commit 8139825d2792f42cb6159d7fd23cecfbf2eff685
Author: MSVSphere Packaging Team
Date: Thu Mar 28 18:01:06 2024 +0300
import openssl-fips-provider-3.0.7-2.el9
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..4b504de
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+SOURCES/fips_module-3.0.7-18.el9_2.tar.gz
+SOURCES/openssl-3.0.7-hobbled.tar.gz
diff --git a/.openssl-fips-provider.metadata b/.openssl-fips-provider.metadata
new file mode 100644
index 0000000..4ff0424
--- /dev/null
+++ b/.openssl-fips-provider.metadata
@@ -0,0 +1,2 @@
+390196437b9e1fed3014acf2f1bbf799e72933bb SOURCES/fips_module-3.0.7-18.el9_2.tar.gz
+54ab0e36f279f260196ac3274631bee93ab01d81 SOURCES/openssl-3.0.7-hobbled.tar.gz
diff --git a/SOURCES/0001-Aarch64-and-ppc64le-use-lib64.patch b/SOURCES/0001-Aarch64-and-ppc64le-use-lib64.patch
new file mode 100644
index 0000000..e5d23ba
--- /dev/null
+++ b/SOURCES/0001-Aarch64-and-ppc64le-use-lib64.patch
@@ -0,0 +1,33 @@
+From 603a35802319c0459737e3f067369ceb990fe2e6 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz
+Date: Thu, 24 Sep 2020 09:01:41 +0200
+Subject: Aarch64 and ppc64le use lib64
+
+(Was openssl-1.1.1-build.patch)
+---
+ Configurations/10-main.conf | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf
+index d7580bf3e1..a7dbfd7f40 100644
+--- a/Configurations/10-main.conf
++++ b/Configurations/10-main.conf
+@@ -723,6 +723,7 @@ my %targets = (
+ lib_cppflags => add("-DL_ENDIAN"),
+ asm_arch => 'ppc64',
+ perlasm_scheme => "linux64le",
++ multilib => "64",
+ },
+ 
+ "linux-armv4" => {
+@@ -765,6 +766,7 @@ my %targets = (
+ inherit_from => [ "linux-generic64" ],
+ asm_arch => 'aarch64',
+ perlasm_scheme => "linux64",
++ multilib => "64",
+ },
+ "linux-arm64ilp32" => { # https://wiki.linaro.org/Platform/arm64-ilp32
+ inherit_from => [ "linux-generic32" ],
+-- 
+2.26.2
+
diff --git a/SOURCES/0002-Use-more-general-default-values-in-openssl.cnf.patch b/SOURCES/0002-Use-more-general-default-values-in-openssl.cnf.patch
new file mode 100644
index 0000000..83ed599
--- /dev/null
+++ b/SOURCES/0002-Use-more-general-default-values-in-openssl.cnf.patch
@@ -0,0 +1,68 @@ +From 41df9ae215cee9574e17e6f887c96a7c97d588f5 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Thu, 24 Sep 2020 09:03:40 +0200 +Subject: Use more general default values in openssl.cnf + +Also set sha256 as default hash, although that should not be +necessary anymore. + +(was openssl-1.1.1-defaults.patch) +--- + apps/openssl.cnf | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/apps/openssl.cnf b/apps/openssl.cnf +index 97567a67be..eb25a0ac48 100644 +--- a/apps/openssl.cnf ++++ b/apps/openssl.cnf +@@ -104,7 +104,7 @@ cert_opt = ca_default # Certificate field options + + default_days = 365 # how long to certify for + default_crl_days= 30 # how long before next CRL +-default_md = default # use public key default MD ++default_md = sha256 # use SHA-256 by default + preserve = no # keep passed DN ordering + + # A few difference way of specifying how similar the request should look +@@ -136,6 +136,7 @@ emailAddress = optional + #################################################################### + [ req ] + default_bits = 2048 ++default_md = sha256 + default_keyfile = privkey.pem + distinguished_name = req_distinguished_name + attributes = req_attributes +@@ -158,17 +159,18 @@ string_mask = utf8only + + [ req_distinguished_name ] + countryName = Country Name (2 letter code) +-countryName_default = AU ++countryName_default = XX + countryName_min = 2 + countryName_max = 2 + + stateOrProvinceName = State or Province Name (full name) +-stateOrProvinceName_default = Some-State ++#stateOrProvinceName_default = Default Province + + localityName = Locality Name (eg, city) ++localityName_default = Default City + + 0.organizationName = Organization Name (eg, company) +-0.organizationName_default = Internet Widgits Pty Ltd ++0.organizationName_default = Default Company Ltd + + # we can do this but it is not needed normally :-) + #1.organizationName = Second Organization Name (eg, company) +@@ -177,7 +179,7 @@ localityName = 
Locality Name (eg, city) + organizationalUnitName = Organizational Unit Name (eg, section) + #organizationalUnitName_default = + +-commonName = Common Name (e.g. server FQDN or YOUR name) ++commonName = Common Name (eg, your name or your server\'s hostname) + commonName_max = 64 + + emailAddress = Email Address +-- +2.26.2 + diff --git a/SOURCES/0003-Do-not-install-html-docs.patch b/SOURCES/0003-Do-not-install-html-docs.patch new file mode 100644 index 0000000..66d62e0 --- /dev/null +++ b/SOURCES/0003-Do-not-install-html-docs.patch @@ -0,0 +1,26 @@ +From 3d5755df8d09ca841c0aca2d7344db060f6cc97f Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Thu, 24 Sep 2020 09:05:55 +0200 +Subject: Do not install html docs + +(was openssl-1.1.1-no-html.patch) +--- + Configurations/unix-Makefile.tmpl | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl +index 342e46d24d..9f369edf0e 100644 +--- a/Configurations/unix-Makefile.tmpl ++++ b/Configurations/unix-Makefile.tmpl +@@ -554,7 +554,7 @@ install_sw: install_dev install_engines install_modules install_runtime + + uninstall_sw: uninstall_runtime uninstall_modules uninstall_engines uninstall_dev + +-install_docs: install_man_docs install_html_docs ++install_docs: install_man_docs + + uninstall_docs: uninstall_man_docs uninstall_html_docs + $(RM) -r $(DESTDIR)$(DOCDIR) +-- +2.26.2 + diff --git a/SOURCES/0004-Override-default-paths-for-the-CA-directory-tree.patch b/SOURCES/0004-Override-default-paths-for-the-CA-directory-tree.patch new file mode 100644 index 0000000..7c70c60 --- /dev/null +++ b/SOURCES/0004-Override-default-paths-for-the-CA-directory-tree.patch 
@@ -0,0 +1,73 @@ +From 6790960076742a9053c624e26fbb87fcd5789e27 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Thu, 24 Sep 2020 09:17:26 +0200 +Subject: Override default paths for the CA directory tree + +Also add default section to load crypto-policies configuration +for TLS. + +It needs to be reverted before running tests. + +(was openssl-1.1.1-conf-paths.patch) +--- + apps/CA.pl.in | 2 +- + apps/openssl.cnf | 20 ++++++++++++++++++-- + 2 files changed, 19 insertions(+), 3 deletions(-) + +diff --git a/apps/CA.pl.in b/apps/CA.pl.in +index c0afb96716..d6a5fabd16 100644 +--- a/apps/CA.pl.in ++++ b/apps/CA.pl.in +@@ -29,7 +29,7 @@ my $X509 = "$openssl x509"; + my $PKCS12 = "$openssl pkcs12"; + + # Default values for various configuration settings. +-my $CATOP = "./demoCA"; ++my $CATOP = "/etc/pki/CA"; + my $CAKEY = "cakey.pem"; + my $CAREQ = "careq.pem"; + my $CACERT = "cacert.pem"; +diff -up openssl-3.0.0-alpha16/apps/openssl.cnf.default-tls openssl-3.0.0-alpha16/apps/openssl.cnf +--- openssl-3.0.0-alpha16/apps/openssl.cnf.default-tls 2021-07-06 13:41:39.204978272 +0200 ++++ openssl-3.0.0-alpha16/apps/openssl.cnf 2021-07-06 13:49:50.362857683 +0200 +@@ -53,6 +53,8 @@ tsa_policy3 = 1.2.3.4.5.7 + + [openssl_init] + providers = provider_sect ++# Load default TLS policy configuration ++ssl_conf = ssl_module + + # List of providers to load + [provider_sect] +@@ -64,6 +66,13 @@ default = default_sect + [default_sect] + # activate = 1 + ++[ ssl_module ] ++ ++system_default = crypto_policy ++ ++[ crypto_policy ] ++ ++.include = /etc/crypto-policies/back-ends/opensslcnf.config + + #################################################################### + [ ca ] +@@ -72,7 +81,7 @@ default_ca = CA_default # The default c + #################################################################### + [ CA_default ] + +-dir = ./demoCA # Where everything is kept ++dir = /etc/pki/CA # Where everything is kept + certs = $dir/certs # Where the issued certs are kept + crl_dir = $dir/crl # 
Where the issued crl are kept + database = $dir/index.txt # database index file. +@@ -304,7 +313,7 @@ default_tsa = tsa_config1 # the default + [ tsa_config1 ] + + # These are used by the TSA reply generation only. +-dir = ./demoCA # TSA root directory ++dir = /etc/pki/CA # TSA root directory + serial = $dir/tsaserial # The current serial number (mandatory) + crypto_device = builtin # OpenSSL engine to use for signing + signer_cert = $dir/tsacert.pem # The TSA signing certificate diff --git a/SOURCES/0005-apps-ca-fix-md-option-help-text.patch b/SOURCES/0005-apps-ca-fix-md-option-help-text.patch new file mode 100644 index 0000000..1fed4c4 --- /dev/null +++ b/SOURCES/0005-apps-ca-fix-md-option-help-text.patch @@ -0,0 +1,28 @@ +From 3d8fa9859501b07e02b76b5577e2915d5851e927 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Thu, 24 Sep 2020 09:27:18 +0200 +Subject: apps/ca: fix md option help text + +upstreamable + +(was openssl-1.1.1-apps-dgst.patch) +--- + apps/ca.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/apps/ca.c b/apps/ca.c +index 0f21b4fa1c..3d4b2c1673 100755 +--- a/apps/ca.c ++++ b/apps/ca.c +@@ -209,7 +209,7 @@ const OPTIONS ca_options[] = { + {"noemailDN", OPT_NOEMAILDN, '-', "Don't add the EMAIL field to the DN"}, + + OPT_SECTION("Signing"), +- {"md", OPT_MD, 's', "Digest to use, such as sha256"}, ++ {"md", OPT_MD, 's', "Digest to use, such as sha256; see openssl help for list"}, + {"keyfile", OPT_KEYFILE, 's', "The CA private key"}, + {"keyform", OPT_KEYFORM, 'f', + "Private key file format (ENGINE, other values ignored)"}, +-- +2.26.2 + diff --git a/SOURCES/0006-Disable-signature-verification-with-totally-unsafe-h.patch b/SOURCES/0006-Disable-signature-verification-with-totally-unsafe-h.patch new file mode 100644 index 0000000..f9dd2dd --- /dev/null +++ b/SOURCES/0006-Disable-signature-verification-with-totally-unsafe-h.patch 
@@ -0,0 +1,29 @@
+From 3f9deff30ae6efbfe979043b00cdf649b39793c0 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz
+Date: Thu, 24 Sep 2020 09:51:34 +0200
+Subject: Disable signature verification with totally unsafe hash algorithms
+
+(was openssl-1.1.1-no-weak-verify.patch)
+---
+ crypto/asn1/a_verify.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/crypto/asn1/a_verify.c b/crypto/asn1/a_verify.c
+index b7eed914b0..af62f0ef08 100644
+--- a/crypto/asn1/a_verify.c
++++ b/crypto/asn1/a_verify.c
+@@ -152,6 +152,11 @@ int ASN1_item_verify_ctx(const ASN1_ITEM *it, const X509_ALGOR *alg,
+ ERR_raise(ERR_LIB_ASN1, ERR_R_EVP_LIB);
+ if (ret <= 1)
+ goto err;
++ } else if ((mdnid == NID_md5
++ && ossl_safe_getenv("OPENSSL_ENABLE_MD5_VERIFY") == NULL) ||
++ mdnid == NID_md4 || mdnid == NID_md2 || mdnid == NID_sha) {
++ ERR_raise(ERR_LIB_ASN1, ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
++ goto err;
+ } else {
+ const EVP_MD *type = NULL;
+ 
+-- 
+2.26.2
+
diff --git a/SOURCES/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch b/SOURCES/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
new file mode 100644
index 0000000..7a97dee
--- /dev/null
+++ b/SOURCES/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
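Review bot: The new `} else if` branch rejects MD2, MD4, SHA-0 and (unless OPENSSL_ENABLE_MD5_VERIFY is set) MD5 with ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM, but nothing in the code says this is deliberate policy rather than an unrecognised digest, so a maintainer reading the error cannot tell intent. A comment above the branch should state it, e.g. `/* Downstream policy: refuse signatures over MD2/MD4/SHA-0 outright; MD5 only when OPENSSL_ENABLE_MD5_VERIFY is set (ossl_safe_getenv is the setuid-safe getenv, so the override is ignored in set-id processes). */`. The environment override also belongs in the package documentation, because it weakens verification for every process that inherits the variable. The enclosing function ASN1_item_verify_ctx starts and ends outside the hunk.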
@@ -0,0 +1,323 @@ +From 736d709ec194b3a763e004696df22792c62a11fc Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Thu, 24 Sep 2020 10:16:46 +0200 +Subject: Add support for PROFILE=SYSTEM system default cipherlist + +(was openssl-1.1.1-system-cipherlist.patch) +--- + Configurations/unix-Makefile.tmpl | 5 ++ + Configure | 10 +++- + doc/man1/openssl-ciphers.pod.in | 9 ++++ + include/openssl/ssl.h.in | 5 ++ + ssl/ssl_ciph.c | 88 +++++++++++++++++++++++++++---- + ssl/ssl_lib.c | 4 +- + test/cipherlist_test.c | 2 + + util/libcrypto.num | 1 + + 8 files changed, 110 insertions(+), 14 deletions(-) + +diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl +index 9f369edf0e..c52389f831 100644 +--- a/Configurations/unix-Makefile.tmpl ++++ b/Configurations/unix-Makefile.tmpl +@@ -269,6 +269,10 @@ MANDIR=$(INSTALLTOP)/share/man + DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME) + HTMLDIR=$(DOCDIR)/html + ++{- output_off() if $config{system_ciphers_file} eq ""; "" -} ++SYSTEM_CIPHERS_FILE_DEFINE=-DSYSTEM_CIPHERS_FILE="\"{- $config{system_ciphers_file} -}\"" ++{- output_on() if $config{system_ciphers_file} eq ""; "" -} ++ + # MANSUFFIX is for the benefit of anyone who may want to have a suffix + # appended after the manpage file section number. "ssl" is popular, + # resulting in files such as config.5ssl rather than config.5. +@@ -292,6 +296,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -} + CXX={- $config{CXX} ? 
"\$(CROSS_COMPILE)$config{CXX}" : '' -} + CPPFLAGS={- our $cppflags1 = join(" ", + (map { "-D".$_} @{$config{CPPDEFINES}}), ++ "\$(SYSTEM_CIPHERS_FILE_DEFINE)", + (map { "-I".$_} @{$config{CPPINCLUDES}}), + @{$config{CPPFLAGS}}) -} + CFLAGS={- join(' ', @{$config{CFLAGS}}) -} +diff --git a/doc/man1/openssl-ciphers.pod.in b/doc/man1/openssl-ciphers.pod.in +index b4ed3e51d5..2122e6bdfd 100644 +--- a/doc/man1/openssl-ciphers.pod.in ++++ b/doc/man1/openssl-ciphers.pod.in +@@ -187,6 +187,15 @@ As of OpenSSL 1.0.0, the B cipher suites are sensibly ordered by default. + + The cipher suites not enabled by B, currently B. + ++=item B ++ ++The list of enabled cipher suites will be loaded from the system crypto policy ++configuration file B. ++See also L. ++This is the default behavior unless an application explicitly sets a cipher ++list. If used in a cipher list configuration value this string must be at the ++beginning of the cipher list, otherwise it will not be recognized. ++ + =item B + + "High" encryption cipher suites. This currently means those with key lengths +diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in +index f9a61609e4..c6f95fed3f 100644 +--- a/include/openssl/ssl.h.in ++++ b/include/openssl/ssl.h.in +@@ -209,6 +209,11 @@ extern "C" { + * throwing out anonymous and unencrypted ciphersuites! (The latter are not + * actually enabled by ALL, but "ALL:RSA" would enable some of them.) 
+ */ ++# ifdef SYSTEM_CIPHERS_FILE ++# define SSL_SYSTEM_DEFAULT_CIPHER_LIST "PROFILE=SYSTEM" ++# else ++# define SSL_SYSTEM_DEFAULT_CIPHER_LIST OSSL_default_cipher_list() ++# endif + + /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */ + # define SSL_SENT_SHUTDOWN 1 +diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c +index b1d3f7919e..f7cc7fed48 100644 +--- a/ssl/ssl_ciph.c ++++ b/ssl/ssl_ciph.c +@@ -1411,6 +1411,53 @@ int SSL_set_ciphersuites(SSL *s, const char *str) + return ret; + } + ++#ifdef SYSTEM_CIPHERS_FILE ++static char *load_system_str(const char *suffix) ++{ ++ FILE *fp; ++ char buf[1024]; ++ char *new_rules; ++ const char *ciphers_path; ++ unsigned len, slen; ++ ++ if ((ciphers_path = ossl_safe_getenv("OPENSSL_SYSTEM_CIPHERS_OVERRIDE")) == NULL) ++ ciphers_path = SYSTEM_CIPHERS_FILE; ++ fp = fopen(ciphers_path, "r"); ++ if (fp == NULL || fgets(buf, sizeof(buf), fp) == NULL) { ++ /* cannot open or file is empty */ ++ snprintf(buf, sizeof(buf), "%s", SSL_DEFAULT_CIPHER_LIST); ++ } ++ ++ if (fp) ++ fclose(fp); ++ ++ slen = strlen(suffix); ++ len = strlen(buf); ++ ++ if (buf[len - 1] == '\n') { ++ len--; ++ buf[len] = 0; ++ } ++ if (buf[len - 1] == '\r') { ++ len--; ++ buf[len] = 0; ++ } ++ ++ new_rules = OPENSSL_malloc(len + slen + 1); ++ if (new_rules == 0) ++ return NULL; ++ ++ memcpy(new_rules, buf, len); ++ if (slen > 0) { ++ memcpy(&new_rules[len], suffix, slen); ++ len += slen; ++ } ++ new_rules[len] = 0; ++ ++ return new_rules; ++} ++#endif ++ + STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, + STACK_OF(SSL_CIPHER) *tls13_ciphersuites, + STACK_OF(SSL_CIPHER) **cipher_list, +@@ -1425,15 +1472,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, + CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr; + const SSL_CIPHER **ca_list = NULL; + const SSL_METHOD *ssl_method = ctx->method; ++#ifdef SYSTEM_CIPHERS_FILE ++ char *new_rules = NULL; ++ ++ if (rule_str != NULL && strncmp(rule_str, "PROFILE=SYSTEM", 14) == 0) { ++ 
char *p = rule_str + 14; ++ ++ new_rules = load_system_str(p); ++ rule_str = new_rules; ++ } ++#endif + + /* + * Return with error if nothing to do. + */ + if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL) +- return NULL; ++ goto err; + + if (!check_suiteb_cipher_list(ssl_method, c, &rule_str)) +- return NULL; ++ goto err; + + /* + * To reduce the work to do we only want to process the compiled +@@ -1456,7 +1513,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, + co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers); + if (co_list == NULL) { + ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); +- return NULL; /* Failure */ ++ goto err; + } + + ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, +@@ -1522,8 +1579,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, + * in force within each class + */ + if (!ssl_cipher_strength_sort(&head, &tail)) { +- OPENSSL_free(co_list); +- return NULL; ++ goto err; + } + + /* +@@ -1568,9 +1624,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, + num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1; + ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max); + if (ca_list == NULL) { +- OPENSSL_free(co_list); + ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); +- return NULL; /* Failure */ ++ goto err; + } + ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, + disabled_mkey, disabled_auth, disabled_enc, +@@ -1596,8 +1651,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, + OPENSSL_free(ca_list); /* Not needed anymore */ + + if (!ok) { /* Rule processing failure */ +- OPENSSL_free(co_list); +- return NULL; ++ goto err; + } + + /* +@@ -1605,10 +1659,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, + * if we cannot get one. 
+ */ + if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) { +- OPENSSL_free(co_list); +- return NULL; ++ goto err; + } + ++#ifdef SYSTEM_CIPHERS_FILE ++ OPENSSL_free(new_rules); /* Not needed anymore */ ++#endif ++ + /* Add TLSv1.3 ciphers first - we always prefer those if possible */ + for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) { + const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i); +@@ -1656,6 +1714,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, + *cipher_list = cipherstack; + + return cipherstack; ++ ++err: ++ OPENSSL_free(co_list); ++#ifdef SYSTEM_CIPHERS_FILE ++ OPENSSL_free(new_rules); ++#endif ++ return NULL; ++ + } + + char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) +diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c +index d14d5819ba..48d491219a 100644 +--- a/ssl/ssl_lib.c ++++ b/ssl/ssl_lib.c +@@ -660,7 +660,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth) + ctx->tls13_ciphersuites, + &(ctx->cipher_list), + &(ctx->cipher_list_by_id), +- OSSL_default_cipher_list(), ctx->cert); ++ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ctx->cert); + if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) { + ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); + return 0; +@@ -3193,7 +3193,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq, + if (!ssl_create_cipher_list(ret, + ret->tls13_ciphersuites, + &ret->cipher_list, &ret->cipher_list_by_id, +- OSSL_default_cipher_list(), ret->cert) ++ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ret->cert) + || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) { + ERR_raise(ERR_LIB_SSL, SSL_R_LIBRARY_HAS_NO_CIPHERS); + goto err2; +diff --git a/test/cipherlist_test.c b/test/cipherlist_test.c +index 380f0727fc..6922a87c30 100644 +--- a/test/cipherlist_test.c ++++ b/test/cipherlist_test.c +@@ -244,7 +244,9 @@ end: + + int setup_tests(void) + { ++#ifndef SYSTEM_CIPHERS_FILE + ADD_TEST(test_default_cipherlist_implicit); ++#endif + 
ADD_TEST(test_default_cipherlist_explicit); + ADD_TEST(test_default_cipherlist_clear); + return 1; +diff --git a/util/libcrypto.num b/util/libcrypto.num +index 404a706fab..e81fa9ec3e 100644 +--- a/util/libcrypto.num ++++ b/util/libcrypto.num +@@ -5282,3 +5282,4 @@ OSSL_DECODER_CTX_set_input_structure ? 3_0_0 EXIST::FUNCTION: + EVP_PKEY_CTX_get0_provider 5555 3_0_0 EXIST::FUNCTION: + OPENSSL_strcasecmp 5556 3_0_3 EXIST::FUNCTION: + OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION: ++ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION: +-- +2.26.2 + +diff -up openssl-3.0.0-beta1/Configure.sys-default openssl-3.0.0-beta1/Configure +--- openssl-3.0.0-beta1/Configure.sys-default 2021-06-29 11:47:58.978144386 +0200 ++++ openssl-3.0.0-beta1/Configure 2021-06-29 11:52:01.631126260 +0200 +@@ -27,7 +27,7 @@ use OpenSSL::config; + my $orig_death_handler = $SIG{__DIE__}; + $SIG{__DIE__} = \&death_handler; + +-my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n"; ++my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n"; + + my $banner = <<"EOF"; + +@@ -61,6 +61,10 @@ EOF + # given with --prefix. + # This becomes the value of OPENSSLDIR in Makefile and in C. + # (Default: PREFIX/ssl) ++# ++# --system-ciphers-file A file to read cipher string from when the PROFILE=SYSTEM ++# cipher is specified (default). ++# + # --banner=".." 
Output specified text instead of default completion banner + # + # -w Don't wait after showing a Configure warning +@@ -385,6 +389,7 @@ $config{prefix}=""; + $config{openssldir}=""; + $config{processor}=""; + $config{libdir}=""; ++$config{system_ciphers_file}=""; + my $auto_threads=1; # enable threads automatically? true by default + my $default_ranlib; + +@@ -987,6 +992,10 @@ while (@argvcopy) + die "FIPS key too long (64 bytes max)\n" + if length $1 > 64; + } ++ elsif (/^--system-ciphers-file=(.*)$/) ++ { ++ $config{system_ciphers_file}=$1; ++ } + elsif (/^--banner=(.*)$/) + { + $banner = $1 . "\n"; diff --git a/SOURCES/0008-Add-FIPS_mode-compatibility-macro.patch b/SOURCES/0008-Add-FIPS_mode-compatibility-macro.patch new file mode 100644 index 0000000..2e72999 --- /dev/null +++ b/SOURCES/0008-Add-FIPS_mode-compatibility-macro.patch 
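Review bot: In load_system_str the newline-stripping code reads `buf[len - 1]` without checking `len`, and `len` is `unsigned`: a system ciphers file whose first line is just "\n" gives len 0 after the first strip, so the '\r' test indexes `buf[UINT_MAX]`, an out-of-bounds read on a file chosen by the administrator or by OPENSSL_SYSTEM_CIPHERS_OVERRIDE. Both strips should be guarded: `if (len > 0 && buf[len - 1] == '\n')` and `if (len > 0 && buf[len - 1] == '\r')`. In ssl_create_cipher_list the early `OPENSSL_free(new_rules); /* Not needed anymore */` leaves `new_rules` (and `rule_str`, which aliases it) dangling while the `err:` label frees `new_rules` again, so any later failure path that is ever converted to `goto err` would double-free; adding `new_rules = NULL;` right after that free is cheap insurance. Reading the override path through ossl_safe_getenv rather than getenv is the right choice for a variable that selects a file to open. ssl_create_cipher_list is only partly visible in the hunk.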
@@ -0,0 +1,77 @@ +From 5b2ec9a54037d7b007324bf53e067e73511cdfe4 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Thu, 26 Nov 2020 14:00:16 +0100 +Subject: Add FIPS_mode() compatibility macro + +The macro calls EVP_default_properties_is_fips_enabled() on the +default context. +--- + include/openssl/crypto.h.in | 1 + + include/openssl/fips.h | 25 +++++++++++++++++++++++++ + test/property_test.c | 13 +++++++++++++ + 3 files changed, 39 insertions(+) + create mode 100644 include/openssl/fips.h + +diff --git a/include/openssl/fips.h b/include/openssl/fips.h +new file mode 100644 +index 0000000000..c64f0f8e8f +--- /dev/null ++++ b/include/openssl/fips.h +@@ -0,0 +1,26 @@ ++/* ++ * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. ++ * ++ * Licensed under the Apache License 2.0 (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++#ifndef OPENSSL_FIPS_H ++# define OPENSSL_FIPS_H ++# pragma once ++ ++# include ++# include ++ ++# ifdef __cplusplus ++extern "C" { ++# endif ++ ++# define FIPS_mode() EVP_default_properties_is_fips_enabled(NULL) ++ ++# ifdef __cplusplus ++} ++# endif ++#endif +diff -up openssl-3.0.0-beta1/test/property_test.c.fips-macro openssl-3.0.0-beta1/test/property_test.c +--- openssl-3.0.0-beta1/test/property_test.c.fips-macro 2021-06-29 12:14:58.851557698 +0200 ++++ openssl-3.0.0-beta1/test/property_test.c 2021-06-29 12:17:14.630143832 +0200 +@@ -488,6 +488,19 @@ static int test_property_list_to_string( + return ret; + } + ++#include ++static int test_downstream_FIPS_mode(void) ++{ ++ int ret = 0; ++ ++ ret = TEST_true(EVP_set_default_properties(NULL, "fips=yes")) ++ && TEST_true(FIPS_mode()) ++ && TEST_true(EVP_set_default_properties(NULL, "fips=no")) ++ && TEST_false(FIPS_mode()); ++ ++ return ret; ++} ++ + int setup_tests(void) + { + 
ADD_TEST(test_property_string); +@@ -500,6 +512,7 @@ int setup_tests(void) + ADD_TEST(test_property); + ADD_TEST(test_query_cache_stochastic); + ADD_TEST(test_fips_mode); ++ ADD_TEST(test_downstream_FIPS_mode); + ADD_ALL_TESTS(test_property_list_to_string, OSSL_NELEM(to_string_tests)); + return 1; + } diff --git a/SOURCES/0009-Add-Kernel-FIPS-mode-flag-support.patch b/SOURCES/0009-Add-Kernel-FIPS-mode-flag-support.patch new file mode 100644 index 0000000..30ff325 --- /dev/null +++ b/SOURCES/0009-Add-Kernel-FIPS-mode-flag-support.patch 
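Review bot: The new FIPS_mode() macro has different semantics from the 1.x function it stands in for, and the header carries no comment saying so: it expands to `EVP_default_properties_is_fips_enabled(NULL)`, which reports whether the default context's property query requires `fips=yes`, not whether a FIPS provider is loaded or the kernel is in FIPS mode — the added test_downstream_FIPS_mode shows exactly that by toggling the result with EVP_set_default_properties alone. A comment above the define should make this explicit so code ported from 1.x does not treat a true result as proof of FIPS-validated operation, e.g. `/* Compatibility shim: true iff the default context's property query demands fips=yes; it does not check that a FIPS provider is loaded. */`. The `# include` lines in fips.h have lost their header names in this rendering, so which headers are pulled in cannot be checked here.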
@@ -0,0 +1,71 @@ +diff -up openssl-3.0.0-alpha13/crypto/context.c.kernel-fips openssl-3.0.0-alpha13/crypto/context.c +--- openssl-3.0.0-alpha13/crypto/context.c.kernel-fips 2021-03-16 00:09:55.814826432 +0100 ++++ openssl-3.0.0-alpha13/crypto/context.c 2021-03-16 00:15:55.129043811 +0100 +@@ -12,11 +12,46 @@ + #include "internal/provider.h" + #include "crypto/ctype.h" + ++# include ++# include ++# include ++# include ++# include ++ + struct ossl_lib_ctx_onfree_list_st { + ossl_lib_ctx_onfree_fn *fn; + struct ossl_lib_ctx_onfree_list_st *next; + }; + ++# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled" ++ ++static int kernel_fips_flag; ++ ++static void read_kernel_fips_flag(void) ++{ ++ char buf[2] = "0"; ++ int fd; ++ ++ if (ossl_safe_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) { ++ buf[0] = '1'; ++ } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) { ++ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ; ++ close(fd); ++ } ++ ++ if (buf[0] == '1') { ++ kernel_fips_flag = 1; ++ } ++ ++ return; ++} ++ ++int ossl_get_kernel_fips_flag() ++{ ++ return kernel_fips_flag; ++} ++ ++ + struct ossl_lib_ctx_st { + CRYPTO_RWLOCK *lock; + CRYPTO_EX_DATA data; +@@ -121,6 +170,7 @@ static CRYPTO_THREAD_LOCAL default_conte + + DEFINE_RUN_ONCE_STATIC(default_context_do_init) + { ++ read_kernel_fips_flag(); + return CRYPTO_THREAD_init_local(&default_context_thread_local, NULL) + && context_init(&default_context_int); + } +diff -up openssl-3.0.1/include/internal/provider.h.embed-fips openssl-3.0.1/include/internal/provider.h +--- openssl-3.0.1/include/internal/provider.h.embed-fips 2022-01-11 13:13:08.323238760 +0100 ++++ openssl-3.0.1/include/internal/provider.h 2022-01-11 13:13:43.522558909 +0100 +@@ -110,6 +110,9 @@ int ossl_provider_init_as_child(OSSL_LIB + const OSSL_DISPATCH *in); + void ossl_provider_deinit_child(OSSL_LIB_CTX *ctx); + ++/* FIPS flag access */ ++int ossl_get_kernel_fips_flag(void); ++ + # ifdef __cplusplus + } + # endif 
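Review bot: The definition `int ossl_get_kernel_fips_flag()` uses an empty parameter list while the prototype added to include/internal/provider.h is `int ossl_get_kernel_fips_flag(void);`; an empty list is an obsolescent non-prototype declaration in C, so the definition should read `int ossl_get_kernel_fips_flag(void)` to match. read_kernel_fips_flag also deserves a comment, since OPENSSL_FORCE_FIPS_MODE (read through ossl_safe_getenv) takes precedence over /proc/sys/crypto/fips_enabled and the result is sampled only once, from default_context_do_init, e.g. `/* Sampled once at default-context init: OPENSSL_FORCE_FIPS_MODE wins, otherwise the first byte of FIPS_MODE_SWITCH_FILE; anything but '1' leaves the flag 0. */`. Two style points: the trailing `return;` in a void function is redundant, and the empty-bodied `while (...) ;` retry loop reads better with `continue;` on its own line. The `# include` lines have lost their header names in this rendering and cannot be checked here.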
diff --git a/SOURCES/0011-Remove-EC-curves.patch b/SOURCES/0011-Remove-EC-curves.patch
new file mode 100644
index 0000000..10e200c
--- /dev/null
+++ b/SOURCES/0011-Remove-EC-curves.patch
@@ -0,0 +1,5025 @@ +diff -up openssl-3.0.0-alpha13/apps/speed.c.ec-curves openssl-3.0.0-alpha13/apps/speed.c +--- openssl-3.0.0-alpha13/apps/speed.c.ec-curves 2021-04-10 12:12:00.620129302 +0200 ++++ openssl-3.0.0-alpha13/apps/speed.c 2021-04-10 12:18:11.872369417 +0200 +@@ -364,68 +364,23 @@ static double ffdh_results[FFDH_NUM][1]; + #endif /* OPENSSL_NO_DH */ + + enum ec_curves_t { +- R_EC_P160, R_EC_P192, R_EC_P224, R_EC_P256, R_EC_P384, R_EC_P521, +-#ifndef OPENSSL_NO_EC2M +- R_EC_K163, R_EC_K233, R_EC_K283, R_EC_K409, R_EC_K571, +- R_EC_B163, R_EC_B233, R_EC_B283, R_EC_B409, R_EC_B571, +-#endif +- R_EC_BRP256R1, R_EC_BRP256T1, R_EC_BRP384R1, R_EC_BRP384T1, +- R_EC_BRP512R1, R_EC_BRP512T1, ECDSA_NUM ++ R_EC_P224, R_EC_P256, R_EC_P384, R_EC_P521, ++ ECDSA_NUM + }; + /* list of ecdsa curves */ + static const OPT_PAIR ecdsa_choices[ECDSA_NUM] = { +- {"ecdsap160", R_EC_P160}, +- {"ecdsap192", R_EC_P192}, + {"ecdsap224", R_EC_P224}, + {"ecdsap256", R_EC_P256}, + {"ecdsap384", R_EC_P384}, + {"ecdsap521", R_EC_P521}, +-#ifndef OPENSSL_NO_EC2M +- {"ecdsak163", R_EC_K163}, +- {"ecdsak233", R_EC_K233}, +- {"ecdsak283", R_EC_K283}, +- {"ecdsak409", R_EC_K409}, +- {"ecdsak571", R_EC_K571}, +- {"ecdsab163", R_EC_B163}, +- {"ecdsab233", R_EC_B233}, +- {"ecdsab283", R_EC_B283}, +- {"ecdsab409", R_EC_B409}, +- {"ecdsab571", R_EC_B571}, +-#endif +- {"ecdsabrp256r1", R_EC_BRP256R1}, +- {"ecdsabrp256t1", R_EC_BRP256T1}, +- {"ecdsabrp384r1", R_EC_BRP384R1}, +- {"ecdsabrp384t1", R_EC_BRP384T1}, +- {"ecdsabrp512r1", R_EC_BRP512R1}, +- {"ecdsabrp512t1", R_EC_BRP512T1} + }; + enum { R_EC_X25519 = ECDSA_NUM, R_EC_X448, EC_NUM }; + /* list of ecdh curves, extension of |ecdsa_choices| list above */ + static const OPT_PAIR ecdh_choices[EC_NUM] = { +- {"ecdhp160", R_EC_P160}, +- {"ecdhp192", R_EC_P192}, + {"ecdhp224", R_EC_P224}, + {"ecdhp256", R_EC_P256}, + {"ecdhp384", R_EC_P384}, + {"ecdhp521", R_EC_P521}, +-#ifndef OPENSSL_NO_EC2M +- {"ecdhk163", R_EC_K163}, +- {"ecdhk233", R_EC_K233}, 
+- {"ecdhk283", R_EC_K283}, +- {"ecdhk409", R_EC_K409}, +- {"ecdhk571", R_EC_K571}, +- {"ecdhb163", R_EC_B163}, +- {"ecdhb233", R_EC_B233}, +- {"ecdhb283", R_EC_B283}, +- {"ecdhb409", R_EC_B409}, +- {"ecdhb571", R_EC_B571}, +-#endif +- {"ecdhbrp256r1", R_EC_BRP256R1}, +- {"ecdhbrp256t1", R_EC_BRP256T1}, +- {"ecdhbrp384r1", R_EC_BRP384R1}, +- {"ecdhbrp384t1", R_EC_BRP384T1}, +- {"ecdhbrp512r1", R_EC_BRP512R1}, +- {"ecdhbrp512t1", R_EC_BRP512T1}, + {"ecdhx25519", R_EC_X25519}, + {"ecdhx448", R_EC_X448} + }; +@@ -1449,31 +1404,10 @@ int speed_main(int argc, char **argv) + */ + static const EC_CURVE ec_curves[EC_NUM] = { + /* Prime Curves */ +- {"secp160r1", NID_secp160r1, 160}, +- {"nistp192", NID_X9_62_prime192v1, 192}, + {"nistp224", NID_secp224r1, 224}, + {"nistp256", NID_X9_62_prime256v1, 256}, + {"nistp384", NID_secp384r1, 384}, + {"nistp521", NID_secp521r1, 521}, +-#ifndef OPENSSL_NO_EC2M +- /* Binary Curves */ +- {"nistk163", NID_sect163k1, 163}, +- {"nistk233", NID_sect233k1, 233}, +- {"nistk283", NID_sect283k1, 283}, +- {"nistk409", NID_sect409k1, 409}, +- {"nistk571", NID_sect571k1, 571}, +- {"nistb163", NID_sect163r2, 163}, +- {"nistb233", NID_sect233r1, 233}, +- {"nistb283", NID_sect283r1, 283}, +- {"nistb409", NID_sect409r1, 409}, +- {"nistb571", NID_sect571r1, 571}, +-#endif +- {"brainpoolP256r1", NID_brainpoolP256r1, 256}, +- {"brainpoolP256t1", NID_brainpoolP256t1, 256}, +- {"brainpoolP384r1", NID_brainpoolP384r1, 384}, +- {"brainpoolP384t1", NID_brainpoolP384t1, 384}, +- {"brainpoolP512r1", NID_brainpoolP512r1, 512}, +- {"brainpoolP512t1", NID_brainpoolP512t1, 512}, + /* Other and ECDH only ones */ + {"X25519", NID_X25519, 253}, + {"X448", NID_X448, 448} +diff -up openssl-3.0.0-alpha13/test/ecdsatest.h.ec-curves openssl-3.0.0-alpha13/test/ecdsatest.h +--- openssl-3.0.0-alpha13/test/ecdsatest.h.ec-curves 2021-04-10 12:07:43.158013028 +0200 ++++ openssl-3.0.0-alpha13/test/ecdsatest.h 2021-04-10 12:11:21.601828737 +0200 +@@ -32,23 +32,6 @@ typedef struct 
{ + } ecdsa_cavs_kat_t; + + static const ecdsa_cavs_kat_t ecdsa_cavs_kats[] = { +- /* prime KATs from X9.62 */ +- {NID_X9_62_prime192v1, NID_sha1, +- "616263", /* "abc" */ +- "1a8d598fc15bf0fd89030b5cb1111aeb92ae8baf5ea475fb", +- "0462b12d60690cdcf330babab6e69763b471f994dd702d16a563bf5ec08069705ffff65e" +- "5ca5c0d69716dfcb3474373902", +- "fa6de29746bbeb7f8bb1e761f85f7dfb2983169d82fa2f4e", +- "885052380ff147b734c330c43d39b2c4a89f29b0f749fead", +- "e9ecc78106def82bf1070cf1d4d804c3cb390046951df686"}, +- {NID_X9_62_prime239v1, NID_sha1, +- "616263", /* "abc" */ +- "7ef7c6fabefffdea864206e80b0b08a9331ed93e698561b64ca0f7777f3d", +- "045b6dc53bc61a2548ffb0f671472de6c9521a9d2d2534e65abfcbd5fe0c707fd9f1ed2e" +- "65f09f6ce0893baf5e8e31e6ae82ea8c3592335be906d38dee", +- "656c7196bf87dcc5d1f1020906df2782360d36b2de7a17ece37d503784af", +- "2cb7f36803ebb9c427c58d8265f11fc5084747133078fc279de874fbecb0", +- "2eeae988104e9c2234a3c2beb1f53bfa5dc11ff36a875d1e3ccb1f7e45cf"}, + /* prime KATs from NIST CAVP */ + {NID_secp224r1, NID_sha224, + "699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1" +diff -up openssl-3.0.0-alpha13/test/recipes/15-test_genec.t.ec-curves openssl-3.0.0-alpha13/test/recipes/15-test_genec.t +--- openssl-3.0.0-alpha13/test/recipes/15-test_genec.t.ec-curves 2021-04-10 11:59:37.453332668 +0200 ++++ openssl-3.0.0-alpha13/test/recipes/15-test_genec.t 2021-04-10 12:03:43.363538976 +0200 +@@ -41,45 +41,11 @@ plan skip_all => "This test is unsupport + if disabled("ec"); + + my @prime_curves = qw( +- secp112r1 +- secp112r2 +- secp128r1 +- secp128r2 +- secp160k1 +- secp160r1 +- secp160r2 +- secp192k1 +- secp224k1 + secp224r1 + secp256k1 + secp384r1 + secp521r1 +- prime192v1 +- prime192v2 +- prime192v3 +- prime239v1 +- prime239v2 +- prime239v3 + prime256v1 +- wap-wsg-idm-ecid-wtls6 +- wap-wsg-idm-ecid-wtls7 +- wap-wsg-idm-ecid-wtls8 +- wap-wsg-idm-ecid-wtls9 +- wap-wsg-idm-ecid-wtls12 +- brainpoolP160r1 +- brainpoolP160t1 +- brainpoolP192r1 +- 
brainpoolP192t1 +- brainpoolP224r1 +- brainpoolP224t1 +- brainpoolP256r1 +- brainpoolP256t1 +- brainpoolP320r1 +- brainpoolP320t1 +- brainpoolP384r1 +- brainpoolP384t1 +- brainpoolP512r1 +- brainpoolP512t1 + ); + + my @binary_curves = qw( +@@ -136,7 +102,6 @@ push(@other_curves, 'SM2') + if !disabled("sm2"); + + my @curve_aliases = qw( +- P-192 + P-224 + P-256 + P-384 +diff -up openssl-3.0.0-alpha13/test/recipes/06-test_algorithmid.t.ec-curves openssl-3.0.0-alpha13/test/recipes/06-test_algorithmid.t +--- openssl-3.0.0-alpha13/test/recipes/06-test_algorithmid.t.ec-curves 2021-04-10 12:40:59.871858764 +0200 ++++ openssl-3.0.0-alpha13/test/recipes/06-test_algorithmid.t 2021-04-10 12:41:41.140455070 +0200 +@@ -33,7 +33,7 @@ my %certs_info = + 'ee-cert-ec-named-explicit' => 'ca-cert-ec-explicit', + 'ee-cert-ec-named-named' => 'ca-cert-ec-named', + # 'server-ed448-cert' => 'root-ed448-cert' +- 'server-ecdsa-brainpoolP256r1-cert' => 'rootcert', ++ # 'server-ecdsa-brainpoolP256r1-cert' => 'rootcert', + ) + ) + ); +diff -up openssl-3.0.0-alpha13/test/recipes/15-test_ec.t.ec-curves openssl-3.0.0-alpha13/test/recipes/15-test_ec.t +diff -up openssl-3.0.0-alpha13/test/recipes/20-test_cli_fips.t.ec-curves openssl-3.0.0-alpha13/test/recipes/20-test_cli_fips.t +diff -up openssl-3.0.0-alpha13/test/recipes/30-test_acvp.t.ec-curves openssl-3.0.0-alpha13/test/recipes/30-test_acvp.t +diff -up openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf.ec-curves openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf +--- openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf.ec-curves 2021-04-10 13:21:52.123040226 +0200 ++++ openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf 2021-04-10 13:28:20.856023985 +0200 +@@ -776,14 +776,12 @@ server = 22-ECDSA with brainpool-server + client = 22-ECDSA with brainpool-client + + [22-ECDSA with brainpool-server] +-Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem ++Certificate = 
${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem + CipherString = DEFAULT +-Groups = brainpoolP256r1 +-PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem ++PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem + + [22-ECDSA with brainpool-client] + CipherString = aECDSA +-Groups = brainpoolP256r1 + MaxProtocol = TLSv1.2 + RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem + VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +@@ -791,9 +789,6 @@ VerifyMode = Peer + + [test-22] + ExpectedResult = Success +-ExpectedServerCANames = empty +-ExpectedServerCertType = brainpoolP256r1 +-ExpectedServerSignType = EC + + + # =========================================================== +@@ -1741,9 +1736,9 @@ server = 53-TLS 1.3 ECDSA with brainpool + client = 53-TLS 1.3 ECDSA with brainpool-client + + [53-TLS 1.3 ECDSA with brainpool-server] +-Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem ++Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem + CipherString = DEFAULT +-PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem ++PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem + + [53-TLS 1.3 ECDSA with brainpool-client] + CipherString = DEFAULT +@@ -1754,7 +1749,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/ro + VerifyMode = Peer + + [test-53] +-ExpectedResult = ServerFail ++ExpectedResult = Success + + + # =========================================================== +diff -up openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf.in.ec-curves openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf.in +--- openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf.in.ec-curves 2021-04-10 13:22:06.275221662 +0200 ++++ openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf.in 2021-04-10 13:35:18.774623319 +0200 +@@ -428,21 +428,21 @@ my @tests_non_fips = ( + { + name => "ECDSA with brainpool", + server => { +- "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"), +- "PrivateKey" => 
test_pem("server-ecdsa-brainpoolP256r1-key.pem"), +- "Groups" => "brainpoolP256r1", ++ "Certificate" => test_pem("server-ecdsa-cert.pem"), ++ "PrivateKey" => test_pem("server-ecdsa-key.pem"), ++ #"Groups" => "brainpoolP256r1", + }, + client => { + "MaxProtocol" => "TLSv1.2", + "CipherString" => "aECDSA", + "RequestCAFile" => test_pem("root-cert.pem"), +- "Groups" => "brainpoolP256r1", ++ #"Groups" => "brainpoolP256r1", + }, + test => { +- "ExpectedServerCertType" =>, "brainpoolP256r1", +- "ExpectedServerSignType" =>, "EC", ++ #"ExpectedServerCertType" =>, "brainpoolP256r1", ++ #"ExpectedServerSignType" =>, "EC", + # Note: certificate_authorities not sent for TLS < 1.3 +- "ExpectedServerCANames" =>, "empty", ++ #"ExpectedServerCANames" =>, "empty", + "ExpectedResult" => "Success" + }, + }, +@@ -915,8 +915,8 @@ my @tests_tls_1_3_non_fips = ( + { + name => "TLS 1.3 ECDSA with brainpool", + server => { +- "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"), +- "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"), ++ "Certificate" => test_pem("server-ecdsa-cert.pem"), ++ "PrivateKey" => test_pem("server-ecdsa-key.pem"), + }, + client => { + "RequestCAFile" => test_pem("root-cert.pem"), +@@ -924,7 +924,7 @@ my @tests_tls_1_3_non_fips = ( + "MaxProtocol" => "TLSv1.3" + }, + test => { +- "ExpectedResult" => "ServerFail" ++ "ExpectedResult" => "Success" + }, + }, + ); +diff -up openssl-3.0.0-alpha13/test/recipes/20-test_cli_fips.t.ec-curves openssl-3.0.0-alpha13/test/recipes/20-test_cli_fips.t +--- openssl-3.0.0-alpha13/test/recipes/20-test_cli_fips.t.ec-curves 2021-04-10 14:00:22.482782216 +0200 ++++ openssl-3.0.0-alpha13/test/recipes/20-test_cli_fips.t 2021-04-10 14:08:50.769727651 +0200 +@@ -158,60 +158,6 @@ sub tsignverify { + $testtext); + } + +-SKIP : { +- skip "FIPS EC tests because of no ec in this build", 1 +- if disabled("ec"); +- +- subtest EC => sub { +- my $testtext_prefix = 'EC'; +- my $a_fips_curve = 'prime256v1'; +- my $fips_key = 
$testtext_prefix.'.fips.priv.pem'; +- my $fips_pub_key = $testtext_prefix.'.fips.pub.pem'; +- my $a_nonfips_curve = 'brainpoolP256r1'; +- my $nonfips_key = $testtext_prefix.'.nonfips.priv.pem'; +- my $nonfips_pub_key = $testtext_prefix.'.nonfips.pub.pem'; +- my $testtext = ''; +- my $curvename = ''; +- +- plan tests => 5 + $tsignverify_count; +- +- $ENV{OPENSSL_CONF} = $defaultconf; +- $curvename = $a_nonfips_curve; +- $testtext = $testtext_prefix.': '. +- 'Generate a key with a non-FIPS algorithm with the default provider'; +- ok(run(app(['openssl', 'genpkey', '-algorithm', 'EC', +- '-pkeyopt', 'ec_paramgen_curve:'.$curvename, +- '-out', $nonfips_key])), +- $testtext); +- +- pubfrompriv($testtext_prefix, $nonfips_key, $nonfips_pub_key, "non-FIPS"); +- +- $ENV{OPENSSL_CONF} = $fipsconf; +- +- $curvename = $a_fips_curve; +- $testtext = $testtext_prefix.': '. +- 'Generate a key with a FIPS algorithm'; +- ok(run(app(['openssl', 'genpkey', '-algorithm', 'EC', +- '-pkeyopt', 'ec_paramgen_curve:'.$curvename, +- '-out', $fips_key])), +- $testtext); +- +- pubfrompriv($testtext_prefix, $fips_key, $fips_pub_key, "FIPS"); +- +- $curvename = $a_nonfips_curve; +- $testtext = $testtext_prefix.': '. +- 'Generate a key with a non-FIPS algorithm'. 
+- ' (should fail)'; +- ok(!run(app(['openssl', 'genpkey', '-algorithm', 'EC', +- '-pkeyopt', 'ec_paramgen_curve:'.$curvename, +- '-out', $testtext_prefix.'.'.$curvename.'.priv.pem'])), +- $testtext); +- +- tsignverify($testtext_prefix, $fips_key, $fips_pub_key, $nonfips_key, +- $nonfips_pub_key); +- }; +-} +- + SKIP: { + skip "FIPS RSA tests because of no rsa in this build", 1 + if disabled("rsa"); +diff -up openssl-3.0.0-alpha13/test/recipes/20-test_cli_fips.t.ec-curves openssl-3.0.0-alpha13/test/recipes/20-test_cli_fips.t +--- openssl-3.0.0-alpha13/test/recipes/20-test_cli_fips.t.ec-curves 2021-04-10 14:23:09.805468483 +0200 ++++ openssl-3.0.0-alpha13/test/recipes/20-test_cli_fips.t 2021-04-10 14:23:33.002784265 +0200 +@@ -26,7 +26,7 @@ use platform; + my $no_check = disabled("fips") || disabled('fips-securitychecks'); + plan skip_all => "Test only supported in a fips build with security checks" + if $no_check; +-plan tests => 11; ++plan tests => 10; + + my $fipsmodule = bldtop_file('providers', platform->dso('fips')); + my $fipsconf = srctop_file("test", "fips-and-base.cnf"); +diff -up openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf.ec-curves openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf +--- openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf.ec-curves 2021-04-10 17:52:46.478721611 +0200 ++++ openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf 2021-04-10 17:54:11.371688446 +0200 +@@ -1710,20 +1710,18 @@ server = 52-TLS 1.3 ECDSA with brainpool + client = 52-TLS 1.3 ECDSA with brainpool but no suitable groups-client + + [52-TLS 1.3 ECDSA with brainpool but no suitable groups-server] +-Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem ++Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem + CipherString = DEFAULT +-Groups = brainpoolP256r1 +-PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem ++PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem + + [52-TLS 1.3 ECDSA with 
brainpool but no suitable groups-client] + CipherString = aECDSA +-Groups = brainpoolP256r1 + RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem + VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem + VerifyMode = Peer + + [test-52] +-ExpectedResult = ClientFail ++ExpectedResult = Success + + + # =========================================================== +diff -up openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf.in.ec-curves openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf.in +--- openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf.in.ec-curves 2021-04-10 17:53:03.317913390 +0200 ++++ openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf.in 2021-04-10 17:55:22.507498606 +0200 +@@ -896,20 +896,20 @@ my @tests_tls_1_3_non_fips = ( + { + name => "TLS 1.3 ECDSA with brainpool but no suitable groups", + server => { +- "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"), +- "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"), +- "Groups" => "brainpoolP256r1", ++ "Certificate" => test_pem("server-ecdsa-cert.pem"), ++ "PrivateKey" => test_pem("server-ecdsa-key.pem"), ++ #"Groups" => "brainpoolP256r1", + }, + client => { + "CipherString" => "aECDSA", + "RequestCAFile" => test_pem("root-cert.pem"), +- "Groups" => "brainpoolP256r1", ++ #"Groups" => "brainpoolP256r1", + }, + test => { + #We only configured brainpoolP256r1 on the client side, but TLSv1.3 + #is enabled and this group is not allowed in TLSv1.3. 
Therefore this + #should fail +- "ExpectedResult" => "ClientFail" ++ "ExpectedResult" => "Success" + }, + }, + { +diff -up openssl-3.0.0-alpha13/crypto/evp/ec_support.c.ec-curves openssl-3.0.0-alpha13/crypto/evp/ec_support.c +--- openssl-3.0.0-alpha13/crypto/evp/ec_support.c.ec-curves 2021-04-11 11:13:14.236891844 +0200 ++++ openssl-3.0.0-alpha13/crypto/evp/ec_support.c 2021-04-11 11:12:05.128098714 +0200 +@@ -20,99 +20,13 @@ typedef struct ec_name2nid_st { + static const EC_NAME2NID curve_list[] = { + /* prime field curves */ + /* secg curves */ +- {"secp112r1", NID_secp112r1 }, +- {"secp112r2", NID_secp112r2 }, +- {"secp128r1", NID_secp128r1 }, +- {"secp128r2", NID_secp128r2 }, +- {"secp160k1", NID_secp160k1 }, +- {"secp160r1", NID_secp160r1 }, +- {"secp160r2", NID_secp160r2 }, +- {"secp192k1", NID_secp192k1 }, + {"secp224k1", NID_secp224k1 }, + {"secp224r1", NID_secp224r1 }, + {"secp256k1", NID_secp256k1 }, + {"secp384r1", NID_secp384r1 }, + {"secp521r1", NID_secp521r1 }, + /* X9.62 curves */ +- {"prime192v1", NID_X9_62_prime192v1 }, +- {"prime192v2", NID_X9_62_prime192v2 }, +- {"prime192v3", NID_X9_62_prime192v3 }, +- {"prime239v1", NID_X9_62_prime239v1 }, +- {"prime239v2", NID_X9_62_prime239v2 }, +- {"prime239v3", NID_X9_62_prime239v3 }, + {"prime256v1", NID_X9_62_prime256v1 }, +- /* characteristic two field curves */ +- /* NIST/SECG curves */ +- {"sect113r1", NID_sect113r1 }, +- {"sect113r2", NID_sect113r2 }, +- {"sect131r1", NID_sect131r1 }, +- {"sect131r2", NID_sect131r2 }, +- {"sect163k1", NID_sect163k1 }, +- {"sect163r1", NID_sect163r1 }, +- {"sect163r2", NID_sect163r2 }, +- {"sect193r1", NID_sect193r1 }, +- {"sect193r2", NID_sect193r2 }, +- {"sect233k1", NID_sect233k1 }, +- {"sect233r1", NID_sect233r1 }, +- {"sect239k1", NID_sect239k1 }, +- {"sect283k1", NID_sect283k1 }, +- {"sect283r1", NID_sect283r1 }, +- {"sect409k1", NID_sect409k1 }, +- {"sect409r1", NID_sect409r1 }, +- {"sect571k1", NID_sect571k1 }, +- {"sect571r1", NID_sect571r1 }, +- /* X9.62 
curves */ +- {"c2pnb163v1", NID_X9_62_c2pnb163v1 }, +- {"c2pnb163v2", NID_X9_62_c2pnb163v2 }, +- {"c2pnb163v3", NID_X9_62_c2pnb163v3 }, +- {"c2pnb176v1", NID_X9_62_c2pnb176v1 }, +- {"c2tnb191v1", NID_X9_62_c2tnb191v1 }, +- {"c2tnb191v2", NID_X9_62_c2tnb191v2 }, +- {"c2tnb191v3", NID_X9_62_c2tnb191v3 }, +- {"c2pnb208w1", NID_X9_62_c2pnb208w1 }, +- {"c2tnb239v1", NID_X9_62_c2tnb239v1 }, +- {"c2tnb239v2", NID_X9_62_c2tnb239v2 }, +- {"c2tnb239v3", NID_X9_62_c2tnb239v3 }, +- {"c2pnb272w1", NID_X9_62_c2pnb272w1 }, +- {"c2pnb304w1", NID_X9_62_c2pnb304w1 }, +- {"c2tnb359v1", NID_X9_62_c2tnb359v1 }, +- {"c2pnb368w1", NID_X9_62_c2pnb368w1 }, +- {"c2tnb431r1", NID_X9_62_c2tnb431r1 }, +- /* +- * the WAP/WTLS curves [unlike SECG, spec has its own OIDs for curves +- * from X9.62] +- */ +- {"wap-wsg-idm-ecid-wtls1", NID_wap_wsg_idm_ecid_wtls1 }, +- {"wap-wsg-idm-ecid-wtls3", NID_wap_wsg_idm_ecid_wtls3 }, +- {"wap-wsg-idm-ecid-wtls4", NID_wap_wsg_idm_ecid_wtls4 }, +- {"wap-wsg-idm-ecid-wtls5", NID_wap_wsg_idm_ecid_wtls5 }, +- {"wap-wsg-idm-ecid-wtls6", NID_wap_wsg_idm_ecid_wtls6 }, +- {"wap-wsg-idm-ecid-wtls7", NID_wap_wsg_idm_ecid_wtls7 }, +- {"wap-wsg-idm-ecid-wtls8", NID_wap_wsg_idm_ecid_wtls8 }, +- {"wap-wsg-idm-ecid-wtls9", NID_wap_wsg_idm_ecid_wtls9 }, +- {"wap-wsg-idm-ecid-wtls10", NID_wap_wsg_idm_ecid_wtls10 }, +- {"wap-wsg-idm-ecid-wtls11", NID_wap_wsg_idm_ecid_wtls11 }, +- {"wap-wsg-idm-ecid-wtls12", NID_wap_wsg_idm_ecid_wtls12 }, +- /* IPSec curves */ +- {"Oakley-EC2N-3", NID_ipsec3 }, +- {"Oakley-EC2N-4", NID_ipsec4 }, +- /* brainpool curves */ +- {"brainpoolP160r1", NID_brainpoolP160r1 }, +- {"brainpoolP160t1", NID_brainpoolP160t1 }, +- {"brainpoolP192r1", NID_brainpoolP192r1 }, +- {"brainpoolP192t1", NID_brainpoolP192t1 }, +- {"brainpoolP224r1", NID_brainpoolP224r1 }, +- {"brainpoolP224t1", NID_brainpoolP224t1 }, +- {"brainpoolP256r1", NID_brainpoolP256r1 }, +- {"brainpoolP256t1", NID_brainpoolP256t1 }, +- {"brainpoolP320r1", NID_brainpoolP320r1 }, +- 
{"brainpoolP320t1", NID_brainpoolP320t1 }, +- {"brainpoolP384r1", NID_brainpoolP384r1 }, +- {"brainpoolP384t1", NID_brainpoolP384t1 }, +- {"brainpoolP512r1", NID_brainpoolP512r1 }, +- {"brainpoolP512t1", NID_brainpoolP512t1 }, +- /* SM2 curve */ +- {"SM2", NID_sm2 }, + }; + + const char *OSSL_EC_curve_nid2name(int nid) +diff -up openssl-3.0.0-alpha13/test/acvp_test.inc.ec-curves openssl-3.0.0-alpha13/test/acvp_test.inc +--- openssl-3.0.0-alpha13/test/acvp_test.inc.ec-curves 2021-04-11 13:46:57.286828933 +0200 ++++ openssl-3.0.0-alpha13/test/acvp_test.inc 2021-04-11 13:48:01.356704526 +0200 +@@ -212,15 +212,6 @@ static const unsigned char ecdsa_sigver_ + }; + static const struct ecdsa_sigver_st ecdsa_sigver_data[] = { + { +- "SHA-1", +- "P-192", +- ITM(ecdsa_sigver_msg0), +- ITM(ecdsa_sigver_pub0), +- ITM(ecdsa_sigver_r0), +- ITM(ecdsa_sigver_s0), +- PASS, +- }, +- { + "SHA2-512", + "P-521", + ITM(ecdsa_sigver_msg1), +diff -up openssl-3.0.0-alpha13/test/recipes/65-test_cmp_protect.t.ec-curves openssl-3.0.0-alpha13/test/recipes/65-test_cmp_protect.t +--- openssl-3.0.0-alpha13/test/recipes/65-test_cmp_protect.t.ec-curves 2021-04-11 21:45:04.949948725 +0200 ++++ openssl-3.0.0-alpha13/test/recipes/65-test_cmp_protect.t 2021-04-11 21:44:09.585283604 +0200 +@@ -7,7 +7,6 @@ + # this file except in compliance with the License. You can obtain a copy + # in the file LICENSE in the source distribution or at + # https://www.openssl.org/source/license.html +- + use strict; + use OpenSSL::Test qw/:DEFAULT data_file srctop_file srctop_dir bldtop_file bldtop_dir/; + use OpenSSL::Test::Utils; +@@ -27,7 +26,7 @@ plan skip_all => "This test is not suppo + plan skip_all => "This test is not supported in a shared library build on Windows" + if $^O eq 'MSWin32' && !disabled("shared"); + +-plan tests => 2 + ($no_fips ? 0 : 1); #fips test ++plan skip_all => 2 + ($no_fips ? 
0 : 1); #fips test + + my @basic_cmd = ("cmp_protect_test", + data_file("server.pem"), +diff -up openssl-3.0.0-alpha13/test/recipes/65-test_cmp_vfy.t.ec-curves openssl-3.0.0-alpha13/test/recipes/65-test_cmp_vfy.t +--- openssl-3.0.0-alpha13/test/recipes/65-test_cmp_vfy.t.ec-curves 2021-04-11 21:45:25.414194574 +0200 ++++ openssl-3.0.0-alpha13/test/recipes/65-test_cmp_vfy.t 2021-04-11 21:44:40.786658440 +0200 +@@ -7,7 +7,6 @@ + # this file except in compliance with the License. You can obtain a copy + # in the file LICENSE in the source distribution or at + # https://www.openssl.org/source/license.html +- + use strict; + use OpenSSL::Test qw/:DEFAULT data_file srctop_file srctop_dir bldtop_file bldtop_dir/; + use OpenSSL::Test::Utils; +@@ -27,7 +26,7 @@ plan skip_all => "This test is not suppo + plan skip_all => "This test is not supported in a no-ec build" + if disabled("ec"); + +-plan tests => 2 + ($no_fips ? 0 : 1); #fips test ++plan skip_all => 2 + ($no_fips ? 0 : 1); #fips test + + my @basic_cmd = ("cmp_vfy_test", + data_file("server.crt"), data_file("client.crt"), +diff -up openssl-3.0.0-alpha15/crypto/evp/ec_support.c.ec-curves openssl-3.0.0-alpha15/crypto/evp/ec_support.c +--- openssl-3.0.0-alpha15/crypto/evp/ec_support.c.ec-curves 2021-04-23 18:15:12.571691284 +0200 ++++ openssl-3.0.0-alpha15/crypto/evp/ec_support.c 2021-04-23 18:16:00.803087403 +0200 +@@ -28,7 +28,6 @@ static const EC_NAME2NID curve_list[] = + static const EC_NAME2NID curve_list[] = { + /* prime field curves */ + /* secg curves */ +- {"secp224k1", NID_secp224k1 }, + {"secp224r1", NID_secp224r1 }, + {"secp256k1", NID_secp256k1 }, + {"secp384r1", NID_secp384r1 }, +diff -up openssl-3.0.0-alpha15/apps/speed.c.ec-curves openssl-3.0.0-alpha15/apps/speed.c +--- openssl-3.0.0-alpha15/apps/speed.c.ec-curves 2021-04-26 14:25:44.049991942 +0200 ++++ openssl-3.0.0-alpha15/apps/speed.c 2021-04-26 14:36:10.643570273 +0200 +@@ -1439,8 +1439,8 @@ int speed_main(int argc, char **argv) + 
OPENSSL_assert(ec_curves[EC_NUM - 1].nid == NID_X448); + OPENSSL_assert(strcmp(ecdh_choices[EC_NUM - 1].name, "ecdhx448") == 0); + +- OPENSSL_assert(ec_curves[ECDSA_NUM - 1].nid == NID_brainpoolP512t1); +- OPENSSL_assert(strcmp(ecdsa_choices[ECDSA_NUM - 1].name, "ecdsabrp512t1") == 0); ++ OPENSSL_assert(ec_curves[ECDSA_NUM - 1].nid == NID_secp521r1); ++ OPENSSL_assert(strcmp(ecdsa_choices[ECDSA_NUM - 1].name, "ecdsap521") == 0); + + #ifndef OPENSSL_NO_SM2 + OPENSSL_assert(sm2_curves[SM2_NUM - 1].nid == NID_sm2); +diff -up openssl-3.0.0-alpha16/test/evp_extra_test.c.ec-curves openssl-3.0.0-alpha16/test/evp_extra_test.c +--- openssl-3.0.0-alpha16/test/evp_extra_test.c.ec-curves 2021-05-10 14:44:28.932751551 +0200 ++++ openssl-3.0.0-alpha16/test/evp_extra_test.c 2021-05-10 14:45:21.537238883 +0200 +@@ -2701,13 +2701,12 @@ err: + + #ifndef OPENSSL_NO_EC + static int ecpub_nids[] = { +- NID_brainpoolP256r1, NID_X9_62_prime256v1, ++ NID_X9_62_prime256v1, + NID_secp384r1, NID_secp521r1, + # ifndef OPENSSL_NO_EC2M + NID_sect233k1, NID_sect233r1, NID_sect283r1, + NID_sect409k1, NID_sect409r1, NID_sect571k1, NID_sect571r1, + # endif +- NID_brainpoolP384r1, NID_brainpoolP512r1 + }; + + static int test_ecpub(int idx) +diff -up openssl-3.0.0-alpha16/test/recipes/30-test_evp_data/evppkey_mismatch.txt.ec-curves openssl-3.0.0-alpha16/test/recipes/30-test_evp_data/evppkey_mismatch.txt +--- openssl-3.0.0-alpha16/test/recipes/30-test_evp_data/evppkey_mismatch.txt.ec-curves 2021-05-17 10:45:03.968368782 +0200 ++++ openssl-3.0.0-alpha16/test/recipes/30-test_evp_data/evppkey_mismatch.txt 2021-05-17 10:45:54.211747865 +0200 +@@ -31,12 +31,6 @@ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELBUP + x/iUJAcsJxl9eLM7kg6VzbZk6ZDc8M/qDZTiqOavnQ5YBW5lMQSSW5/myQ== + -----END PUBLIC KEY----- + +-PublicKey=KAS-ECC-CDH_K-163_C0-PUBLIC +------BEGIN PUBLIC KEY----- +-MEAwEAYHKoZIzj0CAQYFK4EEAAEDLAAEBx+LKHfWAn2cGt5CRPLeoSaS7yPVBcFe +-53YiHHK4SzR844PzgGe4nD6a +------END PUBLIC KEY----- +- + PrivateKey = RSA-2048 
+ -----BEGIN PRIVATE KEY----- + MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDNAIHqeyrh6gbV +@@ -77,9 +71,3 @@ Result = KEYPAIR_TYPE_MISMATCH + + PrivPubKeyPair = RSA-2048:P-256-PUBLIC + Result = KEYPAIR_TYPE_MISMATCH +- +-PrivPubKeyPair = RSA-2048:KAS-ECC-CDH_K-163_C0-PUBLIC +-Result = KEYPAIR_TYPE_MISMATCH +- +-PrivPubKeyPair = Alice-25519:KAS-ECC-CDH_K-163_C0-PUBLIC +-Result = KEYPAIR_TYPE_MISMATCH +diff -up openssl-3.0.0-alpha16/test/recipes/30-test_evp.t.ec-curves openssl-3.0.0-alpha16/test/recipes/30-test_evp.t +--- openssl-3.0.0-alpha16/test/recipes/30-test_evp.t.ec-curves 2021-05-17 10:49:28.050844977 +0200 ++++ openssl-3.0.0-alpha16/test/recipes/30-test_evp.t 2021-05-17 10:53:53.480444576 +0200 +@@ -111,7 +111,6 @@ my @defltfiles = qw( + evppkey_kdf_tls1_prf.txt + evppkey_rsa.txt + ); +-push @defltfiles, qw(evppkey_brainpool.txt) unless $no_ec; + push @defltfiles, qw(evppkey_sm2.txt) unless $no_sm2; + + plan tests => +diff -up openssl-3.0.0-beta1/test/recipes/30-test_evp_data/evppkey_ecc.txt.remove-ec openssl-3.0.0-beta1/test/recipes/30-test_evp_data/evppkey_ecc.txt +--- openssl-3.0.0-beta1/test/recipes/30-test_evp_data/evppkey_ecc.txt.remove-ec 2021-06-29 16:24:56.863303499 +0200 ++++ openssl-3.0.0-beta1/test/recipes/30-test_evp_data/evppkey_ecc.txt 2021-06-29 16:38:04.189996425 +0200 +@@ -11,1949 +11,6 @@ + # PrivPubKeyPair Sign Verify VerifyRecover + # and continue until a blank line. Lines starting with a pound sign are ignored. 
+ +-Title=c2pnb163v1 curve tests +- +-PrivateKey=ALICE_cf_c2pnb163v1 +------BEGIN PRIVATE KEY----- +-MDYCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAEEHDAaAgEBBBUD1JfG8cLNP9418YW+hVhriqH6O5Y= +------END PRIVATE KEY----- +- +-PublicKey=ALICE_cf_c2pnb163v1_PUB +------BEGIN PUBLIC KEY----- +-MEMwEwYHKoZIzj0CAQYIKoZIzj0DAAEDLAAEBXgoOgVlWTLQnrQZXgQuSBcIS3bQAlXQ+yJhS03B +-4G8rKQXbrc0mvWsF +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=ALICE_cf_c2pnb163v1:ALICE_cf_c2pnb163v1_PUB +- +-PrivateKey=BOB_cf_c2pnb163v1 +------BEGIN PRIVATE KEY----- +-MDYCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAEEHDAaAgEBBBUAc3EaoMmMORTzQhMkhPIXY+/jUSI= +------END PRIVATE KEY----- +- +-PublicKey=BOB_cf_c2pnb163v1_PUB +------BEGIN PUBLIC KEY----- +-MEMwEwYHKoZIzj0CAQYIKoZIzj0DAAEDLAAEBn9J0jo39aFVZqhBsAKZ6bViAu6zBC8WaFGExnpZ +-KuBh8tP8VSTHPCHF +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=BOB_cf_c2pnb163v1:BOB_cf_c2pnb163v1_PUB +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_c2pnb163v1 +-PeerKey=BOB_cf_c2pnb163v1_PUB +-SharedSecret=065dd38fb6de7f394778e1bf65d840a2c0e7219acd +- +-# ECDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_c2pnb163v1 +-PeerKey=ALICE_cf_c2pnb163v1_PUB +-SharedSecret=065dd38fb6de7f394778e1bf65d840a2c0e7219acd +- +-# ECC CDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_c2pnb163v1 +-PeerKey=BOB_cf_c2pnb163v1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=066fc46e8cc4327634dd127748020f2de6aab67585 +- +-# ECC CDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_c2pnb163v1 +-PeerKey=ALICE_cf_c2pnb163v1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=066fc46e8cc4327634dd127748020f2de6aab67585 +- +-PublicKey=MALICE_cf_c2pnb163v1_PUB +------BEGIN PUBLIC KEY----- +-MEMwEwYHKoZIzj0CAQYIKoZIzj0DAAEDLAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC8JxepS05nN +-/piKdhDD3dDKXUih +------END PUBLIC KEY----- +- +-# ECC CDH Bob with Malice peer +-Availablein = default +-Derive=BOB_cf_c2pnb163v1 
+-PeerKey=MALICE_cf_c2pnb163v1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +- +-# ECC CDH Alice with Malice peer +-Availablein = default +-Derive=ALICE_cf_c2pnb163v1 +-PeerKey=MALICE_cf_c2pnb163v1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +- +-Title=c2pnb163v2 curve tests +- +-PrivateKey=ALICE_cf_c2pnb163v2 +------BEGIN PRIVATE KEY----- +-MDYCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAIEHDAaAgEBBBUA4KFv7c1dygtVbdp/g2z2TqLAHkI= +------END PRIVATE KEY----- +- +-PublicKey=ALICE_cf_c2pnb163v2_PUB +------BEGIN PUBLIC KEY----- +-MEMwEwYHKoZIzj0CAQYIKoZIzj0DAAIDLAAEAVnlL7lMBaASwCIJaf9x2LgNPVmEAb43huHQlo3Q +-4PzawHXQoYm/qgDd +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=ALICE_cf_c2pnb163v2:ALICE_cf_c2pnb163v2_PUB +- +-PrivateKey=BOB_cf_c2pnb163v2 +------BEGIN PRIVATE KEY----- +-MDYCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAIEHDAaAgEBBBUCEdYqClRWIl2m+X34e+DB2iZSxmQ= +------END PRIVATE KEY----- +- +-PublicKey=BOB_cf_c2pnb163v2_PUB +------BEGIN PUBLIC KEY----- +-MEMwEwYHKoZIzj0CAQYIKoZIzj0DAAIDLAAEAVWNIKn7/WMfzuNnd5ws9J0DI2CfBkEJizZHAFqy +-kBF3juAQuARgxuT6 +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=BOB_cf_c2pnb163v2:BOB_cf_c2pnb163v2_PUB +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_c2pnb163v2 +-PeerKey=BOB_cf_c2pnb163v2_PUB +-SharedSecret=0078ebb986d4f9b0aa0bc4af99e82c2bd24130f3f4 +- +-# ECDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_c2pnb163v2 +-PeerKey=ALICE_cf_c2pnb163v2_PUB +-SharedSecret=0078ebb986d4f9b0aa0bc4af99e82c2bd24130f3f4 +- +-# ECC CDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_c2pnb163v2 +-PeerKey=BOB_cf_c2pnb163v2_PUB +-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=069a80bcd45987fd1c874cd9dc5453207a09b61d41 +- +-# ECC CDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_c2pnb163v2 +-PeerKey=ALICE_cf_c2pnb163v2_PUB +-Ctrl=ecdh_cofactor_mode:1 
+-SharedSecret=069a80bcd45987fd1c874cd9dc5453207a09b61d41 +- +-PublicKey=MALICE_cf_c2pnb163v2_PUB +------BEGIN PUBLIC KEY----- +-MEMwEwYHKoZIzj0CAQYIKoZIzj0DAAIDLAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAABuVBl1V5uysY +-n6HANPEoMoK+7Sv0 +------END PUBLIC KEY----- +- +-# ECC CDH Bob with Malice peer +-Availablein = default +-Derive=BOB_cf_c2pnb163v2 +-PeerKey=MALICE_cf_c2pnb163v2_PUB +-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +- +-# ECC CDH Alice with Malice peer +-Availablein = default +-Derive=ALICE_cf_c2pnb163v2 +-PeerKey=MALICE_cf_c2pnb163v2_PUB +-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +- +-Title=c2pnb163v3 curve tests +- +-PrivateKey=ALICE_cf_c2pnb163v3 +------BEGIN PRIVATE KEY----- +-MDYCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAMEHDAaAgEBBBUBItB0y/QeJ+cCh9yoHf0zqLVyMZc= +------END PRIVATE KEY----- +- +-PublicKey=ALICE_cf_c2pnb163v3_PUB +------BEGIN PUBLIC KEY----- +-MEMwEwYHKoZIzj0CAQYIKoZIzj0DAAMDLAAEBx1HRyjuBMjt+vlbWaQbKOpNvWKFAslzEbPv6MpK +-YnObLnq34LRuWznb +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=ALICE_cf_c2pnb163v3:ALICE_cf_c2pnb163v3_PUB +- +-PrivateKey=BOB_cf_c2pnb163v3 +------BEGIN PRIVATE KEY----- +-MDYCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAMEHDAaAgEBBBUAXVHUHeP8Ioz7IqXOWbjaUXEHE5M= +------END PRIVATE KEY----- +- +-PublicKey=BOB_cf_c2pnb163v3_PUB +------BEGIN PUBLIC KEY----- +-MEMwEwYHKoZIzj0CAQYIKoZIzj0DAAMDLAAEAqXF7rsAZ40Z1PT4TeeC45RKTxP4AJBAdfuknJ/J +-DZnBLhxBwtqnfUpA +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=BOB_cf_c2pnb163v3:BOB_cf_c2pnb163v3_PUB +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_c2pnb163v3 +-PeerKey=BOB_cf_c2pnb163v3_PUB +-SharedSecret=07fd2ffe9b18973c51caeadbc2154b97a9a0390be9 +- +-# ECDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_c2pnb163v3 +-PeerKey=ALICE_cf_c2pnb163v3_PUB +-SharedSecret=07fd2ffe9b18973c51caeadbc2154b97a9a0390be9 +- +-# ECC CDH Alice with Bob peer +-Availablein = default 
+-Derive=ALICE_cf_c2pnb163v3
+-PeerKey=BOB_cf_c2pnb163v3_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-SharedSecret=06f7daf1c963594e1a13f9f17b62aaab2934872c16
+-
+-# ECC CDH Bob with Alice peer
+-Availablein = default
+-Derive=BOB_cf_c2pnb163v3
+-PeerKey=ALICE_cf_c2pnb163v3_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-SharedSecret=06f7daf1c963594e1a13f9f17b62aaab2934872c16
+-
+-PublicKey=MALICE_cf_c2pnb163v3_PUB
+------BEGIN PUBLIC KEY-----
+-MEMwEwYHKoZIzj0CAQYIKoZIzj0DAAMDLAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAA7jRlUg9oaLK
+-LwAuHF8g5Y0JjJnI
+------END PUBLIC KEY-----
+-
+-# ECC CDH Bob with Malice peer
+-Availablein = default
+-Derive=BOB_cf_c2pnb163v3
+-PeerKey=MALICE_cf_c2pnb163v3_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-Result=DERIVE_ERROR
+-Reason=point at infinity
+-
+-# ECC CDH Alice with Malice peer
+-Availablein = default
+-Derive=ALICE_cf_c2pnb163v3
+-PeerKey=MALICE_cf_c2pnb163v3_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-Result=DERIVE_ERROR
+-Reason=point at infinity
+-
+-Title=c2pnb176v1 curve tests
+-
+-PrivateKey=ALICE_cf_c2pnb176v1
+------BEGIN PRIVATE KEY-----
+-MDYCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAQEHDAaAgEBBBUAaZ1jV1jM9meV5iiNGPU/WMSfWOM=
+------END PRIVATE KEY-----
+-
+-PublicKey=ALICE_cf_c2pnb176v1_PUB
+------BEGIN PUBLIC KEY-----
+-MEUwEwYHKoZIzj0CAQYIKoZIzj0DAAQDLgAEPjME7IV6Tuz2P++wIT60hRxTkk0M0PNgvqYcUoCI
+-iw3girDLhNzOu3IQ8Ac=
+------END PUBLIC KEY-----
+-
+-Availablein = default
+-PrivPubKeyPair=ALICE_cf_c2pnb176v1:ALICE_cf_c2pnb176v1_PUB
+-
+-PrivateKey=BOB_cf_c2pnb176v1
+------BEGIN PRIVATE KEY-----
+-MDYCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAQEHDAaAgEBBBUAreyYbcF+ONIf64KmeSzV82OI/50=
+------END PRIVATE KEY-----
+-
+-PublicKey=BOB_cf_c2pnb176v1_PUB
+------BEGIN PUBLIC KEY-----
+-MEUwEwYHKoZIzj0CAQYIKoZIzj0DAAQDLgAEpJn1IDmFj5LceLGfY2wlhI1VHq5vJ+qNIAOXVZhX
+-uMtp6pzy63rCEK53bgs=
+------END PUBLIC KEY-----
+-
+-Availablein = default
+-PrivPubKeyPair=BOB_cf_c2pnb176v1:BOB_cf_c2pnb176v1_PUB
+-
+-# ECDH Alice with Bob peer
+-Availablein = default
+-Derive=ALICE_cf_c2pnb176v1
+-PeerKey=BOB_cf_c2pnb176v1_PUB
+-SharedSecret=3a8021848ee0b2c1c377404267a515225781c181e6ab
+-
+-# ECDH Bob with Alice peer
+-Availablein = default
+-Derive=BOB_cf_c2pnb176v1
+-PeerKey=ALICE_cf_c2pnb176v1_PUB
+-SharedSecret=3a8021848ee0b2c1c377404267a515225781c181e6ab
+-
+-# ECC CDH Alice with Bob peer
+-Availablein = default
+-Derive=ALICE_cf_c2pnb176v1
+-PeerKey=BOB_cf_c2pnb176v1_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-SharedSecret=b06cdc633b56e813d63326c69d2cfa335352279540ac
+-
+-# ECC CDH Bob with Alice peer
+-Availablein = default
+-Derive=BOB_cf_c2pnb176v1
+-PeerKey=ALICE_cf_c2pnb176v1_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-SharedSecret=b06cdc633b56e813d63326c69d2cfa335352279540ac
+-
+-PublicKey=MALICE_cf_c2pnb176v1_PUB
+------BEGIN PUBLIC KEY-----
+-MEUwEwYHKoZIzj0CAQYIKoZIzj0DAAQDLgAE4ePri2opCoAUJIUQnaQlvDaxZd9bsdKnjWSvh+FL
+-zXV3l5j8K3pow+GJBE4=
+------END PUBLIC KEY-----
+-
+-# ECC CDH Bob with Malice peer
+-Availablein = default
+-Derive=BOB_cf_c2pnb176v1
+-PeerKey=MALICE_cf_c2pnb176v1_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-Result=DERIVE_ERROR
+-Reason=point at infinity
+-
+-# ECC CDH Alice with Malice peer
+-Availablein = default
+-Derive=ALICE_cf_c2pnb176v1
+-PeerKey=MALICE_cf_c2pnb176v1_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-Result=DERIVE_ERROR
+-Reason=point at infinity
+-
+-Title=c2pnb208w1 curve tests
+-
+-PrivateKey=ALICE_cf_c2pnb208w1
+------BEGIN PRIVATE KEY-----
+-MDoCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAoEIDAeAgEBBBkAiENroXMYNbK/7DQQwCpbXk00gnVd
+-XF2k
+------END PRIVATE KEY-----
+-
+-PublicKey=ALICE_cf_c2pnb208w1_PUB
+------BEGIN PUBLIC KEY-----
+-ME0wEwYHKoZIzj0CAQYIKoZIzj0DAAoDNgAEL+IHOL2IfeLRiE6Wqsc0Frqjq7t/JnBmhN1lMB9Y
+-Yj3+Btcne4CPWf8KvfGjAdMs6JKP4A==
+------END PUBLIC KEY-----
+-
+-Availablein = default
+-PrivPubKeyPair=ALICE_cf_c2pnb208w1:ALICE_cf_c2pnb208w1_PUB
+-
+-PrivateKey=BOB_cf_c2pnb208w1
+------BEGIN PRIVATE KEY-----
+-MDoCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAoEIDAeAgEBBBkAY1GZLynO/IDWwOOjEWUE7k+I/MkP
+-cJot
+------END PRIVATE KEY-----
+-
+-PublicKey=BOB_cf_c2pnb208w1_PUB
+------BEGIN PUBLIC KEY-----
+-ME0wEwYHKoZIzj0CAQYIKoZIzj0DAAoDNgAENBvdzCDOIvu9zo7reJq1ummhR+0jaDc+EoSlW984
+-cl9FTi/JJznwC+RNgwVfJ1WKJun1YA==
+------END PUBLIC KEY-----
+-
+-Availablein = default
+-PrivPubKeyPair=BOB_cf_c2pnb208w1:BOB_cf_c2pnb208w1_PUB
+-
+-# ECDH Alice with Bob peer
+-Availablein = default
+-Derive=ALICE_cf_c2pnb208w1
+-PeerKey=BOB_cf_c2pnb208w1_PUB
+-SharedSecret=ba32bf80c0f7ab53cb083f267a902a1ad6396eb283237fad91cd
+-
+-# ECDH Bob with Alice peer
+-Availablein = default
+-Derive=BOB_cf_c2pnb208w1
+-PeerKey=ALICE_cf_c2pnb208w1_PUB
+-SharedSecret=ba32bf80c0f7ab53cb083f267a902a1ad6396eb283237fad91cd
+-
+-# ECC CDH Alice with Bob peer
+-Availablein = default
+-Derive=ALICE_cf_c2pnb208w1
+-PeerKey=BOB_cf_c2pnb208w1_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-SharedSecret=f09f5fc8bf20677558bc65939bf1b7fbbbe2579702729304258b
+-
+-# ECC CDH Bob with Alice peer
+-Availablein = default
+-Derive=BOB_cf_c2pnb208w1
+-PeerKey=ALICE_cf_c2pnb208w1_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-SharedSecret=f09f5fc8bf20677558bc65939bf1b7fbbbe2579702729304258b
+-
+-PublicKey=MALICE_cf_c2pnb208w1_PUB
+------BEGIN PUBLIC KEY-----
+-ME0wEwYHKoZIzj0CAQYIKoZIzj0DAAoDNgAEfuWB9pBZQin+VnmqgYVpbUpKxSQsnXxNqiDtVwqJ
+-oPkHxRWnu5e7qI2idMcqaKDeeniUaA==
+------END PUBLIC KEY-----
+-
+-# ECC CDH Bob with Malice peer
+-Availablein = default
+-Derive=BOB_cf_c2pnb208w1
+-PeerKey=MALICE_cf_c2pnb208w1_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-Result=DERIVE_ERROR
+-Reason=point at infinity
+-
+-# ECC CDH Alice with Malice peer
+-Availablein = default
+-Derive=ALICE_cf_c2pnb208w1
+-PeerKey=MALICE_cf_c2pnb208w1_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-Result=DERIVE_ERROR
+-Reason=point at infinity
+-
+-Title=c2pnb272w1 curve tests
+-
+-PrivateKey=ALICE_cf_c2pnb272w1
+------BEGIN PRIVATE KEY-----
+-MEICAQAwEwYHKoZIzj0CAQYIKoZIzj0DABAEKDAmAgEBBCEA0SoHwKAgKb7WQ+s0w1iNBemDZ3+f
+-StHU67fpP7YoF8U=
+------END PRIVATE KEY-----
+-
+-PublicKey=ALICE_cf_c2pnb272w1_PUB
+------BEGIN PUBLIC KEY-----
+-MF0wEwYHKoZIzj0CAQYIKoZIzj0DABADRgAE0IH60bGi46FDzEprGZ8EBK5uMMcVke/txeBRNGHQ
+-DzG68r3EMLZkOfE1+g04MN7HgY7zt3jMYb8ImyLRmvqR2abjs6c=
+------END PUBLIC KEY-----
+-
+-Availablein = default
+-PrivPubKeyPair=ALICE_cf_c2pnb272w1:ALICE_cf_c2pnb272w1_PUB
+-
+-PrivateKey=BOB_cf_c2pnb272w1
+------BEGIN PRIVATE KEY-----
+-MEICAQAwEwYHKoZIzj0CAQYIKoZIzj0DABAEKDAmAgEBBCEAFqB5GbPJ4d+X7ye7m05l/OirDqfn
+-MOsOJ6xObBph3zQ=
+------END PRIVATE KEY-----
+-
+-PublicKey=BOB_cf_c2pnb272w1_PUB
+------BEGIN PUBLIC KEY-----
+-MF0wEwYHKoZIzj0CAQYIKoZIzj0DABADRgAEIeIkcMHAuOgvHt2Wp52vVe0DYPNnUX79t/mLSx03
+-cUlDmcxL7vIXdx9hB4OmQBYbm+YLDNfTFGAIlDfr2tELpVVPWPo=
+------END PUBLIC KEY-----
+-
+-Availablein = default
+-PrivPubKeyPair=BOB_cf_c2pnb272w1:BOB_cf_c2pnb272w1_PUB
+-
+-# ECDH Alice with Bob peer
+-Availablein = default
+-Derive=ALICE_cf_c2pnb272w1
+-PeerKey=BOB_cf_c2pnb272w1_PUB
+-SharedSecret=cfebd65006520a40f081d8940edf0ebb8e54491ba1499d9f3c63deecee84ddc07142
+-
+-# ECDH Bob with Alice peer
+-Availablein = default
+-Derive=BOB_cf_c2pnb272w1
+-PeerKey=ALICE_cf_c2pnb272w1_PUB
+-SharedSecret=cfebd65006520a40f081d8940edf0ebb8e54491ba1499d9f3c63deecee84ddc07142
+-
+-# ECC CDH Alice with Bob peer
+-Availablein = default
+-Derive=ALICE_cf_c2pnb272w1
+-PeerKey=BOB_cf_c2pnb272w1_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-SharedSecret=756fc20b27352ac74e5135359c63d375d2732c6d02f25cd526155bac0882a9211dd4
+-
+-# ECC CDH Bob with Alice peer
+-Availablein = default
+-Derive=BOB_cf_c2pnb272w1
+-PeerKey=ALICE_cf_c2pnb272w1_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-SharedSecret=756fc20b27352ac74e5135359c63d375d2732c6d02f25cd526155bac0882a9211dd4
+-
+-PublicKey=MALICE_cf_c2pnb272w1_PUB
+------BEGIN PUBLIC KEY-----
+-MF0wEwYHKoZIzj0CAQYIKoZIzj0DABADRgAEvID3AM7qzpKDnOLFY00+E7EKZz/vS/pXgsUA3bWN
+-oJF8ElXFXv59s/SykQBCTHPqzmUbVmrXmtD44Kt1wUBRJfuwxy4=
+------END PUBLIC KEY-----
+-
+-# ECC CDH Bob with Malice peer
+-Availablein = default
+-Derive=BOB_cf_c2pnb272w1
+-PeerKey=MALICE_cf_c2pnb272w1_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-Result=DERIVE_ERROR
+-Reason=point at infinity
+-
+-# ECC CDH Alice with Malice peer
+-Availablein = default
+-Derive=ALICE_cf_c2pnb272w1
+-PeerKey=MALICE_cf_c2pnb272w1_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-Result=DERIVE_ERROR
+-Reason=point at infinity
+-
+-Title=c2pnb304w1 curve tests
+-
+-PrivateKey=ALICE_cf_c2pnb304w1
+------BEGIN PRIVATE KEY-----
+-MEYCAQAwEwYHKoZIzj0CAQYIKoZIzj0DABEELDAqAgEBBCUAqJxh50ZIUXOJ1HE3cVkech9OTTPJ
+-8jy/v5cFcO0X6dykHgnZ
+------END PRIVATE KEY-----
+-
+-PublicKey=ALICE_cf_c2pnb304w1_PUB
+------BEGIN PUBLIC KEY-----
+-MGUwEwYHKoZIzj0CAQYIKoZIzj0DABEDTgAEvoaqRX6qiNQiFH1BhgLCPTpYszoRhmlLirkvlw/Q
+-iXBlfQ7U4g+iRR/kmu2RlwwOHgNNL+mWcvLkFfS8Kr4jzv1EY1Ecx96n21l0YQ==
+------END PUBLIC KEY-----
+-
+-Availablein = default
+-PrivPubKeyPair=ALICE_cf_c2pnb304w1:ALICE_cf_c2pnb304w1_PUB
+-
+-PrivateKey=BOB_cf_c2pnb304w1
+------BEGIN PRIVATE KEY-----
+-MEYCAQAwEwYHKoZIzj0CAQYIKoZIzj0DABEELDAqAgEBBCUAOScHepX+IwqC8TjyAJI1bkR3cYYt
+-X9BbqYM9GQfVNSLHntTg
+------END PRIVATE KEY-----
+-
+-PublicKey=BOB_cf_c2pnb304w1_PUB
+------BEGIN PUBLIC KEY-----
+-MGUwEwYHKoZIzj0CAQYIKoZIzj0DABEDTgAEYuAq/6Yw5HxMeMohlWmwl+ZK4ZQucfr1tWDKwhDb
+-kAOUO2P/Q/H+uelM3VVwxeu6A1kaX7K0UZpNa96NRBwI4aevc+vOxCgYkGt9BA==
+------END PUBLIC KEY-----
+-
+-Availablein = default
+-PrivPubKeyPair=BOB_cf_c2pnb304w1:BOB_cf_c2pnb304w1_PUB
+-
+-# ECDH Alice with Bob peer
+-Availablein = default
+-Derive=ALICE_cf_c2pnb304w1
+-PeerKey=BOB_cf_c2pnb304w1_PUB
+-SharedSecret=bfddf9f923210e8231a702e3a1c987cf27661de1bc243c1890e437d67d9f49c6ccfadc035d9d
+-
+-# ECDH Bob with Alice peer
+-Availablein = default
+-Derive=BOB_cf_c2pnb304w1
+-PeerKey=ALICE_cf_c2pnb304w1_PUB
+-SharedSecret=bfddf9f923210e8231a702e3a1c987cf27661de1bc243c1890e437d67d9f49c6ccfadc035d9d
+-
+-# ECC CDH Alice with Bob peer
+-Availablein = default
+-Derive=ALICE_cf_c2pnb304w1
+-PeerKey=BOB_cf_c2pnb304w1_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-SharedSecret=0c7afb3143f93ef2166c05437a1757a62c916ff1751c6d456dd7f2356dcbc75df48015eb5ce8
+-
+-# ECC CDH Bob with Alice peer
+-Availablein = default
+-Derive=BOB_cf_c2pnb304w1
+-PeerKey=ALICE_cf_c2pnb304w1_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-SharedSecret=0c7afb3143f93ef2166c05437a1757a62c916ff1751c6d456dd7f2356dcbc75df48015eb5ce8
+-
+-PublicKey=MALICE_cf_c2pnb304w1_PUB
+------BEGIN PUBLIC KEY-----
+-MGUwEwYHKoZIzj0CAQYIKoZIzj0DABEDTgAEBZ5FuthQt0mxTJ8NQWN2J37kYT8ySD893IXEmXYP
+-fMTr+CSNkf/sfF/13GEdVGnHmBgCH61sPWG69RgzdjRPprZFZxXjubIWYkp0DQ==
+------END PUBLIC KEY-----
+-
+-# ECC CDH Bob with Malice peer
+-Availablein = default
+-Derive=BOB_cf_c2pnb304w1
+-PeerKey=MALICE_cf_c2pnb304w1_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-Result=DERIVE_ERROR
+-Reason=point at infinity
+-
+-# ECC CDH Alice with Malice peer
+-Availablein = default
+-Derive=ALICE_cf_c2pnb304w1
+-PeerKey=MALICE_cf_c2pnb304w1_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-Result=DERIVE_ERROR
+-Reason=point at infinity
+-
+-Title=c2pnb368w1 curve tests
+-
+-PrivateKey=ALICE_cf_c2pnb368w1
+------BEGIN PRIVATE KEY-----
+-ME4CAQAwEwYHKoZIzj0CAQYIKoZIzj0DABMENDAyAgEBBC0AXeSTXsHb2PEH12tZL8w2q6evA2mi
+-KfLLIa1c29BTmM//oWdKpqeuvwMIBto=
+------END PRIVATE KEY-----
+-
+-PublicKey=ALICE_cf_c2pnb368w1_PUB
+------BEGIN PUBLIC KEY-----
+-MHUwEwYHKoZIzj0CAQYIKoZIzj0DABMDXgAEmEBXcvMgnHwJW7wAKM4cqboco6zF01J9ntUwoACI
+-euvf3cpPXBvxUawJXfO9FwFRQabDRagGP99Walidd2JW8nWDWZgZMKj15Wh+4bp2dZHc2tPIIHHd
+-3makbwQ=
+------END PUBLIC KEY-----
+-
+-Availablein = default
+-PrivPubKeyPair=ALICE_cf_c2pnb368w1:ALICE_cf_c2pnb368w1_PUB
+-
+-PrivateKey=BOB_cf_c2pnb368w1
+------BEGIN PRIVATE KEY-----
+-ME4CAQAwEwYHKoZIzj0CAQYIKoZIzj0DABMENDAyAgEBBC0Aq1R9M/mCMbJMj6VBUpBkS4HXywEz
+-Qun6d6uXgyU4LZRszA7Dz9+eKbXEMsk=
+------END PRIVATE KEY-----
+-
+-PublicKey=BOB_cf_c2pnb368w1_PUB
+------BEGIN PUBLIC KEY-----
+-MHUwEwYHKoZIzj0CAQYIKoZIzj0DABMDXgAEJOSnsaXA9wb5p8CGLPvYI47Yf3IdZSbWQ3Sn6G2v
+-At+zYlpzGax1oJ1CW8fGA0Gu0RnvAfDeW9vgrtzshH1Vy/Ni6a7LPho99PtUP2nzUBnv+hfhFSra
+-gqfRaOs=
+------END PUBLIC KEY-----
+-
+-Availablein = default
+-PrivPubKeyPair=BOB_cf_c2pnb368w1:BOB_cf_c2pnb368w1_PUB
+-
+-# ECDH Alice with Bob peer
+-Availablein = default
+-Derive=ALICE_cf_c2pnb368w1
+-PeerKey=BOB_cf_c2pnb368w1_PUB
+-SharedSecret=008d20ede3961be3b01051d6fdae63db43865664804d432293a2edb13dcc8be0fe5b0c655297a84b9067a29c2a6f
+-
+-# ECDH Bob with Alice peer
+-Availablein = default
+-Derive=BOB_cf_c2pnb368w1
+-PeerKey=ALICE_cf_c2pnb368w1_PUB
+-SharedSecret=008d20ede3961be3b01051d6fdae63db43865664804d432293a2edb13dcc8be0fe5b0c655297a84b9067a29c2a6f
+-
+-# ECC CDH Alice with Bob peer
+-Availablein = default
+-Derive=ALICE_cf_c2pnb368w1
+-PeerKey=BOB_cf_c2pnb368w1_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-SharedSecret=df32ddeeffa029aeadabad000a79c3154a0ddd0aeacf4e3de426f5c10096eff8912038c64d4c899131dcd4df2561
+-
+-# ECC CDH Bob with Alice peer
+-Availablein = default
+-Derive=BOB_cf_c2pnb368w1
+-PeerKey=ALICE_cf_c2pnb368w1_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-SharedSecret=df32ddeeffa029aeadabad000a79c3154a0ddd0aeacf4e3de426f5c10096eff8912038c64d4c899131dcd4df2561
+-
+-PublicKey=MALICE_cf_c2pnb368w1_PUB
+------BEGIN PUBLIC KEY-----
+-MHUwEwYHKoZIzj0CAQYIKoZIzj0DABMDXgAEWDn/U9rymClM/a0Q1mawHjQjvpxSehRWstSE+2Sd
+-ubcZowJ+rw5LsEZteQyeVrCpKYUiIBmIVuFb2LDjtNLIJD1lr8C+vdco24ciLS9RzF/Dc9X+tcIj
+-726e1BE=
+------END PUBLIC KEY-----
+-
+-# ECC CDH Bob with Malice peer
+-Availablein = default
+-Derive=BOB_cf_c2pnb368w1
+-PeerKey=MALICE_cf_c2pnb368w1_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-Result=DERIVE_ERROR
+-Reason=point at infinity
+-
+-# ECC CDH Alice with Malice peer
+-Availablein = default
+-Derive=ALICE_cf_c2pnb368w1
+-PeerKey=MALICE_cf_c2pnb368w1_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-Result=DERIVE_ERROR
+-Reason=point at infinity
+-
+-Title=c2tnb191v1 curve tests
+-
+-PrivateKey=ALICE_cf_c2tnb191v1
+------BEGIN PRIVATE KEY-----
+-MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAUEHzAdAgEBBBgXyG7A4BvSmjKEl3aU+FQUt02p9U7x
+-Jk4=
+------END PRIVATE KEY-----
+-
+-PublicKey=ALICE_cf_c2tnb191v1_PUB
+------BEGIN PUBLIC KEY-----
+-MEkwEwYHKoZIzj0CAQYIKoZIzj0DAAUDMgAEG9iuZmnhz2H/YQKmVUaO//fm7hvV+CP5c2iszpR3
+-7lRimqLWHPyvKgcP+PRCIUom
+------END PUBLIC KEY-----
+-
+-Availablein = default
+-PrivPubKeyPair=ALICE_cf_c2tnb191v1:ALICE_cf_c2tnb191v1_PUB
+-
+-PrivateKey=BOB_cf_c2tnb191v1
+------BEGIN PRIVATE KEY-----
+-MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAUEHzAdAgEBBBg4+2hv9x9HxFy0c2c1XESDdgOamHu0
+-MTU=
+------END PRIVATE KEY-----
+-
+-PublicKey=BOB_cf_c2tnb191v1_PUB
+------BEGIN PUBLIC KEY-----
+-MEkwEwYHKoZIzj0CAQYIKoZIzj0DAAUDMgAEdO/4ii8gi8eQfBrv3XmsOETwIfT8OIpBW/kUoHD+
+-adqalcB6SIWOfoJReDLcpxAD
+------END PUBLIC KEY-----
+-
+-Availablein = default
+-PrivPubKeyPair=BOB_cf_c2tnb191v1:BOB_cf_c2tnb191v1_PUB
+-
+-# ECDH Alice with Bob peer
+-Availablein = default
+-Derive=ALICE_cf_c2tnb191v1
+-PeerKey=BOB_cf_c2tnb191v1_PUB
+-SharedSecret=2ee8a85151c397600984285307c14f0ea0e4c2071d753a99
+-
+-# ECDH Bob with Alice peer
+-Availablein = default
+-Derive=BOB_cf_c2tnb191v1
+-PeerKey=ALICE_cf_c2tnb191v1_PUB
+-SharedSecret=2ee8a85151c397600984285307c14f0ea0e4c2071d753a99
+-
+-# ECC CDH Alice with Bob peer
+-Availablein = default
+-Derive=ALICE_cf_c2tnb191v1
+-PeerKey=BOB_cf_c2tnb191v1_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-SharedSecret=334051dfd62237e69e280ce2fab979bd77260f8dfe4df989
+-
+-# ECC CDH Bob with Alice peer
+-Availablein = default
+-Derive=BOB_cf_c2tnb191v1
+-PeerKey=ALICE_cf_c2tnb191v1_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-SharedSecret=334051dfd62237e69e280ce2fab979bd77260f8dfe4df989
+-
+-PublicKey=MALICE_cf_c2tnb191v1_PUB
+------BEGIN PUBLIC KEY-----
+-MEkwEwYHKoZIzj0CAQYIKoZIzj0DAAUDMgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcPEwZ1wj
+-iNoFyzyANZl8IDB0fF1RmZD6
+------END PUBLIC KEY-----
+-
+-# ECC CDH Bob with Malice peer
+-Availablein = default
+-Derive=BOB_cf_c2tnb191v1
+-PeerKey=MALICE_cf_c2tnb191v1_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-Result=DERIVE_ERROR
+-Reason=point at infinity
+-
+-# ECC CDH Alice with Malice peer
+-Availablein = default
+-Derive=ALICE_cf_c2tnb191v1
+-PeerKey=MALICE_cf_c2tnb191v1_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-Result=DERIVE_ERROR
+-Reason=point at infinity
+-
+-Title=c2tnb191v2 curve tests
+-
+-PrivateKey=ALICE_cf_c2tnb191v2
+------BEGIN PRIVATE KEY-----
+-MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAYEHzAdAgEBBBgQZHIQIPrAsbJqq4ZX3JdMrZAkaIGP
+-jbo=
+------END PRIVATE KEY-----
+-
+-PublicKey=ALICE_cf_c2tnb191v2_PUB
+------BEGIN PUBLIC KEY-----
+-MEkwEwYHKoZIzj0CAQYIKoZIzj0DAAYDMgAEAyQdwZYRIiv7O4/WRLDKJ249TM8dr2Y+Oz8rSxCI
+-UVvJT/Jv9m462J6Iz1XOohhP
+------END PUBLIC KEY-----
+-
+-Availablein = default
+-PrivPubKeyPair=ALICE_cf_c2tnb191v2:ALICE_cf_c2tnb191v2_PUB
+-
+-PrivateKey=BOB_cf_c2tnb191v2
+------BEGIN PRIVATE KEY-----
+-MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAYEHzAdAgEBBBgThhW6d5QDaqM8yhm16q6Pu/VFBpf7
+-wcs=
+------END PRIVATE KEY-----
+-
+-PublicKey=BOB_cf_c2tnb191v2_PUB
+------BEGIN PUBLIC KEY-----
+-MEkwEwYHKoZIzj0CAQYIKoZIzj0DAAYDMgAEBVkB4O6fFvGzMHv4BF51muFA0npOGKoOdKbIIMQY
+-JBIoz1RNNXTcgdpguLcrvcPJ
+------END PUBLIC KEY-----
+-
+-Availablein = default
+-PrivPubKeyPair=BOB_cf_c2tnb191v2:BOB_cf_c2tnb191v2_PUB
+-
+-# ECDH Alice with Bob peer
+-Availablein = default
+-Derive=ALICE_cf_c2tnb191v2
+-PeerKey=BOB_cf_c2tnb191v2_PUB
+-SharedSecret=711f90cb2aaea65e939065cbd1896affe1d490ba14571400
+-
+-# ECDH Bob with Alice peer
+-Availablein = default
+-Derive=BOB_cf_c2tnb191v2
+-PeerKey=ALICE_cf_c2tnb191v2_PUB
+-SharedSecret=711f90cb2aaea65e939065cbd1896affe1d490ba14571400
+-
+-# ECC CDH Alice with Bob peer
+-Availablein = default
+-Derive=ALICE_cf_c2tnb191v2
+-PeerKey=BOB_cf_c2tnb191v2_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-SharedSecret=1740db5b771fa2889d3ec7c1ba8eeffa7741f0ee62433dce
+-
+-# ECC CDH Bob with Alice peer
+-Availablein = default
+-Derive=BOB_cf_c2tnb191v2
+-PeerKey=ALICE_cf_c2tnb191v2_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-SharedSecret=1740db5b771fa2889d3ec7c1ba8eeffa7741f0ee62433dce
+-
+-PublicKey=MALICE_cf_c2tnb191v2_PUB
+------BEGIN PUBLIC KEY-----
+-MEkwEwYHKoZIzj0CAQYIKoZIzj0DAAYDMgAEA3yPV6Ilx7PU7dWIDzgKzFV07LNsn1EhMyLQaa5U
+-2vqunpWef+/CaO2pFBcwwW+x
+------END PUBLIC KEY-----
+-
+-# ECC CDH Bob with Malice peer
+-Availablein = default
+-Derive=BOB_cf_c2tnb191v2
+-PeerKey=MALICE_cf_c2tnb191v2_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-Result=DERIVE_ERROR
+-Reason=point at infinity
+-
+-# ECC CDH Alice with Malice peer
+-Availablein = default
+-Derive=ALICE_cf_c2tnb191v2
+-PeerKey=MALICE_cf_c2tnb191v2_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-Result=DERIVE_ERROR
+-Reason=point at infinity
+-
+-Title=c2tnb191v3 curve tests
+-
+-PrivateKey=ALICE_cf_c2tnb191v3
+------BEGIN PRIVATE KEY-----
+-MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAcEHzAdAgEBBBgTPjf06B01Jq59qU1iczNuA29WfW+b
+-erU=
+------END PRIVATE KEY-----
+-
+-PublicKey=ALICE_cf_c2tnb191v3_PUB
+------BEGIN PUBLIC KEY-----
+-MEkwEwYHKoZIzj0CAQYIKoZIzj0DAAcDMgAEL4NGEUX2CXY18MyoH1inKq5kde9RGr25ODm/0BEX
+-HWsGvDE2HC+6pL2BMl3MRCty
+------END PUBLIC KEY-----
+-
+-Availablein = default
+-PrivPubKeyPair=ALICE_cf_c2tnb191v3:ALICE_cf_c2tnb191v3_PUB
+-
+-PrivateKey=BOB_cf_c2tnb191v3
+------BEGIN PRIVATE KEY-----
+-MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAcEHzAdAgEBBBgUC2bC465JTXYLUaaET/r5n7X85gRH
+-iSQ=
+------END PRIVATE KEY-----
+-
+-PublicKey=BOB_cf_c2tnb191v3_PUB
+------BEGIN PUBLIC KEY-----
+-MEkwEwYHKoZIzj0CAQYIKoZIzj0DAAcDMgAEPKekNkT9mQ8KRCTR2RwCFkhNvsjL+/mLHYzbMrYe
+-QFIb5QwXAdbg2tEOl7yj9qkk
+------END PUBLIC KEY-----
+-
+-Availablein = default
+-PrivPubKeyPair=BOB_cf_c2tnb191v3:BOB_cf_c2tnb191v3_PUB
+-
+-# ECDH Alice with Bob peer
+-Availablein = default
+-Derive=ALICE_cf_c2tnb191v3
+-PeerKey=BOB_cf_c2tnb191v3_PUB
+-SharedSecret=196200f7ea06c43c35516b995cf4a4dd4151dbd0ed998561
+-
+-# ECDH Bob with Alice peer
+-Availablein = default
+-Derive=BOB_cf_c2tnb191v3
+-PeerKey=ALICE_cf_c2tnb191v3_PUB
+-SharedSecret=196200f7ea06c43c35516b995cf4a4dd4151dbd0ed998561
+-
+-# ECC CDH Alice with Bob peer
+-Availablein = default
+-Derive=ALICE_cf_c2tnb191v3
+-PeerKey=BOB_cf_c2tnb191v3_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-SharedSecret=311939377670a8a1ed1ee17f9dd182167da00c5a19e2e109
+-
+-# ECC CDH Bob with Alice peer
+-Availablein = default
+-Derive=BOB_cf_c2tnb191v3
+-PeerKey=ALICE_cf_c2tnb191v3_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-SharedSecret=311939377670a8a1ed1ee17f9dd182167da00c5a19e2e109
+-
+-PublicKey=MALICE_cf_c2tnb191v3_PUB
+------BEGIN PUBLIC KEY-----
+-MEkwEwYHKoZIzj0CAQYIKoZIzj0DAAcDMgAESvPjWlLnANK2j38hHZ0uqueaniovkhwwdJZjrmUk
+-n5vQBTxUzkIkMjL33v6Lr3z7
+------END PUBLIC KEY-----
+-
+-# ECC CDH Bob with Malice peer
+-Availablein = default
+-Derive=BOB_cf_c2tnb191v3
+-PeerKey=MALICE_cf_c2tnb191v3_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-Result=DERIVE_ERROR
+-Reason=point at infinity
+-
+-# ECC CDH Alice with Malice peer
+-Availablein = default
+-Derive=ALICE_cf_c2tnb191v3
+-PeerKey=MALICE_cf_c2tnb191v3_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-Result=DERIVE_ERROR
+-Reason=point at infinity
+-
+-Title=c2tnb239v1 curve tests
+-
+-PrivateKey=ALICE_cf_c2tnb239v1
+------BEGIN PRIVATE KEY-----
+-MD8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAsEJTAjAgEBBB4fMJDhCEiuEf/RF6oGjHVcNwN+wCYG
+-rJMnJLIXiCI=
+------END PRIVATE KEY-----
+-
+-PublicKey=ALICE_cf_c2tnb239v1_PUB
+------BEGIN PUBLIC KEY-----
+-MFUwEwYHKoZIzj0CAQYIKoZIzj0DAAsDPgAEUgG/uMWy4k0R/kbVJEapF6r5ik4Q9WPsDXAd0856
+-dVL8PvBXgixk2tKfyY1xUVebcEVlgdZP1pN1Xyvi
+------END PUBLIC KEY-----
+-
+-Availablein = default
+-PrivPubKeyPair=ALICE_cf_c2tnb239v1:ALICE_cf_c2tnb239v1_PUB
+-
+-PrivateKey=BOB_cf_c2tnb239v1
+------BEGIN PRIVATE KEY-----
+-MD8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAsEJTAjAgEBBB4JLDwVJQw3+00FiZBDWFErd7PXnchH
+-sfpZeV3i5FM=
+------END PRIVATE KEY-----
+-
+-PublicKey=BOB_cf_c2tnb239v1_PUB
+------BEGIN PUBLIC KEY-----
+-MFUwEwYHKoZIzj0CAQYIKoZIzj0DAAsDPgAEcwKt31cWaoFUd7QxYSdwgMDOqEhjPbD3Z9AfR3tc
+-G77/MY5z1oQegqImBog645vtPWI8lZd1zcl6QYRS
+------END PUBLIC KEY-----
+-
+-Availablein = default
+-PrivPubKeyPair=BOB_cf_c2tnb239v1:BOB_cf_c2tnb239v1_PUB
+-
+-# ECDH Alice with Bob peer
+-Availablein = default
+-Derive=ALICE_cf_c2tnb239v1
+-PeerKey=BOB_cf_c2tnb239v1_PUB
+-SharedSecret=413ea943cdf40c45795c77aeea7099b81cc42566067924d1fdbae42ddf99
+-
+-# ECDH Bob with Alice peer
+-Availablein = default
+-Derive=BOB_cf_c2tnb239v1
+-PeerKey=ALICE_cf_c2tnb239v1_PUB
+-SharedSecret=413ea943cdf40c45795c77aeea7099b81cc42566067924d1fdbae42ddf99
+-
+-# ECC CDH Alice with Bob peer
+-Availablein = default
+-Derive=ALICE_cf_c2tnb239v1
+-PeerKey=BOB_cf_c2tnb239v1_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-SharedSecret=1f1e5a6084492e895c35d76a5d2b4a3fafbd96c4b2230ea71cc1c711fa38
+-
+-# ECC CDH Bob with Alice peer
+-Availablein = default
+-Derive=BOB_cf_c2tnb239v1
+-PeerKey=ALICE_cf_c2tnb239v1_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-SharedSecret=1f1e5a6084492e895c35d76a5d2b4a3fafbd96c4b2230ea71cc1c711fa38
+-
+-PublicKey=MALICE_cf_c2tnb239v1_PUB
+------BEGIN PUBLIC KEY-----
+-MFUwEwYHKoZIzj0CAQYIKoZIzj0DAAsDPgAEJFn89FF7xaa5m+XGxWKFwCH+Mu4rbxwi6lvhuEuT
+-Itl/OAosALFh8xpt+N5gmKtUdhpjyok2udC4B/mY
+------END PUBLIC KEY-----
+-
+-# ECC CDH Bob with Malice peer
+-Availablein = default
+-Derive=BOB_cf_c2tnb239v1
+-PeerKey=MALICE_cf_c2tnb239v1_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-Result=DERIVE_ERROR
+-Reason=point at infinity
+-
+-# ECC CDH Alice with Malice peer
+-Availablein = default
+-Derive=ALICE_cf_c2tnb239v1
+-PeerKey=MALICE_cf_c2tnb239v1_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-Result=DERIVE_ERROR
+-Reason=point at infinity
+-
+-Title=c2tnb239v2 curve tests
+-
+-PrivateKey=ALICE_cf_c2tnb239v2
+------BEGIN PRIVATE KEY-----
+-MD8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAwEJTAjAgEBBB4KU4YKdzFOkl6M1biHkxtVGD2uNXr6
+-GbEcp4PbJKU=
+------END PRIVATE KEY-----
+-
+-PublicKey=ALICE_cf_c2tnb239v2_PUB
+------BEGIN PUBLIC KEY-----
+-MFUwEwYHKoZIzj0CAQYIKoZIzj0DAAwDPgAEKzpycflUrsyqVV/+fzvC2+AuX3r0b0Syn8acvn78
+-VnKA9mZKwPLWhnMJcLyzarIzc/6/UcfYGNmTyUlG
+------END PUBLIC KEY-----
+-
+-Availablein = default
+-PrivPubKeyPair=ALICE_cf_c2tnb239v2:ALICE_cf_c2tnb239v2_PUB
+-
+-PrivateKey=BOB_cf_c2tnb239v2
+------BEGIN PRIVATE KEY-----
+-MD8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAwEJTAjAgEBBB4HZQLKGKBpIKiyTq6XYZWQNph1oGP+
+-JLwCwn7lYx0=
+------END PRIVATE KEY-----
+-
+-PublicKey=BOB_cf_c2tnb239v2_PUB
+------BEGIN PUBLIC KEY-----
+-MFUwEwYHKoZIzj0CAQYIKoZIzj0DAAwDPgAETPSkhMs3JW3BG66FSfCov76JKdcRiBhMCW453Wku
+-N7yBxBmWjeclHhnXIzfc4qM4qf9n3KzMSXejPVYg
+------END PUBLIC KEY-----
+-
+-Availablein = default
+-PrivPubKeyPair=BOB_cf_c2tnb239v2:BOB_cf_c2tnb239v2_PUB
+-
+-# ECDH Alice with Bob peer
+-Availablein = default
+-Derive=ALICE_cf_c2tnb239v2
+-PeerKey=BOB_cf_c2tnb239v2_PUB
+-SharedSecret=2e738f14795b2e19ee791c1bf30c5e462ca6c6ed0ec5c6c6402d0730cf4c
+-
+-# ECDH Bob with Alice peer
+-Availablein = default
+-Derive=BOB_cf_c2tnb239v2
+-PeerKey=ALICE_cf_c2tnb239v2_PUB
+-SharedSecret=2e738f14795b2e19ee791c1bf30c5e462ca6c6ed0ec5c6c6402d0730cf4c
+-
+-# ECC CDH Alice with Bob peer
+-Availablein = default
+-Derive=ALICE_cf_c2tnb239v2
+-PeerKey=BOB_cf_c2tnb239v2_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-SharedSecret=7662d8b94d3f0d20eb8e112ca8b7d5699d81f35902df5b77561977df3946
+-
+-# ECC CDH Bob with Alice peer
+-Availablein = default
+-Derive=BOB_cf_c2tnb239v2
+-PeerKey=ALICE_cf_c2tnb239v2_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-SharedSecret=7662d8b94d3f0d20eb8e112ca8b7d5699d81f35902df5b77561977df3946
+-
+-PublicKey=MALICE_cf_c2tnb239v2_PUB
+------BEGIN PUBLIC KEY-----
+-MFUwEwYHKoZIzj0CAQYIKoZIzj0DAAwDPgAES8fLc5mtVI0HqgKRJ7mN8MU1B0FBkiim6jCHYJf3
+-JYUX3Gn3Ai11cHie+nVb3z51jSkpDQENHESTv5K2
+------END PUBLIC KEY-----
+-
+-# ECC CDH Bob with Malice peer
+-Availablein = default
+-Derive=BOB_cf_c2tnb239v2
+-PeerKey=MALICE_cf_c2tnb239v2_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-Result=DERIVE_ERROR
+-Reason=point at infinity
+-
+-# ECC CDH Alice with Malice peer
+-Availablein = default
+-Derive=ALICE_cf_c2tnb239v2
+-PeerKey=MALICE_cf_c2tnb239v2_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-Result=DERIVE_ERROR
+-Reason=point at infinity
+-
+-Title=c2tnb239v3 curve tests
+-
+-PrivateKey=ALICE_cf_c2tnb239v3
+------BEGIN PRIVATE KEY-----
+-MD8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAA0EJTAjAgEBBB4BZZXtcMw5GrpgHJLx4D8z7M6ocWdv
+-rDl2fV9ObC8=
+------END PRIVATE KEY-----
+-
+-PublicKey=ALICE_cf_c2tnb239v3_PUB
+------BEGIN PUBLIC KEY-----
+-MFUwEwYHKoZIzj0CAQYIKoZIzj0DAA0DPgAEOu2HIAUX+r6IbRlrPUJUBDL814dR++maVAAkUIjD
+-H33ewqcI9ZLtpvuR8P8hgRNUTXlh1GWgrB6F21Eo
+------END PUBLIC KEY-----
+-
+-Availablein = default
+-PrivPubKeyPair=ALICE_cf_c2tnb239v3:ALICE_cf_c2tnb239v3_PUB
+-
+-PrivateKey=BOB_cf_c2tnb239v3
+------BEGIN PRIVATE KEY-----
+-MD8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAA0EJTAjAgEBBB4BDxw3SA54y6uYOW1n4yZaUK22J9ef
+-XG3HcQX+4i0=
+------END PRIVATE KEY-----
+-
+-PublicKey=BOB_cf_c2tnb239v3_PUB
+------BEGIN PUBLIC KEY-----
+-MFUwEwYHKoZIzj0CAQYIKoZIzj0DAA0DPgAEVaEi76wyzlpzkkSElf4SmGZ7kf1ghHMP82HkGk7K
+-BC10zUyppoSOAr0eX4pHAkDUF1m/KGoJa7QcJJww
+------END PUBLIC KEY-----
+-
+-Availablein = default
+-PrivPubKeyPair=BOB_cf_c2tnb239v3:BOB_cf_c2tnb239v3_PUB
+-
+-# ECDH Alice with Bob peer
+-Availablein = default
+-Derive=ALICE_cf_c2tnb239v3
+-PeerKey=BOB_cf_c2tnb239v3_PUB
+-SharedSecret=6a756022ec2ea89b0fa757824909707102acf3b7da39dc625c6252eb4c48
+-
+-# ECDH Bob with Alice peer
+-Availablein = default
+-Derive=BOB_cf_c2tnb239v3
+-PeerKey=ALICE_cf_c2tnb239v3_PUB
+-SharedSecret=6a756022ec2ea89b0fa757824909707102acf3b7da39dc625c6252eb4c48
+-
+-# ECC CDH Alice with Bob peer
+-Availablein = default
+-Derive=ALICE_cf_c2tnb239v3
+-PeerKey=BOB_cf_c2tnb239v3_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-SharedSecret=3240e19dd8c290e5e1749df60ad0166dd9dbfad645e518b4948e14f774ce
+-
+-# ECC CDH Bob with Alice peer
+-Availablein = default
+-Derive=BOB_cf_c2tnb239v3
+-PeerKey=ALICE_cf_c2tnb239v3_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-SharedSecret=3240e19dd8c290e5e1749df60ad0166dd9dbfad645e518b4948e14f774ce
+-
+-PublicKey=MALICE_cf_c2tnb239v3_PUB
+------BEGIN PUBLIC KEY-----
+-MFUwEwYHKoZIzj0CAQYIKoZIzj0DAA0DPgAELe/znC87/2ucKX7mXUUyiUvg67slWRdH+WHDct9d
+-LcXDyB342ZN1nm0NCAmBMcLjohX0Zza0ji3YNjT1
+------END PUBLIC KEY-----
+-
+-# ECC CDH Bob with Malice peer
+-Availablein = default
+-Derive=BOB_cf_c2tnb239v3
+-PeerKey=MALICE_cf_c2tnb239v3_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-Result=DERIVE_ERROR
+-Reason=point at infinity
+-
+-# ECC CDH Alice with Malice peer
+-Availablein = default
+-Derive=ALICE_cf_c2tnb239v3
+-PeerKey=MALICE_cf_c2tnb239v3_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-Result=DERIVE_ERROR
+-Reason=point at infinity
+-
+-Title=c2tnb359v1 curve tests
+-
+-PrivateKey=ALICE_cf_c2tnb359v1
+------BEGIN PRIVATE KEY-----
+-ME4CAQAwEwYHKoZIzj0CAQYIKoZIzj0DABIENDAyAgEBBC0Afea/a1NrRf6rRRr/UDsI559ADTFP
+-Bd5HaS33laTZkCdNLITw1UUrESUIOiU=
+------END PRIVATE KEY-----
+-
+-PublicKey=ALICE_cf_c2tnb359v1_PUB
+------BEGIN PUBLIC KEY-----
+-MHMwEwYHKoZIzj0CAQYIKoZIzj0DABIDXAAEZMJU3QF9UJJp2m6qyCnhPuVlPKPHtav3DCgH27SY
+-RLMN7C4rRmqiJakD11QtOforOgbPW5r/v7t4TUWIlq8jV7kapJNtxQtg/S87L0NQGgHBq/lnJL8x
+-fN3Y
+------END PUBLIC KEY-----
+-
+-Availablein = default
+-PrivPubKeyPair=ALICE_cf_c2tnb359v1:ALICE_cf_c2tnb359v1_PUB
+-
+-PrivateKey=BOB_cf_c2tnb359v1
+------BEGIN PRIVATE KEY-----
+-ME4CAQAwEwYHKoZIzj0CAQYIKoZIzj0DABIENDAyAgEBBC0Aaw+yr7Atz8CXjLsbI5msXLqxFoMr
+-esHVfU53i6ucCsnPTWSDWSb5CePtI9g=
+------END PRIVATE KEY-----
+-
+-PublicKey=BOB_cf_c2tnb359v1_PUB
+------BEGIN PUBLIC KEY-----
+-MHMwEwYHKoZIzj0CAQYIKoZIzj0DABIDXAAEUQde0iyDHbsFJZ459d4zUhsrJYAkqndmEBRwSlg5
+-ZNX8SSS79Zf2HsQl+LWIZyzeYzoHobKXufChw9/H4ThS58VwV5/0hoE929PIgJ1MSEqr5LvJXi+b
+-R8fe
+------END PUBLIC KEY-----
+-
+-Availablein = default
+-PrivPubKeyPair=BOB_cf_c2tnb359v1:BOB_cf_c2tnb359v1_PUB
+-
+-# ECDH Alice with Bob peer
+-Availablein = default
+-Derive=ALICE_cf_c2tnb359v1
+-PeerKey=BOB_cf_c2tnb359v1_PUB
+-SharedSecret=623a71122b5acad467d40d97ef8d8fd46541d8c41d7de6ba181c24e2714c1bc35bcefcf089af69c406eedecc12
+-
+-# ECDH Bob with Alice peer
+-Availablein = default
+-Derive=BOB_cf_c2tnb359v1
+-PeerKey=ALICE_cf_c2tnb359v1_PUB
+-SharedSecret=623a71122b5acad467d40d97ef8d8fd46541d8c41d7de6ba181c24e2714c1bc35bcefcf089af69c406eedecc12
+-
+-# ECC CDH Alice with Bob peer
+-Availablein = default
+-Derive=ALICE_cf_c2tnb359v1
+-PeerKey=BOB_cf_c2tnb359v1_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-SharedSecret=1c9c4cea3251dace2cb763eabf60f106cc1b03f2491e6f20d7bea78e062f8f14c4e82e4d43786eefa44d33f7e9
+-
+-# ECC CDH Bob with Alice peer
+-Availablein = default
+-Derive=BOB_cf_c2tnb359v1
+-PeerKey=ALICE_cf_c2tnb359v1_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-SharedSecret=1c9c4cea3251dace2cb763eabf60f106cc1b03f2491e6f20d7bea78e062f8f14c4e82e4d43786eefa44d33f7e9
+-
+-PublicKey=MALICE_cf_c2tnb359v1_PUB
+------BEGIN PUBLIC KEY-----
+-MHMwEwYHKoZIzj0CAQYIKoZIzj0DABIDXAAEDW1DxeJfyPPnxX4WiLM5ZnX9AypqqeKj7FTHxanl
+-++A6FgVFjUCatt8Sr4xnSc3zDE0kh6f/wS9SbtCAi74i8HAX5SJiccCMPRkw6kBuHZgiG8EmFJ53
+-OEQw
+------END PUBLIC KEY-----
+-
+-# ECC CDH Bob with Malice peer
+-Availablein = default
+-Derive=BOB_cf_c2tnb359v1
+-PeerKey=MALICE_cf_c2tnb359v1_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-Result=DERIVE_ERROR
+-Reason=point at infinity
+-
+-# ECC CDH Alice with Malice peer
+-Availablein = default
+-Derive=ALICE_cf_c2tnb359v1
+-PeerKey=MALICE_cf_c2tnb359v1_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-Result=DERIVE_ERROR
+-Reason=point at infinity
+-
+-Title=c2tnb431r1 curve tests
+-
+-PrivateKey=ALICE_cf_c2tnb431r1
+------BEGIN PRIVATE KEY-----
+-MFYCAQAwEwYHKoZIzj0CAQYIKoZIzj0DABQEPDA6AgEBBDUAG1rgUnH3+PSxqlzt9+QTWv7PrYxz
+-Qgqj5A2Mqi0LbdixVDciVSSgrU6keVu72oCmHVP+OQ==
+------END PRIVATE KEY-----
+-
+-PublicKey=ALICE_cf_c2tnb431r1_PUB
+------BEGIN PUBLIC KEY-----
+-MIGFMBMGByqGSM49AgEGCCqGSM49AwAUA24ABFcQEDic9pYxtxStk/oBxafqyUux1kvEOOwR4FxJ
+-pGEMTh8B+YfkWuq+IDY5zSqNKtg7cRlAFX2dlHhRSvNxrN3DJCrhe/TQq8SIYawcqEQnM39F8hHM
+-7VQJLEsBpJ/WUonwMJXknjgfONP7GA==
+------END PUBLIC KEY-----
+-
+-Availablein = default
+-PrivPubKeyPair=ALICE_cf_c2tnb431r1:ALICE_cf_c2tnb431r1_PUB
+-
+-PrivateKey=BOB_cf_c2tnb431r1
+------BEGIN PRIVATE KEY-----
+-MFYCAQAwEwYHKoZIzj0CAQYIKoZIzj0DABQEPDA6AgEBBDUBOsZrpI6hTgImR8DBhKOOrh2SvcT/
+-VwmzYnbuCRrtr/zwIQcqKKI1ztlrl+kxFxJfk5L7UQ==
+------END PRIVATE KEY-----
+-
+-PublicKey=BOB_cf_c2tnb431r1_PUB
+------BEGIN PUBLIC KEY-----
+-MIGFMBMGByqGSM49AgEGCCqGSM49AwAUA24ABHeTG6xjbsKKxn4oYQt9qUM9LrSPZfY11XsBmROc
+-fb9kEbBLU+QixSbYZOrqPasesDV9dApDXF+w6EfIeNyJEK5Lk+aXamrn7fRMUAQ2m7+Odp87GgA+
+-8Cg6YpgbK314SK5STziqoZwzEISJ9w==
+------END PUBLIC KEY-----
+-
+-Availablein = default
+-PrivPubKeyPair=BOB_cf_c2tnb431r1:BOB_cf_c2tnb431r1_PUB
+-
+-# ECDH Alice with Bob peer
+-Availablein = default
+-Derive=ALICE_cf_c2tnb431r1
+-PeerKey=BOB_cf_c2tnb431r1_PUB
+-SharedSecret=1c9a64de0b706f0e562d5144ceeb4806ce8782865dc0e3fab694967955bd40afc79bf9241ef4a173fbf9baeac0d416392fb13bdc6978
+-
+-# ECDH Bob with Alice peer
+-Availablein = default
+-Derive=BOB_cf_c2tnb431r1
+-PeerKey=ALICE_cf_c2tnb431r1_PUB
+-SharedSecret=1c9a64de0b706f0e562d5144ceeb4806ce8782865dc0e3fab694967955bd40afc79bf9241ef4a173fbf9baeac0d416392fb13bdc6978
+-
+-# ECC CDH Alice with Bob peer
+-Availablein = default
+-Derive=ALICE_cf_c2tnb431r1
+-PeerKey=BOB_cf_c2tnb431r1_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-SharedSecret=059e2ea2d0d8bad5005a9401196ebb1633377c7ded8ec58a0398cf1d0f42ea82614f68cb836ecfc33612b8a705b4c3b7b4ed12eb6e22
+-
+-# ECC CDH Bob with Alice peer
+-Availablein = default
+-Derive=BOB_cf_c2tnb431r1
+-PeerKey=ALICE_cf_c2tnb431r1_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-SharedSecret=059e2ea2d0d8bad5005a9401196ebb1633377c7ded8ec58a0398cf1d0f42ea82614f68cb836ecfc33612b8a705b4c3b7b4ed12eb6e22
+-
+-PublicKey=MALICE_cf_c2tnb431r1_PUB
+------BEGIN PUBLIC KEY-----
+-MIGFMBMGByqGSM49AgEGCCqGSM49AwAUA24ABA/cHJ1bNJ2l3GcrT67WEoU0w/Ajy28T9X4XLv8a
+-5EpnkembeFlRG8ILplDcZimE8kjNQWynAk+NbJRsIU/XLzcm7VXkkqEkx/yCQ/TOcbeB3qrpzWYr
+-F3Cls9x60wuFYNc9d6eIe4B+puz9IQ==
+------END PUBLIC KEY-----
+-
+-# ECC CDH Bob with Malice peer
+-Availablein = default
+-Derive=BOB_cf_c2tnb431r1
+-PeerKey=MALICE_cf_c2tnb431r1_PUB
+-Ctrl=ecdh_cofactor_mode:1
+-Result=DERIVE_ERROR
+-Reason=point at infinity
+-
+-# ECC CDH Alice with Malice peer
+-Availablein = default
+-Derive=ALICE_cf_c2tnb431r1
+-PeerKey=MALICE_cf_c2tnb431r1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +- +-Title=prime192v2 curve tests +- +-PrivateKey=ALICE_cf_prime192v2 +------BEGIN PRIVATE KEY----- +-MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQIEHzAdAgEBBBh6rcgPFDmA2P4CGSrC7ii9DAjepljX +-sMM= +------END PRIVATE KEY----- +- +-PublicKey=ALICE_cf_prime192v2_PUB +------BEGIN PUBLIC KEY----- +-MEkwEwYHKoZIzj0CAQYIKoZIzj0DAQIDMgAET6wOPoDU3BeU7VKozsGEvDeJs//9Z/aNEcbbLQ0d +-g5IzsS/XMJzifjCJZgNsb7mi +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=ALICE_cf_prime192v2:ALICE_cf_prime192v2_PUB +- +-PrivateKey=BOB_cf_prime192v2 +------BEGIN PRIVATE KEY----- +-MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQIEHzAdAgEBBBja4R9iZuiu95XEuM1558ArTwNnAl7M +-xqI= +------END PRIVATE KEY----- +- +-PublicKey=BOB_cf_prime192v2_PUB +------BEGIN PUBLIC KEY----- +-MEkwEwYHKoZIzj0CAQYIKoZIzj0DAQIDMgAEcgWNAOL4pZCmouZl+be+rC0yLAJkm2YuPWs+FX2u +-Y6OU1aHkkspZTC1uUVWjchy5 +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=BOB_cf_prime192v2:BOB_cf_prime192v2_PUB +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_prime192v2 +-PeerKey=BOB_cf_prime192v2_PUB +-SharedSecret=ae2ff9f1f9f24e6d281dc78993d9f71913e1e105965000a1 +- +-# ECDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_prime192v2 +-PeerKey=ALICE_cf_prime192v2_PUB +-SharedSecret=ae2ff9f1f9f24e6d281dc78993d9f71913e1e105965000a1 +- +-Title=prime192v3 curve tests +- +-PrivateKey=ALICE_cf_prime192v3 +------BEGIN PRIVATE KEY----- +-MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQMEHzAdAgEBBBij5blPQRKM1/9c57YDZXIIue80MDqx +-Igw= +------END PRIVATE KEY----- +- +-PublicKey=ALICE_cf_prime192v3_PUB +------BEGIN PUBLIC KEY----- +-MEkwEwYHKoZIzj0CAQYIKoZIzj0DAQMDMgAE1+mLeiT/jjHO71IL/C/ZcnF6+yj9FV6eqfuPdHAi +-MsDRFCB6/h8TcCUFuospu5l0 +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=ALICE_cf_prime192v3:ALICE_cf_prime192v3_PUB +- +-PrivateKey=BOB_cf_prime192v3 +------BEGIN PRIVATE 
KEY----- +-MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQMEHzAdAgEBBBhgFP4fFLtm/yk5tsosBUBKTg370FOu +-92g= +------END PRIVATE KEY----- +- +-PublicKey=BOB_cf_prime192v3_PUB +------BEGIN PUBLIC KEY----- +-MEkwEwYHKoZIzj0CAQYIKoZIzj0DAQMDMgAEv35bOz0xqLeJqpZdZ8LyiUgsJMBEtN2UMJm8blX2 +-vMWAgEeLhzar86BUlS7dZwS7 +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=BOB_cf_prime192v3:BOB_cf_prime192v3_PUB +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_prime192v3 +-PeerKey=BOB_cf_prime192v3_PUB +-SharedSecret=9e562ecbe29c510a13b0daea822ec864c2a9684d2a382812 +- +-# ECDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_prime192v3 +-PeerKey=ALICE_cf_prime192v3_PUB +-SharedSecret=9e562ecbe29c510a13b0daea822ec864c2a9684d2a382812 +- +-Title=prime239v1 curve tests +- +-PrivateKey=ALICE_cf_prime239v1 +------BEGIN PRIVATE KEY----- +-MD8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQQEJTAjAgEBBB5nH2mt/GUx+I/60NlcuQlrdupDXwMY +-SF/w+SUTNqY= +------END PRIVATE KEY----- +- +-PublicKey=ALICE_cf_prime239v1_PUB +------BEGIN PUBLIC KEY----- +-MFUwEwYHKoZIzj0CAQYIKoZIzj0DAQQDPgAEMqQLCgDR9njkq9QELuOu+J/9YGcxJHULdvxHImLW +-RXqBUM5Xea+Qk2SKIpWcogxr2zFeQyeLj2bQysuo +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=ALICE_cf_prime239v1:ALICE_cf_prime239v1_PUB +- +-PrivateKey=BOB_cf_prime239v1 +------BEGIN PRIVATE KEY----- +-MD8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQQEJTAjAgEBBB5RZgYV+j+zhwI12zCzB+mdPofMx0kB +-jZ9gplgXxzk= +------END PRIVATE KEY----- +- +-PublicKey=BOB_cf_prime239v1_PUB +------BEGIN PUBLIC KEY----- +-MFUwEwYHKoZIzj0CAQYIKoZIzj0DAQQDPgAEBR5m/kllh025oO4GvqALkjRliVv7q4x8ro/tkYnT +-L2U4hkT6xUeRu9QC4KOz7KUVH+nBbQASL4XQg/3C +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=BOB_cf_prime239v1:BOB_cf_prime239v1_PUB +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_prime239v1 +-PeerKey=BOB_cf_prime239v1_PUB +-SharedSecret=196b1d0206d4f87c313c266bfb12c90dd1f1f64b89bfc16518086b9801b8 +- +-# ECDH Bob with Alice 
peer +-Availablein = default +-Derive=BOB_cf_prime239v1 +-PeerKey=ALICE_cf_prime239v1_PUB +-SharedSecret=196b1d0206d4f87c313c266bfb12c90dd1f1f64b89bfc16518086b9801b8 +- +-Title=prime239v2 curve tests +- +-PrivateKey=ALICE_cf_prime239v2 +------BEGIN PRIVATE KEY----- +-MD8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQUEJTAjAgEBBB5uLCwofbD2Suc/iIRhXJsPqZ4me87h +-+tFevsg1pPE= +------END PRIVATE KEY----- +- +-PublicKey=ALICE_cf_prime239v2_PUB +------BEGIN PUBLIC KEY----- +-MFUwEwYHKoZIzj0CAQYIKoZIzj0DAQUDPgAETH77jXHBItV673gTNK/HTFldo4VxPiscbideUgKd +-CWjdVsXebgAZbqQwf0h9QWcIgM7K7ODdW5kCuZ1G +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=ALICE_cf_prime239v2:ALICE_cf_prime239v2_PUB +- +-PrivateKey=BOB_cf_prime239v2 +------BEGIN PRIVATE KEY----- +-MD8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQUEJTAjAgEBBB5nlF+ouuw3Ljkgy3pHkCN+/JoHAMyT +-KY0wlvJdo/w= +------END PRIVATE KEY----- +- +-PublicKey=BOB_cf_prime239v2_PUB +------BEGIN PUBLIC KEY----- +-MFUwEwYHKoZIzj0CAQYIKoZIzj0DAQUDPgAELUQYo0UH8HbK/RMD2jVphBU+iB4OTOfvaaTlHq06 +-dcJ8a9a+mAQKhb1OZVEq1n4nQsgRiI1rPxugVERM +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=BOB_cf_prime239v2:BOB_cf_prime239v2_PUB +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_prime239v2 +-PeerKey=BOB_cf_prime239v2_PUB +-SharedSecret=1d18ca6366bceba3c1477daa0e08202088abcf14fc2b8fbf98ba95858fcf +- +-# ECDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_prime239v2 +-PeerKey=ALICE_cf_prime239v2_PUB +-SharedSecret=1d18ca6366bceba3c1477daa0e08202088abcf14fc2b8fbf98ba95858fcf +- +-Title=prime239v3 curve tests +- +-PrivateKey=ALICE_cf_prime239v3 +------BEGIN PRIVATE KEY----- +-MD8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQYEJTAjAgEBBB5J95JRhBDTzlyAPAfu6T2Pb9vK0NKu +-Y9AfhA2G+mI= +------END PRIVATE KEY----- +- +-PublicKey=ALICE_cf_prime239v3_PUB +------BEGIN PUBLIC KEY----- +-MFUwEwYHKoZIzj0CAQYIKoZIzj0DAQYDPgAEZEN48pqgLF08Yjj/8BLM2Nr5ZhpYxyBurbzKRuBb +-GLpzZLteJN9vZjN7ouNpMxLVUFQxTOwpsvUw86Lk +------END PUBLIC 
KEY----- +- +-Availablein = default +-PrivPubKeyPair=ALICE_cf_prime239v3:ALICE_cf_prime239v3_PUB +- +-PrivateKey=BOB_cf_prime239v3 +------BEGIN PRIVATE KEY----- +-MD8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQYEJTAjAgEBBB5Z7rMZML1xeryBaYYr+QuMiQxHT44I +-d9bmIVvG3dM= +------END PRIVATE KEY----- +- +-PublicKey=BOB_cf_prime239v3_PUB +------BEGIN PUBLIC KEY----- +-MFUwEwYHKoZIzj0CAQYIKoZIzj0DAQYDPgAEQUWKqohAPAoIYEZOvc1QwSlcB+gW0febaNxGOy47 +-LaIWdsNM7GJVP9xpdSwm/L+Dip/oH4E59f3SiOAd +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=BOB_cf_prime239v3:BOB_cf_prime239v3_PUB +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_prime239v3 +-PeerKey=BOB_cf_prime239v3_PUB +-SharedSecret=4dcc2c67c5993162ed71ebb33077bbb85395b0d3eec2311aa404e45901a0 +- +-# ECDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_prime239v3 +-PeerKey=ALICE_cf_prime239v3_PUB +-SharedSecret=4dcc2c67c5993162ed71ebb33077bbb85395b0d3eec2311aa404e45901a0 +- +-Title=secp112r1 curve tests +- +-PrivateKey=ALICE_cf_secp112r1 +------BEGIN PRIVATE KEY----- +-MCwCAQAwEAYHKoZIzj0CAQYFK4EEAAYEFTATAgEBBA6zC5ZzEIIdvY4Q7DS0uw== +------END PRIVATE KEY----- +- +-PublicKey=ALICE_cf_secp112r1_PUB +------BEGIN PUBLIC KEY----- +-MDIwEAYHKoZIzj0CAQYFK4EEAAYDHgAEYIawfjH3qRrJJWwuG3Ys5ZhDJsmdWi34aHgKAA== +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=ALICE_cf_secp112r1:ALICE_cf_secp112r1_PUB +- +-PrivateKey=BOB_cf_secp112r1 +------BEGIN PRIVATE KEY----- +-MCwCAQAwEAYHKoZIzj0CAQYFK4EEAAYEFTATAgEBBA6WPx4YxBODium8BKDw0A== +------END PRIVATE KEY----- +- +-PublicKey=BOB_cf_secp112r1_PUB +------BEGIN PUBLIC KEY----- +-MDIwEAYHKoZIzj0CAQYFK4EEAAYDHgAEchh3iQdPN1rrzrpdZRQ95G6tvdwEBQ+gfu1tvA== +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=BOB_cf_secp112r1:BOB_cf_secp112r1_PUB +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_secp112r1 +-PeerKey=BOB_cf_secp112r1_PUB +-SharedSecret=4ddd1d504b444d4be67ba2e4610a +- +-# ECDH Bob 
with Alice peer +-Availablein = default +-Derive=BOB_cf_secp112r1 +-PeerKey=ALICE_cf_secp112r1_PUB +-SharedSecret=4ddd1d504b444d4be67ba2e4610a +- +-Title=secp112r2 curve tests +- +-PrivateKey=ALICE_cf_secp112r2 +------BEGIN PRIVATE KEY----- +-MCwCAQAwEAYHKoZIzj0CAQYFK4EEAAcEFTATAgEBBA4GcvIx97ePHdAiH0Z9EA== +------END PRIVATE KEY----- +- +-PublicKey=ALICE_cf_secp112r2_PUB +------BEGIN PUBLIC KEY----- +-MDIwEAYHKoZIzj0CAQYFK4EEAAcDHgAEHK9uNAILHBmPZdKKh79/nzYE0HbvC//rA7i0Xw== +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=ALICE_cf_secp112r2:ALICE_cf_secp112r2_PUB +- +-PrivateKey=BOB_cf_secp112r2 +------BEGIN PRIVATE KEY----- +-MCwCAQAwEAYHKoZIzj0CAQYFK4EEAAcEFTATAgEBBA4WzpVFZnZv9mvtpnYNyw== +------END PRIVATE KEY----- +- +-PublicKey=BOB_cf_secp112r2_PUB +------BEGIN PUBLIC KEY----- +-MDIwEAYHKoZIzj0CAQYFK4EEAAcDHgAEUzBLNQupqUpGgmZl9JVjKBpwusl52rFg5OVFJA== +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=BOB_cf_secp112r2:BOB_cf_secp112r2_PUB +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_secp112r2 +-PeerKey=BOB_cf_secp112r2_PUB +-SharedSecret=a6d05c7ba5128a9685c705b5030b +- +-# ECDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_secp112r2 +-PeerKey=ALICE_cf_secp112r2_PUB +-SharedSecret=a6d05c7ba5128a9685c705b5030b +- +-# ECC CDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_secp112r2 +-PeerKey=BOB_cf_secp112r2_PUB +-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=04f3280e92c269d794aa779efcef +- +-# ECC CDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_secp112r2 +-PeerKey=ALICE_cf_secp112r2_PUB +-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=04f3280e92c269d794aa779efcef +- +-PublicKey=MALICE_cf_secp112r2_PUB +------BEGIN PUBLIC KEY----- +-MDIwEAYHKoZIzj0CAQYFK4EEAAcDHgAEsf2N4SfUZWtXPrUTmEyr71I/JSn8VtzQsFHuqQ== +------END PUBLIC KEY----- +- +-# ECC CDH Bob with Malice peer +-Availablein = default +-Derive=BOB_cf_secp112r2 +-PeerKey=MALICE_cf_secp112r2_PUB 
+-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +- +-# ECC CDH Alice with Malice peer +-Availablein = default +-Derive=ALICE_cf_secp112r2 +-PeerKey=MALICE_cf_secp112r2_PUB +-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +- +-Title=secp128r1 curve tests +- +-PrivateKey=ALICE_cf_secp128r1 +------BEGIN PRIVATE KEY----- +-MC4CAQAwEAYHKoZIzj0CAQYFK4EEABwEFzAVAgEBBBB+RX18d0+gKpdcKbJJTrEZ +------END PRIVATE KEY----- +- +-PublicKey=ALICE_cf_secp128r1_PUB +------BEGIN PUBLIC KEY----- +-MDYwEAYHKoZIzj0CAQYFK4EEABwDIgAEG0XMAdrAZOPUW6L9ADU8XK8sZr7dtIcDinSWU1zSV9s= +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=ALICE_cf_secp128r1:ALICE_cf_secp128r1_PUB +- +-PrivateKey=BOB_cf_secp128r1 +------BEGIN PRIVATE KEY----- +-MC4CAQAwEAYHKoZIzj0CAQYFK4EEABwEFzAVAgEBBBB/J9/eClt9mimGwOcOsjJF +------END PRIVATE KEY----- +- +-PublicKey=BOB_cf_secp128r1_PUB +------BEGIN PUBLIC KEY----- +-MDYwEAYHKoZIzj0CAQYFK4EEABwDIgAE82nknsOS+u8mybP0KJqQhvm83gbPNTZOcvm0ZDVR5sU= +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=BOB_cf_secp128r1:BOB_cf_secp128r1_PUB +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_secp128r1 +-PeerKey=BOB_cf_secp128r1_PUB +-SharedSecret=5020f1b759da1f737a61a29a268d7669 +- +-# ECDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_secp128r1 +-PeerKey=ALICE_cf_secp128r1_PUB +-SharedSecret=5020f1b759da1f737a61a29a268d7669 +- +-Title=secp128r2 curve tests +- +-PrivateKey=ALICE_cf_secp128r2 +------BEGIN PRIVATE KEY----- +-MC4CAQAwEAYHKoZIzj0CAQYFK4EEAB0EFzAVAgEBBBALPaUYCnPgNiLhez93Z1Gi +------END PRIVATE KEY----- +- +-PublicKey=ALICE_cf_secp128r2_PUB +------BEGIN PUBLIC KEY----- +-MDYwEAYHKoZIzj0CAQYFK4EEAB0DIgAEOKiPRGtZXwxmvTr35NmUkNsAGGk9RKNA4D5BE9ZrjZQ= +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=ALICE_cf_secp128r2:ALICE_cf_secp128r2_PUB +- +-PrivateKey=BOB_cf_secp128r2 +------BEGIN PRIVATE KEY----- 
+-MC4CAQAwEAYHKoZIzj0CAQYFK4EEAB0EFzAVAgEBBBARg3vb436QgyHdyt6l/b6G +------END PRIVATE KEY----- +- +-PublicKey=BOB_cf_secp128r2_PUB +------BEGIN PUBLIC KEY----- +-MDYwEAYHKoZIzj0CAQYFK4EEAB0DIgAELph7h27BYjIINC2EddcpIOxKbdz8Xe7h3Az1ZuR9bAI= +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=BOB_cf_secp128r2:BOB_cf_secp128r2_PUB +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_secp128r2 +-PeerKey=BOB_cf_secp128r2_PUB +-SharedSecret=8f4d8c75141e9b084328222440eb5dfa +- +-# ECDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_secp128r2 +-PeerKey=ALICE_cf_secp128r2_PUB +-SharedSecret=8f4d8c75141e9b084328222440eb5dfa +- +-# ECC CDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_secp128r2 +-PeerKey=BOB_cf_secp128r2_PUB +-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=baaa0c16e16eef291001475d638e4830 +- +-# ECC CDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_secp128r2 +-PeerKey=ALICE_cf_secp128r2_PUB +-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=baaa0c16e16eef291001475d638e4830 +- +-PublicKey=MALICE_cf_secp128r2_PUB +------BEGIN PUBLIC KEY----- +-MDYwEAYHKoZIzj0CAQYFK4EEAB0DIgAE6h6RzJIp6HLR6RDOPtyzGDurkuE9aAaZqHosPTnkLxQ= +------END PUBLIC KEY----- +- +-# ECC CDH Bob with Malice peer +-Availablein = default +-Derive=BOB_cf_secp128r2 +-PeerKey=MALICE_cf_secp128r2_PUB +-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +- +-# ECC CDH Alice with Malice peer +-Availablein = default +-Derive=ALICE_cf_secp128r2 +-PeerKey=MALICE_cf_secp128r2_PUB +-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +- +-Title=secp160k1 curve tests +- +-PrivateKey=ALICE_cf_secp160k1 +------BEGIN PRIVATE KEY----- +-MDMCAQAwEAYHKoZIzj0CAQYFK4EEAAkEHDAaAgEBBBUAlxTBO50KwFwWKPtk1rutu68m+zI= +------END PRIVATE KEY----- +- +-PublicKey=ALICE_cf_secp160k1_PUB +------BEGIN PUBLIC KEY----- +-MD4wEAYHKoZIzj0CAQYFK4EEAAkDKgAEcVWIjtPZn1cHckclpn5jKDCphQUVHxFN5tSeFG9wsJZT +-EvqPyLS64w== 
+------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=ALICE_cf_secp160k1:ALICE_cf_secp160k1_PUB +- +-PrivateKey=BOB_cf_secp160k1 +------BEGIN PRIVATE KEY----- +-MDMCAQAwEAYHKoZIzj0CAQYFK4EEAAkEHDAaAgEBBBUAdrPkoNkRVUloiuwzruQszSUuwpY= +------END PRIVATE KEY----- +- +-PublicKey=BOB_cf_secp160k1_PUB +------BEGIN PUBLIC KEY----- +-MD4wEAYHKoZIzj0CAQYFK4EEAAkDKgAESGN41cAj8Fg4pAJM7FUKHiawbCR0b9unMpZWxqOKeW1/ +-bxT/CqEkyw== +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=BOB_cf_secp160k1:BOB_cf_secp160k1_PUB +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_secp160k1 +-PeerKey=BOB_cf_secp160k1_PUB +-SharedSecret=b738a0bf17f3271a9a155bfdfe2f0f1d51494d42 +- +-# ECDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_secp160k1 +-PeerKey=ALICE_cf_secp160k1_PUB +-SharedSecret=b738a0bf17f3271a9a155bfdfe2f0f1d51494d42 +- +-Title=secp160r1 curve tests +- +-PrivateKey=ALICE_cf_secp160r1 +------BEGIN PRIVATE KEY----- +-MDMCAQAwEAYHKoZIzj0CAQYFK4EEAAgEHDAaAgEBBBUAR6m1+jIBuJnSKx9fHmyAYhsnYe8= +------END PRIVATE KEY----- +- +-PublicKey=ALICE_cf_secp160r1_PUB +------BEGIN PUBLIC KEY----- +-MD4wEAYHKoZIzj0CAQYFK4EEAAgDKgAEO78GZuBaCfJjHK97c9N21z+4mm37b5x7/Hr3Xc4pUbtb +-OoNj/A+W9w== +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=ALICE_cf_secp160r1:ALICE_cf_secp160r1_PUB +- +-PrivateKey=BOB_cf_secp160r1 +------BEGIN PRIVATE KEY----- +-MDMCAQAwEAYHKoZIzj0CAQYFK4EEAAgEHDAaAgEBBBUATqvd54Jj7TbnrLAd2dMYCpExLws= +------END PRIVATE KEY----- +- +-PublicKey=BOB_cf_secp160r1_PUB +------BEGIN PUBLIC KEY----- +-MD4wEAYHKoZIzj0CAQYFK4EEAAgDKgAEBKDbBSPTwmb00MFvMtJMxQ2YDmcPOZHE8YbVr5hp8s5J +-Jwy17FaNNg== +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=BOB_cf_secp160r1:BOB_cf_secp160r1_PUB +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_secp160r1 +-PeerKey=BOB_cf_secp160r1_PUB +-SharedSecret=1912ea7b9bb1de5b8d3cef83e7a6e7a917816541 +- +-# ECDH Bob with Alice 
peer +-Availablein = default +-Derive=BOB_cf_secp160r1 +-PeerKey=ALICE_cf_secp160r1_PUB +-SharedSecret=1912ea7b9bb1de5b8d3cef83e7a6e7a917816541 +- +-Title=secp160r2 curve tests +- +-PrivateKey=ALICE_cf_secp160r2 +------BEGIN PRIVATE KEY----- +-MDMCAQAwEAYHKoZIzj0CAQYFK4EEAB4EHDAaAgEBBBUA3IsVg4R4paXaPATDHvzfnvM+vjQ= +------END PRIVATE KEY----- +- +-PublicKey=ALICE_cf_secp160r2_PUB +------BEGIN PUBLIC KEY----- +-MD4wEAYHKoZIzj0CAQYFK4EEAB4DKgAE4V+25YCpVkKF6NF/UPc1SYxohYWcf3qT3JDoPRhnm/rj +-mSqCCA6gUw== +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=ALICE_cf_secp160r2:ALICE_cf_secp160r2_PUB +- +-PrivateKey=BOB_cf_secp160r2 +------BEGIN PRIVATE KEY----- +-MDMCAQAwEAYHKoZIzj0CAQYFK4EEAB4EHDAaAgEBBBUAYT/5C7UpD17DnZm4ObswmGFMI1Q= +------END PRIVATE KEY----- +- +-PublicKey=BOB_cf_secp160r2_PUB +------BEGIN PUBLIC KEY----- +-MD4wEAYHKoZIzj0CAQYFK4EEAB4DKgAEB7YVzBmzhnIdouvN/nb8VMXCqO8dkhmebyVzoD0oAzuH +-nN+SfWr6aQ== +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=BOB_cf_secp160r2:BOB_cf_secp160r2_PUB +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_secp160r2 +-PeerKey=BOB_cf_secp160r2_PUB +-SharedSecret=ccb9cae5c9487ff60c487bd1b39a62eb4680e9b6 +- +-# ECDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_secp160r2 +-PeerKey=ALICE_cf_secp160r2_PUB +-SharedSecret=ccb9cae5c9487ff60c487bd1b39a62eb4680e9b6 +- +-Title=secp192k1 curve tests +- +-PrivateKey=ALICE_cf_secp192k1 +------BEGIN PRIVATE KEY----- +-MDYCAQAwEAYHKoZIzj0CAQYFK4EEAB8EHzAdAgEBBBikVZrCZQB7ZtkhNfQYpjKHZ9KxXgooJ90= +------END PRIVATE KEY----- +- +-PublicKey=ALICE_cf_secp192k1_PUB +------BEGIN PUBLIC KEY----- +-MEYwEAYHKoZIzj0CAQYFK4EEAB8DMgAEyV4EzMZglBXtYdn38hNTrCGflAsJprMkxkOlw58chZ25 +-6EAu7gVvYDTpnRkymKyH +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=ALICE_cf_secp192k1:ALICE_cf_secp192k1_PUB +- +-PrivateKey=BOB_cf_secp192k1 +------BEGIN PRIVATE KEY----- 
+-MDYCAQAwEAYHKoZIzj0CAQYFK4EEAB8EHzAdAgEBBBiJQ/PunKGk9QPUyqIBGMgHKKg+yxJr5io= +------END PRIVATE KEY----- +- +-PublicKey=BOB_cf_secp192k1_PUB +------BEGIN PUBLIC KEY----- +-MEYwEAYHKoZIzj0CAQYFK4EEAB8DMgAE990Tnmh9QQQHVHuLpfrAsgjvB9R2MJXzhBZN1WvtxLqF +-OZ2oFMP0Kfcr7HbI7a5j +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=BOB_cf_secp192k1:BOB_cf_secp192k1_PUB +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_secp192k1 +-PeerKey=BOB_cf_secp192k1_PUB +-SharedSecret=a46a6bfb279d4dc30cffac585d1fbec905dbe46aca5e3c9d +- +-# ECDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_secp192k1 +-PeerKey=ALICE_cf_secp192k1_PUB +-SharedSecret=a46a6bfb279d4dc30cffac585d1fbec905dbe46aca5e3c9d +- +-Title=secp224k1 curve tests +- +-PrivateKey=ALICE_cf_secp224k1 +------BEGIN PRIVATE KEY----- +-MDsCAQAwEAYHKoZIzj0CAQYFK4EEACAEJDAiAgEBBB0AZPk3TzxGhX7TljBBhJDLBfulAMp6Bh3W +-w40Qyg== +------END PRIVATE KEY----- +- +-PublicKey=ALICE_cf_secp224k1_PUB +------BEGIN PUBLIC KEY----- +-ME4wEAYHKoZIzj0CAQYFK4EEACADOgAE4o7LGdJDixqJZ5imnqaX4IeE55NG4W0HEe72LVC7pmn2 +-e3m7uC92ZQhduF9lJli4dXD5en/1wkE= +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=ALICE_cf_secp224k1:ALICE_cf_secp224k1_PUB +- +-PrivateKey=BOB_cf_secp224k1 +------BEGIN PRIVATE KEY----- +-MDsCAQAwEAYHKoZIzj0CAQYFK4EEACAEJDAiAgEBBB0AdQ02GguRy3yHOjLkpoWb27QA/L1abfWe +-q2xUfA== +------END PRIVATE KEY----- +- +-PublicKey=BOB_cf_secp224k1_PUB +------BEGIN PUBLIC KEY----- +-ME4wEAYHKoZIzj0CAQYFK4EEACADOgAEzp00m0DaADn1mGiDCT7K1LZnoj/vCxHPowUDC9yQd17K +-KpJM5sGILrTkkgxqtt5pBeYE1NC1QUQ= +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=BOB_cf_secp224k1:BOB_cf_secp224k1_PUB +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_secp224k1 +-PeerKey=BOB_cf_secp224k1_PUB +-SharedSecret=6f7b9d16c9c1d3a5c84b6028f2a4fed9ae8e02455e678a27243bcc48 +- +-# ECDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_secp224k1 
+-PeerKey=ALICE_cf_secp224k1_PUB +-SharedSecret=6f7b9d16c9c1d3a5c84b6028f2a4fed9ae8e02455e678a27243bcc48 +- + Title=secp256k1 curve tests + + PrivateKey=ALICE_cf_secp256k1 +@@ -1998,1323 +55,6 @@ Derive=BOB_cf_secp256k1 + PeerKey=ALICE_cf_secp256k1_PUB + SharedSecret=a4745cc4d19cabb9e5cb0abdd5c604cab2846a4638ad844ed9175f3cadda2da1 + +-Title=sect113r1 curve tests +- +-PrivateKey=ALICE_cf_sect113r1 +------BEGIN PRIVATE KEY----- +-MC0CAQAwEAYHKoZIzj0CAQYFK4EEAAQEFjAUAgEBBA8ALw9CgsuNBkkhhUHE8bQ= +------END PRIVATE KEY----- +- +-PublicKey=ALICE_cf_sect113r1_PUB +------BEGIN PUBLIC KEY----- +-MDQwEAYHKoZIzj0CAQYFK4EEAAQDIAAEASO9jcamlg1pRE7JffrTAe9kyRZO2xrymHXoGdnA +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=ALICE_cf_sect113r1:ALICE_cf_sect113r1_PUB +- +-PrivateKey=BOB_cf_sect113r1 +------BEGIN PRIVATE KEY----- +-MC0CAQAwEAYHKoZIzj0CAQYFK4EEAAQEFjAUAgEBBA8A/9qbs8sTFNkjS9/4CuM= +------END PRIVATE KEY----- +- +-PublicKey=BOB_cf_sect113r1_PUB +------BEGIN PUBLIC KEY----- +-MDQwEAYHKoZIzj0CAQYFK4EEAAQDIAAEATykaf/cvJzLOUto1EbbAEz/3++nut6q0dcJOQeV +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=BOB_cf_sect113r1:BOB_cf_sect113r1_PUB +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_sect113r1 +-PeerKey=BOB_cf_sect113r1_PUB +-SharedSecret=01ed16f1948dcb368a54004237842d +- +-# ECDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_sect113r1 +-PeerKey=ALICE_cf_sect113r1_PUB +-SharedSecret=01ed16f1948dcb368a54004237842d +- +-# ECC CDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_sect113r1 +-PeerKey=BOB_cf_sect113r1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=012e5f3e348c2a8a88d9590a639219 +- +-# ECC CDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_sect113r1 +-PeerKey=ALICE_cf_sect113r1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=012e5f3e348c2a8a88d9590a639219 +- +-PublicKey=MALICE_cf_sect113r1_PUB +------BEGIN PUBLIC KEY----- 
+-MDQwEAYHKoZIzj0CAQYFK4EEAAQDIAAEAAAAAAAAAAAAAAAAAAAAAd+TqiBXnTd/lyA/OFsR +------END PUBLIC KEY----- +- +-# ECC CDH Bob with Malice peer +-Availablein = default +-Derive=BOB_cf_sect113r1 +-PeerKey=MALICE_cf_sect113r1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +- +-# ECC CDH Alice with Malice peer +-Availablein = default +-Derive=ALICE_cf_sect113r1 +-PeerKey=MALICE_cf_sect113r1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +- +-Title=sect113r2 curve tests +- +-PrivateKey=ALICE_cf_sect113r2 +------BEGIN PRIVATE KEY----- +-MC0CAQAwEAYHKoZIzj0CAQYFK4EEAAUEFjAUAgEBBA8AvovirHrqTxoKJ3l+7y0= +------END PRIVATE KEY----- +- +-PublicKey=ALICE_cf_sect113r2_PUB +------BEGIN PUBLIC KEY----- +-MDQwEAYHKoZIzj0CAQYFK4EEAAUDIAAEAFvQ4JgQTS8kjGeVfuITAS81qNcOQvt3PYa1HuCk +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=ALICE_cf_sect113r2:ALICE_cf_sect113r2_PUB +- +-PrivateKey=BOB_cf_sect113r2 +------BEGIN PRIVATE KEY----- +-MC0CAQAwEAYHKoZIzj0CAQYFK4EEAAUEFjAUAgEBBA8ArUjgvp/goxRYb4WuQ80= +------END PRIVATE KEY----- +- +-PublicKey=BOB_cf_sect113r2_PUB +------BEGIN PUBLIC KEY----- +-MDQwEAYHKoZIzj0CAQYFK4EEAAUDIAAEAUoS3of8y28meYu/NoI5AVdhJZCuDjMqFHTriWY4 +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=BOB_cf_sect113r2:BOB_cf_sect113r2_PUB +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_sect113r2 +-PeerKey=BOB_cf_sect113r2_PUB +-SharedSecret=0057a287ba1ea05cb4735e673647e1 +- +-# ECDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_sect113r2 +-PeerKey=ALICE_cf_sect113r2_PUB +-SharedSecret=0057a287ba1ea05cb4735e673647e1 +- +-# ECC CDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_sect113r2 +-PeerKey=BOB_cf_sect113r2_PUB +-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=00fec2454e46732aca42b22b6d4f13 +- +-# ECC CDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_sect113r2 +-PeerKey=ALICE_cf_sect113r2_PUB 
+-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=00fec2454e46732aca42b22b6d4f13 +- +-PublicKey=MALICE_cf_sect113r2_PUB +------BEGIN PUBLIC KEY----- +-MDQwEAYHKoZIzj0CAQYFK4EEAAUDIAAEAAAAAAAAAAAAAAAAAAAAAR3dbPHrhFekzJ7Azskr +------END PUBLIC KEY----- +- +-# ECC CDH Bob with Malice peer +-Availablein = default +-Derive=BOB_cf_sect113r2 +-PeerKey=MALICE_cf_sect113r2_PUB +-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +- +-# ECC CDH Alice with Malice peer +-Availablein = default +-Derive=ALICE_cf_sect113r2 +-PeerKey=MALICE_cf_sect113r2_PUB +-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +- +-Title=sect131r1 curve tests +- +-PrivateKey=ALICE_cf_sect131r1 +------BEGIN PRIVATE KEY----- +-MC8CAQAwEAYHKoZIzj0CAQYFK4EEABYEGDAWAgEBBBEA5C6zHMQM7pXPZ6cJz72Niw== +------END PRIVATE KEY----- +- +-PublicKey=ALICE_cf_sect131r1_PUB +------BEGIN PUBLIC KEY----- +-MDgwEAYHKoZIzj0CAQYFK4EEABYDJAAEBXCuXD6wOOif91GUlJNKXf8FBNw8crgqi5aEJEZbCdBJ +-Ag== +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=ALICE_cf_sect131r1:ALICE_cf_sect131r1_PUB +- +-PrivateKey=BOB_cf_sect131r1 +------BEGIN PRIVATE KEY----- +-MC8CAQAwEAYHKoZIzj0CAQYFK4EEABYEGDAWAgEBBBEDYZmjiokBJ/SnTv8sskBR3A== +------END PRIVATE KEY----- +- +-PublicKey=BOB_cf_sect131r1_PUB +------BEGIN PUBLIC KEY----- +-MDgwEAYHKoZIzj0CAQYFK4EEABYDJAAEB8vGy3OQXwWKcJUSSJbCtpMBjFgJeZxzAaI420+B1B+1 +-5A== +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=BOB_cf_sect131r1:BOB_cf_sect131r1_PUB +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_sect131r1 +-PeerKey=BOB_cf_sect131r1_PUB +-SharedSecret=05346248f77f81fff50cc656e119976871 +- +-# ECDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_sect131r1 +-PeerKey=ALICE_cf_sect131r1_PUB +-SharedSecret=05346248f77f81fff50cc656e119976871 +- +-# ECC CDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_sect131r1 +-PeerKey=BOB_cf_sect131r1_PUB 
+-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=01f151ae26efa507acc2597356baf7e8ab +- +-# ECC CDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_sect131r1 +-PeerKey=ALICE_cf_sect131r1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=01f151ae26efa507acc2597356baf7e8ab +- +-PublicKey=MALICE_cf_sect131r1_PUB +------BEGIN PUBLIC KEY----- +-MDgwEAYHKoZIzj0CAQYFK4EEABYDJAAEAAAAAAAAAAAAAAAAAAAAAAABfiJEFG0vRzEGxk2BxjmK +-zw== +------END PUBLIC KEY----- +- +-# ECC CDH Bob with Malice peer +-Availablein = default +-Derive=BOB_cf_sect131r1 +-PeerKey=MALICE_cf_sect131r1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +- +-# ECC CDH Alice with Malice peer +-Availablein = default +-Derive=ALICE_cf_sect131r1 +-PeerKey=MALICE_cf_sect131r1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +- +-Title=sect131r2 curve tests +- +-PrivateKey=ALICE_cf_sect131r2 +------BEGIN PRIVATE KEY----- +-MC8CAQAwEAYHKoZIzj0CAQYFK4EEABcEGDAWAgEBBBEBnZRUKAQetk5kyUwhIaAyxg== +------END PRIVATE KEY----- +- +-PublicKey=ALICE_cf_sect131r2_PUB +------BEGIN PUBLIC KEY----- +-MDgwEAYHKoZIzj0CAQYFK4EEABcDJAAEA5+Y20L8q989I4jnKknZ7hcGlQ6RUIGni9RahT88kB/d +-dw== +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=ALICE_cf_sect131r2:ALICE_cf_sect131r2_PUB +- +-PrivateKey=BOB_cf_sect131r2 +------BEGIN PRIVATE KEY----- +-MC8CAQAwEAYHKoZIzj0CAQYFK4EEABcEGDAWAgEBBBEBnafx9vcMeoCqj/1YNuflzw== +------END PRIVATE KEY----- +- +-PublicKey=BOB_cf_sect131r2_PUB +------BEGIN PUBLIC KEY----- +-MDgwEAYHKoZIzj0CAQYFK4EEABcDJAAEB2G2uNkhQNjjl0/Ov6UYpxoFaWNXO+qy7poV6cdrFN7z +-pA== +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=BOB_cf_sect131r2:BOB_cf_sect131r2_PUB +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_sect131r2 +-PeerKey=BOB_cf_sect131r2_PUB +-SharedSecret=058d8a8be33068ed8c1dc9f551ef2c3f3c +- +-# ECDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_sect131r2 
+-PeerKey=ALICE_cf_sect131r2_PUB +-SharedSecret=058d8a8be33068ed8c1dc9f551ef2c3f3c +- +-# ECC CDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_sect131r2 +-PeerKey=BOB_cf_sect131r2_PUB +-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=037b16d85f27c2c878ef96c79a536f89a5 +- +-# ECC CDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_sect131r2 +-PeerKey=ALICE_cf_sect131r2_PUB +-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=037b16d85f27c2c878ef96c79a536f89a5 +- +-PublicKey=MALICE_cf_sect131r2_PUB +------BEGIN PUBLIC KEY----- +-MDgwEAYHKoZIzj0CAQYFK4EEABcDJAAEAAAAAAAAAAAAAAAAAAAAAAAGG5fiIbgziwBZHVzTYqCY +-1w== +------END PUBLIC KEY----- +- +-# ECC CDH Bob with Malice peer +-Availablein = default +-Derive=BOB_cf_sect131r2 +-PeerKey=MALICE_cf_sect131r2_PUB +-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +- +-# ECC CDH Alice with Malice peer +-Availablein = default +-Derive=ALICE_cf_sect131r2 +-PeerKey=MALICE_cf_sect131r2_PUB +-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +- +-Title=sect163r1 curve tests +- +-PrivateKey=ALICE_cf_sect163r1 +------BEGIN PRIVATE KEY----- +-MDMCAQAwEAYHKoZIzj0CAQYFK4EEAAIEHDAaAgEBBBUAlbn4x1UGJnAimsXufB/UvUaxU5U= +------END PRIVATE KEY----- +- +-PublicKey=ALICE_cf_sect163r1_PUB +------BEGIN PUBLIC KEY----- +-MEAwEAYHKoZIzj0CAQYFK4EEAAIDLAAEA0f195HCcD4D+7wWyl3QuPkRovG/ATy5l7fpMl4BNIg/ +-sbtEXluCzANF +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=ALICE_cf_sect163r1:ALICE_cf_sect163r1_PUB +- +-PrivateKey=BOB_cf_sect163r1 +------BEGIN PRIVATE KEY----- +-MDMCAQAwEAYHKoZIzj0CAQYFK4EEAAIEHDAaAgEBBBUAoStq6Fjb7nB2PNL6WrzKKqhCGdE= +------END PRIVATE KEY----- +- +-PublicKey=BOB_cf_sect163r1_PUB +------BEGIN PUBLIC KEY----- +-MEAwEAYHKoZIzj0CAQYFK4EEAAIDLAAEAul/oBKr9B5MsPHWGF+q07j0JC+WAxj1JzfcIXR98n+r +-9FHWU5LC5pDM +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=BOB_cf_sect163r1:BOB_cf_sect163r1_PUB +- +-# ECDH Alice with Bob peer 
+-Availablein = default +-Derive=ALICE_cf_sect163r1 +-PeerKey=BOB_cf_sect163r1_PUB +-SharedSecret=06135eef489fe613c0d8bd522a2a640ff7ae6fb73d +- +-# ECDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_sect163r1 +-PeerKey=ALICE_cf_sect163r1_PUB +-SharedSecret=06135eef489fe613c0d8bd522a2a640ff7ae6fb73d +- +-# ECC CDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_sect163r1 +-PeerKey=BOB_cf_sect163r1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=0580f5e8efb242a19ae1023acbcab8702c799751e7 +- +-# ECC CDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_sect163r1 +-PeerKey=ALICE_cf_sect163r1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=0580f5e8efb242a19ae1023acbcab8702c799751e7 +- +-PublicKey=MALICE_cf_sect163r1_PUB +------BEGIN PUBLIC KEY----- +-MEAwEAYHKoZIzj0CAQYFK4EEAAIDLAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJkXolVuGFa8fqmk +-cs0Bv7iJuVg1 +------END PUBLIC KEY----- +- +-# ECC CDH Bob with Malice peer +-Availablein = default +-Derive=BOB_cf_sect163r1 +-PeerKey=MALICE_cf_sect163r1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +- +-# ECC CDH Alice with Malice peer +-Availablein = default +-Derive=ALICE_cf_sect163r1 +-PeerKey=MALICE_cf_sect163r1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +- +-Title=sect193r1 curve tests +- +-PrivateKey=ALICE_cf_sect193r1 +------BEGIN PRIVATE KEY----- +-MDcCAQAwEAYHKoZIzj0CAQYFK4EEABgEIDAeAgEBBBkACmcvidKWLtPFB2xqg76F8VhM1Njzrkgo +------END PRIVATE KEY----- +- +-PublicKey=ALICE_cf_sect193r1_PUB +------BEGIN PUBLIC KEY----- +-MEgwEAYHKoZIzj0CAQYFK4EEABgDNAAEAeqP0VQobenduwtf4MPmlYQVDjUmxKq50QFHnaBfzwXY +-1TYShZZgBr0R6a5dUGCbiF0= +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=ALICE_cf_sect193r1:ALICE_cf_sect193r1_PUB +- +-PrivateKey=BOB_cf_sect193r1 +------BEGIN PRIVATE KEY----- +-MDcCAQAwEAYHKoZIzj0CAQYFK4EEABgEIDAeAgEBBBkAKlSknQ66vpuLjC1mbQyfHOTdJ5Kw5jMh +------END PRIVATE KEY----- +- 
+-PublicKey=BOB_cf_sect193r1_PUB +------BEGIN PUBLIC KEY----- +-MEgwEAYHKoZIzj0CAQYFK4EEABgDNAAEAaFZVIeqfV9wbPydaBSJKSWJjVyFVSB/QQB5rHonYQmK +-f40zok8PJS6ratIcZwk/n20= +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=BOB_cf_sect193r1:BOB_cf_sect193r1_PUB +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_sect193r1 +-PeerKey=BOB_cf_sect193r1_PUB +-SharedSecret=012b8849991814f8c7ed9d40cf9dc204c3a83e0b10675543a5 +- +-# ECDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_sect193r1 +-PeerKey=ALICE_cf_sect193r1_PUB +-SharedSecret=012b8849991814f8c7ed9d40cf9dc204c3a83e0b10675543a5 +- +-# ECC CDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_sect193r1 +-PeerKey=BOB_cf_sect193r1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=0110180a18844859c52f6f012909522a2d87b5ab143bc80a55 +- +-# ECC CDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_sect193r1 +-PeerKey=ALICE_cf_sect193r1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=0110180a18844859c52f6f012909522a2d87b5ab143bc80a55 +- +-PublicKey=MALICE_cf_sect193r1_PUB +------BEGIN PUBLIC KEY----- +-MEgwEAYHKoZIzj0CAQYFK4EEABgDNAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHeX7PX3e5n +-zROUg6/STkLp1D+L51L9+wY= +------END PUBLIC KEY----- +- +-# ECC CDH Bob with Malice peer +-Availablein = default +-Derive=BOB_cf_sect193r1 +-PeerKey=MALICE_cf_sect193r1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +- +-# ECC CDH Alice with Malice peer +-Availablein = default +-Derive=ALICE_cf_sect193r1 +-PeerKey=MALICE_cf_sect193r1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +- +-Title=sect193r2 curve tests +- +-PrivateKey=ALICE_cf_sect193r2 +------BEGIN PRIVATE KEY----- +-MDcCAQAwEAYHKoZIzj0CAQYFK4EEABkEIDAeAgEBBBkAhjkv8lXK/nPp3Qc4IwL/29JUKWi2VBMp +------END PRIVATE KEY----- +- +-PublicKey=ALICE_cf_sect193r2_PUB +------BEGIN PUBLIC KEY----- 
+-MEgwEAYHKoZIzj0CAQYFK4EEABkDNAAEAIn7oSu3adu4ChNXniHKkMIv9gT24rpzzwAeCTDPIkUT +-kJ+Tit6e4RpgkB/dph4V+uI= +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=ALICE_cf_sect193r2:ALICE_cf_sect193r2_PUB +- +-PrivateKey=BOB_cf_sect193r2 +------BEGIN PRIVATE KEY----- +-MDcCAQAwEAYHKoZIzj0CAQYFK4EEABkEIDAeAgEBBBkAwGkR3qSQdfh7Q6KbJ4lH5FShGsX8o/jD +------END PRIVATE KEY----- +- +-PublicKey=BOB_cf_sect193r2_PUB +------BEGIN PUBLIC KEY----- +-MEgwEAYHKoZIzj0CAQYFK4EEABkDNAAEAFdSLKI0tlwZDpkndutOLsnHii1aJO8snwEJ0m/AZgMp +-xiDevOQ/xE9SpMX25W7YqkU= +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=BOB_cf_sect193r2:BOB_cf_sect193r2_PUB +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_sect193r2 +-PeerKey=BOB_cf_sect193r2_PUB +-SharedSecret=01e2f66a63c24c1de8a399c484228a5ad5b6d911c6e5e83ae3 +- +-# ECDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_sect193r2 +-PeerKey=ALICE_cf_sect193r2_PUB +-SharedSecret=01e2f66a63c24c1de8a399c484228a5ad5b6d911c6e5e83ae3 +- +-# ECC CDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_sect193r2 +-PeerKey=BOB_cf_sect193r2_PUB +-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=00bc82d393bd74406683aea003977a86a109f444a833652e43 +- +-# ECC CDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_sect193r2 +-PeerKey=ALICE_cf_sect193r2_PUB +-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=00bc82d393bd74406683aea003977a86a109f444a833652e43 +- +-PublicKey=MALICE_cf_sect193r2_PUB +------BEGIN PUBLIC KEY----- +-MEgwEAYHKoZIzj0CAQYFK4EEABkDNAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFfdLEkrvsO +-Y7+6QpEvOay9A4MJCUZfZmI= +------END PUBLIC KEY----- +- +-# ECC CDH Bob with Malice peer +-Availablein = default +-Derive=BOB_cf_sect193r2 +-PeerKey=MALICE_cf_sect193r2_PUB +-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +- +-# ECC CDH Alice with Malice peer +-Availablein = default +-Derive=ALICE_cf_sect193r2 +-PeerKey=MALICE_cf_sect193r2_PUB 
+-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +- +-Title=sect239k1 curve tests +- +-PrivateKey=ALICE_cf_sect239k1 +------BEGIN PRIVATE KEY----- +-MDwCAQAwEAYHKoZIzj0CAQYFK4EEAAMEJTAjAgEBBB4G4nbQDUtTnkrPOvDGIlhH9XdjirUSbTI5 +-5z6lf7o= +------END PRIVATE KEY----- +- +-PublicKey=ALICE_cf_sect239k1_PUB +------BEGIN PUBLIC KEY----- +-MFIwEAYHKoZIzj0CAQYFK4EEAAMDPgAEf5paOMjzcnpVAPMQnIkikE4K2jne3ubX2TD1P3aedknF +-lUr6tOU4BsiUQJACF90rQ9/KdeR5mYvYHzvI +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=ALICE_cf_sect239k1:ALICE_cf_sect239k1_PUB +- +-PrivateKey=BOB_cf_sect239k1 +------BEGIN PRIVATE KEY----- +-MDwCAQAwEAYHKoZIzj0CAQYFK4EEAAMEJTAjAgEBBB4e0F0NpepAF+iNrEtoZeo4TrQFspkUNLcx +-Ly4Klfg= +------END PRIVATE KEY----- +- +-PublicKey=BOB_cf_sect239k1_PUB +------BEGIN PUBLIC KEY----- +-MFIwEAYHKoZIzj0CAQYFK4EEAAMDPgAEKnjJ4RHe+EiElXMrF4ou7VGy1pn0ZiO17FouF31Zbvjc +-TcbhfE6ziXM8sekQJBwcwRKQ9+G/Qzq/2A9x +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=BOB_cf_sect239k1:BOB_cf_sect239k1_PUB +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_sect239k1 +-PeerKey=BOB_cf_sect239k1_PUB +-SharedSecret=0ef54c7b7dbf55d4278e7a6924dc4833c63ec708e820d501cacdfb4935d5 +- +-# ECDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_sect239k1 +-PeerKey=ALICE_cf_sect239k1_PUB +-SharedSecret=0ef54c7b7dbf55d4278e7a6924dc4833c63ec708e820d501cacdfb4935d5 +- +-# ECC CDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_sect239k1 +-PeerKey=BOB_cf_sect239k1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=592e4b33ac99624fe7f2f879cf52f12a70f189c5d90785db26a12e0a46c0 +- +-# ECC CDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_sect239k1 +-PeerKey=ALICE_cf_sect239k1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=592e4b33ac99624fe7f2f879cf52f12a70f189c5d90785db26a12e0a46c0 +- +-PublicKey=MALICE_cf_sect239k1_PUB +------BEGIN PUBLIC KEY----- 
+-MFIwEAYHKoZIzj0CAQYFK4EEAAMDPgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAA +-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB +------END PUBLIC KEY----- +- +-# ECC CDH Bob with Malice peer +-Availablein = default +-Derive=BOB_cf_sect239k1 +-PeerKey=MALICE_cf_sect239k1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +- +-# ECC CDH Alice with Malice peer +-Availablein = default +-Derive=ALICE_cf_sect239k1 +-PeerKey=MALICE_cf_sect239k1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +- +-Title=wap-wsg-idm-ecid-wtls10 curve tests +- +-PrivateKey=ALICE_cf_wap-wsg-idm-ecid-wtls10 +------BEGIN PRIVATE KEY----- +-MDsCAQAwEAYHKoZIzj0CAQYFZysBBAoEJDAiAgEBBB1zvDMHGgcytka5KvlvQvJzTA4l2ts2NzBp +-SJiGyw== +------END PRIVATE KEY----- +- +-PublicKey=ALICE_cf_wap-wsg-idm-ecid-wtls10_PUB +------BEGIN PUBLIC KEY----- +-MFIwEAYHKoZIzj0CAQYFZysBBAoDPgAEAZkrhWBz/Q4GB8DY4Ia114ew6H7Eg7ri2uxwxd3rAZs5 +-/ShvunNyndjCt3Qaq8sulBM0nUyERSDakyD+ +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=ALICE_cf_wap-wsg-idm-ecid-wtls10:ALICE_cf_wap-wsg-idm-ecid-wtls10_PUB +- +-PrivateKey=BOB_cf_wap-wsg-idm-ecid-wtls10 +------BEGIN PRIVATE KEY----- +-MDsCAQAwEAYHKoZIzj0CAQYFZysBBAoEJDAiAgEBBB1SowkHU79PqokOfgllN53rNS8a3h1wFBY0 +-dKPkQg== +------END PRIVATE KEY----- +- +-PublicKey=BOB_cf_wap-wsg-idm-ecid-wtls10_PUB +------BEGIN PUBLIC KEY----- +-MFIwEAYHKoZIzj0CAQYFZysBBAoDPgAEAGavw4ChHCoWplAumMEBwJgJ2aYtw+utu4vhWnscAPIT +-IJ4IiIGj18rCFBap1sgVbpXjhEBLYg6Itwv2 +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=BOB_cf_wap-wsg-idm-ecid-wtls10:BOB_cf_wap-wsg-idm-ecid-wtls10_PUB +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_wap-wsg-idm-ecid-wtls10 +-PeerKey=BOB_cf_wap-wsg-idm-ecid-wtls10_PUB +-SharedSecret=0194ef5d80fdfe9df366b2273b983c3dbd440faf76964fcfc06c509f289d +- +-# ECDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_wap-wsg-idm-ecid-wtls10 
+-PeerKey=ALICE_cf_wap-wsg-idm-ecid-wtls10_PUB +-SharedSecret=0194ef5d80fdfe9df366b2273b983c3dbd440faf76964fcfc06c509f289d +- +-# ECC CDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_wap-wsg-idm-ecid-wtls10 +-PeerKey=BOB_cf_wap-wsg-idm-ecid-wtls10_PUB +-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=01bedc5cdf63fbf18c3e2bc9765e12f7990c0c0c64f0267ae7c37b9f49f0 +- +-# ECC CDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_wap-wsg-idm-ecid-wtls10 +-PeerKey=ALICE_cf_wap-wsg-idm-ecid-wtls10_PUB +-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=01bedc5cdf63fbf18c3e2bc9765e12f7990c0c0c64f0267ae7c37b9f49f0 +- +-PublicKey=MALICE_cf_wap-wsg-idm-ecid-wtls10_PUB +------BEGIN PUBLIC KEY----- +-MFIwEAYHKoZIzj0CAQYFZysBBAoDPgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAA +-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB +------END PUBLIC KEY----- +- +-# ECC CDH Bob with Malice peer +-Availablein = default +-Derive=BOB_cf_wap-wsg-idm-ecid-wtls10 +-PeerKey=MALICE_cf_wap-wsg-idm-ecid-wtls10_PUB +-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +- +-# ECC CDH Alice with Malice peer +-Availablein = default +-Derive=ALICE_cf_wap-wsg-idm-ecid-wtls10 +-PeerKey=MALICE_cf_wap-wsg-idm-ecid-wtls10_PUB +-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +- +-Title=wap-wsg-idm-ecid-wtls11 curve tests +- +-PrivateKey=ALICE_cf_wap-wsg-idm-ecid-wtls11 +------BEGIN PRIVATE KEY----- +-MDwCAQAwEAYHKoZIzj0CAQYFZysBBAsEJTAjAgEBBB4AkzS3zoqHNCLug/nwoYMQW3UigmZ9t56k +-5jp+FiY= +------END PRIVATE KEY----- +- +-PublicKey=ALICE_cf_wap-wsg-idm-ecid-wtls11_PUB +------BEGIN PUBLIC KEY----- +-MFIwEAYHKoZIzj0CAQYFZysBBAsDPgAEABttgKKYeGZRmcH/5UZR56lOSgbU4TH2AuIhvj88AL6H +-zTCX9elzXpck+u22bnmkuvL2A8XKB5+fabMR +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=ALICE_cf_wap-wsg-idm-ecid-wtls11:ALICE_cf_wap-wsg-idm-ecid-wtls11_PUB +- +-PrivateKey=BOB_cf_wap-wsg-idm-ecid-wtls11 +------BEGIN PRIVATE KEY----- 
+-MDwCAQAwEAYHKoZIzj0CAQYFZysBBAsEJTAjAgEBBB4AWU05mbqPxsB749llNON1//l0w8RJJ3z5 +-h/kzfNM= +------END PRIVATE KEY----- +- +-PublicKey=BOB_cf_wap-wsg-idm-ecid-wtls11_PUB +------BEGIN PUBLIC KEY----- +-MFIwEAYHKoZIzj0CAQYFZysBBAsDPgAEAL6Xj/KCmXAQAAo847t0bl0wqBrteWRg93OvIJsPAAOE +-ehdIgJyruc3KsH0RFlipu5QD8pnGSIXvif19 +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=BOB_cf_wap-wsg-idm-ecid-wtls11:BOB_cf_wap-wsg-idm-ecid-wtls11_PUB +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_wap-wsg-idm-ecid-wtls11 +-PeerKey=BOB_cf_wap-wsg-idm-ecid-wtls11_PUB +-SharedSecret=01ac8a23ddeeafb4d3bb243fe409f2f9c8b1a3fc11d4690da583f2e21637 +- +-# ECDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_wap-wsg-idm-ecid-wtls11 +-PeerKey=ALICE_cf_wap-wsg-idm-ecid-wtls11_PUB +-SharedSecret=01ac8a23ddeeafb4d3bb243fe409f2f9c8b1a3fc11d4690da583f2e21637 +- +-# ECC CDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_wap-wsg-idm-ecid-wtls11 +-PeerKey=BOB_cf_wap-wsg-idm-ecid-wtls11_PUB +-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=01b9992992572d3a59d424f8c9cc195576461ed6c1dadf6fb523717fab19 +- +-# ECC CDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_wap-wsg-idm-ecid-wtls11 +-PeerKey=ALICE_cf_wap-wsg-idm-ecid-wtls11_PUB +-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=01b9992992572d3a59d424f8c9cc195576461ed6c1dadf6fb523717fab19 +- +-PublicKey=MALICE_cf_wap-wsg-idm-ecid-wtls11_PUB +------BEGIN PUBLIC KEY----- +-MFIwEAYHKoZIzj0CAQYFZysBBAsDPgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYf4 +-Vie5eHTnR+4x4G1xyq7qUvISU+X5RtBh2pE4 +------END PUBLIC KEY----- +- +-# ECC CDH Bob with Malice peer +-Availablein = default +-Derive=BOB_cf_wap-wsg-idm-ecid-wtls11 +-PeerKey=MALICE_cf_wap-wsg-idm-ecid-wtls11_PUB +-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +- +-# ECC CDH Alice with Malice peer +-Availablein = default +-Derive=ALICE_cf_wap-wsg-idm-ecid-wtls11 +-PeerKey=MALICE_cf_wap-wsg-idm-ecid-wtls11_PUB 
+-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +- +-Title=wap-wsg-idm-ecid-wtls12 curve tests +- +-PrivateKey=ALICE_cf_wap-wsg-idm-ecid-wtls12 +------BEGIN PRIVATE KEY----- +-MDoCAQAwEAYHKoZIzj0CAQYFZysBBAwEIzAhAgEBBBxwvll9Eb9mm2Xadq1evIi1zIK+6u0Nv8bP +-LI9a +------END PRIVATE KEY----- +- +-PublicKey=ALICE_cf_wap-wsg-idm-ecid-wtls12_PUB +------BEGIN PUBLIC KEY----- +-ME4wEAYHKoZIzj0CAQYFZysBBAwDOgAE0t0WqG/pFsiCt6agmebw3FCEWAzf9BpNLuzoCkPEe0Li +-bqn5udrckL6s3stwCTVFaZUfY2qS9QE= +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=ALICE_cf_wap-wsg-idm-ecid-wtls12:ALICE_cf_wap-wsg-idm-ecid-wtls12_PUB +- +-PrivateKey=BOB_cf_wap-wsg-idm-ecid-wtls12 +------BEGIN PRIVATE KEY----- +-MDoCAQAwEAYHKoZIzj0CAQYFZysBBAwEIzAhAgEBBBz+5P6gpqXxbeXvvaD5W9Ft69BTxcn7zc6q +-K3Ax +------END PRIVATE KEY----- +- +-PublicKey=BOB_cf_wap-wsg-idm-ecid-wtls12_PUB +------BEGIN PUBLIC KEY----- +-ME4wEAYHKoZIzj0CAQYFZysBBAwDOgAEvyxedqaWkoAOMjaV5W3/tJpheiHAR0zV6BlIeUuGP2mx +-+xsOK9/QB7hzipq9cXx1K/dXu58EoSY= +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=BOB_cf_wap-wsg-idm-ecid-wtls12:BOB_cf_wap-wsg-idm-ecid-wtls12_PUB +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_wap-wsg-idm-ecid-wtls12 +-PeerKey=BOB_cf_wap-wsg-idm-ecid-wtls12_PUB +-SharedSecret=a3b3f20af8c33a0f5c246b4b9d9dda1cd40c294d1f53365d18a8b54b +- +-# ECDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_wap-wsg-idm-ecid-wtls12 +-PeerKey=ALICE_cf_wap-wsg-idm-ecid-wtls12_PUB +-SharedSecret=a3b3f20af8c33a0f5c246b4b9d9dda1cd40c294d1f53365d18a8b54b +- +-Title=wap-wsg-idm-ecid-wtls1 curve tests +- +-PrivateKey=ALICE_cf_wap-wsg-idm-ecid-wtls1 +------BEGIN PRIVATE KEY----- +-MCwCAQAwEAYHKoZIzj0CAQYFZysBBAEEFTATAgEBBA5ZNASTt4/g6XPQwRiQ0Q== +------END PRIVATE KEY----- +- +-PublicKey=ALICE_cf_wap-wsg-idm-ecid-wtls1_PUB +------BEGIN PUBLIC KEY----- +-MDQwEAYHKoZIzj0CAQYFZysBBAEDIAAEACBNPI48xxsPVQBy07jRAAcWzbIkMo8BQotxpfGJ +------END PUBLIC 
KEY----- +- +-Availablein = default +-PrivPubKeyPair=ALICE_cf_wap-wsg-idm-ecid-wtls1:ALICE_cf_wap-wsg-idm-ecid-wtls1_PUB +- +-PrivateKey=BOB_cf_wap-wsg-idm-ecid-wtls1 +------BEGIN PRIVATE KEY----- +-MCwCAQAwEAYHKoZIzj0CAQYFZysBBAEEFTATAgEBBA6+0x9qk0NIKHSRvlTemQ== +------END PRIVATE KEY----- +- +-PublicKey=BOB_cf_wap-wsg-idm-ecid-wtls1_PUB +------BEGIN PUBLIC KEY----- +-MDQwEAYHKoZIzj0CAQYFZysBBAEDIAAEAEeHMSBTx/EtOu+bjBinALHSkQuJyiP3mg1tu+I2 +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=BOB_cf_wap-wsg-idm-ecid-wtls1:BOB_cf_wap-wsg-idm-ecid-wtls1_PUB +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_wap-wsg-idm-ecid-wtls1 +-PeerKey=BOB_cf_wap-wsg-idm-ecid-wtls1_PUB +-SharedSecret=0040ba2fadc1da97c973e5e59ade31 +- +-# ECDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_wap-wsg-idm-ecid-wtls1 +-PeerKey=ALICE_cf_wap-wsg-idm-ecid-wtls1_PUB +-SharedSecret=0040ba2fadc1da97c973e5e59ade31 +- +-# ECC CDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_wap-wsg-idm-ecid-wtls1 +-PeerKey=BOB_cf_wap-wsg-idm-ecid-wtls1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=008919696215a89e03d6c4c9265d6b +- +-# ECC CDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_wap-wsg-idm-ecid-wtls1 +-PeerKey=ALICE_cf_wap-wsg-idm-ecid-wtls1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=008919696215a89e03d6c4c9265d6b +- +-PublicKey=MALICE_cf_wap-wsg-idm-ecid-wtls1_PUB +------BEGIN PUBLIC KEY----- +-MDQwEAYHKoZIzj0CAQYFZysBBAEDIAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB +------END PUBLIC KEY----- +- +-# ECC CDH Bob with Malice peer +-Availablein = default +-Derive=BOB_cf_wap-wsg-idm-ecid-wtls1 +-PeerKey=MALICE_cf_wap-wsg-idm-ecid-wtls1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +- +-# ECC CDH Alice with Malice peer +-Availablein = default +-Derive=ALICE_cf_wap-wsg-idm-ecid-wtls1 +-PeerKey=MALICE_cf_wap-wsg-idm-ecid-wtls1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR 
+-Reason=point at infinity +- +-Title=wap-wsg-idm-ecid-wtls3 curve tests +- +-PrivateKey=ALICE_cf_wap-wsg-idm-ecid-wtls3 +------BEGIN PRIVATE KEY----- +-MDMCAQAwEAYHKoZIzj0CAQYFZysBBAMEHDAaAgEBBBUDO2cHbqQBUxuJBl6UT9UrasuRVrI= +------END PRIVATE KEY----- +- +-PublicKey=ALICE_cf_wap-wsg-idm-ecid-wtls3_PUB +------BEGIN PUBLIC KEY----- +-MEAwEAYHKoZIzj0CAQYFZysBBAMDLAAEBRIzvK9o7eO2NGmtPFV/zo9/1mlvBwjG7+e6hbPG1KdI +-01f8oGBuXMQH +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=ALICE_cf_wap-wsg-idm-ecid-wtls3:ALICE_cf_wap-wsg-idm-ecid-wtls3_PUB +- +-PrivateKey=BOB_cf_wap-wsg-idm-ecid-wtls3 +------BEGIN PRIVATE KEY----- +-MDMCAQAwEAYHKoZIzj0CAQYFZysBBAMEHDAaAgEBBBUAhZv9WZ00bDnU9MOaqEegP771nes= +------END PRIVATE KEY----- +- +-PublicKey=BOB_cf_wap-wsg-idm-ecid-wtls3_PUB +------BEGIN PUBLIC KEY----- +-MEAwEAYHKoZIzj0CAQYFZysBBAMDLAAEAYOspjEbzyZw61jCtUrxARr+w66nBH+73QIvlaRVSG/4 +-hlBUf5kmG4Yn +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=BOB_cf_wap-wsg-idm-ecid-wtls3:BOB_cf_wap-wsg-idm-ecid-wtls3_PUB +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_wap-wsg-idm-ecid-wtls3 +-PeerKey=BOB_cf_wap-wsg-idm-ecid-wtls3_PUB +-SharedSecret=0311924428a839b7dcada662722945e62bf1131f4f +- +-# ECDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_wap-wsg-idm-ecid-wtls3 +-PeerKey=ALICE_cf_wap-wsg-idm-ecid-wtls3_PUB +-SharedSecret=0311924428a839b7dcada662722945e62bf1131f4f +- +-# ECC CDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_wap-wsg-idm-ecid-wtls3 +-PeerKey=BOB_cf_wap-wsg-idm-ecid-wtls3_PUB +-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=047f1aee6a1a1d7c9c1f0e8dce4349429f737aa658 +- +-# ECC CDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_wap-wsg-idm-ecid-wtls3 +-PeerKey=ALICE_cf_wap-wsg-idm-ecid-wtls3_PUB +-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=047f1aee6a1a1d7c9c1f0e8dce4349429f737aa658 +- +-PublicKey=MALICE_cf_wap-wsg-idm-ecid-wtls3_PUB +------BEGIN PUBLIC KEY----- 
+-MEAwEAYHKoZIzj0CAQYFZysBBAMDLAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +-AAAAAAAAAAAB +------END PUBLIC KEY----- +- +-# ECC CDH Bob with Malice peer +-Availablein = default +-Derive=BOB_cf_wap-wsg-idm-ecid-wtls3 +-PeerKey=MALICE_cf_wap-wsg-idm-ecid-wtls3_PUB +-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +- +-# ECC CDH Alice with Malice peer +-Availablein = default +-Derive=ALICE_cf_wap-wsg-idm-ecid-wtls3 +-PeerKey=MALICE_cf_wap-wsg-idm-ecid-wtls3_PUB +-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +- +-Title=wap-wsg-idm-ecid-wtls4 curve tests +- +-PrivateKey=ALICE_cf_wap-wsg-idm-ecid-wtls4 +------BEGIN PRIVATE KEY----- +-MC0CAQAwEAYHKoZIzj0CAQYFZysBBAQEFjAUAgEBBA8ACFOrBbOh5LjNtJQCuEE= +------END PRIVATE KEY----- +- +-PublicKey=ALICE_cf_wap-wsg-idm-ecid-wtls4_PUB +------BEGIN PUBLIC KEY----- +-MDQwEAYHKoZIzj0CAQYFZysBBAQDIAAEAW3K4Mus5+KAJVGLzEYrAYuCJSEYXFTo17aW0TwN +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=ALICE_cf_wap-wsg-idm-ecid-wtls4:ALICE_cf_wap-wsg-idm-ecid-wtls4_PUB +- +-PrivateKey=BOB_cf_wap-wsg-idm-ecid-wtls4 +------BEGIN PRIVATE KEY----- +-MC0CAQAwEAYHKoZIzj0CAQYFZysBBAQEFjAUAgEBBA8Auz4XRc3Rg0bNcbrray8= +------END PRIVATE KEY----- +- +-PublicKey=BOB_cf_wap-wsg-idm-ecid-wtls4_PUB +------BEGIN PUBLIC KEY----- +-MDQwEAYHKoZIzj0CAQYFZysBBAQDIAAEAI0F7ixGqOhnYpsuR80nAdTdSXM+YbcUbLe/U/xG +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=BOB_cf_wap-wsg-idm-ecid-wtls4:BOB_cf_wap-wsg-idm-ecid-wtls4_PUB +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_wap-wsg-idm-ecid-wtls4 +-PeerKey=BOB_cf_wap-wsg-idm-ecid-wtls4_PUB +-SharedSecret=0077378ddfdadff704a0b6646949e7 +- +-# ECDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_wap-wsg-idm-ecid-wtls4 +-PeerKey=ALICE_cf_wap-wsg-idm-ecid-wtls4_PUB +-SharedSecret=0077378ddfdadff704a0b6646949e7 +- +-# ECC CDH Alice with Bob peer +-Availablein = default 
+-Derive=ALICE_cf_wap-wsg-idm-ecid-wtls4 +-PeerKey=BOB_cf_wap-wsg-idm-ecid-wtls4_PUB +-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=008f3713fe1ff1fa5d5041899817d1 +- +-# ECC CDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_wap-wsg-idm-ecid-wtls4 +-PeerKey=ALICE_cf_wap-wsg-idm-ecid-wtls4_PUB +-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=008f3713fe1ff1fa5d5041899817d1 +- +-PublicKey=MALICE_cf_wap-wsg-idm-ecid-wtls4_PUB +------BEGIN PUBLIC KEY----- +-MDQwEAYHKoZIzj0CAQYFZysBBAQDIAAEAAAAAAAAAAAAAAAAAAAAAd+TqiBXnTd/lyA/OFsR +------END PUBLIC KEY----- +- +-# ECC CDH Bob with Malice peer +-Availablein = default +-Derive=BOB_cf_wap-wsg-idm-ecid-wtls4 +-PeerKey=MALICE_cf_wap-wsg-idm-ecid-wtls4_PUB +-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +- +-# ECC CDH Alice with Malice peer +-Availablein = default +-Derive=ALICE_cf_wap-wsg-idm-ecid-wtls4 +-PeerKey=MALICE_cf_wap-wsg-idm-ecid-wtls4_PUB +-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +- +-Title=wap-wsg-idm-ecid-wtls5 curve tests +- +-PrivateKey=ALICE_cf_wap-wsg-idm-ecid-wtls5 +------BEGIN PRIVATE KEY----- +-MDMCAQAwEAYHKoZIzj0CAQYFZysBBAUEHDAaAgEBBBUD9gVh3zbLTA7BuRVVi9T8QKZ1uco= +------END PRIVATE KEY----- +- +-PublicKey=ALICE_cf_wap-wsg-idm-ecid-wtls5_PUB +------BEGIN PUBLIC KEY----- +-MEAwEAYHKoZIzj0CAQYFZysBBAUDLAAEAH5xyUrvbuN+tWmRhwqrQfFHPHNUBKtAGvJuvSFVwTKk +-uFzn9fPvIDe6 +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=ALICE_cf_wap-wsg-idm-ecid-wtls5:ALICE_cf_wap-wsg-idm-ecid-wtls5_PUB +- +-PrivateKey=BOB_cf_wap-wsg-idm-ecid-wtls5 +------BEGIN PRIVATE KEY----- +-MDMCAQAwEAYHKoZIzj0CAQYFZysBBAUEHDAaAgEBBBUAr9ZlmuO7bNfqB42xUivJXyVHKNI= +------END PRIVATE KEY----- +- +-PublicKey=BOB_cf_wap-wsg-idm-ecid-wtls5_PUB +------BEGIN PUBLIC KEY----- +-MEAwEAYHKoZIzj0CAQYFZysBBAUDLAAEBdXxEk0L2XAVzRNLPcnMxGXXyDfZAoA1Qw2XpOfVWIVR +-jdoMGRgUuJmO +------END PUBLIC KEY----- +- +-Availablein = default 
+-PrivPubKeyPair=BOB_cf_wap-wsg-idm-ecid-wtls5:BOB_cf_wap-wsg-idm-ecid-wtls5_PUB +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_wap-wsg-idm-ecid-wtls5 +-PeerKey=BOB_cf_wap-wsg-idm-ecid-wtls5_PUB +-SharedSecret=0190c68d80e94fbe9f193ae7d9a156bf0b8d097c23 +- +-# ECDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_wap-wsg-idm-ecid-wtls5 +-PeerKey=ALICE_cf_wap-wsg-idm-ecid-wtls5_PUB +-SharedSecret=0190c68d80e94fbe9f193ae7d9a156bf0b8d097c23 +- +-# ECC CDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_wap-wsg-idm-ecid-wtls5 +-PeerKey=BOB_cf_wap-wsg-idm-ecid-wtls5_PUB +-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=00aabc9b45c200e41294aa922ab06da6655731e0ea +- +-# ECC CDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_wap-wsg-idm-ecid-wtls5 +-PeerKey=ALICE_cf_wap-wsg-idm-ecid-wtls5_PUB +-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=00aabc9b45c200e41294aa922ab06da6655731e0ea +- +-PublicKey=MALICE_cf_wap-wsg-idm-ecid-wtls5_PUB +------BEGIN PUBLIC KEY----- +-MEAwEAYHKoZIzj0CAQYFZysBBAUDLAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC8JxepS05nN/piK +-dhDD3dDKXUih +------END PUBLIC KEY----- +- +-# ECC CDH Bob with Malice peer +-Availablein = default +-Derive=BOB_cf_wap-wsg-idm-ecid-wtls5 +-PeerKey=MALICE_cf_wap-wsg-idm-ecid-wtls5_PUB +-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +- +-# ECC CDH Alice with Malice peer +-Availablein = default +-Derive=ALICE_cf_wap-wsg-idm-ecid-wtls5 +-PeerKey=MALICE_cf_wap-wsg-idm-ecid-wtls5_PUB +-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +- +-Title=wap-wsg-idm-ecid-wtls6 curve tests +- +-PrivateKey=ALICE_cf_wap-wsg-idm-ecid-wtls6 +------BEGIN PRIVATE KEY----- +-MCwCAQAwEAYHKoZIzj0CAQYFZysBBAYEFTATAgEBBA4ayMbswPbvYMwpwo80jA== +------END PRIVATE KEY----- +- +-PublicKey=ALICE_cf_wap-wsg-idm-ecid-wtls6_PUB +------BEGIN PUBLIC KEY----- +-MDIwEAYHKoZIzj0CAQYFZysBBAYDHgAERPw/8Ip/RrXr0gMgLGRQeiQ4Qd6W+Li0ylGKzg== +------END PUBLIC KEY----- +- 
+-Availablein = default +-PrivPubKeyPair=ALICE_cf_wap-wsg-idm-ecid-wtls6:ALICE_cf_wap-wsg-idm-ecid-wtls6_PUB +- +-PrivateKey=BOB_cf_wap-wsg-idm-ecid-wtls6 +------BEGIN PRIVATE KEY----- +-MCwCAQAwEAYHKoZIzj0CAQYFZysBBAYEFTATAgEBBA6kbCpFt3tX2hYBQHMXbg== +------END PRIVATE KEY----- +- +-PublicKey=BOB_cf_wap-wsg-idm-ecid-wtls6_PUB +------BEGIN PUBLIC KEY----- +-MDIwEAYHKoZIzj0CAQYFZysBBAYDHgAEhJXqpYGxE/l1X/LiBeyRbIcyzqPxUP5Tkv3U3w== +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=BOB_cf_wap-wsg-idm-ecid-wtls6:BOB_cf_wap-wsg-idm-ecid-wtls6_PUB +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_wap-wsg-idm-ecid-wtls6 +-PeerKey=BOB_cf_wap-wsg-idm-ecid-wtls6_PUB +-SharedSecret=b4cae255268f11a1e46fecad04c2 +- +-# ECDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_wap-wsg-idm-ecid-wtls6 +-PeerKey=ALICE_cf_wap-wsg-idm-ecid-wtls6_PUB +-SharedSecret=b4cae255268f11a1e46fecad04c2 +- +-Title=wap-wsg-idm-ecid-wtls7 curve tests +- +-PrivateKey=ALICE_cf_wap-wsg-idm-ecid-wtls7 +------BEGIN PRIVATE KEY----- +-MDMCAQAwEAYHKoZIzj0CAQYFZysBBAcEHDAaAgEBBBUABcyzh4ot9ck/j4/3ehK0aYngYoM= +------END PRIVATE KEY----- +- +-PublicKey=ALICE_cf_wap-wsg-idm-ecid-wtls7_PUB +------BEGIN PUBLIC KEY----- +-MD4wEAYHKoZIzj0CAQYFZysBBAcDKgAEwQLnZ70n45RLqRtAGNzEa3Rl/9nwyjqYUtw2eeHhnNLT +-feGY4CNH0w== +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=ALICE_cf_wap-wsg-idm-ecid-wtls7:ALICE_cf_wap-wsg-idm-ecid-wtls7_PUB +- +-PrivateKey=BOB_cf_wap-wsg-idm-ecid-wtls7 +------BEGIN PRIVATE KEY----- +-MDMCAQAwEAYHKoZIzj0CAQYFZysBBAcEHDAaAgEBBBUAPyrGRY1SR13hKQswS6yXs8w8PUQ= +------END PRIVATE KEY----- +- +-PublicKey=BOB_cf_wap-wsg-idm-ecid-wtls7_PUB +------BEGIN PUBLIC KEY----- +-MD4wEAYHKoZIzj0CAQYFZysBBAcDKgAEZGN44YbN5r3zcNtOHrvbQLt8/lE7BHp4D/9eKLmwFDn1 +-QneRu3xwPA== +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=BOB_cf_wap-wsg-idm-ecid-wtls7:BOB_cf_wap-wsg-idm-ecid-wtls7_PUB +- +-# ECDH Alice with Bob peer 
+-Availablein = default +-Derive=ALICE_cf_wap-wsg-idm-ecid-wtls7 +-PeerKey=BOB_cf_wap-wsg-idm-ecid-wtls7_PUB +-SharedSecret=ae9f5bcc6457c0422866bf855921eabc42b7121a +- +-# ECDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_wap-wsg-idm-ecid-wtls7 +-PeerKey=ALICE_cf_wap-wsg-idm-ecid-wtls7_PUB +-SharedSecret=ae9f5bcc6457c0422866bf855921eabc42b7121a +- +-Title=wap-wsg-idm-ecid-wtls8 curve tests +- +-PrivateKey=ALICE_cf_wap-wsg-idm-ecid-wtls8 +------BEGIN PRIVATE KEY----- +-MC0CAQAwEAYHKoZIzj0CAQYFZysBBAgEFjAUAgEBBA8AnkC18b3pH2O5TIYIqAQ= +------END PRIVATE KEY----- +- +-PublicKey=ALICE_cf_wap-wsg-idm-ecid-wtls8_PUB +------BEGIN PUBLIC KEY----- +-MDIwEAYHKoZIzj0CAQYFZysBBAgDHgAEJD0h4HEfchwxqhp9eMHh9gczQKHX4MtWVoAxKQ== +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=ALICE_cf_wap-wsg-idm-ecid-wtls8:ALICE_cf_wap-wsg-idm-ecid-wtls8_PUB +- +-PrivateKey=BOB_cf_wap-wsg-idm-ecid-wtls8 +------BEGIN PRIVATE KEY----- +-MC0CAQAwEAYHKoZIzj0CAQYFZysBBAgEFjAUAgEBBA8AXxPMnqbl3rOuIM5nsvc= +------END PRIVATE KEY----- +- +-PublicKey=BOB_cf_wap-wsg-idm-ecid-wtls8_PUB +------BEGIN PUBLIC KEY----- +-MDIwEAYHKoZIzj0CAQYFZysBBAgDHgAEZawmRmzr9P+jihImUi6ykOzaSH484JhMKNdrgw== +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=BOB_cf_wap-wsg-idm-ecid-wtls8:BOB_cf_wap-wsg-idm-ecid-wtls8_PUB +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_wap-wsg-idm-ecid-wtls8 +-PeerKey=BOB_cf_wap-wsg-idm-ecid-wtls8_PUB +-SharedSecret=48baf4f1f5e8a0eb5dae28ef6290 +- +-# ECDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_wap-wsg-idm-ecid-wtls8 +-PeerKey=ALICE_cf_wap-wsg-idm-ecid-wtls8_PUB +-SharedSecret=48baf4f1f5e8a0eb5dae28ef6290 +- +-Title=wap-wsg-idm-ecid-wtls9 curve tests +- +-PrivateKey=ALICE_cf_wap-wsg-idm-ecid-wtls9 +------BEGIN PRIVATE KEY----- +-MDMCAQAwEAYHKoZIzj0CAQYFZysBBAkEHDAaAgEBBBUALwvuKs3RLthMAsChbqKjXw6vTYo= +------END PRIVATE KEY----- +- +-PublicKey=ALICE_cf_wap-wsg-idm-ecid-wtls9_PUB +------BEGIN 
PUBLIC KEY----- +-MD4wEAYHKoZIzj0CAQYFZysBBAkDKgAET0ppOvd9DU4v+tkKDQ5wRBrN1FwD9+F9t5l3Im+mz3rw +-DB/RYdZuUg== +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=ALICE_cf_wap-wsg-idm-ecid-wtls9:ALICE_cf_wap-wsg-idm-ecid-wtls9_PUB +- +-PrivateKey=BOB_cf_wap-wsg-idm-ecid-wtls9 +------BEGIN PRIVATE KEY----- +-MDMCAQAwEAYHKoZIzj0CAQYFZysBBAkEHDAaAgEBBBUAgeb/vqEM7X5AAAxyBu3M+C8pWLM= +------END PRIVATE KEY----- +- +-PublicKey=BOB_cf_wap-wsg-idm-ecid-wtls9_PUB +------BEGIN PUBLIC KEY----- +-MD4wEAYHKoZIzj0CAQYFZysBBAkDKgAEWc37LGt6lt90iF4lhtDYNFdjAqoczebuNgzGff/Uq8ov +-a3EVJ9yK1A== +------END PUBLIC KEY----- +- +-Availablein = default +-PrivPubKeyPair=BOB_cf_wap-wsg-idm-ecid-wtls9:BOB_cf_wap-wsg-idm-ecid-wtls9_PUB +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_wap-wsg-idm-ecid-wtls9 +-PeerKey=BOB_cf_wap-wsg-idm-ecid-wtls9_PUB +-SharedSecret=948d3030e95cead39a1bb3d8a01c2be178517ba7 +- +-# ECDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_wap-wsg-idm-ecid-wtls9 +-PeerKey=ALICE_cf_wap-wsg-idm-ecid-wtls9_PUB +-SharedSecret=948d3030e95cead39a1bb3d8a01c2be178517ba7 +- +-# tests: 484 +- +-Title=zero x-coord regression tests +- +-PrivateKey=ALICE_zero_prime192v1 +------BEGIN PRIVATE KEY----- +-MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQEEHzAdAgEBBBhaPNk8jG5hSG6y8tUqUoOaNNsZ3APU +-pps= +------END PRIVATE KEY----- +- +-PublicKey=BOB_zero_prime192v1_PUB +------BEGIN PUBLIC KEY----- +-MEkwEwYHKoZIzj0CAQYIKoZIzj0DAQEDMgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAe2hWBe5g +-DLNj216pEvK7XjoKLg5gNg8S +------END PUBLIC KEY----- +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_zero_prime192v1 +-PeerKey=BOB_zero_prime192v1_PUB +-SharedSecret=baaffd49a8399d2ad52cbbe24d47b67afb4b3cf436f1cd65 +- +-PrivateKey=ALICE_zero_prime192v2 + -----BEGIN PRIVATE KEY----- + MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQIEHzAdAgEBBBj1AIQMJ7jqYIKCvxYAS+qKMmKmH0to + 41k= +@@ -3422,72 +162,6 @@ Derive=ALICE_zero_prime256v1 + PeerKey=BOB_zero_prime256v1_PUB + 
SharedSecret=c4f5607deb8501f1a4ba23fce4122a4343a17ada2c86a9c8e0d03d92d4a4c84c + +-PrivateKey=ALICE_zero_secp112r2 +------BEGIN PRIVATE KEY----- +-MCwCAQAwEAYHKoZIzj0CAQYFK4EEAAcEFTATAgEBBA4hh3tRkG3tnA0496ffMw== +------END PRIVATE KEY----- +- +-PublicKey=BOB_zero_secp112r2_PUB +------BEGIN PUBLIC KEY----- +-MDIwEAYHKoZIzj0CAQYFK4EEAAcDHgAEAAAAAAAAAAAAAAAAAAAS5eEOWDV/Wk7w4djyDQ== +------END PUBLIC KEY----- +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_zero_secp112r2 +-PeerKey=BOB_zero_secp112r2_PUB +-SharedSecret=958cc1cb425713678830a4d7d95e +- +-PrivateKey=ALICE_zero_secp128r1 +------BEGIN PRIVATE KEY----- +-MC4CAQAwEAYHKoZIzj0CAQYFK4EEABwEFzAVAgEBBBCykSzic/h3T2K6SkSP1SGt +------END PRIVATE KEY----- +- +-PublicKey=BOB_zero_secp128r1_PUB +------BEGIN PUBLIC KEY----- +-MDYwEAYHKoZIzj0CAQYFK4EEABwDIgAEAAAAAAAAAAAAAAAAAAAAAABya8M5aeOpNG3z799IdHc= +------END PUBLIC KEY----- +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_zero_secp128r1 +-PeerKey=BOB_zero_secp128r1_PUB +-SharedSecret=5235d452066f126cd7e99eea00fd3068 +- +-PrivateKey=ALICE_zero_secp160r1 +------BEGIN PRIVATE KEY----- +-MDMCAQAwEAYHKoZIzj0CAQYFK4EEAAgEHDAaAgEBBBUACoRnbig69XLlh5VcRexpbbn5zwA= +------END PRIVATE KEY----- +- +-PublicKey=BOB_zero_secp160r1_PUB +------BEGIN PUBLIC KEY----- +-MD4wEAYHKoZIzj0CAQYFK4EEAAgDKgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAG/w1po29wYlxlygXs +-MGfbiGg5ng== +------END PUBLIC KEY----- +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_zero_secp160r1 +-PeerKey=BOB_zero_secp160r1_PUB +-SharedSecret=9ccd0ab8d093b6acdb3fe14c3736a0dfe61a4666 +- +-PrivateKey=ALICE_zero_secp160r2 +------BEGIN PRIVATE KEY----- +-MDMCAQAwEAYHKoZIzj0CAQYFK4EEAB4EHDAaAgEBBBUAQFGxInSw1eAvd45E9TUdbXtJGnA= +------END PRIVATE KEY----- +- +-PublicKey=BOB_zero_secp160r2_PUB +------BEGIN PUBLIC KEY----- +-MD4wEAYHKoZIzj0CAQYFK4EEAB4DKgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAZtSBSZqfmXp47v5z2 +-ZZZl2JFxDg== +------END PUBLIC KEY----- +- +-# ECDH Alice with Bob peer 
+-Availablein = default +-Derive=ALICE_zero_secp160r2 +-PeerKey=BOB_zero_secp160r2_PUB +-SharedSecret=303e0a282ac86f463fe834cb51b0057be42ed5ab +- + PrivateKey=ALICE_zero_secp384r1 + -----BEGIN PRIVATE KEY----- + ME4CAQAwEAYHKoZIzj0CAQYFK4EEACIENzA1AgEBBDD6kgzKbg28zbQyVTdC0IdHbm0UCQt2Rdbi +@@ -3526,76 +200,6 @@ Derive=ALICE_zero_secp521r1 + PeerKey=BOB_zero_secp521r1_PUB + SharedSecret=003fc3028f61db94b20c7cd177923b6e73f12f0ab067c9ce8866755e3c82abb39c9863cde74fa80b32520bd7dd0eb156c30c08911503b67b2661f1264d09bb231423 + +-PrivateKey=ALICE_zero_wap-wsg-idm-ecid-wtls7 +------BEGIN PRIVATE KEY----- +-MDMCAQAwEAYHKoZIzj0CAQYFZysBBAcEHDAaAgEBBBUAoGng7WzYr4P9vtdc3BS/UiNWmc0= +------END PRIVATE KEY----- +- +-PublicKey=BOB_zero_wap-wsg-idm-ecid-wtls7_PUB +------BEGIN PUBLIC KEY----- +-MD4wEAYHKoZIzj0CAQYFZysBBAcDKgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAZtSBSZqfmXp47v5z2 +-ZZZl2JFxDg== +------END PUBLIC KEY----- +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_zero_wap-wsg-idm-ecid-wtls7 +-PeerKey=BOB_zero_wap-wsg-idm-ecid-wtls7_PUB +-SharedSecret=6582fc03bbb340fcf24a5fe8fcdf722655efa8b9 +- +-# tests: 14 +- +-Title=prime192v1 curve tests +- +-PrivateKey=ALICE_cf_prime192v1 +------BEGIN PRIVATE KEY----- +-MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQEEHzAdAgEBBBhQFYLaobJ47BVWWZv/ByY8Ti69m/U9 +-TeI= +------END PRIVATE KEY----- +- +-PublicKey=ALICE_cf_prime192v1_PUB +------BEGIN PUBLIC KEY----- +-MEkwEwYHKoZIzj0CAQYIKoZIzj0DAQEDMgAEHYbt14KzucSpmKMrlDx1IGz/a28nDs21OjKgx3BK +-PZ78UrllIr69kgrYUKsRg4sd +------END PUBLIC KEY----- +- +-PrivPubKeyPair=ALICE_cf_prime192v1:ALICE_cf_prime192v1_PUB +- +-PrivateKey=BOB_cf_prime192v1 +------BEGIN PRIVATE KEY----- +-MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQEEHzAdAgEBBBhsbmKHAtygIqirkmUXSbniDJOx0/fI +-CWM= +------END PRIVATE KEY----- +- +-PublicKey=BOB_cf_prime192v1_PUB +------BEGIN PUBLIC KEY----- +-MEkwEwYHKoZIzj0CAQYIKoZIzj0DAQEDMgAEJA+FQcXq5Axzv8pLDslxq1QVt1hjN2i0TgoO6Yxp +-bAekMot69VorE8ibSzgJixXJ +------END PUBLIC KEY----- +- 
+-PrivPubKeyPair=BOB_cf_prime192v1:BOB_cf_prime192v1_PUB +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_prime192v1 +-PeerKey=BOB_cf_prime192v1_PUB +-SharedSecret=e36cad3b0f8d00f60f090440a76df47896713ae61421c354 +- +-# ECDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_prime192v1 +-PeerKey=ALICE_cf_prime192v1_PUB +-SharedSecret=e36cad3b0f8d00f60f090440a76df47896713ae61421c354 +- +-# ECDH Bob with Alice peer : curves with less than 112 bits of strength cannot +-# be used for Key agreement in fips mode +-Availablein = fips +-Derive=BOB_cf_prime192v1 +-Securitycheck = 1 +-PeerKey=ALICE_cf_prime192v1_PUB +-SharedSecret=e36cad3b0f8d00f60f090440a76df47896713ae61421c354 +-Result = DERIVE_SET_PEER_ERROR +- + Title=prime256v1 curve tests + + PrivateKey=ALICE_cf_prime256v1 +@@ -3759,743 +363,3 @@ SharedSecret=01dd4aa9037bb4ad298b420998d + Derive=BOB_cf_secp521r1 + PeerKey=ALICE_cf_secp521r1_PUB + SharedSecret=01dd4aa9037bb4ad298b420998dcd32b3a9af1cda8b7919e372aeb4e54ccfb4d2409a340ed896bfbc5dd462f8d96b8784bc17b29db3ca04700e6ec752f9bec777695 +- +-Title=sect163k1 curve tests +- +-PrivateKey=ALICE_cf_sect163k1 +------BEGIN PRIVATE KEY----- +-MDMCAQAwEAYHKoZIzj0CAQYFK4EEAAEEHDAaAgEBBBUB905PYfmej8LzbzX6Bg51GJzXQjQ= +------END PRIVATE KEY----- +- +-PublicKey=ALICE_cf_sect163k1_PUB +------BEGIN PUBLIC KEY----- +-MEAwEAYHKoZIzj0CAQYFK4EEAAEDLAAEBfvs5A1hD8YySP9O2ub8GEUfotVuBpfRx4GIHdAfx8wV +-1UVeTRnyAlWU +------END PUBLIC KEY----- +- +-PrivPubKeyPair=ALICE_cf_sect163k1:ALICE_cf_sect163k1_PUB +- +-PrivateKey=BOB_cf_sect163k1 +------BEGIN PRIVATE KEY----- +-MDMCAQAwEAYHKoZIzj0CAQYFK4EEAAEEHDAaAgEBBBUCHPtCjJ4/K8ylQBcLlb5VE0bkaUE= +------END PRIVATE KEY----- +- +-PublicKey=BOB_cf_sect163k1_PUB +------BEGIN PUBLIC KEY----- +-MEAwEAYHKoZIzj0CAQYFK4EEAAEDLAAEBvgfX1mTRlt6Z4TE1D1MNWo4loH4AoeYa6oowK104LKk +-nsdg7isQ8XBD +------END PUBLIC KEY----- +- +-PrivPubKeyPair=BOB_cf_sect163k1:BOB_cf_sect163k1_PUB +- +-# ECDH Alice with Bob peer +-Availablein = 
default +-Derive=ALICE_cf_sect163k1 +-PeerKey=BOB_cf_sect163k1_PUB +-SharedSecret=04d0e40788c5ce5220818055277cae53eac55c1e6b +- +-# ECDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_sect163k1 +-PeerKey=ALICE_cf_sect163k1_PUB +-SharedSecret=04d0e40788c5ce5220818055277cae53eac55c1e6b +- +-# ECC CDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_sect163k1 +-PeerKey=BOB_cf_sect163k1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=04c902a91110244d89110034dd2b099c49cbab6c77 +- +-# ECC CDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_sect163k1 +-PeerKey=ALICE_cf_sect163k1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=04c902a91110244d89110034dd2b099c49cbab6c77 +- +-PublicKey=MALICE_cf_sect163k1_PUB +------BEGIN PUBLIC KEY----- +-MEAwEAYHKoZIzj0CAQYFK4EEAAEDLAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +-AAAAAAAAAAAB +------END PUBLIC KEY----- +- +-# ECC CDH Bob with Malice peer +-Availablein = default +-Derive=BOB_cf_sect163k1 +-PeerKey=MALICE_cf_sect163k1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +- +-# ECC CDH Alice with Malice peer +-Availablein = default +-Derive=ALICE_cf_sect163k1 +-PeerKey=MALICE_cf_sect163k1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +- +-Title=sect163r2 curve tests +- +-PrivateKey=ALICE_cf_sect163r2 +------BEGIN PRIVATE KEY----- +-MDMCAQAwEAYHKoZIzj0CAQYFK4EEAA8EHDAaAgEBBBUBjCs/M3N31jsAueYrOq21vdETwAI= +------END PRIVATE KEY----- +- +-PublicKey=ALICE_cf_sect163r2_PUB +------BEGIN PUBLIC KEY----- +-MEAwEAYHKoZIzj0CAQYFK4EEAA8DLAAEBd8Z1/HpA+89hF4I98EST3svWns3BAEbhWmL/fgxk2uu +-YwVrmqhgqH/C +------END PUBLIC KEY----- +- +-PrivPubKeyPair=ALICE_cf_sect163r2:ALICE_cf_sect163r2_PUB +- +-PrivateKey=BOB_cf_sect163r2 +------BEGIN PRIVATE KEY----- +-MDMCAQAwEAYHKoZIzj0CAQYFK4EEAA8EHDAaAgEBBBUBsiouT9Df+mwHWrpPg1JSrY9nqlI= +------END PRIVATE KEY----- +- +-PublicKey=BOB_cf_sect163r2_PUB +------BEGIN PUBLIC KEY----- 
+-MEAwEAYHKoZIzj0CAQYFK4EEAA8DLAAEBULqBZ+nhLhDEMYY8NEEzZ126MdxAcFXWv8zmPEH9505 +-8vT5zU3aq6HV +------END PUBLIC KEY----- +- +-PrivPubKeyPair=BOB_cf_sect163r2:BOB_cf_sect163r2_PUB +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_sect163r2 +-PeerKey=BOB_cf_sect163r2_PUB +-SharedSecret=019f829a53c4e6544bdec1395a23082169efaf369d +- +-# ECDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_sect163r2 +-PeerKey=ALICE_cf_sect163r2_PUB +-SharedSecret=019f829a53c4e6544bdec1395a23082169efaf369d +- +-# ECC CDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_cf_sect163r2 +-PeerKey=BOB_cf_sect163r2_PUB +-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=048870d39235ecbc16a000ee478833509b9318a53f +- +-# ECC CDH Bob with Alice peer +-Availablein = default +-Derive=BOB_cf_sect163r2 +-PeerKey=ALICE_cf_sect163r2_PUB +-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=048870d39235ecbc16a000ee478833509b9318a53f +- +-PublicKey=MALICE_cf_sect163r2_PUB +------BEGIN PUBLIC KEY----- +-MEAwEAYHKoZIzj0CAQYFK4EEAA8DLAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAsJbhbrfiSdZPSHD +-ZtqJwDlp802l +------END PUBLIC KEY----- +- +-# ECC CDH Bob with Malice peer +-Availablein = default +-Derive=BOB_cf_sect163r2 +-PeerKey=MALICE_cf_sect163r2_PUB +-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +- +-# ECC CDH Alice with Malice peer +-Availablein = default +-Derive=ALICE_cf_sect163r2 +-PeerKey=MALICE_cf_sect163r2_PUB +-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +- +-Title=sect233k1 curve tests +- +-PrivateKey=ALICE_cf_sect233k1 +------BEGIN PRIVATE KEY----- +-MDsCAQAwEAYHKoZIzj0CAQYFK4EEABoEJDAiAgEBBB0z/3heNFjJL+2sAT/38yRsN3kt2iXz7u+y +-Gua8Kw== +------END PRIVATE KEY----- +- +-PublicKey=ALICE_cf_sect233k1_PUB +------BEGIN PUBLIC KEY----- +-MFIwEAYHKoZIzj0CAQYFK4EEABoDPgAEALQyn0zJmOrHm4S2EIjxRe899PadBnfpYjLKWGvpAIzf +-MEG861Nv1IYJkmkO1xlfNHeeRtqFgsQVFKZh +------END PUBLIC KEY----- +- 
+-PrivPubKeyPair=ALICE_cf_sect233k1:ALICE_cf_sect233k1_PUB +- +-PrivateKey=BOB_cf_sect233k1 +------BEGIN PRIVATE KEY----- +-MDsCAQAwEAYHKoZIzj0CAQYFK4EEABoEJDAiAgEBBB1I0ucrC4d9i6Z+0cbar5r7uKpF5iiQkSJA +-DFMTUA== +------END PRIVATE KEY----- +- +-PublicKey=BOB_cf_sect233k1_PUB +------BEGIN PUBLIC KEY----- +-MFIwEAYHKoZIzj0CAQYFK4EEABoDPgAEAatdqazxSghJ568CBFyMXhEvVeAiLewOY/jk9H5DAOB4 +-ufNGbdd131KLaKPivB38a6n5Y+2BVSJangow +------END PUBLIC KEY----- +- +-PrivPubKeyPair=BOB_cf_sect233k1:BOB_cf_sect233k1_PUB +- +-# ECDH Alice with Bob peer +-Derive=ALICE_cf_sect233k1 +-PeerKey=BOB_cf_sect233k1_PUB +-SharedSecret=012145026e8de65973c154e085456fc5539ba9e25663e7f5816abfcab310 +- +-# ECDH Bob with Alice peer +-Derive=BOB_cf_sect233k1 +-PeerKey=ALICE_cf_sect233k1_PUB +-SharedSecret=012145026e8de65973c154e085456fc5539ba9e25663e7f5816abfcab310 +- +-# ECC CDH Alice with Bob peer +-Derive=ALICE_cf_sect233k1 +-PeerKey=BOB_cf_sect233k1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=00ff7d6c6b80f39d2ae68fbd00adbcd75fa599ed0bc1aac0e3f49c1c164d +- +-# ECC CDH Bob with Alice peer +-Derive=BOB_cf_sect233k1 +-PeerKey=ALICE_cf_sect233k1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=00ff7d6c6b80f39d2ae68fbd00adbcd75fa599ed0bc1aac0e3f49c1c164d +- +-PublicKey=MALICE_cf_sect233k1_PUB +------BEGIN PUBLIC KEY----- +-MFIwEAYHKoZIzj0CAQYFK4EEABoDPgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAA +-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +------END PUBLIC KEY----- +- +-# ECC CDH Bob with Malice peer +-Derive=BOB_cf_sect233k1 +-PeerKey=MALICE_cf_sect233k1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +- +-# ECC CDH Alice with Malice peer +-Derive=ALICE_cf_sect233k1 +-PeerKey=MALICE_cf_sect233k1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +- +-Title=sect233r1 curve tests +- +-PrivateKey=ALICE_cf_sect233r1 +------BEGIN PRIVATE KEY----- +-MDwCAQAwEAYHKoZIzj0CAQYFK4EEABsEJTAjAgEBBB4ATcy7zVpIsJ9rl5EIDmzRz5wxjrDIQyDm +-HP3Pt8Y= +------END 
PRIVATE KEY----- +- +-PublicKey=ALICE_cf_sect233r1_PUB +------BEGIN PUBLIC KEY----- +-MFIwEAYHKoZIzj0CAQYFK4EEABsDPgAEAQMQHiJ44LiCnZkEg1zyww1h+idTbsw8E07P33WUAUfD +-NeQ4hWEhTXPnytIbEhFKpnd3j/FbyZnJqxh8 +------END PUBLIC KEY----- +- +-PrivPubKeyPair=ALICE_cf_sect233r1:ALICE_cf_sect233r1_PUB +- +-PrivateKey=BOB_cf_sect233r1 +------BEGIN PRIVATE KEY----- +-MDwCAQAwEAYHKoZIzj0CAQYFK4EEABsEJTAjAgEBBB4ALpOlFn4OfiIAkRAZGOsn7L6W3XoQBSV8 +-mQVC2pw= +------END PRIVATE KEY----- +- +-PublicKey=BOB_cf_sect233r1_PUB +------BEGIN PUBLIC KEY----- +-MFIwEAYHKoZIzj0CAQYFK4EEABsDPgAEAJQw+NWqFJXYw4dVMovzvw76OYnYOTaDaEPNW8ECAQbl +-TzzbBSTp5iqM13mP0/Bo4OO66NS3lA9e/GTO +------END PUBLIC KEY----- +- +-PrivPubKeyPair=BOB_cf_sect233r1:BOB_cf_sect233r1_PUB +- +-# ECDH Alice with Bob peer +-Derive=ALICE_cf_sect233r1 +-PeerKey=BOB_cf_sect233r1_PUB +-SharedSecret=00209d2995a63f1e8b7a5c33dee5abb602e32e1835ae8bb57eb264d8d795 +- +-# ECDH Bob with Alice peer +-Derive=BOB_cf_sect233r1 +-PeerKey=ALICE_cf_sect233r1_PUB +-SharedSecret=00209d2995a63f1e8b7a5c33dee5abb602e32e1835ae8bb57eb264d8d795 +- +-# ECC CDH Alice with Bob peer +-Derive=ALICE_cf_sect233r1 +-PeerKey=BOB_cf_sect233r1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=00c3cd1d38a65f5e421399409a76cec1136bc84149f054a7f55e7980c612 +- +-# ECC CDH Bob with Alice peer +-Derive=BOB_cf_sect233r1 +-PeerKey=ALICE_cf_sect233r1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=00c3cd1d38a65f5e421399409a76cec1136bc84149f054a7f55e7980c612 +- +-PublicKey=MALICE_cf_sect233r1_PUB +------BEGIN PUBLIC KEY----- +-MFIwEAYHKoZIzj0CAQYFK4EEABsDPgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYf4 +-Vie5eHTnR+4x4G1xyq7qUvISU+X5RtBh2pE4 +------END PUBLIC KEY----- +- +-# ECC CDH Bob with Malice peer +-Derive=BOB_cf_sect233r1 +-PeerKey=MALICE_cf_sect233r1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +- +-# ECC CDH Alice with Malice peer +-Derive=ALICE_cf_sect233r1 +-PeerKey=MALICE_cf_sect233r1_PUB +-Ctrl=ecdh_cofactor_mode:1 
+-Result=DERIVE_ERROR +-Reason=point at infinity +- +-Title=sect283k1 curve tests +- +-PrivateKey=ALICE_cf_sect283k1 +------BEGIN PRIVATE KEY----- +-MEICAQAwEAYHKoZIzj0CAQYFK4EEABAEKzApAgEBBCQAY1Mi9rST7PiP1t03qYRczV/kSZ+VjQu8 +-5EFCgxyvkaLManw= +------END PRIVATE KEY----- +- +-PublicKey=ALICE_cf_sect283k1_PUB +------BEGIN PUBLIC KEY----- +-MF4wEAYHKoZIzj0CAQYFK4EEABADSgAEBMjBO8WoxHS/vz8po52WZGxS+RK5yolrUe6tfbAMA3Sd +-5/JjBDVjOz95vM4gUnqzUWHN5nKBQtj6HiU9Q/R+zqg98OiQKTyA +------END PUBLIC KEY----- +- +-PrivPubKeyPair=ALICE_cf_sect283k1:ALICE_cf_sect283k1_PUB +- +-PrivateKey=BOB_cf_sect283k1 +------BEGIN PRIVATE KEY----- +-MEICAQAwEAYHKoZIzj0CAQYFK4EEABAEKzApAgEBBCQBCZC8Is+YSjgXJBBDioEl6gu14QpGHllD +-1J6957vBTPSQdH0= +------END PRIVATE KEY----- +- +-PublicKey=BOB_cf_sect283k1_PUB +------BEGIN PUBLIC KEY----- +-MF4wEAYHKoZIzj0CAQYFK4EEABADSgAEAGEQKZVHYAlvtjHrFyZVm12qUb5j+T5/WNoC962+kwUM +-QkBYA5BpuG8Knlugq1iB31whPAgRCZfdLKHpHRPJSfXvKyUIdeUm +------END PUBLIC KEY----- +- +-PrivPubKeyPair=BOB_cf_sect283k1:BOB_cf_sect283k1_PUB +- +-# ECDH Alice with Bob peer +-Derive=ALICE_cf_sect283k1 +-PeerKey=BOB_cf_sect283k1_PUB +-SharedSecret=03f67c88bdc230b43773d17fdb4d0a980556d074ceccee726932160e4ed965e3be72803c +- +-# ECDH Bob with Alice peer +-Derive=BOB_cf_sect283k1 +-PeerKey=ALICE_cf_sect283k1_PUB +-SharedSecret=03f67c88bdc230b43773d17fdb4d0a980556d074ceccee726932160e4ed965e3be72803c +- +-# ECC CDH Alice with Bob peer +-Derive=ALICE_cf_sect283k1 +-PeerKey=BOB_cf_sect283k1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=0677ba01c84d139609ca145cb5b6079fc9ca67f59c9c913e47cad1073f1d1dfaddde0169 +- +-# ECC CDH Bob with Alice peer +-Derive=BOB_cf_sect283k1 +-PeerKey=ALICE_cf_sect283k1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=0677ba01c84d139609ca145cb5b6079fc9ca67f59c9c913e47cad1073f1d1dfaddde0169 +- +-PublicKey=MALICE_cf_sect283k1_PUB +------BEGIN PUBLIC KEY----- +-MF4wEAYHKoZIzj0CAQYFK4EEABADSgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
+-AAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB +------END PUBLIC KEY----- +- +-# ECC CDH Bob with Malice peer +-Derive=BOB_cf_sect283k1 +-PeerKey=MALICE_cf_sect283k1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +- +-# ECC CDH Alice with Malice peer +-Derive=ALICE_cf_sect283k1 +-PeerKey=MALICE_cf_sect283k1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +- +-Title=sect283r1 curve tests +- +-PrivateKey=ALICE_cf_sect283r1 +------BEGIN PRIVATE KEY----- +-MEICAQAwEAYHKoZIzj0CAQYFK4EEABEEKzApAgEBBCQCQ5pqKvPxDysd1pi2Bv8Z11cFhsRZfuaf +-4Pi0hpGr4ubZcHE= +------END PRIVATE KEY----- +- +-PublicKey=ALICE_cf_sect283r1_PUB +------BEGIN PUBLIC KEY----- +-MF4wEAYHKoZIzj0CAQYFK4EEABEDSgAEBcsrGDgO7pbGybQX/00gRHtQq3+X9XrGb7Uzv9Nabwc/ +-kntnBMF0I2KU+aaTjQx1GVtmNf7CvFwPLEBnfKjJAjekjsGyIqoq +------END PUBLIC KEY----- +- +-PrivPubKeyPair=ALICE_cf_sect283r1:ALICE_cf_sect283r1_PUB +- +-PrivateKey=BOB_cf_sect283r1 +------BEGIN PRIVATE KEY----- +-MEICAQAwEAYHKoZIzj0CAQYFK4EEABEEKzApAgEBBCQDxItnY3cDCrX/jGnVuAKDPaySZCr3E83Q +-UdFnP6YIykt7+Pg= +------END PRIVATE KEY----- +- +-PublicKey=BOB_cf_sect283r1_PUB +------BEGIN PUBLIC KEY----- +-MF4wEAYHKoZIzj0CAQYFK4EEABEDSgAEBJ2C9BCkX0YRfs2ufgUKvreUXFWp2AGK+iHlZB4N3LqO +-PKpmAkrAeCMty6mw2mEnOR5HA1d4Ee+z7/NJgJJ80Ra9bFnreOW3 +------END PUBLIC KEY----- +- +-PrivPubKeyPair=BOB_cf_sect283r1:BOB_cf_sect283r1_PUB +- +-# ECDH Alice with Bob peer +-Derive=ALICE_cf_sect283r1 +-PeerKey=BOB_cf_sect283r1_PUB +-SharedSecret=0424259cf09727574fb863cab7c27d8fe3835e96433110a45a951f94347fc81939ec4773 +- +-# ECDH Bob with Alice peer +-Derive=BOB_cf_sect283r1 +-PeerKey=ALICE_cf_sect283r1_PUB +-SharedSecret=0424259cf09727574fb863cab7c27d8fe3835e96433110a45a951f94347fc81939ec4773 +- +-# ECC CDH Alice with Bob peer +-Derive=ALICE_cf_sect283r1 +-PeerKey=BOB_cf_sect283r1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=01c2a542654ce85b17456ed75b6bca6b6eb761580913670debc426a3525f236df0e875c8 +- +-# ECC 
CDH Bob with Alice peer +-Derive=BOB_cf_sect283r1 +-PeerKey=ALICE_cf_sect283r1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=01c2a542654ce85b17456ed75b6bca6b6eb761580913670debc426a3525f236df0e875c8 +- +-PublicKey=MALICE_cf_sect283r1_PUB +------BEGIN PUBLIC KEY----- +-MF4wEAYHKoZIzj0CAQYFK4EEABEDSgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +-AAAAByvMnFeSsevoGYMIn7b4NaL9IgowRCTKF8CCrhdEKu3pubP2 +------END PUBLIC KEY----- +- +-# ECC CDH Bob with Malice peer +-Derive=BOB_cf_sect283r1 +-PeerKey=MALICE_cf_sect283r1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +- +-# ECC CDH Alice with Malice peer +-Derive=ALICE_cf_sect283r1 +-PeerKey=MALICE_cf_sect283r1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +- +-Title=sect409k1 curve tests +- +-PrivateKey=ALICE_cf_sect409k1 +------BEGIN PRIVATE KEY----- +-MFECAQAwEAYHKoZIzj0CAQYFK4EEACQEOjA4AgEBBDMOthcLahkXFgM0wjOzm767D1A72sFRGlhb +-bVH+EB7z2WpIcPX4OD+M4Y1pf/a7wSaoSAo= +------END PRIVATE KEY----- +- +-PublicKey=ALICE_cf_sect409k1_PUB +------BEGIN PUBLIC KEY----- +-MH4wEAYHKoZIzj0CAQYFK4EEACQDagAEAbiYYpeFgCMsZFMzQaiwMJDrC+mCMT7KmhYtD5EMMgLW +-5OvhaqYdpRf49A8LOtVcRT7J5gGcMrXQgmQeS3FenA5owWnB2NIgrTNf5d8AAEtrOupsJ4c3kL6e +-aAzayZ1+UCEj8skbC9U= +------END PUBLIC KEY----- +- +-PrivPubKeyPair=ALICE_cf_sect409k1:ALICE_cf_sect409k1_PUB +- +-PrivateKey=BOB_cf_sect409k1 +------BEGIN PRIVATE KEY----- +-MFECAQAwEAYHKoZIzj0CAQYFK4EEACQEOjA4AgEBBDMO43ldQllTewdZwffH4OEXdzBrLwabKsn4 +-6/hjgIAaYda/pt4yCEQLMp18QgtfMey5ENI= +------END PRIVATE KEY----- +- +-PublicKey=BOB_cf_sect409k1_PUB +------BEGIN PUBLIC KEY----- +-MH4wEAYHKoZIzj0CAQYFK4EEACQDagAEAVTQj6hRizVmOx4Z6vroN/zMkmAY+QhkQ0CnFeJ0AydY +-Fv+f+/420vMC1Mhqsc9VzPMmIAH6ZrgGKDsd4Ce9JUtYE0rVhGeiG2RaN1U5RlhVK4avkWhFlyQ5 +-vuu4aApQiWE3yQd9v/I= +------END PUBLIC KEY----- +- +-PrivPubKeyPair=BOB_cf_sect409k1:BOB_cf_sect409k1_PUB +- +-# ECDH Alice with Bob peer +-Derive=ALICE_cf_sect409k1 +-PeerKey=BOB_cf_sect409k1_PUB 
+-SharedSecret=01fbe13188588c9d1ac3a8a2680ea9a009b28e4b7d7fa4efcb1a22553876fb7973616819fd87c75e5b8ce6e3628595e4ce12edb0 +- +-# ECDH Bob with Alice peer +-Derive=BOB_cf_sect409k1 +-PeerKey=ALICE_cf_sect409k1_PUB +-SharedSecret=01fbe13188588c9d1ac3a8a2680ea9a009b28e4b7d7fa4efcb1a22553876fb7973616819fd87c75e5b8ce6e3628595e4ce12edb0 +- +-# ECC CDH Alice with Bob peer +-Derive=ALICE_cf_sect409k1 +-PeerKey=BOB_cf_sect409k1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=007e9485f7234bb2255bb40e51f4be867cb0ef31f8e489a697b31b51c4d5346daaee51e96ae6f9636e6e3af56095fe28755325ee +- +-# ECC CDH Bob with Alice peer +-Derive=BOB_cf_sect409k1 +-PeerKey=ALICE_cf_sect409k1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=007e9485f7234bb2255bb40e51f4be867cb0ef31f8e489a697b31b51c4d5346daaee51e96ae6f9636e6e3af56095fe28755325ee +- +-PublicKey=MALICE_cf_sect409k1_PUB +------BEGIN PUBLIC KEY----- +-MH4wEAYHKoZIzj0CAQYFK4EEACQDagAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +-AAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +-AAAAAAAAAAAAAAAAAAA= +------END PUBLIC KEY----- +- +-# ECC CDH Bob with Malice peer +-Derive=BOB_cf_sect409k1 +-PeerKey=MALICE_cf_sect409k1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +- +-# ECC CDH Alice with Malice peer +-Derive=ALICE_cf_sect409k1 +-PeerKey=MALICE_cf_sect409k1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +- +-Title=sect409r1 curve tests +- +-PrivateKey=ALICE_cf_sect409r1 +------BEGIN PRIVATE KEY----- +-MFICAQAwEAYHKoZIzj0CAQYFK4EEACUEOzA5AgEBBDQAxSC9lST5dtfXQI1Ug9VMMoue3GGni5ON +-+gieyXK2KKbd29KAPs4/AOd8kX2wQDsZPO7E +------END PRIVATE KEY----- +- +-PublicKey=ALICE_cf_sect409r1_PUB +------BEGIN PUBLIC KEY----- +-MH4wEAYHKoZIzj0CAQYFK4EEACUDagAEASAvXAM15DJerAu1JttpBuMJK1/fEfFohu2iEpt3r7Ui +-iQoER6HUsWiw1hhcJyTv7WzpJQHFWrOlJMe/KjmQa/CygSc65YHDzG27oUL+KGdQUGc79ZRSwl/q +-fGZqa3D+bDVMwrhmZto= +------END PUBLIC KEY----- +- 
+-PrivPubKeyPair=ALICE_cf_sect409r1:ALICE_cf_sect409r1_PUB +- +-PrivateKey=BOB_cf_sect409r1 +------BEGIN PRIVATE KEY----- +-MFICAQAwEAYHKoZIzj0CAQYFK4EEACUEOzA5AgEBBDQARen+1P3JQzBgOv0pUYwsZTPRVLpqqDAU +-7mKL2lk9eH7zSGmtNoMvP2m1S2dBnXxFY/bV +------END PRIVATE KEY----- +- +-PublicKey=BOB_cf_sect409r1_PUB +------BEGIN PUBLIC KEY----- +-MH4wEAYHKoZIzj0CAQYFK4EEACUDagAEAbDUw066TtdfOpDvrlKosEyqUNEG7rY+AKvDqKw+HOzf +-sUTYee6cEf71oqJ1sCKPQiYzlwCu/HLQeWPxISE6Uo+53kkeJml2xpMBwoE25Gq/DSS61dR7SRTZ +-+sUmumbIuGzbrjtMRmw= +------END PUBLIC KEY----- +- +-PrivPubKeyPair=BOB_cf_sect409r1:BOB_cf_sect409r1_PUB +- +-# ECDH Alice with Bob peer +-Derive=ALICE_cf_sect409r1 +-PeerKey=BOB_cf_sect409r1_PUB +-SharedSecret=00a751259cdb3b445ce71a40a01a2189dfce70226111190505fc6eabe4e5a05bff7af55f2015e1ffcab6aea7ea9a6e74905da2a1 +- +-# ECDH Bob with Alice peer +-Derive=BOB_cf_sect409r1 +-PeerKey=ALICE_cf_sect409r1_PUB +-SharedSecret=00a751259cdb3b445ce71a40a01a2189dfce70226111190505fc6eabe4e5a05bff7af55f2015e1ffcab6aea7ea9a6e74905da2a1 +- +-# ECC CDH Alice with Bob peer +-Derive=ALICE_cf_sect409r1 +-PeerKey=BOB_cf_sect409r1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=0115a31aed416c5089d74a263ec300aff13a5329c6ad27de950ae0b0917b40a3464fccf5691ac9633a51e5177a82b15cfc434aad +- +-# ECC CDH Bob with Alice peer +-Derive=BOB_cf_sect409r1 +-PeerKey=ALICE_cf_sect409r1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=0115a31aed416c5089d74a263ec300aff13a5329c6ad27de950ae0b0917b40a3464fccf5691ac9633a51e5177a82b15cfc434aad +- +-PublicKey=MALICE_cf_sect409r1_PUB +------BEGIN PUBLIC KEY----- +-MH4wEAYHKoZIzj0CAQYFK4EEACUDagAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +-AAAAAAAAAAAAAAAAAAAAAAAAAACZNffkdo7i7yL5tKKfU8tdk6su0K185XwbJkn96JWVDPZXZ3My +-bFKKSOJ7hyrM8Lwl1e8= +------END PUBLIC KEY----- +- +-# ECC CDH Bob with Malice peer +-Derive=BOB_cf_sect409r1 +-PeerKey=MALICE_cf_sect409r1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +- +-# ECC CDH Alice with Malice peer 
+-Derive=ALICE_cf_sect409r1 +-PeerKey=MALICE_cf_sect409r1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +- +-Title=sect571k1 curve tests +- +-PrivateKey=ALICE_cf_sect571k1 +------BEGIN PRIVATE KEY----- +-MGYCAQAwEAYHKoZIzj0CAQYFK4EEACYETzBNAgEBBEgB4agvk7Qdf9bVb9aMVdtXL0MuVw6dTleB +-zrpPMYty/piI5GWkQEGVp4OJSjF1BGgWmtYSYlV0oI8jJ7hfWTjVGfVWix4ipb8= +------END PRIVATE KEY----- +- +-PublicKey=ALICE_cf_sect571k1_PUB +------BEGIN PUBLIC KEY----- +-MIGnMBAGByqGSM49AgEGBSuBBAAmA4GSAAQDUZq0ZrgYpTXNpOptjExaur0K9FAYHv1j9cvAptwX +-dcmQf3VqekMkGZCfNdqNeqCajG3QHRkBHe4FZhWr3FXi8whvvr463lUDf+t46un1kE6FTYfhILGa +-sBZm7OdfkarYd9TXBbmnkFA+XkyPlkM1+6daM3/WmnegK+TYghFDXLgwiyF8s0ElllF7z38Gmc4= +------END PUBLIC KEY----- +- +-PrivPubKeyPair=ALICE_cf_sect571k1:ALICE_cf_sect571k1_PUB +- +-PrivateKey=BOB_cf_sect571k1 +------BEGIN PRIVATE KEY----- +-MGYCAQAwEAYHKoZIzj0CAQYFK4EEACYETzBNAgEBBEgA3pINxGOI7L9M+Mil+bm/udPwI4xu7ubJ +-p3aoOepTXW94laf8wjFLcQnRUwH87Vbq9VLQEfCAFvr2vZoBc+5asnNuDhRNNeQ= +------END PRIVATE KEY----- +- +-PublicKey=BOB_cf_sect571k1_PUB +------BEGIN PUBLIC KEY----- +-MIGnMBAGByqGSM49AgEGBSuBBAAmA4GSAAQDZRr5GCSq2uzGxmWNB+bED7zye18Rr/KehwXrbn1r +-rKtR8fe+dg2V15FieC3qZe/wCpMtyp79VmEabGi6iGLlAN/rUE81URsA/K7GVpmklslV5gmwryR0 +-3E7jGKPFesun9iNtmpgM18P9y3aJd4Qr4hMlwW2Nyw187l6QB/W2e/i+8vKXFTLHlz5WLAyAcpA= +------END PUBLIC KEY----- +- +-PrivPubKeyPair=BOB_cf_sect571k1:BOB_cf_sect571k1_PUB +- +-# ECDH Alice with Bob peer +-Derive=ALICE_cf_sect571k1 +-PeerKey=BOB_cf_sect571k1_PUB +-SharedSecret=02b79c92cee50dc5b9fdddce36d4fa2e28d7d178cd74e575961f39429496305b38815c840c2e66327435c044ed885ec964068531251a2112717602532e8b6d5411db2fe05c1ac18c +- +-# ECDH Bob with Alice peer +-Derive=BOB_cf_sect571k1 +-PeerKey=ALICE_cf_sect571k1_PUB +-SharedSecret=02b79c92cee50dc5b9fdddce36d4fa2e28d7d178cd74e575961f39429496305b38815c840c2e66327435c044ed885ec964068531251a2112717602532e8b6d5411db2fe05c1ac18c +- +-# ECC CDH Alice with Bob peer +-Derive=ALICE_cf_sect571k1 
+-PeerKey=BOB_cf_sect571k1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=063aea789492c9727a5a6b7f24e8d3d377c70ee8e86b13664e191a53b1905e90e78b85960b1881db5160c7c5cacca0d686d9e104140d565eeeec17426f93d3a7ba639ecd716b43d2 +- +-# ECC CDH Bob with Alice peer +-Derive=BOB_cf_sect571k1 +-PeerKey=ALICE_cf_sect571k1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=063aea789492c9727a5a6b7f24e8d3d377c70ee8e86b13664e191a53b1905e90e78b85960b1881db5160c7c5cacca0d686d9e104140d565eeeec17426f93d3a7ba639ecd716b43d2 +- +-PublicKey=MALICE_cf_sect571k1_PUB +------BEGIN PUBLIC KEY----- +-MIGnMBAGByqGSM49AgEGBSuBBAAmA4GSAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAA +-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE= +------END PUBLIC KEY----- +- +-# ECC CDH Bob with Malice peer +-Derive=BOB_cf_sect571k1 +-PeerKey=MALICE_cf_sect571k1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +- +-# ECC CDH Alice with Malice peer +-Derive=ALICE_cf_sect571k1 +-PeerKey=MALICE_cf_sect571k1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +- +-Title=sect571r1 curve tests +- +-PrivateKey=ALICE_cf_sect571r1 +------BEGIN PRIVATE KEY----- +-MGYCAQAwEAYHKoZIzj0CAQYFK4EEACcETzBNAgEBBEgAxfL2/gUsmJonvDMR95Azq1ySgXMlKSRk +-+PL+WaS92ZyOo45HaC7RpH5sdkf4b948u6y1BXOxGZuORXy6lgbgZ1Zx2UgL3cI= +------END PRIVATE KEY----- +- +-PublicKey=ALICE_cf_sect571r1_PUB +------BEGIN PUBLIC KEY----- +-MIGnMBAGByqGSM49AgEGBSuBBAAnA4GSAAQBK5L9ccIWacU2A1srZ35opPu6kcbEOsBPmvj/rlMS +-fFrdMOcagOYfcD0/ouYHPhvkHbr9k87IlQJfnV6ZNRA4PmWSp/FjkNwETm/fqTCUQHti/qqnKH7R +-Ed4fYROLFGvz+PX6E20SryOt1vrmoRyC7Z5FVmgMVOQQ1AaBNAHi3+IPtKx41YdXdbqHJxuI5jE= +------END PUBLIC KEY----- +- +-PrivPubKeyPair=ALICE_cf_sect571r1:ALICE_cf_sect571r1_PUB +- +-PrivateKey=BOB_cf_sect571r1 +------BEGIN PRIVATE KEY----- +-MGYCAQAwEAYHKoZIzj0CAQYFK4EEACcETzBNAgEBBEgAzcRvASPpWi0ybpOGlj0Lozz01C2a5oDA 
+-G5alib1EmZKcpVULxJXn75FQlTKpkUEuWUgA4yk5X5DTiScUuh4LDhaF3AFhsEY= +------END PRIVATE KEY----- +- +-PublicKey=BOB_cf_sect571r1_PUB +------BEGIN PUBLIC KEY----- +-MIGnMBAGByqGSM49AgEGBSuBBAAnA4GSAAQH3dnL22NajtqDWTX6qD14w1BOlpHFBUPTr24VySlh +-kiiBlOF95u7hFr/hSb7gm/3f+IVKyE18Sh2kR4KaxWcPWKY5xKTiqiICT7hCistuzNRt8gR+kNOT +-c1rETMV6ZruZinwzEWWWjwJf6612oy2HG3CX3B8Rm+a3sS0q6IzowEwqmDv6v9bMTFk8bsCv0Fk= +------END PUBLIC KEY----- +- +-PrivPubKeyPair=BOB_cf_sect571r1:BOB_cf_sect571r1_PUB +- +-# ECDH Alice with Bob peer +-Derive=ALICE_cf_sect571r1 +-PeerKey=BOB_cf_sect571r1_PUB +-SharedSecret=0031f9879fa75b8c67ba81ee861be634e2b53aa79f834e9a8ca4df7f4461bcb02f083d9fa5b4767f881a710caa6524b58eb626623ba394961d46535204c26d165089e7d4f7be1827 +- +-# ECDH Bob with Alice peer +-Derive=BOB_cf_sect571r1 +-PeerKey=ALICE_cf_sect571r1_PUB +-SharedSecret=0031f9879fa75b8c67ba81ee861be634e2b53aa79f834e9a8ca4df7f4461bcb02f083d9fa5b4767f881a710caa6524b58eb626623ba394961d46535204c26d165089e7d4f7be1827 +- +-# ECC CDH Alice with Bob peer +-Derive=ALICE_cf_sect571r1 +-PeerKey=BOB_cf_sect571r1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=012e8c2c1554988fe20c5ae7d11cdcfe15c7c6e8d2b6f46a43a45d724bfc7b415ea7594d5c16f770a95d6e65bbcb1f34619db95e89f4fecbcb0bc6a3f92d52df6a49b0e7773e0ac0 +- +-# ECC CDH Bob with Alice peer +-Derive=BOB_cf_sect571r1 +-PeerKey=ALICE_cf_sect571r1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-SharedSecret=012e8c2c1554988fe20c5ae7d11cdcfe15c7c6e8d2b6f46a43a45d724bfc7b415ea7594d5c16f770a95d6e65bbcb1f34619db95e89f4fecbcb0bc6a3f92d52df6a49b0e7773e0ac0 +- +-PublicKey=MALICE_cf_sect571r1_PUB +------BEGIN PUBLIC KEY----- +-MIGnMBAGByqGSM49AgEGBSuBBAAnA4GSAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHMtVWZAwgtd1zmgWN/9WC +-aNQcWRNUKesEHXqhJVkC5jYsSACodKsLYFNrWEYM0gwG8DQONZSn93G+38EM45tkaZsIRDt2HEM= +------END PUBLIC KEY----- +- +-# ECC CDH Bob with Malice peer +-Derive=BOB_cf_sect571r1 +-PeerKey=MALICE_cf_sect571r1_PUB 
+-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +- +-# ECC CDH Alice with Malice peer +-Derive=ALICE_cf_sect571r1 +-PeerKey=MALICE_cf_sect571r1_PUB +-Ctrl=ecdh_cofactor_mode:1 +-Result=DERIVE_ERROR +-Reason=point at infinity +diff -up openssl-3.0.0-beta1/test/recipes/30-test_evp_data/evppkey_ecc.txt.remove-ec openssl-3.0.0-beta1/test/recipes/30-test_evp_data/evppkey_ecc.txt +--- openssl-3.0.0-beta1/test/recipes/30-test_evp_data/evppkey_ecc.txt.remove-ec 2021-06-30 10:51:23.258816802 +0200 ++++ openssl-3.0.0-beta1/test/recipes/30-test_evp_data/evppkey_ecc.txt 2021-06-30 11:25:33.504721672 +0200 +@@ -1,3 +1,4 @@ ++ + # + # Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. + # +@@ -55,151 +56,6 @@ Derive=BOB_cf_secp256k1 + PeerKey=ALICE_cf_secp256k1_PUB + SharedSecret=a4745cc4d19cabb9e5cb0abdd5c604cab2846a4638ad844ed9175f3cadda2da1 + +------BEGIN PRIVATE KEY----- +-MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQIEHzAdAgEBBBj1AIQMJ7jqYIKCvxYAS+qKMmKmH0to +-41k= +------END PRIVATE KEY----- +- +-PublicKey=BOB_zero_prime192v2_PUB +------BEGIN PUBLIC KEY----- +-MEkwEwYHKoZIzj0CAQYIKoZIzj0DAQIDMgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4Gj7Qqt +-2wx/jwFlKgvE4rnd50LspdMk +------END PUBLIC KEY----- +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_zero_prime192v2 +-PeerKey=BOB_zero_prime192v2_PUB +-SharedSecret=b8f200a4b87064f2e8600685ca3e69b8e661a117aabc770b +- +-PrivateKey=ALICE_zero_prime192v3 +------BEGIN PRIVATE KEY----- +-MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQMEHzAdAgEBBBh/maLQMSlea9BfLqGy5NPuK0YAH/cz +-GqI= +------END PRIVATE KEY----- +- +-PublicKey=BOB_zero_prime192v3_PUB +------BEGIN PUBLIC KEY----- +-MEkwEwYHKoZIzj0CAQYIKoZIzj0DAQMDMgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAZEzb63e2 +-3MKatRLR9Y1M5JEdI9jwMocI +------END PUBLIC KEY----- +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_zero_prime192v3 +-PeerKey=BOB_zero_prime192v3_PUB +-SharedSecret=b5de857d355bc5b9e270a4c290ea9728d764d8b243ff5d8d +- 
+-PrivateKey=ALICE_zero_prime239v1 +------BEGIN PRIVATE KEY----- +-MD8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQQEJTAjAgEBBB5pYWzRYI+c6O7NXCt0H2kw8XRL3rhe +-4MrJT8j++CI= +------END PRIVATE KEY----- +- +-PublicKey=BOB_zero_prime239v1_PUB +------BEGIN PUBLIC KEY----- +-MFUwEwYHKoZIzj0CAQYIKoZIzj0DAQQDPgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +-Ox02uwNNLFuvDRn5ip8TxvW0W22R7UzJa9Av6/nh +------END PUBLIC KEY----- +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_zero_prime239v1 +-PeerKey=BOB_zero_prime239v1_PUB +-SharedSecret=6b6206408bd05d42daa2cd224c401a1230b44e184f17b82f385f22dac215 +- +-PrivateKey=ALICE_zero_prime239v2 +------BEGIN PRIVATE KEY----- +-MD8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQUEJTAjAgEBBB5l8bB7Cpmr7vyx9FiOT2wEF3YOFbDG +-bmRr3Vi/xr4= +------END PRIVATE KEY----- +- +-PublicKey=BOB_zero_prime239v2_PUB +------BEGIN PUBLIC KEY----- +-MFUwEwYHKoZIzj0CAQYIKoZIzj0DAQUDPgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +-IOg3VJGQ89d1GWg4Igxcj5xpDmJiP8tv+e4mxt5U +------END PUBLIC KEY----- +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_zero_prime239v2 +-PeerKey=BOB_zero_prime239v2_PUB +-SharedSecret=772c2819c960c78f28f21f6542b7409294fad1f84567c44c4b7678dc0e42 +- +-PrivateKey=ALICE_zero_prime239v3 +------BEGIN PRIVATE KEY----- +-MD8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQYEJTAjAgEBBB5HF5FABzUOTYMZg9UdZTx/oRERm/fU +-M/+otKzpLjA= +------END PRIVATE KEY----- +- +-PublicKey=BOB_zero_prime239v3_PUB +------BEGIN PUBLIC KEY----- +-MFUwEwYHKoZIzj0CAQYIKoZIzj0DAQYDPgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +-AsZ4u6r3qQI78EYBpiSgWjqNpoeShjr5piecMBWj +------END PUBLIC KEY----- +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_zero_prime239v3 +-PeerKey=BOB_zero_prime239v3_PUB +-SharedSecret=56a71f5dd1611e8032c3e2d8224d86e5e8c2fc6480d74c0e282282decd43 +- +-PrivateKey=ALICE_zero_prime256v1 +------BEGIN PRIVATE KEY----- +-MEECAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQcEJzAlAgEBBCDXhMb6aR4JR2+l2tmgYqP0r8S4jtym +-yH++awvF2nGhhg== +------END PRIVATE 
KEY----- +- +-PublicKey=BOB_zero_prime256v1_PUB +------BEGIN PUBLIC KEY----- +-MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +-AABmSFx4Di+D1yQzvV2EoGu2VBwq8x2uhxcov4VqF0+T9A== +------END PUBLIC KEY----- +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_zero_prime256v1 +-PeerKey=BOB_zero_prime256v1_PUB +-SharedSecret=c4f5607deb8501f1a4ba23fce4122a4343a17ada2c86a9c8e0d03d92d4a4c84c +- +-PrivateKey=ALICE_zero_secp384r1 +------BEGIN PRIVATE KEY----- +-ME4CAQAwEAYHKoZIzj0CAQYFK4EEACIENzA1AgEBBDD6kgzKbg28zbQyVTdC0IdHbm0UCQt2Rdbi +-VVHJeYRSnNpFOiFLaOsGOmwoeZzj6jc= +------END PRIVATE KEY----- +- +-PublicKey=BOB_zero_secp384r1_PUB +------BEGIN PUBLIC KEY----- +-MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +-AAAAAAAAAAAAAAAAAAAAPPme8E9RpepjC6P5+WDdWToUyb45/SvSFdO0sIqq+Gu/kn8sRuUqsG+3 +-QriFDlIe +------END PUBLIC KEY----- +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_zero_secp384r1 +-PeerKey=BOB_zero_secp384r1_PUB +-SharedSecret=b1cfeaeef51dfd487d3a8b2849f1592e04d63f2d2c88b310a6290ebfe5399f5ffe954eabd0619231393e56c35b242986 +- +-PrivateKey=ALICE_zero_secp521r1 +------BEGIN PRIVATE KEY----- +-MGACAQAwEAYHKoZIzj0CAQYFK4EEACMESTBHAgEBBEIAbddDLMUWbAsY7l3vbNDmntXuAUcDYPg5 +-w/cgUwSCIvrV9MBeSG8AWqT16riHmHlsn+XI5PAJM6eij3JDahnu9Mo= +------END PRIVATE KEY----- +- +-PublicKey=BOB_zero_secp521r1_PUB +------BEGIN PUBLIC KEY----- +-MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0g7J/qa1d8ENJsobtEb0CymeZIsa +-1Qiq0GiJb+4/jmFLxjBU1Xcr8Bpl1BLgvKqOll0vXTMtfzn4RtRArgAfT4c= +------END PUBLIC KEY----- +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_zero_secp521r1 +-PeerKey=BOB_zero_secp521r1_PUB +-SharedSecret=003fc3028f61db94b20c7cd177923b6e73f12f0ab067c9ce8866755e3c82abb39c9863cde74fa80b32520bd7dd0eb156c30c08911503b67b2661f1264d09bb231423 +- + Title=prime256v1 curve tests + + 
PrivateKey=ALICE_cf_prime256v1
+diff -up openssl-3.0.7/test/recipes/15-test_ec.t.skipshort openssl-3.0.7/test/recipes/15-test_ec.t
+--- openssl-3.0.7/test/recipes/15-test_ec.t.skipshort 2022-11-23 12:40:55.324395782 +0100
++++ openssl-3.0.7/test/recipes/15-test_ec.t 2022-11-23 12:42:12.478094387 +0100
+@@ -90,7 +90,7 @@ subtest 'Ed448 conversions -- public key
+
+ subtest 'Check loading of fips and non-fips keys' => sub {
+ plan skip_all => "FIPS is disabled"
+- if $no_fips;
++ if 1; #Red Hat specific, original value is $no_fips;
+
+ plan tests => 2;
+
diff --git a/SOURCES/0012-Disable-explicit-ec.patch b/SOURCES/0012-Disable-explicit-ec.patch
new file mode 100644
index 0000000..550cdf4
--- /dev/null
+++ b/SOURCES/0012-Disable-explicit-ec.patch
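Review bot: `plan skip_all => "FIPS is disabled" if 1;` skips the subtest unconditionally but keeps the original skip message, so a test log on a FIPS-enabled build reports FIPS as disabled, which is misleading when someone later reads the results. The message should state the real reason, e.g. `plan skip_all => "Red Hat specific: subtest disabled in this build"`, and the trailing `#Red Hat specific, original value is $no_fips;` comment could then move onto its own line above the statement. The `.skipshort` suffix suggests the subtest is disabled because the keys it loads use curves removed elsewhere in this package, but the hunk does not say so; a one-line comment recording the reason would help the next rebase. The enclosing subtest body and the outer patch file both extend beyond this hunk.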
@@ -0,0 +1,122 @@ +diff -up openssl-3.0.1/crypto/ec/ec_asn1.c.disable_explicit_ec openssl-3.0.1/crypto/ec/ec_asn1.c +--- openssl-3.0.1/crypto/ec/ec_asn1.c.disable_explicit_ec 2022-03-22 13:10:45.718077845 +0100 ++++ openssl-3.0.1/crypto/ec/ec_asn1.c 2022-03-22 13:12:46.626599016 +0100 +@@ -895,6 +895,12 @@ EC_GROUP *d2i_ECPKParameters(EC_GROUP ** + if (params->type == ECPKPARAMETERS_TYPE_EXPLICIT) + group->decoded_from_explicit_params = 1; + ++ if (EC_GROUP_check_named_curve(group, 0, NULL) == NID_undef) { ++ EC_GROUP_free(group); ++ ECPKPARAMETERS_free(params); ++ return NULL; ++ } ++ + if (a) { + EC_GROUP_free(*a); + *a = group; +@@ -954,6 +959,11 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, con + goto err; + } + ++ if (EC_GROUP_check_named_curve(ret->group, 0, NULL) == NID_undef) { ++ ERR_raise(ERR_LIB_EC, EC_R_UNKNOWN_GROUP); ++ goto err; ++ } ++ + ret->version = priv_key->version; + + if (priv_key->privateKey) { +diff -up openssl-3.0.1/test/endecode_test.c.disable_explicit_ec openssl-3.0.1/test/endecode_test.c +--- openssl-3.0.1/test/endecode_test.c.disable_explicit_ec 2022-03-21 16:55:46.005558779 +0100 ++++ openssl-3.0.1/test/endecode_test.c 2022-03-21 16:56:12.636792762 +0100 +@@ -57,7 +57,7 @@ static BN_CTX *bnctx = NULL; + static OSSL_PARAM_BLD *bld_prime_nc = NULL; + static OSSL_PARAM_BLD *bld_prime = NULL; + static OSSL_PARAM *ec_explicit_prime_params_nc = NULL; +-static OSSL_PARAM *ec_explicit_prime_params_explicit = NULL; ++/*static OSSL_PARAM *ec_explicit_prime_params_explicit = NULL;*/ + + # ifndef OPENSSL_NO_EC2M + static OSSL_PARAM_BLD *bld_tri_nc = NULL; +@@ -990,9 +990,9 @@ IMPLEMENT_TEST_SUITE_LEGACY(EC, "EC") + DOMAIN_KEYS(ECExplicitPrimeNamedCurve); + IMPLEMENT_TEST_SUITE(ECExplicitPrimeNamedCurve, "EC", 1) + IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrimeNamedCurve, "EC") +-DOMAIN_KEYS(ECExplicitPrime2G); +-IMPLEMENT_TEST_SUITE(ECExplicitPrime2G, "EC", 0) +-IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrime2G, "EC") ++/*DOMAIN_KEYS(ECExplicitPrime2G);*/ 
++/*IMPLEMENT_TEST_SUITE(ECExplicitPrime2G, "EC", 0)*/ ++/*IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrime2G, "EC")*/ + # ifndef OPENSSL_NO_EC2M + DOMAIN_KEYS(ECExplicitTriNamedCurve); + IMPLEMENT_TEST_SUITE(ECExplicitTriNamedCurve, "EC", 1) +@@ -1318,7 +1318,7 @@ int setup_tests(void) + || !create_ec_explicit_prime_params_namedcurve(bld_prime_nc) + || !create_ec_explicit_prime_params(bld_prime) + || !TEST_ptr(ec_explicit_prime_params_nc = OSSL_PARAM_BLD_to_param(bld_prime_nc)) +- || !TEST_ptr(ec_explicit_prime_params_explicit = OSSL_PARAM_BLD_to_param(bld_prime)) ++/* || !TEST_ptr(ec_explicit_prime_params_explicit = OSSL_PARAM_BLD_to_param(bld_prime))*/ + # ifndef OPENSSL_NO_EC2M + || !TEST_ptr(bld_tri_nc = OSSL_PARAM_BLD_new()) + || !TEST_ptr(bld_tri = OSSL_PARAM_BLD_new()) +@@ -1346,7 +1346,7 @@ int setup_tests(void) + TEST_info("Generating EC keys..."); + MAKE_DOMAIN_KEYS(EC, "EC", EC_params); + MAKE_DOMAIN_KEYS(ECExplicitPrimeNamedCurve, "EC", ec_explicit_prime_params_nc); +- MAKE_DOMAIN_KEYS(ECExplicitPrime2G, "EC", ec_explicit_prime_params_explicit); ++/* MAKE_DOMAIN_KEYS(ECExplicitPrime2G, "EC", ec_explicit_prime_params_explicit);*/ + # ifndef OPENSSL_NO_EC2M + MAKE_DOMAIN_KEYS(ECExplicitTriNamedCurve, "EC", ec_explicit_tri_params_nc); + MAKE_DOMAIN_KEYS(ECExplicitTri2G, "EC", ec_explicit_tri_params_explicit); +@@ -1389,8 +1389,8 @@ int setup_tests(void) + ADD_TEST_SUITE_LEGACY(EC); + ADD_TEST_SUITE(ECExplicitPrimeNamedCurve); + ADD_TEST_SUITE_LEGACY(ECExplicitPrimeNamedCurve); +- ADD_TEST_SUITE(ECExplicitPrime2G); +- ADD_TEST_SUITE_LEGACY(ECExplicitPrime2G); ++/* ADD_TEST_SUITE(ECExplicitPrime2G);*/ ++/* ADD_TEST_SUITE_LEGACY(ECExplicitPrime2G);*/ + # ifndef OPENSSL_NO_EC2M + ADD_TEST_SUITE(ECExplicitTriNamedCurve); + ADD_TEST_SUITE_LEGACY(ECExplicitTriNamedCurve); +@@ -1427,7 +1427,7 @@ void cleanup_tests(void) + { + #ifndef OPENSSL_NO_EC + OSSL_PARAM_free(ec_explicit_prime_params_nc); +- OSSL_PARAM_free(ec_explicit_prime_params_explicit); ++/* 
OSSL_PARAM_free(ec_explicit_prime_params_explicit);*/ + OSSL_PARAM_BLD_free(bld_prime_nc); + OSSL_PARAM_BLD_free(bld_prime); + # ifndef OPENSSL_NO_EC2M +@@ -1449,7 +1449,7 @@ void cleanup_tests(void) + #ifndef OPENSSL_NO_EC + FREE_DOMAIN_KEYS(EC); + FREE_DOMAIN_KEYS(ECExplicitPrimeNamedCurve); +- FREE_DOMAIN_KEYS(ECExplicitPrime2G); ++/* FREE_DOMAIN_KEYS(ECExplicitPrime2G);*/ + # ifndef OPENSSL_NO_EC2M + FREE_DOMAIN_KEYS(ECExplicitTriNamedCurve); + FREE_DOMAIN_KEYS(ECExplicitTri2G); +diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_ecdsa.txt.disable_explicit_ec openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_ecdsa.txt +--- openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_ecdsa.txt.disable_explicit_ec 2022-03-25 11:20:50.920949208 +0100 ++++ openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_ecdsa.txt 2022-03-25 11:21:13.177147598 +0100 +@@ -121,18 +121,6 @@ AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEB + 3ev1gTwRBduzqqlwd54AUSgI+pjttW8zrWNitO8H1sf59MPWOESKxNtZ1+Nl + -----END PRIVATE KEY----- + +-PrivateKey = EC_EXPLICIT +------BEGIN PRIVATE KEY----- +-MIIBeQIBADCCAQMGByqGSM49AgEwgfcCAQEwLAYHKoZIzj0BAQIhAP////8AAAAB +-AAAAAAAAAAAAAAAA////////////////MFsEIP////8AAAABAAAAAAAAAAAAAAAA +-///////////////8BCBaxjXYqjqT57PrvVV2mIa8ZR0GsMxTsPY7zjw+J9JgSwMV +-AMSdNgiG5wSTamZ44ROdJreBn36QBEEE5JcIvn36opqjEm/k59Al40rBAxWM2TPG +-l0L13Je51zHpfXQ9Z2o7IQicMXP4wSfJ0qCgg2bgydqoxlYrlLGuVQIhAP////8A +-AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEBBG0wawIBAQQgec92jwduadCk +-OjoNRI+YT5Be5TkzZXzYCyTLkMOikDmhRANCAATtECEhQbLEaiUj/Wu0qjcr81lL +-46dx5zYgArz/iaSNJ3W80oO+F7v04jlQ7wxQzg96R0bwKiMeq5CcW9ZFt6xg +------END PRIVATE KEY----- +- + PrivateKey = B-163 + -----BEGIN PRIVATE KEY----- + MGMCAQAwEAYHKoZIzj0CAQYFK4EEAA8ETDBKAgEBBBUDnQW0mLiHVha/jqFznX/K diff --git a/SOURCES/0024-load-legacy-prov.patch b/SOURCES/0024-load-legacy-prov.patch new file mode 100644 index 0000000..c7d2958 --- /dev/null +++ b/SOURCES/0024-load-legacy-prov.patch 
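Review bot: In the d2i_ECPKParameters hunk the new `EC_GROUP_check_named_curve(group, 0, NULL) == NID_undef` branch frees the group and the parameters and returns NULL without raising an error, while the d2i_ECPrivateKey hunk raises EC_R_UNKNOWN_GROUP for the same condition, so callers of the parameters decoder get a failure with an empty error queue and explicit-curve rejections become hard to diagnose; add `ERR_raise(ERR_LIB_EC, EC_R_UNKNOWN_GROUP);` before `EC_GROUP_free(group);` so both decoders report the same way. The check runs for every decoded parameter set, including ones that used a named-curve OID, so guarding it with `params->type == ECPKPARAMETERS_TYPE_EXPLICIT` would presumably avoid a curve-table comparison on the common path — verify that no named-curve input depends on the rejection before narrowing it. A short comment above the check saying that explicit domain parameters are accepted only when they match a built-in named curve (any built-in curve, since `nist_only` is 0) would record the intent of this downstream hardening. Both enclosing functions start and end outside the inner hunks.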
@@ -0,0 +1,75 @@ +diff -up openssl-3.0.0/apps/openssl.cnf.legacy-prov openssl-3.0.0/apps/openssl.cnf +--- openssl-3.0.0/apps/openssl.cnf.legacy-prov 2021-09-09 12:06:40.895793297 +0200 ++++ openssl-3.0.0/apps/openssl.cnf 2021-09-09 12:12:33.947482500 +0200 +@@ -42,36 +42,29 @@ tsa_policy1 = 1.2.3.4.1 + tsa_policy2 = 1.2.3.4.5.6 + tsa_policy3 = 1.2.3.4.5.7 + +-# For FIPS +-# Optionally include a file that is generated by the OpenSSL fipsinstall +-# application. This file contains configuration data required by the OpenSSL +-# fips provider. It contains a named section e.g. [fips_sect] which is +-# referenced from the [provider_sect] below. +-# Refer to the OpenSSL security policy for more information. +-# .include fipsmodule.cnf +- + [openssl_init] + providers = provider_sect + # Load default TLS policy configuration + ssl_conf = ssl_module + +-# List of providers to load +-[provider_sect] +-default = default_sect +-# The fips section name should match the section name inside the +-# included fipsmodule.cnf. +-# fips = fips_sect ++# Uncomment the sections that start with ## below to enable the legacy provider. ++# Loading the legacy provider enables support for the following algorithms: ++# Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160 ++# Symmetric Ciphers: Blowfish, CAST, DES, IDEA, RC2, RC4,RC5, SEED ++# Key Derivation Function (KDF): PBKDF1 ++# In general it is not recommended to use the above mentioned algorithms for ++# security critical operations, as they are cryptographically weak or vulnerable ++# to side-channel attacks and as such have been deprecated. + +-# If no providers are activated explicitly, the default one is activated implicitly. +-# See man 7 OSSL_PROVIDER-default for more details. +-# +-# If you add a section explicitly activating any other provider(s), you most +-# probably need to explicitly activate the default provider, otherwise it +-# becomes unavailable in openssl. 
As a consequence applications depending on +-# OpenSSL may not work correctly which could lead to significant system +-# problems including inability to remotely access the system. +-[default_sect] +-# activate = 1 ++[provider_sect] ++default = default_sect ++##legacy = legacy_sect ++## ++[default_sect] ++activate = 1 ++ ++##[legacy_sect] ++##activate = 1 + + [ ssl_module ] + +diff -up openssl-3.0.0/doc/man5/config.pod.legacy-prov openssl-3.0.0/doc/man5/config.pod +--- openssl-3.0.0/doc/man5/config.pod.legacy-prov 2021-09-09 12:09:38.079040853 +0200 ++++ openssl-3.0.0/doc/man5/config.pod 2021-09-09 12:11:56.646224876 +0200 +@@ -273,6 +273,14 @@ significant. + All parameters in the section as well as sub-sections are made + available to the provider. + ++=head3 Loading the legacy provider ++ ++Uncomment the sections that start with ## in openssl.cnf ++to enable the legacy provider. ++Note: In general it is not recommended to use the above mentioned algorithms for ++security critical operations, as they are cryptographically weak or vulnerable ++to side-channel attacks and as such have been deprecated. ++ + =head3 Default provider and its activation + + If no providers are activated explicitly, the default one is activated implicitly. diff --git a/SOURCES/0025-for-tests.patch b/SOURCES/0025-for-tests.patch new file mode 100644 index 0000000..aef200b --- /dev/null +++ b/SOURCES/0025-for-tests.patch @@ -0,0 +1,18 @@ +diff -up openssl-3.0.0/apps/openssl.cnf.xxx openssl-3.0.0/apps/openssl.cnf +--- openssl-3.0.0/apps/openssl.cnf.xxx 2021-11-23 16:29:50.618691603 +0100 ++++ openssl-3.0.0/apps/openssl.cnf 2021-11-23 16:28:16.872882099 +0100 +@@ -55,11 +55,11 @@ providers = provider_sect + # to side-channel attacks and as such have been deprecated. + + [provider_sect] +-default = default_sect ++##default = default_sect + ##legacy = legacy_sect + ## +-[default_sect] +-activate = 1 ++##[default_sect] ++##activate = 1 + + ##[legacy_sect] + ##activate = 1 
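Review bot: The new `[provider_sect]` comment block in openssl.cnf drops the removed paragraph explaining that explicitly activating any other provider requires the default provider to be activated too; the hunk stays safe because it adds `activate = 1` under `[default_sect]`, but a reader uncommenting `##legacy = legacy_sect` no longer learns why `default = default_sect` must be kept, so a reminder such as `# Keep default_sect active when enabling other providers, or the default algorithms become unavailable.` is worth retaining. The algorithm list is missing a space in `RC4,RC5`, and RIPEMD160 is presumably also available from the default provider in the 3.0.7 base this package imports, so that entry should be re-checked before being documented as legacy-only. The 0025-for-tests hunk edits the same block again and comments out `default = default_sect` and `[default_sect]`, leaving `[provider_sect]` with no active entry so that default activation becomes implicit; if that variant exists only for the test run, a one-line comment in the patch saying so would stop it being mistaken for the shipped configuration.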
diff --git a/SOURCES/0031-tmp-Fix-test-names.patch b/SOURCES/0031-tmp-Fix-test-names.patch new file mode 100644 index 0000000..42b3c0a --- /dev/null +++ b/SOURCES/0031-tmp-Fix-test-names.patch @@ -0,0 +1,40 @@ +diff -up openssl-3.0.0/test/recipes/90-test_sslapi.t.beldmit openssl-3.0.0/test/recipes/90-test_sslapi.t +--- openssl-3.0.0/test/recipes/90-test_sslapi.t.beldmit 2021-09-22 11:56:49.452507975 +0200 ++++ openssl-3.0.0/test/recipes/90-test_sslapi.t 2021-09-22 11:57:19.371764742 +0200 +@@ -40,7 +40,7 @@ unless ($no_fips) { + "recipes", + "90-test_sslapi_data", + "dhparams.pem")])), +- "running sslapitest"); ++ "running sslapitest - FIPS"); + } + + unlink $tmpfilename; +diff --git a/test/sslapitest.c b/test/sslapitest.c +index e95d2657f46c..7af0eab3fce0 100644 +--- a/test/sslapitest.c ++++ b/test/sslapitest.c +@@ -1158,6 +1158,11 @@ static int execute_test_ktls(int cis_ktls, int sis_ktls, + goto end; + } + ++ if (is_fips && strstr(cipher, "CHACHA") != NULL) { ++ testresult = TEST_skip("CHACHA is not supported in FIPS"); ++ goto end; ++ } ++ + /* Create a session based on SHA-256 */ + if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), + TLS_client_method(), +@@ -1292,6 +1297,11 @@ static int execute_test_ktls_sendfile(int tls_version, const char *cipher) + goto end; + } + ++ if (is_fips && strstr(cipher, "CHACHA") != NULL) { ++ testresult = TEST_skip("CHACHA is not supported in FIPS"); ++ goto end; ++ } ++ + /* Create a session based on SHA-256 */ + if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), + TLS_client_method(), diff --git a/SOURCES/0032-Force-fips.patch b/SOURCES/0032-Force-fips.patch new file mode 100644 index 0000000..5f82475 --- /dev/null +++ b/SOURCES/0032-Force-fips.patch 
@@ -0,0 +1,184 @@ +#Note: provider_conf_activate() is introduced in downstream only. It is a rewrite +#(partial) of the function provider_conf_load() under the 'if (activate) section. +#If there is any change to this section, after deleting it in provider_conf_load() +#ensure that you also add those changes to the provider_conf_activate() function. +#additionally please add this check for cnf explicitly as shown below. +#'ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1;' +diff -up openssl-3.0.1/crypto/provider_conf.c.fipsact openssl-3.0.1/crypto/provider_conf.c +--- openssl-3.0.1/crypto/provider_conf.c.fipsact 2022-05-12 12:44:31.199034948 +0200 ++++ openssl-3.0.1/crypto/provider_conf.c 2022-05-12 12:49:17.468318373 +0200 +@@ -36,6 +36,7 @@ static int prov_already_activated(const + #include + #include + #include ++#include + #include + #include + #include +@@ -136,58 +136,18 @@ static int prov_already_activated(const + return 0; + } + +-static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name, +- const char *value, const CONF *cnf) ++static int provider_conf_activate(OSSL_LIB_CTX *libctx,const char *name, ++ const char *value, const char *path, ++ int soft, const CONF *cnf) + { +- int i; +- STACK_OF(CONF_VALUE) *ecmds; +- int soft = 0; +- OSSL_PROVIDER *prov = NULL, *actual = NULL; +- const char *path = NULL; +- long activate = 0; + int ok = 0; +- +- name = skip_dot(name); +- OSSL_TRACE1(CONF, "Configuring provider %s\n", name); +- /* Value is a section containing PROVIDER commands */ +- ecmds = NCONF_get_section(cnf, value); +- +- if (!ecmds) { +- ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR, +- "section=%s not found", value); +- return 0; +- } +- +- /* Find the needed data first */ +- for (i = 0; i < sk_CONF_VALUE_num(ecmds); i++) { +- CONF_VALUE *ecmd = sk_CONF_VALUE_value(ecmds, i); +- const char *confname = skip_dot(ecmd->name); +- const char *confvalue = ecmd->value; +- +- OSSL_TRACE2(CONF, "Provider command: %s 
= %s\n", +- confname, confvalue); +- +- /* First handle some special pseudo confs */ +- +- /* Override provider name to use */ +- if (strcmp(confname, "identity") == 0) +- name = confvalue; +- else if (strcmp(confname, "soft_load") == 0) +- soft = 1; +- /* Load a dynamic PROVIDER */ +- else if (strcmp(confname, "module") == 0) +- path = confvalue; +- else if (strcmp(confname, "activate") == 0) +- activate = 1; +- } +- +- if (activate) { +- PROVIDER_CONF_GLOBAL *pcgbl +- = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX, +- &provider_conf_ossl_ctx_method); ++ OSSL_PROVIDER *prov = NULL, *actual = NULL; ++ PROVIDER_CONF_GLOBAL *pcgbl ++ = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX, ++ &provider_conf_ossl_ctx_method); + + if (pcgbl == NULL || !CRYPTO_THREAD_write_lock(pcgbl->lock)) { +- ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR); ++ ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR); + return 0; + } + if (!prov_already_activated(name, pcgbl->activated_providers)) { +@@ -216,7 +176,7 @@ static int provider_conf_load(OSSL_LIB_C + if (path != NULL) + ossl_provider_set_module_path(prov, path); + +- ok = provider_conf_params(prov, NULL, NULL, value, cnf); ++ ok = cnf ? 
provider_conf_params(prov, NULL, NULL, value, cnf) : 1; + + if (ok) { + if (!ossl_provider_activate(prov, 1, 0)) { +@@ -244,8 +204,59 @@ static int provider_conf_load(OSSL_LIB_C + } + if (!ok) + ossl_provider_free(prov); ++ } else { /* No reason to activate the provider twice, returning OK */ ++ ok = 1; + } + CRYPTO_THREAD_unlock(pcgbl->lock); ++ return ok; ++} ++ ++static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name, ++ const char *value, const CONF *cnf) ++{ ++ int i; ++ STACK_OF(CONF_VALUE) *ecmds; ++ int soft = 0; ++ const char *path = NULL; ++ long activate = 0; ++ int ok = 0; ++ ++ name = skip_dot(name); ++ OSSL_TRACE1(CONF, "Configuring provider %s\n", name); ++ /* Value is a section containing PROVIDER commands */ ++ ecmds = NCONF_get_section(cnf, value); ++ ++ if (!ecmds) { ++ ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR, ++ "section=%s not found", value); ++ return 0; ++ } ++ ++ /* Find the needed data first */ ++ for (i = 0; i < sk_CONF_VALUE_num(ecmds); i++) { ++ CONF_VALUE *ecmd = sk_CONF_VALUE_value(ecmds, i); ++ const char *confname = skip_dot(ecmd->name); ++ const char *confvalue = ecmd->value; ++ ++ OSSL_TRACE2(CONF, "Provider command: %s = %s\n", ++ confname, confvalue); ++ ++ /* First handle some special pseudo confs */ ++ ++ /* Override provider name to use */ ++ if (strcmp(confname, "identity") == 0) ++ name = confvalue; ++ else if (strcmp(confname, "soft_load") == 0) ++ soft = 1; ++ /* Load a dynamic PROVIDER */ ++ else if (strcmp(confname, "module") == 0) ++ path = confvalue; ++ else if (strcmp(confname, "activate") == 0) ++ activate = 1; ++ } ++ ++ if (activate) { ++ ok = provider_conf_activate(libctx, name, value, path, soft, cnf); + } else { + OSSL_PROVIDER_INFO entry; + +@@ -306,6 +317,30 @@ static int provider_conf_init(CONF_IMODU + return 0; + } + ++ if (ossl_get_kernel_fips_flag() != 0) { /* XXX from provider_conf_load */ ++ OSSL_LIB_CTX *libctx = NCONF_get0_libctx((CONF *)cnf); ++# define 
FIPS_LOCAL_CONF OPENSSLDIR "/fips_local.cnf" ++ ++ if (access(FIPS_LOCAL_CONF, R_OK) == 0) { ++ CONF *fips_conf = NCONF_new_ex(libctx, NCONF_default()); ++ if (NCONF_load(fips_conf, FIPS_LOCAL_CONF, NULL) <= 0) ++ return 0; ++ ++ if (provider_conf_load(libctx, "fips", "fips_sect", fips_conf) != 1) { ++ NCONF_free(fips_conf); ++ return 0; ++ } ++ NCONF_free(fips_conf); ++ } else { ++ if (provider_conf_activate(libctx, "fips", NULL, NULL, 0, NULL) != 1) ++ return 0; ++ } ++ if (provider_conf_activate(libctx, "base", NULL, NULL, 0, NULL) != 1) ++ return 0; ++ if (EVP_default_properties_enable_fips(libctx, 1) != 1) ++ return 0; ++ } ++ + return 1; + } + diff --git a/SOURCES/0033-FIPS-embed-hmac.patch b/SOURCES/0033-FIPS-embed-hmac.patch new file mode 100644 index 0000000..484a75e --- /dev/null +++ b/SOURCES/0033-FIPS-embed-hmac.patch 
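Review bot: In the new kernel-FIPS block of `provider_conf_init` the result of `CONF *fips_conf = NCONF_new_ex(libctx, NCONF_default());` is passed to `NCONF_load` without a NULL check, and when `NCONF_load` fails the function returns 0 without `NCONF_free(fips_conf)`, so the CONF object leaks on that path. The `access(FIPS_LOCAL_CONF, R_OK)` probe followed by the load is a check-then-use pair: a file that disappears or loses permissions between the two calls turns what was meant as a soft fallback into a hard `return 0` for library initialisation, which is acceptable but deserves a comment stating that a present-but-unreadable fips_local.cnf is treated as fatal. The `# define FIPS_LOCAL_CONF` inside the function body and the `/* XXX from provider_conf_load */` tag read like leftovers; the note at the top of this patch already explains why `provider_conf_activate` duplicates part of `provider_conf_load`, so moving the define to file scope and replacing the XXX with a reference to that note would be cleaner. `provider_conf_init` starts outside the hunk.

```c
    if (access(FIPS_LOCAL_CONF, R_OK) == 0) {
        CONF *fips_conf = NCONF_new_ex(libctx, NCONF_default());

        if (fips_conf == NULL)
            return 0;
        if (NCONF_load(fips_conf, FIPS_LOCAL_CONF, NULL) <= 0
            || provider_conf_load(libctx, "fips", "fips_sect", fips_conf) != 1) {
            NCONF_free(fips_conf);
            return 0;
        }
        NCONF_free(fips_conf);
    } else {
        /* … unchanged: provider_conf_activate(libctx, "fips", ...) fallback … */
    }
```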
@@ -0,0 +1,204 @@ +diff -up openssl-3.0.7/providers/fips/self_test.c.embed-hmac openssl-3.0.7/providers/fips/self_test.c +--- openssl-3.0.7/providers/fips/self_test.c.embed-hmac 2023-01-05 10:03:44.864869710 +0100 ++++ openssl-3.0.7/providers/fips/self_test.c 2023-01-05 10:15:17.041606472 +0100 +@@ -172,11 +172,27 @@ DEP_FINI_ATTRIBUTE void cleanup(void) + } + #endif + ++#define HMAC_LEN 32 ++/* ++ * The __attribute__ ensures we've created the .rodata1 section ++ * static ensures it's zero filled ++*/ ++static const unsigned char __attribute__ ((section (".rodata1"))) fips_hmac_container[HMAC_LEN] = {0}; ++ + /* + * Calculate the HMAC SHA256 of data read using a BIO and read_cb, and verify + * the result matches the expected value. + * Return 1 if verified, or 0 if it fails. + */ ++#ifndef __USE_GNU ++#define __USE_GNU ++#include ++#undef __USE_GNU ++#else ++#include ++#endif ++#include ++ + static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex_cb, + unsigned char *expected, size_t expected_len, + OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev, +@@ -189,9 +205,20 @@ static int verify_integrity(OSSL_CORE_BI + EVP_MAC *mac = NULL; + EVP_MAC_CTX *ctx = NULL; + OSSL_PARAM params[2], *p = params; ++ Dl_info info; ++ void *extra_info = NULL; ++ struct link_map *lm = NULL; ++ unsigned long paddr; ++ unsigned long off = 0; + + OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC); + ++ if (!dladdr1 ((const void *)fips_hmac_container, ++ &info, &extra_info, RTLD_DL_LINKMAP)) ++ goto err; ++ lm = extra_info; ++ paddr = (unsigned long)fips_hmac_container - lm->l_addr; ++ + mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL); + if (mac == NULL) + goto err; +@@ -205,13 +233,42 @@ static int verify_integrity(OSSL_CORE_BI + if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params)) + goto err; + +- while (1) { +- status = read_ex_cb(bio, buf, sizeof(buf), &bytes_read); ++ while ((off + INTEGRITY_BUF_SIZE) <= paddr) { ++ status = 
read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read); + if (status != 1) + break; + if (!EVP_MAC_update(ctx, buf, bytes_read)) + goto err; ++ off += bytes_read; + } ++ ++ if (off + INTEGRITY_BUF_SIZE > paddr) { ++ int delta = paddr - off; ++ status = read_ex_cb(bio, buf, delta, &bytes_read); ++ if (status != 1) ++ goto err; ++ if (!EVP_MAC_update(ctx, buf, bytes_read)) ++ goto err; ++ off += bytes_read; ++ ++ status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read); ++ memset(buf, 0, HMAC_LEN); ++ if (status != 1) ++ goto err; ++ if (!EVP_MAC_update(ctx, buf, bytes_read)) ++ goto err; ++ off += bytes_read; ++ } ++ ++ while (bytes_read > 0) { ++ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read); ++ if (status != 1) ++ break; ++ if (!EVP_MAC_update(ctx, buf, bytes_read)) ++ goto err; ++ off += bytes_read; ++ } ++ + if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out))) + goto err; + +@@ -285,8 +342,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS + CRYPTO_THREAD_unlock(fips_state_lock); + } + +- if (st == NULL +- || st->module_checksum_data == NULL) { ++ if (st == NULL) { + ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA); + goto end; + } +@@ -305,8 +361,9 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS + if (ev == NULL) + goto end; + +- module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data, +- &checksum_len); ++ module_checksum = fips_hmac_container; ++ checksum_len = sizeof(fips_hmac_container); ++ + if (module_checksum == NULL) { + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA); + goto end; +@@ -356,7 +413,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS + ok = 1; + end: + OSSL_SELF_TEST_free(ev); +- OPENSSL_free(module_checksum); + OPENSSL_free(indicator_checksum); + + if (st != NULL) { +diff -ruN openssl-3.0.0/test/recipes/00-prep_fipsmodule_cnf.t openssl-3.0.0-xxx/test/recipes/00-prep_fipsmodule_cnf.t +--- openssl-3.0.0/test/recipes/00-prep_fipsmodule_cnf.t 2021-09-07 13:46:32.000000000 +0200 ++++ 
openssl-3.0.0-xxx/test/recipes/00-prep_fipsmodule_cnf.t 2021-11-18 09:39:53.386817874 +0100 +@@ -20,7 +20,7 @@ + use lib bldtop_dir('.'); + use platform; + +-my $no_check = disabled("fips"); ++my $no_check = 1; + plan skip_all => "FIPS module config file only supported in a fips build" + if $no_check; + +diff -ruN openssl-3.0.0/test/recipes/01-test_fipsmodule_cnf.t openssl-3.0.0-xxx/test/recipes/01-test_fipsmodule_cnf.t +--- openssl-3.0.0/test/recipes/01-test_fipsmodule_cnf.t 2021-09-07 13:46:32.000000000 +0200 ++++ openssl-3.0.0-xxx/test/recipes/01-test_fipsmodule_cnf.t 2021-11-18 09:59:02.315619486 +0100 +@@ -23,7 +23,7 @@ + use lib bldtop_dir('.'); + use platform; + +-my $no_check = disabled("fips"); ++my $no_check = 1; + plan skip_all => "Test only supported in a fips build" + if $no_check; + plan tests => 1; +diff -ruN openssl-3.0.0/test/recipes/03-test_fipsinstall.t openssl-3.0.0-xxx/test/recipes/03-test_fipsinstall.t +--- openssl-3.0.0/test/recipes/03-test_fipsinstall.t 2021-09-07 13:46:32.000000000 +0200 ++++ openssl-3.0.0-xxx/test/recipes/03-test_fipsinstall.t 2021-11-18 09:59:55.365072074 +0100 +@@ -22,7 +22,7 @@ + use lib bldtop_dir('.'); + use platform; + +-plan skip_all => "Test only supported in a fips build" if disabled("fips"); ++plan skip_all => "Test only supported in a fips build" if 1; + + plan tests => 29; + +diff -ruN openssl-3.0.0/test/recipes/30-test_defltfips.t openssl-3.0.0-xxx/test/recipes/30-test_defltfips.t +--- openssl-3.0.0/test/recipes/30-test_defltfips.t 2021-09-07 13:46:32.000000000 +0200 ++++ openssl-3.0.0-xxx/test/recipes/30-test_defltfips.t 2021-11-18 10:22:54.179659682 +0100 +@@ -21,7 +21,7 @@ + use lib srctop_dir('Configurations'); + use lib bldtop_dir('.'); + +-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); ++my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0); + + plan tests => + ($no_fips ? 
1 : 5); +diff -ruN openssl-3.0.0/test/recipes/80-test_ssl_new.t openssl-3.0.0-xxx/test/recipes/80-test_ssl_new.t +--- openssl-3.0.0/test/recipes/80-test_ssl_new.t 2021-09-07 13:46:32.000000000 +0200 ++++ openssl-3.0.0-xxx/test/recipes/80-test_ssl_new.t 2021-11-18 10:18:53.391721164 +0100 +@@ -23,7 +23,7 @@ + use lib srctop_dir('Configurations'); + use lib bldtop_dir('.'); + +-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); ++my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0); + + $ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs"); + +diff -ruN openssl-3.0.0/test/recipes/90-test_sslapi.t openssl-3.0.0-xxx/test/recipes/90-test_sslapi.t +--- openssl-3.0.0/test/recipes/90-test_sslapi.t 2021-11-18 10:32:17.734196705 +0100 ++++ openssl-3.0.0-xxx/test/recipes/90-test_sslapi.t 2021-11-18 10:18:30.695538445 +0100 +@@ -18,7 +18,7 @@ + use lib srctop_dir('Configurations'); + use lib bldtop_dir('.'); + +-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); ++my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0); + + plan skip_all => "No TLS/SSL protocols are supported by this OpenSSL build" + if alldisabled(grep { $_ ne "ssl3" } available_protocols("tls")); +--- /dev/null 2021-11-16 15:27:32.915000000 +0100 ++++ openssl-3.0.0/test/fipsmodule.cnf 2021-11-18 11:15:34.538060408 +0100 +@@ -0,0 +1,2 @@ ++[fips_sect] ++activate = 1 diff --git a/SOURCES/0034.fipsinstall_disable.patch b/SOURCES/0034.fipsinstall_disable.patch new file mode 100644 index 0000000..c4f9efd --- /dev/null +++ b/SOURCES/0034.fipsinstall_disable.patch 
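Review bot: In the verify_integrity hunk the block that skips the embedded HMAC assumes full reads: after `status = read_ex_cb(bio, buf, delta, &bytes_read);` and again after `status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read);` only `status` is checked, so a short read would leave part of `fips_hmac_container` (or bytes before it) to be hashed as ordinary module data by the following loop; the mismatch still fails closed, but it is indistinguishable from a corrupted module, so tighten both to `if (status != 1 || bytes_read != (size_t)delta) goto err;` and `if (status != 1 || bytes_read != HMAC_LEN) goto err;`. The offset computation `paddr = (unsigned long)fips_hmac_container - lm->l_addr;` treats the load-address offset as the file offset, which only holds when the segment containing `.rodata1` is mapped with equal p_vaddr and p_offset — a comment recording that linker assumption would help, since a divergence would again surface only as an HMAC mismatch. In the SELF_TEST_post hunk the check `if (module_checksum == NULL)` is now dead code because `fips_hmac_container` is a static array; checking instead that the container is not all zeros would let a module that was never post-processed report PROV_R_INVALID_CONFIG_DATA rather than a generic integrity failure. The same patch hard-codes `my $no_check = 1;` and `my $no_fips = 1;` in the fipsmodule, fipsinstall and SSL FIPS recipes, so none of them exercise the embedded-HMAC path during the build; if that coverage lives elsewhere, a comment naming where would help the next maintainer. verify_integrity and SELF_TEST_post are only partly visible in the inner hunks.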
@@ -0,0 +1,406 @@ +diff -up openssl-3.0.0/apps/fipsinstall.c.xxx openssl-3.0.0/apps/fipsinstall.c +--- openssl-3.0.0/apps/fipsinstall.c.xxx 2021-11-22 13:09:28.232560235 +0100 ++++ openssl-3.0.0/apps/fipsinstall.c 2021-11-22 13:12:22.272058910 +0100 +@@ -311,6 +311,9 @@ int fipsinstall_main(int argc, char **ar + EVP_MAC *mac = NULL; + CONF *conf = NULL; + ++ BIO_printf(bio_err, "This command is not enabled in the Red Hat Enterprise Linux OpenSSL build, please consult Red Hat documentation to learn how to enable FIPS mode\n"); ++ return 1; ++ + if ((opts = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; + +diff -up openssl-3.0.0/doc/man1/openssl.pod.xxx openssl-3.0.0/doc/man1/openssl.pod +--- openssl-3.0.0/doc/man1/openssl.pod.xxx 2021-11-22 13:18:51.081406990 +0100 ++++ openssl-3.0.0/doc/man1/openssl.pod 2021-11-22 13:19:02.897508738 +0100 +@@ -158,10 +158,6 @@ Engine (loadable module) information and + + Error Number to Error String Conversion. + +-=item B +- +-FIPS configuration installation. +- + =item B + + Generation of DSA Private Key from Parameters. Superseded by +diff -up openssl-3.0.0/doc/man5/config.pod.xxx openssl-3.0.0/doc/man5/config.pod +--- openssl-3.0.0/doc/man5/config.pod.xxx 2021-11-22 13:24:51.359509501 +0100 ++++ openssl-3.0.0/doc/man5/config.pod 2021-11-22 13:26:02.360121820 +0100 +@@ -573,7 +573,6 @@ configuration files using that syntax wi + =head1 SEE ALSO + + L, L, L, +-L, + L, + L, + L, +diff -up openssl-3.0.0/doc/man5/fips_config.pod.xxx openssl-3.0.0/doc/man5/fips_config.pod +--- openssl-3.0.0/doc/man5/fips_config.pod.xxx 2021-11-22 13:21:13.812636065 +0100 ++++ openssl-3.0.0/doc/man5/fips_config.pod 2021-11-22 13:24:12.278172847 +0100 +@@ -6,106 +6,10 @@ fips_config - OpenSSL FIPS configuration + + =head1 DESCRIPTION + +-A separate configuration file, using the OpenSSL L syntax, +-is used to hold information about the FIPS module. This includes a digest +-of the shared library file, and status about the self-testing. 
+-This data is used automatically by the module itself for two +-purposes: +- +-=over 4 +- +-=item - Run the startup FIPS self-test known answer tests (KATS). +- +-This is normally done once, at installation time, but may also be set up to +-run each time the module is used. +- +-=item - Verify the module's checksum. +- +-This is done each time the module is used. +- +-=back +- +-This file is generated by the L program, and +-used internally by the FIPS module during its initialization. +- +-The following options are supported. They should all appear in a section +-whose name is identified by the B option in the B +-section, as described in L. +- +-=over 4 +- +-=item B +- +-If present, the module is activated. The value assigned to this name is not +-significant. +- +-=item B +- +-A version number for the fips install process. Should be 1. +- +-=item B +- +-The FIPS module normally enters an internal error mode if any self test fails. +-Once this error mode is active, no services or cryptographic algorithms are +-accessible from this point on. +-Continuous tests are a subset of the self tests (e.g., a key pair test during key +-generation, or the CRNG output test). +-Setting this value to C<0> allows the error mode to not be triggered if any +-continuous test fails. The default value of C<1> will trigger the error mode. +-Regardless of the value, the operation (e.g., key generation) that called the +-continuous test will return an error code if its continuous test fails. The +-operation may then be retried if the error mode has not been triggered. +- +-=item B +- +-This indicates if run-time checks related to enforcement of security parameters +-such as minimum security strength of keys and approved curve names are used. +-A value of '1' will perform the checks, otherwise if the value is '0' the checks +-are not performed and FIPS compliance must be done by procedures documented in +-the relevant Security Policy. 
+- +-=item B +- +-The calculated MAC of the FIPS provider file. +- +-=item B +- +-An indicator that the self-tests were successfully run. +-This should only be written after the module has +-successfully passed its self tests during installation. +-If this field is not present, then the self tests will run when the module +-loads. +- +-=item B +- +-A MAC of the value of the B option, to prevent accidental +-changes to that value. +-It is written-to at the same time as B is updated. +- +-=back +- +-For example: +- +- [fips_sect] +- activate = 1 +- install-version = 1 +- conditional-errors = 1 +- security-checks = 1 +- module-mac = 41:D0:FA:C2:5D:41:75:CD:7D:C3:90:55:6F:A4:DC +- install-mac = FE:10:13:5A:D3:B4:C7:82:1B:1E:17:4C:AC:84:0C +- install-status = INSTALL_SELF_TEST_KATS_RUN +- +-=head1 NOTES +- +-When using the FIPS provider, it is recommended that the +-B option is enabled to prevent accidental use of +-non-FIPS validated algorithms via broken or mistaken configuration. +-See L. +- +-=head1 SEE ALSO +- +-L +-L ++This command is disabled in Red Hat Enterprise Linux. The FIPS provider is ++automatically loaded when the system is booted in FIPS mode, or when the ++environment variable B is set. See the documentation ++for more information. 
+ + =head1 COPYRIGHT + +diff -up openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod.xxx openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod +--- openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod.xxx 2021-11-22 13:18:13.850086386 +0100 ++++ openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod 2021-11-22 13:18:24.607179038 +0100 +@@ -388,7 +388,6 @@ A simple self test callback is shown bel + + =head1 SEE ALSO + +-L, + L, + L, + L, +diff -up openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in.embed-hmac openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in +--- openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in.embed-hmac 2022-01-11 13:26:33.279906225 +0100 ++++ openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in 2022-01-11 13:33:18.757994419 +0100 +@@ -8,236 +8,11 @@ openssl-fipsinstall - perform FIPS confi + =head1 SYNOPSIS + + B +-[B<-help>] +-[B<-in> I] +-[B<-out> I] +-[B<-module> I] +-[B<-provider_name> I] +-[B<-section_name> I] +-[B<-verify>] +-[B<-mac_name> I] +-[B<-macopt> I:I] +-[B<-noout>] +-[B<-quiet>] +-[B<-no_conditional_errors>] +-[B<-no_security_checks>] +-[B<-self_test_onload>] +-[B<-corrupt_desc> I] +-[B<-corrupt_type> I] +-[B<-config> I] + + =head1 DESCRIPTION +- +-This command is used to generate a FIPS module configuration file. +-This configuration file can be used each time a FIPS module is loaded +-in order to pass data to the FIPS module self tests. The FIPS module always +-verifies its MAC, but optionally only needs to run the KAT's once, +-at installation. +- +-The generated configuration file consists of: +- +-=over 4 +- +-=item - A MAC of the FIPS module file. +- +-=item - A test status indicator. +- +-This indicates if the Known Answer Self Tests (KAT's) have successfully run. +- +-=item - A MAC of the status indicator. +- +-=item - A control for conditional self tests errors. 
+- +-By default if a continuous test (e.g a key pair test) fails then the FIPS module +-will enter an error state, and no services or cryptographic algorithms will be +-able to be accessed after this point. +-The default value of '1' will cause the fips module error state to be entered. +-If the value is '0' then the module error state will not be entered. +-Regardless of whether the error state is entered or not, the current operation +-(e.g. key generation) will return an error. The user is responsible for retrying +-the operation if the module error state is not entered. +- +-=item - A control to indicate whether run-time security checks are done. +- +-This indicates if run-time checks related to enforcement of security parameters +-such as minimum security strength of keys and approved curve names are used. +-The default value of '1' will perform the checks. +-If the value is '0' the checks are not performed and FIPS compliance must +-be done by procedures documented in the relevant Security Policy. +- +-=back +- +-This file is described in L. +- +-=head1 OPTIONS +- +-=over 4 +- +-=item B<-help> +- +-Print a usage message. +- +-=item B<-module> I +- +-Filename of the FIPS module to perform an integrity check on. +-The path provided in the filename is used to load the module when it is +-activated, and this overrides the environment variable B. +- +-=item B<-out> I +- +-Filename to output the configuration data to; the default is standard output. +- +-=item B<-in> I +- +-Input filename to load configuration data from. +-Must be used if the B<-verify> option is specified. +- +-=item B<-verify> +- +-Verify that the input configuration file contains the correct information. +- +-=item B<-provider_name> I +- +-Name of the provider inside the configuration file. +-The default value is C. +- +-=item B<-section_name> I +- +-Name of the section inside the configuration file. +-The default value is C. 
+- +-=item B<-mac_name> I +- +-Specifies the name of a supported MAC algorithm which will be used. +-The MAC mechanisms that are available will depend on the options +-used when building OpenSSL. +-To see the list of supported MAC's use the command +-C. The default is B. +- +-=item B<-macopt> I:I +- +-Passes options to the MAC algorithm. +-A comprehensive list of controls can be found in the EVP_MAC implementation +-documentation. +-Common control strings used for this command are: +- +-=over 4 +- +-=item B:I +- +-Specifies the MAC key as an alphanumeric string (use if the key contains +-printable characters only). +-The string length must conform to any restrictions of the MAC algorithm. +-A key must be specified for every MAC algorithm. +-If no key is provided, the default that was specified when OpenSSL was +-configured is used. +- +-=item B:I +- +-Specifies the MAC key in hexadecimal form (two hex digits per byte). +-The key length must conform to any restrictions of the MAC algorithm. +-A key must be specified for every MAC algorithm. +-If no key is provided, the default that was specified when OpenSSL was +-configured is used. +- +-=item B:I +- +-Used by HMAC as an alphanumeric string (use if the key contains printable +-characters only). +-The string length must conform to any restrictions of the MAC algorithm. +-To see the list of supported digests, use the command +-C. +-The default digest is SHA-256. +- +-=back +- +-=item B<-noout> +- +-Disable logging of the self tests. +- +-=item B<-no_conditional_errors> +- +-Configure the module to not enter an error state if a conditional self test +-fails as described above. +- +-=item B<-no_security_checks> +- +-Configure the module to not perform run-time security checks as described above. +- +-=item B<-self_test_onload> +- +-Do not write the two fields related to the "test status indicator" and +-"MAC status indicator" to the output configuration file. 
Without these fields +-the self tests KATS will run each time the module is loaded. This option could be +-used for cross compiling, since the self tests need to run at least once on each +-target machine. Once the self tests have run on the target machine the user +-could possibly then add the 2 fields into the configuration using some other +-mechanism. +- +-=item B<-quiet> +- +-Do not output pass/fail messages. Implies B<-noout>. +- +-=item B<-corrupt_desc> I, +-B<-corrupt_type> I +- +-The corrupt options can be used to test failure of one or more self tests by +-name. +-Either option or both may be used to select the tests to corrupt. +-Refer to the entries for B and B in L for +-values that can be used. +- +-=item B<-config> I +- +-Test that a FIPS provider can be loaded from the specified configuration file. +-A previous call to this application needs to generate the extra configuration +-data that is included by the base C configuration file. +-See L for further information on how to set up a provider section. +-All other options are ignored if '-config' is used. +- +-=back +- +-=head1 NOTES +- +-Self tests results are logged by default if the options B<-quiet> and B<-noout> +-are not specified, or if either of the options B<-corrupt_desc> or +-B<-corrupt_type> are used. +-If the base configuration file is set up to autoload the fips module, then the +-fips module will be loaded and self tested BEFORE the fipsinstall application +-has a chance to set up its own self test callback. As a result of this the self +-test output and the options B<-corrupt_desc> and B<-corrupt_type> will be ignored. +-For normal usage the base configuration file should use the default provider +-when generating the fips configuration file. 
+- +-=head1 EXAMPLES +- +-Calculate the mac of a FIPS module F and run a FIPS self test +-for the module, and save the F configuration file: +- +- openssl fipsinstall -module ./fips.so -out fips.cnf -provider_name fips +- +-Verify that the configuration file F contains the correct info: +- +- openssl fipsinstall -module ./fips.so -in fips.cnf -provider_name fips -verify +- +-Corrupt any self tests which have the description C: +- +- openssl fipsinstall -module ./fips.so -out fips.cnf -provider_name fips \ +- -corrupt_desc 'SHA1' +- +-Validate that the fips module can be loaded from a base configuration file: +- +- export OPENSSL_CONF_INCLUDE= +- export OPENSSL_MODULES= +- openssl fipsinstall -config' 'default.cnf' +- +- +-=head1 SEE ALSO +- +-L, +-L, +-L, +-L ++This command is disabled. ++Please consult Red Hat Enterprise Linux documentation to learn how to correctly ++enable FIPS mode on Red Hat Enterprise + + =head1 COPYRIGHT + diff --git a/SOURCES/0035-speed-skip-unavailable-dgst.patch b/SOURCES/0035-speed-skip-unavailable-dgst.patch new file mode 100644 index 0000000..9256f7f --- /dev/null +++ b/SOURCES/0035-speed-skip-unavailable-dgst.patch @@ -0,0 +1,13 @@ +diff -up openssl-3.0.0/apps/speed.c.beldmit openssl-3.0.0/apps/speed.c +--- openssl-3.0.0/apps/speed.c.beldmit 2021-12-21 15:14:04.210431584 +0100 ++++ openssl-3.0.0/apps/speed.c 2021-12-21 15:46:05.554085125 +0100 +@@ -547,6 +547,9 @@ static int EVP_MAC_loop(int algindex, vo + for (count = 0; COND(c[algindex][testnum]); count++) { + size_t outl; + ++ if (mctx == NULL) ++ return -1; ++ + if (!EVP_MAC_init(mctx, NULL, 0, NULL) + || !EVP_MAC_update(mctx, buf, lengths[testnum]) + || !EVP_MAC_final(mctx, mac, &outl, sizeof(mac))) diff --git a/SOURCES/0044-FIPS-140-3-keychecks.patch b/SOURCES/0044-FIPS-140-3-keychecks.patch new file mode 100644 index 0000000..67cbd6d --- /dev/null +++ b/SOURCES/0044-FIPS-140-3-keychecks.patch 
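Review bot: The `mctx == NULL` guard is placed inside the per-iteration benchmark loop of `EVP_MAC_loop`, so it is re-evaluated on every pass although nothing in the loop modifies `mctx`; hoisting it to just before `for (count = 0; COND(c[algindex][testnum]); count++) {` as `if (mctx == NULL) return -1;` keeps the timed loop free of the check while giving the same result. The start of `EVP_MAC_loop` and the code after the loop are outside the hunk, so whether the caller already treats `-1` the same way as the failure returns of the other loop functions cannot be confirmed here.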
@@ -0,0 +1,390 @@ +diff -up openssl-3.0.1/crypto/dh/dh_key.c.fips3 openssl-3.0.1/crypto/dh/dh_key.c +--- openssl-3.0.1/crypto/dh/dh_key.c.fips3 2022-07-18 16:01:41.159543735 +0200 ++++ openssl-3.0.1/crypto/dh/dh_key.c 2022-07-18 16:24:30.251388248 +0200 +@@ -43,6 +43,9 @@ int ossl_dh_compute_key(unsigned char *k + BN_MONT_CTX *mont = NULL; + BIGNUM *z = NULL, *pminus1; + int ret = -1; ++#ifdef FIPS_MODULE ++ int validate = 0; ++#endif + + if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) { + ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE); +@@ -54,6 +57,13 @@ int ossl_dh_compute_key(unsigned char *k + return 0; + } + ++#ifdef FIPS_MODULE ++ if (DH_check_pub_key(dh, pub_key, &validate) <= 0) { ++ ERR_raise(ERR_LIB_DH, DH_R_CHECK_PUBKEY_INVALID); ++ return 0; ++ } ++#endif ++ + ctx = BN_CTX_new_ex(dh->libctx); + if (ctx == NULL) + goto err; +@@ -262,6 +272,9 @@ static int generate_key(DH *dh) + #endif + BN_CTX *ctx = NULL; + BIGNUM *pub_key = NULL, *priv_key = NULL; ++#ifdef FIPS_MODULE ++ int validate = 0; ++#endif + + if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) { + ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE); +@@ -354,8 +367,21 @@ static int generate_key(DH *dh) + if (!ossl_dh_generate_public_key(ctx, dh, priv_key, pub_key)) + goto err; + ++#ifdef FIPS_MODULE ++ if (DH_check_pub_key(dh, pub_key, &validate) <= 0) { ++ ERR_raise(ERR_LIB_DH, DH_R_CHECK_PUBKEY_INVALID); ++ goto err; ++ } ++#endif ++ + dh->pub_key = pub_key; + dh->priv_key = priv_key; ++#ifdef FIPS_MODULE ++ if (ossl_dh_check_pairwise(dh) <= 0) { ++ abort(); ++ } ++#endif ++ + dh->dirty_cnt++; + ok = 1; + err: +diff -up openssl-3.0.7/crypto/ec/ec_key.c.f188 openssl-3.0.7/crypto/ec/ec_key.c +--- openssl-3.0.7/crypto/ec/ec_key.c.f188 2023-11-08 10:58:05.910031253 +0100 ++++ openssl-3.0.7/crypto/ec/ec_key.c 2023-11-08 10:59:42.338526883 +0100 +@@ -326,6 +326,11 @@ static int ec_generate_key(EC_KEY *eckey + eckey->dirty_cnt++; + + #ifdef FIPS_MODULE ++ if 
(ossl_ec_key_public_check(eckey, ctx) <= 0) { ++ ERR_raise(ERR_LIB_EC, EC_R_INVALID_KEY); ++ goto err; ++ } ++ + pairwise_test = 1; + #endif /* FIPS_MODULE */ + +diff -up openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c.fips3 openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c +--- openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c.fips3 2022-07-25 13:42:46.814952053 +0200 ++++ openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c 2022-07-25 13:52:12.292065706 +0200 +@@ -488,6 +488,25 @@ int ecdh_plain_derive(void *vpecdhctx, u + } + + ppubkey = EC_KEY_get0_public_key(pecdhctx->peerk); ++#ifdef FIPS_MODULE ++ { ++ BN_CTX *bn_ctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(privk)); ++ int check = 0; ++ ++ if (bn_ctx == NULL) { ++ ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); ++ goto end; ++ } ++ ++ check = ossl_ec_key_public_check(pecdhctx->peerk, bn_ctx); ++ BN_CTX_free(bn_ctx); ++ ++ if (check <= 0) { ++ ERR_raise(ERR_LIB_PROV, EC_R_INVALID_PEER_KEY); ++ goto end; ++ } ++ } ++#endif + + retlen = ECDH_compute_key(secret, size, ppubkey, privk, NULL); + +diff -up openssl-3.0.7/providers/implementations/keymgmt/ec_kmgmt.c.pairwise openssl-3.0.7/providers/implementations/keymgmt/ec_kmgmt.c +--- openssl-3.0.7/providers/implementations/keymgmt/ec_kmgmt.c.pairwise 2023-02-20 11:44:18.451884117 +0100 ++++ openssl-3.0.7/providers/implementations/keymgmt/ec_kmgmt.c 2023-02-20 12:39:46.037063842 +0100 +@@ -982,8 +982,17 @@ struct ec_gen_ctx { + int selection; + int ecdh_mode; + EC_GROUP *gen_group; ++#ifdef FIPS_MODULE ++ void *ecdsa_sig_ctx; ++#endif + }; + ++#ifdef FIPS_MODULE ++void *ecdsa_newctx(void *provctx, const char *propq); ++void ecdsa_freectx(void *vctx); ++int do_ec_pct(void *, const char *, void *); ++#endif ++ + static void *ec_gen_init(void *provctx, int selection, + const OSSL_PARAM params[]) + { +@@ -1002,6 +1011,10 @@ static void *ec_gen_init(void *provctx, + OPENSSL_free(gctx); + gctx = NULL; + } ++#ifdef FIPS_MODULE ++ if 
(gctx != NULL) ++ gctx->ecdsa_sig_ctx = ecdsa_newctx(provctx, NULL); ++#endif + return gctx; + } + +@@ -1272,6 +1285,12 @@ static void *ec_gen(void *genctx, OSSL_C + + if (gctx->ecdh_mode != -1) + ret = ret && ossl_ec_set_ecdh_cofactor_mode(ec, gctx->ecdh_mode); ++#ifdef FIPS_MODULE ++ /* Pairwise consistency test */ ++ if ((gctx->selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0 ++ && do_ec_pct(gctx->ecdsa_sig_ctx, "sha256", ec) != 1) ++ abort(); ++#endif + + if (gctx->group_check != NULL) + ret = ret && ossl_ec_set_check_group_type_from_name(ec, gctx->group_check); +@@ -1341,7 +1359,10 @@ static void ec_gen_cleanup(void *genctx) + + if (gctx == NULL) + return; +- ++#ifdef FIPS_MODULE ++ ecdsa_freectx(gctx->ecdsa_sig_ctx); ++ gctx->ecdsa_sig_ctx = NULL; ++#endif + EC_GROUP_free(gctx->gen_group); + BN_free(gctx->p); + BN_free(gctx->a); +diff -up openssl-3.0.7/providers/implementations/signature/ecdsa_sig.c.pairwise openssl-3.0.7/providers/implementations/signature/ecdsa_sig.c +--- openssl-3.0.7/providers/implementations/signature/ecdsa_sig.c.pairwise 2023-02-20 11:50:23.035194347 +0100 ++++ openssl-3.0.7/providers/implementations/signature/ecdsa_sig.c 2023-02-20 12:19:10.809768979 +0100 +@@ -32,7 +32,7 @@ + #include "crypto/ec.h" + #include "prov/der_ec.h" + +-static OSSL_FUNC_signature_newctx_fn ecdsa_newctx; ++OSSL_FUNC_signature_newctx_fn ecdsa_newctx; + static OSSL_FUNC_signature_sign_init_fn ecdsa_sign_init; + static OSSL_FUNC_signature_verify_init_fn ecdsa_verify_init; + static OSSL_FUNC_signature_sign_fn ecdsa_sign; +@@ -43,7 +43,7 @@ static OSSL_FUNC_signature_digest_sign_f + static OSSL_FUNC_signature_digest_verify_init_fn ecdsa_digest_verify_init; + static OSSL_FUNC_signature_digest_verify_update_fn ecdsa_digest_signverify_update; + static OSSL_FUNC_signature_digest_verify_final_fn ecdsa_digest_verify_final; +-static OSSL_FUNC_signature_freectx_fn ecdsa_freectx; ++OSSL_FUNC_signature_freectx_fn ecdsa_freectx; + static OSSL_FUNC_signature_dupctx_fn 
ecdsa_dupctx; + static OSSL_FUNC_signature_get_ctx_params_fn ecdsa_get_ctx_params; + static OSSL_FUNC_signature_gettable_ctx_params_fn ecdsa_gettable_ctx_params; +@@ -104,7 +104,7 @@ typedef struct { + #endif + } PROV_ECDSA_CTX; + +-static void *ecdsa_newctx(void *provctx, const char *propq) ++void *ecdsa_newctx(void *provctx, const char *propq) + { + PROV_ECDSA_CTX *ctx; + +@@ -370,7 +370,7 @@ int ecdsa_digest_verify_final(void *vctx + return ecdsa_verify(ctx, sig, siglen, digest, (size_t)dlen); + } + +-static void ecdsa_freectx(void *vctx) ++void ecdsa_freectx(void *vctx) + { + PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx; + +@@ -581,6 +581,35 @@ static const OSSL_PARAM *ecdsa_settable_ + return EVP_MD_settable_ctx_params(ctx->md); + } + ++#ifdef FIPS_MODULE ++int do_ec_pct(void *vctx, const char *mdname, void *ec) ++{ ++ static const unsigned char data[32]; ++ unsigned char sigbuf[256]; ++ size_t siglen = sizeof(sigbuf); ++ ++ if (ecdsa_digest_sign_init(vctx, mdname, ec, NULL) <= 0) ++ return 0; ++ ++ if (ecdsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0) ++ return 0; ++ ++ if (ecdsa_digest_sign_final(vctx, sigbuf, &siglen, sizeof(sigbuf)) <= 0) ++ return 0; ++ ++ if (ecdsa_digest_verify_init(vctx, mdname, ec, NULL) <= 0) ++ return 0; ++ ++ if (ecdsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0) ++ return 0; ++ ++ if (ecdsa_digest_verify_final(vctx, sigbuf, siglen) <= 0) ++ return 0; ++ ++ return 1; ++} ++#endif ++ + const OSSL_DISPATCH ossl_ecdsa_signature_functions[] = { + { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))ecdsa_newctx }, + { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))ecdsa_sign_init }, +diff -up openssl-3.0.7/providers/implementations/keymgmt/rsa_kmgmt.c.pairwise openssl-3.0.7/providers/implementations/keymgmt/rsa_kmgmt.c +--- openssl-3.0.7/providers/implementations/keymgmt/rsa_kmgmt.c.pairwise 2023-02-20 16:04:27.103364713 +0100 ++++ openssl-3.0.7/providers/implementations/keymgmt/rsa_kmgmt.c 2023-02-20 
16:14:13.848119419 +0100 +@@ -434,6 +434,7 @@ struct rsa_gen_ctx { + #if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS) + /* ACVP test parameters */ + OSSL_PARAM *acvp_test_params; ++ void *prov_rsa_ctx; + #endif + }; + +@@ -447,6 +448,12 @@ static int rsa_gencb(int p, int n, BN_GE + return gctx->cb(params, gctx->cbarg); + } + ++#ifdef FIPS_MODULE ++void *rsa_newctx(void *provctx, const char *propq); ++void rsa_freectx(void *vctx); ++int do_rsa_pct(void *, const char *, void *); ++#endif ++ + static void *gen_init(void *provctx, int selection, int rsa_type, + const OSSL_PARAM params[]) + { +@@ -474,6 +481,10 @@ static void *gen_init(void *provctx, int + + if (!rsa_gen_set_params(gctx, params)) + goto err; ++#ifdef FIPS_MODULE ++ if (gctx != NULL) ++ gctx->prov_rsa_ctx = rsa_newctx(provctx, NULL); ++#endif + return gctx; + + err: +@@ -630,6 +641,11 @@ static void *rsa_gen(void *genctx, OSSL_ + + rsa = rsa_tmp; + rsa_tmp = NULL; ++#ifdef FIPS_MODULE ++ /* Pairwise consistency test */ ++ if (do_rsa_pct(gctx->prov_rsa_ctx, "sha256", rsa) != 1) ++ abort(); ++#endif + err: + BN_GENCB_free(gencb); + RSA_free(rsa_tmp); +@@ -645,6 +662,8 @@ static void rsa_gen_cleanup(void *genctx + #if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS) + ossl_rsa_acvp_test_gen_params_free(gctx->acvp_test_params); + gctx->acvp_test_params = NULL; ++ rsa_freectx(gctx->prov_rsa_ctx); ++ gctx->prov_rsa_ctx = NULL; + #endif + BN_clear_free(gctx->pub_exp); + OPENSSL_free(gctx); +diff -up openssl-3.0.7/providers/implementations/signature/rsa_sig.c.pairwise openssl-3.0.7/providers/implementations/signature/rsa_sig.c +--- openssl-3.0.7/providers/implementations/signature/rsa_sig.c.pairwise 2023-02-20 16:04:22.548327811 +0100 ++++ openssl-3.0.7/providers/implementations/signature/rsa_sig.c 2023-02-20 16:17:50.064871695 +0100 +@@ -36,7 +36,7 @@ + + #define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1 + +-static OSSL_FUNC_signature_newctx_fn rsa_newctx; ++OSSL_FUNC_signature_newctx_fn 
rsa_newctx; + static OSSL_FUNC_signature_sign_init_fn rsa_sign_init; + static OSSL_FUNC_signature_verify_init_fn rsa_verify_init; + static OSSL_FUNC_signature_verify_recover_init_fn rsa_verify_recover_init; +@@ -49,7 +49,7 @@ static OSSL_FUNC_signature_digest_sign_f + static OSSL_FUNC_signature_digest_verify_init_fn rsa_digest_verify_init; + static OSSL_FUNC_signature_digest_verify_update_fn rsa_digest_signverify_update; + static OSSL_FUNC_signature_digest_verify_final_fn rsa_digest_verify_final; +-static OSSL_FUNC_signature_freectx_fn rsa_freectx; ++OSSL_FUNC_signature_freectx_fn rsa_freectx; + static OSSL_FUNC_signature_dupctx_fn rsa_dupctx; + static OSSL_FUNC_signature_get_ctx_params_fn rsa_get_ctx_params; + static OSSL_FUNC_signature_gettable_ctx_params_fn rsa_gettable_ctx_params; +@@ -172,7 +172,7 @@ static int rsa_check_parameters(PROV_RSA + return 1; + } + +-static void *rsa_newctx(void *provctx, const char *propq) ++void *rsa_newctx(void *provctx, const char *propq) + { + PROV_RSA_CTX *prsactx = NULL; + char *propq_copy = NULL; +@@ -990,7 +990,7 @@ int rsa_digest_verify_final(void *vprsac + return rsa_verify(vprsactx, sig, siglen, digest, (size_t)dlen); + } + +-static void rsa_freectx(void *vprsactx) ++void rsa_freectx(void *vprsactx) + { + PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; + +@@ -1504,6 +1504,45 @@ static const OSSL_PARAM *rsa_settable_ct + return EVP_MD_settable_ctx_params(prsactx->md); + } + ++#ifdef FIPS_MODULE ++int do_rsa_pct(void *vctx, const char *mdname, void *rsa) ++{ ++ static const unsigned char data[32]; ++ unsigned char *sigbuf = NULL; ++ size_t siglen = 0; ++ int ret = 0; ++ ++ if (rsa_digest_sign_init(vctx, mdname, rsa, NULL) <= 0) ++ return 0; ++ ++ if (rsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0) ++ return 0; ++ ++ if (rsa_digest_sign_final(vctx, NULL, &siglen, 0) <= 0) ++ return 0; ++ ++ if ((sigbuf = OPENSSL_malloc(siglen)) == NULL) ++ return 0; ++ ++ if (rsa_digest_sign_final(vctx, sigbuf, &siglen, 
siglen) <= 0) ++ goto err; ++ ++ if (rsa_digest_verify_init(vctx, mdname, rsa, NULL) <= 0) ++ goto err; ++ ++ if (rsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0) ++ goto err; ++ ++ if (rsa_digest_verify_final(vctx, sigbuf, siglen) <= 0) ++ goto err; ++ ret = 1; ++ ++ err: ++ OPENSSL_free(sigbuf); ++ return ret; ++} ++#endif ++ + const OSSL_DISPATCH ossl_rsa_signature_functions[] = { + { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx }, + { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init }, +diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c +index e0d139d..35f23b2 100644 +--- a/crypto/rsa/rsa_gen.c ++++ b/crypto/rsa/rsa_gen.c +@@ -463,6 +463,9 @@ static int rsa_keygen(OSSL_LIB_CTX *libctx, RSA *rsa, int bits, int primes, + rsa->dmp1 = NULL; + rsa->dmq1 = NULL; + rsa->iqmp = NULL; ++#ifdef FIPS_MODULE ++ abort(); ++#endif /* defined(FIPS_MODULE) */ + } + } + return ok; diff --git a/SOURCES/0045-FIPS-services-minimize.patch b/SOURCES/0045-FIPS-services-minimize.patch new file mode 100644 index 0000000..d2bea7f --- /dev/null +++ b/SOURCES/0045-FIPS-services-minimize.patch 
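Review bot: In rsa_kmgmt.c the new `prov_rsa_ctx` member is added inside the existing `#if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)` block of `struct rsa_gen_ctx`, while `gen_init` and `rsa_gen` access it under a plain `#ifdef FIPS_MODULE`, so a FIPS_MODULE build with OPENSSL_NO_ACVP_TESTS defined references a member that does not exist; giving the member and the `rsa_freectx` call in `rsa_gen_cleanup` their own `#ifdef FIPS_MODULE` block keeps all four sites consistent. The pointer returned by `rsa_newctx` in `gen_init` and by `ecdsa_newctx` in `ec_gen_init` is stored without a NULL check, so an allocation failure there is presumably not reported until `do_rsa_pct`/`do_ec_pct` fail on the NULL context and the generator calls `abort()`, which conflates an out-of-memory condition with a failed pairwise consistency test; failing `gen_init`/`ec_gen_init` when the signature context cannot be created keeps the two cases distinguishable. In `ec_gen` the new PCT condition does not consult `ret`, so if an earlier step has already left `ret` at 0 (the function body starts outside the hunk) the test runs on a key that was never fully generated and aborts instead of taking the existing error return; `if (ret && (gctx->selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0` would limit the abort to a genuine PCT failure. The `ecdsa_newctx`/`ecdsa_freectx`/`do_ec_pct` and `rsa_newctx`/`rsa_freectx`/`do_rsa_pct` prototypes are repeated by hand in the keymgmt files rather than declared once in a provider-internal header, which deserves at least a comment such as `/* Must match the definitions in signature/ecdsa_sig.c */` so the signatures are kept in step.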
@@ -0,0 +1,739 @@ +diff -up openssl-3.0.1/providers/common/capabilities.c.fipsmin3 openssl-3.0.1/providers/common/capabilities.c +--- openssl-3.0.1/providers/common/capabilities.c.fipsmin3 2022-05-05 17:11:36.146638536 +0200 ++++ openssl-3.0.1/providers/common/capabilities.c 2022-05-05 17:12:00.138848787 +0200 +@@ -186,9 +186,9 @@ static const OSSL_PARAM param_group_list + TLS_GROUP_ENTRY("brainpoolP256r1", "brainpoolP256r1", "EC", 25), + TLS_GROUP_ENTRY("brainpoolP384r1", "brainpoolP384r1", "EC", 26), + TLS_GROUP_ENTRY("brainpoolP512r1", "brainpoolP512r1", "EC", 27), +-# endif + TLS_GROUP_ENTRY("x25519", "X25519", "X25519", 28), + TLS_GROUP_ENTRY("x448", "X448", "X448", 29), ++# endif + # endif /* OPENSSL_NO_EC */ + # ifndef OPENSSL_NO_DH + /* Security bit values for FFDHE groups are as per RFC 7919 */ +diff -up openssl-3.0.1/providers/fips/fipsprov.c.fipsmin2 openssl-3.0.1/providers/fips/fipsprov.c +--- openssl-3.0.1/providers/fips/fipsprov.c.fipsmin2 2022-05-05 11:42:58.596848856 +0200 ++++ openssl-3.0.1/providers/fips/fipsprov.c 2022-05-05 11:55:42.997562712 +0200 +@@ -54,7 +54,6 @@ static void fips_deinit_casecmp(void); + + #define ALGC(NAMES, FUNC, CHECK) { { NAMES, FIPS_DEFAULT_PROPERTIES, FUNC }, CHECK } + #define ALG(NAMES, FUNC) ALGC(NAMES, FUNC, NULL) +- + extern OSSL_FUNC_core_thread_start_fn *c_thread_start; + int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx); + +@@ -191,13 +190,13 @@ static int fips_get_params(void *provctx + &fips_prov_ossl_ctx_method); + + p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME); +- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL FIPS Provider")) ++ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "Red Hat Enterprise Linux 9 - OpenSSL FIPS Provider")) + return 0; + p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_VERSION); +- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_VERSION_STR)) ++ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, REDHAT_FIPS_VERSION)) + return 0; + p = OSSL_PARAM_locate(params, 
OSSL_PROV_PARAM_BUILDINFO); +- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_FULL_VERSION_STR)) ++ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, REDHAT_FIPS_VERSION)) + return 0; + p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_STATUS); + if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running())) +@@ -281,10 +280,11 @@ static const OSSL_ALGORITHM fips_digests + * KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for + * KMAC128 and KMAC256. + */ +- { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES, ++ /* We don't certify KECCAK in our FIPS provider */ ++ /* { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES, + ossl_keccak_kmac_128_functions }, + { PROV_NAMES_KECCAK_KMAC_256, FIPS_DEFAULT_PROPERTIES, +- ossl_keccak_kmac_256_functions }, ++ ossl_keccak_kmac_256_functions }, */ + { NULL, NULL, NULL } + }; + +@@ -343,8 +343,9 @@ static const OSSL_ALGORITHM_CAPABLE fips + ALGC(PROV_NAMES_AES_256_CBC_HMAC_SHA256, ossl_aes256cbc_hmac_sha256_functions, + ossl_cipher_capable_aes_cbc_hmac_sha256), + #ifndef OPENSSL_NO_DES +- ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions), +- ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions), ++ /* We don't certify 3DES in our FIPS provider */ ++ /* ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions), ++ ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions), */ + #endif /* OPENSSL_NO_DES */ + { { NULL, NULL, NULL }, NULL } + }; +@@ -356,8 +357,9 @@ static const OSSL_ALGORITHM fips_macs[] + #endif + { PROV_NAMES_GMAC, FIPS_DEFAULT_PROPERTIES, ossl_gmac_functions }, + { PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES, ossl_hmac_functions }, +- { PROV_NAMES_KMAC_128, FIPS_DEFAULT_PROPERTIES, ossl_kmac128_functions }, +- { PROV_NAMES_KMAC_256, FIPS_DEFAULT_PROPERTIES, ossl_kmac256_functions }, ++ /* We don't certify KMAC in our FIPS provider */ ++ /*{ PROV_NAMES_KMAC_128, FIPS_DEFAULT_PROPERTIES, ossl_kmac128_functions }, ++ { PROV_NAMES_KMAC_256, FIPS_DEFAULT_PROPERTIES, 
ossl_kmac256_functions }, */ + { NULL, NULL, NULL } + }; + +@@ -392,8 +394,9 @@ static const OSSL_ALGORITHM fips_keyexch + #endif + #ifndef OPENSSL_NO_EC + { PROV_NAMES_ECDH, FIPS_DEFAULT_PROPERTIES, ossl_ecdh_keyexch_functions }, +- { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keyexch_functions }, +- { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keyexch_functions }, ++ /* We don't certify Edwards curves in our FIPS provider */ ++ /*{ PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keyexch_functions }, ++ { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keyexch_functions },*/ + #endif + { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES, + ossl_kdf_tls1_prf_keyexch_functions }, +@@ -403,12 +406,14 @@ static const OSSL_ALGORITHM fips_keyexch + + static const OSSL_ALGORITHM fips_signature[] = { + #ifndef OPENSSL_NO_DSA +- { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions }, ++ /* We don't certify DSA in our FIPS provider */ ++ /* { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions }, */ + #endif + { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_signature_functions }, + #ifndef OPENSSL_NO_EC +- { PROV_NAMES_ED25519, FIPS_DEFAULT_PROPERTIES, ossl_ed25519_signature_functions }, +- { PROV_NAMES_ED448, FIPS_DEFAULT_PROPERTIES, ossl_ed448_signature_functions }, ++ /* We don't certify Edwards curves in our FIPS provider */ ++ /* { PROV_NAMES_ED25519, FIPS_DEFAULT_PROPERTIES, ossl_ed25519_signature_functions }, ++ { PROV_NAMES_ED448, FIPS_DEFAULT_PROPERTIES, ossl_ed448_signature_functions }, */ + { PROV_NAMES_ECDSA, FIPS_DEFAULT_PROPERTIES, ossl_ecdsa_signature_functions }, + #endif + { PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES, +@@ -438,8 +443,9 @@ static const OSSL_ALGORITHM fips_keymgmt + PROV_DESCS_DHX }, + #endif + #ifndef OPENSSL_NO_DSA +- { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions, +- PROV_DESCS_DSA }, ++ /* We don't certify DSA in our FIPS provider */ ++ /* { 
PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions, ++ PROV_DESCS_DSA }, */ + #endif + { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_keymgmt_functions, + PROV_DESCS_RSA }, +@@ -448,14 +454,15 @@ static const OSSL_ALGORITHM fips_keymgmt + #ifndef OPENSSL_NO_EC + { PROV_NAMES_EC, FIPS_DEFAULT_PROPERTIES, ossl_ec_keymgmt_functions, + PROV_DESCS_EC }, +- { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keymgmt_functions, ++ /* We don't certify Edwards curves in our FIPS provider */ ++ /* { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keymgmt_functions, + PROV_DESCS_X25519 }, + { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keymgmt_functions, + PROV_DESCS_X448 }, + { PROV_NAMES_ED25519, FIPS_DEFAULT_PROPERTIES, ossl_ed25519_keymgmt_functions, + PROV_DESCS_ED25519 }, + { PROV_NAMES_ED448, FIPS_DEFAULT_PROPERTIES, ossl_ed448_keymgmt_functions, +- PROV_DESCS_ED448 }, ++ PROV_DESCS_ED448 }, */ + #endif + { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_keymgmt_functions, + PROV_DESCS_TLS1_PRF_SIGN }, +diff -up openssl-3.0.1/providers/fips/self_test_data.inc.fipsmin3 openssl-3.0.1/providers/fips/self_test_data.inc +--- openssl-3.0.1/providers/fips/self_test_data.inc.fipsmin3 2022-05-05 12:36:32.335069046 +0200 ++++ openssl-3.0.1/providers/fips/self_test_data.inc 2022-05-05 12:40:02.427966128 +0200 +@@ -171,6 +171,7 @@ static const ST_KAT_DIGEST st_kat_digest + /*- CIPHER TEST DATA */ + + /* DES3 test data */ ++#if 0 + static const unsigned char des_ede3_cbc_pt[] = { + 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, + 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A, +@@ -191,7 +192,7 @@ static const unsigned char des_ede3_cbc_ + 0x51, 0x65, 0x70, 0x48, 0x1F, 0x25, 0xB5, 0x0F, + 0x73, 0xC0, 0xBD, 0xA8, 0x5C, 0x8E, 0x0D, 0xA7 + }; +- ++#endif + /* AES-256 GCM test data */ + static const unsigned char aes_256_gcm_key[] = { + 0x92, 0xe1, 0x1d, 0xcd, 0xaa, 0x86, 0x6f, 0x5c, +@@ -235,6 +236,7 @@ static const unsigned char 
aes_128_ecb_c + }; + + static const ST_KAT_CIPHER st_kat_cipher_tests[] = { ++#if 0 + #ifndef OPENSSL_NO_DES + { + { +@@ -248,6 +250,7 @@ static const ST_KAT_CIPHER st_kat_cipher + ITM(des_ede3_cbc_iv), + }, + #endif ++#endif + { + { + OSSL_SELF_TEST_DESC_CIPHER_AES_GCM, +@@ -1424,8 +1427,9 @@ static const ST_KAT_PARAM ecdsa_bin_key[ + # endif /* OPENSSL_NO_EC2M */ + #endif /* OPENSSL_NO_EC */ + +-#ifndef OPENSSL_NO_DSA + /* dsa 2048 */ ++#if 0 ++#ifndef OPENSSL_NO_DSA + static const unsigned char dsa_p[] = { + 0xa2, 0x9b, 0x88, 0x72, 0xce, 0x8b, 0x84, 0x23, + 0xb7, 0xd5, 0xd2, 0x1d, 0x4b, 0x02, 0xf5, 0x7e, +@@ -1549,8 +1553,8 @@ static const ST_KAT_PARAM dsa_key[] = { + ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_PRIV_KEY, dsa_priv), + ST_KAT_PARAM_END() + }; +-#endif /* OPENSSL_NO_DSA */ +- ++#endif ++#endif + static const ST_KAT_SIGN st_kat_sign_tests[] = { + { + OSSL_SELF_TEST_DESC_SIGN_RSA, +@@ -1583,6 +1587,7 @@ static const ST_KAT_SIGN st_kat_sign_tes + }, + # endif + #endif /* OPENSSL_NO_EC */ ++#if 0 + #ifndef OPENSSL_NO_DSA + { + OSSL_SELF_TEST_DESC_SIGN_DSA, +@@ -1595,6 +1600,7 @@ static const ST_KAT_SIGN st_kat_sign_tes + */ + }, + #endif /* OPENSSL_NO_DSA */ ++#endif + }; + + static const ST_KAT_ASYM_CIPHER st_kat_asym_cipher_tests[] = { +diff -up openssl-3.0.1/test/acvp_test.c.fipsmin2 openssl-3.0.1/test/acvp_test.c +--- openssl-3.0.1/test/acvp_test.c.fipsmin2 2022-05-05 11:42:58.597848865 +0200 ++++ openssl-3.0.1/test/acvp_test.c 2022-05-05 11:43:30.141126336 +0200 +@@ -1476,6 +1476,7 @@ int setup_tests(void) + OSSL_NELEM(dh_safe_prime_keyver_data)); + #endif /* OPENSSL_NO_DH */ + ++#if 0 /* Red Hat FIPS provider doesn't have fips=yes property on DSA */ + #ifndef OPENSSL_NO_DSA + ADD_ALL_TESTS(dsa_keygen_test, OSSL_NELEM(dsa_keygen_data)); + ADD_ALL_TESTS(dsa_paramgen_test, OSSL_NELEM(dsa_paramgen_data)); +@@ -1483,6 +1484,7 @@ int setup_tests(void) + ADD_ALL_TESTS(dsa_siggen_test, OSSL_NELEM(dsa_siggen_data)); + ADD_ALL_TESTS(dsa_sigver_test, 
OSSL_NELEM(dsa_sigver_data)); + #endif /* OPENSSL_NO_DSA */ ++#endif + + #ifndef OPENSSL_NO_EC + ADD_ALL_TESTS(ecdsa_keygen_test, OSSL_NELEM(ecdsa_keygen_data)); +diff -up openssl-3.0.1/test/evp_libctx_test.c.fipsmin3 openssl-3.0.1/test/evp_libctx_test.c +--- openssl-3.0.1/test/evp_libctx_test.c.fipsmin3 2022-05-05 14:18:46.370911817 +0200 ++++ openssl-3.0.1/test/evp_libctx_test.c 2022-05-05 14:30:02.117911993 +0200 +@@ -21,6 +21,7 @@ + */ + #include "internal/deprecated.h" + #include ++#include + #include + #include + #include +@@ -725,8 +726,10 @@ int setup_tests(void) + if (!test_get_libctx(&libctx, &nullprov, config_file, &libprov, prov_name)) + return 0; + + #if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DH) +- ADD_ALL_TESTS(test_dsa_param_keygen, 3 * 3 * 3); ++ if (strcmp(prov_name, "fips") != 0) { ++ ADD_ALL_TESTS(test_dsa_param_keygen, 3 * 3 * 3); ++ } + #endif + #ifndef OPENSSL_NO_DH + ADD_ALL_TESTS(test_dh_safeprime_param_keygen, 3 * 3 * 3); +@@ -746,7 +750,9 @@ int setup_tests(void) + ADD_TEST(kem_invalid_keytype); + #endif + #ifndef OPENSSL_NO_DES +- ADD_TEST(test_cipher_tdes_randkey); ++ if (strcmp(prov_name, "fips") != 0) { ++ ADD_TEST(test_cipher_tdes_randkey); ++ } + #endif + return 1; + } +diff -up openssl-3.0.1/test/recipes/15-test_gendsa.t.fipsmin3 openssl-3.0.1/test/recipes/15-test_gendsa.t +--- openssl-3.0.1/test/recipes/15-test_gendsa.t.fipsmin3 2022-05-05 13:46:00.631590335 +0200 ++++ openssl-3.0.1/test/recipes/15-test_gendsa.t 2022-05-05 13:46:06.999644496 +0200 +@@ -24,7 +24,7 @@ use lib bldtop_dir('.'); + plan skip_all => "This test is unsupported in a no-dsa build" + if disabled("dsa"); + +-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); ++my $no_fips = 1; + + plan tests => + ($no_fips ? 
0 : 2) # FIPS related tests +diff -up openssl-3.0.1/test/recipes/20-test_cli_fips.t.fipsmin3 openssl-3.0.1/test/recipes/20-test_cli_fips.t +--- openssl-3.0.1/test/recipes/20-test_cli_fips.t.fipsmin3 2022-05-05 13:47:55.217564900 +0200 ++++ openssl-3.0.1/test/recipes/20-test_cli_fips.t 2022-05-05 13:48:02.824629600 +0200 +@@ -207,8 +207,7 @@ SKIP: { + } + + SKIP : { +- skip "FIPS DSA tests because of no dsa in this build", 1 +- if disabled("dsa"); ++ skip "FIPS DSA tests because of no dsa in this build", 1; + + subtest DSA => sub { + my $testtext_prefix = 'DSA'; +diff -up openssl-3.0.1/test/recipes/80-test_cms.t.fipsmin3 openssl-3.0.1/test/recipes/80-test_cms.t +--- openssl-3.0.1/test/recipes/80-test_cms.t.fipsmin3 2022-05-05 13:55:05.257292637 +0200 ++++ openssl-3.0.1/test/recipes/80-test_cms.t 2022-05-05 13:58:35.307150750 +0200 +@@ -95,7 +95,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], + +- [ "signed content DER format, DSA key", ++ [ "signed content DER format, DSA key, no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach", + "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ], + [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER", +@@ -103,7 +103,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], + +- [ "signed detached content DER format, DSA key", ++ [ "signed detached content DER format, DSA key, no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", + "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ], + [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER", +@@ -112,7 +112,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], + +- [ "signed detached content DER format, add RSA signer (with DSA existing)", ++ [ "signed detached content DER format, add RSA signer (with DSA existing), no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", + "-signer", catfile($smdir, "smdsa1.pem"), 
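Review bot: `my $no_fips = 1;` hard-codes the skip and silently discards both the `disabled('fips')` check and the `NO_FIPS` environment override without saying why, so whoever later tries to re-enable the FIPS variants of this test has nothing to go on. Suggest `my $no_fips = 1;  # Red Hat FIPS provider has no DSA, so the FIPS variants cannot run` (the rationale is given in the acvp_test.c hunk of this same patch). The `plan tests =>` expression continues past the end of the hunk.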
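Review bot: The `skip` in the DSA `SKIP` block is now unconditional, but its message still says `FIPS DSA tests because of no dsa in this build`, which is wrong in a build where `disabled("dsa")` is false and will mislead anyone reading the TAP output. Change it to state the actual reason, e.g. `skip "FIPS DSA tests because the Red Hat FIPS provider does not provide DSA", 1;`. The `subtest DSA` body that follows continues outside the hunk.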
"-out", "{output}.cms" ], + [ "{cmd1}", @prov, "-resign", "-in", "{output}.cms", "-inform", "DER", "-outform", "DER", +@@ -123,7 +123,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], + +- [ "signed content test streaming BER format, DSA key", ++ [ "signed content test streaming BER format, DSA key, no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", + "-nodetach", "-stream", + "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ], +@@ -132,7 +132,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], + +- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys", ++ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", + "-nodetach", "-stream", + "-signer", $smrsa1, +@@ -145,7 +145,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], + +- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes", ++ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes, no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", + "-noattr", "-nodetach", "-stream", + "-signer", $smrsa1, +@@ -175,7 +175,7 @@ my @smime_pkcs7_tests = ( + \&zero_compare + ], + +- [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys", ++ [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys, no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach", + "-signer", $smrsa1, + "-signer", catfile($smdir, "smrsa2.pem"), +@@ -187,7 +187,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], + +- [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys", ++ [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys, no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, + "-signer", $smrsa1, + "-signer", catfile($smdir, "smrsa2.pem"), +@@ -247,7 +247,7 @@ my @smime_pkcs7_tests = ( + + my 
@smime_cms_tests = ( + +- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid", ++ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid, no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", + "-nodetach", "-keyid", + "-signer", $smrsa1, +@@ -260,7 +260,7 @@ my @smime_cms_tests = ( + \&final_compare + ], + +- [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys", ++ [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys, no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach", + "-signer", $smrsa1, + "-signer", catfile($smdir, "smrsa2.pem"), +@@ -370,7 +370,7 @@ my @smime_cms_tests = ( + \&final_compare + ], + +- [ "encrypted content test streaming PEM format, triple DES key", ++ [ "encrypted content test streaming PEM format, triple DES key, no Red Hat FIPS", + [ "{cmd1}", @prov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM", + "-des3", "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617", + "-stream", "-out", "{output}.cms" ], +diff -up openssl-3.0.1/test/recipes/30-test_evp.t.fipsmin3 openssl-3.0.1/test/recipes/30-test_evp.t +--- openssl-3.0.1/test/recipes/30-test_evp.t.fipsmin3 2022-05-05 14:43:04.276857033 +0200 ++++ openssl-3.0.1/test/recipes/30-test_evp.t 2022-05-05 14:43:35.975138234 +0200 +@@ -43,7 +43,6 @@ my @files = qw( + evpciph_aes_cts.txt + evpciph_aes_wrap.txt + evpciph_aes_stitched.txt +- evpciph_des3_common.txt + evpkdf_hkdf.txt + evpkdf_pbkdf1.txt + evpkdf_pbkdf2.txt +@@ -66,12 +65,6 @@ push @files, qw( + evppkey_dh.txt + ) unless $no_dh; + push @files, qw( +- evpkdf_x942_des.txt +- evpmac_cmac_des.txt +- ) unless $no_des; +-push @files, qw(evppkey_dsa.txt) unless $no_dsa; +-push @files, qw(evppkey_ecx.txt) unless $no_ec; +-push @files, qw( + evppkey_ecc.txt + evppkey_ecdh.txt + evppkey_ecdsa.txt +@@ -91,6 +84,7 @@ my @defltfiles = qw( + evpciph_cast5.txt + evpciph_chacha.txt + 
evpciph_des.txt ++ evpciph_des3_common.txt + evpciph_idea.txt + evpciph_rc2.txt + evpciph_rc4.txt +@@ -117,6 +111,12 @@ my @defltfiles = qw( + evppkey_kdf_tls1_prf.txt + evppkey_rsa.txt + ); ++push @defltfiles, qw(evppkey_dsa.txt) unless $no_dsa; ++push @defltfiles, qw(evppkey_ecx.txt) unless $no_ec; ++push @defltfiles, qw( ++ evpkdf_x942_des.txt ++ evpmac_cmac_des.txt ++ ) unless $no_des; + push @defltfiles, qw(evppkey_sm2.txt) unless $no_sm2; + + plan tests => +diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt.fipsmin3 openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt +--- openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt.fipsmin3 2022-05-05 14:46:32.721700697 +0200 ++++ openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt 2022-05-05 14:51:40.205418897 +0200 +@@ -328,6 +328,7 @@ Input = 68F2E77696CE7AE8E2CA4EC588E54100 + Output = 00BDA1B7E87608BCBF470F12157F4C07 + + ++Availablein = default + Title = KMAC Tests (From NIST) + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F +@@ -338,12 +339,14 @@ Ctrl = xof:0 + OutputSize = 32 + BlockSize = 168 + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 + Custom = "My Tagged Application" + Output = 3B1FBA963CD8B0B59E8C1A6D71888B7143651AF8BA0A7070C0979E2811324AA5 + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -351,6 +354,7 @@ Custom = "My Tagged Application" + Output = 
1F5B4E6CCA02209E0DCB5CA635B89A15E271ECC760071DFD805FAA38F9729230 + Ctrl = size:32 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 +@@ -359,12 +363,14 @@ Output = 20C570C31346F703C9AC36C61C03CB6 + OutputSize = 64 + BlockSize = 136 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 + Custom = "" + Output = 75358CF39E41494E949707927CEE0AF20A3FF553904C86B08F21CC414BCFD691589D27CF5E15369CBBFF8B9A4C2EB17800855D0235FF635DA82533EC6B759B69 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -374,12 +380,14 @@ Ctrl = size:64 + + Title = KMAC XOF Tests (From NIST) + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 + Output = CD83740BBD92CCC8CF032B1481A0F4460E7CA9DD12B08A0C4031178BACD6EC35 + XOF = 1 + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 +@@ -387,6 +395,7 @@ Custom = "My Tagged 
Application" + Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C + XOF = 1 + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -395,6 +404,7 @@ Output = 47026C7CD793084AA0283C253EF6584 + XOF = 1 + Ctrl = size:32 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 +@@ -402,6 +412,7 @@ Custom = "My Tagged Application" + Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B + XOF = 1 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -409,6 +420,7 @@ Custom = "" + Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B + XOF = 1 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -419,6 +431,7 @@ XOF = 1 + + Title = KMAC long customisation string (from NIST ACVP) + ++Availablein = default + MAC = KMAC256 + Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3 + Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D +@@ -429,12 +442,14 @@ XOF = 1 + + Title = KMAC XOF Tests via ctrl (From NIST) + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 + Output = CD83740BBD92CCC8CF032B1481A0F4460E7CA9DD12B08A0C4031178BACD6EC35 + Ctrl = xof:1 + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 +@@ -442,6 +457,7 @@ Custom = "My Tagged Application" + Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C + Ctrl = xof:1 + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -450,6 +466,7 @@ Output = 
47026C7CD793084AA0283C253EF6584 + Ctrl = xof:1 + Ctrl = size:32 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 +@@ -457,6 +474,7 @@ Custom = "My Tagged Application" + Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B + Ctrl = xof:1 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -464,6 +482,7 @@ Custom = "" + Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B + Ctrl = xof:1 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -474,6 +493,7 @@ Ctrl = xof:1 + + Title = KMAC long customisation string via ctrl (from NIST ACVP) + ++Availablein = default + MAC = KMAC256 + Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3 + 
Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D +@@ -484,6 +504,7 @@ Ctrl = xof:1 + + Title = KMAC long customisation string negative test + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -492,6 +513,7 @@ Result = MAC_INIT_ERROR + + Title = KMAC output is too large + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +diff -up openssl-3.0.1/test/recipes/80-test_ssl_old.t.fipsmin3 openssl-3.0.1/test/recipes/80-test_ssl_old.t +--- openssl-3.0.1/test/recipes/80-test_ssl_old.t.fipsmin3 2022-05-05 16:02:59.745500635 +0200 ++++ openssl-3.0.1/test/recipes/80-test_ssl_old.t 2022-05-05 16:10:24.071348890 +0200 +@@ -426,7 +426,7 @@ sub testssl { + my @exkeys = (); + my $ciphers = '-PSK:-SRP:@SECLEVEL=0'; + +- if (!$no_dsa) { ++ if (!$no_dsa && $provider ne "fips") { + push @exkeys, "-s_cert", "certD.ss", "-s_key", $Dkey; + } + +diff -up openssl-3.0.1/test/endecode_test.c.fipsmin3 openssl-3.0.1/test/endecode_test.c +--- openssl-3.0.1/test/endecode_test.c.fipsmin3 
2022-05-06 16:25:57.296926271 +0200 ++++ openssl-3.0.1/test/endecode_test.c 2022-05-06 16:27:42.712850840 +0200 +@@ -1387,6 +1387,7 @@ int setup_tests(void) + * so no legacy tests. + */ + #endif ++ if (is_fips == 0) { + #ifndef OPENSSL_NO_DSA + ADD_TEST_SUITE(DSA); + ADD_TEST_SUITE_PARAMS(DSA); +@@ -1397,6 +1398,7 @@ int setup_tests(void) + ADD_TEST_SUITE_PROTECTED_PVK(DSA); + # endif + #endif ++ } + #ifndef OPENSSL_NO_EC + ADD_TEST_SUITE(EC); + ADD_TEST_SUITE_PARAMS(EC); +@@ -1411,10 +1413,12 @@ int setup_tests(void) + ADD_TEST_SUITE(ECExplicitTri2G); + ADD_TEST_SUITE_LEGACY(ECExplicitTri2G); + # endif ++ if (is_fips == 0) { + ADD_TEST_SUITE(ED25519); + ADD_TEST_SUITE(ED448); + ADD_TEST_SUITE(X25519); + ADD_TEST_SUITE(X448); ++ } + /* + * ED25519, ED448, X25519 and X448 have no support for + * PEM_write_bio_PrivateKey_traditional(), so no legacy tests. +diff -up openssl-3.0.1/apps/req.c.dfc openssl-3.0.1/apps/req.c +--- openssl-3.0.1/apps/req.c.dfc 2022-05-12 13:31:21.957638329 +0200 ++++ openssl-3.0.1/apps/req.c 2022-05-12 13:31:49.587984867 +0200 +@@ -266,7 +266,7 @@ int req_main(int argc, char **argv) + unsigned long chtype = MBSTRING_ASC, reqflag = 0; + + #ifndef OPENSSL_NO_DES +- cipher = (EVP_CIPHER *)EVP_des_ede3_cbc(); ++ cipher = (EVP_CIPHER *)EVP_aes_256_cbc(); + #endif + + prog = opt_init(argc, argv, req_options); +diff -up openssl-3.0.1/apps/ecparam.c.fips_list_curves openssl-3.0.1/apps/ecparam.c +--- openssl-3.0.1/apps/ecparam.c.fips_list_curves 2022-05-19 11:46:22.682519422 +0200 ++++ openssl-3.0.1/apps/ecparam.c 2022-05-19 11:50:44.559828701 +0200 +@@ -79,6 +79,9 @@ static int list_builtin_curves(BIO *out) + const char *comment = curves[n].comment; + const char *sname = OBJ_nid2sn(curves[n].nid); + ++ if ((curves[n].nid == NID_secp256k1) && EVP_default_properties_is_fips_enabled(NULL)) ++ continue; ++ + if (comment == NULL) + comment = "CURVE DESCRIPTION NOT AVAILABLE"; + if (sname == NULL) +diff -up openssl-3.0.1/ssl/ssl_ciph.c.nokrsa 
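Review bot: The new default `cipher = (EVP_CIPHER *)EVP_aes_256_cbc();` in `req_main` is still wrapped in `#ifndef OPENSSL_NO_DES`, so a `no-des` build would leave `cipher` NULL and lose the AES default entirely, the opposite of what the change intends. The guard only made sense while the default was `EVP_des_ede3_cbc()`; AES is unconditional, so drop the `#ifndef`/`#endif` pair and keep the single assignment. A short comment such as `/* Default private-key encryption; AES-256-CBC so it also works under FIPS */` would record why 3DES was replaced. `req_main` continues outside the hunk.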
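Review bot: `list_builtin_curves` decides whether to hide secp256k1 with `EVP_default_properties_is_fips_enabled(NULL)`, i.e. the global default library context, whereas the openssl apps otherwise work against `app_get0_libctx()`; if the application is running against a non-default libctx the two can disagree and the curve list will not match what the app can actually use. Suggest `if ((curves[n].nid == NID_secp256k1) && EVP_default_properties_is_fips_enabled(app_get0_libctx()))`. Also add a one-line comment on why only this curve is filtered (presumably it is the one builtin curve the Red Hat FIPS provider does not offer), since the rest of the list is printed unfiltered.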
openssl-3.0.1/ssl/ssl_ciph.c +--- openssl-3.0.1/ssl/ssl_ciph.c.nokrsa 2022-05-19 13:32:32.536708638 +0200 ++++ openssl-3.0.1/ssl/ssl_ciph.c 2022-05-19 13:42:29.734002959 +0200 +@@ -356,6 +356,9 @@ int ssl_load_ciphers(SSL_CTX *ctx) + ctx->disabled_mkey_mask = 0; + ctx->disabled_auth_mask = 0; + ++ if (EVP_default_properties_is_fips_enabled(ctx->libctx)) ++ ctx->disabled_mkey_mask |= SSL_kRSA | SSL_kRSAPSK; ++ + /* + * We ignore any errors from the fetches below. They are expected to fail + * if theose algorithms are not available. +diff -up openssl-3.0.1/providers/implementations/signature/rsa_sig.c.fipskeylen openssl-3.0.1/providers/implementations/signature/rsa_sig.c +--- openssl-3.0.1/providers/implementations/signature/rsa_sig.c.fipskeylen 2022-05-23 14:58:07.764281242 +0200 ++++ openssl-3.0.1/providers/implementations/signature/rsa_sig.c 2022-05-23 15:10:29.327993616 +0200 +@@ -692,6 +692,19 @@ static int rsa_verify_recover(void *vprs + { + PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; + int ret; ++# ifdef FIPS_MODULE ++ size_t rsabits = RSA_bits(prsactx->rsa); ++ ++ if (rsabits < 2048) { ++ if (rsabits != 1024 ++ && rsabits != 1280 ++ && rsabits != 1536 ++ && rsabits != 1792) { ++ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH); ++ return 0; ++ } ++ } ++# endif + + if (!ossl_prov_is_running()) + return 0; +@@ -770,6 +770,19 @@ static int rsa_verify(void *vprsactx, co + { + PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; + size_t rslen; ++# ifdef FIPS_MODULE ++ size_t rsabits = RSA_bits(prsactx->rsa); ++ ++ if (rsabits < 2048) { ++ if (rsabits != 1024 ++ && rsabits != 1280 ++ && rsabits != 1536 ++ && rsabits != 1792) { ++ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH); ++ return 0; ++ } ++ } ++# endif + + if (!ossl_prov_is_running()) + return 0; diff --git a/SOURCES/0047-FIPS-early-KATS.patch b/SOURCES/0047-FIPS-early-KATS.patch new file mode 100644 index 0000000..ef2d081 --- /dev/null +++ b/SOURCES/0047-FIPS-early-KATS.patch 
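Review bot: The new `disabled_mkey_mask |= SSL_kRSA | SSL_kRSAPSK` is computed once in `ssl_load_ciphers` from the libctx's default properties at that moment, so an application that enables FIPS on the libctx after its `SSL_CTX` exists keeps RSA key exchange enabled, and nothing in the hunk records the intent. Add a comment above the check, e.g. `/* RSA key transport is not permitted when the libctx is in FIPS mode; evaluated once per SSL_CTX, not re-checked if FIPS is enabled later. */`. `ssl_load_ciphers` continues outside the hunk.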
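Review bot: The hunk header `@@ -770,6 +770,19 @@` for `rsa_verify` does not account for the 13 lines the preceding hunk inserts into `rsa_verify_recover`; for a consistent patch the new-side start should be `@@ -770,6 +783,19 @@`. `patch` and `git apply` will normally still place it by searching with an offset, but the shipped `.patch` is internally inconsistent and should be regenerated rather than hand-edited. The body is the same legacy-size check as in `rsa_verify_recover`; keeping both copies in sync is another reason to share one helper.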
@@ -0,0 +1,39 @@ +diff -up openssl-3.0.1/providers/fips/self_test.c.earlykats openssl-3.0.1/providers/fips/self_test.c +--- openssl-3.0.1/providers/fips/self_test.c.earlykats 2022-01-19 13:10:00.635830783 +0100 ++++ openssl-3.0.1/providers/fips/self_test.c 2022-01-19 13:11:43.309342656 +0100 +@@ -362,6 +362,16 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS + if (ev == NULL) + goto end; + ++ /* ++ * Run the KAT's before HMAC verification according to FIPS-140-3 requirements ++ */ ++ if (kats_already_passed == 0) { ++ if (!SELF_TEST_kats(ev, st->libctx)) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE); ++ goto end; ++ } ++ } ++ + module_checksum = fips_hmac_container; + checksum_len = sizeof(fips_hmac_container); + +@@ -411,18 +421,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS + kats_already_passed = 1; + } + } +- +- /* +- * Only runs the KAT's during installation OR on_demand(). +- * NOTE: If the installation option 'self_test_onload' is chosen then this +- * path will always be run, since kats_already_passed will always be 0. +- */ +- if (on_demand_test || kats_already_passed == 0) { +- if (!SELF_TEST_kats(ev, st->libctx)) { +- ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE); +- goto end; +- } +- } + ok = 1; + end: + OSSL_SELF_TEST_free(ev); diff --git a/SOURCES/0049-Selectively-disallow-SHA1-signatures.patch b/SOURCES/0049-Selectively-disallow-SHA1-signatures.patch new file mode 100644 index 0000000..d453f97 --- /dev/null +++ b/SOURCES/0049-Selectively-disallow-SHA1-signatures.patch 
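Review bot: Moving `SELF_TEST_kats` ahead of the integrity check also drops the `on_demand_test ||` half of the old condition, so a caller that requests on-demand self-tests through the `on_demand_test` parameter of `SELF_TEST_post` no longer re-runs the KATs once `kats_already_passed` is set — only the HMAC verification repeats — unless something outside this hunk resets `kats_already_passed` on the on-demand path. If that is not intended, keep the old condition at the new location: `if (on_demand_test || kats_already_passed == 0) {`. The comment should also name the requirement rather than just "FIPS-140-3 requirements", e.g. that the algorithm self-tests (including the HMAC/SHA KAT the integrity check itself relies on) must pass before the software integrity test is run. `SELF_TEST_post` begins and ends outside the hunk.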
@@ -0,0 +1,489 @@ +From 243201772cc6d583fae9eba81cb2c2c7425bc564 Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Mon, 21 Feb 2022 17:24:44 +0100 +Subject: Selectively disallow SHA1 signatures + +For RHEL 9.0, we want to phase out SHA1. One of the steps to do that is +disabling SHA1 signatures. Introduce a new configuration option in the +alg_section named 'rh-allow-sha1-signatures'. This option defaults to +false. If set to false (or unset), any signature creation or +verification operations that involve SHA1 as digest will fail. + +This also affects TLS, where the signature_algorithms extension of any +ClientHello message sent by OpenSSL will no longer include signatures +with the SHA1 digest if rh-allow-sha1-signatures is false. For servers +that request a client certificate, the same also applies for +CertificateRequest messages sent by them. + +For signatures created using the EVP_PKEY API, this is a best-effort +check that will deny signatures in cases where the digest algorithm is +known. This means, for example, that that following steps will still +work: + + $> openssl dgst -sha1 -binary -out sha1 infile + $> openssl pkeyutl -inkey key.pem -sign -in sha1 -out sha1sig + $> openssl pkeyutl -inkey key.pem -verify -sigfile sha1sig -in sha1 + +whereas these will not: + + $> openssl dgst -sha1 -binary -out sha1 infile + $> openssl pkeyutl -inkey kem.pem -sign -in sha1 -out sha1sig -pkeyopt digest:sha1 + $> openssl pkeyutl -inkey kem.pem -verify -sigfile sha1sig -in sha1 -pkeyopt digest:sha1 + +This happens because in the first case, OpenSSL's signature +implementation does not know that it is signing a SHA1 hash (it could be +signing arbitrary data). 
+ +Resolves: rhbz#2031742 +--- + crypto/evp/evp_cnf.c | 13 ++++ + crypto/evp/m_sigver.c | 77 +++++++++++++++++++ + crypto/evp/pmeth_lib.c | 15 ++++ + doc/man5/config.pod | 11 +++ + include/internal/cryptlib.h | 3 +- + include/internal/sslconf.h | 4 + + providers/common/securitycheck.c | 20 +++++ + providers/common/securitycheck_default.c | 9 ++- + providers/implementations/signature/dsa_sig.c | 11 ++- + .../implementations/signature/ecdsa_sig.c | 4 + + providers/implementations/signature/rsa_sig.c | 20 ++++- + ssl/t1_lib.c | 8 ++ + util/libcrypto.num | 2 + + 13 files changed, 188 insertions(+), 9 deletions(-) + +diff --git a/crypto/evp/evp_cnf.c b/crypto/evp/evp_cnf.c +index 0e7fe64cf9..b9d3b6d226 100644 +--- a/crypto/evp/evp_cnf.c ++++ b/crypto/evp/evp_cnf.c +@@ -10,6 +10,7 @@ + #include + #include + #include "internal/cryptlib.h" ++#include "internal/sslconf.h" + #include + #include + #include +@@ -57,6 +58,18 @@ static int alg_module_init(CONF_IMODULE *md, const CONF *cnf) + ERR_raise(ERR_LIB_EVP, EVP_R_SET_DEFAULT_PROPERTY_FAILURE); + return 0; + } ++ } else if (strcmp(oval->name, "rh-allow-sha1-signatures") == 0) { ++ int m; ++ ++ /* Detailed error already reported. 
*/ ++ if (!X509V3_get_value_bool(oval, &m)) ++ return 0; ++ ++ if (!ossl_ctx_legacy_digest_signatures_allowed_set( ++ NCONF_get0_libctx((CONF *)cnf), m > 0, 0)) { ++ ERR_raise(ERR_LIB_EVP, EVP_R_SET_DEFAULT_PROPERTY_FAILURE); ++ return 0; ++ } + } else { + ERR_raise_data(ERR_LIB_EVP, EVP_R_UNKNOWN_OPTION, + "name=%s, value=%s", oval->name, oval->value); +diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c +index 9188edbc21..db1a1d7bc3 100644 +--- a/crypto/evp/m_sigver.c ++++ b/crypto/evp/m_sigver.c +@@ -16,6 +16,71 @@ + #include "internal/numbers.h" /* includes SIZE_MAX */ + #include "evp_local.h" + ++typedef struct ossl_legacy_digest_signatures_st { ++ int allowed; ++} OSSL_LEGACY_DIGEST_SIGNATURES; ++ ++static void ossl_ctx_legacy_digest_signatures_free(void *vldsigs) ++{ ++ OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs = vldsigs; ++ ++ if (ldsigs != NULL) { ++ OPENSSL_free(ldsigs); ++ } ++} ++ ++static void *ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX *ctx) ++{ ++ return OPENSSL_zalloc(sizeof(OSSL_LEGACY_DIGEST_SIGNATURES)); ++} ++ ++static const OSSL_LIB_CTX_METHOD ossl_ctx_legacy_digest_signatures_method = { ++ OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY, ++ ossl_ctx_legacy_digest_signatures_new, ++ ossl_ctx_legacy_digest_signatures_free, ++}; ++ ++static OSSL_LEGACY_DIGEST_SIGNATURES *ossl_ctx_legacy_digest_signatures( ++ OSSL_LIB_CTX *libctx, int loadconfig) ++{ ++#ifndef FIPS_MODULE ++ if (loadconfig && !OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL)) ++ return 0; ++#endif ++ ++ return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES, ++ &ossl_ctx_legacy_digest_signatures_method); ++} ++ ++int ossl_ctx_legacy_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int loadconfig) ++{ ++ OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs ++ = ossl_ctx_legacy_digest_signatures(libctx, loadconfig); ++ ++#ifndef FIPS_MODULE ++ if (ossl_safe_getenv("OPENSSL_ENABLE_SHA1_SIGNATURES") != NULL) ++ /* used in tests */ ++ return 1; ++#endif ++ ++ return ldsigs != 
NULL ? ldsigs->allowed : 0; ++} ++ ++int ossl_ctx_legacy_digest_signatures_allowed_set(OSSL_LIB_CTX *libctx, int allow, ++ int loadconfig) ++{ ++ OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs ++ = ossl_ctx_legacy_digest_signatures(libctx, loadconfig); ++ ++ if (ldsigs == NULL) { ++ ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR); ++ return 0; ++ } ++ ++ ldsigs->allowed = allow; ++ return 1; ++} ++ + #ifndef FIPS_MODULE + + static int update(EVP_MD_CTX *ctx, const void *data, size_t datalen) +@@ -258,6 +323,18 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, + } + } + ++ if (ctx->reqdigest != NULL ++ && !EVP_PKEY_is_a(locpctx->pkey, SN_hmac) ++ && !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf) ++ && !EVP_PKEY_is_a(locpctx->pkey, SN_hkdf)) { ++ int mdnid = EVP_MD_nid(ctx->reqdigest); ++ if (!ossl_ctx_legacy_digest_signatures_allowed(locpctx->libctx, 0) ++ && (mdnid == NID_sha1 || mdnid == NID_md5_sha1)) { ++ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST); ++ goto err; ++ } ++ } ++ + if (ver) { + if (signature->digest_verify_init == NULL) { + ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); +diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c +index 2b9c6c2351..3c5a1e6f5d 100644 +--- a/crypto/evp/pmeth_lib.c ++++ b/crypto/evp/pmeth_lib.c +@@ -33,6 +33,7 @@ + #include "internal/ffc.h" + #include "internal/numbers.h" + #include "internal/provider.h" ++#include "internal/sslconf.h" + #include "evp_local.h" + + #ifndef FIPS_MODULE +@@ -946,6 +947,20 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_CTX *ctx, const EVP_MD *md, + return -2; + } + ++ if (EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx) ++ && md != NULL ++ && ctx->pkey != NULL ++ && !EVP_PKEY_is_a(ctx->pkey, SN_hmac) ++ && !EVP_PKEY_is_a(ctx->pkey, SN_tls1_prf) ++ && !EVP_PKEY_is_a(ctx->pkey, SN_hkdf)) { ++ int mdnid = EVP_MD_nid(md); ++ if ((mdnid == NID_sha1 || mdnid == NID_md5_sha1) ++ && !ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0)) { ++ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST); ++ return -1; ++ 
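Review bot: `ossl_ctx_legacy_digest_signatures_allowed` re-enables SHA-1 signatures for the whole process whenever `OPENSSL_ENABLE_SHA1_SIGNATURES` is present in the environment, before the per-libctx setting is even consulted; the `/* used in tests */` comment notwithstanding, this ships in the production library and lets any unprivileged user override an administrator's `rh-allow-sha1-signatures = no` policy for programs they run (`ossl_safe_getenv` only suppresses it for setuid/privileged processes, on platforms that support that). Either gate the lookup behind a build-time test macro or document the override in the `config.pod` entry so it is a known part of the policy surface. Smaller points in the same hunk: `ossl_ctx_legacy_digest_signatures` returns `0` from a pointer-returning function (`return NULL;`), and the `if (ldsigs != NULL)` around `OPENSSL_free` is redundant because `OPENSSL_free(NULL)` is a no-op.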
} ++ } ++ + if (fallback) + return EVP_PKEY_CTX_ctrl(ctx, -1, op, ctrl, 0, (void *)(md)); + +diff --git a/doc/man5/config.pod b/doc/man5/config.pod +index 77a8055e81..aa1be5ca7f 100644 +--- a/doc/man5/config.pod ++++ b/doc/man5/config.pod +@@ -304,6 +304,17 @@ Within the algorithm properties section, the following names have meaning: + The value may be anything that is acceptable as a property query + string for EVP_set_default_properties(). + ++=item B ++ ++The value is a boolean that can be B or B. If the value is not set, ++it behaves as if it was set to B. ++ ++When set to B, any attempt to create or verify a signature with a SHA1 ++digest will fail. For compatibility with older versions of OpenSSL, set this ++option to B. This setting also affects TLS, where signature algorithms ++that use SHA1 as digest will no longer be supported if this option is set to ++B. ++ + =item B (deprecated) + + The value is a boolean that can be B or B. If the value is +diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h +index 1291299b6e..e234341e6a 100644 +--- a/include/internal/cryptlib.h ++++ b/include/internal/cryptlib.h +@@ -168,7 +168,8 @@ typedef struct ossl_ex_data_global_st { + # define OSSL_LIB_CTX_PROVIDER_CONF_INDEX 16 + # define OSSL_LIB_CTX_BIO_CORE_INDEX 17 + # define OSSL_LIB_CTX_CHILD_PROVIDER_INDEX 18 +-# define OSSL_LIB_CTX_MAX_INDEXES 19 ++# define OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES 19 ++# define OSSL_LIB_CTX_MAX_INDEXES 20 + + # define OSSL_LIB_CTX_METHOD_LOW_PRIORITY -1 + # define OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY 0 +diff --git a/include/internal/sslconf.h b/include/internal/sslconf.h +index fd7f7e3331..05464b0655 100644 +--- a/include/internal/sslconf.h ++++ b/include/internal/sslconf.h +@@ -18,4 +18,8 @@ int conf_ssl_name_find(const char *name, size_t *idx); + void conf_ssl_get_cmd(const SSL_CONF_CMD *cmd, size_t idx, char **cmdstr, + char **arg); + ++/* Methods to support disabling all signatures with legacy digests */ ++int 
ossl_ctx_legacy_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int loadconfig); ++int ossl_ctx_legacy_digest_signatures_allowed_set(OSSL_LIB_CTX *libctx, int allow, ++ int loadconfig); + #endif +diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c +index 699ada7c52..e534ad0a5f 100644 +--- a/providers/common/securitycheck.c ++++ b/providers/common/securitycheck.c +@@ -19,6 +19,7 @@ + #include + #include + #include "prov/securitycheck.h" ++#include "internal/sslconf.h" + + /* + * FIPS requires a minimum security strength of 112 bits (for encryption or +@@ -235,6 +236,15 @@ int ossl_digest_get_approved_nid_with_sha1(OSSL_LIB_CTX *ctx, const EVP_MD *md, + mdnid = -1; /* disallowed by security checks */ + } + # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */ ++ ++#ifndef FIPS_MODULE ++ if (!ossl_ctx_legacy_digest_signatures_allowed(ctx, 0)) ++ /* SHA1 is globally disabled, check whether we want to locally allow ++ * it. */ ++ if (mdnid == NID_sha1 && !sha1_allowed) ++ mdnid = -1; ++#endif ++ + return mdnid; + } + +@@ -244,5 +254,15 @@ int ossl_digest_is_allowed(OSSL_LIB_CTX *ctx, const EVP_MD *md) + if (ossl_securitycheck_enabled(ctx)) + return ossl_digest_get_approved_nid(md) != NID_undef; + # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */ ++ ++#ifndef FIPS_MODULE ++ { ++ int mdnid = EVP_MD_nid(md); ++ if ((mdnid == NID_sha1 || mdnid == NID_md5_sha1) ++ && !ossl_ctx_legacy_digest_signatures_allowed(ctx, 0)) ++ return 0; ++ } ++#endif ++ + return 1; + } +diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c +index de7f0d3a0a..ce54a94fbc 100644 +--- a/providers/common/securitycheck_default.c ++++ b/providers/common/securitycheck_default.c +@@ -15,6 +15,7 @@ + #include + #include "prov/securitycheck.h" + #include "internal/nelem.h" ++#include "internal/sslconf.h" + + /* Disable the security checks in the default provider */ + int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx) +@@ -23,9 +24,10 @@ int 
ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx) + } + + int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md, +- ossl_unused int sha1_allowed) ++ int sha1_allowed) + { + int mdnid; ++ int ldsigs_allowed; + + static const OSSL_ITEM name_to_nid[] = { + { NID_md5, OSSL_DIGEST_NAME_MD5 }, +@@ -36,8 +38,11 @@ int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md, + { NID_ripemd160, OSSL_DIGEST_NAME_RIPEMD160 }, + }; + +- mdnid = ossl_digest_get_approved_nid_with_sha1(ctx, md, 1); ++ ldsigs_allowed = ossl_ctx_legacy_digest_signatures_allowed(ctx, 0); ++ mdnid = ossl_digest_get_approved_nid_with_sha1(ctx, md, sha1_allowed || ldsigs_allowed); + if (mdnid == NID_undef) + mdnid = ossl_digest_md_to_nid(md, name_to_nid, OSSL_NELEM(name_to_nid)); ++ if (mdnid == NID_md5_sha1 && !ldsigs_allowed) ++ mdnid = -1; + return mdnid; + } +diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c +index 28fd7c498e..fa3822f39f 100644 +--- a/providers/implementations/signature/dsa_sig.c ++++ b/providers/implementations/signature/dsa_sig.c +@@ -124,12 +124,17 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx, + mdprops = ctx->propq; + + if (mdname != NULL) { +- int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); + WPACKET pkt; + EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); +- int md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md, +- sha1_allowed); ++ int md_nid; + size_t mdname_len = strlen(mdname); ++#ifdef FIPS_MODULE ++ int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); ++#else ++ int sha1_allowed = 0; ++#endif ++ md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md, ++ sha1_allowed); + + if (md == NULL || md_nid < 0) { + if (md == NULL) +diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c +index 865d49d100..99b228e82c 100644 +--- a/providers/implementations/signature/ecdsa_sig.c ++++ 
b/providers/implementations/signature/ecdsa_sig.c +@@ -237,7 +237,11 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname, + "%s could not be fetched", mdname); + return 0; + } ++#ifdef FIPS_MODULE + sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); ++#else ++ sha1_allowed = 0; ++#endif + md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md, + sha1_allowed); + if (md_nid < 0) { +diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c +index 325e855333..bea397f0c1 100644 +--- a/providers/implementations/signature/rsa_sig.c ++++ b/providers/implementations/signature/rsa_sig.c +@@ -26,6 +26,7 @@ + #include "internal/cryptlib.h" + #include "internal/nelem.h" + #include "internal/sizes.h" ++#include "internal/sslconf.h" + #include "crypto/rsa.h" + #include "prov/providercommon.h" + #include "prov/implementations.h" +@@ -34,6 +35,7 @@ + #include "prov/securitycheck.h" + + #define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1 ++#define RSA_DEFAULT_DIGEST_NAME_NONLEGACY OSSL_DIGEST_NAME_SHA2_256 + + OSSL_FUNC_signature_newctx_fn rsa_newctx; + static OSSL_FUNC_signature_sign_init_fn rsa_sign_init; +@@ -289,10 +291,15 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname, + + if (mdname != NULL) { + EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); ++ int md_nid; ++ size_t mdname_len = strlen(mdname); ++#ifdef FIPS_MODULE + int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); +- int md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md, ++#else ++ int sha1_allowed = 0; ++#endif ++ md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md, + sha1_allowed); +- size_t mdname_len = strlen(mdname); + + if (md == NULL + || md_nid <= 0 +@@ -1348,8 +1355,15 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) + prsactx->pad_mode = pad_mode; + + if (prsactx->md == NULL && pmdname == NULL +- && pad_mode == RSA_PKCS1_PSS_PADDING) ++ && pad_mode == 
RSA_PKCS1_PSS_PADDING) { + pmdname = RSA_DEFAULT_DIGEST_NAME; ++#ifndef FIPS_MODULE ++ if (!ossl_ctx_legacy_digest_signatures_allowed(prsactx->libctx, 0)) { ++ pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY; ++ } ++#endif ++ } ++ + + if (pmgf1mdname != NULL + && !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops)) +diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c +index fc32bb3556..4b74ee1a34 100644 +--- a/ssl/t1_lib.c ++++ b/ssl/t1_lib.c +@@ -20,6 +20,7 @@ + #include + #include + #include ++#include "internal/sslconf.h" + #include "internal/nelem.h" + #include "internal/sizes.h" + #include "internal/tlsgroups.h" +@@ -1145,11 +1146,13 @@ int ssl_setup_sig_algs(SSL_CTX *ctx) + = OPENSSL_malloc(sizeof(*lu) * OSSL_NELEM(sigalg_lookup_tbl)); + EVP_PKEY *tmpkey = EVP_PKEY_new(); + int ret = 0; ++ int ldsigs_allowed; + + if (cache == NULL || tmpkey == NULL) + goto err; + + ERR_set_mark(); ++ ldsigs_allowed = ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0); + for (i = 0, lu = sigalg_lookup_tbl; + i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) { + EVP_PKEY_CTX *pctx; +@@ -1169,6 +1172,11 @@ int ssl_setup_sig_algs(SSL_CTX *ctx) + cache[i].enabled = 0; + continue; + } ++ if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1) ++ && !ldsigs_allowed) { ++ cache[i].enabled = 0; ++ continue; ++ } + + if (!EVP_PKEY_set_type(tmpkey, lu->sig)) { + cache[i].enabled = 0; +diff --git a/util/libcrypto.num b/util/libcrypto.num +index 10b4e57d79..2d3c363bb0 100644 +--- a/util/libcrypto.num ++++ b/util/libcrypto.num +@@ -5426,3 +5426,5 @@ ASN1_TIME_print_ex 5553 3_0_0 EXIST::FUNCTION: + OPENSSL_strcasecmp 5556 3_0_3 EXIST::FUNCTION: + OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION: + ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION: ++ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION: ++ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION: +-- +2.35.1 + 
diff --git a/SOURCES/0050-FIPS-enable-pkcs12-mac.patch b/SOURCES/0050-FIPS-enable-pkcs12-mac.patch
new file mode 100644
index 0000000..1496bb2
--- /dev/null
+++ b/SOURCES/0050-FIPS-enable-pkcs12-mac.patch
@@ -0,0 +1,95 @@ +diff -up openssl-3.0.1/crypto/pkcs12/p12_key.c.pkc12_fips openssl-3.0.1/crypto/pkcs12/p12_key.c +--- openssl-3.0.1/crypto/pkcs12/p12_key.c.pkc12_fips 2022-02-21 12:35:24.829893907 +0100 ++++ openssl-3.0.1/crypto/pkcs12/p12_key.c 2022-02-21 13:01:22.711622967 +0100 +@@ -85,17 +85,41 @@ int PKCS12_key_gen_uni_ex(unsigned char + EVP_KDF *kdf; + EVP_KDF_CTX *ctx; + OSSL_PARAM params[6], *p = params; ++ char *adjusted_propq = NULL; + + if (n <= 0) + return 0; + +- kdf = EVP_KDF_fetch(libctx, "PKCS12KDF", propq); +- if (kdf == NULL) ++ if (ossl_get_kernel_fips_flag()) { ++ const char *nofips = "-fips"; ++ size_t len = propq ? strlen(propq) + 1 + strlen(nofips) + 1 : ++ strlen(nofips) + 1; ++ char *ptr = NULL; ++ ++ adjusted_propq = OPENSSL_zalloc(len); ++ if (adjusted_propq != NULL) { ++ ptr = adjusted_propq; ++ if (propq) { ++ memcpy(ptr, propq, strlen(propq)); ++ ptr += strlen(propq); ++ *ptr = ','; ++ ptr++; ++ } ++ memcpy(ptr, nofips, strlen(nofips)); ++ } ++ } ++ ++ kdf = adjusted_propq ? 
EVP_KDF_fetch(libctx, "PKCS12KDF", adjusted_propq) : EVP_KDF_fetch(libctx, "PKCS12KDF", propq); ++ if (kdf == NULL) { ++ OPENSSL_free(adjusted_propq); + return 0; ++ } + ctx = EVP_KDF_CTX_new(kdf); + EVP_KDF_free(kdf); +- if (ctx == NULL) ++ if (ctx == NULL) { ++ OPENSSL_free(adjusted_propq); + return 0; ++ } + + *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, + (char *)EVP_MD_get0_name(md_type), +@@ -127,6 +149,7 @@ int PKCS12_key_gen_uni_ex(unsigned char + } OSSL_TRACE_END(PKCS12_KEYGEN); + } + EVP_KDF_CTX_free(ctx); ++ OPENSSL_free(adjusted_propq); + return res; + } + +diff -up openssl-3.0.1/apps/pkcs12.c.pkc12_fips_apps openssl-3.0.1/apps/pkcs12.c +--- openssl-3.0.1/apps/pkcs12.c.pkc12_fips_apps 2022-02-21 16:37:07.908923682 +0100 ++++ openssl-3.0.1/apps/pkcs12.c 2022-02-21 17:38:44.555345633 +0100 +@@ -765,15 +765,34 @@ int pkcs12_main(int argc, char **argv) + } + if (macver) { + EVP_KDF *pkcs12kdf; ++ char *adjusted_propq = NULL; ++ const char *nofips = "-fips"; ++ size_t len = app_get0_propq() ? strlen(app_get0_propq()) + 1 + strlen(nofips) + 1 : ++ strlen(nofips) + 1; ++ char *ptr = NULL; ++ ++ adjusted_propq = OPENSSL_zalloc(len); ++ if (adjusted_propq != NULL) { ++ ptr = adjusted_propq; ++ if (app_get0_propq()) { ++ memcpy(ptr, app_get0_propq(), strlen(app_get0_propq())); ++ ptr += strlen(app_get0_propq()); ++ *ptr = ','; ++ ptr++; ++ } ++ memcpy(ptr, nofips, strlen(nofips)); ++ } + + pkcs12kdf = EVP_KDF_fetch(app_get0_libctx(), "PKCS12KDF", +- app_get0_propq()); ++ adjusted_propq ? 
adjusted_propq : app_get0_propq()); + if (pkcs12kdf == NULL) { + BIO_printf(bio_err, "Error verifying PKCS12 MAC; no PKCS12KDF support.\n"); + BIO_printf(bio_err, "Use -nomacver if MAC verification is not required.\n"); ++ OPENSSL_free(adjusted_propq); + goto end; + } + EVP_KDF_free(pkcs12kdf); ++ OPENSSL_free(adjusted_propq); + /* If we enter empty password try no password first */ + if (!mpass[0] && PKCS12_verify_mac(p12, NULL, 0)) { + /* If mac and crypto pass the same set it to NULL too */ diff --git a/SOURCES/0051-Support-different-R_BITS-lengths-for-KBKDF.patch b/SOURCES/0051-Support-different-R_BITS-lengths-for-KBKDF.patch new file mode 100644 index 0000000..c240628 --- /dev/null +++ b/SOURCES/0051-Support-different-R_BITS-lengths-for-KBKDF.patch 
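Review bot: In the p12_key.c hunk, when `OPENSSL_zalloc(len)` fails the new code leaves `adjusted_propq` NULL and the ternary at the `EVP_KDF_fetch` call silently falls back to the caller's original `propq`, so an allocation failure becomes a fetch under a different property query instead of an error; replace the `if (adjusted_propq != NULL)` guard with `if (adjusted_propq == NULL) { ERR_raise(ERR_LIB_PKCS12, ERR_R_MALLOC_FAILURE); return 0; }`. The same hand-rolled `propq` + `",-fips"` assembly is repeated in the apps/pkcs12.c hunk, where it also runs without the `ossl_get_kernel_fips_flag()` gate the library side uses, so a small shared helper (or a single `BIO_snprintf` into the zalloc'd buffer) would keep the two copies and their gating in step. Because this deliberately relaxes the fetch query while the kernel is in FIPS mode, the block should carry a comment stating that intent, e.g. `/* Kernel FIPS mode: append "-fips" to the property query so PKCS12KDF can still be fetched for the PKCS#12 MAC. */`. PKCS12_key_gen_uni_ex's opening lines are outside the hunk.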
@@ -0,0 +1,2151 @@ +From 0e9a265e42890699dfce82f1ff6905de6aafbd41 Mon Sep 17 00:00:00 2001 +From: Patrick Uiterwijk +Date: Thu, 18 Nov 2021 10:47:14 +0100 +Subject: [PATCH] Support different R_BITS lengths for KBKDF + +Reviewed-by: Tomas Mraz +Reviewed-by: Paul Dale +(Merged from https://github.com/openssl/openssl/pull/17063) +--- + doc/man7/EVP_KDF-KB.pod | 7 + + include/openssl/core_names.h | 1 + + providers/implementations/kdfs/kbkdf.c | 30 +- + test/evp_kdf_test.c | 47 +- + test/evp_test.c | 6 + + test/recipes/30-test_evp.t | 1 + + .../30-test_evp_data/evpkdf_kbkdf_counter.txt | 1843 +++++++++++++++++ + 7 files changed, 1924 insertions(+), 11 deletions(-) + create mode 100644 test/recipes/30-test_evp_data/evpkdf_kbkdf_counter.txt + +diff --git a/doc/man7/EVP_KDF-KB.pod b/doc/man7/EVP_KDF-KB.pod +index d4fad66f7654..a67268afa7d5 100644 +--- a/doc/man7/EVP_KDF-KB.pod ++++ b/doc/man7/EVP_KDF-KB.pod +@@ -58,6 +58,13 @@ Set to B<0> to disable use of the optional Fixed Input data 'zero separator' + (see SP800-108) that is placed between the Label and Context. + The default value of B<1> will be used if unspecified. + ++=item "r" (B) ++ ++Set the fixed value 'r', indicating the length of the counter in bits. ++ ++Supported values are B<8>, B<16>, B<24>, and B<32>. ++The default value of B<32> will be used if unspecified. 
++ + =back + + Depending on whether mac is CMAC or HMAC, either digest or cipher is required +diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h +index b549dae9167c..78418dc6e0a2 100644 +--- a/include/openssl/core_names.h ++++ b/include/openssl/core_names.h +@@ -217,6 +217,7 @@ extern "C" { + #define OSSL_KDF_PARAM_PKCS12_ID "id" /* int */ + #define OSSL_KDF_PARAM_KBKDF_USE_L "use-l" /* int */ + #define OSSL_KDF_PARAM_KBKDF_USE_SEPARATOR "use-separator" /* int */ ++#define OSSL_KDF_PARAM_KBKDF_R "r" /* int */ + #define OSSL_KDF_PARAM_X942_ACVPINFO "acvp-info" + #define OSSL_KDF_PARAM_X942_PARTYUINFO "partyu-info" + #define OSSL_KDF_PARAM_X942_PARTYVINFO "partyv-info" +diff --git a/providers/implementations/kdfs/kbkdf.c b/providers/implementations/kdfs/kbkdf.c +index 01f7f0d4fd2e..a81cc6e0c0d6 100644 +--- a/providers/implementations/kdfs/kbkdf.c ++++ b/providers/implementations/kdfs/kbkdf.c +@@ -60,6 +60,7 @@ typedef struct { + EVP_MAC_CTX *ctx_init; + + /* Names are lowercased versions of those found in SP800-108. 
*/ ++ int r; + unsigned char *ki; + size_t ki_len; + unsigned char *label; +@@ -100,6 +101,7 @@ static uint32_t be32(uint32_t host) + + static void init(KBKDF *ctx) + { ++ ctx->r = 32; + ctx->use_l = 1; + ctx->use_separator = 1; + } +@@ -152,7 +154,7 @@ static int derive(EVP_MAC_CTX *ctx_init, kbkdf_mode mode, unsigned char *iv, + size_t iv_len, unsigned char *label, size_t label_len, + unsigned char *context, size_t context_len, + unsigned char *k_i, size_t h, uint32_t l, int has_separator, +- unsigned char *ko, size_t ko_len) ++ unsigned char *ko, size_t ko_len, int r) + { + int ret = 0; + EVP_MAC_CTX *ctx = NULL; +@@ -186,7 +188,7 @@ static int derive(EVP_MAC_CTX *ctx_init, kbkdf_mode mode, unsigned char *iv, + if (mode == FEEDBACK && !EVP_MAC_update(ctx, k_i, k_i_len)) + goto done; + +- if (!EVP_MAC_update(ctx, (unsigned char *)&i, 4) ++ if (!EVP_MAC_update(ctx, 4 - (r / 8) + (unsigned char *)&i, r / 8) + || !EVP_MAC_update(ctx, label, label_len) + || (has_separator && !EVP_MAC_update(ctx, &zero, 1)) + || !EVP_MAC_update(ctx, context, context_len) +@@ -217,6 +219,7 @@ static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen, + unsigned char *k_i = NULL; + uint32_t l = 0; + size_t h = 0; ++ uint64_t counter_max; + + if (!ossl_prov_is_running() || !kbkdf_set_ctx_params(ctx, params)) + return 0; +@@ -248,6 +251,15 @@ static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen, + goto done; + } + ++ if (ctx->mode == COUNTER) { ++ /* Fail if keylen is too large for r */ ++ counter_max = (uint64_t)1 << (uint64_t)ctx->r; ++ if ((uint64_t)(keylen / h) >= counter_max) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); ++ goto done; ++ } ++ } ++ + if (ctx->use_l != 0) + l = be32(keylen * 8); + +@@ -257,7 +269,7 @@ static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen, + + ret = derive(ctx->ctx_init, ctx->mode, ctx->iv, ctx->iv_len, ctx->label, + ctx->label_len, ctx->context, ctx->context_len, k_i, h, l, +- ctx->use_separator, 
key, keylen); ++ ctx->use_separator, key, keylen, ctx->r); + done: + if (ret != 1) + OPENSSL_cleanse(key, keylen); +@@ -328,6 +340,17 @@ static int kbkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) + if (p != NULL && !OSSL_PARAM_get_int(p, &ctx->use_l)) + return 0; + ++ p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KBKDF_R); ++ if (p != NULL) { ++ int new_r = 0; ++ ++ if (!OSSL_PARAM_get_int(p, &new_r)) ++ return 0; ++ if (new_r != 8 && new_r != 16 && new_r != 24 && new_r != 32) ++ return 0; ++ ctx->r = new_r; ++ } ++ + p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KBKDF_USE_SEPARATOR); + if (p != NULL && !OSSL_PARAM_get_int(p, &ctx->use_separator)) + return 0; +@@ -354,6 +377,7 @@ static const OSSL_PARAM *kbkdf_settable_ctx_params(ossl_unused void *ctx, + OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0), + OSSL_PARAM_int(OSSL_KDF_PARAM_KBKDF_USE_L, NULL), + OSSL_PARAM_int(OSSL_KDF_PARAM_KBKDF_USE_SEPARATOR, NULL), ++ OSSL_PARAM_int(OSSL_KDF_PARAM_KBKDF_R, NULL), + OSSL_PARAM_END, + }; + return known_settable_ctx_params; +diff --git a/test/evp_kdf_test.c b/test/evp_kdf_test.c +index 7fde5ea4111c..173d8cb8b87b 100644 +--- a/test/evp_kdf_test.c ++++ b/test/evp_kdf_test.c +@@ -1068,9 +1068,9 @@ static int test_kdf_kbkdf_6803_256(void) + #endif + + static OSSL_PARAM *construct_kbkdf_params(char *digest, char *mac, unsigned char *key, +- size_t keylen, char *salt, char *info) ++ size_t keylen, char *salt, char *info, int *r) + { +- OSSL_PARAM *params = OPENSSL_malloc(sizeof(OSSL_PARAM) * 7); ++ OSSL_PARAM *params = OPENSSL_malloc(sizeof(OSSL_PARAM) * 8); + OSSL_PARAM *p = params; + + if (params == NULL) +@@ -1088,6 +1088,8 @@ static OSSL_PARAM *construct_kbkdf_params(char *digest, char *mac, unsigned char + OSSL_KDF_PARAM_SALT, salt, strlen(salt)); + *p++ = OSSL_PARAM_construct_octet_string( + OSSL_KDF_PARAM_INFO, info, strlen(info)); ++ *p++ = OSSL_PARAM_construct_int( ++ OSSL_KDF_PARAM_KBKDF_R, r); + *p = OSSL_PARAM_construct_end(); + + 
return params; +@@ -1100,8 +1102,9 @@ static int test_kdf_kbkdf_invalid_digest(void) + OSSL_PARAM *params; + + static unsigned char key[] = {0x01}; ++ int r = 32; + +- params = construct_kbkdf_params("blah", "HMAC", key, 1, "prf", "test"); ++ params = construct_kbkdf_params("blah", "HMAC", key, 1, "prf", "test", &r); + if (!TEST_ptr(params)) + return 0; + +@@ -1122,8 +1125,9 @@ static int test_kdf_kbkdf_invalid_mac(void) + OSSL_PARAM *params; + + static unsigned char key[] = {0x01}; ++ int r = 32; + +- params = construct_kbkdf_params("sha256", "blah", key, 1, "prf", "test"); ++ params = construct_kbkdf_params("sha256", "blah", key, 1, "prf", "test", &r); + if (!TEST_ptr(params)) + return 0; + +@@ -1137,6 +1141,30 @@ static int test_kdf_kbkdf_invalid_mac(void) + return ret; + } + ++static int test_kdf_kbkdf_invalid_r(void) ++{ ++ int ret; ++ EVP_KDF_CTX *kctx; ++ OSSL_PARAM *params; ++ ++ static unsigned char key[] = {0x01}; ++ int r = 31; ++ ++ params = construct_kbkdf_params("sha256", "HMAC", key, 1, "prf", "test", &r); ++ if (!TEST_ptr(params)) ++ return 0; ++ ++ /* Negative test case - derive should fail */ ++ kctx = get_kdfbyname("KBKDF"); ++ ret = TEST_ptr(kctx) ++ && TEST_false(EVP_KDF_CTX_set_params(kctx, params)); ++ ++ EVP_KDF_CTX_free(kctx); ++ OPENSSL_free(params); ++ return ret; ++} ++ ++ + static int test_kdf_kbkdf_empty_key(void) + { + int ret; +@@ -1145,8 +1173,9 @@ static int test_kdf_kbkdf_empty_key(void) + + static unsigned char key[] = {0x01}; + unsigned char result[32] = { 0 }; ++ int r = 32; + +- params = construct_kbkdf_params("sha256", "HMAC", key, 0, "prf", "test"); ++ params = construct_kbkdf_params("sha256", "HMAC", key, 0, "prf", "test", &r); + if (!TEST_ptr(params)) + return 0; + +@@ -1169,8 +1198,9 @@ static int test_kdf_kbkdf_1byte_key(void) + + static unsigned char key[] = {0x01}; + unsigned char result[32] = { 0 }; ++ int r = 32; + +- params = construct_kbkdf_params("sha256", "HMAC", key, 1, "prf", "test"); ++ params = 
construct_kbkdf_params("sha256", "HMAC", key, 1, "prf", "test", &r); + if (!TEST_ptr(params)) + return 0; + +@@ -1191,8 +1221,9 @@ static int test_kdf_kbkdf_zero_output_size(void) + + static unsigned char key[] = {0x01}; + unsigned char result[32] = { 0 }; ++ int r = 32; + +- params = construct_kbkdf_params("sha256", "HMAC", key, 1, "prf", "test"); ++ params = construct_kbkdf_params("sha256", "HMAC", key, 1, "prf", "test", &r); + if (!TEST_ptr(params)) + return 0; + +@@ -1298,7 +1329,6 @@ static int test_kdf_kbkdf_8009_prf2(void) + * Test vector taken from + * https://csrc.nist.gov/CSRC/media/Projects/ + * Cryptographic-Algorithm-Validation-Program/documents/KBKDF800-108/CounterMode.zip +- * Note: Only 32 bit counter is supported ([RLEN=32_BITS]) + */ + static int test_kdf_kbkdf_fixedinfo(void) + { +@@ -1628,6 +1658,7 @@ int setup_tests(void) + #endif + ADD_TEST(test_kdf_kbkdf_invalid_digest); + ADD_TEST(test_kdf_kbkdf_invalid_mac); ++ ADD_TEST(test_kdf_kbkdf_invalid_r); + ADD_TEST(test_kdf_kbkdf_zero_output_size); + ADD_TEST(test_kdf_kbkdf_empty_key); + ADD_TEST(test_kdf_kbkdf_1byte_key); +diff --git a/test/evp_test.c b/test/evp_test.c +index 70996195f0cb..6ae862b04403 100644 +--- a/test/evp_test.c ++++ b/test/evp_test.c +@@ -2639,6 +2639,12 @@ static int kdf_test_ctrl(EVP_TEST *t, EVP_KDF_CTX *kctx, + TEST_info("skipping, '%s' is disabled", p); + t->skip = 1; + } ++ if (p != NULL ++ && (strcmp(name, "mac") == 0) ++ && is_mac_disabled(p)) { ++ TEST_info("skipping, '%s' is disabled", p); ++ t->skip = 1; ++ } + OPENSSL_free(name); + return 1; + } +diff --git a/test/recipes/30-test_evp.t b/test/recipes/30-test_evp.t +index 7ae546e1d70c..7b976c0a1b5e 100644 +--- a/test/recipes/30-test_evp.t ++++ b/test/recipes/30-test_evp.t +@@ -45,6 +45,7 @@ my @files = qw( + evpciph_aes_wrap.txt + evpciph_aes_stitched.txt + evpkdf_hkdf.txt ++ evpkdf_kbkdf_counter.txt + evpkdf_pbkdf1.txt + evpkdf_pbkdf2.txt + evpkdf_ss.txt +diff --git 
a/test/recipes/30-test_evp_data/evpkdf_kbkdf_counter.txt b/test/recipes/30-test_evp_data/evpkdf_kbkdf_counter.txt +new file mode 100644 +index 000000000000..04ab8ff0fad7 +--- /dev/null ++++ b/test/recipes/30-test_evp_data/evpkdf_kbkdf_counter.txt +@@ -0,0 +1,1843 @@ ++# ++# Copyright 2021-2021 The OpenSSL Project Authors. All Rights Reserved. ++# ++# Licensed under the Apache License 2.0 (the "License"). You may not use ++# this file except in compliance with the License. You can obtain a copy ++# in the file LICENSE in the source distribution or at ++# https://www.openssl.org/source/license.html ++ ++# Tests start with one of these keywords ++# Cipher Decrypt Derive Digest Encoding KDF MAC PBE ++# PrivPubKeyPair Sign Verify VerifyRecover ++# and continue until a blank line. Lines starting with a pound sign are ignored. ++ ++Title = KBKDF tests ++ ++# Test vectors taken from ++# https://csrc.nist.gov/CSRC/media/Projects/ ++# Cryptographic-Algorithm-Validation-Program/documents/KBKDF800-108/CounterMode.zip ++ ++ ++# [PRF=CMAC_AES128] ++# [CTRLOCATION=BEFORE_FIXED] ++# [RLEN=8_BITS] ++ ++# COUNT=0 ++# L = 128 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.cipher = cipher:AES128 ++Ctrl.mac = mac:CMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:8 ++Ctrl.hexkey = hexkey:dff1e50ac0b69dc40f1051d46c2b069c ++Ctrl.hexinfo = hexinfo:c16e6e02c5a3dcc8d78b9ac1306877761310455b4e41469951d9e6c2245a064b33fd8c3b01203a7824485bf0a64060c4648b707d2607935699316ea5 ++Output = 8be8f0869b3c0ba97b71863d1b9f7813 ++ ++# COUNT=10 ++# L = 256 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.cipher = cipher:AES128 ++Ctrl.mac = mac:CMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:8 ++Ctrl.hexkey = hexkey:682e814d872397eba71170a693514904 ++Ctrl.hexinfo = hexinfo:e323cdfa7873a0d72cd86ffb4468744f097db60498f7d0e3a43bafd2d1af675e4a88338723b1236199705357c47bf1d89b2f4617a340980e6331625c ++Output = 
dac9b6ca405749cfb065a0f1e42c7c4224d3d5db32fdafe9dee6ca193316f2c7 ++ ++# COUNT=20 ++# L = 160 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.cipher = cipher:AES128 ++Ctrl.mac = mac:CMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:8 ++Ctrl.hexkey = hexkey:7aa9973481d560f3be217ac3341144d8 ++Ctrl.hexinfo = hexinfo:46f88b5af7fb9e29262dd4e010143a0a9c465c627450ec74ab7251889529193e995c4b56ff55bc2fc8992a0df1ee8056f6816b7614fba4c12d3be1a5 ++Output = 1746ae4f09903f74bfbe1b8ae2b79d74576a3b09 ++ ++# COUNT=30 ++# L = 320 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.cipher = cipher:AES128 ++Ctrl.mac = mac:CMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:8 ++Ctrl.hexkey = hexkey:e91e0d06ab23a4e495bbcc430efddcaf ++Ctrl.hexinfo = hexinfo:24acb8e9227b180f2ccebea48051cbdbcd1be2bf94400d1e92945fe9b887585a295f46c469036107697813a3e12c45ae2ffde9a940f8f8c181018a93 ++Output = e81ef2483729d4165aaa4866c17f26496e6c6924e2fe34f608efef0c35835f86df29a1e19ce166a8 ++ ++ ++# [PRF=CMAC_AES128] ++# [CTRLOCATION=BEFORE_FIXED] ++# [RLEN=16_BITS] ++ ++# COUNT=0 ++# L = 128 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.cipher = cipher:AES128 ++Ctrl.mac = mac:CMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:16 ++Ctrl.hexkey = hexkey:30ec5f6fa1def33cff008178c4454211 ++Ctrl.hexinfo = hexinfo:c95e7b1d4f2570259abfc05bb00730f0284c3bb9a61d07259848a1cb57c81d8a6c3382c500bf801dfc8f70726b082cf4c3fa34386c1e7bf0e5471438 ++Output = 00018fff9574994f5c4457f461c7a67e ++ ++# COUNT=10 ++# L = 256 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.cipher = cipher:AES128 ++Ctrl.mac = mac:CMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:16 ++Ctrl.hexkey = hexkey:145c9e9365041f075ebde8ce26aa2149 ++Ctrl.hexinfo = hexinfo:0d39b1c9c34d95b5b521971828c81d9f2dbdbc4af2ddd14f628721117e5c39faa030522b93cc07beb8f142fe36f674942453ec5518ca46c3e6842a73 ++Output = 
8a204ce7eab882fae3e2b8317fe431dba16dabb8fe5235525e7b61135e1b3c16 ++ ++# COUNT=20 ++# L = 160 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.cipher = cipher:AES128 ++Ctrl.mac = mac:CMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:16 ++Ctrl.hexkey = hexkey:6f3f8cbf40d2a694274cfa2eb2f265a3 ++Ctrl.hexinfo = hexinfo:e7b88baa4a2c22b3d78f41d509996c95468c8cb834b035dd5e09e0a455da254b8b5687a1433861751d2dd603f69b2d4ba4ae47776335d37c98b44b4b ++Output = d147f1c78121c583cbcb9d4b0d3767a357bd7232 ++ ++# COUNT=30 ++# L = 320 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.cipher = cipher:AES128 ++Ctrl.mac = mac:CMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:16 ++Ctrl.hexkey = hexkey:5e534bea459e54c58a6942abfd4df8ab ++Ctrl.hexinfo = hexinfo:e9a5cc15d223aaa74abd122983b2a10512199b9cc87663fd8a62d417cef53770264fc51f683890fe42da2df7be0f60898c5b09d5c4932137b6b1e06e ++Output = 92480eb4860123ceda76f1e6bf2668520bea49ed72bb900ae50725bb8cfcdb733af1a9de71fe1af5 ++ ++ ++# [PRF=CMAC_AES128] ++# [CTRLOCATION=BEFORE_FIXED] ++# [RLEN=24_BITS] ++ ++# COUNT=0 ++# L = 128 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.cipher = cipher:AES128 ++Ctrl.mac = mac:CMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:24 ++Ctrl.hexkey = hexkey:ca1cf43e5ccd512cc719a2f9de41734c ++Ctrl.hexinfo = hexinfo:e3884ac963196f02ddd09fc04c20c88b60faa775b5ef6feb1faf8c5e098b5210e2b4e45d62cc0bf907fd68022ee7b15631b5c8daf903d99642c5b831 ++Output = 1cb2b12326cc5ec1eba248167f0efd58 ++ ++# COUNT=10 ++# L = 256 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.cipher = cipher:AES128 ++Ctrl.mac = mac:CMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:24 ++Ctrl.hexkey = hexkey:1bfaf4cd6efd25a132e2a1d41b124465 ++Ctrl.hexinfo = hexinfo:b933cfbb223ea65ed0e8db822f83be64ee21d3b9ca1eb0bc32f9d77f145a3e4ed4e2cc72cb3d93ea44824ab81eefdf71bbdb62067e0eb34a79914e4f ++Output = 
75f4d20c558d71646ec062d2ca75369a218cedb7104be3abf27026af003e98f3 ++ ++# COUNT=20 ++# L = 160 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.cipher = cipher:AES128 ++Ctrl.mac = mac:CMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:24 ++Ctrl.hexkey = hexkey:80168f187848a68b0b82a7ef43b4eedc ++Ctrl.hexinfo = hexinfo:9357281df7665ae5ae961fe5f93a3124416cab3deb11583429c5e529af3fc71094aad560cbc279168fe1c3327787f91a414acfff063832bcd78ed1b5 ++Output = be4517c9e6de96929e655a08f5b6d5bb77364f85 ++ ++# COUNT=30 ++# L = 320 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.cipher = cipher:AES128 ++Ctrl.mac = mac:CMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:24 ++Ctrl.hexkey = hexkey:26fa0e32e7e08f9b157ebae9f579710f ++Ctrl.hexinfo = hexinfo:ceab805efbe0c50a8aef62e59d95e7a54daa74ed86aa9b1ae8abf68b985b5af4b0ee150e83e6c063b59c7bf813ede9826af149237aed85b415898fa8 ++Output = f1d9138afcc3db6001eb54c4da567a5db3659fc0ed48e664a0408946bcee0742127c17cabf348c7a ++ ++ ++# [PRF=CMAC_AES128] ++# [CTRLOCATION=BEFORE_FIXED] ++# [RLEN=32_BITS] ++ ++# COUNT=0 ++# L = 128 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.cipher = cipher:AES128 ++Ctrl.mac = mac:CMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:32 ++Ctrl.hexkey = hexkey:c10b152e8c97b77e18704e0f0bd38305 ++Ctrl.hexinfo = hexinfo:98cd4cbbbebe15d17dc86e6dbad800a2dcbd64f7c7ad0e78e9cf94ffdba89d03e97eadf6c4f7b806caf52aa38f09d0eb71d71f497bcc6906b48d36c4 ++Output = 26faf61908ad9ee881b8305c221db53f ++ ++# COUNT=10 ++# L = 256 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.cipher = cipher:AES128 ++Ctrl.mac = mac:CMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:32 ++Ctrl.hexkey = hexkey:695f1b1a16c949cea51cdf2554ec9d42 ++Ctrl.hexinfo = hexinfo:4fce5942832a390aa1cbe8a0bf9d202cb799e986c9d6b51f45e4d597a6b57f06a4ebfec6467335d116b7f5f9c5b954062f661820f5db2a5bbb3e0625 ++Output = 
d34b601ec18c34dfa0f9e0b7523e218bdddb9befe8d08b6c0202d75ace0dba89 ++ ++# COUNT=20 ++# L = 160 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.cipher = cipher:AES128 ++Ctrl.mac = mac:CMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:32 ++Ctrl.hexkey = hexkey:b523ae21fc36bc58cc46e5a3cda97493 ++Ctrl.hexinfo = hexinfo:8dbe6d4d9b09b2eabd165b6e6e97e3bc782f8335cb1ea04ad0403affd88a5071db5f36ce2e84ab296261730b2226a9189d867991fbd4ff86f43a3cfb ++Output = 530211df01975dd6c08064c34105f88a6007f2b2 ++ ++# COUNT=30 ++# L = 320 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.cipher = cipher:AES128 ++Ctrl.mac = mac:CMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:32 ++Ctrl.hexkey = hexkey:b2fcf854b1029888aeb0274ca09bb21a ++Ctrl.hexinfo = hexinfo:a6b84baae7a6ceb1d63ed704757500c510c0a8bdc22d2f42af09f79c815f37f33b67dad0b30f428fc1e2d355f7f91f65acbedd2fdd5b8c38dd890407 ++Output = fe4c2c0242c5a295c008aeb87ae0815171de6173773292347f4f5ec07185c3f860b5667c199aad55 ++ ++ ++# [PRF=CMAC_AES192] ++# [CTRLOCATION=BEFORE_FIXED] ++# [RLEN=8_BITS] ++ ++# COUNT=0 ++# L = 128 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.cipher = cipher:AES192 ++Ctrl.mac = mac:CMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:8 ++Ctrl.hexkey = hexkey:53d1705caab7b06886e2dbb53eea349aa7419a034e2d92b9 ++Ctrl.hexinfo = hexinfo:b120f7ce30235784664deae3c40723ca0539b4521b9aece43501366cc5df1d9ea163c602702d0974665277c8a7f6a057733d66f928eb7548cf43e374 ++Output = eae32661a323f6d06d0116bb739bd76a ++ ++# COUNT=10 ++# L = 256 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.cipher = cipher:AES192 ++Ctrl.mac = mac:CMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:8 ++Ctrl.hexkey = hexkey:d10046bb18c3f363e87f4e57b961b294d4edf2ca91dc3e38 ++Ctrl.hexinfo = hexinfo:2d043069de979bffb1be38a3cef2869dc07d5d3e99bde2e2204f10138081743f423f0c0b1aec0735a25bc61a8e2936dec6a25bb0ae105ab46caf8a2a ++Output = 
8991a58882a0488bb5478996f2893989adb66d08d5030ad90f6ce5fdfca7754b ++ ++# COUNT=20 ++# L = 160 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.cipher = cipher:AES192 ++Ctrl.mac = mac:CMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:8 ++Ctrl.hexkey = hexkey:bf0abb70098d6c203074f1bce3d7468116cd1e5e8e618f20 ++Ctrl.hexinfo = hexinfo:d9ce030a48668ada6c67a2ac163515ec22383c4b5332e18d06901bacbb63dd649c683cfd4fee2f33346817b23cb4c734060a1c727b0c72c12448f4f9 ++Output = ecd1eef152b5835376f1a4324cd968bcb0cf850a ++ ++# COUNT=30 ++# L = 320 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.cipher = cipher:AES192 ++Ctrl.mac = mac:CMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:8 ++Ctrl.hexkey = hexkey:8725918ca07ad8e108473e5ffdf43eb1cf5c44baf0bd1cec ++Ctrl.hexinfo = hexinfo:f4a57b84a881cf282aac5402cfa8fc4ede0db6f8e902d5c0c41c4712077306484e626e3ffc4129d9b43b46cbb6c53d2838a811dc8aedad7253cf94d4 ++Output = 5a795fd0d7661968c478860b526cca40eb8702083fdbff3ff8adfa697e795398ca7106bc950fbb45 ++ ++ ++# [PRF=CMAC_AES192] ++# [CTRLOCATION=BEFORE_FIXED] ++# [RLEN=16_BITS] ++ ++# COUNT=0 ++# L = 128 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.cipher = cipher:AES192 ++Ctrl.mac = mac:CMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:16 ++Ctrl.hexkey = hexkey:d7e8eefc503a39e70d931f16645958ad06fb789f0cbc518b ++Ctrl.hexinfo = hexinfo:b10ea2d67904a8b3b7ce5eef7d9ee49768e8deb3506ee74a2ad8dd8661146fde74137a8f6dfc69a370945d15335e0d6403fa029da19d34140c7e3da0 ++Output = 95278b8883852f6676c587507b0aa162 ++ ++# COUNT=10 ++# L = 256 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.cipher = cipher:AES192 ++Ctrl.mac = mac:CMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:16 ++Ctrl.hexkey = hexkey:5e6695d7c3f5b156c7b457c8c2b801ba2ae30c9c8a36ee61 ++Ctrl.hexinfo = hexinfo:1406756f40efb8e29d5455d2da4bf1993b3c3901d67ec90934895f5de7845f573ae8a0dc8a6ad77d80da29e81329440d61d63dda8eaa7851bc7a172d 
++Output = 72046d5eed909f6ab25810ead446ace7422fd87e6bd496ff2e84b115b8e0d27e ++ ++# COUNT=20 ++# L = 160 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.cipher = cipher:AES192 ++Ctrl.mac = mac:CMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:16 ++Ctrl.hexkey = hexkey:e3b88f40c9974410955820a8f8392701e9c67cc6efd3b0ff ++Ctrl.hexinfo = hexinfo:a520f36b6b60dfce34dc1d1f6b16132efa82566efa49f3140113fbc59e309c40db42962c06123721f122f433fa417ce3319bca9c58b4184fd8c7be8f ++Output = 134b6236a80c257591cc1437ab007b3fa4bd7191 ++ ++# COUNT=30 ++# L = 320 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.cipher = cipher:AES192 ++Ctrl.mac = mac:CMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:16 ++Ctrl.hexkey = hexkey:51574d47f2f1d202a30252823b52ba7858b729d5ed4c92f7 ++Ctrl.hexinfo = hexinfo:0819c17dd3f9a68493a958c46152d04ba450043908a0016b99cc124d5e75b0d11e7c26f27365609c110eee7f8baa88a7d99fecc690e617150f93bd6c ++Output = c46db4cd822e9841408fba79932d6c748bc7ab17421ed1ad188aed327c2a0d694e380c0cade8b37f ++ ++ ++# [PRF=CMAC_AES192] ++# [CTRLOCATION=BEFORE_FIXED] ++# [RLEN=24_BITS] ++ ++# COUNT=0 ++# L = 128 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.cipher = cipher:AES192 ++Ctrl.mac = mac:CMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:24 ++Ctrl.hexkey = hexkey:f7c1e0682a12f1f17d23dc8af5c463b8aa28f87ed82fad22 ++Ctrl.hexinfo = hexinfo:890ec4966a8ac3fd635bd264a4c726c87341611c6e282766b7ffe621080d0c00ac9cf8e2784a80166303505f820b2a309e9c3a463d2e3fd4814e3af5 ++Output = a71b0cbe30331fdbb63f8d51249ae50b ++ ++# COUNT=10 ++# L = 256 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.cipher = cipher:AES192 ++Ctrl.mac = mac:CMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:24 ++Ctrl.hexkey = hexkey:3eeed1560e17aaffe9f6ca9d81815b89a6879a56ebe4182a ++Ctrl.hexinfo = 
hexinfo:a643378a557af69ce2c606bc623a04b568a848207534d25bfa22664f9148997a6b4c00f4624b5100b4eb01857240b119876c3a86c1e8b02335475939 ++Output = 8a1dc0f616353bf3ecf5553d7a7651e9ea6d884a32172d3391ad342bfaf60785 ++ ++# COUNT=20 ++# L = 160 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.cipher = cipher:AES192 ++Ctrl.mac = mac:CMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:24 ++Ctrl.hexkey = hexkey:c984c3f65cdc32e7503678764a9e84292a1f50e335167a36 ++Ctrl.hexinfo = hexinfo:0061cd40f9eef84d6c8b04e0142d70aa50d4690e0a1de8e3ff5f5cea10cd2d28281eb1df90c519b8b51f7aa0d63a313ebbf80538b54dd11a66115be6 ++Output = afe93ae91930261344e30ef9e1718e76f74225d9 ++ ++# COUNT=30 ++# L = 320 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.cipher = cipher:AES192 ++Ctrl.mac = mac:CMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:24 ++Ctrl.hexkey = hexkey:993305e59f34a94f62931fd7662bb5b73c77d8d4bc6a33ba ++Ctrl.hexinfo = hexinfo:fcceb2d7ac6a68717c2490ec95bebea484c4930d156683c43164dc53bff0bafcbfb31e920109927ef08e12f66f258b6f8ba284908faee7d3376e1bac ++Output = 40e358cfdeee0286d152fcb4626ff22e67eea3b65d8750a273001b67645804cbf613832201b0a9ba ++ ++ ++# [PRF=CMAC_AES192] ++# [CTRLOCATION=BEFORE_FIXED] ++# [RLEN=32_BITS] ++ ++# COUNT=0 ++# L = 128 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.cipher = cipher:AES192 ++Ctrl.mac = mac:CMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:32 ++Ctrl.hexkey = hexkey:f4267280cb8667c2cf82bb37f389da6391f58cc74deba0cc ++Ctrl.hexinfo = hexinfo:34abbc9f7b12622309a827de5abfdd51fb5bb824838fcde88ca7bc5f3953abdcb445147f13e809e294f75e6d4e3f13b66e47f2dfc881ed392e3a1bf6 ++Output = 2d1b4b5694b6741b2ed9c02c05474225 ++ ++# COUNT=10 ++# L = 256 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.cipher = cipher:AES192 ++Ctrl.mac = mac:CMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:32 ++Ctrl.hexkey = hexkey:dc866a038c4f78f22d46caca65892bcdb15c1eb49b275827 
++Ctrl.hexinfo = hexinfo:b4a123bad4890c7a791f5e192bd8b6e9c8c3620329f99249f11e1eb517a5b27b9e5b047a6591b45f6fff53e6d04b32d82e052af2eb8519bd21c10f93 ++Output = 731a2e23ab2e58551490254041ee8fabd9c5a1918d76307f1048535be0763b20 ++ ++# COUNT=20 ++# L = 160 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.cipher = cipher:AES192 ++Ctrl.mac = mac:CMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:32 ++Ctrl.hexkey = hexkey:dd5e0f1a30b0b722b00626ee663df29601af58082708e18c ++Ctrl.hexinfo = hexinfo:b7c6eb48c80b071080fd07a827d0bfdc781599862084f7ffd968a4cbff0be9a6adef5ea206aa8af4d8a85705953e33cd7c4cbb69969c73698f54c6b8 ++Output = 84e1ca286776cda0784c4fc48b054384ca565d17 ++ ++# COUNT=30 ++# L = 320 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.cipher = cipher:AES192 ++Ctrl.mac = mac:CMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:32 ++Ctrl.hexkey = hexkey:d64c598436507f4d05d7ebe780092996f281901dc9c8612f ++Ctrl.hexinfo = hexinfo:0ea737cfca2560856917f3a2ff5e2175930d0719bba85a9c8d8cb311a0a1b8caf8ffe03e9a86ab17046670011c9fec5c5cd697d9cd931f615cdfe649 ++Output = 3c26968bd3997c653f79bb725c36d784b590d18a64678cf312abe8a57b2891c27282e37b6a49cd73 ++ ++ ++# [PRF=CMAC_AES256] ++# [CTRLOCATION=BEFORE_FIXED] ++# [RLEN=8_BITS] ++ ++# COUNT=0 ++# L = 128 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.cipher = cipher:AES256 ++Ctrl.mac = mac:CMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:8 ++Ctrl.hexkey = hexkey:aeb7201d055f754212b3e497bd0b25789a49e51da9f363df414a0f80e6f4e42c ++Ctrl.hexinfo = hexinfo:11ec30761780d4c44acb1f26ca1eb770f87c0e74505e15b7e456b019ce0c38103c4d14afa1de71d340db51410596627512cf199fffa20ef8c5f4841e ++Output = 2a9e2fe078bd4f5d3076d14d46f39fb2 ++ ++# COUNT=10 ++# L = 256 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.cipher = cipher:AES256 ++Ctrl.mac = mac:CMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:8 ++Ctrl.hexkey = 
hexkey:5402c978955128558789bee7b571465174a60582a7640037387f99ac16683173 ++Ctrl.hexinfo = hexinfo:5c7eb447481c2884a5398449eaecbb8b55f1f1981ba0fd187818d8b3581b430c3da52ab83d444e003625ff36fcbd160c67b18d85b6c9d00da1a15d15 ++Output = f22a4686abe599c2194d21fc9071ffceb023dd9b24c13f05a3d44cfc77fec44a ++ ++# COUNT=20 ++# L = 160 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.cipher = cipher:AES256 ++Ctrl.mac = mac:CMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:8 ++Ctrl.hexkey = hexkey:cac968a8ffd81c73948bdfb48bf8a29c1378517d3be294df9a8a80724075bdbd ++Ctrl.hexinfo = hexinfo:08817bcd560edf810aa004194c817e455fb66bbc3b84fef1d66df2d1cebb3403c24231fa822f130c5d8fe886217122dcab15cb725197bbcbeb8010f5 ++Output = 651c43e113b32026b204119af394301f0cb9831c ++ ++# COUNT=30 ++# L = 320 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.cipher = cipher:AES256 ++Ctrl.mac = mac:CMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:8 ++Ctrl.hexkey = hexkey:9debd1762a9643e967dbc174f2040e177b8053afb0829189a81fed94f8c365ee ++Ctrl.hexinfo = hexinfo:6c4e1e3fdd7f5c97d58bcdda792642cbd271d6968f6a8e368013d88763d0b306c832b7ab46b84d099596972d12220a4e9c81f82d6f5003d18b93c595 ++Output = 2518a44ea347e924b03a7b4c966ec4e4bd76c1456d09096be9387638c2737faeebba4e2b921b19db ++ ++ ++# [PRF=CMAC_AES256] ++# [CTRLOCATION=BEFORE_FIXED] ++# [RLEN=16_BITS] ++ ++# COUNT=0 ++# L = 128 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.cipher = cipher:AES256 ++Ctrl.mac = mac:CMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:16 ++Ctrl.hexkey = hexkey:4df60800bf8e2f6055c5ad6be43ee3deb54e2a445bc88a576e111b9f7f66756f ++Ctrl.hexinfo = hexinfo:962adcaf12764c87dad298dbd9ae234b1ff37fed24baee0649562d466a80c0dcf0a65f04fe5b477fd00db6767199fa4d1b26c68158c8e656e740ab4d ++Output = eca99d4894cdda31fe355b82059a845c ++ ++# COUNT=10 ++# L = 256 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.cipher = cipher:AES256 ++Ctrl.mac = mac:CMAC ++Ctrl.use-l = use-l:0 
++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:16 ++Ctrl.hexkey = hexkey:4c30b96d9beff5cc3c37527694eeec8207fae2c13ef295556919a7a46e5b90c1 ++Ctrl.hexinfo = hexinfo:86e1ad34bd7a998281a822129a23102f799812864cf5349f3f21cec7729f83ad8c8aa6517fafcc9521cde887686629048159ed3f15c01408984f547e ++Output = 815fe232e0e89f7eeaa87c3ba5007694a43c1577657ccb3018076c5a5c035d95 ++ ++# COUNT=20 ++# L = 160 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.cipher = cipher:AES256 ++Ctrl.mac = mac:CMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:16 ++Ctrl.hexkey = hexkey:e508ce78aca2cc50c80a6cbdb2b178f8ee5e315dad71ddfa700eb6cf503239b3 ++Ctrl.hexinfo = hexinfo:28c47ddd23d349e3b30bf97975c5fa591f2158e001dae3faa154d93c615c89fc7449c901a2585e618f68a0b2cbd3f35f53424d5ea015cbf7e8e09f68 ++Output = 6bc69b4c11aa7c04ac3c03baa44daeac4a047992 ++ ++# COUNT=30 ++# L = 320 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.cipher = cipher:AES256 ++Ctrl.mac = mac:CMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:16 ++Ctrl.hexkey = hexkey:ee0a0f88b3b441826264de7a31b890a66edf7c2a28d0286eab285846b586fb8e ++Ctrl.hexinfo = hexinfo:1ea9771ab763056260d885073e80e835e20e5d7ca9659fdf5dd3b7f2ae6286608f8bc7a6728e41346c55544942b1bf06642fb6a6738fb5b7f0128f9c ++Output = 5484f170b6602b505e9e6ccffccf2262b55c3554728244bba94daff0adbc619400b33f38013a2293 ++ ++ ++# [PRF=CMAC_AES256] ++# [CTRLOCATION=BEFORE_FIXED] ++# [RLEN=24_BITS] ++ ++# COUNT=0 ++# L = 128 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.cipher = cipher:AES256 ++Ctrl.mac = mac:CMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:24 ++Ctrl.hexkey = hexkey:1612a40daa7fce6c6788b3b71311188ffb850613fd81d0e87a891831348e2f28 ++Ctrl.hexinfo = hexinfo:1696438fcdf9a85284759b2604b64d7ea76199514709e711ecde5a505b5f27ae38d154aba14322481ddc9fd9169364b991460a0c9a05c7fcb2d099c9 ++Output = d101f4f2b5e239bae881cb488995bd52 ++ ++# COUNT=10 ++# L = 256 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER 
++Ctrl.cipher = cipher:AES256 ++Ctrl.mac = mac:CMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:24 ++Ctrl.hexkey = hexkey:77b50e24b859725d1cab531c885a6e60e7d5b0432f37408185ae688dffa5f6a5 ++Ctrl.hexinfo = hexinfo:0b2c907499cddaa1fcfb02002ab8b9756c5f1f9fea482d79b8a6aa9fa2fb48e69df94dca4cb6f2e90a462678279ddaacc482fdd76581996b43974a22 ++Output = c2a02b3743d506cdc1a41d4c2ae4c67610c5d607df0c26cbf7f4fe2198cb35f1 ++ ++# COUNT=20 ++# L = 160 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.cipher = cipher:AES256 ++Ctrl.mac = mac:CMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:24 ++Ctrl.hexkey = hexkey:18a5c3e669967b42e9a29bad8fe86699f2b5d496ff767cd3171d1c7195ecef59 ++Ctrl.hexinfo = hexinfo:33231c50326592c25ec3eee2c61a3ad4c8a23c098dd83eafe5db411d0948eb122bb6eb7a1d04d2dbcd0b98d0b70b7ff305bb3ef6ac9d4e8e3f7ecd4f ++Output = e80afb5cd274cb5fa4952aa95177ae83337f4c8f ++ ++# COUNT=30 ++# L = 320 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.cipher = cipher:AES256 ++Ctrl.mac = mac:CMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:24 ++Ctrl.hexkey = hexkey:0b589e556b7583f0fa9144868603b59262f457dee1e887ffc0e39968218959b9 ++Ctrl.hexinfo = hexinfo:1b95b940e0b950a58f09ea09941b80852cb29838940bb146dc3db0ddcd87f72ee28813c09fcef773e95438c0ed3dbcf29e78de0c78377561c5869d5f ++Output = 260aef65eefd58816fe1a77120d047548b00c475c25178a2a33d4c801d49e8a0fb830513d0b3ff17 ++ ++ ++# [PRF=CMAC_AES256] ++# [CTRLOCATION=BEFORE_FIXED] ++# [RLEN=32_BITS] ++ ++# COUNT=0 ++# L = 128 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.cipher = cipher:AES256 ++Ctrl.mac = mac:CMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:32 ++Ctrl.hexkey = hexkey:d0b1b3b70b2393c48ca05159e7e28cbeadea93f28a7cdae964e5136070c45d5c ++Ctrl.hexinfo = hexinfo:dd2f151a3f173492a6fbbb602189d51ddf8ef79fc8e96b8fcbe6dabe73a35b48104f9dff2d63d48786d2b3af177091d646a9efae005bdfacb61a1214 ++Output = 
8c449fb474d1c1d4d2a33827103b656a ++ ++# COUNT=10 ++# L = 256 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.cipher = cipher:AES256 ++Ctrl.mac = mac:CMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:32 ++Ctrl.hexkey = hexkey:d54b6fd94f7cf98fd955517f937e9927f9536caebe148fba1818c1ba46bba3a4 ++Ctrl.hexinfo = hexinfo:94c4a0c69526196c1377cebf0a2ae0fb4b57797c61bea8eeb0518ca08652d14a5e1bd1b116b1794ac8a476acbdbbcd4f6142d7b8515bad09ec72f7af ++Output = 2e1efed4aef3fdd324e098c0a07c0d97f8fd2c748a996ce29861ca042474daea ++ ++# COUNT=20 ++# L = 160 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.cipher = cipher:AES256 ++Ctrl.mac = mac:CMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:32 ++Ctrl.hexkey = hexkey:99f212241a343c1c8c2104ca6d28062413d985c21e6bba27fde0c622e2e4e6b7 ++Ctrl.hexinfo = hexinfo:af8dc1cb7d1f82ca834628c20f0fc81920eb3ff3f75d3f4e3000593e9c15872479711d99d1b7be794f58d80a31bb112219dc16e6354111ab1161e21d ++Output = 7f778c625bf0d083169a51584f6683f24af7c35e ++ ++# COUNT=30 ++# L = 320 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.cipher = cipher:AES256 ++Ctrl.mac = mac:CMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:32 ++Ctrl.hexkey = hexkey:dabde95d751ff1c132bd49f80f4ee347bf39218cf8bfec61bc3ad865d9aa1182 ++Ctrl.hexinfo = hexinfo:55da554307ed756764d4e97febb77ce85391b53225ee09417ad57def48ead090e3d1e7c2ed04f02462a6324ea0163b18f86201c69db27fd50b4c42c5 ++Output = 5cc29221cfa6f3a4ded7afeef5a59c05bac787fc5e98a35ee0c96ba582b05c42f758966566084f69 ++ ++ ++# [PRF=HMAC_SHA1] ++# [CTRLOCATION=BEFORE_FIXED] ++# [RLEN=8_BITS] ++ ++# COUNT=0 ++# L = 128 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA1 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:8 ++Ctrl.hexkey = hexkey:00a39bd547fb88b2d98727cf64c195c61e1cad6c ++Ctrl.hexinfo = 
hexinfo:98132c1ffaf59ae5cbc0a3133d84c551bb97e0c75ecaddfc30056f6876f59803009bffc7d75c4ed46f40b8f80426750d15bc1ddb14ac5dcb69a68242 ++Output = 0611e1903609b47ad7a5fc2c82e47702 ++ ++# COUNT=10 ++# L = 256 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA1 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:8 ++Ctrl.hexkey = hexkey:1ee222f5cdd60b0ae956eeeaa838c51bd767672c ++Ctrl.hexinfo = hexinfo:4b10500ba5c9391da83d2ef78d01bcdccda32ff6f242960323324474b9d0685d99dc9143ac6d667a5b46dcc89784b3a4af7a7684b01efee41b144f48 ++Output = 806e342013853083a3f7294c63a9ec9a6dba75b256c62fac1e480ef26276cd4b ++ ++# COUNT=20 ++# L = 160 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA1 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:8 ++Ctrl.hexkey = hexkey:0e71d9e9c9e951978ada75c831d627dd5d3b4c59 ++Ctrl.hexinfo = hexinfo:08b6f69698e8eb6c8c63953abd3538531d722cc4e9ca7ffcb68abba4dd4b027b3787efa107902ace8abb54549bede4ffdadabec3f282865b2166d46e ++Output = 86137b96ec15b7954fdc5df8d371ee2d8016e97a ++ ++# COUNT=30 ++# L = 320 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA1 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:8 ++Ctrl.hexkey = hexkey:f0e5ad280b3465e719afdf86377bbcda59f5c59b ++Ctrl.hexinfo = hexinfo:231b6d83f0194499f27848108fd1fcdcf9520e67522cf54486fb919a839532d165019388242ce373a89ce644d7818e7415f5730a0b743595ab19add4 ++Output = 9a9ddd19818bb085d24e48ee99d6e628235a422fb2ae383282b7bbbf0e5f5edf42d7237b8ed6aa1d ++ ++ ++# [PRF=HMAC_SHA1] ++# [CTRLOCATION=BEFORE_FIXED] ++# [RLEN=16_BITS] ++ ++# COUNT=0 ++# L = 128 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA1 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:16 ++Ctrl.hexkey = hexkey:a510fe5ad1640d345a6dbba65d629c2a2fedd1ae ++Ctrl.hexinfo = 
hexinfo:9953de43418a85aa8db2278a1e380e83fb1e47744d902e8f0d1b3053f185bbcc734d12f219576e75477d7f7b799b7afed1a4847730be8fd2ef3f342e ++Output = c00707a18c57acdb84f17ef05a322da2 ++ ++# COUNT=10 ++# L = 256 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA1 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:16 ++Ctrl.hexkey = hexkey:abec6c894ae9df32e5afdf5d06a0434e8940ca71 ++Ctrl.hexinfo = hexinfo:9a6574a0ea1123ab9580906f8a2c4a0ecba9a8a84079c37a6e283ad4d4e957c3d16db66ae4be99e688b221c359a8dd2505868beb6a49fd7ce6c35df4 ++Output = 5b37675aec199c7d08435ef6321cf6235c12453a4530072d4a73ba0ad34634a5 ++ ++# COUNT=20 ++# L = 160 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA1 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:16 ++Ctrl.hexkey = hexkey:df4e835a2f201a3d0f840eab38a18adf72adf9eb ++Ctrl.hexinfo = hexinfo:84c6ca541d24a8b419037b9657ee4e0d5ef96d8b198355940a30b09bf8784e81d3b93558de21c46f04aec4afd610c3b230d17473c80b47b5004955e7 ++Output = 1202915544844b1f913caab512c582735bf76fed ++ ++# COUNT=30 ++# L = 320 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA1 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:16 ++Ctrl.hexkey = hexkey:cbe1d2895640dcd1545e60e04ce9d995707ec539 ++Ctrl.hexinfo = hexinfo:c80d735ec5fd0bf811a4a71c55e99373f83f4111194ec24a8e9fe24ef03f56ed15b4e135e02488d96dba8c0d60c26592df55a492691cf3b7eced40d1 ++Output = 1fd5a183be95c2d909deed31d686417d5c08bb88e6f75b150df330c8e7703bb8ccdffacb3e9ee3ff ++ ++ ++# [PRF=HMAC_SHA1] ++# [CTRLOCATION=BEFORE_FIXED] ++# [RLEN=24_BITS] ++ ++# COUNT=0 ++# L = 128 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA1 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:24 ++Ctrl.hexkey = hexkey:928c170199473291bf719a1985a13673afb8f298 ++Ctrl.hexinfo = 
hexinfo:f54388503cde2bf544db4c9510ff7a2759ba9b4e66da3baf41c90ce796d5ea7045bc27424afb03e137abfafe95158954c832090abdba02d86bab569d ++Output = 8c01160c72c925178d616a5c953df0a7 ++ ++# COUNT=10 ++# L = 256 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA1 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:24 ++Ctrl.hexkey = hexkey:df7ecebec20e14be6db5d46af2769fe4e4ed689c ++Ctrl.hexinfo = hexinfo:308ec6953d4945f075d37932d5dd335c7de0d2e7899a8321724a50b52240191fcdf991520c47a25b04ce6eecc835e4265b623c68d687afc615f74ae5 ++Output = c2129eeb33ee6783b6b187e5ae884f8f5bd78ca224e5e01c04a68ecef376ea38 ++ ++# COUNT=20 ++# L = 160 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA1 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:24 ++Ctrl.hexkey = hexkey:2539c58bba8ae61be8b867b767ad698eb1f52a0b ++Ctrl.hexinfo = hexinfo:9f6de21c93176f8814e9290a40149f749f946d376eb65f888eddcc4a24a58dbdbb3222fb53487e0abb08efff6d6a43511b18c40f489abe4013647273 ++Output = 20bc5ab8c27dd3f6f6fa5485f2eed8bd8b8b3d35 ++ ++# COUNT=30 ++# L = 320 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA1 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:24 ++Ctrl.hexkey = hexkey:66002f224106971edc62a7c6957931b2097aabc3 ++Ctrl.hexinfo = hexinfo:f5fe599fac3bac5b10a4296b0783e2fc78cb498347ff3f74e2d9d230dfb6653e1a274e7bc37f0319eac2b0b48533b7be9d3633eed32101837ee460ff ++Output = c195b9139fee020eda70b8a161aef28474977412c0612afafe23b16b1594871548b5889b38e0cf2a ++ ++ ++# [PRF=HMAC_SHA1] ++# [CTRLOCATION=BEFORE_FIXED] ++# [RLEN=32_BITS] ++ ++# COUNT=0 ++# L = 128 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA1 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:32 ++Ctrl.hexkey = hexkey:f7591733c856593565130975351954d0155abf3c ++Ctrl.hexinfo = 
hexinfo:8e347ef55d5f5e99eab6de706b51de7ce004f3882889e259ff4e5cff102167a5a4bd711578d4ce17dd9abe56e51c1f2df950e2fc812ec1b217ca08d6 ++Output = 34fe44b0d8c41b93f5fa64fb96f00e5b ++ ++# COUNT=10 ++# L = 256 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA1 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:32 ++Ctrl.hexkey = hexkey:c1efb8d25affc61ed060d994fcd5017c2adfc388 ++Ctrl.hexinfo = hexinfo:b92fc055057fec71b9c53e7c44872423a57ed186d6ba66d980fecd1253bf71479320b7bf38d505ef79ca4d62d78ca662642cdcedb99503ea04c1dbe8 ++Output = 8db784cf90b573b06f9b7c7dca63a1ea16d93ee7d70ff9d87fa2558e83dc4eaa ++ ++# COUNT=20 ++# L = 160 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA1 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:32 ++Ctrl.hexkey = hexkey:e02ba5d5c410e855bbd13f840124273e6b864237 ++Ctrl.hexinfo = hexinfo:b14e227b4438f973d671141c6246acdc794eee91bc7efd1d5ff02a7b8fb044009fb6f1f0f64f35365fb1098e1995a34f8b70a71ed0265ed17ae7ae40 ++Output = f077c2d5d36a658031c74ef5a66aa48b4456530a ++ ++# COUNT=30 ++# L = 320 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA1 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:32 ++Ctrl.hexkey = hexkey:693adb9037184627ad300f176985bd379f388a95 ++Ctrl.hexinfo = hexinfo:7f09570c2d9304ec743ab845a8761c126c18f5cf72358eada2b5d1deb43dc6a0f4ff8f933bef7af0bcfacb33fa07f8ca04a06afe231835d5075996be ++Output = 52f55f51010e9bd78e4f58cab274ecafa561bd4e0f20da84f0303a1e5ff9bebc514361ec6df5c77e ++ ++ ++# [PRF=HMAC_SHA224] ++# [CTRLOCATION=BEFORE_FIXED] ++# [RLEN=8_BITS] ++ ++# COUNT=0 ++# L = 128 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA224 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:8 ++Ctrl.hexkey = hexkey:7e2f7a5ab3e82ef927a005308456823da473787bf33d18a864aca63f ++Ctrl.hexinfo = 
hexinfo:b35695a6e23a765105b87756468d442a53a60cd4225186dc94221c06c5d6f1e98462135656ebca90468a939f29112b811413567d498df9867914d94c ++Output = 10ba5c6ea609da8fa8abe8be552c97a1 ++ ++# COUNT=10 ++# L = 256 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA224 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:8 ++Ctrl.hexkey = hexkey:667f72fc660e32943de386af9670c78e975c838cae91dca97f4f8508 ++Ctrl.hexinfo = hexinfo:e713e8c38e92c8ba0f0791cc4a0d00c98d8dda8f3137a775104e7aa65b5f04fed12ee78a88262b2931717b7ac5624162fd5f0307f4faef038dcc210c ++Output = 835b343242a489249eec3cd56384ea2a5b295e29a4430fec2aae0c8b9fa36d20 ++ ++# COUNT=20 ++# L = 160 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA224 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:8 ++Ctrl.hexkey = hexkey:3344fb80fd655b16f08c78150516cbbc009fbdf1b510905f9113d275 ++Ctrl.hexinfo = hexinfo:dc2aa42084d645baeb822c0c1d9b8e200737e9a2c7dcd922d8f056d6c02552295d95a488758919724207eebb4c21887f71b51a2a7ce98827cf7af4bb ++Output = e281d09a31c57d053f0c2f902792c8bbb9a0f443 ++ ++# COUNT=30 ++# L = 320 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA224 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:8 ++Ctrl.hexkey = hexkey:eb9386450d7b2da5492da5b139cf4b0b951a5b0c7d40c22ae2c20677 ++Ctrl.hexinfo = hexinfo:bd8b73969e3e2d7a943b937c3bffe3a9199d1cf27e289bb10c3b88696a5ae36b3b868b4fc6a20ca93dd0b328f3351f71ce656bb558fa33c74741398d ++Output = bc902dfba79fb4084339b6666c7f72b9f47675229dc24ec61068bb05082717eead35647ff147d7de ++ ++ ++# [PRF=HMAC_SHA224] ++# [CTRLOCATION=BEFORE_FIXED] ++# [RLEN=16_BITS] ++ ++# COUNT=0 ++# L = 128 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA224 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:16 ++Ctrl.hexkey = 
hexkey:093b2ce84c6175d1723fbe94b9ee963b6251d018fcf8c05c2e3e9b0b ++Ctrl.hexinfo = hexinfo:083e114aca1f97166551b03f27b135c0c802294aa4845a46170b26ec0549cb59c70a85557a3fc3a37d23eed6947d50f10c15baf5c52a7b918ca80bf5 ++Output = 94ced61c3665616d4a368f83a7283648 ++ ++# COUNT=10 ++# L = 256 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA224 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:16 ++Ctrl.hexkey = hexkey:ffb5c9d920522477cb2ecf16ae1e075587b7598348e019df85ca3d43 ++Ctrl.hexinfo = hexinfo:252743519ab4e03f8bb0ed137e2d315aac5010b951645c7626c6f5a77c4a6c4e0b0b4030abf937141f7142bcd702678b15d2d4e8850e0570ec782c79 ++Output = 3d1813da0322201ed45ac2aaf3542843913bb32fd832a33a5dc94bad964bfe56 ++ ++# COUNT=20 ++# L = 160 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA224 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:16 ++Ctrl.hexkey = hexkey:7f0ea811340cddbbf261d0260b0c98dec790133cffd2b04b8f8be2b1 ++Ctrl.hexinfo = hexinfo:0a744543acddf7d8c0a205372a0450e32631a33bb89ad2e3bb2d9766c248ab755fec152a6da866ef50baeab607d88e5177042056970013aa18f9fb1e ++Output = e55120e7848cf61254159e79c2ac47a9a906a73c ++ ++# COUNT=30 ++# L = 320 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA224 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:16 ++Ctrl.hexkey = hexkey:6e237178c4884e13470b6b4848b40389d9856311735da4eefa2f6f38 ++Ctrl.hexinfo = hexinfo:9cd9f9ad88471668f3b25515851fff63d3a886b8c6cf371eae159bab58f997b83eda5815567a142c4264978d8f24d24fe2d513c0eeaff983b86fdbd8 ++Output = 1e6638ea717338cfeb7dea373785c3c763bd5e509358e4940e9a4e4fd0a3e0347973858bc20243b8 ++ ++ ++# [PRF=HMAC_SHA224] ++# [CTRLOCATION=BEFORE_FIXED] ++# [RLEN=24_BITS] ++ ++# COUNT=0 ++# L = 128 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA224 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = 
use-separator:0 ++Ctrl.r = r:24 ++Ctrl.hexkey = hexkey:f09e65e8de7500847b43bd95e6c3506e01aadd484e9699b027897542 ++Ctrl.hexinfo = hexinfo:c20f6188517b2ca10086b9f7f8d6f2d38d66f24193c037008d035f361c6bd74db26aef588a87aa8a1c3cdad2ba0207f7e7b39def0df797c4cb3bf614 ++Output = 73d30c2af54744eb1efb70429f8e303a ++ ++# COUNT=10 ++# L = 256 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA224 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:24 ++Ctrl.hexkey = hexkey:6079eafeba179a915e194b14e12ffee1e2bad56a62077897a4654e4b ++Ctrl.hexinfo = hexinfo:87686603814d619107aabfab85b4c4fe38ae1a5c2a4d78df12119871b8a4f85d583e7d842ee15e7fe03f61dd02b10784838ed163dc67cca43586d628 ++Output = d888a21e1a698654fa46288509ae7a28dc7b05e6fc696a909451c2437097056b ++ ++# COUNT=20 ++# L = 160 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA224 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:24 ++Ctrl.hexkey = hexkey:2efe2905a1b7e1993da0316f2a747be1e91415ca1e6ad14d04341fee ++Ctrl.hexinfo = hexinfo:4d283c0f6d209379facd8a26aa889780863cf6a81893dc3bd2c928a7f8d922ced9c829bf627d2c556441d0d41a1eb00c0deea78349429de56a275f04 ++Output = ec162b6ff6413f5eae9336fd489fab538d042db8 ++ ++# COUNT=30 ++# L = 320 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA224 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:24 ++Ctrl.hexkey = hexkey:0b15638489d3ac7729a7db82797754e7a7c8d52da0cf3638a27a1a9c ++Ctrl.hexinfo = hexinfo:90988848764dacc6eeba817e0b74086b1233bca9d573717b8e3dd3bd23a532aac7db8b196e4c4702f54cc71bb8882dc776b0317457803a632b429776 ++Output = 481293e1e621ad8bab5c9f5090594bb2507a1456ee8ffc30db159cb5b02d69110c3e5270880bf4a7 ++ ++ ++# [PRF=HMAC_SHA224] ++# [CTRLOCATION=BEFORE_FIXED] ++# [RLEN=32_BITS] ++ ++# COUNT=0 ++# L = 128 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA224 ++Ctrl.mac = mac:HMAC 
++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:32 ++Ctrl.hexkey = hexkey:f5cb7cc6207f5920dd60155ddb68c3fbbdf5104365305d2c1abcd311 ++Ctrl.hexinfo = hexinfo:4e5ac7539803da89581ee088c7d10235a10536360054b72b8e9f18f77c25af01019b290656b60428024ce01fccf49022d831941407e6bd27ff9e2d28 ++Output = 0adbaab43edd532b560a322c84ac540e ++ ++# COUNT=10 ++# L = 256 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA224 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:32 ++Ctrl.hexkey = hexkey:992815121d88ffb26c337606723c02ef317713086e2cfbbd37e1a167 ++Ctrl.hexinfo = hexinfo:152d974eb2719b9027d32054a327312361125959df9d96a1832e2056c2571d4f1cf45f6e8f6544c87f15861cef627d2f16e9b0b4ab799bb3362f4aae ++Output = 475eda3a32d569932e043db64dbf0e9bb0945b54dcdfa203be1a28524c147075 ++ ++# COUNT=20 ++# L = 160 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA224 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:32 ++Ctrl.hexkey = hexkey:2eabb6b922c24326ef9ae3c192dfd341caf57efe15dd649772a2ac3b ++Ctrl.hexinfo = hexinfo:c75f6f5a1561aab39ea0e22702a6cf7dba3ca4dd9f046bb0abea2d3284168fd9fb39ff725523a660d21f8c2ade03d18d4273c52fb6f22c9e39d6bc2e ++Output = ae50acebe308a1cf1747b9b178a0720748fa5fe5 ++ ++# COUNT=30 ++# L = 320 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA224 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:32 ++Ctrl.hexkey = hexkey:9b75e7fa216c884037c7d6953092ed335c4efd88ca57a742d6ac3221 ++Ctrl.hexinfo = hexinfo:12bea97865df99315259ff620302432ecafc9dce2619e87dfb4979410456a524434315dd3920e2b1aa1c79d5e07132a758a7b7b71ef10bcf1bb877f3 ++Output = 60071bd0ceea0fe0f879223b940d3de7dde02ca6858f8450fb9c0032e49f968ef9cd9b5703163dbc ++ ++ ++# [PRF=HMAC_SHA256] ++# [CTRLOCATION=BEFORE_FIXED] ++# [RLEN=8_BITS] ++ ++# COUNT=0 ++# L = 128 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER 
++Ctrl.digest = digest:SHA256 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:8 ++Ctrl.hexkey = hexkey:3edc6b5b8f7aadbd713732b482b8f979286e1ea3b8f8f99c30c884cfe3349b83 ++Ctrl.hexinfo = hexinfo:98e9988bb4cc8b34d7922e1c68ad692ba2a1d9ae15149571675f17a77ad49e80c8d2a85e831a26445b1f0ff44d7084a17206b4896c8112daad18605a ++Output = 6c037652990674a07844732d0ad985f9 ++ ++# COUNT=10 ++# L = 256 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA256 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:8 ++Ctrl.hexkey = hexkey:f109513435d72f14863660dfc027118e47e13995ad44a02415c9c8f63d38675c ++Ctrl.hexinfo = hexinfo:53696208d6f42909136a575010e135e142e31f631d72386a631cc704e5ad4049a889422cd6da7f1805e59a273c6f4fa986bc3082952fca658979f1b0 ++Output = 1aaf080fd51b37585ea464a9c617bc3ab859cc78cbe1f2d5d557148ee36821a0 ++ ++# COUNT=20 ++# L = 160 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA256 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:8 ++Ctrl.hexkey = hexkey:6ed1b41a1fc2ca8c7e09d5bccc410661683ec29d41a0fd01dd820a2e824ff672 ++Ctrl.hexinfo = hexinfo:f6dc72adbd8ad4ea91259b61237a042a02546f37d58d933d3efadc54a5e1936a8faf70c33e707c473125bd5006b7dfa6883c04bf27cf53010e1d10bc ++Output = 4090ee711fa361f03267a6ff2a5ace977c8c1db5 ++ ++# COUNT=30 ++# L = 320 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA256 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:8 ++Ctrl.hexkey = hexkey:63a657fb6c5bacb9a124d3e7db8bbb7d42bfdfaf8f04cb6359cd888c70669652 ++Ctrl.hexinfo = hexinfo:2697b6ec112cab4d6f1714c991c17d44fb36a0b6ef0b0f5451619ab248950f56f403215c78711aa563683ced05be7246f32574fa294f162dbbeb3dee ++Output = 1992e75756fa64734d5caecc5f6420fcb28b8b90421eee97dc8b6140ce18518405688bea489d2aaa ++ ++ ++# [PRF=HMAC_SHA256] ++# [CTRLOCATION=BEFORE_FIXED] ++# 
[RLEN=16_BITS] ++ ++# COUNT=0 ++# L = 128 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA256 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:16 ++Ctrl.hexkey = hexkey:743434c930fe923c350ec202bef28b768cd6062cf233324e21a86c31f9406583 ++Ctrl.hexinfo = hexinfo:9bdb8a454bd55ab30ced3fd420fde6d946252c875bfe986ed34927c7f7f0b106dab9cc85b4c702804965eb24c37ad883a8f695587a7b6094d3335bbc ++Output = 19c8a56db1d2a9afb793dc96fbde4c31 ++ ++# COUNT=10 ++# L = 256 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA256 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:16 ++Ctrl.hexkey = hexkey:365592398d23d31f2cac8bf6211f1ad5f52608efcdc5997b144ea6ded3866cf6 ++Ctrl.hexinfo = hexinfo:07dce524556d3f68d2d91d4c15c9c6212635e0df1aef54938490db46f98737064d6a5624d7f938c263af01e632c45d9fe7a871b67f7d4bf110796eb4 ++Output = 5624c6911dc1b08e090c8c95347adf17895b696aae211932cde3ec8227fcbea8 ++ ++# COUNT=20 ++# L = 160 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA256 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:16 ++Ctrl.hexkey = hexkey:c104e187e344668997b7bd9c8cdf097320518dd7dbcb541c414418b55b58cbb2 ++Ctrl.hexinfo = hexinfo:32f6bd59840c61909f2f92f98f54bd238083577e33c3d071c1abe4c694bd87c1ad235eb9a2d272b3dc67c955574d5e6cad84615120476d6e7e04f51f ++Output = 1b5d9e60aa909aeb973e76d9bf6be208327bb096 ++ ++# COUNT=30 ++# L = 320 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA256 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:16 ++Ctrl.hexkey = hexkey:d4349c26108719debacc04e166a09063ffb5e17bcbaf8738dc2618aa7d1e97ae ++Ctrl.hexinfo = hexinfo:da1f5ed45ead428689b0ecca9dbc2569e76953cda0df085499cca6d5949d8995e1e42bbdc94b0dd78c164867c364a64c894de85294ad89d267ff443d ++Output = 
00550ae0f29a2373269af175e7f829ec32c3d05099a39f8c0e02caa00b68afb7457669334383ffb2 ++ ++ ++# [PRF=HMAC_SHA256] ++# [CTRLOCATION=BEFORE_FIXED] ++# [RLEN=24_BITS] ++ ++# COUNT=0 ++# L = 128 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA256 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:24 ++Ctrl.hexkey = hexkey:388e93e0273e62f086f52f6f5369d9e4626d143dce3b6afc7caf2c6e7344276b ++Ctrl.hexinfo = hexinfo:697bb34b3fbe6853864cac3e1bc6c8c44a4335565479403d949fcbb5e2c1795f9a3849df743389d1a99fe75ef566e6227c591104122a6477dd8e8c8e ++Output = d697442b3dd51f96cae949586357b9a6 ++ ++# COUNT=10 ++# L = 256 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA256 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:24 ++Ctrl.hexkey = hexkey:f5207566ad012002ae6f2b501f0c24180228345889c20616d043b868a76d015a ++Ctrl.hexinfo = hexinfo:f36dbc8d1dfda60d4ba05214f8773aaa9f01944150bca68812d0d8deb5492f3f68f09809ba5e8b89e9dca86c70f6f353b3d5f49ef27e2fd01cfa911d ++Output = 0faed440796a0685a24a1c5e1cacde566c7a1a4189885229251c6308a53c3f6e ++ ++# COUNT=20 ++# L = 160 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA256 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:24 ++Ctrl.hexkey = hexkey:e2758918edcf15d957a556055602d283dbdf9c95b6025a3cddf1eeac1e0ac889 ++Ctrl.hexinfo = hexinfo:eda2f792580d6129b43e7b89c661786a29ab502ec6198f4a2bec6d0ffca1a75b8807d4313e7bf769a94fbf4b41c4cc309358a211105312c05818d8f3 ++Output = 67e3273b2cfa4c663377f5841606679aee420dce ++ ++# COUNT=30 ++# L = 320 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA256 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:24 ++Ctrl.hexkey = hexkey:c9063598d6cf8660300073b5c25603baf3ade910c182deea15d8107d6f6be295 ++Ctrl.hexinfo = 
hexinfo:22d27eec90c2dd4ae5cf4a705abecfd781b9051ba512b048ea9499364b791e9cdf63215db43680dacffe6f19d77fc93f8a46d84dd52146389d9ec308 ++Output = f3a5b521b435a8c83eaf2d264b5b1a6dcc32c21b4897511203f97f01f2a691eef080b4cd7ca4fc38 ++ ++ ++# [PRF=HMAC_SHA256] ++# [CTRLOCATION=BEFORE_FIXED] ++# [RLEN=32_BITS] ++ ++# COUNT=0 ++# L = 128 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA256 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:32 ++Ctrl.hexkey = hexkey:dd1d91b7d90b2bd3138533ce92b272fbf8a369316aefe242e659cc0ae238afe0 ++Ctrl.hexinfo = hexinfo:01322b96b30acd197979444e468e1c5c6859bf1b1cf951b7e725303e237e46b864a145fab25e517b08f8683d0315bb2911d80a0e8aba17f3b413faac ++Output = 10621342bfb0fd40046c0e29f2cfdbf0 ++ ++# COUNT=10 ++# L = 256 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA256 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:32 ++Ctrl.hexkey = hexkey:e204d6d466aad507ffaf6d6dab0a5b26152c9e21e764370464e360c8fbc765c6 ++Ctrl.hexinfo = hexinfo:7b03b98d9f94b899e591f3ef264b71b193fba7043c7e953cde23bc5384bc1a6293580115fae3495fd845dadbd02bd6455cf48d0f62b33e62364a3a80 ++Output = 770dfab6a6a4a4bee0257ff335213f78d8287b4fd537d5c1fffa956910e7c779 ++ ++# COUNT=20 ++# L = 160 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA256 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:32 ++Ctrl.hexkey = hexkey:dc60338d884eecb72975c603c27b360605011756c697c4fc388f5176ef81efb1 ++Ctrl.hexinfo = hexinfo:44d7aa08feba26093c14979c122c2437c3117b63b78841cd10a4bc5ed55c56586ad8986d55307dca1d198edcffbc516a8fbe6152aa428cdd800c062d ++Output = 29ac07dccf1f28d506cd623e6e3fc2fa255bd60b ++ ++# COUNT=30 ++# L = 320 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA256 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:32 ++Ctrl.hexkey = 
hexkey:c4bedbddb66493e7c7259a3bbbc25f8c7e0ca7fe284d92d431d9cd99a0d214ac ++Ctrl.hexinfo = hexinfo:1c69c54766791e315c2cc5c47ecd3ffab87d0d273dd920e70955814c220eacace6a5946542da3dfe24ff626b4897898cafb7db83bdff3c14fa46fd4b ++Output = 1da47638d6c9c4d04d74d4640bbd42ab814d9e8cc22f4326695239f96b0693f12d0dd1152cf44430 ++ ++ ++# [PRF=HMAC_SHA384] ++# [CTRLOCATION=BEFORE_FIXED] ++# [RLEN=8_BITS] ++ ++# COUNT=0 ++# L = 128 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA384 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:8 ++Ctrl.hexkey = hexkey:0be1999848a7a14a555649048fcadf2f644304d163190dc9b23a21b80e3c8c373515d6267d9c5cfd31b560ffd6a2cd5c ++Ctrl.hexinfo = hexinfo:11340cfbdb40f20f84cac4b8455bdd76c730adcecd0484af9011bacd46e22ff2d87755dfb4d5ba7217c37cb83259bdbe0983cc716adc2e6c826ed53c ++Output = c2ea7454de25afb27065f4676a392385 ++ ++# COUNT=10 ++# L = 256 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA384 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:8 ++Ctrl.hexkey = hexkey:218f47301a3adf39a4e1ddc25a1df2b7db53d7780c207f47ab4cefcaa960ed82cb6cbc34b97b4c332d52ca81cc40cb9a ++Ctrl.hexinfo = hexinfo:60dcb116d7cfd3cca7315c9dc7e9650f886b67d9fbcd98c226239a0f66eff075da23c6cb750a2129ae71b9582934f57423a815249cac2c61f958b35d ++Output = 26b01d94c4dd51a9c8b54f78647257f9e937a8d67dffa78f85749cdfb22db620 ++ ++# COUNT=20 ++# L = 160 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA384 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:8 ++Ctrl.hexkey = hexkey:426c4facbacecb654555bc9843f9864a53e14c9a5e19600abf57b03cf8b6f825f71191eaaf3cfd70961314acbf1e6e29 ++Ctrl.hexinfo = hexinfo:d224dc52dd16bde3391fab24fa875b695d63215e182efa970537904f4cd1d7f929f87c17fa97bd490f10cfc3bb80353ea4a4bb403f79e18677c39d29 ++Output = 431c73810e9fe4f4982202f55eb5f0212f302142 ++ ++# COUNT=30 ++# L = 320 ++KDF = KBKDF 
++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA384 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:8 ++Ctrl.hexkey = hexkey:522a72c006a6b77911915c78952dd61848725a4b0789b2cfce3b29d947d9faa145417740c0365bd81a860a600012543b ++Ctrl.hexinfo = hexinfo:4a3cd102c4b95fe193660c4c174f02c725207449b785edb8fa8c4404f01a25bef3238637d3bae370758332c678deb578322e031ec3970876600196d2 ++Output = 2f5d52226949aecfe6359561a5fdd87a843457019e24faacacedd34177cda6cba18cc78cc8c78cef ++ ++ ++# [PRF=HMAC_SHA384] ++# [CTRLOCATION=BEFORE_FIXED] ++# [RLEN=16_BITS] ++ ++# COUNT=0 ++# L = 128 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA384 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:16 ++Ctrl.hexkey = hexkey:26ef897e4b617b597f766ec8d8ccf44c543e790a7d218f029dcb4a3695ae2caccce9d3e935f6741581f2f53e49cd46f8 ++Ctrl.hexinfo = hexinfo:bc2c728f9dc6db426dd4e85fdb493826a31fec0607644209f9bf2264b6401b5db3004c1a76aa08d93f08d3d9e2ba434b682e480004fb0d9271a8e8cd ++Output = a43d31f07f0ee484455ae11805803f60 ++ ++# COUNT=10 ++# L = 256 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA384 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:16 ++Ctrl.hexkey = hexkey:269cce234dd4783067ceaa04a70deb1c9700acf705548495767c22f78493851ca9c699077a002874caacb760106016c6 ++Ctrl.hexinfo = hexinfo:f64bfb4bdaac81b5801d2f9f08bc2e4d009990b67290fd49b3730c3a145696447aceae6a82f7508a19c396a548c9c33d943dab82b2538c18b8eee871 ++Output = ab4182261c5d9c0d23a26477f14a507dd7f5e9550d04f48de29e644ed55f3406 ++ ++# COUNT=20 ++# L = 160 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA384 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:16 ++Ctrl.hexkey = hexkey:ec71de96c9520386f9d11bebe474bae0c0549e2b2e8fda6b2336050ee3acbec38bc57d56e6422d3cd493ead69772a059 ++Ctrl.hexinfo = 
hexinfo:4313d1efba21dded84ce12bf80b1be54400619d3bb1987f18bf85400e335103969e77c819a5360cf1dd3f4addb6b8eec0199508c75adfe2cfc067dc8 ++Output = 8e37ecc86dcb5ee7cf48d8a07f06c47cdce624cc ++ ++# COUNT=30 ++# L = 320 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA384 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:16 ++Ctrl.hexkey = hexkey:afe2d3a4746792908aca8ece67ba8562382000b4e26122414b3ef2e120511bae68448955cf186be87caf69eaced47e87 ++Ctrl.hexinfo = hexinfo:1f6dd0b17fed7f479c4f62927291a95292a4e232441c30ffcaa1d347543e50db939360bb37976eacb911f76c38ad8cce12a0c263875bbcd7f6011ffd ++Output = 17b671ca433cea81384b03b69c26a55257085cdfa48e6d8529431464bd439a881de560294afb0073 ++ ++ ++# [PRF=HMAC_SHA384] ++# [CTRLOCATION=BEFORE_FIXED] ++# [RLEN=24_BITS] ++ ++# COUNT=0 ++# L = 128 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA384 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:24 ++Ctrl.hexkey = hexkey:4fab4f1e3512b5f443ec31d2f6425d5f0fc13a5f82c83f72788a48a1bd499495ff18fb7acc0d4c1666c99db12e28f725 ++Ctrl.hexinfo = hexinfo:f0f010f99fbd8ec1bd0f23cd12bb41b2b8acb8713bb031f927e439f616e6ae27aed3f5582f8206893deea1204df125cedce35ce2b01b32bcefb388fd ++Output = c3c263b5aa6d0cfe5304a7c9d21a44ba ++ ++# COUNT=10 ++# L = 256 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA384 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:24 ++Ctrl.hexkey = hexkey:af3cd100d14dcb5e63f8915eced4b59477936c48e0e2b9232449a97d53d3eddf9e00bf44a8f2370c38a13434c13e0977 ++Ctrl.hexinfo = hexinfo:81f178f11615309844af84e163ff694f1936f7528aba6f0e60d41b4afac87e9dd48fbb5aebe534733f576950484aab15b386b468a055a1e0be8982c0 ++Output = 0b52be4ebd8b2116df895a42317ac78808993673c99da6391f0eee13cc8470fa ++ ++# COUNT=20 ++# L = 160 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA384 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l 
= use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:24 ++Ctrl.hexkey = hexkey:fc3ba84439d8b7ead37ac6c825e088fc80152788bbc9c68569213dd6189d5fd552c37ab73b3d53ee9809a485194fb3cd ++Ctrl.hexinfo = hexinfo:df5728d5d146898b68d8713aa8053d03db52b7227d502d3effcd51a22d52ecd9175a4b01d2f27ecfc8abf02c1dd80f5c90a5e01396c1107dddb02226 ++Output = 87ff36ca26778fcaf4f9209d38095c55c40f5e22 ++ ++# COUNT=30 ++# L = 320 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA384 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:24 ++Ctrl.hexkey = hexkey:08d867a61b13cd8c79d3a1cbec3493925ece900e06993063bc0dfe0247cd059ba50a5fb6afc65ac469793817a1f2dfee ++Ctrl.hexinfo = hexinfo:af0c83a659267869bd7cde387bf1c29c9c0ff3c6cabf512c73fd671748e4e9e49218de9350fc0dde27839eb1e2878f900689abeb7b540c70203e5a95 ++Output = 3fef69d875b9b6047c33f295619f6e7c7125c875d55409500100f71bee6551d511327fbde607ac41 ++ ++ ++# [PRF=HMAC_SHA384] ++# [CTRLOCATION=BEFORE_FIXED] ++# [RLEN=32_BITS] ++ ++# COUNT=0 ++# L = 128 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA384 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:32 ++Ctrl.hexkey = hexkey:216ed044769c4c3908188ece61601af8819c30f501d12995df608e06f5e0e607ab54f542ee2da41906dfdb4971f20f9d ++Ctrl.hexinfo = hexinfo:638e9506a2c7be69ea346b84629a010c0e225b7548f508162c89f29c1ddbfd70472c2b58e7dc8aa6a5b06602f1c8ed4948cda79c62708218e26ac0e2 ++Output = d4b144bb40c7cabed13963d7d4318e72 ++ ++# COUNT=10 ++# L = 256 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA384 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:32 ++Ctrl.hexkey = hexkey:8fca201473433f2dc8f6ae51e48de1a5654ce687e711d2d65f0dc5da6fee9a6a3db9d8535d3e4455ab53d35850c88272 ++Ctrl.hexinfo = hexinfo:195bd88aa2d4211912334fe2fd9bd24522f7d9fb08e04747609bc34f2538089a9d28bbc70b2e1336c3643753cec6e5cd3f246caa915e3c3a6b94d3b6 ++Output 
= f51ac86b0f462388d189ed0197ef99c2ff3a65816d8442e5ea304397b98dd11f ++ ++# COUNT=20 ++# L = 160 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA384 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:32 ++Ctrl.hexkey = hexkey:bc3157b8932e88d1b1cf8e4622137010a242d3527b1d23d6d9c0db9cc9edfc20e5135de823977bf4defafae44d6cdab6 ++Ctrl.hexinfo = hexinfo:b42a8e43cc2d4e5c69ee5e4f6b19ff6b8071d26bab4dfe45650b92b1f47652d25162d4b61441d8448c54918ae568ae2fb53091c624dbfffacee51d88 ++Output = 91314bdf542162031643247d6507838eaba50f1a ++ ++# COUNT=30 ++# L = 320 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA384 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:32 ++Ctrl.hexkey = hexkey:582f968a54b8797b9ea8c655b42e397adb73d773b1984b1e1c429cd597b8015d2f91d59e4136a9d523bf6491a4733c7a ++Ctrl.hexinfo = hexinfo:e6d3c193eff34e34f8b7b00e66565aeb01f63206bb27e27aa281592afc06ae1ec5b7eb97a39684ce773d7c3528f2667c1f5d428406e78ce4cf39f652 ++Output = 691726c111e5030b5f9657069107861ecc18bc5835a814c3d2e5092c901cb1fb6c1a7cd3eb0be2a7 ++ ++ ++# [PRF=HMAC_SHA512] ++# [CTRLOCATION=BEFORE_FIXED] ++# [RLEN=8_BITS] ++ ++# COUNT=0 ++# L = 128 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA512 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:8 ++Ctrl.hexkey = hexkey:6ea2c385bb3e7bbafc2225cee1d3ee103ce300c1fdf033d0c1e99c57e6a596e037020838e857c0434040b58a5ca5410be672b888ef9955bdd54eb6a67416ff6a ++Ctrl.hexinfo = hexinfo:be119901ed8679b243508b97663f35da322774d7d2012d6557da6657c1176a115ebc73b0f1bfa1dba6b8c3b124f0a47cff2998b230c955b0ea809784 ++Output = e0755fa6f116ef7a8e8361f47fd57511 ++ ++# COUNT=10 ++# L = 256 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA512 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:8 ++Ctrl.hexkey = 
hexkey:0ef984d7b4ee76f5c9e080b27f45ccab4ac2362c4cafa68198786b18e239d0f69ee62148373643ad9aa42474700348ef651fee9973130a42e76b7e7633eba1e9 ++Ctrl.hexinfo = hexinfo:56ece7c14c1fc5467f8316f3a931a7ddfa490969f442d7a132f3755809f6ca11dbc9c6493a541c244c32be6656e13ef2868cb79415b807b3882f00d2 ++Output = 19aa765affdd3cc7294b2c97e1bd5adc368523a3283c387d0719761e938f83db ++ ++# COUNT=20 ++# L = 160 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA512 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:8 ++Ctrl.hexkey = hexkey:a35728d4ec0d7e94019a45d52264e5cd63c7540c21e30a9882d8d531cbb510edaa78e42c03994c18d8efcf7f826a1a9fdbbbacc55c640e7b532cc08e0615a093 ++Ctrl.hexinfo = hexinfo:f501cc527bad6fe5d8e4f1f0f53d416ab17235f380f7e0d1c90dca18206af1fb1d977551e2e0e25c1fe41a8f825fbae2c07c94b768e98ad5ab8ddb2e ++Output = 54cf238101418ce050eee03aae0c39c4602ab838 ++ ++# COUNT=30 ++# L = 320 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA512 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:8 ++Ctrl.hexkey = hexkey:baed493b0294c9a5dbbe4547a30f0602c6124cedb549b45cff0ee4f3689a7ae5b695e5ecdfebf611bba1174e5e3a8824383e555daef396dc58c2842f77d5a674 ++Ctrl.hexinfo = hexinfo:1371182cb0725416b1eccf4ac9fb20cf4e0f77e7d006a531e0ab2b2b46e0859473dad9dcae65ba5eb902228787dae19e735d002c919a4b74012f8904 ++Output = 09bb55c9f3cee604f4bc5544a802be8b02b34b99f7928ceee696221975f947905f1b5979d9d4c2a1 ++ ++ ++# [PRF=HMAC_SHA512] ++# [CTRLOCATION=BEFORE_FIXED] ++# [RLEN=16_BITS] ++ ++# COUNT=0 ++# L = 128 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA512 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:16 ++Ctrl.hexkey = hexkey:bb0c55c7201ceb2e1369a6c49e2cdc1ae5e4cd1d64638105072c3a9172b2fa6a127c4d6d55132585fb2644b5ae3cf9d347875e0d0bf80945eaabef3b4319605e ++Ctrl.hexinfo = 
hexinfo:89bf925033f00635c100e2c88a98ad9f08cd6a002b934617d4ebfffc0fe9bca1d19bd942da3704da127c7493cc62c67f507c415e4cb67d7d0be70005 ++Output = 05efd62522beb9bfff6492ecd24501a7 ++ ++# COUNT=10 ++# L = 256 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA512 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:16 ++Ctrl.hexkey = hexkey:393eb889e9c2f251b95aa147d53e4cd029fd0391110be9c6b2f8ba32857864847c448a9a591686de88da7486d0a0f0f8c927560fa8f79c30e66a7efaacaa638f ++Ctrl.hexinfo = hexinfo:116bf7f9e5eb884c86cd0d3a2b33d41de7735677e6bd727e83fbde5c8113de56bf84c9f80610db760ae2df73f4f0db9df0cc1655ea9bc98bb06beeda ++Output = 212e4e4057a6871e166e7563205833bc7f01e86c724b6a61166d9311c55b5044 ++ ++# COUNT=20 ++# L = 160 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA512 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:16 ++Ctrl.hexkey = hexkey:eeec4383a808fae57f24a7a5eb6157cca66483a613590c89ed39f59617ea97fcfa7cdfc83ba8140fa0d8542263d6423a9bcca70e11addb7a646f194ff0878cac ++Ctrl.hexinfo = hexinfo:b2565a20171eef1eaa04728e6c369405b251062bbd0a2b9171c8c6fedf0ff783691db787f153bbf5167301808f768a03df0deec99f2b9efb90cab571 ++Output = 4f31b7bcd54c74d8a7d31aca187b8736f0a59db7 ++ ++# COUNT=30 ++# L = 320 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA512 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:16 ++Ctrl.hexkey = hexkey:62690d8ef259d175911d8eb52a331af29a8e3b797c4b315a67fa5cd1b00e585b2f7d97341284d0fcaa15a080732f7958e3b33e938e730623d1e651dbea9b2233 ++Ctrl.hexinfo = hexinfo:266535b58de26ed62f936bc7147c8c3b31ee0c1bb92c5ef63699ac7225e01cec5afd2e6e39cf095882324c7dc94b0daa2befc50f790da0547d7c6184 ++Output = 9336a88737d9ae01b5c43be5789c8545689557aad295ea3c03d2a2e0143603365fea1656175c20bf ++ ++ ++# [PRF=HMAC_SHA512] ++# [CTRLOCATION=BEFORE_FIXED] ++# [RLEN=24_BITS] ++ ++# COUNT=0 ++# L = 128 ++KDF = 
KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA512 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:24 ++Ctrl.hexkey = hexkey:d10933b0683f6787c33eccea1c311b8444270504fb3980bfd56443ba4068722184c31541d9174f71068b7789440bc34cec456e115067f9c65a5f2883c6868204 ++Ctrl.hexinfo = hexinfo:dcb2ea8d715821d6393bd49a3e35f69a6c2519edb614f80fbc3f7ae1d65ff4a04c499e75d08819a09092ddaadba510e03cb2ac898804590dbd61fb7e ++Output = 876d73040d03d569e2fcae33b241d98e ++ ++# COUNT=10 ++# L = 256 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA512 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:24 ++Ctrl.hexkey = hexkey:44e6e9abd8572a19ba127dfa2ca6a1b53beaef8c19a1ec5b67f1f6f7919671cd80ade7ded7c0f096525936ef427b152339de915f024964ca9ea908a120e2553a ++Ctrl.hexinfo = hexinfo:c2884a0c3ea2ff5b0bc848698f49f2c59eff511d77caddba897dec7714a0984e54f330dd9e9fdca9c033dfbc36d3293eca0ce7601e316463966ad4fd ++Output = b294537440bec490953bf6e9a77c4510536916b84a5a2f45b5bf9f76666d8f12 ++ ++# COUNT=20 ++# L = 160 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA512 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:24 ++Ctrl.hexkey = hexkey:a39131ca2f8df817ea2f155aac72d58a696d915b66b7cbe172a0f48a407aa8af0edbaea051eb027fe8fcc435cc7f160feeb57bd39a39d94104fe35167dac1aae ++Ctrl.hexinfo = hexinfo:52b6d1f6381fc3dd44baf1c9d36f0c313e58bf4fdb936b78103afdb90373079de90e4bb7d7089e65e0aef23f2a34df5198b8392aac705eb998c1f8cd ++Output = e707c910b4db3a648815fcad5ca7af18e5354c2e ++ ++# COUNT=30 ++# L = 320 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA512 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:24 ++Ctrl.hexkey = hexkey:af5a39f0303b11bca55584ce24162dabd1625aed14ce54f9e407866e03efb24b12a36e164f96faf36bc92a08acd194285107173fb84caef787672d6471028459 ++Ctrl.hexinfo = 
hexinfo:1cd84829b89d3149948967494aece985f1df3d7ec7735e8cc468bb3e6fdb50964d32dcde5521a82402577371047bf77e34714437e9d213561055b9db ++Output = a0e81b336a6f4ab395aada28314d8ba96b9216ae389b01aaec158e166239e554a217e69f603988fb ++ ++ ++# [PRF=HMAC_SHA512] ++# [CTRLOCATION=BEFORE_FIXED] ++# [RLEN=32_BITS] ++ ++# COUNT=0 ++# L = 128 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA512 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:32 ++Ctrl.hexkey = hexkey:dd5dbd45593ee2ac139748e7645b450f223d2ff297b73fd71cbcebe71d41653c950b88500de5322d99ef18dfdd30428294c4b3094f4c954334e593bd982ec614 ++Ctrl.hexinfo = hexinfo:b50b0c963c6b3034b8cf19cd3f5c4ebe4f4985af0c03e575db62e6fdf1ecfe4f28b95d7ce16df85843246e1557ce95bb26cc9a21974bbd2eb69e8355 ++Output = e5993bf9bd2aa1c45746042e12598155 ++ ++# COUNT=10 ++# L = 256 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA512 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:32 ++Ctrl.hexkey = hexkey:5be2bf7f5e2527e15fe65cde4507d98ba55457006867de9e4f36645bcff4ca38754f92898b1c5544718102593b8c26d45d1fceaea27d97ede9de8b9ebfe88093 ++Ctrl.hexinfo = hexinfo:004b13c1f628cb7a00d9498937bf437b71fe196cc916c47d298fa296c6b86188073543bbc66b7535eb17b5cf43c37944b6ca1225298a9e563413e5bb ++Output = cee0c11be2d8110b808f738523e718447d785878bbb783fb081a055160590072 ++ ++# COUNT=20 ++# L = 160 ++KDF = KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA512 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:32 ++Ctrl.hexkey = hexkey:9dd03864a31aa4156ca7a12000f541680ce0a5f4775eef1088ac13368200b447a78d0bf14416a1d583c54b0f11200ff4a8983dd775ce9c0302d262483e300ae6 ++Ctrl.hexinfo = hexinfo:037369f142d669fca9e87e9f37ae8f2c8d506b753fdfe8a3b72f75cac1c50fa1f8620883b8dcb8dcc67adcc95e70aa624adb9fe1b2cb396692b0d2e8 ++Output = 96e8d1bc01dc95c0bf42c3c38fc54c090373ced4 ++ ++# COUNT=30 ++# L = 320 ++KDF = 
KBKDF ++Ctrl.mode = mode:COUNTER ++Ctrl.digest = digest:SHA512 ++Ctrl.mac = mac:HMAC ++Ctrl.use-l = use-l:0 ++Ctrl.use-separator = use-separator:0 ++Ctrl.r = r:32 ++Ctrl.hexkey = hexkey:a9f4a2c5af839867f5db5a1e520ab3cca72a166ca60de512fd7fe7e64cf94f92cf1d8b636175f293e003275e021018c3f0ede495997a505ec9a2afeb0495be57 ++Ctrl.hexinfo = hexinfo:8e9db3335779db688bcfe096668d9c3bc64e193e3529c430e68d09d56c837dd6c0f94678f121a68ee1feea4735da85a49d34a5290aa39f7b40de435f ++Output = 6db880daac98b078ee389a2164252ded61322d661e2b49247ea921e544675d8f17af2bf66dd40d81 ++ diff --git a/SOURCES/0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch b/SOURCES/0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch new file mode 100644 index 0000000..5208f40 --- /dev/null +++ b/SOURCES/0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch 
@@ -0,0 +1,206 @@
+From c63599ee9708d543205a9173207ee7167315c624 Mon Sep 17 00:00:00 2001
+From: Clemens Lang
+Date: Tue, 1 Mar 2022 15:44:18 +0100
+Subject: [PATCH] Allow SHA1 in seclevel 2 if rh-allow-sha1-signatures = yes
+
+References: rhbz#2055796
+---
+ crypto/x509/x509_vfy.c | 19 ++++++++++-
+ doc/man5/config.pod | 7 +++-
+ ssl/t1_lib.c | 64 ++++++++++++++++++++++++++++-------
+ test/recipes/25-test_verify.t | 7 ++--
+ 4 files changed, 79 insertions(+), 18 deletions(-)
+
+diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
+index ff3ca83de6..a549c1c111 100644
+--- a/crypto/x509/x509_vfy.c
++++ b/crypto/x509/x509_vfy.c
+@@ -25,6 +25,7 @@
+ #include
+ #include
+ #include "internal/dane.h"
++#include "internal/sslconf.h"
+ #include "crypto/x509.h"
+ #include "x509_local.h"
+
+@@ -3440,14 +3441,30 @@ static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert)
+ {
+ int secbits = -1;
+ int level = ctx->param->auth_level;
++ int nid;
++ OSSL_LIB_CTX *libctx = NULL;
+
+ if (level <= 0)
+ return 1;
+ if (level > NUM_AUTH_LEVELS)
+ level = NUM_AUTH_LEVELS;
+
+- if (!X509_get_signature_info(cert, NULL, NULL, &secbits, NULL))
++ if (ctx->libctx)
++ libctx = ctx->libctx;
++ else if (cert->libctx)
++ libctx = cert->libctx;
++ else
++ libctx = OSSL_LIB_CTX_get0_global_default();
++
++ if (!X509_get_signature_info(cert, &nid, NULL, &secbits, NULL))
+ return 0;
+
++ if (nid == NID_sha1
++ && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)
++ && ctx->param->auth_level < 3)
++ /* When rh-allow-sha1-signatures = yes and security level <= 2,
++ * explicitly allow SHA1 for backwards compatibility. */
++ return 1;
++
+ return secbits >= minbits_table[level - 1];
+ }
+diff --git a/doc/man5/config.pod b/doc/man5/config.pod
+index aa1be5ca7f..aa69e2b844 100644
+--- a/doc/man5/config.pod
++++ b/doc/man5/config.pod
+@@ -305,7 +305,12 @@ When set to B, any attempt to create or verify a signature with a SHA1
+ digest will fail. For compatibility with older versions of OpenSSL, set this
+ option to B. This setting also affects TLS, where signature algorithms
+ that use SHA1 as digest will no longer be supported if this option is set to
+-B.
++B. Note that enabling B will allow TLS signature
++algorithms that use SHA1 in security level 2, despite the definition of
++security level 2 of 112 bits of security, which SHA1 does not meet. Because
++TLS 1.1 or lower use MD5-SHA1 as pseudorandom function (PRF) to derive key
++material, disabling B requires the use of TLS 1.2 or
++newer.
+
+ =item B (deprecated)
+
+diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
+index 4b74ee1a34..5f089de107 100644
+--- a/ssl/t1_lib.c
++++ b/ssl/t1_lib.c
+@@ -20,6 +20,7 @@
+ #include
+ #include
+ #include
++#include "crypto/x509.h"
+ #include "internal/sslconf.h"
+ #include "internal/nelem.h"
+ #include "internal/sizes.h"
+@@ -1561,19 +1562,27 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_UNKNOWN_DIGEST);
+ return 0;
+ }
+- /*
+- * Make sure security callback allows algorithm. For historical
+- * reasons we have to pass the sigalg as a two byte char array.
+- */
+- sigalgstr[0] = (sig >> 8) & 0xff;
+- sigalgstr[1] = sig & 0xff;
+- secbits = sigalg_security_bits(s->ctx, lu);
+- if (secbits == 0 ||
+- !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits,
+- md != NULL ? EVP_MD_get_type(md) : NID_undef,
+- (void *)sigalgstr)) {
+- SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE);
+- return 0;
++
++ if (lu->hash == NID_sha1
++ && ossl_ctx_legacy_digest_signatures_allowed(s->ctx->libctx, 0)
++ && SSL_get_security_level(s) < 3) {
++ /* when rh-allow-sha1-signatures = yes and security level <= 2,
++ * explicitly allow SHA1 for backwards compatibility */
++ } else {
++ /*
++ * Make sure security callback allows algorithm. For historical
++ * reasons we have to pass the sigalg as a two byte char array.
++ */
++ sigalgstr[0] = (sig >> 8) & 0xff;
++ sigalgstr[1] = sig & 0xff;
++ secbits = sigalg_security_bits(s->ctx, lu);
++ if (secbits == 0 ||
++ !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits,
++ md != NULL ? EVP_MD_get_type(md) : NID_undef,
++ (void *)sigalgstr)) {
++ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE);
++ return 0;
++ }
+ }
+ /* Store the sigalg the peer uses */
+ s->s3.tmp.peer_sigalg = lu;
+@@ -2106,6 +2115,14 @@ static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu)
+ }
+ }
+
++ if (lu->hash == NID_sha1
++ && ossl_ctx_legacy_digest_signatures_allowed(s->ctx->libctx, 0)
++ && SSL_get_security_level(s) < 3) {
++ /* when rh-allow-sha1-signatures = yes and security level <= 2,
++ * explicitly allow SHA1 for backwards compatibility */
++ return 1;
++ }
++
+ /* Finally see if security callback allows it */
+ secbits = sigalg_security_bits(s->ctx, lu);
+ sigalgstr[0] = (lu->sigalg >> 8) & 0xff;
+@@ -2977,6 +2994,8 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
+ {
+ /* Lookup signature algorithm digest */
+ int secbits, nid, pknid;
++ OSSL_LIB_CTX *libctx = NULL;
++
+ /* Don't check signature if self signed */
+ if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
+ return 1;
+@@ -2985,6 +3004,25 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
+ /* If digest NID not defined use signature NID */
+ if (nid == NID_undef)
+ nid = pknid;
++
++ if (x && x->libctx)
++ libctx = x->libctx;
++ else if (ctx && ctx->libctx)
++ libctx = ctx->libctx;
++ else if (s && s->ctx && s->ctx->libctx)
++ libctx = s->ctx->libctx;
++ else
++ libctx = OSSL_LIB_CTX_get0_global_default();
++
++ if (nid == NID_sha1
++ && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)
++ && ((s != NULL && SSL_get_security_level(s) < 3)
++ || (ctx != NULL && SSL_CTX_get_security_level(ctx) < 3)
++ ))
++ /* When rh-allow-sha1-signatures = yes and security level <= 2,
++ * explicitly allow SHA1 for backwards compatibility. */
++ return 1;
++
+ if (s)
+ return ssl_security(s, op, secbits, nid, x);
+ else
+diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
+index 700bbd849c..2de1d76b5e 100644
+--- a/test/recipes/25-test_verify.t
++++ b/test/recipes/25-test_verify.t
+@@ -29,7 +29,7 @@ sub verify {
+ run(app([@args]));
+ }
+
+-plan tests => 163;
++plan tests => 162;
+
+ # Canonical success
+ ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
+@@ -387,8 +387,9 @@ ok(verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "0"
+ ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], ),
+ "CA with PSS signature using SHA256");
+
+-ok(!verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "1"),
+- "Reject PSS signature using SHA1 and auth level 1");
++## rh-allow-sha1-signatures=yes allows this to pass despite -auth_level 1
++#ok(!verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "1"),
++# "Reject PSS signature using SHA1 and auth level 1");
+
+ ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
+ "PSS signature using SHA256 and auth level 2");
+--
+2.35.1
+
diff --git a/SOURCES/0056-strcasecmp.patch b/SOURCES/0056-strcasecmp.patch
new file mode 100644
index 0000000..8a005e6
--- /dev/null
+++ b/SOURCES/0056-strcasecmp.patch
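Review bot: The SHA1 exemptions added in `tls12_check_peer_sigalg`, `tls12_sigalg_allowed` and `ssl_security_cert_sig` return before `ssl_security()` is reached, so an application-installed security callback is never consulted about a SHA1 sigalg or SHA1 certificate signature at level 2 or below; a deployment that relies on its own callback to refuse SHA1 loses that control silently when the config option is on. Applying the exemption inside the default security callback path, or calling `ssl_security()` first and relaxing only its verdict for SHA1, would keep an explicit callback authoritative. In `ssl_security_cert_sig` the new condition accepts SHA1 when either `s` or `ctx` is below level 3, while the fall-through directly beneath it consults `s` alone whenever `s` is set; mirroring that order with `&& (s != NULL ? SSL_get_security_level(s) < 3 : (ctx != NULL && SSL_CTX_get_security_level(ctx) < 3))` keeps the two decisions consistent, and the `x && x->libctx` guard is moot since `x` was already handed to `X509_get_extension_flags(x)` a few lines earlier. In `25-test_verify.t` the negative SHA1 case is commented out rather than replaced, so nothing now asserts that `ee-pss-sha1-cert` is still rejected at `-auth_level 3`, which is exactly the boundary the patch introduces.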
@@ -0,0 +1,54 @@
+diff -up openssl-3.0.3/util/libcrypto.num.locale openssl-3.0.3/util/libcrypto.num
+--- openssl-3.0.3/util/libcrypto.num.locale 2022-06-01 12:35:52.667498724 +0200
++++ openssl-3.0.3/util/libcrypto.num 2022-06-01 12:36:08.112633093 +0200
+@@ -5425,6 +5425,8 @@ ASN1_item_d2i_ex
+ EVP_PKEY_CTX_get0_provider 5555 3_0_0 EXIST::FUNCTION:
+ OPENSSL_strcasecmp 5556 3_0_3 EXIST::FUNCTION:
+ OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION:
++OPENSSL_strcasecmp ? 3_0_1 EXIST::FUNCTION:
++OPENSSL_strncasecmp ? 3_0_1 EXIST::FUNCTION:
+ ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:
+ ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION:
+ ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION:
+diff -up openssl-3.0.7/crypto/o_str.c.cmp openssl-3.0.7/crypto/o_str.c
+--- openssl-3.0.7/crypto/o_str.c.cmp 2022-11-25 12:50:22.449760653 +0100
++++ openssl-3.0.7/crypto/o_str.c 2022-11-25 12:51:19.416350584 +0100
+@@ -342,7 +342,12 @@ int openssl_strerror_r(int errnum, char
+ #endif
+ }
+
+-int OPENSSL_strcasecmp(const char *s1, const char *s2)
++int
++#ifndef FIPS_MODULE
++__attribute__ ((symver ("OPENSSL_strcasecmp@@OPENSSL_3.0.3"),
++ symver ("OPENSSL_strcasecmp@OPENSSL_3.0.1")))
++#endif
++OPENSSL_strcasecmp(const char *s1, const char *s2)
+ {
+ int t;
+
+@@ -352,7 +354,12 @@ int OPENSSL_strcasecmp(const char *s1, c
+ return t;
+ }
+
+-int OPENSSL_strncasecmp(const char *s1, const char *s2, size_t n)
++int
++#ifndef FIPS_MODULE
++__attribute__ ((symver ("OPENSSL_strncasecmp@@OPENSSL_3.0.3"),
++ symver ("OPENSSL_strncasecmp@OPENSSL_3.0.1")))
++#endif
++OPENSSL_strncasecmp(const char *s1, const char *s2, size_t n)
+ {
+ int t;
+ size_t i;
+diff -up openssl-3.0.7/test/recipes/01-test_symbol_presence.t.cmp openssl-3.0.7/test/recipes/01-test_symbol_presence.t
+--- openssl-3.0.7/test/recipes/01-test_symbol_presence.t.cmp 2022-11-25 18:19:05.669769076 +0100
++++ openssl-3.0.7/test/recipes/01-test_symbol_presence.t 2022-11-25 18:31:20.993392678 +0100
+@@ -77,6 +80,7 @@ foreach my $libname (@libnames) {
+ s| .*||;
+ # Drop OpenSSL dynamic version information if there is any
+ s|\@\@.+$||;
++ s|\@.+$||;
+ # Return the result
+ $_
+ }
diff --git a/SOURCES/0058-FIPS-limit-rsa-encrypt.patch b/SOURCES/0058-FIPS-limit-rsa-encrypt.patch
new file mode 100644
index 0000000..b9cc3aa
--- /dev/null
+++ b/SOURCES/0058-FIPS-limit-rsa-encrypt.patch
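Review bot: The `__attribute__ ((symver (...)))` placed on `OPENSSL_strcasecmp` and `OPENSSL_strncasecmp` in `crypto/o_str.c` is a GCC-specific extension that, as far as I know, older GCC releases and clang reject, yet the only guard is `#ifndef FIPS_MODULE`; nesting the attribute under `#ifdef __has_attribute` / `#if __has_attribute(symver)` keeps the 3.0.1 compatibility alias on toolchains that support it and lets other builds at least compile the plain definition, with a comment noting that the alias is then absent. In `libcrypto.num` both names now appear twice, once with ordinals `5556`/`5557` for `3_0_3` and once with `?` for `3_0_1`; please confirm the num-file tooling tolerates duplicate symbol names, since that file also drives the export list. In `01-test_symbol_presence.t` the new `s|\@.+$||;` already strips everything from the first `@`, so the preceding `s|\@\@.+$||;` is redundant; either drop it or extend the comment to say the single-`@` form now covers both the `@@` default-version and the `@` compat-version suffixes.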
@@ -0,0 +1,540 @@ +diff -up openssl-3.0.1/providers/common/securitycheck.c.rsaenc openssl-3.0.1/providers/common/securitycheck.c +--- openssl-3.0.1/providers/common/securitycheck.c.rsaenc 2022-06-24 17:14:33.634692729 +0200 ++++ openssl-3.0.1/providers/common/securitycheck.c 2022-06-24 17:16:08.966540605 +0200 +@@ -27,6 +27,7 @@ + * Set protect = 1 for encryption or signing operations, or 0 otherwise. See + * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf. + */ ++/* Red Hat build implements some extra limitations in providers/implementations/asymciphers/rsa_enc.c */ + int ossl_rsa_check_key(OSSL_LIB_CTX *ctx, const RSA *rsa, int operation) + { + int protect = 0; +diff -up openssl-3.0.1/providers/implementations/asymciphers/rsa_enc.c.no_bad_pad openssl-3.0.1/providers/implementations/asymciphers/rsa_enc.c +--- openssl-3.0.1/providers/implementations/asymciphers/rsa_enc.c.no_bad_pad 2022-05-02 16:04:47.000091901 +0200 ++++ openssl-3.0.1/providers/implementations/asymciphers/rsa_enc.c 2022-05-02 16:14:50.922443581 +0200 +@@ -132,6 +132,17 @@ static int rsa_decrypt_init(void *vprsac + return rsa_init(vprsactx, vrsa, params, EVP_PKEY_OP_DECRYPT); + } + ++# ifdef FIPS_MODULE ++static int fips_padding_allowed(const PROV_RSA_CTX *prsactx) ++{ ++ if (prsactx->pad_mode == RSA_PKCS1_PADDING || prsactx->pad_mode == RSA_NO_PADDING ++ || prsactx->pad_mode == RSA_PKCS1_WITH_TLS_PADDING) ++ return 0; ++ ++ return 1; ++} ++# endif ++ + static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen, + size_t outsize, const unsigned char *in, size_t inlen) + { +@@ -141,6 +152,18 @@ static int rsa_encrypt(void *vprsactx, u + if (!ossl_prov_is_running()) + return 0; + ++# ifdef FIPS_MODULE ++ if (fips_padding_allowed(prsactx) == 0) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); ++ return 0; ++ } ++ ++ if (RSA_bits(prsactx->rsa) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS) { ++ ERR_raise(ERR_LIB_PROV, 
PROV_R_INVALID_KEY_LENGTH); ++ return 0; ++ } ++# endif ++ + if (out == NULL) { + size_t len = RSA_size(prsactx->rsa); + +@@ -202,6 +220,18 @@ static int rsa_decrypt(void *vprsactx, u + if (!ossl_prov_is_running()) + return 0; + ++# ifdef FIPS_MODULE ++ if (fips_padding_allowed(prsactx) == 0) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); ++ return 0; ++ } ++ ++ if (RSA_bits(prsactx->rsa) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); ++ return 0; ++ } ++# endif ++ + if (prsactx->pad_mode == RSA_PKCS1_WITH_TLS_PADDING) { + if (out == NULL) { + *outlen = SSL_MAX_MASTER_KEY_LENGTH; +diff -up openssl-3.0.1/test/recipes/80-test_cms.t.no_bad_pad openssl-3.0.1/test/recipes/80-test_cms.t +--- openssl-3.0.1/test/recipes/80-test_cms.t.no_bad_pad 2022-05-02 17:04:07.610782138 +0200 ++++ openssl-3.0.1/test/recipes/80-test_cms.t 2022-05-02 17:06:03.595814620 +0200 +@@ -232,7 +232,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], + +- [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients", ++ [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients, no Red Hat FIPS", + [ "{cmd1}", @prov, "-encrypt", "-in", $smcont, + "-aes256", "-stream", "-out", "{output}.cms", + $smrsa1, +@@ -865,5 +865,8 @@ sub check_availability { + return "$tnam: skipped, DSA disabled\n" + if ($no_dsa && $tnam =~ / DSA/); + ++ return "$tnam: skipped, Red Hat FIPS\n" ++ if ($tnam =~ /no Red Hat FIPS/); ++ + return ""; + } +diff -up openssl-3.0.1/test/recipes/80-test_ssl_old.t.no_bad_pad openssl-3.0.1/test/recipes/80-test_ssl_old.t +--- openssl-3.0.1/test/recipes/80-test_ssl_old.t.no_bad_pad 2022-05-02 17:26:37.962838053 +0200 ++++ openssl-3.0.1/test/recipes/80-test_ssl_old.t 2022-05-02 17:34:20.297950449 +0200 +@@ -483,6 +483,18 @@ sub testssl { + # the default choice if TLSv1.3 enabled + my $flag = $protocol eq "-tls1_3" ? 
"" : $protocol; + my $ciphersuites = ""; ++ my %redhat_skip_cipher = map {$_ => 1} qw( ++AES256-GCM-SHA384:@SECLEVEL=0 ++AES256-CCM8:@SECLEVEL=0 ++AES256-CCM:@SECLEVEL=0 ++AES128-GCM-SHA256:@SECLEVEL=0 ++AES128-CCM8:@SECLEVEL=0 ++AES128-CCM:@SECLEVEL=0 ++AES256-SHA256:@SECLEVEL=0 ++AES128-SHA256:@SECLEVEL=0 ++AES256-SHA:@SECLEVEL=0 ++AES128-SHA:@SECLEVEL=0 ++ ); + foreach my $cipher (@{$ciphersuites{$protocol}}) { + if ($protocol eq "-ssl3" && $cipher =~ /ECDH/ ) { + note "*****SKIPPING $protocol $cipher"; +@@ -494,11 +506,16 @@ sub testssl { + } else { + $cipher = $cipher.':@SECLEVEL=0'; + } +- ok(run(test([@ssltest, @exkeys, "-cipher", +- $cipher, +- "-ciphersuites", $ciphersuites, +- $flag || ()])), +- "Testing $cipher"); ++ if ($provider eq "fips" && exists $redhat_skip_cipher{$cipher}) { ++ note "*****SKIPPING $cipher in Red Hat FIPS mode"; ++ ok(1); ++ } else { ++ ok(run(test([@ssltest, @exkeys, "-cipher", ++ $cipher, ++ "-ciphersuites", $ciphersuites, ++ $flag || ()])), ++ "Testing $cipher"); ++ } + } + } + next if $protocol eq "-tls1_3"; +diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.fipskeylen openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt +--- openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.fipskeylen 2022-06-16 14:26:19.383530498 +0200 ++++ openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt 2022-06-16 14:39:53.637777701 +0200 +@@ -263,12 +263,13 @@ Input = 64b0e9f9892371110c40ba5739dc0974 + Output = 
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef + + # RSA decrypt +- ++Availablein = default + Decrypt = RSA-2048 + Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A78 + Output = "Hello World" + + # Corrupted ciphertext ++Availablein = default + Decrypt = RSA-2048 + Input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utput = "Hello World" +@@ -665,36 +666,42 @@ vcDtKrdWo6btTWc1Kml9QhbpMhKxJ6Y9VBHOb6mN + h90qjKHS9PvY4Q== + -----END PRIVATE KEY----- + ++Availablein = default + Decrypt=RSA-OAEP-1 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=354fe67b4a126d5d35fe36c777791a3f7ba13def484e2d3908aff722fad468fb21696de95d0be911c2d3174f8afcc201035f7b6d8e69402de5451618c21a535fa9d7bfc5b8dd9fc243f8cf927db31322d6e881eaa91a996170e657a05a266426d98c88003f8477c1227094a0d9fa1e8c4024309ce1ecccb5210035d47ac72e8a + Output=6628194e12073db03ba94cda9ef9532397d50dba79b987004afefe34 + ++Availablein = default + Decrypt=RSA-OAEP-1 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + 
Input=640db1acc58e0568fe5407e5f9b701dff8c3c91e716c536fc7fcec6cb5b71c1165988d4a279e1577d730fc7a29932e3f00c81515236d8d8e31017a7a09df4352d904cdeb79aa583adcc31ea698a4c05283daba9089be5491f67c1a4ee48dc74bbbe6643aef846679b4cb395a352d5ed115912df696ffe0702932946d71492b44 + Output=750c4047f547e8e41411856523298ac9bae245efaf1397fbe56f9dd5 + ++Availablein = default + Decrypt=RSA-OAEP-1 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=423736ed035f6026af276c35c0b3741b365e5f76ca091b4e8c29e2f0befee603595aa8322d602d2e625e95eb81b2f1c9724e822eca76db8618cf09c5343503a4360835b5903bc637e3879fb05e0ef32685d5aec5067cd7cc96fe4b2670b6eac3066b1fcf5686b68589aafb7d629b02d8f8625ca3833624d4800fb081b1cf94eb + Output=d94ae0832e6445ce42331cb06d531a82b1db4baad30f746dc916df24d4e3c2451fff59a6423eb0e1d02d4fe646cf699dfd818c6e97b051 + ++Availablein = default + Decrypt=RSA-OAEP-1 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=45ead4ca551e662c9800f1aca8283b0525e6abae30be4b4aba762fa40fd3d38e22abefc69794f6ebbbc05ddbb11216247d2f412fd0fba87c6e3acd888813646fd0e48e785204f9c3f73d6d8239562722dddd8771fec48b83a31ee6f592c4cfd4bc88174f3b13a112aae3b9f7b80e0fc6f7255ba880dc7d8021e22ad6a85f0755 + Output=52e650d98e7f2a048b4f86852153b97e01dd316f346a19f67a85 + ++Availablein = default + Decrypt=RSA-OAEP-1 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=36f6e34d94a8d34daacba33a2139d00ad85a9345a86051e73071620056b920e219005855a213a0f23897cdcd731b45257c777fe908202befdd0b58386b1244ea0cf539a05d5d10329da44e13030fd760dcd644cfef2094d1910d3f433e1c7c6dd18bc1f2df7f643d662fb9dd37ead9059190f4fa66ca39e869c4eb449cbdc439 + Output=8da89fd9e5f974a29feffb462b49180f6cf9e802 + ++Availablein = default + Decrypt=RSA-OAEP-1 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 +@@ -719,36 +726,42 @@ SwGNdhGLJDiac1Dsg2sAY6IXISNv2O222JtR5+64 + eG2e4XlBcKjI6A== + -----END PRIVATE KEY----- + ++Availablein = default + Decrypt=RSA-OAEP-2 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + 
Input=0181af8922b9fcb4d79d92ebe19815992fc0c1439d8bcd491398a0f4ad3a329a5bd9385560db532683c8b7da04e4b12aed6aacdf471c34c9cda891addcc2df3456653aa6382e9ae59b54455257eb099d562bbe10453f2b6d13c59c02e10f1f8abb5da0d0570932dacf2d0901db729d0fefcc054e70968ea540c81b04bcaefe720e + Output=8ff00caa605c702830634d9a6c3d42c652b58cf1d92fec570beee7 + ++Availablein = default + Decrypt=RSA-OAEP-2 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=018759ff1df63b2792410562314416a8aeaf2ac634b46f940ab82d64dbf165eee33011da749d4bab6e2fcd18129c9e49277d8453112b429a222a8471b070993998e758861c4d3f6d749d91c4290d332c7a4ab3f7ea35ff3a07d497c955ff0ffc95006b62c6d296810d9bfab024196c7934012c2df978ef299aba239940cba10245 + Output=2d + ++Availablein = default + Decrypt=RSA-OAEP-2 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=018802bab04c60325e81c4962311f2be7c2adce93041a00719c88f957575f2c79f1b7bc8ced115c706b311c08a2d986ca3b6a9336b147c29c6f229409ddec651bd1fdd5a0b7f610c9937fdb4a3a762364b8b3206b4ea485fd098d08f63d4aa8bb2697d027b750c32d7f74eaf5180d2e9b66b17cb2fa55523bc280da10d14be2053 + Output=74fc88c51bc90f77af9d5e9a4a70133d4b4e0b34da3c37c7ef8e + ++Availablein = default + Decrypt=RSA-OAEP-2 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=00a4578cbc176318a638fba7d01df15746af44d4f6cd96d7e7c495cbf425b09c649d32bf886da48fbaf989a2117187cafb1fb580317690e3ccd446920b7af82b31db5804d87d01514acbfa9156e782f867f6bed9449e0e9a2c09bcecc6aa087636965e34b3ec766f2fe2e43018a2fddeb140616a0e9d82e5331024ee0652fc7641 + Output=a7eb2a5036931d27d4e891326d99692ffadda9bf7efd3e34e622c4adc085f721dfe885072c78a203b151739be540fa8c153a10f00a + ++Availablein = default + Decrypt=RSA-OAEP-2 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + 
Input=00ebc5f5fda77cfdad3c83641a9025e77d72d8a6fb33a810f5950f8d74c73e8d931e8634d86ab1246256ae07b6005b71b7f2fb98351218331ce69b8ffbdc9da08bbc9c704f876deb9df9fc2ec065cad87f9090b07acc17aa7f997b27aca48806e897f771d95141fe4526d8a5301b678627efab707fd40fbebd6e792a25613e7aec + Output=2ef2b066f854c33f3bdcbb5994a435e73d6c6c + ++Availablein = default + Decrypt=RSA-OAEP-2 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 +@@ -773,36 +786,42 @@ iUGx07dw5a0x7jc7KKzaaf+bb0D+V4ufGvuFg2+W + Ya4qnqZe1onjY5o= + -----END PRIVATE KEY----- + ++Availablein = default + Decrypt=RSA-OAEP-3 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=026a0485d96aebd96b4382085099b962e6a2bdec3d90c8db625e14372de85e2d5b7baab65c8faf91bb5504fb495afce5c988b3f6a52e20e1d6cbd3566c5cd1f2b8318bb542cc0ea25c4aab9932afa20760eaddec784396a07ea0ef24d4e6f4d37e5052a7a31e146aa480a111bbe926401307e00f410033842b6d82fe5ce4dfae80 + Output=087820b569e8fa8d + ++Availablein = default + Decrypt=RSA-OAEP-3 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=024db89c7802989be0783847863084941bf209d761987e38f97cb5f6f1bc88da72a50b73ebaf11c879c4f95df37b850b8f65d7622e25b1b889e80fe80baca2069d6e0e1d829953fc459069de98ea9798b451e557e99abf8fe3d9ccf9096ebbf3e5255d3b4e1c6d2ecadf067a359eea86405acd47d5e165517ccafd47d6dbee4bf5 + Output=4653acaf171960b01f52a7be63a3ab21dc368ec43b50d82ec3781e04 + ++Availablein = default + Decrypt=RSA-OAEP-3 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=0239bce681032441528877d6d1c8bb28aa3bc97f1df584563618995797683844ca86664732f4bed7a0aab083aaabfb7238f582e30958c2024e44e57043b97950fd543da977c90cdde5337d618442f99e60d7783ab59ce6dd9d69c47ad1e962bec22d05895cff8d3f64ed5261d92b2678510393484990ba3f7f06818ae6ffce8a3a + Output=d94cd0e08fa404ed89 + ++Availablein = default + Decrypt=RSA-OAEP-3 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + 
Input=02994c62afd76f498ba1fd2cf642857fca81f4373cb08f1cbaee6f025c3b512b42c3e8779113476648039dbe0493f9246292fac28950600e7c0f32edf9c81b9dec45c3bde0cc8d8847590169907b7dc5991ceb29bb0714d613d96df0f12ec5d8d3507c8ee7ae78dd83f216fa61de100363aca48a7e914ae9f42ddfbe943b09d9a0 + Output=6cc641b6b61e6f963974dad23a9013284ef1 + ++Availablein = default + Decrypt=RSA-OAEP-3 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=0162042ff6969592a6167031811a239834ce638abf54fec8b99478122afe2ee67f8c5b18b0339805bfdbc5a4e6720b37c59cfba942464c597ff532a119821545fd2e59b114e61daf71820529f5029cf524954327c34ec5e6f5ba7efcc4de943ab8ad4ed787b1454329f70db798a3a8f4d92f8274e2b2948ade627ce8ee33e43c60 + Output=df5151832b61f4f25891fb4172f328d2eddf8371ffcfdbe997939295f30eca6918017cfda1153bf7a6af87593223 + ++Availablein = default + Decrypt=RSA-OAEP-3 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 +@@ -827,36 +846,42 @@ s/XkIiO6MDAcQabYfLtw4wy308Z9JUc9sfbL8D4/ + aD0x7TDrmEvkEro= + -----END PRIVATE KEY----- + ++Availablein = default + Decrypt=RSA-OAEP-4 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=04cce19614845e094152a3fe18e54e3330c44e5efbc64ae16886cb1869014cc5781b1f8f9e045384d0112a135ca0d12e9c88a8e4063416deaae3844f60d6e96fe155145f4525b9a34431ca3766180f70e15a5e5d8e8b1a516ff870609f13f896935ced188279a58ed13d07114277d75c6568607e0ab092fd803a223e4a8ee0b1a8 + Output=4a86609534ee434a6cbca3f7e962e76d455e3264c19f605f6e5ff6137c65c56d7fb344cd52bc93374f3d166c9f0c6f9c506bad19330972d2 + ++Availablein = default + Decrypt=RSA-OAEP-4 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=0097b698c6165645b303486fbf5a2a4479c0ee85889b541a6f0b858d6b6597b13b854eb4f839af03399a80d79bda6578c841f90d645715b280d37143992dd186c80b949b775cae97370e4ec97443136c6da484e970ffdb1323a20847821d3b18381de13bb49aaea66530c4a4b8271f3eae172cd366e07e6636f1019d2a28aed15e + 
Output=b0adc4f3fe11da59ce992773d9059943c03046497ee9d9f9a06df1166db46d98f58d27ec074c02eee6cbe2449c8b9fc5080c5c3f4433092512ec46aa793743c8 + ++Availablein = default + Decrypt=RSA-OAEP-4 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=0301f935e9c47abcb48acbbe09895d9f5971af14839da4ff95417ee453d1fd77319072bb7297e1b55d7561cd9d1bb24c1a9a37c619864308242804879d86ebd001dce5183975e1506989b70e5a83434154d5cbfd6a24787e60eb0c658d2ac193302d1192c6e622d4a12ad4b53923bca246df31c6395e37702c6a78ae081fb9d065 + Output=bf6d42e701707b1d0206b0c8b45a1c72641ff12889219a82bdea965b5e79a96b0d0163ed9d578ec9ada20f2fbcf1ea3c4089d83419ba81b0c60f3606da99 + ++Availablein = default + Decrypt=RSA-OAEP-4 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=02d110ad30afb727beb691dd0cf17d0af1a1e7fa0cc040ec1a4ba26a42c59d0a796a2e22c8f357ccc98b6519aceb682e945e62cb734614a529407cd452bee3e44fece8423cc19e55548b8b994b849c7ecde4933e76037e1d0ce44275b08710c68e430130b929730ed77e09b015642c5593f04e4ffb9410798102a8e96ffdfe11e4 + Output=fb2ef112f5e766eb94019297934794f7be2f6fc1c58e + ++Availablein = default + Decrypt=RSA-OAEP-4 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=00dbb8a7439d90efd919a377c54fae8fe11ec58c3b858362e23ad1b8a44310799066b99347aa525691d2adc58d9b06e34f288c170390c5f0e11c0aa3645959f18ee79e8f2be8d7ac5c23d061f18dd74b8c5f2a58fcb5eb0c54f99f01a83247568292536583340948d7a8c97c4acd1e98d1e29dc320e97a260532a8aa7a758a1ec2 + Output=28ccd447bb9e85166dabb9e5b7d1adadc4b9d39f204e96d5e440ce9ad928bc1c2284 + ++Availablein = default + Decrypt=RSA-OAEP-4 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 +@@ -881,36 +906,42 @@ OPlAQGLrhaQpJFILOPW7iGoBlvSLuNzqYP2SzAJ/ + MSwGUGLx60i3nRyDyw== + -----END PRIVATE KEY----- + ++Availablein = default + Decrypt=RSA-OAEP-5 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + 
Input=036046a4a47d9ed3ba9a89139c105038eb7492b05a5d68bfd53accff4597f7a68651b47b4a4627d927e485eed7b4566420e8b409879e5d606eae251d22a5df799f7920bfc117b992572a53b1263146bcea03385cc5e853c9a101c8c3e1bda31a519807496c6cb5e5efb408823a352b8fa0661fb664efadd593deb99fff5ed000e5 + Output=af71a901e3a61d3132f0fc1fdb474f9ea6579257ffc24d164170145b3dbde8 + ++Availablein = default + Decrypt=RSA-OAEP-5 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=03d6eb654edce615bc59f455265ed4e5a18223cbb9be4e4069b473804d5de96f54dcaaa603d049c5d94aa1470dfcd2254066b7c7b61ff1f6f6770e3215c51399fd4e34ec5082bc48f089840ad04354ae66dc0f1bd18e461a33cc1258b443a2837a6df26759aa2302334986f87380c9cc9d53be9f99605d2c9a97da7b0915a4a7ad + Output=a3b844a08239a8ac41605af17a6cfda4d350136585903a417a79268760519a4b4ac3303ec73f0f87cfb32399 + ++Availablein = default + Decrypt=RSA-OAEP-5 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=0770952181649f9f9f07ff626ff3a22c35c462443d905d456a9fd0bff43cac2ca7a9f554e9478b9acc3ac838b02040ffd3e1847de2e4253929f9dd9ee4044325a9b05cabb808b2ee840d34e15d105a3f1f7b27695a1a07a2d73fe08ecaaa3c9c9d4d5a89ff890d54727d7ae40c0ec1a8dd86165d8ee2c6368141016a48b55b6967 + Output=308b0ecbd2c76cb77fc6f70c5edd233fd2f20929d629f026953bb62a8f4a3a314bde195de85b5f816da2aab074d26cb6acddf323ae3b9c678ac3cf12fbdde7 + ++Availablein = default + Decrypt=RSA-OAEP-5 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=0812b76768ebcb642d040258e5f4441a018521bd96687e6c5e899fcd6c17588ff59a82cc8ae03a4b45b31299af1788c329f7dcd285f8cf4ced82606b97612671a45bedca133442144d1617d114f802857f0f9d739751c57a3f9ee400912c61e2e6992be031a43dd48fa6ba14eef7c422b5edc4e7afa04fdd38f402d1c8bb719abf + Output=15c5b9ee1185 + ++Availablein = default + Decrypt=RSA-OAEP-5 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + 
Input=07b60e14ec954bfd29e60d0047e789f51d57186c63589903306793ced3f68241c743529aba6a6374f92e19e0163efa33697e196f7661dfaaa47aac6bde5e51deb507c72c589a2ca1693d96b1460381249b2cdb9eac44769f2489c5d3d2f99f0ee3c7ee5bf64a5ac79c42bd433f149be8cb59548361640595513c97af7bc2509723 + Output=21026e6800c7fa728fcaaba0d196ae28d7a2ac4ffd8abce794f0985f60c8a6737277365d3fea11db8923a2029a + ++Availablein = default + Decrypt=RSA-OAEP-5 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 +@@ -935,36 +966,42 @@ xT1F29tenZbQ/s9Cdd8JdLxKBza0p0wyaQU++2hq + Yejn5Ly8mU2q+jBcRQ== + -----END PRIVATE KEY----- + ++Availablein = default + Decrypt=RSA-OAEP-6 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=0630eebcd2856c24f798806e41f9e67345eda9ceda386acc9facaea1eeed06ace583709718d9d169fadf414d5c76f92996833ef305b75b1e4b95f662a20faedc3bae0c4827a8bf8a88edbd57ec203a27a841f02e43a615bab1a8cac0701de34debdef62a088089b55ec36ea7522fd3ec8d06b6a073e6df833153bc0aefd93bd1a3 + Output=4046ca8baa3347ca27f49e0d81f9cc1d71be9ba517d4 + ++Availablein = default + Decrypt=RSA-OAEP-6 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=0ebc37376173a4fd2f89cc55c2ca62b26b11d51c3c7ce49e8845f74e7607317c436bc8d23b9667dfeb9d087234b47bc6837175ae5c0559f6b81d7d22416d3e50f4ac533d8f0812f2db9e791fe9c775ac8b6ad0f535ad9ceb23a4a02014c58ab3f8d3161499a260f39348e714ae2a1d3443208fd8b722ccfdfb393e98011f99e63f + Output=5cc72c60231df03b3d40f9b57931bc31109f972527f28b19e7480c7288cb3c92b22512214e4be6c914792ddabdf57faa8aa7 + ++Availablein = default + Decrypt=RSA-OAEP-6 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=0a98bf1093619394436cf68d8f38e2f158fde8ea54f3435f239b8d06b8321844202476aeed96009492480ce3a8d705498c4c8c68f01501dc81db608f60087350c8c3b0bd2e9ef6a81458b7c801b89f2e4fe99d4900ba6a4b5e5a96d865dc676c7755928794130d6280a8160a190f2df3ea7cf9aa0271d88e9e6905ecf1c5152d65 + Output=b20e651303092f4bccb43070c0f86d23049362ed96642fc5632c27db4a52e3d831f2ab068b23b149879c002f6bf3feee97591112562c + ++Availablein = 
default + Decrypt=RSA-OAEP-6 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=008e7a67cacfb5c4e24bec7dee149117f19598ce8c45808fef88c608ff9cd6e695263b9a3c0ad4b8ba4c95238e96a8422b8535629c8d5382374479ad13fa39974b242f9a759eeaf9c83ad5a8ca18940a0162ba755876df263f4bd50c6525c56090267c1f0e09ce0899a0cf359e88120abd9bf893445b3cae77d3607359ae9a52f8 + Output=684e3038c5c041f7 + ++Availablein = default + Decrypt=RSA-OAEP-6 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=00003474416c7b68bdf961c385737944d7f1f40cb395343c693cc0b4fe63b31fedf1eaeeac9ccc0678b31dc32e0977489514c4f09085f6298a9653f01aea4045ff582ee887be26ae575b73eef7f3774921e375a3d19adda0ca31aa1849887c1f42cac9677f7a2f4e923f6e5a868b38c084ef187594dc9f7f048fea2e02955384ab + Output=32488cb262d041d6e4dd35f987bf3ca696db1f06ac29a44693 + ++Availablein = default + Decrypt=RSA-OAEP-6 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 +@@ -989,36 +1026,42 @@ tu4XIedy0DiaVZw9PN+VUNRXxGsDe3RkGx1SFmr4 + FMlxv0gq65dqc3DC + -----END PRIVATE KEY----- + ++Availablein = default + Decrypt=RSA-OAEP-7 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=1688e4ce7794bba6cb7014169ecd559cede2a30b56a52b68d9fe18cf1973ef97b2a03153951c755f6294aa49adbdb55845ab6875fb3986c93ecf927962840d282f9e54ce8b690f7c0cb8bbd73440d9571d1b16cd9260f9eab4783cc482e5223dc60973871783ec27b0ae0fd47732cbc286a173fc92b00fb4ba6824647cd93c85c1 + Output=47aae909 + ++Availablein = default + Decrypt=RSA-OAEP-7 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=1052ed397b2e01e1d0ee1c50bf24363f95e504f4a03434a08fd822574ed6b9736edbb5f390db10321479a8a139350e2bd4977c3778ef331f3e78ae118b268451f20a2f01d471f5d53c566937171b2dbc2d4bde459a5799f0372d6574239b2323d245d0bb81c286b63c89a361017337e4902f88a467f4c7f244bfd5ab46437ff3b6 + Output=1d9b2e2223d9bc13bfb9f162ce735db48ba7c68f6822a0a1a7b6ae165834e7 + ++Availablein = default + Decrypt=RSA-OAEP-7 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + 
Input=2155cd843ff24a4ee8badb7694260028a490813ba8b369a4cbf106ec148e5298707f5965be7d101c1049ea8584c24cd63455ad9c104d686282d3fb803a4c11c1c2e9b91c7178801d1b6640f003f5728df007b8a4ccc92bce05e41a27278d7c85018c52414313a5077789001d4f01910b72aad05d220aa14a58733a7489bc54556b + Output=d976fc + ++Availablein = default + Decrypt=RSA-OAEP-7 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=0ab14c373aeb7d4328d0aaad8c094d88b9eb098b95f21054a29082522be7c27a312878b637917e3d819e6c3c568db5d843802b06d51d9e98a2be0bf40c031423b00edfbff8320efb9171bd2044653a4cb9c5122f6c65e83cda2ec3c126027a9c1a56ba874d0fea23f380b82cf240b8cf540004758c4c77d934157a74f3fc12bfac + Output=d4738623df223aa43843df8467534c41d013e0c803c624e263666b239bde40a5f29aeb8de79e3daa61dd0370f49bd4b013834b98212aef6b1c5ee373b3cb + ++Availablein = default + Decrypt=RSA-OAEP-7 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=028387a318277434798b4d97f460068df5298faba5041ba11761a1cb7316b24184114ec500257e2589ed3b607a1ebbe97a6cc2e02bf1b681f42312a33b7a77d8e7855c4a6de03e3c04643f786b91a264a0d6805e2cea91e68177eb7a64d9255e4f27e713b7ccec00dc200ebd21c2ea2bb890feae4942df941dc3f97890ed347478 + Output=bb47231ca5ea1d3ad46c99345d9a8a61 + ++Availablein = default + Decrypt=RSA-OAEP-7 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 +@@ -1043,36 +1086,42 @@ njraT2MgdSwJ2AX/fR8a4NAXru7pzvoNfdf/d15E + 2MiPa249Z+lh3Luj0A== + -----END PRIVATE KEY----- + ++Availablein = default + Decrypt=RSA-OAEP-8 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=09b3683d8a2eb0fb295b62ed1fb9290b714457b7825319f4647872af889b30409472020ad12912bf19b11d4819f49614824ffd84d09c0a17e7d17309d12919790410aa2995699f6a86dbe3242b5acc23af45691080d6b1ae810fb3e3057087f0970092ce00be9562ff4053b6262ce0caa93e13723d2e3a5ba075d45f0d61b54b61 + Output=050b755e5e6880f7b9e9d692a74c37aae449b31bfea6deff83747a897f6c2c825bb1adbf850a3c96994b5de5b33cbc7d4a17913a7967 + ++Availablein = default + Decrypt=RSA-OAEP-8 + Ctrl = rsa_padding_mode:oaep + Ctrl = 
rsa_mgf1_md:sha1 + Input=2ecf15c97c5a15b1476ae986b371b57a24284f4a162a8d0c8182e7905e792256f1812ba5f83f1f7a130e42dcc02232844edc14a31a68ee97ae564a383a3411656424c5f62ddb646093c367be1fcda426cf00a06d8acb7e57776fbbd855ac3df506fc16b1d7c3f2110f3d8068e91e186363831c8409680d8da9ecd8cf1fa20ee39d + Output=4eb68dcd93ca9b19df111bd43608f557026fe4aa1d5cfac227a3eb5ab9548c18a06dded23f81825986b2fcd71109ecef7eff88873f075c2aa0c469f69c92bc + ++Availablein = default + Decrypt=RSA-OAEP-8 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=4bc89130a5b2dabb7c2fcf90eb5d0eaf9e681b7146a38f3173a3d9cfec52ea9e0a41932e648a9d69344c50da763f51a03c95762131e8052254dcd2248cba40fd31667786ce05a2b7b531ac9dac9ed584a59b677c1a8aed8c5d15d68c05569e2be780bf7db638fd2bfd2a85ab276860f3777338fca989ffd743d13ee08e0ca9893f + Output=8604ac56328c1ab5ad917861 + ++Availablein = default + Decrypt=RSA-OAEP-8 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=2e456847d8fc36ff0147d6993594b9397227d577752c79d0f904fcb039d4d812fea605a7b574dd82ca786f93752348438ee9f5b5454985d5f0e1699e3e7ad175a32e15f03deb042ab9fe1dd9db1bb86f8c089ccb45e7ef0c5ee7ca9b7290ca6b15bed47039788a8a93ff83e0e8d6244c71006362deef69b6f416fb3c684383fbd0 + Output=fdda5fbf6ec361a9d9a4ac68af216a0686f438b1e0e5c36b955f74e107f39c0dddcc + ++Availablein = default + Decrypt=RSA-OAEP-8 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=1fb9356fd5c4b1796db2ebf7d0d393cc810adf6145defc2fce714f79d93800d5e2ac211ea8bbecca4b654b94c3b18b30dd576ce34dc95436ef57a09415645923359a5d7b4171ef22c24670f1b229d3603e91f76671b7df97e7317c97734476d5f3d17d21cf82b5ba9f83df2e588d36984fd1b584468bd23b2e875f32f68953f7b2 + Output=4a5f4914bee25de3c69341de07 + ++Availablein = default + Decrypt=RSA-OAEP-8 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 +@@ -1103,36 +1152,42 @@ Z7CDuaemy2HkLbNiuMmJbbcGTgKtWuYVh9oVtGSc + tKo5Eb69iFQvBb4= + -----END PRIVATE KEY----- + ++Availablein = default + Decrypt=RSA-OAEP-9 + Ctrl = rsa_padding_mode:oaep + Ctrl = 
rsa_mgf1_md:sha1 + Input=267bcd118acab1fc8ba81c85d73003cb8610fa55c1d97da8d48a7c7f06896a4db751aa284255b9d36ad65f37653d829f1b37f97b8001942545b2fc2c55a7376ca7a1be4b1760c8e05a33e5aa2526b8d98e317088e7834c755b2a59b12631a182c05d5d43ab1779264f8456f515ce57dfdf512d5493dab7b7338dc4b7d78db9c091ac3baf537a69fc7f549d979f0eff9a94fda4169bd4d1d19a69c99e33c3b55490d501b39b1edae118ff6793a153261584d3a5f39f6e682e3d17c8cd1261fa72 + Output=f735fd55ba92592c3b52b8f9c4f69aaa1cbef8fe88add095595412467f9cf4ec0b896c59eda16210e7549c8abb10cdbc21a12ec9b6b5b8fd2f10399eb6 + ++Availablein = default + Decrypt=RSA-OAEP-9 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=93ac9f0671ec29acbb444effc1a5741351d60fdb0e393fbf754acf0de49761a14841df7772e9bc82773966a1584c4d72baea00118f83f35cca6e537cbd4d811f5583b29783d8a6d94cd31be70d6f526c10ff09c6fa7ce069795a3fcd0511fd5fcb564bcc80ea9c78f38b80012539d8a4ddf6fe81e9cddb7f50dbbbbcc7e5d86097ccf4ec49189fb8bf318be6d5a0715d516b49af191258cd32dc833ce6eb4673c03a19bbace88cc54895f636cc0c1ec89096d11ce235a265ca1764232a689ae8 + Output=81b906605015a63aabe42ddf11e1978912f5404c7474b26dce3ed482bf961ecc818bf420c54659 + ++Availablein = default + Decrypt=RSA-OAEP-9 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=81ebdd95054b0c822ef9ad7693f5a87adfb4b4c4ce70df2df84ed49c04da58ba5fc20a19e1a6e8b7a3900b22796dc4e869ee6b42792d15a8eceb56c09c69914e813cea8f6931e4b8ed6f421af298d595c97f4789c7caa612c7ef360984c21b93edc5401068b5af4c78a8771b984d53b8ea8adf2f6a7d4a0ba76c75e1dd9f658f20ded4a46071d46d7791b56803d8fea7f0b0f8e41ae3f09383a6f9585fe7753eaaffd2bf94563108beecc207bbb535f5fcc705f0dde9f708c62f49a9c90371d3 + Output=fd326429df9b890e09b54b18b8f34f1e24 + ++Availablein = default + Decrypt=RSA-OAEP-9 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + 
Input=bcc35f94cde66cb1136625d625b94432a35b22f3d2fa11a613ff0fca5bd57f87b902ccdc1cd0aebcb0715ee869d1d1fe395f6793003f5eca465059c88660d446ff5f0818552022557e38c08a67ead991262254f10682975ec56397768537f4977af6d5f6aaceb7fb25dec5937230231fd8978af49119a29f29e424ab8272b47562792d5c94f774b8829d0b0d9f1a8c9eddf37574d5fa248eefa9c5271fc5ec2579c81bdd61b410fa61fe36e424221c113addb275664c801d34ca8c6351e4a858 + Output=f1459b5f0c92f01a0f723a2e5662484d8f8c0a20fc29dad6acd43bb5f3effdf4e1b63e07fdfe6628d0d74ca19bf2d69e4a0abf86d293925a796772f8088e + ++Availablein = default + Decrypt=RSA-OAEP-9 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=232afbc927fa08c2f6a27b87d4a5cb09c07dc26fae73d73a90558839f4fd66d281b87ec734bce237ba166698ed829106a7de6942cd6cdce78fed8d2e4d81428e66490d036264cef92af941d3e35055fe3981e14d29cbb9a4f67473063baec79a1179f5a17c9c1832f2838fd7d5e59bb9659d56dce8a019edef1bb3accc697cc6cc7a778f60a064c7f6f5d529c6210262e003de583e81e3167b89971fb8c0e15d44fffef89b53d8d64dd797d159b56d2b08ea5307ea12c241bd58d4ee278a1f2e + Output=53e6e8c729d6f9c319dd317e74b0db8e4ccca25f3c8305746e137ac63a63ef3739e7b595abb96e8d55e54f7bd41ab433378ffb911d + ++Availablein = default + Decrypt=RSA-OAEP-9 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 diff --git a/SOURCES/0060-FIPS-KAT-signature-tests.patch b/SOURCES/0060-FIPS-KAT-signature-tests.patch new file mode 100644 index 0000000..184b150 --- /dev/null +++ b/SOURCES/0060-FIPS-KAT-signature-tests.patch 
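Review bot: `fips_padding_allowed()` in rsa_enc.c is written as a deny-list — it rejects RSA_PKCS1_PADDING, RSA_NO_PADDING and RSA_PKCS1_WITH_TLS_PADDING and returns 1 for everything else — so any other mode the context can be set to (RSA_X931_PADDING, a signature padding, or a mode added later) passes this FIPS gate and is left to the lower layer to reject, or not. Since the intent, as far as these hunks show, is that OAEP is the only encryption padding left in the FIPS module, an allow-list states that directly and cannot drift: `return prsactx->pad_mode == RSA_PKCS1_OAEP_PADDING;`, with a comment such as `/* Red Hat FIPS: only RSA-OAEP is accepted for encrypt/decrypt; PKCS#1 v1.5, raw RSA and the TLS variant are rejected here before the key is touched. */`. The three-line `RSA_bits(prsactx->rsa) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS` check is duplicated verbatim in rsa_encrypt and rsa_decrypt; folding it into the same helper keeps the two paths from diverging. In 80-test_ssl_old.t, recording a skipped cipher as a bare `ok(1)` hides the skip in TAP output, where `pass("SKIPPED $cipher in Red Hat FIPS mode")` keeps the plan count and stays greppable. Both rsa_encrypt and rsa_decrypt bodies continue outside this hunk.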
@@ -0,0 +1,420 @@ +diff -up openssl-3.0.1/crypto/ec/ec_backend.c.fips_kat_signature openssl-3.0.1/crypto/ec/ec_backend.c +--- openssl-3.0.1/crypto/ec/ec_backend.c.fips_kat_signature 2022-04-04 15:49:24.786455707 +0200 ++++ openssl-3.0.1/crypto/ec/ec_backend.c 2022-04-04 16:06:13.250271963 +0200 +@@ -393,6 +393,10 @@ int ossl_ec_key_fromdata(EC_KEY *ec, con + const OSSL_PARAM *param_priv_key = NULL, *param_pub_key = NULL; + BN_CTX *ctx = NULL; + BIGNUM *priv_key = NULL; ++#ifdef FIPS_MODULE ++ const OSSL_PARAM *param_sign_kat_k = NULL; ++ BIGNUM *sign_kat_k = NULL; ++#endif + unsigned char *pub_key = NULL; + size_t pub_key_len; + const EC_GROUP *ecg = NULL; +@@ -408,7 +412,10 @@ int ossl_ec_key_fromdata(EC_KEY *ec, con + if (include_private) + param_priv_key = + OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PRIV_KEY); +- ++#ifdef FIPS_MODULE ++ param_sign_kat_k = ++ OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_REDHAT_SIGN_KAT_K); ++#endif + ctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(ec)); + if (ctx == NULL) + goto err; +@@ -481,6 +489,17 @@ int ossl_ec_key_fromdata(EC_KEY *ec, con + && !EC_KEY_set_public_key(ec, pub_point)) + goto err; + ++#ifdef FIPS_MODULE ++ if (param_sign_kat_k) { ++ if ((sign_kat_k = BN_secure_new()) == NULL) ++ goto err; ++ BN_set_flags(sign_kat_k, BN_FLG_CONSTTIME); ++ ++ if (!OSSL_PARAM_get_BN(param_sign_kat_k, &sign_kat_k)) ++ goto err; ++ ec->sign_kat_k = sign_kat_k; ++ } ++#endif + ok = 1; + + err: +diff -up openssl-3.0.1/crypto/ec/ecdsa_ossl.c.fips_kat_signature openssl-3.0.1/crypto/ec/ecdsa_ossl.c +--- openssl-3.0.1/crypto/ec/ecdsa_ossl.c.fips_kat_signature 2022-04-04 17:01:35.725323127 +0200 ++++ openssl-3.0.1/crypto/ec/ecdsa_ossl.c 2022-04-04 17:03:42.000427050 +0200 +@@ -20,6 +20,10 @@ + #include "crypto/bn.h" + #include "ec_local.h" + ++#ifdef FIPS_MODULE ++extern int REDHAT_FIPS_signature_st; ++#endif ++ + int ossl_ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, + BIGNUM **rp) + { +@@ -126,6 +130,11 @@ static 
int ecdsa_sign_setup(EC_KEY *ecke + goto err; + + do { ++#ifdef FIPS_MODULE ++ if (REDHAT_FIPS_signature_st && eckey->sign_kat_k != NULL) { ++ BN_copy(k, eckey->sign_kat_k); ++ } else { ++#endif + /* get random k */ + do { + if (dgst != NULL) { +@@ -141,7 +150,9 @@ static int ecdsa_sign_setup(EC_KEY *ecke + } + } + } while (BN_is_zero(k)); +- ++#ifdef FIPS_MODULE ++ } ++#endif + /* compute r the x-coordinate of generator * k */ + if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) { + ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB); +diff -up openssl-3.0.1/crypto/ec/ec_key.c.fips_kat_signature openssl-3.0.1/crypto/ec/ec_key.c +--- openssl-3.0.1/crypto/ec/ec_key.c.fips_kat_signature 2022-04-04 13:48:52.231172299 +0200 ++++ openssl-3.0.1/crypto/ec/ec_key.c 2022-04-04 14:00:35.077368605 +0200 +@@ -97,6 +97,9 @@ void EC_KEY_free(EC_KEY *r) + EC_GROUP_free(r->group); + EC_POINT_free(r->pub_key); + BN_clear_free(r->priv_key); ++#ifdef FIPS_MODULE ++ BN_clear_free(r->sign_kat_k); ++#endif + OPENSSL_free(r->propq); + + OPENSSL_clear_free((void *)r, sizeof(EC_KEY)); +diff -up openssl-3.0.1/crypto/ec/ec_local.h.fips_kat_signature openssl-3.0.1/crypto/ec/ec_local.h +--- openssl-3.0.1/crypto/ec/ec_local.h.fips_kat_signature 2022-04-04 13:46:57.576161867 +0200 ++++ openssl-3.0.1/crypto/ec/ec_local.h 2022-04-04 13:48:07.827780835 +0200 +@@ -298,6 +298,9 @@ struct ec_key_st { + #ifndef FIPS_MODULE + CRYPTO_EX_DATA ex_data; + #endif ++#ifdef FIPS_MODULE ++ BIGNUM *sign_kat_k; ++#endif + CRYPTO_RWLOCK *lock; + OSSL_LIB_CTX *libctx; + char *propq; +diff -up openssl-3.0.1/include/openssl/core_names.h.fips_kat_signature openssl-3.0.1/include/openssl/core_names.h +--- openssl-3.0.1/include/openssl/core_names.h.fips_kat_signature 2022-04-04 14:06:15.717370014 +0200 ++++ openssl-3.0.1/include/openssl/core_names.h 2022-04-04 14:07:35.376071229 +0200 +@@ -293,6 +293,7 @@ extern "C" { + #define OSSL_PKEY_PARAM_DIST_ID "distid" + #define OSSL_PKEY_PARAM_PUB_KEY "pub" + #define 
OSSL_PKEY_PARAM_PRIV_KEY "priv" ++#define OSSL_PKEY_PARAM_REDHAT_SIGN_KAT_K "rh_sign_kat_k" + + /* Diffie-Hellman/DSA Parameters */ + #define OSSL_PKEY_PARAM_FFC_P "p" +diff -up openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c.fips_kat_signature openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c +--- openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c.fips_kat_signature 2022-04-04 14:21:03.043180906 +0200 ++++ openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c 2022-04-04 14:38:33.949406645 +0200 +@@ -530,7 +530,8 @@ end: + # define EC_IMEXPORTABLE_PUBLIC_KEY \ + OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_PUB_KEY, NULL, 0) + # define EC_IMEXPORTABLE_PRIVATE_KEY \ +- OSSL_PARAM_BN(OSSL_PKEY_PARAM_PRIV_KEY, NULL, 0) ++ OSSL_PARAM_BN(OSSL_PKEY_PARAM_PRIV_KEY, NULL, 0), \ ++ OSSL_PARAM_BN(OSSL_PKEY_PARAM_REDHAT_SIGN_KAT_K, NULL, 0) + # define EC_IMEXPORTABLE_OTHER_PARAMETERS \ + OSSL_PARAM_int(OSSL_PKEY_PARAM_USE_COFACTOR_ECDH, NULL), \ + OSSL_PARAM_int(OSSL_PKEY_PARAM_EC_INCLUDE_PUBLIC, NULL) +diff -up openssl-3.0.1/providers/fips/self_test_kats.c.kat openssl-3.0.1/providers/fips/self_test_kats.c +--- openssl-3.0.1/providers/fips/self_test_kats.c.kat 2022-05-10 15:10:32.502185265 +0200 ++++ openssl-3.0.1/providers/fips/self_test_kats.c 2022-05-10 15:13:21.465653720 +0200 +@@ -17,6 +17,8 @@ + #include "self_test.h" + #include "self_test_data.inc" + ++int REDHAT_FIPS_signature_st = 0; ++ + static int self_test_digest(const ST_KAT_DIGEST *t, OSSL_SELF_TEST *st, + OSSL_LIB_CTX *libctx) + { +@@ -446,6 +448,7 @@ static int self_test_sign(const ST_KAT_S + EVP_PKEY *pkey = NULL; + unsigned char sig[256]; + BN_CTX *bnctx = NULL; ++ BIGNUM *K = NULL; + size_t siglen = sizeof(sig); + static const unsigned char dgst[] = { + 0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81, +@@ -462,6 +465,9 @@ static int self_test_sign(const ST_KAT_S + bnctx = BN_CTX_new_ex(libctx); + if (bnctx == NULL) + goto err; ++ K = BN_CTX_get(bnctx); ++ if 
(K == NULL || BN_bin2bn(dgst, sizeof(dgst), K) == NULL) ++ goto err; + + bld = OSSL_PARAM_BLD_new(); + if (bld == NULL) +@@ -469,6 +475,9 @@ static int self_test_sign(const ST_KAT_S + + if (!add_params(bld, t->key, bnctx)) + goto err; ++ /* set K for ECDSA KAT tests */ ++ if (!OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_REDHAT_SIGN_KAT_K, K)) ++ goto err; + params = OSSL_PARAM_BLD_to_param(bld); + + /* Create a EVP_PKEY_CTX to load the DSA key into */ +@@ -689,11 +698,13 @@ static int self_test_kas(OSSL_SELF_TEST + static int self_test_signatures(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx) + { + int i, ret = 1; ++ REDHAT_FIPS_signature_st = 1; + + for (i = 0; i < (int)OSSL_NELEM(st_kat_sign_tests); ++i) { + if (!self_test_sign(&st_kat_sign_tests[i], st, libctx)) + ret = 0; + } ++ REDHAT_FIPS_signature_st = 0; + return ret; + } + +diff -up openssl-3.0.1/providers/fips/self_test_data.inc.kat openssl-3.0.1/providers/fips/self_test_data.inc +--- openssl-3.0.1/providers/fips/self_test_data.inc.kat 2022-05-16 17:37:34.962807400 +0200 ++++ openssl-3.0.1/providers/fips/self_test_data.inc 2022-05-16 17:48:10.709376779 +0200 +@@ -1399,7 +1399,151 @@ static const ST_KAT_PARAM ecdsa_prime_ke + ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_PRIV_KEY, ecd_prime_priv), + ST_KAT_PARAM_END() + }; ++static const unsigned char ec224r1_kat_sig[] = { ++0x30, 0x3c, 0x02, 0x1c, 0x2f, 0x24, 0x30, 0x96, 0x3b, 0x39, 0xe0, 0xab, 0xe2, 0x5a, 0x6f, 0xe0, ++0x40, 0x7e, 0x19, 0x30, 0x6e, 0x6a, 0xfd, 0x7a, 0x2b, 0x5d, 0xaa, 0xc2, 0x34, 0x6c, 0xc8, 0xce, ++0x02, 0x1c, 0x47, 0xe1, 0xac, 0xfd, 0xb4, 0xb8, 0x2b, 0x8c, 0x49, 0xb6, 0x36, 0xcd, 0xdd, 0x22, ++0x2a, 0x2d, 0x29, 0x64, 0x70, 0x61, 0xc3, 0x3e, 0x18, 0x51, 0xec, 0xf2, 0xad, 0x3c ++}; + ++static const char ecd_prime_curve_name384[] = "secp384r1"; ++/* ++priv: ++ 58:12:2b:94:be:29:23:13:83:f5:c4:20:e8:22:34: ++ 54:73:49:91:10:05:e9:10:e9:d7:2d:72:9c:5e:6a: ++ ba:8f:6d:d6:e4:a7:eb:e0:ae:e3:d4:c9:aa:33:87: ++ 4c:91:87 ++pub: ++ 
04:d1:86:8b:f5:c4:a2:f7:a5:92:e6:85:2a:d2:92: ++ 81:97:0a:8d:fa:09:3f:84:6c:17:43:03:43:49:23: ++ 77:c4:31:f4:0a:a4:de:87:ac:5c:c0:d1:bc:e4:43: ++ 7f:8d:44:e1:3b:5f:bc:27:c8:79:0f:d0:31:9f:a7: ++ 6d:de:fb:f7:da:19:40:fd:aa:83:dc:69:ce:a6:f3: ++ 4d:65:20:1c:66:82:80:03:f7:7b:2e:f3:b3:7c:1f: ++ 11:f2:a3:bf:e8:0e:88 ++*/ ++static const unsigned char ecd_prime_priv384[] = { ++ 0x58, 0x12, 0x2b, 0x94, 0xbe, 0x29, 0x23, 0x13, 0x83, 0xf5, 0xc4, 0x20, 0xe8, 0x22, 0x34, ++ 0x54, 0x73, 0x49, 0x91, 0x10, 0x05, 0xe9, 0x10, 0xe9, 0xd7, 0x2d, 0x72, 0x9c, 0x5e, 0x6a, ++ 0xba, 0x8f, 0x6d, 0xd6, 0xe4, 0xa7, 0xeb, 0xe0, 0xae, 0xe3, 0xd4, 0xc9, 0xaa, 0x33, 0x87, ++ 0x4c, 0x91, 0x87 ++}; ++static const unsigned char ecd_prime_pub384[] = { ++ 0x04, 0xd1, 0x86, 0x8b, 0xf5, 0xc4, 0xa2, 0xf7, 0xa5, 0x92, 0xe6, 0x85, 0x2a, 0xd2, 0x92, ++ 0x81, 0x97, 0x0a, 0x8d, 0xfa, 0x09, 0x3f, 0x84, 0x6c, 0x17, 0x43, 0x03, 0x43, 0x49, 0x23, ++ 0x77, 0xc4, 0x31, 0xf4, 0x0a, 0xa4, 0xde, 0x87, 0xac, 0x5c, 0xc0, 0xd1, 0xbc, 0xe4, 0x43, ++ 0x7f, 0x8d, 0x44, 0xe1, 0x3b, 0x5f, 0xbc, 0x27, 0xc8, 0x79, 0x0f, 0xd0, 0x31, 0x9f, 0xa7, ++ 0x6d, 0xde, 0xfb, 0xf7, 0xda, 0x19, 0x40, 0xfd, 0xaa, 0x83, 0xdc, 0x69, 0xce, 0xa6, 0xf3, ++ 0x4d, 0x65, 0x20, 0x1c, 0x66, 0x82, 0x80, 0x03, 0xf7, 0x7b, 0x2e, 0xf3, 0xb3, 0x7c, 0x1f, ++ 0x11, 0xf2, 0xa3, 0xbf, 0xe8, 0x0e, 0x88 ++}; ++static const ST_KAT_PARAM ecdsa_prime_key384[] = { ++ ST_KAT_PARAM_UTF8STRING(OSSL_PKEY_PARAM_GROUP_NAME, ecd_prime_curve_name384), ++ ST_KAT_PARAM_OCTET(OSSL_PKEY_PARAM_PUB_KEY, ecd_prime_pub384), ++ ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_PRIV_KEY, ecd_prime_priv384), ++ ST_KAT_PARAM_END() ++}; ++static const unsigned char ec384r1_kat_sig[] = { ++0x30, 0x65, 0x02, 0x30, 0x1a, 0xd5, 0x57, 0x1b, 0x28, 0x0f, 0xf1, 0x68, 0x66, 0x68, 0x8a, 0x98, ++0xe3, 0x9c, 0xce, 0x7f, 0xa7, 0x68, 0xdc, 0x84, 0x5a, 0x65, 0xdc, 0x2b, 0x5d, 0x7e, 0xf3, 0x9b, ++0xa0, 0x40, 0xe8, 0x7a, 0x02, 0xc7, 0x82, 0xe0, 0x0c, 0x81, 0xa5, 0xda, 0x55, 0x27, 0xbf, 0x79, ++0xee, 0x72, 0xc2, 
0x14, 0x02, 0x31, 0x00, 0xd1, 0x9d, 0x67, 0xda, 0x5a, 0xd2, 0x58, 0x68, 0xe7, ++0x71, 0x08, 0xb2, 0xa4, 0xe4, 0xe8, 0x74, 0xb4, 0x0a, 0x3d, 0x76, 0x49, 0x31, 0x17, 0x6e, 0x33, ++0x16, 0xf0, 0x00, 0x1f, 0x3c, 0x1f, 0xf9, 0x7c, 0xdb, 0x93, 0x49, 0x9c, 0x7d, 0xb3, 0xd3, 0x30, ++0x98, 0x81, 0x6f, 0xb0, 0xc9, 0x30, 0x2f ++}; ++static const char ecd_prime_curve_name521[] = "secp521r1"; ++/* ++priv: ++ 00:44:0f:96:31:a9:87:f2:5f:be:a0:bc:ef:0c:ae: ++ 58:cc:5f:f8:44:9e:89:86:7e:bf:db:ce:cb:0e:20: ++ 10:4a:11:ec:0b:51:1d:e4:91:ca:c6:40:fb:c6:69: ++ ad:68:33:9e:c8:f5:c4:c6:a5:93:a8:4d:a9:a9:a2: ++ af:fe:6d:cb:c2:3b ++pub: ++ 04:01:5f:58:a9:40:0c:ee:9b:ed:4a:f4:7a:3c:a3: ++ 89:c2:f3:7e:2c:f4:b5:53:80:ae:33:7d:36:d1:b5: ++ 18:bd:ef:a9:48:00:ea:88:ee:00:5c:ca:07:08:b5: ++ 67:4a:c3:2b:10:c6:07:b0:c2:45:37:b7:1d:e3:6c: ++ e1:bf:2c:44:18:4a:aa:01:af:75:40:6a:e3:f5:b2: ++ 7f:d1:9d:1b:8b:29:1f:91:4d:db:93:bf:bd:8c:b7: ++ 6a:8d:4b:2c:36:2a:6b:ab:54:9d:7b:31:99:a4:de: ++ c9:10:c4:f4:a3:f4:6d:94:97:62:16:a5:34:65:1f: ++ 42:cd:8b:9e:e6:db:14:5d:a9:8d:19:95:8d ++*/ ++static const unsigned char ecd_prime_priv521[] = { ++ 0x00, 0x44, 0x0f, 0x96, 0x31, 0xa9, 0x87, 0xf2, 0x5f, 0xbe, 0xa0, 0xbc, 0xef, 0x0c, 0xae, ++ 0x58, 0xcc, 0x5f, 0xf8, 0x44, 0x9e, 0x89, 0x86, 0x7e, 0xbf, 0xdb, 0xce, 0xcb, 0x0e, 0x20, ++ 0x10, 0x4a, 0x11, 0xec, 0x0b, 0x51, 0x1d, 0xe4, 0x91, 0xca, 0xc6, 0x40, 0xfb, 0xc6, 0x69, ++ 0xad, 0x68, 0x33, 0x9e, 0xc8, 0xf5, 0xc4, 0xc6, 0xa5, 0x93, 0xa8, 0x4d, 0xa9, 0xa9, 0xa2, ++ 0xaf, 0xfe, 0x6d, 0xcb, 0xc2, 0x3b ++}; ++static const unsigned char ecd_prime_pub521[] = { ++ 0x04, 0x01, 0x5f, 0x58, 0xa9, 0x40, 0x0c, 0xee, 0x9b, 0xed, 0x4a, 0xf4, 0x7a, 0x3c, 0xa3, ++ 0x89, 0xc2, 0xf3, 0x7e, 0x2c, 0xf4, 0xb5, 0x53, 0x80, 0xae, 0x33, 0x7d, 0x36, 0xd1, 0xb5, ++ 0x18, 0xbd, 0xef, 0xa9, 0x48, 0x00, 0xea, 0x88, 0xee, 0x00, 0x5c, 0xca, 0x07, 0x08, 0xb5, ++ 0x67, 0x4a, 0xc3, 0x2b, 0x10, 0xc6, 0x07, 0xb0, 0xc2, 0x45, 0x37, 0xb7, 0x1d, 0xe3, 0x6c, ++ 0xe1, 0xbf, 0x2c, 0x44, 0x18, 0x4a, 0xaa, 
0x01, 0xaf, 0x75, 0x40, 0x6a, 0xe3, 0xf5, 0xb2, ++ 0x7f, 0xd1, 0x9d, 0x1b, 0x8b, 0x29, 0x1f, 0x91, 0x4d, 0xdb, 0x93, 0xbf, 0xbd, 0x8c, 0xb7, ++ 0x6a, 0x8d, 0x4b, 0x2c, 0x36, 0x2a, 0x6b, 0xab, 0x54, 0x9d, 0x7b, 0x31, 0x99, 0xa4, 0xde, ++ 0xc9, 0x10, 0xc4, 0xf4, 0xa3, 0xf4, 0x6d, 0x94, 0x97, 0x62, 0x16, 0xa5, 0x34, 0x65, 0x1f, ++ 0x42, 0xcd, 0x8b, 0x9e, 0xe6, 0xdb, 0x14, 0x5d, 0xa9, 0x8d, 0x19, 0x95, 0x8d ++}; ++static const ST_KAT_PARAM ecdsa_prime_key521[] = { ++ ST_KAT_PARAM_UTF8STRING(OSSL_PKEY_PARAM_GROUP_NAME, ecd_prime_curve_name521), ++ ST_KAT_PARAM_OCTET(OSSL_PKEY_PARAM_PUB_KEY, ecd_prime_pub521), ++ ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_PRIV_KEY, ecd_prime_priv521), ++ ST_KAT_PARAM_END() ++}; ++static const unsigned char ec521r1_kat_sig[] = { ++0x30, 0x81, 0x88, 0x02, 0x42, 0x00, 0xdf, 0x64, 0x9c, 0xc8, 0x5b, 0xdd, 0x0b, 0x7f, 0x69, 0x7e, ++0xdb, 0x83, 0x58, 0x67, 0x63, 0x43, 0xb7, 0xfa, 0x40, 0x29, 0xde, 0xb9, 0xde, 0xe9, 0x96, 0x65, ++0xe6, 0x8e, 0xf4, 0xeb, 0xd0, 0xe9, 0x6a, 0xd3, 0x27, 0x6c, 0x4d, 0x60, 0x47, 0x9c, 0x62, 0xb8, ++0x6c, 0xc1, 0x36, 0x19, 0x65, 0xff, 0xab, 0xcf, 0x24, 0xa3, 0xde, 0xd1, 0x4b, 0x1b, 0xdd, 0x89, ++0xcf, 0xf8, 0x72, 0x7b, 0x92, 0xbc, 0x02, 0x02, 0x42, 0x01, 0xf8, 0x07, 0x77, 0xb8, 0xcb, 0xa2, ++0xe2, 0x1f, 0x53, 0x9a, 0x7c, 0x16, 0xb5, 0x8e, 0xad, 0xe3, 0xc3, 0xac, 0xb7, 0xb2, 0x51, 0x8f, ++0xf9, 0x09, 0x65, 0x43, 0xf8, 0xd8, 0x3c, 0xe3, 0x5c, 0x4a, 0x5e, 0x3d, 0x6f, 0xb7, 0xbb, 0x5a, ++0x92, 0x69, 0xec, 0x71, 0xa2, 0x35, 0xe5, 0x29, 0x17, 0xaf, 0xc9, 0x69, 0xa7, 0xaa, 0x94, 0xf9, ++0xf9, 0x50, 0x87, 0x7b, 0x5d, 0x87, 0xe3, 0xd6, 0x3f, 0xb6, 0x6e ++}; ++static const char ecd_prime_curve_name256[] = "prime256v1"; ++/* ++priv: ++ 84:88:11:3f:a9:c9:9e:23:72:8b:40:cb:a2:b1:88: ++ 01:1e:92:48:af:13:2d:9b:33:8e:6d:43:40:30:c7: ++ 30:fa ++pub: ++ 04:22:58:b6:f9:01:3b:8c:a6:9b:9f:ae:75:fc:73: ++ cf:1b:f0:81:dc:55:a3:cc:5d:81:46:85:06:32:34: ++ 99:0d:c5:7e:a1:95:bb:21:73:33:40:4b:35:17:f6: ++ 8e:26:61:46:94:2c:4c:ac:9b:20:f8:08:72:25:74: 
++ 98:66:c4:63:a6 ++*/ ++static const unsigned char ecd_prime_priv256[] = { ++ 0x84, 0x88, 0x11, 0x3f, 0xa9, 0xc9, 0x9e, 0x23, 0x72, 0x8b, 0x40, 0xcb, 0xa2, 0xb1, 0x88, ++ 0x01, 0x1e, 0x92, 0x48, 0xaf, 0x13, 0x2d, 0x9b, 0x33, 0x8e, 0x6d, 0x43, 0x40, 0x30, 0xc7, ++ 0x30, 0xfa ++}; ++static const unsigned char ecd_prime_pub256[] = { ++ 0x04, 0x22, 0x58, 0xb6, 0xf9, 0x01, 0x3b, 0x8c, 0xa6, 0x9b, 0x9f, 0xae, 0x75, 0xfc, 0x73, ++ 0xcf, 0x1b, 0xf0, 0x81, 0xdc, 0x55, 0xa3, 0xcc, 0x5d, 0x81, 0x46, 0x85, 0x06, 0x32, 0x34, ++ 0x99, 0x0d, 0xc5, 0x7e, 0xa1, 0x95, 0xbb, 0x21, 0x73, 0x33, 0x40, 0x4b, 0x35, 0x17, 0xf6, ++ 0x8e, 0x26, 0x61, 0x46, 0x94, 0x2c, 0x4c, 0xac, 0x9b, 0x20, 0xf8, 0x08, 0x72, 0x25, 0x74, ++ 0x98, 0x66, 0xc4, 0x63, 0xa6 ++}; ++static const ST_KAT_PARAM ecdsa_prime_key256[] = { ++ ST_KAT_PARAM_UTF8STRING(OSSL_PKEY_PARAM_GROUP_NAME, ecd_prime_curve_name256), ++ ST_KAT_PARAM_OCTET(OSSL_PKEY_PARAM_PUB_KEY, ecd_prime_pub256), ++ ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_PRIV_KEY, ecd_prime_priv256), ++ ST_KAT_PARAM_END() ++}; ++static const unsigned char ec256v1_kat_sig[] = { ++0x30, 0x46, 0x02, 0x21, 0x00, 0xc9, 0x11, 0x27, 0x06, 0x51, 0x2b, 0x50, 0x8c, 0x6b, 0xc0, 0xa6, ++0x85, 0xaa, 0xf4, 0x66, 0x0d, 0xe4, 0x54, 0x0a, 0x10, 0xb6, 0x9f, 0x87, 0xfc, 0xa2, 0xbc, 0x8f, ++0x3c, 0x58, 0xb4, 0xe9, 0x41, 0x02, 0x21, 0x00, 0xc9, 0x72, 0x94, 0xa9, 0xdd, 0x52, 0xca, 0x21, ++0x82, 0x66, 0x7a, 0x68, 0xcb, 0x1e, 0x3b, 0x12, 0x71, 0x4d, 0x56, 0xb5, 0xb7, 0xdd, 0xca, 0x2b, ++0x18, 0xa3, 0xa7, 0x08, 0x0d, 0xfa, 0x9c, 0x66 ++}; + # ifndef OPENSSL_NO_EC2M + static const char ecd_bin_curve_name[] = "sect233r1"; + static const unsigned char ecd_bin_priv[] = { +@@ -1571,8 +1715,42 @@ static const ST_KAT_SIGN st_kat_sign_tes + ecdsa_prime_key, + /* + * The ECDSA signature changes each time due to it using a random k. +- * So there is no expected KAT for this case. 
++ * We provide this value in our build ++ */ ++ ITM(ec224r1_kat_sig) ++ }, ++ { ++ OSSL_SELF_TEST_DESC_SIGN_ECDSA, ++ "EC", ++ "SHA-256", ++ ecdsa_prime_key384, ++ /* ++ * The ECDSA signature changes each time due to it using a random k. ++ * We provide this value in our build ++ */ ++ ITM(ec384r1_kat_sig) ++ }, ++ { ++ OSSL_SELF_TEST_DESC_SIGN_ECDSA, ++ "EC", ++ "SHA-256", ++ ecdsa_prime_key521, ++ /* ++ * The ECDSA signature changes each time due to it using a random k. ++ * We provide this value in our build ++ */ ++ ITM(ec521r1_kat_sig) ++ }, ++ { ++ OSSL_SELF_TEST_DESC_SIGN_ECDSA, ++ "EC", ++ "SHA-256", ++ ecdsa_prime_key256, ++ /* ++ * The ECDSA signature changes each time due to it using a random k. ++ * We provide this value in our build + */ ++ ITM(ec256v1_kat_sig) + }, + # ifndef OPENSSL_NO_EC2M + { +diff -up openssl-3.0.1/crypto/ec/ecp_s390x_nistp.c.fipskat openssl-3.0.1/crypto/ec/ecp_s390x_nistp.c +--- openssl-3.0.1/crypto/ec/ecp_s390x_nistp.c.fipskat 2022-05-30 14:48:53.180999124 +0200 ++++ openssl-3.0.1/crypto/ec/ecp_s390x_nistp.c 2022-05-30 14:58:52.841286228 +0200 +@@ -44,6 +44,10 @@ + #define S390X_OFF_RN(n) (4 * n) + #define S390X_OFF_Y(n) (4 * n) + ++#ifdef FIPS_MODULE ++extern int REDHAT_FIPS_signature_st; ++#endif ++ + static int ec_GFp_s390x_nistp_mul(const EC_GROUP *group, EC_POINT *r, + const BIGNUM *scalar, + size_t num, const EC_POINT *points[], +@@ -183,11 +187,21 @@ static ECDSA_SIG *ecdsa_s390x_nistp_sign + * because kdsa instruction constructs an in-range, invertible nonce + * internally implementing counter-measures for RNG weakness. + */ ++#ifdef FIPS_MODULE ++ if (REDHAT_FIPS_signature_st && eckey->sign_kat_k != NULL) { ++ BN_bn2binpad(eckey->sign_kat_k, param + S390X_OFF_RN(len), len); ++ /* Turns KDSA internal nonce-generation off. 
*/ ++ fc |= S390X_KDSA_D; ++ } else { ++#endif + if (RAND_priv_bytes_ex(eckey->libctx, param + S390X_OFF_RN(len), + (size_t)len, 0) != 1) { + ERR_raise(ERR_LIB_EC, EC_R_RANDOM_NUMBER_GENERATION_FAILED); + goto ret; + } ++#ifdef FIPS_MODULE ++ } ++#endif + } else { + /* Reconstruct k = (k^-1)^-1. */ + if (ossl_ec_group_do_inverse_ord(group, k, kinv, NULL) == 0 diff --git a/SOURCES/0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch b/SOURCES/0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch new file mode 100644 index 0000000..9991c5c --- /dev/null +++ b/SOURCES/0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch 
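Review bot: In the ec_backend.c hunk of this patch, `sign_kat_k` is allocated with `BN_secure_new()` and only stored into `ec->sign_kat_k` on success, so when `OSSL_PARAM_get_BN` fails the `goto err` leaks the secure BIGNUM (the err block lies outside the shown context and the patch does not add a free there), and a key that already carried a `sign_kat_k` has its previous value overwritten without being freed. I would write `BN_clear_free(ec->sign_kat_k); ec->sign_kat_k = sign_kat_k; sign_kat_k = NULL;` and add `BN_clear_free(sign_kat_k);` under `err:` inside the same `#ifdef FIPS_MODULE`. The ecdsa_ossl.c hunk of the same patch does not check `BN_copy(k, eckey->sign_kat_k)`, which returns NULL on failure; `if (BN_copy(k, eckey->sign_kat_k) == NULL) goto err;` keeps the function's existing error path. Since `OSSL_PKEY_PARAM_REDHAT_SIGN_KAT_K` is appended to the generic EC import/export parameter list, any key import can attach a fixed nonce and only the process-wide `REDHAT_FIPS_signature_st` toggle keeps it out of regular signing, so a comment on the `sign_kat_k` field and on the flag stating that the fixed k is for `self_test_signatures` only and that the flag is not thread- or key-scoped would document the invariant this design relies on.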
@@ -0,0 +1,570 @@ +From 5f4f350ce797a7cd2fdca84c474ee196da9d6fae Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Wed, 18 May 2022 17:25:59 +0200 +Subject: [PATCH] Deny SHA-1 signature verification in FIPS provider + +For RHEL, we already disable SHA-1 signatures by default in the default +provider, so it is unexpected that the FIPS provider would have a more +lenient configuration in this regard. Additionally, we do not think +continuing to accept SHA-1 signatures is a good idea due to the +published chosen-prefix collision attacks. + +As a consequence, disable verification of SHA-1 signatures in the FIPS +provider. + +This requires adjusting a few tests that would otherwise fail: +- 30-test_acvp: Remove the test vectors that use SHA-1. +- 30-test_evp: Mark tests in evppkey_rsa_common.txt and + evppkey_ecdsa.txt that use SHA-1 digests as "Availablein = default", + which will not run them when the FIPS provider is enabled. +- 80-test_cms: Re-create all certificates in test/smime-certificates + with SHA256 signatures while keeping the same private keys. These + certificates were signed with SHA-1 and thus fail verification in the + FIPS provider. + Fix some other tests by explicitly running them in the default + provider, where SHA-1 is available. +- 80-test_ssl_old: Skip tests that rely on SSLv3 and SHA-1 when run with + the FIPS provider. 
+ +Signed-off-by: Clemens Lang +--- + providers/implementations/signature/dsa_sig.c | 4 -- + .../implementations/signature/ecdsa_sig.c | 4 -- + providers/implementations/signature/rsa_sig.c | 8 +-- + test/acvp_test.inc | 20 ------- + .../30-test_evp_data/evppkey_ecdsa.txt | 7 +++ + .../30-test_evp_data/evppkey_rsa_common.txt | 51 +++++++++++++++- + test/recipes/80-test_cms.t | 4 +- + test/recipes/80-test_ssl_old.t | 4 ++ + test/smime-certs/smdh.pem | 18 +++--- + test/smime-certs/smdsa1.pem | 60 +++++++++---------- + test/smime-certs/smdsa2.pem | 60 +++++++++---------- + test/smime-certs/smdsa3.pem | 60 +++++++++---------- + test/smime-certs/smec1.pem | 30 +++++----- + test/smime-certs/smec2.pem | 30 +++++----- + test/smime-certs/smec3.pem | 30 +++++----- + test/smime-certs/smroot.pem | 38 ++++++------ + test/smime-certs/smrsa1.pem | 38 ++++++------ + test/smime-certs/smrsa2.pem | 38 ++++++------ + test/smime-certs/smrsa3.pem | 38 ++++++------ + 19 files changed, 286 insertions(+), 256 deletions(-) + +diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c +index fa3822f39f..c365d7b13a 100644 +--- a/providers/implementations/signature/dsa_sig.c ++++ b/providers/implementations/signature/dsa_sig.c +@@ -128,11 +128,7 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx, + EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); + int md_nid; + size_t mdname_len = strlen(mdname); +-#ifdef FIPS_MODULE +- int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); +-#else + int sha1_allowed = 0; +-#endif + md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md, + sha1_allowed); + +diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c +index 99b228e82c..44a22832ec 100644 +--- a/providers/implementations/signature/ecdsa_sig.c ++++ b/providers/implementations/signature/ecdsa_sig.c +@@ -237,11 +237,7 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname, + 
"%s could not be fetched", mdname); + return 0; + } +-#ifdef FIPS_MODULE +- sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); +-#else + sha1_allowed = 0; +-#endif + md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md, + sha1_allowed); + if (md_nid < 0) { +diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c +index f66d7705c3..34f45175e8 100644 +--- a/providers/implementations/signature/rsa_sig.c ++++ b/providers/implementations/signature/rsa_sig.c +@@ -292,11 +292,7 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname, + EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); + int md_nid; + size_t mdname_len = strlen(mdname); +-#ifdef FIPS_MODULE +- int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); +-#else + int sha1_allowed = 0; +-#endif + md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md, + sha1_allowed); + +@@ -1355,8 +1351,10 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) + + if (prsactx->md == NULL && pmdname == NULL + && pad_mode == RSA_PKCS1_PSS_PADDING) { ++#ifdef FIPS_MODULE ++ pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY; ++#else + pmdname = RSA_DEFAULT_DIGEST_NAME; +-#ifndef FIPS_MODULE + if (!ossl_ctx_legacy_digest_signatures_allowed(prsactx->libctx, 0)) { + pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY; + } +diff --git a/test/acvp_test.inc b/test/acvp_test.inc +index ad11d3ae1e..73b24bdb0c 100644 +--- a/test/acvp_test.inc ++++ b/test/acvp_test.inc +@@ -1841,17 +1841,6 @@ static const struct rsa_sigver_st rsa_sigver_data[] = { + NO_PSS_SALT_LEN, + FAIL + }, +- { +- "x931", +- 3072, +- "SHA1", +- ITM(rsa_sigverx931_0_msg), +- ITM(rsa_sigverx931_0_n), +- ITM(rsa_sigverx931_0_e), +- ITM(rsa_sigverx931_0_sig), +- NO_PSS_SALT_LEN, +- PASS +- }, + { + "x931", + 3072, +diff --git a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt +index f36982845d..51e507a61c 100644 +--- 
a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt ++++ b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt +@@ -37,12 +37,14 @@ PrivPubKeyPair = P-256:P-256-PUBLIC + + Title = ECDSA tests + ++Availablein = default + Verify = P-256 + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF1234" + Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8 + + # Digest too long ++Availablein = default + Verify = P-256 + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF12345" +@@ -50,6 +52,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e + Result = VERIFY_ERROR + + # Digest too short ++Availablein = default + Verify = P-256 + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF123" +@@ -57,6 +60,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e + Result = VERIFY_ERROR + + # Digest invalid ++Availablein = default + Verify = P-256 + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF1235" +@@ -64,6 +68,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e + Result = VERIFY_ERROR + + # Invalid signature ++Availablein = default + Verify = P-256 + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF1234" +@@ -79,12 +84,14 @@ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e + Result = VERIFY_ERROR + + # BER signature ++Availablein = default + Verify = P-256 + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF1234" + Output = 3080022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec80000 + Result = VERIFY_ERROR + ++Availablein = default + Verify = P-256-PUBLIC + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF1234" +diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt +index b8d8bb2993..8dd566067b 100644 +--- 
a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt ++++ b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt +@@ -96,6 +96,7 @@ NDL6WCBbets= + + Title = RSA tests + ++Availablein = default + Verify = RSA-2048 + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF1234" +@@ -112,24 +113,28 @@ Ctrl = digest:SHA512-224 + Input = "0123456789ABCDEF123456789ABC" + Output = 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 + ++Availablein = default + VerifyRecover = RSA-2048 + Ctrl = digest:SHA1 + Input = 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 + Output = "0123456789ABCDEF1234" + + # Leading zero in the signature ++Availablein = default + Verify = RSA-2048 + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF1234" + Output = 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 + Result = VERIFY_ERROR + ++Availablein = default + VerifyRecover = RSA-2048 + Ctrl = digest:SHA1 + Input = 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 + Result = KEYOP_ERROR + + # Mismatched digest ++Availablein = default + Verify = RSA-2048 + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF1233" +@@ -137,6 +142,7 @@ Output = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2 + Result = VERIFY_ERROR + + # Corrupted signature ++Availablein = default + Verify = RSA-2048 + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF1233" +@@ -144,6 +150,7 @@ Output = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2 + Result = VERIFY_ERROR + + # parameter is not NULLt ++Availablein = default + Verify = RSA-2048 + Ctrl = digest:sha1 + Input = "0123456789ABCDEF1234" +@@ -151,42 +158,49 @@ Output = 3ec3fc29eb6e122bd7aa361cd09fe1bcbe85311096a7b9e4799cedfb2351ce0ab7fe4e7 + Result = VERIFY_ERROR + + # embedded digest too long ++Availablein = default + Verify = RSA-2048 + Ctrl = digest:sha1 + Input = "0123456789ABCDEF1234" + Output = 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 + Result = VERIFY_ERROR + ++Availablein = default + VerifyRecover = 
RSA-2048 + Ctrl = digest:sha1 + Input = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d + Result = KEYOP_ERROR + + # embedded digest too short ++Availablein = default + Verify = RSA-2048 + Ctrl = digest:sha1 + Input = "0123456789ABCDEF1234" + Output = 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 + Result = VERIFY_ERROR + ++Availablein = default + VerifyRecover = RSA-2048 + Ctrl = digest:sha1 + Input = 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 + Result = KEYOP_ERROR + + # Garbage after DigestInfo ++Availablein = default + Verify = RSA-2048 + Ctrl = digest:sha1 + Input = "0123456789ABCDEF1234" + Output = 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 + Result = VERIFY_ERROR + ++Availablein = default + VerifyRecover = RSA-2048 + Ctrl = digest:sha1 + Input = 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 + Result = KEYOP_ERROR + + # invalid tag for parameter ++Availablein = default + Verify = RSA-2048 + Ctrl = digest:sha1 + Input = "0123456789ABCDEF1234" +@@ -195,6 +209,7 @@ Result = VERIFY_ERROR + + # Verify using public key + ++Availablein = default + Verify = RSA-2048-PUBLIC + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF1234" +@@ -370,6 +385,8 @@ Input="0123456789ABCDEF0123456789ABCDEF" + Output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erify using salt length auto detect ++# In the FIPS provider on RHEL-9, the default digest for PSS signatures is SHA-256 ++Availablein = default + Verify = RSA-2048-PUBLIC + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_pss_saltlen:auto 
+@@ -404,6 +421,10 @@ Output=4DE433D5844043EF08D354DA03CB29068780D52706D7D1E4D50EFB7D58C9D547D83A747DD + Result = VERIFY_ERROR + + # Verify using default parameters, explicitly setting parameters ++# NOTE: RSA-PSS-DEFAULT contains a restriction to use SHA1 as digest, which ++# RHEL-9 does not support in FIPS mode; all these tests are thus marked ++# Availablein = default. ++Availablein = default + Verify = RSA-PSS-DEFAULT + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_pss_saltlen:20 +@@ -412,6 +433,7 @@ Input="0123456789ABCDEF0123" + Output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erify explicitly setting parameters "digest" salt length ++Availablein = default + Verify = RSA-PSS-DEFAULT + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_pss_saltlen:digest +@@ -420,18 +442,21 @@ Input="0123456789ABCDEF0123" + Output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erify using salt length larger than minimum ++Availablein = default + Verify = RSA-PSS-DEFAULT + Ctrl = rsa_pss_saltlen:30 + Input="0123456789ABCDEF0123" + Output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erify using maximum salt length ++Availablein = default + Verify = RSA-PSS-DEFAULT + Ctrl = rsa_pss_saltlen:max + Input="0123456789ABCDEF0123" + Output = 4470DCFE812DEE2E58E4301D4ED274AB348FE040B724B2CD1D8CD0914BFF375F0B86FCB32BFA8AEA9BD22BD7C4F1ADD4F3D215A5CFCC99055BAFECFC23800E9BECE19A08C66BEBC5802122D13A732E5958FC228DCC0B49B5B4B1154F032D8FA2F3564AA949C1310CC9266B0C47F86D449AC9D2E7678347E7266E2D7C888CCE1ADF44A109A293F8516AE2BD94CE220F26E137DB8E7A66BB9FCE052CDC1D0BE24D8CEBB20D10125F26B069F117044B9E1D16FDDAABCA5340AE1702F37D0E1C08A2E93801C0A41035C6C73DA02A0E32227EAFB0B85E79107B59650D0EE7DC32A6772CCCE90F06369B2880FE87ED76997BA61F5EA818091EE88F8B0D6F24D02A3FC6 + + # Attempt to change salt length below minimum ++Availablein = default + Verify = RSA-PSS-DEFAULT + Ctrl = rsa_pss_saltlen:0 + Result = PKEY_CTRL_ERROR +@@ -439,21 +464,25 @@ Result = PKEY_CTRL_ERROR + # Attempt to change padding mode + 
# Note this used to return PKEY_CTRL_INVALID + # but it is limited because setparams only returns 0 or 1. ++Availablein = default + Verify = RSA-PSS-DEFAULT + Ctrl = rsa_padding_mode:pkcs1 + Result = PKEY_CTRL_ERROR + + # Attempt to change digest ++Availablein = default + Verify = RSA-PSS-DEFAULT + Ctrl = digest:sha256 + Result = PKEY_CTRL_ERROR + + # Invalid key: rejected when we try to init ++Availablein = default + Verify = RSA-PSS-BAD + Result = KEYOP_INIT_ERROR + Reason = invalid salt length + + # Invalid key: rejected when we try to init ++Availablein = default + Verify = RSA-PSS-BAD2 + Result = KEYOP_INIT_ERROR + Reason = invalid salt length +@@ -472,36 +501,42 @@ CAltWyuLbfXWce9jd8CSHLI8Jwpw4lmOb/idGfEFrMLT8Ms18pKA4Thrb2TE7yLh + 4fINDOjP+yJJvZohNwIDAQAB + -----END PUBLIC KEY----- + ++Availablein = default + Verify=RSA-PSS-1 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=cd8b6538cb8e8de566b68bd067569dbf1ee2718e + Output=9074308fb598e9701b2294388e52f971faac2b60a5145af185df5287b5ed2887e57ce7fd44dc8634e407c8e0e4360bc226f3ec227f9d9e54638e8d31f5051215df6ebb9c2f9579aa77598a38f914b5b9c1bd83c4e2f9f382a0d0aa3542ffee65984a601bc69eb28deb27dca12c82c2d4c3f66cd500f1ff2b994d8a4e30cbb33c + ++Availablein = default + Verify=RSA-PSS-1 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=e35befc17a1d160b9ce35fbd8eb16e7ee491d3fd + Output=3ef7f46e831bf92b32274142a585ffcefbdca7b32ae90d10fb0f0c729984f04ef29a9df0780775ce43739b97838390db0a5505e63de927028d9d29b219ca2c4517832558a55d694a6d25b9dab66003c4cccd907802193be5170d26147d37b93590241be51c25055f47ef62752cfbe21418fafe98c22c4d4d47724fdb5669e843 + ++Availablein = default + Verify=RSA-PSS-1 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=0652ec67bcee30f9d2699122b91c19abdba89f91 + 
Output=666026fba71bd3e7cf13157cc2c51a8e4aa684af9778f91849f34335d141c00154c4197621f9624a675b5abc22ee7d5baaffaae1c9baca2cc373b3f33e78e6143c395a91aa7faca664eb733afd14d8827259d99a7550faca501ef2b04e33c23aa51f4b9e8282efdb728cc0ab09405a91607c6369961bc8270d2d4f39fce612b1 + ++Availablein = default + Verify=RSA-PSS-1 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=39c21c4cceda9c1adf839c744e1212a6437575ec + Output=4609793b23e9d09362dc21bb47da0b4f3a7622649a47d464019b9aeafe53359c178c91cd58ba6bcb78be0346a7bc637f4b873d4bab38ee661f199634c547a1ad8442e03da015b136e543f7ab07c0c13e4225b8de8cce25d4f6eb8400f81f7e1833b7ee6e334d370964ca79fdb872b4d75223b5eeb08101591fb532d155a6de87 + ++Availablein = default + Verify=RSA-PSS-1 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=36dae913b77bd17cae6e7b09453d24544cebb33c + Output=1d2aad221ca4d31ddf13509239019398e3d14b32dc34dc5af4aeaea3c095af73479cf0a45e5629635a53a018377615b16cb9b13b3e09d671eb71e387b8545c5960da5a64776e768e82b2c93583bf104c3fdb23512b7b4e89f633dd0063a530db4524b01c3f384c09310e315a79dcd3d684022a7f31c865a664e316978b759fad + ++Availablein = default + Verify=RSA-PSS-1 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 +@@ -517,36 +552,42 @@ swU7R97S7NSkyu/WFIM9yLtiLzF+0Ha4BX/o3j+ESArV6D5KYZBKTySPs5cCc1fh + 0w5GMTmBXG/U/VrFuBcqRSMOy2MYoE8UVdhOWosCAwEAAQ== + -----END PUBLIC KEY----- + ++Availablein = default + Verify=RSA-PSS-9 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=2715a49b8b0012cd7aee84c116446e6dfe3faec0 + Output=586107226c3ce013a7c8f04d1a6a2959bb4b8e205ba43a27b50f124111bc35ef589b039f5932187cb696d7d9a32c0c38300a5cdda4834b62d2eb240af33f79d13dfbf095bf599e0d9686948c1964747b67e89c9aba5cd85016236f566cc5802cb13ead51bc7ca6bef3b94dcbdbb1d570469771df0e00b1a8a06777472d2316279edae86474668d4e1efff95f1de61c6020da32ae92bbf16520fef3cf4d88f61121f24bbd9fe91b59caf1235b2a93ff81fc403addf4ebdea84934a9cdaf8e1a9e + ++Availablein = default + Verify=RSA-PSS-9 + Ctrl = rsa_padding_mode:pss + Ctrl = 
rsa_mgf1_md:sha1 + Input=2dac956d53964748ac364d06595827c6b4f143cd + Output=80b6d643255209f0a456763897ac9ed259d459b49c2887e5882ecb4434cfd66dd7e1699375381e51cd7f554f2c271704b399d42b4be2540a0eca61951f55267f7c2878c122842dadb28b01bd5f8c025f7e228418a673c03d6bc0c736d0a29546bd67f786d9d692ccea778d71d98c2063b7a71092187a4d35af108111d83e83eae46c46aa34277e06044589903788f1d5e7cee25fb485e92949118814d6f2c3ee361489016f327fb5bc517eb50470bffa1afa5f4ce9aa0ce5b8ee19bf5501b958 + ++Availablein = default + Verify=RSA-PSS-9 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=28d98c46cccafbd3bc04e72f967a54bd3ea12298 + Output=484408f3898cd5f53483f80819efbf2708c34d27a8b2a6fae8b322f9240237f981817aca1846f1084daa6d7c0795f6e5bf1af59c38e1858437ce1f7ec419b98c8736adf6dd9a00b1806d2bd3ad0a73775e05f52dfef3a59ab4b08143f0df05cd1ad9d04bececa6daa4a2129803e200cbc77787caf4c1d0663a6c5987b605952019782caf2ec1426d68fb94ed1d4be816a7ed081b77e6ab330b3ffc073820fecde3727fcbe295ee61a050a343658637c3fd659cfb63736de32d9f90d3c2f63eca + ++Availablein = default + Verify=RSA-PSS-9 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=0866d2ff5a79f25ef668cd6f31b42dee421e4c0e + Output=84ebeb481be59845b46468bafb471c0112e02b235d84b5d911cbd1926ee5074ae0424495cb20e82308b8ebb65f419a03fb40e72b78981d88aad143053685172c97b29c8b7bf0ae73b5b2263c403da0ed2f80ff7450af7828eb8b86f0028bd2a8b176a4d228cccea18394f238b09ff758cc00bc04301152355742f282b54e663a919e709d8da24ade5500a7b9aa50226e0ca52923e6c2d860ec50ff480fa57477e82b0565f4379f79c772d5c2da80af9fbf325ece6fc20b00961614bee89a183e + ++Availablein = default + Verify=RSA-PSS-9 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=6a5b4be4cd36cc97dfde9995efbf8f097a4a991a + 
Output=82102df8cb91e7179919a04d26d335d64fbc2f872c44833943241de8454810274cdf3db5f42d423db152af7135f701420e39b494a67cbfd19f9119da233a23da5c6439b5ba0d2bc373eee3507001378d4a4073856b7fe2aba0b5ee93b27f4afec7d4d120921c83f606765b02c19e4d6a1a3b95fa4c422951be4f52131077ef17179729cddfbdb56950dbaceefe78cb16640a099ea56d24389eef10f8fecb31ba3ea3b227c0a86698bb89e3e9363905bf22777b2a3aa521b65b4cef76d83bde4c + ++Availablein = default + Verify=RSA-PSS-9 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 +@@ -564,36 +605,42 @@ F7jfF3jbOB3OCctK0FilEQAac4GY7ifPVaE7dUU5kGWC7IsXS9WNXR89dnxhNyGu + BQIDAQAB + -----END PUBLIC KEY----- + ++Availablein = default + Verify=RSA-PSS-10 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=9596bb630cf6a8d4ea4600422b9eba8b13675dd4 + Output=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 + ++Availablein = default + Verify=RSA-PSS-10 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=b503319399277fd6c1c8f1033cbf04199ea21716 + Output=14ae35d9dd06ba92f7f3b897978aed7cd4bf5ff0b585a40bd46ce1b42cd2703053bb9044d64e813d8f96db2dd7007d10118f6f8f8496097ad75e1ff692341b2892ad55a633a1c55e7f0a0ad59a0e203a5b8278aec54dd8622e2831d87174f8caff43ee6c46445345d84a59659bfb92ecd4c818668695f34706f66828a89959637f2bf3e3251c24bdba4d4b7649da0022218b119c84e79a6527ec5b8a5f861c159952e23ec05e1e717346faefe8b1686825bd2b262fb2531066c0de09acde2e4231690728b5d85e115a2f6b92b79c25abc9bd9399ff8bcf825a52ea1f56ea76dd26f43baafa18bfa92a504cbd35699e26d1dcc5a2887385f3c63232f06f3244c3 + ++Availablein = default + Verify=RSA-PSS-10 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=50aaede8536b2c307208b275a67ae2df196c7628 + 
Output=6e3e4d7b6b15d2fb46013b8900aa5bbb3939cf2c095717987042026ee62c74c54cffd5d7d57efbbf950a0f5c574fa09d3fc1c9f513b05b4ff50dd8df7edfa20102854c35e592180119a70ce5b085182aa02d9ea2aa90d1df03f2daae885ba2f5d05afdac97476f06b93b5bc94a1a80aa9116c4d615f333b098892b25fface266f5db5a5a3bcc10a824ed55aad35b727834fb8c07da28fcf416a5d9b2224f1f8b442b36f91e456fdea2d7cfe3367268de0307a4c74e924159ed33393d5e0655531c77327b89821bdedf880161c78cd4196b5419f7acc3f13e5ebf161b6e7c6724716ca33b85c2e25640192ac2859651d50bde7eb976e51cec828b98b6563b86bb + ++Availablein = default + Verify=RSA-PSS-10 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=aa0b72b8b371ddd10c8ae474425ccccf8842a294 + Output=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 + ++Availablein = default + Verify=RSA-PSS-10 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=fad3902c9750622a2bc672622c48270cc57d3ea8 + Output=7e0935ea18f4d6c1d17ce82eb2b3836c55b384589ce19dfe743363ac9948d1f346b7bfddfe92efd78adb21faefc89ade42b10f374003fe122e67429a1cb8cbd1f8d9014564c44d120116f4990f1a6e38774c194bd1b8213286b077b0499d2e7b3f434ab12289c556684deed78131934bb3dd6537236f7c6f3dcb09d476be07721e37e1ceed9b2f7b406887bd53157305e1c8b4f84d733bc1e186fe06cc59b6edb8f4bd7ffefdf4f7ba9cfb9d570689b5a1a4109a746a690893db3799255a0cb9215d2d1cd490590e952e8c8786aa0011265252470c041dfbc3eec7c3cbf71c24869d115c0cb4a956f56d530b80ab589acfefc690751ddf36e8d383f83cedd2cc + ++Availablein = default + Verify=RSA-PSS-10 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 +@@ -1329,11 +1376,13 @@ Title = RSA FIPS tests + + # FIPS tests + +-# Verifying with SHA1 is permitted in fips mode for older applications ++# Verifying with SHA1 is not permitted on RHEL-9 in FIPS mode ++Availablein = fips + DigestVerify = SHA1 + Key = RSA-2048 + Input = "Hello " + Output = 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 ++Result = DIGESTVERIFYINIT_ERROR + + # Verifying with a 1024 bit key is permitted in fips mode for older applications + DigestVerify = SHA256 
+diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
+index 48a92f735d..34afe91b88 100644
+--- a/test/recipes/80-test_cms.t
++++ b/test/recipes/80-test_cms.t
+@@ -162,7 +162,7 @@ my @smime_pkcs7_tests = (
+ [ "{cmd1}", @defaultprov, "-sign", "-in", $smcont, "-md", "sha1",
+ "-certfile", $smroot,
+ "-signer", $smrsa1, "-out", "{output}.cms" ],
+- [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
++ [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms",
+ "-CAfile", $smroot, "-out", "{output}.txt" ],
+ \&final_compare
+ ],
+@@ -170,7 +170,7 @@ my @smime_pkcs7_tests = (
+ [ "signed zero-length content S/MIME format, RSA key SHA1",
+ [ "{cmd1}", @defaultprov, "-sign", "-in", $smcont_zero, "-md", "sha1",
+ "-certfile", $smroot, "-signer", $smrsa1, "-out", "{output}.cms" ],
+- [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
++ [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms",
+ "-CAfile", $smroot, "-out", "{output}.txt" ],
+ \&zero_compare
+ ],
+diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
+index 8c52b637fc..ff75c5b6ec 100644
+--- a/test/recipes/80-test_ssl_old.t
++++ b/test/recipes/80-test_ssl_old.t
+@@ -394,6 +394,9 @@ sub testssl {
+ 'test sslv2/sslv3 with 1024bit DHE via BIO pair');
+ }
+ 
++ SKIP: {
++ skip "SSLv3 is not supported by the FIPS provider", 4
++ if $provider eq "fips";
+ ok(run(test([@ssltest, "-bio_pair", "-server_auth", @CA])),
+ 'test sslv2/sslv3 with server authentication');
+ ok(run(test([@ssltest, "-bio_pair", "-client_auth", @CA])),
+@@ -402,6 +405,7 @@ sub testssl {
+ 'test sslv2/sslv3 with both client and server authentication via BIO pair');
+ ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", "-app_verify", @CA])),
+ 'test sslv2/sslv3 with both client and server authentication via BIO pair and app verify');
++ }
+ 
+ SKIP: {
+ skip "No IPv4 available on this machine", 4
diff --git a/SOURCES/0062-fips-Expose-a-FIPS-indicator.patch b/SOURCES/0062-fips-Expose-a-FIPS-indicator.patch
new file mode 100644
index 0000000..d2e9b0a
--- /dev/null
+++ b/SOURCES/0062-fips-Expose-a-FIPS-indicator.patch
@@ -0,0 +1,466 @@
+From e3d6fca1af033d00c47bcd8f9ba28fcf1aa476aa Mon Sep 17 00:00:00 2001
+From: Clemens Lang
+Date: Tue, 7 Jun 2022 12:02:49 +0200
+Subject: [PATCH] fips: Expose a FIPS indicator
+
+FIPS 140-3 requires us to indicate whether an operation was using
+approved services or not. The FIPS 140-3 implementation guidelines
+provide two basic approaches to doing this: implicit indicators, and
+explicit indicators.
+
+Implicit indicators are basically the concept of "if the operation
+passes, it was approved". We were originally aiming for implicit
+indicators in our copy of OpenSSL. However, this proved to be a problem,
+because we wanted to certify a signature service, and FIPS 140-3
+requires that a signature service computes the digest to be signed
+within the boundaries of the FIPS module. Since we were planning to
+certify fips.so only, this means that EVP_PKEY_sign/EVP_PKEY_verify
+would have to be blocked. Unfortunately, EVP_SignFinal uses
+EVP_PKEY_sign internally, but outside of fips.so and thus outside of the
+FIPS module boundary. This means that using implicit indicators in
+combination with certifying only fips.so would require us to block both
+EVP_PKEY_sign and EVP_SignFinal, which are the two APIs currently used
+by most users of OpenSSL for signatures.
+
+EVP_DigestSign would be acceptable, but has only been added in 3.0 and
+is thus not yet widely used.
+
+As a consequence, we've decided to introduce explicit indicators so that
+EVP_PKEY_sign and EVP_SignFinal can continue to work for now, but
+FIPS-aware applications can query the explicit indicator to check
+whether the operation was approved.
+
+To avoid affecting the ABI and public API too much, this is implemented
+as an exported symbol in fips.so and a private header, so applications
+that wish to use this will have to dlopen(3) fips.so, locate the
+function using dlsym(3), and then call it.
These applications will have +to build against the private header in order to use the returned +pointer. + +Modify util/mkdef.pl to support exposing a symbol only for a specific +provider identified by its name and path. + +Signed-off-by: Clemens Lang +--- + doc/build.info | 6 ++ + doc/man7/fips_module_indicators.pod | 154 ++++++++++++++++++++++++++++ + providers/fips/fipsprov.c | 71 +++++++++++++ + providers/fips/indicator.h | 66 ++++++++++++ + util/mkdef.pl | 25 ++++- + util/providers.num | 1 + + 6 files changed, 322 insertions(+), 1 deletion(-) + create mode 100644 doc/man7/fips_module_indicators.pod + create mode 100644 providers/fips/indicator.h + +diff --git a/doc/build.info b/doc/build.info +index b0aa4297a4..af235113bb 100644 +--- a/doc/build.info ++++ b/doc/build.info +@@ -4389,6 +4389,10 @@ DEPEND[html/man7/fips_module.html]=man7/fips_module.pod + GENERATE[html/man7/fips_module.html]=man7/fips_module.pod + DEPEND[man/man7/fips_module.7]=man7/fips_module.pod + GENERATE[man/man7/fips_module.7]=man7/fips_module.pod ++DEPEND[html/man7/fips_module_indicators.html]=man7/fips_module_indicators.pod ++GENERATE[html/man7/fips_module_indicators.html]=man7/fips_module_indicators.pod ++DEPEND[man/man7/fips_module_indicators.7]=man7/fips_module_indicators.pod ++GENERATE[man/man7/fips_module_indicators.7]=man7/fips_module_indicators.pod + DEPEND[html/man7/life_cycle-cipher.html]=man7/life_cycle-cipher.pod + GENERATE[html/man7/life_cycle-cipher.html]=man7/life_cycle-cipher.pod + DEPEND[man/man7/life_cycle-cipher.7]=man7/life_cycle-cipher.pod +@@ -4631,6 +4635,7 @@ html/man7/ct.html \ + html/man7/des_modes.html \ + html/man7/evp.html \ + html/man7/fips_module.html \ ++html/man7/fips_module_indicators.html \ + html/man7/life_cycle-cipher.html \ + html/man7/life_cycle-digest.html \ + html/man7/life_cycle-kdf.html \ +@@ -4754,6 +4759,7 @@ man/man7/ct.7 \ + man/man7/des_modes.7 \ + man/man7/evp.7 \ + man/man7/fips_module.7 \ ++man/man7/fips_module_indicators.7 \ + 
man/man7/life_cycle-cipher.7 \ + man/man7/life_cycle-digest.7 \ + man/man7/life_cycle-kdf.7 \ +diff --git a/doc/man7/fips_module_indicators.pod b/doc/man7/fips_module_indicators.pod +new file mode 100644 +index 0000000000..23db2b395c +--- /dev/null ++++ b/doc/man7/fips_module_indicators.pod +@@ -0,0 +1,154 @@ ++=pod ++ ++=head1 NAME ++ ++fips_module_indicators - Red Hat OpenSSL FIPS module indicators guide ++ ++=head1 DESCRIPTION ++ ++This guide documents how the Red Hat Enterprise Linux 9 OpenSSL FIPS provider ++implements Approved Security Service Indicators according to the FIPS 140-3 ++Implementation Guidelines, section 2.4.C. See ++L ++for the FIPS 140-3 Implementation Guidelines. ++ ++For all approved services except signatures, the Red Hat OpenSSL FIPS provider ++uses the return code as the indicator as understood by FIPS 140-3. That means ++that every operation that succeeds denotes use of an approved security service. ++Operations that do not succeed may not have been approved security services, or ++may have been used incorrectly. ++ ++For signatures, an explicit indicator API is available to determine whether ++a selected operation is an approved security service, in combination with the ++return code of the operation. For a signature operation to be approved, the ++explicit indicator must claim it as approved, and it must succeed. ++ ++=head2 Querying the explicit indicator ++ ++The Red Hat OpenSSL FIPS provider exports a symbol named ++I that provides information on which signature ++operations are approved security functions. To use this function, either link ++against I directly, or load it at runtime using dlopen(3) and ++dlsym(3). 
++ ++ #include ++ #include "providers/fips/indicator.h" ++ ++ void *provider = dlopen("/usr/lib64/ossl-modules/fips.so", RTLD_LAZY); ++ if (provider == NULL) { ++ fprintf(stderr, "%s\n", dlerror()); ++ // handle error ++ } ++ ++ const OSSL_RH_FIPSINDICATOR_ALORITHM *(*redhat_ossl_query_fipsindicator)(int) \ ++ = dlsym(provider, "redhat_ossl_query_fipsindicator"); ++ if (redhat_ossl_query_fipsindicator == NULL) { ++ fprintf(stderr, "%s\n", dlerror()); ++ fprintf(stderr, "Does your copy of fips.so have the required Red Hat" ++ " patches?\n"); ++ // handle error ++ } ++ ++Note that this uses the I header, which is not ++public. Install the I package from the I ++repository using I and include ++I in the compiler's include path. ++ ++I expects an operation ID as its only ++argument. Currently, the only supported operation ID is I to ++obtain the indicators for signature operations. On success, the return value is ++a pointer to an array of Is. On failure, NULL is ++returned. The last entry in the array is indicated by I being ++NULL. ++ ++ typedef struct ossl_rh_fipsindicator_algorithm_st { ++ const char *algorithm_names; /* key */ ++ const char *property_definition; /* key */ ++ const OSSL_RH_FIPSINDICATOR_DISPATCH *indicators; ++ } OSSL_RH_FIPSINDICATOR_ALGORITHM; ++ ++ typedef struct ossl_rh_fipsindicator_dispatch_st { ++ int function_id; ++ int approved; ++ } OSSL_RH_FIPSINDICATOR_DISPATCH; ++ ++The I field is a colon-separated list of algorithm names from ++one of the I constants, e.g., I. strtok(3) can ++be used to locate the appropriate entry. 
See the example below, where ++I contains the algorithm name to search for: ++ ++ const OSSL_RH_FIPSINDICATOR_DISPATCH *indicator_dispatch = NULL; ++ const OSSL_RH_FIPSINDICATOR_ALGORITHM *indicator = ++ redhat_ossl_query_fipsindicator(operation_id); ++ if (indicator == NULL) { ++ fprintf(stderr, "No indicator for operation, probably using implicit" ++ " indicators.\n"); ++ // handle error ++ } ++ ++ for (; indicator->algorithm_names != NULL; ++indicator) { ++ char *algorithm_names = strdup(indicator->algorithm_names); ++ if (algorithm_names == NULL) { ++ perror("strdup(3)"); ++ // handle error ++ } ++ ++ const char *algorithm_name = strtok(algorithm_names, ":"); ++ for (; algorithm_name != NULL; algorithm_name = strtok(NULL, ":")) { ++ if (strcasecmp(algorithm_name, algorithm) == 0) { ++ indicator_dispatch = indicator->indicators; ++ free(algorithm_names); ++ algorithm_names = NULL; ++ break; ++ } ++ } ++ free(algorithm_names); ++ } ++ if (indicator_dispatch == NULL) { ++ fprintf(stderr, "No indicator for algorithm %s.\n", algorithm); ++ // handle error ++ } ++ ++If an appropriate I array is available for the ++given algorithm name, it maps function IDs to their approval status. The last ++entry is indicated by a zero I. I is ++I if the operation is an approved security ++service, or part of an approved security service, or ++I otherwise. Any other value is invalid. ++Function IDs are I constants from I, ++e.g., I or I. 
++ ++Assuming I is the function in question, the following code can be ++used to query the approval status: ++ ++ for (; indicator_dispatch->function_id != 0; ++indicator_dispatch) { ++ if (indicator_dispatch->function_id == function_id) { ++ switch (indicator_dispatch->approved) { ++ case OSSL_RH_FIPSINDICATOR_APPROVED: ++ // approved security service ++ break; ++ case OSSL_RH_FIPSINDICATOR_UNAPPROVED: ++ // unapproved security service ++ break; ++ default: ++ // invalid result ++ break; ++ } ++ break; ++ } ++ } ++ ++=head1 SEE ALSO ++ ++L, L ++ ++=head1 COPYRIGHT ++ ++Copyright 2022 Red Hat, Inc. All Rights Reserved. ++ ++Licensed under the Apache License 2.0 (the "License"). You may not use ++this file except in compliance with the License. You can obtain a copy ++in the file LICENSE in the source distribution or at ++L. ++ ++=cut +diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c +index de391ce067..1cfd71c5cf 100644 +--- a/providers/fips/fipsprov.c ++++ b/providers/fips/fipsprov.c +@@ -23,6 +23,7 @@ + #include "prov/seeding.h" + #include "self_test.h" + #include "internal/core.h" ++#include "indicator.h" + + static const char FIPS_DEFAULT_PROPERTIES[] = "provider=fips,fips=yes"; + static const char FIPS_UNAPPROVED_PROPERTIES[] = "provider=fips,fips=no"; +@@ -425,6 +426,68 @@ static const OSSL_ALGORITHM fips_signature[] = { + { NULL, NULL, NULL } + }; + ++static const OSSL_RH_FIPSINDICATOR_DISPATCH redhat_rsa_signature_indicators[] = { ++ { OSSL_FUNC_SIGNATURE_NEWCTX, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_SIGN_INIT, OSSL_RH_FIPSINDICATOR_UNAPPROVED }, ++ { OSSL_FUNC_SIGNATURE_SIGN, OSSL_RH_FIPSINDICATOR_UNAPPROVED }, ++ { OSSL_FUNC_SIGNATURE_VERIFY_INIT, OSSL_RH_FIPSINDICATOR_UNAPPROVED }, ++ { OSSL_FUNC_SIGNATURE_VERIFY, OSSL_RH_FIPSINDICATOR_UNAPPROVED }, ++ { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER_INIT, OSSL_RH_FIPSINDICATOR_UNAPPROVED }, ++ { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER, OSSL_RH_FIPSINDICATOR_UNAPPROVED }, ++ { 
OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_FREECTX, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_DUPCTX, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_GET_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_SET_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { 0, OSSL_RH_FIPSINDICATOR_UNAPPROVED } ++}; ++ ++static const OSSL_RH_FIPSINDICATOR_DISPATCH redhat_ecdsa_signature_indicators[] = { ++ { OSSL_FUNC_SIGNATURE_NEWCTX, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_SIGN_INIT, OSSL_RH_FIPSINDICATOR_UNAPPROVED }, ++ { OSSL_FUNC_SIGNATURE_SIGN, OSSL_RH_FIPSINDICATOR_UNAPPROVED }, ++ { OSSL_FUNC_SIGNATURE_VERIFY_INIT, OSSL_RH_FIPSINDICATOR_UNAPPROVED }, ++ { OSSL_FUNC_SIGNATURE_VERIFY, OSSL_RH_FIPSINDICATOR_UNAPPROVED }, ++ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { 
OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_FREECTX, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_DUPCTX, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_GET_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_SET_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { 0, OSSL_RH_FIPSINDICATOR_UNAPPROVED } ++}; ++ ++static const OSSL_RH_FIPSINDICATOR_ALGORITHM redhat_indicator_fips_signature[] = { ++ { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ++ redhat_rsa_signature_indicators }, ++#ifndef OPENSSL_NO_EC ++ { PROV_NAMES_ECDSA, FIPS_DEFAULT_PROPERTIES, ++ redhat_ecdsa_signature_indicators }, ++#endif ++ { NULL, NULL, NULL } ++}; ++ + static const OSSL_ALGORITHM fips_asym_cipher[] = { + { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_asym_cipher_functions }, + { NULL, NULL, NULL } +@@ -527,6 +590,14 @@ static void fips_deinit_casecmp(void) { + return NULL; + } + ++const OSSL_RH_FIPSINDICATOR_ALGORITHM *redhat_ossl_query_fipsindicator(int operation_id) { ++ switch (operation_id) { ++ case OSSL_OP_SIGNATURE: ++ return redhat_indicator_fips_signature; ++ } ++ return NULL; ++} ++ + static void fips_teardown(void *provctx) + { + OSSL_LIB_CTX_free(PROV_LIBCTX_OF(provctx)); +diff --git a/providers/fips/indicator.h b/providers/fips/indicator.h +new 
file mode 100644 +index 0000000000..b323efe44c +--- /dev/null ++++ b/providers/fips/indicator.h +@@ -0,0 +1,66 @@ ++/* ++ * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. ++ * ++ * Licensed under the Apache License 2.0 (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++#ifndef OPENSSL_FIPS_INDICATOR_H ++# define OPENSSL_FIPS_INDICATOR_H ++# pragma once ++ ++# ifdef __cplusplus ++extern "C" { ++# endif ++ ++# define OSSL_RH_FIPSINDICATOR_UNAPPROVED (0) ++# define OSSL_RH_FIPSINDICATOR_APPROVED (1) ++ ++/* ++ * FIPS indicator dispatch table element. function_id numbers and the ++ * functions are defined in core_dispatch.h, see macros with ++ * 'OSSL_CORE_MAKE_FUNC' in their names. ++ * ++ * An array of these is always terminated by function_id == 0 ++ */ ++typedef struct ossl_rh_fipsindicator_dispatch_st { ++ int function_id; ++ int approved; ++} OSSL_RH_FIPSINDICATOR_DISPATCH; ++ ++/* ++ * Type to tie together algorithm names, property definition string and the ++ * algorithm implementation's FIPS indicator status in the form of a FIPS ++ * indicator dispatch table. ++ * ++ * An array of these is always terminated by algorithm_names == NULL ++ */ ++typedef struct ossl_rh_fipsindicator_algorithm_st { ++ const char *algorithm_names; /* key */ ++ const char *property_definition; /* key */ ++ const OSSL_RH_FIPSINDICATOR_DISPATCH *indicators; ++} OSSL_RH_FIPSINDICATOR_ALGORITHM; ++ ++/** ++ * Query FIPS indicator status for the given operation. Possible values for ++ * 'operation_id' are currently only OSSL_OP_SIGNATURE, as all other algorithms ++ * use implicit indicators. The return value is an array of ++ * OSSL_RH_FIPSINDICATOR_ALGORITHMs, terminated by an entry with ++ * algorithm_names == NULL. 
'algorithm_names' is a colon-separated list of
++ * algorithm names, 'property_definition' a comma-separated list of properties,
++ * and 'indicators' is a list of OSSL_RH_FIPSINDICATOR_DISPATCH structs. This
++ * list is terminated by function_id == 0. 'function_id' is one of the
++ * OSSL_FUNC_* constants, e.g., OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL.
++ *
++ * If there is no entry in the returned struct for the given operation_id,
++ * algorithm name, or function_id, the algorithm is unapproved.
++ */
++const OSSL_RH_FIPSINDICATOR_ALGORITHM *redhat_ossl_query_fipsindicator(int operation_id);
++
++# ifdef __cplusplus
++}
++# endif
++
++#endif
+diff --git a/util/mkdef.pl b/util/mkdef.pl
+index a1c76f7c97..eda39b71ee 100755
+--- a/util/mkdef.pl
++++ b/util/mkdef.pl
+@@ -149,7 +149,8 @@ $ordinal_opts{filter} =
+ return
+ $item->exists()
+ && platform_filter($item)
+- && feature_filter($item);
++ && feature_filter($item)
++ && fips_filter($item, $name);
+ };
+ my $ordinals = OpenSSL::Ordinals->new(from => $ordinals_file);
+ 
+@@ -205,6 +206,28 @@ sub feature_filter {
+ return $verdict;
+ }
+ 
++sub fips_filter {
++ my $item = shift;
++ my $name = uc(shift);
++ my @features = ( $item->features() );
++
++ # True if no features are defined
++ return 1 if scalar @features == 0;
++
++ my @matches = grep(/^ONLY_.*$/, @features);
++ if (@matches) {
++ # There is at least one only_* flag on this symbol, check if any of
++ # them match the name
++ for (@matches) {
++ if ($_ eq "ONLY_${name}") {
++ return 1;
++ }
++ }
++ return 0;
++ }
++ return 1;
++}
++
+ sub sorter_unix {
+ my $by_name = OpenSSL::Ordinals::by_name();
+ my %weight = (
+diff --git a/util/providers.num b/util/providers.num
+index 4e2fa81b98..77879d0e5f 100644
+--- a/util/providers.num
++++ b/util/providers.num
+@@ -1 +1,2 @@
+ OSSL_provider_init 1 * EXIST::FUNCTION:
++redhat_ossl_query_fipsindicator 1 * EXIST::FUNCTION:ONLY_PROVIDERS/FIPS
+-- 
+2.35.3
+ 
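Review bot: The dlsym example in doc/man7/fips_module_indicators.pod declares the function pointer with the type `OSSL_RH_FIPSINDICATOR_ALORITHM`, which providers/fips/indicator.h does not define (the struct is `OSSL_RH_FIPSINDICATOR_ALGORITHM`), so the documented snippet fails to compile as written. The header comment on `redhat_ossl_query_fipsindicator` says a missing entry for the given operation_id means the algorithm is unapproved, while the POD example treats a NULL return as "probably using implicit indicators"; a FIPS-aware caller needs one rule, so the header should state that NULL means the operation has no explicit indicator and its return code is the indicator, or the POD should say unapproved. In util/mkdef.pl, `fips_filter` implements a generic `ONLY_<NAME>` feature filter rather than anything FIPS-specific, and `grep(/^ONLY_.*$/, @features)` plus the manual `for (@matches)` loop reads more directly as `my @matches = grep { /\AONLY_/ } @features;` / `return 1 unless @matches;` / `return (grep { $_ eq "ONLY_$name" } @matches) ? 1 : 0;`, with a comment noting that `$name` is upper-cased before comparison so the flag in the .num file must be written in upper case (as `ONLY_PROVIDERS/FIPS` is). The new indicator.h also carries a 2019-2021 OpenSSL Project copyright header although it is a new Red Hat file introduced by this patch.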
diff --git a/SOURCES/0067-ppc64le-Montgomery-multiply.patch b/SOURCES/0067-ppc64le-Montgomery-multiply.patch
new file mode 100644
index 0000000..36c0222
--- /dev/null
+++ b/SOURCES/0067-ppc64le-Montgomery-multiply.patch
@@ -0,0 +1,703 @@ +From 33ffd36afa7594aeb958a925f521cb287ca850c8 Mon Sep 17 00:00:00 2001 +From: Rohan McLure +Date: Mon, 27 Jun 2022 12:14:55 +1000 +Subject: [PATCH 1/2] Revert "Revert "bn: Add fixed length (n=6), unrolled PPC + Montgomery Multiplication"" + +This reverts commit 712d9cc90e355b2c98a959d4e9398610d2269c9e. +--- + crypto/bn/asm/ppc64-mont-fixed.pl | 581 ++++++++++++++++++++++++++++++ + crypto/bn/bn_ppc.c | 15 + + crypto/bn/build.info | 3 +- + 3 files changed, 598 insertions(+), 1 deletion(-) + +diff --git a/crypto/bn/asm/ppc64-mont-fixed.pl b/crypto/bn/asm/ppc64-mont-fixed.pl +index e69de29bb2d1..0fb397bc5f12 100755 +--- a/crypto/bn/asm/ppc64-mont-fixed.pl ++++ b/crypto/bn/asm/ppc64-mont-fixed.pl +@@ -0,0 +1,581 @@ ++#! /usr/bin/env perl ++# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. ++# ++# Licensed under the Apache License 2.0 (the "License"). You may not use ++# this file except in compliance with the License. You can obtain a copy ++# in the file LICENSE in the source distribution or at ++# https://www.openssl.org/source/license.html ++ ++# ==================================================================== ++# Written by Amitay Isaacs , Martin Schwenke ++# & Alastair D'Silva for ++# the OpenSSL project. ++# ==================================================================== ++ ++# ++# Fixed length (n=6), