200
-@@ -62,7 +62,7 @@
- #include "buildinf.h"
- #endif
-
--const char *SSLeay_version(int t)
-+const char *_current_SSLeay_version(int t)
- {
- if (t == SSLEAY_VERSION)
- return OPENSSL_VERSION_TEXT;
-@@ -110,8 +110,25 @@ const char *SSLeay_version(int t)
- return("not available");
- }
-
--unsigned long SSLeay(void)
-+const char *_original_SSLeay_version(int t)
-+ {
-+ if (t == SSLEAY_VERSION)
-+ return "OpenSSL 1.0.0-fips 29 Mar 2010";
-+ else
-+ return _current_SSLeay_version(t);
-+ }
-+
-+unsigned long _original_SSLeay(void)
-+ {
-+ return(0x10000003);
-+ }
-+
-+unsigned long _current_SSLeay(void)
- {
- return(SSLEAY_VERSION_NUMBER);
- }
-
-+__asm__(".symver _original_SSLeay,SSLeay@");
-+__asm__(".symver _original_SSLeay_version,SSLeay_version@");
-+__asm__(".symver _current_SSLeay,SSLeay@@OPENSSL_1.0.1");
-+__asm__(".symver _current_SSLeay_version,SSLeay_version@@OPENSSL_1.0.1");
-diff -up openssl-1.0.1e/Makefile.shared.version openssl-1.0.1e/Makefile.shared
---- openssl-1.0.1e/Makefile.shared.version 2013-07-26 12:23:43.615545603 +0200
-+++ openssl-1.0.1e/Makefile.shared 2013-07-26 12:23:43.701547398 +0200
-@@ -151,7 +151,7 @@ DO_GNU_SO=$(CALC_VERSIONS); \
- SHLIB_SUFFIX=; \
- ALLSYMSFLAGS='-Wl,--whole-archive'; \
- NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
-- SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
-+ SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,--default-symver,--version-script=version.map -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
-
- DO_GNU_APP=LDFLAGS="$(CFLAGS)"
-
-diff -up openssl-1.0.1e/version.map.version openssl-1.0.1e/version.map
---- openssl-1.0.1e/version.map.version 2013-07-26 12:23:43.701547398 +0200
-+++ openssl-1.0.1e/version.map 2013-07-26 12:29:10.698371472 +0200
-@@ -0,0 +1,8 @@
-+OPENSSL_1.0.1 {
-+ global:
-+ SSLeay;
-+ SSLeay_version;
-+ local:
-+ _original*;
-+ _current*;
-+};
diff --git a/SOURCES/openssl-1.0.1e-weak-ciphers.patch b/SOURCES/openssl-1.0.1e-weak-ciphers.patch
deleted file mode 100644
index 8657345..0000000
--- a/SOURCES/openssl-1.0.1e-weak-ciphers.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up openssl-1.0.1e/ssl/ssl.h.weak-ciphers openssl-1.0.1e/ssl/ssl.h
---- openssl-1.0.1e/ssl/ssl.h.weak-ciphers 2013-12-18 15:50:40.881620314 +0100
-+++ openssl-1.0.1e/ssl/ssl.h 2013-12-18 14:25:25.596566704 +0100
-@@ -331,7 +331,7 @@ extern "C" {
- /* The following cipher list is used by default.
- * It also is substituted when an application-defined cipher list string
- * starts with 'DEFAULT'. */
--#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2"
-+#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2:!EXPORT:!RC2:!DES"
- /* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
- * starts with a reasonable order, and all we have to do for DEFAULT is
- * throwing out anonymous and unencrypted ciphersuites!
diff --git a/SOURCES/openssl-1.0.1i-algo-doc.patch b/SOURCES/openssl-1.0.1i-algo-doc.patch
new file mode 100644
index 0000000..a19877d
--- /dev/null
+++ b/SOURCES/openssl-1.0.1i-algo-doc.patch
@@ -0,0 +1,77 @@
+diff -up openssl-1.0.1i/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-1.0.1i/doc/crypto/EVP_DigestInit.pod
+--- openssl-1.0.1i/doc/crypto/EVP_DigestInit.pod.algo-doc 2014-08-06 23:10:56.000000000 +0200
++++ openssl-1.0.1i/doc/crypto/EVP_DigestInit.pod 2014-08-07 11:18:01.290773970 +0200
+@@ -75,7 +75,7 @@ EVP_MD_CTX_create() allocates, initializ
+
+ EVP_DigestInit_ex() sets up digest context B<ctx> to use a digest
+ B<type> from ENGINE B<impl>. B<ctx> must be initialized before calling this
+-function. B<type> will typically be supplied by a functionsuch as EVP_sha1().
++function. B<type> will typically be supplied by a function such as EVP_sha1().
+ If B<impl> is NULL then the default implementation of digest B<type> is used.
+
+ EVP_DigestUpdate() hashes B<cnt> bytes of data at B<d> into the
+@@ -164,7 +164,8 @@ corresponding OBJECT IDENTIFIER or NID_u
+ EVP_MD_size(), EVP_MD_block_size(), EVP_MD_CTX_size() and
+ EVP_MD_CTX_block_size() return the digest or block size in bytes.
+
+-EVP_md_null(), EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_dss(),
++EVP_md_null(), EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(),
++EVP_sha224(), EVP_sha256(), EVP_sha384(), EVP_sha512(), EVP_dss(),
+ EVP_dss1(), EVP_mdc2() and EVP_ripemd160() return pointers to the
+ corresponding EVP_MD structures.
+
+diff -up openssl-1.0.1i/doc/crypto/EVP_EncryptInit.pod.algo-doc openssl-1.0.1i/doc/crypto/EVP_EncryptInit.pod
+--- openssl-1.0.1i/doc/crypto/EVP_EncryptInit.pod.algo-doc 2014-08-06 23:10:56.000000000 +0200
++++ openssl-1.0.1i/doc/crypto/EVP_EncryptInit.pod 2014-08-07 10:55:25.100638252 +0200
+@@ -91,6 +91,32 @@ EVP_CIPHER_CTX_set_padding - EVP cipher
+ int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
+ int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
+
++ const EVP_CIPHER *EVP_des_ede3(void);
++ const EVP_CIPHER *EVP_des_ede3_ecb(void);
++ const EVP_CIPHER *EVP_des_ede3_cfb64(void);
++ const EVP_CIPHER *EVP_des_ede3_cfb1(void);
++ const EVP_CIPHER *EVP_des_ede3_cfb8(void);
++ const EVP_CIPHER *EVP_des_ede3_ofb(void);
++ const EVP_CIPHER *EVP_des_ede3_cbc(void);
++ const EVP_CIPHER *EVP_aes_128_ecb(void);
++ const EVP_CIPHER *EVP_aes_128_cbc(void);
++ const EVP_CIPHER *EVP_aes_128_cfb1(void);
++ const EVP_CIPHER *EVP_aes_128_cfb8(void);
++ const EVP_CIPHER *EVP_aes_128_cfb128(void);
++ const EVP_CIPHER *EVP_aes_128_ofb(void);
++ const EVP_CIPHER *EVP_aes_192_ecb(void);
++ const EVP_CIPHER *EVP_aes_192_cbc(void);
++ const EVP_CIPHER *EVP_aes_192_cfb1(void);
++ const EVP_CIPHER *EVP_aes_192_cfb8(void);
++ const EVP_CIPHER *EVP_aes_192_cfb128(void);
++ const EVP_CIPHER *EVP_aes_192_ofb(void);
++ const EVP_CIPHER *EVP_aes_256_ecb(void);
++ const EVP_CIPHER *EVP_aes_256_cbc(void);
++ const EVP_CIPHER *EVP_aes_256_cfb1(void);
++ const EVP_CIPHER *EVP_aes_256_cfb8(void);
++ const EVP_CIPHER *EVP_aes_256_cfb128(void);
++ const EVP_CIPHER *EVP_aes_256_ofb(void);
++
+ =head1 DESCRIPTION
+
+ The EVP cipher routines are a high level interface to certain
+@@ -297,6 +323,18 @@ Three key triple DES in CBC, ECB, CFB an
+
+ DESX algorithm in CBC mode.
+
++=item EVP_aes_128_cbc(void), EVP_aes_128_ecb(), EVP_aes_128_ofb(void), EVP_aes_128_cfb1(void), EVP_aes_128_cfb8(void), EVP_aes_128_cfb128(void)
++
++AES with 128 bit key length in CBC, ECB, OFB and CFB modes respectively.
++
++=item EVP_aes_192_cbc(void), EVP_aes_192_ecb(), EVP_aes_192_ofb(void), EVP_aes_192_cfb1(void), EVP_aes_192_cfb8(void), EVP_aes_192_cfb128(void)
++
++AES with 192 bit key length in CBC, ECB, OFB and CFB modes respectively.
++
++=item EVP_aes_256_cbc(void), EVP_aes_256_ecb(), EVP_aes_256_ofb(void), EVP_aes_256_cfb1(void), EVP_aes_256_cfb8(void), EVP_aes_256_cfb128(void)
++
++AES with 256 bit key length in CBC, ECB, OFB and CFB modes respectively.
++
+ =item EVP_rc4(void)
+
+ RC4 stream cipher. This is a variable key length cipher with default key length 128 bits.
diff --git a/SOURCES/openssl-1.0.2a-apps-dgst.patch b/SOURCES/openssl-1.0.2a-apps-dgst.patch
new file mode 100644
index 0000000..2bb8327
--- /dev/null
+++ b/SOURCES/openssl-1.0.2a-apps-dgst.patch
@@ -0,0 +1,110 @@
+diff -up openssl-1.0.2a/apps/ca.c.dgst openssl-1.0.2a/apps/ca.c
+--- openssl-1.0.2a/apps/ca.c.dgst 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/apps/ca.c 2015-04-21 17:01:38.841551616 +0200
+@@ -157,7 +157,7 @@ static const char *ca_usage[] = {
+ " -startdate YYMMDDHHMMSSZ - certificate validity notBefore\n",
+ " -enddate YYMMDDHHMMSSZ - certificate validity notAfter (overrides -days)\n",
+ " -days arg - number of days to certify the certificate for\n",
+- " -md arg - md to use, one of md2, md5, sha or sha1\n",
++ " -md arg - md to use, see openssl dgst -h for list\n",
+ " -policy arg - The CA 'policy' to support\n",
+ " -keyfile arg - private key file\n",
+ " -keyform arg - private key file format (PEM or ENGINE)\n",
+diff -up openssl-1.0.2a/apps/enc.c.dgst openssl-1.0.2a/apps/enc.c
+--- openssl-1.0.2a/apps/enc.c.dgst 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/apps/enc.c 2015-04-21 17:01:38.841551616 +0200
+@@ -294,7 +294,7 @@ int MAIN(int argc, char **argv)
+ "%-14s the next argument is the md to use to create a key\n",
+ "-md");
+ BIO_printf(bio_err,
+- "%-14s from a passphrase. One of md2, md5, sha or sha1\n",
++ "%-14s from a passphrase. See openssl dgst -h for list.\n",
+ "");
+ BIO_printf(bio_err, "%-14s salt in hex is the next argument\n",
+ "-S");
+diff -up openssl-1.0.2a/apps/req.c.dgst openssl-1.0.2a/apps/req.c
+--- openssl-1.0.2a/apps/req.c.dgst 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/apps/req.c 2015-04-21 17:01:38.842551640 +0200
+@@ -414,7 +414,7 @@ int MAIN(int argc, char **argv)
+ " -newkey ec:file generate a new EC key, parameters taken from CA in 'file'\n");
+ #endif
+ BIO_printf(bio_err,
+- " -[digest] Digest to sign with (md5, sha1, md2, mdc2, md4)\n");
++ " -[digest] Digest to sign with (see openssl dgst -h for list)\n");
+ BIO_printf(bio_err, " -config file request template file.\n");
+ BIO_printf(bio_err,
+ " -subj arg set or modify request subject\n");
+diff -up openssl-1.0.2a/apps/ts.c.dgst openssl-1.0.2a/apps/ts.c
+--- openssl-1.0.2a/apps/ts.c.dgst 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/apps/ts.c 2015-04-21 17:01:38.842551640 +0200
+@@ -337,7 +337,7 @@ int MAIN(int argc, char **argv)
+ BIO_printf(bio_err, "usage:\n"
+ "ts -query [-rand file%cfile%c...] [-config configfile] "
+ "[-data file_to_hash] [-digest digest_bytes]"
+- "[-md2|-md4|-md5|-sha|-sha1|-mdc2|-ripemd160] "
++ "[-<hashalg>] "
+ "[-policy object_id] [-no_nonce] [-cert] "
+ "[-in request.tsq] [-out request.tsq] [-text]\n",
+ LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
+diff -up openssl-1.0.2a/apps/x509.c.dgst openssl-1.0.2a/apps/x509.c
+--- openssl-1.0.2a/apps/x509.c.dgst 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/apps/x509.c 2015-04-21 17:01:38.842551640 +0200
+@@ -141,7 +141,7 @@ static const char *x509_usage[] = {
+ " -set_serial - serial number to use\n",
+ " -text - print the certificate in text form\n",
+ " -C - print out C code forms\n",
+- " -md2/-md5/-sha1/-mdc2 - digest to use\n",
++ " -<dgst> - digest to use, see openssl dgst -h output for list\n",
+ " -extfile - configuration file with X509V3 extensions to add\n",
+ " -extensions - section from config file with X509V3 extensions to add\n",
+ " -clrext - delete extensions before signing and input certificate\n",
+diff -up openssl-1.0.2a/doc/apps/ca.pod.dgst openssl-1.0.2a/doc/apps/ca.pod
+--- openssl-1.0.2a/doc/apps/ca.pod.dgst 2015-01-20 13:33:36.000000000 +0100
++++ openssl-1.0.2a/doc/apps/ca.pod 2015-04-21 17:01:38.842551640 +0200
+@@ -168,7 +168,8 @@ the number of days to certify the certif
+ =item B<-md alg>
+
+ the message digest to use. Possible values include md5, sha1 and mdc2.
+-This option also applies to CRLs.
++For full list of digests see openssl dgst -h output. This option also
++applies to CRLs.
+
+ =item B<-policy arg>
+
+diff -up openssl-1.0.2a/doc/apps/ocsp.pod.dgst openssl-1.0.2a/doc/apps/ocsp.pod
+--- openssl-1.0.2a/doc/apps/ocsp.pod.dgst 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/doc/apps/ocsp.pod 2015-04-21 17:01:38.842551640 +0200
+@@ -219,7 +219,8 @@ check is not performed.
+ =item B<-md5|-sha1|-sha256|-ripemod160|...>
+
+ this option sets digest algorithm to use for certificate identification
+-in the OCSP request. By default SHA-1 is used.
++in the OCSP request. By default SHA-1 is used. See openssl dgst -h output for
++the list of available algorithms.
+
+ =back
+
+diff -up openssl-1.0.2a/doc/apps/req.pod.dgst openssl-1.0.2a/doc/apps/req.pod
+--- openssl-1.0.2a/doc/apps/req.pod.dgst 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/doc/apps/req.pod 2015-04-21 17:01:38.843551664 +0200
+@@ -201,7 +201,8 @@ will not be encrypted.
+
+ this specifies the message digest to sign the request with (such as
+ B<-md5>, B<-sha1>). This overrides the digest algorithm specified in
+-the configuration file.
++the configuration file. For full list of possible digests see openssl
++dgst -h output.
+
+ Some public key algorithms may override this choice. For instance, DSA
+ signatures always use SHA1, GOST R 34.10 signatures always use
+diff -up openssl-1.0.2a/doc/apps/x509.pod.dgst openssl-1.0.2a/doc/apps/x509.pod
+--- openssl-1.0.2a/doc/apps/x509.pod.dgst 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/doc/apps/x509.pod 2015-04-21 17:01:38.843551664 +0200
+@@ -107,6 +107,7 @@ the digest to use. This affects any sign
+ digest, such as the B<-fingerprint>, B<-signkey> and B<-CA> options. If not
+ specified then SHA1 is used. If the key being used to sign with is a DSA key
+ then this option has no effect: SHA1 is always used with DSA keys.
++For full list of digests see openssl dgst -h output.
+
+ =item B<-engine id>
+
diff --git a/SOURCES/openssl-1.0.2a-compat-symbols.patch b/SOURCES/openssl-1.0.2a-compat-symbols.patch
new file mode 100644
index 0000000..1e0993e
--- /dev/null
+++ b/SOURCES/openssl-1.0.2a-compat-symbols.patch
@@ -0,0 +1,46 @@
+diff -up openssl-1.0.2a/crypto/dsa/dsa_key.c.compat openssl-1.0.2a/crypto/dsa/dsa_key.c
+--- openssl-1.0.2a/crypto/dsa/dsa_key.c.compat 2015-04-09 18:21:11.687977858 +0200
++++ openssl-1.0.2a/crypto/dsa/dsa_key.c 2015-04-09 18:21:07.869889659 +0200
+@@ -68,6 +68,11 @@
+ # include <openssl/fips.h>
+ # include <openssl/evp.h>
+
++/* just a compatibility symbol - no-op */
++void FIPS_corrupt_dsa_keygen(void)
++{
++}
++
+ static int fips_check_dsa(DSA *dsa)
+ {
+ EVP_PKEY *pk;
+diff -up openssl-1.0.2a/crypto/engine/eng_all.c.compat openssl-1.0.2a/crypto/engine/eng_all.c
+--- openssl-1.0.2a/crypto/engine/eng_all.c.compat 2015-04-09 18:21:11.688977881 +0200
++++ openssl-1.0.2a/crypto/engine/eng_all.c 2015-04-09 18:21:09.159919459 +0200
+@@ -63,6 +63,11 @@
+ # include <openssl/fips.h>
+ #endif
+
++/* just backwards compatibility symbol - no-op */
++void ENGINE_load_aesni(void)
++{
++}
++
+ void ENGINE_load_builtin_engines(void)
+ {
+ /* Some ENGINEs need this */
+diff -up openssl-1.0.2a/crypto/fips/fips.c.compat openssl-1.0.2a/crypto/fips/fips.c
+--- openssl-1.0.2a/crypto/fips/fips.c.compat 2015-04-09 18:21:11.689977904 +0200
++++ openssl-1.0.2a/crypto/fips/fips.c 2015-04-09 18:21:09.925937154 +0200
+@@ -113,6 +113,12 @@ int FIPS_module_mode(void)
+ return ret;
+ }
+
++/* just a compat symbol - return NULL */
++const void *FIPS_rand_check(void)
++{
++ return NULL;
++}
++
+ int FIPS_selftest_failed(void)
+ {
+ int ret = 0;
diff --git a/SOURCES/openssl-1.0.2a-defaults.patch b/SOURCES/openssl-1.0.2a-defaults.patch
new file mode 100644
index 0000000..315a9b0
--- /dev/null
+++ b/SOURCES/openssl-1.0.2a-defaults.patch
@@ -0,0 +1,60 @@
+diff -up openssl-1.0.2a/apps/openssl.cnf.defaults openssl-1.0.2a/apps/openssl.cnf
+--- openssl-1.0.2a/apps/openssl.cnf.defaults 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/apps/openssl.cnf 2015-04-20 14:37:10.112271850 +0200
+@@ -72,7 +72,7 @@ cert_opt = ca_default # Certificate fi
+
+ default_days = 365 # how long to certify for
+ default_crl_days= 30 # how long before next CRL
+-default_md = default # use public key default MD
++default_md = sha256 # use SHA-256 by default
+ preserve = no # keep passed DN ordering
+
+ # A few difference way of specifying how similar the request should look
+@@ -104,6 +104,7 @@ emailAddress = optional
+ ####################################################################
+ [ req ]
+ default_bits = 2048
++default_md = sha256
+ default_keyfile = privkey.pem
+ distinguished_name = req_distinguished_name
+ attributes = req_attributes
+@@ -126,17 +127,18 @@ string_mask = utf8only
+
+ [ req_distinguished_name ]
+ countryName = Country Name (2 letter code)
+-countryName_default = AU
++countryName_default = XX
+ countryName_min = 2
+ countryName_max = 2
+
+ stateOrProvinceName = State or Province Name (full name)
+-stateOrProvinceName_default = Some-State
++#stateOrProvinceName_default = Default Province
+
+ localityName = Locality Name (eg, city)
++localityName_default = Default City
+
+ 0.organizationName = Organization Name (eg, company)
+-0.organizationName_default = Internet Widgits Pty Ltd
++0.organizationName_default = Default Company Ltd
+
+ # we can do this but it is not needed normally :-)
+ #1.organizationName = Second Organization Name (eg, company)
+@@ -145,7 +147,7 @@ localityName = Locality Name (eg, city
+ organizationalUnitName = Organizational Unit Name (eg, section)
+ #organizationalUnitName_default =
+
+-commonName = Common Name (e.g. server FQDN or YOUR name)
++commonName = Common Name (eg, your name or your server\'s hostname)
+ commonName_max = 64
+
+ emailAddress = Email Address
+@@ -339,7 +341,7 @@ signer_key = $dir/private/tsakey.pem # T
+ default_policy = tsa_policy1 # Policy if request did not specify it
+ # (optional)
+ other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
+-digests = md5, sha1 # Acceptable message digests (mandatory)
++digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
+ accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
+ clock_precision_digits = 0 # number of digits after dot. (optional)
+ ordering = yes # Is ordering defined for timestamps?
diff --git a/SOURCES/openssl-1.0.2a-dtls1-abi.patch b/SOURCES/openssl-1.0.2a-dtls1-abi.patch
new file mode 100644
index 0000000..a6a79d7
--- /dev/null
+++ b/SOURCES/openssl-1.0.2a-dtls1-abi.patch
@@ -0,0 +1,23 @@
+diff -up openssl-1.0.2a/ssl/dtls1.h.dtls1-abi openssl-1.0.2a/ssl/dtls1.h
+--- openssl-1.0.2a/ssl/dtls1.h.dtls1-abi 2015-04-21 10:49:57.984781143 +0200
++++ openssl-1.0.2a/ssl/dtls1.h 2015-04-21 16:41:37.835164264 +0200
+@@ -214,9 +214,6 @@ typedef struct dtls1_state_st {
+ * loss.
+ */
+ record_pqueue buffered_app_data;
+- /* Is set when listening for new connections with dtls1_listen() */
+- unsigned int listen;
+- unsigned int link_mtu; /* max on-the-wire DTLS packet size */
+ unsigned int mtu; /* max DTLS packet size */
+ struct hm_header_st w_msg_hdr;
+ struct hm_header_st r_msg_hdr;
+@@ -241,6 +238,9 @@ typedef struct dtls1_state_st {
+ * Cleared after the message has been processed.
+ */
+ unsigned int change_cipher_spec_ok;
++ /* Is set when listening for new connections with dtls1_listen() */
++ unsigned int listen;
++ unsigned int link_mtu; /* max on-the-wire DTLS packet size */
+ # ifndef OPENSSL_NO_SCTP
+ /* used when SSL_ST_XX_FLUSH is entered */
+ int next_state;
diff --git a/SOURCES/openssl-1.0.2a-env-zlib.patch b/SOURCES/openssl-1.0.2a-env-zlib.patch
new file mode 100644
index 0000000..328079b
--- /dev/null
+++ b/SOURCES/openssl-1.0.2a-env-zlib.patch
@@ -0,0 +1,39 @@
+diff -up openssl-1.0.2a/doc/ssl/SSL_COMP_add_compression_method.pod.env-zlib openssl-1.0.2a/doc/ssl/SSL_COMP_add_compression_method.pod
+--- openssl-1.0.2a/doc/ssl/SSL_COMP_add_compression_method.pod.env-zlib 2015-04-09 18:17:20.509637597 +0200
++++ openssl-1.0.2a/doc/ssl/SSL_COMP_add_compression_method.pod 2015-04-09 18:17:14.767504953 +0200
+@@ -47,6 +47,13 @@ Once the identities of the compression m
+ been standardized, the compression API will most likely be changed. Using
+ it in the current state is not recommended.
+
++It is also not recommended to use compression if data transfered contain
++untrusted parts that can be manipulated by an attacker as he could then
++get information about the encrypted data. See the CRIME attack. For
++that reason the default loading of the zlib compression method is
++disabled and enabled only if the environment variable B<OPENSSL_DEFAULT_ZLIB>
++is present during the library initialization.
++
+ =head1 RETURN VALUES
+
+ SSL_COMP_add_compression_method() may return the following values:
+diff -up openssl-1.0.2a/ssl/ssl_ciph.c.env-zlib openssl-1.0.2a/ssl/ssl_ciph.c
+--- openssl-1.0.2a/ssl/ssl_ciph.c.env-zlib 2015-04-09 18:17:20.510637620 +0200
++++ openssl-1.0.2a/ssl/ssl_ciph.c 2015-04-09 18:17:20.264631937 +0200
+@@ -140,6 +140,8 @@
+ * OTHERWISE.
+ */
+
++/* for secure_getenv */
++#define _GNU_SOURCE
+ #include <stdio.h>
+ #include <openssl/objects.h>
+ #ifndef OPENSSL_NO_COMP
+@@ -450,7 +452,8 @@ static void load_builtin_compressions(vo
+
+ MemCheck_off();
+ ssl_comp_methods = sk_SSL_COMP_new(sk_comp_cmp);
+- if (ssl_comp_methods != NULL) {
++ if (ssl_comp_methods != NULL
++ && secure_getenv("OPENSSL_DEFAULT_ZLIB") != NULL) {
+ comp = (SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
+ if (comp != NULL) {
+ comp->method = COMP_zlib();
diff --git a/SOURCES/openssl-1.0.2a-fips-ctor.patch b/SOURCES/openssl-1.0.2a-fips-ctor.patch
new file mode 100644
index 0000000..65f652c
--- /dev/null
+++ b/SOURCES/openssl-1.0.2a-fips-ctor.patch
@@ -0,0 +1,174 @@
+diff -up openssl-1.0.2a/crypto/fips/fips.c.fips-ctor openssl-1.0.2a/crypto/fips/fips.c
+--- openssl-1.0.2a/crypto/fips/fips.c.fips-ctor 2015-04-21 17:42:18.702765856 +0200
++++ openssl-1.0.2a/crypto/fips/fips.c 2015-04-21 17:42:18.742766794 +0200
+@@ -60,6 +60,8 @@
+ #include <dlfcn.h>
+ #include <stdio.h>
+ #include <stdlib.h>
++#include <unistd.h>
++#include <errno.h>
+ #include "fips_locl.h"
+
+ #ifdef OPENSSL_FIPS
+@@ -201,7 +203,9 @@ static char *bin2hex(void *buf, size_t l
+ }
+
+ # define HMAC_PREFIX "."
+-# define HMAC_SUFFIX ".hmac"
++# ifndef HMAC_SUFFIX
++# define HMAC_SUFFIX ".hmac"
++# endif
+ # define READ_BUFFER_LENGTH 16384
+
+ static char *make_hmac_path(const char *origpath)
+@@ -279,20 +283,14 @@ static int compute_file_hmac(const char
+ return rv;
+ }
+
+-static int FIPSCHECK_verify(const char *libname, const char *symbolname)
++static int FIPSCHECK_verify(const char *path)
+ {
+- char path[PATH_MAX + 1];
+- int rv;
++ int rv = 0;
+ FILE *hf;
+ char *hmacpath, *p;
+ char *hmac = NULL;
+ size_t n;
+
+- rv = get_library_path(libname, symbolname, path, sizeof(path));
+-
+- if (rv < 0)
+- return 0;
+-
+ hmacpath = make_hmac_path(path);
+ if (hmacpath == NULL)
+ return 0;
+@@ -343,6 +341,51 @@ static int FIPSCHECK_verify(const char *
+ return 1;
+ }
+
++static int verify_checksums(void)
++{
++ int rv;
++ char path[PATH_MAX + 1];
++ char *p;
++
++ /* we need to avoid dlopening libssl, assume both libcrypto and libssl
++ are in the same directory */
++
++ rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER,
++ "FIPS_mode_set", path, sizeof(path));
++ if (rv < 0)
++ return 0;
++
++ rv = FIPSCHECK_verify(path);
++ if (!rv)
++ return 0;
++
++ /* replace libcrypto with libssl */
++ while ((p = strstr(path, "libcrypto.so")) != NULL) {
++ p = stpcpy(p, "libssl");
++ memmove(p, p + 3, strlen(p + 2));
++ }
++
++ rv = FIPSCHECK_verify(path);
++ if (!rv)
++ return 0;
++ return 1;
++}
++
++# ifndef FIPS_MODULE_PATH
++# define FIPS_MODULE_PATH "/etc/system-fips"
++# endif
++
++int FIPS_module_installed(void)
++{
++ int rv;
++ rv = access(FIPS_MODULE_PATH, F_OK);
++ if (rv < 0 && errno != ENOENT)
++ rv = 0;
++
++ /* Installed == true */
++ return !rv;
++}
++
+ int FIPS_module_mode_set(int onoff, const char *auth)
+ {
+ int ret = 0;
+@@ -380,17 +423,7 @@ int FIPS_module_mode_set(int onoff, cons
+ }
+ # endif
+
+- if (!FIPSCHECK_verify
+- ("libcrypto.so." SHLIB_VERSION_NUMBER, "FIPS_mode_set")) {
+- FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
+- FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
+- fips_selftest_fail = 1;
+- ret = 0;
+- goto end;
+- }
+-
+- if (!FIPSCHECK_verify
+- ("libssl.so." SHLIB_VERSION_NUMBER, "SSL_CTX_new")) {
++ if (!verify_checksums()) {
+ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
+ FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
+ fips_selftest_fail = 1;
+diff -up openssl-1.0.2a/crypto/fips/fips.h.fips-ctor openssl-1.0.2a/crypto/fips/fips.h
+--- openssl-1.0.2a/crypto/fips/fips.h.fips-ctor 2015-04-21 17:42:18.739766724 +0200
++++ openssl-1.0.2a/crypto/fips/fips.h 2015-04-21 17:42:18.743766818 +0200
+@@ -74,6 +74,7 @@ extern "C" {
+
+ int FIPS_module_mode_set(int onoff, const char *auth);
+ int FIPS_module_mode(void);
++ int FIPS_module_installed(void);
+ const void *FIPS_rand_check(void);
+ int FIPS_selftest(void);
+ int FIPS_selftest_failed(void);
+diff -up openssl-1.0.2a/crypto/o_init.c.fips-ctor openssl-1.0.2a/crypto/o_init.c
+--- openssl-1.0.2a/crypto/o_init.c.fips-ctor 2015-04-21 17:42:18.732766559 +0200
++++ openssl-1.0.2a/crypto/o_init.c 2015-04-21 17:45:02.662613173 +0200
+@@ -74,6 +74,9 @@ static void init_fips_mode(void)
+ char buf[2] = "0";
+ int fd;
+
++ /* Ensure the selftests always run */
++ FIPS_mode_set(1);
++
+ if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
+ buf[0] = '1';
+ } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
+@@ -85,8 +88,12 @@ static void init_fips_mode(void)
+ * otherwise..
+ */
+
+- if (buf[0] == '1') {
+- FIPS_mode_set(1);
++ if (buf[0] != '1') {
++ /* drop down to non-FIPS mode if it is not requested */
++ FIPS_mode_set(0);
++ } else {
++ /* abort if selftest failed */
++ FIPS_selftest_check();
+ }
+ }
+ #endif
+@@ -96,13 +103,16 @@ static void init_fips_mode(void)
+ * sets FIPS callbacks
+ */
+
+-void OPENSSL_init_library(void)
++void __attribute__ ((constructor)) OPENSSL_init_library(void)
+ {
+ static int done = 0;
+ if (done)
+ return;
+ done = 1;
+ #ifdef OPENSSL_FIPS
++ if (!FIPS_module_installed()) {
++ return;
++ }
+ RAND_init_fips();
+ init_fips_mode();
+ if (!FIPS_mode()) {
diff --git a/SOURCES/openssl-1.0.2a-fips-ec.patch b/SOURCES/openssl-1.0.2a-fips-ec.patch
new file mode 100644
index 0000000..e42f4a1
--- /dev/null
+++ b/SOURCES/openssl-1.0.2a-fips-ec.patch
@@ -0,0 +1,1929 @@
+diff -up openssl-1.0.2a/crypto/ecdh/ecdhtest.c.fips-ec openssl-1.0.2a/crypto/ecdh/ecdhtest.c
+--- openssl-1.0.2a/crypto/ecdh/ecdhtest.c.fips-ec 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/crypto/ecdh/ecdhtest.c 2015-04-22 19:00:19.721884512 +0200
+@@ -501,11 +501,13 @@ int main(int argc, char *argv[])
+ goto err;
+
+ /* NIST PRIME CURVES TESTS */
++# if 0
+ if (!test_ecdh_curve
+ (NID_X9_62_prime192v1, "NIST Prime-Curve P-192", ctx, out))
+ goto err;
+ if (!test_ecdh_curve(NID_secp224r1, "NIST Prime-Curve P-224", ctx, out))
+ goto err;
++# endif
+ if (!test_ecdh_curve
+ (NID_X9_62_prime256v1, "NIST Prime-Curve P-256", ctx, out))
+ goto err;
+@@ -536,13 +538,14 @@ int main(int argc, char *argv[])
+ if (!test_ecdh_curve(NID_sect571r1, "NIST Binary-Curve B-571", ctx, out))
+ goto err;
+ # endif
++# if 0
+ if (!test_ecdh_kat(out, "Brainpool Prime-Curve brainpoolP256r1", 256))
+ goto err;
+ if (!test_ecdh_kat(out, "Brainpool Prime-Curve brainpoolP384r1", 384))
+ goto err;
+ if (!test_ecdh_kat(out, "Brainpool Prime-Curve brainpoolP512r1", 512))
+ goto err;
+-
++# endif
+ ret = 0;
+
+ err:
+diff -up openssl-1.0.2a/crypto/ecdh/ech_lib.c.fips-ec openssl-1.0.2a/crypto/ecdh/ech_lib.c
+--- openssl-1.0.2a/crypto/ecdh/ech_lib.c.fips-ec 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/crypto/ecdh/ech_lib.c 2015-04-22 19:00:19.721884512 +0200
+@@ -93,14 +93,7 @@ void ECDH_set_default_method(const ECDH_
+ const ECDH_METHOD *ECDH_get_default_method(void)
+ {
+ if (!default_ECDH_method) {
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode())
+- return FIPS_ecdh_openssl();
+- else
+- return ECDH_OpenSSL();
+-#else
+ default_ECDH_method = ECDH_OpenSSL();
+-#endif
+ }
+ return default_ECDH_method;
+ }
+diff -up openssl-1.0.2a/crypto/ecdh/ech_ossl.c.fips-ec openssl-1.0.2a/crypto/ecdh/ech_ossl.c
+--- openssl-1.0.2a/crypto/ecdh/ech_ossl.c.fips-ec 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/crypto/ecdh/ech_ossl.c 2015-04-22 19:00:19.722884536 +0200
+@@ -78,6 +78,10 @@
+ #include <openssl/obj_mac.h>
+ #include <openssl/bn.h>
+
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
++
+ static int ecdh_compute_key(void *out, size_t len, const EC_POINT *pub_key,
+ EC_KEY *ecdh,
+ void *(*KDF) (const void *in, size_t inlen,
+@@ -90,7 +94,7 @@ static ECDH_METHOD openssl_ecdh_meth = {
+ NULL, /* init */
+ NULL, /* finish */
+ #endif
+- 0, /* flags */
++ ECDH_FLAG_FIPS_METHOD, /* flags */
+ NULL /* app_data */
+ };
+
+@@ -119,6 +123,13 @@ static int ecdh_compute_key(void *out, s
+ size_t buflen, len;
+ unsigned char *buf = NULL;
+
++#ifdef OPENSSL_FIPS
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_ECDH_COMPUTE_KEY, FIPS_R_FIPS_SELFTEST_FAILED);
++ return -1;
++ }
++#endif
++
+ if (outlen > INT_MAX) {
+ ECDHerr(ECDH_F_ECDH_COMPUTE_KEY, ERR_R_MALLOC_FAILURE); /* sort of,
+ * anyway */
+diff -up openssl-1.0.2a/crypto/ecdsa/ecdsatest.c.fips-ec openssl-1.0.2a/crypto/ecdsa/ecdsatest.c
+--- openssl-1.0.2a/crypto/ecdsa/ecdsatest.c.fips-ec 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/crypto/ecdsa/ecdsatest.c 2015-04-22 19:00:19.722884536 +0200
+@@ -138,11 +138,14 @@ int restore_rand(void)
+ }
+
+ static int fbytes_counter = 0;
+-static const char *numbers[8] = {
++static const char *numbers[10] = {
++ "651056770906015076056810763456358567190100156695615665659",
+ "651056770906015076056810763456358567190100156695615665659",
+ "6140507067065001063065065565667405560006161556565665656654",
+ "8763001015071075675010661307616710783570106710677817767166"
+ "71676178726717",
++ "8763001015071075675010661307616710783570106710677817767166"
++ "71676178726717",
+ "7000000175690566466555057817571571075705015757757057795755"
+ "55657156756655",
+ "1275552191113212300012030439187146164646146646466749494799",
+@@ -158,7 +161,7 @@ int fbytes(unsigned char *buf, int num)
+ int ret;
+ BIGNUM *tmp = NULL;
+
+- if (fbytes_counter >= 8)
++ if (fbytes_counter >= 10)
+ return 0;
+ tmp = BN_new();
+ if (!tmp)
+@@ -532,8 +535,10 @@ int main(void)
+ RAND_seed(rnd_seed, sizeof(rnd_seed));
+
+ /* the tests */
++# if 0
+ if (!x9_62_tests(out))
+ goto err;
++# endif
+ if (!test_builtin(out))
+ goto err;
+
+diff -up openssl-1.0.2a/crypto/ecdsa/ecs_lib.c.fips-ec openssl-1.0.2a/crypto/ecdsa/ecs_lib.c
+--- openssl-1.0.2a/crypto/ecdsa/ecs_lib.c.fips-ec 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/crypto/ecdsa/ecs_lib.c 2015-04-22 19:00:19.722884536 +0200
+@@ -80,14 +80,7 @@ void ECDSA_set_default_method(const ECDS
+ const ECDSA_METHOD *ECDSA_get_default_method(void)
+ {
+ if (!default_ECDSA_method) {
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode())
+- return FIPS_ecdsa_openssl();
+- else
+- return ECDSA_OpenSSL();
+-#else
+ default_ECDSA_method = ECDSA_OpenSSL();
+-#endif
+ }
+ return default_ECDSA_method;
+ }
+diff -up openssl-1.0.2a/crypto/ecdsa/ecs_ossl.c.fips-ec openssl-1.0.2a/crypto/ecdsa/ecs_ossl.c
+--- openssl-1.0.2a/crypto/ecdsa/ecs_ossl.c.fips-ec 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/crypto/ecdsa/ecs_ossl.c 2015-04-22 19:00:19.722884536 +0200
+@@ -60,6 +60,9 @@
+ #include <openssl/err.h>
+ #include <openssl/obj_mac.h>
+ #include <openssl/bn.h>
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
+
+ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dlen,
+ const BIGNUM *, const BIGNUM *,
+@@ -78,7 +81,7 @@ static ECDSA_METHOD openssl_ecdsa_meth =
+ NULL, /* init */
+ NULL, /* finish */
+ #endif
+- 0, /* flags */
++ ECDSA_FLAG_FIPS_METHOD, /* flags */
+ NULL /* app_data */
+ };
+
+@@ -245,6 +248,13 @@ static ECDSA_SIG *ecdsa_do_sign(const un
+ ECDSA_DATA *ecdsa;
+ const BIGNUM *priv_key;
+
++#ifdef OPENSSL_FIPS
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_ECDSA_DO_SIGN, FIPS_R_FIPS_SELFTEST_FAILED);
++ return NULL;
++ }
++#endif
++
+ ecdsa = ecdsa_check(eckey);
+ group = EC_KEY_get0_group(eckey);
+ priv_key = EC_KEY_get0_private_key(eckey);
+@@ -358,6 +368,13 @@ static int ecdsa_do_verify(const unsigne
+ const EC_GROUP *group;
+ const EC_POINT *pub_key;
+
++#ifdef OPENSSL_FIPS
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_ECDSA_DO_VERIFY, FIPS_R_FIPS_SELFTEST_FAILED);
++ return -1;
++ }
++#endif
++
+ /* check input values */
+ if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL ||
+ (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL) {
+diff -up openssl-1.0.2a/crypto/ec/ec_cvt.c.fips-ec openssl-1.0.2a/crypto/ec/ec_cvt.c
+--- openssl-1.0.2a/crypto/ec/ec_cvt.c.fips-ec 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/crypto/ec/ec_cvt.c 2015-04-22 19:01:08.703040756 +0200
+@@ -82,10 +82,6 @@ EC_GROUP *EC_GROUP_new_curve_GFp(const B
+ const EC_METHOD *meth;
+ EC_GROUP *ret;
+
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode())
+- return FIPS_ec_group_new_curve_gfp(p, a, b, ctx);
+-#endif
+ #if defined(OPENSSL_BN_ASM_MONT)
+ /*
+ * This might appear controversial, but the fact is that generic
+@@ -160,10 +156,6 @@ EC_GROUP *EC_GROUP_new_curve_GF2m(const
+ const EC_METHOD *meth;
+ EC_GROUP *ret;
+
+-# ifdef OPENSSL_FIPS
+- if (FIPS_mode())
+- return FIPS_ec_group_new_curve_gf2m(p, a, b, ctx);
+-# endif
+ meth = EC_GF2m_simple_method();
+
+ ret = EC_GROUP_new(meth);
+diff -up openssl-1.0.2a/crypto/ec/ec_key.c.fips-ec openssl-1.0.2a/crypto/ec/ec_key.c
+--- openssl-1.0.2a/crypto/ec/ec_key.c.fips-ec 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/crypto/ec/ec_key.c 2015-04-22 19:00:19.722884536 +0200
+@@ -64,9 +64,6 @@
+ #include <string.h>
+ #include "ec_lcl.h"
+ #include <openssl/err.h>
+-#ifdef OPENSSL_FIPS
+-# include <openssl/fips.h>
+-#endif
+
+ EC_KEY *EC_KEY_new(void)
+ {
+@@ -227,6 +224,38 @@ int EC_KEY_up_ref(EC_KEY *r)
+ return ((i > 1) ? 1 : 0);
+ }
+
++#ifdef OPENSSL_FIPS
++
++# include <openssl/evp.h>
++# include <openssl/fips.h>
++# include <openssl/fips_rand.h>
++
++static int fips_check_ec(EC_KEY *key)
++{
++ EVP_PKEY *pk;
++ unsigned char tbs[] = "ECDSA Pairwise Check Data";
++ int ret = 0;
++
++ if ((pk = EVP_PKEY_new()) == NULL)
++ goto err;
++
++ EVP_PKEY_set1_EC_KEY(pk, key);
++
++ if (fips_pkey_signature_test(pk, tbs, -1, NULL, 0, NULL, 0, NULL))
++ ret = 1;
++
++ err:
++ if (ret == 0) {
++ FIPSerr(FIPS_F_FIPS_CHECK_EC, FIPS_R_PAIRWISE_TEST_FAILED);
++ fips_set_selftest_fail();
++ }
++ if (pk)
++ EVP_PKEY_free(pk);
++ return ret;
++}
++
++#endif
++
+ int EC_KEY_generate_key(EC_KEY *eckey)
+ {
+ int ok = 0;
+@@ -235,8 +264,10 @@ int EC_KEY_generate_key(EC_KEY *eckey)
+ EC_POINT *pub_key = NULL;
+
+ #ifdef OPENSSL_FIPS
+- if (FIPS_mode())
+- return FIPS_ec_key_generate_key(eckey);
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_EC_KEY_GENERATE_KEY, FIPS_R_FIPS_SELFTEST_FAILED);
++ return 0;
++ }
+ #endif
+
+ if (!eckey || !eckey->group) {
+@@ -277,6 +308,14 @@ int EC_KEY_generate_key(EC_KEY *eckey)
+ eckey->priv_key = priv_key;
+ eckey->pub_key = pub_key;
+
++#ifdef OPENSSL_FIPS
++ if (!fips_check_ec(eckey)) {
++ eckey->priv_key = NULL;
++ eckey->pub_key = NULL;
++ goto err;
++ }
++#endif
++
+ ok = 1;
+
+ err:
+@@ -408,10 +447,12 @@ int EC_KEY_set_public_key_affine_coordin
+ goto err;
+ }
+ /*
+- * Check if retrieved coordinates match originals: if not values are out
+- * of range.
++ * Check if retrieved coordinates match originals and are less
++ * than field order: if not values are out of range.
+ */
+- if (BN_cmp(x, tx) || BN_cmp(y, ty)) {
++ if (BN_cmp(x, tx) || BN_cmp(y, ty)
++ || (BN_cmp(x, &key->group->field) >= 0)
++ || (BN_cmp(y, &key->group->field) >= 0)) {
+ ECerr(EC_F_EC_KEY_SET_PUBLIC_KEY_AFFINE_COORDINATES,
+ EC_R_COORDINATES_OUT_OF_RANGE);
+ goto err;
+diff -up openssl-1.0.2a/crypto/ec/ecp_mont.c.fips-ec openssl-1.0.2a/crypto/ec/ecp_mont.c
+--- openssl-1.0.2a/crypto/ec/ecp_mont.c.fips-ec 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/crypto/ec/ecp_mont.c 2015-04-22 19:00:19.722884536 +0200
+@@ -63,10 +63,6 @@
+
+ #include <openssl/err.h>
+
+-#ifdef OPENSSL_FIPS
+-# include <openssl/fips.h>
+-#endif
+-
+ #include "ec_lcl.h"
+
+ const EC_METHOD *EC_GFp_mont_method(void)
+@@ -111,11 +107,6 @@ const EC_METHOD *EC_GFp_mont_method(void
+ ec_GFp_mont_field_set_to_one
+ };
+
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode())
+- return fips_ec_gfp_mont_method();
+-#endif
+-
+ return &ret;
+ }
+
+diff -up openssl-1.0.2a/crypto/ec/ecp_nist.c.fips-ec openssl-1.0.2a/crypto/ec/ecp_nist.c
+--- openssl-1.0.2a/crypto/ec/ecp_nist.c.fips-ec 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/crypto/ec/ecp_nist.c 2015-04-22 19:00:19.723884560 +0200
+@@ -67,10 +67,6 @@
+ #include <openssl/obj_mac.h>
+ #include "ec_lcl.h"
+
+-#ifdef OPENSSL_FIPS
+-# include <openssl/fips.h>
+-#endif
+-
+ const EC_METHOD *EC_GFp_nist_method(void)
+ {
+ static const EC_METHOD ret = {
+@@ -113,11 +109,6 @@ const EC_METHOD *EC_GFp_nist_method(void
+ 0 /* field_set_to_one */
+ };
+
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode())
+- return fips_ec_gfp_nist_method();
+-#endif
+-
+ return &ret;
+ }
+
+diff -up openssl-1.0.2a/crypto/ec/ecp_smpl.c.fips-ec openssl-1.0.2a/crypto/ec/ecp_smpl.c
+--- openssl-1.0.2a/crypto/ec/ecp_smpl.c.fips-ec 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/crypto/ec/ecp_smpl.c 2015-04-22 19:00:19.723884560 +0200
+@@ -66,10 +66,6 @@
+ #include <openssl/err.h>
+ #include <openssl/symhacks.h>
+
+-#ifdef OPENSSL_FIPS
+-# include <openssl/fips.h>
+-#endif
+-
+ #include "ec_lcl.h"
+
+ const EC_METHOD *EC_GFp_simple_method(void)
+@@ -114,11 +110,6 @@ const EC_METHOD *EC_GFp_simple_method(vo
+ 0 /* field_set_to_one */
+ };
+
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode())
+- return fips_ec_gfp_simple_method();
+-#endif
+-
+ return &ret;
+ }
+
+@@ -187,6 +178,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO
+ return 0;
+ }
+
++ if (BN_num_bits(p) < 256) {
++ ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE, EC_R_UNSUPPORTED_FIELD);
++ return 0;
++ }
++
+ if (ctx == NULL) {
+ ctx = new_ctx = BN_CTX_new();
+ if (ctx == NULL)
+diff -up openssl-1.0.2a/crypto/evp/m_ecdsa.c.fips-ec openssl-1.0.2a/crypto/evp/m_ecdsa.c
+--- openssl-1.0.2a/crypto/evp/m_ecdsa.c.fips-ec 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/crypto/evp/m_ecdsa.c 2015-04-22 19:00:19.723884560 +0200
+@@ -136,7 +136,7 @@ static const EVP_MD ecdsa_md = {
+ NID_ecdsa_with_SHA1,
+ NID_ecdsa_with_SHA1,
+ SHA_DIGEST_LENGTH,
+- EVP_MD_FLAG_PKEY_DIGEST,
++ EVP_MD_FLAG_PKEY_DIGEST | EVP_MD_FLAG_FIPS,
+ init,
+ update,
+ final,
+diff -up openssl-1.0.2a/crypto/fips/cavs/fips_ecdhvs.c.fips-ec openssl-1.0.2a/crypto/fips/cavs/fips_ecdhvs.c
+--- openssl-1.0.2a/crypto/fips/cavs/fips_ecdhvs.c.fips-ec 2015-04-22 19:00:19.723884560 +0200
++++ openssl-1.0.2a/crypto/fips/cavs/fips_ecdhvs.c 2015-04-22 19:00:19.723884560 +0200
+@@ -0,0 +1,456 @@
++/* fips/ecdh/fips_ecdhvs.c */
++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
++ * project.
++ */
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++#define OPENSSL_FIPSAPI
++#include <openssl/opensslconf.h>
++
++#ifndef OPENSSL_FIPS
++# include <stdio.h>
++
++int main(int argc, char **argv)
++{
++ printf("No FIPS ECDH support\n");
++ return (0);
++}
++#else
++
++# include <openssl/crypto.h>
++# include <openssl/bn.h>
++# include <openssl/ecdh.h>
++# include <openssl/fips.h>
++# include <openssl/err.h>
++# include <openssl/evp.h>
++# include <string.h>
++# include <ctype.h>
++
++# include "fips_utl.h"
++
++static const EVP_MD *eparse_md(char *line)
++{
++ char *p;
++ if (line[0] != '[' || line[1] != 'E')
++ return NULL;
++ p = strchr(line, '-');
++ if (!p)
++ return NULL;
++ line = p + 1;
++ p = strchr(line, ']');
++ if (!p)
++ return NULL;
++ *p = 0;
++ p = line;
++ while (isspace(*p))
++ p++;
++ if (!strcmp(p, "SHA1"))
++ return EVP_sha1();
++ else if (!strcmp(p, "SHA224"))
++ return EVP_sha224();
++ else if (!strcmp(p, "SHA256"))
++ return EVP_sha256();
++ else if (!strcmp(p, "SHA384"))
++ return EVP_sha384();
++ else if (!strcmp(p, "SHA512"))
++ return EVP_sha512();
++ else
++ return NULL;
++}
++
++static int lookup_curve2(char *cname)
++{
++ char *p;
++ p = strchr(cname, ']');
++ if (!p) {
++ fprintf(stderr, "Parse error: missing ]\n");
++ return NID_undef;
++ }
++ *p = 0;
++
++ if (!strcmp(cname, "B-163"))
++ return NID_sect163r2;
++ if (!strcmp(cname, "B-233"))
++ return NID_sect233r1;
++ if (!strcmp(cname, "B-283"))
++ return NID_sect283r1;
++ if (!strcmp(cname, "B-409"))
++ return NID_sect409r1;
++ if (!strcmp(cname, "B-571"))
++ return NID_sect571r1;
++ if (!strcmp(cname, "K-163"))
++ return NID_sect163k1;
++ if (!strcmp(cname, "K-233"))
++ return NID_sect233k1;
++ if (!strcmp(cname, "K-283"))
++ return NID_sect283k1;
++ if (!strcmp(cname, "K-409"))
++ return NID_sect409k1;
++ if (!strcmp(cname, "K-571"))
++ return NID_sect571k1;
++ if (!strcmp(cname, "P-192"))
++ return NID_X9_62_prime192v1;
++ if (!strcmp(cname, "P-224"))
++ return NID_secp224r1;
++ if (!strcmp(cname, "P-256"))
++ return NID_X9_62_prime256v1;
++ if (!strcmp(cname, "P-384"))
++ return NID_secp384r1;
++ if (!strcmp(cname, "P-521"))
++ return NID_secp521r1;
++
++ fprintf(stderr, "Unknown Curve name %s\n", cname);
++ return NID_undef;
++}
++
++static int lookup_curve(char *cname)
++{
++ char *p;
++ p = strchr(cname, ':');
++ if (!p) {
++ fprintf(stderr, "Parse error: missing :\n");
++ return NID_undef;
++ }
++ cname = p + 1;
++ while (isspace(*cname))
++ cname++;
++ return lookup_curve2(cname);
++}
++
++static EC_POINT *make_peer(EC_GROUP *group, BIGNUM *x, BIGNUM *y)
++{
++ EC_POINT *peer;
++ int rv;
++ BN_CTX *c;
++ peer = EC_POINT_new(group);
++ if (!peer)
++ return NULL;
++ c = BN_CTX_new();
++ if (EC_METHOD_get_field_type(EC_GROUP_method_of(group))
++ == NID_X9_62_prime_field)
++ rv = EC_POINT_set_affine_coordinates_GFp(group, peer, x, y, c);
++ else
++# ifdef OPENSSL_NO_EC2M
++ {
++ fprintf(stderr, "ERROR: GF2m not supported\n");
++ exit(1);
++ }
++# else
++ rv = EC_POINT_set_affine_coordinates_GF2m(group, peer, x, y, c);
++# endif
++
++ BN_CTX_free(c);
++ if (rv)
++ return peer;
++ EC_POINT_free(peer);
++ return NULL;
++}
++
++static int ec_print_key(FILE *out, EC_KEY *key, int add_e, int exout)
++{
++ const EC_POINT *pt;
++ const EC_GROUP *grp;
++ const EC_METHOD *meth;
++ int rv;
++ BIGNUM *tx, *ty;
++ const BIGNUM *d = NULL;
++ BN_CTX *ctx;
++ ctx = BN_CTX_new();
++ if (!ctx)
++ return 0;
++ tx = BN_CTX_get(ctx);
++ ty = BN_CTX_get(ctx);
++ if (!tx || !ty)
++ return 0;
++ grp = EC_KEY_get0_group(key);
++ pt = EC_KEY_get0_public_key(key);
++ if (exout)
++ d = EC_KEY_get0_private_key(key);
++ meth = EC_GROUP_method_of(grp);
++ if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
++ rv = EC_POINT_get_affine_coordinates_GFp(grp, pt, tx, ty, ctx);
++ else
++# ifdef OPENSSL_NO_EC2M
++ {
++ fprintf(stderr, "ERROR: GF2m not supported\n");
++ exit(1);
++ }
++# else
++ rv = EC_POINT_get_affine_coordinates_GF2m(grp, pt, tx, ty, ctx);
++# endif
++
++ if (add_e) {
++ do_bn_print_name(out, "QeIUTx", tx);
++ do_bn_print_name(out, "QeIUTy", ty);
++ if (d)
++ do_bn_print_name(out, "QeIUTd", d);
++ } else {
++ do_bn_print_name(out, "QIUTx", tx);
++ do_bn_print_name(out, "QIUTy", ty);
++ if (d)
++ do_bn_print_name(out, "QIUTd", d);
++ }
++
++ BN_CTX_free(ctx);
++
++ return rv;
++
++}
++
++static void ec_output_Zhash(FILE *out, int exout, EC_GROUP *group,
++ BIGNUM *ix, BIGNUM *iy, BIGNUM *id, BIGNUM *cx,
++ BIGNUM *cy, const EVP_MD *md,
++ unsigned char *rhash, size_t rhashlen)
++{
++ EC_KEY *ec = NULL;
++ EC_POINT *peerkey = NULL;
++ unsigned char *Z;
++ unsigned char chash[EVP_MAX_MD_SIZE];
++ int Zlen;
++ ec = EC_KEY_new();
++ EC_KEY_set_flags(ec, EC_FLAG_COFACTOR_ECDH);
++ EC_KEY_set_group(ec, group);
++ peerkey = make_peer(group, cx, cy);
++ if (rhash == NULL) {
++ if (md)
++ rhashlen = M_EVP_MD_size(md);
++ EC_KEY_generate_key(ec);
++ ec_print_key(out, ec, md ? 1 : 0, exout);
++ } else {
++ EC_KEY_set_public_key_affine_coordinates(ec, ix, iy);
++ EC_KEY_set_private_key(ec, id);
++ }
++ Zlen = (EC_GROUP_get_degree(group) + 7) / 8;
++ Z = OPENSSL_malloc(Zlen);
++ if (!Z)
++ exit(1);
++ ECDH_compute_key(Z, Zlen, peerkey, ec, 0);
++ if (md) {
++ if (exout)
++ OutputValue("Z", Z, Zlen, out, 0);
++ FIPS_digest(Z, Zlen, chash, NULL, md);
++ OutputValue(rhash ? "IUTHashZZ" : "HashZZ", chash, rhashlen, out, 0);
++ if (rhash) {
++ fprintf(out, "Result = %s\n",
++ memcmp(chash, rhash, rhashlen) ? "F" : "P");
++ }
++ } else
++ OutputValue("ZIUT", Z, Zlen, out, 0);
++ OPENSSL_cleanse(Z, Zlen);
++ OPENSSL_free(Z);
++ EC_KEY_free(ec);
++ EC_POINT_free(peerkey);
++}
++
++# ifdef FIPS_ALGVS
++int fips_ecdhvs_main(int argc, char **argv)
++# else
++int main(int argc, char **argv)
++# endif
++{
++ char **args = argv + 1;
++ int argn = argc - 1;
++ FILE *in, *out;
++ char buf[2048], lbuf[2048];
++ unsigned char *rhash = NULL;
++ long rhashlen;
++ BIGNUM *cx = NULL, *cy = NULL;
++ BIGNUM *id = NULL, *ix = NULL, *iy = NULL;
++ const EVP_MD *md = NULL;
++ EC_GROUP *group = NULL;
++ char *keyword = NULL, *value = NULL;
++ int do_verify = -1, exout = 0;
++ int rv = 1;
++
++ int curve_nids[5] = { 0, 0, 0, 0, 0 };
++ int param_set = -1;
++
++ fips_algtest_init();
++
++ if (argn && !strcmp(*args, "ecdhver")) {
++ do_verify = 1;
++ args++;
++ argn--;
++ } else if (argn && !strcmp(*args, "ecdhgen")) {
++ do_verify = 0;
++ args++;
++ argn--;
++ }
++
++ if (argn && !strcmp(*args, "-exout")) {
++ exout = 1;
++ args++;
++ argn--;
++ }
++
++ if (do_verify == -1) {
++ fprintf(stderr, "%s [ecdhver|ecdhgen|] [-exout] (infile outfile)\n",
++ argv[0]);
++ exit(1);
++ }
++
++ if (argn == 2) {
++ in = fopen(*args, "r");
++ if (!in) {
++ fprintf(stderr, "Error opening input file\n");
++ exit(1);
++ }
++ out = fopen(args[1], "w");
++ if (!out) {
++ fprintf(stderr, "Error opening output file\n");
++ exit(1);
++ }
++ } else if (argn == 0) {
++ in = stdin;
++ out = stdout;
++ } else {
++ fprintf(stderr, "%s [dhver|dhgen|] [-exout] (infile outfile)\n",
++ argv[0]);
++ exit(1);
++ }
++
++ while (fgets(buf, sizeof(buf), in) != NULL) {
++ fputs(buf, out);
++ if (buf[0] == '[' && buf[1] == 'E') {
++ int c = buf[2];
++ if (c < 'A' || c > 'E')
++ goto parse_error;
++ param_set = c - 'A';
++ /* If just [E?] then initial paramset */
++ if (buf[3] == ']')
++ continue;
++ if (group)
++ EC_GROUP_free(group);
++ group = EC_GROUP_new_by_curve_name(curve_nids[c - 'A']);
++ }
++ if (strlen(buf) > 10 && !strncmp(buf, "[Curve", 6)) {
++ int nid;
++ if (param_set == -1)
++ goto parse_error;
++ nid = lookup_curve(buf);
++ if (nid == NID_undef)
++ goto parse_error;
++ curve_nids[param_set] = nid;
++ }
++
++ if (strlen(buf) > 4 && buf[0] == '[' && buf[2] == '-') {
++ int nid = lookup_curve2(buf + 1);
++ if (nid == NID_undef)
++ goto parse_error;
++ if (group)
++ EC_GROUP_free(group);
++ group = EC_GROUP_new_by_curve_name(nid);
++ if (!group) {
++ fprintf(stderr, "ERROR: unsupported curve %s\n", buf + 1);
++ return 1;
++ }
++ }
++
++ if (strlen(buf) > 6 && !strncmp(buf, "[E", 2)) {
++ md = eparse_md(buf);
++ if (md == NULL)
++ goto parse_error;
++ continue;
++ }
++ if (!parse_line(&keyword, &value, lbuf, buf))
++ continue;
++ if (!strcmp(keyword, "QeCAVSx") || !strcmp(keyword, "QCAVSx")) {
++ if (!do_hex2bn(&cx, value))
++ goto parse_error;
++ } else if (!strcmp(keyword, "QeCAVSy") || !strcmp(keyword, "QCAVSy")) {
++ if (!do_hex2bn(&cy, value))
++ goto parse_error;
++ if (do_verify == 0)
++ ec_output_Zhash(out, exout, group,
++ NULL, NULL, NULL,
++ cx, cy, md, rhash, rhashlen);
++ } else if (!strcmp(keyword, "deIUT")) {
++ if (!do_hex2bn(&id, value))
++ goto parse_error;
++ } else if (!strcmp(keyword, "QeIUTx")) {
++ if (!do_hex2bn(&ix, value))
++ goto parse_error;
++ } else if (!strcmp(keyword, "QeIUTy")) {
++ if (!do_hex2bn(&iy, value))
++ goto parse_error;
++ } else if (!strcmp(keyword, "CAVSHashZZ")) {
++ if (!md)
++ goto parse_error;
++ rhash = hex2bin_m(value, &rhashlen);
++ if (!rhash || rhashlen != M_EVP_MD_size(md))
++ goto parse_error;
++ ec_output_Zhash(out, exout, group, ix, iy, id, cx, cy,
++ md, rhash, rhashlen);
++ }
++ }
++ rv = 0;
++ parse_error:
++ if (id)
++ BN_free(id);
++ if (ix)
++ BN_free(ix);
++ if (iy)
++ BN_free(iy);
++ if (cx)
++ BN_free(cx);
++ if (cy)
++ BN_free(cy);
++ if (group)
++ EC_GROUP_free(group);
++ if (in && in != stdin)
++ fclose(in);
++ if (out && out != stdout)
++ fclose(out);
++ if (rv)
++ fprintf(stderr, "Error Parsing request file\n");
++ return rv;
++}
++
++#endif
+diff -up openssl-1.0.2a/crypto/fips/cavs/fips_ecdsavs.c.fips-ec openssl-1.0.2a/crypto/fips/cavs/fips_ecdsavs.c
+--- openssl-1.0.2a/crypto/fips/cavs/fips_ecdsavs.c.fips-ec 2015-04-22 19:00:19.723884560 +0200
++++ openssl-1.0.2a/crypto/fips/cavs/fips_ecdsavs.c 2015-04-22 19:00:19.723884560 +0200
+@@ -0,0 +1,486 @@
++/* fips/ecdsa/fips_ecdsavs.c */
++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
++ * project.
++ */
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++#define OPENSSL_FIPSAPI
++#include <openssl/opensslconf.h>
++#include <stdio.h>
++
++#ifndef OPENSSL_FIPS
++
++int main(int argc, char **argv)
++{
++ printf("No FIPS ECDSA support\n");
++ return (0);
++}
++#else
++
++# include <string.h>
++# include <ctype.h>
++# include <openssl/err.h>
++# include <openssl/bn.h>
++# include <openssl/ecdsa.h>
++# include <openssl/evp.h>
++# include "fips_utl.h"
++
++# include <openssl/objects.h>
++
++static int elookup_curve(char *in, char *curve_name, const EVP_MD **pmd)
++{
++ char *cname, *p;
++ /* Copy buffer as we will change it */
++ strcpy(curve_name, in);
++ cname = curve_name + 1;
++ p = strchr(cname, ']');
++ if (!p) {
++ fprintf(stderr, "Parse error: missing ]\n");
++ return NID_undef;
++ }
++ *p = 0;
++ p = strchr(cname, ',');
++ if (p) {
++ if (!pmd) {
++ fprintf(stderr, "Parse error: unexpected digest\n");
++ return NID_undef;
++ }
++ *p = 0;
++ p++;
++
++ if (!strcmp(p, "SHA-1"))
++ *pmd = EVP_sha1();
++ else if (!strcmp(p, "SHA-224"))
++ *pmd = EVP_sha224();
++ else if (!strcmp(p, "SHA-256"))
++ *pmd = EVP_sha256();
++ else if (!strcmp(p, "SHA-384"))
++ *pmd = EVP_sha384();
++ else if (!strcmp(p, "SHA-512"))
++ *pmd = EVP_sha512();
++ else {
++ fprintf(stderr, "Unknown digest %s\n", p);
++ return NID_undef;
++ }
++ } else if (pmd)
++ *pmd = EVP_sha1();
++
++ if (!strcmp(cname, "B-163"))
++ return NID_sect163r2;
++ if (!strcmp(cname, "B-233"))
++ return NID_sect233r1;
++ if (!strcmp(cname, "B-283"))
++ return NID_sect283r1;
++ if (!strcmp(cname, "B-409"))
++ return NID_sect409r1;
++ if (!strcmp(cname, "B-571"))
++ return NID_sect571r1;
++ if (!strcmp(cname, "K-163"))
++ return NID_sect163k1;
++ if (!strcmp(cname, "K-233"))
++ return NID_sect233k1;
++ if (!strcmp(cname, "K-283"))
++ return NID_sect283k1;
++ if (!strcmp(cname, "K-409"))
++ return NID_sect409k1;
++ if (!strcmp(cname, "K-571"))
++ return NID_sect571k1;
++ if (!strcmp(cname, "P-192"))
++ return NID_X9_62_prime192v1;
++ if (!strcmp(cname, "P-224"))
++ return NID_secp224r1;
++ if (!strcmp(cname, "P-256"))
++ return NID_X9_62_prime256v1;
++ if (!strcmp(cname, "P-384"))
++ return NID_secp384r1;
++ if (!strcmp(cname, "P-521"))
++ return NID_secp521r1;
++
++ fprintf(stderr, "Unknown Curve name %s\n", cname);
++ return NID_undef;
++}
++
++static int ec_get_pubkey(EC_KEY *key, BIGNUM *x, BIGNUM *y)
++{
++ const EC_POINT *pt;
++ const EC_GROUP *grp;
++ const EC_METHOD *meth;
++ int rv;
++ BN_CTX *ctx;
++ ctx = BN_CTX_new();
++ if (!ctx)
++ return 0;
++ grp = EC_KEY_get0_group(key);
++ pt = EC_KEY_get0_public_key(key);
++ meth = EC_GROUP_method_of(grp);
++ if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
++ rv = EC_POINT_get_affine_coordinates_GFp(grp, pt, x, y, ctx);
++ else
++# ifdef OPENSSL_NO_EC2M
++ {
++ fprintf(stderr, "ERROR: GF2m not supported\n");
++ exit(1);
++ }
++# else
++ rv = EC_POINT_get_affine_coordinates_GF2m(grp, pt, x, y, ctx);
++# endif
++
++ BN_CTX_free(ctx);
++
++ return rv;
++
++}
++
++static int KeyPair(FILE *in, FILE *out)
++{
++ char buf[2048], lbuf[2048];
++ char *keyword, *value;
++ int curve_nid = NID_undef;
++ int i, count;
++ BIGNUM *Qx = NULL, *Qy = NULL;
++ const BIGNUM *d = NULL;
++ EC_KEY *key = NULL;
++ Qx = BN_new();
++ Qy = BN_new();
++ while (fgets(buf, sizeof buf, in) != NULL) {
++ if (*buf == '[' && buf[2] == '-') {
++ if (buf[2] == '-')
++ curve_nid = elookup_curve(buf, lbuf, NULL);
++ fputs(buf, out);
++ continue;
++ }
++ if (!parse_line(&keyword, &value, lbuf, buf)) {
++ fputs(buf, out);
++ continue;
++ }
++ if (!strcmp(keyword, "N")) {
++ count = atoi(value);
++
++ for (i = 0; i < count; i++) {
++
++ key = EC_KEY_new_by_curve_name(curve_nid);
++ if (!EC_KEY_generate_key(key)) {
++ fprintf(stderr, "Error generating key\n");
++ return 0;
++ }
++
++ if (!ec_get_pubkey(key, Qx, Qy)) {
++ fprintf(stderr, "Error getting public key\n");
++ return 0;
++ }
++
++ d = EC_KEY_get0_private_key(key);
++
++ do_bn_print_name(out, "d", d);
++ do_bn_print_name(out, "Qx", Qx);
++ do_bn_print_name(out, "Qy", Qy);
++ fputs(RESP_EOL, out);
++ EC_KEY_free(key);
++
++ }
++
++ }
++
++ }
++ BN_free(Qx);
++ BN_free(Qy);
++ return 1;
++}
++
++static int PKV(FILE *in, FILE *out)
++{
++
++ char buf[2048], lbuf[2048];
++ char *keyword, *value;
++ int curve_nid = NID_undef;
++ BIGNUM *Qx = NULL, *Qy = NULL;
++ EC_KEY *key = NULL;
++ while (fgets(buf, sizeof buf, in) != NULL) {
++ fputs(buf, out);
++ if (*buf == '[' && buf[2] == '-') {
++ curve_nid = elookup_curve(buf, lbuf, NULL);
++ if (curve_nid == NID_undef)
++ return 0;
++
++ }
++ if (!parse_line(&keyword, &value, lbuf, buf))
++ continue;
++ if (!strcmp(keyword, "Qx")) {
++ if (!do_hex2bn(&Qx, value)) {
++ fprintf(stderr, "Invalid Qx value\n");
++ return 0;
++ }
++ }
++ if (!strcmp(keyword, "Qy")) {
++ int rv;
++ if (!do_hex2bn(&Qy, value)) {
++ fprintf(stderr, "Invalid Qy value\n");
++ return 0;
++ }
++ key = EC_KEY_new_by_curve_name(curve_nid);
++ no_err = 1;
++ rv = EC_KEY_set_public_key_affine_coordinates(key, Qx, Qy);
++ no_err = 0;
++ EC_KEY_free(key);
++ fprintf(out, "Result = %s" RESP_EOL, rv ? "P" : "F");
++ }
++
++ }
++ BN_free(Qx);
++ BN_free(Qy);
++ return 1;
++}
++
++static int SigGen(FILE *in, FILE *out)
++{
++ char buf[2048], lbuf[2048];
++ char *keyword, *value;
++ unsigned char *msg;
++ int curve_nid = NID_undef;
++ long mlen;
++ BIGNUM *Qx = NULL, *Qy = NULL;
++ EC_KEY *key = NULL;
++ ECDSA_SIG *sig = NULL;
++ const EVP_MD *digest = NULL;
++ Qx = BN_new();
++ Qy = BN_new();
++ while (fgets(buf, sizeof buf, in) != NULL) {
++ fputs(buf, out);
++ if (*buf == '[') {
++ curve_nid = elookup_curve(buf, lbuf, &digest);
++ if (curve_nid == NID_undef)
++ return 0;
++ }
++ if (!parse_line(&keyword, &value, lbuf, buf))
++ continue;
++ if (!strcmp(keyword, "Msg")) {
++ msg = hex2bin_m(value, &mlen);
++ if (!msg) {
++ fprintf(stderr, "Invalid Message\n");
++ return 0;
++ }
++
++ key = EC_KEY_new_by_curve_name(curve_nid);
++ if (!EC_KEY_generate_key(key)) {
++ fprintf(stderr, "Error generating key\n");
++ return 0;
++ }
++
++ if (!ec_get_pubkey(key, Qx, Qy)) {
++ fprintf(stderr, "Error getting public key\n");
++ return 0;
++ }
++
++ sig = FIPS_ecdsa_sign(key, msg, mlen, digest);
++
++ if (!sig) {
++ fprintf(stderr, "Error signing message\n");
++ return 0;
++ }
++
++ do_bn_print_name(out, "Qx", Qx);
++ do_bn_print_name(out, "Qy", Qy);
++ do_bn_print_name(out, "R", sig->r);
++ do_bn_print_name(out, "S", sig->s);
++
++ EC_KEY_free(key);
++ OPENSSL_free(msg);
++ FIPS_ecdsa_sig_free(sig);
++
++ }
++
++ }
++ BN_free(Qx);
++ BN_free(Qy);
++ return 1;
++}
++
++static int SigVer(FILE *in, FILE *out)
++{
++ char buf[2048], lbuf[2048];
++ char *keyword, *value;
++ unsigned char *msg = NULL;
++ int curve_nid = NID_undef;
++ long mlen;
++ BIGNUM *Qx = NULL, *Qy = NULL;
++ EC_KEY *key = NULL;
++ ECDSA_SIG sg, *sig = &sg;
++ const EVP_MD *digest = NULL;
++ sig->r = NULL;
++ sig->s = NULL;
++ while (fgets(buf, sizeof buf, in) != NULL) {
++ fputs(buf, out);
++ if (*buf == '[') {
++ curve_nid = elookup_curve(buf, lbuf, &digest);
++ if (curve_nid == NID_undef)
++ return 0;
++ }
++ if (!parse_line(&keyword, &value, lbuf, buf))
++ continue;
++ if (!strcmp(keyword, "Msg")) {
++ msg = hex2bin_m(value, &mlen);
++ if (!msg) {
++ fprintf(stderr, "Invalid Message\n");
++ return 0;
++ }
++ }
++
++ if (!strcmp(keyword, "Qx")) {
++ if (!do_hex2bn(&Qx, value)) {
++ fprintf(stderr, "Invalid Qx value\n");
++ return 0;
++ }
++ }
++ if (!strcmp(keyword, "Qy")) {
++ if (!do_hex2bn(&Qy, value)) {
++ fprintf(stderr, "Invalid Qy value\n");
++ return 0;
++ }
++ }
++ if (!strcmp(keyword, "R")) {
++ if (!do_hex2bn(&sig->r, value)) {
++ fprintf(stderr, "Invalid R value\n");
++ return 0;
++ }
++ }
++ if (!strcmp(keyword, "S")) {
++ int rv;
++ if (!do_hex2bn(&sig->s, value)) {
++ fprintf(stderr, "Invalid S value\n");
++ return 0;
++ }
++ key = EC_KEY_new_by_curve_name(curve_nid);
++ rv = EC_KEY_set_public_key_affine_coordinates(key, Qx, Qy);
++
++ if (rv != 1) {
++ fprintf(stderr, "Error setting public key\n");
++ return 0;
++ }
++
++ no_err = 1;
++ rv = FIPS_ecdsa_verify(key, msg, mlen, digest, sig);
++ EC_KEY_free(key);
++ if (msg)
++ OPENSSL_free(msg);
++ no_err = 0;
++
++ fprintf(out, "Result = %s" RESP_EOL, rv ? "P" : "F");
++ }
++
++ }
++ if (sig->r)
++ BN_free(sig->r);
++ if (sig->s)
++ BN_free(sig->s);
++ if (Qx)
++ BN_free(Qx);
++ if (Qy)
++ BN_free(Qy);
++ return 1;
++}
++
++# ifdef FIPS_ALGVS
++int fips_ecdsavs_main(int argc, char **argv)
++# else
++int main(int argc, char **argv)
++# endif
++{
++ FILE *in = NULL, *out = NULL;
++ const char *cmd = argv[1];
++ int rv = 0;
++ fips_algtest_init();
++
++ if (argc == 4) {
++ in = fopen(argv[2], "r");
++ if (!in) {
++ fprintf(stderr, "Error opening input file\n");
++ exit(1);
++ }
++ out = fopen(argv[3], "w");
++ if (!out) {
++ fprintf(stderr, "Error opening output file\n");
++ exit(1);
++ }
++ } else if (argc == 2) {
++ in = stdin;
++ out = stdout;
++ }
++
++ if (!cmd) {
++ fprintf(stderr, "fips_ecdsavs [KeyPair|PKV|SigGen|SigVer]\n");
++ return 1;
++ }
++ if (!strcmp(cmd, "KeyPair"))
++ rv = KeyPair(in, out);
++ else if (!strcmp(cmd, "PKV"))
++ rv = PKV(in, out);
++ else if (!strcmp(cmd, "SigVer"))
++ rv = SigVer(in, out);
++ else if (!strcmp(cmd, "SigGen"))
++ rv = SigGen(in, out);
++ else {
++ fprintf(stderr, "Unknown command %s\n", cmd);
++ return 1;
++ }
++
++ if (argc == 4) {
++ fclose(in);
++ fclose(out);
++ }
++
++ if (rv <= 0) {
++ fprintf(stderr, "Error running %s\n", cmd);
++ return 1;
++ }
++
++ return 0;
++}
++
++#endif
+diff -up openssl-1.0.2a/crypto/fips/fips_ecdh_selftest.c.fips-ec openssl-1.0.2a/crypto/fips/fips_ecdh_selftest.c
+--- openssl-1.0.2a/crypto/fips/fips_ecdh_selftest.c.fips-ec 2015-04-22 19:00:19.724884583 +0200
++++ openssl-1.0.2a/crypto/fips/fips_ecdh_selftest.c 2015-04-22 19:00:19.724884583 +0200
+@@ -0,0 +1,242 @@
++/* fips/ecdh/fips_ecdh_selftest.c */
++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
++ * project 2011.
++ */
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ *
++ */
++
++#define OPENSSL_FIPSAPI
++
++#include <string.h>
++#include <openssl/crypto.h>
++#include <openssl/ec.h>
++#include <openssl/ecdh.h>
++#include <openssl/fips.h>
++#include <openssl/err.h>
++#include <openssl/evp.h>
++#include <openssl/bn.h>
++
++#ifdef OPENSSL_FIPS
++
++# include "fips_locl.h"
++
++static const unsigned char p256_qcavsx[] = {
++ 0x52, 0xc6, 0xa5, 0x75, 0xf3, 0x04, 0x98, 0xb3, 0x29, 0x66, 0x0c, 0x62,
++ 0x18, 0x60, 0x55, 0x41, 0x59, 0xd4, 0x60, 0x85, 0x99, 0xc1, 0x51, 0x13,
++ 0x6f, 0x97, 0x85, 0x93, 0x33, 0x34, 0x07, 0x50
++};
++
++static const unsigned char p256_qcavsy[] = {
++ 0x6f, 0x69, 0x24, 0xeb, 0xe9, 0x3b, 0xa7, 0xcc, 0x47, 0x17, 0xaa, 0x3f,
++ 0x70, 0xfc, 0x10, 0x73, 0x0a, 0xcd, 0x21, 0xee, 0x29, 0x19, 0x1f, 0xaf,
++ 0xb4, 0x1c, 0x1e, 0xc2, 0x8e, 0x97, 0x81, 0x6e
++};
++
++static const unsigned char p256_qiutx[] = {
++ 0x71, 0x46, 0x88, 0x08, 0x92, 0x21, 0x1b, 0x10, 0x21, 0x74, 0xff, 0x0c,
++ 0x94, 0xde, 0x34, 0x7c, 0x86, 0x74, 0xbe, 0x67, 0x41, 0x68, 0xd4, 0xc1,
++ 0xe5, 0x75, 0x63, 0x9c, 0xa7, 0x46, 0x93, 0x6f
++};
++
++static const unsigned char p256_qiuty[] = {
++ 0x33, 0x40, 0xa9, 0x6a, 0xf5, 0x20, 0xb5, 0x9e, 0xfc, 0x60, 0x1a, 0xae,
++ 0x3d, 0xf8, 0x21, 0xd2, 0xa7, 0xca, 0x52, 0x34, 0xb9, 0x5f, 0x27, 0x75,
++ 0x6c, 0x81, 0xbe, 0x32, 0x4d, 0xba, 0xbb, 0xf8
++};
++
++static const unsigned char p256_qiutd[] = {
++ 0x1a, 0x48, 0x55, 0x6b, 0x11, 0xbe, 0x92, 0xd4, 0x1c, 0xd7, 0x45, 0xc3,
++ 0x82, 0x81, 0x51, 0xf1, 0x23, 0x40, 0xb7, 0x83, 0xfd, 0x01, 0x6d, 0xbc,
++ 0xa1, 0x66, 0xaf, 0x0a, 0x03, 0x23, 0xcd, 0xc8
++};
++
++static const unsigned char p256_ziut[] = {
++ 0x77, 0x2a, 0x1e, 0x37, 0xee, 0xe6, 0x51, 0x02, 0x71, 0x40, 0xf8, 0x6a,
++ 0x36, 0xf8, 0x65, 0x61, 0x2b, 0x18, 0x71, 0x82, 0x23, 0xe6, 0xf2, 0x77,
++ 0xce, 0xec, 0xb8, 0x49, 0xc7, 0xbf, 0x36, 0x4f
++};
++
++typedef struct {
++ int curve;
++ const unsigned char *x1;
++ size_t x1len;
++ const unsigned char *y1;
++ size_t y1len;
++ const unsigned char *d1;
++ size_t d1len;
++ const unsigned char *x2;
++ size_t x2len;
++ const unsigned char *y2;
++ size_t y2len;
++ const unsigned char *z;
++ size_t zlen;
++} ECDH_SELFTEST_DATA;
++
++# define make_ecdh_test(nid, pr) { nid, \
++ pr##_qiutx, sizeof(pr##_qiutx), \
++ pr##_qiuty, sizeof(pr##_qiuty), \
++ pr##_qiutd, sizeof(pr##_qiutd), \
++ pr##_qcavsx, sizeof(pr##_qcavsx), \
++ pr##_qcavsy, sizeof(pr##_qcavsy), \
++ pr##_ziut, sizeof(pr##_ziut) }
++
++static ECDH_SELFTEST_DATA test_ecdh_data[] = {
++ make_ecdh_test(NID_X9_62_prime256v1, p256),
++};
++
++int FIPS_selftest_ecdh(void)
++{
++ EC_KEY *ec1 = NULL, *ec2 = NULL;
++ const EC_POINT *ecp = NULL;
++ BIGNUM *x = NULL, *y = NULL, *d = NULL;
++ unsigned char *ztmp = NULL;
++ int rv = 1;
++ size_t i;
++
++ for (i = 0; i < sizeof(test_ecdh_data) / sizeof(ECDH_SELFTEST_DATA); i++) {
++ ECDH_SELFTEST_DATA *ecd = test_ecdh_data + i;
++ if (!fips_post_started(FIPS_TEST_ECDH, ecd->curve, 0))
++ continue;
++ ztmp = OPENSSL_malloc(ecd->zlen);
++
++ x = BN_bin2bn(ecd->x1, ecd->x1len, x);
++ y = BN_bin2bn(ecd->y1, ecd->y1len, y);
++ d = BN_bin2bn(ecd->d1, ecd->d1len, d);
++
++ if (!x || !y || !d || !ztmp) {
++ rv = -1;
++ goto err;
++ }
++
++ ec1 = EC_KEY_new_by_curve_name(ecd->curve);
++ if (!ec1) {
++ rv = -1;
++ goto err;
++ }
++ EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH);
++
++ if (!EC_KEY_set_public_key_affine_coordinates(ec1, x, y)) {
++ rv = -1;
++ goto err;
++ }
++
++ if (!EC_KEY_set_private_key(ec1, d)) {
++ rv = -1;
++ goto err;
++ }
++
++ x = BN_bin2bn(ecd->x2, ecd->x2len, x);
++ y = BN_bin2bn(ecd->y2, ecd->y2len, y);
++
++ if (!x || !y) {
++ rv = -1;
++ goto err;
++ }
++
++ ec2 = EC_KEY_new_by_curve_name(ecd->curve);
++ if (!ec2) {
++ rv = -1;
++ goto err;
++ }
++ EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH);
++
++ if (!EC_KEY_set_public_key_affine_coordinates(ec2, x, y)) {
++ rv = -1;
++ goto err;
++ }
++
++ ecp = EC_KEY_get0_public_key(ec2);
++ if (!ecp) {
++ rv = -1;
++ goto err;
++ }
++
++ if (!ECDH_compute_key(ztmp, ecd->zlen, ecp, ec1, 0)) {
++ rv = -1;
++ goto err;
++ }
++
++ if (!fips_post_corrupt(FIPS_TEST_ECDH, ecd->curve, NULL))
++ ztmp[0] ^= 0x1;
++
++ if (memcmp(ztmp, ecd->z, ecd->zlen)) {
++ fips_post_failed(FIPS_TEST_ECDH, ecd->curve, 0);
++ rv = 0;
++ } else if (!fips_post_success(FIPS_TEST_ECDH, ecd->curve, 0))
++ goto err;
++
++ EC_KEY_free(ec1);
++ ec1 = NULL;
++ EC_KEY_free(ec2);
++ ec2 = NULL;
++ OPENSSL_free(ztmp);
++ ztmp = NULL;
++ }
++
++ err:
++
++ if (x)
++ BN_clear_free(x);
++ if (y)
++ BN_clear_free(y);
++ if (d)
++ BN_clear_free(d);
++ if (ec1)
++ EC_KEY_free(ec1);
++ if (ec2)
++ EC_KEY_free(ec2);
++ if (ztmp)
++ OPENSSL_free(ztmp);
++
++ return rv;
++
++}
++
++#endif
+diff -up openssl-1.0.2a/crypto/fips/fips_ecdsa_selftest.c.fips-ec openssl-1.0.2a/crypto/fips/fips_ecdsa_selftest.c
+--- openssl-1.0.2a/crypto/fips/fips_ecdsa_selftest.c.fips-ec 2015-04-22 19:00:19.724884583 +0200
++++ openssl-1.0.2a/crypto/fips/fips_ecdsa_selftest.c 2015-04-22 19:00:19.724884583 +0200
+@@ -0,0 +1,165 @@
++/* fips/ecdsa/fips_ecdsa_selftest.c */
++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
++ * project 2011.
++ */
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ *
++ */
++
++#define OPENSSL_FIPSAPI
++
++#include <string.h>
++#include <openssl/crypto.h>
++#include <openssl/ec.h>
++#include <openssl/ecdsa.h>
++#include <openssl/fips.h>
++#include <openssl/err.h>
++#include <openssl/evp.h>
++#include <openssl/bn.h>
++
++#ifdef OPENSSL_FIPS
++
++static const char P_256_name[] = "ECDSA P-256";
++
++static const unsigned char P_256_d[] = {
++ 0x51, 0xbd, 0x06, 0xa1, 0x1c, 0xda, 0xe2, 0x12, 0x99, 0xc9, 0x52, 0x3f,
++ 0xea, 0xa4, 0xd2, 0xd1, 0xf4, 0x7f, 0xd4, 0x3e, 0xbd, 0xf8, 0xfc, 0x87,
++ 0xdc, 0x82, 0x53, 0x21, 0xee, 0xa0, 0xdc, 0x64
++};
++
++static const unsigned char P_256_qx[] = {
++ 0x23, 0x89, 0xe0, 0xf4, 0x69, 0xe0, 0x49, 0xe5, 0xc7, 0xe5, 0x40, 0x6e,
++ 0x8f, 0x25, 0xdd, 0xad, 0x11, 0x16, 0x14, 0x9b, 0xab, 0x44, 0x06, 0x31,
++ 0xbf, 0x5e, 0xa6, 0x44, 0xac, 0x86, 0x00, 0x07
++};
++
++static const unsigned char P_256_qy[] = {
++ 0xb3, 0x05, 0x0d, 0xd0, 0xdc, 0xf7, 0x40, 0xe6, 0xf9, 0xd8, 0x6d, 0x7b,
++ 0x63, 0xca, 0x97, 0xe6, 0x12, 0xf9, 0xd4, 0x18, 0x59, 0xbe, 0xb2, 0x5e,
++ 0x4a, 0x6a, 0x77, 0x23, 0xf4, 0x11, 0x9d, 0xeb
++};
++
++typedef struct {
++ int curve;
++ const char *name;
++ const unsigned char *x;
++ size_t xlen;
++ const unsigned char *y;
++ size_t ylen;
++ const unsigned char *d;
++ size_t dlen;
++} EC_SELFTEST_DATA;
++
++# define make_ecdsa_test(nid, pr) { nid, pr##_name, \
++ pr##_qx, sizeof(pr##_qx), \
++ pr##_qy, sizeof(pr##_qy), \
++ pr##_d, sizeof(pr##_d)}
++
++static EC_SELFTEST_DATA test_ec_data[] = {
++ make_ecdsa_test(NID_X9_62_prime256v1, P_256),
++};
++
++int FIPS_selftest_ecdsa()
++{
++ EC_KEY *ec = NULL;
++ BIGNUM *x = NULL, *y = NULL, *d = NULL;
++ EVP_PKEY *pk = NULL;
++ int rv = 0;
++ size_t i;
++
++ for (i = 0; i < sizeof(test_ec_data) / sizeof(EC_SELFTEST_DATA); i++) {
++ EC_SELFTEST_DATA *ecd = test_ec_data + i;
++
++ x = BN_bin2bn(ecd->x, ecd->xlen, x);
++ y = BN_bin2bn(ecd->y, ecd->ylen, y);
++ d = BN_bin2bn(ecd->d, ecd->dlen, d);
++
++ if (!x || !y || !d)
++ goto err;
++
++ ec = EC_KEY_new_by_curve_name(ecd->curve);
++ if (!ec)
++ goto err;
++
++ if (!EC_KEY_set_public_key_affine_coordinates(ec, x, y))
++ goto err;
++
++ if (!EC_KEY_set_private_key(ec, d))
++ goto err;
++
++ if ((pk = EVP_PKEY_new()) == NULL)
++ goto err;
++
++ EVP_PKEY_assign_EC_KEY(pk, ec);
++
++ if (!fips_pkey_signature_test(pk, NULL, 0,
++ NULL, 0, EVP_sha256(), 0, ecd->name))
++ goto err;
++ }
++
++ rv = 1;
++
++ err:
++
++ if (x)
++ BN_clear_free(x);
++ if (y)
++ BN_clear_free(y);
++ if (d)
++ BN_clear_free(d);
++ if (pk)
++ EVP_PKEY_free(pk);
++ else if (ec)
++ EC_KEY_free(ec);
++
++ return rv;
++
++}
++
++#endif
+diff -up openssl-1.0.2a/crypto/fips/fips.h.fips-ec openssl-1.0.2a/crypto/fips/fips.h
+--- openssl-1.0.2a/crypto/fips/fips.h.fips-ec 2015-04-22 19:00:19.688883733 +0200
++++ openssl-1.0.2a/crypto/fips/fips.h 2015-04-22 19:00:19.724884583 +0200
+@@ -93,6 +93,8 @@ extern "C" {
+ void FIPS_corrupt_dsa(void);
+ void FIPS_corrupt_dsa_keygen(void);
+ int FIPS_selftest_dsa(void);
++ int FIPS_selftest_ecdsa(void);
++ int FIPS_selftest_ecdh(void);
+ void FIPS_corrupt_rng(void);
+ void FIPS_rng_stick(void);
+ void FIPS_x931_stick(int onoff);
+diff -up openssl-1.0.2a/crypto/fips/fips_post.c.fips-ec openssl-1.0.2a/crypto/fips/fips_post.c
+--- openssl-1.0.2a/crypto/fips/fips_post.c.fips-ec 2015-04-22 19:00:19.688883733 +0200
++++ openssl-1.0.2a/crypto/fips/fips_post.c 2015-04-22 19:00:19.724884583 +0200
+@@ -95,8 +95,12 @@ int FIPS_selftest(void)
+ rv = 0;
+ if (!FIPS_selftest_rsa())
+ rv = 0;
++ if (!FIPS_selftest_ecdsa())
++ rv = 0;
+ if (!FIPS_selftest_dsa())
+ rv = 0;
++ if (!FIPS_selftest_ecdh())
++ rv = 0;
+ return rv;
+ }
+
+diff -up openssl-1.0.2a/crypto/fips/Makefile.fips-ec openssl-1.0.2a/crypto/fips/Makefile
+--- openssl-1.0.2a/crypto/fips/Makefile.fips-ec 2015-04-22 19:00:19.691883805 +0200
++++ openssl-1.0.2a/crypto/fips/Makefile 2015-04-22 19:00:19.724884583 +0200
+@@ -24,13 +24,13 @@ LIBSRC=fips_aes_selftest.c fips_des_self
+ fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c fips_rand.c \
+ fips_rsa_x931g.c fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \
+ fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \
+- fips_cmac_selftest.c fips_enc.c fips_md.c
++ fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c fips_enc.c fips_md.c
+
+ LIBOBJ=fips_aes_selftest.o fips_des_selftest.o fips_hmac_selftest.o fips_rand_selftest.o \
+ fips_rsa_selftest.o fips_sha_selftest.o fips.o fips_dsa_selftest.o fips_rand.o \
+ fips_rsa_x931g.o fips_post.o fips_drbg_ctr.o fips_drbg_hash.o fips_drbg_hmac.o \
+ fips_drbg_lib.o fips_drbg_rand.o fips_drbg_selftest.o fips_rand_lib.o \
+- fips_cmac_selftest.o fips_enc.o fips_md.o
++ fips_cmac_selftest.o fips_ecdh_selftest.o fips_ecdsa_selftest.o fips_enc.o fips_md.o
+
+ LIBCRYPTO=-L.. -lcrypto
+
+@@ -119,6 +119,21 @@ fips_aes_selftest.o: ../../include/opens
+ fips_aes_selftest.o: ../../include/openssl/safestack.h
+ fips_aes_selftest.o: ../../include/openssl/stack.h
+ fips_aes_selftest.o: ../../include/openssl/symhacks.h fips_aes_selftest.c
++fips_cmac_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
++fips_cmac_selftest.o: ../../include/openssl/cmac.h
++fips_cmac_selftest.o: ../../include/openssl/crypto.h
++fips_cmac_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
++fips_cmac_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
++fips_cmac_selftest.o: ../../include/openssl/lhash.h
++fips_cmac_selftest.o: ../../include/openssl/obj_mac.h
++fips_cmac_selftest.o: ../../include/openssl/objects.h
++fips_cmac_selftest.o: ../../include/openssl/opensslconf.h
++fips_cmac_selftest.o: ../../include/openssl/opensslv.h
++fips_cmac_selftest.o: ../../include/openssl/ossl_typ.h
++fips_cmac_selftest.o: ../../include/openssl/safestack.h
++fips_cmac_selftest.o: ../../include/openssl/stack.h
++fips_cmac_selftest.o: ../../include/openssl/symhacks.h fips_cmac_selftest.c
++fips_cmac_selftest.o: fips_locl.h
+ fips_des_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+ fips_des_selftest.o: ../../include/openssl/crypto.h
+ fips_des_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+@@ -232,6 +247,46 @@ fips_dsa_selftest.o: ../../include/opens
+ fips_dsa_selftest.o: ../../include/openssl/stack.h
+ fips_dsa_selftest.o: ../../include/openssl/symhacks.h fips_dsa_selftest.c
+ fips_dsa_selftest.o: fips_locl.h
++fips_ecdh_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
++fips_ecdh_selftest.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
++fips_ecdh_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
++fips_ecdh_selftest.o: ../../include/openssl/ecdh.h ../../include/openssl/err.h
++fips_ecdh_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
++fips_ecdh_selftest.o: ../../include/openssl/lhash.h
++fips_ecdh_selftest.o: ../../include/openssl/obj_mac.h
++fips_ecdh_selftest.o: ../../include/openssl/objects.h
++fips_ecdh_selftest.o: ../../include/openssl/opensslconf.h
++fips_ecdh_selftest.o: ../../include/openssl/opensslv.h
++fips_ecdh_selftest.o: ../../include/openssl/ossl_typ.h
++fips_ecdh_selftest.o: ../../include/openssl/safestack.h
++fips_ecdh_selftest.o: ../../include/openssl/stack.h
++fips_ecdh_selftest.o: ../../include/openssl/symhacks.h fips_ecdh_selftest.c
++fips_ecdh_selftest.o: fips_locl.h
++fips_ecdsa_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
++fips_ecdsa_selftest.o: ../../include/openssl/bn.h
++fips_ecdsa_selftest.o: ../../include/openssl/crypto.h
++fips_ecdsa_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
++fips_ecdsa_selftest.o: ../../include/openssl/ecdsa.h
++fips_ecdsa_selftest.o: ../../include/openssl/err.h ../../include/openssl/evp.h
++fips_ecdsa_selftest.o: ../../include/openssl/fips.h
++fips_ecdsa_selftest.o: ../../include/openssl/lhash.h
++fips_ecdsa_selftest.o: ../../include/openssl/obj_mac.h
++fips_ecdsa_selftest.o: ../../include/openssl/objects.h
++fips_ecdsa_selftest.o: ../../include/openssl/opensslconf.h
++fips_ecdsa_selftest.o: ../../include/openssl/opensslv.h
++fips_ecdsa_selftest.o: ../../include/openssl/ossl_typ.h
++fips_ecdsa_selftest.o: ../../include/openssl/safestack.h
++fips_ecdsa_selftest.o: ../../include/openssl/stack.h
++fips_ecdsa_selftest.o: ../../include/openssl/symhacks.h fips_ecdsa_selftest.c
++fips_enc.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
++fips_enc.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
++fips_enc.o: ../../include/openssl/err.h ../../include/openssl/evp.h
++fips_enc.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
++fips_enc.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
++fips_enc.o: ../../include/openssl/opensslconf.h
++fips_enc.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
++fips_enc.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
++fips_enc.o: ../../include/openssl/symhacks.h fips_enc.c
+ fips_hmac_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+ fips_hmac_selftest.o: ../../include/openssl/crypto.h
+ fips_hmac_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+@@ -246,6 +301,15 @@ fips_hmac_selftest.o: ../../include/open
+ fips_hmac_selftest.o: ../../include/openssl/safestack.h
+ fips_hmac_selftest.o: ../../include/openssl/stack.h
+ fips_hmac_selftest.o: ../../include/openssl/symhacks.h fips_hmac_selftest.c
++fips_md.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
++fips_md.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
++fips_md.o: ../../include/openssl/err.h ../../include/openssl/evp.h
++fips_md.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
++fips_md.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
++fips_md.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
++fips_md.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
++fips_md.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
++fips_md.o: fips_md.c
+ fips_post.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
+ fips_post.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
+ fips_post.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+diff -up openssl-1.0.2a/version.map.fips-ec openssl-1.0.2a/version.map
+--- openssl-1.0.2a/version.map.fips-ec 2015-04-22 19:00:19.704884111 +0200
++++ openssl-1.0.2a/version.map 2015-04-22 19:00:19.724884583 +0200
+@@ -6,6 +6,10 @@ OPENSSL_1.0.1 {
+ _original*;
+ _current*;
+ };
++OPENSSL_1.0.1_EC {
++ global:
++ EC*;
++};
+ OPENSSL_1.0.2 {
+ global:
+ SSLeay;
diff --git a/SOURCES/openssl-1.0.2a-fips-md5-allow.patch b/SOURCES/openssl-1.0.2a-fips-md5-allow.patch
new file mode 100644
index 0000000..825417f
--- /dev/null
+++ b/SOURCES/openssl-1.0.2a-fips-md5-allow.patch
@@ -0,0 +1,21 @@
+diff -up openssl-1.0.2a/crypto/md5/md5_dgst.c.md5-allow openssl-1.0.2a/crypto/md5/md5_dgst.c
+--- openssl-1.0.2a/crypto/md5/md5_dgst.c.md5-allow 2015-04-09 18:18:36.505393113 +0200
++++ openssl-1.0.2a/crypto/md5/md5_dgst.c 2015-04-09 18:18:32.408298469 +0200
+@@ -72,7 +72,16 @@ const char MD5_version[] = "MD5" OPENSSL
+ #define INIT_DATA_C (unsigned long)0x98badcfeL
+ #define INIT_DATA_D (unsigned long)0x10325476L
+
+-nonfips_md_init(MD5)
++int MD5_Init(MD5_CTX *c)
++#ifdef OPENSSL_FIPS
++{
++ if (FIPS_mode() && getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL)
++ OpenSSLDie(__FILE__, __LINE__, "Digest MD5 forbidden in FIPS mode!");
++ return private_MD5_Init(c);
++}
++
++int private_MD5_Init(MD5_CTX *c)
++#endif
+ {
+ memset(c, 0, sizeof(*c));
+ c->A = INIT_DATA_A;
diff --git a/SOURCES/openssl-1.0.2a-ipv6-apps.patch b/SOURCES/openssl-1.0.2a-ipv6-apps.patch
new file mode 100644
index 0000000..dd8b42c
--- /dev/null
+++ b/SOURCES/openssl-1.0.2a-ipv6-apps.patch
@@ -0,0 +1,525 @@
+diff -up openssl-1.0.2a/apps/s_apps.h.ipv6-apps openssl-1.0.2a/apps/s_apps.h
+--- openssl-1.0.2a/apps/s_apps.h.ipv6-apps 2015-04-20 15:01:24.029120104 +0200
++++ openssl-1.0.2a/apps/s_apps.h 2015-04-20 15:05:00.353137701 +0200
+@@ -151,7 +151,7 @@ typedef fd_mask fd_set;
+ #define PORT_STR "4433"
+ #define PROTOCOL "tcp"
+
+-int do_server(int port, int type, int *ret,
++int do_server(char *port, int type, int *ret,
+ int (*cb) (char *hostname, int s, int stype,
+ unsigned char *context), unsigned char *context,
+ int naccept);
+@@ -167,11 +167,10 @@ int ssl_print_point_formats(BIO *out, SS
+ int ssl_print_curves(BIO *out, SSL *s, int noshared);
+ #endif
+ int ssl_print_tmp_key(BIO *out, SSL *s);
+-int init_client(int *sock, char *server, int port, int type);
++int init_client(int *sock, char *server, char *port, int type);
+ int should_retry(int i);
+ int extract_port(char *str, short *port_ptr);
+-int extract_host_port(char *str, char **host_ptr, unsigned char *ip,
+- short *p);
++int extract_host_port(char *str, char **host_ptr, char **port_ptr);
+
+ long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp,
+ int argi, long argl, long ret);
+diff -up openssl-1.0.2a/apps/s_client.c.ipv6-apps openssl-1.0.2a/apps/s_client.c
+--- openssl-1.0.2a/apps/s_client.c.ipv6-apps 2015-04-20 15:01:24.022119942 +0200
++++ openssl-1.0.2a/apps/s_client.c 2015-04-20 15:06:42.338503234 +0200
+@@ -662,7 +662,7 @@ int MAIN(int argc, char **argv)
+ int cbuf_len, cbuf_off;
+ int sbuf_len, sbuf_off;
+ fd_set readfds, writefds;
+- short port = PORT;
++ char *port_str = PORT_STR;
+ int full_log = 1;
+ char *host = SSL_HOST_NAME;
+ char *cert_file = NULL, *key_file = NULL, *chain_file = NULL;
+@@ -785,13 +785,11 @@ int MAIN(int argc, char **argv)
+ } else if (strcmp(*argv, "-port") == 0) {
+ if (--argc < 1)
+ goto bad;
+- port = atoi(*(++argv));
+- if (port == 0)
+- goto bad;
++ port_str = *(++argv);
+ } else if (strcmp(*argv, "-connect") == 0) {
+ if (--argc < 1)
+ goto bad;
+- if (!extract_host_port(*(++argv), &host, NULL, &port))
++ if (!extract_host_port(*(++argv), &host, &port_str))
+ goto bad;
+ } else if (strcmp(*argv, "-verify") == 0) {
+ verify = SSL_VERIFY_PEER;
+@@ -1417,7 +1415,7 @@ int MAIN(int argc, char **argv)
+
+ re_start:
+
+- if (init_client(&s, host, port, socket_type) == 0) {
++ if (init_client(&s, host, port_str, socket_type) == 0) {
+ BIO_printf(bio_err, "connect:errno=%d\n", get_last_socket_error());
+ SHUTDOWN(s);
+ goto end;
+diff -up openssl-1.0.2a/apps/s_server.c.ipv6-apps openssl-1.0.2a/apps/s_server.c
+--- openssl-1.0.2a/apps/s_server.c.ipv6-apps 2015-04-20 15:01:24.030120127 +0200
++++ openssl-1.0.2a/apps/s_server.c 2015-04-20 15:10:47.245187746 +0200
+@@ -1061,7 +1061,7 @@ int MAIN(int argc, char *argv[])
+ {
+ X509_VERIFY_PARAM *vpm = NULL;
+ int badarg = 0;
+- short port = PORT;
++ char *port_str = PORT_STR;
+ char *CApath = NULL, *CAfile = NULL;
+ char *chCApath = NULL, *chCAfile = NULL;
+ char *vfyCApath = NULL, *vfyCAfile = NULL;
+@@ -1148,7 +1148,8 @@ int MAIN(int argc, char *argv[])
+ if ((strcmp(*argv, "-port") == 0) || (strcmp(*argv, "-accept") == 0)) {
+ if (--argc < 1)
+ goto bad;
+- if (!extract_port(*(++argv), &port))
++ port_str = *(++argv);
++ if (port_str == NULL || *port_str == '\0')
+ goto bad;
+ } else if (strcmp(*argv, "-naccept") == 0) {
+ if (--argc < 1)
+@@ -2020,13 +2021,13 @@ int MAIN(int argc, char *argv[])
+ BIO_printf(bio_s_out, "ACCEPT\n");
+ (void)BIO_flush(bio_s_out);
+ if (rev)
+- do_server(port, socket_type, &accept_socket, rev_body, context,
++ do_server(port_str, socket_type, &accept_socket, rev_body, context,
+ naccept);
+ else if (www)
+- do_server(port, socket_type, &accept_socket, www_body, context,
++ do_server(port_str, socket_type, &accept_socket, www_body, context,
+ naccept);
+ else
+- do_server(port, socket_type, &accept_socket, sv_body, context,
++ do_server(port_str, socket_type, &accept_socket, sv_body, context,
+ naccept);
+ print_stats(bio_s_out, ctx);
+ ret = 0;
+diff -up openssl-1.0.2a/apps/s_socket.c.ipv6-apps openssl-1.0.2a/apps/s_socket.c
+--- openssl-1.0.2a/apps/s_socket.c.ipv6-apps 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/apps/s_socket.c 2015-04-20 15:32:53.960079507 +0200
+@@ -106,9 +106,7 @@ static struct hostent *GetHostByName(cha
+ static void ssl_sock_cleanup(void);
+ # endif
+ static int ssl_sock_init(void);
+-static int init_client_ip(int *sock, unsigned char ip[4], int port, int type);
+-static int init_server(int *sock, int port, int type);
+-static int init_server_long(int *sock, int port, char *ip, int type);
++static int init_server(int *sock, char *port, int type);
+ static int do_accept(int acc_sock, int *sock, char **host);
+ static int host_ip(char *str, unsigned char ip[4]);
+
+@@ -231,65 +229,66 @@ static int ssl_sock_init(void)
+ return (1);
+ }
+
+-int init_client(int *sock, char *host, int port, int type)
++int init_client(int *sock, char *host, char *port, int type)
+ {
+- unsigned char ip[4];
+-
+- memset(ip, '\0', sizeof ip);
+- if (!host_ip(host, &(ip[0])))
+- return 0;
+- return init_client_ip(sock, ip, port, type);
+-}
+-
+-static int init_client_ip(int *sock, unsigned char ip[4], int port, int type)
+-{
+- unsigned long addr;
+- struct sockaddr_in them;
+- int s, i;
++ struct addrinfo *res, *res0, hints;
++ char *failed_call = NULL;
++ int s;
++ int e;
+
+ if (!ssl_sock_init())
+ return (0);
+
+- memset((char *)&them, 0, sizeof(them));
+- them.sin_family = AF_INET;
+- them.sin_port = htons((unsigned short)port);
+- addr = (unsigned long)
+- ((unsigned long)ip[0] << 24L) |
+- ((unsigned long)ip[1] << 16L) |
+- ((unsigned long)ip[2] << 8L) | ((unsigned long)ip[3]);
+- them.sin_addr.s_addr = htonl(addr);
+-
+- if (type == SOCK_STREAM)
+- s = socket(AF_INET, SOCK_STREAM, SOCKET_PROTOCOL);
+- else /* ( type == SOCK_DGRAM) */
+- s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
+-
+- if (s == INVALID_SOCKET) {
+- perror("socket");
++ memset(&hints, '\0', sizeof(hints));
++ hints.ai_socktype = type;
++ hints.ai_flags = AI_ADDRCONFIG;
++
++ e = getaddrinfo(host, port, &hints, &res);
++ if (e) {
++ fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e));
++ if (e == EAI_SYSTEM)
++ perror("getaddrinfo");
+ return (0);
+ }
++
++ res0 = res;
++ while (res) {
++ s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
++ if (s == INVALID_SOCKET) {
++ failed_call = "socket";
++ goto nextres;
++ }
+ # if defined(SO_KEEPALIVE) && !defined(OPENSSL_SYS_MPE)
+- if (type == SOCK_STREAM) {
+- i = 0;
+- i = setsockopt(s, SOL_SOCKET, SO_KEEPALIVE, (char *)&i, sizeof(i));
+- if (i < 0) {
+- closesocket(s);
+- perror("keepalive");
+- return (0);
++ if (type == SOCK_STREAM) {
++ int i = 0;
++ i = setsockopt(s, SOL_SOCKET, SO_KEEPALIVE,
++ (char *)&i, sizeof(i));
++ if (i < 0) {
++ failed_call = "keepalive";
++ goto nextres;
++ }
+ }
+- }
+ # endif
+-
+- if (connect(s, (struct sockaddr *)&them, sizeof(them)) == -1) {
+- closesocket(s);
+- perror("connect");
+- return (0);
++ if (connect(s, (struct sockaddr *)res->ai_addr, res->ai_addrlen) == 0) {
++ freeaddrinfo(res0);
++ *sock = s;
++ return (1);
++ }
++
++ failed_call = "socket";
++ nextres:
++ if (s != INVALID_SOCKET)
++ close(s);
++ res = res->ai_next;
+ }
+- *sock = s;
+- return (1);
++ freeaddrinfo(res0);
++ closesocket(s);
++
++ perror(failed_call);
++ return (0);
+ }
+
+-int do_server(int port, int type, int *ret,
++int do_server(char *port, int type, int *ret,
+ int (*cb) (char *hostname, int s, int stype,
+ unsigned char *context), unsigned char *context,
+ int naccept)
+@@ -328,69 +327,89 @@ int do_server(int port, int type, int *r
+ }
+ }
+
+-static int init_server_long(int *sock, int port, char *ip, int type)
++static int init_server(int *sock, char *port, int type)
+ {
+- int ret = 0;
+- struct sockaddr_in server;
+- int s = -1;
++ struct addrinfo *res, *res0 = NULL, hints;
++ char *failed_call = NULL;
++ int s = INVALID_SOCKET;
++ int e;
+
+ if (!ssl_sock_init())
+ return (0);
+
+- memset((char *)&server, 0, sizeof(server));
+- server.sin_family = AF_INET;
+- server.sin_port = htons((unsigned short)port);
+- if (ip == NULL)
+- server.sin_addr.s_addr = INADDR_ANY;
+- else
+-/* Added for T3E, address-of fails on bit field (beckman@acl.lanl.gov) */
+-# ifndef BIT_FIELD_LIMITS
+- memcpy(&server.sin_addr.s_addr, ip, 4);
+-# else
+- memcpy(&server.sin_addr, ip, 4);
+-# endif
+-
+- if (type == SOCK_STREAM)
+- s = socket(AF_INET, SOCK_STREAM, SOCKET_PROTOCOL);
+- else /* type == SOCK_DGRAM */
+- s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
++ memset(&hints, '\0', sizeof(hints));
++ hints.ai_family = AF_INET6;
++ tryipv4:
++ hints.ai_socktype = type;
++ hints.ai_flags = AI_PASSIVE;
++
++ e = getaddrinfo(NULL, port, &hints, &res);
++ if (e) {
++ if (hints.ai_family == AF_INET) {
++ fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e));
++ if (e == EAI_SYSTEM)
++ perror("getaddrinfo");
++ return (0);
++ } else
++ res = NULL;
++ }
+
+- if (s == INVALID_SOCKET)
+- goto err;
++ res0 = res;
++ while (res) {
++ s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
++ if (s == INVALID_SOCKET) {
++ failed_call = "socket";
++ goto nextres;
++ }
++ if (hints.ai_family == AF_INET6) {
++ int j = 0;
++ setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, (void *)&j, sizeof j);
++ }
+ # if defined SOL_SOCKET && defined SO_REUSEADDR
+- {
+- int j = 1;
+- setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (void *)&j, sizeof j);
+- }
+-# endif
+- if (bind(s, (struct sockaddr *)&server, sizeof(server)) == -1) {
+-# ifndef OPENSSL_SYS_WINDOWS
+- perror("bind");
++ {
++ int j = 1;
++ setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (void *)&j, sizeof j);
++ }
+ # endif
+- goto err;
++
++ if (bind(s, (struct sockaddr *)res->ai_addr, res->ai_addrlen) == -1) {
++ failed_call = "bind";
++ goto nextres;
++ }
++ if (type == SOCK_STREAM && listen(s, 128) == -1) {
++ failed_call = "listen";
++ goto nextres;
++ }
++
++ *sock = s;
++ return (1);
++
++ nextres:
++ if (s != INVALID_SOCKET)
++ close(s);
++ res = res->ai_next;
+ }
+- /* Make it 128 for linux */
+- if (type == SOCK_STREAM && listen(s, 128) == -1)
+- goto err;
+- *sock = s;
+- ret = 1;
+- err:
+- if ((ret == 0) && (s != -1)) {
+- SHUTDOWN(s);
++ if (res0)
++ freeaddrinfo(res0);
++
++ if (s == INVALID_SOCKET) {
++ if (hints.ai_family == AF_INET6) {
++ hints.ai_family = AF_INET;
++ goto tryipv4;
++ }
++ perror("socket");
++ return (0);
+ }
+- return (ret);
+-}
+
+-static int init_server(int *sock, int port, int type)
+-{
+- return (init_server_long(sock, port, NULL, type));
++ perror(failed_call);
++ return (0);
+ }
+
+ static int do_accept(int acc_sock, int *sock, char **host)
+ {
++ static struct sockaddr_storage from;
++ char buffer[NI_MAXHOST];
+ int ret;
+- struct hostent *h1, *h2;
+- static struct sockaddr_in from;
+ int len;
+ /* struct linger ling; */
+
+@@ -432,134 +451,60 @@ static int do_accept(int acc_sock, int *
+ ling.l_onoff=1;
+ ling.l_linger=0;
+ i=setsockopt(ret,SOL_SOCKET,SO_LINGER,(char *)&ling,sizeof(ling));
+- if (i < 0) { perror("linger"); return(0); }
++ if (i < 0) { closesocket(ret); perror("linger"); return(0); }
+ i=0;
+ i=setsockopt(ret,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i));
+- if (i < 0) { perror("keepalive"); return(0); }
++ if (i < 0) { closesocket(ret); perror("keepalive"); return(0); }
+ */
+
+ if (host == NULL)
+ goto end;
+-# ifndef BIT_FIELD_LIMITS
+- /* I should use WSAAsyncGetHostByName() under windows */
+- h1 = gethostbyaddr((char *)&from.sin_addr.s_addr,
+- sizeof(from.sin_addr.s_addr), AF_INET);
+-# else
+- h1 = gethostbyaddr((char *)&from.sin_addr,
+- sizeof(struct in_addr), AF_INET);
+-# endif
+- if (h1 == NULL) {
+- BIO_printf(bio_err, "bad gethostbyaddr\n");
++
++ if (getnameinfo((struct sockaddr *)&from, sizeof(from),
++ buffer, sizeof(buffer), NULL, 0, 0)) {
++ BIO_printf(bio_err, "getnameinfo failed\n");
+ *host = NULL;
+ /* return(0); */
+ } else {
+- if ((*host = (char *)OPENSSL_malloc(strlen(h1->h_name) + 1)) == NULL) {
++ if ((*host = (char *)OPENSSL_malloc(strlen(buffer) + 1)) == NULL) {
+ perror("OPENSSL_malloc");
+ closesocket(ret);
+ return (0);
+ }
+- BUF_strlcpy(*host, h1->h_name, strlen(h1->h_name) + 1);
+-
+- h2 = GetHostByName(*host);
+- if (h2 == NULL) {
+- BIO_printf(bio_err, "gethostbyname failure\n");
+- closesocket(ret);
+- return (0);
+- }
+- if (h2->h_addrtype != AF_INET) {
+- BIO_printf(bio_err, "gethostbyname addr is not AF_INET\n");
+- closesocket(ret);
+- return (0);
+- }
++ strcpy(*host, buffer);
+ }
+ end:
+ *sock = ret;
+ return (1);
+ }
+
+-int extract_host_port(char *str, char **host_ptr, unsigned char *ip,
+- short *port_ptr)
++int extract_host_port(char *str, char **host_ptr, char **port_ptr)
+ {
+- char *h, *p;
++ char *h, *p, *x;
+
+- h = str;
+- p = strchr(str, ':');
++ x = h = str;
++ if (*h == '[') {
++ h++;
++ p = strchr(h, ']');
++ if (p == NULL) {
++ BIO_printf(bio_err, "no ending bracket for IPv6 address\n");
++ return (0);
++ }
++ *(p++) = '\0';
++ x = p;
++ }
++ p = strchr(x, ':');
+ if (p == NULL) {
+ BIO_printf(bio_err, "no port defined\n");
+ return (0);
+ }
+ *(p++) = '\0';
+
+- if ((ip != NULL) && !host_ip(str, ip))
+- goto err;
+ if (host_ptr != NULL)
+ *host_ptr = h;
++ if (port_ptr != NULL)
++ *port_ptr = p;
+
+- if (!extract_port(p, port_ptr))
+- goto err;
+- return (1);
+- err:
+- return (0);
+-}
+-
+-static int host_ip(char *str, unsigned char ip[4])
+-{
+- unsigned int in[4];
+- int i;
+-
+- if (sscanf(str, "%u.%u.%u.%u", &(in[0]), &(in[1]), &(in[2]), &(in[3])) ==
+- 4) {
+- for (i = 0; i < 4; i++)
+- if (in[i] > 255) {
+- BIO_printf(bio_err, "invalid IP address\n");
+- goto err;
+- }
+- ip[0] = in[0];
+- ip[1] = in[1];
+- ip[2] = in[2];
+- ip[3] = in[3];
+- } else { /* do a gethostbyname */
+- struct hostent *he;
+-
+- if (!ssl_sock_init())
+- return (0);
+-
+- he = GetHostByName(str);
+- if (he == NULL) {
+- BIO_printf(bio_err, "gethostbyname failure\n");
+- goto err;
+- }
+- /* cast to short because of win16 winsock definition */
+- if ((short)he->h_addrtype != AF_INET) {
+- BIO_printf(bio_err, "gethostbyname addr is not AF_INET\n");
+- return (0);
+- }
+- ip[0] = he->h_addr_list[0][0];
+- ip[1] = he->h_addr_list[0][1];
+- ip[2] = he->h_addr_list[0][2];
+- ip[3] = he->h_addr_list[0][3];
+- }
+- return (1);
+- err:
+- return (0);
+-}
+-
+-int extract_port(char *str, short *port_ptr)
+-{
+- int i;
+- struct servent *s;
+-
+- i = atoi(str);
+- if (i != 0)
+- *port_ptr = (unsigned short)i;
+- else {
+- s = getservbyname(str, "tcp");
+- if (s == NULL) {
+- BIO_printf(bio_err, "getservbyname failure for %s\n", str);
+- return (0);
+- }
+- *port_ptr = ntohs((unsigned short)s->s_port);
+- }
+ return (1);
+ }
+
diff --git a/SOURCES/openssl-1.0.2a-issuer-hash.patch b/SOURCES/openssl-1.0.2a-issuer-hash.patch
new file mode 100644
index 0000000..a439d14
--- /dev/null
+++ b/SOURCES/openssl-1.0.2a-issuer-hash.patch
@@ -0,0 +1,11 @@
+diff -up openssl-1.0.1k/crypto/x509/x509_cmp.c.issuer-hash openssl-1.0.1k/crypto/x509/x509_cmp.c
+--- openssl-1.0.1k/crypto/x509/x509_cmp.c.issuer-hash 2015-04-09 18:16:03.349855193 +0200
++++ openssl-1.0.1k/crypto/x509/x509_cmp.c 2015-04-09 18:16:00.616792058 +0200
+@@ -86,6 +86,7 @@ unsigned long X509_issuer_and_serial_has
+ char *f;
+
+ EVP_MD_CTX_init(&ctx);
++ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ f = X509_NAME_oneline(a->cert_info->issuer, NULL, 0);
+ if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL))
+ goto err;
diff --git a/SOURCES/openssl-1.0.2a-no-rpath.patch b/SOURCES/openssl-1.0.2a-no-rpath.patch
new file mode 100644
index 0000000..4aafefd
--- /dev/null
+++ b/SOURCES/openssl-1.0.2a-no-rpath.patch
@@ -0,0 +1,12 @@
+diff -up openssl-1.0.2a/Makefile.shared.no-rpath openssl-1.0.2a/Makefile.shared
+--- openssl-1.0.2a/Makefile.shared.no-rpath 2015-04-09 18:14:39.647921663 +0200
++++ openssl-1.0.2a/Makefile.shared 2015-04-09 18:14:34.423800985 +0200
+@@ -153,7 +153,7 @@ DO_GNU_SO=$(CALC_VERSIONS); \
+ NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
+ SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
+
+-DO_GNU_APP=LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBRPATH)"
++DO_GNU_APP=LDFLAGS="$(CFLAGS)"
+
+ #This is rather special. It's a special target with which one can link
+ #applications without bothering with any features that have anything to
diff --git a/SOURCES/openssl-1.0.2a-padlock64.patch b/SOURCES/openssl-1.0.2a-padlock64.patch
new file mode 100644
index 0000000..19d3958
--- /dev/null
+++ b/SOURCES/openssl-1.0.2a-padlock64.patch
@@ -0,0 +1,198 @@
+diff -up openssl-1.0.2a/engines/e_padlock.c.padlock64 openssl-1.0.2a/engines/e_padlock.c
+--- openssl-1.0.2a/engines/e_padlock.c.padlock64 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/engines/e_padlock.c 2015-04-22 16:23:44.105617468 +0200
+@@ -101,7 +101,10 @@
+ */
+ # undef COMPILE_HW_PADLOCK
+ # if !defined(I386_ONLY) && !defined(OPENSSL_NO_INLINE_ASM)
+-# if (defined(__GNUC__) && (defined(__i386__) || defined(__i386))) || \
++# if (defined(__GNUC__) && __GNUC__>=2 && \
++ (defined(__i386__) || defined(__i386) || \
++ defined(__x86_64__) || defined(__x86_64)) \
++ ) || \
+ (defined(_MSC_VER) && defined(_M_IX86))
+ # define COMPILE_HW_PADLOCK
+ # endif
+@@ -140,7 +143,7 @@ void ENGINE_load_padlock(void)
+ # endif
+ # elif defined(__GNUC__)
+ # ifndef alloca
+-# define alloca(s) __builtin_alloca(s)
++# define alloca(s) __builtin_alloca((s))
+ # endif
+ # endif
+
+@@ -303,6 +306,7 @@ static volatile struct padlock_cipher_da
+ * =======================================================
+ */
+ # if defined(__GNUC__) && __GNUC__>=2
++# if defined(__i386__) || defined(__i386)
+ /*
+ * As for excessive "push %ebx"/"pop %ebx" found all over.
+ * When generating position-independent code GCC won't let
+@@ -379,22 +383,6 @@ static int padlock_available(void)
+ return padlock_use_ace + padlock_use_rng;
+ }
+
+-# ifndef OPENSSL_NO_AES
+-# ifndef AES_ASM
+-/* Our own htonl()/ntohl() */
+-static inline void padlock_bswapl(AES_KEY *ks)
+-{
+- size_t i = sizeof(ks->rd_key) / sizeof(ks->rd_key[0]);
+- unsigned int *key = ks->rd_key;
+-
+- while (i--) {
+- asm volatile ("bswapl %0":"+r" (*key));
+- key++;
+- }
+-}
+-# endif
+-# endif
+-
+ /*
+ * Force key reload from memory to the CPU microcode. Loading EFLAGS from the
+ * stack clears EFLAGS[30] which does the trick.
+@@ -404,7 +392,7 @@ static inline void padlock_reload_key(vo
+ asm volatile ("pushfl; popfl");
+ }
+
+-# ifndef OPENSSL_NO_AES
++# ifndef OPENSSL_NO_AES
+ /*
+ * This is heuristic key context tracing. At first one
+ * believes that one should use atomic swap instructions,
+@@ -448,6 +436,101 @@ static inline void *name(size_t cnt,
+ : "edx", "cc", "memory"); \
+ return iv; \
+ }
++# endif
++
++# elif defined(__x86_64__) || defined(__x86_64)
++
++/* Load supported features of the CPU to see if
++ the PadLock is available. */
++static int padlock_available(void)
++{
++ char vendor_string[16];
++ unsigned int eax, edx;
++
++ /* Are we running on the Centaur (VIA) CPU? */
++ eax = 0x00000000;
++ vendor_string[12] = 0;
++ asm volatile ("cpuid\n"
++ "movl %%ebx,(%1)\n"
++ "movl %%edx,4(%1)\n"
++ "movl %%ecx,8(%1)\n":"+a" (eax):"r"(vendor_string):"rbx",
++ "rcx", "rdx");
++ if (strcmp(vendor_string, "CentaurHauls") != 0)
++ return 0;
++
++ /* Check for Centaur Extended Feature Flags presence */
++ eax = 0xC0000000;
++ asm volatile ("cpuid":"+a" (eax)::"rbx", "rcx", "rdx");
++ if (eax < 0xC0000001)
++ return 0;
++
++ /* Read the Centaur Extended Feature Flags */
++ eax = 0xC0000001;
++ asm volatile ("cpuid":"+a" (eax), "=d"(edx)::"rbx", "rcx");
++
++ /* Fill up some flags */
++ padlock_use_ace = ((edx & (0x3 << 6)) == (0x3 << 6));
++ padlock_use_rng = ((edx & (0x3 << 2)) == (0x3 << 2));
++
++ return padlock_use_ace + padlock_use_rng;
++}
++
++/* Force key reload from memory to the CPU microcode.
++ Loading EFLAGS from the stack clears EFLAGS[30]
++ which does the trick. */
++static inline void padlock_reload_key(void)
++{
++ asm volatile ("pushfq; popfq");
++}
++
++# ifndef OPENSSL_NO_AES
++/*
++ * This is heuristic key context tracing. At first one
++ * believes that one should use atomic swap instructions,
++ * but it's not actually necessary. Point is that if
++ * padlock_saved_context was changed by another thread
++ * after we've read it and before we compare it with cdata,
++ * our key *shall* be reloaded upon thread context switch
++ * and we are therefore set in either case...
++ */
++static inline void padlock_verify_context(struct padlock_cipher_data *cdata)
++{
++ asm volatile ("pushfq\n"
++ " btl $30,(%%rsp)\n"
++ " jnc 1f\n"
++ " cmpq %2,%1\n"
++ " je 1f\n"
++ " popfq\n"
++ " subq $8,%%rsp\n"
++ "1: addq $8,%%rsp\n"
++ " movq %2,%0":"+m" (padlock_saved_context)
++ :"r"(padlock_saved_context), "r"(cdata):"cc");
++}
++
++/* Template for padlock_xcrypt_* modes */
++/* BIG FAT WARNING:
++ * The offsets used with 'leal' instructions
++ * describe items of the 'padlock_cipher_data'
++ * structure.
++ */
++# define PADLOCK_XCRYPT_ASM(name,rep_xcrypt) \
++static inline void *name(size_t cnt, \
++ struct padlock_cipher_data *cdata, \
++ void *out, const void *inp) \
++{ void *iv; \
++ asm volatile ( "leaq 16(%0),%%rdx\n" \
++ " leaq 32(%0),%%rbx\n" \
++ rep_xcrypt "\n" \
++ : "=a"(iv), "=c"(cnt), "=D"(out), "=S"(inp) \
++ : "0"(cdata), "1"(cnt), "2"(out), "3"(inp) \
++ : "rbx", "rdx", "cc", "memory"); \
++ return iv; \
++}
++# endif
++
++# endif /* cpu */
++
++# ifndef OPENSSL_NO_AES
+
+ /* Generate all functions with appropriate opcodes */
+ /* rep xcryptecb */
+@@ -458,6 +541,20 @@ PADLOCK_XCRYPT_ASM(padlock_xcrypt_ecb, "
+ PADLOCK_XCRYPT_ASM(padlock_xcrypt_cfb, ".byte 0xf3,0x0f,0xa7,0xe0")
+ /* rep xcryptofb */
+ PADLOCK_XCRYPT_ASM(padlock_xcrypt_ofb, ".byte 0xf3,0x0f,0xa7,0xe8")
++
++# ifndef AES_ASM
++/* Our own htonl()/ntohl() */
++static inline void padlock_bswapl(AES_KEY *ks)
++{
++ size_t i = sizeof(ks->rd_key) / sizeof(ks->rd_key[0]);
++ unsigned int *key = ks->rd_key;
++
++ while (i--) {
++ asm volatile ("bswapl %0":"+r" (*key));
++ key++;
++ }
++}
++# endif
+ # endif
+ /* The RNG call itself */
+ static inline unsigned int padlock_xstore(void *addr, unsigned int edx_in)
+@@ -485,8 +582,8 @@ static inline unsigned int padlock_xstor
+ static inline unsigned char *padlock_memcpy(void *dst, const void *src,
+ size_t n)
+ {
+- long *d = dst;
+- const long *s = src;
++ size_t *d = dst;
++ const size_t *s = src;
+
+ n /= sizeof(*d);
+ do {
diff --git a/SOURCES/openssl-1.0.2a-readme-warning.patch b/SOURCES/openssl-1.0.2a-readme-warning.patch
new file mode 100644
index 0000000..7069989
--- /dev/null
+++ b/SOURCES/openssl-1.0.2a-readme-warning.patch
@@ -0,0 +1,50 @@
+diff -up openssl-1.0.2a/README.warning openssl-1.0.2a/README
+--- openssl-1.0.2a/README.warning 2015-03-20 16:00:47.000000000 +0100
++++ openssl-1.0.2a/README 2015-03-21 09:06:11.000000000 +0100
+@@ -5,6 +5,46 @@
+ Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
+ All rights reserved.
+
++ WARNING
++ -------
++
++ This version of OpenSSL is built in a way that supports operation in
++ the so called FIPS mode. Note though that the library as we build it
++ is not FIPS 140-2 validated and the FIPS mode is present for testing
++ purposes only.
++
++ This version also contains a few differences from the upstream code
++ some of which are:
++ * The FIPS validation support is significantly different from the
++ upstream FIPS support. For example the FIPS integrity verification
++ check is implemented differently as the FIPS module is built inside
++ the shared library. The HMAC-SHA256 checksums of the whole shared
++ libraries are verified. Also note that the FIPS integrity
++ verification check requires that the libcrypto and libssl shared
++ library files are unmodified which means that it will fail if these
++ files are changed for example by prelink.
++ * If the file /etc/system-fips is present the integrity verification
++ and selftests of the crypto algorithms are run inside the library
++ constructor code.
++ * With the /etc/system-fips present the module respects the kernel
++ FIPS flag /proc/sys/crypto/fips and tries to initialize the FIPS mode
++ if it is set to 1 aborting if the FIPS mode could not be initialized.
++ With the /etc/system-fips present it is also possible to force the
++ OpenSSL library to FIPS mode especially for debugging purposes by
++ setting the environment variable OPENSSL_FORCE_FIPS_MODE.
++ * If the environment variable OPENSSL_NO_DEFAULT_ZLIB is set the module
++ will not automatically load the built in compression method ZLIB
++ when initialized. Applications can still explicitely ask for ZLIB
++ compression method.
++ * The library was patched so the certificates, CRLs and other objects
++ signed with use of MD5 fail verification as the MD5 is too insecure
++ to be used for signatures. If the environment variable
++ OPENSSL_ENABLE_MD5_VERIFY is set, the verification can proceed
++ normally.
++ * If the OPENSSL_ENFORCE_MODULUS_BITS environment variable is set,
++ the library will not allow generation of DSA and RSA keys with
++ other lengths than specified in the FIPS 186-4 standard.
++
+ DESCRIPTION
+ -----------
+
diff --git a/SOURCES/openssl-1.0.2a-rsa-x931.patch b/SOURCES/openssl-1.0.2a-rsa-x931.patch
new file mode 100644
index 0000000..4de716a
--- /dev/null
+++ b/SOURCES/openssl-1.0.2a-rsa-x931.patch
@@ -0,0 +1,35 @@
+diff -up openssl-1.0.2a/apps/genrsa.c.x931 openssl-1.0.2a/apps/genrsa.c
+--- openssl-1.0.2a/apps/genrsa.c.x931 2015-04-09 18:18:24.132107287 +0200
++++ openssl-1.0.2a/apps/genrsa.c 2015-04-09 18:18:18.852985339 +0200
+@@ -97,6 +97,7 @@ int MAIN(int argc, char **argv)
+ int ret = 1;
+ int i, num = DEFBITS;
+ long l;
++ int use_x931 = 0;
+ const EVP_CIPHER *enc = NULL;
+ unsigned long f4 = RSA_F4;
+ char *outfile = NULL;
+@@ -139,6 +140,8 @@ int MAIN(int argc, char **argv)
+ f4 = 3;
+ else if (strcmp(*argv, "-F4") == 0 || strcmp(*argv, "-f4") == 0)
+ f4 = RSA_F4;
++ else if (strcmp(*argv, "-x931") == 0)
++ use_x931 = 1;
+ # ifndef OPENSSL_NO_ENGINE
+ else if (strcmp(*argv, "-engine") == 0) {
+ if (--argc < 1)
+@@ -278,7 +281,13 @@ int MAIN(int argc, char **argv)
+ if (!rsa)
+ goto err;
+
+- if (!BN_set_word(bn, f4) || !RSA_generate_key_ex(rsa, num, bn, &cb))
++ if (use_x931) {
++ if (!BN_set_word(bn, f4))
++ goto err;
++ if (!RSA_X931_generate_key_ex(rsa, num, bn, &cb))
++ goto err;
++ } else if (!BN_set_word(bn, f4)
++ || !RSA_generate_key_ex(rsa, num, bn, &cb))
+ goto err;
+
+ app_RAND_write_file(NULL, bio_err);
diff --git a/SOURCES/openssl-1.0.2a-test-use-localhost.patch b/SOURCES/openssl-1.0.2a-test-use-localhost.patch
new file mode 100644
index 0000000..4510e6e
--- /dev/null
+++ b/SOURCES/openssl-1.0.2a-test-use-localhost.patch
@@ -0,0 +1,21 @@
+diff -up openssl-1.0.2a/ssl/ssltest.c.use-localhost openssl-1.0.2a/ssl/ssltest.c
+--- openssl-1.0.2a/ssl/ssltest.c.use-localhost 2015-04-20 14:43:07.172601663 +0200
++++ openssl-1.0.2a/ssl/ssltest.c 2015-04-20 14:45:02.831299849 +0200
+@@ -1516,16 +1516,7 @@ int main(int argc, char *argv[])
+
+ #ifndef OPENSSL_NO_KRB5
+ if (c_ssl && c_ssl->kssl_ctx) {
+- char localhost[MAXHOSTNAMELEN + 2];
+-
+- if (gethostname(localhost, sizeof localhost - 1) == 0) {
+- localhost[sizeof localhost - 1] = '\0';
+- if (strlen(localhost) == sizeof localhost - 1) {
+- BIO_printf(bio_err, "localhost name too long\n");
+- goto end;
+- }
+- kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER, localhost);
+- }
++ kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER, "localhost");
+ }
+ #endif /* OPENSSL_NO_KRB5 */
+
diff --git a/SOURCES/openssl-1.0.2a-version-add-engines.patch b/SOURCES/openssl-1.0.2a-version-add-engines.patch
new file mode 100644
index 0000000..b7936b3
--- /dev/null
+++ b/SOURCES/openssl-1.0.2a-version-add-engines.patch
@@ -0,0 +1,47 @@
+diff -up openssl-1.0.2a/apps/version.c.version-add-engines openssl-1.0.2a/apps/version.c
+--- openssl-1.0.2a/apps/version.c.version-add-engines 2015-04-09 18:16:42.345756005 +0200
++++ openssl-1.0.2a/apps/version.c 2015-04-09 18:16:36.573622667 +0200
+@@ -131,6 +131,7 @@
+ #ifndef OPENSSL_NO_BF
+ # include <openssl/blowfish.h>
+ #endif
++#include <openssl/engine.h>
+
+ #undef PROG
+ #define PROG version_main
+@@ -140,7 +141,8 @@ int MAIN(int, char **);
+ int MAIN(int argc, char **argv)
+ {
+ int i, ret = 0;
+- int cflags = 0, version = 0, date = 0, options = 0, platform = 0, dir = 0;
++ int cflags = 0, version = 0, date = 0, options = 0, platform = 0, dir =
++ 0, engines = 0;
+
+ apps_startup();
+
+@@ -164,7 +166,7 @@ int MAIN(int argc, char **argv)
+ else if (strcmp(argv[i], "-d") == 0)
+ dir = 1;
+ else if (strcmp(argv[i], "-a") == 0)
+- date = version = cflags = options = platform = dir = 1;
++ date = version = cflags = options = platform = dir = engines = 1;
+ else {
+ BIO_printf(bio_err, "usage:version -[avbofpd]\n");
+ ret = 1;
+@@ -208,6 +210,16 @@ int MAIN(int argc, char **argv)
+ printf("%s\n", SSLeay_version(SSLEAY_CFLAGS));
+ if (dir)
+ printf("%s\n", SSLeay_version(SSLEAY_DIR));
++ if (engines) {
++ ENGINE *e;
++ printf("engines: ");
++ e = ENGINE_get_first();
++ while (e) {
++ printf("%s ", ENGINE_get_id(e));
++ e = ENGINE_get_next(e);
++ }
++ printf("\n");
++ }
+ end:
+ apps_shutdown();
+ OPENSSL_EXIT(ret);
diff --git a/SOURCES/openssl-1.0.2a-version.patch b/SOURCES/openssl-1.0.2a-version.patch
new file mode 100644
index 0000000..25dfff5
--- /dev/null
+++ b/SOURCES/openssl-1.0.2a-version.patch
@@ -0,0 +1,83 @@
+diff -up openssl-1.0.2a/crypto/cversion.c.version openssl-1.0.2a/crypto/cversion.c
+--- openssl-1.0.2a/crypto/cversion.c.version 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/crypto/cversion.c 2015-04-21 16:48:56.285535316 +0200
+@@ -62,7 +62,7 @@
+ # include "buildinf.h"
+ #endif
+
+-const char *SSLeay_version(int t)
++const char *_current_SSLeay_version(int t)
+ {
+ if (t == SSLEAY_VERSION)
+ return OPENSSL_VERSION_TEXT;
+@@ -101,7 +101,40 @@ const char *SSLeay_version(int t)
+ return ("not available");
+ }
+
+-unsigned long SSLeay(void)
++const char *_original_SSLeay_version(int t)
++{
++ if (t == SSLEAY_VERSION)
++ return "OpenSSL 1.0.0-fips 29 Mar 2010";
++ else
++ return _current_SSLeay_version(t);
++}
++
++const char *_original101_SSLeay_version(int t)
++{
++ if (t == SSLEAY_VERSION)
++ return "OpenSSL 1.0.1e-fips 11 Feb 2013";
++ else
++ return _current_SSLeay_version(t);
++}
++
++unsigned long _original_SSLeay(void)
++{
++ return (0x10000003L);
++}
++
++unsigned long _original101_SSLeay(void)
++{
++ return (0x1000105fL);
++}
++
++unsigned long _current_SSLeay(void)
+ {
+ return (SSLEAY_VERSION_NUMBER);
+ }
++
++__asm__(".symver _original_SSLeay,SSLeay@");
++__asm__(".symver _original_SSLeay_version,SSLeay_version@");
++__asm__(".symver _original101_SSLeay,SSLeay@OPENSSL_1.0.1");
++__asm__(".symver _original101_SSLeay_version,SSLeay_version@OPENSSL_1.0.1");
++__asm__(".symver _current_SSLeay,SSLeay@@OPENSSL_1.0.2");
++__asm__(".symver _current_SSLeay_version,SSLeay_version@@OPENSSL_1.0.2");
+diff -up openssl-1.0.2a/Makefile.shared.version openssl-1.0.2a/Makefile.shared
+--- openssl-1.0.2a/Makefile.shared.version 2015-04-21 16:43:02.624170648 +0200
++++ openssl-1.0.2a/Makefile.shared 2015-04-21 16:43:02.676171879 +0200
+@@ -151,7 +151,7 @@ DO_GNU_SO=$(CALC_VERSIONS); \
+ SHLIB_SUFFIX=; \
+ ALLSYMSFLAGS='-Wl,--whole-archive'; \
+ NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
+- SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
++ SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,--default-symver,--version-script=version.map -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
+
+ DO_GNU_APP=LDFLAGS="$(CFLAGS)"
+
+diff -up openssl-1.0.2a/version.map.version openssl-1.0.2a/version.map
+--- openssl-1.0.2a/version.map.version 2015-04-21 16:43:02.676171879 +0200
++++ openssl-1.0.2a/version.map 2015-04-21 16:51:49.621630589 +0200
+@@ -0,0 +1,13 @@
++OPENSSL_1.0.1 {
++ global:
++ SSLeay;
++ SSLeay_version;
++ local:
++ _original*;
++ _current*;
++};
++OPENSSL_1.0.2 {
++ global:
++ SSLeay;
++ SSLeay_version;
++} OPENSSL_1.0.1;
diff --git a/SOURCES/openssl-1.0.2a-x509.patch b/SOURCES/openssl-1.0.2a-x509.patch
new file mode 100644
index 0000000..7c96a57
--- /dev/null
+++ b/SOURCES/openssl-1.0.2a-x509.patch
@@ -0,0 +1,28 @@
+diff -up openssl-1.0.2a/crypto/x509/by_file.c.x509 openssl-1.0.2a/crypto/x509/by_file.c
+--- openssl-1.0.2a/crypto/x509/by_file.c.x509 2015-04-09 18:16:29.365456157 +0200
++++ openssl-1.0.2a/crypto/x509/by_file.c 2015-04-09 18:16:26.398387618 +0200
+@@ -152,9 +152,12 @@ int X509_load_cert_file(X509_LOOKUP *ctx
+ }
+ }
+ i = X509_STORE_add_cert(ctx->store_ctx, x);
+- if (!i)
+- goto err;
+- count++;
++ /* ignore any problems with current certificate
++ and continue with the next one */
++ if (i)
++ count++;
++ else
++ ERR_clear_error();
+ X509_free(x);
+ x = NULL;
+ }
+@@ -167,7 +170,7 @@ int X509_load_cert_file(X509_LOOKUP *ctx
+ }
+ i = X509_STORE_add_cert(ctx->store_ctx, x);
+ if (!i)
+- goto err;
++ ERR_clear_error();
+ ret = i;
+ } else {
+ X509err(X509_F_X509_LOAD_CERT_FILE, X509_R_BAD_X509_FILETYPE);
diff --git a/SOURCES/openssl-1.0.2c-default-paths.patch b/SOURCES/openssl-1.0.2c-default-paths.patch
new file mode 100644
index 0000000..aa607be
--- /dev/null
+++ b/SOURCES/openssl-1.0.2c-default-paths.patch
@@ -0,0 +1,63 @@
+diff -up openssl-1.0.2c/apps/s_server.c.default-paths openssl-1.0.2c/apps/s_server.c
+--- openssl-1.0.2c/apps/s_server.c.default-paths 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/apps/s_server.c 2015-06-15 17:24:17.747446515 +0200
+@@ -1788,12 +1788,16 @@ int MAIN(int argc, char *argv[])
+ }
+ #endif
+
+- if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
+- (!SSL_CTX_set_default_verify_paths(ctx))) {
+- /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
+- ERR_print_errors(bio_err);
+- /* goto end; */
++ if (CAfile == NULL && CApath == NULL) {
++ if (!SSL_CTX_set_default_verify_paths(ctx)) {
++ ERR_print_errors(bio_err);
++ }
++ } else {
++ if (!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) {
++ ERR_print_errors(bio_err);
++ }
+ }
++
+ if (vpm)
+ SSL_CTX_set1_param(ctx, vpm);
+
+@@ -1850,8 +1854,10 @@ int MAIN(int argc, char *argv[])
+ else
+ SSL_CTX_sess_set_cache_size(ctx2, 128);
+
+- if ((!SSL_CTX_load_verify_locations(ctx2, CAfile, CApath)) ||
+- (!SSL_CTX_set_default_verify_paths(ctx2))) {
++ if (!SSL_CTX_load_verify_locations(ctx2, CAfile, CApath)) {
++ ERR_print_errors(bio_err);
++ }
++ if (!SSL_CTX_set_default_verify_paths(ctx2)) {
+ ERR_print_errors(bio_err);
+ }
+ if (vpm)
+diff -up openssl-1.0.2c/apps/s_time.c.default-paths openssl-1.0.2c/apps/s_time.c
+--- openssl-1.0.2c/apps/s_time.c.default-paths 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/apps/s_time.c 2015-06-15 17:24:17.747446515 +0200
+@@ -381,13 +381,14 @@ int MAIN(int argc, char **argv)
+
+ SSL_load_error_strings();
+
+- if ((!SSL_CTX_load_verify_locations(tm_ctx, CAfile, CApath)) ||
+- (!SSL_CTX_set_default_verify_paths(tm_ctx))) {
+- /*
+- * BIO_printf(bio_err,"error setting default verify locations\n");
+- */
+- ERR_print_errors(bio_err);
+- /* goto end; */
++ if (CAfile == NULL && CApath == NULL) {
++ if (!SSL_CTX_set_default_verify_paths(tm_ctx)) {
++ ERR_print_errors(bio_err);
++ }
++ } else {
++ if (!SSL_CTX_load_verify_locations(tm_ctx, CAfile, CApath)) {
++ ERR_print_errors(bio_err);
++ }
+ }
+
+ if (tm_cipher == NULL)
diff --git a/SOURCES/openssl-1.0.2c-ecc-suiteb.patch b/SOURCES/openssl-1.0.2c-ecc-suiteb.patch
new file mode 100644
index 0000000..dfcae76
--- /dev/null
+++ b/SOURCES/openssl-1.0.2c-ecc-suiteb.patch
@@ -0,0 +1,195 @@
+diff -up openssl-1.0.2c/apps/speed.c.suiteb openssl-1.0.2c/apps/speed.c
+--- openssl-1.0.2c/apps/speed.c.suiteb 2015-06-15 17:37:06.285083685 +0200
++++ openssl-1.0.2c/apps/speed.c 2015-06-15 17:37:06.335084836 +0200
+@@ -996,78 +996,26 @@ int MAIN(int argc, char **argv)
+ } else
+ # endif
+ # ifndef OPENSSL_NO_ECDSA
+- if (strcmp(*argv, "ecdsap160") == 0)
+- ecdsa_doit[R_EC_P160] = 2;
+- else if (strcmp(*argv, "ecdsap192") == 0)
+- ecdsa_doit[R_EC_P192] = 2;
+- else if (strcmp(*argv, "ecdsap224") == 0)
+- ecdsa_doit[R_EC_P224] = 2;
+- else if (strcmp(*argv, "ecdsap256") == 0)
++ if (strcmp(*argv, "ecdsap256") == 0)
+ ecdsa_doit[R_EC_P256] = 2;
+ else if (strcmp(*argv, "ecdsap384") == 0)
+ ecdsa_doit[R_EC_P384] = 2;
+ else if (strcmp(*argv, "ecdsap521") == 0)
+ ecdsa_doit[R_EC_P521] = 2;
+- else if (strcmp(*argv, "ecdsak163") == 0)
+- ecdsa_doit[R_EC_K163] = 2;
+- else if (strcmp(*argv, "ecdsak233") == 0)
+- ecdsa_doit[R_EC_K233] = 2;
+- else if (strcmp(*argv, "ecdsak283") == 0)
+- ecdsa_doit[R_EC_K283] = 2;
+- else if (strcmp(*argv, "ecdsak409") == 0)
+- ecdsa_doit[R_EC_K409] = 2;
+- else if (strcmp(*argv, "ecdsak571") == 0)
+- ecdsa_doit[R_EC_K571] = 2;
+- else if (strcmp(*argv, "ecdsab163") == 0)
+- ecdsa_doit[R_EC_B163] = 2;
+- else if (strcmp(*argv, "ecdsab233") == 0)
+- ecdsa_doit[R_EC_B233] = 2;
+- else if (strcmp(*argv, "ecdsab283") == 0)
+- ecdsa_doit[R_EC_B283] = 2;
+- else if (strcmp(*argv, "ecdsab409") == 0)
+- ecdsa_doit[R_EC_B409] = 2;
+- else if (strcmp(*argv, "ecdsab571") == 0)
+- ecdsa_doit[R_EC_B571] = 2;
+ else if (strcmp(*argv, "ecdsa") == 0) {
+- for (i = 0; i < EC_NUM; i++)
++ for (i = R_EC_P256; i <= R_EC_P521; i++)
+ ecdsa_doit[i] = 1;
+ } else
+ # endif
+ # ifndef OPENSSL_NO_ECDH
+- if (strcmp(*argv, "ecdhp160") == 0)
+- ecdh_doit[R_EC_P160] = 2;
+- else if (strcmp(*argv, "ecdhp192") == 0)
+- ecdh_doit[R_EC_P192] = 2;
+- else if (strcmp(*argv, "ecdhp224") == 0)
+- ecdh_doit[R_EC_P224] = 2;
+- else if (strcmp(*argv, "ecdhp256") == 0)
++ if (strcmp(*argv, "ecdhp256") == 0)
+ ecdh_doit[R_EC_P256] = 2;
+ else if (strcmp(*argv, "ecdhp384") == 0)
+ ecdh_doit[R_EC_P384] = 2;
+ else if (strcmp(*argv, "ecdhp521") == 0)
+ ecdh_doit[R_EC_P521] = 2;
+- else if (strcmp(*argv, "ecdhk163") == 0)
+- ecdh_doit[R_EC_K163] = 2;
+- else if (strcmp(*argv, "ecdhk233") == 0)
+- ecdh_doit[R_EC_K233] = 2;
+- else if (strcmp(*argv, "ecdhk283") == 0)
+- ecdh_doit[R_EC_K283] = 2;
+- else if (strcmp(*argv, "ecdhk409") == 0)
+- ecdh_doit[R_EC_K409] = 2;
+- else if (strcmp(*argv, "ecdhk571") == 0)
+- ecdh_doit[R_EC_K571] = 2;
+- else if (strcmp(*argv, "ecdhb163") == 0)
+- ecdh_doit[R_EC_B163] = 2;
+- else if (strcmp(*argv, "ecdhb233") == 0)
+- ecdh_doit[R_EC_B233] = 2;
+- else if (strcmp(*argv, "ecdhb283") == 0)
+- ecdh_doit[R_EC_B283] = 2;
+- else if (strcmp(*argv, "ecdhb409") == 0)
+- ecdh_doit[R_EC_B409] = 2;
+- else if (strcmp(*argv, "ecdhb571") == 0)
+- ecdh_doit[R_EC_B571] = 2;
+ else if (strcmp(*argv, "ecdh") == 0) {
+- for (i = 0; i < EC_NUM; i++)
++ for (i = R_EC_P256; i <= R_EC_P521; i++)
+ ecdh_doit[i] = 1;
+ } else
+ # endif
+@@ -1156,21 +1104,11 @@ int MAIN(int argc, char **argv)
+ BIO_printf(bio_err, "dsa512 dsa1024 dsa2048\n");
+ # endif
+ # ifndef OPENSSL_NO_ECDSA
+- BIO_printf(bio_err, "ecdsap160 ecdsap192 ecdsap224 "
+- "ecdsap256 ecdsap384 ecdsap521\n");
+- BIO_printf(bio_err,
+- "ecdsak163 ecdsak233 ecdsak283 ecdsak409 ecdsak571\n");
+- BIO_printf(bio_err,
+- "ecdsab163 ecdsab233 ecdsab283 ecdsab409 ecdsab571\n");
++ BIO_printf(bio_err, "ecdsap256 ecdsap384 ecdsap521\n");
+ BIO_printf(bio_err, "ecdsa\n");
+ # endif
+ # ifndef OPENSSL_NO_ECDH
+- BIO_printf(bio_err, "ecdhp160 ecdhp192 ecdhp224 "
+- "ecdhp256 ecdhp384 ecdhp521\n");
+- BIO_printf(bio_err,
+- "ecdhk163 ecdhk233 ecdhk283 ecdhk409 ecdhk571\n");
+- BIO_printf(bio_err,
+- "ecdhb163 ecdhb233 ecdhb283 ecdhb409 ecdhb571\n");
++ BIO_printf(bio_err, "ecdhp256 ecdhp384 ecdhp521\n");
+ BIO_printf(bio_err, "ecdh\n");
+ # endif
+
+@@ -1255,11 +1193,11 @@ int MAIN(int argc, char **argv)
+ if (!FIPS_mode() || i != R_DSA_512)
+ dsa_doit[i] = 1;
+ # ifndef OPENSSL_NO_ECDSA
+- for (i = 0; i < EC_NUM; i++)
++ for (i = R_EC_P256; i <= R_EC_P521; i++)
+ ecdsa_doit[i] = 1;
+ # endif
+ # ifndef OPENSSL_NO_ECDH
+- for (i = 0; i < EC_NUM; i++)
++ for (i = R_EC_P256; i <= R_EC_P521; i++)
+ ecdh_doit[i] = 1;
+ # endif
+ }
+diff -up openssl-1.0.2c/ssl/t1_lib.c.suiteb openssl-1.0.2c/ssl/t1_lib.c
+--- openssl-1.0.2c/ssl/t1_lib.c.suiteb 2015-06-12 16:51:27.000000000 +0200
++++ openssl-1.0.2c/ssl/t1_lib.c 2015-06-15 17:44:03.578681271 +0200
+@@ -268,11 +268,7 @@ static const unsigned char eccurves_auto
+ 0, 23, /* secp256r1 (23) */
+ /* Other >= 256-bit prime curves. */
+ 0, 25, /* secp521r1 (25) */
+- 0, 28, /* brainpool512r1 (28) */
+- 0, 27, /* brainpoolP384r1 (27) */
+ 0, 24, /* secp384r1 (24) */
+- 0, 26, /* brainpoolP256r1 (26) */
+- 0, 22, /* secp256k1 (22) */
+ # ifndef OPENSSL_NO_EC2M
+ /* >= 256-bit binary curves. */
+ 0, 14, /* sect571r1 (14) */
+@@ -289,11 +285,7 @@ static const unsigned char eccurves_all[
+ 0, 23, /* secp256r1 (23) */
+ /* Other >= 256-bit prime curves. */
+ 0, 25, /* secp521r1 (25) */
+- 0, 28, /* brainpool512r1 (28) */
+- 0, 27, /* brainpoolP384r1 (27) */
+ 0, 24, /* secp384r1 (24) */
+- 0, 26, /* brainpoolP256r1 (26) */
+- 0, 22, /* secp256k1 (22) */
+ # ifndef OPENSSL_NO_EC2M
+ /* >= 256-bit binary curves. */
+ 0, 14, /* sect571r1 (14) */
+@@ -307,13 +299,6 @@ static const unsigned char eccurves_all[
+ * Remaining curves disabled by default but still permitted if set
+ * via an explicit callback or parameters.
+ */
+- 0, 20, /* secp224k1 (20) */
+- 0, 21, /* secp224r1 (21) */
+- 0, 18, /* secp192k1 (18) */
+- 0, 19, /* secp192r1 (19) */
+- 0, 15, /* secp160k1 (15) */
+- 0, 16, /* secp160r1 (16) */
+- 0, 17, /* secp160r2 (17) */
+ # ifndef OPENSSL_NO_EC2M
+ 0, 8, /* sect239k1 (8) */
+ 0, 6, /* sect233k1 (6) */
+@@ -348,29 +333,21 @@ static const unsigned char fips_curves_d
+ 0, 9, /* sect283k1 (9) */
+ 0, 10, /* sect283r1 (10) */
+ # endif
+- 0, 22, /* secp256k1 (22) */
+ 0, 23, /* secp256r1 (23) */
+ # ifndef OPENSSL_NO_EC2M
+ 0, 8, /* sect239k1 (8) */
+ 0, 6, /* sect233k1 (6) */
+ 0, 7, /* sect233r1 (7) */
+ # endif
+- 0, 20, /* secp224k1 (20) */
+- 0, 21, /* secp224r1 (21) */
+ # ifndef OPENSSL_NO_EC2M
+ 0, 4, /* sect193r1 (4) */
+ 0, 5, /* sect193r2 (5) */
+ # endif
+- 0, 18, /* secp192k1 (18) */
+- 0, 19, /* secp192r1 (19) */
+ # ifndef OPENSSL_NO_EC2M
+ 0, 1, /* sect163k1 (1) */
+ 0, 2, /* sect163r1 (2) */
+ 0, 3, /* sect163r2 (3) */
+ # endif
+- 0, 15, /* secp160k1 (15) */
+- 0, 16, /* secp160r1 (16) */
+- 0, 17, /* secp160r2 (17) */
+ };
+ # endif
+
diff --git a/SOURCES/openssl-1.0.2d-secp256k1.patch b/SOURCES/openssl-1.0.2d-secp256k1.patch
new file mode 100644
index 0000000..4c94133
--- /dev/null
+++ b/SOURCES/openssl-1.0.2d-secp256k1.patch
@@ -0,0 +1,82 @@
+diff -up openssl-1.0.2d/crypto/ec/ec_curve.c.secp256k1 openssl-1.0.2d/crypto/ec/ec_curve.c
+--- openssl-1.0.2d/crypto/ec/ec_curve.c.secp256k1 2015-08-12 14:55:15.203415420 -0400
++++ openssl-1.0.2d/crypto/ec/ec_curve.c 2015-08-12 15:07:12.659113262 -0400
+@@ -86,6 +86,42 @@ typedef struct {
+ unsigned int cofactor; /* promoted to BN_ULONG */
+ } EC_CURVE_DATA;
+
++static const struct {
++ EC_CURVE_DATA h;
++ unsigned char data[0 + 32 * 6];
++} _EC_SECG_PRIME_256K1 = {
++ {
++ NID_X9_62_prime_field, 0, 32, 1
++ },
++ {
++ /* no seed */
++ /* p */
++ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
++ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
++ 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F,
++ /* a */
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ /* b */
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07,
++ /* x */
++ 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95,
++ 0xCE, 0x87, 0x0B, 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9,
++ 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17, 0x98,
++ /* y */
++ 0x48, 0x3a, 0xda, 0x77, 0x26, 0xa3, 0xc4, 0x65, 0x5d, 0xa4, 0xfb, 0xfc,
++ 0x0e, 0x11, 0x08, 0xa8, 0xfd, 0x17, 0xb4, 0x48, 0xa6, 0x85, 0x54, 0x19,
++ 0x9c, 0x47, 0xd0, 0x8f, 0xfb, 0x10, 0xd4, 0xb8,
++ /* order */
++ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
++ 0xFF, 0xFF, 0xFF, 0xFE, 0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B,
++ 0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x41
++ }
++};
++
+ /* the nist prime curves */
+ static const struct {
+ EC_CURVE_DATA h;
+@@ -235,6 +271,8 @@ typedef struct _ec_list_element_st {
+ static const ec_list_element curve_list[] = {
+ /* prime field curves */
+ /* secg curves */
++ {NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0,
++ "SECG curve over a 256 bit prime field"},
+ /* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
+ {NID_secp384r1, &_EC_NIST_PRIME_384.h, 0,
+ "NIST/SECG curve over a 384 bit prime field"},
+diff -up openssl-1.0.2d/ssl/t1_lib.c.secp256k1 openssl-1.0.2d/ssl/t1_lib.c
+--- openssl-1.0.2d/ssl/t1_lib.c.secp256k1 2015-08-12 15:04:42.876925441 -0400
++++ openssl-1.0.2d/ssl/t1_lib.c 2015-08-12 15:04:47.837699822 -0400
+@@ -269,6 +269,7 @@ static const unsigned char eccurves_auto
+ /* Other >= 256-bit prime curves. */
+ 0, 25, /* secp521r1 (25) */
+ 0, 24, /* secp384r1 (24) */
++ 0, 22, /* secp256k1 (22) */
+ # ifndef OPENSSL_NO_EC2M
+ /* >= 256-bit binary curves. */
+ 0, 14, /* sect571r1 (14) */
+@@ -286,6 +287,7 @@ static const unsigned char eccurves_all[
+ /* Other >= 256-bit prime curves. */
+ 0, 25, /* secp521r1 (25) */
+ 0, 24, /* secp384r1 (24) */
++ 0, 22, /* secp256k1 (22) */
+ # ifndef OPENSSL_NO_EC2M
+ /* >= 256-bit binary curves. */
+ 0, 14, /* sect571r1 (14) */
+@@ -333,6 +335,7 @@ static const unsigned char fips_curves_d
+ 0, 9, /* sect283k1 (9) */
+ 0, 10, /* sect283r1 (10) */
+ # endif
++ 0, 22, /* secp256k1 (22) */
+ 0, 23, /* secp256r1 (23) */
+ # ifndef OPENSSL_NO_EC2M
+ 0, 8, /* sect239k1 (8) */
diff --git a/SOURCES/openssl-1.0.2e-remove-nistp224.patch b/SOURCES/openssl-1.0.2e-remove-nistp224.patch
new file mode 100644
index 0000000..22b99c1
--- /dev/null
+++ b/SOURCES/openssl-1.0.2e-remove-nistp224.patch
@@ -0,0 +1,15 @@
+diff -up openssl-1.0.2e/crypto/ec/ec.h.nistp224 openssl-1.0.2e/crypto/ec/ec.h
+--- openssl-1.0.2e/crypto/ec/ec.h.nistp224 2015-12-04 14:00:57.000000000 +0100
++++ openssl-1.0.2e/crypto/ec/ec.h 2015-12-08 15:51:37.046747916 +0100
+@@ -149,11 +149,6 @@ const EC_METHOD *EC_GFp_mont_method(void
+ const EC_METHOD *EC_GFp_nist_method(void);
+
+ # ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
+-/** Returns 64-bit optimized methods for nistp224
+- * \return EC_METHOD object
+- */
+-const EC_METHOD *EC_GFp_nistp224_method(void);
+-
+ /** Returns 64-bit optimized methods for nistp256
+ * \return EC_METHOD object
+ */
diff --git a/SOURCES/openssl-1.0.2e-rpmbuild.patch b/SOURCES/openssl-1.0.2e-rpmbuild.patch
new file mode 100644
index 0000000..db1460c
--- /dev/null
+++ b/SOURCES/openssl-1.0.2e-rpmbuild.patch
@@ -0,0 +1,115 @@
+diff -up openssl-1.0.2e/Configure.rpmbuild openssl-1.0.2e/Configure
+--- openssl-1.0.2e/Configure.rpmbuild 2015-12-03 15:04:23.000000000 +0100
++++ openssl-1.0.2e/Configure 2015-12-04 13:20:22.996835604 +0100
+@@ -365,8 +365,8 @@ my %table=(
+ ####
+ # *-generic* is endian-neutral target, but ./config is free to
+ # throw in -D[BL]_ENDIAN, whichever appropriate...
+-"linux-generic32","gcc:-O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-ppc", "gcc:-DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-generic32","gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
++"linux-ppc", "gcc:-DB_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+
+ #######################################################################
+ # Note that -march is not among compiler options in below linux-armv4
+@@ -395,31 +395,31 @@ my %table=(
+ #
+ # ./Configure linux-armv4 -march=armv6 -D__ARM_MAX_ARCH__=8
+ #
+-"linux-armv4", "gcc: -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-aarch64","gcc: -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-armv4", "gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
++"linux-aarch64","gcc:-DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
+ # Configure script adds minimally required -march for assembly support,
+ # if no -march was specified at command line. mips32 and mips64 below
+ # refer to contemporary MIPS Architecture specifications, MIPS32 and
+ # MIPS64, rather than to kernel bitness.
+-"linux-mips32", "gcc:-mabi=32 -O3 -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-mips64", "gcc:-mabi=n32 -O3 -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:n32:dlfcn:linux-shared:-fPIC:-mabi=n32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::32",
+-"linux64-mips64", "gcc:-mabi=64 -O3 -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:64:dlfcn:linux-shared:-fPIC:-mabi=64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
++"linux-mips32", "gcc:-mabi=32 -Wall \$(RPM_OPT_FLAGS) -DBN_DIV3W::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
++"linux-mips64", "gcc:-mabi=n32 -Wall \$(RPM_OPT_FLAGS) -DBN_DIV3W::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:n32:dlfcn:linux-shared:-fPIC:-mabi=n32 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::32",
++"linux64-mips64", "gcc:-mabi=64 -Wall \$(RPM_OPT_FLAGS) -DBN_DIV3W::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:64:dlfcn:linux-shared:-fPIC:-mabi=64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
+ #### IA-32 targets...
+ "linux-ia32-icc", "icc:-DL_ENDIAN -O2::-D_REENTRANT::-ldl -no_cpprt:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-elf", "gcc:-DL_ENDIAN -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-elf", "gcc:-DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+ "linux-aout", "gcc:-DL_ENDIAN -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out",
+ ####
+-"linux-generic64","gcc:-O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-ppc64", "gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+-"linux-ppc64le","gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:$ppc64_asm:linux64le:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::",
+-"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-generic64","gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
++"linux-ppc64", "gcc:-m64 -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
++"linux-ppc64le","gcc:-m64 -DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:$ppc64_asm:linux64le:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
++"linux-ia64", "gcc:-DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+ "linux-ia64-icc","icc:-DL_ENDIAN -O2 -Wall::-D_REENTRANT::-ldl -no_cpprt:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-x86_64", "gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
++"linux-x86_64", "gcc:-m64 -DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
+ "linux-x86_64-clang", "clang: -m64 -DL_ENDIAN -O3 -Wall -Wextra $clang_disabled_warnings -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+ "debug-linux-x86_64-clang", "clang: -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -m64 -DL_ENDIAN -g -Wall -Wextra $clang_disabled_warnings -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+ "linux-x86_64-icc", "icc:-DL_ENDIAN -O2::-D_REENTRANT::-ldl -no_cpprt:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+ "linux-x32", "gcc:-mx32 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-mx32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::x32",
+-"linux64-s390x", "gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
++"linux64-s390x", "gcc:-m64 -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
+ #### So called "highgprs" target for z/Architecture CPUs
+ # "Highgprs" is kernel feature first implemented in Linux 2.6.32, see
+ # /proc/cpuinfo. The idea is to preserve most significant bits of
+@@ -437,12 +437,12 @@ my %table=(
+ #### SPARC Linux setups
+ # Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently
+ # assisted with debugging of following two configs.
+-"linux-sparcv8","gcc:-mcpu=v8 -DB_ENDIAN -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-sparcv8","gcc:-mcpu=v8 -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS) -DBN_DIV2W::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+ # it's a real mess with -mcpu=ultrasparc option under Linux, but
+ # -Wa,-Av8plus should do the trick no matter what.
+-"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS) -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m32 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+ # GCC 3.1 is a requirement
+-"linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
++"linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT:ULTRASPARC:-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
+ #### Alpha Linux with GNU C and Compaq C setups
+ # Special notes:
+ # - linux-alpha+bwx-gcc is ment to be used from ./config only. If you
+@@ -1767,7 +1767,7 @@ while (<IN>)
+ elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
+ {
+ my $sotmp = $1;
+- s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/;
++ s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_SONAMEVER) .s$sotmp/;
+ }
+ elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/)
+ {
+diff -up openssl-1.0.2e/Makefile.org.rpmbuild openssl-1.0.2e/Makefile.org
+--- openssl-1.0.2e/Makefile.org.rpmbuild 2015-12-03 15:04:23.000000000 +0100
++++ openssl-1.0.2e/Makefile.org 2015-12-04 13:18:44.913538616 +0100
+@@ -10,6 +10,7 @@ SHLIB_VERSION_HISTORY=
+ SHLIB_MAJOR=
+ SHLIB_MINOR=
+ SHLIB_EXT=
++SHLIB_SONAMEVER=10
+ PLATFORM=dist
+ OPTIONS=
+ CONFIGURE_ARGS=
+@@ -341,10 +342,9 @@ clean-shared:
+ link-shared:
+ @ set -e; for i in $(SHLIBDIRS); do \
+ $(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \
+- LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
++ LIBNAME=$$i LIBVERSION=$(SHLIB_SONAMEVER) \
+ LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
+ symlink.$(SHLIB_TARGET); \
+- libs="$$libs -l$$i"; \
+ done
+
+ build-shared: do_$(SHLIB_TARGET) link-shared
+@@ -355,7 +355,7 @@ do_$(SHLIB_TARGET):
+ libs="$(LIBKRB5) $$libs"; \
+ fi; \
+ $(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \
+- LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
++ LIBNAME=$$i LIBVERSION=$(SHLIB_SONAMEVER) \
+ LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
+ LIBDEPS="$$libs $(EX_LIBS)" \
+ link_a.$(SHLIB_TARGET); \
diff --git a/SOURCES/openssl-1.0.2e-speed-doc.patch b/SOURCES/openssl-1.0.2e-speed-doc.patch
new file mode 100644
index 0000000..8e3d95b
--- /dev/null
+++ b/SOURCES/openssl-1.0.2e-speed-doc.patch
@@ -0,0 +1,58 @@
+diff -up openssl-1.0.2e/apps/speed.c.speed-doc openssl-1.0.2e/apps/speed.c
+--- openssl-1.0.2e/apps/speed.c.speed-doc 2015-12-04 14:00:58.000000000 +0100
++++ openssl-1.0.2e/apps/speed.c 2016-01-15 14:15:56.482343557 +0100
+@@ -648,10 +648,6 @@ int MAIN(int argc, char **argv)
+ # endif
+ int multiblock = 0;
+
+-# ifndef TIMES
+- usertime = -1;
+-# endif
+-
+ apps_startup();
+ memset(results, 0, sizeof(results));
+ # ifndef OPENSSL_NO_DSA
+@@ -1145,10 +1141,8 @@ int MAIN(int argc, char **argv)
+
+ BIO_printf(bio_err, "\n");
+ BIO_printf(bio_err, "Available options:\n");
+-# if defined(TIMES) || defined(USE_TOD)
+ BIO_printf(bio_err, "-elapsed "
+ "measure time in real time instead of CPU user time.\n");
+-# endif
+ # ifndef OPENSSL_NO_ENGINE
+ BIO_printf(bio_err,
+ "-engine e "
+diff -up openssl-1.0.2e/doc/apps/speed.pod.speed-doc openssl-1.0.2e/doc/apps/speed.pod
+--- openssl-1.0.2e/doc/apps/speed.pod.speed-doc 2015-12-03 14:42:07.000000000 +0100
++++ openssl-1.0.2e/doc/apps/speed.pod 2016-01-15 14:05:23.044222376 +0100
+@@ -8,6 +8,9 @@ speed - test library performance
+
+ B<openssl speed>
+ [B<-engine id>]
++[B<-elapsed>]
++[B<-evp algo>]
++[B<-decrypt>]
+ [B<md2>]
+ [B<mdc2>]
+ [B<md5>]
+@@ -49,6 +52,19 @@ to attempt to obtain a functional refere
+ thus initialising it if needed. The engine will then be set as the default
+ for all available algorithms.
+
++=item B<-elapsed>
++
++Measure time in real time instead of CPU time. It can be useful when testing
++speed of hardware engines.
++
++=item B<-evp algo>
++
++Use the specified cipher or message digest algorithm via the EVP interface.
++
++=item B<-decrypt>
++
++Time the decryption instead of encryption. Affects only the EVP testing.
++
+ =item B<[zero or more test algorithms]>
+
+ If any options are given, B<speed> tests those algorithms, otherwise all of
diff --git a/SOURCES/openssl-1.0.2e-wrap-pad.patch b/SOURCES/openssl-1.0.2e-wrap-pad.patch
new file mode 100644
index 0000000..fad043c
--- /dev/null
+++ b/SOURCES/openssl-1.0.2e-wrap-pad.patch
@@ -0,0 +1,541 @@
+diff -up openssl-1.0.2e/crypto/evp/c_allc.c.wrap openssl-1.0.2e/crypto/evp/c_allc.c
+--- openssl-1.0.2e/crypto/evp/c_allc.c.wrap 2015-12-04 13:33:42.118550036 +0100
++++ openssl-1.0.2e/crypto/evp/c_allc.c 2015-12-04 13:33:42.190551722 +0100
+@@ -179,6 +179,7 @@ void OpenSSL_add_all_ciphers(void)
+ EVP_add_cipher(EVP_aes_128_xts());
+ EVP_add_cipher(EVP_aes_128_ccm());
+ EVP_add_cipher(EVP_aes_128_wrap());
++ EVP_add_cipher(EVP_aes_128_wrap_pad());
+ EVP_add_cipher_alias(SN_aes_128_cbc, "AES128");
+ EVP_add_cipher_alias(SN_aes_128_cbc, "aes128");
+ EVP_add_cipher(EVP_aes_192_ecb());
+@@ -191,6 +192,7 @@ void OpenSSL_add_all_ciphers(void)
+ EVP_add_cipher(EVP_aes_192_gcm());
+ EVP_add_cipher(EVP_aes_192_ccm());
+ EVP_add_cipher(EVP_aes_192_wrap());
++ EVP_add_cipher(EVP_aes_192_wrap_pad());
+ EVP_add_cipher_alias(SN_aes_192_cbc, "AES192");
+ EVP_add_cipher_alias(SN_aes_192_cbc, "aes192");
+ EVP_add_cipher(EVP_aes_256_ecb());
+@@ -204,6 +206,7 @@ void OpenSSL_add_all_ciphers(void)
+ EVP_add_cipher(EVP_aes_256_xts());
+ EVP_add_cipher(EVP_aes_256_ccm());
+ EVP_add_cipher(EVP_aes_256_wrap());
++ EVP_add_cipher(EVP_aes_256_wrap_pad());
+ EVP_add_cipher_alias(SN_aes_256_cbc, "AES256");
+ EVP_add_cipher_alias(SN_aes_256_cbc, "aes256");
+ # if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
+@@ -258,6 +261,7 @@ void OpenSSL_add_all_ciphers(void)
+
+ EVP_add_cipher(EVP_des_ede());
+ EVP_add_cipher(EVP_des_ede3());
++ EVP_add_cipher(EVP_des_ede3_wrap());
+ # endif
+
+ # ifndef OPENSSL_NO_AES
+@@ -272,6 +276,7 @@ void OpenSSL_add_all_ciphers(void)
+ EVP_add_cipher(EVP_aes_128_xts());
+ EVP_add_cipher(EVP_aes_128_ccm());
+ EVP_add_cipher(EVP_aes_128_wrap());
++ EVP_add_cipher(EVP_aes_128_wrap_pad());
+ EVP_add_cipher_alias(SN_aes_128_cbc, "AES128");
+ EVP_add_cipher_alias(SN_aes_128_cbc, "aes128");
+ EVP_add_cipher(EVP_aes_192_ecb());
+@@ -284,6 +289,7 @@ void OpenSSL_add_all_ciphers(void)
+ EVP_add_cipher(EVP_aes_192_gcm());
+ EVP_add_cipher(EVP_aes_192_ccm());
+ EVP_add_cipher(EVP_aes_192_wrap());
++ EVP_add_cipher(EVP_aes_192_wrap_pad());
+ EVP_add_cipher_alias(SN_aes_192_cbc, "AES192");
+ EVP_add_cipher_alias(SN_aes_192_cbc, "aes192");
+ EVP_add_cipher(EVP_aes_256_ecb());
+@@ -297,6 +303,7 @@ void OpenSSL_add_all_ciphers(void)
+ EVP_add_cipher(EVP_aes_256_xts());
+ EVP_add_cipher(EVP_aes_256_ccm());
+ EVP_add_cipher(EVP_aes_256_wrap());
++ EVP_add_cipher(EVP_aes_256_wrap_pad());
+ EVP_add_cipher_alias(SN_aes_256_cbc, "AES256");
+ EVP_add_cipher_alias(SN_aes_256_cbc, "aes256");
+ # endif
+diff -up openssl-1.0.2e/crypto/evp/e_aes.c.wrap openssl-1.0.2e/crypto/evp/e_aes.c
+--- openssl-1.0.2e/crypto/evp/e_aes.c.wrap 2015-12-04 13:33:42.119550059 +0100
++++ openssl-1.0.2e/crypto/evp/e_aes.c 2015-12-04 13:33:42.190551722 +0100
+@@ -1,5 +1,5 @@
+ /* ====================================================================
+- * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved.
++ * Copyright (c) 2001-2014 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+@@ -1953,7 +1953,7 @@ static int aes_wrap_init_key(EVP_CIPHER_
+ wctx->iv = NULL;
+ }
+ if (iv) {
+- memcpy(ctx->iv, iv, 8);
++ memcpy(ctx->iv, iv, EVP_CIPHER_CTX_iv_length(ctx));
+ wctx->iv = ctx->iv;
+ }
+ return 1;
+@@ -1964,30 +1964,57 @@ static int aes_wrap_cipher(EVP_CIPHER_CT
+ {
+ EVP_AES_WRAP_CTX *wctx = ctx->cipher_data;
+ size_t rv;
++ /* AES wrap with padding has IV length of 4, without padding 8 */
++ int pad = EVP_CIPHER_CTX_iv_length(ctx) == 4;
++ /* No final operation so always return zero length */
+ if (!in)
+ return 0;
+- if (inlen % 8)
++ /* Input length must always be non-zero */
++ if (!inlen)
+ return -1;
+- if (ctx->encrypt && inlen < 8)
++ /* If decrypting need at least 16 bytes and multiple of 8 */
++ if (!ctx->encrypt && (inlen < 16 || inlen & 0x7))
+ return -1;
+- if (!ctx->encrypt && inlen < 16)
++ /* If not padding input must be multiple of 8 */
++ if (!pad && inlen & 0x7)
+ return -1;
+ if (!out) {
+- if (ctx->encrypt)
++ if (ctx->encrypt) {
++ /* If padding round up to multiple of 8 */
++ if (pad)
++ inlen = (inlen + 7) / 8 * 8;
++ /* 8 byte prefix */
+ return inlen + 8;
+- else
++ } else {
++ /* If not padding output will be exactly 8 bytes
++ * smaller than input. If padding it will be at
++ * least 8 bytes smaller but we don't know how
++ * much.
++ */
+ return inlen - 8;
+ }
++ }
++ if (pad) {
+ if (ctx->encrypt)
+- rv = CRYPTO_128_wrap(&wctx->ks.ks, wctx->iv, out, in, inlen,
++ rv = CRYPTO_128_wrap_pad(&wctx->ks.ks, wctx->iv,
++ out, in, inlen,
+ (block128_f) AES_encrypt);
+ else
+- rv = CRYPTO_128_unwrap(&wctx->ks.ks, wctx->iv, out, in, inlen,
++ rv = CRYPTO_128_unwrap_pad(&wctx->ks.ks, wctx->iv,
++ out, in, inlen,
+ (block128_f) AES_decrypt);
++ } else {
++ if (ctx->encrypt)
++ rv = CRYPTO_128_wrap(&wctx->ks.ks, wctx->iv,
++ out, in, inlen, (block128_f) AES_encrypt);
++ else
++ rv = CRYPTO_128_unwrap(&wctx->ks.ks, wctx->iv,
++ out, in, inlen, (block128_f) AES_decrypt);
++ }
+ return rv ? (int)rv : -1;
+ }
+
+-#define WRAP_FLAGS (EVP_CIPH_WRAP_MODE \
++# define WRAP_FLAGS (EVP_CIPH_WRAP_MODE | EVP_CIPH_FLAG_FIPS \
+ | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
+ | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1)
+
+@@ -2032,3 +2059,45 @@ const EVP_CIPHER *EVP_aes_256_wrap(void)
+ {
+ return &aes_256_wrap;
+ }
++
++static const EVP_CIPHER aes_128_wrap_pad = {
++ NID_id_aes128_wrap_pad,
++ 8, 16, 4, WRAP_FLAGS,
++ aes_wrap_init_key, aes_wrap_cipher,
++ NULL,
++ sizeof(EVP_AES_WRAP_CTX),
++ NULL, NULL, NULL, NULL
++};
++
++const EVP_CIPHER *EVP_aes_128_wrap_pad(void)
++{
++ return &aes_128_wrap_pad;
++}
++
++static const EVP_CIPHER aes_192_wrap_pad = {
++ NID_id_aes192_wrap_pad,
++ 8, 24, 4, WRAP_FLAGS,
++ aes_wrap_init_key, aes_wrap_cipher,
++ NULL,
++ sizeof(EVP_AES_WRAP_CTX),
++ NULL, NULL, NULL, NULL
++};
++
++const EVP_CIPHER *EVP_aes_192_wrap_pad(void)
++{
++ return &aes_192_wrap_pad;
++}
++
++static const EVP_CIPHER aes_256_wrap_pad = {
++ NID_id_aes256_wrap_pad,
++ 8, 32, 4, WRAP_FLAGS,
++ aes_wrap_init_key, aes_wrap_cipher,
++ NULL,
++ sizeof(EVP_AES_WRAP_CTX),
++ NULL, NULL, NULL, NULL
++};
++
++const EVP_CIPHER *EVP_aes_256_wrap_pad(void)
++{
++ return &aes_256_wrap_pad;
++}
+diff -up openssl-1.0.2e/crypto/evp/e_des3.c.wrap openssl-1.0.2e/crypto/evp/e_des3.c
+--- openssl-1.0.2e/crypto/evp/e_des3.c.wrap 2015-12-04 13:33:42.119550059 +0100
++++ openssl-1.0.2e/crypto/evp/e_des3.c 2015-12-04 13:33:42.191551745 +0100
+@@ -474,7 +474,7 @@ static const EVP_CIPHER des3_wrap = {
+ NID_id_smime_alg_CMS3DESwrap,
+ 8, 24, 0,
+ EVP_CIPH_WRAP_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER
+- | EVP_CIPH_FLAG_DEFAULT_ASN1,
++ | EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_FLAG_FIPS,
+ des_ede3_init_key, des_ede3_wrap_cipher,
+ NULL,
+ sizeof(DES_EDE_KEY),
+diff -up openssl-1.0.2e/crypto/evp/evp.h.wrap openssl-1.0.2e/crypto/evp/evp.h
+--- openssl-1.0.2e/crypto/evp/evp.h.wrap 2015-12-04 13:33:42.120550083 +0100
++++ openssl-1.0.2e/crypto/evp/evp.h 2015-12-04 13:33:42.191551745 +0100
+@@ -834,6 +834,7 @@ const EVP_CIPHER *EVP_aes_128_ccm(void);
+ const EVP_CIPHER *EVP_aes_128_gcm(void);
+ const EVP_CIPHER *EVP_aes_128_xts(void);
+ const EVP_CIPHER *EVP_aes_128_wrap(void);
++const EVP_CIPHER *EVP_aes_128_wrap_pad(void);
+ const EVP_CIPHER *EVP_aes_192_ecb(void);
+ const EVP_CIPHER *EVP_aes_192_cbc(void);
+ const EVP_CIPHER *EVP_aes_192_cfb1(void);
+@@ -845,6 +846,7 @@ const EVP_CIPHER *EVP_aes_192_ctr(void);
+ const EVP_CIPHER *EVP_aes_192_ccm(void);
+ const EVP_CIPHER *EVP_aes_192_gcm(void);
+ const EVP_CIPHER *EVP_aes_192_wrap(void);
++const EVP_CIPHER *EVP_aes_192_wrap_pad(void);
+ const EVP_CIPHER *EVP_aes_256_ecb(void);
+ const EVP_CIPHER *EVP_aes_256_cbc(void);
+ const EVP_CIPHER *EVP_aes_256_cfb1(void);
+@@ -857,6 +859,7 @@ const EVP_CIPHER *EVP_aes_256_ccm(void);
+ const EVP_CIPHER *EVP_aes_256_gcm(void);
+ const EVP_CIPHER *EVP_aes_256_xts(void);
+ const EVP_CIPHER *EVP_aes_256_wrap(void);
++const EVP_CIPHER *EVP_aes_256_wrap_pad(void);
+ # if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
+ const EVP_CIPHER *EVP_aes_128_cbc_hmac_sha1(void);
+ const EVP_CIPHER *EVP_aes_256_cbc_hmac_sha1(void);
+diff -up openssl-1.0.2e/crypto/evp/evptests.txt.wrap openssl-1.0.2e/crypto/evp/evptests.txt
+--- openssl-1.0.2e/crypto/evp/evptests.txt.wrap 2015-12-03 15:04:23.000000000 +0100
++++ openssl-1.0.2e/crypto/evp/evptests.txt 2015-12-04 13:33:42.191551745 +0100
+@@ -399,3 +399,7 @@ id-aes256-wrap:000102030405060708090A0B0
+ id-aes192-wrap:000102030405060708090A0B0C0D0E0F1011121314151617::00112233445566778899AABBCCDDEEFF0001020304050607:031D33264E15D33268F24EC260743EDCE1C6C7DDEE725A936BA814915C6762D2
+ id-aes256-wrap:000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F::00112233445566778899AABBCCDDEEFF0001020304050607:A8F9BC1612C68B3FF6E6F4FBE30E71E4769C8B80A32CB8958CD5D17D6B254DA1
+ id-aes256-wrap:000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F::00112233445566778899AABBCCDDEEFF000102030405060708090A0B0C0D0E0F:28C9F404C4B810F4CBCCB35CFB87F8263F5786E2D80ED326CBC7F0E71A99F43BFB988B9B7A02DD21
++# AES wrap tests from RFC5649
++id-aes192-wrap-pad:5840df6e29b02af1ab493b705bf16ea1ae8338f4dcc176a8::c37b7e6492584340bed12207808941155068f738:138bdeaa9b8fa7fc61f97742e72248ee5ae6ae5360d1ae6a5f54f373fa543b6a
++id-aes192-wrap-pad:5840df6e29b02af1ab493b705bf16ea1ae8338f4dcc176a8::466f7250617369:afbeb0f07dfbf5419200f2ccb50bb24f
++
+diff -up openssl-1.0.2e/crypto/modes/modes.h.wrap openssl-1.0.2e/crypto/modes/modes.h
+--- openssl-1.0.2e/crypto/modes/modes.h.wrap 2015-12-04 13:33:41.770541886 +0100
++++ openssl-1.0.2e/crypto/modes/modes.h 2015-12-04 13:33:42.191551745 +0100
+@@ -157,6 +157,12 @@ size_t CRYPTO_128_unwrap(void *key, cons
+ unsigned char *out,
+ const unsigned char *in, size_t inlen,
+ block128_f block);
++size_t CRYPTO_128_wrap_pad(void *key, const unsigned char *icv,
++ unsigned char *out, const unsigned char *in,
++ size_t inlen, block128_f block);
++size_t CRYPTO_128_unwrap_pad(void *key, const unsigned char *icv,
++ unsigned char *out, const unsigned char *in,
++ size_t inlen, block128_f block);
+
+ #ifdef __cplusplus
+ }
+diff -up openssl-1.0.2e/crypto/modes/wrap128.c.wrap openssl-1.0.2e/crypto/modes/wrap128.c
+--- openssl-1.0.2e/crypto/modes/wrap128.c.wrap 2015-12-03 15:04:23.000000000 +0100
++++ openssl-1.0.2e/crypto/modes/wrap128.c 2015-12-04 13:37:51.486366984 +0100
+@@ -2,6 +2,7 @@
+ /*
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project.
++ * Mode with padding contributed by Petr Spacek (pspacek@redhat.com).
+ */
+ /* ====================================================================
+ * Copyright (c) 2013 The OpenSSL Project. All rights reserved.
+@@ -52,19 +53,44 @@
+ * ====================================================================
+ */
+
++/** Beware!
++ *
++ * Following wrapping modes were designed for AES but this implementation
++ * allows you to use them for any 128 bit block cipher.
++ */
++
+ #include "cryptlib.h"
+ #include <openssl/modes.h>
+
++/** RFC 3394 section 2.2.3.1 Default Initial Value */
+ static const unsigned char default_iv[] = {
+ 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6,
+ };
+
+-/*
+- * Input size limit: lower than maximum of standards but far larger than
++/** RFC 5649 section 3 Alternative Initial Value 32-bit constant */
++static const unsigned char default_aiv[] = {
++ 0xA6, 0x59, 0x59, 0xA6
++};
++
++/** Input size limit: lower than maximum of standards but far larger than
+ * anything that will be used in practice.
+ */
+ #define CRYPTO128_WRAP_MAX (1UL << 31)
+
++/** Wrapping according to RFC 3394 section 2.2.1.
++ *
++ * @param[in] key Key value.
++ * @param[in] iv IV value. Length = 8 bytes. NULL = use default_iv.
++ * @param[in] in Plain text as n 64-bit blocks, n >= 2.
++ * @param[in] inlen Length of in.
++ * @param[out] out Cipher text. Minimal buffer length = (inlen + 8) bytes.
++ * Input and output buffers can overlap if block function
++ * supports that.
++ * @param[in] block Block processing function.
++ * @return 0 if inlen does not consist of n 64-bit blocks, n >= 2.
++ * or if inlen > CRYPTO128_WRAP_MAX.
++ * Output length if wrapping succeeded.
++ */
+ size_t CRYPTO_128_wrap(void *key, const unsigned char *iv,
+ unsigned char *out,
+ const unsigned char *in, size_t inlen,
+@@ -72,7 +98,7 @@ size_t CRYPTO_128_wrap(void *key, const
+ {
+ unsigned char *A, B[16], *R;
+ size_t i, j, t;
+- if ((inlen & 0x7) || (inlen < 8) || (inlen > CRYPTO128_WRAP_MAX))
++ if ((inlen & 0x7) || (inlen < 16) || (inlen > CRYPTO128_WRAP_MAX))
+ return 0;
+ A = B;
+ t = 1;
+@@ -100,7 +126,23 @@ size_t CRYPTO_128_wrap(void *key, const
+ return inlen + 8;
+ }
+
+-size_t CRYPTO_128_unwrap(void *key, const unsigned char *iv,
++/** Unwrapping according to RFC 3394 section 2.2.2 steps 1-2.
++ * IV check (step 3) is responsibility of the caller.
++ *
++ * @param[in] key Key value.
++ * @param[out] iv Unchecked IV value. Minimal buffer length = 8 bytes.
++ * @param[out] out Plain text without IV.
++ * Minimal buffer length = (inlen - 8) bytes.
++ * Input and output buffers can overlap if block function
++ * supports that.
++ * @param[in] in Ciphertext text as n 64-bit blocks
++ * @param[in] inlen Length of in.
++ * @param[in] block Block processing function.
++ * @return 0 if inlen is out of range [24, CRYPTO128_WRAP_MAX]
++ * or if inlen is not multiply of 8.
++ * Output length otherwise.
++ */
++static size_t crypto_128_unwrap_raw(void *key, unsigned char *iv,
+ unsigned char *out,
+ const unsigned char *in, size_t inlen,
+ block128_f block)
+@@ -128,11 +170,190 @@ size_t CRYPTO_128_unwrap(void *key, cons
+ memcpy(R, B + 8, 8);
+ }
+ }
++ memcpy(iv, A, 8);
++ return inlen;
++}
++
++/** Unwrapping according to RFC 3394 section 2.2.2 including IV check.
++ * First block of plain text have to match supplied IV otherwise an error is
++ * returned.
++ *
++ * @param[in] key Key value.
++ * @param[out] iv Unchecked IV value. Minimal buffer length = 8 bytes.
++ * @param[out] out Plain text without IV.
++ * Minimal buffer length = (inlen - 8) bytes.
++ * Input and output buffers can overlap if block function
++ * supports that.
++ * @param[in] in Ciphertext text as n 64-bit blocks
++ * @param[in] inlen Length of in.
++ * @param[in] block Block processing function.
++ * @return 0 if inlen is out of range [24, CRYPTO128_WRAP_MAX]
++ * or if inlen is not multiply of 8
++ * or if IV doesn't match expected value.
++ * Output length otherwise.
++ */
++size_t CRYPTO_128_unwrap(void *key, const unsigned char *iv,
++ unsigned char *out, const unsigned char *in,
++ size_t inlen, block128_f block)
++{
++ size_t ret;
++ unsigned char got_iv[8];
++
++ ret = crypto_128_unwrap_raw(key, got_iv, out, in, inlen, block);
++ if (ret == 0)
++ return 0;
++
+ if (!iv)
+ iv = default_iv;
+- if (memcmp(A, iv, 8)) {
++ if (CRYPTO_memcmp(got_iv, iv, 8)) {
++ OPENSSL_cleanse(out, ret);
++ return 0;
++ }
++ return ret;
++}
++
++/** Wrapping according to RFC 5649 section 4.1.
++ *
++ * @param[in] key Key value.
++ * @param[in] icv (Non-standard) IV, 4 bytes. NULL = use default_aiv.
++ * @param[out] out Cipher text. Minimal buffer length = (inlen + 15) bytes.
++ * Input and output buffers can overlap if block function
++ * supports that.
++ * @param[in] in Plain text as n 64-bit blocks, n >= 2.
++ * @param[in] inlen Length of in.
++ * @param[in] block Block processing function.
++ * @return 0 if inlen is out of range [1, CRYPTO128_WRAP_MAX].
++ * Output length if wrapping succeeded.
++ */
++size_t CRYPTO_128_wrap_pad(void *key, const unsigned char *icv,
++ unsigned char *out,
++ const unsigned char *in, size_t inlen,
++ block128_f block)
++{
++ /* n: number of 64-bit blocks in the padded key data */
++ const size_t blocks_padded = (inlen + 7) / 8;
++ const size_t padded_len = blocks_padded * 8;
++ const size_t padding_len = padded_len - inlen;
++ /* RFC 5649 section 3: Alternative Initial Value */
++ unsigned char aiv[8];
++ int ret;
++
++ /* Section 1: use 32-bit fixed field for plaintext octet length */
++ if (inlen == 0 || inlen >= CRYPTO128_WRAP_MAX)
++ return 0;
++
++ /* Section 3: Alternative Initial Value */
++ if (!icv)
++ memcpy(aiv, default_aiv, 4);
++ else
++ memcpy(aiv, icv, 4); /* Standard doesn't mention this. */
++
++ aiv[4] = (inlen >> 24) & 0xFF;
++ aiv[5] = (inlen >> 16) & 0xFF;
++ aiv[6] = (inlen >> 8) & 0xFF;
++ aiv[7] = inlen & 0xFF;
++
++ if (padded_len == 8) {
++ /* Section 4.1 - special case in step 2:
++ * If the padded plaintext contains exactly eight octets, then
++ * prepend the AIV and encrypt the resulting 128-bit block
++ * using AES in ECB mode. */
++ memmove(out + 8, in, inlen);
++ memcpy(out, aiv, 8);
++ memset(out + 8 + inlen, 0, padding_len);
++ block(out, out, key);
++ ret = 16; /* AIV + padded input */
++ } else {
++ memmove(out, in, inlen);
++ memset(out + inlen, 0, padding_len); /* Section 4.1 step 1 */
++ ret = CRYPTO_128_wrap(key, aiv, out, out, padded_len, block);
++ }
++
++ return ret;
++}
++
++/** Unwrapping according to RFC 5649 section 4.2.
++ *
++ * @param[in] key Key value.
++ * @param[in] icv (Non-standard) IV, 4 bytes. NULL = use default_aiv.
++ * @param[out] out Plain text. Minimal buffer length = inlen bytes.
++ * Input and output buffers can overlap if block function
++ * supports that.
++ * @param[in] in Ciphertext text as n 64-bit blocks
++ * @param[in] inlen Length of in.
++ * @param[in] block Block processing function.
++ * @return 0 if inlen is out of range [16, CRYPTO128_WRAP_MAX],
++ * or if inlen is not multiply of 8
++ * or if IV and message length indicator doesn't match.
++ * Output length if unwrapping succeeded and IV matches.
++ */
++size_t CRYPTO_128_unwrap_pad(void *key, const unsigned char *icv,
++ unsigned char *out,
++ const unsigned char *in, size_t inlen,
++ block128_f block)
++{
++ /* n: number of 64-bit blocks in the padded key data */
++ size_t n = inlen / 8 - 1;
++ size_t padded_len;
++ size_t padding_len;
++ size_t ptext_len;
++ /* RFC 5649 section 3: Alternative Initial Value */
++ unsigned char aiv[8];
++ static unsigned char zeros[8] = { 0x0 };
++ size_t ret;
++
++ /* Section 4.2: Cipher text length has to be (n+1) 64-bit blocks. */
++ if ((inlen & 0x7) != 0 || inlen < 16 || inlen >= CRYPTO128_WRAP_MAX)
++ return 0;
++
++ memmove(out, in, inlen);
++ if (inlen == 16) {
++ /* Section 4.2 - special case in step 1:
++ * When n=1, the ciphertext contains exactly two 64-bit
++ * blocks and they are decrypted as a single AES
++ * block using AES in ECB mode:
++ * AIV | P[1] = DEC(K, C[0] | C[1])
++ */
++ block(out, out, key);
++ memcpy(aiv, out, 8);
++ /* Remove AIV */
++ memmove(out, out + 8, 8);
++ padded_len = 8;
++ } else {
++ padded_len = inlen - 8;
++ ret = crypto_128_unwrap_raw(key, aiv, out, out, inlen, block);
++ if (padded_len != ret) {
+ OPENSSL_cleanse(out, inlen);
+ return 0;
+ }
+- return inlen;
++ }
++
++ /* Section 3: AIV checks: Check that MSB(32,A) = A65959A6.
++ * Optionally a user-supplied value can be used
++ * (even if standard doesn't mention this). */
++ if ((!icv && CRYPTO_memcmp(aiv, default_aiv, 4))
++ || (icv && CRYPTO_memcmp(aiv, icv, 4))) {
++ OPENSSL_cleanse(out, inlen);
++ return 0;
++ }
++
++ /* Check that 8*(n-1) < LSB(32,AIV) <= 8*n.
++ * If so, let ptext_len = LSB(32,AIV). */
++
++ ptext_len = (aiv[4] << 24) | (aiv[5] << 16) | (aiv[6] << 8) | aiv[7];
++ if (8 * (n - 1) >= ptext_len || ptext_len > 8 * n) {
++ OPENSSL_cleanse(out, inlen);
++ return 0;
++ }
++
++ /* Check that the rightmost padding_len octets of the output data
++ * are zero. */
++ padding_len = padded_len - ptext_len;
++ if (CRYPTO_memcmp(out + ptext_len, zeros, padding_len) != 0) {
++ OPENSSL_cleanse(out, inlen);
++ return 0;
++ }
++
++ /* Section 4.2 step 3: Remove padding */
++ return ptext_len;
+ }
diff --git a/SOURCES/openssl-1.0.2g-manfix.patch b/SOURCES/openssl-1.0.2g-manfix.patch
new file mode 100644
index 0000000..12e5103
--- /dev/null
+++ b/SOURCES/openssl-1.0.2g-manfix.patch
@@ -0,0 +1,90 @@
+diff -up openssl-1.0.2g/doc/apps/ec.pod.manfix openssl-1.0.2g/doc/apps/ec.pod
+--- openssl-1.0.2g/doc/apps/ec.pod.manfix 2016-03-01 14:35:05.000000000 +0100
++++ openssl-1.0.2g/doc/apps/ec.pod 2016-03-01 16:47:35.331568290 +0100
+@@ -93,10 +93,6 @@ prints out the public, private key compo
+
+ this option prevents output of the encoded version of the key.
+
+-=item B<-modulus>
+-
+-this option prints out the value of the public key component of the key.
+-
+ =item B<-pubin>
+
+ by default a private key is read from the input file: with this option a
+diff -up openssl-1.0.2g/doc/apps/openssl.pod.manfix openssl-1.0.2g/doc/apps/openssl.pod
+--- openssl-1.0.2g/doc/apps/openssl.pod.manfix 2016-03-01 14:35:05.000000000 +0100
++++ openssl-1.0.2g/doc/apps/openssl.pod 2016-03-01 16:47:35.331568290 +0100
+@@ -163,7 +163,7 @@ Create or examine a netscape certificate
+
+ Online Certificate Status Protocol utility.
+
+-=item L<B<passwd>|passwd(1)>
++=item L<B<passwd>|sslpasswd(1)>
+
+ Generation of hashed passwords.
+
+@@ -187,7 +187,7 @@ Public key algorithm parameter managemen
+
+ Public key algorithm cryptographic operation utility.
+
+-=item L<B<rand>|rand(1)>
++=item L<B<rand>|sslrand(1)>
+
+ Generate pseudo-random bytes.
+
+@@ -401,9 +401,9 @@ L<crl(1)|crl(1)>, L<crl2pkcs7(1)|crl2pkc
+ L<dhparam(1)|dhparam(1)>, L<dsa(1)|dsa(1)>, L<dsaparam(1)|dsaparam(1)>,
+ L<enc(1)|enc(1)>, L<gendsa(1)|gendsa(1)>, L<genpkey(1)|genpkey(1)>,
+ L<genrsa(1)|genrsa(1)>, L<nseq(1)|nseq(1)>, L<openssl(1)|openssl(1)>,
+-L<passwd(1)|passwd(1)>,
++L<sslpasswd(1)|sslpasswd(1)>,
+ L<pkcs12(1)|pkcs12(1)>, L<pkcs7(1)|pkcs7(1)>, L<pkcs8(1)|pkcs8(1)>,
+-L<rand(1)|rand(1)>, L<req(1)|req(1)>, L<rsa(1)|rsa(1)>,
++L<sslrand(1)|sslrand(1)>, L<req(1)|req(1)>, L<rsa(1)|rsa(1)>,
+ L<rsautl(1)|rsautl(1)>, L<s_client(1)|s_client(1)>,
+ L<s_server(1)|s_server(1)>, L<s_time(1)|s_time(1)>,
+ L<smime(1)|smime(1)>, L<spkac(1)|spkac(1)>,
+diff -up openssl-1.0.2g/doc/apps/s_client.pod.manfix openssl-1.0.2g/doc/apps/s_client.pod
+--- openssl-1.0.2g/doc/apps/s_client.pod.manfix 2016-03-01 14:35:53.000000000 +0100
++++ openssl-1.0.2g/doc/apps/s_client.pod 2016-03-01 16:47:35.358568902 +0100
+@@ -35,6 +35,9 @@ B<openssl> B<s_client>
+ [B<-ssl2>]
+ [B<-ssl3>]
+ [B<-tls1>]
++[B<-tls1_1>]
++[B<-tls1_2>]
++[B<-dtls1>]
+ [B<-no_ssl2>]
+ [B<-no_ssl3>]
+ [B<-no_tls1>]
+@@ -201,7 +204,7 @@ Use the PSK key B<key> when using a PSK
+ given as a hexadecimal number without leading 0x, for example -psk
+ 1a2b3c4d.
+
+-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
++=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
+
+ These options require or disable the use of the specified SSL or TLS protocols.
+ By default the initial handshake uses a I<version-flexible> method which will
+diff -up openssl-1.0.2g/doc/apps/s_server.pod.manfix openssl-1.0.2g/doc/apps/s_server.pod
+--- openssl-1.0.2g/doc/apps/s_server.pod.manfix 2016-03-01 14:35:53.000000000 +0100
++++ openssl-1.0.2g/doc/apps/s_server.pod 2016-03-01 16:47:35.359568925 +0100
+@@ -42,6 +42,8 @@ B<openssl> B<s_server>
+ [B<-ssl2>]
+ [B<-ssl3>]
+ [B<-tls1>]
++[B<-tls1_1>]
++[B<-tls1_2>]
+ [B<-no_ssl2>]
+ [B<-no_ssl3>]
+ [B<-no_tls1>]
+@@ -217,7 +219,7 @@ Use the PSK key B<key> when using a PSK
+ given as a hexadecimal number without leading 0x, for example -psk
+ 1a2b3c4d.
+
+-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
++=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
+
+ These options require or disable the use of the specified SSL or TLS protocols.
+ By default the initial handshake uses a I<version-flexible> method which will
diff --git a/SOURCES/openssl-1.0.2h-pkgconfig.patch b/SOURCES/openssl-1.0.2h-pkgconfig.patch
new file mode 100644
index 0000000..f810157
--- /dev/null
+++ b/SOURCES/openssl-1.0.2h-pkgconfig.patch
@@ -0,0 +1,24 @@
+diff -up openssl-1.0.2h/Makefile.org.pkgconfig openssl-1.0.2h/Makefile.org
+--- openssl-1.0.2h/Makefile.org.pkgconfig 2016-05-03 18:06:45.869834730 +0200
++++ openssl-1.0.2h/Makefile.org 2016-06-27 12:04:15.444245018 +0200
+@@ -377,7 +377,7 @@ libcrypto.pc: Makefile
+ echo 'Requires: '; \
+ echo 'Libs: -L$${libdir} -lcrypto'; \
+ echo 'Libs.private: $(EX_LIBS)'; \
+- echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libcrypto.pc
++ echo 'Cflags: -I$${includedir}' ) > libcrypto.pc
+
+ libssl.pc: Makefile
+ @ ( echo 'prefix=$(INSTALLTOP)'; \
+@@ -388,9 +388,9 @@ libssl.pc: Makefile
+ echo 'Name: OpenSSL-libssl'; \
+ echo 'Description: Secure Sockets Layer and cryptography libraries'; \
+ echo 'Version: '$(VERSION); \
+- echo 'Requires.private: libcrypto'; \
++ echo 'Requires: libcrypto'; \
+ echo 'Libs: -L$${libdir} -lssl'; \
+- echo 'Libs.private: $(EX_LIBS)'; \
++ echo 'Libs.private: $(EX_LIBS) $(LIBKRB5)'; \
+ echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libssl.pc
+
+ openssl.pc: Makefile
diff --git a/SOURCES/openssl-1.0.2i-chil-fixes.patch b/SOURCES/openssl-1.0.2i-chil-fixes.patch
new file mode 100644
index 0000000..c7f1820
--- /dev/null
+++ b/SOURCES/openssl-1.0.2i-chil-fixes.patch
@@ -0,0 +1,15 @@
+diff -up openssl-1.0.2i/engines/e_chil.c.chil openssl-1.0.2i/engines/e_chil.c
+--- openssl-1.0.2i/engines/e_chil.c.chil 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/engines/e_chil.c 2016-09-22 13:49:32.532017102 +0200
+@@ -1274,6 +1274,11 @@ static int hwcrhk_insert_card(const char
+ UI *ui;
+ void *callback_data = NULL;
+ UI_METHOD *ui_method = NULL;
++ /* Despite what the documentation says prompt_info can be
++ * an empty string.
++ */
++ if (prompt_info && !*prompt_info)
++ prompt_info = NULL;
+
+ if (cactx) {
+ if (cactx->ui_method)
diff --git a/SOURCES/openssl-1.0.2i-enc-fail.patch b/SOURCES/openssl-1.0.2i-enc-fail.patch
new file mode 100644
index 0000000..819a3fc
--- /dev/null
+++ b/SOURCES/openssl-1.0.2i-enc-fail.patch
@@ -0,0 +1,25 @@
+diff -up openssl-1.0.2i/crypto/evp/bio_enc.c.enc-fail openssl-1.0.2i/crypto/evp/bio_enc.c
+--- openssl-1.0.2i/crypto/evp/bio_enc.c.enc-fail 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/evp/bio_enc.c 2016-09-22 13:58:24.592381002 +0200
+@@ -307,8 +307,9 @@ static long enc_ctrl(BIO *b, int cmd, lo
+ case BIO_CTRL_RESET:
+ ctx->ok = 1;
+ ctx->finished = 0;
+- EVP_CipherInit_ex(&(ctx->cipher), NULL, NULL, NULL, NULL,
+- ctx->cipher.encrypt);
++ if (!EVP_CipherInit_ex(&(ctx->cipher), NULL, NULL, NULL, NULL,
++ ctx->cipher.encrypt))
++ ctx->ok = 0;
+ ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
+ break;
+ case BIO_CTRL_EOF: /* More to read */
+@@ -430,7 +431,8 @@ void BIO_set_cipher(BIO *b, const EVP_CI
+
+ b->init = 1;
+ ctx = (BIO_ENC_CTX *)b->ptr;
+- EVP_CipherInit_ex(&(ctx->cipher), c, NULL, k, i, e);
++ if (!EVP_CipherInit_ex(&(ctx->cipher), c, NULL, k, i, e))
++ ctx->ok = 0;
+
+ if (b->callback != NULL)
+ b->callback(b, BIO_CB_CTRL, (const char *)c, BIO_CTRL_SET, e, 1L);
diff --git a/SOURCES/openssl-1.0.2i-enginesdir.patch b/SOURCES/openssl-1.0.2i-enginesdir.patch
new file mode 100644
index 0000000..862ef1b
--- /dev/null
+++ b/SOURCES/openssl-1.0.2i-enginesdir.patch
@@ -0,0 +1,83 @@
+diff --git a/Configure b/Configure
+index c39f71a..7f3d905 100755
+--- a/Configure
++++ b/Configure
+@@ -727,6 +727,7 @@ my $idx_multilib = $idx++;
+ my $prefix="";
+ my $libdir="";
+ my $openssldir="";
++my $enginesdir="";
+ my $exe_ext="";
+ my $install_prefix= "$ENV{'INSTALL_PREFIX'}";
+ my $cross_compile_prefix="";
+@@ -956,6 +957,10 @@ PROCESS_ARGS:
+ {
+ $openssldir=$1;
+ }
++ elsif (/^--enginesdir=(.*)$/)
++ {
++ $enginesdir=$1;
++ }
+ elsif (/^--install.prefix=(.*)$/)
+ {
+ $install_prefix=$1;
+@@ -1207,7 +1212,7 @@ chop $prefix if $prefix =~ /.\/$/;
+
+ $openssldir=$prefix . "/ssl" if $openssldir eq "";
+ $openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/;
+-
++$enginesdir="$prefix/lib/engines" if $enginesdir eq "";
+
+ print "IsMK1MF=$IsMK1MF\n";
+
+@@ -1709,6 +1714,7 @@ while (<IN>)
+ s/^INSTALLTOP=.*$/INSTALLTOP=$prefix/;
+ s/^MULTILIB=.*$/MULTILIB=$multilib/;
+ s/^OPENSSLDIR=.*$/OPENSSLDIR=$openssldir/;
++ s/^ENGINESDIR=.*$/ENGINESDIR=$enginesdir/;
+ s/^LIBDIR=.*$/LIBDIR=$libdir/;
+ s/^INSTALL_PREFIX=.*$/INSTALL_PREFIX=$install_prefix/;
+ s/^PLATFORM=.*$/PLATFORM=$target/;
+@@ -1915,7 +1921,7 @@ while (<IN>)
+ }
+ elsif (/^#define\s+ENGINESDIR/)
+ {
+- my $foo = "$prefix/$libdir/engines";
++ my $foo = "$enginesdir";
+ $foo =~ s/\\/\\\\/g;
+ print OUT "#define ENGINESDIR \"$foo\"\n";
+ }
+diff --git a/Makefile.org b/Makefile.org
+index 2377f50..fe8d54c 100644
+--- a/Makefile.org
++++ b/Makefile.org
+@@ -28,6 +28,7 @@ INSTALLTOP=/usr/local/ssl
+
+ # Do not edit this manually. Use Configure --openssldir=DIR do change this!
+ OPENSSLDIR=/usr/local/ssl
++ENGINESDIR=$${libdir}/engines
+
+ # NO_IDEA - Define to build without the IDEA algorithm
+ # NO_RC4 - Define to build without the RC4 algorithm
+@@ -368,7 +369,7 @@ libcrypto.pc: Makefile
+ echo 'exec_prefix=$${prefix}'; \
+ echo 'libdir=$${exec_prefix}/$(LIBDIR)'; \
+ echo 'includedir=$${prefix}/include'; \
+- echo 'enginesdir=$${libdir}/engines'; \
++ echo 'enginesdir=$(ENGINESDIR)'; \
+ echo ''; \
+ echo 'Name: OpenSSL-libcrypto'; \
+ echo 'Description: OpenSSL cryptography library'; \
+diff --git a/engines/Makefile b/engines/Makefile
+index 2058ff4..a2c407b 100644
+--- a/engines/Makefile
++++ b/engines/Makefile
+@@ -124,7 +124,7 @@ install:
+ esac; \
+ cp $$pfx$$l$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
+ fi; \
+- chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
++ chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
+ mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx ); \
+ done; \
+ fi
diff --git a/SOURCES/openssl-1.0.2i-fips.patch b/SOURCES/openssl-1.0.2i-fips.patch
new file mode 100644
index 0000000..669922c
--- /dev/null
+++ b/SOURCES/openssl-1.0.2i-fips.patch
@@ -0,0 +1,13703 @@
+diff -up openssl-1.0.2i/apps/speed.c.fips openssl-1.0.2i/apps/speed.c
+--- openssl-1.0.2i/apps/speed.c.fips 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/apps/speed.c 2016-09-22 13:35:57.007220767 +0200
+@@ -197,7 +197,6 @@
+ # ifdef OPENSSL_DOING_MAKEDEPEND
+ # undef AES_set_encrypt_key
+ # undef AES_set_decrypt_key
+-# undef DES_set_key_unchecked
+ # endif
+ # define BF_set_key private_BF_set_key
+ # define CAST_set_key private_CAST_set_key
+@@ -205,7 +204,6 @@
+ # define SEED_set_key private_SEED_set_key
+ # define RC2_set_key private_RC2_set_key
+ # define RC4_set_key private_RC4_set_key
+-# define DES_set_key_unchecked private_DES_set_key_unchecked
+ # define AES_set_encrypt_key private_AES_set_encrypt_key
+ # define AES_set_decrypt_key private_AES_set_decrypt_key
+ # define Camellia_set_key private_Camellia_set_key
+@@ -974,7 +972,12 @@ int MAIN(int argc, char **argv)
+ # endif
+ # ifndef OPENSSL_NO_RSA
+ if (strcmp(*argv, "rsa") == 0) {
+- rsa_doit[R_RSA_512] = 1;
++# ifdef OPENSSL_FIPS
++ if (!FIPS_mode())
++# endif
++ {
++ rsa_doit[R_RSA_512] = 1;
++ }
+ rsa_doit[R_RSA_1024] = 1;
+ rsa_doit[R_RSA_2048] = 1;
+ rsa_doit[R_RSA_4096] = 1;
+@@ -982,7 +985,12 @@ int MAIN(int argc, char **argv)
+ # endif
+ # ifndef OPENSSL_NO_DSA
+ if (strcmp(*argv, "dsa") == 0) {
+- dsa_doit[R_DSA_512] = 1;
++# ifdef OPENSSL_FIPS
++ if (!FIPS_mode())
++# endif
++ {
++ dsa_doit[R_DSA_512] = 1;
++ }
+ dsa_doit[R_DSA_1024] = 1;
+ dsa_doit[R_DSA_2048] = 1;
+ } else
+@@ -1233,13 +1241,19 @@ int MAIN(int argc, char **argv)
+
+ if (j == 0) {
+ for (i = 0; i < ALGOR_NUM; i++) {
+- if (i != D_EVP)
++ if (i != D_EVP &&
++ (!FIPS_mode() || (i != D_WHIRLPOOL &&
++ i != D_MD2 && i != D_MD4 &&
++ i != D_MD5 && i != D_MDC2 &&
++ i != D_RMD160)))
+ doit[i] = 1;
+ }
+ for (i = 0; i < RSA_NUM; i++)
+- rsa_doit[i] = 1;
++ if (!FIPS_mode() || i != R_RSA_512)
++ rsa_doit[i] = 1;
+ for (i = 0; i < DSA_NUM; i++)
+- dsa_doit[i] = 1;
++ if (!FIPS_mode() || i != R_DSA_512)
++ dsa_doit[i] = 1;
+ # ifndef OPENSSL_NO_ECDSA
+ for (i = 0; i < EC_NUM; i++)
+ ecdsa_doit[i] = 1;
+@@ -1299,30 +1313,46 @@ int MAIN(int argc, char **argv)
+ AES_set_encrypt_key(key32, 256, &aes_ks3);
+ # endif
+ # ifndef OPENSSL_NO_CAMELLIA
+- Camellia_set_key(key16, 128, &camellia_ks1);
+- Camellia_set_key(ckey24, 192, &camellia_ks2);
+- Camellia_set_key(ckey32, 256, &camellia_ks3);
++ if (doit[D_CBC_128_CML] || doit[D_CBC_192_CML] || doit[D_CBC_256_CML]) {
++ Camellia_set_key(key16, 128, &camellia_ks1);
++ Camellia_set_key(ckey24, 192, &camellia_ks2);
++ Camellia_set_key(ckey32, 256, &camellia_ks3);
++ }
+ # endif
+ # ifndef OPENSSL_NO_IDEA
+- idea_set_encrypt_key(key16, &idea_ks);
++ if (doit[D_CBC_IDEA]) {
++ idea_set_encrypt_key(key16, &idea_ks);
++ }
+ # endif
+ # ifndef OPENSSL_NO_SEED
+- SEED_set_key(key16, &seed_ks);
++ if (doit[D_CBC_SEED]) {
++ SEED_set_key(key16, &seed_ks);
++ }
+ # endif
+ # ifndef OPENSSL_NO_RC4
+- RC4_set_key(&rc4_ks, 16, key16);
++ if (doit[D_RC4]) {
++ RC4_set_key(&rc4_ks, 16, key16);
++ }
+ # endif
+ # ifndef OPENSSL_NO_RC2
+- RC2_set_key(&rc2_ks, 16, key16, 128);
++ if (doit[D_CBC_RC2]) {
++ RC2_set_key(&rc2_ks, 16, key16, 128);
++ }
+ # endif
+ # ifndef OPENSSL_NO_RC5
+- RC5_32_set_key(&rc5_ks, 16, key16, 12);
++ if (doit[D_CBC_RC5]) {
++ RC5_32_set_key(&rc5_ks, 16, key16, 12);
++ }
+ # endif
+ # ifndef OPENSSL_NO_BF
+- BF_set_key(&bf_ks, 16, key16);
++ if (doit[D_CBC_BF]) {
++ BF_set_key(&bf_ks, 16, key16);
++ }
+ # endif
+ # ifndef OPENSSL_NO_CAST
+- CAST_set_key(&cast_ks, 16, key16);
++ if (doit[D_CBC_CAST]) {
++ CAST_set_key(&cast_ks, 16, key16);
++ }
+ # endif
+ # ifndef OPENSSL_NO_RSA
+ memset(rsa_c, 0, sizeof(rsa_c));
+@@ -1605,6 +1635,7 @@ int MAIN(int argc, char **argv)
+ HMAC_CTX hctx;
+
+ HMAC_CTX_init(&hctx);
++ HMAC_CTX_set_flags(&hctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ HMAC_Init_ex(&hctx, (unsigned char *)"This is a key...",
+ 16, EVP_md5(), NULL);
+
+diff -up openssl-1.0.2i/Configure.fips openssl-1.0.2i/Configure
+--- openssl-1.0.2i/Configure.fips 2016-09-22 13:35:56.993220444 +0200
++++ openssl-1.0.2i/Configure 2016-09-22 13:35:57.008220790 +0200
+@@ -1067,11 +1067,6 @@ if (defined($disabled{"md5"}) || defined
+ $disabled{"ssl2"} = "forced";
+ }
+
+-if ($fips && $fipslibdir eq "")
+- {
+- $fipslibdir = $fipsdir . "/lib/";
+- }
+-
+ # RSAX ENGINE sets default non-FIPS RSA method.
+ if ($fips)
+ {
+@@ -1556,7 +1551,6 @@ $cflags.=" -DOPENSSL_BN_ASM_GF2m" if ($b
+ if ($fips)
+ {
+ $openssl_other_defines.="#define OPENSSL_FIPS\n";
+- $cflags .= " -I\$(FIPSDIR)/include";
+ }
+
+ $cpuid_obj="mem_clr.o" unless ($cpuid_obj =~ /\.o$/);
+@@ -1768,9 +1762,12 @@ while (<IN>)
+
+ s/^FIPSDIR=.*/FIPSDIR=$fipsdir/;
+ s/^FIPSLIBDIR=.*/FIPSLIBDIR=$fipslibdir/;
+- s/^FIPSCANLIB=.*/FIPSCANLIB=libcrypto/ if $fips;
+ s/^BASEADDR=.*/BASEADDR=$baseaddr/;
+
++ if ($fips)
++ {
++ s/^FIPS=.*/FIPS=yes/;
++ }
+ s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/;
+ s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/;
+ s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared);
+diff -up openssl-1.0.2i/crypto/aes/aes_misc.c.fips openssl-1.0.2i/crypto/aes/aes_misc.c
+--- openssl-1.0.2i/crypto/aes/aes_misc.c.fips 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/aes/aes_misc.c 2016-09-22 13:35:57.008220790 +0200
+@@ -70,17 +70,11 @@ const char *AES_options(void)
+ int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
+ AES_KEY *key)
+ {
+-#ifdef OPENSSL_FIPS
+- fips_cipher_abort(AES);
+-#endif
+ return private_AES_set_encrypt_key(userKey, bits, key);
+ }
+
+ int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
+ AES_KEY *key)
+ {
+-#ifdef OPENSSL_FIPS
+- fips_cipher_abort(AES);
+-#endif
+ return private_AES_set_decrypt_key(userKey, bits, key);
+ }
+diff -up openssl-1.0.2i/crypto/cmac/cmac.c.fips openssl-1.0.2i/crypto/cmac/cmac.c
+--- openssl-1.0.2i/crypto/cmac/cmac.c.fips 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/cmac/cmac.c 2016-09-22 13:35:57.008220790 +0200
+@@ -105,12 +105,6 @@ CMAC_CTX *CMAC_CTX_new(void)
+
+ void CMAC_CTX_cleanup(CMAC_CTX *ctx)
+ {
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode() && !ctx->cctx.engine) {
+- FIPS_cmac_ctx_cleanup(ctx);
+- return;
+- }
+-#endif
+ EVP_CIPHER_CTX_cleanup(&ctx->cctx);
+ OPENSSL_cleanse(ctx->tbl, EVP_MAX_BLOCK_LENGTH);
+ OPENSSL_cleanse(ctx->k1, EVP_MAX_BLOCK_LENGTH);
+@@ -160,20 +154,6 @@ int CMAC_Init(CMAC_CTX *ctx, const void
+ EVPerr(EVP_F_CMAC_INIT, EVP_R_DISABLED_FOR_FIPS);
+ return 0;
+ }
+-
+- /* Switch to FIPS cipher implementation if possible */
+- if (cipher != NULL) {
+- const EVP_CIPHER *fcipher;
+- fcipher = FIPS_get_cipherbynid(EVP_CIPHER_nid(cipher));
+- if (fcipher != NULL)
+- cipher = fcipher;
+- }
+- /*
+- * Other algorithm blocking will be done in FIPS_cmac_init, via
+- * FIPS_cipherinit().
+- */
+- if (!impl && !ctx->cctx.engine)
+- return FIPS_cmac_init(ctx, key, keylen, cipher, NULL);
+ }
+ #endif
+ /* All zeros means restart */
+@@ -219,10 +199,6 @@ int CMAC_Update(CMAC_CTX *ctx, const voi
+ {
+ const unsigned char *data = in;
+ size_t bl;
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode() && !ctx->cctx.engine)
+- return FIPS_cmac_update(ctx, in, dlen);
+-#endif
+ if (ctx->nlast_block == -1)
+ return 0;
+ if (dlen == 0)
+@@ -262,10 +238,6 @@ int CMAC_Update(CMAC_CTX *ctx, const voi
+ int CMAC_Final(CMAC_CTX *ctx, unsigned char *out, size_t *poutlen)
+ {
+ int i, bl, lb;
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode() && !ctx->cctx.engine)
+- return FIPS_cmac_final(ctx, out, poutlen);
+-#endif
+ if (ctx->nlast_block == -1)
+ return 0;
+ bl = EVP_CIPHER_CTX_block_size(&ctx->cctx);
+diff -up openssl-1.0.2i/crypto/crypto.h.fips openssl-1.0.2i/crypto/crypto.h
+--- openssl-1.0.2i/crypto/crypto.h.fips 2016-09-22 13:35:56.890218070 +0200
++++ openssl-1.0.2i/crypto/crypto.h 2016-09-22 13:35:57.008220790 +0200
+@@ -600,24 +600,29 @@ int FIPS_mode_set(int r);
+ void OPENSSL_init(void);
+
+ # define fips_md_init(alg) fips_md_init_ctx(alg, alg)
++# define nonfips_md_init(alg) nonfips_md_init_ctx(alg, alg)
++# define fips_md_init_ctx(alg, cx) \
++ int alg##_Init(cx##_CTX *c)
+
+ # ifdef OPENSSL_FIPS
+-# define fips_md_init_ctx(alg, cx) \
++# define nonfips_md_init_ctx(alg, cx) \
+ int alg##_Init(cx##_CTX *c) \
+ { \
+ if (FIPS_mode()) OpenSSLDie(__FILE__, __LINE__, \
+- "Low level API call to digest " #alg " forbidden in FIPS mode!"); \
++ "Digest " #alg " forbidden in FIPS mode!"); \
+ return private_##alg##_Init(c); \
+ } \
+ int private_##alg##_Init(cx##_CTX *c)
+
+ # define fips_cipher_abort(alg) \
+ if (FIPS_mode()) OpenSSLDie(__FILE__, __LINE__, \
+- "Low level API call to cipher " #alg " forbidden in FIPS mode!")
++ "Cipher " #alg " forbidden in FIPS mode!")
++
++/* die if FIPS selftest failed */
++void FIPS_selftest_check(void);
+
+ # else
+-# define fips_md_init_ctx(alg, cx) \
+- int alg##_Init(cx##_CTX *c)
++# define nonfips_md_init_ctx(alg, cx) fips_md_init_ctx(alg, cx)
+ # define fips_cipher_abort(alg) while(0)
+ # endif
+
+@@ -637,6 +642,9 @@ int CRYPTO_memcmp(const volatile void *a
+ */
+ void ERR_load_CRYPTO_strings(void);
+
++# define OPENSSL_HAVE_INIT 1
++void OPENSSL_init_library(void);
++
+ /* Error codes for the CRYPTO functions. */
+
+ /* Function codes. */
+diff -up openssl-1.0.2i/crypto/des/des.h.fips openssl-1.0.2i/crypto/des/des.h
+--- openssl-1.0.2i/crypto/des/des.h.fips 2016-09-22 13:35:56.918218715 +0200
++++ openssl-1.0.2i/crypto/des/des.h 2016-09-22 13:35:57.008220790 +0200
+@@ -231,10 +231,6 @@ int DES_set_key(const_DES_cblock *key, D
+ int DES_key_sched(const_DES_cblock *key, DES_key_schedule *schedule);
+ int DES_set_key_checked(const_DES_cblock *key, DES_key_schedule *schedule);
+ void DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule);
+-# ifdef OPENSSL_FIPS
+-void private_DES_set_key_unchecked(const_DES_cblock *key,
+- DES_key_schedule *schedule);
+-# endif
+ void DES_string_to_key(const char *str, DES_cblock *key);
+ void DES_string_to_2keys(const char *str, DES_cblock *key1, DES_cblock *key2);
+ void DES_cfb64_encrypt(const unsigned char *in, unsigned char *out,
+diff -up openssl-1.0.2i/crypto/des/set_key.c.fips openssl-1.0.2i/crypto/des/set_key.c
+--- openssl-1.0.2i/crypto/des/set_key.c.fips 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/des/set_key.c 2016-09-22 13:35:57.008220790 +0200
+@@ -359,15 +359,6 @@ int DES_set_key_checked(const_DES_cblock
+ }
+
+ void DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule)
+-#ifdef OPENSSL_FIPS
+-{
+- fips_cipher_abort(DES);
+- private_DES_set_key_unchecked(key, schedule);
+-}
+-
+-void private_DES_set_key_unchecked(const_DES_cblock *key,
+- DES_key_schedule *schedule)
+-#endif
+ {
+ static const int shifts2[16] =
+ { 0, 0, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 0 };
+diff -up openssl-1.0.2i/crypto/dh/dh_gen.c.fips openssl-1.0.2i/crypto/dh/dh_gen.c
+--- openssl-1.0.2i/crypto/dh/dh_gen.c.fips 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/dh/dh_gen.c 2016-09-22 13:35:57.009220813 +0200
+@@ -85,10 +85,6 @@ int DH_generate_parameters_ex(DH *ret, i
+ #endif
+ if (ret->meth->generate_params)
+ return ret->meth->generate_params(ret, prime_len, generator, cb);
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode())
+- return FIPS_dh_generate_parameters_ex(ret, prime_len, generator, cb);
+-#endif
+ return dh_builtin_genparams(ret, prime_len, generator, cb);
+ }
+
+@@ -126,6 +122,18 @@ static int dh_builtin_genparams(DH *ret,
+ int g, ok = -1;
+ BN_CTX *ctx = NULL;
+
++#ifdef OPENSSL_FIPS
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_DH_BUILTIN_GENPARAMS, FIPS_R_FIPS_SELFTEST_FAILED);
++ return 0;
++ }
++
++ if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) {
++ DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL);
++ goto err;
++ }
++#endif
++
+ ctx = BN_CTX_new();
+ if (ctx == NULL)
+ goto err;
+diff -up openssl-1.0.2i/crypto/dh/dh.h.fips openssl-1.0.2i/crypto/dh/dh.h
+--- openssl-1.0.2i/crypto/dh/dh.h.fips 2016-09-22 13:35:56.863217447 +0200
++++ openssl-1.0.2i/crypto/dh/dh.h 2016-09-22 13:35:57.009220813 +0200
+@@ -77,6 +77,8 @@
+ # define OPENSSL_DH_MAX_MODULUS_BITS 10000
+ # endif
+
++# define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
++
+ # define DH_FLAG_CACHE_MONT_P 0x01
+
+ /*
+diff -up openssl-1.0.2i/crypto/dh/dh_key.c.fips openssl-1.0.2i/crypto/dh/dh_key.c
+--- openssl-1.0.2i/crypto/dh/dh_key.c.fips 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/dh/dh_key.c 2016-09-22 13:35:57.009220813 +0200
+@@ -61,6 +61,9 @@
+ #include <openssl/bn.h>
+ #include <openssl/rand.h>
+ #include <openssl/dh.h>
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
+
+ static int generate_key(DH *dh);
+ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh);
+@@ -97,7 +100,7 @@ int DH_compute_key(unsigned char *key, c
+ int DH_compute_key_padded(unsigned char *key, const BIGNUM *pub_key, DH *dh)
+ {
+ int rv, pad;
+- rv = dh->meth->compute_key(key, pub_key, dh);
++ rv = DH_compute_key(key, pub_key, dh);
+ if (rv <= 0)
+ return rv;
+ pad = BN_num_bytes(dh->p) - rv;
+@@ -115,7 +118,7 @@ static DH_METHOD dh_ossl = {
+ dh_bn_mod_exp,
+ dh_init,
+ dh_finish,
+- 0,
++ DH_FLAG_FIPS_METHOD,
+ NULL,
+ NULL
+ };
+@@ -134,6 +137,14 @@ static int generate_key(DH *dh)
+ BN_MONT_CTX *mont = NULL;
+ BIGNUM *pub_key = NULL, *priv_key = NULL;
+
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode()
++ && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) {
++ DHerr(DH_F_GENERATE_KEY, DH_R_KEY_SIZE_TOO_SMALL);
++ return 0;
++ }
++#endif
++
+ ctx = BN_CTX_new();
+ if (ctx == NULL)
+ goto err;
+@@ -217,6 +228,13 @@ static int compute_key(unsigned char *ke
+ DHerr(DH_F_COMPUTE_KEY, DH_R_MODULUS_TOO_LARGE);
+ goto err;
+ }
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode()
++ && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) {
++ DHerr(DH_F_COMPUTE_KEY, DH_R_KEY_SIZE_TOO_SMALL);
++ goto err;
++ }
++#endif
+
+ ctx = BN_CTX_new();
+ if (ctx == NULL)
+@@ -277,6 +295,9 @@ static int dh_bn_mod_exp(const DH *dh, B
+
+ static int dh_init(DH *dh)
+ {
++#ifdef OPENSSL_FIPS
++ FIPS_selftest_check();
++#endif
+ dh->flags |= DH_FLAG_CACHE_MONT_P;
+ return (1);
+ }
+diff -up openssl-1.0.2i/crypto/dh/dh_lib.c.fips openssl-1.0.2i/crypto/dh/dh_lib.c
+--- openssl-1.0.2i/crypto/dh/dh_lib.c.fips 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/dh/dh_lib.c 2016-09-22 13:35:57.009220813 +0200
+@@ -80,14 +80,7 @@ void DH_set_default_method(const DH_METH
+ const DH_METHOD *DH_get_default_method(void)
+ {
+ if (!default_DH_method) {
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode())
+- return FIPS_dh_openssl();
+- else
+- return DH_OpenSSL();
+-#else
+ default_DH_method = DH_OpenSSL();
+-#endif
+ }
+ return default_DH_method;
+ }
+diff -up openssl-1.0.2i/crypto/dsa/dsa_err.c.fips openssl-1.0.2i/crypto/dsa/dsa_err.c
+--- openssl-1.0.2i/crypto/dsa/dsa_err.c.fips 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/dsa/dsa_err.c 2016-09-22 13:35:57.009220813 +0200
+@@ -74,6 +74,8 @@ static ERR_STRING_DATA DSA_str_functs[]
+ {ERR_FUNC(DSA_F_DO_DSA_PRINT), "DO_DSA_PRINT"},
+ {ERR_FUNC(DSA_F_DSAPARAMS_PRINT), "DSAparams_print"},
+ {ERR_FUNC(DSA_F_DSAPARAMS_PRINT_FP), "DSAparams_print_fp"},
++ {ERR_FUNC(DSA_F_DSA_BUILTIN_KEYGEN), "dsa_builtin_keygen"},
++ {ERR_FUNC(DSA_F_DSA_BUILTIN_PARAMGEN), "dsa_builtin_paramgen"},
+ {ERR_FUNC(DSA_F_DSA_BUILTIN_PARAMGEN2), "DSA_BUILTIN_PARAMGEN2"},
+ {ERR_FUNC(DSA_F_DSA_DO_SIGN), "DSA_do_sign"},
+ {ERR_FUNC(DSA_F_DSA_DO_VERIFY), "DSA_do_verify"},
+@@ -109,6 +111,8 @@ static ERR_STRING_DATA DSA_str_reasons[]
+ {ERR_REASON(DSA_R_DECODE_ERROR), "decode error"},
+ {ERR_REASON(DSA_R_INVALID_DIGEST_TYPE), "invalid digest type"},
+ {ERR_REASON(DSA_R_INVALID_PARAMETERS), "invalid parameters"},
++ {ERR_REASON(DSA_R_KEY_SIZE_INVALID), "key size invalid"},
++ {ERR_REASON(DSA_R_KEY_SIZE_TOO_SMALL), "key size too small"},
+ {ERR_REASON(DSA_R_MISSING_PARAMETERS), "missing parameters"},
+ {ERR_REASON(DSA_R_MODULUS_TOO_LARGE), "modulus too large"},
+ {ERR_REASON(DSA_R_NEED_NEW_SETUP_VALUES), "need new setup values"},
+diff -up openssl-1.0.2i/crypto/dsa/dsa_gen.c.fips openssl-1.0.2i/crypto/dsa/dsa_gen.c
+--- openssl-1.0.2i/crypto/dsa/dsa_gen.c.fips 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/dsa/dsa_gen.c 2016-09-22 13:42:54.389840662 +0200
+@@ -91,6 +91,16 @@
+ # include <openssl/fips.h>
+ # endif
+
++# ifndef OPENSSL_FIPS
++static int FIPS_dsa_generate_pq(BN_CTX *ctx, size_t bits, size_t qbits,
++ const EVP_MD *evpmd, unsigned char *seed,
++ int seed_len, BIGNUM **p_ret, BIGNUM **q_ret,
++ int *counter_ret, BN_GENCB *cb);
++static int FIPS_dsa_generate_g(BN_CTX *ctx, BIGNUM *p, BIGNUM *q,
++ BIGNUM **g_ret, unsigned long *h_ret,
++ BN_GENCB *cb);
++# endif
++
+ int DSA_generate_parameters_ex(DSA *ret, int bits,
+ const unsigned char *seed_in, int seed_len,
+ int *counter_ret, unsigned long *h_ret,
+@@ -106,83 +116,146 @@ int DSA_generate_parameters_ex(DSA *ret,
+ if (ret->meth->dsa_paramgen)
+ return ret->meth->dsa_paramgen(ret, bits, seed_in, seed_len,
+ counter_ret, h_ret, cb);
+-# ifdef OPENSSL_FIPS
+- else if (FIPS_mode()) {
+- return FIPS_dsa_generate_parameters_ex(ret, bits,
+- seed_in, seed_len,
+- counter_ret, h_ret, cb);
+- }
+-# endif
+ else {
+ const EVP_MD *evpmd = bits >= 2048 ? EVP_sha256() : EVP_sha1();
+ size_t qbits = EVP_MD_size(evpmd) * 8;
+
+ return dsa_builtin_paramgen(ret, bits, qbits, evpmd,
+- seed_in, seed_len, NULL, counter_ret,
++ seed_in, seed_len, counter_ret,
+ h_ret, cb);
+ }
+ }
+
++# ifdef OPENSSL_FIPS
++int FIPS_dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
++ const EVP_MD *evpmd,
++ const unsigned char *seed_in, size_t seed_len,
++ int *counter_ret, unsigned long *h_ret,
++ BN_GENCB *cb)
++{
++ return dsa_builtin_paramgen(ret, bits, qbits,
++ evpmd, seed_in, seed_len,
++ counter_ret, h_ret, cb);
++}
++# endif
++
+ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
+ const EVP_MD *evpmd, const unsigned char *seed_in,
+- size_t seed_len, unsigned char *seed_out,
++ size_t seed_len,
+ int *counter_ret, unsigned long *h_ret, BN_GENCB *cb)
+ {
+ int ok = 0;
+ unsigned char seed[SHA256_DIGEST_LENGTH];
++ BIGNUM *g = NULL, *q = NULL, *p = NULL;
++ size_t qsize = qbits >> 3;
++ BN_CTX *ctx = NULL;
++
++# ifdef OPENSSL_FIPS
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_DSA_BUILTIN_PARAMGEN, FIPS_R_FIPS_SELFTEST_FAILED);
++ goto err;
++ }
++
++ if (FIPS_module_mode() &&
++ (bits != 1024 || qbits != 160) &&
++ (bits != 2048 || qbits != 224) &&
++ (bits != 2048 || qbits != 256) && (bits != 3072 || qbits != 256)) {
++ DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_INVALID);
++ goto err;
++ }
++# endif
++ if (seed_len && (seed_len < (size_t)qsize))
++ seed_in = NULL; /* seed buffer too small -- ignore */
++ if (seed_len > sizeof(seed))
++ seed_len = sizeof(seed); /* App. 2.2 of FIPS PUB 186 allows larger SEED,
++ * but our internal buffers are restricted to 256 bits*/
++ if (seed_in != NULL)
++ memcpy(seed, seed_in, seed_len);
++ else
++ seed_len = 0;
++
++ if ((ctx = BN_CTX_new()) == NULL)
++ goto err;
++
++ BN_CTX_start(ctx);
++
++ if (!FIPS_dsa_generate_pq(ctx, bits, qbits, evpmd,
++ seed, seed_len, &p, &q, counter_ret, cb))
++ goto err;
++
++ if (!FIPS_dsa_generate_g(ctx, p, q, &g, h_ret, cb))
++ goto err;
++
++ ok = 1;
++ err:
++ if (ok) {
++ if (ret->p) {
++ BN_free(ret->p);
++ ret->p = NULL;
++ }
++ if (ret->q) {
++ BN_free(ret->q);
++ ret->q = NULL;
++ }
++ if (ret->g) {
++ BN_free(ret->g);
++ ret->g = NULL;
++ }
++ ret->p = BN_dup(p);
++ ret->q = BN_dup(q);
++ ret->g = BN_dup(g);
++ if (ret->p == NULL || ret->q == NULL || ret->g == NULL)
++ ok = 0;
++ }
++ if (ctx) {
++ BN_CTX_end(ctx);
++ BN_CTX_free(ctx);
++ }
++ return ok;
++}
++
++# ifndef OPENSSL_FIPS
++static
++# endif
++int FIPS_dsa_generate_pq(BN_CTX *ctx, size_t bits, size_t qbits,
++ const EVP_MD *evpmd, unsigned char *seed,
++ int seed_len, BIGNUM **p_ret, BIGNUM **q_ret,
++ int *counter_ret, BN_GENCB *cb)
++{
++ int ok = 0;
+ unsigned char md[SHA256_DIGEST_LENGTH];
+- unsigned char buf[SHA256_DIGEST_LENGTH], buf2[SHA256_DIGEST_LENGTH];
++ unsigned char buf[SHA256_DIGEST_LENGTH];
+ BIGNUM *r0, *W, *X, *c, *test;
+- BIGNUM *g = NULL, *q = NULL, *p = NULL;
+- BN_MONT_CTX *mont = NULL;
+- int i, k, n = 0, m = 0, qsize = qbits >> 3;
++ BIGNUM *q = NULL, *p = NULL;
++ int i, k, b, n = 0, m = 0, qsize = qbits >> 3;
+ int counter = 0;
+ int r = 0;
+- BN_CTX *ctx = NULL;
+- unsigned int h = 2;
+
+ if (qsize != SHA_DIGEST_LENGTH && qsize != SHA224_DIGEST_LENGTH &&
+ qsize != SHA256_DIGEST_LENGTH)
+ /* invalid q size */
+ return 0;
+
+- if (evpmd == NULL)
+- /* use SHA1 as default */
++ if (evpmd == NULL) {
++ if (qbits <= 160)
+ evpmd = EVP_sha1();
++ else if (qbits <= 224)
++ evpmd = EVP_sha224();
++ else
++ evpmd = EVP_sha256();
++ }
+
+ if (bits < 512)
+ bits = 512;
+
+ bits = (bits + 63) / 64 * 64;
+
+- /*
+- * NB: seed_len == 0 is special case: copy generated seed to seed_in if
+- * it is not NULL.
+- */
+- if (seed_len && (seed_len < (size_t)qsize))
+- seed_in = NULL; /* seed buffer too small -- ignore */
+- if (seed_len > (size_t)qsize)
+- seed_len = qsize; /* App. 2.2 of FIPS PUB 186 allows larger
+- * SEED, but our internal buffers are
+- * restricted to 160 bits */
+- if (seed_in != NULL)
+- memcpy(seed, seed_in, seed_len);
+-
+- if ((mont = BN_MONT_CTX_new()) == NULL)
+- goto err;
+-
+- if ((ctx = BN_CTX_new()) == NULL)
+- goto err;
+-
+- BN_CTX_start(ctx);
+-
+ r0 = BN_CTX_get(ctx);
+- g = BN_CTX_get(ctx);
+ W = BN_CTX_get(ctx);
+- q = BN_CTX_get(ctx);
++ *q_ret = q = BN_CTX_get(ctx);
+ X = BN_CTX_get(ctx);
+ c = BN_CTX_get(ctx);
+- p = BN_CTX_get(ctx);
++ *p_ret = p = BN_CTX_get(ctx);
+ test = BN_CTX_get(ctx);
+
+ if (test == NULL)
+@@ -191,15 +264,20 @@ int dsa_builtin_paramgen(DSA *ret, size_
+ if (!BN_lshift(test, BN_value_one(), bits - 1))
+ goto err;
+
++ /* step 3 n = \lceil bits / qbits \rceil - 1 */
++ n = (bits + qbits - 1) / qbits - 1;
++ /* step 4 b = bits - 1 - n * qbits */
++ b = bits - 1 - n * qbits;
++
+ for (;;) {
+ for (;;) { /* find q */
+ int seed_is_random;
+
+- /* step 1 */
++ /* step 5 generate seed */
+ if (!BN_GENCB_call(cb, 0, m++))
+ goto err;
+
+- if (!seed_len || !seed_in) {
++ if (!seed_len) {
+ if (RAND_bytes(seed, qsize) <= 0)
+ goto err;
+ seed_is_random = 1;
+@@ -209,29 +287,18 @@ int dsa_builtin_paramgen(DSA *ret, size_
+ * be bad */
+ }
+ memcpy(buf, seed, qsize);
+- memcpy(buf2, seed, qsize);
+- /* precompute "SEED + 1" for step 7: */
+- for (i = qsize - 1; i >= 0; i--) {
+- buf[i]++;
+- if (buf[i] != 0)
+- break;
+- }
+
+- /* step 2 */
++ /* step 6 U = hash(seed) */
+ if (!EVP_Digest(seed, qsize, md, NULL, evpmd, NULL))
+ goto err;
+- if (!EVP_Digest(buf, qsize, buf2, NULL, evpmd, NULL))
+- goto err;
+- for (i = 0; i < qsize; i++)
+- md[i] ^= buf2[i];
+
+- /* step 3 */
++ /* step 7 q = 2^(qbits-1) + U + 1 - (U mod 2) */
+ md[0] |= 0x80;
+ md[qsize - 1] |= 0x01;
+ if (!BN_bin2bn(md, qsize, q))
+ goto err;
+
+- /* step 4 */
++ /* step 8 test for prime (64 round of Rabin-Miller) */
+ r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx,
+ seed_is_random, cb);
+ if (r > 0)
+@@ -239,8 +306,6 @@ int dsa_builtin_paramgen(DSA *ret, size_
+ if (r != 0)
+ goto err;
+
+- /* do a callback call */
+- /* step 5 */
+ }
+
+ if (!BN_GENCB_call(cb, 2, 0))
+@@ -248,19 +313,16 @@ int dsa_builtin_paramgen(DSA *ret, size_
+ if (!BN_GENCB_call(cb, 3, 0))
+ goto err;
+
+- /* step 6 */
++ /* step 11 */
+ counter = 0;
+- /* "offset = 2" */
+-
+- n = (bits - 1) / 160;
++ /* "offset = 1" */
+
+ for (;;) {
+ if ((counter != 0) && !BN_GENCB_call(cb, 0, counter))
+ goto err;
+
+- /* step 7 */
++ /* step 11.1, 11.2 obtain W */
+ BN_zero(W);
+- /* now 'buf' contains "SEED + offset - 1" */
+ for (k = 0; k <= n; k++) {
+ /*
+ * obtain "SEED + offset + k" by incrementing:
+@@ -274,36 +336,37 @@ int dsa_builtin_paramgen(DSA *ret, size_
+ if (!EVP_Digest(buf, qsize, md, NULL, evpmd, NULL))
+ goto err;
+
+- /* step 8 */
+ if (!BN_bin2bn(md, qsize, r0))
+ goto err;
+- if (!BN_lshift(r0, r0, (qsize << 3) * k))
++ if (k == n)
++ BN_mask_bits(r0, b);
++ if (!BN_lshift(r0, r0, qbits * k))
+ goto err;
+ if (!BN_add(W, W, r0))
+ goto err;
+ }
+
+- /* more of step 8 */
+- if (!BN_mask_bits(W, bits - 1))
+- goto err;
++ /* step 11.3 X = W + 2^(L-1) */
+ if (!BN_copy(X, W))
+ goto err;
+ if (!BN_add(X, X, test))
+ goto err;
+
+- /* step 9 */
++ /* step 11.4 c = X mod 2*q */
+ if (!BN_lshift1(r0, q))
+ goto err;
+ if (!BN_mod(c, X, r0, ctx))
+ goto err;
++
++ /* step 11.5 p = X - (c - 1) */
+ if (!BN_sub(r0, c, BN_value_one()))
+ goto err;
+ if (!BN_sub(p, X, r0))
+ goto err;
+
+- /* step 10 */
++ /* step 11.6 */
+ if (BN_cmp(p, test) >= 0) {
+- /* step 11 */
++ /* step 11.7 */
+ r = BN_is_prime_fasttest_ex(p, DSS_prime_checks, ctx, 1, cb);
+ if (r > 0)
+ goto end; /* found it */
+@@ -311,12 +374,12 @@ int dsa_builtin_paramgen(DSA *ret, size_
+ goto err;
+ }
+
+- /* step 13 */
++ /* step 11.9 */
+ counter++;
+ /* "offset = offset + n + 1" */
+
+- /* step 14 */
+- if (counter >= 4096)
++ /* step 12 */
++ if (counter >= 4 * bits)
+ break;
+ }
+ }
+@@ -324,7 +387,33 @@ int dsa_builtin_paramgen(DSA *ret, size_
+ if (!BN_GENCB_call(cb, 2, 1))
+ goto err;
+
+- /* We now need to generate g */
++ ok = 1;
++ err:
++ if (ok) {
++ if (counter_ret != NULL)
++ *counter_ret = counter;
++ }
++ return ok;
++}
++
++# ifndef OPENSSL_FIPS
++static
++# endif
++int FIPS_dsa_generate_g(BN_CTX *ctx, BIGNUM *p, BIGNUM *q,
++ BIGNUM **g_ret, unsigned long *h_ret, BN_GENCB *cb)
++{
++ int ok = 0;
++ BIGNUM *r0, *test, *g = NULL;
++ BN_MONT_CTX *mont;
++ unsigned int h = 2;
++
++ if ((mont = BN_MONT_CTX_new()) == NULL)
++ goto err;
++
++ r0 = BN_CTX_get(ctx);
++ *g_ret = g = BN_CTX_get(ctx);
++ test = BN_CTX_get(ctx);
++
+ /* Set r0=(p-1)/q */
+ if (!BN_sub(test, p, BN_value_one()))
+ goto err;
+@@ -353,46 +442,14 @@ int dsa_builtin_paramgen(DSA *ret, size_
+ ok = 1;
+ err:
+ if (ok) {
+- if (ret->p)
+- BN_free(ret->p);
+- if (ret->q)
+- BN_free(ret->q);
+- if (ret->g)
+- BN_free(ret->g);
+- ret->p = BN_dup(p);
+- ret->q = BN_dup(q);
+- ret->g = BN_dup(g);
+- if (ret->p == NULL || ret->q == NULL || ret->g == NULL) {
+- ok = 0;
+- goto err;
+- }
+- if (counter_ret != NULL)
+- *counter_ret = counter;
+ if (h_ret != NULL)
+ *h_ret = h;
+- if (seed_out)
+- memcpy(seed_out, seed, qsize);
+- }
+- if (ctx) {
+- BN_CTX_end(ctx);
+- BN_CTX_free(ctx);
+ }
+ if (mont != NULL)
+ BN_MONT_CTX_free(mont);
+ return ok;
+ }
+
+-# ifdef OPENSSL_FIPS
+-# undef fips_dsa_builtin_paramgen2
+-extern int fips_dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N,
+- const EVP_MD *evpmd,
+- const unsigned char *seed_in,
+- size_t seed_len, int idx,
+- unsigned char *seed_out,
+- int *counter_ret, unsigned long *h_ret,
+- BN_GENCB *cb);
+-# endif
+-
+ /*
+ * This is a parameter generation algorithm for the DSA2 algorithm as
+ * described in FIPS 186-3.
+@@ -418,14 +475,6 @@ int dsa_builtin_paramgen2(DSA *ret, size
+ EVP_MD_CTX mctx;
+ unsigned int h = 2;
+
+-# ifdef OPENSSL_FIPS
+-
+- if (FIPS_mode())
+- return fips_dsa_builtin_paramgen2(ret, L, N, evpmd,
+- seed_in, seed_len, idx,
+- seed_out, counter_ret, h_ret, cb);
+-# endif
+-
+ EVP_MD_CTX_init(&mctx);
+
+ if (evpmd == NULL) {
+diff -up openssl-1.0.2i/crypto/dsa/dsa.h.fips openssl-1.0.2i/crypto/dsa/dsa.h
+--- openssl-1.0.2i/crypto/dsa/dsa.h.fips 2016-09-22 13:35:56.789215742 +0200
++++ openssl-1.0.2i/crypto/dsa/dsa.h 2016-09-22 13:35:57.010220836 +0200
+@@ -88,6 +88,8 @@
+ # define OPENSSL_DSA_MAX_MODULUS_BITS 10000
+ # endif
+
++# define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS 1024
++
+ # define DSA_FLAG_CACHE_MONT_P 0x01
+ /*
+ * new with 0.9.7h; the built-in DSA implementation now uses constant time
+@@ -265,6 +267,20 @@ int DSA_print_fp(FILE *bp, const DSA *x,
+ DH *DSA_dup_DH(const DSA *r);
+ # endif
+
++# ifdef OPENSSL_FIPS
++int FIPS_dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
++ const EVP_MD *evpmd,
++ const unsigned char *seed_in,
++ size_t seed_len, int *counter_ret,
++ unsigned long *h_ret, BN_GENCB *cb);
++int FIPS_dsa_generate_pq(BN_CTX *ctx, size_t bits, size_t qbits,
++ const EVP_MD *evpmd, unsigned char *seed,
++ int seed_len, BIGNUM **p_ret, BIGNUM **q_ret,
++ int *counter_ret, BN_GENCB *cb);
++int FIPS_dsa_generate_g(BN_CTX *ctx, BIGNUM *p, BIGNUM *q, BIGNUM **g_ret,
++ unsigned long *h_ret, BN_GENCB *cb);
++# endif
++
+ # define EVP_PKEY_CTX_set_dsa_paramgen_bits(ctx, nbits) \
+ EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DSA, EVP_PKEY_OP_PARAMGEN, \
+ EVP_PKEY_CTRL_DSA_PARAMGEN_BITS, nbits, NULL)
+@@ -287,11 +303,14 @@ void ERR_load_DSA_strings(void);
+ # define DSA_F_DO_DSA_PRINT 104
+ # define DSA_F_DSAPARAMS_PRINT 100
+ # define DSA_F_DSAPARAMS_PRINT_FP 101
+-# define DSA_F_DSA_BUILTIN_PARAMGEN2 126
++# define DSA_F_DSA_BUILTIN_KEYGEN 124
++# define DSA_F_DSA_BUILTIN_PARAMGEN 123
++# define DSA_F_DSA_BUILTIN_PARAMGEN2 226
+ # define DSA_F_DSA_DO_SIGN 112
+ # define DSA_F_DSA_DO_VERIFY 113
+-# define DSA_F_DSA_GENERATE_KEY 124
+-# define DSA_F_DSA_GENERATE_PARAMETERS_EX 123
++# define DSA_F_DSA_GENERATE_KEY 126
++# define DSA_F_DSA_GENERATE_PARAMETERS_EX 127
++# define DSA_F_DSA_GENERATE_PARAMETERS /* unused */ 125
+ # define DSA_F_DSA_NEW_METHOD 103
+ # define DSA_F_DSA_PARAM_DECODE 119
+ # define DSA_F_DSA_PRINT_FP 105
+@@ -317,12 +336,16 @@ void ERR_load_DSA_strings(void);
+ # define DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE 100
+ # define DSA_R_DECODE_ERROR 104
+ # define DSA_R_INVALID_DIGEST_TYPE 106
+-# define DSA_R_INVALID_PARAMETERS 112
++# define DSA_R_INVALID_PARAMETERS 212
++# define DSA_R_KEY_SIZE_INVALID 113
++# define DSA_R_KEY_SIZE_TOO_SMALL 110
+ # define DSA_R_MISSING_PARAMETERS 101
+ # define DSA_R_MODULUS_TOO_LARGE 103
+-# define DSA_R_NEED_NEW_SETUP_VALUES 110
++# define DSA_R_NEED_NEW_SETUP_VALUES 112
+ # define DSA_R_NON_FIPS_DSA_METHOD 111
++# define DSA_R_NON_FIPS_METHOD 111
+ # define DSA_R_NO_PARAMETERS_SET 107
++# define DSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE /* unused */ 112
+ # define DSA_R_PARAMETER_ENCODING_ERROR 105
+ # define DSA_R_Q_NOT_PRIME 113
+
+diff -up openssl-1.0.2i/crypto/dsa/dsa_key.c.fips openssl-1.0.2i/crypto/dsa/dsa_key.c
+--- openssl-1.0.2i/crypto/dsa/dsa_key.c.fips 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/dsa/dsa_key.c 2016-09-22 13:35:57.010220836 +0200
+@@ -66,6 +66,34 @@
+
+ # ifdef OPENSSL_FIPS
+ # include <openssl/fips.h>
++# include <openssl/evp.h>
++
++static int fips_check_dsa(DSA *dsa)
++{
++ EVP_PKEY *pk;
++ unsigned char tbs[] = "DSA Pairwise Check Data";
++ int ret = 0;
++
++ if ((pk = EVP_PKEY_new()) == NULL)
++ goto err;
++
++ EVP_PKEY_set1_DSA(pk, dsa);
++
++ if (fips_pkey_signature_test(pk, tbs, -1, NULL, 0, NULL, 0, NULL))
++ ret = 1;
++
++ err:
++ if (ret == 0) {
++ FIPSerr(FIPS_F_FIPS_CHECK_DSA, FIPS_R_PAIRWISE_TEST_FAILED);
++ fips_set_selftest_fail();
++ }
++
++ if (pk)
++ EVP_PKEY_free(pk);
++
++ return ret;
++}
++
+ # endif
+
+ static int dsa_builtin_keygen(DSA *dsa);
+@@ -81,10 +109,6 @@ int DSA_generate_key(DSA *dsa)
+ # endif
+ if (dsa->meth->dsa_keygen)
+ return dsa->meth->dsa_keygen(dsa);
+-# ifdef OPENSSL_FIPS
+- if (FIPS_mode())
+- return FIPS_dsa_generate_key(dsa);
+-# endif
+ return dsa_builtin_keygen(dsa);
+ }
+
+@@ -94,6 +118,14 @@ static int dsa_builtin_keygen(DSA *dsa)
+ BN_CTX *ctx = NULL;
+ BIGNUM *pub_key = NULL, *priv_key = NULL;
+
++# ifdef OPENSSL_FIPS
++ if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
++ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) {
++ DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL);
++ goto err;
++ }
++# endif
++
+ if ((ctx = BN_CTX_new()) == NULL)
+ goto err;
+
+@@ -131,6 +163,13 @@ static int dsa_builtin_keygen(DSA *dsa)
+
+ dsa->priv_key = priv_key;
+ dsa->pub_key = pub_key;
++# ifdef OPENSSL_FIPS
++ if (FIPS_mode() && !fips_check_dsa(dsa)) {
++ dsa->pub_key = NULL;
++ dsa->priv_key = NULL;
++ goto err;
++ }
++# endif
+ ok = 1;
+
+ err:
+diff -up openssl-1.0.2i/crypto/dsa/dsa_lib.c.fips openssl-1.0.2i/crypto/dsa/dsa_lib.c
+--- openssl-1.0.2i/crypto/dsa/dsa_lib.c.fips 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/dsa/dsa_lib.c 2016-09-22 13:35:57.010220836 +0200
+@@ -86,14 +86,7 @@ void DSA_set_default_method(const DSA_ME
+ const DSA_METHOD *DSA_get_default_method(void)
+ {
+ if (!default_DSA_method) {
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode())
+- return FIPS_dsa_openssl();
+- else
+- return DSA_OpenSSL();
+-#else
+ default_DSA_method = DSA_OpenSSL();
+-#endif
+ }
+ return default_DSA_method;
+ }
+diff -up openssl-1.0.2i/crypto/dsa/dsa_locl.h.fips openssl-1.0.2i/crypto/dsa/dsa_locl.h
+--- openssl-1.0.2i/crypto/dsa/dsa_locl.h.fips 2016-09-22 13:35:56.790215765 +0200
++++ openssl-1.0.2i/crypto/dsa/dsa_locl.h 2016-09-22 13:35:57.010220836 +0200
+@@ -56,7 +56,7 @@
+
+ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
+ const EVP_MD *evpmd, const unsigned char *seed_in,
+- size_t seed_len, unsigned char *seed_out,
++ size_t seed_len,
+ int *counter_ret, unsigned long *h_ret,
+ BN_GENCB *cb);
+
+diff -up openssl-1.0.2i/crypto/dsa/dsa_ossl.c.fips openssl-1.0.2i/crypto/dsa/dsa_ossl.c
+--- openssl-1.0.2i/crypto/dsa/dsa_ossl.c.fips 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/dsa/dsa_ossl.c 2016-09-22 13:35:57.010220836 +0200
+@@ -65,6 +65,9 @@
+ #include <openssl/dsa.h>
+ #include <openssl/rand.h>
+ #include <openssl/asn1.h>
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
+
+ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
+ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
+@@ -83,7 +86,7 @@ static DSA_METHOD openssl_dsa_meth = {
+ NULL, /* dsa_bn_mod_exp, */
+ dsa_init,
+ dsa_finish,
+- 0,
++ DSA_FLAG_FIPS_METHOD,
+ NULL,
+ NULL,
+ NULL
+@@ -140,6 +143,19 @@ static DSA_SIG *dsa_do_sign(const unsign
+ DSA_SIG *ret = NULL;
+ int noredo = 0;
+
++#ifdef OPENSSL_FIPS
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_DSA_DO_SIGN, FIPS_R_FIPS_SELFTEST_FAILED);
++ return NULL;
++ }
++
++ if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
++ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) {
++ DSAerr(DSA_F_DSA_DO_SIGN, DSA_R_KEY_SIZE_TOO_SMALL);
++ return NULL;
++ }
++#endif
++
+ BN_init(&m);
+ BN_init(&xr);
+
+@@ -335,6 +351,18 @@ static int dsa_do_verify(const unsigned
+ DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_BAD_Q_VALUE);
+ return -1;
+ }
++#ifdef OPENSSL_FIPS
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_DSA_DO_VERIFY, FIPS_R_FIPS_SELFTEST_FAILED);
++ return -1;
++ }
++
++ if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
++ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) {
++ DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_KEY_SIZE_TOO_SMALL);
++ return -1;
++ }
++#endif
+
+ if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) {
+ DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_MODULUS_TOO_LARGE);
+@@ -415,6 +443,9 @@ static int dsa_do_verify(const unsigned
+
+ static int dsa_init(DSA *dsa)
+ {
++#ifdef OPENSSL_FIPS
++ FIPS_selftest_check();
++#endif
+ dsa->flags |= DSA_FLAG_CACHE_MONT_P;
+ return (1);
+ }
+diff -up openssl-1.0.2i/crypto/dsa/dsa_pmeth.c.fips openssl-1.0.2i/crypto/dsa/dsa_pmeth.c
+--- openssl-1.0.2i/crypto/dsa/dsa_pmeth.c.fips 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/dsa/dsa_pmeth.c 2016-09-22 13:35:57.010220836 +0200
+@@ -253,7 +253,7 @@ static int pkey_dsa_paramgen(EVP_PKEY_CT
+ if (!dsa)
+ return 0;
+ ret = dsa_builtin_paramgen(dsa, dctx->nbits, dctx->qbits, dctx->pmd,
+- NULL, 0, NULL, NULL, NULL, pcb);
++ NULL, 0, NULL, NULL, pcb);
+ if (ret)
+ EVP_PKEY_assign_DSA(pkey, dsa);
+ else
+diff -up openssl-1.0.2i/crypto/dsa/dsatest.c.fips openssl-1.0.2i/crypto/dsa/dsatest.c
+--- openssl-1.0.2i/crypto/dsa/dsatest.c.fips 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/dsa/dsatest.c 2016-09-22 13:35:57.010220836 +0200
+@@ -100,36 +100,41 @@ static int MS_CALLBACK dsa_cb(int p, int
+ * PUB 186 and also appear in Appendix 5 to FIPS PIB 186-1
+ */
+ static unsigned char seed[20] = {
+- 0xd5, 0x01, 0x4e, 0x4b, 0x60, 0xef, 0x2b, 0xa8, 0xb6, 0x21, 0x1b, 0x40,
+- 0x62, 0xba, 0x32, 0x24, 0xe0, 0x42, 0x7d, 0xd3,
++ 0x02, 0x47, 0x11, 0x92, 0x11, 0x88, 0xC8, 0xFB, 0xAF, 0x48, 0x4C, 0x62,
++ 0xDF, 0xA5, 0xBE, 0xA0, 0xA4, 0x3C, 0x56, 0xE3,
+ };
+
+ static unsigned char out_p[] = {
+- 0x8d, 0xf2, 0xa4, 0x94, 0x49, 0x22, 0x76, 0xaa,
+- 0x3d, 0x25, 0x75, 0x9b, 0xb0, 0x68, 0x69, 0xcb,
+- 0xea, 0xc0, 0xd8, 0x3a, 0xfb, 0x8d, 0x0c, 0xf7,
+- 0xcb, 0xb8, 0x32, 0x4f, 0x0d, 0x78, 0x82, 0xe5,
+- 0xd0, 0x76, 0x2f, 0xc5, 0xb7, 0x21, 0x0e, 0xaf,
+- 0xc2, 0xe9, 0xad, 0xac, 0x32, 0xab, 0x7a, 0xac,
+- 0x49, 0x69, 0x3d, 0xfb, 0xf8, 0x37, 0x24, 0xc2,
+- 0xec, 0x07, 0x36, 0xee, 0x31, 0xc8, 0x02, 0x91,
++ 0xAC, 0xCB, 0x1E, 0x63, 0x60, 0x69, 0x0C, 0xFB, 0x06, 0x19, 0x68, 0x3E,
++ 0xA5, 0x01, 0x5A, 0xA2, 0x15, 0x5C, 0xE2, 0x99, 0x2D, 0xD5, 0x30, 0x99,
++ 0x7E, 0x5F, 0x8D, 0xE2, 0xF7, 0xC6, 0x2E, 0x8D, 0xA3, 0x9F, 0x58, 0xAD,
++ 0xD6, 0xA9, 0x7D, 0x0E, 0x0D, 0x95, 0x53, 0xA6, 0x71, 0x3A, 0xDE, 0xAB,
++ 0xAC, 0xE9, 0xF4, 0x36, 0x55, 0x9E, 0xB9, 0xD6, 0x93, 0xBF, 0xF3, 0x18,
++ 0x1C, 0x14, 0x7B, 0xA5, 0x42, 0x2E, 0xCD, 0x00, 0xEB, 0x35, 0x3B, 0x1B,
++ 0xA8, 0x51, 0xBB, 0xE1, 0x58, 0x42, 0x85, 0x84, 0x22, 0xA7, 0x97, 0x5E,
++ 0x99, 0x6F, 0x38, 0x20, 0xBD, 0x9D, 0xB6, 0xD9, 0x33, 0x37, 0x2A, 0xFD,
++ 0xBB, 0xD4, 0xBC, 0x0C, 0x2A, 0x67, 0xCB, 0x9F, 0xBB, 0xDF, 0xF9, 0x93,
++ 0xAA, 0xD6, 0xF0, 0xD6, 0x95, 0x0B, 0x5D, 0x65, 0x14, 0xD0, 0x18, 0x9D,
++ 0xC6, 0xAF, 0xF0, 0xC6, 0x37, 0x7C, 0xF3, 0x5F,
+ };
+
+ static unsigned char out_q[] = {
+- 0xc7, 0x73, 0x21, 0x8c, 0x73, 0x7e, 0xc8, 0xee,
+- 0x99, 0x3b, 0x4f, 0x2d, 0xed, 0x30, 0xf4, 0x8e,
+- 0xda, 0xce, 0x91, 0x5f,
++ 0xE3, 0x8E, 0x5E, 0x6D, 0xBF, 0x2B, 0x79, 0xF8, 0xC5, 0x4B, 0x89, 0x8B,
++ 0xBA, 0x2D, 0x91, 0xC3, 0x6C, 0x80, 0xAC, 0x87,
+ };
+
+ static unsigned char out_g[] = {
+- 0x62, 0x6d, 0x02, 0x78, 0x39, 0xea, 0x0a, 0x13,
+- 0x41, 0x31, 0x63, 0xa5, 0x5b, 0x4c, 0xb5, 0x00,
+- 0x29, 0x9d, 0x55, 0x22, 0x95, 0x6c, 0xef, 0xcb,
+- 0x3b, 0xff, 0x10, 0xf3, 0x99, 0xce, 0x2c, 0x2e,
+- 0x71, 0xcb, 0x9d, 0xe5, 0xfa, 0x24, 0xba, 0xbf,
+- 0x58, 0xe5, 0xb7, 0x95, 0x21, 0x92, 0x5c, 0x9c,
+- 0xc4, 0x2e, 0x9f, 0x6f, 0x46, 0x4b, 0x08, 0x8c,
+- 0xc5, 0x72, 0xaf, 0x53, 0xe6, 0xd7, 0x88, 0x02,
++ 0x42, 0x4A, 0x04, 0x4E, 0x79, 0xB4, 0x99, 0x7F, 0xFD, 0x58, 0x36, 0x2C,
++ 0x1B, 0x5F, 0x18, 0x7E, 0x0D, 0xCC, 0xAB, 0x81, 0xC9, 0x5D, 0x10, 0xCE,
++ 0x4E, 0x80, 0x7E, 0x58, 0xB4, 0x34, 0x3F, 0xA7, 0x45, 0xC7, 0xAA, 0x36,
++ 0x24, 0x42, 0xA9, 0x3B, 0xE8, 0x0E, 0x04, 0x02, 0x2D, 0xFB, 0xA6, 0x13,
++ 0xB9, 0xB5, 0x15, 0xA5, 0x56, 0x07, 0x35, 0xE4, 0x03, 0xB6, 0x79, 0x7C,
++ 0x62, 0xDD, 0xDF, 0x3F, 0x71, 0x3A, 0x9D, 0x8B, 0xC4, 0xF6, 0xE7, 0x1D,
++ 0x52, 0xA8, 0xA9, 0x43, 0x1D, 0x33, 0x51, 0x88, 0x39, 0xBD, 0x73, 0xE9,
++ 0x5F, 0xBE, 0x82, 0x49, 0x27, 0xE6, 0xB5, 0x53, 0xC1, 0x38, 0xAC, 0x2F,
++ 0x6D, 0x97, 0x6C, 0xEB, 0x67, 0xC1, 0x5F, 0x67, 0xF8, 0x35, 0x05, 0x5E,
++ 0xD5, 0x68, 0x80, 0xAA, 0x96, 0xCA, 0x0B, 0x8A, 0xE6, 0xF1, 0xB1, 0x41,
++ 0xC6, 0x75, 0x94, 0x0A, 0x0A, 0x2A, 0xFA, 0x29,
+ };
+
+ static const unsigned char str1[] = "12345678901234567890";
+@@ -162,7 +167,7 @@ int main(int argc, char **argv)
+ BIO_printf(bio_err, "test generation of DSA parameters\n");
+
+ BN_GENCB_set(&cb, dsa_cb, bio_err);
+- if (((dsa = DSA_new()) == NULL) || !DSA_generate_parameters_ex(dsa, 512,
++ if (((dsa = DSA_new()) == NULL) || !DSA_generate_parameters_ex(dsa, 1024,
+ seed, 20,
+ &counter,
+ &h, &cb))
+@@ -176,8 +181,8 @@ int main(int argc, char **argv)
+ BIO_printf(bio_err, "\ncounter=%d h=%ld\n", counter, h);
+
+ DSA_print(bio_err, dsa, 0);
+- if (counter != 105) {
+- BIO_printf(bio_err, "counter should be 105\n");
++ if (counter != 239) {
++ BIO_printf(bio_err, "counter should be 239\n");
+ goto end;
+ }
+ if (h != 2) {
+diff -up openssl-1.0.2i/crypto/engine/eng_all.c.fips openssl-1.0.2i/crypto/engine/eng_all.c
+--- openssl-1.0.2i/crypto/engine/eng_all.c.fips 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/engine/eng_all.c 2016-09-22 13:35:57.011220859 +0200
+@@ -59,11 +59,25 @@
+
+ #include "cryptlib.h"
+ #include "eng_int.h"
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
+
+ void ENGINE_load_builtin_engines(void)
+ {
+ /* Some ENGINEs need this */
+ OPENSSL_cpuid_setup();
++#ifdef OPENSSL_FIPS
++ OPENSSL_init_library();
++ if (FIPS_mode()) {
++ /* We allow loading dynamic engine as a third party
++ engine might be FIPS validated.
++ User is disallowed to load non-validated engines
++ by security policy. */
++ ENGINE_load_dynamic();
++ return;
++ }
++#endif
+ #if 0
+ /*
+ * There's no longer any need for an "openssl" ENGINE unless, one day, it
+diff -up openssl-1.0.2i/crypto/evp/c_allc.c.fips openssl-1.0.2i/crypto/evp/c_allc.c
+--- openssl-1.0.2i/crypto/evp/c_allc.c.fips 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/evp/c_allc.c 2016-09-22 13:35:57.011220859 +0200
+@@ -65,6 +65,10 @@
+ void OpenSSL_add_all_ciphers(void)
+ {
+
++#ifdef OPENSSL_FIPS
++ OPENSSL_init_library();
++ if (!FIPS_mode()) {
++#endif
+ #ifndef OPENSSL_NO_DES
+ EVP_add_cipher(EVP_des_cfb());
+ EVP_add_cipher(EVP_des_cfb1());
+@@ -238,4 +242,64 @@ void OpenSSL_add_all_ciphers(void)
+ EVP_add_cipher_alias(SN_camellia_256_cbc, "CAMELLIA256");
+ EVP_add_cipher_alias(SN_camellia_256_cbc, "camellia256");
+ #endif
++#ifdef OPENSSL_FIPS
++ } else {
++# ifndef OPENSSL_NO_DES
++ EVP_add_cipher(EVP_des_ede_cfb());
++ EVP_add_cipher(EVP_des_ede3_cfb());
++
++ EVP_add_cipher(EVP_des_ede_ofb());
++ EVP_add_cipher(EVP_des_ede3_ofb());
++
++ EVP_add_cipher(EVP_des_ede_cbc());
++ EVP_add_cipher(EVP_des_ede3_cbc());
++ EVP_add_cipher_alias(SN_des_ede3_cbc, "DES3");
++ EVP_add_cipher_alias(SN_des_ede3_cbc, "des3");
++
++ EVP_add_cipher(EVP_des_ede());
++ EVP_add_cipher(EVP_des_ede3());
++# endif
++
++# ifndef OPENSSL_NO_AES
++ EVP_add_cipher(EVP_aes_128_ecb());
++ EVP_add_cipher(EVP_aes_128_cbc());
++ EVP_add_cipher(EVP_aes_128_cfb());
++ EVP_add_cipher(EVP_aes_128_cfb1());
++ EVP_add_cipher(EVP_aes_128_cfb8());
++ EVP_add_cipher(EVP_aes_128_ofb());
++ EVP_add_cipher(EVP_aes_128_ctr());
++ EVP_add_cipher(EVP_aes_128_gcm());
++ EVP_add_cipher(EVP_aes_128_xts());
++ EVP_add_cipher(EVP_aes_128_ccm());
++ EVP_add_cipher(EVP_aes_128_wrap());
++ EVP_add_cipher_alias(SN_aes_128_cbc, "AES128");
++ EVP_add_cipher_alias(SN_aes_128_cbc, "aes128");
++ EVP_add_cipher(EVP_aes_192_ecb());
++ EVP_add_cipher(EVP_aes_192_cbc());
++ EVP_add_cipher(EVP_aes_192_cfb());
++ EVP_add_cipher(EVP_aes_192_cfb1());
++ EVP_add_cipher(EVP_aes_192_cfb8());
++ EVP_add_cipher(EVP_aes_192_ofb());
++ EVP_add_cipher(EVP_aes_192_ctr());
++ EVP_add_cipher(EVP_aes_192_gcm());
++ EVP_add_cipher(EVP_aes_192_ccm());
++ EVP_add_cipher(EVP_aes_192_wrap());
++ EVP_add_cipher_alias(SN_aes_192_cbc, "AES192");
++ EVP_add_cipher_alias(SN_aes_192_cbc, "aes192");
++ EVP_add_cipher(EVP_aes_256_ecb());
++ EVP_add_cipher(EVP_aes_256_cbc());
++ EVP_add_cipher(EVP_aes_256_cfb());
++ EVP_add_cipher(EVP_aes_256_cfb1());
++ EVP_add_cipher(EVP_aes_256_cfb8());
++ EVP_add_cipher(EVP_aes_256_ofb());
++ EVP_add_cipher(EVP_aes_256_ctr());
++ EVP_add_cipher(EVP_aes_256_gcm());
++ EVP_add_cipher(EVP_aes_256_xts());
++ EVP_add_cipher(EVP_aes_256_ccm());
++ EVP_add_cipher(EVP_aes_256_wrap());
++ EVP_add_cipher_alias(SN_aes_256_cbc, "AES256");
++ EVP_add_cipher_alias(SN_aes_256_cbc, "aes256");
++# endif
++ }
++#endif
+ }
+diff -up openssl-1.0.2i/crypto/evp/c_alld.c.fips openssl-1.0.2i/crypto/evp/c_alld.c
+--- openssl-1.0.2i/crypto/evp/c_alld.c.fips 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/evp/c_alld.c 2016-09-22 13:35:57.011220859 +0200
+@@ -64,51 +64,81 @@
+
+ void OpenSSL_add_all_digests(void)
+ {
++#ifdef OPENSSL_FIPS
++ OPENSSL_init_library();
++ if (!FIPS_mode()) {
++#endif
+ #ifndef OPENSSL_NO_MD4
+- EVP_add_digest(EVP_md4());
++ EVP_add_digest(EVP_md4());
+ #endif
+ #ifndef OPENSSL_NO_MD5
+- EVP_add_digest(EVP_md5());
+- EVP_add_digest_alias(SN_md5, "ssl2-md5");
+- EVP_add_digest_alias(SN_md5, "ssl3-md5");
++ EVP_add_digest(EVP_md5());
++ EVP_add_digest_alias(SN_md5, "ssl2-md5");
++ EVP_add_digest_alias(SN_md5, "ssl3-md5");
+ #endif
+ #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA0)
+- EVP_add_digest(EVP_sha());
++ EVP_add_digest(EVP_sha());
+ # ifndef OPENSSL_NO_DSA
+- EVP_add_digest(EVP_dss());
++ EVP_add_digest(EVP_dss());
+ # endif
+ #endif
+ #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
+- EVP_add_digest(EVP_sha1());
+- EVP_add_digest_alias(SN_sha1, "ssl3-sha1");
+- EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA);
++ EVP_add_digest(EVP_sha1());
++ EVP_add_digest_alias(SN_sha1, "ssl3-sha1");
++ EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA);
+ # ifndef OPENSSL_NO_DSA
+- EVP_add_digest(EVP_dss1());
+- EVP_add_digest_alias(SN_dsaWithSHA1, SN_dsaWithSHA1_2);
+- EVP_add_digest_alias(SN_dsaWithSHA1, "DSS1");
+- EVP_add_digest_alias(SN_dsaWithSHA1, "dss1");
++ EVP_add_digest(EVP_dss1());
++ EVP_add_digest_alias(SN_dsaWithSHA1, SN_dsaWithSHA1_2);
++ EVP_add_digest_alias(SN_dsaWithSHA1, "DSS1");
++ EVP_add_digest_alias(SN_dsaWithSHA1, "dss1");
+ # endif
+ # ifndef OPENSSL_NO_ECDSA
+- EVP_add_digest(EVP_ecdsa());
++ EVP_add_digest(EVP_ecdsa());
+ # endif
+ #endif
+ #if !defined(OPENSSL_NO_MDC2) && !defined(OPENSSL_NO_DES)
+- EVP_add_digest(EVP_mdc2());
++ EVP_add_digest(EVP_mdc2());
+ #endif
+ #ifndef OPENSSL_NO_RIPEMD
+- EVP_add_digest(EVP_ripemd160());
+- EVP_add_digest_alias(SN_ripemd160, "ripemd");
+- EVP_add_digest_alias(SN_ripemd160, "rmd160");
++ EVP_add_digest(EVP_ripemd160());
++ EVP_add_digest_alias(SN_ripemd160, "ripemd");
++ EVP_add_digest_alias(SN_ripemd160, "rmd160");
+ #endif
+ #ifndef OPENSSL_NO_SHA256
+- EVP_add_digest(EVP_sha224());
+- EVP_add_digest(EVP_sha256());
++ EVP_add_digest(EVP_sha224());
++ EVP_add_digest(EVP_sha256());
+ #endif
+ #ifndef OPENSSL_NO_SHA512
+- EVP_add_digest(EVP_sha384());
+- EVP_add_digest(EVP_sha512());
++ EVP_add_digest(EVP_sha384());
++ EVP_add_digest(EVP_sha512());
+ #endif
+ #ifndef OPENSSL_NO_WHIRLPOOL
+- EVP_add_digest(EVP_whirlpool());
++ EVP_add_digest(EVP_whirlpool());
++#endif
++#ifdef OPENSSL_FIPS
++ } else {
++# if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
++ EVP_add_digest(EVP_sha1());
++ EVP_add_digest_alias(SN_sha1, "ssl3-sha1");
++ EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA);
++# ifndef OPENSSL_NO_DSA
++ EVP_add_digest(EVP_dss1());
++ EVP_add_digest_alias(SN_dsaWithSHA1, SN_dsaWithSHA1_2);
++ EVP_add_digest_alias(SN_dsaWithSHA1, "DSS1");
++ EVP_add_digest_alias(SN_dsaWithSHA1, "dss1");
++# endif
++# ifndef OPENSSL_NO_ECDSA
++ EVP_add_digest(EVP_ecdsa());
++# endif
++# endif
++# ifndef OPENSSL_NO_SHA256
++ EVP_add_digest(EVP_sha224());
++ EVP_add_digest(EVP_sha256());
++# endif
++# ifndef OPENSSL_NO_SHA512
++ EVP_add_digest(EVP_sha384());
++ EVP_add_digest(EVP_sha512());
++# endif
++ }
+ #endif
+ }
+diff -up openssl-1.0.2i/crypto/evp/digest.c.fips openssl-1.0.2i/crypto/evp/digest.c
+--- openssl-1.0.2i/crypto/evp/digest.c.fips 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/evp/digest.c 2016-09-22 13:45:40.054658929 +0200
+@@ -143,18 +143,55 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, cons
+ return EVP_DigestInit_ex(ctx, type, NULL);
+ }
+
++#ifdef OPENSSL_FIPS
++
++/* The purpose of these is to trap programs that attempt to use non FIPS
++ * algorithms in FIPS mode and ignore the errors.
++ */
++
++static int bad_init(EVP_MD_CTX *ctx)
++{
++ FIPS_ERROR_IGNORED("Digest init");
++ return 0;
++}
++
++static int bad_update(EVP_MD_CTX *ctx, const void *data, size_t count)
++{
++ FIPS_ERROR_IGNORED("Digest update");
++ return 0;
++}
++
++static int bad_final(EVP_MD_CTX *ctx, unsigned char *md)
++{
++ FIPS_ERROR_IGNORED("Digest Final");
++ return 0;
++}
++
++static const EVP_MD bad_md = {
++ 0,
++ 0,
++ 0,
++ 0,
++ bad_init,
++ bad_update,
++ bad_final,
++ NULL,
++ NULL,
++ NULL,
++ 0,
++ {0, 0, 0, 0},
++};
++
++#endif
++
+ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
+ {
+ EVP_MD_CTX_clear_flags(ctx, EVP_MD_CTX_FLAG_CLEANED);
+ #ifdef OPENSSL_FIPS
+- /* If FIPS mode switch to approved implementation if possible */
+- if (FIPS_mode()) {
+- const EVP_MD *fipsmd;
+- if (type) {
+- fipsmd = evp_get_fips_md(type);
+- if (fipsmd)
+- type = fipsmd;
+- }
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_EVP_DIGESTINIT_EX, FIPS_R_FIPS_SELFTEST_FAILED);
++ ctx->digest = &bad_md;
++ return 0;
+ }
+ #endif
+ #ifndef OPENSSL_NO_ENGINE
+@@ -212,6 +249,16 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c
+ }
+ #endif
+ if (ctx->digest != type) {
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode()) {
++ if (!(type->flags & EVP_MD_FLAG_FIPS)
++ && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)) {
++ EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS);
++ ctx->digest = &bad_md;
++ return 0;
++ }
++ }
++#endif
+ if (ctx->digest && ctx->digest->ctx_size) {
+ OPENSSL_free(ctx->md_data);
+ ctx->md_data = NULL;
+@@ -238,23 +285,13 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c
+ }
+ if (ctx->flags & EVP_MD_CTX_FLAG_NO_INIT)
+ return 1;
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode()) {
+- if (FIPS_digestinit(ctx, type))
+- return 1;
+- OPENSSL_free(ctx->md_data);
+- ctx->md_data = NULL;
+- return 0;
+- }
+-#endif
+ return ctx->digest->init(ctx);
+ }
+
+ int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count)
+ {
+ #ifdef OPENSSL_FIPS
+- if (FIPS_mode())
+- return FIPS_digestupdate(ctx, data, count);
++ FIPS_selftest_check();
+ #endif
+ return ctx->update(ctx, data, count);
+ }
+@@ -272,11 +309,10 @@ int EVP_DigestFinal(EVP_MD_CTX *ctx, uns
+ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
+ {
+ int ret;
++
+ #ifdef OPENSSL_FIPS
+- if (FIPS_mode())
+- return FIPS_digestfinal(ctx, md, size);
++ FIPS_selftest_check();
+ #endif
+-
+ OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
+ ret = ctx->digest->final(ctx, md);
+ if (size != NULL)
+@@ -375,7 +411,6 @@ void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx)
+ /* This call frees resources associated with the context */
+ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
+ {
+-#ifndef OPENSSL_FIPS
+ /*
+ * Don't assume ctx->md_data was cleaned in EVP_Digest_Final, because
+ * sometimes only copies of the context are ever finalised.
+@@ -388,7 +423,6 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
+ OPENSSL_cleanse(ctx->md_data, ctx->digest->ctx_size);
+ OPENSSL_free(ctx->md_data);
+ }
+-#endif
+ if (ctx->pctx)
+ EVP_PKEY_CTX_free(ctx->pctx);
+ #ifndef OPENSSL_NO_ENGINE
+@@ -399,9 +433,6 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
+ */
+ ENGINE_finish(ctx->engine);
+ #endif
+-#ifdef OPENSSL_FIPS
+- FIPS_md_ctx_cleanup(ctx);
+-#endif
+ memset(ctx, '\0', sizeof *ctx);
+
+ return 1;
+diff -up openssl-1.0.2i/crypto/evp/e_aes.c.fips openssl-1.0.2i/crypto/evp/e_aes.c
+--- openssl-1.0.2i/crypto/evp/e_aes.c.fips 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/evp/e_aes.c 2016-09-22 13:35:57.011220859 +0200
+@@ -60,9 +60,6 @@
+ # include "modes_lcl.h"
+ # include <openssl/rand.h>
+
+-# undef EVP_CIPH_FLAG_FIPS
+-# define EVP_CIPH_FLAG_FIPS 0
+-
+ typedef struct {
+ union {
+ double align;
+@@ -1159,6 +1156,11 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *
+ case EVP_CTRL_GCM_SET_IVLEN:
+ if (arg <= 0)
+ return 0;
++# ifdef OPENSSL_FIPS
++ if (FIPS_module_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)
++ && arg < 12)
++ return 0;
++# endif
+ /* Allocate memory for IV if needed */
+ if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) {
+ if (gctx->iv != c->iv)
+@@ -1727,6 +1729,14 @@ static int aes_xts_cipher(EVP_CIPHER_CTX
+ return 0;
+ if (!out || !in || len < AES_BLOCK_SIZE)
+ return 0;
++# ifdef OPENSSL_FIPS
++ /* Requirement of SP800-38E */
++ if (FIPS_module_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) &&
++ (len > (1UL << 20) * 16)) {
++ EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_TOO_LARGE);
++ return 0;
++ }
++# endif
+ if (xctx->stream)
+ (*xctx->stream) (in, out, len,
+ xctx->xts.key1, xctx->xts.key2, ctx->iv);
+diff -up openssl-1.0.2i/crypto/evp/e_des3.c.fips openssl-1.0.2i/crypto/evp/e_des3.c
+--- openssl-1.0.2i/crypto/evp/e_des3.c.fips 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/evp/e_des3.c 2016-09-22 13:35:57.012220882 +0200
+@@ -65,10 +65,6 @@
+ # include <openssl/des.h>
+ # include <openssl/rand.h>
+
+-/* Block use of implementations in FIPS mode */
+-# undef EVP_CIPH_FLAG_FIPS
+-# define EVP_CIPH_FLAG_FIPS 0
+-
+ typedef struct {
+ union {
+ double align;
+diff -up openssl-1.0.2i/crypto/evp/e_null.c.fips openssl-1.0.2i/crypto/evp/e_null.c
+--- openssl-1.0.2i/crypto/evp/e_null.c.fips 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/evp/e_null.c 2016-09-22 13:35:57.012220882 +0200
+@@ -68,7 +68,7 @@ static int null_cipher(EVP_CIPHER_CTX *c
+ static const EVP_CIPHER n_cipher = {
+ NID_undef,
+ 1, 0, 0,
+- 0,
++ EVP_CIPH_FLAG_FIPS,
+ null_init_key,
+ null_cipher,
+ NULL,
+diff -up openssl-1.0.2i/crypto/evp/evp_enc.c.fips openssl-1.0.2i/crypto/evp/evp_enc.c
+--- openssl-1.0.2i/crypto/evp/evp_enc.c.fips 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/evp/evp_enc.c 2016-09-22 13:46:12.998418222 +0200
+@@ -69,16 +69,73 @@
+ #endif
+ #include "evp_locl.h"
+
+-#ifdef OPENSSL_FIPS
+-# define M_do_cipher(ctx, out, in, inl) FIPS_cipher(ctx, out, in, inl)
+-#else
+-# define M_do_cipher(ctx, out, in, inl) ctx->cipher->do_cipher(ctx, out, in, inl)
+-#endif
++#define M_do_cipher(ctx, out, in, inl) ctx->cipher->do_cipher(ctx, out, in, inl)
+
+ const char EVP_version[] = "EVP" OPENSSL_VERSION_PTEXT;
+
++#ifdef OPENSSL_FIPS
++
++/* The purpose of these is to trap programs that attempt to use non FIPS
++ * algorithms in FIPS mode and ignore the errors.
++ */
++
++static int bad_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
++ const unsigned char *iv, int enc)
++{
++ FIPS_ERROR_IGNORED("Cipher init");
++ return 0;
++}
++
++static int bad_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
++ const unsigned char *in, unsigned int inl)
++{
++ FIPS_ERROR_IGNORED("Cipher update");
++ return 0;
++}
++
++/* NB: no cleanup because it is allowed after failed init */
++
++static int bad_set_asn1(EVP_CIPHER_CTX *ctx, ASN1_TYPE *typ)
++{
++ FIPS_ERROR_IGNORED("Cipher set_asn1");
++ return 0;
++}
++
++static int bad_get_asn1(EVP_CIPHER_CTX *ctx, ASN1_TYPE *typ)
++{
++ FIPS_ERROR_IGNORED("Cipher get_asn1");
++ return 0;
++}
++
++static int bad_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
++{
++ FIPS_ERROR_IGNORED("Cipher ctrl");
++ return 0;
++}
++
++static const EVP_CIPHER bad_cipher = {
++ 0,
++ 0,
++ 0,
++ 0,
++ 0,
++ bad_init,
++ bad_do_cipher,
++ NULL,
++ 0,
++ bad_set_asn1,
++ bad_get_asn1,
++ bad_ctrl,
++ NULL
++};
++
++#endif
++
+ void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *ctx)
+ {
++#ifdef OPENSSL_FIPS
++ FIPS_selftest_check();
++#endif
+ memset(ctx, 0, sizeof(EVP_CIPHER_CTX));
+ /* ctx->cipher=NULL; */
+ }
+@@ -110,6 +167,13 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct
+ enc = 1;
+ ctx->encrypt = enc;
+ }
++#ifdef OPENSSL_FIPS
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_EVP_CIPHERINIT_EX, FIPS_R_FIPS_SELFTEST_FAILED);
++ ctx->cipher = &bad_cipher;
++ return 0;
++ }
++#endif
+ #ifndef OPENSSL_NO_ENGINE
+ /*
+ * Whether it's nice or not, "Inits" can be used on "Final"'d contexts so
+@@ -168,16 +232,6 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct
+ ctx->engine = NULL;
+ #endif
+
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode()) {
+- const EVP_CIPHER *fcipher = NULL;
+- if (cipher)
+- fcipher = evp_get_fips_cipher(cipher);
+- if (fcipher)
+- cipher = fcipher;
+- return FIPS_cipherinit(ctx, cipher, key, iv, enc);
+- }
+-#endif
+ ctx->cipher = cipher;
+ if (ctx->cipher->ctx_size) {
+ ctx->cipher_data = OPENSSL_malloc(ctx->cipher->ctx_size);
+@@ -204,10 +258,6 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct
+ #ifndef OPENSSL_NO_ENGINE
+ skip_to_init:
+ #endif
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode())
+- return FIPS_cipherinit(ctx, cipher, key, iv, enc);
+-#endif
+ /* we assume block size is a power of 2 in *cryptUpdate */
+ OPENSSL_assert(ctx->cipher->block_size == 1
+ || ctx->cipher->block_size == 8
+@@ -253,6 +303,19 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct
+ break;
+ }
+ }
++#ifdef OPENSSL_FIPS
++ /* After 'key' is set no further parameters changes are permissible.
++ * So only check for non FIPS enabling at this point.
++ */
++ if (key && FIPS_mode()) {
++ if (!(ctx->cipher->flags & EVP_CIPH_FLAG_FIPS)
++ & !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)) {
++ EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_DISABLED_FOR_FIPS);
++ ctx->cipher = &bad_cipher;
++ return 0;
++ }
++ }
++#endif
+
+ if (key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) {
+ if (!ctx->cipher->init(ctx, key, iv, enc))
+@@ -554,7 +617,6 @@ void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX
+
+ int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c)
+ {
+-#ifndef OPENSSL_FIPS
+ if (c->cipher != NULL) {
+ if (c->cipher->cleanup && !c->cipher->cleanup(c))
+ return 0;
+@@ -564,7 +626,6 @@ int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CT
+ }
+ if (c->cipher_data)
+ OPENSSL_free(c->cipher_data);
+-#endif
+ #ifndef OPENSSL_NO_ENGINE
+ if (c->engine)
+ /*
+@@ -573,9 +634,6 @@ int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CT
+ */
+ ENGINE_finish(c->engine);
+ #endif
+-#ifdef OPENSSL_FIPS
+- FIPS_cipher_ctx_cleanup(c);
+-#endif
+ memset(c, 0, sizeof(EVP_CIPHER_CTX));
+ return 1;
+ }
+diff -up openssl-1.0.2i/crypto/evp/evp.h.fips openssl-1.0.2i/crypto/evp/evp.h
+--- openssl-1.0.2i/crypto/evp/evp.h.fips 2016-09-22 13:35:56.902218346 +0200
++++ openssl-1.0.2i/crypto/evp/evp.h 2016-09-22 13:35:57.012220882 +0200
+@@ -122,6 +122,10 @@
+ extern "C" {
+ #endif
+
++# ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++# endif
++
+ /*
+ * Type needs to be a bit field Sub-type needs to be for variations on the
+ * method, as in, can it do arbitrary encryption....
+@@ -285,11 +289,6 @@ struct env_md_ctx_st {
+ * cleaned */
+ # define EVP_MD_CTX_FLAG_REUSE 0x0004/* Don't free up ctx->md_data
+ * in EVP_MD_CTX_cleanup */
+-/*
+- * FIPS and pad options are ignored in 1.0.0, definitions are here so we
+- * don't accidentally reuse the values for other purposes.
+- */
+-
+ # define EVP_MD_CTX_FLAG_NON_FIPS_ALLOW 0x0008/* Allow use of non FIPS
+ * digest in FIPS mode */
+
+@@ -302,6 +301,10 @@ struct env_md_ctx_st {
+ # define EVP_MD_CTX_FLAG_PAD_PKCS1 0x00/* PKCS#1 v1.5 mode */
+ # define EVP_MD_CTX_FLAG_PAD_X931 0x10/* X9.31 mode */
+ # define EVP_MD_CTX_FLAG_PAD_PSS 0x20/* PSS mode */
++# define M_EVP_MD_CTX_FLAG_PSS_SALT(ctx) \
++ ((ctx->flags>>16) &0xFFFF) /* seed length */
++# define EVP_MD_CTX_FLAG_PSS_MDLEN 0xFFFF/* salt len same as digest */
++# define EVP_MD_CTX_FLAG_PSS_MREC 0xFFFE/* salt max or auto recovered */
+
+ # define EVP_MD_CTX_FLAG_NO_INIT 0x0100/* Don't initialize md_data */
+
+@@ -363,15 +366,15 @@ struct evp_cipher_st {
+ /* cipher handles random key generation */
+ # define EVP_CIPH_RAND_KEY 0x200
+ /* cipher has its own additional copying logic */
+-# define EVP_CIPH_CUSTOM_COPY 0x400
++# define EVP_CIPH_CUSTOM_COPY 0x4000
+ /* Allow use default ASN1 get/set iv */
+ # define EVP_CIPH_FLAG_DEFAULT_ASN1 0x1000
+ /* Buffer length in bits not bytes: CFB1 mode only */
+ # define EVP_CIPH_FLAG_LENGTH_BITS 0x2000
+ /* Note if suitable for use in FIPS mode */
+-# define EVP_CIPH_FLAG_FIPS 0x4000
++# define EVP_CIPH_FLAG_FIPS 0x400
+ /* Allow non FIPS cipher in FIPS mode */
+-# define EVP_CIPH_FLAG_NON_FIPS_ALLOW 0x8000
++# define EVP_CIPH_FLAG_NON_FIPS_ALLOW 0x800
+ /*
+ * Cipher handles any and all padding logic as well as finalisation.
+ */
+diff -up openssl-1.0.2i/crypto/evp/evp_lib.c.fips openssl-1.0.2i/crypto/evp/evp_lib.c
+--- openssl-1.0.2i/crypto/evp/evp_lib.c.fips 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/evp/evp_lib.c 2016-09-22 13:35:57.012220882 +0200
+@@ -60,10 +60,6 @@
+ #include "cryptlib.h"
+ #include <openssl/evp.h>
+ #include <openssl/objects.h>
+-#ifdef OPENSSL_FIPS
+-# include <openssl/fips.h>
+-# include "evp_locl.h"
+-#endif
+
+ int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
+ {
+@@ -224,6 +220,9 @@ int EVP_CIPHER_CTX_block_size(const EVP_
+ int EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+ const unsigned char *in, unsigned int inl)
+ {
++#ifdef OPENSSL_FIPS
++ FIPS_selftest_check();
++#endif
+ return ctx->cipher->do_cipher(ctx, out, in, inl);
+ }
+
+@@ -234,22 +233,12 @@ const EVP_CIPHER *EVP_CIPHER_CTX_cipher(
+
+ unsigned long EVP_CIPHER_flags(const EVP_CIPHER *cipher)
+ {
+-#ifdef OPENSSL_FIPS
+- const EVP_CIPHER *fcipher;
+- fcipher = evp_get_fips_cipher(cipher);
+- if (fcipher && fcipher->flags & EVP_CIPH_FLAG_FIPS)
+- return cipher->flags | EVP_CIPH_FLAG_FIPS;
+-#endif
+ return cipher->flags;
+ }
+
+ unsigned long EVP_CIPHER_CTX_flags(const EVP_CIPHER_CTX *ctx)
+ {
+-#ifdef OPENSSL_FIPS
+- return EVP_CIPHER_flags(ctx->cipher);
+-#else
+ return ctx->cipher->flags;
+-#endif
+ }
+
+ void *EVP_CIPHER_CTX_get_app_data(const EVP_CIPHER_CTX *ctx)
+@@ -316,40 +305,8 @@ int EVP_MD_size(const EVP_MD *md)
+ return md->md_size;
+ }
+
+-#ifdef OPENSSL_FIPS
+-
+-const EVP_MD *evp_get_fips_md(const EVP_MD *md)
+-{
+- int nid = EVP_MD_type(md);
+- if (nid == NID_dsa)
+- return FIPS_evp_dss1();
+- else if (nid == NID_dsaWithSHA)
+- return FIPS_evp_dss();
+- else if (nid == NID_ecdsa_with_SHA1)
+- return FIPS_evp_ecdsa();
+- else
+- return FIPS_get_digestbynid(nid);
+-}
+-
+-const EVP_CIPHER *evp_get_fips_cipher(const EVP_CIPHER *cipher)
+-{
+- int nid = cipher->nid;
+- if (nid == NID_undef)
+- return FIPS_evp_enc_null();
+- else
+- return FIPS_get_cipherbynid(nid);
+-}
+-
+-#endif
+-
+ unsigned long EVP_MD_flags(const EVP_MD *md)
+ {
+-#ifdef OPENSSL_FIPS
+- const EVP_MD *fmd;
+- fmd = evp_get_fips_md(md);
+- if (fmd && fmd->flags & EVP_MD_FLAG_FIPS)
+- return md->flags | EVP_MD_FLAG_FIPS;
+-#endif
+ return md->flags;
+ }
+
+diff -up openssl-1.0.2i/crypto/evp/evp_locl.h.fips openssl-1.0.2i/crypto/evp/evp_locl.h
+--- openssl-1.0.2i/crypto/evp/evp_locl.h.fips 2016-09-22 13:35:56.898218254 +0200
++++ openssl-1.0.2i/crypto/evp/evp_locl.h 2016-09-22 13:35:57.013220905 +0200
+@@ -258,10 +258,8 @@ const EVP_CIPHER *EVP_##cname##_ecb(void
+ BLOCK_CIPHER_func_cfb(cipher##_##keysize,cprefix,cbits,kstruct,ksched) \
+ BLOCK_CIPHER_def_cfb(cipher##_##keysize,kstruct, \
+ NID_##cipher##_##keysize, keysize/8, iv_len, cbits, \
+- 0, cipher##_init_key, NULL, \
+- EVP_CIPHER_set_asn1_iv, \
+- EVP_CIPHER_get_asn1_iv, \
+- NULL)
++ EVP_CIPH_FLAG_DEFAULT_ASN1, \
++ cipher##_init_key, NULL, NULL, NULL, NULL)
+
+ struct evp_pkey_ctx_st {
+ /* Method associated with this operation */
+@@ -355,11 +353,6 @@ const EVP_CIPHER *evp_get_fips_cipher(co
+ # define MD2_Init private_MD2_Init
+ # define MDC2_Init private_MDC2_Init
+ # define SHA_Init private_SHA_Init
+-# define SHA1_Init private_SHA1_Init
+-# define SHA224_Init private_SHA224_Init
+-# define SHA256_Init private_SHA256_Init
+-# define SHA384_Init private_SHA384_Init
+-# define SHA512_Init private_SHA512_Init
+
+ # define BF_set_key private_BF_set_key
+ # define CAST_set_key private_CAST_set_key
+@@ -367,7 +360,6 @@ const EVP_CIPHER *evp_get_fips_cipher(co
+ # define SEED_set_key private_SEED_set_key
+ # define RC2_set_key private_RC2_set_key
+ # define RC4_set_key private_RC4_set_key
+-# define DES_set_key_unchecked private_DES_set_key_unchecked
+ # define Camellia_set_key private_Camellia_set_key
+
+ #endif
+diff -up openssl-1.0.2i/crypto/evp/m_dss.c.fips openssl-1.0.2i/crypto/evp/m_dss.c
+--- openssl-1.0.2i/crypto/evp/m_dss.c.fips 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/evp/m_dss.c 2016-09-22 13:35:57.013220905 +0200
+@@ -86,7 +86,7 @@ static const EVP_MD dsa_md = {
+ NID_dsaWithSHA,
+ NID_dsaWithSHA,
+ SHA_DIGEST_LENGTH,
+- EVP_MD_FLAG_PKEY_DIGEST,
++ EVP_MD_FLAG_PKEY_DIGEST | EVP_MD_FLAG_FIPS,
+ init,
+ update,
+ final,
+diff -up openssl-1.0.2i/crypto/evp/m_dss1.c.fips openssl-1.0.2i/crypto/evp/m_dss1.c
+--- openssl-1.0.2i/crypto/evp/m_dss1.c.fips 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/evp/m_dss1.c 2016-09-22 13:35:57.013220905 +0200
+@@ -87,7 +87,7 @@ static const EVP_MD dss1_md = {
+ NID_dsa,
+ NID_dsaWithSHA1,
+ SHA_DIGEST_LENGTH,
+- EVP_MD_FLAG_PKEY_DIGEST,
++ EVP_MD_FLAG_PKEY_DIGEST | EVP_MD_FLAG_FIPS,
+ init,
+ update,
+ final,
+diff -up openssl-1.0.2i/crypto/evp/m_md2.c.fips openssl-1.0.2i/crypto/evp/m_md2.c
+--- openssl-1.0.2i/crypto/evp/m_md2.c.fips 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/evp/m_md2.c 2016-09-22 13:35:57.013220905 +0200
+@@ -68,6 +68,7 @@
+ # ifndef OPENSSL_NO_RSA
+ # include <openssl/rsa.h>
+ # endif
++# include "evp_locl.h"
+
+ static int init(EVP_MD_CTX *ctx)
+ {
+diff -up openssl-1.0.2i/crypto/evp/m_sha1.c.fips openssl-1.0.2i/crypto/evp/m_sha1.c
+--- openssl-1.0.2i/crypto/evp/m_sha1.c.fips 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/evp/m_sha1.c 2016-09-22 13:35:57.013220905 +0200
+@@ -87,7 +87,8 @@ static const EVP_MD sha1_md = {
+ NID_sha1,
+ NID_sha1WithRSAEncryption,
+ SHA_DIGEST_LENGTH,
+- EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT,
++ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT |
++ EVP_MD_FLAG_FIPS,
+ init,
+ update,
+ final,
+@@ -134,7 +135,8 @@ static const EVP_MD sha224_md = {
+ NID_sha224,
+ NID_sha224WithRSAEncryption,
+ SHA224_DIGEST_LENGTH,
+- EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT,
++ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT |
++ EVP_MD_FLAG_FIPS,
+ init224,
+ update256,
+ final256,
+@@ -154,7 +156,8 @@ static const EVP_MD sha256_md = {
+ NID_sha256,
+ NID_sha256WithRSAEncryption,
+ SHA256_DIGEST_LENGTH,
+- EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT,
++ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT |
++ EVP_MD_FLAG_FIPS,
+ init256,
+ update256,
+ final256,
+@@ -197,7 +200,8 @@ static const EVP_MD sha384_md = {
+ NID_sha384,
+ NID_sha384WithRSAEncryption,
+ SHA384_DIGEST_LENGTH,
+- EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT,
++ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT |
++ EVP_MD_FLAG_FIPS,
+ init384,
+ update512,
+ final512,
+@@ -217,7 +221,8 @@ static const EVP_MD sha512_md = {
+ NID_sha512,
+ NID_sha512WithRSAEncryption,
+ SHA512_DIGEST_LENGTH,
+- EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT,
++ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT |
++ EVP_MD_FLAG_FIPS,
+ init512,
+ update512,
+ final512,
+diff -up openssl-1.0.2i/crypto/evp/p_sign.c.fips openssl-1.0.2i/crypto/evp/p_sign.c
+--- openssl-1.0.2i/crypto/evp/p_sign.c.fips 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/evp/p_sign.c 2016-09-22 13:35:57.013220905 +0200
+@@ -61,6 +61,7 @@
+ #include <openssl/evp.h>
+ #include <openssl/objects.h>
+ #include <openssl/x509.h>
++#include <openssl/rsa.h>
+
+ #ifdef undef
+ void EVP_SignInit(EVP_MD_CTX *ctx, EVP_MD *type)
+@@ -101,6 +102,22 @@ int EVP_SignFinal(EVP_MD_CTX *ctx, unsig
+ goto err;
+ if (EVP_PKEY_CTX_set_signature_md(pkctx, ctx->digest) <= 0)
+ goto err;
++ if (ctx->flags & EVP_MD_CTX_FLAG_PAD_X931)
++ if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_X931_PADDING) <= 0)
++ goto err;
++ if (ctx->flags & EVP_MD_CTX_FLAG_PAD_PSS) {
++ int saltlen;
++ if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) <=
++ 0)
++ goto err;
++ saltlen = M_EVP_MD_CTX_FLAG_PSS_SALT(ctx);
++ if (saltlen == EVP_MD_CTX_FLAG_PSS_MDLEN)
++ saltlen = -1;
++ else if (saltlen == EVP_MD_CTX_FLAG_PSS_MREC)
++ saltlen = -2;
++ if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) <= 0)
++ goto err;
++ }
+ if (EVP_PKEY_sign(pkctx, sigret, &sltmp, m, m_len) <= 0)
+ goto err;
+ *siglen = sltmp;
+diff -up openssl-1.0.2i/crypto/evp/p_verify.c.fips openssl-1.0.2i/crypto/evp/p_verify.c
+--- openssl-1.0.2i/crypto/evp/p_verify.c.fips 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/evp/p_verify.c 2016-09-22 13:35:57.013220905 +0200
+@@ -61,6 +61,7 @@
+ #include <openssl/evp.h>
+ #include <openssl/objects.h>
+ #include <openssl/x509.h>
++#include <openssl/rsa.h>
+
+ int EVP_VerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sigbuf,
+ unsigned int siglen, EVP_PKEY *pkey)
+@@ -87,6 +88,22 @@ int EVP_VerifyFinal(EVP_MD_CTX *ctx, con
+ goto err;
+ if (EVP_PKEY_CTX_set_signature_md(pkctx, ctx->digest) <= 0)
+ goto err;
++ if (ctx->flags & EVP_MD_CTX_FLAG_PAD_X931)
++ if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_X931_PADDING) <= 0)
++ goto err;
++ if (ctx->flags & EVP_MD_CTX_FLAG_PAD_PSS) {
++ int saltlen;
++ if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) <=
++ 0)
++ goto err;
++ saltlen = M_EVP_MD_CTX_FLAG_PSS_SALT(ctx);
++ if (saltlen == EVP_MD_CTX_FLAG_PSS_MDLEN)
++ saltlen = -1;
++ else if (saltlen == EVP_MD_CTX_FLAG_PSS_MREC)
++ saltlen = -2;
++ if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) <= 0)
++ goto err;
++ }
+ i = EVP_PKEY_verify(pkctx, sigbuf, siglen, m, m_len);
+ err:
+ EVP_PKEY_CTX_free(pkctx);
+diff -up openssl-1.0.2i/crypto/fips/fips_aes_selftest.c.fips openssl-1.0.2i/crypto/fips/fips_aes_selftest.c
+--- openssl-1.0.2i/crypto/fips/fips_aes_selftest.c.fips 2016-09-22 13:35:57.013220905 +0200
++++ openssl-1.0.2i/crypto/fips/fips_aes_selftest.c 2016-09-22 13:35:57.013220905 +0200
+@@ -0,0 +1,365 @@
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <string.h>
++#include <openssl/err.h>
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
++#include <openssl/evp.h>
++
++#ifdef OPENSSL_FIPS
++static const struct {
++ const unsigned char key[16];
++ const unsigned char plaintext[16];
++ const unsigned char ciphertext[16];
++} tests[] = {
++ {
++ {
++ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
++ 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F}, {
++ 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
++ 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF}, {
++0x69, 0xC4, 0xE0, 0xD8, 0x6A, 0x7B, 0x04, 0x30,
++ 0xD8, 0xCD, 0xB7, 0x80, 0x70, 0xB4, 0xC5, 0x5A},},};
++
++static int corrupt_aes;
++
++void FIPS_corrupt_aes()
++{
++ corrupt_aes = 1;
++}
++
++int FIPS_selftest_aes()
++{
++ int n;
++ int ret = 0;
++ EVP_CIPHER_CTX ctx;
++ EVP_CIPHER_CTX_init(&ctx);
++
++ for (n = 0; n < 1; ++n) {
++ unsigned char key[16];
++
++ memcpy(key, tests[n].key, sizeof(key));
++ if (corrupt_aes)
++ key[0]++;
++ if (fips_cipher_test(&ctx, EVP_aes_128_ecb(),
++ key, NULL,
++ tests[n].plaintext,
++ tests[n].ciphertext, 16) <= 0)
++ goto err;
++ }
++ ret = 1;
++ err:
++ EVP_CIPHER_CTX_cleanup(&ctx);
++ if (ret == 0)
++ FIPSerr(FIPS_F_FIPS_SELFTEST_AES, FIPS_R_SELFTEST_FAILED);
++ return ret;
++}
++
++/* AES-CCM test data from NIST public test vectors */
++
++static const unsigned char ccm_key[] = {
++ 0xce, 0xb0, 0x09, 0xae, 0xa4, 0x45, 0x44, 0x51, 0xfe, 0xad, 0xf0, 0xe6,
++ 0xb3, 0x6f, 0x45, 0x55, 0x5d, 0xd0, 0x47, 0x23, 0xba, 0xa4, 0x48, 0xe8
++};
++
++static const unsigned char ccm_nonce[] = {
++ 0x76, 0x40, 0x43, 0xc4, 0x94, 0x60, 0xb7
++};
++
++static const unsigned char ccm_adata[] = {
++ 0x6e, 0x80, 0xdd, 0x7f, 0x1b, 0xad, 0xf3, 0xa1, 0xc9, 0xab, 0x25, 0xc7,
++ 0x5f, 0x10, 0xbd, 0xe7, 0x8c, 0x23, 0xfa, 0x0e, 0xb8, 0xf9, 0xaa, 0xa5,
++ 0x3a, 0xde, 0xfb, 0xf4, 0xcb, 0xf7, 0x8f, 0xe4
++};
++
++static const unsigned char ccm_pt[] = {
++ 0xc8, 0xd2, 0x75, 0xf9, 0x19, 0xe1, 0x7d, 0x7f, 0xe6, 0x9c, 0x2a, 0x1f,
++ 0x58, 0x93, 0x9d, 0xfe, 0x4d, 0x40, 0x37, 0x91, 0xb5, 0xdf, 0x13, 0x10
++};
++
++static const unsigned char ccm_ct[] = {
++ 0x8a, 0x0f, 0x3d, 0x82, 0x29, 0xe4, 0x8e, 0x74, 0x87, 0xfd, 0x95, 0xa2,
++ 0x8a, 0xd3, 0x92, 0xc8, 0x0b, 0x36, 0x81, 0xd4, 0xfb, 0xc7, 0xbb, 0xfd
++};
++
++static const unsigned char ccm_tag[] = {
++ 0x2d, 0xd6, 0xef, 0x1c, 0x45, 0xd4, 0xcc, 0xb7, 0x23, 0xdc, 0x07, 0x44,
++ 0x14, 0xdb, 0x50, 0x6d
++};
++
++int FIPS_selftest_aes_ccm(void)
++{
++ int ret = 0;
++ unsigned char out[128], tag[16];
++ EVP_CIPHER_CTX ctx;
++ EVP_CIPHER_CTX_init(&ctx);
++ memset(out, 0, sizeof(out));
++ if (!EVP_CipherInit_ex(&ctx, EVP_aes_192_ccm(), NULL, NULL, NULL, 1))
++ goto err;
++ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_CCM_SET_IVLEN,
++ sizeof(ccm_nonce), NULL))
++ goto err;
++ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_CCM_SET_TAG,
++ sizeof(ccm_tag), NULL))
++ goto err;
++ if (!EVP_CipherInit_ex(&ctx, NULL, NULL, ccm_key, ccm_nonce, 1))
++ goto err;
++ if (EVP_Cipher(&ctx, NULL, NULL, sizeof(ccm_pt)) != sizeof(ccm_pt))
++ goto err;
++ if (EVP_Cipher(&ctx, NULL, ccm_adata, sizeof(ccm_adata)) < 0)
++ goto err;
++ if (EVP_Cipher(&ctx, out, ccm_pt, sizeof(ccm_pt)) != sizeof(ccm_ct))
++ goto err;
++
++ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_CCM_GET_TAG, 16, tag))
++ goto err;
++ if (memcmp(tag, ccm_tag, sizeof(ccm_tag))
++ || memcmp(out, ccm_ct, sizeof(ccm_ct)))
++ goto err;
++
++ memset(out, 0, sizeof(out));
++
++ if (!EVP_CipherInit_ex(&ctx, EVP_aes_192_ccm(), NULL, NULL, NULL, 0))
++ goto err;
++ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_CCM_SET_IVLEN,
++ sizeof(ccm_nonce), NULL))
++ goto err;
++ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_CCM_SET_TAG, 16, tag))
++ goto err;
++ if (!EVP_CipherInit_ex(&ctx, NULL, NULL, ccm_key, ccm_nonce, 0))
++ goto err;
++ if (EVP_Cipher(&ctx, NULL, NULL, sizeof(ccm_ct)) != sizeof(ccm_ct))
++ goto err;
++ if (EVP_Cipher(&ctx, NULL, ccm_adata, sizeof(ccm_adata)) < 0)
++ goto err;
++ if (EVP_Cipher(&ctx, out, ccm_ct, sizeof(ccm_ct)) != sizeof(ccm_pt))
++ goto err;
++
++ if (memcmp(out, ccm_pt, sizeof(ccm_pt)))
++ goto err;
++
++ ret = 1;
++
++ err:
++ EVP_CIPHER_CTX_cleanup(&ctx);
++
++ if (ret == 0) {
++ FIPSerr(FIPS_F_FIPS_SELFTEST_AES_CCM, FIPS_R_SELFTEST_FAILED);
++ return 0;
++ } else
++ return ret;
++
++}
++
++/* AES-GCM test data from NIST public test vectors */
++
++static const unsigned char gcm_key[] = {
++ 0xee, 0xbc, 0x1f, 0x57, 0x48, 0x7f, 0x51, 0x92, 0x1c, 0x04, 0x65, 0x66,
++ 0x5f, 0x8a, 0xe6, 0xd1, 0x65, 0x8b, 0xb2, 0x6d, 0xe6, 0xf8, 0xa0, 0x69,
++ 0xa3, 0x52, 0x02, 0x93, 0xa5, 0x72, 0x07, 0x8f
++};
++
++static const unsigned char gcm_iv[] = {
++ 0x99, 0xaa, 0x3e, 0x68, 0xed, 0x81, 0x73, 0xa0, 0xee, 0xd0, 0x66, 0x84
++};
++
++static const unsigned char gcm_pt[] = {
++ 0xf5, 0x6e, 0x87, 0x05, 0x5b, 0xc3, 0x2d, 0x0e, 0xeb, 0x31, 0xb2, 0xea,
++ 0xcc, 0x2b, 0xf2, 0xa5
++};
++
++static const unsigned char gcm_aad[] = {
++ 0x4d, 0x23, 0xc3, 0xce, 0xc3, 0x34, 0xb4, 0x9b, 0xdb, 0x37, 0x0c, 0x43,
++ 0x7f, 0xec, 0x78, 0xde
++};
++
++static const unsigned char gcm_ct[] = {
++ 0xf7, 0x26, 0x44, 0x13, 0xa8, 0x4c, 0x0e, 0x7c, 0xd5, 0x36, 0x86, 0x7e,
++ 0xb9, 0xf2, 0x17, 0x36
++};
++
++static const unsigned char gcm_tag[] = {
++ 0x67, 0xba, 0x05, 0x10, 0x26, 0x2a, 0xe4, 0x87, 0xd7, 0x37, 0xee, 0x62,
++ 0x98, 0xf7, 0x7e, 0x0c
++};
++
++int FIPS_selftest_aes_gcm(void)
++{
++ int ret = 0;
++ unsigned char out[128], tag[16];
++ EVP_CIPHER_CTX ctx;
++ EVP_CIPHER_CTX_init(&ctx);
++ memset(out, 0, sizeof(out));
++ memset(tag, 0, sizeof(tag));
++ if (!EVP_CipherInit_ex(&ctx, EVP_aes_256_gcm(), NULL, NULL, NULL, 1))
++ goto err;
++ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN,
++ sizeof(gcm_iv), NULL))
++ goto err;
++ if (!EVP_CipherInit_ex(&ctx, NULL, NULL, gcm_key, gcm_iv, 1))
++ goto err;
++ if (EVP_Cipher(&ctx, NULL, gcm_aad, sizeof(gcm_aad)) < 0)
++ goto err;
++ if (EVP_Cipher(&ctx, out, gcm_pt, sizeof(gcm_pt)) != sizeof(gcm_ct))
++ goto err;
++ if (EVP_Cipher(&ctx, NULL, NULL, 0) < 0)
++ goto err;
++
++ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG, 16, tag))
++ goto err;
++
++ if (memcmp(tag, gcm_tag, 16) || memcmp(out, gcm_ct, 16))
++ goto err;
++
++ memset(out, 0, sizeof(out));
++
++ if (!EVP_CipherInit_ex(&ctx, EVP_aes_256_gcm(), NULL, NULL, NULL, 0))
++ goto err;
++ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN,
++ sizeof(gcm_iv), NULL))
++ goto err;
++ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_TAG, 16, tag))
++ goto err;
++ if (!EVP_CipherInit_ex(&ctx, NULL, NULL, gcm_key, gcm_iv, 0))
++ goto err;
++ if (EVP_Cipher(&ctx, NULL, gcm_aad, sizeof(gcm_aad)) < 0)
++ goto err;
++ if (EVP_Cipher(&ctx, out, gcm_ct, sizeof(gcm_ct)) != sizeof(gcm_pt))
++ goto err;
++ if (EVP_Cipher(&ctx, NULL, NULL, 0) < 0)
++ goto err;
++
++ if (memcmp(out, gcm_pt, 16))
++ goto err;
++
++ ret = 1;
++
++ err:
++ EVP_CIPHER_CTX_cleanup(&ctx);
++
++ if (ret == 0) {
++ FIPSerr(FIPS_F_FIPS_SELFTEST_AES_GCM, FIPS_R_SELFTEST_FAILED);
++ return 0;
++ } else
++ return ret;
++
++}
++
++static const unsigned char XTS_128_key[] = {
++ 0xa1, 0xb9, 0x0c, 0xba, 0x3f, 0x06, 0xac, 0x35, 0x3b, 0x2c, 0x34, 0x38,
++ 0x76, 0x08, 0x17, 0x62, 0x09, 0x09, 0x23, 0x02, 0x6e, 0x91, 0x77, 0x18,
++ 0x15, 0xf2, 0x9d, 0xab, 0x01, 0x93, 0x2f, 0x2f
++};
++
++static const unsigned char XTS_128_i[] = {
++ 0x4f, 0xae, 0xf7, 0x11, 0x7c, 0xda, 0x59, 0xc6, 0x6e, 0x4b, 0x92, 0x01,
++ 0x3e, 0x76, 0x8a, 0xd5
++};
++
++static const unsigned char XTS_128_pt[] = {
++ 0xeb, 0xab, 0xce, 0x95, 0xb1, 0x4d, 0x3c, 0x8d, 0x6f, 0xb3, 0x50, 0x39,
++ 0x07, 0x90, 0x31, 0x1c
++};
++
++static const unsigned char XTS_128_ct[] = {
++ 0x77, 0x8a, 0xe8, 0xb4, 0x3c, 0xb9, 0x8d, 0x5a, 0x82, 0x50, 0x81, 0xd5,
++ 0xbe, 0x47, 0x1c, 0x63
++};
++
++static const unsigned char XTS_256_key[] = {
++ 0x1e, 0xa6, 0x61, 0xc5, 0x8d, 0x94, 0x3a, 0x0e, 0x48, 0x01, 0xe4, 0x2f,
++ 0x4b, 0x09, 0x47, 0x14, 0x9e, 0x7f, 0x9f, 0x8e, 0x3e, 0x68, 0xd0, 0xc7,
++ 0x50, 0x52, 0x10, 0xbd, 0x31, 0x1a, 0x0e, 0x7c, 0xd6, 0xe1, 0x3f, 0xfd,
++ 0xf2, 0x41, 0x8d, 0x8d, 0x19, 0x11, 0xc0, 0x04, 0xcd, 0xa5, 0x8d, 0xa3,
++ 0xd6, 0x19, 0xb7, 0xe2, 0xb9, 0x14, 0x1e, 0x58, 0x31, 0x8e, 0xea, 0x39,
++ 0x2c, 0xf4, 0x1b, 0x08
++};
++
++static const unsigned char XTS_256_i[] = {
++ 0xad, 0xf8, 0xd9, 0x26, 0x27, 0x46, 0x4a, 0xd2, 0xf0, 0x42, 0x8e, 0x84,
++ 0xa9, 0xf8, 0x75, 0x64
++};
++
++static const unsigned char XTS_256_pt[] = {
++ 0x2e, 0xed, 0xea, 0x52, 0xcd, 0x82, 0x15, 0xe1, 0xac, 0xc6, 0x47, 0xe8,
++ 0x10, 0xbb, 0xc3, 0x64, 0x2e, 0x87, 0x28, 0x7f, 0x8d, 0x2e, 0x57, 0xe3,
++ 0x6c, 0x0a, 0x24, 0xfb, 0xc1, 0x2a, 0x20, 0x2e
++};
++
++static const unsigned char XTS_256_ct[] = {
++ 0xcb, 0xaa, 0xd0, 0xe2, 0xf6, 0xce, 0xa3, 0xf5, 0x0b, 0x37, 0xf9, 0x34,
++ 0xd4, 0x6a, 0x9b, 0x13, 0x0b, 0x9d, 0x54, 0xf0, 0x7e, 0x34, 0xf3, 0x6a,
++ 0xf7, 0x93, 0xe8, 0x6f, 0x73, 0xc6, 0xd7, 0xdb
++};
++
++int FIPS_selftest_aes_xts()
++{
++ int ret = 1;
++ EVP_CIPHER_CTX ctx;
++ EVP_CIPHER_CTX_init(&ctx);
++
++ if (fips_cipher_test(&ctx, EVP_aes_128_xts(),
++ XTS_128_key, XTS_128_i, XTS_128_pt, XTS_128_ct,
++ sizeof(XTS_128_pt)) <= 0)
++ ret = 0;
++
++ if (fips_cipher_test(&ctx, EVP_aes_256_xts(),
++ XTS_256_key, XTS_256_i, XTS_256_pt, XTS_256_ct,
++ sizeof(XTS_256_pt)) <= 0)
++ ret = 0;
++
++ EVP_CIPHER_CTX_cleanup(&ctx);
++ if (ret == 0)
++ FIPSerr(FIPS_F_FIPS_SELFTEST_AES_XTS, FIPS_R_SELFTEST_FAILED);
++ return ret;
++}
++
++#endif
+diff -up openssl-1.0.2i/crypto/fips/fips.c.fips openssl-1.0.2i/crypto/fips/fips.c
+--- openssl-1.0.2i/crypto/fips/fips.c.fips 2016-09-22 13:35:57.014220928 +0200
++++ openssl-1.0.2i/crypto/fips/fips.c 2016-09-22 13:35:57.014220928 +0200
+@@ -0,0 +1,483 @@
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#define _GNU_SOURCE
++
++#include <openssl/rand.h>
++#include <openssl/fips_rand.h>
++#include <openssl/err.h>
++#include <openssl/bio.h>
++#include <openssl/hmac.h>
++#include <openssl/rsa.h>
++#include <string.h>
++#include <limits.h>
++#include <dlfcn.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include "fips_locl.h"
++
++#ifdef OPENSSL_FIPS
++
++# include <openssl/fips.h>
++
++# ifndef PATH_MAX
++# define PATH_MAX 1024
++# endif
++
++static int fips_selftest_fail = 0;
++static int fips_mode = 0;
++static int fips_started = 0;
++
++static int fips_is_owning_thread(void);
++static int fips_set_owning_thread(void);
++static int fips_clear_owning_thread(void);
++
++# define fips_w_lock() CRYPTO_w_lock(CRYPTO_LOCK_FIPS)
++# define fips_w_unlock() CRYPTO_w_unlock(CRYPTO_LOCK_FIPS)
++# define fips_r_lock() CRYPTO_r_lock(CRYPTO_LOCK_FIPS)
++# define fips_r_unlock() CRYPTO_r_unlock(CRYPTO_LOCK_FIPS)
++
++static void fips_set_mode(int onoff)
++{
++ int owning_thread = fips_is_owning_thread();
++
++ if (fips_started) {
++ if (!owning_thread)
++ fips_w_lock();
++ fips_mode = onoff;
++ if (!owning_thread)
++ fips_w_unlock();
++ }
++}
++
++int FIPS_module_mode(void)
++{
++ int ret = 0;
++ int owning_thread = fips_is_owning_thread();
++
++ if (fips_started) {
++ if (!owning_thread)
++ fips_r_lock();
++ ret = fips_mode;
++ if (!owning_thread)
++ fips_r_unlock();
++ }
++ return ret;
++}
++
++int FIPS_selftest_failed(void)
++{
++ int ret = 0;
++ if (fips_started) {
++ int owning_thread = fips_is_owning_thread();
++
++ if (!owning_thread)
++ fips_r_lock();
++ ret = fips_selftest_fail;
++ if (!owning_thread)
++ fips_r_unlock();
++ }
++ return ret;
++}
++
++/* Selftest failure fatal exit routine. This will be called
++ * during *any* cryptographic operation. It has the minimum
++ * overhead possible to avoid too big a performance hit.
++ */
++
++void FIPS_selftest_check(void)
++{
++ if (fips_selftest_fail) {
++ OpenSSLDie(__FILE__, __LINE__, "FATAL FIPS SELFTEST FAILURE");
++ }
++}
++
++void fips_set_selftest_fail(void)
++{
++ fips_selftest_fail = 1;
++}
++
++/* we implement what libfipscheck does ourselves */
++
++static int
++get_library_path(const char *libname, const char *symbolname, char *path,
++ size_t pathlen)
++{
++ Dl_info info;
++ void *dl, *sym;
++ int rv = -1;
++
++ dl = dlopen(libname, RTLD_LAZY);
++ if (dl == NULL) {
++ return -1;
++ }
++
++ sym = dlsym(dl, symbolname);
++
++ if (sym != NULL && dladdr(sym, &info)) {
++ strncpy(path, info.dli_fname, pathlen - 1);
++ path[pathlen - 1] = '\0';
++ rv = 0;
++ }
++
++ dlclose(dl);
++
++ return rv;
++}
++
++static const char conv[] = "0123456789abcdef";
++
++static char *bin2hex(void *buf, size_t len)
++{
++ char *hex, *p;
++ unsigned char *src = buf;
++
++ hex = malloc(len * 2 + 1);
++ if (hex == NULL)
++ return NULL;
++
++ p = hex;
++
++ while (len > 0) {
++ unsigned c;
++
++ c = *src;
++ src++;
++
++ *p = conv[c >> 4];
++ ++p;
++ *p = conv[c & 0x0f];
++ ++p;
++ --len;
++ }
++ *p = '\0';
++ return hex;
++}
++
++# define HMAC_PREFIX "."
++# define HMAC_SUFFIX ".hmac"
++# define READ_BUFFER_LENGTH 16384
++
++static char *make_hmac_path(const char *origpath)
++{
++ char *path, *p;
++ const char *fn;
++
++ path =
++ malloc(sizeof(HMAC_PREFIX) + sizeof(HMAC_SUFFIX) + strlen(origpath));
++ if (path == NULL) {
++ return NULL;
++ }
++
++ fn = strrchr(origpath, '/');
++ if (fn == NULL) {
++ fn = origpath;
++ } else {
++ ++fn;
++ }
++
++ strncpy(path, origpath, fn - origpath);
++ p = path + (fn - origpath);
++ p = stpcpy(p, HMAC_PREFIX);
++ p = stpcpy(p, fn);
++ p = stpcpy(p, HMAC_SUFFIX);
++
++ return path;
++}
++
++static const char hmackey[] = "orboDeJITITejsirpADONivirpUkvarP";
++
++static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
++{
++ FILE *f = NULL;
++ int rv = -1;
++ unsigned char rbuf[READ_BUFFER_LENGTH];
++ size_t len;
++ unsigned int hlen;
++ HMAC_CTX c;
++
++ HMAC_CTX_init(&c);
++
++ f = fopen(path, "r");
++
++ if (f == NULL) {
++ goto end;
++ }
++
++ HMAC_Init(&c, hmackey, sizeof(hmackey) - 1, EVP_sha256());
++
++ while ((len = fread(rbuf, 1, sizeof(rbuf), f)) != 0) {
++ HMAC_Update(&c, rbuf, len);
++ }
++
++ len = sizeof(rbuf);
++ /* reuse rbuf for hmac */
++ HMAC_Final(&c, rbuf, &hlen);
++
++ *buf = malloc(hlen);
++ if (*buf == NULL) {
++ goto end;
++ }
++
++ *hmaclen = hlen;
++
++ memcpy(*buf, rbuf, hlen);
++
++ rv = 0;
++ end:
++ HMAC_CTX_cleanup(&c);
++
++ if (f)
++ fclose(f);
++
++ return rv;
++}
++
++static int FIPSCHECK_verify(const char *libname, const char *symbolname)
++{
++ char path[PATH_MAX + 1];
++ int rv;
++ FILE *hf;
++ char *hmacpath, *p;
++ char *hmac = NULL;
++ size_t n;
++
++ rv = get_library_path(libname, symbolname, path, sizeof(path));
++
++ if (rv < 0)
++ return 0;
++
++ hmacpath = make_hmac_path(path);
++ if (hmacpath == NULL)
++ return 0;
++
++ hf = fopen(hmacpath, "r");
++ if (hf == NULL) {
++ free(hmacpath);
++ return 0;
++ }
++
++ if (getline(&hmac, &n, hf) > 0) {
++ void *buf;
++ size_t hmaclen;
++ char *hex;
++
++ if ((p = strchr(hmac, '\n')) != NULL)
++ *p = '\0';
++
++ if (compute_file_hmac(path, &buf, &hmaclen) < 0) {
++ rv = -4;
++ goto end;
++ }
++
++ if ((hex = bin2hex(buf, hmaclen)) == NULL) {
++ free(buf);
++ rv = -5;
++ goto end;
++ }
++
++ if (strcmp(hex, hmac) != 0) {
++ rv = -1;
++ }
++ free(buf);
++ free(hex);
++ } else {
++ rv = -1;
++ }
++
++ end:
++ free(hmac);
++ free(hmacpath);
++ fclose(hf);
++
++ if (rv < 0)
++ return 0;
++
++ /* check successful */
++ return 1;
++}
++
++int FIPS_module_mode_set(int onoff, const char *auth)
++{
++ int ret = 0;
++
++ fips_w_lock();
++ fips_started = 1;
++ fips_set_owning_thread();
++
++ if (onoff) {
++
++ fips_selftest_fail = 0;
++
++ /* Don't go into FIPS mode twice, just so we can do automagic
++ seeding */
++ if (FIPS_module_mode()) {
++ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
++ FIPS_R_FIPS_MODE_ALREADY_SET);
++ fips_selftest_fail = 1;
++ ret = 0;
++ goto end;
++ }
++# ifdef OPENSSL_IA32_SSE2
++ {
++ extern unsigned int OPENSSL_ia32cap_P[2];
++ if ((OPENSSL_ia32cap_P[0] & (1 << 25 | 1 << 26)) !=
++ (1 << 25 | 1 << 26)) {
++ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
++ FIPS_R_UNSUPPORTED_PLATFORM);
++ fips_selftest_fail = 1;
++ ret = 0;
++ goto end;
++ }
++ OPENSSL_ia32cap_P[0] |= (1 << 28); /* set "shared cache" */
++ OPENSSL_ia32cap_P[1] &= ~(1 << (60 - 32)); /* clear AVX */
++ }
++# endif
++
++ if (!FIPSCHECK_verify
++ ("libcrypto.so." SHLIB_VERSION_NUMBER, "FIPS_mode_set")) {
++ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
++ FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
++ fips_selftest_fail = 1;
++ ret = 0;
++ goto end;
++ }
++
++ if (!FIPSCHECK_verify
++ ("libssl.so." SHLIB_VERSION_NUMBER, "SSL_CTX_new")) {
++ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
++ FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
++ fips_selftest_fail = 1;
++ ret = 0;
++ goto end;
++ }
++
++ if (FIPS_selftest())
++ fips_set_mode(onoff);
++ else {
++ fips_selftest_fail = 1;
++ ret = 0;
++ goto end;
++ }
++ ret = 1;
++ goto end;
++ }
++ fips_set_mode(0);
++ fips_selftest_fail = 0;
++ ret = 1;
++ end:
++ fips_clear_owning_thread();
++ fips_w_unlock();
++ return ret;
++}
++
++static CRYPTO_THREADID fips_thread;
++static int fips_thread_set = 0;
++
++static int fips_is_owning_thread(void)
++{
++ int ret = 0;
++
++ if (fips_started) {
++ CRYPTO_r_lock(CRYPTO_LOCK_FIPS2);
++ if (fips_thread_set) {
++ CRYPTO_THREADID cur;
++ CRYPTO_THREADID_current(&cur);
++ if (!CRYPTO_THREADID_cmp(&cur, &fips_thread))
++ ret = 1;
++ }
++ CRYPTO_r_unlock(CRYPTO_LOCK_FIPS2);
++ }
++ return ret;
++}
++
++int fips_set_owning_thread(void)
++{
++ int ret = 0;
++
++ if (fips_started) {
++ CRYPTO_w_lock(CRYPTO_LOCK_FIPS2);
++ if (!fips_thread_set) {
++ CRYPTO_THREADID_current(&fips_thread);
++ ret = 1;
++ fips_thread_set = 1;
++ }
++ CRYPTO_w_unlock(CRYPTO_LOCK_FIPS2);
++ }
++ return ret;
++}
++
++int fips_clear_owning_thread(void)
++{
++ int ret = 0;
++
++ if (fips_started) {
++ CRYPTO_w_lock(CRYPTO_LOCK_FIPS2);
++ if (fips_thread_set) {
++ CRYPTO_THREADID cur;
++ CRYPTO_THREADID_current(&cur);
++ if (!CRYPTO_THREADID_cmp(&cur, &fips_thread))
++ fips_thread_set = 0;
++ }
++ CRYPTO_w_unlock(CRYPTO_LOCK_FIPS2);
++ }
++ return ret;
++}
++
++# if 0
++/* The purpose of this is to ensure the error code exists and the function
++ * name is to keep the error checking script quiet
++ */
++void hash_final(void)
++{
++ FIPSerr(FIPS_F_HASH_FINAL, FIPS_R_NON_FIPS_METHOD);
++}
++# endif
++
++#endif
+diff -up openssl-1.0.2i/crypto/fips/fips_cmac_selftest.c.fips openssl-1.0.2i/crypto/fips/fips_cmac_selftest.c
+--- openssl-1.0.2i/crypto/fips/fips_cmac_selftest.c.fips 2016-09-22 13:35:57.014220928 +0200
++++ openssl-1.0.2i/crypto/fips/fips_cmac_selftest.c 2016-09-22 13:35:57.014220928 +0200
+@@ -0,0 +1,156 @@
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <string.h>
++#include <openssl/err.h>
++#include <openssl/fips.h>
++#include <openssl/cmac.h>
++#include "fips_locl.h"
++
++#ifdef OPENSSL_FIPS
++typedef struct {
++ int nid;
++ const unsigned char key[EVP_MAX_KEY_LENGTH];
++ size_t keysize;
++ const unsigned char msg[64];
++ size_t msgsize;
++ const unsigned char mac[32];
++ size_t macsize;
++} CMAC_KAT;
++
++/* from http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf */
++static const CMAC_KAT vector[] = {
++ {NID_aes_128_cbc, /* Count = 32 from CMACGenAES128.txt */
++ {0x77, 0xa7, 0x7f, 0xaf, 0x29, 0x0c, 0x1f, 0xa3,
++ 0x0c, 0x68, 0x3d, 0xf1, 0x6b, 0xa7, 0xa7, 0x7b,}, 128,
++ {0x02, 0x06, 0x83, 0xe1, 0xf0, 0x39, 0x2f, 0x4c,
++ 0xac, 0x54, 0x31, 0x8b, 0x60, 0x29, 0x25, 0x9e,
++ 0x9c, 0x55, 0x3d, 0xbc, 0x4b, 0x6a, 0xd9, 0x98,
++ 0xe6, 0x4d, 0x58, 0xe4, 0xe7, 0xdc, 0x2e, 0x13,}, 256,
++ {0xfb, 0xfe, 0xa4, 0x1b,}, 32},
++ {NID_aes_192_cbc, /* Count = 23 from CMACGenAES192.txt */
++ {0x7b, 0x32, 0x39, 0x13, 0x69, 0xaa, 0x4c, 0xa9,
++ 0x75, 0x58, 0x09, 0x5b, 0xe3, 0xc3, 0xec, 0x86,
++ 0x2b, 0xd0, 0x57, 0xce, 0xf1, 0xe3, 0x2d, 0x62,}, 192,
++ {0x0}, 0,
++ {0xe4, 0xd9, 0x34, 0x0b, 0x03, 0xe6, 0x7d, 0xef,
++ 0xd4, 0x96, 0x9c, 0xc1, 0xed, 0x37, 0x35, 0xe6,}, 128,
++ },
++ {NID_aes_256_cbc, /* Count = 33 from CMACGenAES256.txt */
++ {0x0b, 0x12, 0x2a, 0xc8, 0xf3, 0x4e, 0xd1, 0xfe,
++ 0x08, 0x2a, 0x36, 0x25, 0xd1, 0x57, 0x56, 0x14,
++ 0x54, 0x16, 0x7a, 0xc1, 0x45, 0xa1, 0x0b, 0xbf,
++ 0x77, 0xc6, 0xa7, 0x05, 0x96, 0xd5, 0x74, 0xf1,}, 256,
++ {0x49, 0x8b, 0x53, 0xfd, 0xec, 0x87, 0xed, 0xcb,
++ 0xf0, 0x70, 0x97, 0xdc, 0xcd, 0xe9, 0x3a, 0x08,
++ 0x4b, 0xad, 0x75, 0x01, 0xa2, 0x24, 0xe3, 0x88,
++ 0xdf, 0x34, 0x9c, 0xe1, 0x89, 0x59, 0xfe, 0x84,
++ 0x85, 0xf8, 0xad, 0x15, 0x37, 0xf0, 0xd8, 0x96,
++ 0xea, 0x73, 0xbe, 0xdc, 0x72, 0x14, 0x71, 0x3f,}, 384,
++ {0xf6, 0x2c, 0x46, 0x32, 0x9b,}, 40,
++ },
++ {NID_des_ede3_cbc, /* Count = 41 from CMACGenTDES3.req */
++ {0x89, 0xbc, 0xd9, 0x52, 0xa8, 0xc8, 0xab, 0x37,
++ 0x1a, 0xf4, 0x8a, 0xc7, 0xd0, 0x70, 0x85, 0xd5,
++ 0xef, 0xf7, 0x02, 0xe6, 0xd6, 0x2c, 0xdc, 0x23,}, 192,
++ {0xfa, 0x62, 0x0c, 0x1b, 0xbe, 0x97, 0x31, 0x9e,
++ 0x9a, 0x0c, 0xf0, 0x49, 0x21, 0x21, 0xf7, 0xa2,
++ 0x0e, 0xb0, 0x8a, 0x6a, 0x70, 0x9d, 0xcb, 0xd0,
++ 0x0a, 0xaf, 0x38, 0xe4, 0xf9, 0x9e, 0x75, 0x4e,}, 256,
++ {0x8f, 0x49, 0xa1, 0xb7, 0xd6, 0xaa, 0x22, 0x58,}, 64,
++ },
++};
++
++int FIPS_selftest_cmac()
++{
++ size_t n, outlen;
++ unsigned char out[32];
++ const EVP_CIPHER *cipher;
++ CMAC_CTX *ctx = CMAC_CTX_new();
++ const CMAC_KAT *t;
++ int rv = 1;
++
++ for (n = 0, t = vector; n < sizeof(vector) / sizeof(vector[0]); n++, t++) {
++ cipher = FIPS_get_cipherbynid(t->nid);
++ if (!cipher) {
++ rv = -1;
++ goto err;
++ }
++ if (!CMAC_Init(ctx, t->key, t->keysize / 8, cipher, 0)) {
++ rv = -1;
++ goto err;
++ }
++ if (!CMAC_Update(ctx, t->msg, t->msgsize / 8)) {
++ rv = -1;
++ goto err;
++ }
++
++ if (!CMAC_Final(ctx, out, &outlen)) {
++ rv = -1;
++ goto err;
++ }
++ CMAC_CTX_cleanup(ctx);
++
++ if (outlen < t->macsize / 8 || memcmp(out, t->mac, t->macsize / 8)) {
++ rv = 0;
++ }
++ }
++
++ err:
++ CMAC_CTX_free(ctx);
++
++ if (rv == -1) {
++ rv = 0;
++ }
++ if (!rv)
++ FIPSerr(FIPS_F_FIPS_SELFTEST_CMAC, FIPS_R_SELFTEST_FAILED);
++
++ return rv;
++}
++#endif
+diff -up openssl-1.0.2i/crypto/fips/fips_des_selftest.c.fips openssl-1.0.2i/crypto/fips/fips_des_selftest.c
+--- openssl-1.0.2i/crypto/fips/fips_des_selftest.c.fips 2016-09-22 13:35:57.014220928 +0200
++++ openssl-1.0.2i/crypto/fips/fips_des_selftest.c 2016-09-22 13:35:57.014220928 +0200
+@@ -0,0 +1,138 @@
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <string.h>
++#include <openssl/err.h>
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
++#include <openssl/evp.h>
++#include <openssl/opensslconf.h>
++
++#ifdef OPENSSL_FIPS
++
++static const struct {
++ const unsigned char key[16];
++ const unsigned char plaintext[8];
++ const unsigned char ciphertext[8];
++} tests2[] = {
++ {
++ {
++ 0x7c, 0x4f, 0x6e, 0xf7, 0xa2, 0x04, 0x16, 0xec,
++ 0x0b, 0x6b, 0x7c, 0x9e, 0x5e, 0x19, 0xa7, 0xc4}, {
++ 0x06, 0xa7, 0xd8, 0x79, 0xaa, 0xce, 0x69, 0xef}, {
++ 0x4c, 0x11, 0x17, 0x55, 0xbf, 0xc4, 0x4e, 0xfd}
++ }, {
++ {
++ 0x5d, 0x9e, 0x01, 0xd3, 0x25, 0xc7, 0x3e, 0x34,
++ 0x01, 0x16, 0x7c, 0x85, 0x23, 0xdf, 0xe0, 0x68}, {
++ 0x9c, 0x50, 0x09, 0x0f, 0x5e, 0x7d, 0x69, 0x7e}, {
++ 0xd2, 0x0b, 0x18, 0xdf, 0xd9, 0x0d, 0x9e, 0xff},}
++};
++
++static const struct {
++ const unsigned char key[24];
++ const unsigned char plaintext[8];
++ const unsigned char ciphertext[8];
++} tests3[] = {
++ {
++ {
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10,
++ 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0}, {
++ 0x8f, 0x8f, 0xbf, 0x9b, 0x5d, 0x48, 0xb4, 0x1c}, {
++ 0x59, 0x8c, 0xe5, 0xd3, 0x6c, 0xa2, 0xea, 0x1b},}, {
++ {
++ 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10, 0xFE,
++ 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,
++ 0xED, 0x39, 0xD9, 0x50, 0xFA, 0x74, 0xBC, 0xC4}, {
++ 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF}, {
++0x11, 0x25, 0xb0, 0x35, 0xbe, 0xa0, 0x82, 0x86},},};
++
++static int corrupt_des;
++
++void FIPS_corrupt_des()
++{
++ corrupt_des = 1;
++}
++
++int FIPS_selftest_des()
++{
++ int n, ret = 0;
++ EVP_CIPHER_CTX ctx;
++ EVP_CIPHER_CTX_init(&ctx);
++ /* Encrypt/decrypt with 2-key 3DES and compare to known answers */
++ for (n = 0; n < 2; ++n) {
++ unsigned char plaintext[8];
++
++ memcpy(plaintext, tests2[n].plaintext, sizeof(plaintext));
++ if (corrupt_des)
++ plaintext[0]++;
++ if (!fips_cipher_test(&ctx, EVP_des_ede_ecb(),
++ tests2[n].key, NULL,
++ plaintext, tests2[n].ciphertext, 8))
++ goto err;
++ }
++
++ /* Encrypt/decrypt with 3DES and compare to known answers */
++ for (n = 0; n < 2; ++n) {
++ if (!fips_cipher_test(&ctx, EVP_des_ede3_ecb(),
++ tests3[n].key, NULL,
++ tests3[n].plaintext, tests3[n].ciphertext, 8))
++ goto err;
++ }
++ ret = 1;
++ err:
++ EVP_CIPHER_CTX_cleanup(&ctx);
++ if (ret == 0)
++ FIPSerr(FIPS_F_FIPS_SELFTEST_DES, FIPS_R_SELFTEST_FAILED);
++
++ return ret;
++}
++#endif
+diff -up openssl-1.0.2i/crypto/fips/fips_drbg_ctr.c.fips openssl-1.0.2i/crypto/fips/fips_drbg_ctr.c
+--- openssl-1.0.2i/crypto/fips/fips_drbg_ctr.c.fips 2016-09-22 13:35:57.014220928 +0200
++++ openssl-1.0.2i/crypto/fips/fips_drbg_ctr.c 2016-09-22 13:35:57.014220928 +0200
+@@ -0,0 +1,415 @@
++/* fips/rand/fips_drbg_ctr.c */
++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
++ * project.
++ */
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++#include <stdlib.h>
++#include <string.h>
++#include <openssl/crypto.h>
++#include <openssl/fips.h>
++#include <openssl/fips_rand.h>
++#include "fips_rand_lcl.h"
++
++static void inc_128(DRBG_CTR_CTX * cctx)
++{
++ int i;
++ unsigned char c;
++ unsigned char *p = cctx->V + 15;
++ for (i = 0; i < 16; i++) {
++ c = *p;
++ c++;
++ *p = c;
++ if (c)
++ return;
++ p--;
++ }
++}
++
++static void ctr_XOR(DRBG_CTR_CTX * cctx, const unsigned char *in,
++ size_t inlen)
++{
++ size_t i, n;
++ /* Any zero padding will have no effect on the result as we
++ * are XORing. So just process however much input we have.
++ */
++
++ if (!in || !inlen)
++ return;
++
++ if (inlen < cctx->keylen)
++ n = inlen;
++ else
++ n = cctx->keylen;
++
++ for (i = 0; i < n; i++)
++ cctx->K[i] ^= in[i];
++ if (inlen <= cctx->keylen)
++ return;
++
++ n = inlen - cctx->keylen;
++ /* Should never happen */
++ if (n > 16)
++ n = 16;
++ for (i = 0; i < 16; i++)
++ cctx->V[i] ^= in[i + cctx->keylen];
++}
++
++/* Process a complete block using BCC algorithm of SPP 800-90 10.4.3 */
++
++static void ctr_BCC_block(DRBG_CTR_CTX * cctx, unsigned char *out,
++ const unsigned char *in)
++{
++ int i;
++ for (i = 0; i < 16; i++)
++ out[i] ^= in[i];
++ AES_encrypt(out, out, &cctx->df_ks);
++#if 0
++ fprintf(stderr, "BCC in+out\n");
++ BIO_dump_fp(stderr, in, 16);
++ BIO_dump_fp(stderr, out, 16);
++#endif
++}
++
++/* Handle several BCC operations for as much data as we need for K and X */
++static void ctr_BCC_blocks(DRBG_CTR_CTX * cctx, const unsigned char *in)
++{
++ ctr_BCC_block(cctx, cctx->KX, in);
++ ctr_BCC_block(cctx, cctx->KX + 16, in);
++ if (cctx->keylen != 16)
++ ctr_BCC_block(cctx, cctx->KX + 32, in);
++}
++
++/* Initialise BCC blocks: these have the value 0,1,2 in leftmost positions:
++ * see 10.4.2 stage 7.
++ */
++static void ctr_BCC_init(DRBG_CTR_CTX * cctx)
++{
++ memset(cctx->KX, 0, 48);
++ memset(cctx->bltmp, 0, 16);
++ ctr_BCC_block(cctx, cctx->KX, cctx->bltmp);
++ cctx->bltmp[3] = 1;
++ ctr_BCC_block(cctx, cctx->KX + 16, cctx->bltmp);
++ if (cctx->keylen != 16) {
++ cctx->bltmp[3] = 2;
++ ctr_BCC_block(cctx, cctx->KX + 32, cctx->bltmp);
++ }
++}
++
++/* Process several blocks into BCC algorithm, some possibly partial */
++static void ctr_BCC_update(DRBG_CTR_CTX * cctx,
++ const unsigned char *in, size_t inlen)
++{
++ if (!in || !inlen)
++ return;
++ /* If we have partial block handle it first */
++ if (cctx->bltmp_pos) {
++ size_t left = 16 - cctx->bltmp_pos;
++ /* If we now have a complete block process it */
++ if (inlen >= left) {
++ memcpy(cctx->bltmp + cctx->bltmp_pos, in, left);
++ ctr_BCC_blocks(cctx, cctx->bltmp);
++ cctx->bltmp_pos = 0;
++ inlen -= left;
++ in += left;
++ }
++ }
++ /* Process zero or more complete blocks */
++ while (inlen >= 16) {
++ ctr_BCC_blocks(cctx, in);
++ in += 16;
++ inlen -= 16;
++ }
++ /* Copy any remaining partial block to the temporary buffer */
++ if (inlen > 0) {
++ memcpy(cctx->bltmp + cctx->bltmp_pos, in, inlen);
++ cctx->bltmp_pos += inlen;
++ }
++}
++
++static void ctr_BCC_final(DRBG_CTR_CTX * cctx)
++{
++ if (cctx->bltmp_pos) {
++ memset(cctx->bltmp + cctx->bltmp_pos, 0, 16 - cctx->bltmp_pos);
++ ctr_BCC_blocks(cctx, cctx->bltmp);
++ }
++}
++
++static void ctr_df(DRBG_CTR_CTX * cctx,
++ const unsigned char *in1, size_t in1len,
++ const unsigned char *in2, size_t in2len,
++ const unsigned char *in3, size_t in3len)
++{
++ size_t inlen;
++ unsigned char *p = cctx->bltmp;
++ static unsigned char c80 = 0x80;
++
++ ctr_BCC_init(cctx);
++ if (!in1)
++ in1len = 0;
++ if (!in2)
++ in2len = 0;
++ if (!in3)
++ in3len = 0;
++ inlen = in1len + in2len + in3len;
++ /* Initialise L||N in temporary block */
++ *p++ = (inlen >> 24) & 0xff;
++ *p++ = (inlen >> 16) & 0xff;
++ *p++ = (inlen >> 8) & 0xff;
++ *p++ = inlen & 0xff;
++ /* NB keylen is at most 32 bytes */
++ *p++ = 0;
++ *p++ = 0;
++ *p++ = 0;
++ *p = (unsigned char)((cctx->keylen + 16) & 0xff);
++ cctx->bltmp_pos = 8;
++ ctr_BCC_update(cctx, in1, in1len);
++ ctr_BCC_update(cctx, in2, in2len);
++ ctr_BCC_update(cctx, in3, in3len);
++ ctr_BCC_update(cctx, &c80, 1);
++ ctr_BCC_final(cctx);
++ /* Set up key K */
++ AES_set_encrypt_key(cctx->KX, cctx->keylen * 8, &cctx->df_kxks);
++ /* X follows key K */
++ AES_encrypt(cctx->KX + cctx->keylen, cctx->KX, &cctx->df_kxks);
++ AES_encrypt(cctx->KX, cctx->KX + 16, &cctx->df_kxks);
++ if (cctx->keylen != 16)
++ AES_encrypt(cctx->KX + 16, cctx->KX + 32, &cctx->df_kxks);
++#if 0
++ fprintf(stderr, "Output of ctr_df:\n");
++ BIO_dump_fp(stderr, cctx->KX, cctx->keylen + 16);
++#endif
++}
++
++/* NB the no-df Update in SP800-90 specifies a constant input length
++ * of seedlen, however other uses of this algorithm pad the input with
++ * zeroes if necessary and have up to two parameters XORed together,
++ * handle both cases in this function instead.
++ */
++
++static void ctr_Update(DRBG_CTX *dctx,
++ const unsigned char *in1, size_t in1len,
++ const unsigned char *in2, size_t in2len,
++ const unsigned char *nonce, size_t noncelen)
++{
++ DRBG_CTR_CTX *cctx = &dctx->d.ctr;
++ /* ks is already setup for correct key */
++ inc_128(cctx);
++ AES_encrypt(cctx->V, cctx->K, &cctx->ks);
++ /* If keylen longer than 128 bits need extra encrypt */
++ if (cctx->keylen != 16) {
++ inc_128(cctx);
++ AES_encrypt(cctx->V, cctx->K + 16, &cctx->ks);
++ }
++ inc_128(cctx);
++ AES_encrypt(cctx->V, cctx->V, &cctx->ks);
++ /* If 192 bit key part of V is on end of K */
++ if (cctx->keylen == 24) {
++ memcpy(cctx->V + 8, cctx->V, 8);
++ memcpy(cctx->V, cctx->K + 24, 8);
++ }
++
++ if (dctx->xflags & DRBG_FLAG_CTR_USE_DF) {
++ /* If no input reuse existing derived value */
++ if (in1 || nonce || in2)
++ ctr_df(cctx, in1, in1len, nonce, noncelen, in2, in2len);
++ /* If this a reuse input in1len != 0 */
++ if (in1len)
++ ctr_XOR(cctx, cctx->KX, dctx->seedlen);
++ } else {
++ ctr_XOR(cctx, in1, in1len);
++ ctr_XOR(cctx, in2, in2len);
++ }
++
++ AES_set_encrypt_key(cctx->K, dctx->strength, &cctx->ks);
++#if 0
++ fprintf(stderr, "K+V after update is:\n");
++ BIO_dump_fp(stderr, cctx->K, cctx->keylen);
++ BIO_dump_fp(stderr, cctx->V, 16);
++#endif
++}
++
++static int drbg_ctr_instantiate(DRBG_CTX *dctx,
++ const unsigned char *ent, size_t entlen,
++ const unsigned char *nonce, size_t noncelen,
++ const unsigned char *pers, size_t perslen)
++{
++ DRBG_CTR_CTX *cctx = &dctx->d.ctr;
++ memset(cctx->K, 0, sizeof(cctx->K));
++ memset(cctx->V, 0, sizeof(cctx->V));
++ AES_set_encrypt_key(cctx->K, dctx->strength, &cctx->ks);
++ ctr_Update(dctx, ent, entlen, pers, perslen, nonce, noncelen);
++ return 1;
++}
++
++static int drbg_ctr_reseed(DRBG_CTX *dctx,
++ const unsigned char *ent, size_t entlen,
++ const unsigned char *adin, size_t adinlen)
++{
++ ctr_Update(dctx, ent, entlen, adin, adinlen, NULL, 0);
++ return 1;
++}
++
++static int drbg_ctr_generate(DRBG_CTX *dctx,
++ unsigned char *out, size_t outlen,
++ const unsigned char *adin, size_t adinlen)
++{
++ DRBG_CTR_CTX *cctx = &dctx->d.ctr;
++ if (adin && adinlen) {
++ ctr_Update(dctx, adin, adinlen, NULL, 0, NULL, 0);
++ /* This means we reuse derived value */
++ if (dctx->xflags & DRBG_FLAG_CTR_USE_DF) {
++ adin = NULL;
++ adinlen = 1;
++ }
++ } else
++ adinlen = 0;
++
++ for (;;) {
++ inc_128(cctx);
++ if (!(dctx->xflags & DRBG_FLAG_TEST) && !dctx->lb_valid) {
++ AES_encrypt(cctx->V, dctx->lb, &cctx->ks);
++ dctx->lb_valid = 1;
++ continue;
++ }
++ if (outlen < 16) {
++ /* Use K as temp space as it will be updated */
++ AES_encrypt(cctx->V, cctx->K, &cctx->ks);
++ if (!fips_drbg_cprng_test(dctx, cctx->K))
++ return 0;
++ memcpy(out, cctx->K, outlen);
++ break;
++ }
++ AES_encrypt(cctx->V, out, &cctx->ks);
++ if (!fips_drbg_cprng_test(dctx, out))
++ return 0;
++ out += 16;
++ outlen -= 16;
++ if (outlen == 0)
++ break;
++ }
++
++ ctr_Update(dctx, adin, adinlen, NULL, 0, NULL, 0);
++
++ return 1;
++
++}
++
++static int drbg_ctr_uninstantiate(DRBG_CTX *dctx)
++{
++ memset(&dctx->d.ctr, 0, sizeof(DRBG_CTR_CTX));
++ return 1;
++}
++
++int fips_drbg_ctr_init(DRBG_CTX *dctx)
++{
++ DRBG_CTR_CTX *cctx = &dctx->d.ctr;
++
++ size_t keylen;
++
++ switch (dctx->type) {
++ case NID_aes_128_ctr:
++ keylen = 16;
++ break;
++
++ case NID_aes_192_ctr:
++ keylen = 24;
++ break;
++
++ case NID_aes_256_ctr:
++ keylen = 32;
++ break;
++
++ default:
++ return -2;
++ }
++
++ dctx->instantiate = drbg_ctr_instantiate;
++ dctx->reseed = drbg_ctr_reseed;
++ dctx->generate = drbg_ctr_generate;
++ dctx->uninstantiate = drbg_ctr_uninstantiate;
++
++ cctx->keylen = keylen;
++ dctx->strength = keylen * 8;
++ dctx->blocklength = 16;
++ dctx->seedlen = keylen + 16;
++
++ if (dctx->xflags & DRBG_FLAG_CTR_USE_DF) {
++ /* df initialisation */
++ static unsigned char df_key[32] = {
++ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
++ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
++ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
++ 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
++ };
++ /* Set key schedule for df_key */
++ AES_set_encrypt_key(df_key, dctx->strength, &cctx->df_ks);
++
++ dctx->min_entropy = cctx->keylen;
++ dctx->max_entropy = DRBG_MAX_LENGTH;
++ dctx->min_nonce = dctx->min_entropy / 2;
++ dctx->max_nonce = DRBG_MAX_LENGTH;
++ dctx->max_pers = DRBG_MAX_LENGTH;
++ dctx->max_adin = DRBG_MAX_LENGTH;
++ } else {
++ dctx->min_entropy = dctx->seedlen;
++ dctx->max_entropy = dctx->seedlen;
++ /* Nonce not used */
++ dctx->min_nonce = 0;
++ dctx->max_nonce = 0;
++ dctx->max_pers = dctx->seedlen;
++ dctx->max_adin = dctx->seedlen;
++ }
++
++ dctx->max_request = 1 << 16;
++ dctx->reseed_interval = 1 << 24;
++
++ return 1;
++}
+diff -up openssl-1.0.2i/crypto/fips/fips_drbg_hash.c.fips openssl-1.0.2i/crypto/fips/fips_drbg_hash.c
+--- openssl-1.0.2i/crypto/fips/fips_drbg_hash.c.fips 2016-09-22 13:35:57.014220928 +0200
++++ openssl-1.0.2i/crypto/fips/fips_drbg_hash.c 2016-09-22 13:35:57.014220928 +0200
+@@ -0,0 +1,358 @@
++/* fips/rand/fips_drbg_hash.c */
++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
++ * project.
++ */
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++#define OPENSSL_FIPSAPI
++
++#include <stdlib.h>
++#include <string.h>
++#include <openssl/crypto.h>
++#include <openssl/fips.h>
++#include <openssl/fips_rand.h>
++#include "fips_rand_lcl.h"
++
++/* This is Hash_df from SP 800-90 10.4.1 */
++
++static int hash_df(DRBG_CTX *dctx, unsigned char *out,
++ const unsigned char *in1, size_t in1len,
++ const unsigned char *in2, size_t in2len,
++ const unsigned char *in3, size_t in3len,
++ const unsigned char *in4, size_t in4len)
++{
++ EVP_MD_CTX *mctx = &dctx->d.hash.mctx;
++ unsigned char *vtmp = dctx->d.hash.vtmp;
++ unsigned char tmp[6];
++ /* Standard only ever needs seedlen bytes which is always less than
++ * maximum permitted so no need to check length.
++ */
++ size_t outlen = dctx->seedlen;
++ tmp[0] = 1;
++ tmp[1] = ((outlen * 8) >> 24) & 0xff;
++ tmp[2] = ((outlen * 8) >> 16) & 0xff;
++ tmp[3] = ((outlen * 8) >> 8) & 0xff;
++ tmp[4] = (outlen * 8) & 0xff;
++ if (!in1) {
++ tmp[5] = (unsigned char)in1len;
++ in1 = tmp + 5;
++ in1len = 1;
++ }
++ for (;;) {
++ if (!FIPS_digestinit(mctx, dctx->d.hash.md))
++ return 0;
++ if (!FIPS_digestupdate(mctx, tmp, 5))
++ return 0;
++ if (in1 && !FIPS_digestupdate(mctx, in1, in1len))
++ return 0;
++ if (in2 && !FIPS_digestupdate(mctx, in2, in2len))
++ return 0;
++ if (in3 && !FIPS_digestupdate(mctx, in3, in3len))
++ return 0;
++ if (in4 && !FIPS_digestupdate(mctx, in4, in4len))
++ return 0;
++ if (outlen < dctx->blocklength) {
++ if (!FIPS_digestfinal(mctx, vtmp, NULL))
++ return 0;
++ memcpy(out, vtmp, outlen);
++ OPENSSL_cleanse(vtmp, dctx->blocklength);
++ return 1;
++ } else if (!FIPS_digestfinal(mctx, out, NULL))
++ return 0;
++
++ outlen -= dctx->blocklength;
++ if (outlen == 0)
++ return 1;
++ tmp[0]++;
++ out += dctx->blocklength;
++ }
++}
++
++/* Add an unsigned buffer to the buf value, storing the result in buf. For
++ * this algorithm the length of input never exceeds the seed length.
++ */
++
++static void ctx_add_buf(DRBG_CTX *dctx, unsigned char *buf,
++ unsigned char *in, size_t inlen)
++{
++ size_t i = inlen;
++ const unsigned char *q;
++ unsigned char c, *p;
++ p = buf + dctx->seedlen;
++ q = in + inlen;
++
++ OPENSSL_assert(i <= dctx->seedlen);
++
++ /* Special case: zero length, just increment buffer */
++ if (i)
++ c = 0;
++ else
++ c = 1;
++
++ while (i) {
++ int r;
++ p--;
++ q--;
++ r = *p + *q + c;
++ /* Carry */
++ if (r > 0xff)
++ c = 1;
++ else
++ c = 0;
++ *p = r & 0xff;
++ i--;
++ }
++
++ i = dctx->seedlen - inlen;
++
++ /* If not adding whole buffer handle final carries */
++ if (c && i) {
++ do {
++ p--;
++ c = *p;
++ c++;
++ *p = c;
++ if (c)
++ return;
++ } while (i--);
++ }
++}
++
++/* Finalise and add hash to V */
++
++static int ctx_add_md(DRBG_CTX *dctx)
++{
++ if (!FIPS_digestfinal(&dctx->d.hash.mctx, dctx->d.hash.vtmp, NULL))
++ return 0;
++ ctx_add_buf(dctx, dctx->d.hash.V, dctx->d.hash.vtmp, dctx->blocklength);
++ return 1;
++}
++
++static int hash_gen(DRBG_CTX *dctx, unsigned char *out, size_t outlen)
++{
++ DRBG_HASH_CTX *hctx = &dctx->d.hash;
++ if (outlen == 0)
++ return 1;
++ memcpy(hctx->vtmp, hctx->V, dctx->seedlen);
++ for (;;) {
++ FIPS_digestinit(&hctx->mctx, hctx->md);
++ FIPS_digestupdate(&hctx->mctx, hctx->vtmp, dctx->seedlen);
++ if (!(dctx->xflags & DRBG_FLAG_TEST) && !dctx->lb_valid) {
++ FIPS_digestfinal(&hctx->mctx, dctx->lb, NULL);
++ dctx->lb_valid = 1;
++ } else if (outlen < dctx->blocklength) {
++ FIPS_digestfinal(&hctx->mctx, hctx->vtmp, NULL);
++ if (!fips_drbg_cprng_test(dctx, hctx->vtmp))
++ return 0;
++ memcpy(out, hctx->vtmp, outlen);
++ return 1;
++ } else {
++ FIPS_digestfinal(&hctx->mctx, out, NULL);
++ if (!fips_drbg_cprng_test(dctx, out))
++ return 0;
++ outlen -= dctx->blocklength;
++ if (outlen == 0)
++ return 1;
++ out += dctx->blocklength;
++ }
++ ctx_add_buf(dctx, hctx->vtmp, NULL, 0);
++ }
++}
++
++static int drbg_hash_instantiate(DRBG_CTX *dctx,
++ const unsigned char *ent, size_t ent_len,
++ const unsigned char *nonce, size_t nonce_len,
++ const unsigned char *pstr, size_t pstr_len)
++{
++ DRBG_HASH_CTX *hctx = &dctx->d.hash;
++ if (!hash_df(dctx, hctx->V,
++ ent, ent_len, nonce, nonce_len, pstr, pstr_len, NULL, 0))
++ return 0;
++ if (!hash_df(dctx, hctx->C,
++ NULL, 0, hctx->V, dctx->seedlen, NULL, 0, NULL, 0))
++ return 0;
++
++#ifdef HASH_DRBG_TRACE
++ fprintf(stderr, "V+C after instantiate:\n");
++ hexprint(stderr, hctx->V, dctx->seedlen);
++ hexprint(stderr, hctx->C, dctx->seedlen);
++#endif
++ return 1;
++}
++
++static int drbg_hash_reseed(DRBG_CTX *dctx,
++ const unsigned char *ent, size_t ent_len,
++ const unsigned char *adin, size_t adin_len)
++{
++ DRBG_HASH_CTX *hctx = &dctx->d.hash;
++ /* V about to be updated so use C as output instead */
++ if (!hash_df(dctx, hctx->C,
++ NULL, 1, hctx->V, dctx->seedlen,
++ ent, ent_len, adin, adin_len))
++ return 0;
++ memcpy(hctx->V, hctx->C, dctx->seedlen);
++ if (!hash_df(dctx, hctx->C, NULL, 0,
++ hctx->V, dctx->seedlen, NULL, 0, NULL, 0))
++ return 0;
++#ifdef HASH_DRBG_TRACE
++ fprintf(stderr, "V+C after reseed:\n");
++ hexprint(stderr, hctx->V, dctx->seedlen);
++ hexprint(stderr, hctx->C, dctx->seedlen);
++#endif
++ return 1;
++}
++
++static int drbg_hash_generate(DRBG_CTX *dctx,
++ unsigned char *out, size_t outlen,
++ const unsigned char *adin, size_t adin_len)
++{
++ DRBG_HASH_CTX *hctx = &dctx->d.hash;
++ EVP_MD_CTX *mctx = &hctx->mctx;
++ unsigned char tmp[4];
++ if (adin && adin_len) {
++ tmp[0] = 2;
++ if (!FIPS_digestinit(mctx, hctx->md))
++ return 0;
++ if (!EVP_DigestUpdate(mctx, tmp, 1))
++ return 0;
++ if (!EVP_DigestUpdate(mctx, hctx->V, dctx->seedlen))
++ return 0;
++ if (!EVP_DigestUpdate(mctx, adin, adin_len))
++ return 0;
++ if (!ctx_add_md(dctx))
++ return 0;
++ }
++ if (!hash_gen(dctx, out, outlen))
++ return 0;
++
++ tmp[0] = 3;
++ if (!FIPS_digestinit(mctx, hctx->md))
++ return 0;
++ if (!EVP_DigestUpdate(mctx, tmp, 1))
++ return 0;
++ if (!EVP_DigestUpdate(mctx, hctx->V, dctx->seedlen))
++ return 0;
++
++ if (!ctx_add_md(dctx))
++ return 0;
++
++ ctx_add_buf(dctx, hctx->V, hctx->C, dctx->seedlen);
++
++ tmp[0] = (dctx->reseed_counter >> 24) & 0xff;
++ tmp[1] = (dctx->reseed_counter >> 16) & 0xff;
++ tmp[2] = (dctx->reseed_counter >> 8) & 0xff;
++ tmp[3] = dctx->reseed_counter & 0xff;
++ ctx_add_buf(dctx, hctx->V, tmp, 4);
++#ifdef HASH_DRBG_TRACE
++ fprintf(stderr, "V+C after generate:\n");
++ hexprint(stderr, hctx->V, dctx->seedlen);
++ hexprint(stderr, hctx->C, dctx->seedlen);
++#endif
++ return 1;
++}
++
++static int drbg_hash_uninstantiate(DRBG_CTX *dctx)
++{
++ EVP_MD_CTX_cleanup(&dctx->d.hash.mctx);
++ OPENSSL_cleanse(&dctx->d.hash, sizeof(DRBG_HASH_CTX));
++ return 1;
++}
++
++int fips_drbg_hash_init(DRBG_CTX *dctx)
++{
++ const EVP_MD *md;
++ DRBG_HASH_CTX *hctx = &dctx->d.hash;
++ md = FIPS_get_digestbynid(dctx->type);
++ if (!md)
++ return -2;
++ switch (dctx->type) {
++ case NID_sha1:
++ dctx->strength = 128;
++ break;
++
++ case NID_sha224:
++ dctx->strength = 192;
++ break;
++
++ default:
++ dctx->strength = 256;
++ break;
++ }
++
++ dctx->instantiate = drbg_hash_instantiate;
++ dctx->reseed = drbg_hash_reseed;
++ dctx->generate = drbg_hash_generate;
++ dctx->uninstantiate = drbg_hash_uninstantiate;
++
++ dctx->d.hash.md = md;
++ EVP_MD_CTX_init(&hctx->mctx);
++
++ /* These are taken from SP 800-90 10.1 table 2 */
++
++ dctx->blocklength = M_EVP_MD_size(md);
++ if (dctx->blocklength > 32)
++ dctx->seedlen = 111;
++ else
++ dctx->seedlen = 55;
++
++ dctx->min_entropy = dctx->strength / 8;
++ dctx->max_entropy = DRBG_MAX_LENGTH;
++
++ dctx->min_nonce = dctx->min_entropy / 2;
++ dctx->max_nonce = DRBG_MAX_LENGTH;
++
++ dctx->max_pers = DRBG_MAX_LENGTH;
++ dctx->max_adin = DRBG_MAX_LENGTH;
++
++ dctx->max_request = 1 << 16;
++ dctx->reseed_interval = 1 << 24;
++
++ return 1;
++}
+diff -up openssl-1.0.2i/crypto/fips/fips_drbg_hmac.c.fips openssl-1.0.2i/crypto/fips/fips_drbg_hmac.c
+--- openssl-1.0.2i/crypto/fips/fips_drbg_hmac.c.fips 2016-09-22 13:35:57.015220951 +0200
++++ openssl-1.0.2i/crypto/fips/fips_drbg_hmac.c 2016-09-22 13:35:57.015220951 +0200
+@@ -0,0 +1,270 @@
++/* fips/rand/fips_drbg_hmac.c */
++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
++ * project.
++ */
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++#include <stdlib.h>
++#include <string.h>
++#include <openssl/crypto.h>
++#include <openssl/evp.h>
++#include <openssl/hmac.h>
++#include <openssl/aes.h>
++#include <openssl/fips.h>
++#include <openssl/fips_rand.h>
++#include "fips_rand_lcl.h"
++
++static int drbg_hmac_update(DRBG_CTX *dctx,
++ const unsigned char *in1, size_t in1len,
++ const unsigned char *in2, size_t in2len,
++ const unsigned char *in3, size_t in3len)
++{
++ static unsigned char c0 = 0, c1 = 1;
++ DRBG_HMAC_CTX *hmac = &dctx->d.hmac;
++ HMAC_CTX *hctx = &hmac->hctx;
++
++ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
++ return 0;
++ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))
++ return 0;
++ if (!HMAC_Update(hctx, &c0, 1))
++ return 0;
++ if (in1len && !HMAC_Update(hctx, in1, in1len))
++ return 0;
++ if (in2len && !HMAC_Update(hctx, in2, in2len))
++ return 0;
++ if (in3len && !HMAC_Update(hctx, in3, in3len))
++ return 0;
++
++ if (!HMAC_Final(hctx, hmac->K, NULL))
++ return 0;
++
++ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
++ return 0;
++ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))
++ return 0;
++
++ if (!HMAC_Final(hctx, hmac->V, NULL))
++ return 0;
++
++ if (!in1len && !in2len && !in3len)
++ return 1;
++
++ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
++ return 0;
++ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))
++ return 0;
++ if (!HMAC_Update(hctx, &c1, 1))
++ return 0;
++ if (in1len && !HMAC_Update(hctx, in1, in1len))
++ return 0;
++ if (in2len && !HMAC_Update(hctx, in2, in2len))
++ return 0;
++ if (in3len && !HMAC_Update(hctx, in3, in3len))
++ return 0;
++
++ if (!HMAC_Final(hctx, hmac->K, NULL))
++ return 0;
++
++ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
++ return 0;
++ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))
++ return 0;
++
++ if (!HMAC_Final(hctx, hmac->V, NULL))
++ return 0;
++
++ return 1;
++
++}
++
++static int drbg_hmac_instantiate(DRBG_CTX *dctx,
++ const unsigned char *ent, size_t ent_len,
++ const unsigned char *nonce, size_t nonce_len,
++ const unsigned char *pstr, size_t pstr_len)
++{
++ DRBG_HMAC_CTX *hmac = &dctx->d.hmac;
++ memset(hmac->K, 0, dctx->blocklength);
++ memset(hmac->V, 1, dctx->blocklength);
++ if (!drbg_hmac_update(dctx,
++ ent, ent_len, nonce, nonce_len, pstr, pstr_len))
++ return 0;
++
++#ifdef HMAC_DRBG_TRACE
++ fprintf(stderr, "K+V after instantiate:\n");
++ hexprint(stderr, hmac->K, hmac->blocklength);
++ hexprint(stderr, hmac->V, hmac->blocklength);
++#endif
++ return 1;
++}
++
++static int drbg_hmac_reseed(DRBG_CTX *dctx,
++ const unsigned char *ent, size_t ent_len,
++ const unsigned char *adin, size_t adin_len)
++{
++ if (!drbg_hmac_update(dctx, ent, ent_len, adin, adin_len, NULL, 0))
++ return 0;
++
++#ifdef HMAC_DRBG_TRACE
++ {
++ DRBG_HMAC_CTX *hmac = &dctx->d.hmac;
++ fprintf(stderr, "K+V after reseed:\n");
++ hexprint(stderr, hmac->K, hmac->blocklength);
++ hexprint(stderr, hmac->V, hmac->blocklength);
++ }
++#endif
++ return 1;
++}
++
++static int drbg_hmac_generate(DRBG_CTX *dctx,
++ unsigned char *out, size_t outlen,
++ const unsigned char *adin, size_t adin_len)
++{
++ DRBG_HMAC_CTX *hmac = &dctx->d.hmac;
++ HMAC_CTX *hctx = &hmac->hctx;
++ const unsigned char *Vtmp = hmac->V;
++ if (adin_len && !drbg_hmac_update(dctx, adin, adin_len, NULL, 0, NULL, 0))
++ return 0;
++ for (;;) {
++ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
++ return 0;
++ if (!HMAC_Update(hctx, Vtmp, dctx->blocklength))
++ return 0;
++ if (!(dctx->xflags & DRBG_FLAG_TEST) && !dctx->lb_valid) {
++ if (!HMAC_Final(hctx, dctx->lb, NULL))
++ return 0;
++ dctx->lb_valid = 1;
++ Vtmp = dctx->lb;
++ continue;
++ } else if (outlen > dctx->blocklength) {
++ if (!HMAC_Final(hctx, out, NULL))
++ return 0;
++ if (!fips_drbg_cprng_test(dctx, out))
++ return 0;
++ Vtmp = out;
++ } else {
++ if (!HMAC_Final(hctx, hmac->V, NULL))
++ return 0;
++ if (!fips_drbg_cprng_test(dctx, hmac->V))
++ return 0;
++ memcpy(out, hmac->V, outlen);
++ break;
++ }
++ out += dctx->blocklength;
++ outlen -= dctx->blocklength;
++ }
++ if (!drbg_hmac_update(dctx, adin, adin_len, NULL, 0, NULL, 0))
++ return 0;
++
++ return 1;
++}
++
++static int drbg_hmac_uninstantiate(DRBG_CTX *dctx)
++{
++ HMAC_CTX_cleanup(&dctx->d.hmac.hctx);
++ OPENSSL_cleanse(&dctx->d.hmac, sizeof(DRBG_HMAC_CTX));
++ return 1;
++}
++
++int fips_drbg_hmac_init(DRBG_CTX *dctx)
++{
++ const EVP_MD *md = NULL;
++ DRBG_HMAC_CTX *hctx = &dctx->d.hmac;
++ dctx->strength = 256;
++ switch (dctx->type) {
++ case NID_hmacWithSHA1:
++ md = EVP_sha1();
++ dctx->strength = 128;
++ break;
++
++ case NID_hmacWithSHA224:
++ md = EVP_sha224();
++ dctx->strength = 192;
++ break;
++
++ case NID_hmacWithSHA256:
++ md = EVP_sha256();
++ break;
++
++ case NID_hmacWithSHA384:
++ md = EVP_sha384();
++ break;
++
++ case NID_hmacWithSHA512:
++ md = EVP_sha512();
++ break;
++
++ default:
++ dctx->strength = 0;
++ return -2;
++ }
++ dctx->instantiate = drbg_hmac_instantiate;
++ dctx->reseed = drbg_hmac_reseed;
++ dctx->generate = drbg_hmac_generate;
++ dctx->uninstantiate = drbg_hmac_uninstantiate;
++ HMAC_CTX_init(&hctx->hctx);
++ hctx->md = md;
++ dctx->blocklength = M_EVP_MD_size(md);
++ dctx->seedlen = M_EVP_MD_size(md);
++
++ dctx->min_entropy = dctx->strength / 8;
++ dctx->max_entropy = DRBG_MAX_LENGTH;
++
++ dctx->min_nonce = dctx->min_entropy / 2;
++ dctx->max_nonce = DRBG_MAX_LENGTH;
++
++ dctx->max_pers = DRBG_MAX_LENGTH;
++ dctx->max_adin = DRBG_MAX_LENGTH;
++
++ dctx->max_request = 1 << 16;
++ dctx->reseed_interval = 1 << 24;
++
++ return 1;
++}
+diff -up openssl-1.0.2i/crypto/fips/fips_drbg_lib.c.fips openssl-1.0.2i/crypto/fips/fips_drbg_lib.c
+--- openssl-1.0.2i/crypto/fips/fips_drbg_lib.c.fips 2016-09-22 13:35:57.015220951 +0200
++++ openssl-1.0.2i/crypto/fips/fips_drbg_lib.c 2016-09-22 13:35:57.015220951 +0200
+@@ -0,0 +1,553 @@
++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
++ * project.
++ */
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++#include <string.h>
++#include <openssl/crypto.h>
++#include <openssl/err.h>
++#include <openssl/fips_rand.h>
++#include "fips_locl.h"
++#include "fips_rand_lcl.h"
++
++/* Support framework for SP800-90 DRBGs */
++
++int FIPS_drbg_init(DRBG_CTX *dctx, int type, unsigned int flags)
++{
++ int rv;
++ memset(dctx, 0, sizeof(DRBG_CTX));
++ dctx->status = DRBG_STATUS_UNINITIALISED;
++ dctx->xflags = flags;
++ dctx->type = type;
++
++ dctx->iflags = 0;
++ dctx->entropy_blocklen = 0;
++ dctx->health_check_cnt = 0;
++ dctx->health_check_interval = DRBG_HEALTH_INTERVAL;
++
++ rv = fips_drbg_hash_init(dctx);
++
++ if (rv == -2)
++ rv = fips_drbg_ctr_init(dctx);
++ if (rv == -2)
++ rv = fips_drbg_hmac_init(dctx);
++
++ if (rv <= 0) {
++ if (rv == -2)
++ FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_UNSUPPORTED_DRBG_TYPE);
++ else
++ FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_ERROR_INITIALISING_DRBG);
++ }
++
++ /* If not in test mode run selftests on DRBG of the same type */
++
++ if (!(dctx->xflags & DRBG_FLAG_TEST)) {
++ if (!FIPS_drbg_health_check(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_SELFTEST_FAILURE);
++ return 0;
++ }
++ }
++
++ return rv;
++}
++
++DRBG_CTX *FIPS_drbg_new(int type, unsigned int flags)
++{
++ DRBG_CTX *dctx;
++ dctx = OPENSSL_malloc(sizeof(DRBG_CTX));
++ if (!dctx) {
++ FIPSerr(FIPS_F_FIPS_DRBG_NEW, ERR_R_MALLOC_FAILURE);
++ return NULL;
++ }
++
++ if (type == 0) {
++ memset(dctx, 0, sizeof(DRBG_CTX));
++ dctx->type = 0;
++ dctx->status = DRBG_STATUS_UNINITIALISED;
++ return dctx;
++ }
++
++ if (FIPS_drbg_init(dctx, type, flags) <= 0) {
++ OPENSSL_free(dctx);
++ return NULL;
++ }
++
++ return dctx;
++}
++
++void FIPS_drbg_free(DRBG_CTX *dctx)
++{
++ if (dctx->uninstantiate)
++ dctx->uninstantiate(dctx);
++ /* Don't free up default DRBG */
++ if (dctx == FIPS_get_default_drbg()) {
++ memset(dctx, 0, sizeof(DRBG_CTX));
++ dctx->type = 0;
++ dctx->status = DRBG_STATUS_UNINITIALISED;
++ } else {
++ OPENSSL_cleanse(&dctx->d, sizeof(dctx->d));
++ OPENSSL_free(dctx);
++ }
++}
++
++static size_t fips_get_entropy(DRBG_CTX *dctx, unsigned char **pout,
++ int entropy, size_t min_len, size_t max_len)
++{
++ unsigned char *tout, *p;
++ size_t bl = dctx->entropy_blocklen, rv;
++ if (!dctx->get_entropy)
++ return 0;
++ if (dctx->xflags & DRBG_FLAG_TEST || !bl)
++ return dctx->get_entropy(dctx, pout, entropy, min_len, max_len);
++ rv = dctx->get_entropy(dctx, &tout, entropy + bl,
++ min_len + bl, max_len + bl);
++ if (tout == NULL)
++ return 0;
++ *pout = tout + bl;
++ if (rv < (min_len + bl) || (rv % bl))
++ return 0;
++ /* Compare consecutive blocks for continuous PRNG test */
++ for (p = tout; p < tout + rv - bl; p += bl) {
++ if (!memcmp(p, p + bl, bl)) {
++ FIPSerr(FIPS_F_FIPS_GET_ENTROPY, FIPS_R_ENTROPY_SOURCE_STUCK);
++ return 0;
++ }
++ }
++ rv -= bl;
++ if (rv > max_len)
++ return max_len;
++ return rv;
++}
++
++static void fips_cleanup_entropy(DRBG_CTX *dctx,
++ unsigned char *out, size_t olen)
++{
++ size_t bl;
++ if (dctx->xflags & DRBG_FLAG_TEST)
++ bl = 0;
++ else
++ bl = dctx->entropy_blocklen;
++ /* Call cleanup with original arguments */
++ dctx->cleanup_entropy(dctx, out - bl, olen + bl);
++}
++
++int FIPS_drbg_instantiate(DRBG_CTX *dctx,
++ const unsigned char *pers, size_t perslen)
++{
++ size_t entlen = 0, noncelen = 0;
++ unsigned char *nonce = NULL, *entropy = NULL;
++
++#if 0
++ /* Put here so error script picks them up */
++ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE,
++ FIPS_R_PERSONALISATION_STRING_TOO_LONG);
++ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_IN_ERROR_STATE);
++ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ALREADY_INSTANTIATED);
++ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_ENTROPY);
++ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_NONCE);
++ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_INSTANTIATE_ERROR);
++ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_DRBG_NOT_INITIALISED);
++#endif
++
++ int r = 0;
++
++ if (perslen > dctx->max_pers) {
++ r = FIPS_R_PERSONALISATION_STRING_TOO_LONG;
++ goto end;
++ }
++
++ if (!dctx->instantiate) {
++ r = FIPS_R_DRBG_NOT_INITIALISED;
++ goto end;
++ }
++
++ if (dctx->status != DRBG_STATUS_UNINITIALISED) {
++ if (dctx->status == DRBG_STATUS_ERROR)
++ r = FIPS_R_IN_ERROR_STATE;
++ else
++ r = FIPS_R_ALREADY_INSTANTIATED;
++ goto end;
++ }
++
++ dctx->status = DRBG_STATUS_ERROR;
++
++ entlen = fips_get_entropy(dctx, &entropy, dctx->strength,
++ dctx->min_entropy, dctx->max_entropy);
++
++ if (entlen < dctx->min_entropy || entlen > dctx->max_entropy) {
++ r = FIPS_R_ERROR_RETRIEVING_ENTROPY;
++ goto end;
++ }
++
++ if (dctx->max_nonce > 0 && dctx->get_nonce) {
++ noncelen = dctx->get_nonce(dctx, &nonce,
++ dctx->strength / 2,
++ dctx->min_nonce, dctx->max_nonce);
++
++ if (noncelen < dctx->min_nonce || noncelen > dctx->max_nonce) {
++ r = FIPS_R_ERROR_RETRIEVING_NONCE;
++ goto end;
++ }
++
++ }
++
++ if (!dctx->instantiate(dctx,
++ entropy, entlen, nonce, noncelen, pers, perslen)) {
++ r = FIPS_R_ERROR_INSTANTIATING_DRBG;
++ goto end;
++ }
++
++ dctx->status = DRBG_STATUS_READY;
++ if (!(dctx->iflags & DRBG_CUSTOM_RESEED))
++ dctx->reseed_counter = 1;
++
++ end:
++
++ if (entropy && dctx->cleanup_entropy)
++ fips_cleanup_entropy(dctx, entropy, entlen);
++
++ if (nonce && dctx->cleanup_nonce)
++ dctx->cleanup_nonce(dctx, nonce, noncelen);
++
++ if (dctx->status == DRBG_STATUS_READY)
++ return 1;
++
++ if (r && !(dctx->iflags & DRBG_FLAG_NOERR))
++ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, r);
++
++ return 0;
++
++}
++
++static int drbg_reseed(DRBG_CTX *dctx,
++ const unsigned char *adin, size_t adinlen, int hcheck)
++{
++ unsigned char *entropy = NULL;
++ size_t entlen = 0;
++ int r = 0;
++
++#if 0
++ FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_NOT_INSTANTIATED);
++ FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_ADDITIONAL_INPUT_TOO_LONG);
++#endif
++ if (dctx->status != DRBG_STATUS_READY
++ && dctx->status != DRBG_STATUS_RESEED) {
++ if (dctx->status == DRBG_STATUS_ERROR)
++ r = FIPS_R_IN_ERROR_STATE;
++ else if (dctx->status == DRBG_STATUS_UNINITIALISED)
++ r = FIPS_R_NOT_INSTANTIATED;
++ goto end;
++ }
++
++ if (!adin)
++ adinlen = 0;
++ else if (adinlen > dctx->max_adin) {
++ r = FIPS_R_ADDITIONAL_INPUT_TOO_LONG;
++ goto end;
++ }
++
++ dctx->status = DRBG_STATUS_ERROR;
++ /* Peform health check on all reseed operations if not a prediction
++ * resistance request and not in test mode.
++ */
++ if (hcheck && !(dctx->xflags & DRBG_FLAG_TEST)) {
++ if (!FIPS_drbg_health_check(dctx)) {
++ r = FIPS_R_SELFTEST_FAILURE;
++ goto end;
++ }
++ }
++
++ entlen = fips_get_entropy(dctx, &entropy, dctx->strength,
++ dctx->min_entropy, dctx->max_entropy);
++
++ if (entlen < dctx->min_entropy || entlen > dctx->max_entropy) {
++ r = FIPS_R_ERROR_RETRIEVING_ENTROPY;
++ goto end;
++ }
++
++ if (!dctx->reseed(dctx, entropy, entlen, adin, adinlen))
++ goto end;
++
++ dctx->status = DRBG_STATUS_READY;
++ if (!(dctx->iflags & DRBG_CUSTOM_RESEED))
++ dctx->reseed_counter = 1;
++ end:
++
++ if (entropy && dctx->cleanup_entropy)
++ fips_cleanup_entropy(dctx, entropy, entlen);
++
++ if (dctx->status == DRBG_STATUS_READY)
++ return 1;
++
++ if (r && !(dctx->iflags & DRBG_FLAG_NOERR))
++ FIPSerr(FIPS_F_DRBG_RESEED, r);
++
++ return 0;
++}
++
++int FIPS_drbg_reseed(DRBG_CTX *dctx,
++ const unsigned char *adin, size_t adinlen)
++{
++ return drbg_reseed(dctx, adin, adinlen, 1);
++}
++
++static int fips_drbg_check(DRBG_CTX *dctx)
++{
++ if (dctx->xflags & DRBG_FLAG_TEST)
++ return 1;
++ dctx->health_check_cnt++;
++ if (dctx->health_check_cnt >= dctx->health_check_interval) {
++ if (!FIPS_drbg_health_check(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_CHECK, FIPS_R_SELFTEST_FAILURE);
++ return 0;
++ }
++ }
++ return 1;
++}
++
++int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
++ int prediction_resistance,
++ const unsigned char *adin, size_t adinlen)
++{
++ int r = 0;
++
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, FIPS_R_SELFTEST_FAILED);
++ return 0;
++ }
++
++ if (!fips_drbg_check(dctx))
++ return 0;
++
++ if (dctx->status != DRBG_STATUS_READY
++ && dctx->status != DRBG_STATUS_RESEED) {
++ if (dctx->status == DRBG_STATUS_ERROR)
++ r = FIPS_R_IN_ERROR_STATE;
++ else if (dctx->status == DRBG_STATUS_UNINITIALISED)
++ r = FIPS_R_NOT_INSTANTIATED;
++ goto end;
++ }
++
++ if (outlen > dctx->max_request) {
++ r = FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG;
++ return 0;
++ }
++
++ if (adinlen > dctx->max_adin) {
++ r = FIPS_R_ADDITIONAL_INPUT_TOO_LONG;
++ goto end;
++ }
++
++ if (dctx->iflags & DRBG_CUSTOM_RESEED)
++ dctx->generate(dctx, NULL, outlen, NULL, 0);
++ else if (dctx->reseed_counter >= dctx->reseed_interval)
++ dctx->status = DRBG_STATUS_RESEED;
++
++ if (dctx->status == DRBG_STATUS_RESEED || prediction_resistance) {
++ /* If prediction resistance request don't do health check */
++ int hcheck = prediction_resistance ? 0 : 1;
++
++ if (!drbg_reseed(dctx, adin, adinlen, hcheck)) {
++ r = FIPS_R_RESEED_ERROR;
++ goto end;
++ }
++ adin = NULL;
++ adinlen = 0;
++ }
++
++ if (!dctx->generate(dctx, out, outlen, adin, adinlen)) {
++ r = FIPS_R_GENERATE_ERROR;
++ dctx->status = DRBG_STATUS_ERROR;
++ goto end;
++ }
++ if (!(dctx->iflags & DRBG_CUSTOM_RESEED)) {
++ if (dctx->reseed_counter >= dctx->reseed_interval)
++ dctx->status = DRBG_STATUS_RESEED;
++ else
++ dctx->reseed_counter++;
++ }
++
++ end:
++ if (r) {
++ if (!(dctx->iflags & DRBG_FLAG_NOERR))
++ FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, r);
++ return 0;
++ }
++
++ return 1;
++}
++
++int FIPS_drbg_uninstantiate(DRBG_CTX *dctx)
++{
++ int rv;
++ if (!dctx->uninstantiate)
++ rv = 1;
++ else
++ rv = dctx->uninstantiate(dctx);
++ /* Although we'd like to cleanse here we can't because we have to
++ * test the uninstantiate really zeroes the data.
++ */
++ memset(&dctx->d, 0, sizeof(dctx->d));
++ dctx->status = DRBG_STATUS_UNINITIALISED;
++ /* If method has problems uninstantiating, return error */
++ return rv;
++}
++
++int FIPS_drbg_set_callbacks(DRBG_CTX *dctx,
++ size_t (*get_entropy) (DRBG_CTX *ctx,
++ unsigned char **pout,
++ int entropy,
++ size_t min_len,
++ size_t max_len),
++ void (*cleanup_entropy) (DRBG_CTX *ctx,
++ unsigned char *out,
++ size_t olen),
++ size_t entropy_blocklen,
++ size_t (*get_nonce) (DRBG_CTX *ctx,
++ unsigned char **pout,
++ int entropy, size_t min_len,
++ size_t max_len),
++ void (*cleanup_nonce) (DRBG_CTX *ctx,
++ unsigned char *out,
++ size_t olen))
++{
++ if (dctx->status != DRBG_STATUS_UNINITIALISED)
++ return 0;
++ dctx->entropy_blocklen = entropy_blocklen;
++ dctx->get_entropy = get_entropy;
++ dctx->cleanup_entropy = cleanup_entropy;
++ dctx->get_nonce = get_nonce;
++ dctx->cleanup_nonce = cleanup_nonce;
++ return 1;
++}
++
++int FIPS_drbg_set_rand_callbacks(DRBG_CTX *dctx,
++ size_t (*get_adin) (DRBG_CTX *ctx,
++ unsigned char **pout),
++ void (*cleanup_adin) (DRBG_CTX *ctx,
++ unsigned char *out,
++ size_t olen),
++ int (*rand_seed_cb) (DRBG_CTX *ctx,
++ const void *buf,
++ int num),
++ int (*rand_add_cb) (DRBG_CTX *ctx,
++ const void *buf, int num,
++ double entropy))
++{
++ if (dctx->status != DRBG_STATUS_UNINITIALISED)
++ return 0;
++ dctx->get_adin = get_adin;
++ dctx->cleanup_adin = cleanup_adin;
++ dctx->rand_seed_cb = rand_seed_cb;
++ dctx->rand_add_cb = rand_add_cb;
++ return 1;
++}
++
++void *FIPS_drbg_get_app_data(DRBG_CTX *dctx)
++{
++ return dctx->app_data;
++}
++
++void FIPS_drbg_set_app_data(DRBG_CTX *dctx, void *app_data)
++{
++ dctx->app_data = app_data;
++}
++
++size_t FIPS_drbg_get_blocklength(DRBG_CTX *dctx)
++{
++ return dctx->blocklength;
++}
++
++int FIPS_drbg_get_strength(DRBG_CTX *dctx)
++{
++ return dctx->strength;
++}
++
++void FIPS_drbg_set_check_interval(DRBG_CTX *dctx, int interval)
++{
++ dctx->health_check_interval = interval;
++}
++
++void FIPS_drbg_set_reseed_interval(DRBG_CTX *dctx, int interval)
++{
++ dctx->reseed_interval = interval;
++}
++
++static int drbg_stick = 0;
++
++void FIPS_drbg_stick(int onoff)
++{
++ drbg_stick = onoff;
++}
++
++/* Continuous DRBG utility function */
++int fips_drbg_cprng_test(DRBG_CTX *dctx, const unsigned char *out)
++{
++ /* No CPRNG in test mode */
++ if (dctx->xflags & DRBG_FLAG_TEST)
++ return 1;
++ /* Check block is valid: should never happen */
++ if (dctx->lb_valid == 0) {
++ FIPSerr(FIPS_F_FIPS_DRBG_CPRNG_TEST, FIPS_R_INTERNAL_ERROR);
++ fips_set_selftest_fail();
++ return 0;
++ }
++ if (drbg_stick)
++ memcpy(dctx->lb, out, dctx->blocklength);
++ /* Check against last block: fail if match */
++ if (!memcmp(dctx->lb, out, dctx->blocklength)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_CPRNG_TEST, FIPS_R_DRBG_STUCK);
++ fips_set_selftest_fail();
++ return 0;
++ }
++ /* Save last block for next comparison */
++ memcpy(dctx->lb, out, dctx->blocklength);
++ return 1;
++}
+diff -up openssl-1.0.2i/crypto/fips/fips_drbg_rand.c.fips openssl-1.0.2i/crypto/fips/fips_drbg_rand.c
+--- openssl-1.0.2i/crypto/fips/fips_drbg_rand.c.fips 2016-09-22 13:35:57.015220951 +0200
++++ openssl-1.0.2i/crypto/fips/fips_drbg_rand.c 2016-09-22 13:35:57.015220951 +0200
+@@ -0,0 +1,164 @@
++/* fips/rand/fips_drbg_rand.c */
++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
++ * project.
++ */
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++#include <string.h>
++#include <openssl/crypto.h>
++#include <openssl/err.h>
++#include <openssl/rand.h>
++#include <openssl/fips_rand.h>
++#include "fips_rand_lcl.h"
++
++/* Mapping of SP800-90 DRBGs to OpenSSL RAND_METHOD */
++
++/* Since we only have one global PRNG used at any time in OpenSSL use a global
++ * variable to store context.
++ */
++
++static DRBG_CTX ossl_dctx;
++
++DRBG_CTX *FIPS_get_default_drbg(void)
++{
++ return &ossl_dctx;
++}
++
++static int fips_drbg_bytes(unsigned char *out, int count)
++{
++ DRBG_CTX *dctx = &ossl_dctx;
++ int rv = 0;
++ unsigned char *adin = NULL;
++ size_t adinlen = 0;
++ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
++ do {
++ size_t rcnt;
++ if (count > (int)dctx->max_request)
++ rcnt = dctx->max_request;
++ else
++ rcnt = count;
++ if (dctx->get_adin) {
++ adinlen = dctx->get_adin(dctx, &adin);
++ if (adinlen && !adin) {
++ FIPSerr(FIPS_F_FIPS_DRBG_BYTES,
++ FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT);
++ goto err;
++ }
++ }
++ rv = FIPS_drbg_generate(dctx, out, rcnt, 0, adin, adinlen);
++ if (adin) {
++ if (dctx->cleanup_adin)
++ dctx->cleanup_adin(dctx, adin, adinlen);
++ adin = NULL;
++ }
++ if (!rv)
++ goto err;
++ out += rcnt;
++ count -= rcnt;
++ }
++ while (count);
++ rv = 1;
++ err:
++ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
++ return rv;
++}
++
++static int fips_drbg_pseudo(unsigned char *out, int count)
++{
++ if (fips_drbg_bytes(out, count) <= 0)
++ return -1;
++ return 1;
++}
++
++static int fips_drbg_status(void)
++{
++ DRBG_CTX *dctx = &ossl_dctx;
++ int rv;
++ rv = dctx->status == DRBG_STATUS_READY ? 1 : 0;
++ return rv;
++}
++
++static void fips_drbg_cleanup(void)
++{
++ DRBG_CTX *dctx = &ossl_dctx;
++ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
++ FIPS_drbg_uninstantiate(dctx);
++ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
++}
++
++static int fips_drbg_seed(const void *seed, int seedlen)
++{
++ DRBG_CTX *dctx = &ossl_dctx;
++ if (dctx->rand_seed_cb)
++ return dctx->rand_seed_cb(dctx, seed, seedlen);
++ return 1;
++}
++
++static int fips_drbg_add(const void *seed, int seedlen, double add_entropy)
++{
++ DRBG_CTX *dctx = &ossl_dctx;
++ if (dctx->rand_add_cb)
++ return dctx->rand_add_cb(dctx, seed, seedlen, add_entropy);
++ return 1;
++}
++
++static const RAND_METHOD rand_drbg_meth = {
++ fips_drbg_seed,
++ fips_drbg_bytes,
++ fips_drbg_cleanup,
++ fips_drbg_add,
++ fips_drbg_pseudo,
++ fips_drbg_status
++};
++
++const RAND_METHOD *FIPS_drbg_method(void)
++{
++ return &rand_drbg_meth;
++}
+diff -up openssl-1.0.2i/crypto/fips/fips_drbg_selftest.c.fips openssl-1.0.2i/crypto/fips/fips_drbg_selftest.c
+--- openssl-1.0.2i/crypto/fips/fips_drbg_selftest.c.fips 2016-09-22 13:35:57.015220951 +0200
++++ openssl-1.0.2i/crypto/fips/fips_drbg_selftest.c 2016-09-22 13:35:57.015220951 +0200
+@@ -0,0 +1,827 @@
++/* fips/rand/fips_drbg_selftest.c */
++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
++ * project.
++ */
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++#include <string.h>
++#include <openssl/crypto.h>
++#include <openssl/err.h>
++#include <openssl/fips_rand.h>
++#include "fips_rand_lcl.h"
++#include "fips_locl.h"
++
++#include "fips_drbg_selftest.h"
++
++typedef struct {
++ int post;
++ int nid;
++ unsigned int flags;
++
++ /* KAT data for no PR */
++ const unsigned char *ent;
++ size_t entlen;
++ const unsigned char *nonce;
++ size_t noncelen;
++ const unsigned char *pers;
++ size_t perslen;
++ const unsigned char *adin;
++ size_t adinlen;
++ const unsigned char *entreseed;
++ size_t entreseedlen;
++ const unsigned char *adinreseed;
++ size_t adinreseedlen;
++ const unsigned char *adin2;
++ size_t adin2len;
++ const unsigned char *kat;
++ size_t katlen;
++ const unsigned char *kat2;
++ size_t kat2len;
++
++ /* KAT data for PR */
++ const unsigned char *ent_pr;
++ size_t entlen_pr;
++ const unsigned char *nonce_pr;
++ size_t noncelen_pr;
++ const unsigned char *pers_pr;
++ size_t perslen_pr;
++ const unsigned char *adin_pr;
++ size_t adinlen_pr;
++ const unsigned char *entpr_pr;
++ size_t entprlen_pr;
++ const unsigned char *ading_pr;
++ size_t adinglen_pr;
++ const unsigned char *entg_pr;
++ size_t entglen_pr;
++ const unsigned char *kat_pr;
++ size_t katlen_pr;
++ const unsigned char *kat2_pr;
++ size_t kat2len_pr;
++
++} DRBG_SELFTEST_DATA;
++
++#define make_drbg_test_data(nid, flag, pr, p) {p, nid, flag | DRBG_FLAG_TEST, \
++ pr##_entropyinput, sizeof(pr##_entropyinput), \
++ pr##_nonce, sizeof(pr##_nonce), \
++ pr##_personalizationstring, sizeof(pr##_personalizationstring), \
++ pr##_additionalinput, sizeof(pr##_additionalinput), \
++ pr##_entropyinputreseed, sizeof(pr##_entropyinputreseed), \
++ pr##_additionalinputreseed, sizeof(pr##_additionalinputreseed), \
++ pr##_additionalinput2, sizeof(pr##_additionalinput2), \
++ pr##_int_returnedbits, sizeof(pr##_int_returnedbits), \
++ pr##_returnedbits, sizeof(pr##_returnedbits), \
++ pr##_pr_entropyinput, sizeof(pr##_pr_entropyinput), \
++ pr##_pr_nonce, sizeof(pr##_pr_nonce), \
++ pr##_pr_personalizationstring, sizeof(pr##_pr_personalizationstring), \
++ pr##_pr_additionalinput, sizeof(pr##_pr_additionalinput), \
++ pr##_pr_entropyinputpr, sizeof(pr##_pr_entropyinputpr), \
++ pr##_pr_additionalinput2, sizeof(pr##_pr_additionalinput2), \
++ pr##_pr_entropyinputpr2, sizeof(pr##_pr_entropyinputpr2), \
++ pr##_pr_int_returnedbits, sizeof(pr##_pr_int_returnedbits), \
++ pr##_pr_returnedbits, sizeof(pr##_pr_returnedbits), \
++ }
++
++#define make_drbg_test_data_df(nid, pr, p) \
++ make_drbg_test_data(nid, DRBG_FLAG_CTR_USE_DF, pr, p)
++
++#define make_drbg_test_data_ec(curve, md, pr, p) \
++ make_drbg_test_data((curve << 16) | md , 0, pr, p)
++
++static DRBG_SELFTEST_DATA drbg_test[] = {
++ make_drbg_test_data_df(NID_aes_128_ctr, aes_128_use_df, 0),
++ make_drbg_test_data_df(NID_aes_192_ctr, aes_192_use_df, 0),
++ make_drbg_test_data_df(NID_aes_256_ctr, aes_256_use_df, 1),
++ make_drbg_test_data(NID_aes_128_ctr, 0, aes_128_no_df, 0),
++ make_drbg_test_data(NID_aes_192_ctr, 0, aes_192_no_df, 0),
++ make_drbg_test_data(NID_aes_256_ctr, 0, aes_256_no_df, 1),
++ make_drbg_test_data(NID_sha1, 0, sha1, 0),
++ make_drbg_test_data(NID_sha224, 0, sha224, 0),
++ make_drbg_test_data(NID_sha256, 0, sha256, 1),
++ make_drbg_test_data(NID_sha384, 0, sha384, 0),
++ make_drbg_test_data(NID_sha512, 0, sha512, 0),
++ make_drbg_test_data(NID_hmacWithSHA1, 0, hmac_sha1, 0),
++ make_drbg_test_data(NID_hmacWithSHA224, 0, hmac_sha224, 0),
++ make_drbg_test_data(NID_hmacWithSHA256, 0, hmac_sha256, 1),
++ make_drbg_test_data(NID_hmacWithSHA384, 0, hmac_sha384, 0),
++ make_drbg_test_data(NID_hmacWithSHA512, 0, hmac_sha512, 0),
++ {0, 0, 0}
++};
++
++typedef struct {
++ const unsigned char *ent;
++ size_t entlen;
++ int entcnt;
++ const unsigned char *nonce;
++ size_t noncelen;
++ int noncecnt;
++} TEST_ENT;
++
++static size_t test_entropy(DRBG_CTX *dctx, unsigned char **pout,
++ int entropy, size_t min_len, size_t max_len)
++{
++ TEST_ENT *t = FIPS_drbg_get_app_data(dctx);
++ *pout = (unsigned char *)t->ent;
++ t->entcnt++;
++ return t->entlen;
++}
++
++static size_t test_nonce(DRBG_CTX *dctx, unsigned char **pout,
++ int entropy, size_t min_len, size_t max_len)
++{
++ TEST_ENT *t = FIPS_drbg_get_app_data(dctx);
++ *pout = (unsigned char *)t->nonce;
++ t->noncecnt++;
++ return t->noncelen;
++}
++
++static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td,
++ int quick)
++{
++ TEST_ENT t;
++ int rv = 0;
++ size_t adinlen;
++ unsigned char randout[1024];
++
++ /* Initial test without PR */
++
++ /* Instantiate DRBG with test entropy, nonce and personalisation
++ * string.
++ */
++
++ if (!FIPS_drbg_init(dctx, td->nid, td->flags))
++ return 0;
++ if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
++ return 0;
++
++ FIPS_drbg_set_app_data(dctx, &t);
++
++ t.ent = td->ent;
++ t.entlen = td->entlen;
++ t.nonce = td->nonce;
++ t.noncelen = td->noncelen;
++ t.entcnt = 0;
++ t.noncecnt = 0;
++
++ if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen))
++ goto err;
++
++ /* Note for CTR without DF some additional input values
++ * ignore bytes after the keylength: so reduce adinlen
++ * to half to ensure invalid data is fed in.
++ */
++ if (!fips_post_corrupt(FIPS_TEST_DRBG, dctx->type, &dctx->iflags))
++ adinlen = td->adinlen / 2;
++ else
++ adinlen = td->adinlen;
++
++ /* Generate with no PR and verify output matches expected data */
++ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, td->adin, adinlen))
++ goto err;
++
++ if (memcmp(randout, td->kat, td->katlen)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_NOPR_TEST1_FAILURE);
++ goto err2;
++ }
++ /* If abbreviated POST end of test */
++ if (quick) {
++ rv = 1;
++ goto err;
++ }
++ /* Reseed DRBG with test entropy and additional input */
++ t.ent = td->entreseed;
++ t.entlen = td->entreseedlen;
++
++ if (!FIPS_drbg_reseed(dctx, td->adinreseed, td->adinreseedlen))
++ goto err;
++
++ /* Generate with no PR and verify output matches expected data */
++ if (!FIPS_drbg_generate(dctx, randout, td->kat2len, 0,
++ td->adin2, td->adin2len))
++ goto err;
++
++ if (memcmp(randout, td->kat2, td->kat2len)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_NOPR_TEST2_FAILURE);
++ goto err2;
++ }
++
++ FIPS_drbg_uninstantiate(dctx);
++
++ /* Now test with PR */
++
++ /* Instantiate DRBG with test entropy, nonce and personalisation
++ * string.
++ */
++ if (!FIPS_drbg_init(dctx, td->nid, td->flags))
++ return 0;
++ if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
++ return 0;
++
++ FIPS_drbg_set_app_data(dctx, &t);
++
++ t.ent = td->ent_pr;
++ t.entlen = td->entlen_pr;
++ t.nonce = td->nonce_pr;
++ t.noncelen = td->noncelen_pr;
++ t.entcnt = 0;
++ t.noncecnt = 0;
++
++ if (!FIPS_drbg_instantiate(dctx, td->pers_pr, td->perslen_pr))
++ goto err;
++
++ /* Now generate with PR: we need to supply entropy as this will
++ * perform a reseed operation. Check output matches expected value.
++ */
++
++ t.ent = td->entpr_pr;
++ t.entlen = td->entprlen_pr;
++
++ /* Note for CTR without DF some additional input values
++ * ignore bytes after the keylength: so reduce adinlen
++ * to half to ensure invalid data is fed in.
++ */
++ if (!fips_post_corrupt(FIPS_TEST_DRBG, dctx->type, &dctx->iflags))
++ adinlen = td->adinlen_pr / 2;
++ else
++ adinlen = td->adinlen_pr;
++ if (!FIPS_drbg_generate(dctx, randout, td->katlen_pr, 1,
++ td->adin_pr, adinlen))
++ goto err;
++
++ if (memcmp(randout, td->kat_pr, td->katlen_pr)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_PR_TEST1_FAILURE);
++ goto err2;
++ }
++
++ /* Now generate again with PR: supply new entropy again.
++ * Check output matches expected value.
++ */
++
++ t.ent = td->entg_pr;
++ t.entlen = td->entglen_pr;
++
++ if (!FIPS_drbg_generate(dctx, randout, td->kat2len_pr, 1,
++ td->ading_pr, td->adinglen_pr))
++ goto err;
++
++ if (memcmp(randout, td->kat2_pr, td->kat2len_pr)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_PR_TEST2_FAILURE);
++ goto err2;
++ }
++ /* All OK, test complete */
++ rv = 1;
++
++ err:
++ if (rv == 0)
++ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_SELFTEST_FAILED);
++ err2:
++ FIPS_drbg_uninstantiate(dctx);
++
++ return rv;
++
++}
++
++/* Initialise a DRBG based on selftest data */
++
++static int do_drbg_init(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td, TEST_ENT * t)
++{
++
++ if (!FIPS_drbg_init(dctx, td->nid, td->flags))
++ return 0;
++
++ if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
++ return 0;
++
++ FIPS_drbg_set_app_data(dctx, t);
++
++ t->ent = td->ent;
++ t->entlen = td->entlen;
++ t->nonce = td->nonce;
++ t->noncelen = td->noncelen;
++ t->entcnt = 0;
++ t->noncecnt = 0;
++ return 1;
++}
++
++/* Initialise and instantiate DRBG based on selftest data */
++static int do_drbg_instantiate(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td,
++ TEST_ENT * t)
++{
++ if (!do_drbg_init(dctx, td, t))
++ return 0;
++ if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen))
++ return 0;
++
++ return 1;
++}
++
++/* This function performs extensive error checking as required by SP800-90.
++ * Induce several failure modes and check an error condition is set.
++ * This function along with fips_drbg_single_kat peforms the health checking
++ * operation.
++ */
++
++static int fips_drbg_error_check(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td)
++{
++ unsigned char randout[1024];
++ TEST_ENT t;
++ size_t i;
++ unsigned int reseed_counter_tmp;
++ unsigned char *p = (unsigned char *)dctx;
++
++ /* Initialise DRBG */
++
++ if (!do_drbg_init(dctx, td, &t))
++ goto err;
++
++ /* Don't report induced errors */
++ dctx->iflags |= DRBG_FLAG_NOERR;
++
++ /* Personalisation string tests */
++
++ /* Test detection of too large personlisation string */
++
++ if (FIPS_drbg_instantiate(dctx, td->pers, dctx->max_pers + 1) > 0) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_PERSONALISATION_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ /* Entropy source tests */
++
++ /* Test entropy source failure detecion: i.e. returns no data */
++
++ t.entlen = 0;
++
++ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_ENTROPY_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ /* Try to generate output from uninstantiated DRBG */
++ if (FIPS_drbg_generate(dctx, randout, td->katlen, 0,
++ td->adin, td->adinlen)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_GENERATE_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ dctx->iflags &= ~DRBG_FLAG_NOERR;
++ if (!FIPS_drbg_uninstantiate(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++ goto err;
++ }
++
++ if (!do_drbg_init(dctx, td, &t))
++ goto err;
++
++ dctx->iflags |= DRBG_FLAG_NOERR;
++
++ /* Test insufficient entropy */
++
++ t.entlen = dctx->min_entropy - 1;
++
++ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_ENTROPY_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ dctx->iflags &= ~DRBG_FLAG_NOERR;
++ if (!FIPS_drbg_uninstantiate(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++ goto err;
++ }
++
++ /* Test too much entropy */
++
++ if (!do_drbg_init(dctx, td, &t))
++ goto err;
++
++ dctx->iflags |= DRBG_FLAG_NOERR;
++
++ t.entlen = dctx->max_entropy + 1;
++
++ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_ENTROPY_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ dctx->iflags &= ~DRBG_FLAG_NOERR;
++ if (!FIPS_drbg_uninstantiate(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++ goto err;
++ }
++
++ /* Nonce tests */
++
++ /* Test too small nonce */
++
++ if (dctx->min_nonce) {
++
++ if (!do_drbg_init(dctx, td, &t))
++ goto err;
++
++ dctx->iflags |= DRBG_FLAG_NOERR;
++
++ t.noncelen = dctx->min_nonce - 1;
++
++ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_NONCE_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ dctx->iflags &= ~DRBG_FLAG_NOERR;
++ if (!FIPS_drbg_uninstantiate(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++ goto err;
++ }
++
++ }
++
++ /* Test too large nonce */
++
++ if (dctx->max_nonce) {
++
++ if (!do_drbg_init(dctx, td, &t))
++ goto err;
++
++ dctx->iflags |= DRBG_FLAG_NOERR;
++
++ t.noncelen = dctx->max_nonce + 1;
++
++ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_NONCE_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ dctx->iflags &= ~DRBG_FLAG_NOERR;
++ if (!FIPS_drbg_uninstantiate(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++ goto err;
++ }
++
++ }
++
++ /* Instantiate with valid data. */
++ if (!do_drbg_instantiate(dctx, td, &t))
++ goto err;
++
++ /* Check generation is now OK */
++ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,
++ td->adin, td->adinlen))
++ goto err;
++
++ dctx->iflags |= DRBG_FLAG_NOERR;
++
++ /* Request too much data for one request */
++ if (FIPS_drbg_generate(dctx, randout, dctx->max_request + 1, 0,
++ td->adin, td->adinlen)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ /* Try too large additional input */
++ if (FIPS_drbg_generate(dctx, randout, td->katlen, 0,
++ td->adin, dctx->max_adin + 1)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ /* Check prediction resistance request fails if entropy source
++ * failure.
++ */
++
++ t.entlen = 0;
++
++ if (FIPS_drbg_generate(dctx, randout, td->katlen, 1,
++ td->adin, td->adinlen)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_ENTROPY_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ dctx->iflags &= ~DRBG_FLAG_NOERR;
++ if (!FIPS_drbg_uninstantiate(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++ goto err;
++ }
++
++ /* Instantiate again with valid data */
++
++ if (!do_drbg_instantiate(dctx, td, &t))
++ goto err;
++ /* Test reseed counter works */
++ /* Save initial reseed counter */
++ reseed_counter_tmp = dctx->reseed_counter;
++ /* Set reseed counter to beyond interval */
++ dctx->reseed_counter = dctx->reseed_interval;
++
++ /* Generate output and check entropy has been requested for reseed */
++ t.entcnt = 0;
++ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,
++ td->adin, td->adinlen))
++ goto err;
++ if (t.entcnt != 1) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED);
++ goto err;
++ }
++ /* Check reseed counter has been reset */
++ if (dctx->reseed_counter != reseed_counter_tmp + 1) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_RESEED_COUNTER_ERROR);
++ goto err;
++ }
++
++ dctx->iflags &= ~DRBG_FLAG_NOERR;
++ if (!FIPS_drbg_uninstantiate(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++ goto err;
++ }
++
++ /* Check prediction resistance request fails if entropy source
++ * failure.
++ */
++
++ t.entlen = 0;
++
++ dctx->iflags |= DRBG_FLAG_NOERR;
++ if (FIPS_drbg_generate(dctx, randout, td->katlen, 1,
++ td->adin, td->adinlen)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_ENTROPY_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ dctx->iflags &= ~DRBG_FLAG_NOERR;
++
++ if (!FIPS_drbg_uninstantiate(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++ goto err;
++ }
++
++ if (!do_drbg_instantiate(dctx, td, &t))
++ goto err;
++ /* Test reseed counter works */
++ /* Save initial reseed counter */
++ reseed_counter_tmp = dctx->reseed_counter;
++ /* Set reseed counter to beyond interval */
++ dctx->reseed_counter = dctx->reseed_interval;
++
++ /* Generate output and check entropy has been requested for reseed */
++ t.entcnt = 0;
++ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,
++ td->adin, td->adinlen))
++ goto err;
++ if (t.entcnt != 1) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED);
++ goto err;
++ }
++ /* Check reseed counter has been reset */
++ if (dctx->reseed_counter != reseed_counter_tmp + 1) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_RESEED_COUNTER_ERROR);
++ goto err;
++ }
++
++ dctx->iflags &= ~DRBG_FLAG_NOERR;
++ if (!FIPS_drbg_uninstantiate(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++ goto err;
++ }
++
++ /* Explicit reseed tests */
++
++ /* Test explicit reseed with too large additional input */
++ if (!do_drbg_init(dctx, td, &t))
++ goto err;
++
++ dctx->iflags |= DRBG_FLAG_NOERR;
++
++ if (FIPS_drbg_reseed(dctx, td->adin, dctx->max_adin + 1) > 0) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ /* Test explicit reseed with entropy source failure */
++
++ t.entlen = 0;
++
++ if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_ENTROPY_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ if (!FIPS_drbg_uninstantiate(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++ goto err;
++ }
++
++ /* Test explicit reseed with too much entropy */
++
++ if (!do_drbg_init(dctx, td, &t))
++ goto err;
++
++ dctx->iflags |= DRBG_FLAG_NOERR;
++
++ t.entlen = dctx->max_entropy + 1;
++
++ if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_ENTROPY_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ if (!FIPS_drbg_uninstantiate(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++ goto err;
++ }
++
++ /* Test explicit reseed with too little entropy */
++
++ if (!do_drbg_init(dctx, td, &t))
++ goto err;
++
++ dctx->iflags |= DRBG_FLAG_NOERR;
++
++ t.entlen = dctx->min_entropy - 1;
++
++ if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_ENTROPY_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ if (!FIPS_drbg_uninstantiate(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++ goto err;
++ }
++
++ p = (unsigned char *)&dctx->d;
++ /* Standard says we have to check uninstantiate really zeroes
++ * the data...
++ */
++ for (i = 0; i < sizeof(dctx->d); i++) {
++ if (*p != 0) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_UNINSTANTIATE_ZEROISE_ERROR);
++ goto err;
++ }
++ p++;
++ }
++
++ return 1;
++
++ err:
++ /* A real error as opposed to an induced one: underlying function will
++ * indicate the error.
++ */
++ if (!(dctx->iflags & DRBG_FLAG_NOERR))
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_FUNCTION_ERROR);
++ FIPS_drbg_uninstantiate(dctx);
++ return 0;
++
++}
++
++int fips_drbg_kat(DRBG_CTX *dctx, int nid, unsigned int flags)
++{
++ DRBG_SELFTEST_DATA *td;
++ flags |= DRBG_FLAG_TEST;
++ for (td = drbg_test; td->nid != 0; td++) {
++ if (td->nid == nid && td->flags == flags) {
++ if (!fips_drbg_single_kat(dctx, td, 0))
++ return 0;
++ return fips_drbg_error_check(dctx, td);
++ }
++ }
++ return 0;
++}
++
++int FIPS_drbg_health_check(DRBG_CTX *dctx)
++{
++ int rv;
++ DRBG_CTX *tctx = NULL;
++ tctx = FIPS_drbg_new(0, 0);
++ fips_post_started(FIPS_TEST_DRBG, dctx->type, &dctx->xflags);
++ if (!tctx)
++ return 0;
++ rv = fips_drbg_kat(tctx, dctx->type, dctx->xflags);
++ if (tctx)
++ FIPS_drbg_free(tctx);
++ if (rv)
++ fips_post_success(FIPS_TEST_DRBG, dctx->type, &dctx->xflags);
++ else
++ fips_post_failed(FIPS_TEST_DRBG, dctx->type, &dctx->xflags);
++ if (!rv)
++ dctx->status = DRBG_STATUS_ERROR;
++ else
++ dctx->health_check_cnt = 0;
++ return rv;
++}
++
++int FIPS_selftest_drbg(void)
++{
++ DRBG_CTX *dctx;
++ DRBG_SELFTEST_DATA *td;
++ int rv = 1;
++ dctx = FIPS_drbg_new(0, 0);
++ if (!dctx)
++ return 0;
++ for (td = drbg_test; td->nid != 0; td++) {
++ if (td->post != 1)
++ continue;
++ if (!fips_post_started(FIPS_TEST_DRBG, td->nid, &td->flags))
++ return 1;
++ if (!fips_drbg_single_kat(dctx, td, 1)) {
++ fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags);
++ rv = 0;
++ continue;
++ }
++ if (!fips_post_success(FIPS_TEST_DRBG, td->nid, &td->flags))
++ return 0;
++ }
++ FIPS_drbg_free(dctx);
++ return rv;
++}
++
++int FIPS_selftest_drbg_all(void)
++{
++ DRBG_CTX *dctx;
++ DRBG_SELFTEST_DATA *td;
++ int rv = 1;
++ dctx = FIPS_drbg_new(0, 0);
++ if (!dctx)
++ return 0;
++ for (td = drbg_test; td->nid != 0; td++) {
++ if (!fips_post_started(FIPS_TEST_DRBG, td->nid, &td->flags))
++ return 1;
++ if (!fips_drbg_single_kat(dctx, td, 0)) {
++ fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags);
++ rv = 0;
++ continue;
++ }
++ if (!fips_drbg_error_check(dctx, td)) {
++ fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags);
++ rv = 0;
++ continue;
++ }
++ if (!fips_post_success(FIPS_TEST_DRBG, td->nid, &td->flags))
++ return 0;
++ }
++ FIPS_drbg_free(dctx);
++ return rv;
++}
+diff -up openssl-1.0.2i/crypto/fips/fips_drbg_selftest.h.fips openssl-1.0.2i/crypto/fips/fips_drbg_selftest.h
+--- openssl-1.0.2i/crypto/fips/fips_drbg_selftest.h.fips 2016-09-22 13:35:57.016220974 +0200
++++ openssl-1.0.2i/crypto/fips/fips_drbg_selftest.h 2016-09-22 13:35:57.016220974 +0200
+@@ -0,0 +1,1791 @@
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++/* Selftest and health check data for the SP800-90 DRBG */
++
++#define __fips_constseg
++
++/* AES-128 use df PR */
++__fips_constseg static const unsigned char aes_128_use_df_pr_entropyinput[] = {
++ 0x61, 0x52, 0x7c, 0xe3, 0x23, 0x7d, 0x0a, 0x07, 0x10, 0x0c, 0x50, 0x33,
++ 0xc8, 0xdb, 0xff, 0x12
++};
++
++__fips_constseg static const unsigned char aes_128_use_df_pr_nonce[] = {
++ 0x51, 0x0d, 0x85, 0x77, 0xed, 0x22, 0x97, 0x28
++};
++
++__fips_constseg
++ static const unsigned char aes_128_use_df_pr_personalizationstring[] = {
++ 0x59, 0x9f, 0xbb, 0xcd, 0xd5, 0x25, 0x69, 0xb5, 0xcb, 0xb5, 0x03, 0xfe,
++ 0xd7, 0xd7, 0x01, 0x67
++};
++
++__fips_constseg
++ static const unsigned char aes_128_use_df_pr_additionalinput[] = {
++ 0xef, 0x88, 0x76, 0x01, 0xaf, 0x3c, 0xfe, 0x8b, 0xaf, 0x26, 0x06, 0x9e,
++ 0x9a, 0x47, 0x08, 0x76
++};
++
++__fips_constseg
++ static const unsigned char aes_128_use_df_pr_entropyinputpr[] = {
++ 0xe2, 0x76, 0xf9, 0xf6, 0x3a, 0xba, 0x10, 0x9f, 0xbf, 0x47, 0x0e, 0x51,
++ 0x09, 0xfb, 0xa3, 0xb6
++};
++
++__fips_constseg
++ static const unsigned char aes_128_use_df_pr_int_returnedbits[] = {
++ 0xd4, 0x98, 0x8a, 0x46, 0x80, 0x4c, 0xdb, 0xa3, 0x59, 0x02, 0x57, 0x52,
++ 0x66, 0x1c, 0xea, 0x5b
++};
++
++__fips_constseg
++ static const unsigned char aes_128_use_df_pr_additionalinput2[] = {
++ 0x88, 0x8c, 0x91, 0xd6, 0xbe, 0x56, 0x6e, 0x08, 0x9a, 0x62, 0x2b, 0x11,
++ 0x3f, 0x5e, 0x31, 0x06
++};
++
++__fips_constseg
++ static const unsigned char aes_128_use_df_pr_entropyinputpr2[] = {
++ 0xc0, 0x5c, 0x6b, 0x98, 0x01, 0x0d, 0x58, 0x18, 0x51, 0x18, 0x96, 0xae,
++ 0xa7, 0xe3, 0xa8, 0x67
++};
++
++__fips_constseg static const unsigned char aes_128_use_df_pr_returnedbits[] = {
++ 0xcf, 0x01, 0xac, 0x22, 0x31, 0x06, 0x8e, 0xfc, 0xce, 0x56, 0xea, 0x24,
++ 0x0f, 0x38, 0x43, 0xc6
++};
++
++/* AES-128 use df No PR */
++__fips_constseg static const unsigned char aes_128_use_df_entropyinput[] = {
++ 0x1f, 0x8e, 0x34, 0x82, 0x0c, 0xb7, 0xbe, 0xc5, 0x01, 0x3e, 0xd0, 0xa3,
++ 0x9d, 0x7d, 0x1c, 0x9b
++};
++
++__fips_constseg static const unsigned char aes_128_use_df_nonce[] = {
++ 0xd5, 0x4d, 0xbd, 0x4a, 0x93, 0x7f, 0xb8, 0x96
++};
++
++__fips_constseg
++ static const unsigned char aes_128_use_df_personalizationstring[] = {
++ 0xab, 0xd6, 0x3f, 0x04, 0xfe, 0x27, 0x6b, 0x2d, 0xd7, 0xc3, 0x1c, 0xf3,
++ 0x38, 0x66, 0xba, 0x1b
++};
++
++__fips_constseg static const unsigned char aes_128_use_df_additionalinput[] = {
++ 0xfe, 0xf4, 0x09, 0xa8, 0xb7, 0x73, 0x27, 0x9c, 0x5f, 0xa7, 0xea, 0x46,
++ 0xb5, 0xe2, 0xb2, 0x41
++};
++
++__fips_constseg static const unsigned char aes_128_use_df_int_returnedbits[] = {
++ 0x42, 0xe4, 0x4e, 0x7b, 0x27, 0xdd, 0xcb, 0xbc, 0x0a, 0xcf, 0xa6, 0x67,
++ 0xe7, 0x57, 0x11, 0xb4
++};
++
++__fips_constseg
++ static const unsigned char aes_128_use_df_entropyinputreseed[] = {
++ 0x14, 0x26, 0x69, 0xd9, 0xf3, 0x65, 0x03, 0xd6, 0x6b, 0xb9, 0x44, 0x0b,
++ 0xc7, 0xc4, 0x9e, 0x39
++};
++
++__fips_constseg
++ static const unsigned char aes_128_use_df_additionalinputreseed[] = {
++ 0x55, 0x2e, 0x60, 0x9a, 0x05, 0x72, 0x8a, 0xa8, 0xef, 0x22, 0x81, 0x5a,
++ 0xc8, 0x93, 0xfa, 0x84
++};
++
++__fips_constseg static const unsigned char aes_128_use_df_additionalinput2[] = {
++ 0x3c, 0x40, 0xc8, 0xc4, 0x16, 0x0c, 0x21, 0xa4, 0x37, 0x2c, 0x8f, 0xa5,
++ 0x06, 0x0c, 0x15, 0x2c
++};
++
++__fips_constseg static const unsigned char aes_128_use_df_returnedbits[] = {
++ 0xe1, 0x3e, 0x99, 0x98, 0x86, 0x67, 0x0b, 0x63, 0x7b, 0xbe, 0x3f, 0x88,
++ 0x46, 0x81, 0xc7, 0x19
++};
++
++/* AES-192 use df PR */
++__fips_constseg static const unsigned char aes_192_use_df_pr_entropyinput[] = {
++ 0x2b, 0x4e, 0x8b, 0xe1, 0xf1, 0x34, 0x80, 0x56, 0x81, 0xf9, 0x74, 0xec,
++ 0x17, 0x44, 0x2a, 0xf1, 0x14, 0xb0, 0xbf, 0x97, 0x39, 0xb7, 0x04, 0x7d
++};
++
++__fips_constseg static const unsigned char aes_192_use_df_pr_nonce[] = {
++ 0xd6, 0x9d, 0xeb, 0x14, 0x4e, 0x6c, 0x30, 0x1e, 0x39, 0x55, 0x73, 0xd0,
++ 0xd1, 0x80, 0x78, 0xfa
++};
++
++__fips_constseg
++ static const unsigned char aes_192_use_df_pr_personalizationstring[] = {
++ 0xfc, 0x43, 0x4a, 0xf8, 0x9a, 0x55, 0xb3, 0x53, 0x83, 0xe2, 0x18, 0x16,
++ 0x0c, 0xdc, 0xcd, 0x5e, 0x4f, 0xa0, 0x03, 0x01, 0x2b, 0x9f, 0xe4, 0xd5,
++ 0x7d, 0x49, 0xf0, 0x41, 0x9e, 0x3d, 0x99, 0x04
++};
++
++__fips_constseg
++ static const unsigned char aes_192_use_df_pr_additionalinput[] = {
++ 0x5e, 0x9f, 0x49, 0x6f, 0x21, 0x8b, 0x1d, 0x32, 0xd5, 0x84, 0x5c, 0xac,
++ 0xaf, 0xdf, 0xe4, 0x79, 0x9e, 0xaf, 0xa9, 0x82, 0xd0, 0xf8, 0x4f, 0xcb,
++ 0x69, 0x10, 0x0a, 0x7e, 0x81, 0x57, 0xb5, 0x36
++};
++
++__fips_constseg
++ static const unsigned char aes_192_use_df_pr_entropyinputpr[] = {
++ 0xd4, 0x81, 0x0c, 0xd7, 0x66, 0x39, 0xec, 0x42, 0x53, 0x87, 0x41, 0xa5,
++ 0x1e, 0x7d, 0x80, 0x91, 0x8e, 0xbb, 0xed, 0xac, 0x14, 0x02, 0x1a, 0xd5
++};
++
++__fips_constseg
++ static const unsigned char aes_192_use_df_pr_int_returnedbits[] = {
++ 0xdf, 0x1d, 0x39, 0x45, 0x7c, 0x9b, 0xc6, 0x2b, 0x7d, 0x8c, 0x93, 0xe9,
++ 0x19, 0x30, 0x6b, 0x67
++};
++
++__fips_constseg
++ static const unsigned char aes_192_use_df_pr_additionalinput2[] = {
++ 0x00, 0x71, 0x27, 0x4e, 0xd3, 0x14, 0xf1, 0x20, 0x7f, 0x4a, 0x41, 0x32,
++ 0x2a, 0x97, 0x11, 0x43, 0x8f, 0x4a, 0x15, 0x7b, 0x9b, 0x51, 0x79, 0xda,
++ 0x49, 0x3d, 0xde, 0xe8, 0xbc, 0x93, 0x91, 0x99
++};
++
++__fips_constseg
++ static const unsigned char aes_192_use_df_pr_entropyinputpr2[] = {
++ 0x90, 0xee, 0x76, 0xa1, 0x45, 0x8d, 0xb7, 0x40, 0xb0, 0x11, 0xbf, 0xd0,
++ 0x65, 0xd7, 0x3c, 0x7c, 0x4f, 0x20, 0x3f, 0x4e, 0x11, 0x9d, 0xb3, 0x5e
++};
++
++__fips_constseg static const unsigned char aes_192_use_df_pr_returnedbits[] = {
++ 0x24, 0x3b, 0x20, 0xa4, 0x37, 0x66, 0xba, 0x72, 0x39, 0x3f, 0xcf, 0x3c,
++ 0x7e, 0x1a, 0x2b, 0x83
++};
++
++/* AES-192 use df No PR */
++__fips_constseg static const unsigned char aes_192_use_df_entropyinput[] = {
++ 0x8d, 0x74, 0xa4, 0x50, 0x1a, 0x02, 0x68, 0x0c, 0x2a, 0x69, 0xc4, 0x82,
++ 0x3b, 0xbb, 0xda, 0x0e, 0x7f, 0x77, 0xa3, 0x17, 0x78, 0x57, 0xb2, 0x7b
++};
++
++__fips_constseg static const unsigned char aes_192_use_df_nonce[] = {
++ 0x75, 0xd5, 0x1f, 0xac, 0xa4, 0x8d, 0x42, 0x78, 0xd7, 0x69, 0x86, 0x9d,
++ 0x77, 0xd7, 0x41, 0x0e
++};
++
++__fips_constseg
++ static const unsigned char aes_192_use_df_personalizationstring[] = {
++ 0x4e, 0x33, 0x41, 0x3c, 0x9c, 0xc2, 0xd2, 0x53, 0xaf, 0x90, 0xea, 0xcf,
++ 0x19, 0x50, 0x1e, 0xe6, 0x6f, 0x63, 0xc8, 0x32, 0x22, 0xdc, 0x07, 0x65,
++ 0x9c, 0xd3, 0xf8, 0x30, 0x9e, 0xed, 0x35, 0x70
++};
++
++__fips_constseg static const unsigned char aes_192_use_df_additionalinput[] = {
++ 0x5d, 0x8b, 0x8c, 0xc1, 0xdf, 0x0e, 0x02, 0x78, 0xfb, 0x19, 0xb8, 0x69,
++ 0x78, 0x4e, 0x9c, 0x52, 0xbc, 0xc7, 0x20, 0xc9, 0xe6, 0x5e, 0x77, 0x22,
++ 0x28, 0x3d, 0x0c, 0x9e, 0x68, 0xa8, 0x45, 0xd7
++};
++
++__fips_constseg static const unsigned char aes_192_use_df_int_returnedbits[] = {
++ 0xd5, 0xe7, 0x08, 0xc5, 0x19, 0x99, 0xd5, 0x31, 0x03, 0x0a, 0x74, 0xb6,
++ 0xb7, 0xed, 0xe9, 0xea
++};
++
++__fips_constseg
++ static const unsigned char aes_192_use_df_entropyinputreseed[] = {
++ 0x9c, 0x26, 0xda, 0xf1, 0xac, 0xd9, 0x5a, 0xd6, 0xa8, 0x65, 0xf5, 0x02,
++ 0x8f, 0xdc, 0xa2, 0x09, 0x54, 0xa6, 0xe2, 0xa4, 0xde, 0x32, 0xe0, 0x01
++};
++
++__fips_constseg
++ static const unsigned char aes_192_use_df_additionalinputreseed[] = {
++ 0x9b, 0x90, 0xb0, 0x3a, 0x0e, 0x3a, 0x80, 0x07, 0x4a, 0xf4, 0xda, 0x76,
++ 0x28, 0x30, 0x3c, 0xee, 0x54, 0x1b, 0x94, 0x59, 0x51, 0x43, 0x56, 0x77,
++ 0xaf, 0x88, 0xdd, 0x63, 0x89, 0x47, 0x06, 0x65
++};
++
++__fips_constseg static const unsigned char aes_192_use_df_additionalinput2[] = {
++ 0x3c, 0x11, 0x64, 0x7a, 0x96, 0xf5, 0xd8, 0xb8, 0xae, 0xd6, 0x70, 0x4e,
++ 0x16, 0x96, 0xde, 0xe9, 0x62, 0xbc, 0xee, 0x28, 0x2f, 0x26, 0xa6, 0xf0,
++ 0x56, 0xef, 0xa3, 0xf1, 0x6b, 0xa1, 0xb1, 0x77
++};
++
++__fips_constseg static const unsigned char aes_192_use_df_returnedbits[] = {
++ 0x0b, 0xe2, 0x56, 0x03, 0x1e, 0xdb, 0x2c, 0x6d, 0x7f, 0x1b, 0x15, 0x58,
++ 0x1a, 0xf9, 0x13, 0x28
++};
++
++/* AES-256 use df PR */
++__fips_constseg static const unsigned char aes_256_use_df_pr_entropyinput[] = {
++ 0x61, 0x68, 0xfc, 0x1a, 0xf0, 0xb5, 0x95, 0x6b, 0x85, 0x09, 0x9b, 0x74,
++ 0x3f, 0x13, 0x78, 0x49, 0x3b, 0x85, 0xec, 0x93, 0x13, 0x3b, 0xa9, 0x4f,
++ 0x96, 0xab, 0x2c, 0xe4, 0xc8, 0x8f, 0xdd, 0x6a
++};
++
++__fips_constseg static const unsigned char aes_256_use_df_pr_nonce[] = {
++ 0xad, 0xd2, 0xbb, 0xba, 0xb7, 0x65, 0x89, 0xc3, 0x21, 0x6c, 0x55, 0x33,
++ 0x2b, 0x36, 0xff, 0xa4
++};
++
++__fips_constseg
++ static const unsigned char aes_256_use_df_pr_personalizationstring[] = {
++ 0x6e, 0xca, 0xe7, 0x20, 0x72, 0xd3, 0x84, 0x5a, 0x32, 0xd3, 0x4b, 0x24,
++ 0x72, 0xc4, 0x63, 0x2b, 0x9d, 0x12, 0x24, 0x0c, 0x23, 0x26, 0x8e, 0x83,
++ 0x16, 0x37, 0x0b, 0xd1, 0x06, 0x4f, 0x68, 0x6d
++};
++
++__fips_constseg
++ static const unsigned char aes_256_use_df_pr_additionalinput[] = {
++ 0x7e, 0x08, 0x4a, 0xbb, 0xe3, 0x21, 0x7c, 0xc9, 0x23, 0xd2, 0xf8, 0xb0,
++ 0x73, 0x98, 0xba, 0x84, 0x74, 0x23, 0xab, 0x06, 0x8a, 0xe2, 0x22, 0xd3,
++ 0x7b, 0xce, 0x9b, 0xd2, 0x4a, 0x76, 0xb8, 0xde
++};
++
++__fips_constseg
++ static const unsigned char aes_256_use_df_pr_entropyinputpr[] = {
++ 0x0b, 0x23, 0xaf, 0xdf, 0xf1, 0x62, 0xd7, 0xd3, 0x43, 0x97, 0xf8, 0x77,
++ 0x04, 0xa8, 0x42, 0x20, 0xbd, 0xf6, 0x0f, 0xc1, 0x17, 0x2f, 0x9f, 0x54,
++ 0xbb, 0x56, 0x17, 0x86, 0x68, 0x0e, 0xba, 0xa9
++};
++
++__fips_constseg
++ static const unsigned char aes_256_use_df_pr_int_returnedbits[] = {
++ 0x31, 0x8e, 0xad, 0xaf, 0x40, 0xeb, 0x6b, 0x74, 0x31, 0x46, 0x80, 0xc7,
++ 0x17, 0xab, 0x3c, 0x7a
++};
++
++__fips_constseg
++ static const unsigned char aes_256_use_df_pr_additionalinput2[] = {
++ 0x94, 0x6b, 0xc9, 0x9f, 0xab, 0x8d, 0xc5, 0xec, 0x71, 0x88, 0x1d, 0x00,
++ 0x8c, 0x89, 0x68, 0xe4, 0xc8, 0x07, 0x77, 0x36, 0x17, 0x6d, 0x79, 0x78,
++ 0xc7, 0x06, 0x4e, 0x99, 0x04, 0x28, 0x29, 0xc3
++};
++
++__fips_constseg
++ static const unsigned char aes_256_use_df_pr_entropyinputpr2[] = {
++ 0xbf, 0x6c, 0x59, 0x2a, 0x0d, 0x44, 0x0f, 0xae, 0x9a, 0x5e, 0x03, 0x73,
++ 0xd8, 0xa6, 0xe1, 0xcf, 0x25, 0x61, 0x38, 0x24, 0x86, 0x9e, 0x53, 0xe8,
++ 0xa4, 0xdf, 0x56, 0xf4, 0x06, 0x07, 0x9c, 0x0f
++};
++
++__fips_constseg static const unsigned char aes_256_use_df_pr_returnedbits[] = {
++ 0x22, 0x4a, 0xb4, 0xb8, 0xb6, 0xee, 0x7d, 0xb1, 0x9e, 0xc9, 0xf9, 0xa0,
++ 0xd9, 0xe2, 0x97, 0x00
++};
++
++/* AES-256 use df No PR */
++__fips_constseg static const unsigned char aes_256_use_df_entropyinput[] = {
++ 0xa5, 0x3e, 0x37, 0x10, 0x17, 0x43, 0x91, 0x93, 0x59, 0x1e, 0x47, 0x50,
++ 0x87, 0xaa, 0xdd, 0xd5, 0xc1, 0xc3, 0x86, 0xcd, 0xca, 0x0d, 0xdb, 0x68,
++ 0xe0, 0x02, 0xd8, 0x0f, 0xdc, 0x40, 0x1a, 0x47
++};
++
++__fips_constseg static const unsigned char aes_256_use_df_nonce[] = {
++ 0xa9, 0x4d, 0xa5, 0x5a, 0xfd, 0xc5, 0x0c, 0xe5, 0x1c, 0x9a, 0x3b, 0x8a,
++ 0x4c, 0x44, 0x84, 0x40
++};
++
++__fips_constseg
++ static const unsigned char aes_256_use_df_personalizationstring[] = {
++ 0x8b, 0x52, 0xa2, 0x4a, 0x93, 0xc3, 0x4e, 0xa7, 0x1e, 0x1c, 0xa7, 0x05,
++ 0xeb, 0x82, 0x9b, 0xa6, 0x5d, 0xe4, 0xd4, 0xe0, 0x7f, 0xa3, 0xd8, 0x6b,
++ 0x37, 0x84, 0x5f, 0xf1, 0xc7, 0xd5, 0xf6, 0xd2
++};
++
++__fips_constseg static const unsigned char aes_256_use_df_additionalinput[] = {
++ 0x20, 0xf4, 0x22, 0xed, 0xf8, 0x5c, 0xa1, 0x6a, 0x01, 0xcf, 0xbe, 0x5f,
++ 0x8d, 0x6c, 0x94, 0x7f, 0xae, 0x12, 0xa8, 0x57, 0xdb, 0x2a, 0xa9, 0xbf,
++ 0xc7, 0xb3, 0x65, 0x81, 0x80, 0x8d, 0x0d, 0x46
++};
++
++__fips_constseg static const unsigned char aes_256_use_df_int_returnedbits[] = {
++ 0x4e, 0x44, 0xfd, 0xf3, 0x9e, 0x29, 0xa2, 0xb8, 0x0f, 0x5d, 0x6c, 0xe1,
++ 0x28, 0x0c, 0x3b, 0xc1
++};
++
++__fips_constseg
++ static const unsigned char aes_256_use_df_entropyinputreseed[] = {
++ 0xdd, 0x40, 0xe5, 0x98, 0x7b, 0x27, 0x16, 0x73, 0x15, 0x68, 0xd2, 0x76,
++ 0xbf, 0x0c, 0x67, 0x15, 0x75, 0x79, 0x03, 0xd3, 0xde, 0xde, 0x91, 0x46,
++ 0x42, 0xdd, 0xd4, 0x67, 0xc8, 0x79, 0xc8, 0x1e
++};
++
++__fips_constseg
++ static const unsigned char aes_256_use_df_additionalinputreseed[] = {
++ 0x7f, 0xd8, 0x1f, 0xbd, 0x2a, 0xb5, 0x1c, 0x11, 0x5d, 0x83, 0x4e, 0x99,
++ 0xf6, 0x5c, 0xa5, 0x40, 0x20, 0xed, 0x38, 0x8e, 0xd5, 0x9e, 0xe0, 0x75,
++ 0x93, 0xfe, 0x12, 0x5e, 0x5d, 0x73, 0xfb, 0x75
++};
++
++__fips_constseg static const unsigned char aes_256_use_df_additionalinput2[] = {
++ 0xcd, 0x2c, 0xff, 0x14, 0x69, 0x3e, 0x4c, 0x9e, 0xfd, 0xfe, 0x26, 0x0d,
++ 0xe9, 0x86, 0x00, 0x49, 0x30, 0xba, 0xb1, 0xc6, 0x50, 0x57, 0x77, 0x2a,
++ 0x62, 0x39, 0x2c, 0x3b, 0x74, 0xeb, 0xc9, 0x0d
++};
++
++__fips_constseg static const unsigned char aes_256_use_df_returnedbits[] = {
++ 0x4f, 0x78, 0xbe, 0xb9, 0x4d, 0x97, 0x8c, 0xe9, 0xd0, 0x97, 0xfe, 0xad,
++ 0xfa, 0xfd, 0x35, 0x5e
++};
++
++/* AES-128 no df PR */
++__fips_constseg static const unsigned char aes_128_no_df_pr_entropyinput[] = {
++ 0x9a, 0x25, 0x65, 0x10, 0x67, 0xd5, 0xb6, 0x6b, 0x70, 0xa1, 0xb3, 0xa4,
++ 0x43, 0x95, 0x80, 0xc0, 0x84, 0x0a, 0x79, 0xb0, 0x88, 0x74, 0xf2, 0xbf,
++ 0x31, 0x6c, 0x33, 0x38, 0x0b, 0x00, 0xb2, 0x5a
++};
++
++__fips_constseg static const unsigned char aes_128_no_df_pr_nonce[] = {
++ 0x78, 0x47, 0x6b, 0xf7, 0x90, 0x8e, 0x87, 0xf1
++};
++
++__fips_constseg
++ static const unsigned char aes_128_no_df_pr_personalizationstring[] = {
++ 0xf7, 0x22, 0x1d, 0x3a, 0xbe, 0x1d, 0xca, 0x32, 0x1b, 0xbd, 0x87, 0x0c,
++ 0x51, 0x24, 0x19, 0xee, 0xa3, 0x23, 0x09, 0x63, 0x33, 0x3d, 0xa8, 0x0c,
++ 0x1c, 0xfa, 0x42, 0x89, 0xcc, 0x6f, 0xa0, 0xa8
++};
++
++__fips_constseg
++ static const unsigned char aes_128_no_df_pr_additionalinput[] = {
++ 0xc9, 0xe0, 0x80, 0xbf, 0x8c, 0x45, 0x58, 0x39, 0xff, 0x00, 0xab, 0x02,
++ 0x4c, 0x3e, 0x3a, 0x95, 0x9b, 0x80, 0xa8, 0x21, 0x2a, 0xee, 0xba, 0x73,
++ 0xb1, 0xd9, 0xcf, 0x28, 0xf6, 0x8f, 0x9b, 0x12
++};
++
++__fips_constseg static const unsigned char aes_128_no_df_pr_entropyinputpr[] = {
++ 0x4c, 0xa8, 0xc5, 0xf0, 0x59, 0x9e, 0xa6, 0x8d, 0x26, 0x53, 0xd7, 0x8a,
++ 0xa9, 0xd8, 0xf7, 0xed, 0xb2, 0xf9, 0x12, 0x42, 0xe1, 0xe5, 0xbd, 0xe7,
++ 0xe7, 0x1d, 0x74, 0x99, 0x00, 0x9d, 0x31, 0x3e
++};
++
++__fips_constseg
++ static const unsigned char aes_128_no_df_pr_int_returnedbits[] = {
++ 0xe2, 0xac, 0x20, 0xf0, 0x80, 0xe7, 0xbc, 0x7e, 0x9c, 0x7b, 0x65, 0x71,
++ 0xaf, 0x19, 0x32, 0x16
++};
++
++__fips_constseg
++ static const unsigned char aes_128_no_df_pr_additionalinput2[] = {
++ 0x32, 0x7f, 0x38, 0x8b, 0x73, 0x0a, 0x78, 0x83, 0xdc, 0x30, 0xbe, 0x9f,
++ 0x10, 0x1f, 0xf5, 0x1f, 0xca, 0x00, 0xb5, 0x0d, 0xd6, 0x9d, 0x60, 0x83,
++ 0x51, 0x54, 0x7d, 0x38, 0x23, 0x3a, 0x52, 0x50
++};
++
++__fips_constseg
++ static const unsigned char aes_128_no_df_pr_entropyinputpr2[] = {
++ 0x18, 0x61, 0x53, 0x56, 0xed, 0xed, 0xd7, 0x20, 0xfb, 0x71, 0x04, 0x7a,
++ 0xb2, 0xac, 0xc1, 0x28, 0xcd, 0xf2, 0xc2, 0xfc, 0xaa, 0xb1, 0x06, 0x07,
++ 0xe9, 0x46, 0x95, 0x02, 0x48, 0x01, 0x78, 0xf9
++};
++
++__fips_constseg static const unsigned char aes_128_no_df_pr_returnedbits[] = {
++ 0x29, 0xc8, 0x1b, 0x15, 0xb1, 0xd1, 0xc2, 0xf6, 0x71, 0x86, 0x68, 0x33,
++ 0x57, 0x82, 0x33, 0xaf
++};
++
++/* AES-128 no df No PR */
++__fips_constseg static const unsigned char aes_128_no_df_entropyinput[] = {
++ 0xc9, 0xc5, 0x79, 0xbc, 0xe8, 0xc5, 0x19, 0xd8, 0xbc, 0x66, 0x73, 0x67,
++ 0xf6, 0xd3, 0x72, 0xaa, 0xa6, 0x16, 0xb8, 0x50, 0xb7, 0x47, 0x3a, 0x42,
++ 0xab, 0xf4, 0x16, 0xb2, 0x96, 0xd2, 0xb6, 0x60
++};
++
++__fips_constseg static const unsigned char aes_128_no_df_nonce[] = {
++ 0x5f, 0xbf, 0x97, 0x0c, 0x4b, 0xa4, 0x87, 0x13
++};
++
++__fips_constseg
++ static const unsigned char aes_128_no_df_personalizationstring[] = {
++ 0xce, 0xfb, 0x7b, 0x3f, 0xd4, 0x6b, 0x29, 0x0d, 0x69, 0x06, 0xff, 0xbb,
++ 0xf2, 0xe5, 0xc6, 0x6c, 0x0a, 0x10, 0xa0, 0xcf, 0x1a, 0x48, 0xc7, 0x8b,
++ 0x3c, 0x16, 0x88, 0xed, 0x50, 0x13, 0x81, 0xce
++};
++
++__fips_constseg static const unsigned char aes_128_no_df_additionalinput[] = {
++ 0x4b, 0x22, 0x46, 0x18, 0x02, 0x7b, 0xd2, 0x1b, 0x22, 0x42, 0x7c, 0x37,
++ 0xd9, 0xf6, 0xe8, 0x9b, 0x12, 0x30, 0x5f, 0xe9, 0x90, 0xe8, 0x08, 0x24,
++ 0x4f, 0x06, 0x66, 0xdb, 0x19, 0x2b, 0x13, 0x95
++};
++
++__fips_constseg static const unsigned char aes_128_no_df_int_returnedbits[] = {
++ 0x2e, 0x96, 0x70, 0x64, 0xfa, 0xdf, 0xdf, 0x57, 0xb5, 0x82, 0xee, 0xd6,
++ 0xed, 0x3e, 0x65, 0xc2
++};
++
++__fips_constseg
++ static const unsigned char aes_128_no_df_entropyinputreseed[] = {
++ 0x26, 0xc0, 0x72, 0x16, 0x3a, 0x4b, 0xb7, 0x99, 0xd4, 0x07, 0xaf, 0x66,
++ 0x62, 0x36, 0x96, 0xa4, 0x51, 0x17, 0xfa, 0x07, 0x8b, 0x17, 0x5e, 0xa1,
++ 0x2f, 0x3c, 0x10, 0xe7, 0x90, 0xd0, 0x46, 0x00
++};
++
++__fips_constseg
++ static const unsigned char aes_128_no_df_additionalinputreseed[] = {
++ 0x83, 0x39, 0x37, 0x7b, 0x02, 0x06, 0xd2, 0x12, 0x13, 0x8d, 0x8b, 0xf2,
++ 0xf0, 0xf6, 0x26, 0xeb, 0xa4, 0x22, 0x7b, 0xc2, 0xe7, 0xba, 0x79, 0xe4,
++ 0x3b, 0x77, 0x5d, 0x4d, 0x47, 0xb2, 0x2d, 0xb4
++};
++
++__fips_constseg static const unsigned char aes_128_no_df_additionalinput2[] = {
++ 0x0b, 0xb9, 0x67, 0x37, 0xdb, 0x83, 0xdf, 0xca, 0x81, 0x8b, 0xf9, 0x3f,
++ 0xf1, 0x11, 0x1b, 0x2f, 0xf0, 0x61, 0xa6, 0xdf, 0xba, 0xa3, 0xb1, 0xac,
++ 0xd3, 0xe6, 0x09, 0xb8, 0x2c, 0x6a, 0x67, 0xd6
++};
++
++__fips_constseg static const unsigned char aes_128_no_df_returnedbits[] = {
++ 0x1e, 0xa7, 0xa4, 0xe4, 0xe1, 0xa6, 0x7c, 0x69, 0x9a, 0x44, 0x6c, 0x36,
++ 0x81, 0x37, 0x19, 0xd4
++};
++
++/* AES-192 no df PR */
++__fips_constseg static const unsigned char aes_192_no_df_pr_entropyinput[] = {
++ 0x9d, 0x2c, 0xd2, 0x55, 0x66, 0xea, 0xe0, 0xbe, 0x18, 0xb7, 0x76, 0xe7,
++ 0x73, 0x35, 0xd8, 0x1f, 0xad, 0x3a, 0xe3, 0x81, 0x0e, 0x92, 0xd0, 0x61,
++ 0xc9, 0x12, 0x26, 0xf6, 0x1c, 0xdf, 0xfe, 0x47, 0xaa, 0xfe, 0x7d, 0x5a,
++ 0x17, 0x1f, 0x8d, 0x9a
++};
++
++__fips_constseg static const unsigned char aes_192_no_df_pr_nonce[] = {
++ 0x44, 0x82, 0xed, 0xe8, 0x4c, 0x28, 0x5a, 0x14, 0xff, 0x88, 0x8d, 0x19,
++ 0x61, 0x5c, 0xee, 0x0f
++};
++
++__fips_constseg
++ static const unsigned char aes_192_no_df_pr_personalizationstring[] = {
++ 0x47, 0xd7, 0x9b, 0x99, 0xaa, 0xcb, 0xe7, 0xd2, 0x57, 0x66, 0x2c, 0xe1,
++ 0x78, 0xd6, 0x2c, 0xea, 0xa3, 0x23, 0x5f, 0x2a, 0xc1, 0x3a, 0xf0, 0xa4,
++ 0x20, 0x3b, 0xfa, 0x07, 0xd5, 0x05, 0x02, 0xe4, 0x57, 0x01, 0xb6, 0x10,
++ 0x57, 0x2e, 0xe7, 0x55
++};
++
++__fips_constseg
++ static const unsigned char aes_192_no_df_pr_additionalinput[] = {
++ 0x4b, 0x74, 0x0b, 0x40, 0xce, 0x6b, 0xc2, 0x6a, 0x24, 0xb4, 0xf3, 0xad,
++ 0x7a, 0xa5, 0x7a, 0xa2, 0x15, 0xe2, 0xc8, 0x61, 0x15, 0xc6, 0xb7, 0x85,
++ 0x69, 0x11, 0xad, 0x7b, 0x14, 0xd2, 0xf6, 0x12, 0xa1, 0x95, 0x5d, 0x3f,
++ 0xe2, 0xd0, 0x0c, 0x2f
++};
++
++__fips_constseg static const unsigned char aes_192_no_df_pr_entropyinputpr[] = {
++ 0x0c, 0x9c, 0xad, 0x05, 0xee, 0xae, 0x48, 0x23, 0x89, 0x59, 0xa1, 0x94,
++ 0xd7, 0xd8, 0x75, 0xd5, 0x54, 0x93, 0xc7, 0x4a, 0xd9, 0x26, 0xde, 0xeb,
++ 0xba, 0xb0, 0x7e, 0x30, 0x1d, 0x5f, 0x69, 0x40, 0x9c, 0x3b, 0x17, 0x58,
++ 0x1d, 0x30, 0xb3, 0x78
++};
++
++__fips_constseg
++ static const unsigned char aes_192_no_df_pr_int_returnedbits[] = {
++ 0xf7, 0x93, 0xb0, 0x6d, 0x77, 0x83, 0xd5, 0x38, 0x01, 0xe1, 0x52, 0x40,
++ 0x7e, 0x3e, 0x0c, 0x26
++};
++
++__fips_constseg
++ static const unsigned char aes_192_no_df_pr_additionalinput2[] = {
++ 0xbc, 0x4b, 0x37, 0x44, 0x1c, 0xc5, 0x45, 0x5f, 0x8f, 0x51, 0x62, 0x8a,
++ 0x85, 0x30, 0x1d, 0x7c, 0xe4, 0xcf, 0xf7, 0x44, 0xce, 0x32, 0x3e, 0x57,
++ 0x95, 0xa4, 0x2a, 0xdf, 0xfd, 0x9e, 0x38, 0x41, 0xb3, 0xf6, 0xc5, 0xee,
++ 0x0c, 0x4b, 0xee, 0x6e
++};
++
++__fips_constseg
++ static const unsigned char aes_192_no_df_pr_entropyinputpr2[] = {
++ 0xec, 0xaf, 0xf6, 0x4f, 0xb1, 0xa0, 0x54, 0xb5, 0x5b, 0xe3, 0x46, 0xb0,
++ 0x76, 0x5a, 0x7c, 0x3f, 0x7b, 0x94, 0x69, 0x21, 0x51, 0x02, 0xe5, 0x9f,
++ 0x04, 0x59, 0x02, 0x98, 0xc6, 0x43, 0x2c, 0xcc, 0x26, 0x4c, 0x87, 0x6b,
++ 0x8e, 0x0a, 0x83, 0xdf
++};
++
++__fips_constseg static const unsigned char aes_192_no_df_pr_returnedbits[] = {
++ 0x74, 0x45, 0xfb, 0x53, 0x84, 0x96, 0xbe, 0xff, 0x15, 0xcc, 0x41, 0x91,
++ 0xb9, 0xa1, 0x21, 0x68
++};
++
++/* AES-192 no df No PR */
++__fips_constseg static const unsigned char aes_192_no_df_entropyinput[] = {
++ 0x3c, 0x7d, 0xb5, 0xe0, 0x54, 0xd9, 0x6e, 0x8c, 0xa9, 0x86, 0xce, 0x4e,
++ 0x6b, 0xaf, 0xeb, 0x2f, 0xe7, 0x75, 0xe0, 0x8b, 0xa4, 0x3b, 0x07, 0xfe,
++ 0xbe, 0x33, 0x75, 0x93, 0x80, 0x27, 0xb5, 0x29, 0x47, 0x8b, 0xc7, 0x28,
++ 0x94, 0xc3, 0x59, 0x63
++};
++
++__fips_constseg static const unsigned char aes_192_no_df_nonce[] = {
++ 0x43, 0xf1, 0x7d, 0xb8, 0xc3, 0xfe, 0xd0, 0x23, 0x6b, 0xb4, 0x92, 0xdb,
++ 0x29, 0xfd, 0x45, 0x71
++};
++
++__fips_constseg
++ static const unsigned char aes_192_no_df_personalizationstring[] = {
++ 0x9f, 0x24, 0x29, 0x99, 0x9e, 0x01, 0xab, 0xe9, 0x19, 0xd8, 0x23, 0x08,
++ 0xb7, 0xd6, 0x7e, 0x8c, 0xc0, 0x9e, 0x7f, 0x6e, 0x5b, 0x33, 0x20, 0x96,
++ 0x0b, 0x23, 0x2c, 0xa5, 0x6a, 0xf8, 0x1b, 0x04, 0x26, 0xdb, 0x2e, 0x2b,
++ 0x3b, 0x88, 0xce, 0x35
++};
++
++__fips_constseg static const unsigned char aes_192_no_df_additionalinput[] = {
++ 0x94, 0xe9, 0x7c, 0x3d, 0xa7, 0xdb, 0x60, 0x83, 0x1f, 0x98, 0x3f, 0x0b,
++ 0x88, 0x59, 0x57, 0x51, 0x88, 0x9f, 0x76, 0x49, 0x9f, 0xa6, 0xda, 0x71,
++ 0x1d, 0x0d, 0x47, 0x16, 0x63, 0xc5, 0x68, 0xe4, 0x5d, 0x39, 0x69, 0xb3,
++ 0x3e, 0xbe, 0xd4, 0x8e
++};
++
++__fips_constseg static const unsigned char aes_192_no_df_int_returnedbits[] = {
++ 0xf9, 0xd7, 0xad, 0x69, 0xab, 0x8f, 0x23, 0x56, 0x70, 0x17, 0x4f, 0x2a,
++ 0x45, 0xe7, 0x4a, 0xc5
++};
++
++__fips_constseg
++ static const unsigned char aes_192_no_df_entropyinputreseed[] = {
++ 0xa6, 0x71, 0x6a, 0x3d, 0xba, 0xd1, 0xe8, 0x66, 0xa6, 0xef, 0xb2, 0x0e,
++ 0xa8, 0x9c, 0xaa, 0x4e, 0xaf, 0x17, 0x89, 0x50, 0x00, 0xda, 0xa1, 0xb1,
++ 0x0b, 0xa4, 0xd9, 0x35, 0x89, 0xc8, 0xe5, 0xb0, 0xd9, 0xb7, 0xc4, 0x33,
++ 0x9b, 0xcb, 0x7e, 0x75
++};
++
++__fips_constseg
++ static const unsigned char aes_192_no_df_additionalinputreseed[] = {
++ 0x27, 0x21, 0xfc, 0xc2, 0xbd, 0xf3, 0x3c, 0xce, 0xc3, 0xca, 0xc1, 0x01,
++ 0xe0, 0xff, 0x93, 0x12, 0x7d, 0x54, 0x42, 0xe3, 0x9f, 0x03, 0xdf, 0x27,
++ 0x04, 0x07, 0x3c, 0x53, 0x7f, 0xa8, 0x66, 0xc8, 0x97, 0x4b, 0x61, 0x40,
++ 0x5d, 0x7a, 0x25, 0x79
++};
++
++__fips_constseg static const unsigned char aes_192_no_df_additionalinput2[] = {
++ 0x2d, 0x8e, 0x16, 0x5d, 0x0b, 0x9f, 0xeb, 0xaa, 0xd6, 0xec, 0x28, 0x71,
++ 0x7c, 0x0b, 0xc1, 0x1d, 0xd4, 0x44, 0x19, 0x47, 0xfd, 0x1d, 0x7c, 0xe5,
++ 0xf3, 0x27, 0xe1, 0xb6, 0x72, 0x0a, 0xe0, 0xec, 0x0e, 0xcd, 0xef, 0x1a,
++ 0x91, 0x6a, 0xe3, 0x5f
++};
++
++__fips_constseg static const unsigned char aes_192_no_df_returnedbits[] = {
++ 0xe5, 0xda, 0xb8, 0xe0, 0x63, 0x59, 0x5a, 0xcc, 0x3d, 0xdc, 0x9f, 0xe8,
++ 0x66, 0x67, 0x2c, 0x92
++};
++
++/* AES-256 no df PR */
++__fips_constseg static const unsigned char aes_256_no_df_pr_entropyinput[] = {
++ 0x15, 0xc7, 0x5d, 0xcb, 0x41, 0x4b, 0x16, 0x01, 0x3a, 0xd1, 0x44, 0xe8,
++ 0x22, 0x32, 0xc6, 0x9c, 0x3f, 0xe7, 0x43, 0xf5, 0x9a, 0xd3, 0xea, 0xf2,
++ 0xd7, 0x4e, 0x6e, 0x6a, 0x55, 0x73, 0x40, 0xef, 0x89, 0xad, 0x0d, 0x03,
++ 0x96, 0x7e, 0x78, 0x81, 0x2f, 0x91, 0x1b, 0x44, 0xb0, 0x02, 0xba, 0x1c
++};
++
++__fips_constseg static const unsigned char aes_256_no_df_pr_nonce[] = {
++ 0xdc, 0xe4, 0xd4, 0x27, 0x7a, 0x90, 0xd7, 0x99, 0x43, 0xa1, 0x3c, 0x30,
++ 0xcc, 0x4b, 0xee, 0x2e
++};
++
++__fips_constseg
++ static const unsigned char aes_256_no_df_pr_personalizationstring[] = {
++ 0xe3, 0xe6, 0xb9, 0x11, 0xe4, 0x7a, 0xa4, 0x40, 0x6b, 0xf8, 0x73, 0xf7,
++ 0x7e, 0xec, 0xc7, 0xb9, 0x97, 0xbf, 0xf8, 0x25, 0x7b, 0xbe, 0x11, 0x9b,
++ 0x5b, 0x6a, 0x0c, 0x2e, 0x2b, 0x01, 0x51, 0xcd, 0x41, 0x4b, 0x6b, 0xac,
++ 0x31, 0xa8, 0x0b, 0xf7, 0xe6, 0x59, 0x42, 0xb8, 0x03, 0x0c, 0xf8, 0x06
++};
++
++__fips_constseg
++ static const unsigned char aes_256_no_df_pr_additionalinput[] = {
++ 0x6a, 0x9f, 0x00, 0x91, 0xae, 0xfe, 0xcf, 0x84, 0x99, 0xce, 0xb1, 0x40,
++ 0x6d, 0x5d, 0x33, 0x28, 0x84, 0xf4, 0x8c, 0x63, 0x4c, 0x7e, 0xbd, 0x2c,
++ 0x80, 0x76, 0xee, 0x5a, 0xaa, 0x15, 0x07, 0x31, 0xd8, 0xbb, 0x8c, 0x69,
++ 0x9d, 0x9d, 0xbc, 0x7e, 0x49, 0xae, 0xec, 0x39, 0x6b, 0xd1, 0x1f, 0x7e
++};
++
++__fips_constseg static const unsigned char aes_256_no_df_pr_entropyinputpr[] = {
++ 0xf3, 0xb9, 0x75, 0x9c, 0xbd, 0x88, 0xea, 0xa2, 0x50, 0xad, 0xd6, 0x16,
++ 0x1a, 0x12, 0x3c, 0x86, 0x68, 0xaf, 0x6f, 0xbe, 0x19, 0xf2, 0xee, 0xcc,
++ 0xa5, 0x70, 0x84, 0x53, 0x50, 0xcb, 0x9f, 0x14, 0xa9, 0xe5, 0xee, 0xb9,
++ 0x48, 0x45, 0x40, 0xe2, 0xc7, 0xc9, 0x9a, 0x74, 0xff, 0x8c, 0x99, 0x1f
++};
++
++__fips_constseg
++ static const unsigned char aes_256_no_df_pr_int_returnedbits[] = {
++ 0x2e, 0xf2, 0x45, 0x4c, 0x62, 0x2e, 0x0a, 0xb9, 0x6b, 0xa2, 0xfd, 0x56,
++ 0x79, 0x60, 0x93, 0xcf
++};
++
++__fips_constseg
++ static const unsigned char aes_256_no_df_pr_additionalinput2[] = {
++ 0xaf, 0x69, 0x20, 0xe9, 0x3b, 0x37, 0x9d, 0x3f, 0xb4, 0x80, 0x02, 0x7a,
++ 0x25, 0x7d, 0xb8, 0xde, 0x71, 0xc5, 0x06, 0x0c, 0xb4, 0xe2, 0x8f, 0x35,
++ 0xd8, 0x14, 0x0d, 0x7f, 0x76, 0x63, 0x4e, 0xb5, 0xee, 0xe9, 0x6f, 0x34,
++ 0xc7, 0x5f, 0x56, 0x14, 0x4a, 0xe8, 0x73, 0x95, 0x5b, 0x1c, 0xb9, 0xcb
++};
++
++__fips_constseg
++ static const unsigned char aes_256_no_df_pr_entropyinputpr2[] = {
++ 0xe5, 0xb0, 0x2e, 0x7e, 0x52, 0x30, 0xe3, 0x63, 0x82, 0xb6, 0x44, 0xd3,
++ 0x25, 0x19, 0x05, 0x24, 0x9a, 0x9f, 0x5f, 0x27, 0x6a, 0x29, 0xab, 0xfa,
++ 0x07, 0xa2, 0x42, 0x0f, 0xc5, 0xa8, 0x94, 0x7c, 0x17, 0x7b, 0x85, 0x83,
++ 0x0c, 0x25, 0x0e, 0x63, 0x0b, 0xe9, 0x12, 0x60, 0xcd, 0xef, 0x80, 0x0f
++};
++
++__fips_constseg static const unsigned char aes_256_no_df_pr_returnedbits[] = {
++ 0x5e, 0xf2, 0x26, 0xef, 0x9f, 0x58, 0x5d, 0xd5, 0x4a, 0x10, 0xfe, 0xa7,
++ 0x2d, 0x5f, 0x4a, 0x46
++};
++
++/* AES-256 no df No PR */
++__fips_constseg static const unsigned char aes_256_no_df_entropyinput[] = {
++ 0xfb, 0xcf, 0x1b, 0x61, 0x16, 0x89, 0x78, 0x23, 0xf5, 0xd8, 0x96, 0xe3,
++ 0x4e, 0x64, 0x0b, 0x29, 0x9a, 0x3f, 0xf8, 0xa5, 0xed, 0xf2, 0xfe, 0xdb,
++ 0x16, 0xca, 0x7f, 0x10, 0xfa, 0x5e, 0x18, 0x76, 0x2c, 0x63, 0x5e, 0x96,
++ 0xcf, 0xb3, 0xd6, 0xfc, 0xaf, 0x99, 0x39, 0x28, 0x9c, 0x61, 0xe8, 0xb3
++};
++
++__fips_constseg static const unsigned char aes_256_no_df_nonce[] = {
++ 0x12, 0x96, 0xf0, 0x52, 0xf3, 0x8d, 0x81, 0xcf, 0xde, 0x86, 0xf2, 0x99,
++ 0x43, 0x96, 0xb9, 0xf0
++};
++
++__fips_constseg
++ static const unsigned char aes_256_no_df_personalizationstring[] = {
++ 0x63, 0x0d, 0x78, 0xf5, 0x90, 0x8e, 0x32, 0x47, 0xb0, 0x4d, 0x37, 0x60,
++ 0x09, 0x96, 0xbc, 0xbf, 0x97, 0x7a, 0x62, 0x14, 0x45, 0xbd, 0x8d, 0xcc,
++ 0x69, 0xfb, 0x03, 0xe1, 0x80, 0x1c, 0xc7, 0xe2, 0x2a, 0xf9, 0x37, 0x3f,
++ 0x66, 0x4d, 0x62, 0xd9, 0x10, 0xe0, 0xad, 0xc8, 0x9a, 0xf0, 0xa8, 0x6d
++};
++
++__fips_constseg static const unsigned char aes_256_no_df_additionalinput[] = {
++ 0x36, 0xc6, 0x13, 0x60, 0xbb, 0x14, 0xad, 0x22, 0xb0, 0x38, 0xac, 0xa6,
++ 0x18, 0x16, 0x93, 0x25, 0x86, 0xb7, 0xdc, 0xdc, 0x36, 0x98, 0x2b, 0xf9,
++ 0x68, 0x33, 0xd3, 0xc6, 0xff, 0xce, 0x8d, 0x15, 0x59, 0x82, 0x76, 0xed,
++ 0x6f, 0x8d, 0x49, 0x74, 0x2f, 0xda, 0xdc, 0x1f, 0x17, 0xd0, 0xde, 0x17
++};
++
++__fips_constseg static const unsigned char aes_256_no_df_int_returnedbits[] = {
++ 0x16, 0x2f, 0x8e, 0x3f, 0x21, 0x7a, 0x1c, 0x20, 0x56, 0xd1, 0x92, 0xf6,
++ 0xd2, 0x25, 0x75, 0x0e
++};
++
++__fips_constseg
++ static const unsigned char aes_256_no_df_entropyinputreseed[] = {
++ 0x91, 0x79, 0x76, 0xee, 0xe0, 0xcf, 0x9e, 0xc2, 0xd5, 0xd4, 0x23, 0x9b,
++ 0x12, 0x8c, 0x7e, 0x0a, 0xb7, 0xd2, 0x8b, 0xd6, 0x7c, 0xa3, 0xc6, 0xe5,
++ 0x0e, 0xaa, 0xc7, 0x6b, 0xae, 0x0d, 0xfa, 0x53, 0x06, 0x79, 0xa1, 0xed,
++ 0x4d, 0x6a, 0x0e, 0xd8, 0x9d, 0xbe, 0x1b, 0x31, 0x93, 0x7b, 0xec, 0xfb
++};
++
++__fips_constseg
++ static const unsigned char aes_256_no_df_additionalinputreseed[] = {
++ 0xd2, 0x46, 0x50, 0x22, 0x10, 0x14, 0x63, 0xf7, 0xea, 0x0f, 0xb9, 0x7e,
++ 0x0d, 0xe1, 0x94, 0x07, 0xaf, 0x09, 0x44, 0x31, 0xea, 0x64, 0xa4, 0x18,
++ 0x5b, 0xf9, 0xd8, 0xc2, 0xfa, 0x03, 0x47, 0xc5, 0x39, 0x43, 0xd5, 0x3b,
++ 0x62, 0x86, 0x64, 0xea, 0x2c, 0x73, 0x8c, 0xae, 0x9d, 0x98, 0x98, 0x29
++};
++
++__fips_constseg static const unsigned char aes_256_no_df_additionalinput2[] = {
++ 0x8c, 0xab, 0x18, 0xf8, 0xc3, 0xec, 0x18, 0x5c, 0xb3, 0x1e, 0x9d, 0xbe,
++ 0x3f, 0x03, 0xb4, 0x00, 0x98, 0x9d, 0xae, 0xeb, 0xf4, 0x94, 0xf8, 0x42,
++ 0x8f, 0xe3, 0x39, 0x07, 0xe1, 0xc9, 0xad, 0x0b, 0x1f, 0xed, 0xc0, 0xba,
++ 0xf6, 0xd1, 0xec, 0x27, 0x86, 0x7b, 0xd6, 0x55, 0x9b, 0x60, 0xa5, 0xc6
++};
++
++__fips_constseg static const unsigned char aes_256_no_df_returnedbits[] = {
++ 0xef, 0xd2, 0xd8, 0x5c, 0xdc, 0x62, 0x25, 0x9f, 0xaa, 0x1e, 0x2c, 0x67,
++ 0xf6, 0x02, 0x32, 0xe2
++};
++
++/* SHA-1 PR */
++__fips_constseg static const unsigned char sha1_pr_entropyinput[] = {
++ 0xd2, 0x36, 0xa5, 0x27, 0x31, 0x73, 0xdd, 0x11, 0x4f, 0x93, 0xbd, 0xe2,
++ 0x31, 0xa5, 0x91, 0x13
++};
++
++__fips_constseg static const unsigned char sha1_pr_nonce[] = {
++ 0xb5, 0xb3, 0x60, 0xef, 0xf7, 0x63, 0x31, 0xf3
++};
++
++__fips_constseg static const unsigned char sha1_pr_personalizationstring[] = {
++ 0xd4, 0xbb, 0x02, 0x10, 0xb2, 0x71, 0xdb, 0x81, 0xd6, 0xf0, 0x42, 0x60,
++ 0xda, 0xea, 0x77, 0x52
++};
++
++__fips_constseg static const unsigned char sha1_pr_additionalinput[] = {
++ 0x4d, 0xd2, 0x6c, 0x87, 0xfb, 0x2c, 0x4f, 0xa6, 0x8d, 0x16, 0x63, 0x22,
++ 0x6a, 0x51, 0xe3, 0xf8
++};
++
++__fips_constseg static const unsigned char sha1_pr_entropyinputpr[] = {
++ 0xc9, 0x83, 0x9e, 0x16, 0xf6, 0x1c, 0x0f, 0xb2, 0xec, 0x60, 0x31, 0xa9,
++ 0xcb, 0xa9, 0x36, 0x7a
++};
++
++__fips_constseg static const unsigned char sha1_pr_int_returnedbits[] = {
++ 0xa8, 0x13, 0x4f, 0xf4, 0x31, 0x02, 0x44, 0xe3, 0xd3, 0x3d, 0x61, 0x9e,
++ 0xe5, 0xc6, 0x3e, 0x89, 0xb5, 0x9b, 0x0f, 0x35
++};
++
++__fips_constseg static const unsigned char sha1_pr_additionalinput2[] = {
++ 0xf9, 0xe8, 0xd2, 0x72, 0x13, 0x34, 0x95, 0x6f, 0x15, 0x49, 0x47, 0x99,
++ 0x16, 0x03, 0x19, 0x47
++};
++
++__fips_constseg static const unsigned char sha1_pr_entropyinputpr2[] = {
++ 0x4e, 0x8c, 0x49, 0x9b, 0x4a, 0x5c, 0x9b, 0x9c, 0x3a, 0xee, 0xfb, 0xd2,
++ 0xae, 0xcd, 0x8c, 0xc4
++};
++
++__fips_constseg static const unsigned char sha1_pr_returnedbits[] = {
++ 0x50, 0xb4, 0xb4, 0xcd, 0x68, 0x57, 0xfc, 0x2e, 0xc1, 0x52, 0xcc, 0xf6,
++ 0x68, 0xa4, 0x81, 0xed, 0x7e, 0xe4, 0x1d, 0x87
++};
++
++/* SHA-1 No PR */
++__fips_constseg static const unsigned char sha1_entropyinput[] = {
++ 0xa9, 0x47, 0x1b, 0x29, 0x2d, 0x1c, 0x05, 0xdf, 0x76, 0xd0, 0x62, 0xf9,
++ 0xe2, 0x7f, 0x4c, 0x7b
++};
++
++__fips_constseg static const unsigned char sha1_nonce[] = {
++ 0x53, 0x23, 0x24, 0xe3, 0xec, 0x0c, 0x54, 0x14
++};
++
++__fips_constseg static const unsigned char sha1_personalizationstring[] = {
++ 0x7a, 0x87, 0xa1, 0xac, 0x1c, 0xfd, 0xab, 0xae, 0xf7, 0xd6, 0xfb, 0x76,
++ 0x28, 0xec, 0x6d, 0xca
++};
++
++__fips_constseg static const unsigned char sha1_additionalinput[] = {
++ 0xfc, 0x92, 0x35, 0xd6, 0x7e, 0xb7, 0x24, 0x65, 0xfd, 0x12, 0x27, 0x35,
++ 0xc0, 0x72, 0xca, 0x28
++};
++
++__fips_constseg static const unsigned char sha1_int_returnedbits[] = {
++ 0x57, 0x88, 0x82, 0xe5, 0x25, 0xa5, 0x2c, 0x4a, 0x06, 0x20, 0x6c, 0x72,
++ 0x55, 0x61, 0xdd, 0x90, 0x71, 0x9f, 0x95, 0xea
++};
++
++__fips_constseg static const unsigned char sha1_entropyinputreseed[] = {
++ 0x69, 0xa5, 0x40, 0x62, 0x98, 0x47, 0x56, 0x73, 0x4a, 0x8f, 0x60, 0x96,
++ 0xd6, 0x99, 0x27, 0xed
++};
++
++__fips_constseg static const unsigned char sha1_additionalinputreseed[] = {
++ 0xe5, 0x40, 0x4e, 0xbd, 0x50, 0x00, 0xf5, 0x15, 0xa6, 0xee, 0x45, 0xda,
++ 0x84, 0x3d, 0xd4, 0xc0
++};
++
++__fips_constseg static const unsigned char sha1_additionalinput2[] = {
++ 0x11, 0x51, 0x14, 0xf0, 0x09, 0x1b, 0x4e, 0x56, 0x0d, 0xe9, 0xf6, 0x1e,
++ 0x52, 0x65, 0xcd, 0x96
++};
++
++__fips_constseg static const unsigned char sha1_returnedbits[] = {
++ 0xa1, 0x9c, 0x94, 0x6e, 0x29, 0xe1, 0x33, 0x0d, 0x32, 0xd6, 0xaa, 0xce,
++ 0x71, 0x3f, 0x52, 0x72, 0x8b, 0x42, 0xa8, 0xd7
++};
++
++/* SHA-224 PR */
++__fips_constseg static const unsigned char sha224_pr_entropyinput[] = {
++ 0x12, 0x69, 0x32, 0x4f, 0x83, 0xa6, 0xf5, 0x14, 0xe3, 0x49, 0x3e, 0x75,
++ 0x3e, 0xde, 0xad, 0xa1, 0x29, 0xc3, 0xf3, 0x19, 0x20, 0xb5, 0x4c, 0xd9
++};
++
++__fips_constseg static const unsigned char sha224_pr_nonce[] = {
++ 0x6a, 0x78, 0xd0, 0xeb, 0xbb, 0x5a, 0xf0, 0xee, 0xe8, 0xc3, 0xba, 0x71
++};
++
++__fips_constseg static const unsigned char sha224_pr_personalizationstring[] = {
++ 0xd5, 0xb8, 0xb6, 0xbc, 0xc1, 0x5b, 0x60, 0x31, 0x3c, 0xf5, 0xe5, 0xc0,
++ 0x8e, 0x52, 0x7a, 0xbd, 0xea, 0x47, 0xa9, 0x5f, 0x8f, 0xf9, 0x8b, 0xae
++};
++
++__fips_constseg static const unsigned char sha224_pr_additionalinput[] = {
++ 0x1f, 0x55, 0xec, 0xae, 0x16, 0x12, 0x84, 0xba, 0x84, 0x16, 0x19, 0x88,
++ 0x8e, 0xb8, 0x33, 0x25, 0x54, 0xff, 0xca, 0x79, 0xaf, 0x07, 0x25, 0x50
++};
++
++__fips_constseg static const unsigned char sha224_pr_entropyinputpr[] = {
++ 0x92, 0xa3, 0x32, 0xa8, 0x9a, 0x0a, 0x58, 0x7c, 0x1d, 0x5a, 0x7e, 0xe1,
++ 0xb2, 0x73, 0xab, 0x0e, 0x16, 0x79, 0x23, 0xd3, 0x29, 0x89, 0x81, 0xe1
++};
++
++__fips_constseg static const unsigned char sha224_pr_int_returnedbits[] = {
++ 0xf3, 0x38, 0x91, 0x40, 0x37, 0x7a, 0x51, 0x72, 0x42, 0x74, 0x78, 0x0a,
++ 0x69, 0xfd, 0xa6, 0x44, 0x43, 0x45, 0x6c, 0x0c, 0x5a, 0x19, 0xff, 0xf1,
++ 0x54, 0x60, 0xee, 0x6a
++};
++
++__fips_constseg static const unsigned char sha224_pr_additionalinput2[] = {
++ 0x75, 0xf3, 0x04, 0x25, 0xdd, 0x36, 0xa8, 0x37, 0x46, 0xae, 0x0c, 0x52,
++ 0x05, 0x79, 0x4c, 0x26, 0xdb, 0xe9, 0x71, 0x16, 0x4c, 0x0a, 0xf2, 0x60
++};
++
++__fips_constseg static const unsigned char sha224_pr_entropyinputpr2[] = {
++ 0xea, 0xc5, 0x03, 0x0a, 0x4f, 0xb0, 0x38, 0x8d, 0x23, 0xd4, 0xc8, 0x77,
++ 0xe2, 0x6d, 0x9c, 0x0b, 0x44, 0xf7, 0x2d, 0x5b, 0xbf, 0x5d, 0x2a, 0x11
++};
++
++__fips_constseg static const unsigned char sha224_pr_returnedbits[] = {
++ 0x60, 0x50, 0x2b, 0xe7, 0x86, 0xd8, 0x26, 0x73, 0xe3, 0x1d, 0x95, 0x20,
++ 0xb3, 0x2c, 0x32, 0x1c, 0xf5, 0xce, 0x57, 0xa6, 0x67, 0x2b, 0xdc, 0x4e,
++ 0xdd, 0x11, 0x4c, 0xc4
++};
++
++/* SHA-224 No PR */
++__fips_constseg static const unsigned char sha224_entropyinput[] = {
++ 0xb2, 0x1c, 0x77, 0x4d, 0xf6, 0xd3, 0xb6, 0x40, 0xb7, 0x30, 0x3e, 0x29,
++ 0xb0, 0x85, 0x1c, 0xbe, 0x4a, 0xea, 0x6b, 0x5a, 0xb5, 0x8a, 0x97, 0xeb
++};
++
++__fips_constseg static const unsigned char sha224_nonce[] = {
++ 0x42, 0x02, 0x0a, 0x1c, 0x98, 0x9a, 0x77, 0x9e, 0x9f, 0x80, 0xba, 0xe0
++};
++
++__fips_constseg static const unsigned char sha224_personalizationstring[] = {
++ 0x98, 0xb8, 0x04, 0x41, 0xfc, 0xc1, 0x5d, 0xc5, 0xe9, 0xb9, 0x08, 0xda,
++ 0xf9, 0xfa, 0x0d, 0x90, 0xce, 0xdf, 0x1d, 0x10, 0xa9, 0x8d, 0x50, 0x0c
++};
++
++__fips_constseg static const unsigned char sha224_additionalinput[] = {
++ 0x9a, 0x8d, 0x39, 0x49, 0x42, 0xd5, 0x0b, 0xae, 0xe1, 0xaf, 0xb7, 0x00,
++ 0x02, 0xfa, 0x96, 0xb1, 0xa5, 0x1d, 0x2d, 0x25, 0x78, 0xee, 0x83, 0x3f
++};
++
++__fips_constseg static const unsigned char sha224_int_returnedbits[] = {
++ 0xe4, 0xf5, 0x53, 0x79, 0x5a, 0x97, 0x58, 0x06, 0x08, 0xba, 0x7b, 0xfa,
++ 0xf0, 0x83, 0x05, 0x8c, 0x22, 0xc0, 0xc9, 0xdb, 0x15, 0xe7, 0xde, 0x20,
++ 0x55, 0x22, 0x9a, 0xad
++};
++
++__fips_constseg static const unsigned char sha224_entropyinputreseed[] = {
++ 0x67, 0x09, 0x48, 0xaa, 0x07, 0x16, 0x99, 0x89, 0x7f, 0x6d, 0xa0, 0xe5,
++ 0x8f, 0xdf, 0xbc, 0xdb, 0xfe, 0xe5, 0x6c, 0x7a, 0x95, 0x4a, 0x66, 0x17
++};
++
++__fips_constseg static const unsigned char sha224_additionalinputreseed[] = {
++ 0x0f, 0x4b, 0x1c, 0x6f, 0xb7, 0xe3, 0x47, 0xe5, 0x5d, 0x7d, 0x38, 0xd6,
++ 0x28, 0x9b, 0xeb, 0x55, 0x63, 0x09, 0x3e, 0x7c, 0x56, 0xea, 0xf8, 0x19
++};
++
++__fips_constseg static const unsigned char sha224_additionalinput2[] = {
++ 0x2d, 0x26, 0x7c, 0x37, 0xe4, 0x7a, 0x28, 0x5e, 0x5a, 0x3c, 0xaf, 0x3d,
++ 0x5a, 0x8e, 0x55, 0xa2, 0x1a, 0x6e, 0xc0, 0xe5, 0xf6, 0x21, 0xd3, 0xf6
++};
++
++__fips_constseg static const unsigned char sha224_returnedbits[] = {
++ 0x4d, 0x83, 0x35, 0xdf, 0x67, 0xa9, 0xfc, 0x17, 0xda, 0x70, 0xcc, 0x8b,
++ 0x7f, 0x77, 0xae, 0xa2, 0x5f, 0xb9, 0x7e, 0x74, 0x4c, 0x26, 0xc1, 0x7a,
++ 0x3b, 0xa7, 0x5c, 0x93
++};
++
++/* SHA-256 PR */
++__fips_constseg static const unsigned char sha256_pr_entropyinput[] = {
++ 0xce, 0x49, 0x00, 0x7a, 0x56, 0xe3, 0x67, 0x8f, 0xe1, 0xb6, 0xa7, 0xd4,
++ 0x4f, 0x08, 0x7a, 0x1b, 0x01, 0xf4, 0xfa, 0x6b, 0xef, 0xb7, 0xe5, 0xeb,
++ 0x07, 0x3d, 0x11, 0x0d, 0xc8, 0xea, 0x2b, 0xfe
++};
++
++__fips_constseg static const unsigned char sha256_pr_nonce[] = {
++ 0x73, 0x41, 0xc8, 0x92, 0x94, 0xe2, 0xc5, 0x5f, 0x93, 0xfd, 0x39, 0x5d,
++ 0x2b, 0x91, 0x4d, 0x38
++};
++
++__fips_constseg static const unsigned char sha256_pr_personalizationstring[] = {
++ 0x50, 0x6d, 0x01, 0x01, 0x07, 0x5a, 0x80, 0x35, 0x7a, 0x56, 0x1a, 0x56,
++ 0x2f, 0x9a, 0x0b, 0x35, 0xb2, 0xb1, 0xc9, 0xe5, 0xca, 0x69, 0x61, 0x48,
++ 0xff, 0xfb, 0x0f, 0xd9, 0x4b, 0x79, 0x1d, 0xba
++};
++
++__fips_constseg static const unsigned char sha256_pr_additionalinput[] = {
++ 0x20, 0xb8, 0xdf, 0x44, 0x77, 0x5a, 0xb8, 0xd3, 0xbf, 0xf6, 0xcf, 0xac,
++ 0x5e, 0xa6, 0x96, 0x62, 0x73, 0x44, 0x40, 0x4a, 0x30, 0xfb, 0x38, 0xa5,
++ 0x7b, 0x0d, 0xe4, 0x0d, 0xc6, 0xe4, 0x9a, 0x1f
++};
++
++__fips_constseg static const unsigned char sha256_pr_entropyinputpr[] = {
++ 0x04, 0xc4, 0x65, 0xf4, 0xd3, 0xbf, 0x83, 0x4b, 0xab, 0xc8, 0x41, 0xa8,
++ 0xc2, 0xe0, 0x44, 0x63, 0x77, 0x4c, 0x6f, 0x6c, 0x49, 0x46, 0xff, 0x94,
++ 0x17, 0xea, 0xe6, 0x1a, 0x9d, 0x5e, 0x66, 0x78
++};
++
++__fips_constseg static const unsigned char sha256_pr_int_returnedbits[] = {
++ 0x07, 0x4d, 0xac, 0x9b, 0x86, 0xca, 0x4a, 0xaa, 0x6e, 0x7a, 0x03, 0xa2,
++ 0x5d, 0x10, 0xea, 0x0b, 0xf9, 0x83, 0xcc, 0xd1, 0xfc, 0xe2, 0x07, 0xc7,
++ 0x06, 0x34, 0x60, 0x6f, 0x83, 0x94, 0x99, 0x76
++};
++
++__fips_constseg static const unsigned char sha256_pr_additionalinput2[] = {
++ 0x89, 0x4e, 0x45, 0x8c, 0x11, 0xf9, 0xbc, 0x5b, 0xac, 0x74, 0x8b, 0x4b,
++ 0x5f, 0xf7, 0x19, 0xf3, 0xf5, 0x24, 0x54, 0x14, 0xd1, 0x15, 0xb1, 0x43,
++ 0x12, 0xa4, 0x5f, 0xd4, 0xec, 0xfc, 0xcd, 0x09
++};
++
++__fips_constseg static const unsigned char sha256_pr_entropyinputpr2[] = {
++ 0x0e, 0xeb, 0x1f, 0xd7, 0xfc, 0xd1, 0x9d, 0xd4, 0x05, 0x36, 0x8b, 0xb2,
++ 0xfb, 0xe4, 0xf4, 0x51, 0x0c, 0x87, 0x9b, 0x02, 0x44, 0xd5, 0x92, 0x4d,
++ 0x44, 0xfe, 0x1a, 0x03, 0x43, 0x56, 0xbd, 0x86
++};
++
++__fips_constseg static const unsigned char sha256_pr_returnedbits[] = {
++ 0x02, 0xaa, 0xb6, 0x1d, 0x7e, 0x2a, 0x40, 0x03, 0x69, 0x2d, 0x49, 0xa3,
++ 0x41, 0xe7, 0x44, 0x0b, 0xaf, 0x7b, 0x85, 0xe4, 0x5f, 0x53, 0x3b, 0x64,
++ 0xbc, 0x89, 0xc8, 0x82, 0xd4, 0x78, 0x37, 0xa2
++};
++
++/* SHA-256 No PR */
++__fips_constseg static const unsigned char sha256_entropyinput[] = {
++ 0x5b, 0x1b, 0xec, 0x4d, 0xa9, 0x38, 0x74, 0x5a, 0x34, 0x0b, 0x7b, 0xc5,
++ 0xe5, 0xd7, 0x66, 0x7c, 0xbc, 0x82, 0xb9, 0x0e, 0x2d, 0x1f, 0x92, 0xd7,
++ 0xc1, 0xbc, 0x67, 0x69, 0xec, 0x6b, 0x03, 0x3c
++};
++
++__fips_constseg static const unsigned char sha256_nonce[] = {
++ 0xa4, 0x0c, 0xd8, 0x9c, 0x61, 0xd8, 0xc3, 0x54, 0xfe, 0x53, 0xc9, 0xe5,
++ 0x5d, 0x6f, 0x6d, 0x35
++};
++
++__fips_constseg static const unsigned char sha256_personalizationstring[] = {
++ 0x22, 0x5e, 0x62, 0x93, 0x42, 0x83, 0x78, 0x24, 0xd8, 0x40, 0x8c, 0xde,
++ 0x6f, 0xf9, 0xa4, 0x7a, 0xc5, 0xa7, 0x3b, 0x88, 0xa3, 0xee, 0x42, 0x20,
++ 0xfd, 0x61, 0x56, 0xc6, 0x4c, 0x13, 0x41, 0x9c
++};
++
++__fips_constseg static const unsigned char sha256_additionalinput[] = {
++ 0xbf, 0x74, 0x5b, 0xf6, 0xc5, 0x64, 0x5e, 0x99, 0x34, 0x8f, 0xbc, 0xa4,
++ 0xe2, 0xbd, 0xd8, 0x85, 0x26, 0x37, 0xea, 0xba, 0x4f, 0xf2, 0x9a, 0x9a,
++ 0x66, 0xfc, 0xdf, 0x63, 0x26, 0x26, 0x19, 0x87
++};
++
++__fips_constseg static const unsigned char sha256_int_returnedbits[] = {
++ 0xb3, 0xc6, 0x07, 0x07, 0xd6, 0x75, 0xf6, 0x2b, 0xd6, 0x21, 0x96, 0xf1,
++ 0xae, 0xdb, 0x2b, 0xac, 0x25, 0x2a, 0xae, 0xae, 0x41, 0x72, 0x03, 0x5e,
++ 0xbf, 0xd3, 0x64, 0xbc, 0x59, 0xf9, 0xc0, 0x76
++};
++
++__fips_constseg static const unsigned char sha256_entropyinputreseed[] = {
++ 0xbf, 0x20, 0x33, 0x56, 0x29, 0xa8, 0x37, 0x04, 0x1f, 0x78, 0x34, 0x3d,
++ 0x81, 0x2a, 0xc9, 0x86, 0xc6, 0x7a, 0x2f, 0x88, 0x5e, 0xd5, 0xbe, 0x34,
++ 0x46, 0x20, 0xa4, 0x35, 0xeb, 0xc7, 0xe2, 0x9d
++};
++
++__fips_constseg static const unsigned char sha256_additionalinputreseed[] = {
++ 0x9b, 0xae, 0x2d, 0x2d, 0x61, 0xa4, 0x89, 0xeb, 0x43, 0x46, 0xa7, 0xda,
++ 0xef, 0x40, 0xca, 0x4a, 0x99, 0x11, 0x41, 0xdc, 0x5c, 0x94, 0xe9, 0xac,
++ 0xd4, 0xd0, 0xe6, 0xbd, 0xfb, 0x03, 0x9c, 0xa8
++};
++
++__fips_constseg static const unsigned char sha256_additionalinput2[] = {
++ 0x23, 0xaa, 0x0c, 0xbd, 0x28, 0x33, 0xe2, 0x51, 0xfc, 0x71, 0xd2, 0x15,
++ 0x1f, 0x76, 0xfd, 0x0d, 0xe0, 0xb7, 0xb5, 0x84, 0x75, 0x5b, 0xbe, 0xf3,
++ 0x5c, 0xca, 0xc5, 0x30, 0xf2, 0x75, 0x1f, 0xda
++};
++
++__fips_constseg static const unsigned char sha256_returnedbits[] = {
++ 0x90, 0x3c, 0xc1, 0x10, 0x8c, 0x12, 0x01, 0xc6, 0xa6, 0x3a, 0x0f, 0x4d,
++ 0xb6, 0x3a, 0x4f, 0x41, 0x9c, 0x61, 0x75, 0x84, 0xe9, 0x74, 0x75, 0xfd,
++ 0xfe, 0xf2, 0x1f, 0x43, 0xd8, 0x5e, 0x24, 0xa3
++};
++
++/* SHA-384 PR */
++__fips_constseg static const unsigned char sha384_pr_entropyinput[] = {
++ 0x71, 0x9d, 0xb2, 0x5a, 0x71, 0x6d, 0x04, 0xe9, 0x1e, 0xc7, 0x92, 0x24,
++ 0x6e, 0x12, 0x33, 0xa9, 0x52, 0x64, 0x31, 0xef, 0x71, 0xeb, 0x22, 0x55,
++ 0x28, 0x97, 0x06, 0x6a, 0xc0, 0x0c, 0xa0, 0x7e
++};
++
++__fips_constseg static const unsigned char sha384_pr_nonce[] = {
++ 0xf5, 0x0d, 0xfa, 0xb0, 0xec, 0x6a, 0x7c, 0xd6, 0xbd, 0x9b, 0x05, 0xfd,
++ 0x38, 0x3e, 0x2e, 0x56
++};
++
++__fips_constseg static const unsigned char sha384_pr_personalizationstring[] = {
++ 0x74, 0xac, 0x7e, 0x6d, 0xb1, 0xa4, 0xe7, 0x21, 0xd1, 0x1e, 0x6e, 0x96,
++ 0x6d, 0x4d, 0x53, 0x46, 0x82, 0x96, 0x6e, 0xcf, 0xaa, 0x81, 0x8d, 0x7d,
++ 0x9e, 0xe1, 0x0f, 0x15, 0xea, 0x41, 0xbf, 0xe3
++};
++
++__fips_constseg static const unsigned char sha384_pr_additionalinput[] = {
++ 0xda, 0x95, 0xd4, 0xd0, 0xb8, 0x11, 0xd3, 0x49, 0x27, 0x5d, 0xa9, 0x39,
++ 0x68, 0xf3, 0xa8, 0xe9, 0x5d, 0x19, 0x8a, 0x2b, 0x66, 0xe8, 0x69, 0x06,
++ 0x7c, 0x9e, 0x03, 0xa1, 0x8b, 0x26, 0x2d, 0x6e
++};
++
++__fips_constseg static const unsigned char sha384_pr_entropyinputpr[] = {
++ 0x49, 0xdf, 0x44, 0x00, 0xe4, 0x1c, 0x75, 0x0b, 0x26, 0x5a, 0x59, 0x64,
++ 0x1f, 0x4e, 0xb1, 0xb2, 0x13, 0xf1, 0x22, 0x4e, 0xb4, 0x6d, 0x9a, 0xcc,
++ 0xa0, 0x48, 0xe6, 0xcf, 0x1d, 0xd1, 0x92, 0x0d
++};
++
++__fips_constseg static const unsigned char sha384_pr_int_returnedbits[] = {
++ 0xc8, 0x52, 0xae, 0xbf, 0x04, 0x3c, 0x27, 0xb7, 0x78, 0x18, 0xaa, 0x8f,
++ 0xff, 0xcf, 0xa4, 0xf1, 0xcc, 0xe7, 0x68, 0xfa, 0x22, 0xa2, 0x13, 0x45,
++ 0xe8, 0xdd, 0x87, 0xe6, 0xf2, 0x6e, 0xdd, 0xc7, 0x52, 0x90, 0x9f, 0x7b,
++ 0xfa, 0x61, 0x2d, 0x9d, 0x9e, 0xcf, 0x98, 0xac, 0x52, 0x40, 0xce, 0xaf
++};
++
++__fips_constseg static const unsigned char sha384_pr_additionalinput2[] = {
++ 0x61, 0x7c, 0x03, 0x9a, 0x3e, 0x50, 0x57, 0x60, 0xc5, 0x83, 0xc9, 0xb2,
++ 0xd1, 0x87, 0x85, 0x66, 0x92, 0x5d, 0x84, 0x0e, 0x53, 0xfb, 0x70, 0x03,
++ 0x72, 0xfd, 0xba, 0xae, 0x9c, 0x8f, 0xf8, 0x18
++};
++
++__fips_constseg static const unsigned char sha384_pr_entropyinputpr2[] = {
++ 0xf8, 0xeb, 0x89, 0xb1, 0x8d, 0x78, 0xbe, 0x21, 0xe0, 0xbb, 0x9d, 0xb7,
++ 0x95, 0x0e, 0xd9, 0x46, 0x0c, 0x8c, 0xe2, 0x63, 0xb7, 0x9d, 0x67, 0x90,
++ 0xbd, 0xc7, 0x0b, 0xa5, 0xce, 0xb2, 0x65, 0x81
++};
++
++__fips_constseg static const unsigned char sha384_pr_returnedbits[] = {
++ 0xe6, 0x9f, 0xfe, 0x68, 0xd6, 0xb5, 0x79, 0xf1, 0x06, 0x5f, 0xa3, 0xbb,
++ 0x23, 0x85, 0xd8, 0xf0, 0x29, 0x5a, 0x68, 0x9e, 0xf5, 0xf4, 0xa6, 0x12,
++ 0xe0, 0x9a, 0xe2, 0xac, 0x00, 0x1d, 0x98, 0x26, 0xfc, 0x53, 0x95, 0x53,
++ 0xe4, 0x3e, 0x17, 0xd5, 0x08, 0x0b, 0x70, 0x3d, 0x67, 0x99, 0xac, 0x66
++};
++
++/* SHA-384 No PR */
++__fips_constseg static const unsigned char sha384_entropyinput[] = {
++ 0x07, 0x15, 0x27, 0x2a, 0xaf, 0x74, 0x24, 0x37, 0xbc, 0xd5, 0x14, 0x69,
++ 0xce, 0x11, 0xff, 0xa2, 0x6b, 0xb8, 0x05, 0x67, 0x34, 0xf8, 0xbd, 0x6d,
++ 0x6a, 0xcc, 0xcd, 0x60, 0xa3, 0x68, 0xca, 0xf4
++};
++
++__fips_constseg static const unsigned char sha384_nonce[] = {
++ 0x70, 0x17, 0xc2, 0x5b, 0x5d, 0x22, 0x0b, 0x06, 0x15, 0x54, 0x78, 0x77,
++ 0x44, 0xaf, 0x2f, 0x09
++};
++
++__fips_constseg static const unsigned char sha384_personalizationstring[] = {
++ 0x89, 0x39, 0x28, 0xb0, 0x60, 0xeb, 0x3d, 0xdc, 0x55, 0x75, 0x86, 0xeb,
++ 0xae, 0xa2, 0x8f, 0xbc, 0x1b, 0x75, 0xd4, 0xe1, 0x0f, 0xaa, 0x38, 0xca,
++ 0x62, 0x8b, 0xcb, 0x2c, 0x26, 0xf6, 0xbc, 0xb1
++};
++
++__fips_constseg static const unsigned char sha384_additionalinput[] = {
++ 0x30, 0x2b, 0x42, 0x35, 0xef, 0xda, 0x40, 0x55, 0x28, 0xc6, 0x95, 0xfb,
++ 0x54, 0x01, 0x62, 0xd7, 0x87, 0x14, 0x48, 0x6d, 0x90, 0x4c, 0xa9, 0x02,
++ 0x54, 0x40, 0x22, 0xc8, 0x66, 0xa5, 0x48, 0x48
++};
++
++__fips_constseg static const unsigned char sha384_int_returnedbits[] = {
++ 0x82, 0xc4, 0xa1, 0x9c, 0x21, 0xd2, 0xe7, 0xa5, 0xa6, 0xf6, 0x5f, 0x04,
++ 0x5c, 0xc7, 0x31, 0x9d, 0x8d, 0x59, 0x74, 0x50, 0x19, 0x89, 0x2f, 0x63,
++ 0xd5, 0xb7, 0x7e, 0xeb, 0x15, 0xe3, 0x70, 0x83, 0xa1, 0x24, 0x59, 0xfa,
++ 0x2c, 0x56, 0xf6, 0x88, 0x3a, 0x92, 0x93, 0xa1, 0xfb, 0x79, 0xc1, 0x7a
++};
++
++__fips_constseg static const unsigned char sha384_entropyinputreseed[] = {
++ 0x39, 0xa6, 0xe8, 0x5c, 0x82, 0x17, 0x71, 0x26, 0x57, 0x4f, 0x9f, 0xc2,
++ 0x55, 0xff, 0x5c, 0x9b, 0x53, 0x1a, 0xd1, 0x5f, 0xbc, 0x62, 0xe4, 0x27,
++ 0x2d, 0x32, 0xf0, 0xe4, 0x52, 0x8c, 0xc5, 0x0c
++};
++
++__fips_constseg static const unsigned char sha384_additionalinputreseed[] = {
++ 0x8d, 0xcb, 0x8d, 0xce, 0x08, 0xea, 0x80, 0xe8, 0x9b, 0x61, 0xa8, 0x0f,
++ 0xaf, 0x49, 0x20, 0x9e, 0x74, 0xcb, 0x57, 0x80, 0x42, 0xb0, 0x84, 0x5e,
++ 0x30, 0x2a, 0x67, 0x08, 0xf4, 0xe3, 0x40, 0x22
++};
++
++__fips_constseg static const unsigned char sha384_additionalinput2[] = {
++ 0x7c, 0x8f, 0xc2, 0xae, 0x22, 0x4a, 0xd6, 0xf6, 0x05, 0xa4, 0x7a, 0xea,
++ 0xbb, 0x25, 0xd0, 0xb7, 0x5a, 0xd6, 0xcf, 0x9d, 0xf3, 0x6c, 0xe2, 0xb2,
++ 0x4e, 0xb4, 0xbd, 0xf4, 0xe5, 0x40, 0x80, 0x94
++};
++
++__fips_constseg static const unsigned char sha384_returnedbits[] = {
++ 0x9e, 0x7e, 0xfb, 0x59, 0xbb, 0xaa, 0x3c, 0xf7, 0xe1, 0xf8, 0x76, 0xdd,
++ 0x63, 0x5f, 0xaf, 0x23, 0xd6, 0x64, 0x61, 0xc0, 0x9a, 0x09, 0x47, 0xc9,
++ 0x33, 0xdf, 0x6d, 0x55, 0x91, 0x34, 0x79, 0x70, 0xc4, 0x99, 0x6e, 0x54,
++ 0x09, 0x64, 0x21, 0x1a, 0xbd, 0x1e, 0x80, 0x40, 0x34, 0xad, 0xfa, 0xd7
++};
++
++/* SHA-512 PR */
++__fips_constseg static const unsigned char sha512_pr_entropyinput[] = {
++ 0x13, 0xf7, 0x61, 0x75, 0x65, 0x28, 0xa2, 0x59, 0x13, 0x5a, 0x4a, 0x4f,
++ 0x56, 0x60, 0x8c, 0x53, 0x7d, 0xb0, 0xbd, 0x06, 0x4f, 0xed, 0xcc, 0xd2,
++ 0xa2, 0xb5, 0xfd, 0x5b, 0x3a, 0xab, 0xec, 0x28
++};
++
++__fips_constseg static const unsigned char sha512_pr_nonce[] = {
++ 0xbe, 0xa3, 0x91, 0x93, 0x1d, 0xc3, 0x31, 0x3a, 0x23, 0x33, 0x50, 0x67,
++ 0x88, 0xc7, 0xa2, 0xc4
++};
++
++__fips_constseg static const unsigned char sha512_pr_personalizationstring[] = {
++ 0x1f, 0x59, 0x4d, 0x7b, 0xe6, 0x46, 0x91, 0x48, 0xc1, 0x25, 0xfa, 0xff,
++ 0x89, 0x12, 0x77, 0x35, 0xdf, 0x3e, 0xf4, 0x80, 0x5f, 0xd9, 0xb0, 0x07,
++ 0x22, 0x41, 0xdd, 0x48, 0x78, 0x6b, 0x77, 0x2b
++};
++
++__fips_constseg static const unsigned char sha512_pr_additionalinput[] = {
++ 0x30, 0xff, 0x63, 0x6f, 0xac, 0xd9, 0x84, 0x39, 0x6f, 0xe4, 0x99, 0xce,
++ 0x91, 0x7d, 0x7e, 0xc8, 0x58, 0xf2, 0x12, 0xc3, 0xb6, 0xad, 0xda, 0x22,
++ 0x04, 0xa0, 0xd2, 0x21, 0xfe, 0xf2, 0x95, 0x1d
++};
++
++__fips_constseg static const unsigned char sha512_pr_entropyinputpr[] = {
++ 0x64, 0x54, 0x13, 0xec, 0x4f, 0x77, 0xda, 0xb2, 0x92, 0x2e, 0x52, 0x80,
++ 0x11, 0x10, 0xc2, 0xf8, 0xe6, 0xa7, 0xcd, 0x4b, 0xfc, 0x32, 0x2e, 0x9e,
++ 0xeb, 0xbb, 0xb1, 0xbf, 0x15, 0x5c, 0x73, 0x08
++};
++
++__fips_constseg static const unsigned char sha512_pr_int_returnedbits[] = {
++ 0xef, 0x1e, 0xdc, 0x0a, 0xa4, 0x36, 0x91, 0x9c, 0x3d, 0x27, 0x97, 0x50,
++ 0x8d, 0x36, 0x29, 0x8d, 0xce, 0x6a, 0x0c, 0xf7, 0x21, 0xc0, 0x91, 0xae,
++ 0x0c, 0x96, 0x72, 0xbd, 0x52, 0x81, 0x58, 0xfc, 0x6d, 0xe5, 0xf7, 0xa5,
++ 0xfd, 0x5d, 0xa7, 0x58, 0x68, 0xc8, 0x99, 0x58, 0x8e, 0xc8, 0xce, 0x95,
++ 0x01, 0x7d, 0xff, 0xa4, 0xc8, 0xf7, 0x63, 0xfe, 0x5f, 0x69, 0x83, 0x53,
++ 0xe2, 0xc6, 0x8b, 0xc3
++};
++
++__fips_constseg static const unsigned char sha512_pr_additionalinput2[] = {
++ 0xe6, 0x9b, 0xc4, 0x88, 0x34, 0xca, 0xea, 0x29, 0x2f, 0x98, 0x05, 0xa4,
++ 0xd3, 0xc0, 0x7b, 0x11, 0xe8, 0xbb, 0x75, 0xf2, 0xbd, 0x29, 0xb7, 0x40,
++ 0x25, 0x7f, 0xc1, 0xb7, 0xb1, 0xf1, 0x25, 0x61
++};
++
++__fips_constseg static const unsigned char sha512_pr_entropyinputpr2[] = {
++ 0x23, 0x6d, 0xff, 0xde, 0xfb, 0xd1, 0xba, 0x33, 0x18, 0xe6, 0xbe, 0xb5,
++ 0x48, 0x77, 0x6d, 0x7f, 0xa7, 0xe1, 0x4d, 0x48, 0x1e, 0x3c, 0xa7, 0x34,
++ 0x1a, 0xc8, 0x60, 0xdb, 0x8f, 0x99, 0x15, 0x99
++};
++
++__fips_constseg static const unsigned char sha512_pr_returnedbits[] = {
++ 0x70, 0x27, 0x31, 0xdb, 0x92, 0x70, 0x21, 0xfe, 0x16, 0xb6, 0xc8, 0x51,
++ 0x34, 0x87, 0x65, 0xd0, 0x4e, 0xfd, 0xfe, 0x68, 0xec, 0xac, 0xdc, 0x93,
++ 0x41, 0x38, 0x92, 0x90, 0xb4, 0x94, 0xf9, 0x0d, 0xa4, 0xf7, 0x4e, 0x80,
++ 0x92, 0x67, 0x48, 0x40, 0xa7, 0x08, 0xc7, 0xbc, 0x66, 0x00, 0xfd, 0xf7,
++ 0x4c, 0x8b, 0x17, 0x6e, 0xd1, 0x8f, 0x9b, 0xf3, 0x6f, 0xf6, 0x34, 0xdd,
++ 0x67, 0xf7, 0x68, 0xdd
++};
++
++/* SHA-512 No PR */
++__fips_constseg static const unsigned char sha512_entropyinput[] = {
++ 0xb6, 0x0b, 0xb7, 0xbc, 0x84, 0x56, 0xf6, 0x12, 0xaf, 0x45, 0x67, 0x17,
++ 0x7c, 0xd1, 0xb2, 0x78, 0x2b, 0xa0, 0xf2, 0xbe, 0xb6, 0x6d, 0x8b, 0x56,
++ 0xc6, 0xbc, 0x4d, 0xe1, 0xf7, 0xbe, 0xce, 0xbd
++};
++
++__fips_constseg static const unsigned char sha512_nonce[] = {
++ 0x9d, 0xed, 0xc0, 0xe5, 0x5a, 0x98, 0x6a, 0xcb, 0x51, 0x7d, 0x76, 0x31,
++ 0x5a, 0x64, 0xf0, 0xf7
++};
++
++__fips_constseg static const unsigned char sha512_personalizationstring[] = {
++ 0xc2, 0x6d, 0xa3, 0xc3, 0x06, 0x74, 0xe5, 0x01, 0x5c, 0x10, 0x17, 0xc7,
++ 0xaf, 0x83, 0x9d, 0x59, 0x8d, 0x2d, 0x29, 0x38, 0xc5, 0x59, 0x70, 0x8b,
++ 0x46, 0x48, 0x2d, 0xcf, 0x36, 0x7d, 0x59, 0xc0
++};
++
++__fips_constseg static const unsigned char sha512_additionalinput[] = {
++ 0xec, 0x8c, 0xd4, 0xf7, 0x61, 0x6e, 0x0d, 0x95, 0x79, 0xb7, 0x28, 0xad,
++ 0x5f, 0x69, 0x74, 0x5f, 0x2d, 0x36, 0x06, 0x8a, 0x6b, 0xac, 0x54, 0x97,
++ 0xc4, 0xa1, 0x12, 0x85, 0x0a, 0xdf, 0x4b, 0x34
++};
++
++__fips_constseg static const unsigned char sha512_int_returnedbits[] = {
++ 0x84, 0x2f, 0x1f, 0x68, 0x6a, 0xa3, 0xad, 0x1e, 0xfb, 0xf4, 0x15, 0xbd,
++ 0xde, 0x38, 0xd4, 0x30, 0x80, 0x51, 0xe9, 0xd3, 0xc7, 0x20, 0x88, 0xe9,
++ 0xf5, 0xcc, 0xdf, 0x57, 0x5c, 0x47, 0x2f, 0x57, 0x3c, 0x5f, 0x13, 0x56,
++ 0xcc, 0xc5, 0x4f, 0x84, 0xf8, 0x10, 0x41, 0xd5, 0x7e, 0x58, 0x6e, 0x19,
++ 0x19, 0x9e, 0xaf, 0xc2, 0x22, 0x58, 0x41, 0x50, 0x79, 0xc2, 0xd8, 0x04,
++ 0x28, 0xd4, 0x39, 0x9a
++};
++
++__fips_constseg static const unsigned char sha512_entropyinputreseed[] = {
++ 0xfa, 0x7f, 0x46, 0x51, 0x83, 0x62, 0x98, 0x16, 0x9a, 0x19, 0xa2, 0x49,
++ 0xa9, 0xe6, 0x4a, 0xd8, 0x85, 0xe7, 0xd4, 0x3b, 0x2c, 0x82, 0xc5, 0x82,
++ 0xbf, 0x11, 0xf9, 0x9e, 0xbc, 0xd0, 0x01, 0xee
++};
++
++__fips_constseg static const unsigned char sha512_additionalinputreseed[] = {
++ 0xb9, 0x12, 0xe0, 0x4f, 0xf7, 0xa7, 0xc4, 0xd8, 0xd0, 0x8e, 0x99, 0x29,
++ 0x7c, 0x9a, 0xe9, 0xcf, 0xc4, 0x6c, 0xf8, 0xc3, 0xa7, 0x41, 0x83, 0xd6,
++ 0x2e, 0xfa, 0xb8, 0x5e, 0x8e, 0x6b, 0x78, 0x20
++};
++
++__fips_constseg static const unsigned char sha512_additionalinput2[] = {
++ 0xd7, 0x07, 0x52, 0xb9, 0x83, 0x2c, 0x03, 0x71, 0xee, 0xc9, 0xc0, 0x85,
++ 0xe1, 0x57, 0xb2, 0xcd, 0x3a, 0xf0, 0xc9, 0x34, 0x24, 0x41, 0x1c, 0x42,
++ 0x99, 0xb2, 0x84, 0xe9, 0x17, 0xd2, 0x76, 0x92
++};
++
++__fips_constseg static const unsigned char sha512_returnedbits[] = {
++ 0x36, 0x17, 0x5d, 0x98, 0x2b, 0x65, 0x25, 0x8e, 0xc8, 0x29, 0xdf, 0x27,
++ 0x05, 0x36, 0x26, 0x12, 0x8a, 0x68, 0x74, 0x27, 0x37, 0xd4, 0x7f, 0x32,
++ 0xb1, 0x12, 0xd6, 0x85, 0x83, 0xeb, 0x2e, 0xa0, 0xed, 0x4b, 0xb5, 0x7b,
++ 0x6f, 0x39, 0x3c, 0x71, 0x77, 0x02, 0x12, 0xcc, 0x2c, 0x3a, 0x8e, 0x63,
++ 0xdf, 0x4a, 0xbd, 0x6f, 0x6e, 0x2e, 0xed, 0x0a, 0x85, 0xa5, 0x2f, 0xa2,
++ 0x68, 0xde, 0x42, 0xb5
++};
++
++/* HMAC SHA-1 PR */
++__fips_constseg static const unsigned char hmac_sha1_pr_entropyinput[] = {
++ 0x26, 0x5f, 0x36, 0x14, 0xff, 0x3d, 0x83, 0xfa, 0x73, 0x5e, 0x75, 0xdc,
++ 0x2c, 0x18, 0x17, 0x1b
++};
++
++__fips_constseg static const unsigned char hmac_sha1_pr_nonce[] = {
++ 0xc8, 0xe3, 0x57, 0xa5, 0x7b, 0x74, 0x86, 0x6e
++};
++
++__fips_constseg
++ static const unsigned char hmac_sha1_pr_personalizationstring[] = {
++ 0x6e, 0xdb, 0x0d, 0xfe, 0x7d, 0xac, 0x79, 0xd0, 0xa5, 0x3a, 0x48, 0x85,
++ 0x80, 0xe2, 0x7f, 0x2a
++};
++
++__fips_constseg static const unsigned char hmac_sha1_pr_additionalinput[] = {
++ 0x31, 0xcd, 0x5e, 0x43, 0xdc, 0xfb, 0x7a, 0x79, 0xca, 0x88, 0xde, 0x1f,
++ 0xd7, 0xbb, 0x42, 0x09
++};
++
++__fips_constseg static const unsigned char hmac_sha1_pr_entropyinputpr[] = {
++ 0x7c, 0x23, 0x95, 0x38, 0x00, 0x95, 0xc1, 0x78, 0x1f, 0x8f, 0xd7, 0x63,
++ 0x23, 0x87, 0x2a, 0xed
++};
++
++__fips_constseg static const unsigned char hmac_sha1_pr_int_returnedbits[] = {
++ 0xbb, 0x34, 0xe7, 0x93, 0xa3, 0x02, 0x2c, 0x4a, 0xd0, 0x89, 0xda, 0x7f,
++ 0xed, 0xf4, 0x4c, 0xde, 0x17, 0xec, 0xe5, 0x6c
++};
++
++__fips_constseg static const unsigned char hmac_sha1_pr_additionalinput2[] = {
++ 0x49, 0xbc, 0x2d, 0x2c, 0xb7, 0x32, 0xcb, 0x20, 0xdf, 0xf5, 0x77, 0x58,
++ 0xa0, 0x4b, 0x93, 0x6e
++};
++
++__fips_constseg static const unsigned char hmac_sha1_pr_entropyinputpr2[] = {
++ 0x3c, 0xaa, 0xb0, 0x21, 0x42, 0xb0, 0xdd, 0x34, 0xf0, 0x16, 0x7f, 0x0c,
++ 0x0f, 0xff, 0x2e, 0xaf
++};
++
++__fips_constseg static const unsigned char hmac_sha1_pr_returnedbits[] = {
++ 0x8e, 0xcb, 0xa3, 0x64, 0xb2, 0xb8, 0x33, 0x6c, 0x64, 0x3b, 0x78, 0x16,
++ 0x99, 0x35, 0xc8, 0x30, 0xcb, 0x3e, 0xa0, 0xd8
++};
++
++/* HMAC SHA-1 No PR */
++__fips_constseg static const unsigned char hmac_sha1_entropyinput[] = {
++ 0x32, 0x9a, 0x2a, 0x87, 0x7b, 0x89, 0x7c, 0xf6, 0xcb, 0x95, 0xd5, 0x40,
++ 0x17, 0xfe, 0x47, 0x70
++};
++
++__fips_constseg static const unsigned char hmac_sha1_nonce[] = {
++ 0x16, 0xd8, 0xe0, 0xc7, 0x52, 0xcf, 0x4a, 0x25
++};
++
++__fips_constseg static const unsigned char hmac_sha1_personalizationstring[] = {
++ 0x35, 0x35, 0xa9, 0xa5, 0x40, 0xbe, 0x9b, 0xd1, 0x56, 0xdd, 0x44, 0x00,
++ 0x72, 0xf7, 0xd3, 0x5e
++};
++
++__fips_constseg static const unsigned char hmac_sha1_additionalinput[] = {
++ 0x1b, 0x2c, 0x84, 0x2d, 0x4a, 0x89, 0x8f, 0x69, 0x19, 0xf1, 0xf3, 0xdb,
++ 0xbb, 0xe3, 0xaa, 0xea
++};
++
++__fips_constseg static const unsigned char hmac_sha1_int_returnedbits[] = {
++ 0xcf, 0xfa, 0x7d, 0x72, 0x0f, 0xe6, 0xc7, 0x96, 0xa0, 0x69, 0x31, 0x11,
++ 0x9b, 0x0b, 0x1a, 0x20, 0x1f, 0x3f, 0xaa, 0xd1
++};
++
++__fips_constseg static const unsigned char hmac_sha1_entropyinputreseed[] = {
++ 0x90, 0x75, 0x15, 0x04, 0x95, 0xf1, 0xba, 0x81, 0x0c, 0x37, 0x94, 0x6f,
++ 0x86, 0x52, 0x6d, 0x9c
++};
++
++__fips_constseg static const unsigned char hmac_sha1_additionalinputreseed[] = {
++ 0x5b, 0x40, 0xba, 0x5f, 0x17, 0x70, 0xf0, 0x4b, 0xdf, 0xc9, 0x97, 0x92,
++ 0x79, 0xc5, 0x82, 0x28
++};
++
++__fips_constseg static const unsigned char hmac_sha1_additionalinput2[] = {
++ 0x97, 0xc8, 0x80, 0x90, 0xb3, 0xaa, 0x6e, 0x60, 0xea, 0x83, 0x7a, 0xe3,
++ 0x8a, 0xca, 0xa4, 0x7f
++};
++
++__fips_constseg static const unsigned char hmac_sha1_returnedbits[] = {
++ 0x90, 0xbd, 0x05, 0x56, 0x6d, 0xb5, 0x22, 0xd5, 0xb9, 0x5a, 0x29, 0x2d,
++ 0xe9, 0x0b, 0xe1, 0xac, 0xde, 0x27, 0x0b, 0xb0
++};
++
++/* HMAC SHA-224 PR */
++__fips_constseg static const unsigned char hmac_sha224_pr_entropyinput[] = {
++ 0x17, 0x32, 0x2b, 0x2e, 0x6f, 0x1b, 0x9c, 0x6d, 0x31, 0xe0, 0x34, 0x07,
++ 0xcf, 0xed, 0xf6, 0xb6, 0x5a, 0x76, 0x4c, 0xbc, 0x62, 0x85, 0x01, 0x90
++};
++
++__fips_constseg static const unsigned char hmac_sha224_pr_nonce[] = {
++ 0x38, 0xbf, 0x5f, 0x20, 0xb3, 0x68, 0x2f, 0x43, 0x61, 0x05, 0x8f, 0x23
++};
++
++__fips_constseg
++ static const unsigned char hmac_sha224_pr_personalizationstring[] = {
++ 0xc0, 0xc9, 0x45, 0xac, 0x8d, 0x27, 0x77, 0x08, 0x0b, 0x17, 0x6d, 0xed,
++ 0xc1, 0x7d, 0xd5, 0x07, 0x9d, 0x6e, 0xf8, 0x23, 0x2a, 0x22, 0x13, 0xbd
++};
++
++__fips_constseg static const unsigned char hmac_sha224_pr_additionalinput[] = {
++ 0xa4, 0x3c, 0xe7, 0x3b, 0xea, 0x19, 0x45, 0x32, 0xc2, 0x83, 0x6d, 0x21,
++ 0x8a, 0xc0, 0xee, 0x67, 0x45, 0xde, 0x13, 0x7d, 0x9d, 0x61, 0x00, 0x3b
++};
++
++__fips_constseg static const unsigned char hmac_sha224_pr_entropyinputpr[] = {
++ 0x15, 0x05, 0x74, 0x4a, 0x7f, 0x8d, 0x5c, 0x60, 0x16, 0xe5, 0x7b, 0xad,
++ 0xf5, 0x41, 0x8f, 0x55, 0x60, 0xc4, 0x09, 0xee, 0x1e, 0x11, 0x81, 0xab
++};
++
++__fips_constseg static const unsigned char hmac_sha224_pr_int_returnedbits[] = {
++ 0x6f, 0xf5, 0x9a, 0xe2, 0x54, 0x53, 0x30, 0x3d, 0x5a, 0x27, 0x29, 0x38,
++ 0x27, 0xf2, 0x0d, 0x05, 0xe9, 0x26, 0xcb, 0x16, 0xc3, 0x51, 0x5f, 0x13,
++ 0x41, 0xfe, 0x99, 0xf2
++};
++
++__fips_constseg static const unsigned char hmac_sha224_pr_additionalinput2[] = {
++ 0x73, 0x81, 0x88, 0x84, 0x8f, 0xed, 0x6f, 0x10, 0x9f, 0x93, 0xbf, 0x17,
++ 0x35, 0x7c, 0xef, 0xd5, 0x8d, 0x26, 0xa6, 0x7a, 0xe8, 0x09, 0x36, 0x4f
++};
++
++__fips_constseg static const unsigned char hmac_sha224_pr_entropyinputpr2[] = {
++ 0xe6, 0xcf, 0xcf, 0x7e, 0x12, 0xe5, 0x43, 0xd2, 0x38, 0xd8, 0x24, 0x6f,
++ 0x5a, 0x37, 0x68, 0xbf, 0x4f, 0xa0, 0xff, 0xd5, 0x61, 0x8a, 0x93, 0xe0
++};
++
++__fips_constseg static const unsigned char hmac_sha224_pr_returnedbits[] = {
++ 0xaf, 0xf9, 0xd8, 0x19, 0x91, 0x30, 0x82, 0x6f, 0xa9, 0x1e, 0x9d, 0xd7,
++ 0xf3, 0x50, 0xe0, 0xc7, 0xd5, 0x64, 0x96, 0x7d, 0x4c, 0x4d, 0x78, 0x03,
++ 0x6d, 0xd8, 0x9e, 0x72
++};
++
++/* HMAC SHA-224 No PR */
++__fips_constseg static const unsigned char hmac_sha224_entropyinput[] = {
++ 0x11, 0x82, 0xfd, 0xd9, 0x42, 0xf4, 0xfa, 0xc8, 0xf2, 0x41, 0xe6, 0x54,
++ 0x01, 0xae, 0x22, 0x6e, 0xc6, 0xaf, 0xaf, 0xd0, 0xa6, 0xb2, 0xe2, 0x6d
++};
++
++__fips_constseg static const unsigned char hmac_sha224_nonce[] = {
++ 0xa9, 0x48, 0xd7, 0x92, 0x39, 0x7e, 0x2a, 0xdc, 0x30, 0x1f, 0x0e, 0x2b
++};
++
++__fips_constseg
++ static const unsigned char hmac_sha224_personalizationstring[] = {
++ 0x11, 0xd5, 0xf4, 0xbd, 0x67, 0x8c, 0x31, 0xcf, 0xa3, 0x3f, 0x1e, 0x6b,
++ 0xa8, 0x07, 0x02, 0x0b, 0xc8, 0x2e, 0x6c, 0x64, 0x41, 0x5b, 0xc8, 0x37
++};
++
++__fips_constseg static const unsigned char hmac_sha224_additionalinput[] = {
++ 0x68, 0x18, 0xc2, 0x06, 0xeb, 0x3e, 0x04, 0x95, 0x44, 0x5e, 0xfb, 0xe6,
++ 0x41, 0xc1, 0x5c, 0xcc, 0x40, 0x2f, 0xb7, 0xd2, 0x0f, 0xf3, 0x6b, 0xe7
++};
++
++__fips_constseg static const unsigned char hmac_sha224_int_returnedbits[] = {
++ 0x7f, 0x45, 0xc7, 0x5d, 0x32, 0xe6, 0x17, 0x60, 0xba, 0xdc, 0xb8, 0x42,
++ 0x1b, 0x9c, 0xf1, 0xfa, 0x3b, 0x4d, 0x29, 0x54, 0xc6, 0x90, 0xff, 0x5c,
++ 0xcd, 0xd6, 0xa9, 0xcc
++};
++
++__fips_constseg static const unsigned char hmac_sha224_entropyinputreseed[] = {
++ 0xc4, 0x8e, 0x37, 0x95, 0x69, 0x53, 0x28, 0xd7, 0x37, 0xbb, 0x70, 0x95,
++ 0x1c, 0x07, 0x1d, 0xd9, 0xb7, 0xe6, 0x1b, 0xbb, 0xfe, 0x41, 0xeb, 0xc9
++};
++
++__fips_constseg
++ static const unsigned char hmac_sha224_additionalinputreseed[] = {
++ 0x53, 0x17, 0xa1, 0x6a, 0xfa, 0x77, 0x47, 0xb0, 0x95, 0x56, 0x9a, 0x20,
++ 0x57, 0xde, 0x5c, 0x89, 0x9f, 0x7f, 0xe2, 0xde, 0x17, 0x3a, 0x50, 0x23
++};
++
++__fips_constseg static const unsigned char hmac_sha224_additionalinput2[] = {
++ 0x3a, 0x32, 0xf9, 0x85, 0x0c, 0xc1, 0xed, 0x76, 0x2d, 0xdf, 0x40, 0xc3,
++ 0x06, 0x22, 0x66, 0xd4, 0x9a, 0x9a, 0xff, 0x5a, 0x7e, 0x7a, 0xf3, 0x96
++};
++
++__fips_constseg static const unsigned char hmac_sha224_returnedbits[] = {
++ 0x43, 0xb4, 0x57, 0x5c, 0x38, 0x25, 0x9d, 0xae, 0xec, 0x96, 0xd1, 0x85,
++ 0x3a, 0x84, 0x8d, 0xfe, 0x68, 0xd5, 0x0e, 0x5c, 0x8f, 0x65, 0xa5, 0x4e,
++ 0x45, 0x84, 0xa8, 0x94
++};
++
++/* HMAC SHA-256 PR */
++__fips_constseg static const unsigned char hmac_sha256_pr_entropyinput[] = {
++ 0x4d, 0xb0, 0x43, 0xd8, 0x34, 0x4b, 0x10, 0x70, 0xb1, 0x8b, 0xed, 0xea,
++ 0x07, 0x92, 0x9f, 0x6c, 0x79, 0x31, 0xaf, 0x81, 0x29, 0xeb, 0x6e, 0xca,
++ 0x32, 0x48, 0x28, 0xe7, 0x02, 0x5d, 0xa6, 0xa6
++};
++
++__fips_constseg static const unsigned char hmac_sha256_pr_nonce[] = {
++ 0x3a, 0xae, 0x15, 0xa9, 0x99, 0xdc, 0xe4, 0x67, 0x34, 0x3b, 0x70, 0x15,
++ 0xaa, 0xd3, 0x30, 0x9a
++};
++
++__fips_constseg
++ static const unsigned char hmac_sha256_pr_personalizationstring[] = {
++ 0x13, 0x1d, 0x24, 0x04, 0xb0, 0x18, 0x81, 0x15, 0x21, 0x51, 0x2a, 0x24,
++ 0x52, 0x61, 0xbe, 0x64, 0x82, 0x6b, 0x55, 0x2f, 0xe2, 0xf1, 0x40, 0x7d,
++ 0x71, 0xd8, 0x01, 0x86, 0x15, 0xb7, 0x8b, 0xb5
++};
++
++__fips_constseg static const unsigned char hmac_sha256_pr_additionalinput[] = {
++ 0x8f, 0xa6, 0x54, 0x5f, 0xb1, 0xd0, 0xd8, 0xc3, 0xe7, 0x0c, 0x15, 0xa9,
++ 0x23, 0x6e, 0xfe, 0xfb, 0x93, 0xf7, 0x3a, 0xbd, 0x59, 0x01, 0xfa, 0x18,
++ 0x8e, 0xe9, 0x1a, 0xa9, 0x78, 0xfc, 0x79, 0x0b
++};
++
++__fips_constseg static const unsigned char hmac_sha256_pr_entropyinputpr[] = {
++ 0xcf, 0x24, 0xb9, 0xeb, 0xb3, 0xd4, 0xcd, 0x17, 0x37, 0x38, 0x75, 0x79,
++ 0x15, 0xcb, 0x2d, 0x75, 0x51, 0xf1, 0xcc, 0xaa, 0x32, 0xa4, 0xa7, 0x36,
++ 0x7c, 0x5c, 0xe4, 0x47, 0xf1, 0x3e, 0x1d, 0xe5
++};
++
++__fips_constseg static const unsigned char hmac_sha256_pr_int_returnedbits[] = {
++ 0x52, 0x42, 0xfa, 0xeb, 0x85, 0xe0, 0x30, 0x22, 0x79, 0x00, 0x16, 0xb2,
++ 0x88, 0x2f, 0x14, 0x6a, 0xb7, 0xfc, 0xb7, 0x53, 0xdc, 0x4a, 0x12, 0xef,
++ 0x54, 0xd6, 0x33, 0xe9, 0x20, 0xd6, 0xfd, 0x56
++};
++
++__fips_constseg static const unsigned char hmac_sha256_pr_additionalinput2[] = {
++ 0xf4, 0xf6, 0x49, 0xa1, 0x2d, 0x64, 0x2b, 0x30, 0x58, 0xf8, 0xbd, 0xb8,
++ 0x75, 0xeb, 0xbb, 0x5e, 0x1c, 0x9b, 0x81, 0x6a, 0xda, 0x14, 0x86, 0x6e,
++ 0xd0, 0xda, 0x18, 0xb7, 0x88, 0xfb, 0x59, 0xf3
++};
++
++__fips_constseg static const unsigned char hmac_sha256_pr_entropyinputpr2[] = {
++ 0x21, 0xcd, 0x6e, 0x46, 0xad, 0x99, 0x07, 0x17, 0xb4, 0x3d, 0x76, 0x0a,
++ 0xff, 0x5b, 0x52, 0x50, 0x78, 0xdf, 0x1f, 0x24, 0x06, 0x0d, 0x3f, 0x74,
++ 0xa9, 0xc9, 0x37, 0xcf, 0xd8, 0x26, 0x25, 0x91
++};
++
++__fips_constseg static const unsigned char hmac_sha256_pr_returnedbits[] = {
++ 0xa7, 0xaf, 0x2f, 0x29, 0xe0, 0x3a, 0x72, 0x95, 0x96, 0x1c, 0xa9, 0xf0,
++ 0x4a, 0x17, 0x4d, 0x66, 0x06, 0x10, 0xbf, 0x39, 0x89, 0x88, 0xb8, 0x91,
++ 0x37, 0x18, 0x99, 0xcf, 0x8c, 0x53, 0x3b, 0x7e
++};
++
++/* HMAC SHA-256 No PR */
++__fips_constseg static const unsigned char hmac_sha256_entropyinput[] = {
++ 0x96, 0xb7, 0x53, 0x22, 0x1e, 0x52, 0x2a, 0x96, 0xb1, 0x15, 0x3c, 0x35,
++ 0x5a, 0x8b, 0xd3, 0x4a, 0xa6, 0x6c, 0x83, 0x0a, 0x7d, 0xa3, 0x23, 0x3d,
++ 0x43, 0xa1, 0x07, 0x2c, 0x2d, 0xe3, 0x81, 0xcc
++};
++
++__fips_constseg static const unsigned char hmac_sha256_nonce[] = {
++ 0xf1, 0xac, 0x97, 0xcb, 0x5e, 0x06, 0x48, 0xd2, 0x94, 0xbe, 0x15, 0x2e,
++ 0xc7, 0xfc, 0xc2, 0x01
++};
++
++__fips_constseg
++ static const unsigned char hmac_sha256_personalizationstring[] = {
++ 0x98, 0xc5, 0x1e, 0x35, 0x5e, 0x89, 0x0d, 0xce, 0x64, 0x6d, 0x18, 0xa7,
++ 0x5a, 0xc6, 0xf3, 0xe7, 0xd6, 0x9e, 0xc0, 0xea, 0xb7, 0x3a, 0x8d, 0x65,
++ 0xb8, 0xeb, 0x10, 0xd7, 0x57, 0x18, 0xa0, 0x32
++};
++
++__fips_constseg static const unsigned char hmac_sha256_additionalinput[] = {
++ 0x1b, 0x10, 0xaf, 0xac, 0xd0, 0x65, 0x95, 0xad, 0x04, 0xad, 0x03, 0x1c,
++ 0xe0, 0x40, 0xd6, 0x3e, 0x1c, 0x46, 0x53, 0x39, 0x7c, 0xe2, 0xbc, 0xda,
++ 0x8c, 0xa2, 0x33, 0xa7, 0x9a, 0x26, 0xd3, 0x27
++};
++
++__fips_constseg static const unsigned char hmac_sha256_int_returnedbits[] = {
++ 0xba, 0x61, 0x0e, 0x55, 0xfe, 0x11, 0x8a, 0x9e, 0x0f, 0x80, 0xdf, 0x1d,
++ 0x03, 0x0a, 0xfe, 0x15, 0x94, 0x28, 0x4b, 0xba, 0xf4, 0x9f, 0x51, 0x25,
++ 0x88, 0xe5, 0x4e, 0xfb, 0xaf, 0xce, 0x69, 0x90
++};
++
++__fips_constseg static const unsigned char hmac_sha256_entropyinputreseed[] = {
++ 0x62, 0x7f, 0x1e, 0x6b, 0xe8, 0x8e, 0xe1, 0x35, 0x7d, 0x9b, 0x4f, 0xc7,
++ 0xec, 0xc8, 0xac, 0xef, 0x6b, 0x13, 0x9e, 0x05, 0x56, 0xc1, 0x08, 0xf9,
++ 0x2f, 0x0f, 0x27, 0x9c, 0xd4, 0x15, 0xed, 0x2d
++};
++
++__fips_constseg
++ static const unsigned char hmac_sha256_additionalinputreseed[] = {
++ 0xc7, 0x76, 0x6e, 0xa9, 0xd2, 0xb2, 0x76, 0x40, 0x82, 0x25, 0x2c, 0xb3,
++ 0x6f, 0xac, 0xe9, 0x74, 0xef, 0x8f, 0x3c, 0x8e, 0xcd, 0xf1, 0xbf, 0xb3,
++ 0x49, 0x77, 0x34, 0x88, 0x52, 0x36, 0xe6, 0x2e
++};
++
++__fips_constseg static const unsigned char hmac_sha256_additionalinput2[] = {
++ 0x8d, 0xb8, 0x0c, 0xd1, 0xbf, 0x70, 0xf6, 0x19, 0xc3, 0x41, 0x80, 0x9f,
++ 0xe1, 0xa5, 0xa4, 0x1f, 0x2c, 0x26, 0xb1, 0xe5, 0xd8, 0xeb, 0xbe, 0xf8,
++ 0xdf, 0x88, 0x6a, 0x89, 0xd6, 0x05, 0xd8, 0x9d
++};
++
++__fips_constseg static const unsigned char hmac_sha256_returnedbits[] = {
++ 0x43, 0x12, 0x2a, 0x2c, 0x40, 0x53, 0x2e, 0x7c, 0x66, 0x34, 0xac, 0xc3,
++ 0x43, 0xe3, 0xe0, 0x6a, 0xfc, 0xfa, 0xea, 0x87, 0x21, 0x1f, 0xe2, 0x26,
++ 0xc4, 0xf9, 0x09, 0x9a, 0x0d, 0x6e, 0x7f, 0xe0
++};
++
++/* HMAC SHA-384 PR */
++__fips_constseg static const unsigned char hmac_sha384_pr_entropyinput[] = {
++ 0x69, 0x81, 0x98, 0x88, 0x44, 0xf5, 0xd6, 0x2e, 0x00, 0x08, 0x3b, 0xc5,
++ 0xfb, 0xd7, 0x8e, 0x6f, 0x23, 0xf8, 0x6d, 0x09, 0xd6, 0x85, 0x49, 0xd1,
++ 0xf8, 0x6d, 0xa4, 0x58, 0x54, 0xfd, 0x88, 0xa9
++};
++
++__fips_constseg static const unsigned char hmac_sha384_pr_nonce[] = {
++ 0x6e, 0x38, 0x81, 0xca, 0xb7, 0xe8, 0x6e, 0x66, 0x49, 0x8a, 0xb2, 0x59,
++ 0xee, 0x16, 0xc9, 0xde
++};
++
++__fips_constseg
++ static const unsigned char hmac_sha384_pr_personalizationstring[] = {
++ 0xfe, 0x4c, 0xd9, 0xf4, 0x78, 0x3b, 0x08, 0x41, 0x8d, 0x8f, 0x55, 0xc4,
++ 0x43, 0x56, 0xb6, 0x12, 0x36, 0x6b, 0x30, 0xb7, 0x5e, 0xe1, 0xb9, 0x47,
++ 0x04, 0xb1, 0x4e, 0xa9, 0x00, 0xa1, 0x52, 0xa1
++};
++
++__fips_constseg static const unsigned char hmac_sha384_pr_additionalinput[] = {
++ 0x89, 0xe9, 0xcc, 0x8f, 0x27, 0x3c, 0x26, 0xd1, 0x95, 0xc8, 0x7d, 0x0f,
++ 0x5b, 0x1a, 0xf0, 0x78, 0x39, 0x56, 0x6f, 0xa4, 0x23, 0xe7, 0xd1, 0xda,
++ 0x7c, 0x66, 0x33, 0xa0, 0x90, 0xc9, 0x92, 0x88
++};
++
++__fips_constseg static const unsigned char hmac_sha384_pr_entropyinputpr[] = {
++ 0xbe, 0x3d, 0x7c, 0x0d, 0xca, 0xda, 0x7c, 0x49, 0xb8, 0x12, 0x36, 0xc0,
++ 0xdb, 0xad, 0x35, 0xa8, 0xc7, 0x0b, 0x2a, 0x2c, 0x69, 0x6d, 0x25, 0x56,
++ 0x63, 0x82, 0x11, 0x3e, 0xa7, 0x33, 0x70, 0x72
++};
++
++__fips_constseg static const unsigned char hmac_sha384_pr_int_returnedbits[] = {
++ 0x82, 0x3d, 0xe6, 0x54, 0x80, 0x42, 0xf8, 0xba, 0x90, 0x4f, 0x06, 0xa6,
++ 0xd2, 0x7f, 0xbf, 0x79, 0x7c, 0x12, 0x7d, 0xa6, 0xa2, 0x66, 0xe8, 0xa6,
++ 0xc0, 0xd6, 0x4a, 0x55, 0xbf, 0xd8, 0x0a, 0xc5, 0xf8, 0x03, 0x88, 0xdd,
++ 0x8e, 0x87, 0xd1, 0x5a, 0x48, 0x26, 0x72, 0x2a, 0x8e, 0xcf, 0xee, 0xba
++};
++
++__fips_constseg static const unsigned char hmac_sha384_pr_additionalinput2[] = {
++ 0x8f, 0xff, 0xd9, 0x84, 0xbb, 0x85, 0x3a, 0x66, 0xa1, 0x21, 0xce, 0xb2,
++ 0x3a, 0x3a, 0x17, 0x22, 0x19, 0xae, 0xc7, 0xb6, 0x63, 0x81, 0xd5, 0xff,
++ 0x0d, 0xc8, 0xe1, 0xaf, 0x57, 0xd2, 0xcb, 0x60
++};
++
++__fips_constseg static const unsigned char hmac_sha384_pr_entropyinputpr2[] = {
++ 0xd7, 0xfb, 0xc9, 0xe8, 0xe2, 0xf2, 0xaa, 0x4c, 0xb8, 0x51, 0x2f, 0xe1,
++ 0x22, 0xba, 0xf3, 0xda, 0x0a, 0x19, 0x76, 0x71, 0x57, 0xb2, 0x1d, 0x94,
++ 0x09, 0x69, 0x6c, 0xd3, 0x97, 0x51, 0x81, 0x87
++};
++
++__fips_constseg static const unsigned char hmac_sha384_pr_returnedbits[] = {
++ 0xe6, 0x19, 0x28, 0xa8, 0x21, 0xce, 0x5e, 0xdb, 0x24, 0x79, 0x8c, 0x76,
++ 0x5d, 0x73, 0xb2, 0xdf, 0xac, 0xef, 0x85, 0xa7, 0x3b, 0x19, 0x09, 0x8b,
++ 0x7f, 0x98, 0x28, 0xa9, 0x93, 0xd8, 0x7a, 0xad, 0x55, 0x8b, 0x24, 0x9d,
++ 0xe6, 0x98, 0xfe, 0x47, 0xd5, 0x48, 0xc1, 0x23, 0xd8, 0x1d, 0x62, 0x75
++};
++
++/* HMAC SHA-384 No PR */
++__fips_constseg static const unsigned char hmac_sha384_entropyinput[] = {
++ 0xc3, 0x56, 0x2b, 0x1d, 0xc2, 0xbb, 0xa8, 0xf0, 0xae, 0x1b, 0x0d, 0xd3,
++ 0x5a, 0x6c, 0xda, 0x57, 0x8e, 0xa5, 0x8a, 0x0d, 0x6c, 0x4b, 0x18, 0xb1,
++ 0x04, 0x3e, 0xb4, 0x99, 0x35, 0xc4, 0xc0, 0x5f
++};
++
++__fips_constseg static const unsigned char hmac_sha384_nonce[] = {
++ 0xc5, 0x49, 0x1e, 0x66, 0x27, 0x92, 0xbe, 0xec, 0xb5, 0x1e, 0x4b, 0xb1,
++ 0x38, 0xe3, 0xeb, 0x62
++};
++
++__fips_constseg
++ static const unsigned char hmac_sha384_personalizationstring[] = {
++ 0xbe, 0xe7, 0x6b, 0x57, 0xde, 0x88, 0x11, 0x96, 0x9b, 0x6e, 0xea, 0xe5,
++ 0x63, 0x83, 0x4c, 0xb6, 0x8d, 0x66, 0xaa, 0x1f, 0x8b, 0x54, 0xe7, 0x62,
++ 0x6d, 0x5a, 0xfc, 0xbf, 0x97, 0xba, 0xcd, 0x77
++};
++
++__fips_constseg static const unsigned char hmac_sha384_additionalinput[] = {
++ 0xe5, 0x28, 0x5f, 0x43, 0xf5, 0x83, 0x6e, 0x0a, 0x83, 0x5c, 0xe3, 0x81,
++ 0x03, 0xf2, 0xf8, 0x78, 0x00, 0x7c, 0x95, 0x87, 0x16, 0xd6, 0x6c, 0x58,
++ 0x33, 0x6c, 0x53, 0x35, 0x0d, 0x66, 0xe3, 0xce
++};
++
++__fips_constseg static const unsigned char hmac_sha384_int_returnedbits[] = {
++ 0xe2, 0x1f, 0xf3, 0xda, 0x0d, 0x19, 0x99, 0x87, 0xc4, 0x90, 0xa2, 0x31,
++ 0xca, 0x2a, 0x89, 0x58, 0x43, 0x44, 0xb8, 0xde, 0xcf, 0xa4, 0xbe, 0x3b,
++ 0x53, 0x26, 0x22, 0x31, 0x76, 0x41, 0x22, 0xb5, 0xa8, 0x70, 0x2f, 0x4b,
++ 0x64, 0x95, 0x4d, 0x48, 0x96, 0x35, 0xe6, 0xbd, 0x3c, 0x34, 0xdb, 0x1b
++};
++
++__fips_constseg static const unsigned char hmac_sha384_entropyinputreseed[] = {
++ 0x77, 0x61, 0xba, 0xbc, 0xf2, 0xc1, 0xf3, 0x4b, 0x86, 0x65, 0xfd, 0x48,
++ 0x0e, 0x3c, 0x02, 0x5e, 0xa2, 0x7a, 0x6b, 0x7c, 0xed, 0x21, 0x5e, 0xf9,
++ 0xcd, 0xcd, 0x77, 0x07, 0x2b, 0xbe, 0xc5, 0x5c
++};
++
++__fips_constseg
++ static const unsigned char hmac_sha384_additionalinputreseed[] = {
++ 0x18, 0x24, 0x5f, 0xc6, 0x84, 0xd1, 0x67, 0xc3, 0x9a, 0x11, 0xa5, 0x8c,
++ 0x07, 0x39, 0x21, 0x83, 0x4d, 0x04, 0xc4, 0x6a, 0x28, 0x19, 0xcf, 0x92,
++ 0x21, 0xd9, 0x9e, 0x41, 0x72, 0x6c, 0x9e, 0x63
++};
++
++__fips_constseg static const unsigned char hmac_sha384_additionalinput2[] = {
++ 0x96, 0x67, 0x41, 0x28, 0x9b, 0xb7, 0x92, 0x8d, 0x64, 0x3b, 0xe4, 0xcf,
++ 0x7e, 0xaa, 0x1e, 0xb1, 0x4b, 0x1d, 0x09, 0x56, 0x67, 0x9c, 0xc6, 0x6d,
++ 0x3b, 0xe8, 0x91, 0x9d, 0xe1, 0x8a, 0xb7, 0x32
++};
++
++__fips_constseg static const unsigned char hmac_sha384_returnedbits[] = {
++ 0xe3, 0x59, 0x61, 0x38, 0x92, 0xec, 0xe2, 0x3c, 0xff, 0xb7, 0xdb, 0x19,
++ 0x0f, 0x5b, 0x93, 0x68, 0x0d, 0xa4, 0x94, 0x40, 0x72, 0x0b, 0xe0, 0xed,
++ 0x4d, 0xcd, 0x68, 0xa0, 0x1e, 0xfe, 0x67, 0xb2, 0xfa, 0x21, 0x56, 0x74,
++ 0xa4, 0xad, 0xcf, 0xb7, 0x60, 0x66, 0x2e, 0x40, 0xde, 0x82, 0xca, 0xfb
++};
++
++/* HMAC SHA-512 PR */
++__fips_constseg static const unsigned char hmac_sha512_pr_entropyinput[] = {
++ 0xaa, 0x9e, 0x45, 0x67, 0x0e, 0x00, 0x2a, 0x67, 0x98, 0xd6, 0xda, 0x0b,
++ 0x0f, 0x17, 0x7e, 0xac, 0xfd, 0x27, 0xc4, 0xca, 0x84, 0xdf, 0xde, 0xba,
++ 0x85, 0xd9, 0xbe, 0x8f, 0xf3, 0xff, 0x91, 0x4d
++};
++
++__fips_constseg static const unsigned char hmac_sha512_pr_nonce[] = {
++ 0x8c, 0x49, 0x2f, 0x58, 0x1e, 0x7a, 0xda, 0x4b, 0x7e, 0x8a, 0x30, 0x7b,
++ 0x86, 0xea, 0xaf, 0xa2
++};
++
++__fips_constseg
++ static const unsigned char hmac_sha512_pr_personalizationstring[] = {
++ 0x71, 0xe1, 0xbb, 0xad, 0xa7, 0x4b, 0x2e, 0x31, 0x3b, 0x0b, 0xec, 0x24,
++ 0x99, 0x38, 0xbc, 0xaa, 0x05, 0x4c, 0x46, 0x44, 0xfa, 0xad, 0x8e, 0x02,
++ 0xc1, 0x7e, 0xad, 0xec, 0x54, 0xa6, 0xd0, 0xad
++};
++
++__fips_constseg static const unsigned char hmac_sha512_pr_additionalinput[] = {
++ 0x3d, 0x6e, 0xa6, 0xa8, 0x29, 0x2a, 0xb2, 0xf5, 0x98, 0x42, 0xe4, 0x92,
++ 0x78, 0x22, 0x67, 0xfd, 0x1b, 0x15, 0x1e, 0x29, 0xaa, 0x71, 0x3c, 0x3c,
++ 0xe7, 0x05, 0x20, 0xa9, 0x29, 0xc6, 0x75, 0x71
++};
++
++__fips_constseg static const unsigned char hmac_sha512_pr_entropyinputpr[] = {
++ 0xab, 0xb9, 0x16, 0xd8, 0x55, 0x35, 0x54, 0xb7, 0x97, 0x3f, 0x94, 0xbc,
++ 0x2f, 0x7c, 0x70, 0xc7, 0xd0, 0xed, 0xb7, 0x4b, 0xf7, 0xf6, 0x6c, 0x03,
++ 0x0c, 0xb0, 0x03, 0xd8, 0xbb, 0x71, 0xd9, 0x10
++};
++
++__fips_constseg static const unsigned char hmac_sha512_pr_int_returnedbits[] = {
++ 0x8e, 0xd3, 0xfd, 0x52, 0x9e, 0x83, 0x08, 0x49, 0x18, 0x6e, 0x23, 0x56,
++ 0x5c, 0x45, 0x93, 0x34, 0x05, 0xe2, 0x98, 0x8f, 0x0c, 0xd4, 0x32, 0x0c,
++ 0xfd, 0xda, 0x5f, 0x92, 0x3a, 0x8c, 0x81, 0xbd, 0xf6, 0x6c, 0x55, 0xfd,
++ 0xb8, 0x20, 0xce, 0x8d, 0x97, 0x27, 0xe8, 0xe8, 0xe0, 0xb3, 0x85, 0x50,
++ 0xa2, 0xc2, 0xb2, 0x95, 0x1d, 0x48, 0xd3, 0x7b, 0x4b, 0x78, 0x13, 0x35,
++ 0x05, 0x17, 0xbe, 0x0d
++};
++
++__fips_constseg static const unsigned char hmac_sha512_pr_additionalinput2[] = {
++ 0xc3, 0xfc, 0x95, 0xaa, 0x69, 0x06, 0xae, 0x59, 0x41, 0xce, 0x26, 0x08,
++ 0x29, 0x6d, 0x45, 0xda, 0xe8, 0xb3, 0x6c, 0x95, 0x60, 0x0f, 0x70, 0x2c,
++ 0x10, 0xba, 0x38, 0x8c, 0xcf, 0x29, 0x99, 0xaa
++};
++
++__fips_constseg static const unsigned char hmac_sha512_pr_entropyinputpr2[] = {
++ 0x3b, 0x9a, 0x25, 0xce, 0xd7, 0xf9, 0x5c, 0xd1, 0x3a, 0x3e, 0xaa, 0x71,
++ 0x14, 0x3e, 0x19, 0xe8, 0xce, 0xe6, 0xfe, 0x51, 0x84, 0xe9, 0x1b, 0xfe,
++ 0x3f, 0xa7, 0xf2, 0xfd, 0x76, 0x5f, 0x6a, 0xe7
++};
++
++__fips_constseg static const unsigned char hmac_sha512_pr_returnedbits[] = {
++ 0xb7, 0x82, 0xa9, 0x57, 0x81, 0x67, 0x53, 0xb5, 0xa1, 0xe9, 0x3d, 0x35,
++ 0xf9, 0xe4, 0x97, 0xbe, 0xa6, 0xca, 0xf1, 0x01, 0x13, 0x09, 0xe7, 0x21,
++ 0xc0, 0xed, 0x93, 0x5d, 0x4b, 0xf4, 0xeb, 0x8d, 0x53, 0x25, 0x8a, 0xc4,
++ 0xb1, 0x6f, 0x6e, 0x37, 0xcd, 0x2e, 0xac, 0x39, 0xb2, 0xb6, 0x99, 0xa3,
++ 0x82, 0x00, 0xb0, 0x21, 0xf0, 0xc7, 0x2f, 0x4c, 0x73, 0x92, 0xfd, 0x00,
++ 0xb6, 0xaf, 0xbc, 0xd3
++};
++
++/* HMAC SHA-512 No PR */
++__fips_constseg static const unsigned char hmac_sha512_entropyinput[] = {
++ 0x6e, 0x85, 0xe6, 0x25, 0x96, 0x29, 0xa7, 0x52, 0x5b, 0x60, 0xba, 0xaa,
++ 0xde, 0xdb, 0x36, 0x0a, 0x51, 0x9a, 0x15, 0xae, 0x6e, 0x18, 0xd3, 0xfe,
++ 0x39, 0xb9, 0x4a, 0x96, 0xf8, 0x77, 0xcb, 0x95
++};
++
++__fips_constseg static const unsigned char hmac_sha512_nonce[] = {
++ 0xe0, 0xa6, 0x5d, 0x08, 0xc3, 0x7c, 0xae, 0x25, 0x2e, 0x80, 0xd1, 0x3e,
++ 0xd9, 0xaf, 0x43, 0x3c
++};
++
++__fips_constseg
++ static const unsigned char hmac_sha512_personalizationstring[] = {
++ 0x53, 0x99, 0x52, 0x5f, 0x11, 0xa9, 0x64, 0x66, 0x20, 0x5e, 0x1b, 0x5f,
++ 0x42, 0xb3, 0xf4, 0xda, 0xed, 0xbb, 0x63, 0xc1, 0x23, 0xaf, 0xd0, 0x01,
++ 0x90, 0x3b, 0xd0, 0x78, 0xe4, 0x0b, 0xa7, 0x20
++};
++
++__fips_constseg static const unsigned char hmac_sha512_additionalinput[] = {
++ 0x85, 0x90, 0x80, 0xd3, 0x98, 0xf1, 0x53, 0x6d, 0x68, 0x15, 0x8f, 0xe5,
++ 0x60, 0x3f, 0x17, 0x29, 0x55, 0x8d, 0x33, 0xb1, 0x45, 0x64, 0x64, 0x8d,
++ 0x50, 0x21, 0x89, 0xae, 0xf6, 0xfd, 0x32, 0x73
++};
++
++__fips_constseg static const unsigned char hmac_sha512_int_returnedbits[] = {
++ 0x28, 0x56, 0x30, 0x6f, 0xf4, 0xa1, 0x48, 0xe0, 0xc9, 0xf5, 0x75, 0x90,
++ 0xcc, 0xfb, 0xdf, 0xdf, 0x71, 0x3d, 0x0a, 0x9a, 0x03, 0x65, 0x3b, 0x18,
++ 0x61, 0xe3, 0xd1, 0xda, 0xcc, 0x4a, 0xfe, 0x55, 0x38, 0xf8, 0x21, 0x6b,
++ 0xfa, 0x18, 0x01, 0x42, 0x39, 0x2f, 0x99, 0x53, 0x38, 0x15, 0x82, 0x34,
++ 0xc5, 0x93, 0x92, 0xbc, 0x4d, 0x75, 0x1a, 0x5f, 0x21, 0x27, 0xcc, 0xa1,
++ 0xb1, 0x57, 0x69, 0xe8
++};
++
++__fips_constseg static const unsigned char hmac_sha512_entropyinputreseed[] = {
++ 0x8c, 0x52, 0x7e, 0x77, 0x72, 0x3f, 0xa3, 0x04, 0x97, 0x10, 0x9b, 0x41,
++ 0xbd, 0xe8, 0xff, 0x89, 0xed, 0x80, 0xe3, 0xbd, 0xaa, 0x12, 0x2d, 0xca,
++ 0x75, 0x82, 0x36, 0x77, 0x88, 0xcd, 0xa6, 0x73
++};
++
++__fips_constseg
++ static const unsigned char hmac_sha512_additionalinputreseed[] = {
++ 0x7e, 0x32, 0xe3, 0x69, 0x69, 0x07, 0x34, 0xa2, 0x16, 0xa2, 0x5d, 0x1a,
++ 0x10, 0x91, 0xd3, 0xe2, 0x21, 0xa2, 0xa3, 0xdd, 0xcd, 0x0c, 0x09, 0x86,
++ 0x11, 0xe1, 0x50, 0xff, 0x5c, 0xb7, 0xeb, 0x5c
++};
++
++__fips_constseg static const unsigned char hmac_sha512_additionalinput2[] = {
++ 0x7f, 0x78, 0x66, 0xd8, 0xfb, 0x67, 0xcf, 0x8d, 0x8c, 0x08, 0x30, 0xa5,
++ 0xf8, 0x7d, 0xcf, 0x44, 0x59, 0xce, 0xf8, 0xdf, 0x58, 0xd3, 0x60, 0xcb,
++ 0xa8, 0x60, 0xb9, 0x07, 0xc4, 0xb1, 0x95, 0x48
++};
++
++__fips_constseg static const unsigned char hmac_sha512_returnedbits[] = {
++ 0xdf, 0xa7, 0x36, 0xd4, 0xdc, 0x5d, 0x4d, 0x31, 0xad, 0x69, 0x46, 0x9f,
++ 0xf1, 0x7c, 0xd7, 0x3b, 0x4f, 0x55, 0xf2, 0xd7, 0xb9, 0x9d, 0xad, 0x7a,
++ 0x79, 0x08, 0x59, 0xa5, 0xdc, 0x74, 0xf5, 0x9b, 0x73, 0xd2, 0x13, 0x25,
++ 0x0b, 0x81, 0x08, 0x08, 0x25, 0xfb, 0x39, 0xf2, 0xf0, 0xa3, 0xa4, 0x8d,
++ 0xef, 0x05, 0x9e, 0xb8, 0xc7, 0x52, 0xe4, 0x0e, 0x42, 0xaa, 0x7c, 0x79,
++ 0xc2, 0xd6, 0xfd, 0xa5
++};
+diff -up openssl-1.0.2i/crypto/fips/fips_dsa_selftest.c.fips openssl-1.0.2i/crypto/fips/fips_dsa_selftest.c
+--- openssl-1.0.2i/crypto/fips/fips_dsa_selftest.c.fips 2016-09-22 13:35:57.016220974 +0200
++++ openssl-1.0.2i/crypto/fips/fips_dsa_selftest.c 2016-09-22 13:35:57.016220974 +0200
+@@ -0,0 +1,192 @@
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <string.h>
++#include <openssl/crypto.h>
++#include <openssl/dsa.h>
++#include <openssl/fips.h>
++#include <openssl/err.h>
++#include <openssl/evp.h>
++#include <openssl/bn.h>
++#include "fips_locl.h"
++
++#ifdef OPENSSL_FIPS
++
++static const unsigned char dsa_test_2048_p[] = {
++ 0xa8, 0x53, 0x78, 0xd8, 0xfd, 0x3f, 0x8d, 0x72, 0xec, 0x74, 0x18, 0x08,
++ 0x0d, 0xa2, 0x13, 0x17, 0xe4, 0x3e, 0xc4, 0xb6, 0x2b, 0xa8, 0xc8, 0x62,
++ 0x3b, 0x7e, 0x4d, 0x04, 0x44, 0x1d, 0xd1, 0xa0, 0x65, 0x86, 0x62, 0x59,
++ 0x64, 0x93, 0xca, 0x8e, 0x9e, 0x8f, 0xbb, 0x7e, 0x34, 0xaa, 0xdd, 0xb6,
++ 0x2e, 0x5d, 0x67, 0xb6, 0xd0, 0x9a, 0x6e, 0x61, 0xb7, 0x69, 0xe7, 0xc3,
++ 0x52, 0xaa, 0x2b, 0x10, 0xe2, 0x0c, 0xa0, 0x63, 0x69, 0x63, 0xb5, 0x52,
++ 0x3e, 0x86, 0x47, 0x0d, 0xec, 0xbb, 0xed, 0xa0, 0x27, 0xe7, 0x97, 0xe7,
++ 0xb6, 0x76, 0x35, 0xd4, 0xd4, 0x9c, 0x30, 0x70, 0x0e, 0x74, 0xaf, 0x8a,
++ 0x0f, 0xf1, 0x56, 0xa8, 0x01, 0xaf, 0x57, 0xa2, 0x6e, 0x70, 0x78, 0xf1,
++ 0xd8, 0x2f, 0x74, 0x90, 0x8e, 0xcb, 0x6d, 0x07, 0xe7, 0x0b, 0x35, 0x03,
++ 0xee, 0xd9, 0x4f, 0xa3, 0x2c, 0xf1, 0x7a, 0x7f, 0xc3, 0xd6, 0xcf, 0x40,
++ 0xdc, 0x7b, 0x00, 0x83, 0x0e, 0x6a, 0x25, 0x66, 0xdc, 0x07, 0x3e, 0x34,
++ 0x33, 0x12, 0x51, 0x7c, 0x6a, 0xa5, 0x15, 0x2b, 0x4b, 0xfe, 0xcd, 0x2e,
++ 0x55, 0x1f, 0xee, 0x34, 0x63, 0x18, 0xa1, 0x53, 0x42, 0x3c, 0x99, 0x6b,
++ 0x0d, 0x5d, 0xcb, 0x91, 0x02, 0xae, 0xdd, 0x38, 0x79, 0x86, 0x16, 0xf1,
++ 0xf1, 0xe0, 0xd6, 0xc4, 0x03, 0x52, 0x5b, 0x1f, 0x9b, 0x3d, 0x4d, 0xc7,
++ 0x66, 0xde, 0x2d, 0xfc, 0x4a, 0x56, 0xd7, 0xb8, 0xba, 0x59, 0x63, 0xd6,
++ 0x0f, 0x3e, 0x16, 0x31, 0x88, 0x70, 0xad, 0x43, 0x69, 0x52, 0xe5, 0x57,
++ 0x65, 0x37, 0x4e, 0xab, 0x85, 0xe8, 0xec, 0x17, 0xd6, 0xb9, 0xa4, 0x54,
++ 0x7b, 0x9b, 0x5f, 0x27, 0x52, 0xf3, 0x10, 0x5b, 0xe8, 0x09, 0xb2, 0x3a,
++ 0x2c, 0x8d, 0x74, 0x69, 0xdb, 0x02, 0xe2, 0x4d, 0x59, 0x23, 0x94, 0xa7,
++ 0xdb, 0xa0, 0x69, 0xe9
++};
++
++static const unsigned char dsa_test_2048_q[] = {
++ 0xd2, 0x77, 0x04, 0x4e, 0x50, 0xf5, 0xa4, 0xe3, 0xf5, 0x10, 0xa5, 0x0a,
++ 0x0b, 0x84, 0xfd, 0xff, 0xbc, 0xa0, 0x47, 0xed, 0x27, 0x60, 0x20, 0x56,
++ 0x74, 0x41, 0xa0, 0xa5
++};
++
++static const unsigned char dsa_test_2048_g[] = {
++ 0x13, 0xd7, 0x54, 0xe2, 0x1f, 0xd2, 0x41, 0x65, 0x5d, 0xa8, 0x91, 0xc5,
++ 0x22, 0xa6, 0x5a, 0x72, 0xa8, 0x9b, 0xdc, 0x64, 0xec, 0x9b, 0x54, 0xa8,
++ 0x21, 0xed, 0x4a, 0x89, 0x8b, 0x49, 0x0e, 0x0c, 0x4f, 0xcb, 0x72, 0x19,
++ 0x2a, 0x4a, 0x20, 0xf5, 0x41, 0xf3, 0xf2, 0x92, 0x53, 0x99, 0xf0, 0xba,
++ 0xec, 0xf9, 0x29, 0xaa, 0xfb, 0xf7, 0x9d, 0xfe, 0x43, 0x32, 0x39, 0x3b,
++ 0x32, 0xcd, 0x2e, 0x2f, 0xcf, 0x27, 0x2f, 0x32, 0xa6, 0x27, 0x43, 0x4a,
++ 0x0d, 0xf2, 0x42, 0xb7, 0x5b, 0x41, 0x4d, 0xf3, 0x72, 0x12, 0x1e, 0x53,
++ 0xa5, 0x53, 0xf2, 0x22, 0xf8, 0x36, 0xb0, 0x00, 0xf0, 0x16, 0x48, 0x5b,
++ 0x6b, 0xd0, 0x89, 0x84, 0x51, 0x80, 0x1d, 0xcd, 0x8d, 0xe6, 0x4c, 0xd5,
++ 0x36, 0x56, 0x96, 0xff, 0xc5, 0x32, 0xd5, 0x28, 0xc5, 0x06, 0x62, 0x0a,
++ 0x94, 0x2a, 0x03, 0x05, 0x04, 0x6d, 0x8f, 0x18, 0x76, 0x34, 0x1f, 0x1e,
++ 0x57, 0x0b, 0xc3, 0x97, 0x4b, 0xa6, 0xb9, 0xa4, 0x38, 0xe9, 0x70, 0x23,
++ 0x02, 0xa2, 0xe6, 0xe6, 0x7b, 0xfd, 0x06, 0xd3, 0x2b, 0xc6, 0x79, 0x96,
++ 0x22, 0x71, 0xd7, 0xb4, 0x0c, 0xd7, 0x2f, 0x38, 0x6e, 0x64, 0xe0, 0xd7,
++ 0xef, 0x86, 0xca, 0x8c, 0xa5, 0xd1, 0x42, 0x28, 0xdc, 0x2a, 0x4f, 0x16,
++ 0xe3, 0x18, 0x98, 0x86, 0xb5, 0x99, 0x06, 0x74, 0xf4, 0x20, 0x0f, 0x3a,
++ 0x4c, 0xf6, 0x5a, 0x3f, 0x0d, 0xdb, 0xa1, 0xfa, 0x67, 0x2d, 0xff, 0x2f,
++ 0x5e, 0x14, 0x3d, 0x10, 0xe4, 0xe9, 0x7a, 0xe8, 0x4f, 0x6d, 0xa0, 0x95,
++ 0x35, 0xd5, 0xb9, 0xdf, 0x25, 0x91, 0x81, 0xa7, 0x9b, 0x63, 0xb0, 0x69,
++ 0xe9, 0x49, 0x97, 0x2b, 0x02, 0xba, 0x36, 0xb3, 0x58, 0x6a, 0xab, 0x7e,
++ 0x45, 0xf3, 0x22, 0xf8, 0x2e, 0x4e, 0x85, 0xca, 0x3a, 0xb8, 0x55, 0x91,
++ 0xb3, 0xc2, 0xa9, 0x66
++};
++
++static const unsigned char dsa_test_2048_pub_key[] = {
++ 0x24, 0x52, 0xf3, 0xcc, 0xbe, 0x9e, 0xd5, 0xca, 0x7d, 0xc7, 0x4c, 0x60,
++ 0x2b, 0x99, 0x22, 0x6e, 0x8f, 0x2f, 0xab, 0x38, 0xe7, 0xd7, 0xdd, 0xfb,
++ 0x75, 0x53, 0x9b, 0x17, 0x15, 0x5e, 0x9f, 0xcf, 0xd1, 0xab, 0xa5, 0x64,
++ 0xeb, 0x85, 0x35, 0xd8, 0x12, 0xc9, 0xc2, 0xdc, 0xf9, 0x72, 0x84, 0x44,
++ 0x1b, 0xc4, 0x82, 0x24, 0x36, 0x24, 0xc7, 0xf4, 0x57, 0x58, 0x0c, 0x1c,
++ 0x38, 0xa5, 0x7c, 0x46, 0xc4, 0x57, 0x39, 0x24, 0x70, 0xed, 0xb5, 0x2c,
++ 0xb5, 0xa6, 0xe0, 0x3f, 0xe6, 0x28, 0x7b, 0xb6, 0xf4, 0x9a, 0x42, 0xa2,
++ 0x06, 0x5a, 0x05, 0x4f, 0x03, 0x08, 0x39, 0xdf, 0x1f, 0xd3, 0x14, 0x9c,
++ 0x4c, 0xa0, 0x53, 0x1d, 0xd8, 0xca, 0x8a, 0xaa, 0x9c, 0xc7, 0x33, 0x71,
++ 0x93, 0x38, 0x73, 0x48, 0x33, 0x61, 0x18, 0x22, 0x45, 0x45, 0xe8, 0x8c,
++ 0x80, 0xff, 0xd8, 0x76, 0x5d, 0x74, 0x36, 0x03, 0x33, 0xcc, 0xab, 0x99,
++ 0x72, 0x77, 0x9b, 0x65, 0x25, 0xa6, 0x5b, 0xdd, 0x0d, 0x10, 0xc6, 0x75,
++ 0xc1, 0x09, 0xbb, 0xd3, 0xe5, 0xbe, 0x4d, 0x72, 0xef, 0x6e, 0xba, 0x6e,
++ 0x43, 0x8d, 0x52, 0x26, 0x23, 0x7d, 0xb8, 0x88, 0x37, 0x9c, 0x5f, 0xcc,
++ 0x47, 0xa3, 0x84, 0x7f, 0xf6, 0x37, 0x11, 0xba, 0xed, 0x6d, 0x03, 0xaf,
++ 0xe8, 0x1e, 0x69, 0x4a, 0x41, 0x3b, 0x68, 0x0b, 0xd3, 0x8a, 0xb4, 0x90,
++ 0x3f, 0x83, 0x70, 0xa7, 0x07, 0xef, 0x55, 0x1d, 0x49, 0x41, 0x02, 0x6d,
++ 0x95, 0x79, 0xd6, 0x91, 0xde, 0x8e, 0xda, 0xa1, 0x61, 0x05, 0xeb, 0x9d,
++ 0xba, 0x3c, 0x2f, 0x4c, 0x1b, 0xec, 0x50, 0x82, 0x75, 0xaa, 0x02, 0x07,
++ 0xe2, 0x51, 0xb5, 0xec, 0xcb, 0x28, 0x6a, 0x4b, 0x01, 0xd4, 0x49, 0xd3,
++ 0x0a, 0xcb, 0x67, 0x37, 0x17, 0xa0, 0xd2, 0xfb, 0x3b, 0x50, 0xc8, 0x93,
++ 0xf7, 0xda, 0xb1, 0x4f
++};
++
++static const unsigned char dsa_test_2048_priv_key[] = {
++ 0x0c, 0x4b, 0x30, 0x89, 0xd1, 0xb8, 0x62, 0xcb, 0x3c, 0x43, 0x64, 0x91,
++ 0xf0, 0x91, 0x54, 0x70, 0xc5, 0x27, 0x96, 0xe3, 0xac, 0xbe, 0xe8, 0x00,
++ 0xec, 0x55, 0xf6, 0xcc
++};
++
++static int corrupt_dsa;
++
++void FIPS_corrupt_dsa()
++{
++ corrupt_dsa = 1;
++}
++
++int FIPS_selftest_dsa()
++{
++ DSA *dsa = NULL;
++ EVP_PKEY *pk = NULL;
++ int ret = 0;
++
++ dsa = DSA_new();
++
++ if (dsa == NULL)
++ goto err;
++
++ fips_load_key_component(dsa, p, dsa_test_2048);
++ fips_load_key_component(dsa, q, dsa_test_2048);
++ fips_load_key_component(dsa, g, dsa_test_2048);
++ fips_load_key_component(dsa, pub_key, dsa_test_2048);
++ fips_load_key_component(dsa, priv_key, dsa_test_2048);
++
++ if (corrupt_dsa)
++ BN_set_bit(dsa->pub_key, 2047);
++
++ if ((pk = EVP_PKEY_new()) == NULL)
++ goto err;
++
++ EVP_PKEY_assign_DSA(pk, dsa);
++
++ if (!fips_pkey_signature_test(pk, NULL, 0,
++ NULL, 0, EVP_sha256(), 0, "DSA SHA256"))
++ goto err;
++ ret = 1;
++
++ err:
++ if (pk)
++ EVP_PKEY_free(pk);
++ else if (dsa)
++ DSA_free(dsa);
++ return ret;
++}
++#endif
+diff -up openssl-1.0.2i/crypto/fips/fips_enc.c.fips openssl-1.0.2i/crypto/fips/fips_enc.c
+--- openssl-1.0.2i/crypto/fips/fips_enc.c.fips 2016-09-22 13:35:57.017220997 +0200
++++ openssl-1.0.2i/crypto/fips/fips_enc.c 2016-09-22 13:35:57.017220997 +0200
+@@ -0,0 +1,189 @@
++/* fipe/evp/fips_enc.c */
++/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
++ * All rights reserved.
++ *
++ * This package is an SSL implementation written
++ * by Eric Young (eay@cryptsoft.com).
++ * The implementation was written so as to conform with Netscapes SSL.
++ *
++ * This library is free for commercial and non-commercial use as long as
++ * the following conditions are aheared to. The following conditions
++ * apply to all code found in this distribution, be it the RC4, RSA,
++ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
++ * included with this distribution is covered by the same copyright terms
++ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
++ *
++ * Copyright remains Eric Young's, and as such any Copyright notices in
++ * the code are not to be removed.
++ * If this package is used in a product, Eric Young should be given attribution
++ * as the author of the parts of the library used.
++ * This can be in the form of a textual message at program startup or
++ * in documentation (online or textual) provided with the package.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the copyright
++ * notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ * 3. All advertising materials mentioning features or use of this software
++ * must display the following acknowledgement:
++ * "This product includes cryptographic software written by
++ * Eric Young (eay@cryptsoft.com)"
++ * The word 'cryptographic' can be left out if the rouines from the library
++ * being used are not cryptographic related :-).
++ * 4. If you include any Windows specific code (or a derivative thereof) from
++ * the apps directory (application code) you must include an acknowledgement:
++ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
++ * SUCH DAMAGE.
++ *
++ * The licence and distribution terms for any publically available version or
++ * derivative of this code cannot be changed. i.e. this code cannot simply be
++ * copied and put under another distribution licence
++ * [including the GNU Public Licence.]
++ */
++
++#include <stdio.h>
++#include <string.h>
++#include <openssl/evp.h>
++#include <openssl/err.h>
++#include <openssl/fips.h>
++
++const EVP_CIPHER *FIPS_get_cipherbynid(int nid)
++{
++ switch (nid) {
++ case NID_aes_128_cbc:
++ return EVP_aes_128_cbc();
++
++ case NID_aes_128_ccm:
++ return EVP_aes_128_ccm();
++
++ case NID_aes_128_cfb1:
++ return EVP_aes_128_cfb1();
++
++ case NID_aes_128_cfb128:
++ return EVP_aes_128_cfb128();
++
++ case NID_aes_128_cfb8:
++ return EVP_aes_128_cfb8();
++
++ case NID_aes_128_ctr:
++ return EVP_aes_128_ctr();
++
++ case NID_aes_128_ecb:
++ return EVP_aes_128_ecb();
++
++ case NID_aes_128_gcm:
++ return EVP_aes_128_gcm();
++
++ case NID_aes_128_ofb128:
++ return EVP_aes_128_ofb();
++
++ case NID_aes_128_xts:
++ return EVP_aes_128_xts();
++
++ case NID_aes_192_cbc:
++ return EVP_aes_192_cbc();
++
++ case NID_aes_192_ccm:
++ return EVP_aes_192_ccm();
++
++ case NID_aes_192_cfb1:
++ return EVP_aes_192_cfb1();
++
++ case NID_aes_192_cfb128:
++ return EVP_aes_192_cfb128();
++
++ case NID_aes_192_cfb8:
++ return EVP_aes_192_cfb8();
++
++ case NID_aes_192_ctr:
++ return EVP_aes_192_ctr();
++
++ case NID_aes_192_ecb:
++ return EVP_aes_192_ecb();
++
++ case NID_aes_192_gcm:
++ return EVP_aes_192_gcm();
++
++ case NID_aes_192_ofb128:
++ return EVP_aes_192_ofb();
++
++ case NID_aes_256_cbc:
++ return EVP_aes_256_cbc();
++
++ case NID_aes_256_ccm:
++ return EVP_aes_256_ccm();
++
++ case NID_aes_256_cfb1:
++ return EVP_aes_256_cfb1();
++
++ case NID_aes_256_cfb128:
++ return EVP_aes_256_cfb128();
++
++ case NID_aes_256_cfb8:
++ return EVP_aes_256_cfb8();
++
++ case NID_aes_256_ctr:
++ return EVP_aes_256_ctr();
++
++ case NID_aes_256_ecb:
++ return EVP_aes_256_ecb();
++
++ case NID_aes_256_gcm:
++ return EVP_aes_256_gcm();
++
++ case NID_aes_256_ofb128:
++ return EVP_aes_256_ofb();
++
++ case NID_aes_256_xts:
++ return EVP_aes_256_xts();
++
++ case NID_des_ede_ecb:
++ return EVP_des_ede();
++
++ case NID_des_ede3_ecb:
++ return EVP_des_ede3();
++
++ case NID_des_ede3_cbc:
++ return EVP_des_ede3_cbc();
++
++ case NID_des_ede3_cfb1:
++ return EVP_des_ede3_cfb1();
++
++ case NID_des_ede3_cfb64:
++ return EVP_des_ede3_cfb64();
++
++ case NID_des_ede3_cfb8:
++ return EVP_des_ede3_cfb8();
++
++ case NID_des_ede3_ofb64:
++ return EVP_des_ede3_ofb();
++
++ case NID_des_ede_cbc:
++ return EVP_des_ede_cbc();
++
++ case NID_des_ede_cfb64:
++ return EVP_des_ede_cfb64();
++
++ case NID_des_ede_ofb64:
++ return EVP_des_ede_ofb();
++
++ default:
++ return NULL;
++
++ }
++}
+diff -up openssl-1.0.2i/crypto/fips/fips.h.fips openssl-1.0.2i/crypto/fips/fips.h
+--- openssl-1.0.2i/crypto/fips/fips.h.fips 2016-09-22 13:35:57.017220997 +0200
++++ openssl-1.0.2i/crypto/fips/fips.h 2016-09-22 13:35:57.017220997 +0200
+@@ -0,0 +1,278 @@
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <openssl/opensslconf.h>
++#include <openssl/crypto.h>
++#include <stdarg.h>
++
++#ifndef OPENSSL_FIPS
++# error FIPS is disabled.
++#endif
++
++#ifdef OPENSSL_FIPS
++
++# ifdef __cplusplus
++extern "C" {
++# endif
++
++ struct dsa_st;
++ struct rsa_st;
++ struct evp_pkey_st;
++ struct env_md_st;
++ struct env_md_ctx_st;
++ struct evp_cipher_st;
++ struct evp_cipher_ctx_st;
++ struct dh_method;
++ struct CMAC_CTX_st;
++ struct hmac_ctx_st;
++
++ int FIPS_module_mode_set(int onoff, const char *auth);
++ int FIPS_module_mode(void);
++ const void *FIPS_rand_check(void);
++ int FIPS_selftest(void);
++ int FIPS_selftest_failed(void);
++ void FIPS_corrupt_sha1(void);
++ int FIPS_selftest_sha1(void);
++ int FIPS_selftest_sha2(void);
++ void FIPS_corrupt_aes(void);
++ int FIPS_selftest_aes_ccm(void);
++ int FIPS_selftest_aes_gcm(void);
++ int FIPS_selftest_aes_xts(void);
++ int FIPS_selftest_aes(void);
++ void FIPS_corrupt_des(void);
++ int FIPS_selftest_des(void);
++ void FIPS_corrupt_rsa(void);
++ void FIPS_corrupt_rsa_keygen(void);
++ int FIPS_selftest_rsa(void);
++ void FIPS_corrupt_dsa(void);
++ void FIPS_corrupt_dsa_keygen(void);
++ int FIPS_selftest_dsa(void);
++ void FIPS_corrupt_rng(void);
++ void FIPS_rng_stick(void);
++ void FIPS_x931_stick(int onoff);
++ void FIPS_drbg_stick(int onoff);
++ int FIPS_selftest_rng(void);
++ int FIPS_selftest_x931(void);
++ int FIPS_selftest_hmac(void);
++ int FIPS_selftest_drbg(void);
++ int FIPS_selftest_drbg_all(void);
++ int FIPS_selftest_cmac(void);
++
++ void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr);
++
++# define FIPS_ERROR_IGNORED(alg) OpenSSLDie(__FILE__, __LINE__, \
++ alg " previous FIPS forbidden algorithm error ignored");
++
++ int fips_pkey_signature_test(struct evp_pkey_st *pkey,
++ const unsigned char *tbs, int tbslen,
++ const unsigned char *kat,
++ unsigned int katlen,
++ const struct env_md_st *digest,
++ unsigned int md_flags, const char *fail_str);
++
++ int fips_cipher_test(struct evp_cipher_ctx_st *ctx,
++ const struct evp_cipher_st *cipher,
++ const unsigned char *key,
++ const unsigned char *iv,
++ const unsigned char *plaintext,
++ const unsigned char *ciphertext, int len);
++
++ void fips_set_selftest_fail(void);
++
++ const struct env_md_st *FIPS_get_digestbynid(int nid);
++
++ const struct evp_cipher_st *FIPS_get_cipherbynid(int nid);
++
++/* BEGIN ERROR CODES */
++/* The following lines are auto generated by the script mkerr.pl. Any changes
++ * made after this point may be overwritten when the script is next run.
++ */
++ void ERR_load_FIPS_strings(void);
++
++/* Error codes for the FIPS functions. */
++
++/* Function codes. */
++# define FIPS_F_DH_BUILTIN_GENPARAMS 100
++# define FIPS_F_DH_INIT 148
++# define FIPS_F_DRBG_RESEED 162
++# define FIPS_F_DSA_BUILTIN_PARAMGEN 101
++# define FIPS_F_DSA_BUILTIN_PARAMGEN2 107
++# define FIPS_F_DSA_DO_SIGN 102
++# define FIPS_F_DSA_DO_VERIFY 103
++# define FIPS_F_ECDH_COMPUTE_KEY 163
++# define FIPS_F_ECDSA_DO_SIGN 164
++# define FIPS_F_ECDSA_DO_VERIFY 165
++# define FIPS_F_EC_KEY_GENERATE_KEY 166
++# define FIPS_F_EVP_CIPHERINIT_EX 124
++# define FIPS_F_EVP_DIGESTINIT_EX 125
++# define FIPS_F_FIPS_CHECK_DSA 104
++# define FIPS_F_FIPS_CHECK_DSA_PRNG 151
++# define FIPS_F_FIPS_CHECK_EC 142
++# define FIPS_F_FIPS_CHECK_EC_PRNG 152
++# define FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT 105
++# define FIPS_F_FIPS_CHECK_RSA 106
++# define FIPS_F_FIPS_CHECK_RSA_PRNG 150
++# define FIPS_F_FIPS_CIPHER 160
++# define FIPS_F_FIPS_CIPHERINIT 143
++# define FIPS_F_FIPS_CIPHER_CTX_CTRL 161
++# define FIPS_F_FIPS_DIGESTFINAL 158
++# define FIPS_F_FIPS_DIGESTINIT 128
++# define FIPS_F_FIPS_DIGESTUPDATE 159
++# define FIPS_F_FIPS_DRBG_BYTES 131
++# define FIPS_F_FIPS_DRBG_CHECK 146
++# define FIPS_F_FIPS_DRBG_CPRNG_TEST 132
++# define FIPS_F_FIPS_DRBG_ERROR_CHECK 136
++# define FIPS_F_FIPS_DRBG_GENERATE 134
++# define FIPS_F_FIPS_DRBG_INIT 135
++# define FIPS_F_FIPS_DRBG_INSTANTIATE 138
++# define FIPS_F_FIPS_DRBG_NEW 139
++# define FIPS_F_FIPS_DRBG_RESEED 140
++# define FIPS_F_FIPS_DRBG_SINGLE_KAT 141
++# define FIPS_F_FIPS_DSA_CHECK /* unused */ 107
++# define FIPS_F_FIPS_DSA_SIGN_DIGEST 154
++# define FIPS_F_FIPS_DSA_VERIFY_DIGEST 155
++# define FIPS_F_FIPS_GET_ENTROPY 147
++# define FIPS_F_FIPS_MODE_SET /* unused */ 108
++# define FIPS_F_FIPS_MODULE_MODE_SET 108
++# define FIPS_F_FIPS_PKEY_SIGNATURE_TEST 109
++# define FIPS_F_FIPS_RAND_ADD 137
++# define FIPS_F_FIPS_RAND_BYTES 122
++# define FIPS_F_FIPS_RAND_PSEUDO_BYTES 167
++# define FIPS_F_FIPS_RAND_SEED 168
++# define FIPS_F_FIPS_RAND_SET_METHOD 126
++# define FIPS_F_FIPS_RAND_STATUS 127
++# define FIPS_F_FIPS_RSA_SIGN_DIGEST 156
++# define FIPS_F_FIPS_RSA_VERIFY_DIGEST 157
++# define FIPS_F_FIPS_SELFTEST_AES 110
++# define FIPS_F_FIPS_SELFTEST_AES_CCM 145
++# define FIPS_F_FIPS_SELFTEST_AES_GCM 129
++# define FIPS_F_FIPS_SELFTEST_AES_XTS 144
++# define FIPS_F_FIPS_SELFTEST_CMAC 130
++# define FIPS_F_FIPS_SELFTEST_DES 111
++# define FIPS_F_FIPS_SELFTEST_DSA 112
++# define FIPS_F_FIPS_SELFTEST_ECDSA 133
++# define FIPS_F_FIPS_SELFTEST_HMAC 113
++# define FIPS_F_FIPS_SELFTEST_RNG /* unused */ 114
++# define FIPS_F_FIPS_SELFTEST_SHA1 115
++# define FIPS_F_FIPS_SELFTEST_X931 114
++# define FIPS_F_FIPS_SET_PRNG_KEY 153
++# define FIPS_F_HASH_FINAL 123
++# define FIPS_F_RSA_BUILTIN_KEYGEN 116
++# define FIPS_F_RSA_EAY_INIT 149
++# define FIPS_F_RSA_EAY_PRIVATE_DECRYPT 117
++# define FIPS_F_RSA_EAY_PRIVATE_ENCRYPT 118
++# define FIPS_F_RSA_EAY_PUBLIC_DECRYPT 119
++# define FIPS_F_RSA_EAY_PUBLIC_ENCRYPT 120
++# define FIPS_F_RSA_X931_GENERATE_KEY_EX 121
++# define FIPS_F_SSLEAY_RAND_BYTES /* unused */ 122
++
++/* Reason codes. */
++# define FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED 150
++# define FIPS_R_ADDITIONAL_INPUT_TOO_LONG 125
++# define FIPS_R_ALREADY_INSTANTIATED 134
++# define FIPS_R_AUTHENTICATION_FAILURE 151
++# define FIPS_R_CANNOT_READ_EXE /* unused */ 103
++# define FIPS_R_CANNOT_READ_EXE_DIGEST /* unused */ 104
++# define FIPS_R_CONTRADICTING_EVIDENCE 114
++# define FIPS_R_DRBG_NOT_INITIALISED 152
++# define FIPS_R_DRBG_STUCK 103
++# define FIPS_R_ENTROPY_ERROR_UNDETECTED 104
++# define FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED 105
++# define FIPS_R_ENTROPY_SOURCE_STUCK 142
++# define FIPS_R_ERROR_INITIALISING_DRBG 115
++# define FIPS_R_ERROR_INSTANTIATING_DRBG 127
++# define FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT 124
++# define FIPS_R_ERROR_RETRIEVING_ENTROPY 122
++# define FIPS_R_ERROR_RETRIEVING_NONCE 140
++# define FIPS_R_EXE_DIGEST_DOES_NOT_MATCH /* unused */ 105
++# define FIPS_R_FINGERPRINT_DOES_NOT_MATCH 110
++# define FIPS_R_FINGERPRINT_DOES_NOT_MATCH_NONPIC_RELOCATED 111
++# define FIPS_R_FINGERPRINT_DOES_NOT_MATCH_SEGMENT_ALIASING 112
++# define FIPS_R_FIPS_MODE_ALREADY_SET 102
++# define FIPS_R_FIPS_SELFTEST_FAILED 106
++# define FIPS_R_FUNCTION_ERROR 116
++# define FIPS_R_GENERATE_ERROR 137
++# define FIPS_R_GENERATE_ERROR_UNDETECTED 118
++# define FIPS_R_INSTANTIATE_ERROR 119
++# define FIPS_R_INSUFFICIENT_SECURITY_STRENGTH 120
++# define FIPS_R_INTERNAL_ERROR 121
++# define FIPS_R_INVALID_KEY_LENGTH 109
++# define FIPS_R_INVALID_PARAMETERS 144
++# define FIPS_R_IN_ERROR_STATE 123
++# define FIPS_R_KEY_TOO_SHORT 108
++# define FIPS_R_NONCE_ERROR_UNDETECTED 149
++# define FIPS_R_NON_FIPS_METHOD 100
++# define FIPS_R_NOPR_TEST1_FAILURE 145
++# define FIPS_R_NOPR_TEST2_FAILURE 146
++# define FIPS_R_NOT_INSTANTIATED 126
++# define FIPS_R_PAIRWISE_TEST_FAILED 107
++# define FIPS_R_PERSONALISATION_ERROR_UNDETECTED 128
++# define FIPS_R_PERSONALISATION_STRING_TOO_LONG 129
++# define FIPS_R_PRNG_STRENGTH_TOO_LOW 143
++# define FIPS_R_PR_TEST1_FAILURE 147
++# define FIPS_R_PR_TEST2_FAILURE 148
++# define FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED 130
++# define FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG 131
++# define FIPS_R_RESEED_COUNTER_ERROR 132
++# define FIPS_R_RESEED_ERROR 133
++# define FIPS_R_RSA_DECRYPT_ERROR /* unused */ 115
++# define FIPS_R_RSA_ENCRYPT_ERROR /* unused */ 116
++# define FIPS_R_SELFTEST_FAILED 101
++# define FIPS_R_SELFTEST_FAILURE 135
++# define FIPS_R_STRENGTH_ERROR_UNDETECTED 136
++# define FIPS_R_TEST_FAILURE 117
++# define FIPS_R_UNINSTANTIATE_ERROR 141
++# define FIPS_R_UNINSTANTIATE_ZEROISE_ERROR 138
++# define FIPS_R_UNSUPPORTED_DRBG_TYPE 139
++# define FIPS_R_UNSUPPORTED_PLATFORM 113
++
++# ifdef __cplusplus
++}
++# endif
++#endif
+diff -up openssl-1.0.2i/crypto/fips/fips_hmac_selftest.c.fips openssl-1.0.2i/crypto/fips/fips_hmac_selftest.c
+--- openssl-1.0.2i/crypto/fips/fips_hmac_selftest.c.fips 2016-09-22 13:35:57.017220997 +0200
++++ openssl-1.0.2i/crypto/fips/fips_hmac_selftest.c 2016-09-22 13:35:57.017220997 +0200
+@@ -0,0 +1,134 @@
++/* ====================================================================
++ * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <string.h>
++#include <openssl/err.h>
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
++#include <openssl/hmac.h>
++
++#ifdef OPENSSL_FIPS
++typedef struct {
++ const EVP_MD *(*alg) (void);
++ const char *key, *iv;
++ unsigned char kaval[EVP_MAX_MD_SIZE];
++} HMAC_KAT;
++
++static const HMAC_KAT vector[] = {
++ {EVP_sha1,
++ /* from http://csrc.nist.gov/publications/fips/fips198/fips-198a.pdf */
++ "0123456789:;<=>?@ABC",
++ "Sample #2",
++ {0x09, 0x22, 0xd3, 0x40, 0x5f, 0xaa, 0x3d, 0x19,
++ 0x4f, 0x82, 0xa4, 0x58, 0x30, 0x73, 0x7d, 0x5c,
++ 0xc6, 0xc7, 0x5d, 0x24}
++ },
++ {EVP_sha224,
++ /* just keep extending the above... */
++ "0123456789:;<=>?@ABC",
++ "Sample #2",
++ {0xdd, 0xef, 0x0a, 0x40, 0xcb, 0x7d, 0x50, 0xfb,
++ 0x6e, 0xe6, 0xce, 0xa1, 0x20, 0xba, 0x26, 0xaa,
++ 0x08, 0xf3, 0x07, 0x75, 0x87, 0xb8, 0xad, 0x1b,
++ 0x8c, 0x8d, 0x12, 0xc7}
++ },
++ {EVP_sha256,
++ "0123456789:;<=>?@ABC",
++ "Sample #2",
++ {0xb8, 0xf2, 0x0d, 0xb5, 0x41, 0xea, 0x43, 0x09,
++ 0xca, 0x4e, 0xa9, 0x38, 0x0c, 0xd0, 0xe8, 0x34,
++ 0xf7, 0x1f, 0xbe, 0x91, 0x74, 0xa2, 0x61, 0x38,
++ 0x0d, 0xc1, 0x7e, 0xae, 0x6a, 0x34, 0x51, 0xd9}
++ },
++ {EVP_sha384,
++ "0123456789:;<=>?@ABC",
++ "Sample #2",
++ {0x08, 0xbc, 0xb0, 0xda, 0x49, 0x1e, 0x87, 0xad,
++ 0x9a, 0x1d, 0x6a, 0xce, 0x23, 0xc5, 0x0b, 0xf6,
++ 0xb7, 0x18, 0x06, 0xa5, 0x77, 0xcd, 0x49, 0x04,
++ 0x89, 0xf1, 0xe6, 0x23, 0x44, 0x51, 0x51, 0x9f,
++ 0x85, 0x56, 0x80, 0x79, 0x0c, 0xbd, 0x4d, 0x50,
++ 0xa4, 0x5f, 0x29, 0xe3, 0x93, 0xf0, 0xe8, 0x7f}
++ },
++ {EVP_sha512,
++ "0123456789:;<=>?@ABC",
++ "Sample #2",
++ {0x80, 0x9d, 0x44, 0x05, 0x7c, 0x5b, 0x95, 0x41,
++ 0x05, 0xbd, 0x04, 0x13, 0x16, 0xdb, 0x0f, 0xac,
++ 0x44, 0xd5, 0xa4, 0xd5, 0xd0, 0x89, 0x2b, 0xd0,
++ 0x4e, 0x86, 0x64, 0x12, 0xc0, 0x90, 0x77, 0x68,
++ 0xf1, 0x87, 0xb7, 0x7c, 0x4f, 0xae, 0x2c, 0x2f,
++ 0x21, 0xa5, 0xb5, 0x65, 0x9a, 0x4f, 0x4b, 0xa7,
++ 0x47, 0x02, 0xa3, 0xde, 0x9b, 0x51, 0xf1, 0x45,
++ 0xbd, 0x4f, 0x25, 0x27, 0x42, 0x98, 0x99, 0x05}
++ },
++};
++
++int FIPS_selftest_hmac()
++{
++ int n;
++ unsigned int outlen;
++ unsigned char out[EVP_MAX_MD_SIZE];
++ const EVP_MD *md;
++ const HMAC_KAT *t;
++
++ for (n = 0, t = vector; n < sizeof(vector) / sizeof(vector[0]); n++, t++) {
++ md = (*t->alg) ();
++ HMAC(md, t->key, strlen(t->key),
++ (const unsigned char *)t->iv, strlen(t->iv), out, &outlen);
++
++ if (memcmp(out, t->kaval, outlen)) {
++ FIPSerr(FIPS_F_FIPS_SELFTEST_HMAC, FIPS_R_SELFTEST_FAILED);
++ return 0;
++ }
++ }
++ return 1;
++}
++#endif
+diff -up openssl-1.0.2i/crypto/fips/fips_locl.h.fips openssl-1.0.2i/crypto/fips/fips_locl.h
+--- openssl-1.0.2i/crypto/fips/fips_locl.h.fips 2016-09-22 13:35:57.017220997 +0200
++++ openssl-1.0.2i/crypto/fips/fips_locl.h 2016-09-22 13:35:57.017220997 +0200
+@@ -0,0 +1,71 @@
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#ifdef OPENSSL_FIPS
++
++# ifdef __cplusplus
++extern "C" {
++# endif
++
++# define FIPS_MAX_CIPHER_TEST_SIZE 32
++# define fips_load_key_component(key, comp, pre) \
++ key->comp = BN_bin2bn(pre##_##comp, sizeof(pre##_##comp), key->comp); \
++ if (!key->comp) \
++ goto err
++
++# define fips_post_started(id, subid, ex) 1
++# define fips_post_success(id, subid, ex) 1
++# define fips_post_failed(id, subid, ex) 1
++# define fips_post_corrupt(id, subid, ex) 1
++# define fips_post_status() 1
++
++# ifdef __cplusplus
++}
++# endif
++#endif
+diff -up openssl-1.0.2i/crypto/fips/fips_md.c.fips openssl-1.0.2i/crypto/fips/fips_md.c
+--- openssl-1.0.2i/crypto/fips/fips_md.c.fips 2016-09-22 13:35:57.017220997 +0200
++++ openssl-1.0.2i/crypto/fips/fips_md.c 2016-09-22 13:35:57.017220997 +0200
+@@ -0,0 +1,144 @@
++/* fips/evp/fips_md.c */
++/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
++ * All rights reserved.
++ *
++ * This package is an SSL implementation written
++ * by Eric Young (eay@cryptsoft.com).
++ * The implementation was written so as to conform with Netscapes SSL.
++ *
++ * This library is free for commercial and non-commercial use as long as
++ * the following conditions are aheared to. The following conditions
++ * apply to all code found in this distribution, be it the RC4, RSA,
++ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
++ * included with this distribution is covered by the same copyright terms
++ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
++ *
++ * Copyright remains Eric Young's, and as such any Copyright notices in
++ * the code are not to be removed.
++ * If this package is used in a product, Eric Young should be given attribution
++ * as the author of the parts of the library used.
++ * This can be in the form of a textual message at program startup or
++ * in documentation (online or textual) provided with the package.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the copyright
++ * notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ * 3. All advertising materials mentioning features or use of this software
++ * must display the following acknowledgement:
++ * "This product includes cryptographic software written by
++ * Eric Young (eay@cryptsoft.com)"
++ * The word 'cryptographic' can be left out if the rouines from the library
++ * being used are not cryptographic related :-).
++ * 4. If you include any Windows specific code (or a derivative thereof) from
++ * the apps directory (application code) you must include an acknowledgement:
++ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
++ * SUCH DAMAGE.
++ *
++ * The licence and distribution terms for any publically available version or
++ * derivative of this code cannot be changed. i.e. this code cannot simply be
++ * copied and put under another distribution licence
++ * [including the GNU Public Licence.]
++ */
++/* ====================================================================
++ * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ *
++ * This product includes cryptographic software written by Eric Young
++ * (eay@cryptsoft.com). This product includes software written by Tim
++ * Hudson (tjh@cryptsoft.com).
++ *
++ */
++
++/* Minimal standalone FIPS versions of Digest operations */
++
++#define OPENSSL_FIPSAPI
++
++#include <stdio.h>
++#include <string.h>
++#include <openssl/objects.h>
++#include <openssl/evp.h>
++#include <openssl/err.h>
++#include <openssl/fips.h>
++
++const EVP_MD *FIPS_get_digestbynid(int nid)
++{
++ switch (nid) {
++ case NID_sha1:
++ return EVP_sha1();
++
++ case NID_sha224:
++ return EVP_sha224();
++
++ case NID_sha256:
++ return EVP_sha256();
++
++ case NID_sha384:
++ return EVP_sha384();
++
++ case NID_sha512:
++ return EVP_sha512();
++
++ default:
++ return NULL;
++ }
++}
+diff -up openssl-1.0.2i/crypto/fips/fips_post.c.fips openssl-1.0.2i/crypto/fips/fips_post.c
+--- openssl-1.0.2i/crypto/fips/fips_post.c.fips 2016-09-22 13:35:57.017220997 +0200
++++ openssl-1.0.2i/crypto/fips/fips_post.c 2016-09-22 13:35:57.017220997 +0200
+@@ -0,0 +1,201 @@
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#define OPENSSL_FIPSAPI
++
++#include <openssl/crypto.h>
++#include <openssl/rand.h>
++#include <openssl/fips_rand.h>
++#include <openssl/err.h>
++#include <openssl/bio.h>
++#include <openssl/hmac.h>
++#include <openssl/rsa.h>
++#include <openssl/dsa.h>
++#include <string.h>
++#include <limits.h>
++
++#ifdef OPENSSL_FIPS
++
++/* Power on self test (POST) support functions */
++
++# include <openssl/fips.h>
++# include "fips_locl.h"
++
++/* Run all selftests */
++int FIPS_selftest(void)
++{
++ int rv = 1;
++ if (!FIPS_selftest_drbg())
++ rv = 0;
++ if (!FIPS_selftest_x931())
++ rv = 0;
++ if (!FIPS_selftest_sha1())
++ rv = 0;
++ if (!FIPS_selftest_sha2())
++ rv = 0;
++ if (!FIPS_selftest_hmac())
++ rv = 0;
++ if (!FIPS_selftest_cmac())
++ rv = 0;
++ if (!FIPS_selftest_aes())
++ rv = 0;
++ if (!FIPS_selftest_aes_ccm())
++ rv = 0;
++ if (!FIPS_selftest_aes_gcm())
++ rv = 0;
++ if (!FIPS_selftest_aes_xts())
++ rv = 0;
++ if (!FIPS_selftest_des())
++ rv = 0;
++ if (!FIPS_selftest_rsa())
++ rv = 0;
++ if (!FIPS_selftest_dsa())
++ rv = 0;
++ return rv;
++}
++
++/* Generalized public key test routine. Signs and verifies the data
++ * supplied in tbs using mesage digest md and setting option digest
++ * flags md_flags. If the 'kat' parameter is not NULL it will
++ * additionally check the signature matches it: a known answer test
++ * The string "fail_str" is used for identification purposes in case
++ * of failure. If "pkey" is NULL just perform a message digest check.
++ */
++
++int fips_pkey_signature_test(EVP_PKEY *pkey,
++ const unsigned char *tbs, int tbslen,
++ const unsigned char *kat, unsigned int katlen,
++ const EVP_MD *digest, unsigned int md_flags,
++ const char *fail_str)
++{
++ int ret = 0;
++ unsigned char sigtmp[256], *sig = sigtmp;
++ unsigned int siglen;
++ EVP_MD_CTX mctx;
++ EVP_MD_CTX_init(&mctx);
++
++ if (digest == NULL)
++ digest = EVP_sha256();
++
++ if ((pkey->type == EVP_PKEY_RSA)
++ && (RSA_size(pkey->pkey.rsa) > sizeof(sigtmp))) {
++ sig = OPENSSL_malloc(RSA_size(pkey->pkey.rsa));
++ if (!sig) {
++ FIPSerr(FIPS_F_FIPS_PKEY_SIGNATURE_TEST, ERR_R_MALLOC_FAILURE);
++ return 0;
++ }
++ }
++
++ if (tbslen == -1)
++ tbslen = strlen((char *)tbs);
++
++ if (md_flags)
++ EVP_MD_CTX_set_flags(&mctx, md_flags);
++
++ if (!EVP_SignInit_ex(&mctx, digest, NULL))
++ goto error;
++ if (!EVP_SignUpdate(&mctx, tbs, tbslen))
++ goto error;
++ if (!EVP_SignFinal(&mctx, sig, &siglen, pkey))
++ goto error;
++
++ if (kat && ((siglen != katlen) || memcmp(kat, sig, katlen)))
++ goto error;
++
++ if (!EVP_VerifyInit_ex(&mctx, digest, NULL))
++ goto error;
++ if (!EVP_VerifyUpdate(&mctx, tbs, tbslen))
++ goto error;
++ ret = EVP_VerifyFinal(&mctx, sig, siglen, pkey);
++
++ error:
++ if (sig != sigtmp)
++ OPENSSL_free(sig);
++ EVP_MD_CTX_cleanup(&mctx);
++ if (ret != 1) {
++ FIPSerr(FIPS_F_FIPS_PKEY_SIGNATURE_TEST, FIPS_R_TEST_FAILURE);
++ if (fail_str)
++ ERR_add_error_data(2, "Type=", fail_str);
++ return 0;
++ }
++ return 1;
++}
++
++/* Generalized symmetric cipher test routine. Encrypt data, verify result
++ * against known answer, decrypt and compare with original plaintext.
++ */
++
++int fips_cipher_test(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
++ const unsigned char *key,
++ const unsigned char *iv,
++ const unsigned char *plaintext,
++ const unsigned char *ciphertext, int len)
++{
++ unsigned char pltmp[FIPS_MAX_CIPHER_TEST_SIZE];
++ unsigned char citmp[FIPS_MAX_CIPHER_TEST_SIZE];
++
++ OPENSSL_assert(len <= FIPS_MAX_CIPHER_TEST_SIZE);
++ memset(pltmp, 0, FIPS_MAX_CIPHER_TEST_SIZE);
++ memset(citmp, 0, FIPS_MAX_CIPHER_TEST_SIZE);
++
++ if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 1) <= 0)
++ return 0;
++ if (EVP_Cipher(ctx, citmp, plaintext, len) <= 0)
++ return 0;
++ if (memcmp(citmp, ciphertext, len))
++ return 0;
++ if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 0) <= 0)
++ return 0;
++ if (EVP_Cipher(ctx, pltmp, citmp, len) <= 0)
++ return 0;
++ if (memcmp(pltmp, plaintext, len))
++ return 0;
++ return 1;
++}
++#endif
+diff -up openssl-1.0.2i/crypto/fips/fips_rand.c.fips openssl-1.0.2i/crypto/fips/fips_rand.c
+--- openssl-1.0.2i/crypto/fips/fips_rand.c.fips 2016-09-22 13:35:57.018221020 +0200
++++ openssl-1.0.2i/crypto/fips/fips_rand.c 2016-09-22 13:35:57.018221020 +0200
+@@ -0,0 +1,428 @@
++/* ====================================================================
++ * Copyright (c) 2007 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++/*
++ * This is a FIPS approved AES PRNG based on ANSI X9.31 A.2.4.
++ */
++#include <openssl/crypto.h>
++#include "e_os.h"
++
++/* If we don't define _XOPEN_SOURCE_EXTENDED, struct timeval won't
++ be defined and gettimeofday() won't be declared with strict compilers
++ like DEC C in ANSI C mode. */
++#ifndef _XOPEN_SOURCE_EXTENDED
++# define _XOPEN_SOURCE_EXTENDED 1
++#endif
++
++#include <openssl/rand.h>
++#include <openssl/aes.h>
++#include <openssl/err.h>
++#include <openssl/fips_rand.h>
++#if !(defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VXWORKS))
++# include <sys/time.h>
++#endif
++#if defined(OPENSSL_SYS_VXWORKS)
++# include <time.h>
++#endif
++#include <assert.h>
++#ifndef OPENSSL_SYS_WIN32
++# ifdef OPENSSL_UNISTD
++# include OPENSSL_UNISTD
++# else
++# include <unistd.h>
++# endif
++#endif
++#include <string.h>
++#include <openssl/fips.h>
++#include "fips_locl.h"
++
++#ifdef OPENSSL_FIPS
++
++void *OPENSSL_stderr(void);
++
++# define AES_BLOCK_LENGTH 16
++
++/* AES FIPS PRNG implementation */
++
++typedef struct {
++ int seeded;
++ int keyed;
++ int test_mode;
++ int second;
++ int error;
++ unsigned long counter;
++ AES_KEY ks;
++ int vpos;
++ /* Temporary storage for key if it equals seed length */
++ unsigned char tmp_key[AES_BLOCK_LENGTH];
++ unsigned char V[AES_BLOCK_LENGTH];
++ unsigned char DT[AES_BLOCK_LENGTH];
++ unsigned char last[AES_BLOCK_LENGTH];
++} FIPS_PRNG_CTX;
++
++static FIPS_PRNG_CTX sctx;
++
++static int fips_prng_fail = 0;
++
++void FIPS_x931_stick(int onoff)
++{
++ fips_prng_fail = onoff;
++}
++
++void FIPS_rng_stick(void)
++{
++ FIPS_x931_stick(1);
++}
++
++static void fips_rand_prng_reset(FIPS_PRNG_CTX * ctx)
++{
++ ctx->seeded = 0;
++ ctx->keyed = 0;
++ ctx->test_mode = 0;
++ ctx->counter = 0;
++ ctx->second = 0;
++ ctx->error = 0;
++ ctx->vpos = 0;
++ OPENSSL_cleanse(ctx->V, AES_BLOCK_LENGTH);
++ OPENSSL_cleanse(&ctx->ks, sizeof(AES_KEY));
++}
++
++static int fips_set_prng_key(FIPS_PRNG_CTX * ctx,
++ const unsigned char *key, unsigned int keylen)
++{
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_FIPS_SET_PRNG_KEY, FIPS_R_SELFTEST_FAILED);
++ return 0;
++ }
++ if (keylen != 16 && keylen != 24 && keylen != 32) {
++ /* error: invalid key size */
++ return 0;
++ }
++ AES_set_encrypt_key(key, keylen << 3, &ctx->ks);
++ if (keylen == 16) {
++ memcpy(ctx->tmp_key, key, 16);
++ ctx->keyed = 2;
++ } else
++ ctx->keyed = 1;
++ ctx->seeded = 0;
++ ctx->second = 0;
++ return 1;
++}
++
++static int fips_set_prng_seed(FIPS_PRNG_CTX * ctx,
++ const unsigned char *seed, unsigned int seedlen)
++{
++ unsigned int i;
++ if (!ctx->keyed)
++ return 0;
++ /* In test mode seed is just supplied data */
++ if (ctx->test_mode) {
++ if (seedlen != AES_BLOCK_LENGTH)
++ return 0;
++ memcpy(ctx->V, seed, AES_BLOCK_LENGTH);
++ ctx->seeded = 1;
++ return 1;
++ }
++ /* Outside test mode XOR supplied data with existing seed */
++ for (i = 0; i < seedlen; i++) {
++ ctx->V[ctx->vpos++] ^= seed[i];
++ if (ctx->vpos == AES_BLOCK_LENGTH) {
++ ctx->vpos = 0;
++ /* Special case if first seed and key length equals
++ * block size check key and seed do not match.
++ */
++ if (ctx->keyed == 2) {
++ if (!memcmp(ctx->tmp_key, ctx->V, 16)) {
++ RANDerr(RAND_F_FIPS_SET_PRNG_SEED,
++ RAND_R_PRNG_SEED_MUST_NOT_MATCH_KEY);
++ return 0;
++ }
++ OPENSSL_cleanse(ctx->tmp_key, 16);
++ ctx->keyed = 1;
++ }
++ ctx->seeded = 1;
++ }
++ }
++ return 1;
++}
++
++static int fips_set_test_mode(FIPS_PRNG_CTX * ctx)
++{
++ if (ctx->keyed) {
++ RANDerr(RAND_F_FIPS_SET_TEST_MODE, RAND_R_PRNG_KEYED);
++ return 0;
++ }
++ ctx->test_mode = 1;
++ return 1;
++}
++
++int FIPS_x931_test_mode(void)
++{
++ return fips_set_test_mode(&sctx);
++}
++
++int FIPS_rand_test_mode(void)
++{
++ return fips_set_test_mode(&sctx);
++}
++
++int FIPS_x931_set_dt(unsigned char *dt)
++{
++ if (!sctx.test_mode) {
++ RANDerr(RAND_F_FIPS_X931_SET_DT, RAND_R_NOT_IN_TEST_MODE);
++ return 0;
++ }
++ memcpy(sctx.DT, dt, AES_BLOCK_LENGTH);
++ return 1;
++}
++
++int FIPS_rand_set_dt(unsigned char *dt)
++{
++ if (!sctx.test_mode) {
++ RANDerr(RAND_F_FIPS_RAND_SET_DT, RAND_R_NOT_IN_TEST_MODE);
++ return 0;
++ }
++ memcpy(sctx.DT, dt, AES_BLOCK_LENGTH);
++ return 1;
++}
++
++void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr)
++{
++# ifdef OPENSSL_SYS_WIN32
++ FILETIME ft;
++# elif defined(OPENSSL_SYS_VXWORKS)
++ struct timespec ts;
++# else
++ struct timeval tv;
++# endif
++
++# ifndef GETPID_IS_MEANINGLESS
++ unsigned long pid;
++# endif
++
++# ifdef OPENSSL_SYS_WIN32
++ GetSystemTimeAsFileTime(&ft);
++ buf[0] = (unsigned char)(ft.dwHighDateTime & 0xff);
++ buf[1] = (unsigned char)((ft.dwHighDateTime >> 8) & 0xff);
++ buf[2] = (unsigned char)((ft.dwHighDateTime >> 16) & 0xff);
++ buf[3] = (unsigned char)((ft.dwHighDateTime >> 24) & 0xff);
++ buf[4] = (unsigned char)(ft.dwLowDateTime & 0xff);
++ buf[5] = (unsigned char)((ft.dwLowDateTime >> 8) & 0xff);
++ buf[6] = (unsigned char)((ft.dwLowDateTime >> 16) & 0xff);
++ buf[7] = (unsigned char)((ft.dwLowDateTime >> 24) & 0xff);
++# elif defined(OPENSSL_SYS_VXWORKS)
++ clock_gettime(CLOCK_REALTIME, &ts);
++ buf[0] = (unsigned char)(ts.tv_sec & 0xff);
++ buf[1] = (unsigned char)((ts.tv_sec >> 8) & 0xff);
++ buf[2] = (unsigned char)((ts.tv_sec >> 16) & 0xff);
++ buf[3] = (unsigned char)((ts.tv_sec >> 24) & 0xff);
++ buf[4] = (unsigned char)(ts.tv_nsec & 0xff);
++ buf[5] = (unsigned char)((ts.tv_nsec >> 8) & 0xff);
++ buf[6] = (unsigned char)((ts.tv_nsec >> 16) & 0xff);
++ buf[7] = (unsigned char)((ts.tv_nsec >> 24) & 0xff);
++# else
++ gettimeofday(&tv, NULL);
++ buf[0] = (unsigned char)(tv.tv_sec & 0xff);
++ buf[1] = (unsigned char)((tv.tv_sec >> 8) & 0xff);
++ buf[2] = (unsigned char)((tv.tv_sec >> 16) & 0xff);
++ buf[3] = (unsigned char)((tv.tv_sec >> 24) & 0xff);
++ buf[4] = (unsigned char)(tv.tv_usec & 0xff);
++ buf[5] = (unsigned char)((tv.tv_usec >> 8) & 0xff);
++ buf[6] = (unsigned char)((tv.tv_usec >> 16) & 0xff);
++ buf[7] = (unsigned char)((tv.tv_usec >> 24) & 0xff);
++# endif
++ buf[8] = (unsigned char)(*pctr & 0xff);
++ buf[9] = (unsigned char)((*pctr >> 8) & 0xff);
++ buf[10] = (unsigned char)((*pctr >> 16) & 0xff);
++ buf[11] = (unsigned char)((*pctr >> 24) & 0xff);
++
++ (*pctr)++;
++
++# ifndef GETPID_IS_MEANINGLESS
++ pid = (unsigned long)getpid();
++ buf[12] = (unsigned char)(pid & 0xff);
++ buf[13] = (unsigned char)((pid >> 8) & 0xff);
++ buf[14] = (unsigned char)((pid >> 16) & 0xff);
++ buf[15] = (unsigned char)((pid >> 24) & 0xff);
++# endif
++}
++
++static int fips_rand(FIPS_PRNG_CTX * ctx,
++ unsigned char *out, unsigned int outlen)
++{
++ unsigned char R[AES_BLOCK_LENGTH], I[AES_BLOCK_LENGTH];
++ unsigned char tmp[AES_BLOCK_LENGTH];
++ int i;
++ if (ctx->error) {
++ RANDerr(RAND_F_FIPS_RAND, RAND_R_PRNG_ERROR);
++ return 0;
++ }
++ if (!ctx->keyed) {
++ RANDerr(RAND_F_FIPS_RAND, RAND_R_NO_KEY_SET);
++ return 0;
++ }
++ if (!ctx->seeded) {
++ RANDerr(RAND_F_FIPS_RAND, RAND_R_PRNG_NOT_SEEDED);
++ return 0;
++ }
++ for (;;) {
++ if (!ctx->test_mode)
++ FIPS_get_timevec(ctx->DT, &ctx->counter);
++ AES_encrypt(ctx->DT, I, &ctx->ks);
++ for (i = 0; i < AES_BLOCK_LENGTH; i++)
++ tmp[i] = I[i] ^ ctx->V[i];
++ AES_encrypt(tmp, R, &ctx->ks);
++ for (i = 0; i < AES_BLOCK_LENGTH; i++)
++ tmp[i] = R[i] ^ I[i];
++ AES_encrypt(tmp, ctx->V, &ctx->ks);
++ /* Continuous PRNG test */
++ if (ctx->second) {
++ if (fips_prng_fail)
++ memcpy(ctx->last, R, AES_BLOCK_LENGTH);
++ if (!memcmp(R, ctx->last, AES_BLOCK_LENGTH)) {
++ RANDerr(RAND_F_FIPS_RAND, RAND_R_PRNG_STUCK);
++ ctx->error = 1;
++ fips_set_selftest_fail();
++ return 0;
++ }
++ }
++ memcpy(ctx->last, R, AES_BLOCK_LENGTH);
++ if (!ctx->second) {
++ ctx->second = 1;
++ if (!ctx->test_mode)
++ continue;
++ }
++
++ if (outlen <= AES_BLOCK_LENGTH) {
++ memcpy(out, R, outlen);
++ break;
++ }
++
++ memcpy(out, R, AES_BLOCK_LENGTH);
++ out += AES_BLOCK_LENGTH;
++ outlen -= AES_BLOCK_LENGTH;
++ }
++ return 1;
++}
++
++int FIPS_x931_set_key(const unsigned char *key, int keylen)
++{
++ int ret;
++ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
++ ret = fips_set_prng_key(&sctx, key, keylen);
++ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
++ return ret;
++}
++
++int FIPS_rand_set_key(const unsigned char *key, FIPS_RAND_SIZE_T keylen)
++{
++ return FIPS_x931_set_key(key, keylen);
++}
++
++int FIPS_x931_seed(const void *seed, int seedlen)
++{
++ int ret;
++ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
++ ret = fips_set_prng_seed(&sctx, seed, seedlen);
++ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
++ return ret;
++}
++
++int FIPS_x931_bytes(unsigned char *out, int count)
++{
++ int ret;
++ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
++ ret = fips_rand(&sctx, out, count);
++ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
++ return ret;
++}
++
++int FIPS_x931_status(void)
++{
++ int ret;
++ CRYPTO_r_lock(CRYPTO_LOCK_RAND);
++ ret = sctx.seeded;
++ CRYPTO_r_unlock(CRYPTO_LOCK_RAND);
++ return ret;
++}
++
++void FIPS_x931_reset(void)
++{
++ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
++ fips_rand_prng_reset(&sctx);
++ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
++}
++
++static int fips_do_rand_seed(const void *seed, int seedlen)
++{
++ FIPS_x931_seed(seed, seedlen);
++ return 1;
++}
++
++static int fips_do_rand_add(const void *seed, int seedlen, double add_entropy)
++{
++ FIPS_x931_seed(seed, seedlen);
++ return 1;
++}
++
++static const RAND_METHOD rand_x931_meth = {
++ fips_do_rand_seed,
++ FIPS_x931_bytes,
++ FIPS_x931_reset,
++ fips_do_rand_add,
++ FIPS_x931_bytes,
++ FIPS_x931_status
++};
++
++const RAND_METHOD *FIPS_x931_method(void)
++{
++ return &rand_x931_meth;
++}
++
++#endif
+diff -up openssl-1.0.2i/crypto/fips/fips_rand.h.fips openssl-1.0.2i/crypto/fips/fips_rand.h
+--- openssl-1.0.2i/crypto/fips/fips_rand.h.fips 2016-09-22 13:35:57.018221020 +0200
++++ openssl-1.0.2i/crypto/fips/fips_rand.h 2016-09-22 13:35:57.018221020 +0200
+@@ -0,0 +1,163 @@
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#ifndef HEADER_FIPS_RAND_H
++# define HEADER_FIPS_RAND_H
++
++# include <openssl/aes.h>
++# include <openssl/evp.h>
++# include <openssl/hmac.h>
++# include <openssl/rand.h>
++
++# ifdef OPENSSL_FIPS
++
++# ifdef __cplusplus
++extern "C" {
++# endif
++
++ int FIPS_x931_set_key(const unsigned char *key, int keylen);
++ int FIPS_x931_seed(const void *buf, int num);
++ int FIPS_x931_bytes(unsigned char *out, int outlen);
++
++ int FIPS_x931_test_mode(void);
++ void FIPS_x931_reset(void);
++ int FIPS_x931_set_dt(unsigned char *dt);
++
++ int FIPS_x931_status(void);
++
++ const RAND_METHOD *FIPS_x931_method(void);
++
++ typedef struct drbg_ctx_st DRBG_CTX;
++/* DRBG external flags */
++/* Flag for CTR mode only: use derivation function ctr_df */
++# define DRBG_FLAG_CTR_USE_DF 0x1
++/* PRNG is in test state */
++# define DRBG_FLAG_TEST 0x2
++
++ DRBG_CTX *FIPS_drbg_new(int type, unsigned int flags);
++ int FIPS_drbg_init(DRBG_CTX *dctx, int type, unsigned int flags);
++ int FIPS_drbg_instantiate(DRBG_CTX *dctx,
++ const unsigned char *pers, size_t perslen);
++ int FIPS_drbg_reseed(DRBG_CTX *dctx, const unsigned char *adin,
++ size_t adinlen);
++ int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
++ int prediction_resistance,
++ const unsigned char *adin, size_t adinlen);
++
++ int FIPS_drbg_uninstantiate(DRBG_CTX *dctx);
++ void FIPS_drbg_free(DRBG_CTX *dctx);
++
++ int FIPS_drbg_set_callbacks(DRBG_CTX *dctx,
++ size_t (*get_entropy) (DRBG_CTX *ctx,
++ unsigned char **pout,
++ int entropy,
++ size_t min_len,
++ size_t max_len),
++ void (*cleanup_entropy) (DRBG_CTX *ctx,
++ unsigned char *out,
++ size_t olen),
++ size_t entropy_blocklen,
++ size_t (*get_nonce) (DRBG_CTX *ctx,
++ unsigned char **pout,
++ int entropy,
++ size_t min_len,
++ size_t max_len),
++ void (*cleanup_nonce) (DRBG_CTX *ctx,
++ unsigned char *out,
++ size_t olen));
++
++ int FIPS_drbg_set_rand_callbacks(DRBG_CTX *dctx,
++ size_t (*get_adin) (DRBG_CTX *ctx,
++ unsigned char
++ **pout),
++ void (*cleanup_adin) (DRBG_CTX *ctx,
++ unsigned char *out,
++ size_t olen),
++ int (*rand_seed_cb) (DRBG_CTX *ctx,
++ const void *buf,
++ int num),
++ int (*rand_add_cb) (DRBG_CTX *ctx,
++ const void *buf,
++ int num,
++ double entropy));
++
++ void *FIPS_drbg_get_app_data(DRBG_CTX *ctx);
++ void FIPS_drbg_set_app_data(DRBG_CTX *ctx, void *app_data);
++ size_t FIPS_drbg_get_blocklength(DRBG_CTX *dctx);
++ int FIPS_drbg_get_strength(DRBG_CTX *dctx);
++ void FIPS_drbg_set_check_interval(DRBG_CTX *dctx, int interval);
++ void FIPS_drbg_set_reseed_interval(DRBG_CTX *dctx, int interval);
++
++ int FIPS_drbg_health_check(DRBG_CTX *dctx);
++
++ DRBG_CTX *FIPS_get_default_drbg(void);
++ const RAND_METHOD *FIPS_drbg_method(void);
++
++ int FIPS_rand_set_method(const RAND_METHOD *meth);
++ const RAND_METHOD *FIPS_rand_get_method(void);
++
++ void FIPS_rand_set_bits(int nbits);
++
++ int FIPS_rand_strength(void);
++
++/* 1.0.0 compat functions */
++ int FIPS_rand_set_key(const unsigned char *key, FIPS_RAND_SIZE_T keylen);
++ int FIPS_rand_seed(const void *buf, FIPS_RAND_SIZE_T num);
++ int FIPS_rand_bytes(unsigned char *out, FIPS_RAND_SIZE_T outlen);
++ int FIPS_rand_test_mode(void);
++ void FIPS_rand_reset(void);
++ int FIPS_rand_set_dt(unsigned char *dt);
++ int FIPS_rand_status(void);
++ const RAND_METHOD *FIPS_rand_method(void);
++
++# ifdef __cplusplus
++}
++# endif
++# endif
++#endif
+diff -up openssl-1.0.2i/crypto/fips/fips_rand_lcl.h.fips openssl-1.0.2i/crypto/fips/fips_rand_lcl.h
+--- openssl-1.0.2i/crypto/fips/fips_rand_lcl.h.fips 2016-09-22 13:35:57.018221020 +0200
++++ openssl-1.0.2i/crypto/fips/fips_rand_lcl.h 2016-09-22 13:35:57.018221020 +0200
+@@ -0,0 +1,213 @@
++/* fips/rand/fips_rand_lcl.h */
++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
++ * project.
++ */
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++typedef struct drbg_hash_ctx_st DRBG_HASH_CTX;
++typedef struct drbg_hmac_ctx_st DRBG_HMAC_CTX;
++typedef struct drbg_ctr_ctx_st DRBG_CTR_CTX;
++
++/* 888 bits from 10.1 table 2 */
++#define HASH_PRNG_MAX_SEEDLEN 111
++
++struct drbg_hash_ctx_st {
++ const EVP_MD *md;
++ EVP_MD_CTX mctx;
++ unsigned char V[HASH_PRNG_MAX_SEEDLEN];
++ unsigned char C[HASH_PRNG_MAX_SEEDLEN];
++ /* Temporary value storage: should always exceed max digest length */
++ unsigned char vtmp[HASH_PRNG_MAX_SEEDLEN];
++};
++
++struct drbg_hmac_ctx_st {
++ const EVP_MD *md;
++ HMAC_CTX hctx;
++ unsigned char K[EVP_MAX_MD_SIZE];
++ unsigned char V[EVP_MAX_MD_SIZE];
++};
++
++struct drbg_ctr_ctx_st {
++ AES_KEY ks;
++ size_t keylen;
++ unsigned char K[32];
++ unsigned char V[16];
++ /* Temp variables used by derivation function */
++ AES_KEY df_ks;
++ AES_KEY df_kxks;
++ /* Temporary block storage used by ctr_df */
++ unsigned char bltmp[16];
++ size_t bltmp_pos;
++ unsigned char KX[48];
++};
++
++/* DRBG internal flags */
++
++/* Functions shouldn't call err library */
++#define DRBG_FLAG_NOERR 0x1
++/* Custom reseed checking */
++#define DRBG_CUSTOM_RESEED 0x2
++
++/* DRBG status values */
++/* not initialised */
++#define DRBG_STATUS_UNINITIALISED 0
++/* ok and ready to generate random bits */
++#define DRBG_STATUS_READY 1
++/* reseed required */
++#define DRBG_STATUS_RESEED 2
++/* fatal error condition */
++#define DRBG_STATUS_ERROR 3
++
++/* A default maximum length: larger than any reasonable value used in pratice */
++
++#define DRBG_MAX_LENGTH 0x7ffffff0
++/* Maximum DRBG block length: all md sizes are bigger than cipher blocks sizes
++ * so use max digest length.
++ */
++#define DRBG_MAX_BLOCK EVP_MAX_MD_SIZE
++
++#define DRBG_HEALTH_INTERVAL (1 << 24)
++
++/* DRBG context structure */
++
++struct drbg_ctx_st {
++ /* First types common to all implementations */
++ /* DRBG type: a NID for the underlying algorithm */
++ int type;
++ /* Various external flags */
++ unsigned int xflags;
++ /* Various internal use only flags */
++ unsigned int iflags;
++ /* Used for periodic health checks */
++ int health_check_cnt, health_check_interval;
++
++ /* The following parameters are setup by mechanism drbg_init() call */
++ int strength;
++ size_t blocklength;
++ size_t max_request;
++
++ size_t min_entropy, max_entropy;
++ size_t min_nonce, max_nonce;
++ size_t max_pers, max_adin;
++ unsigned int reseed_counter;
++ unsigned int reseed_interval;
++ size_t seedlen;
++ int status;
++ /* Application data: typically used by test get_entropy */
++ void *app_data;
++ /* Implementation specific structures */
++ union {
++ DRBG_HASH_CTX hash;
++ DRBG_HMAC_CTX hmac;
++ DRBG_CTR_CTX ctr;
++ } d;
++ /* Initialiase PRNG and setup callbacks below */
++ int (*init) (DRBG_CTX *ctx, int nid, int security, unsigned int flags);
++ /* Intantiate PRNG */
++ int (*instantiate) (DRBG_CTX *ctx,
++ const unsigned char *ent, size_t entlen,
++ const unsigned char *nonce, size_t noncelen,
++ const unsigned char *pers, size_t perslen);
++ /* reseed */
++ int (*reseed) (DRBG_CTX *ctx,
++ const unsigned char *ent, size_t entlen,
++ const unsigned char *adin, size_t adinlen);
++ /* generat output */
++ int (*generate) (DRBG_CTX *ctx,
++ unsigned char *out, size_t outlen,
++ const unsigned char *adin, size_t adinlen);
++ /* uninstantiate */
++ int (*uninstantiate) (DRBG_CTX *ctx);
++
++ /* Entropy source block length */
++ size_t entropy_blocklen;
++
++ /* entropy gathering function */
++ size_t (*get_entropy) (DRBG_CTX *ctx, unsigned char **pout,
++ int entropy, size_t min_len, size_t max_len);
++ /* Indicates we have finished with entropy buffer */
++ void (*cleanup_entropy) (DRBG_CTX *ctx, unsigned char *out, size_t olen);
++
++ /* nonce gathering function */
++ size_t (*get_nonce) (DRBG_CTX *ctx, unsigned char **pout,
++ int entropy, size_t min_len, size_t max_len);
++ /* Indicates we have finished with nonce buffer */
++ void (*cleanup_nonce) (DRBG_CTX *ctx, unsigned char *out, size_t olen);
++
++ /* Continuous random number test temporary area */
++ /* Last block */
++ unsigned char lb[EVP_MAX_MD_SIZE];
++ /* set if lb is valid */
++ int lb_valid;
++
++ /* Callbacks used when called through RAND interface */
++ /* Get any additional input for generate */
++ size_t (*get_adin) (DRBG_CTX *ctx, unsigned char **pout);
++ void (*cleanup_adin) (DRBG_CTX *ctx, unsigned char *out, size_t olen);
++ /* Callback for RAND_seed(), RAND_add() */
++ int (*rand_seed_cb) (DRBG_CTX *ctx, const void *buf, int num);
++ int (*rand_add_cb) (DRBG_CTX *ctx,
++ const void *buf, int num, double entropy);
++};
++
++int fips_drbg_ctr_init(DRBG_CTX *dctx);
++int fips_drbg_hash_init(DRBG_CTX *dctx);
++int fips_drbg_hmac_init(DRBG_CTX *dctx);
++int fips_drbg_kat(DRBG_CTX *dctx, int nid, unsigned int flags);
++int fips_drbg_cprng_test(DRBG_CTX *dctx, const unsigned char *out);
++
++const struct env_md_st *FIPS_get_digestbynid(int nid);
++
++const struct evp_cipher_st *FIPS_get_cipherbynid(int nid);
++
++#define FIPS_digestinit EVP_DigestInit
++#define FIPS_digestupdate EVP_DigestUpdate
++#define FIPS_digestfinal EVP_DigestFinal
++#define M_EVP_MD_size EVP_MD_size
+diff -up openssl-1.0.2i/crypto/fips/fips_rand_lib.c.fips openssl-1.0.2i/crypto/fips/fips_rand_lib.c
+--- openssl-1.0.2i/crypto/fips/fips_rand_lib.c.fips 2016-09-22 13:35:57.018221020 +0200
++++ openssl-1.0.2i/crypto/fips/fips_rand_lib.c 2016-09-22 13:35:57.018221020 +0200
+@@ -0,0 +1,181 @@
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <openssl/crypto.h>
++#include <openssl/rand.h>
++#include <openssl/err.h>
++#include <openssl/fips.h>
++#include <openssl/fips_rand.h>
++#include "e_os.h"
++
++/* FIPS API for PRNG use. Similar to RAND functionality but without
++ * ENGINE and additional checking for non-FIPS rand methods.
++ */
++
++static const RAND_METHOD *fips_rand_meth = NULL;
++static int fips_approved_rand_meth = 0;
++static int fips_rand_bits = 0;
++
++/* Allows application to override number of bits and uses non-FIPS methods */
++void FIPS_rand_set_bits(int nbits)
++{
++ fips_rand_bits = nbits;
++}
++
++int FIPS_rand_set_method(const RAND_METHOD *meth)
++{
++ if (!fips_rand_bits) {
++ if (meth == FIPS_drbg_method())
++ fips_approved_rand_meth = 1;
++ else if (meth == FIPS_x931_method())
++ fips_approved_rand_meth = 2;
++ else {
++ fips_approved_rand_meth = 0;
++ if (FIPS_module_mode()) {
++ FIPSerr(FIPS_F_FIPS_RAND_SET_METHOD, FIPS_R_NON_FIPS_METHOD);
++ return 0;
++ }
++ }
++ }
++ fips_rand_meth = meth;
++ return 1;
++}
++
++const RAND_METHOD *FIPS_rand_get_method(void)
++{
++ return fips_rand_meth;
++}
++
++const RAND_METHOD *FIPS_rand_method(void)
++{
++ return FIPS_rand_get_method();
++}
++
++void FIPS_rand_reset(void)
++{
++ if (fips_rand_meth && fips_rand_meth->cleanup)
++ fips_rand_meth->cleanup();
++}
++
++int FIPS_rand_seed(const void *buf, FIPS_RAND_SIZE_T num)
++{
++ if (!fips_approved_rand_meth && FIPS_module_mode()) {
++ FIPSerr(FIPS_F_FIPS_RAND_SEED, FIPS_R_NON_FIPS_METHOD);
++ return 0;
++ }
++ if (fips_rand_meth && fips_rand_meth->seed)
++ fips_rand_meth->seed(buf, num);
++ return 1;
++}
++
++void FIPS_rand_add(const void *buf, int num, double entropy)
++{
++ if (!fips_approved_rand_meth && FIPS_module_mode()) {
++ FIPSerr(FIPS_F_FIPS_RAND_ADD, FIPS_R_NON_FIPS_METHOD);
++ return;
++ }
++ if (fips_rand_meth && fips_rand_meth->add)
++ fips_rand_meth->add(buf, num, entropy);
++}
++
++int FIPS_rand_bytes(unsigned char *buf, FIPS_RAND_SIZE_T num)
++{
++ if (!fips_approved_rand_meth && FIPS_module_mode()) {
++ FIPSerr(FIPS_F_FIPS_RAND_BYTES, FIPS_R_NON_FIPS_METHOD);
++ return 0;
++ }
++ if (fips_rand_meth && fips_rand_meth->bytes)
++ return fips_rand_meth->bytes(buf, num);
++ return 0;
++}
++
++int FIPS_rand_pseudo_bytes(unsigned char *buf, int num)
++{
++ if (!fips_approved_rand_meth && FIPS_module_mode()) {
++ FIPSerr(FIPS_F_FIPS_RAND_PSEUDO_BYTES, FIPS_R_NON_FIPS_METHOD);
++ return 0;
++ }
++ if (fips_rand_meth && fips_rand_meth->pseudorand)
++ return fips_rand_meth->pseudorand(buf, num);
++ return -1;
++}
++
++int FIPS_rand_status(void)
++{
++ if (!fips_approved_rand_meth && FIPS_module_mode()) {
++ FIPSerr(FIPS_F_FIPS_RAND_STATUS, FIPS_R_NON_FIPS_METHOD);
++ return 0;
++ }
++ if (fips_rand_meth && fips_rand_meth->status)
++ return fips_rand_meth->status();
++ return 0;
++}
++
++/* Return instantiated strength of PRNG. For DRBG this is an internal
++ * parameter. For X9.31 PRNG it is 80 bits (from SP800-131). Any other
++ * type of PRNG is not approved and returns 0 in FIPS mode and maximum
++ * 256 outside FIPS mode.
++ */
++
++int FIPS_rand_strength(void)
++{
++ if (fips_rand_bits)
++ return fips_rand_bits;
++ if (fips_approved_rand_meth == 1)
++ return FIPS_drbg_get_strength(FIPS_get_default_drbg());
++ else if (fips_approved_rand_meth == 2)
++ return 80;
++ else if (fips_approved_rand_meth == 0) {
++ if (FIPS_module_mode())
++ return 0;
++ else
++ return 256;
++ }
++ return 0;
++}
+diff -up openssl-1.0.2i/crypto/fips/fips_rand_selftest.c.fips openssl-1.0.2i/crypto/fips/fips_rand_selftest.c
+--- openssl-1.0.2i/crypto/fips/fips_rand_selftest.c.fips 2016-09-22 13:35:57.018221020 +0200
++++ openssl-1.0.2i/crypto/fips/fips_rand_selftest.c 2016-09-22 13:35:57.018221020 +0200
+@@ -0,0 +1,176 @@
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <string.h>
++#include <openssl/err.h>
++#include <openssl/fips.h>
++#include <openssl/rand.h>
++#include <openssl/fips_rand.h>
++#include "fips_locl.h"
++
++#ifdef OPENSSL_FIPS
++
++typedef struct {
++ unsigned char DT[16];
++ unsigned char V[16];
++ unsigned char R[16];
++} AES_PRNG_TV;
++
++/* The following test vectors are taken directly from the RGNVS spec */
++
++static unsigned char aes_128_key[16] =
++ { 0xf3, 0xb1, 0x66, 0x6d, 0x13, 0x60, 0x72, 0x42,
++ 0xed, 0x06, 0x1c, 0xab, 0xb8, 0xd4, 0x62, 0x02
++};
++
++static AES_PRNG_TV aes_128_tv = {
++ /* DT */
++ {0xe6, 0xb3, 0xbe, 0x78, 0x2a, 0x23, 0xfa, 0x62,
++ 0xd7, 0x1d, 0x4a, 0xfb, 0xb0, 0xe9, 0x22, 0xf9},
++ /* V */
++ {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
++ /* R */
++ {0x59, 0x53, 0x1e, 0xd1, 0x3b, 0xb0, 0xc0, 0x55,
++ 0x84, 0x79, 0x66, 0x85, 0xc1, 0x2f, 0x76, 0x41}
++};
++
++static unsigned char aes_192_key[24] =
++ { 0x15, 0xd8, 0x78, 0x0d, 0x62, 0xd3, 0x25, 0x6e,
++ 0x44, 0x64, 0x10, 0x13, 0x60, 0x2b, 0xa9, 0xbc,
++ 0x4a, 0xfb, 0xca, 0xeb, 0x4c, 0x8b, 0x99, 0x3b
++};
++
++static AES_PRNG_TV aes_192_tv = {
++ /* DT */
++ {0x3f, 0xd8, 0xff, 0xe8, 0x80, 0x69, 0x8b, 0xc1,
++ 0xbf, 0x99, 0x7d, 0xa4, 0x24, 0x78, 0xf3, 0x4b},
++ /* V */
++ {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
++ /* R */
++ {0x17, 0x07, 0xd5, 0x28, 0x19, 0x79, 0x1e, 0xef,
++ 0xa5, 0x0c, 0xbf, 0x25, 0xe5, 0x56, 0xb4, 0x93}
++};
++
++static unsigned char aes_256_key[32] =
++ { 0x6d, 0x14, 0x06, 0x6c, 0xb6, 0xd8, 0x21, 0x2d,
++ 0x82, 0x8d, 0xfa, 0xf2, 0x7a, 0x03, 0xb7, 0x9f,
++ 0x0c, 0xc7, 0x3e, 0xcd, 0x76, 0xeb, 0xee, 0xb5,
++ 0x21, 0x05, 0x8c, 0x4f, 0x31, 0x7a, 0x80, 0xbb
++};
++
++static AES_PRNG_TV aes_256_tv = {
++ /* DT */
++ {0xda, 0x3a, 0x41, 0xec, 0x1d, 0xa3, 0xb0, 0xd5,
++ 0xf2, 0xa9, 0x4e, 0x34, 0x74, 0x8e, 0x9e, 0x88},
++ /* V */
++ {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
++ /* R */
++ {0x35, 0xc7, 0xef, 0xa7, 0x78, 0x4d, 0x29, 0xbc,
++ 0x82, 0x79, 0x99, 0xfb, 0xd0, 0xb3, 0x3b, 0x72}
++};
++
++void FIPS_corrupt_rng()
++{
++ aes_192_tv.V[0]++;
++}
++
++# define fips_x931_test(key, tv) \
++ do_x931_test(key, sizeof key, &tv)
++
++static int do_x931_test(unsigned char *key, int keylen, AES_PRNG_TV * tv)
++{
++ unsigned char R[16], V[16];
++ int rv = 1;
++ memcpy(V, tv->V, sizeof(V));
++ if (!FIPS_x931_set_key(key, keylen))
++ return 0;
++ if (!fips_post_started(FIPS_TEST_X931, keylen, NULL))
++ return 1;
++ if (!fips_post_corrupt(FIPS_TEST_X931, keylen, NULL))
++ V[0]++;
++ FIPS_x931_seed(V, 16);
++ FIPS_x931_set_dt(tv->DT);
++ FIPS_x931_bytes(R, 16);
++ if (memcmp(R, tv->R, 16)) {
++ fips_post_failed(FIPS_TEST_X931, keylen, NULL);
++ rv = 0;
++ } else if (!fips_post_success(FIPS_TEST_X931, keylen, NULL))
++ return 0;
++ return rv;
++}
++
++int FIPS_selftest_x931()
++{
++ int rv = 1;
++ FIPS_x931_reset();
++ if (!FIPS_x931_test_mode()) {
++ FIPSerr(FIPS_F_FIPS_SELFTEST_X931, FIPS_R_SELFTEST_FAILED);
++ return 0;
++ }
++ if (!fips_x931_test(aes_128_key, aes_128_tv))
++ rv = 0;
++ if (!fips_x931_test(aes_192_key, aes_192_tv))
++ rv = 0;
++ if (!fips_x931_test(aes_256_key, aes_256_tv))
++ rv = 0;
++ FIPS_x931_reset();
++ if (!rv)
++ FIPSerr(FIPS_F_FIPS_SELFTEST_X931, FIPS_R_SELFTEST_FAILED);
++ return rv;
++}
++
++int FIPS_selftest_rng(void)
++{
++ return FIPS_selftest_x931();
++}
++
++#endif
+diff -up openssl-1.0.2i/crypto/fips/fips_randtest.c.fips openssl-1.0.2i/crypto/fips/fips_randtest.c
+--- openssl-1.0.2i/crypto/fips/fips_randtest.c.fips 2016-09-22 13:35:57.018221020 +0200
++++ openssl-1.0.2i/crypto/fips/fips_randtest.c 2016-09-22 13:35:57.018221020 +0200
+@@ -0,0 +1,247 @@
++/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
++ * All rights reserved.
++ *
++ * This package is an SSL implementation written
++ * by Eric Young (eay@cryptsoft.com).
++ * The implementation was written so as to conform with Netscapes SSL.
++ *
++ * This library is free for commercial and non-commercial use as long as
++ * the following conditions are aheared to. The following conditions
++ * apply to all code found in this distribution, be it the RC4, RSA,
++ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
++ * included with this distribution is covered by the same copyright terms
++ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
++ *
++ * Copyright remains Eric Young's, and as such any Copyright notices in
++ * the code are not to be removed.
++ * If this package is used in a product, Eric Young should be given attribution
++ * as the author of the parts of the library used.
++ * This can be in the form of a textual message at program startup or
++ * in documentation (online or textual) provided with the package.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the copyright
++ * notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ * 3. All advertising materials mentioning features or use of this software
++ * must display the following acknowledgement:
++ * "This product includes cryptographic software written by
++ * Eric Young (eay@cryptsoft.com)"
++ * The word 'cryptographic' can be left out if the rouines from the library
++ * being used are not cryptographic related :-).
++ * 4. If you include any Windows specific code (or a derivative thereof) from
++ * the apps directory (application code) you must include an acknowledgement:
++ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
++ * SUCH DAMAGE.
++ *
++ * The licence and distribution terms for any publically available version or
++ * derivative of this code cannot be changed. i.e. this code cannot simply be
++ * copied and put under another distribution licence
++ * [including the GNU Public Licence.]
++ */
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <ctype.h>
++#include <openssl/rand.h>
++#include <openssl/fips_rand.h>
++#include <openssl/err.h>
++#include <openssl/bn.h>
++
++#include "e_os.h"
++
++#ifndef OPENSSL_FIPS
++int main(int argc, char *argv[])
++{
++ printf("No FIPS RAND support\n");
++ return (0);
++}
++
++#else
++
++# include "fips_utl.h"
++# include <openssl/fips.h>
++
++typedef struct {
++ unsigned char DT[16];
++ unsigned char V[16];
++ unsigned char R[16];
++} AES_PRNG_MCT;
++
++static const unsigned char aes_128_mct_key[16] =
++ { 0x9f, 0x5b, 0x51, 0x20, 0x0b, 0xf3, 0x34, 0xb5,
++ 0xd8, 0x2b, 0xe8, 0xc3, 0x72, 0x55, 0xc8, 0x48
++};
++
++static const AES_PRNG_MCT aes_128_mct_tv = {
++ /* DT */
++ {0x63, 0x76, 0xbb, 0xe5, 0x29, 0x02, 0xba, 0x3b,
++ 0x67, 0xc9, 0x25, 0xfa, 0x70, 0x1f, 0x11, 0xac},
++ /* V */
++ {0x57, 0x2c, 0x8e, 0x76, 0x87, 0x26, 0x47, 0x97,
++ 0x7e, 0x74, 0xfb, 0xdd, 0xc4, 0x95, 0x01, 0xd1},
++ /* R */
++ {0x48, 0xe9, 0xbd, 0x0d, 0x06, 0xee, 0x18, 0xfb,
++ 0xe4, 0x57, 0x90, 0xd5, 0xc3, 0xfc, 0x9b, 0x73}
++};
++
++static const unsigned char aes_192_mct_key[24] =
++ { 0xb7, 0x6c, 0x34, 0xd1, 0x09, 0x67, 0xab, 0x73,
++ 0x4d, 0x5a, 0xd5, 0x34, 0x98, 0x16, 0x0b, 0x91,
++ 0xbc, 0x35, 0x51, 0x16, 0x6b, 0xae, 0x93, 0x8a
++};
++
++static const AES_PRNG_MCT aes_192_mct_tv = {
++ /* DT */
++ {0x84, 0xce, 0x22, 0x7d, 0x91, 0x5a, 0xa3, 0xc9,
++ 0x84, 0x3c, 0x0a, 0xb3, 0xa9, 0x63, 0x15, 0x52},
++ /* V */
++ {0xb6, 0xaf, 0xe6, 0x8f, 0x99, 0x9e, 0x90, 0x64,
++ 0xdd, 0xc7, 0x7a, 0xc1, 0xbb, 0x90, 0x3a, 0x6d},
++ /* R */
++ {0xfc, 0x85, 0x60, 0x9a, 0x29, 0x6f, 0xef, 0x21,
++ 0xdd, 0x86, 0x20, 0x32, 0x8a, 0x29, 0x6f, 0x47}
++};
++
++static const unsigned char aes_256_mct_key[32] =
++ { 0x9b, 0x05, 0xc8, 0x68, 0xff, 0x47, 0xf8, 0x3a,
++ 0xa6, 0x3a, 0xa8, 0xcb, 0x4e, 0x71, 0xb2, 0xe0,
++ 0xb8, 0x7e, 0xf1, 0x37, 0xb6, 0xb4, 0xf6, 0x6d,
++ 0x86, 0x32, 0xfc, 0x1f, 0x5e, 0x1d, 0x1e, 0x50
++};
++
++static const AES_PRNG_MCT aes_256_mct_tv = {
++ /* DT */
++ {0x31, 0x6e, 0x35, 0x9a, 0xb1, 0x44, 0xf0, 0xee,
++ 0x62, 0x6d, 0x04, 0x46, 0xe0, 0xa3, 0x92, 0x4c},
++ /* V */
++ {0x4f, 0xcd, 0xc1, 0x87, 0x82, 0x1f, 0x4d, 0xa1,
++ 0x3e, 0x0e, 0x56, 0x44, 0x59, 0xe8, 0x83, 0xca},
++ /* R */
++ {0xc8, 0x87, 0xc2, 0x61, 0x5b, 0xd0, 0xb9, 0xe1,
++ 0xe7, 0xf3, 0x8b, 0xd7, 0x5b, 0xd5, 0xf1, 0x8d}
++};
++
++static void dump(const unsigned char *b, int n)
++{
++ while (n-- > 0) {
++ printf(" %02x", *b++);
++ }
++}
++
++static void compare(const unsigned char *result,
++ const unsigned char *expected, int n)
++{
++ int i;
++
++ for (i = 0; i < n; ++i)
++ if (result[i] != expected[i]) {
++ puts("Random test failed, got:");
++ dump(result, n);
++ puts("\n expected:");
++ dump(expected, n);
++ putchar('\n');
++ EXIT(1);
++ }
++}
++
++static void run_test(const unsigned char *key, int keylen,
++ const AES_PRNG_MCT * tv)
++{
++ unsigned char buf[16], dt[16];
++ int i, j;
++ FIPS_x931_reset();
++ FIPS_x931_test_mode();
++ FIPS_x931_set_key(key, keylen);
++ FIPS_x931_seed(tv->V, 16);
++ memcpy(dt, tv->DT, 16);
++ for (i = 0; i < 10000; i++) {
++ FIPS_x931_set_dt(dt);
++ FIPS_x931_bytes(buf, 16);
++ /* Increment DT */
++ for (j = 15; j >= 0; j--) {
++ dt[j]++;
++ if (dt[j])
++ break;
++ }
++ }
++
++ compare(buf, tv->R, 16);
++}
++
++int main()
++{
++ run_test(aes_128_mct_key, 16, &aes_128_mct_tv);
++ printf("FIPS PRNG test 1 done\n");
++ run_test(aes_192_mct_key, 24, &aes_192_mct_tv);
++ printf("FIPS PRNG test 2 done\n");
++ run_test(aes_256_mct_key, 32, &aes_256_mct_tv);
++ printf("FIPS PRNG test 3 done\n");
++ return 0;
++}
++
++#endif
+diff -up openssl-1.0.2i/crypto/fips/fips_rsa_selftest.c.fips openssl-1.0.2i/crypto/fips/fips_rsa_selftest.c
+--- openssl-1.0.2i/crypto/fips/fips_rsa_selftest.c.fips 2016-09-22 13:35:57.019221043 +0200
++++ openssl-1.0.2i/crypto/fips/fips_rsa_selftest.c 2016-09-22 13:35:57.019221043 +0200
+@@ -0,0 +1,444 @@
++/* ====================================================================
++ * Copyright (c) 2003-2007 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <string.h>
++#include <openssl/err.h>
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
++#include <openssl/rsa.h>
++#include <openssl/evp.h>
++#include <openssl/bn.h>
++#include <openssl/opensslconf.h>
++
++#ifdef OPENSSL_FIPS
++
++static const unsigned char n[] =
++ "\x00\xBB\xF8\x2F\x09\x06\x82\xCE\x9C\x23\x38\xAC\x2B\x9D\xA8\x71"
++ "\xF7\x36\x8D\x07\xEE\xD4\x10\x43\xA4\x40\xD6\xB6\xF0\x74\x54\xF5"
++ "\x1F\xB8\xDF\xBA\xAF\x03\x5C\x02\xAB\x61\xEA\x48\xCE\xEB\x6F\xCD"
++ "\x48\x76\xED\x52\x0D\x60\xE1\xEC\x46\x19\x71\x9D\x8A\x5B\x8B\x80"
++ "\x7F\xAF\xB8\xE0\xA3\xDF\xC7\x37\x72\x3E\xE6\xB4\xB7\xD9\x3A\x25"
++ "\x84\xEE\x6A\x64\x9D\x06\x09\x53\x74\x88\x34\xB2\x45\x45\x98\x39"
++ "\x4E\xE0\xAA\xB1\x2D\x7B\x61\xA5\x1F\x52\x7A\x9A\x41\xF6\xC1\x68"
++ "\x7F\xE2\x53\x72\x98\xCA\x2A\x8F\x59\x46\xF8\xE5\xFD\x09\x1D\xBD" "\xCB";
++
++static int corrupt_rsa;
++
++static int setrsakey(RSA *key)
++{
++ static const unsigned char e[] = "\x11";
++
++ static const unsigned char d[] =
++ "\x00\xA5\xDA\xFC\x53\x41\xFA\xF2\x89\xC4\xB9\x88\xDB\x30\xC1\xCD"
++ "\xF8\x3F\x31\x25\x1E\x06\x68\xB4\x27\x84\x81\x38\x01\x57\x96\x41"
++ "\xB2\x94\x10\xB3\xC7\x99\x8D\x6B\xC4\x65\x74\x5E\x5C\x39\x26\x69"
++ "\xD6\x87\x0D\xA2\xC0\x82\xA9\x39\xE3\x7F\xDC\xB8\x2E\xC9\x3E\xDA"
++ "\xC9\x7F\xF3\xAD\x59\x50\xAC\xCF\xBC\x11\x1C\x76\xF1\xA9\x52\x94"
++ "\x44\xE5\x6A\xAF\x68\xC5\x6C\x09\x2C\xD3\x8D\xC3\xBE\xF5\xD2\x0A"
++ "\x93\x99\x26\xED\x4F\x74\xA1\x3E\xDD\xFB\xE1\xA1\xCE\xCC\x48\x94"
++ "\xAF\x94\x28\xC2\xB7\xB8\x88\x3F\xE4\x46\x3A\x4B\xC8\x5B\x1C\xB3"
++ "\xC1";
++
++ static const unsigned char p[] =
++ "\x00\xEE\xCF\xAE\x81\xB1\xB9\xB3\xC9\x08\x81\x0B\x10\xA1\xB5\x60"
++ "\x01\x99\xEB\x9F\x44\xAE\xF4\xFD\xA4\x93\xB8\x1A\x9E\x3D\x84\xF6"
++ "\x32\x12\x4E\xF0\x23\x6E\x5D\x1E\x3B\x7E\x28\xFA\xE7\xAA\x04\x0A"
++ "\x2D\x5B\x25\x21\x76\x45\x9D\x1F\x39\x75\x41\xBA\x2A\x58\xFB\x65"
++ "\x99";
++
++ static const unsigned char q[] =
++ "\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9"
++ "\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D"
++ "\x86\x98\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5"
++ "\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x15"
++ "\x03";
++
++ static const unsigned char dmp1[] =
++ "\x54\x49\x4C\xA6\x3E\xBA\x03\x37\xE4\xE2\x40\x23\xFC\xD6\x9A\x5A"
++ "\xEB\x07\xDD\xDC\x01\x83\xA4\xD0\xAC\x9B\x54\xB0\x51\xF2\xB1\x3E"
++ "\xD9\x49\x09\x75\xEA\xB7\x74\x14\xFF\x59\xC1\xF7\x69\x2E\x9A\x2E"
++ "\x20\x2B\x38\xFC\x91\x0A\x47\x41\x74\xAD\xC9\x3C\x1F\x67\xC9\x81";
++
++ static const unsigned char dmq1[] =
++ "\x47\x1E\x02\x90\xFF\x0A\xF0\x75\x03\x51\xB7\xF8\x78\x86\x4C\xA9"
++ "\x61\xAD\xBD\x3A\x8A\x7E\x99\x1C\x5C\x05\x56\xA9\x4C\x31\x46\xA7"
++ "\xF9\x80\x3F\x8F\x6F\x8A\xE3\x42\xE9\x31\xFD\x8A\xE4\x7A\x22\x0D"
++ "\x1B\x99\xA4\x95\x84\x98\x07\xFE\x39\xF9\x24\x5A\x98\x36\xDA\x3D";
++
++ static const unsigned char iqmp[] =
++ "\x00\xB0\x6C\x4F\xDA\xBB\x63\x01\x19\x8D\x26\x5B\xDB\xAE\x94\x23"
++ "\xB3\x80\xF2\x71\xF7\x34\x53\x88\x50\x93\x07\x7F\xCD\x39\xE2\x11"
++ "\x9F\xC9\x86\x32\x15\x4F\x58\x83\xB1\x67\xA9\x67\xBF\x40\x2B\x4E"
++ "\x9E\x2E\x0F\x96\x56\xE6\x98\xEA\x36\x66\xED\xFB\x25\x79\x80\x39"
++ "\xF7";
++
++ key->n = BN_bin2bn(n, sizeof(n) - 1, key->n);
++ if (corrupt_rsa)
++ BN_set_bit(key->n, 1024);
++ key->e = BN_bin2bn(e, sizeof(e) - 1, key->e);
++ key->d = BN_bin2bn(d, sizeof(d) - 1, key->d);
++ key->p = BN_bin2bn(p, sizeof(p) - 1, key->p);
++ key->q = BN_bin2bn(q, sizeof(q) - 1, key->q);
++ key->dmp1 = BN_bin2bn(dmp1, sizeof(dmp1) - 1, key->dmp1);
++ key->dmq1 = BN_bin2bn(dmq1, sizeof(dmq1) - 1, key->dmq1);
++ key->iqmp = BN_bin2bn(iqmp, sizeof(iqmp) - 1, key->iqmp);
++ return 1;
++}
++
++void FIPS_corrupt_rsa()
++{
++ corrupt_rsa = 1;
++}
++
++/* Known Answer Test (KAT) data for the above RSA private key signing
++ * kat_tbs.
++ */
++
++static const unsigned char kat_tbs[] =
++ "OpenSSL FIPS 140-2 Public Key RSA KAT";
++
++static const unsigned char kat_RSA_PSS_SHA1[] = {
++ 0x2D, 0xAF, 0x6E, 0xC2, 0x98, 0xFB, 0x8A, 0xA1, 0xB9, 0x46, 0xDA, 0x0F,
++ 0x01, 0x1E, 0x37, 0x93, 0xC2, 0x55, 0x27, 0xE4, 0x1D, 0xD2, 0x90, 0xBB,
++ 0xF4, 0xBF, 0x4A, 0x74, 0x39, 0x51, 0xBB, 0xE8, 0x0C, 0xB7, 0xF8, 0xD3,
++ 0xD1, 0xDF, 0xE7, 0xBE, 0x80, 0x05, 0xC3, 0xB5, 0xC7, 0x83, 0xD5, 0x4C,
++ 0x7F, 0x49, 0xFB, 0x3F, 0x29, 0x9B, 0xE1, 0x12, 0x51, 0x60, 0xD0, 0xA7,
++ 0x0D, 0xA9, 0x28, 0x56, 0x73, 0xD9, 0x07, 0xE3, 0x5E, 0x3F, 0x9B, 0xF5,
++ 0xB6, 0xF3, 0xF2, 0x5E, 0x74, 0xC9, 0x83, 0x81, 0x47, 0xF0, 0xC5, 0x45,
++ 0x0A, 0xE9, 0x8E, 0x38, 0xD7, 0x18, 0xC6, 0x2A, 0x0F, 0xF8, 0xB7, 0x31,
++ 0xD6, 0x55, 0xE4, 0x66, 0x78, 0x81, 0xD4, 0xE6, 0xDB, 0x9F, 0xBA, 0xE8,
++ 0x23, 0xB5, 0x7F, 0xDC, 0x08, 0xEA, 0xD5, 0x26, 0x1E, 0x20, 0x25, 0x84,
++ 0x26, 0xC6, 0x79, 0xC9, 0x9B, 0x3D, 0x7E, 0xA9
++};
++
++static const unsigned char kat_RSA_PSS_SHA224[] = {
++ 0x39, 0x4A, 0x6A, 0x20, 0xBC, 0xE9, 0x33, 0xED, 0xEF, 0xC5, 0x58, 0xA7,
++ 0xFE, 0x81, 0xC4, 0x36, 0x50, 0x9A, 0x2C, 0x82, 0x98, 0x08, 0x95, 0xFA,
++ 0xB1, 0x9E, 0xD2, 0x55, 0x61, 0x87, 0x21, 0x59, 0x87, 0x7B, 0x1F, 0x57,
++ 0x30, 0x9D, 0x0D, 0x4A, 0x06, 0xEB, 0x52, 0x37, 0x55, 0x54, 0x1C, 0x89,
++ 0x83, 0x75, 0x59, 0x65, 0x64, 0x90, 0x2E, 0x16, 0xCC, 0x86, 0x05, 0xEE,
++ 0xB1, 0xE6, 0x7B, 0xBA, 0x16, 0x75, 0x0D, 0x0C, 0x64, 0x0B, 0xAB, 0x22,
++ 0x15, 0x78, 0x6B, 0x6F, 0xA4, 0xFB, 0x77, 0x40, 0x64, 0x62, 0xD1, 0xB5,
++ 0x37, 0x1E, 0xE0, 0x3D, 0xA8, 0xF9, 0xD2, 0xBD, 0xAA, 0x38, 0x24, 0x49,
++ 0x58, 0xD2, 0x74, 0x85, 0xF4, 0xB5, 0x93, 0x8E, 0xF5, 0x03, 0xEA, 0x2D,
++ 0xC8, 0x52, 0xFA, 0xCF, 0x7E, 0x35, 0xB0, 0x6A, 0xAF, 0x95, 0xC0, 0x00,
++ 0x54, 0x76, 0x3D, 0x0C, 0x9C, 0xB2, 0xEE, 0xC0
++};
++
++static const unsigned char kat_RSA_PSS_SHA256[] = {
++ 0x6D, 0x3D, 0xBE, 0x8F, 0x60, 0x6D, 0x25, 0x14, 0xF0, 0x31, 0xE3, 0x89,
++ 0x00, 0x97, 0xFA, 0x99, 0x71, 0x28, 0xE5, 0x10, 0x25, 0x9A, 0xF3, 0x8F,
++ 0x7B, 0xC5, 0xA8, 0x4A, 0x74, 0x51, 0x36, 0xE2, 0x8D, 0x7D, 0x73, 0x28,
++ 0xC1, 0x77, 0xC6, 0x27, 0x97, 0x00, 0x8B, 0x00, 0xA3, 0x96, 0x73, 0x4E,
++ 0x7D, 0x2E, 0x2C, 0x34, 0x68, 0x8C, 0x8E, 0xDF, 0x9D, 0x49, 0x47, 0x05,
++ 0xAB, 0xF5, 0x01, 0xD6, 0x81, 0x47, 0x70, 0xF5, 0x1D, 0x6D, 0x26, 0xBA,
++ 0x2F, 0x7A, 0x54, 0x53, 0x4E, 0xED, 0x71, 0xD9, 0x5A, 0xF3, 0xDA, 0xB6,
++ 0x0B, 0x47, 0x34, 0xAF, 0x90, 0xDC, 0xC8, 0xD9, 0x6F, 0x56, 0xCD, 0x9F,
++ 0x21, 0xB7, 0x7E, 0xAD, 0x7C, 0x2F, 0x75, 0x50, 0x47, 0x12, 0xE4, 0x6D,
++ 0x5F, 0xB7, 0x01, 0xDF, 0xC3, 0x11, 0x6C, 0xA9, 0x9E, 0x49, 0xB9, 0xF6,
++ 0x72, 0xF4, 0xF6, 0xEF, 0x88, 0x1E, 0x2D, 0x1C
++};
++
++static const unsigned char kat_RSA_PSS_SHA384[] = {
++ 0x40, 0xFB, 0xA1, 0x21, 0xF4, 0xB2, 0x40, 0x9A, 0xB4, 0x31, 0xA8, 0xF2,
++ 0xEC, 0x1C, 0xC4, 0xC8, 0x7C, 0x22, 0x65, 0x9C, 0x57, 0x45, 0xCD, 0x5E,
++ 0x86, 0x00, 0xF7, 0x25, 0x78, 0xDE, 0xDC, 0x7A, 0x71, 0x44, 0x9A, 0xCD,
++ 0xAA, 0x25, 0xF4, 0xB2, 0xFC, 0xF0, 0x75, 0xD9, 0x2F, 0x78, 0x23, 0x7F,
++ 0x6F, 0x02, 0xEF, 0xC1, 0xAF, 0xA6, 0x28, 0x16, 0x31, 0xDC, 0x42, 0x6C,
++ 0xB2, 0x44, 0xE5, 0x4D, 0x66, 0xA2, 0xE6, 0x71, 0xF3, 0xAC, 0x4F, 0xFB,
++ 0x91, 0xCA, 0xF5, 0x70, 0xEF, 0x6B, 0x9D, 0xA4, 0xEF, 0xD9, 0x3D, 0x2F,
++ 0x3A, 0xBE, 0x89, 0x38, 0x59, 0x01, 0xBA, 0xDA, 0x32, 0xAD, 0x42, 0x89,
++ 0x98, 0x8B, 0x39, 0x44, 0xF0, 0xFC, 0x38, 0xAC, 0x87, 0x1F, 0xCA, 0x6F,
++ 0x48, 0xF6, 0xAE, 0xD7, 0x45, 0xEE, 0xAE, 0x88, 0x0E, 0x60, 0xF4, 0x55,
++ 0x48, 0x44, 0xEE, 0x1F, 0x90, 0x18, 0x4B, 0xF1
++};
++
++static const unsigned char kat_RSA_PSS_SHA512[] = {
++ 0x07, 0x1E, 0xD8, 0xD5, 0x05, 0xE8, 0xE6, 0xE6, 0x57, 0xAE, 0x63, 0x8C,
++ 0xC6, 0x83, 0xB7, 0xA0, 0x59, 0xBB, 0xF2, 0xC6, 0x8F, 0x12, 0x53, 0x9A,
++ 0x9B, 0x54, 0x9E, 0xB3, 0xC1, 0x1D, 0x23, 0x4D, 0x51, 0xED, 0x9E, 0xDD,
++ 0x4B, 0xF3, 0x46, 0x9B, 0x6B, 0xF6, 0x7C, 0x24, 0x60, 0x79, 0x23, 0x39,
++ 0x01, 0x1C, 0x51, 0xCB, 0xD8, 0xE9, 0x9A, 0x01, 0x67, 0x5F, 0xFE, 0xD7,
++ 0x7C, 0xE3, 0x7F, 0xED, 0xDB, 0x87, 0xBB, 0xF0, 0x3D, 0x78, 0x55, 0x61,
++ 0x57, 0xE3, 0x0F, 0xE3, 0xD2, 0x9D, 0x0C, 0x2A, 0x20, 0xB0, 0x85, 0x13,
++ 0xC5, 0x47, 0x34, 0x0D, 0x32, 0x15, 0xC8, 0xAE, 0x9A, 0x6A, 0x39, 0x63,
++ 0x2D, 0x60, 0xF5, 0x4C, 0xDF, 0x8A, 0x48, 0x4B, 0xBF, 0xF4, 0xA8, 0xFE,
++ 0x76, 0xF2, 0x32, 0x1B, 0x9C, 0x7C, 0xCA, 0xFE, 0x7F, 0x80, 0xC2, 0x88,
++ 0x5C, 0x97, 0x70, 0xB4, 0x26, 0xC9, 0x14, 0x8B
++};
++
++static const unsigned char kat_RSA_SHA1[] = {
++ 0x71, 0xEE, 0x1A, 0xC0, 0xFE, 0x01, 0x93, 0x54, 0x79, 0x5C, 0xF2, 0x4C,
++ 0x4A, 0xFD, 0x1A, 0x05, 0x8F, 0x64, 0xB1, 0x6D, 0x61, 0x33, 0x8D, 0x9B,
++ 0xE7, 0xFD, 0x60, 0xA3, 0x83, 0xB5, 0xA3, 0x51, 0x55, 0x77, 0x90, 0xCF,
++ 0xDC, 0x22, 0x37, 0x8E, 0xD0, 0xE1, 0xAE, 0x09, 0xE3, 0x3D, 0x1E, 0xF8,
++ 0x80, 0xD1, 0x8B, 0xC2, 0xEC, 0x0A, 0xD7, 0x6B, 0x88, 0x8B, 0x8B, 0xA1,
++ 0x20, 0x22, 0xBE, 0x59, 0x5B, 0xE0, 0x23, 0x24, 0xA1, 0x49, 0x30, 0xBA,
++ 0xA9, 0x9E, 0xE8, 0xB1, 0x8A, 0x62, 0x16, 0xBF, 0x4E, 0xCA, 0x2E, 0x4E,
++ 0xBC, 0x29, 0xA8, 0x67, 0x13, 0xB7, 0x9F, 0x1D, 0x04, 0x44, 0xE5, 0x5F,
++ 0x35, 0x07, 0x11, 0xBC, 0xED, 0x19, 0x37, 0x21, 0xCF, 0x23, 0x48, 0x1F,
++ 0x72, 0x05, 0xDE, 0xE6, 0xE8, 0x7F, 0x33, 0x8A, 0x76, 0x4B, 0x2F, 0x95,
++ 0xDF, 0xF1, 0x5F, 0x84, 0x80, 0xD9, 0x46, 0xB4
++};
++
++static const unsigned char kat_RSA_SHA224[] = {
++ 0x62, 0xAA, 0x79, 0xA9, 0x18, 0x0E, 0x5F, 0x8C, 0xBB, 0xB7, 0x15, 0xF9,
++ 0x25, 0xBB, 0xFA, 0xD4, 0x3A, 0x34, 0xED, 0x9E, 0xA0, 0xA9, 0x18, 0x8D,
++ 0x5B, 0x55, 0x9A, 0x7E, 0x1E, 0x08, 0x08, 0x60, 0xC5, 0x1A, 0xC5, 0x89,
++ 0x08, 0xE2, 0x1B, 0xBD, 0x62, 0x50, 0x17, 0x76, 0x30, 0x2C, 0x9E, 0xCD,
++ 0xA4, 0x02, 0xAD, 0xB1, 0x6D, 0x44, 0x6D, 0xD5, 0xC6, 0x45, 0x41, 0xE5,
++ 0xEE, 0x1F, 0x8D, 0x7E, 0x08, 0x16, 0xA6, 0xE1, 0x5E, 0x0B, 0xA9, 0xCC,
++ 0xDB, 0x59, 0x55, 0x87, 0x09, 0x25, 0x70, 0x86, 0x84, 0x02, 0xC6, 0x3B,
++ 0x0B, 0x44, 0x4C, 0x46, 0x95, 0xF4, 0xF8, 0x5A, 0x91, 0x28, 0x3E, 0xB2,
++ 0x58, 0x2E, 0x06, 0x45, 0x49, 0xE0, 0x92, 0xE2, 0xC0, 0x66, 0xE6, 0x35,
++ 0xD9, 0x79, 0x7F, 0x17, 0x5E, 0x02, 0x73, 0x04, 0x77, 0x82, 0xE6, 0xDC,
++ 0x40, 0x21, 0x89, 0x8B, 0x37, 0x3E, 0x1E, 0x8D
++};
++
++static const unsigned char kat_RSA_SHA256[] = {
++ 0x0D, 0x55, 0xE2, 0xAA, 0x81, 0xDB, 0x8E, 0x82, 0x05, 0x17, 0xA5, 0x23,
++ 0xE7, 0x3B, 0x1D, 0xAF, 0xFB, 0x8C, 0xD0, 0x81, 0x20, 0x7B, 0xAA, 0x23,
++ 0x92, 0x87, 0x8C, 0xD1, 0x53, 0x85, 0x16, 0xDC, 0xBE, 0xAD, 0x6F, 0x35,
++ 0x98, 0x2D, 0x69, 0x84, 0xBF, 0xD9, 0x8A, 0x01, 0x17, 0x58, 0xB2, 0x6E,
++ 0x2C, 0x44, 0x9B, 0x90, 0xF1, 0xFB, 0x51, 0xE8, 0x6A, 0x90, 0x2D, 0x18,
++ 0x0E, 0xC0, 0x90, 0x10, 0x24, 0xA9, 0x1D, 0xB3, 0x58, 0x7A, 0x91, 0x30,
++ 0xBE, 0x22, 0xC7, 0xD3, 0xEC, 0xC3, 0x09, 0x5D, 0xBF, 0xE2, 0x80, 0x3A,
++ 0x7C, 0x85, 0xB4, 0xBC, 0xD1, 0xE9, 0xF0, 0x5C, 0xDE, 0x81, 0xA6, 0x38,
++ 0xB8, 0x42, 0xBB, 0x86, 0xC5, 0x9D, 0xCE, 0x7C, 0x2C, 0xEE, 0xD1, 0xDA,
++ 0x27, 0x48, 0x2B, 0xF5, 0xAB, 0xB9, 0xF7, 0x80, 0xD1, 0x90, 0x27, 0x90,
++ 0xBD, 0x44, 0x97, 0x60, 0xCD, 0x57, 0xC0, 0x7A
++};
++
++static const unsigned char kat_RSA_SHA384[] = {
++ 0x1D, 0xE3, 0x6A, 0xDD, 0x27, 0x4C, 0xC0, 0xA5, 0x27, 0xEF, 0xE6, 0x1F,
++ 0xD2, 0x91, 0x68, 0x59, 0x04, 0xAE, 0xBD, 0x99, 0x63, 0x56, 0x47, 0xC7,
++ 0x6F, 0x22, 0x16, 0x48, 0xD0, 0xF9, 0x18, 0xA9, 0xCA, 0xFA, 0x5D, 0x5C,
++ 0xA7, 0x65, 0x52, 0x8A, 0xC8, 0x44, 0x7E, 0x86, 0x5D, 0xA9, 0xA6, 0x55,
++ 0x65, 0x3E, 0xD9, 0x2D, 0x02, 0x38, 0xA8, 0x79, 0x28, 0x7F, 0xB6, 0xCF,
++ 0x82, 0xDD, 0x7E, 0x55, 0xE1, 0xB1, 0xBC, 0xE2, 0x19, 0x2B, 0x30, 0xC2,
++ 0x1B, 0x2B, 0xB0, 0x82, 0x46, 0xAC, 0x4B, 0xD1, 0xE2, 0x7D, 0xEB, 0x8C,
++ 0xFF, 0x95, 0xE9, 0x6A, 0x1C, 0x3D, 0x4D, 0xBF, 0x8F, 0x8B, 0x9C, 0xCD,
++ 0xEA, 0x85, 0xEE, 0x00, 0xDC, 0x1C, 0xA7, 0xEB, 0xD0, 0x8F, 0x99, 0xF1,
++ 0x16, 0x28, 0x24, 0x64, 0x04, 0x39, 0x2D, 0x58, 0x1E, 0x37, 0xDC, 0x04,
++ 0xBD, 0x31, 0xA2, 0x2F, 0xB3, 0x35, 0x56, 0xBF
++};
++
++static const unsigned char kat_RSA_SHA512[] = {
++ 0x69, 0x52, 0x1B, 0x51, 0x5E, 0x06, 0xCA, 0x9B, 0x16, 0x51, 0x5D, 0xCF,
++ 0x49, 0x25, 0x4A, 0xA1, 0x6A, 0x77, 0x4C, 0x36, 0x40, 0xF8, 0xB2, 0x9A,
++ 0x15, 0xEA, 0x5C, 0xE5, 0xE6, 0x82, 0xE0, 0x86, 0x82, 0x6B, 0x32, 0xF1,
++ 0x04, 0xC1, 0x5A, 0x1A, 0xED, 0x1E, 0x9A, 0xB6, 0x4C, 0x54, 0x9F, 0xD8,
++ 0x8D, 0xCC, 0xAC, 0x8A, 0xBB, 0x9C, 0x82, 0x3F, 0xA6, 0x53, 0x62, 0xB5,
++ 0x80, 0xE2, 0xBC, 0xDD, 0x67, 0x2B, 0xD9, 0x3F, 0xE4, 0x75, 0x92, 0x6B,
++ 0xAF, 0x62, 0x7C, 0x52, 0xF0, 0xEE, 0x33, 0xDF, 0x1B, 0x1D, 0x47, 0xE6,
++ 0x59, 0x56, 0xA5, 0xB9, 0x5C, 0xE6, 0x77, 0x78, 0x16, 0x63, 0x84, 0x05,
++ 0x6F, 0x0E, 0x2B, 0x31, 0x9D, 0xF7, 0x7F, 0xB2, 0x64, 0x71, 0xE0, 0x2D,
++ 0x3E, 0x62, 0xCE, 0xB5, 0x3F, 0x88, 0xDF, 0x2D, 0xAB, 0x98, 0x65, 0x91,
++ 0xDF, 0x70, 0x14, 0xA5, 0x3F, 0x36, 0xAB, 0x84
++};
++
++static const unsigned char kat_RSA_X931_SHA1[] = {
++ 0x86, 0xB4, 0x18, 0xBA, 0xD1, 0x80, 0xB6, 0x7C, 0x42, 0x45, 0x4D, 0xDF,
++ 0xE9, 0x2D, 0xE1, 0x83, 0x5F, 0xB5, 0x2F, 0xC9, 0xCD, 0xC4, 0xB2, 0x75,
++ 0x80, 0xA4, 0xF1, 0x4A, 0xE7, 0x83, 0x12, 0x1E, 0x1E, 0x14, 0xB8, 0xAC,
++ 0x35, 0xE2, 0xAA, 0x0B, 0x5C, 0xF8, 0x38, 0x4D, 0x04, 0xEE, 0xA9, 0x97,
++ 0x70, 0xFB, 0x5E, 0xE7, 0xB7, 0xE3, 0x62, 0x23, 0x4B, 0x38, 0xBE, 0xD6,
++ 0x53, 0x15, 0xF7, 0xDF, 0x87, 0xB4, 0x0E, 0xCC, 0xB1, 0x1A, 0x11, 0x19,
++ 0xEE, 0x51, 0xCC, 0x92, 0xDD, 0xBC, 0x63, 0x29, 0x63, 0x0C, 0x59, 0xD7,
++ 0x6F, 0x4C, 0x3C, 0x37, 0x5B, 0x37, 0x03, 0x61, 0x7D, 0x24, 0x1C, 0x99,
++ 0x48, 0xAF, 0x82, 0xFE, 0x32, 0x41, 0x9B, 0xB2, 0xDB, 0xEA, 0xED, 0x76,
++ 0x8E, 0x6E, 0xCA, 0x7E, 0x4E, 0x14, 0xBA, 0x30, 0x84, 0x1C, 0xB3, 0x67,
++ 0xA3, 0x29, 0x80, 0x70, 0x54, 0x68, 0x7D, 0x49
++};
++
++static const unsigned char kat_RSA_X931_SHA256[] = {
++ 0x7E, 0xA2, 0x77, 0xFE, 0xB8, 0x54, 0x8A, 0xC7, 0x7F, 0x64, 0x54, 0x89,
++ 0xE5, 0x52, 0x15, 0x8E, 0x52, 0x96, 0x4E, 0xA6, 0x58, 0x92, 0x1C, 0xDD,
++ 0xEA, 0xA2, 0x2D, 0x5C, 0xD1, 0x62, 0x00, 0x49, 0x05, 0x95, 0x73, 0xCF,
++ 0x16, 0x76, 0x68, 0xF6, 0xC6, 0x5E, 0x80, 0xB8, 0xB8, 0x7B, 0xC8, 0x9B,
++ 0xC6, 0x53, 0x88, 0x26, 0x20, 0x88, 0x73, 0xB6, 0x13, 0xB8, 0xF0, 0x4B,
++ 0x00, 0x85, 0xF3, 0xDD, 0x07, 0x50, 0xEB, 0x20, 0xC4, 0x38, 0x0E, 0x98,
++ 0xAD, 0x4E, 0x49, 0x2C, 0xD7, 0x65, 0xA5, 0x19, 0x0E, 0x59, 0x01, 0xEC,
++ 0x7E, 0x75, 0x89, 0x69, 0x2E, 0x63, 0x76, 0x85, 0x46, 0x8D, 0xA0, 0x8C,
++ 0x33, 0x1D, 0x82, 0x8C, 0x03, 0xEA, 0x69, 0x88, 0x35, 0xA1, 0x42, 0xBD,
++ 0x21, 0xED, 0x8D, 0xBC, 0xBC, 0xDB, 0x30, 0xFF, 0x86, 0xF0, 0x5B, 0xDC,
++ 0xE3, 0xE2, 0xE8, 0x0A, 0x0A, 0x29, 0x94, 0x80
++};
++
++static const unsigned char kat_RSA_X931_SHA384[] = {
++ 0x5C, 0x7D, 0x96, 0x35, 0xEC, 0x7E, 0x11, 0x38, 0xBB, 0x7B, 0xEC, 0x7B,
++ 0xF2, 0x82, 0x8E, 0x99, 0xBD, 0xEF, 0xD8, 0xAE, 0xD7, 0x39, 0x37, 0xCB,
++ 0xE6, 0x4F, 0x5E, 0x0A, 0x13, 0xE4, 0x2E, 0x40, 0xB9, 0xBE, 0x2E, 0xE3,
++ 0xEF, 0x78, 0x83, 0x18, 0x44, 0x35, 0x9C, 0x8E, 0xD7, 0x4A, 0x63, 0xF6,
++ 0x57, 0xC2, 0xB0, 0x08, 0x51, 0x73, 0xCF, 0xCA, 0x99, 0x66, 0xEE, 0x31,
++ 0xD8, 0x69, 0xE9, 0xAB, 0x13, 0x27, 0x7B, 0x41, 0x1E, 0x6D, 0x8D, 0xF1,
++ 0x3E, 0x9C, 0x35, 0x95, 0x58, 0xDD, 0x2B, 0xD5, 0xA0, 0x60, 0x41, 0x79,
++ 0x24, 0x22, 0xE4, 0xB7, 0xBF, 0x47, 0x53, 0xF6, 0x34, 0xD5, 0x7C, 0xFF,
++ 0x0E, 0x09, 0xEE, 0x2E, 0xE2, 0x37, 0xB9, 0xDE, 0xC5, 0x12, 0x44, 0x35,
++ 0xEF, 0x01, 0xE6, 0x5E, 0x39, 0x31, 0x2D, 0x71, 0xA5, 0xDC, 0xC6, 0x6D,
++ 0xE2, 0xCD, 0x85, 0xDB, 0x73, 0x82, 0x65, 0x28
++};
++
++static const unsigned char kat_RSA_X931_SHA512[] = {
++ 0xA6, 0x65, 0xA2, 0x77, 0x4F, 0xB3, 0x86, 0xCB, 0x64, 0x3A, 0xC1, 0x63,
++ 0xFC, 0xA1, 0xAA, 0xCB, 0x9B, 0x79, 0xDD, 0x4B, 0xE1, 0xD9, 0xDA, 0xAC,
++ 0xE7, 0x47, 0x09, 0xB2, 0x11, 0x4B, 0x8A, 0xAA, 0x05, 0x9E, 0x77, 0xD7,
++ 0x3A, 0xBD, 0x5E, 0x53, 0x09, 0x4A, 0xE6, 0x0F, 0x5E, 0xF9, 0x14, 0x28,
++ 0xA0, 0x99, 0x74, 0x64, 0x70, 0x4E, 0xF2, 0xE3, 0xFA, 0xC7, 0xF8, 0xC5,
++ 0x6E, 0x2B, 0x79, 0x96, 0x0D, 0x0C, 0xC8, 0x10, 0x34, 0x53, 0xD2, 0xAF,
++ 0x17, 0x0E, 0xE0, 0xBF, 0x79, 0xF6, 0x04, 0x72, 0x10, 0xE0, 0xF6, 0xD0,
++ 0xCE, 0x8A, 0x6F, 0xA1, 0x95, 0x89, 0xBF, 0x58, 0x8F, 0x46, 0x5F, 0x09,
++ 0x9F, 0x09, 0xCA, 0x84, 0x15, 0x85, 0xE0, 0xED, 0x04, 0x2D, 0xFB, 0x7C,
++ 0x36, 0x35, 0x21, 0x31, 0xC3, 0xFD, 0x92, 0x42, 0x11, 0x30, 0x71, 0x1B,
++ 0x60, 0x83, 0x18, 0x88, 0xA3, 0xF5, 0x59, 0xC3
++};
++
++int FIPS_selftest_rsa()
++{
++ int ret = 0;
++ RSA *key;
++ EVP_PKEY *pk = NULL;
++
++ if ((key = RSA_new()) == NULL)
++ goto err;
++ setrsakey(key);
++ if ((pk = EVP_PKEY_new()) == NULL)
++ goto err;
++
++ EVP_PKEY_assign_RSA(pk, key);
++
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_SHA1, sizeof(kat_RSA_SHA1),
++ EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PKCS1,
++ "RSA SHA1 PKCS#1"))
++ goto err;
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_SHA224, sizeof(kat_RSA_SHA224),
++ EVP_sha224(), EVP_MD_CTX_FLAG_PAD_PKCS1,
++ "RSA SHA224 PKCS#1"))
++ goto err;
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_SHA256, sizeof(kat_RSA_SHA256),
++ EVP_sha256(), EVP_MD_CTX_FLAG_PAD_PKCS1,
++ "RSA SHA256 PKCS#1"))
++ goto err;
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_SHA384, sizeof(kat_RSA_SHA384),
++ EVP_sha384(), EVP_MD_CTX_FLAG_PAD_PKCS1,
++ "RSA SHA384 PKCS#1"))
++ goto err;
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_SHA512, sizeof(kat_RSA_SHA512),
++ EVP_sha512(), EVP_MD_CTX_FLAG_PAD_PKCS1,
++ "RSA SHA512 PKCS#1"))
++ goto err;
++
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_PSS_SHA1, sizeof(kat_RSA_PSS_SHA1),
++ EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PSS,
++ "RSA SHA1 PSS"))
++ goto err;
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_PSS_SHA224,
++ sizeof(kat_RSA_PSS_SHA224), EVP_sha224(),
++ EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA224 PSS"))
++ goto err;
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_PSS_SHA256,
++ sizeof(kat_RSA_PSS_SHA256), EVP_sha256(),
++ EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA256 PSS"))
++ goto err;
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_PSS_SHA384,
++ sizeof(kat_RSA_PSS_SHA384), EVP_sha384(),
++ EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA384 PSS"))
++ goto err;
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_PSS_SHA512,
++ sizeof(kat_RSA_PSS_SHA512), EVP_sha512(),
++ EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA512 PSS"))
++ goto err;
++
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_X931_SHA1,
++ sizeof(kat_RSA_X931_SHA1), EVP_sha1(),
++ EVP_MD_CTX_FLAG_PAD_X931, "RSA SHA1 X931"))
++ goto err;
++ /* NB: SHA224 not supported in X9.31 */
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_X931_SHA256,
++ sizeof(kat_RSA_X931_SHA256), EVP_sha256(),
++ EVP_MD_CTX_FLAG_PAD_X931,
++ "RSA SHA256 X931"))
++ goto err;
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_X931_SHA384,
++ sizeof(kat_RSA_X931_SHA384), EVP_sha384(),
++ EVP_MD_CTX_FLAG_PAD_X931,
++ "RSA SHA384 X931"))
++ goto err;
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_X931_SHA512,
++ sizeof(kat_RSA_X931_SHA512), EVP_sha512(),
++ EVP_MD_CTX_FLAG_PAD_X931,
++ "RSA SHA512 X931"))
++ goto err;
++
++ ret = 1;
++
++ err:
++ if (pk)
++ EVP_PKEY_free(pk);
++ else if (key)
++ RSA_free(key);
++ return ret;
++}
++
++#endif /* def OPENSSL_FIPS */
+diff -up openssl-1.0.2i/crypto/fips/fips_rsa_x931g.c.fips openssl-1.0.2i/crypto/fips/fips_rsa_x931g.c
+--- openssl-1.0.2i/crypto/fips/fips_rsa_x931g.c.fips 2016-09-22 13:35:57.019221043 +0200
++++ openssl-1.0.2i/crypto/fips/fips_rsa_x931g.c 2016-09-22 13:35:57.019221043 +0200
+@@ -0,0 +1,273 @@
++/* crypto/rsa/rsa_gen.c */
++/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
++ * All rights reserved.
++ *
++ * This package is an SSL implementation written
++ * by Eric Young (eay@cryptsoft.com).
++ * The implementation was written so as to conform with Netscapes SSL.
++ *
++ * This library is free for commercial and non-commercial use as long as
++ * the following conditions are aheared to. The following conditions
++ * apply to all code found in this distribution, be it the RC4, RSA,
++ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
++ * included with this distribution is covered by the same copyright terms
++ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
++ *
++ * Copyright remains Eric Young's, and as such any Copyright notices in
++ * the code are not to be removed.
++ * If this package is used in a product, Eric Young should be given attribution
++ * as the author of the parts of the library used.
++ * This can be in the form of a textual message at program startup or
++ * in documentation (online or textual) provided with the package.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the copyright
++ * notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ * 3. All advertising materials mentioning features or use of this software
++ * must display the following acknowledgement:
++ * "This product includes cryptographic software written by
++ * Eric Young (eay@cryptsoft.com)"
++ * The word 'cryptographic' can be left out if the rouines from the library
++ * being used are not cryptographic related :-).
++ * 4. If you include any Windows specific code (or a derivative thereof) from
++ * the apps directory (application code) you must include an acknowledgement:
++ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
++ * SUCH DAMAGE.
++ *
++ * The licence and distribution terms for any publically available version or
++ * derivative of this code cannot be changed. i.e. this code cannot simply be
++ * copied and put under another distribution licence
++ * [including the GNU Public Licence.]
++ */
++
++#include <stdio.h>
++#include <string.h>
++#include <time.h>
++#include <openssl/err.h>
++#include <openssl/bn.h>
++#include <openssl/rsa.h>
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++
++extern int fips_check_rsa(RSA *rsa);
++#endif
++
++/* X9.31 RSA key derivation and generation */
++
++int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1,
++ BIGNUM *q2, const BIGNUM *Xp1, const BIGNUM *Xp2,
++ const BIGNUM *Xp, const BIGNUM *Xq1, const BIGNUM *Xq2,
++ const BIGNUM *Xq, const BIGNUM *e, BN_GENCB *cb)
++{
++ BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL;
++ BN_CTX *ctx = NULL, *ctx2 = NULL;
++
++ if (!rsa)
++ goto err;
++
++ ctx = BN_CTX_new();
++ if (!ctx)
++ goto err;
++ BN_CTX_start(ctx);
++
++ r0 = BN_CTX_get(ctx);
++ r1 = BN_CTX_get(ctx);
++ r2 = BN_CTX_get(ctx);
++ r3 = BN_CTX_get(ctx);
++
++ if (r3 == NULL)
++ goto err;
++ if (!rsa->e) {
++ rsa->e = BN_dup(e);
++ if (!rsa->e)
++ goto err;
++ } else
++ e = rsa->e;
++
++ /* If not all parameters present only calculate what we can.
++ * This allows test programs to output selective parameters.
++ */
++
++ if (Xp && !rsa->p) {
++ rsa->p = BN_new();
++ if (!rsa->p)
++ goto err;
++
++ if (!BN_X931_derive_prime_ex(rsa->p, p1, p2,
++ Xp, Xp1, Xp2, e, ctx, cb))
++ goto err;
++ }
++
++ if (Xq && !rsa->q) {
++ rsa->q = BN_new();
++ if (!rsa->q)
++ goto err;
++ if (!BN_X931_derive_prime_ex(rsa->q, q1, q2,
++ Xq, Xq1, Xq2, e, ctx, cb))
++ goto err;
++ }
++
++ if (!rsa->p || !rsa->q) {
++ BN_CTX_end(ctx);
++ BN_CTX_free(ctx);
++ return 2;
++ }
++
++ /* Since both primes are set we can now calculate all remaining
++ * components.
++ */
++
++ /* calculate n */
++ rsa->n = BN_new();
++ if (rsa->n == NULL)
++ goto err;
++ if (!BN_mul(rsa->n, rsa->p, rsa->q, ctx))
++ goto err;
++
++ /* calculate d */
++ if (!BN_sub(r1, rsa->p, BN_value_one()))
++ goto err; /* p-1 */
++ if (!BN_sub(r2, rsa->q, BN_value_one()))
++ goto err; /* q-1 */
++ if (!BN_mul(r0, r1, r2, ctx))
++ goto err; /* (p-1)(q-1) */
++
++ if (!BN_gcd(r3, r1, r2, ctx))
++ goto err;
++
++ if (!BN_div(r0, NULL, r0, r3, ctx))
++ goto err; /* LCM((p-1)(q-1)) */
++
++ ctx2 = BN_CTX_new();
++ if (!ctx2)
++ goto err;
++
++ rsa->d = BN_mod_inverse(NULL, rsa->e, r0, ctx2); /* d */
++ if (rsa->d == NULL)
++ goto err;
++
++ /* calculate d mod (p-1) */
++ rsa->dmp1 = BN_new();
++ if (rsa->dmp1 == NULL)
++ goto err;
++ if (!BN_mod(rsa->dmp1, rsa->d, r1, ctx))
++ goto err;
++
++ /* calculate d mod (q-1) */
++ rsa->dmq1 = BN_new();
++ if (rsa->dmq1 == NULL)
++ goto err;
++ if (!BN_mod(rsa->dmq1, rsa->d, r2, ctx))
++ goto err;
++
++ /* calculate inverse of q mod p */
++ rsa->iqmp = BN_mod_inverse(NULL, rsa->q, rsa->p, ctx2);
++
++ err:
++ if (ctx) {
++ BN_CTX_end(ctx);
++ BN_CTX_free(ctx);
++ }
++ if (ctx2)
++ BN_CTX_free(ctx2);
++ /* If this is set all calls successful */
++ if (rsa && rsa->iqmp != NULL)
++ return 1;
++
++ return 0;
++
++}
++
++int RSA_X931_generate_key_ex(RSA *rsa, int bits, const BIGNUM *e,
++ BN_GENCB *cb)
++{
++ int ok = 0;
++ BIGNUM *Xp = NULL, *Xq = NULL;
++ BN_CTX *ctx = NULL;
++
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW) &&
++ (bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) {
++ FIPSerr(FIPS_F_RSA_X931_GENERATE_KEY_EX, FIPS_R_KEY_TOO_SHORT);
++ return 0;
++ }
++
++ if (bits & 0xff) {
++ FIPSerr(FIPS_F_RSA_X931_GENERATE_KEY_EX, FIPS_R_INVALID_KEY_LENGTH);
++ return 0;
++ }
++
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_RSA_X931_GENERATE_KEY_EX, FIPS_R_FIPS_SELFTEST_FAILED);
++ return 0;
++ }
++#endif
++
++ ctx = BN_CTX_new();
++ if (!ctx)
++ goto error;
++
++ BN_CTX_start(ctx);
++ Xp = BN_CTX_get(ctx);
++ Xq = BN_CTX_get(ctx);
++ if (!BN_X931_generate_Xpq(Xp, Xq, bits, ctx))
++ goto error;
++
++ rsa->p = BN_new();
++ rsa->q = BN_new();
++ if (!rsa->p || !rsa->q)
++ goto error;
++
++ /* Generate two primes from Xp, Xq */
++
++ if (!BN_X931_generate_prime_ex(rsa->p, NULL, NULL, NULL, NULL, Xp,
++ e, ctx, cb))
++ goto error;
++
++ if (!BN_X931_generate_prime_ex(rsa->q, NULL, NULL, NULL, NULL, Xq,
++ e, ctx, cb))
++ goto error;
++
++ /* Since rsa->p and rsa->q are valid this call will just derive
++ * remaining RSA components.
++ */
++
++ if (!RSA_X931_derive_ex(rsa, NULL, NULL, NULL, NULL,
++ NULL, NULL, NULL, NULL, NULL, NULL, e, cb))
++ goto error;
++
++#ifdef OPENSSL_FIPS
++ if (!fips_check_rsa(rsa))
++ goto error;
++#endif
++
++ ok = 1;
++
++ error:
++ if (ctx) {
++ BN_CTX_end(ctx);
++ BN_CTX_free(ctx);
++ }
++
++ if (ok)
++ return 1;
++
++ return 0;
++
++}
+diff -up openssl-1.0.2i/crypto/fips/fips_sha_selftest.c.fips openssl-1.0.2i/crypto/fips/fips_sha_selftest.c
+--- openssl-1.0.2i/crypto/fips/fips_sha_selftest.c.fips 2016-09-22 13:35:57.019221043 +0200
++++ openssl-1.0.2i/crypto/fips/fips_sha_selftest.c 2016-09-22 13:35:57.019221043 +0200
+@@ -0,0 +1,145 @@
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <string.h>
++#include <openssl/err.h>
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
++#include <openssl/evp.h>
++#include <openssl/sha.h>
++
++#ifdef OPENSSL_FIPS
++static const char test[][60] = {
++ "",
++ "abc",
++ "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
++};
++
++static const unsigned char ret[][SHA_DIGEST_LENGTH] = {
++ {0xda, 0x39, 0xa3, 0xee, 0x5e, 0x6b, 0x4b, 0x0d, 0x32, 0x55,
++ 0xbf, 0xef, 0x95, 0x60, 0x18, 0x90, 0xaf, 0xd8, 0x07, 0x09},
++ {0xa9, 0x99, 0x3e, 0x36, 0x47, 0x06, 0x81, 0x6a, 0xba, 0x3e,
++ 0x25, 0x71, 0x78, 0x50, 0xc2, 0x6c, 0x9c, 0xd0, 0xd8, 0x9d},
++ {0x84, 0x98, 0x3e, 0x44, 0x1c, 0x3b, 0xd2, 0x6e, 0xba, 0xae,
++ 0x4a, 0xa1, 0xf9, 0x51, 0x29, 0xe5, 0xe5, 0x46, 0x70, 0xf1},
++};
++
++static int corrupt_sha;
++
++void FIPS_corrupt_sha1()
++{
++ corrupt_sha = 1;
++}
++
++int FIPS_selftest_sha1()
++{
++ int n;
++
++ for (n = 0; n < sizeof(test) / sizeof(test[0]); ++n) {
++ unsigned char md[SHA_DIGEST_LENGTH];
++
++ EVP_Digest(test[n], strlen(test[n]) + corrupt_sha, md, NULL,
++ EVP_sha1(), NULL);
++ if (memcmp(md, ret[n], sizeof md)) {
++ FIPSerr(FIPS_F_FIPS_SELFTEST_SHA1, FIPS_R_SELFTEST_FAILED);
++ return 0;
++ }
++ }
++ return 1;
++}
++
++static const unsigned char msg_sha256[] =
++ { 0xfa, 0x48, 0x59, 0x2a, 0xe1, 0xae, 0x1f, 0x30,
++ 0xfc
++};
++
++static const unsigned char dig_sha256[] =
++ { 0xf7, 0x26, 0xd8, 0x98, 0x47, 0x91, 0x68, 0x5b,
++ 0x9e, 0x39, 0xb2, 0x58, 0xbb, 0x75, 0xbf, 0x01,
++ 0x17, 0x0c, 0x84, 0x00, 0x01, 0x7a, 0x94, 0x83,
++ 0xf3, 0x0b, 0x15, 0x84, 0x4b, 0x69, 0x88, 0x8a
++};
++
++static const unsigned char msg_sha512[] =
++ { 0x37, 0xd1, 0x35, 0x9d, 0x18, 0x41, 0xe9, 0xb7,
++ 0x6d, 0x9a, 0x13, 0xda, 0x5f, 0xf3, 0xbd
++};
++
++static const unsigned char dig_sha512[] =
++ { 0x11, 0x13, 0xc4, 0x19, 0xed, 0x2b, 0x1d, 0x16,
++ 0x11, 0xeb, 0x9b, 0xbe, 0xf0, 0x7f, 0xcf, 0x44,
++ 0x8b, 0xd7, 0x57, 0xbd, 0x8d, 0xa9, 0x25, 0xb0,
++ 0x47, 0x25, 0xd6, 0x6c, 0x9a, 0x54, 0x7f, 0x8f,
++ 0x0b, 0x53, 0x1a, 0x10, 0x68, 0x32, 0x03, 0x38,
++ 0x82, 0xc4, 0x87, 0xc4, 0xea, 0x0e, 0xd1, 0x04,
++ 0xa9, 0x98, 0xc1, 0x05, 0xa3, 0xf3, 0xf8, 0xb1,
++ 0xaf, 0xbc, 0xd9, 0x78, 0x7e, 0xee, 0x3d, 0x43
++};
++
++int FIPS_selftest_sha2(void)
++{
++ unsigned char md[SHA512_DIGEST_LENGTH];
++
++ EVP_Digest(msg_sha256, sizeof(msg_sha256), md, NULL, EVP_sha256(), NULL);
++ if (memcmp(dig_sha256, md, sizeof(dig_sha256))) {
++ FIPSerr(FIPS_F_FIPS_MODE_SET, FIPS_R_SELFTEST_FAILED);
++ return 0;
++ }
++
++ EVP_Digest(msg_sha512, sizeof(msg_sha512), md, NULL, EVP_sha512(), NULL);
++ if (memcmp(dig_sha512, md, sizeof(dig_sha512))) {
++ FIPSerr(FIPS_F_FIPS_MODE_SET, FIPS_R_SELFTEST_FAILED);
++ return 0;
++ }
++
++ return 1;
++}
++
++#endif
+diff -up openssl-1.0.2i/crypto/fips/fips_standalone_hmac.c.fips openssl-1.0.2i/crypto/fips/fips_standalone_hmac.c
+--- openssl-1.0.2i/crypto/fips/fips_standalone_hmac.c.fips 2016-09-22 13:35:57.019221043 +0200
++++ openssl-1.0.2i/crypto/fips/fips_standalone_hmac.c 2016-09-22 13:35:57.019221043 +0200
+@@ -0,0 +1,268 @@
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <openssl/opensslconf.h>
++#include <openssl/sha.h>
++#include <openssl/hmac.h>
++
++#ifndef FIPSCANISTER_O
++int FIPS_selftest_failed()
++{
++ return 0;
++}
++
++void FIPS_selftest_check()
++{
++}
++#endif
++
++#ifdef OPENSSL_FIPS
++int bn_mul_mont_fpu64(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
++ const BN_ULONG *np, const BN_ULONG *n0, int num)
++{
++ return 0;
++};
++
++int bn_mul_mont_int(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
++ const BN_ULONG *np, const BN_ULONG *n0, int num)
++{
++ return 0;
++};
++
++# if defined(__i386) || defined(__i386__) || defined(_M_IX86) || \
++ defined(__INTEL__) || \
++ defined(__x86_64) || defined(__x86_64__) || \
++ defined(_M_AMD64) || defined(_M_X64)
++
++unsigned int OPENSSL_ia32cap_P[4];
++unsigned long *OPENSSL_ia32cap_loc(void)
++{
++ if (sizeof(long) == 4)
++ /*
++ * If 32-bit application pulls address of OPENSSL_ia32cap_P[0]
++ * clear second element to maintain the illusion that vector
++ * is 32-bit.
++ */
++ OPENSSL_ia32cap_P[1] = 0;
++
++ OPENSSL_ia32cap_P[2] = 0;
++
++ return (unsigned long *)OPENSSL_ia32cap_P;
++}
++
++# if defined(OPENSSL_CPUID_OBJ) && !defined(OPENSSL_NO_ASM) && !defined(I386_ONLY)
++# define OPENSSL_CPUID_SETUP
++# if defined(_WIN32)
++typedef unsigned __int64 IA32CAP;
++# else
++typedef unsigned long long IA32CAP;
++# endif
++void OPENSSL_cpuid_setup(void)
++{
++ static int trigger = 0;
++ IA32CAP OPENSSL_ia32_cpuid(unsigned int *);
++ IA32CAP vec;
++ char *env;
++
++ if (trigger)
++ return;
++
++ trigger = 1;
++ if ((env = getenv("OPENSSL_ia32cap"))) {
++ int off = (env[0] == '~') ? 1 : 0;
++# if defined(_WIN32)
++ if (!sscanf(env + off, "%I64i", &vec))
++ vec = strtoul(env + off, NULL, 0);
++# else
++ if (!sscanf(env + off, "%lli", (long long *)&vec))
++ vec = strtoul(env + off, NULL, 0);
++# endif
++ if (off)
++ vec = OPENSSL_ia32_cpuid(OPENSSL_ia32cap_P) & ~vec;
++ else if (env[0] == ':')
++ vec = OPENSSL_ia32_cpuid(OPENSSL_ia32cap_P);
++
++ OPENSSL_ia32cap_P[2] = 0;
++ if ((env = strchr(env, ':'))) {
++ unsigned int vecx;
++ env++;
++ off = (env[0] == '~') ? 1 : 0;
++ vecx = strtoul(env + off, NULL, 0);
++ if (off)
++ OPENSSL_ia32cap_P[2] &= ~vecx;
++ else
++ OPENSSL_ia32cap_P[2] = vecx;
++ }
++ } else
++ vec = OPENSSL_ia32_cpuid(OPENSSL_ia32cap_P);
++
++ /*
++ * |(1<<10) sets a reserved bit to signal that variable
++ * was initialized already... This is to avoid interference
++ * with cpuid snippets in ELF .init segment.
++ */
++ OPENSSL_ia32cap_P[0] = (unsigned int)vec | (1 << 10);
++ OPENSSL_ia32cap_P[1] = (unsigned int)(vec >> 32);
++}
++# else
++unsigned int OPENSSL_ia32cap_P[4];
++# endif
++
++# else
++unsigned long *OPENSSL_ia32cap_loc(void)
++{
++ return NULL;
++}
++# endif
++int OPENSSL_NONPIC_relocated = 0;
++# if !defined(OPENSSL_CPUID_SETUP) && !defined(OPENSSL_CPUID_OBJ)
++void OPENSSL_cpuid_setup(void)
++{
++}
++# endif
++
++static void hmac_init(SHA256_CTX *md_ctx, SHA256_CTX *o_ctx, const char *key)
++{
++ size_t len = strlen(key);
++ int i;
++ unsigned char keymd[HMAC_MAX_MD_CBLOCK];
++ unsigned char pad[HMAC_MAX_MD_CBLOCK];
++
++ if (len > SHA_CBLOCK) {
++ SHA256_Init(md_ctx);
++ SHA256_Update(md_ctx, key, len);
++ SHA256_Final(keymd, md_ctx);
++ len = SHA256_DIGEST_LENGTH;
++ } else
++ memcpy(keymd, key, len);
++ memset(&keymd[len], '\0', HMAC_MAX_MD_CBLOCK - len);
++
++ for (i = 0; i < HMAC_MAX_MD_CBLOCK; i++)
++ pad[i] = 0x36 ^ keymd[i];
++ SHA256_Init(md_ctx);
++ SHA256_Update(md_ctx, pad, SHA256_CBLOCK);
++
++ for (i = 0; i < HMAC_MAX_MD_CBLOCK; i++)
++ pad[i] = 0x5c ^ keymd[i];
++ SHA256_Init(o_ctx);
++ SHA256_Update(o_ctx, pad, SHA256_CBLOCK);
++}
++
++static void hmac_final(unsigned char *md, SHA256_CTX *md_ctx,
++ SHA256_CTX *o_ctx)
++{
++ unsigned char buf[SHA256_DIGEST_LENGTH];
++
++ SHA256_Final(buf, md_ctx);
++ SHA256_Update(o_ctx, buf, sizeof buf);
++ SHA256_Final(md, o_ctx);
++}
++
++#endif
++
++int main(int argc, char **argv)
++{
++#ifdef OPENSSL_FIPS
++ static char key[] = "orboDeJITITejsirpADONivirpUkvarP";
++ int n, binary = 0;
++
++ if (argc < 2) {
++ fprintf(stderr, "%s [<file>]+\n", argv[0]);
++ exit(1);
++ }
++
++ n = 1;
++ if (!strcmp(argv[n], "-binary")) {
++ n++;
++ binary = 1; /* emit binary fingerprint... */
++ }
++
++ for (; n < argc; ++n) {
++ FILE *f = fopen(argv[n], "rb");
++ SHA256_CTX md_ctx, o_ctx;
++ unsigned char md[SHA256_DIGEST_LENGTH];
++ int i;
++
++ if (!f) {
++ perror(argv[n]);
++ exit(2);
++ }
++
++ hmac_init(&md_ctx, &o_ctx, key);
++ for (;;) {
++ char buf[1024];
++ size_t l = fread(buf, 1, sizeof buf, f);
++
++ if (l == 0) {
++ if (ferror(f)) {
++ perror(argv[n]);
++ exit(3);
++ } else
++ break;
++ }
++ SHA256_Update(&md_ctx, buf, l);
++ }
++ hmac_final(md, &md_ctx, &o_ctx);
++
++ if (binary) {
++ fwrite(md, SHA256_DIGEST_LENGTH, 1, stdout);
++ break; /* ... for single(!) file */
++ }
++
++/* printf("HMAC-SHA1(%s)= ",argv[n]); */
++ for (i = 0; i < SHA256_DIGEST_LENGTH; ++i)
++ printf("%02x", md[i]);
++ printf("\n");
++ }
++#endif
++ return 0;
++}
+diff -up openssl-1.0.2i/crypto/fips/fips_test_suite.c.fips openssl-1.0.2i/crypto/fips/fips_test_suite.c
+--- openssl-1.0.2i/crypto/fips/fips_test_suite.c.fips 2016-09-22 13:35:57.020221066 +0200
++++ openssl-1.0.2i/crypto/fips/fips_test_suite.c 2016-09-22 13:35:57.019221043 +0200
+@@ -0,0 +1,639 @@
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
++ *
++ *
++ * This command is intended as a test driver for the FIPS-140 testing
++ * lab performing FIPS-140 validation. It demonstrates the use of the
++ * OpenSSL library ito perform a variety of common cryptographic
++ * functions. A power-up self test is demonstrated by deliberately
++ * pointing to an invalid executable hash
++ *
++ * Contributed by Steve Marquess.
++ *
++ */
++#include <stdio.h>
++#include <assert.h>
++#include <ctype.h>
++#include <string.h>
++#include <stdlib.h>
++#include <openssl/aes.h>
++#include <openssl/des.h>
++#include <openssl/rsa.h>
++#include <openssl/dsa.h>
++#include <openssl/dh.h>
++#include <openssl/hmac.h>
++#include <openssl/err.h>
++
++#include <openssl/bn.h>
++#include <openssl/rand.h>
++#include <openssl/sha.h>
++
++#ifndef OPENSSL_FIPS
++int main(int argc, char *argv[])
++{
++ printf("No FIPS support\n");
++ return (0);
++}
++#else
++
++# include <openssl/fips.h>
++# include "fips_utl.h"
++
++/* AES: encrypt and decrypt known plaintext, verify result matches original plaintext
++*/
++static int FIPS_aes_test(void)
++{
++ int ret = 0;
++ unsigned char pltmp[16];
++ unsigned char citmp[16];
++ unsigned char key[16] =
++ { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
++ unsigned char plaintext[16] = "etaonrishdlcu";
++ EVP_CIPHER_CTX ctx;
++ EVP_CIPHER_CTX_init(&ctx);
++ if (EVP_CipherInit_ex(&ctx, EVP_aes_128_ecb(), NULL, key, NULL, 1) <= 0)
++ goto err;
++ EVP_Cipher(&ctx, citmp, plaintext, 16);
++ if (EVP_CipherInit_ex(&ctx, EVP_aes_128_ecb(), NULL, key, NULL, 0) <= 0)
++ goto err;
++ EVP_Cipher(&ctx, pltmp, citmp, 16);
++ if (memcmp(pltmp, plaintext, 16))
++ goto err;
++ ret = 1;
++ err:
++ EVP_CIPHER_CTX_cleanup(&ctx);
++ return ret;
++}
++
++static int FIPS_des3_test(void)
++{
++ int ret = 0;
++ unsigned char pltmp[8];
++ unsigned char citmp[8];
++ unsigned char key[] =
++ { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18,
++ 19, 20, 21, 22, 23, 24
++ };
++ unsigned char plaintext[] = { 'e', 't', 'a', 'o', 'n', 'r', 'i', 's' };
++ EVP_CIPHER_CTX ctx;
++ EVP_CIPHER_CTX_init(&ctx);
++ if (EVP_CipherInit_ex(&ctx, EVP_des_ede3_ecb(), NULL, key, NULL, 1) <= 0)
++ goto err;
++ EVP_Cipher(&ctx, citmp, plaintext, 8);
++ if (EVP_CipherInit_ex(&ctx, EVP_des_ede3_ecb(), NULL, key, NULL, 0) <= 0)
++ goto err;
++ EVP_Cipher(&ctx, pltmp, citmp, 8);
++ if (memcmp(pltmp, plaintext, 8))
++ goto err;
++ ret = 1;
++ err:
++ EVP_CIPHER_CTX_cleanup(&ctx);
++ return ret;
++}
++
++/*
++ * DSA: generate keys and sign, verify input plaintext.
++ */
++static int FIPS_dsa_test(int bad)
++{
++ DSA *dsa = NULL;
++ EVP_PKEY pk;
++ unsigned char dgst[] = "etaonrishdlc";
++ unsigned char buf[60];
++ unsigned int slen;
++ int r = 0;
++ EVP_MD_CTX mctx;
++
++ ERR_clear_error();
++ EVP_MD_CTX_init(&mctx);
++ dsa = DSA_new();
++ if (!dsa)
++ goto end;
++ if (!DSA_generate_parameters_ex(dsa, 1024, NULL, 0, NULL, NULL, NULL))
++ goto end;
++ if (!DSA_generate_key(dsa))
++ goto end;
++ if (bad)
++ BN_add_word(dsa->pub_key, 1);
++
++ pk.type = EVP_PKEY_DSA;
++ pk.pkey.dsa = dsa;
++
++ if (!EVP_SignInit_ex(&mctx, EVP_dss1(), NULL))
++ goto end;
++ if (!EVP_SignUpdate(&mctx, dgst, sizeof(dgst) - 1))
++ goto end;
++ if (!EVP_SignFinal(&mctx, buf, &slen, &pk))
++ goto end;
++
++ if (!EVP_VerifyInit_ex(&mctx, EVP_dss1(), NULL))
++ goto end;
++ if (!EVP_VerifyUpdate(&mctx, dgst, sizeof(dgst) - 1))
++ goto end;
++ r = EVP_VerifyFinal(&mctx, buf, slen, &pk);
++ end:
++ EVP_MD_CTX_cleanup(&mctx);
++ if (dsa)
++ DSA_free(dsa);
++ if (r != 1)
++ return 0;
++ return 1;
++}
++
++/*
++ * RSA: generate keys and sign, verify input plaintext.
++ */
++static int FIPS_rsa_test(int bad)
++{
++ RSA *key;
++ unsigned char input_ptext[] = "etaonrishdlc";
++ unsigned char buf[256];
++ unsigned int slen;
++ BIGNUM *bn;
++ EVP_MD_CTX mctx;
++ EVP_PKEY pk;
++ int r = 0;
++
++ ERR_clear_error();
++ EVP_MD_CTX_init(&mctx);
++ key = RSA_new();
++ bn = BN_new();
++ if (!key || !bn)
++ return 0;
++ BN_set_word(bn, 65537);
++ if (!RSA_generate_key_ex(key, 1024, bn, NULL))
++ return 0;
++ BN_free(bn);
++ if (bad)
++ BN_add_word(key->n, 1);
++
++ pk.type = EVP_PKEY_RSA;
++ pk.pkey.rsa = key;
++
++ if (!EVP_SignInit_ex(&mctx, EVP_sha1(), NULL))
++ goto end;
++ if (!EVP_SignUpdate(&mctx, input_ptext, sizeof(input_ptext) - 1))
++ goto end;
++ if (!EVP_SignFinal(&mctx, buf, &slen, &pk))
++ goto end;
++
++ if (!EVP_VerifyInit_ex(&mctx, EVP_sha1(), NULL))
++ goto end;
++ if (!EVP_VerifyUpdate(&mctx, input_ptext, sizeof(input_ptext) - 1))
++ goto end;
++ r = EVP_VerifyFinal(&mctx, buf, slen, &pk);
++ end:
++ EVP_MD_CTX_cleanup(&mctx);
++ if (key)
++ RSA_free(key);
++ if (r != 1)
++ return 0;
++ return 1;
++}
++
++/* SHA1: generate hash of known digest value and compare to known
++ precomputed correct hash
++*/
++static int FIPS_sha1_test()
++{
++ unsigned char digest[SHA_DIGEST_LENGTH] =
++ { 0x11, 0xf1, 0x9a, 0x3a, 0xec, 0x1a, 0x1e, 0x8e, 0x65, 0xd4, 0x9a,
++0x38, 0x0c, 0x8b, 0x1e, 0x2c, 0xe8, 0xb3, 0xc5, 0x18 };
++ unsigned char str[] = "etaonrishd";
++
++ unsigned char md[SHA_DIGEST_LENGTH];
++
++ ERR_clear_error();
++ if (!EVP_Digest(str, sizeof(str) - 1, md, NULL, EVP_sha1(), NULL))
++ return 0;
++ if (memcmp(md, digest, sizeof(md)))
++ return 0;
++ return 1;
++}
++
++/* SHA256: generate hash of known digest value and compare to known
++ precomputed correct hash
++*/
++static int FIPS_sha256_test()
++{
++ unsigned char digest[SHA256_DIGEST_LENGTH] =
++ { 0xf5, 0x53, 0xcd, 0xb8, 0xcf, 0x1, 0xee, 0x17, 0x9b, 0x93, 0xc9,
++0x68, 0xc0, 0xea, 0x40, 0x91,
++ 0x6, 0xec, 0x8e, 0x11, 0x96, 0xc8, 0x5d, 0x1c, 0xaf, 0x64, 0x22, 0xe6,
++ 0x50, 0x4f, 0x47, 0x57
++ };
++ unsigned char str[] = "etaonrishd";
++
++ unsigned char md[SHA256_DIGEST_LENGTH];
++
++ ERR_clear_error();
++ if (!EVP_Digest(str, sizeof(str) - 1, md, NULL, EVP_sha256(), NULL))
++ return 0;
++ if (memcmp(md, digest, sizeof(md)))
++ return 0;
++ return 1;
++}
++
++/* SHA512: generate hash of known digest value and compare to known
++ precomputed correct hash
++*/
++static int FIPS_sha512_test()
++{
++ unsigned char digest[SHA512_DIGEST_LENGTH] =
++ { 0x99, 0xc9, 0xe9, 0x5b, 0x88, 0xd4, 0x78, 0x88, 0xdf, 0x88, 0x5f,
++0x94, 0x71, 0x64, 0x28, 0xca,
++ 0x16, 0x1f, 0x3d, 0xf4, 0x1f, 0xf3, 0x0f, 0xc5, 0x03, 0x99, 0xb2,
++ 0xd0, 0xe7, 0x0b, 0x94, 0x4a,
++ 0x45, 0xd2, 0x6c, 0x4f, 0x20, 0x06, 0xef, 0x71, 0xa9, 0x25, 0x7f,
++ 0x24, 0xb1, 0xd9, 0x40, 0x22,
++ 0x49, 0x54, 0x10, 0xc2, 0x22, 0x9d, 0x27, 0xfe, 0xbd, 0xd6, 0xd6,
++ 0xeb, 0x2d, 0x42, 0x1d, 0xa3
++ };
++ unsigned char str[] = "etaonrishd";
++
++ unsigned char md[SHA512_DIGEST_LENGTH];
++
++ ERR_clear_error();
++ if (!EVP_Digest(str, sizeof(str) - 1, md, NULL, EVP_sha512(), NULL))
++ return 0;
++ if (memcmp(md, digest, sizeof(md)))
++ return 0;
++ return 1;
++}
++
++/* HMAC-SHA1: generate hash of known digest value and compare to known
++ precomputed correct hash
++*/
++static int FIPS_hmac_sha1_test()
++{
++ unsigned char key[] = "etaonrishd";
++ unsigned char iv[] = "Sample text";
++ unsigned char kaval[EVP_MAX_MD_SIZE] =
++ { 0x73, 0xf7, 0xa0, 0x48, 0xf8, 0x94, 0xed, 0xdd, 0x0a, 0xea, 0xea,
++0x56, 0x1b, 0x61, 0x2e, 0x70,
++ 0xb2, 0xfb, 0xec, 0xc6
++ };
++
++ unsigned char out[EVP_MAX_MD_SIZE];
++ unsigned int outlen;
++
++ ERR_clear_error();
++ if (!HMAC
++ (EVP_sha1(), key, sizeof(key) - 1, iv, sizeof(iv) - 1, out, &outlen))
++ return 0;
++ if (memcmp(out, kaval, outlen))
++ return 0;
++ return 1;
++}
++
++/* HMAC-SHA224: generate hash of known digest value and compare to known
++ precomputed correct hash
++*/
++static int FIPS_hmac_sha224_test()
++{
++ unsigned char key[] = "etaonrishd";
++ unsigned char iv[] = "Sample text";
++ unsigned char kaval[EVP_MAX_MD_SIZE] =
++ { 0x75, 0x58, 0xd5, 0xbd, 0x55, 0x6d, 0x87, 0x0f, 0x75, 0xff, 0xbe,
++0x1c, 0xb2, 0xf0, 0x20, 0x35,
++ 0xe5, 0x62, 0x49, 0xb6, 0x94, 0xb9, 0xfc, 0x65, 0x34, 0x33, 0x3a, 0x19
++ };
++
++ unsigned char out[EVP_MAX_MD_SIZE];
++ unsigned int outlen;
++
++ ERR_clear_error();
++ if (!HMAC
++ (EVP_sha224(), key, sizeof(key) - 1, iv, sizeof(iv) - 1, out,
++ &outlen))
++ return 0;
++ if (memcmp(out, kaval, outlen))
++ return 0;
++ return 1;
++}
++
++/* HMAC-SHA256: generate hash of known digest value and compare to known
++ precomputed correct hash
++*/
++static int FIPS_hmac_sha256_test()
++{
++ unsigned char key[] = "etaonrishd";
++ unsigned char iv[] = "Sample text";
++ unsigned char kaval[EVP_MAX_MD_SIZE] =
++ { 0xe9, 0x17, 0xc1, 0x7b, 0x4c, 0x6b, 0x77, 0xda, 0xd2, 0x30, 0x36,
++0x02, 0xf5, 0x72, 0x33, 0x87,
++ 0x9f, 0xc6, 0x6e, 0x7b, 0x7e, 0xa8, 0xea, 0xaa, 0x9f, 0xba, 0xee,
++ 0x51, 0xff, 0xda, 0x24, 0xf4
++ };
++
++ unsigned char out[EVP_MAX_MD_SIZE];
++ unsigned int outlen;
++
++ ERR_clear_error();
++ if (!HMAC
++ (EVP_sha256(), key, sizeof(key) - 1, iv, sizeof(iv) - 1, out,
++ &outlen))
++ return 0;
++ if (memcmp(out, kaval, outlen))
++ return 0;
++ return 1;
++}
++
++/* HMAC-SHA384: generate hash of known digest value and compare to known
++ precomputed correct hash
++*/
++static int FIPS_hmac_sha384_test()
++{
++ unsigned char key[] = "etaonrishd";
++ unsigned char iv[] = "Sample text";
++ unsigned char kaval[EVP_MAX_MD_SIZE] =
++ { 0xb2, 0x9d, 0x40, 0x58, 0x32, 0xc4, 0xe3, 0x31, 0xb6, 0x63, 0x08,
++0x26, 0x99, 0xef, 0x3b, 0x10,
++ 0xe2, 0xdf, 0xf8, 0xff, 0xc6, 0xe1, 0x03, 0x29, 0x81, 0x2a, 0x1b,
++ 0xac, 0xb0, 0x07, 0x39, 0x08,
++ 0xf3, 0x91, 0x35, 0x11, 0x76, 0xd6, 0x4c, 0x20, 0xfb, 0x4d, 0xc3,
++ 0xf3, 0xb8, 0x9b, 0x88, 0x1c
++ };
++
++ unsigned char out[EVP_MAX_MD_SIZE];
++ unsigned int outlen;
++
++ ERR_clear_error();
++ if (!HMAC
++ (EVP_sha384(), key, sizeof(key) - 1, iv, sizeof(iv) - 1, out,
++ &outlen))
++ return 0;
++ if (memcmp(out, kaval, outlen))
++ return 0;
++ return 1;
++}
++
++/* HMAC-SHA512: generate hash of known digest value and compare to known
++ precomputed correct hash
++*/
++static int FIPS_hmac_sha512_test()
++{
++ unsigned char key[] = "etaonrishd";
++ unsigned char iv[] = "Sample text";
++ unsigned char kaval[EVP_MAX_MD_SIZE] =
++ { 0xcd, 0x3e, 0xb9, 0x51, 0xb8, 0xbc, 0x7f, 0x9a, 0x23, 0xaf, 0xf3,
++0x77, 0x59, 0x85, 0xa9, 0xe6,
++ 0xf7, 0xd1, 0x51, 0x96, 0x17, 0xe0, 0x92, 0xd8, 0xa6, 0x3b, 0xc1,
++ 0xad, 0x7e, 0x24, 0xca, 0xb1,
++ 0xd7, 0x79, 0x0a, 0xa5, 0xea, 0x2c, 0x02, 0x58, 0x0b, 0xa6, 0x52,
++ 0x6b, 0x61, 0x7f, 0xeb, 0x9c,
++ 0x47, 0x86, 0x5d, 0x74, 0x2b, 0x88, 0xdf, 0xee, 0x46, 0x69, 0x96,
++ 0x3d, 0xa6, 0xd9, 0x2a, 0x53
++ };
++
++ unsigned char out[EVP_MAX_MD_SIZE];
++ unsigned int outlen;
++
++ ERR_clear_error();
++ if (!HMAC
++ (EVP_sha512(), key, sizeof(key) - 1, iv, sizeof(iv) - 1, out,
++ &outlen))
++ return 0;
++ if (memcmp(out, kaval, outlen))
++ return 0;
++ return 1;
++}
++
++/* DH: generate shared parameters
++*/
++static int dh_test()
++{
++ DH *dh;
++ ERR_clear_error();
++ dh = FIPS_dh_new();
++ if (!dh)
++ return 0;
++ if (!DH_generate_parameters_ex(dh, 1024, 2, NULL))
++ return 0;
++ FIPS_dh_free(dh);
++ return 1;
++}
++
++/* Zeroize
++*/
++static int Zeroize()
++{
++ RSA *key;
++ BIGNUM *bn;
++ unsigned char userkey[16] =
++ { 0x48, 0x50, 0xf0, 0xa3, 0x3a, 0xed, 0xd3, 0xaf, 0x6e, 0x47, 0x7f,
++0x83, 0x02, 0xb1, 0x09, 0x68 };
++ int i, n;
++
++ key = FIPS_rsa_new();
++ bn = BN_new();
++ if (!key || !bn)
++ return 0;
++ BN_set_word(bn, 65537);
++ if (!RSA_generate_key_ex(key, 1024, bn, NULL))
++ return 0;
++ BN_free(bn);
++
++ n = BN_num_bytes(key->d);
++ printf(" Generated %d byte RSA private key\n", n);
++ printf("\tBN key before overwriting:\n");
++ do_bn_print(stdout, key->d);
++ BN_rand(key->d, n * 8, -1, 0);
++ printf("\tBN key after overwriting:\n");
++ do_bn_print(stdout, key->d);
++
++ printf("\tchar buffer key before overwriting: \n\t\t");
++ for (i = 0; i < sizeof(userkey); i++)
++ printf("%02x", userkey[i]);
++ printf("\n");
++ RAND_bytes(userkey, sizeof userkey);
++ printf("\tchar buffer key after overwriting: \n\t\t");
++ for (i = 0; i < sizeof(userkey); i++)
++ printf("%02x", userkey[i]);
++ printf("\n");
++
++ return 1;
++}
++
++static int Error;
++const char *Fail(const char *msg)
++{
++ do_print_errors();
++ Error++;
++ return msg;
++}
++
++int main(int argc, char **argv)
++{
++
++ int do_corrupt_rsa_keygen = 0, do_corrupt_dsa_keygen = 0;
++ int bad_rsa = 0, bad_dsa = 0;
++ int do_rng_stick = 0;
++ int no_exit = 0;
++
++ printf("\tFIPS-mode test application\n\n");
++
++ /* Load entropy from external file, if any */
++ RAND_load_file(".rnd", 1024);
++
++ if (argv[1]) {
++ /* Corrupted KAT tests */
++ if (!strcmp(argv[1], "aes")) {
++ FIPS_corrupt_aes();
++ printf("AES encryption/decryption with corrupted KAT...\n");
++ } else if (!strcmp(argv[1], "des")) {
++ FIPS_corrupt_des();
++ printf("DES3-ECB encryption/decryption with corrupted KAT...\n");
++ } else if (!strcmp(argv[1], "dsa")) {
++ FIPS_corrupt_dsa();
++ printf
++ ("DSA key generation and signature validation with corrupted KAT...\n");
++ } else if (!strcmp(argv[1], "rsa")) {
++ FIPS_corrupt_rsa();
++ printf
++ ("RSA key generation and signature validation with corrupted KAT...\n");
++ } else if (!strcmp(argv[1], "rsakey")) {
++ printf
++ ("RSA key generation and signature validation with corrupted key...\n");
++ bad_rsa = 1;
++ no_exit = 1;
++ } else if (!strcmp(argv[1], "rsakeygen")) {
++ do_corrupt_rsa_keygen = 1;
++ no_exit = 1;
++ printf
++ ("RSA key generation and signature validation with corrupted keygen...\n");
++ } else if (!strcmp(argv[1], "dsakey")) {
++ printf
++ ("DSA key generation and signature validation with corrupted key...\n");
++ bad_dsa = 1;
++ no_exit = 1;
++ } else if (!strcmp(argv[1], "dsakeygen")) {
++ do_corrupt_dsa_keygen = 1;
++ no_exit = 1;
++ printf
++ ("DSA key generation and signature validation with corrupted keygen...\n");
++ } else if (!strcmp(argv[1], "sha1")) {
++ FIPS_corrupt_sha1();
++ printf("SHA-1 hash with corrupted KAT...\n");
++ } else if (!strcmp(argv[1], "rng")) {
++ FIPS_corrupt_rng();
++ } else if (!strcmp(argv[1], "rngstick")) {
++ do_rng_stick = 1;
++ no_exit = 1;
++ printf("RNG test with stuck continuous test...\n");
++ } else {
++ printf("Bad argument \"%s\"\n", argv[1]);
++ exit(1);
++ }
++ if (!no_exit) {
++ if (!FIPS_mode_set(1)) {
++ do_print_errors();
++ printf("Power-up self test failed\n");
++ exit(1);
++ }
++ printf("Power-up self test successful\n");
++ exit(0);
++ }
++ }
++
++ /* Non-Approved cryptographic operation
++ */
++ printf("1. Non-Approved cryptographic operation test...\n");
++ printf("\ta. Included algorithm (D-H)...");
++ printf(dh_test()? "successful\n" : Fail("FAILED!\n"));
++
++ /* Power-up self test
++ */
++ ERR_clear_error();
++ printf("2. Automatic power-up self test...");
++ if (!FIPS_mode_set(1)) {
++ do_print_errors();
++ printf(Fail("FAILED!\n"));
++ exit(1);
++ }
++ printf("successful\n");
++ if (do_corrupt_dsa_keygen)
++ FIPS_corrupt_dsa_keygen();
++ if (do_corrupt_rsa_keygen)
++ FIPS_corrupt_rsa_keygen();
++ if (do_rng_stick)
++ FIPS_rng_stick();
++
++ /* AES encryption/decryption
++ */
++ printf("3. AES encryption/decryption...");
++ printf(FIPS_aes_test()? "successful\n" : Fail("FAILED!\n"));
++
++ /* RSA key generation and encryption/decryption
++ */
++ printf("4. RSA key generation and encryption/decryption...");
++ printf(FIPS_rsa_test(bad_rsa) ? "successful\n" : Fail("FAILED!\n"));
++
++ /* DES-CBC encryption/decryption
++ */
++ printf("5. DES-ECB encryption/decryption...");
++ printf(FIPS_des3_test()? "successful\n" : Fail("FAILED!\n"));
++
++ /* DSA key generation and signature validation
++ */
++ printf("6. DSA key generation and signature validation...");
++ printf(FIPS_dsa_test(bad_dsa) ? "successful\n" : Fail("FAILED!\n"));
++
++ /* SHA-1 hash
++ */
++ printf("7a. SHA-1 hash...");
++ printf(FIPS_sha1_test()? "successful\n" : Fail("FAILED!\n"));
++
++ /* SHA-256 hash
++ */
++ printf("7b. SHA-256 hash...");
++ printf(FIPS_sha256_test()? "successful\n" : Fail("FAILED!\n"));
++
++ /* SHA-512 hash
++ */
++ printf("7c. SHA-512 hash...");
++ printf(FIPS_sha512_test()? "successful\n" : Fail("FAILED!\n"));
++
++ /* HMAC-SHA-1 hash
++ */
++ printf("7d. HMAC-SHA-1 hash...");
++ printf(FIPS_hmac_sha1_test()? "successful\n" : Fail("FAILED!\n"));
++
++ /* HMAC-SHA-224 hash
++ */
++ printf("7e. HMAC-SHA-224 hash...");
++ printf(FIPS_hmac_sha224_test()? "successful\n" : Fail("FAILED!\n"));
++
++ /* HMAC-SHA-256 hash
++ */
++ printf("7f. HMAC-SHA-256 hash...");
++ printf(FIPS_hmac_sha256_test()? "successful\n" : Fail("FAILED!\n"));
++
++ /* HMAC-SHA-384 hash
++ */
++ printf("7g. HMAC-SHA-384 hash...");
++ printf(FIPS_hmac_sha384_test()? "successful\n" : Fail("FAILED!\n"));
++
++ /* HMAC-SHA-512 hash
++ */
++ printf("7h. HMAC-SHA-512 hash...");
++ printf(FIPS_hmac_sha512_test()? "successful\n" : Fail("FAILED!\n"));
++
++ /* Non-Approved cryptographic operation
++ */
++ printf("8. Non-Approved cryptographic operation test...\n");
++ printf("\ta. Included algorithm (D-H)...");
++ printf(dh_test()? "successful as expected\n"
++ : Fail("failed INCORRECTLY!\n"));
++
++ /* Zeroization
++ */
++ printf("9. Zero-ization...\n");
++ printf(Zeroize()? "\tsuccessful as expected\n"
++ : Fail("\tfailed INCORRECTLY!\n"));
++
++ printf("\nAll tests completed with %d errors\n", Error);
++ return Error ? 1 : 0;
++}
++
++#endif
+diff -up openssl-1.0.2i/crypto/fips/Makefile.fips openssl-1.0.2i/crypto/fips/Makefile
+--- openssl-1.0.2i/crypto/fips/Makefile.fips 2016-09-22 13:35:57.020221066 +0200
++++ openssl-1.0.2i/crypto/fips/Makefile 2016-09-22 13:35:57.020221066 +0200
+@@ -0,0 +1,341 @@
++#
++# OpenSSL/crypto/fips/Makefile
++#
++
++DIR= fips
++TOP= ../..
++CC= cc
++INCLUDES=
++CFLAG=-g
++MAKEFILE= Makefile
++AR= ar r
++
++CFLAGS= $(INCLUDES) $(CFLAG)
++
++GENERAL=Makefile
++TEST=fips_test_suite.c fips_randtest.c
++APPS=
++
++PROGRAM= fips_standalone_hmac
++EXE= $(PROGRAM)$(EXE_EXT)
++
++LIB=$(TOP)/libcrypto.a
++LIBSRC=fips_aes_selftest.c fips_des_selftest.c fips_hmac_selftest.c fips_rand_selftest.c \
++ fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c fips_rand.c \
++ fips_rsa_x931g.c fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \
++ fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \
++ fips_cmac_selftest.c fips_enc.c fips_md.c
++
++LIBOBJ=fips_aes_selftest.o fips_des_selftest.o fips_hmac_selftest.o fips_rand_selftest.o \
++ fips_rsa_selftest.o fips_sha_selftest.o fips.o fips_dsa_selftest.o fips_rand.o \
++ fips_rsa_x931g.o fips_post.o fips_drbg_ctr.o fips_drbg_hash.o fips_drbg_hmac.o \
++ fips_drbg_lib.o fips_drbg_rand.o fips_drbg_selftest.o fips_rand_lib.o \
++ fips_cmac_selftest.o fips_enc.o fips_md.o
++
++LIBCRYPTO=-L.. -lcrypto
++
++SRC= $(LIBSRC) fips_standalone_hmac.c
++
++EXHEADER= fips.h fips_rand.h
++HEADER= $(EXHEADER)
++
++ALL= $(GENERAL) $(SRC) $(HEADER)
++
++top:
++ (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
++
++all: lib exe
++
++lib: $(LIBOBJ)
++ $(AR) $(LIB) $(LIBOBJ)
++ $(RANLIB) $(LIB) || echo Never mind.
++ @touch lib
++
++exe: $(EXE)
++
++files:
++ $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
++
++links:
++ @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
++ @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
++ @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
++
++install:
++ @[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
++ @headerlist="$(EXHEADER)"; for i in $$headerlist ; \
++ do \
++ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
++ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
++ done;
++
++tags:
++ ctags $(SRC)
++
++tests:
++
++lint:
++ lint -DLINT $(INCLUDES) $(SRC)>fluff
++
++depend:
++ @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
++ $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
++
++dclean:
++ $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
++ mv -f Makefile.new $(MAKEFILE)
++
++clean:
++ rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
++
++$(EXE): $(PROGRAM).o
++ FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha256.o; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../sha/$$i" ; done; \
++ for i in $(CPUID_OBJ); do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../$$i" ; done; \
++ $(CC) -o $@ $(CFLAGS) $(PROGRAM).o $$FIPS_SHA_ASM
++
++# DO NOT DELETE THIS LINE -- make depend depends on it.
++
++fips.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
++fips.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
++fips.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
++fips.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
++fips.o: ../../include/openssl/fips_rand.h ../../include/openssl/hmac.h
++fips.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
++fips.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
++fips.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
++fips.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
++fips.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
++fips.o: ../../include/openssl/symhacks.h fips.c fips_locl.h
++fips_aes_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
++fips_aes_selftest.o: ../../include/openssl/crypto.h
++fips_aes_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
++fips_aes_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
++fips_aes_selftest.o: ../../include/openssl/lhash.h
++fips_aes_selftest.o: ../../include/openssl/obj_mac.h
++fips_aes_selftest.o: ../../include/openssl/objects.h
++fips_aes_selftest.o: ../../include/openssl/opensslconf.h
++fips_aes_selftest.o: ../../include/openssl/opensslv.h
++fips_aes_selftest.o: ../../include/openssl/ossl_typ.h
++fips_aes_selftest.o: ../../include/openssl/safestack.h
++fips_aes_selftest.o: ../../include/openssl/stack.h
++fips_aes_selftest.o: ../../include/openssl/symhacks.h fips_aes_selftest.c
++fips_des_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
++fips_des_selftest.o: ../../include/openssl/crypto.h
++fips_des_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
++fips_des_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
++fips_des_selftest.o: ../../include/openssl/lhash.h
++fips_des_selftest.o: ../../include/openssl/obj_mac.h
++fips_des_selftest.o: ../../include/openssl/objects.h
++fips_des_selftest.o: ../../include/openssl/opensslconf.h
++fips_des_selftest.o: ../../include/openssl/opensslv.h
++fips_des_selftest.o: ../../include/openssl/ossl_typ.h
++fips_des_selftest.o: ../../include/openssl/safestack.h
++fips_des_selftest.o: ../../include/openssl/stack.h
++fips_des_selftest.o: ../../include/openssl/symhacks.h fips_des_selftest.c
++fips_drbg_ctr.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
++fips_drbg_ctr.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
++fips_drbg_ctr.o: ../../include/openssl/e_os2.h ../../include/openssl/evp.h
++fips_drbg_ctr.o: ../../include/openssl/fips.h ../../include/openssl/fips_rand.h
++fips_drbg_ctr.o: ../../include/openssl/hmac.h ../../include/openssl/obj_mac.h
++fips_drbg_ctr.o: ../../include/openssl/objects.h
++fips_drbg_ctr.o: ../../include/openssl/opensslconf.h
++fips_drbg_ctr.o: ../../include/openssl/opensslv.h
++fips_drbg_ctr.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
++fips_drbg_ctr.o: ../../include/openssl/safestack.h
++fips_drbg_ctr.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
++fips_drbg_ctr.o: fips_drbg_ctr.c fips_rand_lcl.h
++fips_drbg_hash.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
++fips_drbg_hash.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
++fips_drbg_hash.o: ../../include/openssl/e_os2.h ../../include/openssl/evp.h
++fips_drbg_hash.o: ../../include/openssl/fips.h
++fips_drbg_hash.o: ../../include/openssl/fips_rand.h
++fips_drbg_hash.o: ../../include/openssl/hmac.h ../../include/openssl/obj_mac.h
++fips_drbg_hash.o: ../../include/openssl/objects.h
++fips_drbg_hash.o: ../../include/openssl/opensslconf.h
++fips_drbg_hash.o: ../../include/openssl/opensslv.h
++fips_drbg_hash.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
++fips_drbg_hash.o: ../../include/openssl/safestack.h
++fips_drbg_hash.o: ../../include/openssl/stack.h
++fips_drbg_hash.o: ../../include/openssl/symhacks.h fips_drbg_hash.c
++fips_drbg_hash.o: fips_rand_lcl.h
++fips_drbg_hmac.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
++fips_drbg_hmac.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
++fips_drbg_hmac.o: ../../include/openssl/e_os2.h ../../include/openssl/evp.h
++fips_drbg_hmac.o: ../../include/openssl/fips.h
++fips_drbg_hmac.o: ../../include/openssl/fips_rand.h
++fips_drbg_hmac.o: ../../include/openssl/hmac.h ../../include/openssl/obj_mac.h
++fips_drbg_hmac.o: ../../include/openssl/objects.h
++fips_drbg_hmac.o: ../../include/openssl/opensslconf.h
++fips_drbg_hmac.o: ../../include/openssl/opensslv.h
++fips_drbg_hmac.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
++fips_drbg_hmac.o: ../../include/openssl/safestack.h
++fips_drbg_hmac.o: ../../include/openssl/stack.h
++fips_drbg_hmac.o: ../../include/openssl/symhacks.h fips_drbg_hmac.c
++fips_drbg_hmac.o: fips_rand_lcl.h
++fips_drbg_lib.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
++fips_drbg_lib.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
++fips_drbg_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
++fips_drbg_lib.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
++fips_drbg_lib.o: ../../include/openssl/fips_rand.h ../../include/openssl/hmac.h
++fips_drbg_lib.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
++fips_drbg_lib.o: ../../include/openssl/objects.h
++fips_drbg_lib.o: ../../include/openssl/opensslconf.h
++fips_drbg_lib.o: ../../include/openssl/opensslv.h
++fips_drbg_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
++fips_drbg_lib.o: ../../include/openssl/safestack.h
++fips_drbg_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
++fips_drbg_lib.o: fips_drbg_lib.c fips_locl.h fips_rand_lcl.h
++fips_drbg_rand.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
++fips_drbg_rand.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
++fips_drbg_rand.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
++fips_drbg_rand.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
++fips_drbg_rand.o: ../../include/openssl/fips_rand.h
++fips_drbg_rand.o: ../../include/openssl/hmac.h ../../include/openssl/lhash.h
++fips_drbg_rand.o: ../../include/openssl/obj_mac.h
++fips_drbg_rand.o: ../../include/openssl/objects.h
++fips_drbg_rand.o: ../../include/openssl/opensslconf.h
++fips_drbg_rand.o: ../../include/openssl/opensslv.h
++fips_drbg_rand.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
++fips_drbg_rand.o: ../../include/openssl/safestack.h
++fips_drbg_rand.o: ../../include/openssl/stack.h
++fips_drbg_rand.o: ../../include/openssl/symhacks.h fips_drbg_rand.c
++fips_drbg_rand.o: fips_rand_lcl.h
++fips_drbg_selftest.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
++fips_drbg_selftest.o: ../../include/openssl/bio.h
++fips_drbg_selftest.o: ../../include/openssl/crypto.h
++fips_drbg_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
++fips_drbg_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
++fips_drbg_selftest.o: ../../include/openssl/fips_rand.h
++fips_drbg_selftest.o: ../../include/openssl/hmac.h
++fips_drbg_selftest.o: ../../include/openssl/lhash.h
++fips_drbg_selftest.o: ../../include/openssl/obj_mac.h
++fips_drbg_selftest.o: ../../include/openssl/objects.h
++fips_drbg_selftest.o: ../../include/openssl/opensslconf.h
++fips_drbg_selftest.o: ../../include/openssl/opensslv.h
++fips_drbg_selftest.o: ../../include/openssl/ossl_typ.h
++fips_drbg_selftest.o: ../../include/openssl/rand.h
++fips_drbg_selftest.o: ../../include/openssl/safestack.h
++fips_drbg_selftest.o: ../../include/openssl/stack.h
++fips_drbg_selftest.o: ../../include/openssl/symhacks.h fips_drbg_selftest.c
++fips_drbg_selftest.o: fips_drbg_selftest.h fips_locl.h fips_rand_lcl.h
++fips_dsa_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
++fips_dsa_selftest.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
++fips_dsa_selftest.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
++fips_dsa_selftest.o: ../../include/openssl/err.h ../../include/openssl/evp.h
++fips_dsa_selftest.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
++fips_dsa_selftest.o: ../../include/openssl/obj_mac.h
++fips_dsa_selftest.o: ../../include/openssl/objects.h
++fips_dsa_selftest.o: ../../include/openssl/opensslconf.h
++fips_dsa_selftest.o: ../../include/openssl/opensslv.h
++fips_dsa_selftest.o: ../../include/openssl/ossl_typ.h
++fips_dsa_selftest.o: ../../include/openssl/safestack.h
++fips_dsa_selftest.o: ../../include/openssl/stack.h
++fips_dsa_selftest.o: ../../include/openssl/symhacks.h fips_dsa_selftest.c
++fips_dsa_selftest.o: fips_locl.h
++fips_hmac_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
++fips_hmac_selftest.o: ../../include/openssl/crypto.h
++fips_hmac_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
++fips_hmac_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
++fips_hmac_selftest.o: ../../include/openssl/hmac.h
++fips_hmac_selftest.o: ../../include/openssl/lhash.h
++fips_hmac_selftest.o: ../../include/openssl/obj_mac.h
++fips_hmac_selftest.o: ../../include/openssl/objects.h
++fips_hmac_selftest.o: ../../include/openssl/opensslconf.h
++fips_hmac_selftest.o: ../../include/openssl/opensslv.h
++fips_hmac_selftest.o: ../../include/openssl/ossl_typ.h
++fips_hmac_selftest.o: ../../include/openssl/safestack.h
++fips_hmac_selftest.o: ../../include/openssl/stack.h
++fips_hmac_selftest.o: ../../include/openssl/symhacks.h fips_hmac_selftest.c
++fips_post.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
++fips_post.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
++fips_post.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
++fips_post.o: ../../include/openssl/err.h ../../include/openssl/evp.h
++fips_post.o: ../../include/openssl/fips.h ../../include/openssl/fips_rand.h
++fips_post.o: ../../include/openssl/hmac.h ../../include/openssl/lhash.h
++fips_post.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
++fips_post.o: ../../include/openssl/opensslconf.h
++fips_post.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
++fips_post.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
++fips_post.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
++fips_post.o: ../../include/openssl/symhacks.h fips_locl.h fips_post.c
++fips_rand.o: ../../e_os.h ../../include/openssl/aes.h
++fips_rand.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
++fips_rand.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
++fips_rand.o: ../../include/openssl/err.h ../../include/openssl/evp.h
++fips_rand.o: ../../include/openssl/fips.h ../../include/openssl/fips_rand.h
++fips_rand.o: ../../include/openssl/hmac.h ../../include/openssl/lhash.h
++fips_rand.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
++fips_rand.o: ../../include/openssl/opensslconf.h
++fips_rand.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
++fips_rand.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
++fips_rand.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
++fips_rand.o: fips_locl.h fips_rand.c
++fips_rand_lib.o: ../../e_os.h ../../include/openssl/aes.h
++fips_rand_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
++fips_rand_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
++fips_rand_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
++fips_rand_lib.o: ../../include/openssl/fips.h ../../include/openssl/fips_rand.h
++fips_rand_lib.o: ../../include/openssl/hmac.h ../../include/openssl/lhash.h
++fips_rand_lib.o: ../../include/openssl/obj_mac.h
++fips_rand_lib.o: ../../include/openssl/objects.h
++fips_rand_lib.o: ../../include/openssl/opensslconf.h
++fips_rand_lib.o: ../../include/openssl/opensslv.h
++fips_rand_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
++fips_rand_lib.o: ../../include/openssl/safestack.h
++fips_rand_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
++fips_rand_lib.o: fips_rand_lib.c
++fips_rand_selftest.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
++fips_rand_selftest.o: ../../include/openssl/bio.h
++fips_rand_selftest.o: ../../include/openssl/crypto.h
++fips_rand_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
++fips_rand_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
++fips_rand_selftest.o: ../../include/openssl/fips_rand.h
++fips_rand_selftest.o: ../../include/openssl/hmac.h
++fips_rand_selftest.o: ../../include/openssl/lhash.h
++fips_rand_selftest.o: ../../include/openssl/obj_mac.h
++fips_rand_selftest.o: ../../include/openssl/objects.h
++fips_rand_selftest.o: ../../include/openssl/opensslconf.h
++fips_rand_selftest.o: ../../include/openssl/opensslv.h
++fips_rand_selftest.o: ../../include/openssl/ossl_typ.h
++fips_rand_selftest.o: ../../include/openssl/rand.h
++fips_rand_selftest.o: ../../include/openssl/safestack.h
++fips_rand_selftest.o: ../../include/openssl/stack.h
++fips_rand_selftest.o: ../../include/openssl/symhacks.h fips_locl.h
++fips_rand_selftest.o: fips_rand_selftest.c
++fips_rsa_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
++fips_rsa_selftest.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
++fips_rsa_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
++fips_rsa_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
++fips_rsa_selftest.o: ../../include/openssl/lhash.h
++fips_rsa_selftest.o: ../../include/openssl/obj_mac.h
++fips_rsa_selftest.o: ../../include/openssl/objects.h
++fips_rsa_selftest.o: ../../include/openssl/opensslconf.h
++fips_rsa_selftest.o: ../../include/openssl/opensslv.h
++fips_rsa_selftest.o: ../../include/openssl/ossl_typ.h
++fips_rsa_selftest.o: ../../include/openssl/rsa.h
++fips_rsa_selftest.o: ../../include/openssl/safestack.h
++fips_rsa_selftest.o: ../../include/openssl/stack.h
++fips_rsa_selftest.o: ../../include/openssl/symhacks.h fips_rsa_selftest.c
++fips_rsa_x931g.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
++fips_rsa_x931g.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
++fips_rsa_x931g.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
++fips_rsa_x931g.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
++fips_rsa_x931g.o: ../../include/openssl/opensslconf.h
++fips_rsa_x931g.o: ../../include/openssl/opensslv.h
++fips_rsa_x931g.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rsa.h
++fips_rsa_x931g.o: ../../include/openssl/safestack.h
++fips_rsa_x931g.o: ../../include/openssl/stack.h
++fips_rsa_x931g.o: ../../include/openssl/symhacks.h fips_rsa_x931g.c
++fips_sha_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
++fips_sha_selftest.o: ../../include/openssl/crypto.h
++fips_sha_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
++fips_sha_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
++fips_sha_selftest.o: ../../include/openssl/lhash.h
++fips_sha_selftest.o: ../../include/openssl/obj_mac.h
++fips_sha_selftest.o: ../../include/openssl/objects.h
++fips_sha_selftest.o: ../../include/openssl/opensslconf.h
++fips_sha_selftest.o: ../../include/openssl/opensslv.h
++fips_sha_selftest.o: ../../include/openssl/ossl_typ.h
++fips_sha_selftest.o: ../../include/openssl/safestack.h
++fips_sha_selftest.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
++fips_sha_selftest.o: ../../include/openssl/symhacks.h fips_sha_selftest.c
+diff -up openssl-1.0.2i/crypto/hmac/hmac.c.fips openssl-1.0.2i/crypto/hmac/hmac.c
+--- openssl-1.0.2i/crypto/hmac/hmac.c.fips 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/hmac/hmac.c 2016-09-22 13:35:57.020221066 +0200
+@@ -89,12 +89,6 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo
+ EVPerr(EVP_F_HMAC_INIT_EX, EVP_R_DISABLED_FOR_FIPS);
+ return 0;
+ }
+- /*
+- * Other algorithm blocking will be done in FIPS_cmac_init, via
+- * FIPS_hmac_init_ex().
+- */
+- if (!impl && !ctx->i_ctx.engine)
+- return FIPS_hmac_init_ex(ctx, key, len, md, NULL);
+ }
+ #endif
+ /* If we are changing MD then we must have a key */
+@@ -111,6 +105,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo
+ }
+
+ if (key != NULL) {
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode() && !(md->flags & EVP_MD_FLAG_FIPS)
++ && (!(ctx->md_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
++ || !(ctx->i_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
++ || !(ctx->o_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)))
++ goto err;
++#endif
+ reset = 1;
+ j = EVP_MD_block_size(md);
+ OPENSSL_assert(j <= (int)sizeof(ctx->key));
+@@ -164,10 +165,6 @@ int HMAC_Init(HMAC_CTX *ctx, const void
+
+ int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, size_t len)
+ {
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode() && !ctx->i_ctx.engine)
+- return FIPS_hmac_update(ctx, data, len);
+-#endif
+ if (!ctx->md)
+ return 0;
+
+@@ -178,10 +175,6 @@ int HMAC_Final(HMAC_CTX *ctx, unsigned c
+ {
+ unsigned int i;
+ unsigned char buf[EVP_MAX_MD_SIZE];
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode() && !ctx->i_ctx.engine)
+- return FIPS_hmac_final(ctx, md, len);
+-#endif
+
+ if (!ctx->md)
+ goto err;
+@@ -225,12 +218,6 @@ int HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_C
+
+ void HMAC_CTX_cleanup(HMAC_CTX *ctx)
+ {
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode() && !ctx->i_ctx.engine) {
+- FIPS_hmac_ctx_cleanup(ctx);
+- return;
+- }
+-#endif
+ EVP_MD_CTX_cleanup(&ctx->i_ctx);
+ EVP_MD_CTX_cleanup(&ctx->o_ctx);
+ EVP_MD_CTX_cleanup(&ctx->md_ctx);
+diff -up openssl-1.0.2i/crypto/mdc2/mdc2dgst.c.fips openssl-1.0.2i/crypto/mdc2/mdc2dgst.c
+--- openssl-1.0.2i/crypto/mdc2/mdc2dgst.c.fips 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/mdc2/mdc2dgst.c 2016-09-22 13:35:57.020221066 +0200
+@@ -76,7 +76,7 @@
+ *((c)++)=(unsigned char)(((l)>>24L)&0xff))
+
+ static void mdc2_body(MDC2_CTX *c, const unsigned char *in, size_t len);
+-fips_md_init(MDC2)
++nonfips_md_init(MDC2)
+ {
+ c->num = 0;
+ c->pad_type = 1;
+diff -up openssl-1.0.2i/crypto/md2/md2_dgst.c.fips openssl-1.0.2i/crypto/md2/md2_dgst.c
+--- openssl-1.0.2i/crypto/md2/md2_dgst.c.fips 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/md2/md2_dgst.c 2016-09-22 13:35:57.020221066 +0200
+@@ -62,6 +62,11 @@
+ #include <openssl/md2.h>
+ #include <openssl/opensslv.h>
+ #include <openssl/crypto.h>
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
++
++#include <openssl/err.h>
+
+ const char MD2_version[] = "MD2" OPENSSL_VERSION_PTEXT;
+
+@@ -119,7 +124,7 @@ const char *MD2_options(void)
+ return ("md2(int)");
+ }
+
+-fips_md_init(MD2)
++nonfips_md_init(MD2)
+ {
+ c->num = 0;
+ memset(c->state, 0, sizeof c->state);
+diff -up openssl-1.0.2i/crypto/md4/md4_dgst.c.fips openssl-1.0.2i/crypto/md4/md4_dgst.c
+--- openssl-1.0.2i/crypto/md4/md4_dgst.c.fips 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/md4/md4_dgst.c 2016-09-22 13:35:57.020221066 +0200
+@@ -72,7 +72,7 @@ const char MD4_version[] = "MD4" OPENSSL
+ #define INIT_DATA_C (unsigned long)0x98badcfeL
+ #define INIT_DATA_D (unsigned long)0x10325476L
+
+-fips_md_init(MD4)
++nonfips_md_init(MD4)
+ {
+ memset(c, 0, sizeof(*c));
+ c->A = INIT_DATA_A;
+diff -up openssl-1.0.2i/crypto/md5/md5_dgst.c.fips openssl-1.0.2i/crypto/md5/md5_dgst.c
+--- openssl-1.0.2i/crypto/md5/md5_dgst.c.fips 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/md5/md5_dgst.c 2016-09-22 13:35:57.020221066 +0200
+@@ -72,7 +72,7 @@ const char MD5_version[] = "MD5" OPENSSL
+ #define INIT_DATA_C (unsigned long)0x98badcfeL
+ #define INIT_DATA_D (unsigned long)0x10325476L
+
+-fips_md_init(MD5)
++nonfips_md_init(MD5)
+ {
+ memset(c, 0, sizeof(*c));
+ c->A = INIT_DATA_A;
+diff -up openssl-1.0.2i/crypto/o_fips.c.fips openssl-1.0.2i/crypto/o_fips.c
+--- openssl-1.0.2i/crypto/o_fips.c.fips 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/o_fips.c 2016-09-22 13:35:57.020221066 +0200
+@@ -80,6 +80,8 @@ int FIPS_mode_set(int r)
+ # ifndef FIPS_AUTH_USER_PASS
+ # define FIPS_AUTH_USER_PASS "Default FIPS Crypto User Password"
+ # endif
++ if (r && FIPS_module_mode()) /* can be implicitly initialized by OPENSSL_init() */
++ return 1;
+ if (!FIPS_module_mode_set(r, FIPS_AUTH_USER_PASS))
+ return 0;
+ if (r)
+diff -up openssl-1.0.2i/crypto/o_init.c.fips openssl-1.0.2i/crypto/o_init.c
+--- openssl-1.0.2i/crypto/o_init.c.fips 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/o_init.c 2016-09-22 13:38:19.150496906 +0200
+@@ -56,8 +56,37 @@
+ #include <e_os.h>
+ #include <openssl/err.h>
+ #ifdef OPENSSL_FIPS
++# include <sys/types.h>
++# include <sys/stat.h>
++# include <fcntl.h>
++# include <unistd.h>
++# include <errno.h>
++# include <stdlib.h>
+ # include <openssl/fips.h>
+ # include <openssl/rand.h>
++
++# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
++
++static void init_fips_mode(void)
++{
++ char buf[2] = "0";
++ int fd;
++
++ if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
++ buf[0] = '1';
++ } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
++ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
++ close(fd);
++ }
++ /* Failure reading the fips mode switch file means just not
++ * switching into FIPS mode. We would break too many things
++ * otherwise..
++ */
++
++ if (buf[0] == '1') {
++ FIPS_mode_set(1);
++ }
++}
+ #endif
+
+ /*
+@@ -65,22 +94,26 @@
+ * sets FIPS callbacks
+ */
+
+-void OPENSSL_init(void)
++void OPENSSL_init_library(void)
+ {
+ static int done = 0;
+ if (done)
+ return;
+ done = 1;
+ #ifdef OPENSSL_FIPS
+- FIPS_set_locking_callbacks(CRYPTO_lock, CRYPTO_add_lock);
+-# ifndef OPENSSL_NO_DEPRECATED
+- FIPS_crypto_set_id_callback(CRYPTO_thread_id);
+-# endif
+- FIPS_set_error_callbacks(ERR_put_error, ERR_add_error_vdata);
+- FIPS_set_malloc_callbacks(CRYPTO_malloc, CRYPTO_free);
+ RAND_init_fips();
++ init_fips_mode();
++ if (!FIPS_mode()) {
++ /* Clean up prematurely set default rand method */
++ RAND_set_rand_method(NULL);
++ }
+ #endif
+ #if 0
+ fprintf(stderr, "Called OPENSSL_init\n");
+ #endif
+ }
++
++void OPENSSL_init(void)
++{
++ OPENSSL_init_library();
++}
+diff -up openssl-1.0.2i/crypto/opensslconf.h.in.fips openssl-1.0.2i/crypto/opensslconf.h.in
+--- openssl-1.0.2i/crypto/opensslconf.h.in.fips 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/opensslconf.h.in 2016-09-22 13:35:57.021221089 +0200
+@@ -1,5 +1,20 @@
+ /* crypto/opensslconf.h.in */
+
++#ifdef OPENSSL_DOING_MAKEDEPEND
++
++/* Include any symbols here that have to be explicitly set to enable a feature
++ * that should be visible to makedepend.
++ *
++ * [Our "make depend" doesn't actually look at this, we use actual build settings
++ * instead; we want to make it easy to remove subdirectories with disabled algorithms.]
++ */
++
++#ifndef OPENSSL_FIPS
++#define OPENSSL_FIPS
++#endif
++
++#endif
++
+ /* Generate 80386 code? */
+ #undef I386_ONLY
+
+diff -up openssl-1.0.2i/crypto/rand/md_rand.c.fips openssl-1.0.2i/crypto/rand/md_rand.c
+--- openssl-1.0.2i/crypto/rand/md_rand.c.fips 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/rand/md_rand.c 2016-09-22 13:35:57.021221089 +0200
+@@ -391,7 +391,10 @@ int ssleay_rand_bytes(unsigned char *buf
+ CRYPTO_w_unlock(CRYPTO_LOCK_RAND2);
+ crypto_lock_rand = 1;
+
+- if (!initialized) {
++ /* always poll for external entropy in FIPS mode, drbg provides the
++ * expansion
++ */
++ if (!initialized || FIPS_module_mode()) {
+ RAND_poll();
+ initialized = 1;
+ }
+diff -up openssl-1.0.2i/crypto/rand/rand.h.fips openssl-1.0.2i/crypto/rand/rand.h
+--- openssl-1.0.2i/crypto/rand/rand.h.fips 2016-09-22 13:35:56.777215465 +0200
++++ openssl-1.0.2i/crypto/rand/rand.h 2016-09-22 13:35:57.021221089 +0200
+@@ -133,16 +133,34 @@ void ERR_load_RAND_strings(void);
+ /* Error codes for the RAND functions. */
+
+ /* Function codes. */
++# define RAND_F_ENG_RAND_GET_RAND_METHOD 108
++# define RAND_F_FIPS_RAND 103
++# define RAND_F_FIPS_RAND_BYTES 102
++# define RAND_F_FIPS_RAND_SET_DT 106
++# define RAND_F_FIPS_X931_SET_DT 106
++# define RAND_F_FIPS_SET_DT 104
++# define RAND_F_FIPS_SET_PRNG_SEED 107
++# define RAND_F_FIPS_SET_TEST_MODE 105
+ # define RAND_F_RAND_GET_RAND_METHOD 101
+-# define RAND_F_RAND_INIT_FIPS 102
++# define RAND_F_RAND_INIT_FIPS 109
+ # define RAND_F_SSLEAY_RAND_BYTES 100
+
+ /* Reason codes. */
+-# define RAND_R_DUAL_EC_DRBG_DISABLED 104
+-# define RAND_R_ERROR_INITIALISING_DRBG 102
+-# define RAND_R_ERROR_INSTANTIATING_DRBG 103
+-# define RAND_R_NO_FIPS_RANDOM_METHOD_SET 101
++# define RAND_R_DUAL_EC_DRBG_DISABLED 114
++# define RAND_R_ERROR_INITIALISING_DRBG 112
++# define RAND_R_ERROR_INSTANTIATING_DRBG 113
++# define RAND_R_NON_FIPS_METHOD 105
++# define RAND_R_NOT_IN_TEST_MODE 106
++# define RAND_R_NO_FIPS_RANDOM_METHOD_SET 111
++# define RAND_R_NO_KEY_SET 107
++# define RAND_R_PRNG_ASKING_FOR_TOO_MUCH 101
++# define RAND_R_PRNG_ERROR 108
++# define RAND_R_PRNG_KEYED 109
++# define RAND_R_PRNG_NOT_REKEYED 102
++# define RAND_R_PRNG_NOT_RESEEDED 103
+ # define RAND_R_PRNG_NOT_SEEDED 100
++# define RAND_R_PRNG_SEED_MUST_NOT_MATCH_KEY 110
++# define RAND_R_PRNG_STUCK 104
+
+ #ifdef __cplusplus
+ }
+diff -up openssl-1.0.2i/crypto/ripemd/rmd_dgst.c.fips openssl-1.0.2i/crypto/ripemd/rmd_dgst.c
+--- openssl-1.0.2i/crypto/ripemd/rmd_dgst.c.fips 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/ripemd/rmd_dgst.c 2016-09-22 13:35:57.021221089 +0200
+@@ -70,7 +70,7 @@ void ripemd160_block_x86(RIPEMD160_CTX *
+ void ripemd160_block(RIPEMD160_CTX *c, unsigned long *p, size_t num);
+ #endif
+
+-fips_md_init(RIPEMD160)
++nonfips_md_init(RIPEMD160)
+ {
+ memset(c, 0, sizeof(*c));
+ c->A = RIPEMD160_A;
+diff -up openssl-1.0.2i/crypto/rsa/rsa_crpt.c.fips openssl-1.0.2i/crypto/rsa/rsa_crpt.c
+--- openssl-1.0.2i/crypto/rsa/rsa_crpt.c.fips 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/rsa/rsa_crpt.c 2016-09-22 13:35:57.021221089 +0200
+@@ -89,9 +89,9 @@ int RSA_private_encrypt(int flen, const
+ unsigned char *to, RSA *rsa, int padding)
+ {
+ #ifdef OPENSSL_FIPS
+- if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
+- && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
+- RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, RSA_R_NON_FIPS_RSA_METHOD);
++ if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
++ RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT,
++ RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
+ return -1;
+ }
+ #endif
+@@ -115,9 +115,9 @@ int RSA_public_decrypt(int flen, const u
+ RSA *rsa, int padding)
+ {
+ #ifdef OPENSSL_FIPS
+- if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
+- && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
+- RSAerr(RSA_F_RSA_PUBLIC_DECRYPT, RSA_R_NON_FIPS_RSA_METHOD);
++ if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
++ RSAerr(RSA_F_RSA_PUBLIC_DECRYPT,
++ RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
+ return -1;
+ }
+ #endif
+diff -up openssl-1.0.2i/crypto/rsa/rsa_eay.c.fips openssl-1.0.2i/crypto/rsa/rsa_eay.c
+--- openssl-1.0.2i/crypto/rsa/rsa_eay.c.fips 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/rsa/rsa_eay.c 2016-09-22 13:35:57.022221112 +0200
+@@ -114,6 +114,10 @@
+ #include <openssl/bn.h>
+ #include <openssl/rsa.h>
+ #include <openssl/rand.h>
++#include <openssl/err.h>
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
+
+ #ifndef RSA_NULL
+
+@@ -140,7 +144,7 @@ static RSA_METHOD rsa_pkcs1_eay_meth = {
+ * if e == 3 */
+ RSA_eay_init,
+ RSA_eay_finish,
+- 0, /* flags */
++ RSA_FLAG_FIPS_METHOD, /* flags */
+ NULL,
+ 0, /* rsa_sign */
+ 0, /* rsa_verify */
+@@ -160,6 +164,22 @@ static int RSA_eay_public_encrypt(int fl
+ unsigned char *buf = NULL;
+ BN_CTX *ctx = NULL;
+
++# ifdef OPENSSL_FIPS
++ if (FIPS_mode()) {
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_RSA_EAY_PUBLIC_ENCRYPT,
++ FIPS_R_FIPS_SELFTEST_FAILED);
++ goto err;
++ }
++
++ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
++ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) {
++ RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
++ return -1;
++ }
++ }
++# endif
++
+ if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
+ RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);
+ return -1;
+@@ -361,6 +381,22 @@ static int RSA_eay_private_encrypt(int f
+ BIGNUM *unblind = NULL;
+ BN_BLINDING *blinding = NULL;
+
++# ifdef OPENSSL_FIPS
++ if (FIPS_mode()) {
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_RSA_EAY_PRIVATE_ENCRYPT,
++ FIPS_R_FIPS_SELFTEST_FAILED);
++ return -1;
++ }
++
++ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
++ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) {
++ RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
++ return -1;
++ }
++ }
++# endif
++
+ if ((ctx = BN_CTX_new()) == NULL)
+ goto err;
+ BN_CTX_start(ctx);
+@@ -497,6 +533,22 @@ static int RSA_eay_private_decrypt(int f
+ BIGNUM *unblind = NULL;
+ BN_BLINDING *blinding = NULL;
+
++# ifdef OPENSSL_FIPS
++ if (FIPS_mode()) {
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_RSA_EAY_PRIVATE_DECRYPT,
++ FIPS_R_FIPS_SELFTEST_FAILED);
++ return -1;
++ }
++
++ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
++ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) {
++ RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
++ return -1;
++ }
++ }
++# endif
++
+ if ((ctx = BN_CTX_new()) == NULL)
+ goto err;
+ BN_CTX_start(ctx);
+@@ -623,6 +675,22 @@ static int RSA_eay_public_decrypt(int fl
+ unsigned char *buf = NULL;
+ BN_CTX *ctx = NULL;
+
++# ifdef OPENSSL_FIPS
++ if (FIPS_mode()) {
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_RSA_EAY_PUBLIC_DECRYPT,
++ FIPS_R_FIPS_SELFTEST_FAILED);
++ goto err;
++ }
++
++ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
++ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) {
++ RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
++ return -1;
++ }
++ }
++# endif
++
+ if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
+ RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);
+ return -1;
+@@ -886,6 +954,9 @@ static int RSA_eay_mod_exp(BIGNUM *r0, c
+
+ static int RSA_eay_init(RSA *rsa)
+ {
++# ifdef OPENSSL_FIPS
++ FIPS_selftest_check();
++# endif
+ rsa->flags |= RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE;
+ return (1);
+ }
+diff -up openssl-1.0.2i/crypto/rsa/rsa_err.c.fips openssl-1.0.2i/crypto/rsa/rsa_err.c
+--- openssl-1.0.2i/crypto/rsa/rsa_err.c.fips 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/rsa/rsa_err.c 2016-09-22 13:35:57.022221112 +0200
+@@ -136,6 +136,8 @@ static ERR_STRING_DATA RSA_str_functs[]
+ {ERR_FUNC(RSA_F_RSA_PUBLIC_ENCRYPT), "RSA_public_encrypt"},
+ {ERR_FUNC(RSA_F_RSA_PUB_DECODE), "RSA_PUB_DECODE"},
+ {ERR_FUNC(RSA_F_RSA_SETUP_BLINDING), "RSA_setup_blinding"},
++ {ERR_FUNC(RSA_F_RSA_SET_DEFAULT_METHOD), "RSA_set_default_method"},
++ {ERR_FUNC(RSA_F_RSA_SET_METHOD), "RSA_set_method"},
+ {ERR_FUNC(RSA_F_RSA_SIGN), "RSA_sign"},
+ {ERR_FUNC(RSA_F_RSA_SIGN_ASN1_OCTET_STRING),
+ "RSA_sign_ASN1_OCTET_STRING"},
+diff -up openssl-1.0.2i/crypto/rsa/rsa_gen.c.fips openssl-1.0.2i/crypto/rsa/rsa_gen.c
+--- openssl-1.0.2i/crypto/rsa/rsa_gen.c.fips 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/rsa/rsa_gen.c 2016-09-22 13:35:57.022221112 +0200
+@@ -69,8 +69,80 @@
+ #include <openssl/rsa.h>
+ #ifdef OPENSSL_FIPS
+ # include <openssl/fips.h>
+-extern int FIPS_rsa_x931_generate_key_ex(RSA *rsa, int bits, BIGNUM *e,
+- BN_GENCB *cb);
++# include <openssl/err.h>
++# include <openssl/evp.h>
++
++static int fips_rsa_pairwise_fail = 0;
++
++void FIPS_corrupt_rsa_keygen(void)
++{
++ fips_rsa_pairwise_fail = 1;
++}
++
++int fips_check_rsa(RSA *rsa)
++{
++ const unsigned char tbs[] = "RSA Pairwise Check Data";
++ unsigned char *ctbuf = NULL, *ptbuf = NULL;
++ int len, ret = 0;
++ EVP_PKEY *pk;
++
++ if ((pk = EVP_PKEY_new()) == NULL)
++ goto err;
++
++ EVP_PKEY_set1_RSA(pk, rsa);
++
++ /* Perform pairwise consistency signature test */
++ if (!fips_pkey_signature_test(pk, tbs, -1,
++ NULL, 0, EVP_sha1(),
++ EVP_MD_CTX_FLAG_PAD_PKCS1, NULL)
++ || !fips_pkey_signature_test(pk, tbs, -1, NULL, 0, EVP_sha1(),
++ EVP_MD_CTX_FLAG_PAD_X931, NULL)
++ || !fips_pkey_signature_test(pk, tbs, -1, NULL, 0, EVP_sha1(),
++ EVP_MD_CTX_FLAG_PAD_PSS, NULL))
++ goto err;
++ /* Now perform pairwise consistency encrypt/decrypt test */
++ ctbuf = OPENSSL_malloc(RSA_size(rsa));
++ if (!ctbuf)
++ goto err;
++
++ len =
++ RSA_public_encrypt(sizeof(tbs) - 1, tbs, ctbuf, rsa,
++ RSA_PKCS1_PADDING);
++ if (len <= 0)
++ goto err;
++ /* Check ciphertext doesn't match plaintext */
++ if ((len == (sizeof(tbs) - 1)) && !memcmp(tbs, ctbuf, len))
++ goto err;
++ ptbuf = OPENSSL_malloc(RSA_size(rsa));
++
++ if (!ptbuf)
++ goto err;
++ len = RSA_private_decrypt(len, ctbuf, ptbuf, rsa, RSA_PKCS1_PADDING);
++ if (len != (sizeof(tbs) - 1))
++ goto err;
++ if (memcmp(ptbuf, tbs, len))
++ goto err;
++
++ ret = 1;
++
++ if (!ptbuf)
++ goto err;
++
++ err:
++ if (ret == 0) {
++ fips_set_selftest_fail();
++ FIPSerr(FIPS_F_FIPS_CHECK_RSA, FIPS_R_PAIRWISE_TEST_FAILED);
++ }
++
++ if (ctbuf)
++ OPENSSL_free(ctbuf);
++ if (ptbuf)
++ OPENSSL_free(ptbuf);
++ if (pk)
++ EVP_PKEY_free(pk);
++
++ return ret;
++}
+ #endif
+
+ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
+@@ -86,7 +158,7 @@ static int rsa_builtin_keygen(RSA *rsa,
+ int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
+ {
+ #ifdef OPENSSL_FIPS
+- if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
++ if (FIPS_module_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
+ && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
+ RSAerr(RSA_F_RSA_GENERATE_KEY_EX, RSA_R_NON_FIPS_RSA_METHOD);
+ return 0;
+@@ -94,10 +166,6 @@ int RSA_generate_key_ex(RSA *rsa, int bi
+ #endif
+ if (rsa->meth->rsa_keygen)
+ return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode())
+- return FIPS_rsa_x931_generate_key_ex(rsa, bits, e_value, cb);
+-#endif
+ return rsa_builtin_keygen(rsa, bits, e_value, cb);
+ }
+
+@@ -110,6 +178,20 @@ static int rsa_builtin_keygen(RSA *rsa,
+ int bitsp, bitsq, ok = -1, n = 0;
+ BN_CTX *ctx = NULL;
+
++#ifdef OPENSSL_FIPS
++ if (FIPS_module_mode()) {
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN, FIPS_R_FIPS_SELFTEST_FAILED);
++ return 0;
++ }
++
++ if (bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS) {
++ FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN, FIPS_R_KEY_TOO_SHORT);
++ return 0;
++ }
++ }
++#endif
++
+ ctx = BN_CTX_new();
+ if (ctx == NULL)
+ goto err;
+@@ -235,6 +317,16 @@ static int rsa_builtin_keygen(RSA *rsa,
+ if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx))
+ goto err;
+
++#ifdef OPENSSL_FIPS
++ if (FIPS_module_mode()) {
++ if (fips_rsa_pairwise_fail)
++ BN_add_word(rsa->n, 1);
++
++ if (!fips_check_rsa(rsa))
++ goto err;
++ }
++#endif
++
+ ok = 1;
+ err:
+ if (ok == -1) {
+diff -up openssl-1.0.2i/crypto/rsa/rsa.h.fips openssl-1.0.2i/crypto/rsa/rsa.h
+--- openssl-1.0.2i/crypto/rsa/rsa.h.fips 2016-09-22 13:35:56.906218439 +0200
++++ openssl-1.0.2i/crypto/rsa/rsa.h 2016-09-22 13:35:57.022221112 +0200
+@@ -168,6 +168,8 @@ struct rsa_st {
+ # define OPENSSL_RSA_MAX_MODULUS_BITS 16384
+ # endif
+
++# define OPENSSL_RSA_FIPS_MIN_MODULUS_BITS 1024
++
+ # ifndef OPENSSL_RSA_SMALL_MODULUS_BITS
+ # define OPENSSL_RSA_SMALL_MODULUS_BITS 3072
+ # endif
+@@ -329,6 +331,13 @@ RSA *RSA_generate_key(int bits, unsigned
+
+ /* New version */
+ int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
++int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1,
++ BIGNUM *q2, const BIGNUM *Xp1, const BIGNUM *Xp2,
++ const BIGNUM *Xp, const BIGNUM *Xq1,
++ const BIGNUM *Xq2, const BIGNUM *Xq,
++ const BIGNUM *e, BN_GENCB *cb);
++int RSA_X931_generate_key_ex(RSA *rsa, int bits, const BIGNUM *e,
++ BN_GENCB *cb);
+
+ int RSA_check_key(const RSA *);
+ /* next 4 return -1 on error */
+@@ -538,7 +547,7 @@ void ERR_load_RSA_strings(void);
+ # define RSA_F_RSA_ALGOR_TO_MD 157
+ # define RSA_F_RSA_BUILTIN_KEYGEN 129
+ # define RSA_F_RSA_CHECK_KEY 123
+-# define RSA_F_RSA_CMS_DECRYPT 158
++# define RSA_F_RSA_CMS_DECRYPT 258
+ # define RSA_F_RSA_EAY_PRIVATE_DECRYPT 101
+ # define RSA_F_RSA_EAY_PRIVATE_ENCRYPT 102
+ # define RSA_F_RSA_EAY_PUBLIC_DECRYPT 103
+@@ -559,7 +568,7 @@ void ERR_load_RSA_strings(void);
+ # define RSA_F_RSA_PADDING_ADD_PKCS1_OAEP 121
+ # define RSA_F_RSA_PADDING_ADD_PKCS1_OAEP_MGF1 160
+ # define RSA_F_RSA_PADDING_ADD_PKCS1_PSS 125
+-# define RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1 148
++# define RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1 158
+ # define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1 108
+ # define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2 109
+ # define RSA_F_RSA_PADDING_ADD_SSLV23 110
+@@ -573,21 +582,23 @@ void ERR_load_RSA_strings(void);
+ # define RSA_F_RSA_PADDING_CHECK_X931 128
+ # define RSA_F_RSA_PRINT 115
+ # define RSA_F_RSA_PRINT_FP 116
+-# define RSA_F_RSA_PRIVATE_DECRYPT 150
+-# define RSA_F_RSA_PRIVATE_ENCRYPT 151
++# define RSA_F_RSA_PRIVATE_DECRYPT 157
++# define RSA_F_RSA_PRIVATE_ENCRYPT 148
+ # define RSA_F_RSA_PRIV_DECODE 137
+ # define RSA_F_RSA_PRIV_ENCODE 138
+ # define RSA_F_RSA_PSS_TO_CTX 162
+-# define RSA_F_RSA_PUBLIC_DECRYPT 152
++# define RSA_F_RSA_PUBLIC_DECRYPT 149
+ # define RSA_F_RSA_PUBLIC_ENCRYPT 153
+ # define RSA_F_RSA_PUB_DECODE 139
+ # define RSA_F_RSA_SETUP_BLINDING 136
++# define RSA_F_RSA_SET_DEFAULT_METHOD 150
++# define RSA_F_RSA_SET_METHOD 151
+ # define RSA_F_RSA_SIGN 117
+ # define RSA_F_RSA_SIGN_ASN1_OCTET_STRING 118
+ # define RSA_F_RSA_VERIFY 119
+ # define RSA_F_RSA_VERIFY_ASN1_OCTET_STRING 120
+ # define RSA_F_RSA_VERIFY_PKCS1_PSS 126
+-# define RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1 149
++# define RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1 152
+
+ /* Reason codes. */
+ # define RSA_R_ALGORITHM_MISMATCH 100
+@@ -620,21 +631,22 @@ void ERR_load_RSA_strings(void);
+ # define RSA_R_INVALID_OAEP_PARAMETERS 162
+ # define RSA_R_INVALID_PADDING 138
+ # define RSA_R_INVALID_PADDING_MODE 141
+-# define RSA_R_INVALID_PSS_PARAMETERS 149
++# define RSA_R_INVALID_PSS_PARAMETERS 157
+ # define RSA_R_INVALID_PSS_SALTLEN 146
+-# define RSA_R_INVALID_SALT_LENGTH 150
++# define RSA_R_INVALID_SALT_LENGTH 158
+ # define RSA_R_INVALID_TRAILER 139
+ # define RSA_R_INVALID_X931_DIGEST 142
+ # define RSA_R_IQMP_NOT_INVERSE_OF_Q 126
+ # define RSA_R_KEY_SIZE_TOO_SMALL 120
+ # define RSA_R_LAST_OCTET_INVALID 134
+ # define RSA_R_MODULUS_TOO_LARGE 105
+-# define RSA_R_NON_FIPS_RSA_METHOD 157
++# define RSA_R_NON_FIPS_RSA_METHOD 149
++# define RSA_R_NON_FIPS_METHOD 149
+ # define RSA_R_NO_PUBLIC_EXPONENT 140
+ # define RSA_R_NULL_BEFORE_BLOCK_MISSING 113
+ # define RSA_R_N_DOES_NOT_EQUAL_P_Q 127
+ # define RSA_R_OAEP_DECODING_ERROR 121
+-# define RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE 158
++# define RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE 150
+ # define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148
+ # define RSA_R_PADDING_CHECK_FAILED 114
+ # define RSA_R_PKCS_DECODING_ERROR 159
+diff -up openssl-1.0.2i/crypto/rsa/rsa_lib.c.fips openssl-1.0.2i/crypto/rsa/rsa_lib.c
+--- openssl-1.0.2i/crypto/rsa/rsa_lib.c.fips 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/rsa/rsa_lib.c 2016-09-22 13:35:57.022221112 +0200
+@@ -84,23 +84,22 @@ RSA *RSA_new(void)
+
+ void RSA_set_default_method(const RSA_METHOD *meth)
+ {
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode() && !(meth->flags & RSA_FLAG_FIPS_METHOD)) {
++ RSAerr(RSA_F_RSA_SET_DEFAULT_METHOD, RSA_R_NON_FIPS_METHOD);
++ return;
++ }
++#endif
+ default_RSA_meth = meth;
+ }
+
+ const RSA_METHOD *RSA_get_default_method(void)
+ {
+ if (default_RSA_meth == NULL) {
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode())
+- return FIPS_rsa_pkcs1_ssleay();
+- else
+- return RSA_PKCS1_SSLeay();
+-#else
+-# ifdef RSA_NULL
++#ifdef RSA_NULL
+ default_RSA_meth = RSA_null_method();
+-# else
++#else
+ default_RSA_meth = RSA_PKCS1_SSLeay();
+-# endif
+ #endif
+ }
+
+@@ -119,6 +118,12 @@ int RSA_set_method(RSA *rsa, const RSA_M
+ * to deal with which ENGINE it comes from.
+ */
+ const RSA_METHOD *mtmp;
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode() && !(meth->flags & RSA_FLAG_FIPS_METHOD)) {
++ RSAerr(RSA_F_RSA_SET_METHOD, RSA_R_NON_FIPS_METHOD);
++ return 0;
++ }
++#endif
+ mtmp = rsa->meth;
+ if (mtmp->finish)
+ mtmp->finish(rsa);
+@@ -166,6 +171,17 @@ RSA *RSA_new_method(ENGINE *engine)
+ }
+ }
+ #endif
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode() && !(ret->meth->flags & RSA_FLAG_FIPS_METHOD)) {
++ RSAerr(RSA_F_RSA_NEW_METHOD, RSA_R_NON_FIPS_METHOD);
++# ifndef OPENSSL_NO_ENGINE
++ if (ret->engine)
++ ENGINE_finish(ret->engine);
++# endif
++ OPENSSL_free(ret);
++ return NULL;
++ }
++#endif
+
+ ret->pad = 0;
+ ret->version = 0;
+@@ -184,7 +200,7 @@ RSA *RSA_new_method(ENGINE *engine)
+ ret->blinding = NULL;
+ ret->mt_blinding = NULL;
+ ret->bignum_data = NULL;
+- ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW;
++ ret->flags = ret->meth->flags;
+ if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) {
+ #ifndef OPENSSL_NO_ENGINE
+ if (ret->engine)
+diff -up openssl-1.0.2i/crypto/rsa/rsa_pmeth.c.fips openssl-1.0.2i/crypto/rsa/rsa_pmeth.c
+--- openssl-1.0.2i/crypto/rsa/rsa_pmeth.c.fips 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/rsa/rsa_pmeth.c 2016-09-22 13:35:57.022221112 +0200
+@@ -228,20 +228,6 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *c
+ RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_INVALID_DIGEST_LENGTH);
+ return -1;
+ }
+-#ifdef OPENSSL_FIPS
+- if (ret > 0) {
+- unsigned int slen;
+- ret = FIPS_rsa_sign_digest(rsa, tbs, tbslen, rctx->md,
+- rctx->pad_mode,
+- rctx->saltlen,
+- rctx->mgf1md, sig, &slen);
+- if (ret > 0)
+- *siglen = slen;
+- else
+- *siglen = 0;
+- return ret;
+- }
+-#endif
+
+ if (EVP_MD_type(rctx->md) == NID_mdc2) {
+ unsigned int sltmp;
+@@ -359,17 +345,6 @@ static int pkey_rsa_verify(EVP_PKEY_CTX
+ }
+ #endif
+ if (rctx->md) {
+-#ifdef OPENSSL_FIPS
+- if (rv > 0) {
+- return FIPS_rsa_verify_digest(rsa,
+- tbs, tbslen,
+- rctx->md,
+- rctx->pad_mode,
+- rctx->saltlen,
+- rctx->mgf1md, sig, siglen);
+-
+- }
+-#endif
+ if (rctx->pad_mode == RSA_PKCS1_PADDING)
+ return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen,
+ sig, siglen, rsa);
+diff -up openssl-1.0.2i/crypto/rsa/rsa_sign.c.fips openssl-1.0.2i/crypto/rsa/rsa_sign.c
+--- openssl-1.0.2i/crypto/rsa/rsa_sign.c.fips 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/rsa/rsa_sign.c 2016-09-22 13:35:57.023221135 +0200
+@@ -132,7 +132,10 @@ int RSA_sign(int type, const unsigned ch
+ i2d_X509_SIG(&sig, &p);
+ s = tmps;
+ }
+- i = RSA_private_encrypt(i, s, sigret, rsa, RSA_PKCS1_PADDING);
++ /* NB: call underlying method directly to avoid FIPS blocking */
++ i = rsa->meth->rsa_priv_enc ? rsa->meth->rsa_priv_enc(i, s, sigret, rsa,
++ RSA_PKCS1_PADDING) :
++ 0;
+ if (i <= 0)
+ ret = 0;
+ else
+@@ -188,8 +191,10 @@ int int_rsa_verify(int dtype, const unsi
+ }
+
+ if ((dtype == NID_md5_sha1) && rm) {
+- i = RSA_public_decrypt((int)siglen,
+- sigbuf, rm, rsa, RSA_PKCS1_PADDING);
++ i = rsa->meth->rsa_pub_dec ? rsa->meth->rsa_pub_dec((int)siglen,
++ sigbuf, rm, rsa,
++ RSA_PKCS1_PADDING)
++ : 0;
+ if (i <= 0)
+ return 0;
+ *prm_len = i;
+@@ -205,7 +210,11 @@ int int_rsa_verify(int dtype, const unsi
+ RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_INVALID_MESSAGE_LENGTH);
+ goto err;
+ }
+- i = RSA_public_decrypt((int)siglen, sigbuf, s, rsa, RSA_PKCS1_PADDING);
++ /* NB: call underlying method directly to avoid FIPS blocking */
++ i = rsa->meth->rsa_pub_dec ? rsa->meth->rsa_pub_dec((int)siglen, sigbuf,
++ s, rsa,
++ RSA_PKCS1_PADDING) :
++ 0;
+
+ if (i <= 0)
+ goto err;
+diff -up openssl-1.0.2i/crypto/sha/sha.h.fips openssl-1.0.2i/crypto/sha/sha.h
+--- openssl-1.0.2i/crypto/sha/sha.h.fips 2016-09-22 13:35:56.699213667 +0200
++++ openssl-1.0.2i/crypto/sha/sha.h 2016-09-22 13:35:57.023221135 +0200
+@@ -105,9 +105,6 @@ typedef struct SHAstate_st {
+ } SHA_CTX;
+
+ # ifndef OPENSSL_NO_SHA0
+-# ifdef OPENSSL_FIPS
+-int private_SHA_Init(SHA_CTX *c);
+-# endif
+ int SHA_Init(SHA_CTX *c);
+ int SHA_Update(SHA_CTX *c, const void *data, size_t len);
+ int SHA_Final(unsigned char *md, SHA_CTX *c);
+@@ -115,9 +112,6 @@ unsigned char *SHA(const unsigned char *
+ void SHA_Transform(SHA_CTX *c, const unsigned char *data);
+ # endif
+ # ifndef OPENSSL_NO_SHA1
+-# ifdef OPENSSL_FIPS
+-int private_SHA1_Init(SHA_CTX *c);
+-# endif
+ int SHA1_Init(SHA_CTX *c);
+ int SHA1_Update(SHA_CTX *c, const void *data, size_t len);
+ int SHA1_Final(unsigned char *md, SHA_CTX *c);
+@@ -139,10 +133,6 @@ typedef struct SHA256state_st {
+ } SHA256_CTX;
+
+ # ifndef OPENSSL_NO_SHA256
+-# ifdef OPENSSL_FIPS
+-int private_SHA224_Init(SHA256_CTX *c);
+-int private_SHA256_Init(SHA256_CTX *c);
+-# endif
+ int SHA224_Init(SHA256_CTX *c);
+ int SHA224_Update(SHA256_CTX *c, const void *data, size_t len);
+ int SHA224_Final(unsigned char *md, SHA256_CTX *c);
+@@ -192,10 +182,6 @@ typedef struct SHA512state_st {
+ # endif
+
+ # ifndef OPENSSL_NO_SHA512
+-# ifdef OPENSSL_FIPS
+-int private_SHA384_Init(SHA512_CTX *c);
+-int private_SHA512_Init(SHA512_CTX *c);
+-# endif
+ int SHA384_Init(SHA512_CTX *c);
+ int SHA384_Update(SHA512_CTX *c, const void *data, size_t len);
+ int SHA384_Final(unsigned char *md, SHA512_CTX *c);
+diff -up openssl-1.0.2i/crypto/sha/sha_locl.h.fips openssl-1.0.2i/crypto/sha/sha_locl.h
+--- openssl-1.0.2i/crypto/sha/sha_locl.h.fips 2016-09-22 13:35:56.702213737 +0200
++++ openssl-1.0.2i/crypto/sha/sha_locl.h 2016-09-22 13:35:57.023221135 +0200
+@@ -123,11 +123,14 @@ void sha1_block_data_order(SHA_CTX *c, c
+ #define INIT_DATA_h4 0xc3d2e1f0UL
+
+ #ifdef SHA_0
+-fips_md_init(SHA)
++nonfips_md_init(SHA)
+ #else
+ fips_md_init_ctx(SHA1, SHA)
+ #endif
+ {
++#if defined(SHA_1) && defined(OPENSSL_FIPS)
++ FIPS_selftest_check();
++#endif
+ memset(c, 0, sizeof(*c));
+ c->h0 = INIT_DATA_h0;
+ c->h1 = INIT_DATA_h1;
+diff -up openssl-1.0.2i/crypto/sha/sha256.c.fips openssl-1.0.2i/crypto/sha/sha256.c
+--- openssl-1.0.2i/crypto/sha/sha256.c.fips 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/sha/sha256.c 2016-09-22 13:35:57.023221135 +0200
+@@ -12,12 +12,19 @@
+
+ # include <openssl/crypto.h>
+ # include <openssl/sha.h>
++# ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++# endif
++
+ # include <openssl/opensslv.h>
+
+ const char SHA256_version[] = "SHA-256" OPENSSL_VERSION_PTEXT;
+
+ fips_md_init_ctx(SHA224, SHA256)
+ {
++# ifdef OPENSSL_FIPS
++ FIPS_selftest_check();
++# endif
+ memset(c, 0, sizeof(*c));
+ c->h[0] = 0xc1059ed8UL;
+ c->h[1] = 0x367cd507UL;
+@@ -33,6 +40,9 @@ fips_md_init_ctx(SHA224, SHA256)
+
+ fips_md_init(SHA256)
+ {
++# ifdef OPENSSL_FIPS
++ FIPS_selftest_check();
++# endif
+ memset(c, 0, sizeof(*c));
+ c->h[0] = 0x6a09e667UL;
+ c->h[1] = 0xbb67ae85UL;
+diff -up openssl-1.0.2i/crypto/sha/sha512.c.fips openssl-1.0.2i/crypto/sha/sha512.c
+--- openssl-1.0.2i/crypto/sha/sha512.c.fips 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/sha/sha512.c 2016-09-22 13:35:57.023221135 +0200
+@@ -5,6 +5,10 @@
+ * ====================================================================
+ */
+ #include <openssl/opensslconf.h>
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
++
+ #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA512)
+ /*-
+ * IMPLEMENTATION NOTES.
+@@ -62,6 +66,9 @@ const char SHA512_version[] = "SHA-512"
+
+ fips_md_init_ctx(SHA384, SHA512)
+ {
++# ifdef OPENSSL_FIPS
++ FIPS_selftest_check();
++# endif
+ c->h[0] = U64(0xcbbb9d5dc1059ed8);
+ c->h[1] = U64(0x629a292a367cd507);
+ c->h[2] = U64(0x9159015a3070dd17);
+@@ -80,6 +87,9 @@ fips_md_init_ctx(SHA384, SHA512)
+
+ fips_md_init(SHA512)
+ {
++# ifdef OPENSSL_FIPS
++ FIPS_selftest_check();
++# endif
+ c->h[0] = U64(0x6a09e667f3bcc908);
+ c->h[1] = U64(0xbb67ae8584caa73b);
+ c->h[2] = U64(0x3c6ef372fe94f82b);
+diff -up openssl-1.0.2i/crypto/whrlpool/wp_dgst.c.fips openssl-1.0.2i/crypto/whrlpool/wp_dgst.c
+--- openssl-1.0.2i/crypto/whrlpool/wp_dgst.c.fips 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/whrlpool/wp_dgst.c 2016-09-22 13:35:57.023221135 +0200
+@@ -56,7 +56,7 @@
+ #include <openssl/crypto.h>
+ #include <string.h>
+
+-fips_md_init(WHIRLPOOL)
++nonfips_md_init(WHIRLPOOL)
+ {
+ memset(c, 0, sizeof(*c));
+ return (1);
+diff -up openssl-1.0.2i/Makefile.org.fips openssl-1.0.2i/Makefile.org
+--- openssl-1.0.2i/Makefile.org.fips 2016-09-22 13:35:56.996220513 +0200
++++ openssl-1.0.2i/Makefile.org 2016-09-22 13:35:57.023221135 +0200
+@@ -138,6 +138,9 @@ FIPSCANLIB=
+
+ BASEADDR=
+
++# Non-empty if FIPS enabled
++FIPS=
++
+ DIRS= crypto ssl engines apps test tools
+ ENGDIRS= ccgost
+ SHLIBDIRS= crypto ssl
+@@ -150,7 +153,7 @@ SDIRS= \
+ bn ec rsa dsa ecdsa dh ecdh dso engine \
+ buffer bio stack lhash rand err \
+ evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5 \
+- cms pqueue ts jpake srp store cmac
++ cms pqueue ts jpake srp store cmac fips
+ # keep in mind that the above list is adjusted by ./Configure
+ # according to no-xxx arguments...
+
+@@ -241,6 +244,7 @@ BUILDENV= LC_ALL=C PLATFORM='$(PLATFORM)
+ FIPSLIBDIR='${FIPSLIBDIR}' \
+ FIPSDIR='${FIPSDIR}' \
+ FIPSCANLIB="$${FIPSCANLIB:-$(FIPSCANLIB)}" \
++ FIPS="$${FIPS:-$(FIPS)}" \
+ THIS=$${THIS:-$@} MAKEFILE=Makefile MAKEOVERRIDES=
+ # MAKEOVERRIDES= effectively "equalizes" GNU-ish and SysV-ish make flavors,
+ # which in turn eliminates ambiguities in variable treatment with -e.
+diff -up openssl-1.0.2i/ssl/ssl_algs.c.fips openssl-1.0.2i/ssl/ssl_algs.c
+--- openssl-1.0.2i/ssl/ssl_algs.c.fips 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/ssl/ssl_algs.c 2016-09-22 13:35:57.024221158 +0200
+@@ -64,6 +64,11 @@
+ int SSL_library_init(void)
+ {
+
++#ifdef OPENSSL_FIPS
++ OPENSSL_init_library();
++ if (!FIPS_mode()) {
++#endif
++
+ #ifndef OPENSSL_NO_DES
+ EVP_add_cipher(EVP_des_cbc());
+ EVP_add_cipher(EVP_des_ede3_cbc());
+@@ -142,6 +147,48 @@ int SSL_library_init(void)
+ EVP_add_digest(EVP_sha());
+ EVP_add_digest(EVP_dss());
+ #endif
++#ifdef OPENSSL_FIPS
++ } else {
++# ifndef OPENSSL_NO_DES
++ EVP_add_cipher(EVP_des_ede3_cbc());
++# endif
++# ifndef OPENSSL_NO_AES
++ EVP_add_cipher(EVP_aes_128_cbc());
++ EVP_add_cipher(EVP_aes_192_cbc());
++ EVP_add_cipher(EVP_aes_256_cbc());
++ EVP_add_cipher(EVP_aes_128_gcm());
++ EVP_add_cipher(EVP_aes_256_gcm());
++# endif
++# ifndef OPENSSL_NO_MD5
++ /* needed even in the FIPS mode for TLS MAC */
++ EVP_add_digest(EVP_md5());
++ EVP_add_digest_alias(SN_md5, "ssl2-md5");
++ EVP_add_digest_alias(SN_md5, "ssl3-md5");
++# endif
++# ifndef OPENSSL_NO_SHA
++ EVP_add_digest(EVP_sha1()); /* RSA with sha1 */
++ EVP_add_digest_alias(SN_sha1, "ssl3-sha1");
++ EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA);
++# endif
++# ifndef OPENSSL_NO_SHA256
++ EVP_add_digest(EVP_sha224());
++ EVP_add_digest(EVP_sha256());
++# endif
++# ifndef OPENSSL_NO_SHA512
++ EVP_add_digest(EVP_sha384());
++ EVP_add_digest(EVP_sha512());
++# endif
++# if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA)
++ EVP_add_digest(EVP_dss1()); /* DSA with sha1 */
++ EVP_add_digest_alias(SN_dsaWithSHA1, SN_dsaWithSHA1_2);
++ EVP_add_digest_alias(SN_dsaWithSHA1, "DSS1");
++ EVP_add_digest_alias(SN_dsaWithSHA1, "dss1");
++# endif
++# ifndef OPENSSL_NO_ECDSA
++ EVP_add_digest(EVP_ecdsa());
++# endif
++ }
++#endif
+ #ifndef OPENSSL_NO_COMP
+ /*
+ * This will initialise the built-in compression algorithms. The value
diff --git a/SOURCES/openssl-1.0.2i-secure-getenv.patch b/SOURCES/openssl-1.0.2i-secure-getenv.patch
new file mode 100644
index 0000000..da8728e
--- /dev/null
+++ b/SOURCES/openssl-1.0.2i-secure-getenv.patch
@@ -0,0 +1,241 @@
+diff -up openssl-1.0.2i/crypto/conf/conf_api.c.secure-getenv openssl-1.0.2i/crypto/conf/conf_api.c
+--- openssl-1.0.2i/crypto/conf/conf_api.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/conf/conf_api.c 2016-09-22 13:51:29.847742209 +0200
+@@ -63,6 +63,8 @@
+ # define NDEBUG
+ #endif
+
++/* for secure_getenv */
++#define _GNU_SOURCE
+ #include <assert.h>
+ #include <stdlib.h>
+ #include <string.h>
+@@ -141,7 +143,7 @@ char *_CONF_get_string(const CONF *conf,
+ if (v != NULL)
+ return (v->value);
+ if (strcmp(section, "ENV") == 0) {
+- p = getenv(name);
++ p = secure_getenv(name);
+ if (p != NULL)
+ return (p);
+ }
+@@ -154,7 +156,7 @@ char *_CONF_get_string(const CONF *conf,
+ else
+ return (NULL);
+ } else
+- return (getenv(name));
++ return (secure_getenv(name));
+ }
+
+ #if 0 /* There's no way to provide error checking
+diff -up openssl-1.0.2i/crypto/conf/conf_mod.c.secure-getenv openssl-1.0.2i/crypto/conf/conf_mod.c
+--- openssl-1.0.2i/crypto/conf/conf_mod.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/conf/conf_mod.c 2016-09-22 13:51:29.847742209 +0200
+@@ -57,6 +57,8 @@
+ *
+ */
+
++/* for secure_getenv */
++#define _GNU_SOURCE
+ #include <stdio.h>
+ #include <ctype.h>
+ #include <openssl/crypto.h>
+@@ -530,7 +532,7 @@ char *CONF_get1_default_config_file(void
+ char *file;
+ int len;
+
+- file = getenv("OPENSSL_CONF");
++ file = secure_getenv("OPENSSL_CONF");
+ if (file)
+ return BUF_strdup(file);
+
+diff -up openssl-1.0.2i/crypto/engine/eng_list.c.secure-getenv openssl-1.0.2i/crypto/engine/eng_list.c
+--- openssl-1.0.2i/crypto/engine/eng_list.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/engine/eng_list.c 2016-09-22 13:51:29.847742209 +0200
+@@ -62,6 +62,8 @@
+ * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
+ */
+
++/* for secure_getenv */
++#define _GNU_SOURCE
+ #include "eng_int.h"
+
+ /*
+@@ -369,10 +371,10 @@ ENGINE *ENGINE_by_id(const char *id)
+ */
+ if (strcmp(id, "dynamic")) {
+ # ifdef OPENSSL_SYS_VMS
+- if ((load_dir = getenv("OPENSSL_ENGINES")) == 0)
++ if (OPENSSL_issetugid() || (load_dir = getenv("OPENSSL_ENGINES")) == 0)
+ load_dir = "SSLROOT:[ENGINES]";
+ # else
+- if ((load_dir = getenv("OPENSSL_ENGINES")) == 0)
++ if ((load_dir = secure_getenv("OPENSSL_ENGINES")) == 0)
+ load_dir = ENGINESDIR;
+ # endif
+ iterator = ENGINE_by_id("dynamic");
+diff -up openssl-1.0.2i/crypto/md5/md5_dgst.c.secure-getenv openssl-1.0.2i/crypto/md5/md5_dgst.c
+--- openssl-1.0.2i/crypto/md5/md5_dgst.c.secure-getenv 2016-09-22 13:51:29.840742047 +0200
++++ openssl-1.0.2i/crypto/md5/md5_dgst.c 2016-09-22 13:51:29.847742209 +0200
+@@ -56,6 +56,8 @@
+ * [including the GNU Public Licence.]
+ */
+
++/* for secure_getenv */
++#define _GNU_SOURCE
+ #include <stdio.h>
+ #include "md5_locl.h"
+ #include <openssl/opensslv.h>
+@@ -75,7 +77,8 @@ const char MD5_version[] = "MD5" OPENSSL
+ int MD5_Init(MD5_CTX *c)
+ #ifdef OPENSSL_FIPS
+ {
+- if (FIPS_mode() && getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL)
++ if (FIPS_mode()
++ && secure_getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL)
+ OpenSSLDie(__FILE__, __LINE__, "Digest MD5 forbidden in FIPS mode!");
+ return private_MD5_Init(c);
+ }
+diff -up openssl-1.0.2i/crypto/o_init.c.secure-getenv openssl-1.0.2i/crypto/o_init.c
+--- openssl-1.0.2i/crypto/o_init.c.secure-getenv 2016-09-22 13:51:29.830741814 +0200
++++ openssl-1.0.2i/crypto/o_init.c 2016-09-22 13:51:30.046746834 +0200
+@@ -53,6 +53,8 @@
+ *
+ */
+
++/* for secure_getenv */
++#define _GNU_SOURCE
+ #include <e_os.h>
+ #include <openssl/err.h>
+ #ifdef OPENSSL_FIPS
+@@ -72,7 +74,7 @@ static void init_fips_mode(void)
+ char buf[2] = "0";
+ int fd;
+
+- if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
++ if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
+ buf[0] = '1';
+ } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
+ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
+diff -up openssl-1.0.2i/crypto/rand/randfile.c.secure-getenv openssl-1.0.2i/crypto/rand/randfile.c
+--- openssl-1.0.2i/crypto/rand/randfile.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/rand/randfile.c 2016-09-22 13:53:17.222237626 +0200
+@@ -55,6 +55,8 @@
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
++/* for secure_getenv */
++#define _GNU_SOURCE
+
+ #include <errno.h>
+ #include <stdio.h>
+@@ -327,14 +329,12 @@ const char *RAND_file_name(char *buf, si
+ struct stat sb;
+ #endif
+
+- if (OPENSSL_issetugid() == 0)
+- s = getenv("RANDFILE");
++ s = secure_getenv("RANDFILE");
+ if (s != NULL && *s && strlen(s) + 1 < size) {
+ if (BUF_strlcpy(buf, s, size) >= size)
+ return NULL;
+ } else {
+- if (OPENSSL_issetugid() == 0)
+- s = getenv("HOME");
++ s = secure_getenv("HOME");
+ #ifdef DEFAULT_HOME
+ if (s == NULL) {
+ s = DEFAULT_HOME;
+diff -up openssl-1.0.2i/crypto/x509/by_dir.c.secure-getenv openssl-1.0.2i/crypto/x509/by_dir.c
+--- openssl-1.0.2i/crypto/x509/by_dir.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/x509/by_dir.c 2016-09-22 13:51:30.047746858 +0200
+@@ -56,6 +56,8 @@
+ * [including the GNU Public Licence.]
+ */
+
++/* for secure_getenv */
++#define _GNU_SOURCE
+ #include <stdio.h>
+ #include <time.h>
+ #include <errno.h>
+@@ -128,7 +130,7 @@ static int dir_ctrl(X509_LOOKUP *ctx, in
+ switch (cmd) {
+ case X509_L_ADD_DIR:
+ if (argl == X509_FILETYPE_DEFAULT) {
+- dir = (char *)getenv(X509_get_default_cert_dir_env());
++ dir = (char *)secure_getenv(X509_get_default_cert_dir_env());
+ if (dir)
+ ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
+ else
+diff -up openssl-1.0.2i/crypto/x509/by_file.c.secure-getenv openssl-1.0.2i/crypto/x509/by_file.c
+--- openssl-1.0.2i/crypto/x509/by_file.c.secure-getenv 2016-09-22 13:51:29.812741396 +0200
++++ openssl-1.0.2i/crypto/x509/by_file.c 2016-09-22 13:51:30.047746858 +0200
+@@ -56,6 +56,8 @@
+ * [including the GNU Public Licence.]
+ */
+
++/* for secure_getenv */
++#define _GNU_SOURCE
+ #include <stdio.h>
+ #include <time.h>
+ #include <errno.h>
+@@ -97,7 +99,7 @@ static int by_file_ctrl(X509_LOOKUP *ctx
+ switch (cmd) {
+ case X509_L_FILE_LOAD:
+ if (argl == X509_FILETYPE_DEFAULT) {
+- file = (char *)getenv(X509_get_default_cert_file_env());
++ file = (char *)secure_getenv(X509_get_default_cert_file_env());
+ if (file)
+ ok = (X509_load_cert_crl_file(ctx, file,
+ X509_FILETYPE_PEM) != 0);
+diff -up openssl-1.0.2i/crypto/x509/x509_vfy.c.secure-getenv openssl-1.0.2i/crypto/x509/x509_vfy.c
+--- openssl-1.0.2i/crypto/x509/x509_vfy.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/crypto/x509/x509_vfy.c 2016-09-22 13:51:30.048746881 +0200
+@@ -56,6 +56,8 @@
+ * [including the GNU Public Licence.]
+ */
+
++/* for secure_getenv */
++#define _GNU_SOURCE
+ #include <stdio.h>
+ #include <time.h>
+ #include <errno.h>
+@@ -620,7 +622,7 @@ static int check_chain_extensions(X509_S
+ * A hack to keep people who don't want to modify their software
+ * happy
+ */
+- if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))
++ if (secure_getenv("OPENSSL_ALLOW_PROXY_CERTS"))
+ allow_proxy_certs = 1;
+ purpose = ctx->param->purpose;
+ }
+diff -up openssl-1.0.2i/engines/ccgost/gost_ctl.c.secure-getenv openssl-1.0.2i/engines/ccgost/gost_ctl.c
+--- openssl-1.0.2i/engines/ccgost/gost_ctl.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/engines/ccgost/gost_ctl.c 2016-09-22 13:51:30.048746881 +0200
+@@ -6,6 +6,8 @@
+ * Implementation of control commands for GOST engine *
+ * OpenSSL 0.9.9 libraries required *
+ **********************************************************************/
++/* for secure_getenv */
++#define _GNU_SOURCE
+ #include <stdlib.h>
+ #include <string.h>
+ #include <openssl/crypto.h>
+@@ -64,7 +66,7 @@ const char *get_gost_engine_param(int pa
+ if (gost_params[param] != NULL) {
+ return gost_params[param];
+ }
+- tmp = getenv(gost_envnames[param]);
++ tmp = secure_getenv(gost_envnames[param]);
+ if (tmp) {
+ if (gost_params[param])
+ OPENSSL_free(gost_params[param]);
+@@ -79,7 +81,7 @@ int gost_set_default_param(int param, co
+ const char *tmp;
+ if (param < 0 || param > GOST_PARAM_MAX)
+ return 0;
+- tmp = getenv(gost_envnames[param]);
++ tmp = secure_getenv(gost_envnames[param]);
+ /*
+ * if there is value in the environment, use it, else -passed string *
+ */
diff --git a/SOURCES/openssl-1.0.2i-trusted-first-doc.patch b/SOURCES/openssl-1.0.2i-trusted-first-doc.patch
new file mode 100644
index 0000000..12ea01e
--- /dev/null
+++ b/SOURCES/openssl-1.0.2i-trusted-first-doc.patch
@@ -0,0 +1,286 @@
+diff -up openssl-1.0.2i/apps/cms.c.trusted-first openssl-1.0.2i/apps/cms.c
+--- openssl-1.0.2i/apps/cms.c.trusted-first 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/apps/cms.c 2016-09-22 14:01:27.436630359 +0200
+@@ -646,6 +646,8 @@ int MAIN(int argc, char **argv)
+ "-CApath dir trusted certificates directory\n");
+ BIO_printf(bio_err, "-CAfile file trusted certificates file\n");
+ BIO_printf(bio_err,
++ "-trusted_first use trusted certificates first when building the trust chain\n");
++ BIO_printf(bio_err,
+ "-no_alt_chains only ever use the first certificate chain found\n");
+ BIO_printf(bio_err,
+ "-crl_check check revocation status of signer's certificate using CRLs\n");
+diff -up openssl-1.0.2i/apps/ocsp.c.trusted-first openssl-1.0.2i/apps/ocsp.c
+--- openssl-1.0.2i/apps/ocsp.c.trusted-first 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/apps/ocsp.c 2016-09-22 14:01:27.436630359 +0200
+@@ -537,6 +537,8 @@ int MAIN(int argc, char **argv)
+ BIO_printf(bio_err,
+ "-CAfile file trusted certificates file\n");
+ BIO_printf(bio_err,
++ "-trusted_first use trusted certificates first when building the trust chain\n");
++ BIO_printf(bio_err,
+ "-no_alt_chains only ever use the first certificate chain found\n");
+ BIO_printf(bio_err,
+ "-VAfile file validator certificates file\n");
+diff -up openssl-1.0.2i/apps/s_client.c.trusted-first openssl-1.0.2i/apps/s_client.c
+--- openssl-1.0.2i/apps/s_client.c.trusted-first 2016-09-22 14:01:27.402629569 +0200
++++ openssl-1.0.2i/apps/s_client.c 2016-09-22 14:01:27.436630359 +0200
+@@ -330,6 +330,8 @@ static void sc_usage(void)
+ BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n");
+ BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n");
+ BIO_printf(bio_err,
++ " -trusted_first - Use trusted CA's first when building the trust chain\n");
++ BIO_printf(bio_err,
+ " -no_alt_chains - only ever use the first certificate chain found\n");
+ BIO_printf(bio_err,
+ " -reconnect - Drop and re-make the connection with the same Session-ID\n");
+diff -up openssl-1.0.2i/apps/smime.c.trusted-first openssl-1.0.2i/apps/smime.c
+--- openssl-1.0.2i/apps/smime.c.trusted-first 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/apps/smime.c 2016-09-22 14:01:27.436630359 +0200
+@@ -442,6 +442,8 @@ int MAIN(int argc, char **argv)
+ "-CApath dir trusted certificates directory\n");
+ BIO_printf(bio_err, "-CAfile file trusted certificates file\n");
+ BIO_printf(bio_err,
++ "-trusted_first use trusted certificates first when building the trust chain\n");
++ BIO_printf(bio_err,
+ "-no_alt_chains only ever use the first certificate chain found\n");
+ BIO_printf(bio_err,
+ "-crl_check check revocation status of signer's certificate using CRLs\n");
+diff -up openssl-1.0.2i/apps/s_server.c.trusted-first openssl-1.0.2i/apps/s_server.c
+--- openssl-1.0.2i/apps/s_server.c.trusted-first 2016-09-22 14:01:27.374628918 +0200
++++ openssl-1.0.2i/apps/s_server.c 2016-09-22 14:01:27.437630382 +0200
+@@ -571,6 +571,8 @@ static void sv_usage(void)
+ BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n");
+ BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n");
+ BIO_printf(bio_err,
++ " -trusted_first - Use trusted CA's first when building the trust chain\n");
++ BIO_printf(bio_err,
+ " -no_alt_chains - only ever use the first certificate chain found\n");
+ BIO_printf(bio_err,
+ " -nocert - Don't use any certificates (Anon-DH)\n");
+diff -up openssl-1.0.2i/apps/s_time.c.trusted-first openssl-1.0.2i/apps/s_time.c
+--- openssl-1.0.2i/apps/s_time.c.trusted-first 2016-09-22 14:01:27.368628779 +0200
++++ openssl-1.0.2i/apps/s_time.c 2016-09-22 14:01:27.437630382 +0200
+@@ -182,6 +182,7 @@ static void s_time_usage(void)
+ file if not specified by this option\n\
+ -CApath arg - PEM format directory of CA's\n\
+ -CAfile arg - PEM format file of CA's\n\
++-trusted_first - Use trusted CA's first when building the trust chain\n\
+ -cipher - preferred cipher to use, play with 'openssl ciphers'\n\n";
+
+ printf("usage: s_time <args>\n\n");
+diff -up openssl-1.0.2i/apps/ts.c.trusted-first openssl-1.0.2i/apps/ts.c
+--- openssl-1.0.2i/apps/ts.c.trusted-first 2016-09-22 14:01:27.400629522 +0200
++++ openssl-1.0.2i/apps/ts.c 2016-09-22 14:01:27.437630382 +0200
+@@ -352,7 +352,7 @@ int MAIN(int argc, char **argv)
+ "ts -verify [-data file_to_hash] [-digest digest_bytes] "
+ "[-queryfile request.tsq] "
+ "-in response.tsr [-token_in] "
+- "-CApath ca_path -CAfile ca_file.pem "
++ "-CApath ca_path -CAfile ca_file.pem -trusted_first"
+ "-untrusted cert_file.pem\n");
+ cleanup:
+ /* Clean up. */
+diff -up openssl-1.0.2i/apps/verify.c.trusted-first openssl-1.0.2i/apps/verify.c
+--- openssl-1.0.2i/apps/verify.c.trusted-first 2016-09-22 14:01:27.438630405 +0200
++++ openssl-1.0.2i/apps/verify.c 2016-09-22 14:02:37.951269140 +0200
+@@ -231,7 +231,7 @@ int MAIN(int argc, char **argv)
+ usage:
+ if (ret == 1) {
+ BIO_printf(bio_err,
+- "usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]");
++ "usage: verify [-verbose] [-CApath path] [-CAfile file] [-trusted_first] [-purpose purpose] [-crl_check]");
+ BIO_printf(bio_err, " [-no_alt_chains] [-attime timestamp]");
+ #ifndef OPENSSL_NO_ENGINE
+ BIO_printf(bio_err, " [-engine e]");
+diff -up openssl-1.0.2i/doc/apps/cms.pod.trusted-first openssl-1.0.2i/doc/apps/cms.pod
+--- openssl-1.0.2i/doc/apps/cms.pod.trusted-first 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/doc/apps/cms.pod 2016-09-22 14:01:27.438630405 +0200
+@@ -35,6 +35,7 @@ B<openssl> B<cms>
+ [B<-print>]
+ [B<-CAfile file>]
+ [B<-CApath dir>]
++[B<-trusted_first>]
+ [B<-no_alt_chains>]
+ [B<-md digest>]
+ [B<-[cipher]>]
+@@ -248,6 +249,12 @@ B<-verify>. This directory must be a sta
+ is a hash of each subject name (using B<x509 -hash>) should be linked
+ to each certificate.
+
++=item B<-trusted_first>
++
++Use certificates in CA file or CA directory before untrusted certificates
++from the message when building the trust chain to verify certificates.
++This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
++
+ =item B<-md digest>
+
+ digest algorithm to use when signing or resigning. If not present then the
+diff -up openssl-1.0.2i/doc/apps/ocsp.pod.trusted-first openssl-1.0.2i/doc/apps/ocsp.pod
+--- openssl-1.0.2i/doc/apps/ocsp.pod.trusted-first 2016-09-22 14:01:27.401629545 +0200
++++ openssl-1.0.2i/doc/apps/ocsp.pod 2016-09-22 14:01:27.438630405 +0200
+@@ -29,6 +29,7 @@ B<openssl> B<ocsp>
+ [B<-path>]
+ [B<-CApath dir>]
+ [B<-CAfile file>]
++[B<-trusted_first>]
+ [B<-no_alt_chains>]
+ [B<-VAfile file>]
+ [B<-validity_period n>]
+@@ -144,6 +145,13 @@ connection timeout to the OCSP responder
+ file or pathname containing trusted CA certificates. These are used to verify
+ the signature on the OCSP response.
+
++=item B<-trusted_first>
++
++Use certificates in CA file or CA directory over certificates provided
++in the response or residing in other certificates file when building the trust
++chain to verify responder certificate.
++This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
++
+ =item B<-no_alt_chains>
+
+ See L<B<verify>|verify(1)> manual page for details.
+diff -up openssl-1.0.2i/doc/apps/s_client.pod.trusted-first openssl-1.0.2i/doc/apps/s_client.pod
+--- openssl-1.0.2i/doc/apps/s_client.pod.trusted-first 2016-09-22 14:01:27.412629801 +0200
++++ openssl-1.0.2i/doc/apps/s_client.pod 2016-09-22 14:01:27.438630405 +0200
+@@ -19,6 +19,7 @@ B<openssl> B<s_client>
+ [B<-pass arg>]
+ [B<-CApath directory>]
+ [B<-CAfile filename>]
++[B<-trusted_first>]
+ [B<-no_alt_chains>]
+ [B<-reconnect>]
+ [B<-pause>]
+@@ -125,7 +126,7 @@ also used when building the client certi
+ A file containing trusted certificates to use during server authentication
+ and to use when attempting to build the client certificate chain.
+
+-=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains>
++=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first -no_alt_chains>
+
+ Set various certificate chain valiadition option. See the
+ L<B<verify>|verify(1)> manual page for details.
+diff -up openssl-1.0.2i/doc/apps/smime.pod.trusted-first openssl-1.0.2i/doc/apps/smime.pod
+--- openssl-1.0.2i/doc/apps/smime.pod.trusted-first 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/doc/apps/smime.pod 2016-09-22 14:01:27.438630405 +0200
+@@ -15,6 +15,9 @@ B<openssl> B<smime>
+ [B<-pk7out>]
+ [B<-[cipher]>]
+ [B<-in file>]
++[B<-CAfile file>]
++[B<-CApath dir>]
++[B<-trusted_first>]
+ [B<-no_alt_chains>]
+ [B<-certfile file>]
+ [B<-signer file>]
+@@ -150,6 +153,12 @@ B<-verify>. This directory must be a sta
+ is a hash of each subject name (using B<x509 -hash>) should be linked
+ to each certificate.
+
++=item B<-trusted_first>
++
++Use certificates in CA file or CA directory over certificates provided
++in the message when building the trust chain to verify a certificate.
++This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
++
+ =item B<-md digest>
+
+ digest algorithm to use when signing or resigning. If not present then the
+diff -up openssl-1.0.2i/doc/apps/s_server.pod.trusted-first openssl-1.0.2i/doc/apps/s_server.pod
+--- openssl-1.0.2i/doc/apps/s_server.pod.trusted-first 2016-09-22 14:01:27.412629801 +0200
++++ openssl-1.0.2i/doc/apps/s_server.pod 2016-09-22 14:01:27.438630405 +0200
+@@ -33,6 +33,7 @@ B<openssl> B<s_server>
+ [B<-state>]
+ [B<-CApath directory>]
+ [B<-CAfile filename>]
++[B<-trusted_first>]
+ [B<-no_alt_chains>]
+ [B<-nocert>]
+ [B<-cipher cipherlist>]
+@@ -178,6 +179,12 @@ and to use when attempting to build the
+ is also used in the list of acceptable client CAs passed to the client when
+ a certificate is requested.
+
++=item B<-trusted_first>
++
++Use certificates in CA file or CA directory before other certificates
++when building the trust chain to verify client certificates.
++This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
++
+ =item B<-no_alt_chains>
+
+ See the L<B<verify>|verify(1)> manual page for details.
+diff -up openssl-1.0.2i/doc/apps/s_time.pod.trusted-first openssl-1.0.2i/doc/apps/s_time.pod
+--- openssl-1.0.2i/doc/apps/s_time.pod.trusted-first 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/doc/apps/s_time.pod 2016-09-22 14:01:27.439630429 +0200
+@@ -14,6 +14,7 @@ B<openssl> B<s_time>
+ [B<-key filename>]
+ [B<-CApath directory>]
+ [B<-CAfile filename>]
++[B<-trusted_first>]
+ [B<-reuse>]
+ [B<-new>]
+ [B<-verify depth>]
+@@ -76,6 +77,12 @@ also used when building the client certi
+ A file containing trusted certificates to use during server authentication
+ and to use when attempting to build the client certificate chain.
+
++=item B<-trusted_first>
++
++Use certificates in CA file or CA directory over the certificates provided
++by the server when building the trust chain to verify server certificate.
++This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
++
+ =item B<-new>
+
+ performs the timing test using a new session ID for each connection.
+diff -up openssl-1.0.2i/doc/apps/ts.pod.trusted-first openssl-1.0.2i/doc/apps/ts.pod
+--- openssl-1.0.2i/doc/apps/ts.pod.trusted-first 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/doc/apps/ts.pod 2016-09-22 14:01:27.439630429 +0200
+@@ -46,6 +46,7 @@ B<-verify>
+ [B<-token_in>]
+ [B<-CApath> trusted_cert_path]
+ [B<-CAfile> trusted_certs.pem]
++[B<-trusted_first>]
+ [B<-untrusted> cert_file.pem]
+
+ =head1 DESCRIPTION
+@@ -324,6 +325,12 @@ L<verify(1)|verify(1)> for additional de
+ or B<-CApath> must be specified.
+ (Optional)
+
++=item B<-trusted_first>
++
++Use certificates in CA file or CA directory before other certificates
++when building the trust chain to verify certificates.
++This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
++
+ =item B<-untrusted> cert_file.pem
+
+ Set of additional untrusted certificates in PEM format which may be
+diff -up openssl-1.0.2i/doc/apps/verify.pod.trusted-first openssl-1.0.2i/doc/apps/verify.pod
+--- openssl-1.0.2i/doc/apps/verify.pod.trusted-first 2016-09-22 12:23:06.000000000 +0200
++++ openssl-1.0.2i/doc/apps/verify.pod 2016-09-22 14:01:27.439630429 +0200
+@@ -9,6 +9,7 @@ verify - Utility to verify certificates.
+ B<openssl> B<verify>
+ [B<-CApath directory>]
+ [B<-CAfile file>]
++[B<-trusted_first>]
+ [B<-purpose purpose>]
+ [B<-policy arg>]
+ [B<-ignore_critical>]
+@@ -86,6 +87,12 @@ If a valid CRL cannot be found an error
+ A file of untrusted certificates. The file should contain multiple certificates
+ in PEM format concatenated together.
+
++=item B<-trusted_first>
++
++Use certificates in CA file or CA directory before the certificates in the untrusted
++file when building the trust chain to verify certificates.
++This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
++
+ =item B<-purpose purpose>
+
+ The intended use for the certificate. If this option is not specified,
diff --git a/SOURCES/openssl-1.0.2j-deprecate-algos.patch b/SOURCES/openssl-1.0.2j-deprecate-algos.patch
new file mode 100644
index 0000000..cbfb2e9
--- /dev/null
+++ b/SOURCES/openssl-1.0.2j-deprecate-algos.patch
@@ -0,0 +1,226 @@
+diff -up openssl-1.0.2j/crypto/asn1/a_verify.c.deprecate-algos openssl-1.0.2j/crypto/asn1/a_verify.c
+--- openssl-1.0.2j/crypto/asn1/a_verify.c.deprecate-algos 2016-09-26 11:49:07.000000000 +0200
++++ openssl-1.0.2j/crypto/asn1/a_verify.c 2017-01-09 16:47:11.666994197 +0100
+@@ -56,6 +56,9 @@
+ * [including the GNU Public Licence.]
+ */
+
++/* for secure_getenv */
++#define _GNU_SOURCE
++
+ #include <stdio.h>
+ #include <time.h>
+
+@@ -133,6 +136,30 @@ int ASN1_verify(i2d_of_void *i2d, X509_A
+
+ #endif
+
++static int legacy_mds[] = { NID_md5, NID_sha, NID_md4, NID_md2, 0 };
++extern int private_ossl_allowed_legacy_mds[];
++
++static int is_md_legacy_disallowed(int mdnid)
++{
++ int i;
++
++ if (mdnid == NID_md5 && secure_getenv("OPENSSL_ENABLE_MD5_VERIFY") != NULL)
++ return 0;
++
++ for (i = 0; legacy_mds[i] != 0; ++i) {
++ if (mdnid == legacy_mds[i]) {
++ int j;
++
++ for (j = 0; private_ossl_allowed_legacy_mds[j] != 0; ++j) {
++ if (mdnid == private_ossl_allowed_legacy_mds[j])
++ return 0;
++ }
++ return 1;
++ }
++ }
++ return 0;
++}
++
+ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a,
+ ASN1_BIT_STRING *signature, void *asn, EVP_PKEY *pkey)
+ {
+@@ -174,6 +201,10 @@ int ASN1_item_verify(const ASN1_ITEM *it
+ if (ret != 2)
+ goto err;
+ ret = -1;
++ } else if (is_md_legacy_disallowed(mdnid)) {
++ ASN1err(ASN1_F_ASN1_ITEM_VERIFY,
++ ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
++ goto err;
+ } else {
+ const EVP_MD *type;
+ type = EVP_get_digestbynid(mdnid);
+diff -up openssl-1.0.2j/crypto/o_init.c.deprecate-algos openssl-1.0.2j/crypto/o_init.c
+--- openssl-1.0.2j/crypto/o_init.c.deprecate-algos 2017-01-05 17:49:00.000000000 +0100
++++ openssl-1.0.2j/crypto/o_init.c 2017-01-09 16:52:29.018298611 +0100
+@@ -64,11 +64,21 @@
+ # include <unistd.h>
+ # include <errno.h>
+ # include <stdlib.h>
++# include <stdio.h>
++# include <string.h>
++# include <strings.h>
++# include <ctype.h>
+ # include <openssl/fips.h>
+ # include <openssl/rand.h>
++# include <openssl/dh.h>
++# include <openssl/objects.h>
+
+ # define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
+
++# define LEGACY_SETTINGS_FILE "/etc/pki/tls/legacy-settings"
++
++# define NUM_MAX_LEGACY_MDS 8
++
+ static void init_fips_mode(void)
+ {
+ char buf[2] = "0";
+@@ -98,6 +108,115 @@ static void init_fips_mode(void)
+ }
+ #endif
+
++int private_ossl_allowed_legacy_mds[NUM_MAX_LEGACY_MDS + 1]; /* zero terminated */
++
++int private_ossl_minimum_dh_bits;
++
++static void parse_legacy_mds(char *p)
++{
++ int idx = 0;
++ char *e = p;
++
++ while (p[0] != '\0') {
++ while (e[0] != '\0' && !isspace(e[0]) && e[0] != ',') {
++ ++e;
++ }
++ if (e[0] != '\0') {
++ e[0] = '\0';
++ ++e;
++ }
++
++ if (strcasecmp(p, "md5") == 0) {
++ private_ossl_allowed_legacy_mds[idx++] = NID_md5;
++ } else if (strcasecmp(p, "md4") == 0) {
++ private_ossl_allowed_legacy_mds[idx++] = NID_md4;
++ } else if (strcasecmp(p, "sha") == 0) {
++ private_ossl_allowed_legacy_mds[idx++] = NID_sha;
++ } else if (strcasecmp(p, "md2") == 0) {
++ private_ossl_allowed_legacy_mds[idx++] = NID_md2;
++ }
++
++ if (idx >=
++ sizeof(private_ossl_allowed_legacy_mds) /
++ sizeof(private_ossl_allowed_legacy_mds[0])) {
++ break;
++ }
++
++ while (e[0] == ',' || isspace(e[0])) {
++ ++e;
++ }
++
++ p = e;
++ }
++}
++
++static void parse_minimum_dh_bits(char *p)
++{
++ private_ossl_minimum_dh_bits = strtol(p, NULL, 10);
++ if (private_ossl_minimum_dh_bits < 512
++ || private_ossl_minimum_dh_bits > OPENSSL_DH_MAX_MODULUS_BITS) {
++ /* use default */
++ private_ossl_minimum_dh_bits = 0;
++ }
++}
++
++static void load_legacy_settings(void)
++{
++ FILE *f;
++ char *line = NULL;
++ size_t len = 0;
++
++ if ((f = fopen(LEGACY_SETTINGS_FILE, "r")) == NULL) {
++ return;
++ }
++
++ while (getline(&line, &len, f) > 0) {
++ char *p = line, *e, *val;
++
++ /* skip initial whitespace */
++ while (isspace(p[0])) {
++ ++p;
++ }
++
++ e = p;
++
++ while (e[0] != '\0' && !isspace(e[0])) {
++ ++e;
++ }
++
++ /* terminate name, skip whitespace between name and value */
++ if (e[0] != '\0') {
++ e[0] = '\0';
++ ++e;
++ while (isspace(e[0])) {
++ ++e;
++ }
++ }
++
++ val = e;
++
++ e = e + strlen(val);
++
++ /* trim terminating whitespace */
++ while (e > val) {
++ --e;
++ if (isspace(e[0])) {
++ e[0] = '\0';
++ } else {
++ break;
++ }
++ }
++
++ if (strcasecmp(p, "LegacySigningMDs") == 0) {
++ parse_legacy_mds(val);
++ } else if (strcasecmp(line, "MinimumDHBits") == 0) {
++ parse_minimum_dh_bits(val);
++ }
++ /* simply skip other unrecognized lines */
++ }
++ (void)fclose(f);
++}
++
+ /*
+ * Perform any essential OpenSSL initialization operations. Currently only
+ * sets FIPS callbacks
+@@ -109,6 +228,7 @@ void __attribute__ ((constructor)) OPENS
+ if (done)
+ return;
+ done = 1;
++ load_legacy_settings();
+ #ifdef OPENSSL_FIPS
+ if (!FIPS_module_installed()) {
+ return;
+diff -up openssl-1.0.2j/ssl/s3_clnt.c.deprecate-algos openssl-1.0.2j/ssl/s3_clnt.c
+--- openssl-1.0.2j/ssl/s3_clnt.c.deprecate-algos 2016-09-26 11:49:07.000000000 +0200
++++ openssl-1.0.2j/ssl/s3_clnt.c 2017-01-09 17:01:19.428506961 +0100
+@@ -3478,6 +3478,8 @@ int ssl3_send_client_certificate(SSL *s)
+
+ #define has_bits(i,m) (((i)&(m)) == (m))
+
++extern int private_ossl_minimum_dh_bits;
++
+ int ssl3_check_cert_and_algorithm(SSL *s)
+ {
+ int i, idx;
+@@ -3608,8 +3610,7 @@ int ssl3_check_cert_and_algorithm(SSL *s
+ DH_free(dh_srvr);
+ }
+
+- if ((!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 1024)
+- || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 512)) {
++ if (dh_size < (private_ossl_minimum_dh_bits ? private_ossl_minimum_dh_bits : 1024)) {
+ SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_DH_KEY_TOO_SMALL);
+ goto f_err;
+ }
diff --git a/SOURCES/openssl-1.0.2j-downgrade-strength.patch b/SOURCES/openssl-1.0.2j-downgrade-strength.patch
new file mode 100644
index 0000000..6e9e387
--- /dev/null
+++ b/SOURCES/openssl-1.0.2j-downgrade-strength.patch
@@ -0,0 +1,138 @@
+diff -up openssl-1.0.2j/ssl/s3_lib.c.downgrade-strength openssl-1.0.2j/ssl/s3_lib.c
+--- openssl-1.0.2j/ssl/s3_lib.c.downgrade-strength 2017-01-05 17:23:21.091203023 +0100
++++ openssl-1.0.2j/ssl/s3_lib.c 2017-01-05 17:36:37.250194225 +0100
+@@ -227,7 +227,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ SSL_SSLV3,
+ SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+- 128,
++ 112,
+ 128,
+ },
+
+@@ -243,7 +243,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ SSL_SSLV3,
+ SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+- 128,
++ 112,
+ 128,
+ },
+
+@@ -278,7 +278,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ SSL_SSLV3,
+ SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+- 128,
++ 112,
+ 128,
+ },
+ #endif
+@@ -575,7 +575,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ SSL_SSLV3,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+- 128,
++ 112,
+ 128,
+ },
+
+@@ -730,7 +730,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ SSL_SSLV3,
+ SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+- 128,
++ 112,
+ 128,
+ },
+
+@@ -746,7 +746,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ SSL_SSLV3,
+ SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+- 128,
++ 112,
+ 128,
+ },
+
+@@ -796,7 +796,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ SSL_SSLV3,
+ SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+- 128,
++ 112,
+ 128,
+ },
+
+@@ -812,7 +812,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ SSL_SSLV3,
+ SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+- 128,
++ 112,
+ 128,
+ },
+
+@@ -1429,7 +1429,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ SSL_TLSV1,
+ SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+- 128,
++ 112,
+ 128,
+ },
+ #endif
+@@ -1714,7 +1714,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ SSL_TLSV1,
+ SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+- 128,
++ 112,
+ 128,
+ },
+
+@@ -2106,7 +2106,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ SSL_TLSV1,
+ SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+- 128,
++ 112,
+ 128,
+ },
+
+@@ -2186,7 +2186,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ SSL_TLSV1,
+ SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+- 128,
++ 112,
+ 128,
+ },
+
+@@ -2266,7 +2266,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ SSL_TLSV1,
+ SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+- 128,
++ 112,
+ 128,
+ },
+
+@@ -2346,7 +2346,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ SSL_TLSV1,
+ SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+- 128,
++ 112,
+ 128,
+ },
+
+@@ -2426,7 +2426,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ SSL_TLSV1,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+- 128,
++ 112,
+ 128,
+ },
+
diff --git a/SOURCES/openssl-1.0.2j-krb5keytab.patch b/SOURCES/openssl-1.0.2j-krb5keytab.patch
new file mode 100644
index 0000000..9feb8cf
--- /dev/null
+++ b/SOURCES/openssl-1.0.2j-krb5keytab.patch
@@ -0,0 +1,172 @@
+diff -up openssl-1.0.2j/apps/s_client.c.krb5keytab openssl-1.0.2j/apps/s_client.c
+--- openssl-1.0.2j/apps/s_client.c.krb5keytab 2017-01-05 17:02:05.481441088 +0100
++++ openssl-1.0.2j/apps/s_client.c 2017-01-05 17:08:28.311073180 +0100
+@@ -171,6 +171,10 @@ typedef unsigned int u_int;
+ #include "s_apps.h"
+ #include "timeouts.h"
+
++#ifndef OPENSSL_NO_KRB5
++static char *krb5svc = NULL;
++#endif
++
+ #if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
+ /* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
+ # undef FIONBIO
+@@ -400,6 +404,9 @@ static void sc_usage(void)
+ BIO_printf(bio_err,
+ " only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
+ BIO_printf(bio_err, " are supported.\n");
++#ifndef OPENSSL_NO_KRB5
++ BIO_printf(bio_err, " -krb5svc arg - Kerberos service name\n");
++#endif
+ #ifndef OPENSSL_NO_ENGINE
+ BIO_printf(bio_err,
+ " -engine id - Initialise and use the specified engine\n");
+@@ -1069,6 +1076,13 @@ int MAIN(int argc, char **argv)
+ c_nbio = 1;
+ }
+ #endif
++#ifndef OPENSSL_NO_KRB5
++ else if (strcmp(*argv, "-krb5svc") == 0) {
++ if (--argc < 1)
++ goto bad;
++ krb5svc= *(++argv);
++ }
++#endif
+ else if (strcmp(*argv, "-starttls") == 0) {
+ if (--argc < 1)
+ goto bad;
+@@ -1435,6 +1449,8 @@ int MAIN(int argc, char **argv)
+ if (con && (kctx = kssl_ctx_new()) != NULL) {
+ SSL_set0_kssl_ctx(con, kctx);
+ kssl_ctx_setstring(kctx, KSSL_SERVER, host);
++ if (krb5svc != NULL)
++ kssl_ctx_setstring(kctx, KSSL_SERVICE, krb5svc);
+ }
+ #endif /* OPENSSL_NO_KRB5 */
+ /* SSL_set_cipher_list(con,"RC4-MD5"); */
+diff -up openssl-1.0.2j/apps/s_server.c.krb5keytab openssl-1.0.2j/apps/s_server.c
+--- openssl-1.0.2j/apps/s_server.c.krb5keytab 2017-01-05 17:02:05.482441111 +0100
++++ openssl-1.0.2j/apps/s_server.c 2017-01-05 17:16:36.458078609 +0100
+@@ -206,6 +206,11 @@ typedef unsigned int u_int;
+ # include <fcntl.h>
+ #endif
+
++#ifndef OPENSSL_NO_KRB5
++static char *krb5svc = NULL;
++static char *keytab = NULL;
++#endif
++
+ #ifndef OPENSSL_NO_RSA
+ static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength);
+ #endif
+@@ -579,6 +584,10 @@ static void sv_usage(void)
+ BIO_printf(bio_err, " -serverpref - Use server's cipher preferences\n");
+ BIO_printf(bio_err, " -quiet - No server output\n");
+ BIO_printf(bio_err, " -no_tmp_rsa - Do not generate a tmp RSA key\n");
++#ifndef OPENSSL_NO_KRB5
++ BIO_printf(bio_err, " -krb5svc arg - Kerberos service name\n");
++ BIO_printf(bio_err, " -keytab arg - Kerberos keytab filename\n");
++#endif
+ #ifndef OPENSSL_NO_PSK
+ BIO_printf(bio_err, " -psk_hint arg - PSK identity hint to use\n");
+ BIO_printf(bio_err, " -psk arg - PSK in hex (without 0x)\n");
+@@ -1326,6 +1335,17 @@ int MAIN(int argc, char *argv[])
+ goto bad;
+ vfyCAfile = *(++argv);
+ }
++#ifndef OPENSSL_NO_KRB5
++ else if (strcmp(*argv, "-krb5svc") == 0) {
++ if (--argc < 1)
++ goto bad;
++ krb5svc = *(++argv);
++ } else if (strcmp(*argv, "-keytab") == 0) {
++ if (--argc < 1)
++ goto bad;
++ keytab = *(++argv);
++ }
++#endif
+ #ifdef FIONBIO
+ else if (strcmp(*argv, "-nbio") == 0) {
+ s_nbio = 1;
+@@ -2226,8 +2246,10 @@ static int sv_body(char *hostname, int s
+ #ifndef OPENSSL_NO_KRB5
+ if ((kctx = kssl_ctx_new()) != NULL) {
+ SSL_set0_kssl_ctx(con, kctx);
+- kssl_ctx_setstring(kctx, KSSL_SERVICE, KRB5SVC);
+- kssl_ctx_setstring(kctx, KSSL_KEYTAB, KRB5KEYTAB);
++ kssl_ctx_setstring(kctx, KSSL_SERVICE,
++ krb5svc == NULL ? KRB5SVC : krb5svc);
++ if (keytab != NULL)
++ kssl_ctx_setstring(kctx, KSSL_KEYTAB, keytab);
+ }
+ #endif /* OPENSSL_NO_KRB5 */
+ if (context)
+@@ -2836,8 +2858,11 @@ static int www_body(char *hostname, int
+ #endif
+ #ifndef OPENSSL_NO_KRB5
+ if ((kctx = kssl_ctx_new()) != NULL) {
+- kssl_ctx_setstring(kctx, KSSL_SERVICE, KRB5SVC);
+- kssl_ctx_setstring(kctx, KSSL_KEYTAB, KRB5KEYTAB);
++ SSL_set0_kssl_ctx(con, kctx);
++ kssl_ctx_setstring(kctx, KSSL_SERVICE,
++ krb5svc == NULL ? KRB5SVC : krb5svc);
++ if (keytab != NULL)
++ kssl_ctx_setstring(kctx, KSSL_KEYTAB, keytab);
+ }
+ #endif /* OPENSSL_NO_KRB5 */
+ if (context)
+diff -up openssl-1.0.2j/doc/apps/s_client.pod.krb5keytab openssl-1.0.2j/doc/apps/s_client.pod
+--- openssl-1.0.2j/doc/apps/s_client.pod.krb5keytab 2016-09-26 11:49:07.000000000 +0200
++++ openssl-1.0.2j/doc/apps/s_client.pod 2017-01-05 17:21:30.562709291 +0100
+@@ -43,6 +43,7 @@ B<openssl> B<s_client>
+ [B<-fallback_scsv>]
+ [B<-bugs>]
+ [B<-cipher cipherlist>]
++[B<-krb5svc service>]
+ [B<-serverpref>]
+ [B<-starttls protocol>]
+ [B<-engine id>]
+@@ -228,6 +229,12 @@ command for more information.
+
+ use the server's cipher preferences; only used for SSLV2.
+
++=item B<-krb5svc service>
++
++the Kerberos service name to use (default "host"). This means s_server
++will expect a ticket for the principal I<service>/hostname@REALM, and will
++need keys for that principal in its keytab.
++
+ =item B<-starttls protocol>
+
+ send the protocol-specific message(s) to switch to TLS for communication.
+diff -up openssl-1.0.2j/doc/apps/s_server.pod.krb5keytab openssl-1.0.2j/doc/apps/s_server.pod
+--- openssl-1.0.2j/doc/apps/s_server.pod.krb5keytab 2017-01-05 17:02:05.482441111 +0100
++++ openssl-1.0.2j/doc/apps/s_server.pod 2017-01-05 17:20:54.769902331 +0100
+@@ -37,6 +37,8 @@ B<openssl> B<s_server>
+ [B<-nocert>]
+ [B<-cipher cipherlist>]
+ [B<-serverpref>]
++[B<-krb5svc service>]
++[B<-keytab filename>]
+ [B<-quiet>]
+ [B<-no_tmp_rsa>]
+ [B<-ssl2>]
+@@ -246,6 +248,17 @@ the B<ciphers> command for more informat
+
+ use the server's cipher preferences, rather than the client's preferences.
+
++=item B<-krb5svc service>
++
++the Kerberos service name to use (default "host"). This means s_server
++will expect a ticket for the principal I<service>/hostname@REALM, and will
++need keys for that principal in its keytab.
++
++=item B<-keytab filename>
++
++the Kerberos "keytab" (key table) file, containing keys for the s_server
++service principal (Kerberos identity; see -krb5svc).
++
+ =item B<-tlsextdebug>
+
+ print out a hex dump of any TLS extensions received from the server.
diff --git a/SOURCES/openssl-1.0.2j-new-fips-reqs.patch b/SOURCES/openssl-1.0.2j-new-fips-reqs.patch
new file mode 100644
index 0000000..2b9ec06
--- /dev/null
+++ b/SOURCES/openssl-1.0.2j-new-fips-reqs.patch
@@ -0,0 +1,1396 @@
+diff -up openssl-1.0.2j/crypto/bn/bn_rand.c.fips-reqs openssl-1.0.2j/crypto/bn/bn_rand.c
+--- openssl-1.0.2j/crypto/bn/bn_rand.c.fips-reqs 2016-09-26 11:49:07.000000000 +0200
++++ openssl-1.0.2j/crypto/bn/bn_rand.c 2017-01-10 16:25:11.142340595 +0100
+@@ -141,8 +141,11 @@ static int bnrand(int pseudorand, BIGNUM
+ }
+
+ /* make a random number and set the top and bottom bits */
+- time(&tim);
+- RAND_add(&tim, sizeof(tim), 0.0);
++ if (!FIPS_mode()) {
++ /* in FIPS mode the RNG is always properly seeded or the module fails */
++ time(&tim);
++ RAND_add(&tim, sizeof(tim), 0.0);
++ }
+
+ /* We ignore the value of pseudorand and always call RAND_bytes */
+ if (RAND_bytes(buf, bytes) <= 0)
+diff -up openssl-1.0.2j/crypto/dh/dh_gen.c.fips-reqs openssl-1.0.2j/crypto/dh/dh_gen.c
+--- openssl-1.0.2j/crypto/dh/dh_gen.c.fips-reqs 2017-01-10 16:25:11.099339627 +0100
++++ openssl-1.0.2j/crypto/dh/dh_gen.c 2017-01-10 16:25:11.142340595 +0100
+@@ -128,7 +128,7 @@ static int dh_builtin_genparams(DH *ret,
+ return 0;
+ }
+
+- if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) {
++ if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN)) {
+ DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL);
+ goto err;
+ }
+diff -up openssl-1.0.2j/crypto/dh/dh.h.fips-reqs openssl-1.0.2j/crypto/dh/dh.h
+--- openssl-1.0.2j/crypto/dh/dh.h.fips-reqs 2017-01-10 16:25:11.099339627 +0100
++++ openssl-1.0.2j/crypto/dh/dh.h 2017-01-10 16:25:11.142340595 +0100
+@@ -78,6 +78,7 @@
+ # endif
+
+ # define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
++# define OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN 2048
+
+ # define DH_FLAG_CACHE_MONT_P 0x01
+
+diff -up openssl-1.0.2j/crypto/dsa/dsa_gen.c.fips-reqs openssl-1.0.2j/crypto/dsa/dsa_gen.c
+--- openssl-1.0.2j/crypto/dsa/dsa_gen.c.fips-reqs 2017-01-10 16:25:11.100339650 +0100
++++ openssl-1.0.2j/crypto/dsa/dsa_gen.c 2017-01-10 16:25:11.143340618 +0100
+@@ -157,9 +157,11 @@ int dsa_builtin_paramgen(DSA *ret, size_
+ }
+
+ if (FIPS_module_mode() &&
+- (bits != 1024 || qbits != 160) &&
+- (bits != 2048 || qbits != 224) &&
+- (bits != 2048 || qbits != 256) && (bits != 3072 || qbits != 256)) {
++ (getenv("OPENSSL_ENFORCE_MODULUS_BITS") || bits != 1024
++ || qbits != 160) && (bits != 2048 || qbits != 224) && (bits != 2048
++ || qbits !=
++ 256)
++ && (bits != 3072 || qbits != 256)) {
+ DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_INVALID);
+ goto err;
+ }
+diff -up openssl-1.0.2j/crypto/dsa/dsa.h.fips-reqs openssl-1.0.2j/crypto/dsa/dsa.h
+--- openssl-1.0.2j/crypto/dsa/dsa.h.fips-reqs 2017-01-10 16:25:11.100339650 +0100
++++ openssl-1.0.2j/crypto/dsa/dsa.h 2017-01-10 16:25:11.143340618 +0100
+@@ -89,6 +89,7 @@
+ # endif
+
+ # define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS 1024
++# define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS_GEN (getenv("OPENSSL_ENFORCE_MODULUS_BITS")?2048:1024)
+
+ # define DSA_FLAG_CACHE_MONT_P 0x01
+ /*
+@@ -251,9 +252,9 @@ int DSAparams_print_fp(FILE *fp, const D
+ int DSA_print_fp(FILE *bp, const DSA *x, int off);
+ # endif
+
+-# define DSS_prime_checks 50
++# define DSS_prime_checks 64
+ /*
+- * Primality test according to FIPS PUB 186[-1], Appendix 2.1: 50 rounds of
++ * Primality test according to FIPS PUB 186-4, Appendix 2.1: 64 rounds of
+ * Rabin-Miller
+ */
+ # define DSA_is_prime(n, callback, cb_arg) \
+diff -up openssl-1.0.2j/crypto/dsa/dsa_key.c.fips-reqs openssl-1.0.2j/crypto/dsa/dsa_key.c
+--- openssl-1.0.2j/crypto/dsa/dsa_key.c.fips-reqs 2017-01-10 16:25:11.141340573 +0100
++++ openssl-1.0.2j/crypto/dsa/dsa_key.c 2017-01-10 16:25:11.143340618 +0100
+@@ -125,7 +125,7 @@ static int dsa_builtin_keygen(DSA *dsa)
+
+ # ifdef OPENSSL_FIPS
+ if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
+- && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) {
++ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS_GEN)) {
+ DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL);
+ goto err;
+ }
+diff -up openssl-1.0.2j/crypto/evp/e_aes.c.fips-reqs openssl-1.0.2j/crypto/evp/e_aes.c
+--- openssl-1.0.2j/crypto/evp/e_aes.c.fips-reqs 2017-01-10 16:25:11.102339695 +0100
++++ openssl-1.0.2j/crypto/evp/e_aes.c 2017-01-10 16:25:11.143340618 +0100
+@@ -381,6 +381,8 @@ static int aesni_xts_init_key(EVP_CIPHER
+
+ if (key) {
+ /* key_len is two AES keys */
++ if (FIPS_module_mode() && memcmp(key, key + ctx->key_len / 2, ctx->key_len / 2) == 0)
++ return 0;
+ if (enc) {
+ aesni_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
+ xctx->xts.block1 = (block128_f) aesni_encrypt;
+@@ -701,6 +703,9 @@ static int aes_t4_xts_init_key(EVP_CIPHE
+
+ if (key) {
+ int bits = ctx->key_len * 4;
++
++ if (FIPS_module_mode() && memcmp(key, key + ctx->key_len / 2, ctx->key_len / 2) == 0)
++ return 0;
+ xctx->stream = NULL;
+ /* key_len is two AES keys */
+ if (enc) {
+@@ -1645,6 +1650,8 @@ static int aes_xts_init_key(EVP_CIPHER_C
+
+ if (key)
+ do {
++ if (FIPS_module_mode() && memcmp(key, key + ctx->key_len / 2, ctx->key_len / 2) == 0)
++ return 0;
+ # ifdef AES_XTS_ASM
+ xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt;
+ # else
+diff -up openssl-1.0.2j/crypto/fips/fips.c.fips-reqs openssl-1.0.2j/crypto/fips/fips.c
+--- openssl-1.0.2j/crypto/fips/fips.c.fips-reqs 2017-01-10 16:25:11.141340573 +0100
++++ openssl-1.0.2j/crypto/fips/fips.c 2017-01-10 16:25:11.143340618 +0100
+@@ -424,26 +424,24 @@ int FIPS_module_mode_set(int onoff, cons
+ ret = 0;
+ goto end;
+ }
+- OPENSSL_ia32cap_P[0] |= (1 << 28); /* set "shared cache" */
+- OPENSSL_ia32cap_P[1] &= ~(1 << (60 - 32)); /* clear AVX */
+ }
+ # endif
+
+- if (!verify_checksums()) {
+- FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
+- FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
++ if (!FIPS_selftest()) {
+ fips_selftest_fail = 1;
+ ret = 0;
+ goto end;
+ }
+
+- if (FIPS_selftest())
+- fips_set_mode(onoff);
+- else {
++ if (!verify_checksums()) {
++ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
++ FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
+ fips_selftest_fail = 1;
+ ret = 0;
+ goto end;
+ }
++
++ fips_set_mode(onoff);
+ ret = 1;
+ goto end;
+ }
+diff -up openssl-1.0.2j/crypto/fips/fips_dh_selftest.c.fips-reqs openssl-1.0.2j/crypto/fips/fips_dh_selftest.c
+--- openssl-1.0.2j/crypto/fips/fips_dh_selftest.c.fips-reqs 2017-01-10 16:25:11.143340618 +0100
++++ openssl-1.0.2j/crypto/fips/fips_dh_selftest.c 2017-01-10 16:25:11.143340618 +0100
+@@ -0,0 +1,162 @@
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ * Copyright (c) 2013 Red Hat, Inc.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <string.h>
++#include <openssl/crypto.h>
++#include <openssl/dh.h>
++#include <openssl/fips.h>
++#include <openssl/err.h>
++#include <openssl/evp.h>
++#include <openssl/bn.h>
++#include "fips_locl.h"
++
++#ifdef OPENSSL_FIPS
++
++static const unsigned char dh_test_2048_p[] = {
++ 0xAE, 0xEC, 0xEE, 0x22, 0xFA, 0x3A, 0xA5, 0x22, 0xC0, 0xDE, 0x0F, 0x09,
++ 0x7E, 0x17, 0xC0, 0x05, 0xF9, 0xF1, 0xE7, 0xC6, 0x87, 0x14, 0x6D, 0x11,
++ 0xE7, 0xAE, 0xED, 0x2F, 0x72, 0x59, 0xC5, 0xA9, 0x9B, 0xB8, 0x02, 0xA5,
++ 0xF3, 0x69, 0x70, 0xD6, 0xDD, 0x90, 0xF9, 0x19, 0x79, 0xBE, 0x60, 0x8F,
++ 0x25, 0x92, 0x30, 0x1C, 0x51, 0x51, 0x38, 0x26, 0x82, 0x25, 0xE6, 0xFC,
++ 0xED, 0x65, 0x96, 0x8F, 0x57, 0xE5, 0x53, 0x8B, 0x38, 0x63, 0xC7, 0xCE,
++ 0xBC, 0x1B, 0x4D, 0x18, 0x2A, 0x5B, 0x04, 0x3F, 0x6A, 0x3C, 0x94, 0x39,
++ 0xAE, 0x36, 0xD6, 0x5E, 0x0F, 0xA2, 0xCC, 0xD0, 0xD4, 0xD5, 0xC6, 0x1E,
++ 0xF6, 0xA0, 0xF5, 0x89, 0x4E, 0xB4, 0x0B, 0xA4, 0xB3, 0x2B, 0x3D, 0xE2,
++ 0x4E, 0xE1, 0x49, 0x25, 0x99, 0x5F, 0x32, 0x16, 0x33, 0x32, 0x1B, 0x7A,
++ 0xA5, 0x5C, 0x6B, 0x34, 0x0D, 0x39, 0x99, 0xDC, 0xF0, 0x76, 0xE5, 0x5A,
++ 0xD4, 0x71, 0x00, 0xED, 0x5A, 0x73, 0xFB, 0xC8, 0x01, 0xAD, 0x99, 0xCF,
++ 0x99, 0x52, 0x7C, 0x9C, 0x64, 0xC6, 0x76, 0x40, 0x57, 0xAF, 0x59, 0xD7,
++ 0x38, 0x0B, 0x40, 0xDE, 0x33, 0x0D, 0xB8, 0x76, 0xEC, 0xA9, 0xD8, 0x73,
++ 0xF8, 0xEF, 0x26, 0x66, 0x06, 0x27, 0xDD, 0x7C, 0xA4, 0x10, 0x9C, 0xA6,
++ 0xAA, 0xF9, 0x53, 0x62, 0x73, 0x1D, 0xBA, 0x1C, 0xF1, 0x67, 0xF4, 0x35,
++ 0xED, 0x6F, 0x37, 0x92, 0xE8, 0x4F, 0x6C, 0xBA, 0x52, 0x6E, 0xA1, 0xED,
++ 0xDA, 0x9F, 0x85, 0x11, 0x82, 0x52, 0x62, 0x08, 0x44, 0xF1, 0x30, 0x03,
++ 0xC3, 0x38, 0x2C, 0x79, 0xBD, 0xD4, 0x43, 0x45, 0xEE, 0x8E, 0x50, 0xFC,
++ 0x29, 0x46, 0x9A, 0xFE, 0x54, 0x1A, 0x19, 0x8F, 0x4B, 0x84, 0x08, 0xDE,
++ 0x20, 0x62, 0x73, 0xCC, 0xDD, 0x7E, 0xF0, 0xEF, 0xA2, 0xFD, 0x86, 0x58,
++ 0x4B, 0xD8, 0x37, 0xEB
++};
++
++static const unsigned char dh_test_2048_g[] = {
++ 0x02
++};
++
++static const unsigned char dh_test_2048_pub_key[] = {
++ 0xA0, 0x39, 0x11, 0x77, 0x9A, 0xC1, 0x30, 0x1F, 0xBE, 0x48, 0xA7, 0xAA,
++ 0xA0, 0x84, 0x54, 0x64, 0xAD, 0x1B, 0x70, 0xFA, 0x13, 0x55, 0x63, 0xD2,
++ 0x1F, 0x62, 0x32, 0x93, 0x8E, 0xC9, 0x3E, 0x09, 0xA7, 0x64, 0xE4, 0x12,
++ 0x6E, 0x1B, 0xF2, 0x92, 0x3B, 0xB9, 0xCB, 0x56, 0xEA, 0x07, 0x88, 0xB5,
++ 0xA6, 0xBC, 0x16, 0x1F, 0x27, 0xFE, 0xD8, 0xAA, 0x40, 0xB2, 0xB0, 0x2D,
++ 0x37, 0x76, 0xA6, 0xA4, 0x82, 0x2C, 0x0E, 0x22, 0x64, 0x9D, 0xCB, 0xD1,
++ 0x00, 0xB7, 0x89, 0x14, 0x72, 0x4E, 0xBE, 0x48, 0x41, 0xF8, 0xB2, 0x51,
++ 0x11, 0x09, 0x4B, 0x22, 0x01, 0x23, 0x39, 0x96, 0xE0, 0x15, 0xD7, 0x9F,
++ 0x60, 0xD1, 0xB7, 0xAE, 0xFE, 0x5F, 0xDB, 0xE7, 0x03, 0x17, 0x97, 0xA6,
++ 0x16, 0x74, 0xBD, 0x53, 0x81, 0x19, 0xC5, 0x47, 0x5E, 0xCE, 0x8D, 0xED,
++ 0x45, 0x5D, 0x3C, 0x00, 0xA0, 0x0A, 0x68, 0x6A, 0xE0, 0x8E, 0x06, 0x46,
++ 0x6F, 0xD7, 0xF9, 0xDF, 0x31, 0x7E, 0x77, 0x44, 0x0D, 0x98, 0xE0, 0xCA,
++ 0x98, 0x09, 0x52, 0x04, 0x90, 0xEA, 0x6D, 0xF4, 0x30, 0x69, 0x8F, 0xB1,
++ 0x9B, 0xC1, 0x43, 0xDB, 0xD5, 0x8D, 0xC8, 0x8E, 0xB6, 0x0B, 0x05, 0xBE,
++ 0x0E, 0xC5, 0x99, 0xC8, 0x6E, 0x4E, 0xF3, 0xCB, 0xC3, 0x5E, 0x9B, 0x53,
++ 0xF7, 0x06, 0x1C, 0x4F, 0xC7, 0xB8, 0x6E, 0x30, 0x18, 0xCA, 0x9B, 0xB9,
++ 0xBC, 0x5F, 0x17, 0x72, 0x29, 0x5A, 0xE5, 0xD9, 0x96, 0xB7, 0x0B, 0xF3,
++ 0x2D, 0x8C, 0xF1, 0xE1, 0x0E, 0x0D, 0x74, 0xD5, 0x9D, 0xF0, 0x06, 0xA9,
++ 0xB4, 0x95, 0x63, 0x76, 0x46, 0x55, 0x48, 0x82, 0x39, 0x90, 0xEF, 0x56,
++ 0x75, 0x34, 0xB8, 0x34, 0xC3, 0x18, 0x6E, 0x1E, 0xAD, 0xE3, 0x48, 0x7E,
++ 0x93, 0x2C, 0x23, 0xE7, 0xF8, 0x90, 0x73, 0xB1, 0x77, 0x80, 0x67, 0xA9,
++ 0x36, 0x9E, 0xDA, 0xD2
++};
++
++static const unsigned char dh_test_2048_priv_key[] = {
++ 0x0C, 0x4B, 0x30, 0x89, 0xD1, 0xB8, 0x62, 0xCB, 0x3C, 0x43, 0x64, 0x91,
++ 0xF0, 0x91, 0x54, 0x70, 0xC5, 0x27, 0x96, 0xE3, 0xAC, 0xBE, 0xE8, 0x00,
++ 0xEC, 0x55, 0xF6, 0xCC
++};
++
++int FIPS_selftest_dh()
++{
++ DH *dh = NULL;
++ int ret = 0;
++ void *pub_key = NULL;
++ int len;
++
++ dh = DH_new();
++
++ if (dh == NULL)
++ goto err;
++
++ fips_load_key_component(dh, p, dh_test_2048);
++ fips_load_key_component(dh, g, dh_test_2048);
++ /* note that the private key is much shorter than normally used
++ * but still g ** priv_key > p
++ */
++ fips_load_key_component(dh, priv_key, dh_test_2048);
++
++ if (DH_generate_key(dh) <= 0)
++ goto err;
++
++ len = BN_num_bytes(dh->pub_key);
++ if ((pub_key = OPENSSL_malloc(len)) == NULL)
++ goto err;
++ BN_bn2bin(dh->pub_key, pub_key);
++
++ if (len != sizeof(dh_test_2048_pub_key) ||
++ memcmp(pub_key, dh_test_2048_pub_key, len) != 0)
++ goto err;
++
++ ret = 1;
++
++ err:
++ if (dh)
++ DH_free(dh);
++
++ OPENSSL_free(pub_key);
++ return ret;
++}
++#endif
+diff -up openssl-1.0.2j/crypto/fips/fips.h.fips-reqs openssl-1.0.2j/crypto/fips/fips.h
+--- openssl-1.0.2j/crypto/fips/fips.h.fips-reqs 2017-01-10 16:25:11.137340483 +0100
++++ openssl-1.0.2j/crypto/fips/fips.h 2017-01-10 16:25:11.144340641 +0100
+@@ -96,6 +96,7 @@ extern "C" {
+ int FIPS_selftest_dsa(void);
+ int FIPS_selftest_ecdsa(void);
+ int FIPS_selftest_ecdh(void);
++ int FIPS_selftest_dh(void);
+ void FIPS_corrupt_rng(void);
+ void FIPS_rng_stick(void);
+ void FIPS_x931_stick(int onoff);
+diff -up openssl-1.0.2j/crypto/fips/fips_post.c.fips-reqs openssl-1.0.2j/crypto/fips/fips_post.c
+--- openssl-1.0.2j/crypto/fips/fips_post.c.fips-reqs 2017-01-10 16:25:11.134340415 +0100
++++ openssl-1.0.2j/crypto/fips/fips_post.c 2017-01-10 16:25:11.144340641 +0100
+@@ -99,6 +99,8 @@ int FIPS_selftest(void)
+ rv = 0;
+ if (!FIPS_selftest_dsa())
+ rv = 0;
++ if (!FIPS_selftest_dh())
++ rv = 0;
+ if (!FIPS_selftest_ecdh())
+ rv = 0;
+ return rv;
+diff -up openssl-1.0.2j/crypto/fips/fips_rsa_selftest.c.fips-reqs openssl-1.0.2j/crypto/fips/fips_rsa_selftest.c
+--- openssl-1.0.2j/crypto/fips/fips_rsa_selftest.c.fips-reqs 2017-01-10 16:25:11.109339852 +0100
++++ openssl-1.0.2j/crypto/fips/fips_rsa_selftest.c 2017-01-10 16:25:11.144340641 +0100
+@@ -60,68 +60,107 @@
+ #ifdef OPENSSL_FIPS
+
+ static const unsigned char n[] =
+- "\x00\xBB\xF8\x2F\x09\x06\x82\xCE\x9C\x23\x38\xAC\x2B\x9D\xA8\x71"
+- "\xF7\x36\x8D\x07\xEE\xD4\x10\x43\xA4\x40\xD6\xB6\xF0\x74\x54\xF5"
+- "\x1F\xB8\xDF\xBA\xAF\x03\x5C\x02\xAB\x61\xEA\x48\xCE\xEB\x6F\xCD"
+- "\x48\x76\xED\x52\x0D\x60\xE1\xEC\x46\x19\x71\x9D\x8A\x5B\x8B\x80"
+- "\x7F\xAF\xB8\xE0\xA3\xDF\xC7\x37\x72\x3E\xE6\xB4\xB7\xD9\x3A\x25"
+- "\x84\xEE\x6A\x64\x9D\x06\x09\x53\x74\x88\x34\xB2\x45\x45\x98\x39"
+- "\x4E\xE0\xAA\xB1\x2D\x7B\x61\xA5\x1F\x52\x7A\x9A\x41\xF6\xC1\x68"
+- "\x7F\xE2\x53\x72\x98\xCA\x2A\x8F\x59\x46\xF8\xE5\xFD\x09\x1D\xBD" "\xCB";
++ "\x00\xc9\xd5\x6d\x9d\x90\xdb\x43\xd6\x02\xed\x96\x88\x13\x8a"
++ "\xb2\xbf\x6e\xa1\x06\x10\xb2\x78\x37\xa7\x14\xa8\xff\xdd\x00"
++ "\xdd\xb4\x93\xa0\x45\xcc\x96\x90\xed\xad\xa9\xdd\xc4\xd6\xca"
++ "\x0c\xf0\xed\x4f\x72\x5e\x21\x49\x9a\x18\x12\x15\x8f\x90\x5a"
++ "\xdb\xb6\x33\x99\xa3\xe6\xb4\xf0\xc4\x97\x21\x26\xbb\xe3\xba"
++ "\xf2\xff\xa0\x72\xda\x89\x63\x8e\x8b\x3e\x08\x9d\x92\x2a\xbe"
++ "\x16\xe1\x43\x15\xfc\x57\xc7\x1f\x09\x11\x67\x1c\xa9\x96\xd1"
++ "\x8b\x3e\x80\x93\xc1\x59\xd0\x6d\x39\xf2\xac\x95\xcc\x10\x75"
++ "\xe9\x31\x24\xd1\x43\xaf\x68\x52\x4b\xe7\x16\xd7\x49\x65\x6f"
++ "\x26\xc0\x86\xad\xc0\x07\x0a\xc1\xe1\x2f\x87\x85\x86\x3b\xdc"
++ "\x5a\x99\xbe\xe9\xf9\xb9\xe9\x82\x27\x51\x04\x15\xab\x06\x0e"
++ "\x76\x5a\x28\x8d\x92\xbd\xc5\xb5\x7b\xa8\xdf\x4e\x47\xa2\xc1"
++ "\xe7\x52\xbf\x47\xf7\x62\xe0\x3a\x6f\x4d\x6a\x4d\x4e\xd4\xb9"
++ "\x59\x69\xfa\xb2\x14\xc1\xee\xe6\x2f\x95\xcd\x94\x72\xae\xe4"
++ "\xdb\x18\x9a\xc4\xcd\x70\xbd\xee\x31\x16\xb7\x49\x65\xac\x40"
++ "\x19\x0e\xb5\x6d\x83\xf1\x36\xbb\x08\x2f\x2e\x4e\x92\x62\xa4"
++ "\xff\x50\xdb\x20\x45\xa2\xeb\x16\x7a\xf2\xd5\x28\xc1\xfd\x4e" "\x03\x71";
+
+ static int corrupt_rsa;
+
+ static int setrsakey(RSA *key)
+ {
+- static const unsigned char e[] = "\x11";
++ static const unsigned char e[] = "\x01\x00\x01";
+
+ static const unsigned char d[] =
+- "\x00\xA5\xDA\xFC\x53\x41\xFA\xF2\x89\xC4\xB9\x88\xDB\x30\xC1\xCD"
+- "\xF8\x3F\x31\x25\x1E\x06\x68\xB4\x27\x84\x81\x38\x01\x57\x96\x41"
+- "\xB2\x94\x10\xB3\xC7\x99\x8D\x6B\xC4\x65\x74\x5E\x5C\x39\x26\x69"
+- "\xD6\x87\x0D\xA2\xC0\x82\xA9\x39\xE3\x7F\xDC\xB8\x2E\xC9\x3E\xDA"
+- "\xC9\x7F\xF3\xAD\x59\x50\xAC\xCF\xBC\x11\x1C\x76\xF1\xA9\x52\x94"
+- "\x44\xE5\x6A\xAF\x68\xC5\x6C\x09\x2C\xD3\x8D\xC3\xBE\xF5\xD2\x0A"
+- "\x93\x99\x26\xED\x4F\x74\xA1\x3E\xDD\xFB\xE1\xA1\xCE\xCC\x48\x94"
+- "\xAF\x94\x28\xC2\xB7\xB8\x88\x3F\xE4\x46\x3A\x4B\xC8\x5B\x1C\xB3"
+- "\xC1";
++ "\x36\x27\x3d\xb1\xf9\x1b\xdb\xa7\xa0\x41\x7f\x12\x23\xac\x23"
++ "\x29\x99\xd5\x3a\x7b\x60\x67\x41\x07\x63\x53\xb4\xd2\xe7\x58"
++ "\x95\x0a\xc7\x05\xf3\x4e\xb2\xb4\x12\xd4\x70\xdc\x4f\x85\x06"
++ "\xd3\xdd\xd8\x63\x27\x3e\x67\x31\x21\x24\x39\x04\xbc\x06\xa4"
++ "\xcc\xce\x2b\x7a\xfe\x7b\xad\xde\x11\x6e\xa3\xa5\xe6\x04\x53"
++ "\x0e\xa3\x4e\x2d\xb4\x8f\x31\xbf\xca\x75\x25\x52\x02\x85\xde"
++ "\x3d\xb2\x72\x43\xb2\x89\x8a\x9a\x34\x41\x26\x3f\x9a\x67\xbe"
++ "\xa4\x96\x7b\x0e\x75\xba\xa6\x93\xd5\xb8\xd8\xb8\x57\xf2\x4b"
++ "\x0f\x14\x81\xd1\x57\x4e\xf6\x45\x4c\xa6\x3b\xd0\x70\xca\xd3"
++ "\x9d\x55\xde\x22\x05\xe7\x8e\x28\x4d\xee\x11\xcf\xb6\x67\x76"
++ "\x09\xd3\xe3\x3c\x13\xf9\x99\x34\x10\x7b\xec\x81\x38\xf0\xb6"
++ "\x34\x9c\x9b\x50\x6f\x0b\x91\x81\x4d\x89\x94\x04\x7b\xf0\x3c"
++ "\xf4\xb1\xb2\x00\x48\x8d\x5a\x8f\x88\x9e\xc5\xab\x3a\x9e\x44"
++ "\x3f\x54\xe7\xd9\x6e\x47\xaa\xa1\xbd\x40\x46\x31\xf9\xf0\x34"
++ "\xb6\x04\xe1\x2b\x5b\x73\x86\xdd\x3a\x92\x1b\x71\xc7\x3f\x32"
++ "\xe5\xc3\xc2\xab\xa1\x7e\xbf\xa4\x52\xa0\xb0\x68\x90\xd1\x20"
++ "\x12\x79\xe9\xd7\xc9\x40\xba\xf2\x19\xc7\xa5\x00\x92\x86\x0d" "\x01";
+
+ static const unsigned char p[] =
+- "\x00\xEE\xCF\xAE\x81\xB1\xB9\xB3\xC9\x08\x81\x0B\x10\xA1\xB5\x60"
+- "\x01\x99\xEB\x9F\x44\xAE\xF4\xFD\xA4\x93\xB8\x1A\x9E\x3D\x84\xF6"
+- "\x32\x12\x4E\xF0\x23\x6E\x5D\x1E\x3B\x7E\x28\xFA\xE7\xAA\x04\x0A"
+- "\x2D\x5B\x25\x21\x76\x45\x9D\x1F\x39\x75\x41\xBA\x2A\x58\xFB\x65"
+- "\x99";
++ "\x00\xfc\x5c\x6e\x16\xce\x1f\x03\x7b\xcd\xf7\xb3\x72\xb2\x8f"
++ "\x16\x72\xb8\x56\xae\xf7\xcd\x67\xd8\x4e\x7d\x07\xaf\xd5\x43"
++ "\x26\xc3\x35\xbe\x43\x8f\x4e\x2f\x1c\x43\x4e\x6b\xd2\xb2\xec"
++ "\x52\x6d\x97\x52\x2b\xcc\x5c\x3a\x6b\xf4\x14\xc6\x74\xda\x66"
++ "\x38\x1c\x7a\x3f\x84\x2f\xe3\xf9\x5a\xb8\x65\x69\x46\x06\xa3"
++ "\x37\x79\xb2\xa1\x5b\x58\xed\x5e\xa7\x5f\x8c\x65\x66\xbb\xd1"
++ "\x24\x36\xe6\x37\xa7\x3d\x49\x77\x8a\x8c\x34\xd8\x69\x29\xf3"
++ "\x4d\x58\x22\xb0\x51\x24\xb6\x40\xa8\x86\x59\x0a\xb7\xba\x5c"
++ "\x97\xda\x57\xe8\x36\xda\x7a\x9c\xad";
+
+ static const unsigned char q[] =
+- "\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9"
+- "\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D"
+- "\x86\x98\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5"
+- "\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x15"
+- "\x03";
++ "\x00\xcc\xbe\x7b\x09\x69\x06\xee\x45\xbf\x88\x47\x38\xa8\xf8"
++ "\x17\xe5\xb6\xba\x67\x55\xe3\xe8\x05\x8b\xb8\xe2\x53\xd6\x8e"
++ "\xef\x2c\xe7\x4f\x4a\xf7\x4e\x26\x8d\x85\x0b\x3f\xec\xc3\x1c"
++ "\xd4\xeb\xec\x6a\xc8\x72\x2a\x25\x7d\xfd\xa6\x77\x96\xf0\x1e"
++ "\xcd\x28\x57\xf8\x37\x30\x75\x6b\xbd\xd4\x7b\x0c\x87\xc5\x6c"
++ "\x87\x40\xa5\xbb\x27\x2c\x78\xc9\x74\x5a\x54\x5b\x0b\x30\x6f"
++ "\x44\x4a\xfa\x71\xe4\x21\x61\x66\xf9\xee\x65\xde\x7c\x04\xd7"
++ "\xfd\xa9\x15\x5b\x7f\xe2\x7a\xba\x69\x86\x72\xa6\x06\x8d\x9b"
++ "\x90\x55\x60\x9e\x4c\x5d\xa9\xb6\x55";
+
+ static const unsigned char dmp1[] =
+- "\x54\x49\x4C\xA6\x3E\xBA\x03\x37\xE4\xE2\x40\x23\xFC\xD6\x9A\x5A"
+- "\xEB\x07\xDD\xDC\x01\x83\xA4\xD0\xAC\x9B\x54\xB0\x51\xF2\xB1\x3E"
+- "\xD9\x49\x09\x75\xEA\xB7\x74\x14\xFF\x59\xC1\xF7\x69\x2E\x9A\x2E"
+- "\x20\x2B\x38\xFC\x91\x0A\x47\x41\x74\xAD\xC9\x3C\x1F\x67\xC9\x81";
++ "\x7a\xd6\x12\xd0\x0e\xec\x91\xa9\x85\x8b\xf8\x50\xf0\x11\x2e"
++ "\x00\x11\x32\x40\x60\x66\x1f\x11\xee\xc2\x75\x27\x65\x4b\x16"
++ "\x67\x16\x95\xd2\x14\xc3\x1d\xb3\x48\x1f\xb7\xe4\x0b\x2b\x74"
++ "\xc3\xdb\x50\x27\xf9\x85\x3a\xfa\xa9\x08\x23\xc1\x65\x3d\x34"
++ "\x3a\xc8\x56\x7a\x65\x45\x36\x6e\xae\x2a\xce\x9f\x43\x43\xd7"
++ "\x10\xe9\x9e\x18\xf4\xa4\x35\xda\x8a\x6b\xb0\x3f\xdd\x53\xe3"
++ "\xa8\xc5\x4e\x79\x9d\x1f\x51\x8c\xa2\xca\x66\x3c\x6a\x2a\xff"
++ "\x8e\xd2\xf3\xb7\xcb\x82\xda\xde\x2c\xe6\xd2\x8c\xb3\xad\xb6"
++ "\x4c\x95\x55\x76\xbd\xc9\xc8\xd1";
+
+ static const unsigned char dmq1[] =
+- "\x47\x1E\x02\x90\xFF\x0A\xF0\x75\x03\x51\xB7\xF8\x78\x86\x4C\xA9"
+- "\x61\xAD\xBD\x3A\x8A\x7E\x99\x1C\x5C\x05\x56\xA9\x4C\x31\x46\xA7"
+- "\xF9\x80\x3F\x8F\x6F\x8A\xE3\x42\xE9\x31\xFD\x8A\xE4\x7A\x22\x0D"
+- "\x1B\x99\xA4\x95\x84\x98\x07\xFE\x39\xF9\x24\x5A\x98\x36\xDA\x3D";
++ "\x00\x83\x23\x1d\xbb\x11\x42\x17\x2b\x25\x5a\x2c\x03\xe6\x75"
++ "\xc1\x18\xa8\xc9\x0b\x96\xbf\xba\xc4\x92\x91\x80\xa5\x22\x2f"
++ "\xba\x91\x90\x36\x01\x56\x15\x00\x2c\x74\xa2\x97\xf7\x15\xa1"
++ "\x49\xdf\x32\x35\xd2\xdd\x0c\x91\xa6\xf8\xe7\xbe\x81\x36\x9b"
++ "\x03\xdc\x6b\x3b\xd8\x5d\x79\x57\xe0\xe6\x4f\x49\xdf\x4c\x5c"
++ "\x0e\xe5\x21\x41\x95\xfd\xad\xff\x9a\x3e\xa0\xf9\x0f\x59\x9e"
++ "\x6a\xa7\x7b\x71\xa7\x24\x9a\x36\x52\xae\x97\x20\xc1\x5e\x78"
++ "\xd9\x47\x8b\x1e\x67\xf2\xaf\x98\xe6\x2d\xef\x10\xd7\xf1\xab"
++ "\x49\xee\xe5\x4b\x7e\xae\x1f\x1d\x61";
+
+ static const unsigned char iqmp[] =
+- "\x00\xB0\x6C\x4F\xDA\xBB\x63\x01\x19\x8D\x26\x5B\xDB\xAE\x94\x23"
+- "\xB3\x80\xF2\x71\xF7\x34\x53\x88\x50\x93\x07\x7F\xCD\x39\xE2\x11"
+- "\x9F\xC9\x86\x32\x15\x4F\x58\x83\xB1\x67\xA9\x67\xBF\x40\x2B\x4E"
+- "\x9E\x2E\x0F\x96\x56\xE6\x98\xEA\x36\x66\xED\xFB\x25\x79\x80\x39"
+- "\xF7";
++ "\x23\x96\xc1\x91\x17\x5e\x0a\x83\xd2\xdc\x7b\x69\xb2\x59\x1d"
++ "\x33\x58\x52\x3f\x18\xc7\x09\x50\x1c\xb9\xa1\xbb\x4c\xa2\x38"
++ "\x40\x4c\x9a\x8e\xfe\x9c\x90\x92\xd0\x71\x9f\x89\x99\x50\x91"
++ "\x1f\x34\x8b\x74\x53\x11\x11\x4a\x70\xe2\xf7\x30\xd8\x8c\x80"
++ "\xe1\xcc\x9f\xf1\x63\x17\x1a\x7d\x67\x29\x4c\xcb\x4e\x74\x7b"
++ "\xe0\x3e\x9e\x2f\xf4\x67\x8f\xec\xb9\x5c\x00\x1e\x7e\xa2\x7b"
++ "\x92\xc9\x6f\x4c\xe4\x0e\xf9\x48\x63\xcd\x50\x22\x5d\xbf\xb6"
++ "\x9d\x01\x33\x6a\xf4\x50\xbe\x86\x98\x4f\xca\x3f\x3a\xfa\xcf"
++ "\x07\x40\xc4\xaa\xad\xae\xbe\xbf";
+
+ key->n = BN_bin2bn(n, sizeof(n) - 1, key->n);
+ if (corrupt_rsa)
+- BN_set_bit(key->n, 1024);
++ BN_set_bit(key->n, 2048);
+ key->e = BN_bin2bn(e, sizeof(e) - 1, key->e);
+ key->d = BN_bin2bn(d, sizeof(d) - 1, key->d);
+ key->p = BN_bin2bn(p, sizeof(p) - 1, key->p);
+@@ -145,200 +184,292 @@ static const unsigned char kat_tbs[] =
+ "OpenSSL FIPS 140-2 Public Key RSA KAT";
+
+ static const unsigned char kat_RSA_PSS_SHA1[] = {
+- 0x2D, 0xAF, 0x6E, 0xC2, 0x98, 0xFB, 0x8A, 0xA1, 0xB9, 0x46, 0xDA, 0x0F,
+- 0x01, 0x1E, 0x37, 0x93, 0xC2, 0x55, 0x27, 0xE4, 0x1D, 0xD2, 0x90, 0xBB,
+- 0xF4, 0xBF, 0x4A, 0x74, 0x39, 0x51, 0xBB, 0xE8, 0x0C, 0xB7, 0xF8, 0xD3,
+- 0xD1, 0xDF, 0xE7, 0xBE, 0x80, 0x05, 0xC3, 0xB5, 0xC7, 0x83, 0xD5, 0x4C,
+- 0x7F, 0x49, 0xFB, 0x3F, 0x29, 0x9B, 0xE1, 0x12, 0x51, 0x60, 0xD0, 0xA7,
+- 0x0D, 0xA9, 0x28, 0x56, 0x73, 0xD9, 0x07, 0xE3, 0x5E, 0x3F, 0x9B, 0xF5,
+- 0xB6, 0xF3, 0xF2, 0x5E, 0x74, 0xC9, 0x83, 0x81, 0x47, 0xF0, 0xC5, 0x45,
+- 0x0A, 0xE9, 0x8E, 0x38, 0xD7, 0x18, 0xC6, 0x2A, 0x0F, 0xF8, 0xB7, 0x31,
+- 0xD6, 0x55, 0xE4, 0x66, 0x78, 0x81, 0xD4, 0xE6, 0xDB, 0x9F, 0xBA, 0xE8,
+- 0x23, 0xB5, 0x7F, 0xDC, 0x08, 0xEA, 0xD5, 0x26, 0x1E, 0x20, 0x25, 0x84,
+- 0x26, 0xC6, 0x79, 0xC9, 0x9B, 0x3D, 0x7E, 0xA9
++ 0xC2, 0x80, 0x82, 0x56, 0xD8, 0xA7, 0xB2, 0x9C, 0xF5, 0xD6, 0x3C, 0xE3,
++ 0xBF, 0xE9, 0x3A, 0x53, 0x40, 0xAE, 0xF2, 0xA9, 0x6A, 0x39, 0x49, 0x5B,
++ 0x05, 0x7F, 0x67, 0x38, 0x2E, 0x1D, 0xE1, 0x93, 0x22, 0x65, 0x79, 0x84,
++ 0x68, 0xFA, 0xD8, 0xAF, 0xA1, 0x98, 0x61, 0x6F, 0x44, 0x27, 0xA6, 0x8B,
++ 0xCF, 0x0E, 0x13, 0xA9, 0xCE, 0xD7, 0x6C, 0xD2, 0x38, 0xB5, 0x16, 0xB9,
++ 0x66, 0x94, 0x48, 0xDE, 0x9E, 0x19, 0x3D, 0x6F, 0xB3, 0xA1, 0x9A, 0x19,
++ 0xDF, 0xFB, 0xAB, 0xA5, 0x9F, 0x38, 0xDA, 0xC9, 0x21, 0x8F, 0xCE, 0x98,
++ 0x01, 0x3A, 0xC8, 0xE0, 0xDF, 0xDA, 0xFC, 0xF0, 0xA6, 0x86, 0x29, 0xB5,
++ 0x7F, 0x61, 0xFB, 0xBA, 0xC5, 0x49, 0xB2, 0x7C, 0x6A, 0x26, 0x82, 0xC4,
++ 0x8F, 0xAA, 0x5B, 0x10, 0xD5, 0xEE, 0xA0, 0x55, 0x42, 0xEF, 0x32, 0x5A,
++ 0x3F, 0x55, 0xB3, 0x2C, 0x22, 0xE9, 0x65, 0xDA, 0x8D, 0x0A, 0xB9, 0x70,
++ 0x43, 0xCC, 0x3F, 0x64, 0x9C, 0xB5, 0x65, 0x49, 0xBD, 0x7F, 0x35, 0xC1,
++ 0x20, 0x85, 0x24, 0xFE, 0xAA, 0x6B, 0x37, 0x04, 0xA1, 0x0E, 0x9D, 0x5C,
++ 0xBA, 0x7F, 0x14, 0x69, 0xC5, 0x93, 0xB2, 0x33, 0xC2, 0xC0, 0xC7, 0xDF,
++ 0x7E, 0x9E, 0xA4, 0xB0, 0xA0, 0x64, 0xD2, 0xAC, 0xFC, 0xFD, 0xFD, 0x99,
++ 0x8F, 0x6A, 0x40, 0x26, 0xC1, 0x2E, 0x4E, 0x8B, 0x33, 0xBE, 0xF1, 0x45,
++ 0x59, 0x8F, 0x33, 0x40, 0x1D, 0x2A, 0xD2, 0xF7, 0x50, 0x83, 0x89, 0xCF,
++ 0x94, 0xC6, 0xF8, 0x36, 0xF0, 0x84, 0x0B, 0x85, 0xA5, 0x02, 0xA9, 0x0F,
++ 0x41, 0x7A, 0x77, 0xA3, 0x2F, 0x47, 0x1E, 0x1D, 0xEC, 0xE6, 0xD3, 0x01,
++ 0x1E, 0x6F, 0x7A, 0x96, 0x50, 0x37, 0x37, 0x4B, 0x27, 0x52, 0x0B, 0xDC,
++ 0xDB, 0xC7, 0xA9, 0x31, 0xB2, 0x40, 0xEE, 0x60, 0x41, 0x26, 0x6A, 0x05,
++ 0xCE, 0x08, 0x1D, 0x89
+ };
+
+ static const unsigned char kat_RSA_PSS_SHA224[] = {
+- 0x39, 0x4A, 0x6A, 0x20, 0xBC, 0xE9, 0x33, 0xED, 0xEF, 0xC5, 0x58, 0xA7,
+- 0xFE, 0x81, 0xC4, 0x36, 0x50, 0x9A, 0x2C, 0x82, 0x98, 0x08, 0x95, 0xFA,
+- 0xB1, 0x9E, 0xD2, 0x55, 0x61, 0x87, 0x21, 0x59, 0x87, 0x7B, 0x1F, 0x57,
+- 0x30, 0x9D, 0x0D, 0x4A, 0x06, 0xEB, 0x52, 0x37, 0x55, 0x54, 0x1C, 0x89,
+- 0x83, 0x75, 0x59, 0x65, 0x64, 0x90, 0x2E, 0x16, 0xCC, 0x86, 0x05, 0xEE,
+- 0xB1, 0xE6, 0x7B, 0xBA, 0x16, 0x75, 0x0D, 0x0C, 0x64, 0x0B, 0xAB, 0x22,
+- 0x15, 0x78, 0x6B, 0x6F, 0xA4, 0xFB, 0x77, 0x40, 0x64, 0x62, 0xD1, 0xB5,
+- 0x37, 0x1E, 0xE0, 0x3D, 0xA8, 0xF9, 0xD2, 0xBD, 0xAA, 0x38, 0x24, 0x49,
+- 0x58, 0xD2, 0x74, 0x85, 0xF4, 0xB5, 0x93, 0x8E, 0xF5, 0x03, 0xEA, 0x2D,
+- 0xC8, 0x52, 0xFA, 0xCF, 0x7E, 0x35, 0xB0, 0x6A, 0xAF, 0x95, 0xC0, 0x00,
+- 0x54, 0x76, 0x3D, 0x0C, 0x9C, 0xB2, 0xEE, 0xC0
++ 0xB4, 0x01, 0x93, 0x16, 0x05, 0xF6, 0xEB, 0xE2, 0xA4, 0xEB, 0x48, 0xAA,
++ 0x00, 0xF4, 0xA1, 0x99, 0x0A, 0xB4, 0xB6, 0x63, 0xE9, 0x68, 0xCA, 0xB3,
++ 0x13, 0xD7, 0x66, 0x6A, 0xCD, 0xCB, 0x33, 0x9F, 0xE5, 0x84, 0xE2, 0xC3,
++ 0x0B, 0x53, 0xE5, 0x8B, 0x96, 0x4B, 0xDB, 0x2D, 0x80, 0xA4, 0x1D, 0xE3,
++ 0x81, 0xDC, 0x52, 0x99, 0xBA, 0x9B, 0x6A, 0x9D, 0x48, 0x1F, 0x73, 0xF7,
++ 0xAC, 0x09, 0x13, 0xA1, 0x16, 0x2C, 0x60, 0xFB, 0xBC, 0x25, 0xF7, 0x53,
++ 0xD1, 0x04, 0x5A, 0x3F, 0x95, 0x09, 0x5E, 0xE5, 0xA2, 0x7D, 0xFC, 0x2A,
++ 0x51, 0x1D, 0x21, 0xCE, 0x2B, 0x4E, 0x1B, 0xB8, 0xCB, 0xDD, 0x24, 0xEE,
++ 0x99, 0x1D, 0x37, 0xDC, 0xED, 0x5F, 0x2F, 0x48, 0x5E, 0x33, 0x94, 0x06,
++ 0x19, 0xCD, 0x5A, 0x26, 0x85, 0x77, 0x9D, 0xAF, 0x86, 0x97, 0xC9, 0x08,
++ 0xD5, 0x81, 0x0E, 0xB8, 0x9F, 0xB6, 0xAF, 0x20, 0x72, 0xDC, 0x13, 0x4D,
++ 0x7A, 0xE4, 0x5C, 0x81, 0xDE, 0xC0, 0x3D, 0x19, 0x9C, 0x33, 0x11, 0x07,
++ 0xD5, 0xA9, 0x51, 0x67, 0xCD, 0xFD, 0x37, 0x61, 0x14, 0x9F, 0xE7, 0x70,
++ 0x18, 0x32, 0xC3, 0x34, 0x54, 0x0D, 0x4F, 0xB4, 0xAE, 0x9F, 0xEC, 0x64,
++ 0xD8, 0xB2, 0x16, 0xA4, 0xB2, 0x99, 0x92, 0xCB, 0x7F, 0x1F, 0x06, 0x17,
++ 0x5F, 0xA1, 0x07, 0x68, 0xAE, 0xA7, 0x2D, 0x03, 0x91, 0x2A, 0x9D, 0x69,
++ 0xC2, 0x9D, 0x90, 0xF7, 0xF9, 0x66, 0x5D, 0x13, 0xB7, 0x7F, 0xD3, 0x97,
++ 0x45, 0x97, 0x43, 0xD8, 0xCE, 0x3C, 0xF2, 0x98, 0x98, 0xDD, 0xE2, 0x2D,
++ 0xCF, 0xA1, 0xC4, 0x25, 0x46, 0x2E, 0xD2, 0xE5, 0x5F, 0xC6, 0x01, 0xC5,
++ 0x4F, 0x42, 0x2B, 0xDE, 0x0F, 0xEA, 0x4A, 0x4F, 0xC3, 0x5B, 0xDF, 0x9B,
++ 0x5D, 0x30, 0x18, 0x93, 0xD0, 0xDE, 0xC5, 0x09, 0xAA, 0x57, 0x57, 0xBD,
++ 0x2D, 0x84, 0x03, 0xB7
+ };
+
+ static const unsigned char kat_RSA_PSS_SHA256[] = {
+- 0x6D, 0x3D, 0xBE, 0x8F, 0x60, 0x6D, 0x25, 0x14, 0xF0, 0x31, 0xE3, 0x89,
+- 0x00, 0x97, 0xFA, 0x99, 0x71, 0x28, 0xE5, 0x10, 0x25, 0x9A, 0xF3, 0x8F,
+- 0x7B, 0xC5, 0xA8, 0x4A, 0x74, 0x51, 0x36, 0xE2, 0x8D, 0x7D, 0x73, 0x28,
+- 0xC1, 0x77, 0xC6, 0x27, 0x97, 0x00, 0x8B, 0x00, 0xA3, 0x96, 0x73, 0x4E,
+- 0x7D, 0x2E, 0x2C, 0x34, 0x68, 0x8C, 0x8E, 0xDF, 0x9D, 0x49, 0x47, 0x05,
+- 0xAB, 0xF5, 0x01, 0xD6, 0x81, 0x47, 0x70, 0xF5, 0x1D, 0x6D, 0x26, 0xBA,
+- 0x2F, 0x7A, 0x54, 0x53, 0x4E, 0xED, 0x71, 0xD9, 0x5A, 0xF3, 0xDA, 0xB6,
+- 0x0B, 0x47, 0x34, 0xAF, 0x90, 0xDC, 0xC8, 0xD9, 0x6F, 0x56, 0xCD, 0x9F,
+- 0x21, 0xB7, 0x7E, 0xAD, 0x7C, 0x2F, 0x75, 0x50, 0x47, 0x12, 0xE4, 0x6D,
+- 0x5F, 0xB7, 0x01, 0xDF, 0xC3, 0x11, 0x6C, 0xA9, 0x9E, 0x49, 0xB9, 0xF6,
+- 0x72, 0xF4, 0xF6, 0xEF, 0x88, 0x1E, 0x2D, 0x1C
++ 0x38, 0xDA, 0x99, 0x51, 0x26, 0x38, 0xC6, 0x7F, 0xC4, 0x81, 0x57, 0x19,
++ 0x35, 0xC6, 0xF6, 0x1E, 0x90, 0x47, 0x20, 0x55, 0x47, 0x56, 0x26, 0xE9,
++ 0xF2, 0xA8, 0x39, 0x6C, 0xD5, 0xCD, 0xCB, 0x55, 0xFC, 0x0C, 0xC5, 0xCB,
++ 0xF7, 0x40, 0x17, 0x3B, 0xCF, 0xE4, 0x05, 0x03, 0x3B, 0xA0, 0xB2, 0xC9,
++ 0x0D, 0x5E, 0x48, 0x3A, 0xE9, 0xAD, 0x28, 0x71, 0x7D, 0x8F, 0x89, 0x16,
++ 0x59, 0x93, 0x35, 0xDC, 0x4D, 0x7B, 0xDF, 0x84, 0xE4, 0x68, 0xAA, 0x33,
++ 0xAA, 0xDC, 0x66, 0x50, 0xC8, 0xA9, 0x32, 0x12, 0xDC, 0xC6, 0x90, 0x49,
++ 0x0B, 0x75, 0xFF, 0x9B, 0x95, 0x00, 0x9A, 0x90, 0xE0, 0xD4, 0x0E, 0x67,
++ 0xAB, 0x3C, 0x47, 0x36, 0xC5, 0x2E, 0x1C, 0x46, 0xF0, 0x2D, 0xD3, 0x8B,
++ 0x42, 0x08, 0xDE, 0x0D, 0xB6, 0x2C, 0x86, 0xB0, 0x35, 0x71, 0x18, 0x6B,
++ 0x89, 0x67, 0xC0, 0x05, 0xAD, 0xF4, 0x1D, 0x62, 0x4E, 0x75, 0xEC, 0xD6,
++ 0xC2, 0xDB, 0x07, 0xB0, 0xB6, 0x8D, 0x15, 0xAD, 0xCD, 0xBF, 0xF5, 0x60,
++ 0x76, 0xAE, 0x48, 0xB8, 0x77, 0x7F, 0xC5, 0x01, 0xD9, 0x29, 0xBB, 0xD6,
++ 0x17, 0xA2, 0x20, 0x5A, 0xC0, 0x4A, 0x3B, 0x34, 0xC8, 0xB9, 0x39, 0xCF,
++ 0x06, 0x89, 0x95, 0x6F, 0xC7, 0xCA, 0xC4, 0xE4, 0x43, 0xDF, 0x5A, 0x23,
++ 0xE2, 0x89, 0xA3, 0x38, 0x78, 0x31, 0x38, 0xC6, 0xA4, 0x6F, 0x5F, 0x73,
++ 0x5A, 0xE5, 0x9E, 0x09, 0xE7, 0x6F, 0xD4, 0xF8, 0x3E, 0xB7, 0xB0, 0x56,
++ 0x9A, 0xF3, 0x65, 0xF0, 0xC2, 0xA6, 0x8A, 0x08, 0xBA, 0x44, 0xAC, 0x97,
++ 0xDE, 0xB4, 0x16, 0x83, 0xDF, 0xE3, 0xEE, 0x71, 0xFA, 0xF9, 0x51, 0x50,
++ 0x14, 0xDC, 0xFD, 0x6A, 0x82, 0x20, 0x68, 0x64, 0x7D, 0x4E, 0x82, 0x68,
++ 0xD7, 0x45, 0xFA, 0x6A, 0xE4, 0xE5, 0x29, 0x3A, 0x70, 0xFB, 0xE4, 0x62,
++ 0x2B, 0x31, 0xB9, 0x7D
+ };
+
+ static const unsigned char kat_RSA_PSS_SHA384[] = {
+- 0x40, 0xFB, 0xA1, 0x21, 0xF4, 0xB2, 0x40, 0x9A, 0xB4, 0x31, 0xA8, 0xF2,
+- 0xEC, 0x1C, 0xC4, 0xC8, 0x7C, 0x22, 0x65, 0x9C, 0x57, 0x45, 0xCD, 0x5E,
+- 0x86, 0x00, 0xF7, 0x25, 0x78, 0xDE, 0xDC, 0x7A, 0x71, 0x44, 0x9A, 0xCD,
+- 0xAA, 0x25, 0xF4, 0xB2, 0xFC, 0xF0, 0x75, 0xD9, 0x2F, 0x78, 0x23, 0x7F,
+- 0x6F, 0x02, 0xEF, 0xC1, 0xAF, 0xA6, 0x28, 0x16, 0x31, 0xDC, 0x42, 0x6C,
+- 0xB2, 0x44, 0xE5, 0x4D, 0x66, 0xA2, 0xE6, 0x71, 0xF3, 0xAC, 0x4F, 0xFB,
+- 0x91, 0xCA, 0xF5, 0x70, 0xEF, 0x6B, 0x9D, 0xA4, 0xEF, 0xD9, 0x3D, 0x2F,
+- 0x3A, 0xBE, 0x89, 0x38, 0x59, 0x01, 0xBA, 0xDA, 0x32, 0xAD, 0x42, 0x89,
+- 0x98, 0x8B, 0x39, 0x44, 0xF0, 0xFC, 0x38, 0xAC, 0x87, 0x1F, 0xCA, 0x6F,
+- 0x48, 0xF6, 0xAE, 0xD7, 0x45, 0xEE, 0xAE, 0x88, 0x0E, 0x60, 0xF4, 0x55,
+- 0x48, 0x44, 0xEE, 0x1F, 0x90, 0x18, 0x4B, 0xF1
++ 0x99, 0x02, 0xC9, 0x1E, 0x31, 0x82, 0xB4, 0xE6, 0x1B, 0x32, 0xCE, 0x5D,
++ 0x41, 0x1D, 0x00, 0x2F, 0x04, 0x8B, 0xBD, 0x37, 0x79, 0xCF, 0x77, 0x03,
++ 0x05, 0x6A, 0x21, 0xC7, 0x8D, 0x24, 0x60, 0x49, 0x39, 0x58, 0xC5, 0x27,
++ 0x8F, 0xC5, 0x97, 0x4A, 0xB2, 0xE1, 0xD4, 0x36, 0x57, 0xBD, 0x43, 0xCC,
++ 0x7B, 0xCE, 0xF2, 0xA5, 0x30, 0xF8, 0x72, 0x14, 0xBB, 0xD0, 0x9F, 0xC1,
++ 0x49, 0xC8, 0x1C, 0xAF, 0xCD, 0x95, 0x78, 0x72, 0x25, 0xF9, 0x45, 0xC6,
++ 0x5B, 0x62, 0x5E, 0x01, 0xD7, 0x40, 0x5E, 0xC8, 0xCA, 0x0A, 0xF3, 0xBA,
++ 0x08, 0x07, 0x88, 0xCA, 0x49, 0x36, 0x84, 0x7D, 0xF6, 0xFC, 0x5A, 0xDB,
++ 0xFC, 0x50, 0xD3, 0xEB, 0x3D, 0x83, 0xB0, 0xF5, 0x94, 0x5E, 0x88, 0xC3,
++ 0x82, 0xCD, 0x53, 0x40, 0x96, 0x18, 0x6B, 0x4A, 0x6C, 0x9C, 0xFE, 0xE5,
++ 0x3B, 0x75, 0xF9, 0xEB, 0xA5, 0x77, 0x11, 0xEF, 0x88, 0x1C, 0x25, 0x70,
++ 0x7D, 0x88, 0x5D, 0xC3, 0xCA, 0xE1, 0x49, 0x14, 0x90, 0xAD, 0xF2, 0x5E,
++ 0x49, 0xD7, 0x99, 0xA5, 0x7B, 0x77, 0x3B, 0x8E, 0xB8, 0xDB, 0xF1, 0x4C,
++ 0xD6, 0x9A, 0xDC, 0xE5, 0x7A, 0x1C, 0xE1, 0xCE, 0x9D, 0xF1, 0xF3, 0xA0,
++ 0x0A, 0x35, 0x52, 0x9D, 0xB9, 0x46, 0x94, 0x82, 0x0F, 0xF7, 0xB2, 0x62,
++ 0x51, 0x70, 0x75, 0xD2, 0x37, 0x96, 0x67, 0x2F, 0xD0, 0x22, 0xD8, 0x07,
++ 0x8D, 0x69, 0x9E, 0x6D, 0x0B, 0x40, 0x4F, 0x70, 0xEC, 0x0B, 0xCA, 0x88,
++ 0x80, 0x8D, 0x9A, 0xF4, 0xF9, 0x18, 0x50, 0x27, 0x08, 0xFA, 0xCC, 0xC7,
++ 0x3F, 0xE4, 0x84, 0x83, 0xA1, 0xB6, 0x1D, 0x23, 0x34, 0xFE, 0x48, 0xE5,
++ 0xE3, 0xAE, 0x4D, 0x98, 0xBC, 0xA6, 0x8A, 0x9F, 0xFD, 0x4D, 0xDB, 0x9D,
++ 0xF7, 0xEB, 0x4E, 0xB6, 0x6F, 0x25, 0xEA, 0x7A, 0xE9, 0x85, 0xB2, 0xEF,
++ 0x90, 0xD2, 0xA6, 0x2B
+ };
+
+ static const unsigned char kat_RSA_PSS_SHA512[] = {
+- 0x07, 0x1E, 0xD8, 0xD5, 0x05, 0xE8, 0xE6, 0xE6, 0x57, 0xAE, 0x63, 0x8C,
+- 0xC6, 0x83, 0xB7, 0xA0, 0x59, 0xBB, 0xF2, 0xC6, 0x8F, 0x12, 0x53, 0x9A,
+- 0x9B, 0x54, 0x9E, 0xB3, 0xC1, 0x1D, 0x23, 0x4D, 0x51, 0xED, 0x9E, 0xDD,
+- 0x4B, 0xF3, 0x46, 0x9B, 0x6B, 0xF6, 0x7C, 0x24, 0x60, 0x79, 0x23, 0x39,
+- 0x01, 0x1C, 0x51, 0xCB, 0xD8, 0xE9, 0x9A, 0x01, 0x67, 0x5F, 0xFE, 0xD7,
+- 0x7C, 0xE3, 0x7F, 0xED, 0xDB, 0x87, 0xBB, 0xF0, 0x3D, 0x78, 0x55, 0x61,
+- 0x57, 0xE3, 0x0F, 0xE3, 0xD2, 0x9D, 0x0C, 0x2A, 0x20, 0xB0, 0x85, 0x13,
+- 0xC5, 0x47, 0x34, 0x0D, 0x32, 0x15, 0xC8, 0xAE, 0x9A, 0x6A, 0x39, 0x63,
+- 0x2D, 0x60, 0xF5, 0x4C, 0xDF, 0x8A, 0x48, 0x4B, 0xBF, 0xF4, 0xA8, 0xFE,
+- 0x76, 0xF2, 0x32, 0x1B, 0x9C, 0x7C, 0xCA, 0xFE, 0x7F, 0x80, 0xC2, 0x88,
+- 0x5C, 0x97, 0x70, 0xB4, 0x26, 0xC9, 0x14, 0x8B
++ 0x3F, 0x83, 0x43, 0x78, 0x25, 0xBE, 0x81, 0xB2, 0x6E, 0x78, 0x11, 0x32,
++ 0xD0, 0x88, 0x05, 0x53, 0x95, 0xED, 0x81, 0x12, 0xCE, 0x50, 0xD9, 0x06,
++ 0x42, 0x89, 0xA0, 0x55, 0x7A, 0x05, 0x13, 0x94, 0x35, 0x9B, 0xCA, 0x5D,
++ 0xCB, 0xB2, 0x32, 0xE1, 0x04, 0x99, 0xEC, 0xE7, 0xA6, 0x69, 0x4D, 0x2B,
++ 0xC1, 0x57, 0x13, 0x48, 0x0D, 0x6B, 0x4D, 0x83, 0x28, 0x06, 0x79, 0x9D,
++ 0xB4, 0x70, 0xCE, 0xC0, 0xFC, 0x3B, 0x69, 0xB3, 0x91, 0x54, 0xA9, 0x44,
++ 0x2E, 0xDA, 0x4A, 0xC5, 0xC2, 0x99, 0xF0, 0xDE, 0xCA, 0x77, 0x99, 0x6B,
++ 0x0C, 0x79, 0xE5, 0x29, 0x74, 0x83, 0x69, 0xEA, 0xB8, 0x72, 0x30, 0x3D,
++ 0x7A, 0x30, 0xE1, 0x03, 0x7B, 0x09, 0xE6, 0x11, 0xC0, 0xDC, 0xFF, 0xFD,
++ 0xBD, 0xEC, 0x9C, 0xCC, 0x46, 0x7B, 0x4C, 0x4C, 0x59, 0xBE, 0x82, 0x7C,
++ 0xF5, 0x60, 0x5A, 0xC3, 0xE8, 0xA8, 0x8A, 0x38, 0x9E, 0x01, 0x57, 0xF1,
++ 0x79, 0x3A, 0x7C, 0xA3, 0x9F, 0x12, 0x1A, 0x4F, 0x2E, 0xA2, 0xE5, 0x0A,
++ 0xAB, 0xC0, 0xF4, 0xA5, 0xE3, 0x5F, 0x89, 0x1C, 0x8F, 0xA4, 0x5E, 0xCE,
++ 0x0D, 0x91, 0x05, 0x1B, 0x17, 0x62, 0x48, 0xFE, 0xA5, 0x4C, 0xEF, 0x2D,
++ 0x28, 0xF1, 0x5E, 0xE6, 0xD1, 0x30, 0x89, 0x0A, 0xAD, 0x18, 0xAF, 0x6F,
++ 0x04, 0x09, 0x36, 0x9A, 0xFF, 0xCA, 0xA1, 0xA7, 0x05, 0x7F, 0xD4, 0xBF,
++ 0x3A, 0xB5, 0x42, 0x6D, 0xE9, 0x07, 0x29, 0x65, 0x8B, 0xAD, 0x4D, 0x0F,
++ 0x22, 0xE1, 0x59, 0x43, 0x68, 0x87, 0xA8, 0x8B, 0xBC, 0x69, 0xA1, 0x94,
++ 0x22, 0x3E, 0x8A, 0x49, 0xE8, 0xA3, 0x6F, 0xC2, 0x93, 0x58, 0xE7, 0xAE,
++ 0xC9, 0x1F, 0xCF, 0x61, 0x93, 0xFC, 0xC1, 0xF6, 0xF3, 0x27, 0x7F, 0x0A,
++ 0x90, 0xE0, 0x65, 0x32, 0x57, 0x47, 0xE2, 0xED, 0x08, 0x59, 0xA6, 0xF0,
++ 0x17, 0x2C, 0x13, 0xE0
+ };
+
+ static const unsigned char kat_RSA_SHA1[] = {
+- 0x71, 0xEE, 0x1A, 0xC0, 0xFE, 0x01, 0x93, 0x54, 0x79, 0x5C, 0xF2, 0x4C,
+- 0x4A, 0xFD, 0x1A, 0x05, 0x8F, 0x64, 0xB1, 0x6D, 0x61, 0x33, 0x8D, 0x9B,
+- 0xE7, 0xFD, 0x60, 0xA3, 0x83, 0xB5, 0xA3, 0x51, 0x55, 0x77, 0x90, 0xCF,
+- 0xDC, 0x22, 0x37, 0x8E, 0xD0, 0xE1, 0xAE, 0x09, 0xE3, 0x3D, 0x1E, 0xF8,
+- 0x80, 0xD1, 0x8B, 0xC2, 0xEC, 0x0A, 0xD7, 0x6B, 0x88, 0x8B, 0x8B, 0xA1,
+- 0x20, 0x22, 0xBE, 0x59, 0x5B, 0xE0, 0x23, 0x24, 0xA1, 0x49, 0x30, 0xBA,
+- 0xA9, 0x9E, 0xE8, 0xB1, 0x8A, 0x62, 0x16, 0xBF, 0x4E, 0xCA, 0x2E, 0x4E,
+- 0xBC, 0x29, 0xA8, 0x67, 0x13, 0xB7, 0x9F, 0x1D, 0x04, 0x44, 0xE5, 0x5F,
+- 0x35, 0x07, 0x11, 0xBC, 0xED, 0x19, 0x37, 0x21, 0xCF, 0x23, 0x48, 0x1F,
+- 0x72, 0x05, 0xDE, 0xE6, 0xE8, 0x7F, 0x33, 0x8A, 0x76, 0x4B, 0x2F, 0x95,
+- 0xDF, 0xF1, 0x5F, 0x84, 0x80, 0xD9, 0x46, 0xB4
++ 0x3B, 0x60, 0x4B, 0xFC, 0x54, 0x28, 0x23, 0xE6, 0x2F, 0x05, 0x04, 0xBA,
++ 0x9D, 0xE4, 0x3C, 0xB8, 0x5B, 0x60, 0x5C, 0xCD, 0x9D, 0xEA, 0xC3, 0x4C,
++ 0xC2, 0x33, 0xE6, 0xC6, 0x21, 0x48, 0x76, 0xEC, 0xB2, 0xF5, 0x11, 0xDE,
++ 0x44, 0xB4, 0xAF, 0x16, 0x11, 0xC3, 0x18, 0x16, 0xB3, 0x69, 0xBB, 0x94,
++ 0xED, 0xE8, 0xB3, 0x9E, 0xB1, 0x43, 0x8E, 0xCE, 0xB4, 0x34, 0x9B, 0x08,
++ 0x22, 0xAF, 0x31, 0x73, 0xB5, 0xFA, 0x11, 0x7E, 0x8F, 0x13, 0x52, 0xEC,
++ 0xC9, 0x03, 0xEE, 0x0D, 0x2B, 0x91, 0x32, 0xF2, 0x8E, 0xDF, 0x02, 0xE0,
++ 0x0A, 0x47, 0xD2, 0x0A, 0x51, 0x00, 0x1A, 0x30, 0x6F, 0x0C, 0xB3, 0x54,
++ 0x64, 0x20, 0x90, 0x0C, 0x01, 0xBE, 0xC0, 0x42, 0x8C, 0x5D, 0x18, 0x6F,
++ 0x32, 0x75, 0x45, 0x7B, 0x1C, 0x04, 0xA2, 0x9F, 0x84, 0xD7, 0xF5, 0x3A,
++ 0x95, 0xD4, 0xE8, 0x8D, 0xEC, 0x99, 0xEF, 0x18, 0x5E, 0x64, 0xD3, 0xAF,
++ 0xF8, 0xD4, 0xFF, 0x3C, 0x87, 0xA0, 0x3F, 0xC7, 0x22, 0x05, 0xFD, 0xFD,
++ 0x29, 0x8A, 0x28, 0xDA, 0xA9, 0x8A, 0x8B, 0x23, 0x62, 0x9D, 0x42, 0xB8,
++ 0x4A, 0x76, 0x0D, 0x9F, 0x9A, 0xE0, 0xE6, 0xDD, 0xAD, 0x5E, 0x5F, 0xD5,
++ 0x32, 0xE9, 0x4B, 0x97, 0x7D, 0x62, 0x0A, 0xB3, 0xBE, 0xF2, 0x8C, 0x1F,
++ 0x2B, 0x22, 0x06, 0x15, 0x33, 0x71, 0xED, 0x9B, 0xA0, 0x82, 0xCE, 0xBF,
++ 0x3B, 0x08, 0x5F, 0xA7, 0x20, 0x94, 0x09, 0xEB, 0x82, 0xA5, 0x41, 0x60,
++ 0xF1, 0x08, 0xEB, 0x8D, 0xCC, 0x8D, 0xC9, 0x52, 0x0A, 0xAF, 0xF4, 0xF9,
++ 0x9F, 0x82, 0xD8, 0x0B, 0x75, 0x5E, 0xE4, 0xAF, 0x65, 0x96, 0xAF, 0xFC,
++ 0x33, 0xBF, 0x9F, 0x3E, 0xA4, 0x7B, 0x86, 0xC7, 0xF7, 0x47, 0xAB, 0x37,
++ 0x05, 0xD6, 0x0D, 0x31, 0x72, 0x8C, 0x80, 0x1E, 0xA9, 0x54, 0xFC, 0xDF,
++ 0x27, 0x90, 0xE2, 0x01
+ };
+
+ static const unsigned char kat_RSA_SHA224[] = {
+- 0x62, 0xAA, 0x79, 0xA9, 0x18, 0x0E, 0x5F, 0x8C, 0xBB, 0xB7, 0x15, 0xF9,
+- 0x25, 0xBB, 0xFA, 0xD4, 0x3A, 0x34, 0xED, 0x9E, 0xA0, 0xA9, 0x18, 0x8D,
+- 0x5B, 0x55, 0x9A, 0x7E, 0x1E, 0x08, 0x08, 0x60, 0xC5, 0x1A, 0xC5, 0x89,
+- 0x08, 0xE2, 0x1B, 0xBD, 0x62, 0x50, 0x17, 0x76, 0x30, 0x2C, 0x9E, 0xCD,
+- 0xA4, 0x02, 0xAD, 0xB1, 0x6D, 0x44, 0x6D, 0xD5, 0xC6, 0x45, 0x41, 0xE5,
+- 0xEE, 0x1F, 0x8D, 0x7E, 0x08, 0x16, 0xA6, 0xE1, 0x5E, 0x0B, 0xA9, 0xCC,
+- 0xDB, 0x59, 0x55, 0x87, 0x09, 0x25, 0x70, 0x86, 0x84, 0x02, 0xC6, 0x3B,
+- 0x0B, 0x44, 0x4C, 0x46, 0x95, 0xF4, 0xF8, 0x5A, 0x91, 0x28, 0x3E, 0xB2,
+- 0x58, 0x2E, 0x06, 0x45, 0x49, 0xE0, 0x92, 0xE2, 0xC0, 0x66, 0xE6, 0x35,
+- 0xD9, 0x79, 0x7F, 0x17, 0x5E, 0x02, 0x73, 0x04, 0x77, 0x82, 0xE6, 0xDC,
+- 0x40, 0x21, 0x89, 0x8B, 0x37, 0x3E, 0x1E, 0x8D
++ 0xA2, 0xD8, 0x42, 0x53, 0xDD, 0xBF, 0x1F, 0x6B, 0x07, 0xE0, 0x60, 0x86,
++ 0x5A, 0x60, 0x06, 0x8F, 0x44, 0xD9, 0xB0, 0x4A, 0xAA, 0x90, 0x71, 0xB8,
++ 0xB2, 0xBC, 0x30, 0x41, 0x50, 0xBB, 0xFD, 0x46, 0x98, 0x4D, 0xC0, 0x89,
++ 0x57, 0x85, 0x8A, 0x97, 0x49, 0x25, 0xA8, 0x0C, 0x69, 0x70, 0x19, 0x39,
++ 0x66, 0x24, 0xB4, 0x69, 0x47, 0xD2, 0x7C, 0xDE, 0x2D, 0x37, 0x59, 0xB3,
++ 0xE3, 0xC7, 0x6B, 0xDD, 0xBE, 0xE1, 0xE6, 0x28, 0x9A, 0x8D, 0x42, 0x3E,
++ 0x28, 0x01, 0xD7, 0x03, 0xC9, 0x73, 0xC3, 0x6B, 0x03, 0xEC, 0x1E, 0xF8,
++ 0x53, 0x8B, 0x52, 0x42, 0x89, 0x55, 0xB7, 0x87, 0xA9, 0x94, 0xC2, 0xB4,
++ 0x4B, 0x76, 0xF5, 0x61, 0x47, 0xE1, 0x44, 0x7B, 0xEC, 0xB4, 0x25, 0x66,
++ 0xC0, 0xFF, 0xEB, 0x86, 0x24, 0xAA, 0xA8, 0x72, 0xC7, 0xFB, 0xFB, 0xF6,
++ 0x84, 0xA7, 0x5B, 0xD4, 0x87, 0xE5, 0x84, 0x56, 0x1E, 0x4C, 0xE5, 0xBC,
++ 0x87, 0x94, 0xAC, 0x9C, 0x1B, 0x3D, 0xF7, 0xD4, 0x36, 0x85, 0x9F, 0xC9,
++ 0xF6, 0x43, 0x3F, 0xB6, 0x25, 0x33, 0x48, 0x0F, 0xE5, 0x7C, 0xCD, 0x53,
++ 0x48, 0xEB, 0x02, 0x11, 0xB9, 0x9E, 0xC3, 0xB4, 0xE1, 0x54, 0xD6, 0xAA,
++ 0x1A, 0x9E, 0x10, 0xE1, 0x27, 0x25, 0xF2, 0xE1, 0xAB, 0xAB, 0x6C, 0x45,
++ 0x61, 0xD5, 0xA3, 0x6C, 0xB6, 0x33, 0x52, 0xAE, 0x3D, 0xFD, 0x22, 0xFC,
++ 0x3A, 0xAB, 0x63, 0x94, 0xB5, 0x3A, 0x69, 0x11, 0xAC, 0x99, 0x4F, 0x33,
++ 0x67, 0x0A, 0x1A, 0x70, 0x1E, 0xB9, 0xE2, 0x26, 0x27, 0x68, 0xEA, 0xF5,
++ 0x97, 0x55, 0xAC, 0x83, 0x6A, 0x40, 0x3B, 0x56, 0xAE, 0x13, 0x88, 0xE8,
++ 0x98, 0x72, 0x52, 0x91, 0x7F, 0x78, 0x0A, 0x18, 0xD4, 0x44, 0x78, 0x83,
++ 0x0D, 0x44, 0x77, 0xA6, 0xF3, 0x04, 0xF1, 0x8C, 0xBC, 0x2F, 0xF9, 0x5B,
++ 0xDB, 0x70, 0x00, 0xF6
+ };
+
+ static const unsigned char kat_RSA_SHA256[] = {
+- 0x0D, 0x55, 0xE2, 0xAA, 0x81, 0xDB, 0x8E, 0x82, 0x05, 0x17, 0xA5, 0x23,
+- 0xE7, 0x3B, 0x1D, 0xAF, 0xFB, 0x8C, 0xD0, 0x81, 0x20, 0x7B, 0xAA, 0x23,
+- 0x92, 0x87, 0x8C, 0xD1, 0x53, 0x85, 0x16, 0xDC, 0xBE, 0xAD, 0x6F, 0x35,
+- 0x98, 0x2D, 0x69, 0x84, 0xBF, 0xD9, 0x8A, 0x01, 0x17, 0x58, 0xB2, 0x6E,
+- 0x2C, 0x44, 0x9B, 0x90, 0xF1, 0xFB, 0x51, 0xE8, 0x6A, 0x90, 0x2D, 0x18,
+- 0x0E, 0xC0, 0x90, 0x10, 0x24, 0xA9, 0x1D, 0xB3, 0x58, 0x7A, 0x91, 0x30,
+- 0xBE, 0x22, 0xC7, 0xD3, 0xEC, 0xC3, 0x09, 0x5D, 0xBF, 0xE2, 0x80, 0x3A,
+- 0x7C, 0x85, 0xB4, 0xBC, 0xD1, 0xE9, 0xF0, 0x5C, 0xDE, 0x81, 0xA6, 0x38,
+- 0xB8, 0x42, 0xBB, 0x86, 0xC5, 0x9D, 0xCE, 0x7C, 0x2C, 0xEE, 0xD1, 0xDA,
+- 0x27, 0x48, 0x2B, 0xF5, 0xAB, 0xB9, 0xF7, 0x80, 0xD1, 0x90, 0x27, 0x90,
+- 0xBD, 0x44, 0x97, 0x60, 0xCD, 0x57, 0xC0, 0x7A
++ 0xC2, 0xB1, 0x97, 0x00, 0x9A, 0xE5, 0x80, 0x6A, 0xE2, 0x51, 0x68, 0xB9,
++ 0x7A, 0x0C, 0xF2, 0xB4, 0x77, 0xED, 0x15, 0x0C, 0x4E, 0xE1, 0xDC, 0xFF,
++ 0x8E, 0xBC, 0xDE, 0xC7, 0x9A, 0x96, 0xF1, 0x47, 0x45, 0x24, 0x9D, 0x6F,
++ 0xA6, 0xF3, 0x1D, 0x0D, 0x35, 0x4C, 0x1A, 0xF3, 0x58, 0x2C, 0x6C, 0x06,
++ 0xD6, 0x22, 0x37, 0x77, 0x8C, 0x33, 0xE5, 0x07, 0x53, 0x93, 0x28, 0xCF,
++ 0x67, 0xFA, 0xC4, 0x1F, 0x1B, 0x24, 0xDB, 0x4C, 0xC5, 0x2A, 0x51, 0xA2,
++ 0x60, 0x15, 0x8C, 0x54, 0xB4, 0x30, 0xE2, 0x24, 0x47, 0x86, 0xF2, 0xF8,
++ 0x6C, 0xD6, 0x12, 0x59, 0x2C, 0x74, 0x9A, 0x37, 0xF3, 0xC4, 0xA2, 0xD5,
++ 0x4E, 0x1F, 0x77, 0xF0, 0x27, 0xCE, 0x77, 0xF8, 0x4A, 0x79, 0x03, 0xBE,
++ 0xC8, 0x06, 0x2D, 0xA7, 0xA6, 0x46, 0xF5, 0x55, 0x79, 0xD7, 0x5C, 0xC6,
++ 0x5B, 0xB1, 0x00, 0x4E, 0x7C, 0xD9, 0x11, 0x85, 0xE0, 0xB1, 0x4D, 0x2D,
++ 0x13, 0xD7, 0xAC, 0xEA, 0x64, 0xD1, 0xAC, 0x8F, 0x8D, 0x8F, 0xEA, 0x42,
++ 0x7F, 0xF9, 0xB7, 0x7D, 0x2C, 0x68, 0x49, 0x07, 0x7A, 0x74, 0xEF, 0xB4,
++ 0xC9, 0x97, 0x16, 0x5C, 0x6C, 0x6E, 0x5C, 0x09, 0x2E, 0x8E, 0x13, 0x2E,
++ 0x1A, 0x8D, 0xA6, 0x0C, 0x6E, 0x0C, 0x1C, 0x0F, 0xCC, 0xB2, 0x78, 0x8A,
++ 0x07, 0xFC, 0x5C, 0xC2, 0xF5, 0x65, 0xEC, 0xAB, 0x8B, 0x3C, 0xCA, 0x91,
++ 0x6F, 0x84, 0x7C, 0x21, 0x0E, 0xB8, 0xDA, 0x7B, 0x6C, 0xF7, 0xDF, 0xAB,
++ 0x7E, 0x15, 0xFD, 0x85, 0x0B, 0x33, 0x9B, 0x6A, 0x3A, 0xC3, 0xEF, 0x65,
++ 0x04, 0x6E, 0xB2, 0xAC, 0x98, 0xFD, 0xEB, 0x02, 0xF5, 0xC0, 0x0B, 0x5E,
++ 0xCB, 0xD4, 0x83, 0x82, 0x18, 0x1B, 0xDA, 0xB4, 0xCD, 0xE8, 0x71, 0x6B,
++ 0x1D, 0xB5, 0x4F, 0xE9, 0xD6, 0x43, 0xA0, 0x0A, 0x14, 0xA0, 0xE7, 0x5D,
++ 0x47, 0x9D, 0x18, 0xD7
+ };
+
+ static const unsigned char kat_RSA_SHA384[] = {
+- 0x1D, 0xE3, 0x6A, 0xDD, 0x27, 0x4C, 0xC0, 0xA5, 0x27, 0xEF, 0xE6, 0x1F,
+- 0xD2, 0x91, 0x68, 0x59, 0x04, 0xAE, 0xBD, 0x99, 0x63, 0x56, 0x47, 0xC7,
+- 0x6F, 0x22, 0x16, 0x48, 0xD0, 0xF9, 0x18, 0xA9, 0xCA, 0xFA, 0x5D, 0x5C,
+- 0xA7, 0x65, 0x52, 0x8A, 0xC8, 0x44, 0x7E, 0x86, 0x5D, 0xA9, 0xA6, 0x55,
+- 0x65, 0x3E, 0xD9, 0x2D, 0x02, 0x38, 0xA8, 0x79, 0x28, 0x7F, 0xB6, 0xCF,
+- 0x82, 0xDD, 0x7E, 0x55, 0xE1, 0xB1, 0xBC, 0xE2, 0x19, 0x2B, 0x30, 0xC2,
+- 0x1B, 0x2B, 0xB0, 0x82, 0x46, 0xAC, 0x4B, 0xD1, 0xE2, 0x7D, 0xEB, 0x8C,
+- 0xFF, 0x95, 0xE9, 0x6A, 0x1C, 0x3D, 0x4D, 0xBF, 0x8F, 0x8B, 0x9C, 0xCD,
+- 0xEA, 0x85, 0xEE, 0x00, 0xDC, 0x1C, 0xA7, 0xEB, 0xD0, 0x8F, 0x99, 0xF1,
+- 0x16, 0x28, 0x24, 0x64, 0x04, 0x39, 0x2D, 0x58, 0x1E, 0x37, 0xDC, 0x04,
+- 0xBD, 0x31, 0xA2, 0x2F, 0xB3, 0x35, 0x56, 0xBF
++ 0x11, 0x5E, 0x63, 0xFE, 0x47, 0xAA, 0x6A, 0x84, 0xEB, 0x44, 0x9A, 0x00,
++ 0x96, 0x4A, 0xED, 0xD2, 0xA7, 0x67, 0x3A, 0x64, 0x82, 0x30, 0x61, 0x2D,
++ 0xE3, 0xF5, 0x49, 0x68, 0x5E, 0x60, 0xD2, 0x4D, 0xEF, 0xF2, 0xA4, 0xB2,
++ 0x9A, 0x81, 0x1D, 0x41, 0xA5, 0x73, 0x59, 0xEB, 0xBB, 0xC4, 0x9E, 0x2B,
++ 0xEB, 0xC3, 0xDE, 0x3A, 0xEA, 0xF5, 0xAD, 0xDA, 0x87, 0x08, 0x68, 0xCF,
++ 0x12, 0x9B, 0xC1, 0xE4, 0xA7, 0x71, 0xF8, 0xBD, 0x6B, 0x6F, 0x50, 0xF1,
++ 0xD1, 0xFF, 0xCE, 0x6C, 0xD9, 0xBE, 0xDA, 0x76, 0xF3, 0xEB, 0xAB, 0x9C,
++ 0x41, 0x6E, 0x4F, 0x35, 0x7A, 0x61, 0x27, 0xBC, 0x03, 0x3E, 0xAE, 0x3E,
++ 0x1B, 0xDD, 0xAC, 0xD9, 0x1A, 0xFF, 0xD3, 0xF5, 0x66, 0x43, 0x07, 0x76,
++ 0x8A, 0x69, 0x2D, 0x14, 0xB1, 0xBE, 0x55, 0x49, 0x90, 0x89, 0x4B, 0xC4,
++ 0x11, 0x67, 0xD5, 0x9D, 0xB0, 0xB2, 0xEE, 0x8D, 0x0A, 0x47, 0x4A, 0xD9,
++ 0x0E, 0xD1, 0x24, 0xF0, 0x30, 0x2B, 0xF2, 0x79, 0x47, 0xDB, 0x70, 0xB4,
++ 0x46, 0xF2, 0xF8, 0xB7, 0xB4, 0xF6, 0x34, 0x79, 0xA8, 0x2D, 0x3D, 0x56,
++ 0xD5, 0x9A, 0x60, 0x7A, 0x04, 0xC7, 0x66, 0x1D, 0xCD, 0x3C, 0xD5, 0x39,
++ 0x37, 0x12, 0x51, 0x5E, 0x9F, 0xF8, 0x1A, 0xAF, 0x13, 0xC1, 0x13, 0x00,
++ 0x35, 0xD5, 0x8D, 0x17, 0xE3, 0x02, 0x28, 0xD9, 0xEC, 0xDE, 0xD1, 0x2F,
++ 0x93, 0x49, 0x03, 0x11, 0x3E, 0x56, 0x9D, 0xC2, 0x31, 0xF8, 0xAF, 0x2D,
++ 0xD9, 0x99, 0xB7, 0x8A, 0xAC, 0x5A, 0x86, 0x20, 0x3A, 0x83, 0x29, 0x26,
++ 0x9D, 0x03, 0x52, 0x2B, 0x34, 0x56, 0x40, 0x16, 0x53, 0x50, 0x82, 0xC9,
++ 0xC7, 0xD5, 0x51, 0x4C, 0xED, 0xB3, 0xE2, 0xE1, 0xCF, 0xA8, 0xCE, 0xBD,
++ 0xB1, 0x48, 0xA6, 0x8A, 0x79, 0x17, 0x55, 0x11, 0xEF, 0xE8, 0x14, 0xF4,
++ 0x7E, 0x37, 0x1D, 0x96
+ };
+
+ static const unsigned char kat_RSA_SHA512[] = {
+- 0x69, 0x52, 0x1B, 0x51, 0x5E, 0x06, 0xCA, 0x9B, 0x16, 0x51, 0x5D, 0xCF,
+- 0x49, 0x25, 0x4A, 0xA1, 0x6A, 0x77, 0x4C, 0x36, 0x40, 0xF8, 0xB2, 0x9A,
+- 0x15, 0xEA, 0x5C, 0xE5, 0xE6, 0x82, 0xE0, 0x86, 0x82, 0x6B, 0x32, 0xF1,
+- 0x04, 0xC1, 0x5A, 0x1A, 0xED, 0x1E, 0x9A, 0xB6, 0x4C, 0x54, 0x9F, 0xD8,
+- 0x8D, 0xCC, 0xAC, 0x8A, 0xBB, 0x9C, 0x82, 0x3F, 0xA6, 0x53, 0x62, 0xB5,
+- 0x80, 0xE2, 0xBC, 0xDD, 0x67, 0x2B, 0xD9, 0x3F, 0xE4, 0x75, 0x92, 0x6B,
+- 0xAF, 0x62, 0x7C, 0x52, 0xF0, 0xEE, 0x33, 0xDF, 0x1B, 0x1D, 0x47, 0xE6,
+- 0x59, 0x56, 0xA5, 0xB9, 0x5C, 0xE6, 0x77, 0x78, 0x16, 0x63, 0x84, 0x05,
+- 0x6F, 0x0E, 0x2B, 0x31, 0x9D, 0xF7, 0x7F, 0xB2, 0x64, 0x71, 0xE0, 0x2D,
+- 0x3E, 0x62, 0xCE, 0xB5, 0x3F, 0x88, 0xDF, 0x2D, 0xAB, 0x98, 0x65, 0x91,
+- 0xDF, 0x70, 0x14, 0xA5, 0x3F, 0x36, 0xAB, 0x84
++ 0x35, 0x6D, 0xF1, 0x9E, 0xCF, 0xB1, 0xF6, 0x0C, 0x04, 0x21, 0x17, 0xB3,
++ 0xC4, 0x9D, 0xFE, 0x62, 0x1C, 0x1A, 0x45, 0x00, 0x2E, 0x6B, 0xB6, 0x9F,
++ 0x5C, 0xB1, 0xCB, 0xCF, 0xF9, 0x67, 0xEA, 0x62, 0x8A, 0xEB, 0x77, 0x02,
++ 0x42, 0x30, 0x88, 0xB1, 0x48, 0xDF, 0x12, 0x60, 0x6E, 0x92, 0xBB, 0x4B,
++ 0x09, 0x68, 0xD1, 0x70, 0x2B, 0x59, 0xEE, 0x57, 0x96, 0xF9, 0xEA, 0xA3,
++ 0x4C, 0xE9, 0xC9, 0xBD, 0x25, 0x34, 0x66, 0x15, 0x6C, 0xC9, 0x81, 0xD1,
++ 0x48, 0x0F, 0x33, 0x5F, 0x05, 0x4F, 0xC2, 0xC4, 0xDD, 0x09, 0x54, 0x79,
++ 0xA1, 0x57, 0x07, 0x70, 0xA0, 0x33, 0x02, 0x4D, 0x5D, 0xE9, 0x24, 0xD1,
++ 0xEF, 0xF0, 0x61, 0xD0, 0x1D, 0x41, 0xE2, 0x9B, 0x2B, 0x7C, 0xD0, 0x4E,
++ 0x55, 0xD9, 0x6D, 0xA1, 0x16, 0x9F, 0xDA, 0xC3, 0x3B, 0xF1, 0x74, 0xD1,
++ 0x99, 0xF1, 0x63, 0x57, 0xAD, 0xC7, 0x55, 0xF4, 0x97, 0x43, 0x1C, 0xED,
++ 0x1B, 0x7A, 0x32, 0xCB, 0x24, 0xA6, 0x3D, 0x93, 0x37, 0x90, 0x74, 0xEE,
++ 0xD2, 0x8D, 0x4B, 0xBC, 0x72, 0xDA, 0x25, 0x2B, 0x64, 0xE9, 0xCA, 0x69,
++ 0x36, 0xB6, 0xEC, 0x6E, 0x8F, 0x33, 0x0E, 0x74, 0x40, 0x48, 0x51, 0xE2,
++ 0x54, 0x6F, 0xAF, 0x6E, 0x36, 0x54, 0x3A, 0xEC, 0x78, 0x37, 0xE6, 0x1F,
++ 0x76, 0xA5, 0x4D, 0xA6, 0xD9, 0xB3, 0x6B, 0x17, 0x6D, 0x61, 0xFC, 0xA3,
++ 0x85, 0x4A, 0xCC, 0xDA, 0x52, 0xAC, 0x5B, 0xDA, 0x51, 0xE5, 0x7F, 0x5B,
++ 0x52, 0x8B, 0x74, 0x75, 0x99, 0x5C, 0x01, 0xFD, 0x25, 0x3E, 0xCD, 0x86,
++ 0x6F, 0x7A, 0xC0, 0xD8, 0x17, 0x6F, 0xD1, 0xD2, 0x6B, 0xAB, 0x14, 0x1F,
++ 0x3B, 0xB8, 0x15, 0x05, 0x86, 0x40, 0x36, 0xCF, 0xDA, 0x59, 0x2B, 0x9A,
++ 0xE9, 0x1E, 0x6E, 0xD3, 0x6B, 0xA1, 0x19, 0xC5, 0xE6, 0x3F, 0xE9, 0x2E,
++ 0x43, 0xA8, 0x34, 0x0A
+ };
+
+-static const unsigned char kat_RSA_X931_SHA1[] = {
+- 0x86, 0xB4, 0x18, 0xBA, 0xD1, 0x80, 0xB6, 0x7C, 0x42, 0x45, 0x4D, 0xDF,
+- 0xE9, 0x2D, 0xE1, 0x83, 0x5F, 0xB5, 0x2F, 0xC9, 0xCD, 0xC4, 0xB2, 0x75,
+- 0x80, 0xA4, 0xF1, 0x4A, 0xE7, 0x83, 0x12, 0x1E, 0x1E, 0x14, 0xB8, 0xAC,
+- 0x35, 0xE2, 0xAA, 0x0B, 0x5C, 0xF8, 0x38, 0x4D, 0x04, 0xEE, 0xA9, 0x97,
+- 0x70, 0xFB, 0x5E, 0xE7, 0xB7, 0xE3, 0x62, 0x23, 0x4B, 0x38, 0xBE, 0xD6,
+- 0x53, 0x15, 0xF7, 0xDF, 0x87, 0xB4, 0x0E, 0xCC, 0xB1, 0x1A, 0x11, 0x19,
+- 0xEE, 0x51, 0xCC, 0x92, 0xDD, 0xBC, 0x63, 0x29, 0x63, 0x0C, 0x59, 0xD7,
+- 0x6F, 0x4C, 0x3C, 0x37, 0x5B, 0x37, 0x03, 0x61, 0x7D, 0x24, 0x1C, 0x99,
+- 0x48, 0xAF, 0x82, 0xFE, 0x32, 0x41, 0x9B, 0xB2, 0xDB, 0xEA, 0xED, 0x76,
+- 0x8E, 0x6E, 0xCA, 0x7E, 0x4E, 0x14, 0xBA, 0x30, 0x84, 0x1C, 0xB3, 0x67,
+- 0xA3, 0x29, 0x80, 0x70, 0x54, 0x68, 0x7D, 0x49
+-};
++static int fips_rsa_encrypt_test(RSA *rsa, const unsigned char *plaintext,
++ int ptlen)
++{
++ unsigned char *ctbuf = NULL, *ptbuf = NULL;
++ int ret = 0;
++ int len;
+
+-static const unsigned char kat_RSA_X931_SHA256[] = {
+- 0x7E, 0xA2, 0x77, 0xFE, 0xB8, 0x54, 0x8A, 0xC7, 0x7F, 0x64, 0x54, 0x89,
+- 0xE5, 0x52, 0x15, 0x8E, 0x52, 0x96, 0x4E, 0xA6, 0x58, 0x92, 0x1C, 0xDD,
+- 0xEA, 0xA2, 0x2D, 0x5C, 0xD1, 0x62, 0x00, 0x49, 0x05, 0x95, 0x73, 0xCF,
+- 0x16, 0x76, 0x68, 0xF6, 0xC6, 0x5E, 0x80, 0xB8, 0xB8, 0x7B, 0xC8, 0x9B,
+- 0xC6, 0x53, 0x88, 0x26, 0x20, 0x88, 0x73, 0xB6, 0x13, 0xB8, 0xF0, 0x4B,
+- 0x00, 0x85, 0xF3, 0xDD, 0x07, 0x50, 0xEB, 0x20, 0xC4, 0x38, 0x0E, 0x98,
+- 0xAD, 0x4E, 0x49, 0x2C, 0xD7, 0x65, 0xA5, 0x19, 0x0E, 0x59, 0x01, 0xEC,
+- 0x7E, 0x75, 0x89, 0x69, 0x2E, 0x63, 0x76, 0x85, 0x46, 0x8D, 0xA0, 0x8C,
+- 0x33, 0x1D, 0x82, 0x8C, 0x03, 0xEA, 0x69, 0x88, 0x35, 0xA1, 0x42, 0xBD,
+- 0x21, 0xED, 0x8D, 0xBC, 0xBC, 0xDB, 0x30, 0xFF, 0x86, 0xF0, 0x5B, 0xDC,
+- 0xE3, 0xE2, 0xE8, 0x0A, 0x0A, 0x29, 0x94, 0x80
+-};
++ ctbuf = OPENSSL_malloc(RSA_size(rsa));
++ if (!ctbuf)
++ goto err;
+
+-static const unsigned char kat_RSA_X931_SHA384[] = {
+- 0x5C, 0x7D, 0x96, 0x35, 0xEC, 0x7E, 0x11, 0x38, 0xBB, 0x7B, 0xEC, 0x7B,
+- 0xF2, 0x82, 0x8E, 0x99, 0xBD, 0xEF, 0xD8, 0xAE, 0xD7, 0x39, 0x37, 0xCB,
+- 0xE6, 0x4F, 0x5E, 0x0A, 0x13, 0xE4, 0x2E, 0x40, 0xB9, 0xBE, 0x2E, 0xE3,
+- 0xEF, 0x78, 0x83, 0x18, 0x44, 0x35, 0x9C, 0x8E, 0xD7, 0x4A, 0x63, 0xF6,
+- 0x57, 0xC2, 0xB0, 0x08, 0x51, 0x73, 0xCF, 0xCA, 0x99, 0x66, 0xEE, 0x31,
+- 0xD8, 0x69, 0xE9, 0xAB, 0x13, 0x27, 0x7B, 0x41, 0x1E, 0x6D, 0x8D, 0xF1,
+- 0x3E, 0x9C, 0x35, 0x95, 0x58, 0xDD, 0x2B, 0xD5, 0xA0, 0x60, 0x41, 0x79,
+- 0x24, 0x22, 0xE4, 0xB7, 0xBF, 0x47, 0x53, 0xF6, 0x34, 0xD5, 0x7C, 0xFF,
+- 0x0E, 0x09, 0xEE, 0x2E, 0xE2, 0x37, 0xB9, 0xDE, 0xC5, 0x12, 0x44, 0x35,
+- 0xEF, 0x01, 0xE6, 0x5E, 0x39, 0x31, 0x2D, 0x71, 0xA5, 0xDC, 0xC6, 0x6D,
+- 0xE2, 0xCD, 0x85, 0xDB, 0x73, 0x82, 0x65, 0x28
+-};
++ len = RSA_public_encrypt(ptlen, plaintext, ctbuf, rsa, RSA_PKCS1_PADDING);
++ if (len <= 0)
++ goto err;
++ /* Check ciphertext doesn't match plaintext */
++ if (len >= ptlen && !memcmp(plaintext, ctbuf, ptlen))
++ goto err;
+
+-static const unsigned char kat_RSA_X931_SHA512[] = {
+- 0xA6, 0x65, 0xA2, 0x77, 0x4F, 0xB3, 0x86, 0xCB, 0x64, 0x3A, 0xC1, 0x63,
+- 0xFC, 0xA1, 0xAA, 0xCB, 0x9B, 0x79, 0xDD, 0x4B, 0xE1, 0xD9, 0xDA, 0xAC,
+- 0xE7, 0x47, 0x09, 0xB2, 0x11, 0x4B, 0x8A, 0xAA, 0x05, 0x9E, 0x77, 0xD7,
+- 0x3A, 0xBD, 0x5E, 0x53, 0x09, 0x4A, 0xE6, 0x0F, 0x5E, 0xF9, 0x14, 0x28,
+- 0xA0, 0x99, 0x74, 0x64, 0x70, 0x4E, 0xF2, 0xE3, 0xFA, 0xC7, 0xF8, 0xC5,
+- 0x6E, 0x2B, 0x79, 0x96, 0x0D, 0x0C, 0xC8, 0x10, 0x34, 0x53, 0xD2, 0xAF,
+- 0x17, 0x0E, 0xE0, 0xBF, 0x79, 0xF6, 0x04, 0x72, 0x10, 0xE0, 0xF6, 0xD0,
+- 0xCE, 0x8A, 0x6F, 0xA1, 0x95, 0x89, 0xBF, 0x58, 0x8F, 0x46, 0x5F, 0x09,
+- 0x9F, 0x09, 0xCA, 0x84, 0x15, 0x85, 0xE0, 0xED, 0x04, 0x2D, 0xFB, 0x7C,
+- 0x36, 0x35, 0x21, 0x31, 0xC3, 0xFD, 0x92, 0x42, 0x11, 0x30, 0x71, 0x1B,
+- 0x60, 0x83, 0x18, 0x88, 0xA3, 0xF5, 0x59, 0xC3
+-};
++ ptbuf = OPENSSL_malloc(RSA_size(rsa));
++ if (!ptbuf)
++ goto err;
++
++ len = RSA_private_decrypt(len, ctbuf, ptbuf, rsa, RSA_PKCS1_PADDING);
++ if (len != ptlen)
++ goto err;
++ if (memcmp(ptbuf, plaintext, len))
++ goto err;
++
++ ret = 1;
++
++ err:
++ if (ctbuf)
++ OPENSSL_free(ctbuf);
++ if (ptbuf)
++ OPENSSL_free(ptbuf);
++ return ret;
++}
+
+ int FIPS_selftest_rsa()
+ {
+@@ -352,7 +483,7 @@ int FIPS_selftest_rsa()
+ if ((pk = EVP_PKEY_new()) == NULL)
+ goto err;
+
+- EVP_PKEY_assign_RSA(pk, key);
++ EVP_PKEY_set1_RSA(pk, key);
+
+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
+ kat_RSA_SHA1, sizeof(kat_RSA_SHA1),
+@@ -406,29 +537,7 @@ int FIPS_selftest_rsa()
+ EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA512 PSS"))
+ goto err;
+
+- if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
+- kat_RSA_X931_SHA1,
+- sizeof(kat_RSA_X931_SHA1), EVP_sha1(),
+- EVP_MD_CTX_FLAG_PAD_X931, "RSA SHA1 X931"))
+- goto err;
+- /* NB: SHA224 not supported in X9.31 */
+- if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
+- kat_RSA_X931_SHA256,
+- sizeof(kat_RSA_X931_SHA256), EVP_sha256(),
+- EVP_MD_CTX_FLAG_PAD_X931,
+- "RSA SHA256 X931"))
+- goto err;
+- if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
+- kat_RSA_X931_SHA384,
+- sizeof(kat_RSA_X931_SHA384), EVP_sha384(),
+- EVP_MD_CTX_FLAG_PAD_X931,
+- "RSA SHA384 X931"))
+- goto err;
+- if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
+- kat_RSA_X931_SHA512,
+- sizeof(kat_RSA_X931_SHA512), EVP_sha512(),
+- EVP_MD_CTX_FLAG_PAD_X931,
+- "RSA SHA512 X931"))
++ if (!fips_rsa_encrypt_test(key, kat_tbs, sizeof(kat_tbs) - 1))
+ goto err;
+
+ ret = 1;
+@@ -436,7 +545,7 @@ int FIPS_selftest_rsa()
+ err:
+ if (pk)
+ EVP_PKEY_free(pk);
+- else if (key)
++ if (key)
+ RSA_free(key);
+ return ret;
+ }
+diff -up openssl-1.0.2j/crypto/fips/Makefile.fips-reqs openssl-1.0.2j/crypto/fips/Makefile
+--- openssl-1.0.2j/crypto/fips/Makefile.fips-reqs 2017-01-10 16:25:11.134340415 +0100
++++ openssl-1.0.2j/crypto/fips/Makefile 2017-01-10 16:25:11.144340641 +0100
+@@ -24,13 +24,15 @@ LIBSRC=fips_aes_selftest.c fips_des_self
+ fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c fips_rand.c \
+ fips_rsa_x931g.c fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \
+ fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \
+- fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c fips_enc.c fips_md.c
++ fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c fips_enc.c fips_md.c \
++ fips_dh_selftest.c
+
+ LIBOBJ=fips_aes_selftest.o fips_des_selftest.o fips_hmac_selftest.o fips_rand_selftest.o \
+ fips_rsa_selftest.o fips_sha_selftest.o fips.o fips_dsa_selftest.o fips_rand.o \
+ fips_rsa_x931g.o fips_post.o fips_drbg_ctr.o fips_drbg_hash.o fips_drbg_hmac.o \
+ fips_drbg_lib.o fips_drbg_rand.o fips_drbg_selftest.o fips_rand_lib.o \
+- fips_cmac_selftest.o fips_ecdh_selftest.o fips_ecdsa_selftest.o fips_enc.o fips_md.o
++ fips_cmac_selftest.o fips_ecdh_selftest.o fips_ecdsa_selftest.o fips_enc.o fips_md.o \
++ fips_dh_selftest.o
+
+ LIBCRYPTO=-L.. -lcrypto
+
+diff -up openssl-1.0.2j/crypto/rand/rand_lcl.h.fips-reqs openssl-1.0.2j/crypto/rand/rand_lcl.h
+--- openssl-1.0.2j/crypto/rand/rand_lcl.h.fips-reqs 2017-01-10 16:25:10.830333571 +0100
++++ openssl-1.0.2j/crypto/rand/rand_lcl.h 2017-01-10 16:25:11.144340641 +0100
+@@ -112,7 +112,7 @@
+ #ifndef HEADER_RAND_LCL_H
+ # define HEADER_RAND_LCL_H
+
+-# define ENTROPY_NEEDED 32 /* require 256 bits = 32 bytes of randomness */
++# define ENTROPY_NEEDED 48 /* require 384 bits = 48 bytes of randomness */
+
+ # if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND)
+ # if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
+diff -up openssl-1.0.2j/crypto/rand/rand_lib.c.fips-reqs openssl-1.0.2j/crypto/rand/rand_lib.c
+--- openssl-1.0.2j/crypto/rand/rand_lib.c.fips-reqs 2016-09-26 11:49:07.000000000 +0200
++++ openssl-1.0.2j/crypto/rand/rand_lib.c 2017-01-10 16:25:11.145340663 +0100
+@@ -236,12 +236,22 @@ static int drbg_rand_add(DRBG_CTX *ctx,
+ double entropy)
+ {
+ RAND_SSLeay()->add(in, inlen, entropy);
++ if (FIPS_rand_status()) {
++ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
++ FIPS_drbg_reseed(ctx, NULL, 0);
++ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
++ }
+ return 1;
+ }
+
+ static int drbg_rand_seed(DRBG_CTX *ctx, const void *in, int inlen)
+ {
+ RAND_SSLeay()->seed(in, inlen);
++ if (FIPS_rand_status()) {
++ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
++ FIPS_drbg_reseed(ctx, NULL, 0);
++ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
++ }
+ return 1;
+ }
+
+diff -up openssl-1.0.2j/crypto/rsa/rsa_gen.c.fips-reqs openssl-1.0.2j/crypto/rsa/rsa_gen.c
+--- openssl-1.0.2j/crypto/rsa/rsa_gen.c.fips-reqs 2017-01-10 16:25:11.112339920 +0100
++++ openssl-1.0.2j/crypto/rsa/rsa_gen.c 2017-01-10 16:25:11.145340663 +0100
+@@ -1,5 +1,6 @@
+ /* crypto/rsa/rsa_gen.c */
+ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
++ * Copyright (C) 2013 Red Hat, Inc.
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+@@ -169,6 +170,259 @@ int RSA_generate_key_ex(RSA *rsa, int bi
+ return rsa_builtin_keygen(rsa, bits, e_value, cb);
+ }
+
++#ifdef OPENSSL_FIPS
++static int FIPS_rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
++ BN_GENCB *cb)
++{
++ BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp;
++ BIGNUM local_r0, local_d, local_p;
++ BIGNUM *pr0, *d, *p;
++ BN_CTX *ctx = NULL;
++ int ok = -1;
++ int i;
++ int n = 0;
++ int test = 0;
++ int pbits = bits / 2;
++
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN, FIPS_R_FIPS_SELFTEST_FAILED);
++ return 0;
++ }
++
++ if ((pbits & 0xFF)
++ || (getenv("OPENSSL_ENFORCE_MODULUS_BITS") && bits != 2048
++ && bits != 3072)) {
++ FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN, FIPS_R_INVALID_KEY_LENGTH);
++ return 0;
++ }
++
++ ctx = BN_CTX_new();
++ if (ctx == NULL)
++ goto err;
++ BN_CTX_start(ctx);
++ r0 = BN_CTX_get(ctx);
++ r1 = BN_CTX_get(ctx);
++ r2 = BN_CTX_get(ctx);
++ r3 = BN_CTX_get(ctx);
++
++ if (r3 == NULL)
++ goto err;
++
++ /* We need the RSA components non-NULL */
++ if (!rsa->n && ((rsa->n = BN_new()) == NULL))
++ goto err;
++ if (!rsa->d && ((rsa->d = BN_new()) == NULL))
++ goto err;
++ if (!rsa->e && ((rsa->e = BN_new()) == NULL))
++ goto err;
++ if (!rsa->p && ((rsa->p = BN_new()) == NULL))
++ goto err;
++ if (!rsa->q && ((rsa->q = BN_new()) == NULL))
++ goto err;
++ if (!rsa->dmp1 && ((rsa->dmp1 = BN_new()) == NULL))
++ goto err;
++ if (!rsa->dmq1 && ((rsa->dmq1 = BN_new()) == NULL))
++ goto err;
++ if (!rsa->iqmp && ((rsa->iqmp = BN_new()) == NULL))
++ goto err;
++
++ if (!BN_set_word(r0, RSA_F4))
++ goto err;
++ if (BN_cmp(e_value, r0) < 0 || BN_num_bits(e_value) > 256) {
++ ok = 0; /* we set our own err */
++ RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_BAD_E_VALUE);
++ goto err;
++ }
++
++ /* prepare approximate minimum p and q */
++ if (!BN_set_word(r0, 0xB504F334))
++ goto err;
++ if (!BN_lshift(r0, r0, pbits - 32))
++ goto err;
++
++ /* prepare minimum p and q difference */
++ if (!BN_one(r3))
++ goto err;
++ if (!BN_lshift(r3, r3, pbits - 100))
++ goto err;
++
++ BN_copy(rsa->e, e_value);
++
++ if (!BN_is_zero(rsa->p) && !BN_is_zero(rsa->q))
++ test = 1;
++
++ retry:
++ /* generate p and q */
++ for (i = 0; i < 5 * pbits; i++) {
++ ploop:
++ if (!test)
++ if (!BN_rand(rsa->p, pbits, 0, 1))
++ goto err;
++ if (BN_cmp(rsa->p, r0) < 0) {
++ if (test)
++ goto err;
++ goto ploop;
++ }
++
++ if (!BN_sub(r2, rsa->p, BN_value_one()))
++ goto err;
++ if (!BN_gcd(r1, r2, rsa->e, ctx))
++ goto err;
++ if (BN_is_one(r1)) {
++ int r;
++ r = BN_is_prime_fasttest_ex(rsa->p, pbits > 1024 ? 4 : 5, ctx, 0,
++ cb);
++ if (r == -1 || (test && r <= 0))
++ goto err;
++ if (r > 0)
++ break;
++ }
++
++ if (!BN_GENCB_call(cb, 2, n++))
++ goto err;
++ }
++
++ if (!BN_GENCB_call(cb, 3, 0))
++ goto err;
++
++ if (i >= 5 * pbits)
++ /* prime not found */
++ goto err;
++
++ for (i = 0; i < 5 * pbits; i++) {
++ qloop:
++ if (!test)
++ if (!BN_rand(rsa->q, pbits, 0, 1))
++ goto err;
++ if (BN_cmp(rsa->q, r0) < 0) {
++ if (test)
++ goto err;
++ goto qloop;
++ }
++ if (!BN_sub(r2, rsa->q, rsa->p))
++ goto err;
++ if (BN_ucmp(r2, r3) <= 0) {
++ if (test)
++ goto err;
++ goto qloop;
++ }
++
++ if (!BN_sub(r2, rsa->q, BN_value_one()))
++ goto err;
++ if (!BN_gcd(r1, r2, rsa->e, ctx))
++ goto err;
++ if (BN_is_one(r1)) {
++ int r;
++ r = BN_is_prime_fasttest_ex(rsa->q, pbits > 1024 ? 4 : 5, ctx, 0,
++ cb);
++ if (r == -1 || (test && r <= 0))
++ goto err;
++ if (r > 0)
++ break;
++ }
++
++ if (!BN_GENCB_call(cb, 2, n++))
++ goto err;
++ }
++
++ if (!BN_GENCB_call(cb, 3, 1))
++ goto err;
++
++ if (i >= 5 * pbits)
++ /* prime not found */
++ goto err;
++
++ if (test) {
++ /* do not try to calculate the remaining key values */
++ BN_clear(rsa->n);
++ ok = 1;
++ goto err;
++ }
++
++ if (BN_cmp(rsa->p, rsa->q) < 0) {
++ tmp = rsa->p;
++ rsa->p = rsa->q;
++ rsa->q = tmp;
++ }
++
++ /* calculate n */
++ if (!BN_mul(rsa->n, rsa->p, rsa->q, ctx))
++ goto err;
++
++ /* calculate d */
++ if (!BN_sub(r1, rsa->p, BN_value_one()))
++ goto err; /* p-1 */
++ if (!BN_sub(r2, rsa->q, BN_value_one()))
++ goto err; /* q-1 */
++
++ if (!BN_gcd(r0, r1, r2, ctx))
++ goto err;
++ if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
++ pr0 = &local_r0;
++ BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
++ } else
++ pr0 = r0;
++ if (!BN_div(r0, NULL, r1, pr0, ctx))
++ goto err;
++ if (!BN_mul(r0, r0, r2, ctx))
++ goto err; /* lcm(p-1, q-1) */
++
++ if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
++ pr0 = &local_r0;
++ BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
++ } else
++ pr0 = r0;
++ if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx))
++ goto err; /* d */
++
++ if (BN_num_bits(rsa->d) < pbits)
++ goto retry; /* d is too small */
++
++ /* set up d for correct BN_FLG_CONSTTIME flag */
++ if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
++ d = &local_d;
++ BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
++ } else
++ d = rsa->d;
++
++ /* calculate d mod (p-1) */
++ if (!BN_mod(rsa->dmp1, d, r1, ctx))
++ goto err;
++
++ /* calculate d mod (q-1) */
++ if (!BN_mod(rsa->dmq1, d, r2, ctx))
++ goto err;
++
++ /* calculate inverse of q mod p */
++ if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
++ p = &local_p;
++ BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
++ } else
++ p = rsa->p;
++ if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx))
++ goto err;
++
++ if (fips_rsa_pairwise_fail)
++ BN_add_word(rsa->n, 1);
++
++ if (!fips_check_rsa(rsa))
++ goto err;
++
++ ok = 1;
++ err:
++ if (ok == -1) {
++ RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, ERR_LIB_BN);
++ ok = 0;
++ }
++ if (ctx != NULL) {
++ BN_CTX_end(ctx);
++ BN_CTX_free(ctx);
++ }
++
++ return ok;
++}
++#endif
++
+ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
+ BN_GENCB *cb)
+ {
+@@ -180,15 +434,11 @@ static int rsa_builtin_keygen(RSA *rsa,
+
+ #ifdef OPENSSL_FIPS
+ if (FIPS_module_mode()) {
+- if (FIPS_selftest_failed()) {
+- FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN, FIPS_R_FIPS_SELFTEST_FAILED);
+- return 0;
+- }
+-
+ if (bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS) {
+ FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN, FIPS_R_KEY_TOO_SHORT);
+ return 0;
+ }
++ return FIPS_rsa_builtin_keygen(rsa, bits, e_value, cb);
+ }
+ #endif
+
+@@ -317,16 +567,6 @@ static int rsa_builtin_keygen(RSA *rsa,
+ if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx))
+ goto err;
+
+-#ifdef OPENSSL_FIPS
+- if (FIPS_module_mode()) {
+- if (fips_rsa_pairwise_fail)
+- BN_add_word(rsa->n, 1);
+-
+- if (!fips_check_rsa(rsa))
+- goto err;
+- }
+-#endif
+-
+ ok = 1;
+ err:
+ if (ok == -1) {
+diff -up openssl-1.0.2j/ssl/t1_enc.c.fips-reqs openssl-1.0.2j/ssl/t1_enc.c
+--- openssl-1.0.2j/ssl/t1_enc.c.fips-reqs 2016-09-26 11:49:07.000000000 +0200
++++ openssl-1.0.2j/ssl/t1_enc.c 2017-01-10 16:25:11.145340663 +0100
+@@ -292,6 +292,23 @@ static int tls1_PRF(long digest_mask,
+ return ret;
+ }
+
++int private_tls1_PRF(long digest_mask,
++ const void *seed1, int seed1_len,
++ const void *seed2, int seed2_len,
++ const void *seed3, int seed3_len,
++ const void *seed4, int seed4_len,
++ const void *seed5, int seed5_len,
++ const unsigned char *sec, int slen,
++ unsigned char *out1, unsigned char *out2, int olen)
++{
++ return tls1_PRF(digest_mask,
++ seed1, seed1_len,
++ seed2, seed2_len,
++ seed3, seed3_len,
++ seed4, seed4_len,
++ seed5, seed5_len, sec, slen, out1, out2, olen);
++}
++
+ static int tls1_generate_key_block(SSL *s, unsigned char *km,
+ unsigned char *tmp, int num)
+ {
diff --git a/SOURCES/openssl-1.0.2k-backports.patch b/SOURCES/openssl-1.0.2k-backports.patch
new file mode 100644
index 0000000..4d1e578
--- /dev/null
+++ b/SOURCES/openssl-1.0.2k-backports.patch
@@ -0,0 +1,244 @@
+diff -up openssl-1.0.2k/crypto/aes/asm/aesni-sha1-x86_64.pl.backports openssl-1.0.2k/crypto/aes/asm/aesni-sha1-x86_64.pl
+--- openssl-1.0.2k/crypto/aes/asm/aesni-sha1-x86_64.pl.backports 2017-03-09 17:59:26.367233931 +0100
++++ openssl-1.0.2k/crypto/aes/asm/aesni-sha1-x86_64.pl 2017-03-27 15:25:28.615014528 +0200
+@@ -1702,6 +1702,7 @@ $code.=<<___;
+ mov 240($key),$rounds
+ sub $in0,$out
+ movups ($key),$rndkey0 # $key[0]
++ movups ($ivp),$iv # load IV
+ movups 16($key),$rndkey[0] # forward reference
+ lea 112($key),$key # size optimization
+
+diff -up openssl-1.0.2k/crypto/aes/asm/aesni-sha256-x86_64.pl.backports openssl-1.0.2k/crypto/aes/asm/aesni-sha256-x86_64.pl
+--- openssl-1.0.2k/crypto/aes/asm/aesni-sha256-x86_64.pl.backports 2017-03-09 17:59:26.369233978 +0100
++++ openssl-1.0.2k/crypto/aes/asm/aesni-sha256-x86_64.pl 2017-03-27 15:25:28.618014599 +0200
+@@ -1299,6 +1299,7 @@ $code.=<<___;
+ mov 240($key),$rounds
+ sub $in0,$out
+ movups ($key),$rndkey0 # $key[0]
++ movups ($ivp),$iv # load IV
+ movups 16($key),$rndkey[0] # forward reference
+ lea 112($key),$key # size optimization
+
+diff -up openssl-1.0.2k/crypto/x86cpuid.pl.backports openssl-1.0.2k/crypto/x86cpuid.pl
+--- openssl-1.0.2k/crypto/x86cpuid.pl.backports 2017-03-09 17:59:26.339233278 +0100
++++ openssl-1.0.2k/crypto/x86cpuid.pl 2017-03-27 15:26:06.833916588 +0200
+@@ -20,10 +20,10 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA3
+ &pop ("eax");
+ &xor ("ecx","eax");
+ &xor ("eax","eax");
++ &mov ("esi",&wparam(0));
++ &mov (&DWP(8,"esi"),"eax"); # clear extended feature flags
+ &bt ("ecx",21);
+ &jnc (&label("nocpuid"));
+- &mov ("esi",&wparam(0));
+- &mov (&DWP(8,"esi"),"eax"); # clear 3rd word
+ &cpuid ();
+ &mov ("edi","eax"); # max value for standard query level
+
+@@ -81,26 +81,16 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA3
+ &jmp (&label("generic"));
+
+ &set_label("intel");
+- &cmp ("edi",7);
+- &jb (&label("cacheinfo"));
+-
+- &mov ("esi",&wparam(0));
+- &mov ("eax",7);
+- &xor ("ecx","ecx");
+- &cpuid ();
+- &mov (&DWP(8,"esi"),"ebx");
+-
+-&set_label("cacheinfo");
+ &cmp ("edi",4);
+- &mov ("edi",-1);
++ &mov ("esi",-1);
+ &jb (&label("nocacheinfo"));
+
+ &mov ("eax",4);
+ &mov ("ecx",0); # query L1D
+ &cpuid ();
+- &mov ("edi","eax");
+- &shr ("edi",14);
+- &and ("edi",0xfff); # number of cores -1 per L1D
++ &mov ("esi","eax");
++ &shr ("esi",14);
++ &and ("esi",0xfff); # number of cores -1 per L1D
+
+ &set_label("nocacheinfo");
+ &mov ("eax",1);
+@@ -118,7 +108,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA3
+ &bt ("edx",28); # test hyper-threading bit
+ &jnc (&label("generic"));
+ &and ("edx",0xefffffff);
+- &cmp ("edi",0);
++ &cmp ("esi",0);
+ &je (&label("generic"));
+
+ &or ("edx",0x10000000);
+@@ -130,10 +120,19 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA3
+ &set_label("generic");
+ &and ("ebp",1<<11); # isolate AMD XOP flag
+ &and ("ecx",0xfffff7ff); # force 11th bit to 0
+- &mov ("esi","edx");
++ &mov ("esi","edx"); # %ebp:%esi is copy of %ecx:%edx
+ &or ("ebp","ecx"); # merge AMD XOP flag
+
+- &bt ("ecx",27); # check OSXSAVE bit
++ &cmp ("edi",7);
++ &mov ("edi",&wparam(0));
++ &jb (&label("no_extended_info"));
++ &mov ("eax",7);
++ &xor ("ecx","ecx");
++ &cpuid ();
++ &mov (&DWP(8,"edi"),"ebx"); # save extended feature flag
++&set_label("no_extended_info");
++
++ &bt ("ebp",27); # check OSXSAVE bit
+ &jnc (&label("clear_avx"));
+ &xor ("ecx","ecx");
+ &data_byte(0x0f,0x01,0xd0); # xgetbv
+@@ -147,7 +146,6 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA3
+ &and ("esi",0xfeffffff); # clear FXSR
+ &set_label("clear_avx");
+ &and ("ebp",0xefffe7ff); # clear AVX, FMA and AMD XOP bits
+- &mov ("edi",&wparam(0));
+ &and (&DWP(8,"edi"),0xffffffdf); # clear AVX2
+ &set_label("done");
+ &mov ("eax","esi");
+diff -up openssl-1.0.2k/crypto/x86_64cpuid.pl.backports openssl-1.0.2k/crypto/x86_64cpuid.pl
+--- openssl-1.0.2k/crypto/x86_64cpuid.pl.backports 2017-03-09 17:59:26.339233278 +0100
++++ openssl-1.0.2k/crypto/x86_64cpuid.pl 2017-03-27 15:26:06.833916588 +0200
+@@ -59,7 +59,7 @@ OPENSSL_ia32_cpuid:
+ mov %rbx,%r8 # save %rbx
+
+ xor %eax,%eax
+- mov %eax,8(%rdi) # clear 3rd word
++ mov %eax,8(%rdi) # clear extended feature flags
+ cpuid
+ mov %eax,%r11d # max value for standard query level
+
+@@ -127,14 +127,6 @@ OPENSSL_ia32_cpuid:
+ shr \$14,%r10d
+ and \$0xfff,%r10d # number of cores -1 per L1D
+
+- cmp \$7,%r11d
+- jb .Lnocacheinfo
+-
+- mov \$7,%eax
+- xor %ecx,%ecx
+- cpuid
+- mov %ebx,8(%rdi)
+-
+ .Lnocacheinfo:
+ mov \$1,%eax
+ cpuid
+@@ -164,6 +156,15 @@ OPENSSL_ia32_cpuid:
+ or %ecx,%r9d # merge AMD XOP flag
+
+ mov %edx,%r10d # %r9d:%r10d is copy of %ecx:%edx
++
++ cmp \$7,%r11d
++ jb .Lno_extended_info
++ mov \$7,%eax
++ xor %ecx,%ecx
++ cpuid
++ mov %ebx,8(%rdi) # save extended feature flags
++.Lno_extended_info:
++
+ bt \$27,%r9d # check OSXSAVE bit
+ jnc .Lclear_avx
+ xor %ecx,%ecx # XCR0
+diff -up openssl-1.0.2k/ssl/ssl_locl.h.backports openssl-1.0.2k/ssl/ssl_locl.h
+--- openssl-1.0.2k/ssl/ssl_locl.h.backports 2017-03-09 17:59:26.183229642 +0100
++++ openssl-1.0.2k/ssl/ssl_locl.h 2017-03-09 17:59:26.311232626 +0100
+@@ -1430,7 +1430,7 @@ int ssl_parse_clienthello_renegotiate_ex
+ long ssl_get_algorithm2(SSL *s);
+ int tls1_save_sigalgs(SSL *s, const unsigned char *data, int dsize);
+ int tls1_process_sigalgs(SSL *s);
+-size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs);
++size_t tls12_get_psigalgs(SSL *s, int sent, const unsigned char **psigs);
+ int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
+ const unsigned char *sig, EVP_PKEY *pkey);
+ void ssl_set_client_disabled(SSL *s);
+diff -up openssl-1.0.2k/ssl/s3_lib.c.backports openssl-1.0.2k/ssl/s3_lib.c
+--- openssl-1.0.2k/ssl/s3_lib.c.backports 2017-03-09 17:59:26.294232230 +0100
++++ openssl-1.0.2k/ssl/s3_lib.c 2017-03-09 17:59:26.311232626 +0100
+@@ -4237,7 +4237,7 @@ int ssl3_get_req_cert_type(SSL *s, unsig
+ return (int)s->cert->ctype_num;
+ }
+ /* get configured sigalgs */
+- siglen = tls12_get_psigalgs(s, &sig);
++ siglen = tls12_get_psigalgs(s, 1, &sig);
+ if (s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
+ nostrict = 0;
+ for (i = 0; i < siglen; i += 2, sig += 2) {
+diff -up openssl-1.0.2k/ssl/s3_srvr.c.backports openssl-1.0.2k/ssl/s3_srvr.c
+--- openssl-1.0.2k/ssl/s3_srvr.c.backports 2017-01-26 14:22:04.000000000 +0100
++++ openssl-1.0.2k/ssl/s3_srvr.c 2017-03-09 17:59:26.311232626 +0100
+@@ -2084,7 +2084,7 @@ int ssl3_send_certificate_request(SSL *s
+
+ if (SSL_USE_SIGALGS(s)) {
+ const unsigned char *psigs;
+- nl = tls12_get_psigalgs(s, &psigs);
++ nl = tls12_get_psigalgs(s, 1, &psigs);
+ s2n(nl, p);
+ memcpy(p, psigs, nl);
+ p += nl;
+diff -up openssl-1.0.2k/ssl/t1_lib.c.backports openssl-1.0.2k/ssl/t1_lib.c
+--- openssl-1.0.2k/ssl/t1_lib.c.backports 2017-03-09 17:59:26.297232299 +0100
++++ openssl-1.0.2k/ssl/t1_lib.c 2017-03-09 17:59:26.312232649 +0100
+@@ -1015,7 +1015,7 @@ static unsigned char suiteb_sigalgs[] =
+ tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
+ };
+ # endif
+-size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
++size_t tls12_get_psigalgs(SSL *s, int sent, const unsigned char **psigs)
+ {
+ /*
+ * If Suite B mode use Suite B sigalgs only, ignore any other
+@@ -1037,7 +1037,7 @@ size_t tls12_get_psigalgs(SSL *s, const
+ }
+ # endif
+ /* If server use client authentication sigalgs if not NULL */
+- if (s->server && s->cert->client_sigalgs) {
++ if (s->server == sent && s->cert->client_sigalgs) {
+ *psigs = s->cert->client_sigalgs;
+ return s->cert->client_sigalgslen;
+ } else if (s->cert->conf_sigalgs) {
+@@ -1101,7 +1101,7 @@ int tls12_check_peer_sigalg(const EVP_MD
+ # endif
+
+ /* Check signature matches a type we sent */
+- sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
++ sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
+ for (i = 0; i < sent_sigslen; i += 2, sent_sigs += 2) {
+ if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
+ break;
+@@ -1149,7 +1149,7 @@ void ssl_set_client_disabled(SSL *s)
+ * Now go through all signature algorithms seeing if we support any for
+ * RSA, DSA, ECDSA. Do this for all versions not just TLS 1.2.
+ */
+- sigalgslen = tls12_get_psigalgs(s, &sigalgs);
++ sigalgslen = tls12_get_psigalgs(s, 1, &sigalgs);
+ for (i = 0; i < sigalgslen; i += 2, sigalgs += 2) {
+ switch (sigalgs[1]) {
+ # ifndef OPENSSL_NO_RSA
+@@ -1420,7 +1420,7 @@ unsigned char *ssl_add_clienthello_tlsex
+ if (SSL_CLIENT_USE_SIGALGS(s)) {
+ size_t salglen;
+ const unsigned char *salg;
+- salglen = tls12_get_psigalgs(s, &salg);
++ salglen = tls12_get_psigalgs(s, 1, &salg);
+
+ /*-
+ * check for enough space.
+@@ -3783,7 +3783,7 @@ static int tls1_set_shared_sigalgs(SSL *
+ conf = c->conf_sigalgs;
+ conflen = c->conf_sigalgslen;
+ } else
+- conflen = tls12_get_psigalgs(s, &conf);
++ conflen = tls12_get_psigalgs(s, 0, &conf);
+ if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
+ pref = conf;
+ preflen = conflen;
diff --git a/SOURCES/openssl-1.0.2k-cc-reqs.patch b/SOURCES/openssl-1.0.2k-cc-reqs.patch
new file mode 100644
index 0000000..683d9af
--- /dev/null
+++ b/SOURCES/openssl-1.0.2k-cc-reqs.patch
@@ -0,0 +1,27 @@
+diff -up openssl-1.0.2k/crypto/rsa/rsa_gen.c.cc-reqs openssl-1.0.2k/crypto/rsa/rsa_gen.c
+--- openssl-1.0.2k/crypto/rsa/rsa_gen.c.cc-reqs 2017-02-06 16:42:47.313963001 +0100
++++ openssl-1.0.2k/crypto/rsa/rsa_gen.c 2017-02-06 16:46:54.453628783 +0100
+@@ -474,6 +474,12 @@ static int rsa_builtin_keygen(RSA *rsa,
+ if (!rsa->iqmp && ((rsa->iqmp = BN_new()) == NULL))
+ goto err;
+
++ /* prepare minimum p and q difference */
++ if (!BN_one(r3))
++ goto err;
++ if (bitsp > 100 && !BN_lshift(r3, r3, bitsp - 100))
++ goto err;
++
+ if (BN_copy(rsa->e, e_value) == NULL)
+ goto err;
+
+@@ -502,7 +508,9 @@ static int rsa_builtin_keygen(RSA *rsa,
+ do {
+ if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb))
+ goto err;
+- } while ((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 3));
++ if (!BN_sub(r2, rsa->q, rsa->p))
++ goto err;
++ } while ((BN_ucmp(r2, r3) <= 0) && (++degenerate < 3));
+ if (degenerate == 3) {
+ ok = 0; /* we set our own err */
+ RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_SIZE_TOO_SMALL);
diff --git a/SOURCES/openssl-1.0.2k-long-hello.patch b/SOURCES/openssl-1.0.2k-long-hello.patch
new file mode 100644
index 0000000..358b027
--- /dev/null
+++ b/SOURCES/openssl-1.0.2k-long-hello.patch
@@ -0,0 +1,36 @@
+diff -up openssl-1.0.2k/ssl/s3_srvr.c.long-hello openssl-1.0.2k/ssl/s3_srvr.c
+--- openssl-1.0.2k/ssl/s3_srvr.c.long-hello 2017-03-09 17:59:26.000000000 +0100
++++ openssl-1.0.2k/ssl/s3_srvr.c 2017-03-30 09:11:35.639338753 +0200
+@@ -899,6 +899,23 @@ int ssl3_send_hello_request(SSL *s)
+ return ssl_do_write(s);
+ }
+
++/*
++ * Maximum size (excluding the Handshake header) of a ClientHello message,
++ * calculated as follows:
++ *
++ * 2 + # client_version
++ * 32 + # only valid length for random
++ * 1 + # length of session_id
++ * 32 + # maximum size for session_id
++ * 2 + # length of cipher suites
++ * 2^16-2 + # maximum length of cipher suites array
++ * 1 + # length of compression_methods
++ * 2^8-1 + # maximum length of compression methods
++ * 2 + # length of extensions
++ * 2^16-1 # maximum length of extensions
++ */
++#define CLIENT_HELLO_MAX_LENGTH 131396
++
+ int ssl3_get_client_hello(SSL *s)
+ {
+ int i, j, ok, al = SSL_AD_INTERNAL_ERROR, ret = -1, cookie_valid = 0;
+@@ -930,7 +947,7 @@ int ssl3_get_client_hello(SSL *s)
+ SSL3_ST_SR_CLNT_HELLO_B,
+ SSL3_ST_SR_CLNT_HELLO_C,
+ SSL3_MT_CLIENT_HELLO,
+- SSL3_RT_MAX_PLAIN_LENGTH, &ok);
++ CLIENT_HELLO_MAX_LENGTH, &ok);
+
+ if (!ok)
+ return ((int)n);
diff --git a/SOURCES/openssl-1.0.2k-no-ssl2.patch b/SOURCES/openssl-1.0.2k-no-ssl2.patch
new file mode 100644
index 0000000..c668417
--- /dev/null
+++ b/SOURCES/openssl-1.0.2k-no-ssl2.patch
@@ -0,0 +1,217 @@
+diff -up openssl-1.0.2k/apps/ciphers.c.no-ssl2 openssl-1.0.2k/apps/ciphers.c
+--- openssl-1.0.2k/apps/ciphers.c.no-ssl2 2017-01-26 14:22:03.000000000 +0100
++++ openssl-1.0.2k/apps/ciphers.c 2017-03-01 14:18:28.058046372 +0100
+@@ -73,7 +73,9 @@ static const char *ciphers_usage[] = {
+ "usage: ciphers args\n",
+ " -v - verbose mode, a textual listing of the SSL/TLS ciphers in OpenSSL\n",
+ " -V - even more verbose\n",
++#ifndef OPENSSL_NO_SSL2
+ " -ssl2 - SSL2 mode\n",
++#endif
+ " -ssl3 - SSL3 mode\n",
+ " -tls1 - TLS1 mode\n",
+ NULL
+diff -up openssl-1.0.2k/apps/s_client.c.no-ssl2 openssl-1.0.2k/apps/s_client.c
+--- openssl-1.0.2k/apps/s_client.c.no-ssl2 2017-03-01 14:04:57.000000000 +0100
++++ openssl-1.0.2k/apps/s_client.c 2017-03-01 14:17:42.368974209 +0100
+@@ -380,7 +380,9 @@ static void sc_usage(void)
+ " -srp_strength int - minimal length in bits for N (default %d).\n",
+ SRP_MINIMAL_N);
+ #endif
++#ifndef OPENSSL_NO_SSL2
+ BIO_printf(bio_err, " -ssl2 - just use SSLv2\n");
++#endif
+ #ifndef OPENSSL_NO_SSL3_METHOD
+ BIO_printf(bio_err, " -ssl3 - just use SSLv3\n");
+ #endif
+diff -up openssl-1.0.2k/apps/s_server.c.no-ssl2 openssl-1.0.2k/apps/s_server.c
+--- openssl-1.0.2k/apps/s_server.c.no-ssl2 2017-02-15 11:33:38.000000000 +0100
++++ openssl-1.0.2k/apps/s_server.c 2017-03-01 14:13:54.154618822 +0100
+@@ -598,7 +598,9 @@ static void sv_usage(void)
+ BIO_printf(bio_err,
+ " -srpuserseed string - A seed string for a default user salt.\n");
+ #endif
++#ifndef OPENSSL_NO_SSL2
+ BIO_printf(bio_err, " -ssl2 - Just talk SSLv2\n");
++#endif
+ #ifndef OPENSSL_NO_SSL3_METHOD
+ BIO_printf(bio_err, " -ssl3 - Just talk SSLv3\n");
+ #endif
+@@ -610,7 +612,7 @@ static void sv_usage(void)
+ BIO_printf(bio_err, " -timeout - Enable timeouts\n");
+ BIO_printf(bio_err, " -mtu - Set link layer MTU\n");
+ BIO_printf(bio_err, " -chain - Read a certificate chain\n");
+- BIO_printf(bio_err, " -no_ssl2 - Just disable SSLv2\n");
++ BIO_printf(bio_err, " -no_ssl2 - No-op, SSLv2 is always disabled\n");
+ BIO_printf(bio_err, " -no_ssl3 - Just disable SSLv3\n");
+ BIO_printf(bio_err, " -no_tls1 - Just disable TLSv1\n");
+ BIO_printf(bio_err, " -no_tls1_1 - Just disable TLSv1.1\n");
+diff -up openssl-1.0.2k/apps/s_time.c.no-ssl2 openssl-1.0.2k/apps/s_time.c
+--- openssl-1.0.2k/apps/s_time.c.no-ssl2 2017-02-15 11:33:38.000000000 +0100
++++ openssl-1.0.2k/apps/s_time.c 2017-03-01 14:20:15.708572549 +0100
+@@ -191,7 +191,9 @@ static void s_time_usage(void)
+ SSL_CONNECT_NAME);
+ #ifdef FIONBIO
+ printf("-nbio - Run with non-blocking IO\n");
++#ifndef OPENSSL_NO_SSL2
+ printf("-ssl2 - Just use SSLv2\n");
++#endif
+ printf("-ssl3 - Just use SSLv3\n");
+ printf("-bugs - Turn on SSL bug compatibility\n");
+ printf("-new - Just time new connections\n");
+diff -up openssl-1.0.2k/doc/apps/ciphers.pod.no-ssl2 openssl-1.0.2k/doc/apps/ciphers.pod
+--- openssl-1.0.2k/doc/apps/ciphers.pod.no-ssl2 2017-01-26 14:22:04.000000000 +0100
++++ openssl-1.0.2k/doc/apps/ciphers.pod 2017-03-01 14:02:51.275041593 +0100
+@@ -9,7 +9,6 @@ ciphers - SSL cipher display and cipher
+ B<openssl> B<ciphers>
+ [B<-v>]
+ [B<-V>]
+-[B<-ssl2>]
+ [B<-ssl3>]
+ [B<-tls1>]
+ [B<cipherlist>]
+@@ -42,10 +41,6 @@ Like B<-v>, but include cipher suite cod
+
+ This lists ciphers compatible with any of SSLv3, TLSv1, TLSv1.1 or TLSv1.2.
+
+-=item B<-ssl2>
+-
+-Only include SSLv2 ciphers.
+-
+ =item B<-h>, B<-?>
+
+ Print a brief usage message.
+diff -up openssl-1.0.2k/doc/apps/s_client.pod.no-ssl2 openssl-1.0.2k/doc/apps/s_client.pod
+--- openssl-1.0.2k/doc/apps/s_client.pod.no-ssl2 2017-03-01 14:04:57.000000000 +0100
++++ openssl-1.0.2k/doc/apps/s_client.pod 2017-03-01 14:06:28.389146669 +0100
+@@ -33,13 +33,11 @@ B<openssl> B<s_client>
+ [B<-ign_eof>]
+ [B<-no_ign_eof>]
+ [B<-quiet>]
+-[B<-ssl2>]
+ [B<-ssl3>]
+ [B<-tls1>]
+ [B<-tls1_1>]
+ [B<-tls1_2>]
+ [B<-dtls1>]
+-[B<-no_ssl2>]
+ [B<-no_ssl3>]
+ [B<-no_tls1>]
+ [B<-no_tls1_1>]
+@@ -207,7 +205,7 @@ Use the PSK key B<key> when using a PSK
+ given as a hexadecimal number without leading 0x, for example -psk
+ 1a2b3c4d.
+
+-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
++=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
+
+ These options require or disable the use of the specified SSL or TLS protocols.
+ By default the initial handshake uses a I<version-flexible> method which will
+@@ -326,8 +324,8 @@ would typically be used (https uses port
+ then an HTTP command can be given such as "GET /" to retrieve a web page.
+
+ If the handshake fails then there are several possible causes, if it is
+-nothing obvious like no client certificate then the B<-bugs>, B<-ssl2>,
+-B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> options can be tried
++nothing obvious like no client certificate then the B<-bugs>,
++B<-ssl3>, B<-tls1>, B<-no_ssl3>, B<-no_tls1> options can be tried
+ in case it is a buggy server. In particular you should play with these
+ options B<before> submitting a bug report to an OpenSSL mailing list.
+
+@@ -349,10 +347,6 @@ on the command line is no guarantee that
+ If there are problems verifying a server certificate then the
+ B<-showcerts> option can be used to show the whole chain.
+
+-Since the SSLv23 client hello cannot include compression methods or extensions
+-these will only be supported if its use is disabled, for example by using the
+-B<-no_sslv2> option.
+-
+ The B<s_client> utility is a test tool and is designed to continue the
+ handshake after any certificate verification errors. As a result it will
+ accept any certificate chain (trusted or not) sent by the peer. None test
+diff -up openssl-1.0.2k/doc/apps/s_server.pod.no-ssl2 openssl-1.0.2k/doc/apps/s_server.pod
+--- openssl-1.0.2k/doc/apps/s_server.pod.no-ssl2 2017-03-01 14:04:57.000000000 +0100
++++ openssl-1.0.2k/doc/apps/s_server.pod 2017-03-01 14:04:17.871077754 +0100
+@@ -42,12 +42,10 @@ B<openssl> B<s_server>
+ [B<-keytab filename>]
+ [B<-quiet>]
+ [B<-no_tmp_rsa>]
+-[B<-ssl2>]
+ [B<-ssl3>]
+ [B<-tls1>]
+ [B<-tls1_1>]
+ [B<-tls1_2>]
+-[B<-no_ssl2>]
+ [B<-no_ssl3>]
+ [B<-no_tls1>]
+ [B<-no_dhe>]
+@@ -229,7 +227,7 @@ Use the PSK key B<key> when using a PSK
+ given as a hexadecimal number without leading 0x, for example -psk
+ 1a2b3c4d.
+
+-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
++=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
+
+ These options require or disable the use of the specified SSL or TLS protocols.
+ By default the initial handshake uses a I<version-flexible> method which will
+diff -up openssl-1.0.2k/doc/apps/s_time.pod.no-ssl2 openssl-1.0.2k/doc/apps/s_time.pod
+--- openssl-1.0.2k/doc/apps/s_time.pod.no-ssl2 2017-02-15 11:33:38.000000000 +0100
++++ openssl-1.0.2k/doc/apps/s_time.pod 2017-03-01 14:03:50.440432769 +0100
+@@ -20,7 +20,6 @@ B<openssl> B<s_time>
+ [B<-verify depth>]
+ [B<-nbio>]
+ [B<-time seconds>]
+-[B<-ssl2>]
+ [B<-ssl3>]
+ [B<-bugs>]
+ [B<-cipher cipherlist>]
+@@ -99,9 +98,9 @@ specified, they are both on by default a
+
+ turns on non-blocking I/O.
+
+-=item B<-ssl2>, B<-ssl3>
++=item B<-ssl3>
+
+-these options disable the use of certain SSL or TLS protocols. By default
++this option disables the use of certain SSL or TLS protocols. By default
+ the initial handshake uses a method which should be compatible with all
+ servers and permit them to use SSL v3, SSL v2 or TLS as appropriate.
+ The timing program is not as rich in options to turn protocols on and off as
+@@ -109,8 +108,7 @@ the L<s_client(1)|s_client(1)> program a
+
+ Unfortunately there are a lot of ancient and broken servers in use which
+ cannot handle this technique and will fail to connect. Some servers only
+-work if TLS is turned off with the B<-ssl3> option; others
+-will only support SSL v2 and may need the B<-ssl2> option.
++work if TLS is turned off with the B<-ssl3> option.
+
+ =item B<-bugs>
+
+@@ -144,7 +142,7 @@ which both client and server can agree,
+ for details.
+
+ If the handshake fails then there are several possible causes, if it is
+-nothing obvious like no client certificate then the B<-bugs>, B<-ssl2>,
++nothing obvious like no client certificate then the B<-bugs>,
+ B<-ssl3> options can be tried
+ in case it is a buggy server. In particular you should play with these
+ options B<before> submitting a bug report to an OpenSSL mailing list.
+diff -up openssl-1.0.2k/doc/ssl/SSL_CTX_new.pod.no-ssl2 openssl-1.0.2k/doc/ssl/SSL_CTX_new.pod
+--- openssl-1.0.2k/doc/ssl/SSL_CTX_new.pod.no-ssl2 2017-01-26 14:22:04.000000000 +0100
++++ openssl-1.0.2k/doc/ssl/SSL_CTX_new.pod 2017-03-01 14:09:12.981016773 +0100
+@@ -123,13 +123,8 @@ used.
+
+ =item SSLv2_method(), SSLv2_server_method(), SSLv2_client_method()
+
+-A TLS/SSL connection established with these methods will only understand the
+-SSLv2 protocol. A client will send out SSLv2 client hello messages and will
+-also indicate that it only understand SSLv2. A server will only understand
+-SSLv2 client hello messages. The SSLv2 protocol offers little to no security
+-and should not be used.
+-As of OpenSSL 1.0.2g, EXPORT ciphers and 56-bit DES are no longer available
+-with SSLv2.
++These calls are provided only as stubs for keeping ABI compatibility. There
++is no support for SSLv2 built in the library.
+
+ =item DTLS_method(), DTLS_server_method(), DTLS_client_method()
+
diff --git a/SOURCES/openssl-1.0.2k-ppc-update.patch b/SOURCES/openssl-1.0.2k-ppc-update.patch
new file mode 100644
index 0000000..a5efdfa
--- /dev/null
+++ b/SOURCES/openssl-1.0.2k-ppc-update.patch
@@ -0,0 +1,1932 @@
+diff -up openssl-1.0.2k/crypto/aes/asm/aesp8-ppc.pl.ppc-update openssl-1.0.2k/crypto/aes/asm/aesp8-ppc.pl
+--- openssl-1.0.2k/crypto/aes/asm/aesp8-ppc.pl.ppc-update 2017-01-26 14:22:03.000000000 +0100
++++ openssl-1.0.2k/crypto/aes/asm/aesp8-ppc.pl 2017-04-13 09:51:40.611133165 +0200
+@@ -20,6 +20,19 @@
+ # instructions are interleaved. It's reckoned that eventual
+ # misalignment penalties at page boundaries are in average lower
+ # than additional overhead in pure AltiVec approach.
++#
++# May 2016
++#
++# Add XTS subroutine, 9x on little- and 12x improvement on big-endian
++# systems were measured.
++#
++######################################################################
++# Current large-block performance in cycles per byte processed with
++# 128-bit key (less is better).
++#
++# CBC en-/decrypt CTR XTS
++# POWER8[le] 3.96/0.72 0.74 1.1
++# POWER8[be] 3.75/0.65 0.66 1.0
+
+ $flavour = shift;
+
+@@ -486,6 +499,8 @@ $code.=<<___;
+ .globl .${prefix}_cbc_encrypt
+ .align 5
+ .${prefix}_cbc_encrypt:
++ li $idx,15
++ andc $len,$len,$idx
+ ${UCMP}i $len,16
+ bltlr-
+
+@@ -494,7 +509,6 @@ $code.=<<___;
+ mfspr $vrsave,256
+ mtspr 256,r0
+
+- li $idx,15
+ vxor $rndkey0,$rndkey0,$rndkey0
+ le?vspltisb $tmp,0x0f
+
+@@ -1887,6 +1901,1849 @@ Lctr32_enc8x_done:
+ ___
+ }} }}}
+
++#########################################################################
++{{{ # XTS procedures #
++# int aes_p8_xts_[en|de]crypt(const char *inp, char *out, size_t len, #
++# const AES_KEY *key1, const AES_KEY *key2, #
++# [const] unsigned char iv[16]); #
++# If $key2 is NULL, then a "tweak chaining" mode is engaged, in which #
++# input tweak value is assumed to be encrypted already, and last tweak #
++# value, one suitable for consecutive call on same chunk of data, is #
++# written back to original buffer. In addition, in "tweak chaining" #
++# mode only complete input blocks are processed. #
++
++my ($inp,$out,$len,$key1,$key2,$ivp,$rounds,$idx) = map("r$_",(3..10));
++my ($rndkey0,$rndkey1,$inout) = map("v$_",(0..2));
++my ($output,$inptail,$inpperm,$leperm,$keyperm) = map("v$_",(3..7));
++my ($tweak,$seven,$eighty7,$tmp,$tweak1) = map("v$_",(8..12));
++my $taillen = $key2;
++
++ ($inp,$idx) = ($idx,$inp); # reassign
++
++$code.=<<___;
++.globl .${prefix}_xts_encrypt
++.align 5
++.${prefix}_xts_encrypt:
++ mr $inp,r3 # reassign
++ li r3,-1
++ ${UCMP}i $len,16
++ bltlr-
++
++ lis r0,0xfff0
++ mfspr r12,256 # save vrsave
++ li r11,0
++ mtspr 256,r0
++
++ vspltisb $seven,0x07 # 0x070707..07
++ le?lvsl $leperm,r11,r11
++ le?vspltisb $tmp,0x0f
++ le?vxor $leperm,$leperm,$seven
++
++ li $idx,15
++ lvx $tweak,0,$ivp # load [unaligned] iv
++ lvsl $inpperm,0,$ivp
++ lvx $inptail,$idx,$ivp
++ le?vxor $inpperm,$inpperm,$tmp
++ vperm $tweak,$tweak,$inptail,$inpperm
++
++ neg r11,$inp
++ lvsr $inpperm,0,r11 # prepare for unaligned load
++ lvx $inout,0,$inp
++ addi $inp,$inp,15 # 15 is not typo
++ le?vxor $inpperm,$inpperm,$tmp
++
++ ${UCMP}i $key2,0 # key2==NULL?
++ beq Lxts_enc_no_key2
++
++ ?lvsl $keyperm,0,$key2 # prepare for unaligned key
++ lwz $rounds,240($key2)
++ srwi $rounds,$rounds,1
++ subi $rounds,$rounds,1
++ li $idx,16
++
++ lvx $rndkey0,0,$key2
++ lvx $rndkey1,$idx,$key2
++ addi $idx,$idx,16
++ ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
++ vxor $tweak,$tweak,$rndkey0
++ lvx $rndkey0,$idx,$key2
++ addi $idx,$idx,16
++ mtctr $rounds
++
++Ltweak_xts_enc:
++ ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
++ vcipher $tweak,$tweak,$rndkey1
++ lvx $rndkey1,$idx,$key2
++ addi $idx,$idx,16
++ ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
++ vcipher $tweak,$tweak,$rndkey0
++ lvx $rndkey0,$idx,$key2
++ addi $idx,$idx,16
++ bdnz Ltweak_xts_enc
++
++ ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
++ vcipher $tweak,$tweak,$rndkey1
++ lvx $rndkey1,$idx,$key2
++ ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
++ vcipherlast $tweak,$tweak,$rndkey0
++
++ li $ivp,0 # don't chain the tweak
++ b Lxts_enc
++
++Lxts_enc_no_key2:
++ li $idx,-16
++ and $len,$len,$idx # in "tweak chaining"
++ # mode only complete
++ # blocks are processed
++Lxts_enc:
++ lvx $inptail,0,$inp
++ addi $inp,$inp,16
++
++ ?lvsl $keyperm,0,$key1 # prepare for unaligned key
++ lwz $rounds,240($key1)
++ srwi $rounds,$rounds,1
++ subi $rounds,$rounds,1
++ li $idx,16
++
++ vslb $eighty7,$seven,$seven # 0x808080..80
++ vor $eighty7,$eighty7,$seven # 0x878787..87
++ vspltisb $tmp,1 # 0x010101..01
++ vsldoi $eighty7,$eighty7,$tmp,15 # 0x870101..01
++
++ ${UCMP}i $len,96
++ bge _aesp8_xts_encrypt6x
++
++ andi. $taillen,$len,15
++ subic r0,$len,32
++ subi $taillen,$taillen,16
++ subfe r0,r0,r0
++ and r0,r0,$taillen
++ add $inp,$inp,r0
++
++ lvx $rndkey0,0,$key1
++ lvx $rndkey1,$idx,$key1
++ addi $idx,$idx,16
++ vperm $inout,$inout,$inptail,$inpperm
++ ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
++ vxor $inout,$inout,$tweak
++ vxor $inout,$inout,$rndkey0
++ lvx $rndkey0,$idx,$key1
++ addi $idx,$idx,16
++ mtctr $rounds
++ b Loop_xts_enc
++
++.align 5
++Loop_xts_enc:
++ ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
++ vcipher $inout,$inout,$rndkey1
++ lvx $rndkey1,$idx,$key1
++ addi $idx,$idx,16
++ ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
++ vcipher $inout,$inout,$rndkey0
++ lvx $rndkey0,$idx,$key1
++ addi $idx,$idx,16
++ bdnz Loop_xts_enc
++
++ ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
++ vcipher $inout,$inout,$rndkey1
++ lvx $rndkey1,$idx,$key1
++ li $idx,16
++ ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
++ vxor $rndkey0,$rndkey0,$tweak
++ vcipherlast $output,$inout,$rndkey0
++
++ le?vperm $tmp,$output,$output,$leperm
++ be?nop
++ le?stvx_u $tmp,0,$out
++ be?stvx_u $output,0,$out
++ addi $out,$out,16
++
++ subic. $len,$len,16
++ beq Lxts_enc_done
++
++ vmr $inout,$inptail
++ lvx $inptail,0,$inp
++ addi $inp,$inp,16
++ lvx $rndkey0,0,$key1
++ lvx $rndkey1,$idx,$key1
++ addi $idx,$idx,16
++
++ subic r0,$len,32
++ subfe r0,r0,r0
++ and r0,r0,$taillen
++ add $inp,$inp,r0
++
++ vsrab $tmp,$tweak,$seven # next tweak value
++ vaddubm $tweak,$tweak,$tweak
++ vsldoi $tmp,$tmp,$tmp,15
++ vand $tmp,$tmp,$eighty7
++ vxor $tweak,$tweak,$tmp
++
++ vperm $inout,$inout,$inptail,$inpperm
++ ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
++ vxor $inout,$inout,$tweak
++ vxor $output,$output,$rndkey0 # just in case $len<16
++ vxor $inout,$inout,$rndkey0
++ lvx $rndkey0,$idx,$key1
++ addi $idx,$idx,16
++
++ mtctr $rounds
++ ${UCMP}i $len,16
++ bge Loop_xts_enc
++
++ vxor $output,$output,$tweak
++ lvsr $inpperm,0,$len # $inpperm is no longer needed
++ vxor $inptail,$inptail,$inptail # $inptail is no longer needed
++ vspltisb $tmp,-1
++ vperm $inptail,$inptail,$tmp,$inpperm
++ vsel $inout,$inout,$output,$inptail
++
++ subi r11,$out,17
++ subi $out,$out,16
++ mtctr $len
++ li $len,16
++Loop_xts_enc_steal:
++ lbzu r0,1(r11)
++ stb r0,16(r11)
++ bdnz Loop_xts_enc_steal
++
++ mtctr $rounds
++ b Loop_xts_enc # one more time...
++
++Lxts_enc_done:
++ ${UCMP}i $ivp,0
++ beq Lxts_enc_ret
++
++ vsrab $tmp,$tweak,$seven # next tweak value
++ vaddubm $tweak,$tweak,$tweak
++ vsldoi $tmp,$tmp,$tmp,15
++ vand $tmp,$tmp,$eighty7
++ vxor $tweak,$tweak,$tmp
++
++ le?vperm $tweak,$tweak,$tweak,$leperm
++ stvx_u $tweak,0,$ivp
++
++Lxts_enc_ret:
++ mtspr 256,r12 # restore vrsave
++ li r3,0
++ blr
++ .long 0
++ .byte 0,12,0x04,0,0x80,6,6,0
++ .long 0
++.size .${prefix}_xts_encrypt,.-.${prefix}_xts_encrypt
++
++.globl .${prefix}_xts_decrypt
++.align 5
++.${prefix}_xts_decrypt:
++ mr $inp,r3 # reassign
++ li r3,-1
++ ${UCMP}i $len,16
++ bltlr-
++
++ lis r0,0xfff8
++ mfspr r12,256 # save vrsave
++ li r11,0
++ mtspr 256,r0
++
++ andi. r0,$len,15
++ neg r0,r0
++ andi. r0,r0,16
++ sub $len,$len,r0
++
++ vspltisb $seven,0x07 # 0x070707..07
++ le?lvsl $leperm,r11,r11
++ le?vspltisb $tmp,0x0f
++ le?vxor $leperm,$leperm,$seven
++
++ li $idx,15
++ lvx $tweak,0,$ivp # load [unaligned] iv
++ lvsl $inpperm,0,$ivp
++ lvx $inptail,$idx,$ivp
++ le?vxor $inpperm,$inpperm,$tmp
++ vperm $tweak,$tweak,$inptail,$inpperm
++
++ neg r11,$inp
++ lvsr $inpperm,0,r11 # prepare for unaligned load
++ lvx $inout,0,$inp
++ addi $inp,$inp,15 # 15 is not typo
++ le?vxor $inpperm,$inpperm,$tmp
++
++ ${UCMP}i $key2,0 # key2==NULL?
++ beq Lxts_dec_no_key2
++
++ ?lvsl $keyperm,0,$key2 # prepare for unaligned key
++ lwz $rounds,240($key2)
++ srwi $rounds,$rounds,1
++ subi $rounds,$rounds,1
++ li $idx,16
++
++ lvx $rndkey0,0,$key2
++ lvx $rndkey1,$idx,$key2
++ addi $idx,$idx,16
++ ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
++ vxor $tweak,$tweak,$rndkey0
++ lvx $rndkey0,$idx,$key2
++ addi $idx,$idx,16
++ mtctr $rounds
++
++Ltweak_xts_dec:
++ ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
++ vcipher $tweak,$tweak,$rndkey1
++ lvx $rndkey1,$idx,$key2
++ addi $idx,$idx,16
++ ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
++ vcipher $tweak,$tweak,$rndkey0
++ lvx $rndkey0,$idx,$key2
++ addi $idx,$idx,16
++ bdnz Ltweak_xts_dec
++
++ ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
++ vcipher $tweak,$tweak,$rndkey1
++ lvx $rndkey1,$idx,$key2
++ ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
++ vcipherlast $tweak,$tweak,$rndkey0
++
++ li $ivp,0 # don't chain the tweak
++ b Lxts_dec
++
++Lxts_dec_no_key2:
++ neg $idx,$len
++ andi. $idx,$idx,15
++ add $len,$len,$idx # in "tweak chaining"
++ # mode only complete
++ # blocks are processed
++Lxts_dec:
++ lvx $inptail,0,$inp
++ addi $inp,$inp,16
++
++ ?lvsl $keyperm,0,$key1 # prepare for unaligned key
++ lwz $rounds,240($key1)
++ srwi $rounds,$rounds,1
++ subi $rounds,$rounds,1
++ li $idx,16
++
++ vslb $eighty7,$seven,$seven # 0x808080..80
++ vor $eighty7,$eighty7,$seven # 0x878787..87
++ vspltisb $tmp,1 # 0x010101..01
++ vsldoi $eighty7,$eighty7,$tmp,15 # 0x870101..01
++
++ ${UCMP}i $len,96
++ bge _aesp8_xts_decrypt6x
++
++ lvx $rndkey0,0,$key1
++ lvx $rndkey1,$idx,$key1
++ addi $idx,$idx,16
++ vperm $inout,$inout,$inptail,$inpperm
++ ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
++ vxor $inout,$inout,$tweak
++ vxor $inout,$inout,$rndkey0
++ lvx $rndkey0,$idx,$key1
++ addi $idx,$idx,16
++ mtctr $rounds
++
++ ${UCMP}i $len,16
++ blt Ltail_xts_dec
++ be?b Loop_xts_dec
++
++.align 5
++Loop_xts_dec:
++ ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
++ vncipher $inout,$inout,$rndkey1
++ lvx $rndkey1,$idx,$key1
++ addi $idx,$idx,16
++ ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
++ vncipher $inout,$inout,$rndkey0
++ lvx $rndkey0,$idx,$key1
++ addi $idx,$idx,16
++ bdnz Loop_xts_dec
++
++ ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
++ vncipher $inout,$inout,$rndkey1
++ lvx $rndkey1,$idx,$key1
++ li $idx,16
++ ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
++ vxor $rndkey0,$rndkey0,$tweak
++ vncipherlast $output,$inout,$rndkey0
++
++ le?vperm $tmp,$output,$output,$leperm
++ be?nop
++ le?stvx_u $tmp,0,$out
++ be?stvx_u $output,0,$out
++ addi $out,$out,16
++
++ subic. $len,$len,16
++ beq Lxts_dec_done
++
++ vmr $inout,$inptail
++ lvx $inptail,0,$inp
++ addi $inp,$inp,16
++ lvx $rndkey0,0,$key1
++ lvx $rndkey1,$idx,$key1
++ addi $idx,$idx,16
++
++ vsrab $tmp,$tweak,$seven # next tweak value
++ vaddubm $tweak,$tweak,$tweak
++ vsldoi $tmp,$tmp,$tmp,15
++ vand $tmp,$tmp,$eighty7
++ vxor $tweak,$tweak,$tmp
++
++ vperm $inout,$inout,$inptail,$inpperm
++ ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
++ vxor $inout,$inout,$tweak
++ vxor $inout,$inout,$rndkey0
++ lvx $rndkey0,$idx,$key1
++ addi $idx,$idx,16
++
++ mtctr $rounds
++ ${UCMP}i $len,16
++ bge Loop_xts_dec
++
++Ltail_xts_dec:
++ vsrab $tmp,$tweak,$seven # next tweak value
++ vaddubm $tweak1,$tweak,$tweak
++ vsldoi $tmp,$tmp,$tmp,15
++ vand $tmp,$tmp,$eighty7
++ vxor $tweak1,$tweak1,$tmp
++
++ subi $inp,$inp,16
++ add $inp,$inp,$len
++
++ vxor $inout,$inout,$tweak # :-(
++ vxor $inout,$inout,$tweak1 # :-)
++
++Loop_xts_dec_short:
++ ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
++ vncipher $inout,$inout,$rndkey1
++ lvx $rndkey1,$idx,$key1
++ addi $idx,$idx,16
++ ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
++ vncipher $inout,$inout,$rndkey0
++ lvx $rndkey0,$idx,$key1
++ addi $idx,$idx,16
++ bdnz Loop_xts_dec_short
++
++ ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
++ vncipher $inout,$inout,$rndkey1
++ lvx $rndkey1,$idx,$key1
++ li $idx,16
++ ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
++ vxor $rndkey0,$rndkey0,$tweak1
++ vncipherlast $output,$inout,$rndkey0
++
++ le?vperm $tmp,$output,$output,$leperm
++ be?nop
++ le?stvx_u $tmp,0,$out
++ be?stvx_u $output,0,$out
++
++ vmr $inout,$inptail
++ lvx $inptail,0,$inp
++ #addi $inp,$inp,16
++ lvx $rndkey0,0,$key1
++ lvx $rndkey1,$idx,$key1
++ addi $idx,$idx,16
++ vperm $inout,$inout,$inptail,$inpperm
++ ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
++
++ lvsr $inpperm,0,$len # $inpperm is no longer needed
++ vxor $inptail,$inptail,$inptail # $inptail is no longer needed
++ vspltisb $tmp,-1
++ vperm $inptail,$inptail,$tmp,$inpperm
++ vsel $inout,$inout,$output,$inptail
++
++ vxor $rndkey0,$rndkey0,$tweak
++ vxor $inout,$inout,$rndkey0
++ lvx $rndkey0,$idx,$key1
++ addi $idx,$idx,16
++
++ subi r11,$out,1
++ mtctr $len
++ li $len,16
++Loop_xts_dec_steal:
++ lbzu r0,1(r11)
++ stb r0,16(r11)
++ bdnz Loop_xts_dec_steal
++
++ mtctr $rounds
++ b Loop_xts_dec # one more time...
++
++Lxts_dec_done:
++ ${UCMP}i $ivp,0
++ beq Lxts_dec_ret
++
++ vsrab $tmp,$tweak,$seven # next tweak value
++ vaddubm $tweak,$tweak,$tweak
++ vsldoi $tmp,$tmp,$tmp,15
++ vand $tmp,$tmp,$eighty7
++ vxor $tweak,$tweak,$tmp
++
++ le?vperm $tweak,$tweak,$tweak,$leperm
++ stvx_u $tweak,0,$ivp
++
++Lxts_dec_ret:
++ mtspr 256,r12 # restore vrsave
++ li r3,0
++ blr
++ .long 0
++ .byte 0,12,0x04,0,0x80,6,6,0
++ .long 0
++.size .${prefix}_xts_decrypt,.-.${prefix}_xts_decrypt
++___
++#########################################################################
++{{ # Optimized XTS procedures #
++my $key_=$key2;
++my ($x00,$x10,$x20,$x30,$x40,$x50,$x60,$x70)=map("r$_",(0,3,26..31));
++ $x00=0 if ($flavour =~ /osx/);
++my ($in0, $in1, $in2, $in3, $in4, $in5 )=map("v$_",(0..5));
++my ($out0, $out1, $out2, $out3, $out4, $out5)=map("v$_",(7,12..16));
++my ($twk0, $twk1, $twk2, $twk3, $twk4, $twk5)=map("v$_",(17..22));
++my $rndkey0="v23"; # v24-v25 rotating buffer for first found keys
++ # v26-v31 last 6 round keys
++my ($keyperm)=($out0); # aliases with "caller", redundant assignment
++my $taillen=$x70;
++
++$code.=<<___;
++.align 5
++_aesp8_xts_encrypt6x:
++ $STU $sp,-`($FRAME+21*16+6*$SIZE_T)`($sp)
++ mflr r11
++ li r7,`$FRAME+8*16+15`
++ li r3,`$FRAME+8*16+31`
++ $PUSH r11,`$FRAME+21*16+6*$SIZE_T+$LRSAVE`($sp)
++ stvx v20,r7,$sp # ABI says so
++ addi r7,r7,32
++ stvx v21,r3,$sp
++ addi r3,r3,32
++ stvx v22,r7,$sp
++ addi r7,r7,32
++ stvx v23,r3,$sp
++ addi r3,r3,32
++ stvx v24,r7,$sp
++ addi r7,r7,32
++ stvx v25,r3,$sp
++ addi r3,r3,32
++ stvx v26,r7,$sp
++ addi r7,r7,32
++ stvx v27,r3,$sp
++ addi r3,r3,32
++ stvx v28,r7,$sp
++ addi r7,r7,32
++ stvx v29,r3,$sp
++ addi r3,r3,32
++ stvx v30,r7,$sp
++ stvx v31,r3,$sp
++ li r0,-1
++ stw $vrsave,`$FRAME+21*16-4`($sp) # save vrsave
++ li $x10,0x10
++ $PUSH r26,`$FRAME+21*16+0*$SIZE_T`($sp)
++ li $x20,0x20
++ $PUSH r27,`$FRAME+21*16+1*$SIZE_T`($sp)
++ li $x30,0x30
++ $PUSH r28,`$FRAME+21*16+2*$SIZE_T`($sp)
++ li $x40,0x40
++ $PUSH r29,`$FRAME+21*16+3*$SIZE_T`($sp)
++ li $x50,0x50
++ $PUSH r30,`$FRAME+21*16+4*$SIZE_T`($sp)
++ li $x60,0x60
++ $PUSH r31,`$FRAME+21*16+5*$SIZE_T`($sp)
++ li $x70,0x70
++ mtspr 256,r0
++
++ subi $rounds,$rounds,3 # -4 in total
++
++ lvx $rndkey0,$x00,$key1 # load key schedule
++ lvx v30,$x10,$key1
++ addi $key1,$key1,0x20
++ lvx v31,$x00,$key1
++ ?vperm $rndkey0,$rndkey0,v30,$keyperm
++ addi $key_,$sp,$FRAME+15
++ mtctr $rounds
++
++Load_xts_enc_key:
++ ?vperm v24,v30,v31,$keyperm
++ lvx v30,$x10,$key1
++ addi $key1,$key1,0x20
++ stvx v24,$x00,$key_ # off-load round[1]
++ ?vperm v25,v31,v30,$keyperm
++ lvx v31,$x00,$key1
++ stvx v25,$x10,$key_ # off-load round[2]
++ addi $key_,$key_,0x20
++ bdnz Load_xts_enc_key
++
++ lvx v26,$x10,$key1
++ ?vperm v24,v30,v31,$keyperm
++ lvx v27,$x20,$key1
++ stvx v24,$x00,$key_ # off-load round[3]
++ ?vperm v25,v31,v26,$keyperm
++ lvx v28,$x30,$key1
++ stvx v25,$x10,$key_ # off-load round[4]
++ addi $key_,$sp,$FRAME+15 # rewind $key_
++ ?vperm v26,v26,v27,$keyperm
++ lvx v29,$x40,$key1
++ ?vperm v27,v27,v28,$keyperm
++ lvx v30,$x50,$key1
++ ?vperm v28,v28,v29,$keyperm
++ lvx v31,$x60,$key1
++ ?vperm v29,v29,v30,$keyperm
++ lvx $twk5,$x70,$key1 # borrow $twk5
++ ?vperm v30,v30,v31,$keyperm
++ lvx v24,$x00,$key_ # pre-load round[1]
++ ?vperm v31,v31,$twk5,$keyperm
++ lvx v25,$x10,$key_ # pre-load round[2]
++
++ vperm $in0,$inout,$inptail,$inpperm
++ subi $inp,$inp,31 # undo "caller"
++ vxor $twk0,$tweak,$rndkey0
++ vsrab $tmp,$tweak,$seven # next tweak value
++ vaddubm $tweak,$tweak,$tweak
++ vsldoi $tmp,$tmp,$tmp,15
++ vand $tmp,$tmp,$eighty7
++ vxor $out0,$in0,$twk0
++ vxor $tweak,$tweak,$tmp
++
++ lvx_u $in1,$x10,$inp
++ vxor $twk1,$tweak,$rndkey0
++ vsrab $tmp,$tweak,$seven # next tweak value
++ vaddubm $tweak,$tweak,$tweak
++ vsldoi $tmp,$tmp,$tmp,15
++ le?vperm $in1,$in1,$in1,$leperm
++ vand $tmp,$tmp,$eighty7
++ vxor $out1,$in1,$twk1
++ vxor $tweak,$tweak,$tmp
++
++ lvx_u $in2,$x20,$inp
++ andi. $taillen,$len,15
++ vxor $twk2,$tweak,$rndkey0
++ vsrab $tmp,$tweak,$seven # next tweak value
++ vaddubm $tweak,$tweak,$tweak
++ vsldoi $tmp,$tmp,$tmp,15
++ le?vperm $in2,$in2,$in2,$leperm
++ vand $tmp,$tmp,$eighty7
++ vxor $out2,$in2,$twk2
++ vxor $tweak,$tweak,$tmp
++
++ lvx_u $in3,$x30,$inp
++ sub $len,$len,$taillen
++ vxor $twk3,$tweak,$rndkey0
++ vsrab $tmp,$tweak,$seven # next tweak value
++ vaddubm $tweak,$tweak,$tweak
++ vsldoi $tmp,$tmp,$tmp,15
++ le?vperm $in3,$in3,$in3,$leperm
++ vand $tmp,$tmp,$eighty7
++ vxor $out3,$in3,$twk3
++ vxor $tweak,$tweak,$tmp
++
++ lvx_u $in4,$x40,$inp
++ subi $len,$len,0x60
++ vxor $twk4,$tweak,$rndkey0
++ vsrab $tmp,$tweak,$seven # next tweak value
++ vaddubm $tweak,$tweak,$tweak
++ vsldoi $tmp,$tmp,$tmp,15
++ le?vperm $in4,$in4,$in4,$leperm
++ vand $tmp,$tmp,$eighty7
++ vxor $out4,$in4,$twk4
++ vxor $tweak,$tweak,$tmp
++
++ lvx_u $in5,$x50,$inp
++ addi $inp,$inp,0x60
++ vxor $twk5,$tweak,$rndkey0
++ vsrab $tmp,$tweak,$seven # next tweak value
++ vaddubm $tweak,$tweak,$tweak
++ vsldoi $tmp,$tmp,$tmp,15
++ le?vperm $in5,$in5,$in5,$leperm
++ vand $tmp,$tmp,$eighty7
++ vxor $out5,$in5,$twk5
++ vxor $tweak,$tweak,$tmp
++
++ vxor v31,v31,$rndkey0
++ mtctr $rounds
++ b Loop_xts_enc6x
++
++.align 5
++Loop_xts_enc6x:
++ vcipher $out0,$out0,v24
++ vcipher $out1,$out1,v24
++ vcipher $out2,$out2,v24
++ vcipher $out3,$out3,v24
++ vcipher $out4,$out4,v24
++ vcipher $out5,$out5,v24
++ lvx v24,$x20,$key_ # round[3]
++ addi $key_,$key_,0x20
++
++ vcipher $out0,$out0,v25
++ vcipher $out1,$out1,v25
++ vcipher $out2,$out2,v25
++ vcipher $out3,$out3,v25
++ vcipher $out4,$out4,v25
++ vcipher $out5,$out5,v25
++ lvx v25,$x10,$key_ # round[4]
++ bdnz Loop_xts_enc6x
++
++ subic $len,$len,96 # $len-=96
++ vxor $in0,$twk0,v31 # xor with last round key
++ vcipher $out0,$out0,v24
++ vcipher $out1,$out1,v24
++ vsrab $tmp,$tweak,$seven # next tweak value
++ vxor $twk0,$tweak,$rndkey0
++ vaddubm $tweak,$tweak,$tweak
++ vcipher $out2,$out2,v24
++ vcipher $out3,$out3,v24
++ vsldoi $tmp,$tmp,$tmp,15
++ vcipher $out4,$out4,v24
++ vcipher $out5,$out5,v24
++
++ subfe. r0,r0,r0 # borrow?-1:0
++ vand $tmp,$tmp,$eighty7
++ vcipher $out0,$out0,v25
++ vcipher $out1,$out1,v25
++ vxor $tweak,$tweak,$tmp
++ vcipher $out2,$out2,v25
++ vcipher $out3,$out3,v25
++ vxor $in1,$twk1,v31
++ vsrab $tmp,$tweak,$seven # next tweak value
++ vxor $twk1,$tweak,$rndkey0
++ vcipher $out4,$out4,v25
++ vcipher $out5,$out5,v25
++
++ and r0,r0,$len
++ vaddubm $tweak,$tweak,$tweak
++ vsldoi $tmp,$tmp,$tmp,15
++ vcipher $out0,$out0,v26
++ vcipher $out1,$out1,v26
++ vand $tmp,$tmp,$eighty7
++ vcipher $out2,$out2,v26
++ vcipher $out3,$out3,v26
++ vxor $tweak,$tweak,$tmp
++ vcipher $out4,$out4,v26
++ vcipher $out5,$out5,v26
++
++ add $inp,$inp,r0 # $inp is adjusted in such
++ # way that at exit from the
++ # loop inX-in5 are loaded
++ # with last "words"
++ vxor $in2,$twk2,v31
++ vsrab $tmp,$tweak,$seven # next tweak value
++ vxor $twk2,$tweak,$rndkey0
++ vaddubm $tweak,$tweak,$tweak
++ vcipher $out0,$out0,v27
++ vcipher $out1,$out1,v27
++ vsldoi $tmp,$tmp,$tmp,15
++ vcipher $out2,$out2,v27
++ vcipher $out3,$out3,v27
++ vand $tmp,$tmp,$eighty7
++ vcipher $out4,$out4,v27
++ vcipher $out5,$out5,v27
++
++ addi $key_,$sp,$FRAME+15 # rewind $key_
++ vxor $tweak,$tweak,$tmp
++ vcipher $out0,$out0,v28
++ vcipher $out1,$out1,v28
++ vxor $in3,$twk3,v31
++ vsrab $tmp,$tweak,$seven # next tweak value
++ vxor $twk3,$tweak,$rndkey0
++ vcipher $out2,$out2,v28
++ vcipher $out3,$out3,v28
++ vaddubm $tweak,$tweak,$tweak
++ vsldoi $tmp,$tmp,$tmp,15
++ vcipher $out4,$out4,v28
++ vcipher $out5,$out5,v28
++ lvx v24,$x00,$key_ # re-pre-load round[1]
++ vand $tmp,$tmp,$eighty7
++
++ vcipher $out0,$out0,v29
++ vcipher $out1,$out1,v29
++ vxor $tweak,$tweak,$tmp
++ vcipher $out2,$out2,v29
++ vcipher $out3,$out3,v29
++ vxor $in4,$twk4,v31
++ vsrab $tmp,$tweak,$seven # next tweak value
++ vxor $twk4,$tweak,$rndkey0
++ vcipher $out4,$out4,v29
++ vcipher $out5,$out5,v29
++ lvx v25,$x10,$key_ # re-pre-load round[2]
++ vaddubm $tweak,$tweak,$tweak
++ vsldoi $tmp,$tmp,$tmp,15
++
++ vcipher $out0,$out0,v30
++ vcipher $out1,$out1,v30
++ vand $tmp,$tmp,$eighty7
++ vcipher $out2,$out2,v30
++ vcipher $out3,$out3,v30
++ vxor $tweak,$tweak,$tmp
++ vcipher $out4,$out4,v30
++ vcipher $out5,$out5,v30
++ vxor $in5,$twk5,v31
++ vsrab $tmp,$tweak,$seven # next tweak value
++ vxor $twk5,$tweak,$rndkey0
++
++ vcipherlast $out0,$out0,$in0
++ lvx_u $in0,$x00,$inp # load next input block
++ vaddubm $tweak,$tweak,$tweak
++ vsldoi $tmp,$tmp,$tmp,15
++ vcipherlast $out1,$out1,$in1
++ lvx_u $in1,$x10,$inp
++ vcipherlast $out2,$out2,$in2
++ le?vperm $in0,$in0,$in0,$leperm
++ lvx_u $in2,$x20,$inp
++ vand $tmp,$tmp,$eighty7
++ vcipherlast $out3,$out3,$in3
++ le?vperm $in1,$in1,$in1,$leperm
++ lvx_u $in3,$x30,$inp
++ vcipherlast $out4,$out4,$in4
++ le?vperm $in2,$in2,$in2,$leperm
++ lvx_u $in4,$x40,$inp
++ vxor $tweak,$tweak,$tmp
++ vcipherlast $tmp,$out5,$in5 # last block might be needed
++ # in stealing mode
++ le?vperm $in3,$in3,$in3,$leperm
++ lvx_u $in5,$x50,$inp
++ addi $inp,$inp,0x60
++ le?vperm $in4,$in4,$in4,$leperm
++ le?vperm $in5,$in5,$in5,$leperm
++
++ le?vperm $out0,$out0,$out0,$leperm
++ le?vperm $out1,$out1,$out1,$leperm
++ stvx_u $out0,$x00,$out # store output
++ vxor $out0,$in0,$twk0
++ le?vperm $out2,$out2,$out2,$leperm
++ stvx_u $out1,$x10,$out
++ vxor $out1,$in1,$twk1
++ le?vperm $out3,$out3,$out3,$leperm
++ stvx_u $out2,$x20,$out
++ vxor $out2,$in2,$twk2
++ le?vperm $out4,$out4,$out4,$leperm
++ stvx_u $out3,$x30,$out
++ vxor $out3,$in3,$twk3
++ le?vperm $out5,$tmp,$tmp,$leperm
++ stvx_u $out4,$x40,$out
++ vxor $out4,$in4,$twk4
++ le?stvx_u $out5,$x50,$out
++ be?stvx_u $tmp, $x50,$out
++ vxor $out5,$in5,$twk5
++ addi $out,$out,0x60
++
++ mtctr $rounds
++ beq Loop_xts_enc6x # did $len-=96 borrow?
++
++ addic. $len,$len,0x60
++ beq Lxts_enc6x_zero
++ cmpwi $len,0x20
++ blt Lxts_enc6x_one
++ nop
++ beq Lxts_enc6x_two
++ cmpwi $len,0x40
++ blt Lxts_enc6x_three
++ nop
++ beq Lxts_enc6x_four
++
++Lxts_enc6x_five:
++ vxor $out0,$in1,$twk0
++ vxor $out1,$in2,$twk1
++ vxor $out2,$in3,$twk2
++ vxor $out3,$in4,$twk3
++ vxor $out4,$in5,$twk4
++
++ bl _aesp8_xts_enc5x
++
++ le?vperm $out0,$out0,$out0,$leperm
++ vmr $twk0,$twk5 # unused tweak
++ le?vperm $out1,$out1,$out1,$leperm
++ stvx_u $out0,$x00,$out # store output
++ le?vperm $out2,$out2,$out2,$leperm
++ stvx_u $out1,$x10,$out
++ le?vperm $out3,$out3,$out3,$leperm
++ stvx_u $out2,$x20,$out
++ vxor $tmp,$out4,$twk5 # last block prep for stealing
++ le?vperm $out4,$out4,$out4,$leperm
++ stvx_u $out3,$x30,$out
++ stvx_u $out4,$x40,$out
++ addi $out,$out,0x50
++ bne Lxts_enc6x_steal
++ b Lxts_enc6x_done
++
++.align 4
++Lxts_enc6x_four:
++ vxor $out0,$in2,$twk0
++ vxor $out1,$in3,$twk1
++ vxor $out2,$in4,$twk2
++ vxor $out3,$in5,$twk3
++ vxor $out4,$out4,$out4
++
++ bl _aesp8_xts_enc5x
++
++ le?vperm $out0,$out0,$out0,$leperm
++ vmr $twk0,$twk4 # unused tweak
++ le?vperm $out1,$out1,$out1,$leperm
++ stvx_u $out0,$x00,$out # store output
++ le?vperm $out2,$out2,$out2,$leperm
++ stvx_u $out1,$x10,$out
++ vxor $tmp,$out3,$twk4 # last block prep for stealing
++ le?vperm $out3,$out3,$out3,$leperm
++ stvx_u $out2,$x20,$out
++ stvx_u $out3,$x30,$out
++ addi $out,$out,0x40
++ bne Lxts_enc6x_steal
++ b Lxts_enc6x_done
++
++.align 4
++Lxts_enc6x_three:
++ vxor $out0,$in3,$twk0
++ vxor $out1,$in4,$twk1
++ vxor $out2,$in5,$twk2
++ vxor $out3,$out3,$out3
++ vxor $out4,$out4,$out4
++
++ bl _aesp8_xts_enc5x
++
++ le?vperm $out0,$out0,$out0,$leperm
++ vmr $twk0,$twk3 # unused tweak
++ le?vperm $out1,$out1,$out1,$leperm
++ stvx_u $out0,$x00,$out # store output
++ vxor $tmp,$out2,$twk3 # last block prep for stealing
++ le?vperm $out2,$out2,$out2,$leperm
++ stvx_u $out1,$x10,$out
++ stvx_u $out2,$x20,$out
++ addi $out,$out,0x30
++ bne Lxts_enc6x_steal
++ b Lxts_enc6x_done
++
++.align 4
++Lxts_enc6x_two:
++ vxor $out0,$in4,$twk0
++ vxor $out1,$in5,$twk1
++ vxor $out2,$out2,$out2
++ vxor $out3,$out3,$out3
++ vxor $out4,$out4,$out4
++
++ bl _aesp8_xts_enc5x
++
++ le?vperm $out0,$out0,$out0,$leperm
++ vmr $twk0,$twk2 # unused tweak
++ vxor $tmp,$out1,$twk2 # last block prep for stealing
++ le?vperm $out1,$out1,$out1,$leperm
++ stvx_u $out0,$x00,$out # store output
++ stvx_u $out1,$x10,$out
++ addi $out,$out,0x20
++ bne Lxts_enc6x_steal
++ b Lxts_enc6x_done
++
++.align 4
++Lxts_enc6x_one:
++ vxor $out0,$in5,$twk0
++ nop
++Loop_xts_enc1x:
++ vcipher $out0,$out0,v24
++ lvx v24,$x20,$key_ # round[3]
++ addi $key_,$key_,0x20
++
++ vcipher $out0,$out0,v25
++ lvx v25,$x10,$key_ # round[4]
++ bdnz Loop_xts_enc1x
++
++ add $inp,$inp,$taillen
++ cmpwi $taillen,0
++ vcipher $out0,$out0,v24
++
++ subi $inp,$inp,16
++ vcipher $out0,$out0,v25
++
++ lvsr $inpperm,0,$taillen
++ vcipher $out0,$out0,v26
++
++ lvx_u $in0,0,$inp
++ vcipher $out0,$out0,v27
++
++ addi $key_,$sp,$FRAME+15 # rewind $key_
++ vcipher $out0,$out0,v28
++ lvx v24,$x00,$key_ # re-pre-load round[1]
++
++ vcipher $out0,$out0,v29
++ lvx v25,$x10,$key_ # re-pre-load round[2]
++ vxor $twk0,$twk0,v31
++
++ le?vperm $in0,$in0,$in0,$leperm
++ vcipher $out0,$out0,v30
++
++ vperm $in0,$in0,$in0,$inpperm
++ vcipherlast $out0,$out0,$twk0
++
++ vmr $twk0,$twk1 # unused tweak
++ vxor $tmp,$out0,$twk1 # last block prep for stealing
++ le?vperm $out0,$out0,$out0,$leperm
++ stvx_u $out0,$x00,$out # store output
++ addi $out,$out,0x10
++ bne Lxts_enc6x_steal
++ b Lxts_enc6x_done
++
++.align 4
++Lxts_enc6x_zero:
++ cmpwi $taillen,0
++ beq Lxts_enc6x_done
++
++ add $inp,$inp,$taillen
++ subi $inp,$inp,16
++ lvx_u $in0,0,$inp
++ lvsr $inpperm,0,$taillen # $in5 is no more
++ le?vperm $in0,$in0,$in0,$leperm
++ vperm $in0,$in0,$in0,$inpperm
++ vxor $tmp,$tmp,$twk0
++Lxts_enc6x_steal:
++ vxor $in0,$in0,$twk0
++ vxor $out0,$out0,$out0
++ vspltisb $out1,-1
++ vperm $out0,$out0,$out1,$inpperm
++ vsel $out0,$in0,$tmp,$out0 # $tmp is last block, remember?
++
++ subi r30,$out,17
++ subi $out,$out,16
++ mtctr $taillen
++Loop_xts_enc6x_steal:
++ lbzu r0,1(r30)
++ stb r0,16(r30)
++ bdnz Loop_xts_enc6x_steal
++
++ li $taillen,0
++ mtctr $rounds
++ b Loop_xts_enc1x # one more time...
++
++.align 4
++Lxts_enc6x_done:
++ ${UCMP}i $ivp,0
++ beq Lxts_enc6x_ret
++
++ vxor $tweak,$twk0,$rndkey0
++ le?vperm $tweak,$tweak,$tweak,$leperm
++ stvx_u $tweak,0,$ivp
++
++Lxts_enc6x_ret:
++ mtlr r11
++ li r10,`$FRAME+15`
++ li r11,`$FRAME+31`
++ stvx $seven,r10,$sp # wipe copies of round keys
++ addi r10,r10,32
++ stvx $seven,r11,$sp
++ addi r11,r11,32
++ stvx $seven,r10,$sp
++ addi r10,r10,32
++ stvx $seven,r11,$sp
++ addi r11,r11,32
++ stvx $seven,r10,$sp
++ addi r10,r10,32
++ stvx $seven,r11,$sp
++ addi r11,r11,32
++ stvx $seven,r10,$sp
++ addi r10,r10,32
++ stvx $seven,r11,$sp
++ addi r11,r11,32
++
++ mtspr 256,$vrsave
++ lvx v20,r10,$sp # ABI says so
++ addi r10,r10,32
++ lvx v21,r11,$sp
++ addi r11,r11,32
++ lvx v22,r10,$sp
++ addi r10,r10,32
++ lvx v23,r11,$sp
++ addi r11,r11,32
++ lvx v24,r10,$sp
++ addi r10,r10,32
++ lvx v25,r11,$sp
++ addi r11,r11,32
++ lvx v26,r10,$sp
++ addi r10,r10,32
++ lvx v27,r11,$sp
++ addi r11,r11,32
++ lvx v28,r10,$sp
++ addi r10,r10,32
++ lvx v29,r11,$sp
++ addi r11,r11,32
++ lvx v30,r10,$sp
++ lvx v31,r11,$sp
++ $POP r26,`$FRAME+21*16+0*$SIZE_T`($sp)
++ $POP r27,`$FRAME+21*16+1*$SIZE_T`($sp)
++ $POP r28,`$FRAME+21*16+2*$SIZE_T`($sp)
++ $POP r29,`$FRAME+21*16+3*$SIZE_T`($sp)
++ $POP r30,`$FRAME+21*16+4*$SIZE_T`($sp)
++ $POP r31,`$FRAME+21*16+5*$SIZE_T`($sp)
++ addi $sp,$sp,`$FRAME+21*16+6*$SIZE_T`
++ blr
++ .long 0
++ .byte 0,12,0x04,1,0x80,6,6,0
++ .long 0
++
++.align 5
++_aesp8_xts_enc5x:
++ vcipher $out0,$out0,v24
++ vcipher $out1,$out1,v24
++ vcipher $out2,$out2,v24
++ vcipher $out3,$out3,v24
++ vcipher $out4,$out4,v24
++ lvx v24,$x20,$key_ # round[3]
++ addi $key_,$key_,0x20
++
++ vcipher $out0,$out0,v25
++ vcipher $out1,$out1,v25
++ vcipher $out2,$out2,v25
++ vcipher $out3,$out3,v25
++ vcipher $out4,$out4,v25
++ lvx v25,$x10,$key_ # round[4]
++ bdnz _aesp8_xts_enc5x
++
++ add $inp,$inp,$taillen
++ cmpwi $taillen,0
++ vcipher $out0,$out0,v24
++ vcipher $out1,$out1,v24
++ vcipher $out2,$out2,v24
++ vcipher $out3,$out3,v24
++ vcipher $out4,$out4,v24
++
++ subi $inp,$inp,16
++ vcipher $out0,$out0,v25
++ vcipher $out1,$out1,v25
++ vcipher $out2,$out2,v25
++ vcipher $out3,$out3,v25
++ vcipher $out4,$out4,v25
++ vxor $twk0,$twk0,v31
++
++ vcipher $out0,$out0,v26
++ lvsr $inpperm,r0,$taillen # $in5 is no more
++ vcipher $out1,$out1,v26
++ vcipher $out2,$out2,v26
++ vcipher $out3,$out3,v26
++ vcipher $out4,$out4,v26
++ vxor $in1,$twk1,v31
++
++ vcipher $out0,$out0,v27
++ lvx_u $in0,0,$inp
++ vcipher $out1,$out1,v27
++ vcipher $out2,$out2,v27
++ vcipher $out3,$out3,v27
++ vcipher $out4,$out4,v27
++ vxor $in2,$twk2,v31
++
++ addi $key_,$sp,$FRAME+15 # rewind $key_
++ vcipher $out0,$out0,v28
++ vcipher $out1,$out1,v28
++ vcipher $out2,$out2,v28
++ vcipher $out3,$out3,v28
++ vcipher $out4,$out4,v28
++ lvx v24,$x00,$key_ # re-pre-load round[1]
++ vxor $in3,$twk3,v31
++
++ vcipher $out0,$out0,v29
++ le?vperm $in0,$in0,$in0,$leperm
++ vcipher $out1,$out1,v29
++ vcipher $out2,$out2,v29
++ vcipher $out3,$out3,v29
++ vcipher $out4,$out4,v29
++ lvx v25,$x10,$key_ # re-pre-load round[2]
++ vxor $in4,$twk4,v31
++
++ vcipher $out0,$out0,v30
++ vperm $in0,$in0,$in0,$inpperm
++ vcipher $out1,$out1,v30
++ vcipher $out2,$out2,v30
++ vcipher $out3,$out3,v30
++ vcipher $out4,$out4,v30
++
++ vcipherlast $out0,$out0,$twk0
++ vcipherlast $out1,$out1,$in1
++ vcipherlast $out2,$out2,$in2
++ vcipherlast $out3,$out3,$in3
++ vcipherlast $out4,$out4,$in4
++ blr
++ .long 0
++ .byte 0,12,0x14,0,0,0,0,0
++
++.align 5
++_aesp8_xts_decrypt6x:
++ $STU $sp,-`($FRAME+21*16+6*$SIZE_T)`($sp)
++ mflr r11
++ li r7,`$FRAME+8*16+15`
++ li r3,`$FRAME+8*16+31`
++ $PUSH r11,`$FRAME+21*16+6*$SIZE_T+$LRSAVE`($sp)
++ stvx v20,r7,$sp # ABI says so
++ addi r7,r7,32
++ stvx v21,r3,$sp
++ addi r3,r3,32
++ stvx v22,r7,$sp
++ addi r7,r7,32
++ stvx v23,r3,$sp
++ addi r3,r3,32
++ stvx v24,r7,$sp
++ addi r7,r7,32
++ stvx v25,r3,$sp
++ addi r3,r3,32
++ stvx v26,r7,$sp
++ addi r7,r7,32
++ stvx v27,r3,$sp
++ addi r3,r3,32
++ stvx v28,r7,$sp
++ addi r7,r7,32
++ stvx v29,r3,$sp
++ addi r3,r3,32
++ stvx v30,r7,$sp
++ stvx v31,r3,$sp
++ li r0,-1
++ stw $vrsave,`$FRAME+21*16-4`($sp) # save vrsave
++ li $x10,0x10
++ $PUSH r26,`$FRAME+21*16+0*$SIZE_T`($sp)
++ li $x20,0x20
++ $PUSH r27,`$FRAME+21*16+1*$SIZE_T`($sp)
++ li $x30,0x30
++ $PUSH r28,`$FRAME+21*16+2*$SIZE_T`($sp)
++ li $x40,0x40
++ $PUSH r29,`$FRAME+21*16+3*$SIZE_T`($sp)
++ li $x50,0x50
++ $PUSH r30,`$FRAME+21*16+4*$SIZE_T`($sp)
++ li $x60,0x60
++ $PUSH r31,`$FRAME+21*16+5*$SIZE_T`($sp)
++ li $x70,0x70
++ mtspr 256,r0
++
++ subi $rounds,$rounds,3 # -4 in total
++
++ lvx $rndkey0,$x00,$key1 # load key schedule
++ lvx v30,$x10,$key1
++ addi $key1,$key1,0x20
++ lvx v31,$x00,$key1
++ ?vperm $rndkey0,$rndkey0,v30,$keyperm
++ addi $key_,$sp,$FRAME+15
++ mtctr $rounds
++
++Load_xts_dec_key:
++ ?vperm v24,v30,v31,$keyperm
++ lvx v30,$x10,$key1
++ addi $key1,$key1,0x20
++ stvx v24,$x00,$key_ # off-load round[1]
++ ?vperm v25,v31,v30,$keyperm
++ lvx v31,$x00,$key1
++ stvx v25,$x10,$key_ # off-load round[2]
++ addi $key_,$key_,0x20
++ bdnz Load_xts_dec_key
++
++ lvx v26,$x10,$key1
++ ?vperm v24,v30,v31,$keyperm
++ lvx v27,$x20,$key1
++ stvx v24,$x00,$key_ # off-load round[3]
++ ?vperm v25,v31,v26,$keyperm
++ lvx v28,$x30,$key1
++ stvx v25,$x10,$key_ # off-load round[4]
++ addi $key_,$sp,$FRAME+15 # rewind $key_
++ ?vperm v26,v26,v27,$keyperm
++ lvx v29,$x40,$key1
++ ?vperm v27,v27,v28,$keyperm
++ lvx v30,$x50,$key1
++ ?vperm v28,v28,v29,$keyperm
++ lvx v31,$x60,$key1
++ ?vperm v29,v29,v30,$keyperm
++ lvx $twk5,$x70,$key1 # borrow $twk5
++ ?vperm v30,v30,v31,$keyperm
++ lvx v24,$x00,$key_ # pre-load round[1]
++ ?vperm v31,v31,$twk5,$keyperm
++ lvx v25,$x10,$key_ # pre-load round[2]
++
++ vperm $in0,$inout,$inptail,$inpperm
++ subi $inp,$inp,31 # undo "caller"
++ vxor $twk0,$tweak,$rndkey0
++ vsrab $tmp,$tweak,$seven # next tweak value
++ vaddubm $tweak,$tweak,$tweak
++ vsldoi $tmp,$tmp,$tmp,15
++ vand $tmp,$tmp,$eighty7
++ vxor $out0,$in0,$twk0
++ vxor $tweak,$tweak,$tmp
++
++ lvx_u $in1,$x10,$inp
++ vxor $twk1,$tweak,$rndkey0
++ vsrab $tmp,$tweak,$seven # next tweak value
++ vaddubm $tweak,$tweak,$tweak
++ vsldoi $tmp,$tmp,$tmp,15
++ le?vperm $in1,$in1,$in1,$leperm
++ vand $tmp,$tmp,$eighty7
++ vxor $out1,$in1,$twk1
++ vxor $tweak,$tweak,$tmp
++
++ lvx_u $in2,$x20,$inp
++ andi. $taillen,$len,15
++ vxor $twk2,$tweak,$rndkey0
++ vsrab $tmp,$tweak,$seven # next tweak value
++ vaddubm $tweak,$tweak,$tweak
++ vsldoi $tmp,$tmp,$tmp,15
++ le?vperm $in2,$in2,$in2,$leperm
++ vand $tmp,$tmp,$eighty7
++ vxor $out2,$in2,$twk2
++ vxor $tweak,$tweak,$tmp
++
++ lvx_u $in3,$x30,$inp
++ sub $len,$len,$taillen
++ vxor $twk3,$tweak,$rndkey0
++ vsrab $tmp,$tweak,$seven # next tweak value
++ vaddubm $tweak,$tweak,$tweak
++ vsldoi $tmp,$tmp,$tmp,15
++ le?vperm $in3,$in3,$in3,$leperm
++ vand $tmp,$tmp,$eighty7
++ vxor $out3,$in3,$twk3
++ vxor $tweak,$tweak,$tmp
++
++ lvx_u $in4,$x40,$inp
++ subi $len,$len,0x60
++ vxor $twk4,$tweak,$rndkey0
++ vsrab $tmp,$tweak,$seven # next tweak value
++ vaddubm $tweak,$tweak,$tweak
++ vsldoi $tmp,$tmp,$tmp,15
++ le?vperm $in4,$in4,$in4,$leperm
++ vand $tmp,$tmp,$eighty7
++ vxor $out4,$in4,$twk4
++ vxor $tweak,$tweak,$tmp
++
++ lvx_u $in5,$x50,$inp
++ addi $inp,$inp,0x60
++ vxor $twk5,$tweak,$rndkey0
++ vsrab $tmp,$tweak,$seven # next tweak value
++ vaddubm $tweak,$tweak,$tweak
++ vsldoi $tmp,$tmp,$tmp,15
++ le?vperm $in5,$in5,$in5,$leperm
++ vand $tmp,$tmp,$eighty7
++ vxor $out5,$in5,$twk5
++ vxor $tweak,$tweak,$tmp
++
++ vxor v31,v31,$rndkey0
++ mtctr $rounds
++ b Loop_xts_dec6x
++
++.align 5
++Loop_xts_dec6x:
++ vncipher $out0,$out0,v24
++ vncipher $out1,$out1,v24
++ vncipher $out2,$out2,v24
++ vncipher $out3,$out3,v24
++ vncipher $out4,$out4,v24
++ vncipher $out5,$out5,v24
++ lvx v24,$x20,$key_ # round[3]
++ addi $key_,$key_,0x20
++
++ vncipher $out0,$out0,v25
++ vncipher $out1,$out1,v25
++ vncipher $out2,$out2,v25
++ vncipher $out3,$out3,v25
++ vncipher $out4,$out4,v25
++ vncipher $out5,$out5,v25
++ lvx v25,$x10,$key_ # round[4]
++ bdnz Loop_xts_dec6x
++
++ subic $len,$len,96 # $len-=96
++ vxor $in0,$twk0,v31 # xor with last round key
++ vncipher $out0,$out0,v24
++ vncipher $out1,$out1,v24
++ vsrab $tmp,$tweak,$seven # next tweak value
++ vxor $twk0,$tweak,$rndkey0
++ vaddubm $tweak,$tweak,$tweak
++ vncipher $out2,$out2,v24
++ vncipher $out3,$out3,v24
++ vsldoi $tmp,$tmp,$tmp,15
++ vncipher $out4,$out4,v24
++ vncipher $out5,$out5,v24
++
++ subfe. r0,r0,r0 # borrow?-1:0
++ vand $tmp,$tmp,$eighty7
++ vncipher $out0,$out0,v25
++ vncipher $out1,$out1,v25
++ vxor $tweak,$tweak,$tmp
++ vncipher $out2,$out2,v25
++ vncipher $out3,$out3,v25
++ vxor $in1,$twk1,v31
++ vsrab $tmp,$tweak,$seven # next tweak value
++ vxor $twk1,$tweak,$rndkey0
++ vncipher $out4,$out4,v25
++ vncipher $out5,$out5,v25
++
++ and r0,r0,$len
++ vaddubm $tweak,$tweak,$tweak
++ vsldoi $tmp,$tmp,$tmp,15
++ vncipher $out0,$out0,v26
++ vncipher $out1,$out1,v26
++ vand $tmp,$tmp,$eighty7
++ vncipher $out2,$out2,v26
++ vncipher $out3,$out3,v26
++ vxor $tweak,$tweak,$tmp
++ vncipher $out4,$out4,v26
++ vncipher $out5,$out5,v26
++
++ add $inp,$inp,r0 # $inp is adjusted in such
++ # way that at exit from the
++ # loop inX-in5 are loaded
++ # with last "words"
++ vxor $in2,$twk2,v31
++ vsrab $tmp,$tweak,$seven # next tweak value
++ vxor $twk2,$tweak,$rndkey0
++ vaddubm $tweak,$tweak,$tweak
++ vncipher $out0,$out0,v27
++ vncipher $out1,$out1,v27
++ vsldoi $tmp,$tmp,$tmp,15
++ vncipher $out2,$out2,v27
++ vncipher $out3,$out3,v27
++ vand $tmp,$tmp,$eighty7
++ vncipher $out4,$out4,v27
++ vncipher $out5,$out5,v27
++
++ addi $key_,$sp,$FRAME+15 # rewind $key_
++ vxor $tweak,$tweak,$tmp
++ vncipher $out0,$out0,v28
++ vncipher $out1,$out1,v28
++ vxor $in3,$twk3,v31
++ vsrab $tmp,$tweak,$seven # next tweak value
++ vxor $twk3,$tweak,$rndkey0
++ vncipher $out2,$out2,v28
++ vncipher $out3,$out3,v28
++ vaddubm $tweak,$tweak,$tweak
++ vsldoi $tmp,$tmp,$tmp,15
++ vncipher $out4,$out4,v28
++ vncipher $out5,$out5,v28
++ lvx v24,$x00,$key_ # re-pre-load round[1]
++ vand $tmp,$tmp,$eighty7
++
++ vncipher $out0,$out0,v29
++ vncipher $out1,$out1,v29
++ vxor $tweak,$tweak,$tmp
++ vncipher $out2,$out2,v29
++ vncipher $out3,$out3,v29
++ vxor $in4,$twk4,v31
++ vsrab $tmp,$tweak,$seven # next tweak value
++ vxor $twk4,$tweak,$rndkey0
++ vncipher $out4,$out4,v29
++ vncipher $out5,$out5,v29
++ lvx v25,$x10,$key_ # re-pre-load round[2]
++ vaddubm $tweak,$tweak,$tweak
++ vsldoi $tmp,$tmp,$tmp,15
++
++ vncipher $out0,$out0,v30
++ vncipher $out1,$out1,v30
++ vand $tmp,$tmp,$eighty7
++ vncipher $out2,$out2,v30
++ vncipher $out3,$out3,v30
++ vxor $tweak,$tweak,$tmp
++ vncipher $out4,$out4,v30
++ vncipher $out5,$out5,v30
++ vxor $in5,$twk5,v31
++ vsrab $tmp,$tweak,$seven # next tweak value
++ vxor $twk5,$tweak,$rndkey0
++
++ vncipherlast $out0,$out0,$in0
++ lvx_u $in0,$x00,$inp # load next input block
++ vaddubm $tweak,$tweak,$tweak
++ vsldoi $tmp,$tmp,$tmp,15
++ vncipherlast $out1,$out1,$in1
++ lvx_u $in1,$x10,$inp
++ vncipherlast $out2,$out2,$in2
++ le?vperm $in0,$in0,$in0,$leperm
++ lvx_u $in2,$x20,$inp
++ vand $tmp,$tmp,$eighty7
++ vncipherlast $out3,$out3,$in3
++ le?vperm $in1,$in1,$in1,$leperm
++ lvx_u $in3,$x30,$inp
++ vncipherlast $out4,$out4,$in4
++ le?vperm $in2,$in2,$in2,$leperm
++ lvx_u $in4,$x40,$inp
++ vxor $tweak,$tweak,$tmp
++ vncipherlast $out5,$out5,$in5
++ le?vperm $in3,$in3,$in3,$leperm
++ lvx_u $in5,$x50,$inp
++ addi $inp,$inp,0x60
++ le?vperm $in4,$in4,$in4,$leperm
++ le?vperm $in5,$in5,$in5,$leperm
++
++ le?vperm $out0,$out0,$out0,$leperm
++ le?vperm $out1,$out1,$out1,$leperm
++ stvx_u $out0,$x00,$out # store output
++ vxor $out0,$in0,$twk0
++ le?vperm $out2,$out2,$out2,$leperm
++ stvx_u $out1,$x10,$out
++ vxor $out1,$in1,$twk1
++ le?vperm $out3,$out3,$out3,$leperm
++ stvx_u $out2,$x20,$out
++ vxor $out2,$in2,$twk2
++ le?vperm $out4,$out4,$out4,$leperm
++ stvx_u $out3,$x30,$out
++ vxor $out3,$in3,$twk3
++ le?vperm $out5,$out5,$out5,$leperm
++ stvx_u $out4,$x40,$out
++ vxor $out4,$in4,$twk4
++ stvx_u $out5,$x50,$out
++ vxor $out5,$in5,$twk5
++ addi $out,$out,0x60
++
++ mtctr $rounds
++ beq Loop_xts_dec6x # did $len-=96 borrow?
++
++ addic. $len,$len,0x60
++ beq Lxts_dec6x_zero
++ cmpwi $len,0x20
++ blt Lxts_dec6x_one
++ nop
++ beq Lxts_dec6x_two
++ cmpwi $len,0x40
++ blt Lxts_dec6x_three
++ nop
++ beq Lxts_dec6x_four
++
++Lxts_dec6x_five:
++ vxor $out0,$in1,$twk0
++ vxor $out1,$in2,$twk1
++ vxor $out2,$in3,$twk2
++ vxor $out3,$in4,$twk3
++ vxor $out4,$in5,$twk4
++
++ bl _aesp8_xts_dec5x
++
++ le?vperm $out0,$out0,$out0,$leperm
++ vmr $twk0,$twk5 # unused tweak
++ vxor $twk1,$tweak,$rndkey0
++ le?vperm $out1,$out1,$out1,$leperm
++ stvx_u $out0,$x00,$out # store output
++ vxor $out0,$in0,$twk1
++ le?vperm $out2,$out2,$out2,$leperm
++ stvx_u $out1,$x10,$out
++ le?vperm $out3,$out3,$out3,$leperm
++ stvx_u $out2,$x20,$out
++ le?vperm $out4,$out4,$out4,$leperm
++ stvx_u $out3,$x30,$out
++ stvx_u $out4,$x40,$out
++ addi $out,$out,0x50
++ bne Lxts_dec6x_steal
++ b Lxts_dec6x_done
++
++.align 4
++Lxts_dec6x_four:
++ vxor $out0,$in2,$twk0
++ vxor $out1,$in3,$twk1
++ vxor $out2,$in4,$twk2
++ vxor $out3,$in5,$twk3
++ vxor $out4,$out4,$out4
++
++ bl _aesp8_xts_dec5x
++
++ le?vperm $out0,$out0,$out0,$leperm
++ vmr $twk0,$twk4 # unused tweak
++ vmr $twk1,$twk5
++ le?vperm $out1,$out1,$out1,$leperm
++ stvx_u $out0,$x00,$out # store output
++ vxor $out0,$in0,$twk5
++ le?vperm $out2,$out2,$out2,$leperm
++ stvx_u $out1,$x10,$out
++ le?vperm $out3,$out3,$out3,$leperm
++ stvx_u $out2,$x20,$out
++ stvx_u $out3,$x30,$out
++ addi $out,$out,0x40
++ bne Lxts_dec6x_steal
++ b Lxts_dec6x_done
++
++.align 4
++Lxts_dec6x_three:
++ vxor $out0,$in3,$twk0
++ vxor $out1,$in4,$twk1
++ vxor $out2,$in5,$twk2
++ vxor $out3,$out3,$out3
++ vxor $out4,$out4,$out4
++
++ bl _aesp8_xts_dec5x
++
++ le?vperm $out0,$out0,$out0,$leperm
++ vmr $twk0,$twk3 # unused tweak
++ vmr $twk1,$twk4
++ le?vperm $out1,$out1,$out1,$leperm
++ stvx_u $out0,$x00,$out # store output
++ vxor $out0,$in0,$twk4
++ le?vperm $out2,$out2,$out2,$leperm
++ stvx_u $out1,$x10,$out
++ stvx_u $out2,$x20,$out
++ addi $out,$out,0x30
++ bne Lxts_dec6x_steal
++ b Lxts_dec6x_done
++
++.align 4
++Lxts_dec6x_two:
++ vxor $out0,$in4,$twk0
++ vxor $out1,$in5,$twk1
++ vxor $out2,$out2,$out2
++ vxor $out3,$out3,$out3
++ vxor $out4,$out4,$out4
++
++ bl _aesp8_xts_dec5x
++
++ le?vperm $out0,$out0,$out0,$leperm
++ vmr $twk0,$twk2 # unused tweak
++ vmr $twk1,$twk3
++ le?vperm $out1,$out1,$out1,$leperm
++ stvx_u $out0,$x00,$out # store output
++ vxor $out0,$in0,$twk3
++ stvx_u $out1,$x10,$out
++ addi $out,$out,0x20
++ bne Lxts_dec6x_steal
++ b Lxts_dec6x_done
++
++.align 4
++Lxts_dec6x_one:
++ vxor $out0,$in5,$twk0
++ nop
++Loop_xts_dec1x:
++ vncipher $out0,$out0,v24
++ lvx v24,$x20,$key_ # round[3]
++ addi $key_,$key_,0x20
++
++ vncipher $out0,$out0,v25
++ lvx v25,$x10,$key_ # round[4]
++ bdnz Loop_xts_dec1x
++
++ subi r0,$taillen,1
++ vncipher $out0,$out0,v24
++
++ andi. r0,r0,16
++ cmpwi $taillen,0
++ vncipher $out0,$out0,v25
++
++ sub $inp,$inp,r0
++ vncipher $out0,$out0,v26
++
++ lvx_u $in0,0,$inp
++ vncipher $out0,$out0,v27
++
++ addi $key_,$sp,$FRAME+15 # rewind $key_
++ vncipher $out0,$out0,v28
++ lvx v24,$x00,$key_ # re-pre-load round[1]
++
++ vncipher $out0,$out0,v29
++ lvx v25,$x10,$key_ # re-pre-load round[2]
++ vxor $twk0,$twk0,v31
++
++ le?vperm $in0,$in0,$in0,$leperm
++ vncipher $out0,$out0,v30
++
++ mtctr $rounds
++ vncipherlast $out0,$out0,$twk0
++
++ vmr $twk0,$twk1 # unused tweak
++ vmr $twk1,$twk2
++ le?vperm $out0,$out0,$out0,$leperm
++ stvx_u $out0,$x00,$out # store output
++ addi $out,$out,0x10
++ vxor $out0,$in0,$twk2
++ bne Lxts_dec6x_steal
++ b Lxts_dec6x_done
++
++.align 4
++Lxts_dec6x_zero:
++ cmpwi $taillen,0
++ beq Lxts_dec6x_done
++
++ lvx_u $in0,0,$inp
++ le?vperm $in0,$in0,$in0,$leperm
++ vxor $out0,$in0,$twk1
++Lxts_dec6x_steal:
++ vncipher $out0,$out0,v24
++ lvx v24,$x20,$key_ # round[3]
++ addi $key_,$key_,0x20
++
++ vncipher $out0,$out0,v25
++ lvx v25,$x10,$key_ # round[4]
++ bdnz Lxts_dec6x_steal
++
++ add $inp,$inp,$taillen
++ vncipher $out0,$out0,v24
++
++ cmpwi $taillen,0
++ vncipher $out0,$out0,v25
++
++ lvx_u $in0,0,$inp
++ vncipher $out0,$out0,v26
++
++ lvsr $inpperm,0,$taillen # $in5 is no more
++ vncipher $out0,$out0,v27
++
++ addi $key_,$sp,$FRAME+15 # rewind $key_
++ vncipher $out0,$out0,v28
++ lvx v24,$x00,$key_ # re-pre-load round[1]
++
++ vncipher $out0,$out0,v29
++ lvx v25,$x10,$key_ # re-pre-load round[2]
++ vxor $twk1,$twk1,v31
++
++ le?vperm $in0,$in0,$in0,$leperm
++ vncipher $out0,$out0,v30
++
++ vperm $in0,$in0,$in0,$inpperm
++ vncipherlast $tmp,$out0,$twk1
++
++ le?vperm $out0,$tmp,$tmp,$leperm
++ le?stvx_u $out0,0,$out
++ be?stvx_u $tmp,0,$out
++
++ vxor $out0,$out0,$out0
++ vspltisb $out1,-1
++ vperm $out0,$out0,$out1,$inpperm
++ vsel $out0,$in0,$tmp,$out0
++ vxor $out0,$out0,$twk0
++
++ subi r30,$out,1
++ mtctr $taillen
++Loop_xts_dec6x_steal:
++ lbzu r0,1(r30)
++ stb r0,16(r30)
++ bdnz Loop_xts_dec6x_steal
++
++ li $taillen,0
++ mtctr $rounds
++ b Loop_xts_dec1x # one more time...
++
++.align 4
++Lxts_dec6x_done:
++ ${UCMP}i $ivp,0
++ beq Lxts_dec6x_ret
++
++ vxor $tweak,$twk0,$rndkey0
++ le?vperm $tweak,$tweak,$tweak,$leperm
++ stvx_u $tweak,0,$ivp
++
++Lxts_dec6x_ret:
++ mtlr r11
++ li r10,`$FRAME+15`
++ li r11,`$FRAME+31`
++ stvx $seven,r10,$sp # wipe copies of round keys
++ addi r10,r10,32
++ stvx $seven,r11,$sp
++ addi r11,r11,32
++ stvx $seven,r10,$sp
++ addi r10,r10,32
++ stvx $seven,r11,$sp
++ addi r11,r11,32
++ stvx $seven,r10,$sp
++ addi r10,r10,32
++ stvx $seven,r11,$sp
++ addi r11,r11,32
++ stvx $seven,r10,$sp
++ addi r10,r10,32
++ stvx $seven,r11,$sp
++ addi r11,r11,32
++
++ mtspr 256,$vrsave
++ lvx v20,r10,$sp # ABI says so
++ addi r10,r10,32
++ lvx v21,r11,$sp
++ addi r11,r11,32
++ lvx v22,r10,$sp
++ addi r10,r10,32
++ lvx v23,r11,$sp
++ addi r11,r11,32
++ lvx v24,r10,$sp
++ addi r10,r10,32
++ lvx v25,r11,$sp
++ addi r11,r11,32
++ lvx v26,r10,$sp
++ addi r10,r10,32
++ lvx v27,r11,$sp
++ addi r11,r11,32
++ lvx v28,r10,$sp
++ addi r10,r10,32
++ lvx v29,r11,$sp
++ addi r11,r11,32
++ lvx v30,r10,$sp
++ lvx v31,r11,$sp
++ $POP r26,`$FRAME+21*16+0*$SIZE_T`($sp)
++ $POP r27,`$FRAME+21*16+1*$SIZE_T`($sp)
++ $POP r28,`$FRAME+21*16+2*$SIZE_T`($sp)
++ $POP r29,`$FRAME+21*16+3*$SIZE_T`($sp)
++ $POP r30,`$FRAME+21*16+4*$SIZE_T`($sp)
++ $POP r31,`$FRAME+21*16+5*$SIZE_T`($sp)
++ addi $sp,$sp,`$FRAME+21*16+6*$SIZE_T`
++ blr
++ .long 0
++ .byte 0,12,0x04,1,0x80,6,6,0
++ .long 0
++
++.align 5
++_aesp8_xts_dec5x:
++ vncipher $out0,$out0,v24
++ vncipher $out1,$out1,v24
++ vncipher $out2,$out2,v24
++ vncipher $out3,$out3,v24
++ vncipher $out4,$out4,v24
++ lvx v24,$x20,$key_ # round[3]
++ addi $key_,$key_,0x20
++
++ vncipher $out0,$out0,v25
++ vncipher $out1,$out1,v25
++ vncipher $out2,$out2,v25
++ vncipher $out3,$out3,v25
++ vncipher $out4,$out4,v25
++ lvx v25,$x10,$key_ # round[4]
++ bdnz _aesp8_xts_dec5x
++
++ subi r0,$taillen,1
++ vncipher $out0,$out0,v24
++ vncipher $out1,$out1,v24
++ vncipher $out2,$out2,v24
++ vncipher $out3,$out3,v24
++ vncipher $out4,$out4,v24
++
++ andi. r0,r0,16
++ cmpwi $taillen,0
++ vncipher $out0,$out0,v25
++ vncipher $out1,$out1,v25
++ vncipher $out2,$out2,v25
++ vncipher $out3,$out3,v25
++ vncipher $out4,$out4,v25
++ vxor $twk0,$twk0,v31
++
++ sub $inp,$inp,r0
++ vncipher $out0,$out0,v26
++ vncipher $out1,$out1,v26
++ vncipher $out2,$out2,v26
++ vncipher $out3,$out3,v26
++ vncipher $out4,$out4,v26
++ vxor $in1,$twk1,v31
++
++ vncipher $out0,$out0,v27
++ lvx_u $in0,0,$inp
++ vncipher $out1,$out1,v27
++ vncipher $out2,$out2,v27
++ vncipher $out3,$out3,v27
++ vncipher $out4,$out4,v27
++ vxor $in2,$twk2,v31
++
++ addi $key_,$sp,$FRAME+15 # rewind $key_
++ vncipher $out0,$out0,v28
++ vncipher $out1,$out1,v28
++ vncipher $out2,$out2,v28
++ vncipher $out3,$out3,v28
++ vncipher $out4,$out4,v28
++ lvx v24,$x00,$key_ # re-pre-load round[1]
++ vxor $in3,$twk3,v31
++
++ vncipher $out0,$out0,v29
++ le?vperm $in0,$in0,$in0,$leperm
++ vncipher $out1,$out1,v29
++ vncipher $out2,$out2,v29
++ vncipher $out3,$out3,v29
++ vncipher $out4,$out4,v29
++ lvx v25,$x10,$key_ # re-pre-load round[2]
++ vxor $in4,$twk4,v31
++
++ vncipher $out0,$out0,v30
++ vncipher $out1,$out1,v30
++ vncipher $out2,$out2,v30
++ vncipher $out3,$out3,v30
++ vncipher $out4,$out4,v30
++
++ vncipherlast $out0,$out0,$twk0
++ vncipherlast $out1,$out1,$in1
++ vncipherlast $out2,$out2,$in2
++ vncipherlast $out3,$out3,$in3
++ vncipherlast $out4,$out4,$in4
++ mtctr $rounds
++ blr
++ .long 0
++ .byte 0,12,0x14,0,0,0,0,0
++___
++}} }}}
++
+ my $consts=1;
+ foreach(split("\n",$code)) {
+ s/\`([^\`]*)\`/eval($1)/geo;
+diff -up openssl-1.0.2k/crypto/evp/e_aes.c.ppc-update openssl-1.0.2k/crypto/evp/e_aes.c
+--- openssl-1.0.2k/crypto/evp/e_aes.c.ppc-update 2017-03-09 17:59:26.303232439 +0100
++++ openssl-1.0.2k/crypto/evp/e_aes.c 2017-03-09 17:59:26.314232696 +0100
+@@ -172,6 +172,8 @@ void AES_xts_decrypt(const unsigned char
+ # define HWAES_decrypt aes_p8_decrypt
+ # define HWAES_cbc_encrypt aes_p8_cbc_encrypt
+ # define HWAES_ctr32_encrypt_blocks aes_p8_ctr32_encrypt_blocks
++# define HWAES_xts_encrypt aes_p8_xts_encrypt
++# define HWAES_xts_decrypt aes_p8_xts_decrypt
+ # endif
+
+ # if defined(AES_ASM) && !defined(I386_ONLY) && ( \
+@@ -911,6 +913,12 @@ void HWAES_cbc_encrypt(const unsigned ch
+ void HWAES_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
+ size_t len, const AES_KEY *key,
+ const unsigned char ivec[16]);
++void HWAES_xts_encrypt(const unsigned char *inp, unsigned char *out,
++ size_t len, const AES_KEY *key1,
++ const AES_KEY *key2, const unsigned char iv[16]);
++void HWAES_xts_decrypt(const unsigned char *inp, unsigned char *out,
++ size_t len, const AES_KEY *key1,
++ const AES_KEY *key2, const unsigned char iv[16]);
+ # endif
+
+ # define BLOCK_CIPHER_generic_pack(nid,keylen,flags) \
+@@ -1664,10 +1672,16 @@ static int aes_xts_init_key(EVP_CIPHER_C
+ HWAES_set_encrypt_key(key, ctx->key_len * 4,
+ &xctx->ks1.ks);
+ xctx->xts.block1 = (block128_f) HWAES_encrypt;
++# ifdef HWAES_xts_encrypt
++ xctx->stream = HWAES_xts_encrypt;
++# endif
+ } else {
+ HWAES_set_decrypt_key(key, ctx->key_len * 4,
+ &xctx->ks1.ks);
+ xctx->xts.block1 = (block128_f) HWAES_decrypt;
++# ifdef HWAES_xts_decrypt
++ xctx->stream = HWAES_xts_decrypt;
++#endif
+ }
+
+ HWAES_set_encrypt_key(key + ctx->key_len / 2,
diff --git a/SOURCES/openssl-1.0.2k-req-x509.patch b/SOURCES/openssl-1.0.2k-req-x509.patch
new file mode 100644
index 0000000..0be9167
--- /dev/null
+++ b/SOURCES/openssl-1.0.2k-req-x509.patch
@@ -0,0 +1,30 @@
+diff -up openssl-1.0.2k/apps/req.c.req-x509 openssl-1.0.2k/apps/req.c
+--- openssl-1.0.2k/apps/req.c.req-x509 2017-03-09 17:59:26.269231647 +0100
++++ openssl-1.0.2k/apps/req.c 2017-05-17 13:23:31.236556216 +0200
+@@ -331,7 +331,6 @@ int MAIN(int argc, char **argv)
+ else if (strcmp(*argv, "-text") == 0)
+ text = 1;
+ else if (strcmp(*argv, "-x509") == 0) {
+- newreq = 1;
+ x509 = 1;
+ } else if (strcmp(*argv, "-asn1-kludge") == 0)
+ kludge = 1;
+@@ -447,6 +446,9 @@ int MAIN(int argc, char **argv)
+ goto end;
+ }
+
++ if (x509 && infile == NULL)
++ newreq = 1;
++
+ ERR_load_crypto_strings();
+ if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
+ BIO_printf(bio_err, "Error getting passwords\n");
+@@ -753,7 +755,7 @@ int MAIN(int argc, char **argv)
+ }
+ }
+
+- if (newreq) {
++ if (newreq || x509) {
+ if (pkey == NULL) {
+ BIO_printf(bio_err, "you need to specify a private key\n");
+ goto end;
diff --git a/SOURCES/openssl-1.0.2k-starttls.patch b/SOURCES/openssl-1.0.2k-starttls.patch
new file mode 100644
index 0000000..da987f8
--- /dev/null
+++ b/SOURCES/openssl-1.0.2k-starttls.patch
@@ -0,0 +1,604 @@
+diff -up openssl-1.0.2k/apps/apps.c.starttls openssl-1.0.2k/apps/apps.c
+--- openssl-1.0.2k/apps/apps.c.starttls 2017-01-26 14:22:03.000000000 +0100
++++ openssl-1.0.2k/apps/apps.c 2017-03-09 17:35:35.519765927 +0100
+@@ -3277,3 +3277,11 @@ int raw_write_stdout(const void *buf, in
+ return write(fileno_stdout(), buf, siz);
+ }
+ #endif
++
++void make_uppercase(char *string)
++{
++ int i;
++
++ for (i = 0; string[i] != '\0'; i++)
++ string[i] = toupper((unsigned char)string[i]);
++}
+diff -up openssl-1.0.2k/apps/apps.h.starttls openssl-1.0.2k/apps/apps.h
+--- openssl-1.0.2k/apps/apps.h.starttls 2017-03-09 17:35:28.632604234 +0100
++++ openssl-1.0.2k/apps/apps.h 2017-03-09 17:35:35.520765950 +0100
+@@ -384,6 +384,8 @@ int raw_write_stdout(const void *, int);
+ # define TM_STOP 1
+ double app_tminterval(int stop, int usertime);
+
++void make_uppercase(char *string);
++
+ # define OPENSSL_NO_SSL_INTERN
+
+ #endif
+diff -up openssl-1.0.2k/apps/s_client.c.starttls openssl-1.0.2k/apps/s_client.c
+--- openssl-1.0.2k/apps/s_client.c.starttls 2017-03-09 17:35:28.684605455 +0100
++++ openssl-1.0.2k/apps/s_client.c 2017-03-09 17:52:59.153207946 +0100
+@@ -134,7 +134,8 @@
+ * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
+ * OTHERWISE.
+ */
+-
++/* for strcasestr */
++#define _GNU_SOURCE
+ #include <assert.h>
+ #include <ctype.h>
+ #include <stdio.h>
+@@ -202,6 +203,7 @@ static char *krb5svc = NULL;
+
+ #undef BUFSIZZ
+ #define BUFSIZZ 1024*8
++#define S_CLIENT_IRC_READ_TIMEOUT 8
+
+ extern int verify_depth;
+ extern int verify_error;
+@@ -228,6 +230,7 @@ static void print_stuff(BIO *berr, SSL *
+ #ifndef OPENSSL_NO_TLSEXT
+ static int ocsp_resp_cb(SSL *s, void *arg);
+ #endif
++static int ldap_ExtendedResponse_parse(const char *buf, long rem);
+ static BIO *bio_c_out = NULL;
+ static BIO *bio_c_msg = NULL;
+ static int c_quiet = 0;
+@@ -402,8 +405,14 @@ static void sc_usage(void)
+ BIO_printf(bio_err,
+ " 'prot' defines which one to assume. Currently,\n");
+ BIO_printf(bio_err,
+- " only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
+- BIO_printf(bio_err, " are supported.\n");
++ " only \"smtp\", \"pop3\", \"imap\", \"ftp\", \"xmpp\",\n");
++ BIO_printf(bio_err,
++ " \"xmpp-server\", \"irc\", \"postgres\", \"lmtp\", \"nntp\",\n");
++ BIO_printf(bio_err, " \"sieve\" and \"ldap\" are supported.\n");
++ BIO_printf(bio_err,
++ " -xmpphost host - Host to use with \"-starttls xmpp[-server]\"\n");
++ BIO_printf(bio_err,
++ " -name host - Hostname to use for \"-starttls lmtp\" or \"-starttls smtp\"\n");
+ #ifndef OPENSSL_NO_KRB5
+ BIO_printf(bio_err, " -krb5svc arg - Kerberos service name\n");
+ #endif
+@@ -657,7 +666,15 @@ enum {
+ PROTO_POP3,
+ PROTO_IMAP,
+ PROTO_FTP,
+- PROTO_XMPP
++ PROTO_TELNET,
++ PROTO_XMPP,
++ PROTO_XMPP_SERVER,
++ PROTO_IRC,
++ PROTO_POSTGRES,
++ PROTO_LMTP,
++ PROTO_NNTP,
++ PROTO_SIEVE,
++ PROTO_LDAP
+ };
+
+ int MAIN(int, char **);
+@@ -726,6 +743,8 @@ int MAIN(int argc, char **argv)
+ #endif
+ char *sess_in = NULL;
+ char *sess_out = NULL;
++ char *xmpphost = NULL;
++ const char *ehlo = "openssl.client.net";
+ struct sockaddr peer;
+ int peerlen = sizeof(peer);
+ int fallback_scsv = 0;
+@@ -1097,8 +1116,32 @@ int MAIN(int argc, char **argv)
+ starttls_proto = PROTO_FTP;
+ else if (strcmp(*argv, "xmpp") == 0)
+ starttls_proto = PROTO_XMPP;
++ else if (strcmp(*argv, "xmpp-server") == 0)
++ starttls_proto = PROTO_XMPP_SERVER;
++ else if (strcmp(*argv, "telnet") == 0)
++ starttls_proto = PROTO_TELNET;
++ else if (strcmp(*argv, "irc") == 0)
++ starttls_proto = PROTO_IRC;
++ else if (strcmp(*argv, "postgres") == 0)
++ starttls_proto = PROTO_POSTGRES;
++ else if (strcmp(*argv, "lmtp") == 0)
++ starttls_proto = PROTO_LMTP;
++ else if (strcmp(*argv, "nntp") == 0)
++ starttls_proto = PROTO_NNTP;
++ else if (strcmp(*argv, "sieve") == 0)
++ starttls_proto = PROTO_SIEVE;
++ else if (strcmp(*argv, "ldap") == 0)
++ starttls_proto = PROTO_LDAP;
+ else
+ goto bad;
++ } else if (strcmp(*argv, "-xmpphost") == 0) {
++ if (--argc < 1)
++ goto bad;
++ xmpphost = *(++argv);
++ } else if (strcmp(*argv, "-name") == 0) {
++ if (--argc < 1)
++ goto bad;
++ ehlo = *(++argv);
+ }
+ #ifndef OPENSSL_NO_ENGINE
+ else if (strcmp(*argv, "-engine") == 0) {
+@@ -1599,19 +1642,24 @@ int MAIN(int argc, char **argv)
+ * BIO into the chain that is removed again later on to not disturb the
+ * rest of the s_client operation.
+ */
+- if (starttls_proto == PROTO_SMTP) {
++ if (starttls_proto == PROTO_SMTP || starttls_proto == PROTO_LMTP) {
+ int foundit = 0;
+ BIO *fbio = BIO_new(BIO_f_buffer());
+ BIO_push(fbio, sbio);
+- /* wait for multi-line response to end from SMTP */
++ /* Wait for multi-line response to end from LMTP or SMTP */
+ do {
+ mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
+ }
+ while (mbuf_len > 3 && mbuf[3] == '-');
+- /* STARTTLS command requires EHLO... */
+- BIO_printf(fbio, "EHLO openssl.client.net\r\n");
++ if (starttls_proto == PROTO_LMTP)
++ BIO_printf(fbio, "LHLO %s\r\n", ehlo);
++ else
++ BIO_printf(fbio, "EHLO %s\r\n", ehlo);
+ (void)BIO_flush(fbio);
+- /* wait for multi-line response to end EHLO SMTP response */
++ /*
++ * Wait for multi-line response to end LHLO LMTP or EHLO SMTP
++ * response.
++ */
+ do {
+ mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
+ if (strstr(mbuf, "STARTTLS"))
+@@ -1630,10 +1678,15 @@ int MAIN(int argc, char **argv)
+ } else if (starttls_proto == PROTO_POP3) {
+ BIO_read(sbio, mbuf, BUFSIZZ);
+ BIO_printf(sbio, "STLS\r\n");
+- BIO_read(sbio, sbuf, BUFSIZZ);
++ mbuf_len = BIO_read(sbio, sbuf, BUFSIZZ);
++ if (mbuf_len < 0) {
++ BIO_printf(bio_err, "BIO_read failed\n");
++ goto end;
++ }
+ } else if (starttls_proto == PROTO_IMAP) {
+ int foundit = 0;
+ BIO *fbio = BIO_new(BIO_f_buffer());
++
+ BIO_push(fbio, sbio);
+ BIO_gets(fbio, mbuf, BUFSIZZ);
+ /* STARTTLS command requires CAPABILITY... */
+@@ -1669,27 +1722,287 @@ int MAIN(int argc, char **argv)
+ BIO_printf(sbio, "AUTH TLS\r\n");
+ BIO_read(sbio, sbuf, BUFSIZZ);
+ }
+- if (starttls_proto == PROTO_XMPP) {
++ else if (starttls_proto == PROTO_XMPP || starttls_proto == PROTO_XMPP_SERVER) {
+ int seen = 0;
+ BIO_printf(sbio, "<stream:stream "
+ "xmlns:stream='http://etherx.jabber.org/streams' "
+- "xmlns='jabber:client' to='%s' version='1.0'>", host);
++ "xmlns='jabber:%s' to='%s' version='1.0'>",
++ starttls_proto == PROTO_XMPP ? "client" : "server",
++ xmpphost ? xmpphost : host);
+ seen = BIO_read(sbio, mbuf, BUFSIZZ);
++ if (seen < 0) {
++ BIO_printf(bio_err, "BIO_read failed\n");
++ goto end;
++ }
+ mbuf[seen] = 0;
+- while (!strstr
+- (mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'")) {
+- if (strstr(mbuf, "/stream:features>"))
+- goto shut;
++ while (!strcasestr
++ (mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'")
++ && !strcasestr(mbuf,
++ "<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\""))
++ {
+ seen = BIO_read(sbio, mbuf, BUFSIZZ);
++
++ if (seen <= 0)
++ goto shut;
++
+ mbuf[seen] = 0;
+ }
+ BIO_printf(sbio,
+ "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>");
+ seen = BIO_read(sbio, sbuf, BUFSIZZ);
++ if (seen < 0) {
++ BIO_printf(bio_err, "BIO_read failed\n");
++ goto shut;
++ }
+ sbuf[seen] = 0;
+ if (!strstr(sbuf, "<proceed"))
+ goto shut;
+ mbuf[0] = 0;
++ } else if (starttls_proto == PROTO_TELNET) {
++ static const unsigned char tls_do[] = {
++ /* IAC DO START_TLS */
++ 255, 253, 46
++ };
++ static const unsigned char tls_will[] = {
++ /* IAC WILL START_TLS */
++ 255, 251, 46
++ };
++ static const unsigned char tls_follows[] = {
++ /* IAC SB START_TLS FOLLOWS IAC SE */
++ 255, 250, 46, 1, 255, 240
++ };
++ int bytes;
++
++ /* Telnet server should demand we issue START_TLS */
++ bytes = BIO_read(sbio, mbuf, BUFSIZZ);
++ if (bytes != 3 || memcmp(mbuf, tls_do, 3) != 0)
++ goto shut;
++ /* Agree to issue START_TLS and send the FOLLOWS sub-command */
++ BIO_write(sbio, tls_will, 3);
++ BIO_write(sbio, tls_follows, 6);
++ (void)BIO_flush(sbio);
++ /* Telnet server also sent the FOLLOWS sub-command */
++ bytes = BIO_read(sbio, mbuf, BUFSIZZ);
++ if (bytes != 6 || memcmp(mbuf, tls_follows, 6) != 0)
++ goto shut;
++ } else if (starttls_proto == PROTO_IRC) {
++ int numeric;
++ BIO *fbio = BIO_new(BIO_f_buffer());
++
++ BIO_push(fbio, sbio);
++ BIO_printf(fbio, "STARTTLS\r\n");
++ (void)BIO_flush(fbio);
++ width = SSL_get_fd(con) + 1;
++
++ do {
++ numeric = 0;
++
++ FD_ZERO(&readfds);
++ openssl_fdset(SSL_get_fd(con), &readfds);
++ timeout.tv_sec = S_CLIENT_IRC_READ_TIMEOUT;
++ timeout.tv_usec = 0;
++ /*
++ * If the IRCd doesn't respond within
++ * S_CLIENT_IRC_READ_TIMEOUT seconds, assume
++ * it doesn't support STARTTLS. Many IRCds
++ * will not give _any_ sort of response to a
++ * STARTTLS command when it's not supported.
++ */
++ if (!BIO_get_buffer_num_lines(fbio)
++ && !BIO_pending(fbio)
++ && !BIO_pending(sbio)
++ && select(width, (void *)&readfds, NULL, NULL,
++ &timeout) < 1) {
++ BIO_printf(bio_err,
++ "Timeout waiting for response (%d seconds).\n",
++ S_CLIENT_IRC_READ_TIMEOUT);
++ break;
++ }
++
++ mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
++ if (mbuf_len < 1 || sscanf(mbuf, "%*s %d", &numeric) != 1)
++ break;
++ /* :example.net 451 STARTTLS :You have not registered */
++ /* :example.net 421 STARTTLS :Unknown command */
++ if ((numeric == 451 || numeric == 421)
++ && strstr(mbuf, "STARTTLS") != NULL) {
++ BIO_printf(bio_err, "STARTTLS not supported: %s", mbuf);
++ break;
++ }
++ if (numeric == 691) {
++ BIO_printf(bio_err, "STARTTLS negotiation failed: ");
++ ERR_print_errors(bio_err);
++ break;
++ }
++ } while (numeric != 670);
++
++ (void)BIO_flush(fbio);
++ BIO_pop(fbio);
++ BIO_free(fbio);
++ if (numeric != 670) {
++ BIO_printf(bio_err, "Server does not support STARTTLS.\n");
++ ret = 1;
++ goto shut;
++ }
++ } else if (starttls_proto == PROTO_POSTGRES) {
++ static const unsigned char ssl_request[] = {
++ /* Length SSLRequest */
++ 0, 0, 0, 8, 4, 210, 22, 47
++ };
++ int bytes;
++
++ /* Send SSLRequest packet */
++ BIO_write(sbio, ssl_request, 8);
++ (void)BIO_flush(sbio);
++
++ /* Reply will be a single S if SSL is enabled */
++ bytes = BIO_read(sbio, sbuf, BUFSIZZ);
++ if (bytes != 1 || sbuf[0] != 'S')
++ goto shut;
++ } else if (starttls_proto == PROTO_NNTP) {
++ int foundit = 0;
++ BIO *fbio = BIO_new(BIO_f_buffer());
++
++ BIO_push(fbio, sbio);
++ BIO_gets(fbio, mbuf, BUFSIZZ);
++ /* STARTTLS command requires CAPABILITIES... */
++ BIO_printf(fbio, "CAPABILITIES\r\n");
++ (void)BIO_flush(fbio);
++ /* wait for multi-line CAPABILITIES response */
++ do {
++ mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
++ if (strstr(mbuf, "STARTTLS"))
++ foundit = 1;
++ } while (mbuf_len > 1 && mbuf[0] != '.');
++ (void)BIO_flush(fbio);
++ BIO_pop(fbio);
++ BIO_free(fbio);
++ if (!foundit)
++ BIO_printf(bio_err,
++ "Didn't find STARTTLS in server response,"
++ " trying anyway...\n");
++ BIO_printf(sbio, "STARTTLS\r\n");
++ mbuf_len = BIO_read(sbio, mbuf, BUFSIZZ);
++ if (mbuf_len < 0) {
++ BIO_printf(bio_err, "BIO_read failed\n");
++ goto end;
++ }
++ mbuf[mbuf_len] = '\0';
++ if (strstr(mbuf, "382") == NULL) {
++ BIO_printf(bio_err, "STARTTLS failed: %s", mbuf);
++ goto shut;
++ }
++ } else if (starttls_proto == PROTO_SIEVE) {
++ int foundit = 0;
++ BIO *fbio = BIO_new(BIO_f_buffer());
++
++ BIO_push(fbio, sbio);
++ /* wait for multi-line response to end from Sieve */
++ do {
++ mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
++ /*
++ * According to RFC 5804 § 1.7, capability
++ * is case-insensitive, make it uppercase
++ */
++ if (mbuf_len > 1 && mbuf[0] == '"') {
++ make_uppercase(mbuf);
++ if (strncmp(mbuf, "\"STARTTLS\"", 10) == 0)
++ foundit = 1;
++ }
++ } while (mbuf_len > 1 && mbuf[0] == '"');
++ (void)BIO_flush(fbio);
++ BIO_pop(fbio);
++ BIO_free(fbio);
++ if (!foundit)
++ BIO_printf(bio_err,
++ "Didn't find STARTTLS in server response,"
++ " trying anyway...\n");
++ BIO_printf(sbio, "STARTTLS\r\n");
++ mbuf_len = BIO_read(sbio, mbuf, BUFSIZZ);
++ if (mbuf_len < 0) {
++ BIO_printf(bio_err, "BIO_read failed\n");
++ goto end;
++ }
++ mbuf[mbuf_len] = '\0';
++ if (mbuf_len < 2) {
++ BIO_printf(bio_err, "STARTTLS failed: %s", mbuf);
++ goto shut;
++ }
++ /*
++ * According to RFC 5804 § 2.2, response codes are case-
++ * insensitive, make it uppercase but preserve the response.
++ */
++ strncpy(sbuf, mbuf, 2);
++ make_uppercase(sbuf);
++ if (strncmp(sbuf, "OK", 2) != 0) {
++ BIO_printf(bio_err, "STARTTLS not supported: %s", mbuf);
++ goto shut;
++ }
++ } else if (starttls_proto == PROTO_LDAP) {
++ /* StartTLS Operation according to RFC 4511 */
++ static char ldap_tls_genconf[] = "asn1=SEQUENCE:LDAPMessage\n"
++ "[LDAPMessage]\n"
++ "messageID=INTEGER:1\n"
++ "extendedReq=EXPLICIT:23A,IMPLICIT:0C,"
++ "FORMAT:ASCII,OCT:1.3.6.1.4.1.1466.20037\n";
++ long errline = -1;
++ char *genstr = NULL;
++ int result = -1;
++ ASN1_TYPE *atyp = NULL;
++ BIO *ldapbio = BIO_new(BIO_s_mem());
++ CONF *cnf = NCONF_new(NULL);
++
++ if (cnf == NULL) {
++ BIO_free(ldapbio);
++ goto end;
++ }
++ BIO_puts(ldapbio, ldap_tls_genconf);
++ if (NCONF_load_bio(cnf, ldapbio, &errline) <= 0) {
++ BIO_free(ldapbio);
++ NCONF_free(cnf);
++ if (errline <= 0) {
++ BIO_printf(bio_err, "NCONF_load_bio failed\n");
++ goto end;
++ } else {
++ BIO_printf(bio_err, "Error on line %ld\n", errline);
++ goto end;
++ }
++ }
++ BIO_free(ldapbio);
++ genstr = NCONF_get_string(cnf, "default", "asn1");
++ if (genstr == NULL) {
++ NCONF_free(cnf);
++ BIO_printf(bio_err, "NCONF_get_string failed\n");
++ goto end;
++ }
++ atyp = ASN1_generate_nconf(genstr, cnf);
++ if (atyp == NULL) {
++ NCONF_free(cnf);
++ BIO_printf(bio_err, "ASN1_generate_nconf failed\n");
++ goto end;
++ }
++ NCONF_free(cnf);
++ /* Send SSLRequest packet */
++ BIO_write(sbio, atyp->value.sequence->data,
++ atyp->value.sequence->length);
++ (void)BIO_flush(sbio);
++ ASN1_TYPE_free(atyp);
++
++ mbuf_len = BIO_read(sbio, mbuf, BUFSIZZ);
++ if (mbuf_len < 0) {
++ BIO_printf(bio_err, "BIO_read failed\n");
++ goto end;
++ }
++ result = ldap_ExtendedResponse_parse(mbuf, mbuf_len);
++ if (result < 0) {
++ BIO_printf(bio_err, "ldap_ExtendedResponse_parse failed\n");
++ goto shut;
++ } else if (result > 0) {
++ BIO_printf(bio_err, "STARTTLS failed, LDAP Result Code: %i\n",
++ result);
++ goto shut;
++ }
++ mbuf_len = 0;
+ }
+
+ for (;;) {
+@@ -1738,7 +2051,7 @@ int MAIN(int argc, char **argv)
+ full_log--;
+
+ if (starttls_proto) {
+- BIO_printf(bio_err, "%s", mbuf);
++ BIO_write(bio_err, mbuf, mbuf_len);
+ /* We don't need to know any more */
+ starttls_proto = PROTO_OFF;
+ }
+@@ -2372,3 +2685,87 @@ static int ocsp_resp_cb(SSL *s, void *ar
+ }
+
+ #endif
++
++static int ldap_ExtendedResponse_parse(const char *buf, long rem)
++{
++ const unsigned char *cur, *end;
++ long len;
++ int tag, xclass, inf, ret = -1;
++
++ cur = (const unsigned char *)buf;
++ end = cur + rem;
++
++ /*
++ * From RFC 4511:
++ *
++ * LDAPMessage ::= SEQUENCE {
++ * messageID MessageID,
++ * protocolOp CHOICE {
++ * ...
++ * extendedResp ExtendedResponse,
++ * ... },
++ * controls [0] Controls OPTIONAL }
++ *
++ * ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
++ * COMPONENTS OF LDAPResult,
++ * responseName [10] LDAPOID OPTIONAL,
++ * responseValue [11] OCTET STRING OPTIONAL }
++ *
++ * LDAPResult ::= SEQUENCE {
++ * resultCode ENUMERATED {
++ * success (0),
++ * ...
++ * other (80),
++ * ... },
++ * matchedDN LDAPDN,
++ * diagnosticMessage LDAPString,
++ * referral [3] Referral OPTIONAL }
++ */
++
++ /* pull SEQUENCE */
++ inf = ASN1_get_object(&cur, &len, &tag, &xclass, rem);
++ if (inf != V_ASN1_CONSTRUCTED || tag != V_ASN1_SEQUENCE ||
++ (rem = end - cur, len > rem)) {
++ BIO_printf(bio_err, "Unexpected LDAP response\n");
++ goto end;
++ }
++
++ rem = len; /* ensure that we don't overstep the SEQUENCE */
++
++ /* pull MessageID */
++ inf = ASN1_get_object(&cur, &len, &tag, &xclass, rem);
++ if (inf != V_ASN1_UNIVERSAL || tag != V_ASN1_INTEGER ||
++ (rem = end - cur, len > rem)) {
++ BIO_printf(bio_err, "No MessageID\n");
++ goto end;
++ }
++
++ cur += len; /* shall we check for MessageId match or just skip? */
++
++ /* pull [APPLICATION 24] */
++ rem = end - cur;
++ inf = ASN1_get_object(&cur, &len, &tag, &xclass, rem);
++ if (inf != V_ASN1_CONSTRUCTED || xclass != V_ASN1_APPLICATION ||
++ tag != 24) {
++ BIO_printf(bio_err, "Not ExtendedResponse\n");
++ goto end;
++ }
++
++ /* pull resultCode */
++ rem = end - cur;
++ inf = ASN1_get_object(&cur, &len, &tag, &xclass, rem);
++ if (inf != V_ASN1_UNIVERSAL || tag != V_ASN1_ENUMERATED || len == 0 ||
++ (rem = end - cur, len > rem)) {
++ BIO_printf(bio_err, "Not LDAPResult\n");
++ goto end;
++ }
++
++ /* len should always be one, but just in case... */
++ for (ret = 0, inf = 0; inf < len; inf++) {
++ ret <<= 8;
++ ret |= cur[inf];
++ }
++ /* There is more data, but we don't care... */
++ end:
++ return ret;
++}
+diff -up openssl-1.0.2k/doc/apps/s_client.pod.starttls openssl-1.0.2k/doc/apps/s_client.pod
+--- openssl-1.0.2k/doc/apps/s_client.pod.starttls 2017-03-09 17:35:28.684605455 +0100
++++ openssl-1.0.2k/doc/apps/s_client.pod 2017-03-09 17:42:54.455070967 +0100
+@@ -46,6 +46,8 @@ B<openssl> B<s_client>
+ [B<-krb5svc service>]
+ [B<-serverpref>]
+ [B<-starttls protocol>]
++[B<-xmpphost hostname>]
++[B<-name hostname>]
+ [B<-engine id>]
+ [B<-tlsextdebug>]
+ [B<-no_ticket>]
+@@ -239,7 +241,20 @@ need keys for that principal in its keyt
+
+ send the protocol-specific message(s) to switch to TLS for communication.
+ B<protocol> is a keyword for the intended protocol. Currently, the only
+-supported keywords are "smtp", "pop3", "imap", and "ftp".
++supported keywords are "smtp", "pop3", "imap", "ftp", "xmpp", "xmpp-server",
++"irc", "postgres", "lmtp", "nntp", "sieve" and "ldap".
++
++=item B<-xmpphost hostname>
++
++This option, when used with "-starttls xmpp" or "-starttls xmpp-server",
++specifies the host for the "to" attribute of the stream element.
++If this option is not specified, then the host specified with "-connect"
++will be used.
++
++=item B<-name hostname>
++
++the host name to use with "-starttls smtp".
++If this option is not specified, the default "openssl.client.net" will be used.
+
+ =item B<-tlsextdebug>
+
diff --git a/SOURCES/opensslconf-new.h b/SOURCES/opensslconf-new.h
index bd56c73..04363c3 100644
--- a/SOURCES/opensslconf-new.h
+++ b/SOURCES/opensslconf-new.h
@@ -13,6 +13,14 @@
#include "opensslconf-i386.h"
#elif defined(__ia64__)
#include "opensslconf-ia64.h"
+#elif defined(__mips64) && defined(__MIPSEL__)
+#include "opensslconf-mips64el.h"
+#elif defined(__mips64)
+#include "opensslconf-mips64.h"
+#elif defined(__mips) && defined(__MIPSEL__)
+#include "opensslconf-mipsel.h"
+#elif defined(__mips)
+#include "opensslconf-mips.h"
#elif defined(__powerpc64__)
#include <endian.h>
#if __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
diff --git a/SPECS/openssl.spec b/SPECS/openssl.spec
index 9adae69..b86a4e9 100644
--- a/SPECS/openssl.spec
+++ b/SPECS/openssl.spec
@@ -16,14 +16,14 @@
# Arches on which we need to prevent arch conflicts on opensslconf.h, must
# also be handled in opensslconf-new.h.
-%define multilib_arches %{ix86} ia64 ppc %{power64} s390 s390x sparcv9 sparc64 x86_64
+%define multilib_arches %{ix86} ia64 %{mips} ppc %{power64} s390 s390x sparcv9 sparc64 x86_64
%global _performance_build 1
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
-Version: 1.0.1e
-Release: 60%{?dist}.1
+Version: 1.0.2k
+Release: 8%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@@ -31,6 +31,7 @@ Epoch: 1
Source: openssl-%{version}-hobbled.tar.xz
Source1: hobble-openssl
Source2: Makefile.certificate
+Source5: README.legacy-settings
Source6: make-dummy-cert
Source7: renew-dummy-cert
Source8: openssl-thread-test.c
@@ -40,139 +41,58 @@ Source11: README.FIPS
Source12: ec_curve.c
Source13: ectest.c
# Build changes
-Patch1: openssl-1.0.1e-rpmbuild.patch
-Patch2: openssl-1.0.1e-defaults.patch
-Patch4: openssl-1.0.0-beta5-enginesdir.patch
-Patch5: openssl-0.9.8a-no-rpath.patch
-Patch6: openssl-0.9.8b-test-use-localhost.patch
+Patch1: openssl-1.0.2e-rpmbuild.patch
+Patch2: openssl-1.0.2a-defaults.patch
+Patch4: openssl-1.0.2i-enginesdir.patch
+Patch5: openssl-1.0.2a-no-rpath.patch
+Patch6: openssl-1.0.2a-test-use-localhost.patch
Patch7: openssl-1.0.0-timezone.patch
Patch8: openssl-1.0.1c-perlfind.patch
Patch9: openssl-1.0.1c-aliasing.patch
-# This patch must be applied first
-Patch10: openssl-1.0.1e-ppc-asm-update.patch
# Bug fixes
-Patch23: openssl-1.0.1c-default-paths.patch
-Patch24: openssl-1.0.1e-issuer-hash.patch
+Patch23: openssl-1.0.2c-default-paths.patch
+Patch24: openssl-1.0.2a-issuer-hash.patch
# Functionality changes
Patch33: openssl-1.0.0-beta4-ca-dir.patch
-Patch34: openssl-0.9.6-x509.patch
-Patch35: openssl-0.9.8j-version-add-engines.patch
-Patch36: openssl-1.0.0e-doc-noeof.patch
-Patch38: openssl-1.0.1-beta2-ssl-op-all.patch
-Patch39: openssl-1.0.1c-ipv6-apps.patch
-Patch40: openssl-1.0.1e-fips.patch
-Patch43: openssl-1.0.1e-krb5keytab.patch
-Patch45: openssl-1.0.1e-env-zlib.patch
-Patch47: openssl-1.0.0-beta5-readme-warning.patch
-Patch49: openssl-1.0.1a-algo-doc.patch
-Patch50: openssl-1.0.1-beta2-dtls1-abi.patch
-Patch51: openssl-1.0.1e-version.patch
-Patch56: openssl-1.0.0c-rsa-x931.patch
-Patch58: openssl-1.0.1-beta2-fips-md5-allow.patch
-Patch60: openssl-1.0.0d-apps-dgst.patch
-Patch63: openssl-1.0.0d-xmpp-starttls.patch
-Patch65: openssl-1.0.0e-chil-fixes.patch
-Patch66: openssl-1.0.1-pkgconfig-krb5.patch
-Patch68: openssl-1.0.1e-secure-getenv.patch
-Patch69: openssl-1.0.1c-dh-1024.patch
-Patch70: openssl-1.0.1e-fips-ec.patch
-Patch71: openssl-1.0.1e-manfix.patch
-Patch72: openssl-1.0.1e-fips-ctor.patch
-Patch73: openssl-1.0.1e-ecc-suiteb.patch
-Patch74: openssl-1.0.1e-no-md5-verify.patch
-Patch75: openssl-1.0.1e-compat-symbols.patch
-Patch76: openssl-1.0.1e-new-fips-reqs.patch
-Patch77: openssl-1.0.1e-weak-ciphers.patch
-Patch78: openssl-1.0.1e-3des-strength.patch
-Patch79: openssl-1.0.1e-req-keylen.patch
-Patch41: openssl-1.0.1e-ssl2-no-ec.patch
-Patch42: openssl-1.0.1e-enc-fail.patch
+Patch34: openssl-1.0.2a-x509.patch
+Patch35: openssl-1.0.2a-version-add-engines.patch
+Patch39: openssl-1.0.2a-ipv6-apps.patch
+Patch40: openssl-1.0.2i-fips.patch
+Patch43: openssl-1.0.2j-krb5keytab.patch
+Patch45: openssl-1.0.2a-env-zlib.patch
+Patch47: openssl-1.0.2a-readme-warning.patch
+Patch49: openssl-1.0.1i-algo-doc.patch
+Patch50: openssl-1.0.2a-dtls1-abi.patch
+Patch51: openssl-1.0.2a-version.patch
+Patch56: openssl-1.0.2a-rsa-x931.patch
+Patch58: openssl-1.0.2a-fips-md5-allow.patch
+Patch60: openssl-1.0.2a-apps-dgst.patch
+Patch63: openssl-1.0.2k-starttls.patch
+Patch65: openssl-1.0.2i-chil-fixes.patch
+Patch66: openssl-1.0.2h-pkgconfig.patch
+Patch68: openssl-1.0.2i-secure-getenv.patch
+Patch70: openssl-1.0.2a-fips-ec.patch
+Patch71: openssl-1.0.2g-manfix.patch
+Patch72: openssl-1.0.2a-fips-ctor.patch
+Patch73: openssl-1.0.2c-ecc-suiteb.patch
+Patch74: openssl-1.0.2j-deprecate-algos.patch
+Patch75: openssl-1.0.2a-compat-symbols.patch
+Patch76: openssl-1.0.2j-new-fips-reqs.patch
+Patch77: openssl-1.0.2j-downgrade-strength.patch
+Patch78: openssl-1.0.2k-cc-reqs.patch
+Patch90: openssl-1.0.2i-enc-fail.patch
+Patch94: openssl-1.0.2d-secp256k1.patch
+Patch95: openssl-1.0.2e-remove-nistp224.patch
+Patch96: openssl-1.0.2e-speed-doc.patch
+Patch97: openssl-1.0.2k-no-ssl2.patch
+Patch98: openssl-1.0.2k-long-hello.patch
# Backported fixes including security fixes
-Patch80: openssl-1.0.1e-evp-wrap.patch
-Patch81: openssl-1.0.1-beta2-padlock64.patch
-Patch82: openssl-1.0.1e-backports.patch
-Patch83: openssl-1.0.1e-bad-mac.patch
-Patch84: openssl-1.0.1e-trusted-first.patch
-Patch85: openssl-1.0.1e-arm-use-elf-auxv-caps.patch
-Patch86: openssl-1.0.1e-cve-2013-6449.patch
-Patch87: openssl-1.0.1e-cve-2013-6450.patch
-Patch88: openssl-1.0.1e-cve-2013-4353.patch
-Patch89: openssl-1.0.1e-ephemeral-key-size.patch
-Patch90: openssl-1.0.1e-cve-2014-0160.patch
-Patch91: openssl-1.0.1e-cve-2010-5298.patch
-Patch92: openssl-1.0.1e-cve-2014-0195.patch
-Patch93: openssl-1.0.1e-cve-2014-0198.patch
-Patch94: openssl-1.0.1e-cve-2014-0221.patch
-Patch95: openssl-1.0.1e-cve-2014-0224.patch
-Patch96: openssl-1.0.1e-cve-2014-3470.patch
-Patch97: openssl-1.0.1e-dtls-ecc-ext.patch
-Patch100: openssl-1.0.1e-cve-2014-3505.patch
-Patch101: openssl-1.0.1e-cve-2014-3506.patch
-Patch102: openssl-1.0.1e-cve-2014-3507.patch
-Patch103: openssl-1.0.1e-cve-2014-3508.patch
-Patch104: openssl-1.0.1e-cve-2014-3509.patch
-Patch105: openssl-1.0.1e-cve-2014-3510.patch
-Patch106: openssl-1.0.1e-cve-2014-3511.patch
-Patch107: openssl-1.0.1e-doc-ciphersuites.patch
-Patch108: openssl-1.0.1e-sn-case.patch
-Patch109: openssl-1.0.1e-ecdh-auto.patch
-Patch110: openssl-1.0.1e-cve-2014-3567.patch
-Patch111: openssl-1.0.1e-cve-2014-3513.patch
-Patch112: openssl-1.0.1e-fallback-scsv.patch
-Patch113: openssl-1.0.1e-copy-algo.patch
-Patch114: openssl-1.0.1e-cve-2014-3570.patch
-Patch115: openssl-1.0.1e-cve-2014-3571.patch
-Patch116: openssl-1.0.1e-cve-2014-3572.patch
-Patch117: openssl-1.0.1e-cve-2014-8275.patch
-Patch118: openssl-1.0.1e-cve-2015-0204.patch
-Patch119: openssl-1.0.1e-cve-2015-0205.patch
-Patch120: openssl-1.0.1e-cve-2015-0206.patch
-Patch121: openssl-1.0.1e-cc-reqs.patch
-Patch122: openssl-1.0.1e-cve-2015-0209.patch
-Patch123: openssl-1.0.1e-cve-2015-0286.patch
-Patch124: openssl-1.0.1e-cve-2015-0287.patch
-Patch125: openssl-1.0.1e-cve-2015-0288.patch
-Patch126: openssl-1.0.1e-cve-2015-0289.patch
-Patch127: openssl-1.0.1e-cve-2015-0292.patch
-Patch128: openssl-1.0.1e-cve-2015-0293.patch
-Patch129: openssl-1.0.1e-cve-2015-4000.patch
-Patch130: openssl-1.0.1e-cve-2014-8176.patch
-Patch131: openssl-1.0.1e-cve-2015-1789.patch
-Patch132: openssl-1.0.1e-cve-2015-1790.patch
-Patch133: openssl-1.0.1e-cve-2015-1791.patch
-Patch134: openssl-1.0.1e-cve-2015-1792.patch
-Patch135: openssl-1.0.1e-cve-2015-3194.patch
-Patch136: openssl-1.0.1e-cve-2015-3195.patch
-Patch137: openssl-1.0.1e-cve-2015-3196.patch
-Patch138: openssl-1.0.1e-cve-2015-7575.patch
-Patch139: openssl-1.0.1e-timestamp.patch
-Patch140: openssl-1.0.1e-pkcs12-memleak.patch
-Patch141: openssl-1.0.1e-speed-doc.patch
-Patch142: openssl-1.0.1e-cve-2015-3197.patch
-Patch143: openssl-1.0.1e-disable-sslv2.patch
-Patch144: openssl-1.0.1e-cve-2016-0702.patch
-Patch145: openssl-1.0.1e-cve-2016-0705.patch
-Patch146: openssl-1.0.1e-cve-2016-0797.patch
-Patch147: openssl-1.0.1e-cve-2016-0799.patch
-Patch148: openssl-1.0.1e-sctp-updates.patch
-Patch149: openssl-1.0.1e-keymat-algo.patch
-Patch150: openssl-1.0.1e-cve-2016-2105.patch
-Patch151: openssl-1.0.1e-cve-2016-2106.patch
-Patch152: openssl-1.0.1e-cve-2016-2107.patch
-Patch153: openssl-1.0.1e-cve-2016-2108.patch
-Patch154: openssl-1.0.1e-cve-2016-2109.patch
-Patch155: openssl-1.0.1e-update-test-certs.patch
-Patch156: openssl-1.0.1e-cve-2016-2177.patch
-Patch157: openssl-1.0.1e-cve-2016-2178.patch
-Patch158: openssl-1.0.1e-cve-2016-2179.patch
-Patch159: openssl-1.0.1e-cve-2016-2180.patch
-Patch160: openssl-1.0.1e-cve-2016-2181.patch
-Patch161: openssl-1.0.1e-cve-2016-2182.patch
-Patch162: openssl-1.0.1e-cve-2016-6302.patch
-Patch163: openssl-1.0.1e-cve-2016-6304.patch
-Patch164: openssl-1.0.1e-cve-2016-6306.patch
-Patch166: openssl-1.0.1e-cve-2016-8610.patch
-Patch167: openssl-1.0.1e-cve-2017-3731.patch
+Patch80: openssl-1.0.2e-wrap-pad.patch
+Patch81: openssl-1.0.2a-padlock64.patch
+Patch82: openssl-1.0.2i-trusted-first-doc.patch
+Patch83: openssl-1.0.2k-backports.patch
+Patch84: openssl-1.0.2k-ppc-update.patch
+Patch85: openssl-1.0.2k-req-x509.patch
License: OpenSSL
Group: System Environment/Libraries
@@ -181,6 +101,7 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-root
BuildRequires: coreutils, krb5-devel, perl, sed, zlib-devel, /usr/bin/cmp
BuildRequires: lksctp-tools-devel
BuildRequires: /usr/bin/rename
+BuildRequires: /usr/bin/pod2man
Requires: coreutils, make
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
@@ -245,7 +166,6 @@ from other formats to the formats used by the OpenSSL toolkit.
cp %{SOURCE12} %{SOURCE13} crypto/ec/
-%patch10 -p1 -b .ppc-asm
%patch1 -p1 -b .rpmbuild
%patch2 -p1 -b .defaults
%patch4 -p1 -b .enginesdir %{?_rawbuild}
@@ -261,10 +181,9 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
%patch33 -p1 -b .ca-dir
%patch34 -p1 -b .x509
%patch35 -p1 -b .version-add-engines
-%patch36 -p1 -b .doc-noeof
-%patch38 -p1 -b .op-all
%patch39 -p1 -b .ipv6-apps
%patch40 -p1 -b .fips
+%patch43 -p1 -b .krb5keytab
%patch45 -p1 -b .env-zlib
%patch47 -p1 -b .warning
%patch49 -p1 -b .algo-doc
@@ -275,108 +194,30 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
%patch60 -p1 -b .dgst
%patch63 -p1 -b .starttls
%patch65 -p1 -b .chil
-%patch66 -p1 -b .krb5
+%patch66 -p1 -b .pkgconfig
%patch68 -p1 -b .secure-getenv
-%patch69 -p1 -b .dh1024
%patch70 -p1 -b .fips-ec
+%patch71 -p1 -b .manfix
%patch72 -p1 -b .fips-ctor
%patch73 -p1 -b .suiteb
-%patch74 -p1 -b .no-md5-verify
+%patch74 -p1 -b .deprecate-algos
%patch75 -p1 -b .compat
%patch76 -p1 -b .fips-reqs
-%patch77 -p1 -b .weak-ciphers
-%patch78 -p1 -b .3des-strength
-%patch79 -p1 -b .keylen
-%patch41 -p1 -b .ssl2-noec
-%patch42 -p1 -b .enc-fail
+%patch77 -p1 -b .strength
+%patch78 -p1 -b .cc-reqs
+%patch90 -p1 -b .enc-fail
+%patch94 -p1 -b .secp256k1
+%patch95 -p1 -b .nistp224
+%patch96 -p1 -b .speed-doc
+%patch97 -p1 -b .no-ssl2
+%patch98 -p1 -b .long-hello
%patch80 -p1 -b .wrap
%patch81 -p1 -b .padlock64
-%patch82 -p1 -b .backports
-%patch71 -p1 -b .manfix
-%patch83 -p1 -b .bad-mac
-%patch84 -p1 -b .trusted-first
-%patch85 -p1 -b .armcap
-%patch86 -p1 -b .hash-crash
-%patch87 -p1 -b .dtls1-mitm
-%patch88 -p1 -b .handshake-crash
-%patch89 -p1 -b .ephemeral
-%patch90 -p1 -b .heartbeat
-%patch91 -p1 -b .freelist
-%patch92 -p1 -b .dtls1-overflow
-%patch93 -p1 -b .null-deref
-%patch94 -p1 -b .dtls1-dos
-%patch95 -p1 -b .keying-mitm
-%patch96 -p1 -b .anon-ecdh-dos
-%patch97 -p1 -b .dtls-ecc-ext
-%patch100 -p1 -b .dtls-doublefree
-%patch101 -p1 -b .dtls-sizechecks
-%patch102 -p1 -b .dtls-memleak
-%patch103 -p1 -b .oid-handling
-%patch104 -p1 -b .tlsext-race
-%patch105 -p1 -b .adh-dos
-%patch106 -p1 -b .frag-downgrade
-%patch107 -p1 -b .doc-ciphersuites
-%patch108 -p1 -b .sn-case
-%patch109 -p1 -b .ecdh-auto
-%patch110 -p1 -b .ticket-leak
-%patch111 -p1 -b .srtp-leak
-%patch112 -p1 -b .fallback-scsv
-%patch113 -p1 -b .copy-algo
-%patch114 -p1 -b .bn-sqr
-%patch115 -p1 -b .dtls1-reads
-%patch116 -p1 -b .ecdh-downgrade
-%patch117 -p1 -b .cert-fingerprint
-%patch118 -p1 -b .rsa-ephemeral
-%patch119 -p1 -b .dh-unauthenticated
-%patch120 -p1 -b .dtls-rec-leak
-%patch121 -p1 -b .cc-reqs
-%patch43 -p1 -b .krb5keytab
-%patch122 -p1 -b .use-after-free
-%patch123 -p1 -b .bool-cmp
-%patch124 -p1 -b .item-reuse
-%patch125 -p1 -b .req-null-deref
-%patch126 -p1 -b .pkcs7-null-deref
-%patch127 -p1 -b .b64-underflow
-%patch128 -p1 -b .ssl2-assert
-%patch129 -p1 -b .logjam
-%patch130 -p1 -b .appdata-free
-%patch131 -p1 -b .oob-read
-%patch132 -p1 -b .missing-content
-%patch133 -p1 -b .ticket-race
-%patch134 -p1 -b .unknown-hash
-%patch135 -p1 -b .pss-check
-%patch136 -p1 -b .combine-leak
-%patch137 -p1 -b .psk-identity
-%patch138 -p1 -b .no-md5-tls
-%patch139 -p1 -b .timestamp
-%patch140 -p1 -b .memleak
-%patch141 -p1 -b .speed-doc
-%patch142 -p1 -b .ssl2-ciphers
-%patch143 -p1 -b .disable-sslv2
-%patch144 -p1 -b .rsa-const
-%patch145 -p1 -b .dsa-doublefree
-%patch146 -p1 -b .bn-hex
-%patch147 -p1 -b .bio-printf
-%patch148 -p1 -b .sctp
-%patch149 -p1 -b .keymat-algo
-%patch150 -p1 -b .b64-overflow
-%patch151 -p1 -b .enc-overflow
-%patch152 -p1 -b .padding-check
-%patch153 -p1 -b .asn1-negative
-%patch154 -p1 -b .asn1-bio-dos
-%patch155 -p1 -b .update-certs
-%patch156 -p1 -b .pointer-arithmetic
-%patch157 -p1 -b .dsa-consttime
-%patch158 -p1 -b .dtls1-dos2
-%patch159 -p1 -b .ts-oob-read
-%patch160 -p1 -b .dtls1-replay
-%patch161 -p1 -b .bn-overflow
-%patch162 -p1 -b .ticket-length
-%patch163 -p1 -b .ocsp-memgrowth
-%patch164 -p1 -b .certmsg-len
-%patch166 -p1 -b .many-alerts
-%patch167 -p1 -b .truncated
+%patch82 -p1 -b .trusted-first
+%patch83 -p1 -b .backports
+%patch84 -p1 -b .ppc-update
+%patch85 -p1 -b .req-x509
sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h
@@ -397,6 +238,9 @@ if ! echo %{_target} | grep -q i686 ; then
sslflags="no-asm 386"
fi
%endif
+%ifarch x86_64
+sslflags=enable-ec_nistp_64_gcc_128
+%endif
%ifarch sparcv9
sslarch=linux-sparcv9
sslflags=no-asm
@@ -417,6 +261,10 @@ sslarch="linux64-s390x"
%ifarch %{arm}
sslarch=linux-armv4
%endif
+%ifarch aarch64
+sslarch=linux-aarch64
+sslflags=enable-ec_nistp_64_gcc_128
+%endif
%ifarch sh3 sh4
sslarch=linux-generic32
%endif
@@ -425,6 +273,19 @@ sslarch=linux-ppc64
%endif
%ifarch ppc64le
sslarch="linux-ppc64le"
+sslflags=enable-ec_nistp_64_gcc_128
+%endif
+%ifarch mips mipsel
+sslarch="linux-mips32 -mips32r2"
+%endif
+%ifarch mips64 mips64el
+sslarch="linux64-mips64 -mips64r2"
+%endif
+%ifarch mips64el
+sslflags=enable-ec_nistp_64_gcc_128
+%endif
+%ifarch riscv64
+sslarch=linux-generic64
%endif
# ia64, x86_64, ppc are OK by default
@@ -433,9 +294,9 @@ sslarch="linux-ppc64le"
# RPM_OPT_FLAGS, so we can skip specifiying them here.
./Configure \
--prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
- zlib enable-camellia enable-seed enable-tlsext enable-rfc3779 \
- enable-cms enable-md2 enable-sctp \
- no-mdc2 no-rc5 no-ec2m no-gost no-srp \
+ zlib sctp enable-camellia enable-seed enable-tlsext enable-rfc3779 \
+ enable-cms enable-md2 enable-rc5 \
+ no-mdc2 no-ec2m no-gost no-srp \
--with-krb5-flavor=MIT --enginesdir=%{_libdir}/openssl/engines \
--with-krb5-dir=/usr shared ${sslarch} %{?!nofips:fips}
@@ -450,8 +311,13 @@ make all
# Generate hashes for the included certs.
make rehash
-# Overwrite FIPS README
-cp -f %{SOURCE11} .
+# Overwrite FIPS README and copy README.legacy-settings
+cp -f %{SOURCE5} %{SOURCE11} .
+
+# Clean up the .pc files
+for i in libcrypto.pc libssl.pc openssl.pc ; do
+ sed -i '/^Libs.private:/{s/-L[^ ]* //;s/-Wl[^ ]* //}' $i
+done
%check
# Verify that what was compiled actually works.
@@ -585,11 +451,11 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
%files
%defattr(-,root,root)
-%doc FAQ LICENSE CHANGES NEWS INSTALL README
-%doc doc/c-indentation.el doc/openssl.txt
-%doc doc/openssl_button.html doc/openssl_button.gif
-%doc doc/ssleay.txt
+%{!?_licensedir:%global license %%doc}
+%license LICENSE
+%doc FAQ NEWS README
%doc README.FIPS
+%doc README.legacy-settings
%{_sysconfdir}/pki/tls/certs/make-dummy-cert
%{_sysconfdir}/pki/tls/certs/renew-dummy-cert
%{_sysconfdir}/pki/tls/certs/Makefile
@@ -601,13 +467,17 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
%dir %{_sysconfdir}/pki/CA/newcerts
%{_sysconfdir}/pki/tls/misc/c_*
%attr(0755,root,root) %{_bindir}/openssl
-%attr(0644,root,root) %{_mandir}/man1*/[ABD-Zabcd-z]*
+%attr(0644,root,root) %{_mandir}/man1*/*
+%exclude %{_mandir}/man1*/*.pl*
+%exclude %{_mandir}/man1*/c_rehash*
+%exclude %{_mandir}/man1*/tsget*
%attr(0644,root,root) %{_mandir}/man5*/*
%attr(0644,root,root) %{_mandir}/man7*/*
%files libs
%defattr(-,root,root)
-%doc LICENSE
+%{!?_licensedir:%global license %%doc}
+%license LICENSE
%dir %{_sysconfdir}/pki/tls
%dir %{_sysconfdir}/pki/tls/certs
%dir %{_sysconfdir}/pki/tls/misc
@@ -623,6 +493,7 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
%files devel
%defattr(-,root,root)
+%doc doc/c-indentation.el doc/openssl.txt CHANGES
%{_prefix}/include/openssl
%attr(0755,root,root) %{_libdir}/*.so
%attr(0644,root,root) %{_mandir}/man3*/*
@@ -636,6 +507,8 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
%defattr(-,root,root)
%attr(0755,root,root) %{_bindir}/c_rehash
%attr(0644,root,root) %{_mandir}/man1*/*.pl*
+%attr(0644,root,root) %{_mandir}/man1*/c_rehash*
+%attr(0644,root,root) %{_mandir}/man1*/tsget*
%{_sysconfdir}/pki/tls/misc/*.pl
%{_sysconfdir}/pki/tls/misc/tsget
@@ -644,9 +517,39 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
%postun libs -p /sbin/ldconfig
%changelog
-* Mon Feb 6 2017 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-60.1
-- fix CVE-2017-3731 - DoS via truncated packets with RC4-MD5 cipher
-- fix CVE-2016-8610 - DoS of single-threaded servers via excessive alerts
+* Wed May 17 2017 Tomáš Mráz <tmraz@redhat.com> 1.0.2k-8
+- fix regression in openssl req -x509 command (#1450015)
+
+* Thu Apr 13 2017 Tomáš Mráz <tmraz@redhat.com> 1.0.2k-7
+- handle incorrect size gracefully in aes_p8_cbc_encrypt()
+
+* Mon Mar 27 2017 Tomáš Mráz <tmraz@redhat.com> 1.0.2k-6
+- allow long client hellos to be received by server
+
+* Mon Mar 27 2017 Tomáš Mráz <tmraz@redhat.com> 1.0.2k-5
+- fix CPU features detection on new AMD processors
+
+* Thu Mar 9 2017 Tomáš Mráz <tmraz@redhat.com> 1.0.2k-4
+- add support for additional STARTTLS protocols to s_client
+ original backported patch by Robert Scheck (#1396209)
+
+* Wed Mar 1 2017 Tomáš Mráz <tmraz@redhat.com> 1.0.2k-3
+- properly document the SSLv2 support removal
+
+* Mon Feb 20 2017 Tomáš Mráz <tmraz@redhat.com> 1.0.2k-2
+- add PPC assembler updates
+
+* Tue Feb 7 2017 Tomáš Mráz <tmraz@redhat.com> 1.0.2k-1
+- minor upstream release 1.0.2k fixing security issues
+
+* Tue Jan 10 2017 Tomáš Mráz <tmraz@redhat.com> 1.0.2j-2
+- deprecate and disable verification of insecure hash algorithms
+- add support for /etc/pki/tls/legacy-settings also for minimum DH length
+ accepted by SSL client
+- compare the encrypt and tweak key in XTS as required by FIPS
+
+* Thu Jan 5 2017 Tomáš Mráz <tmraz@redhat.com> 1.0.2j-1
+- rebase to latest upstream release from the 1.0.2 branch, ABI compatible
* Thu Sep 22 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-60
- fix CVE-2016-2177 - possible integer overflow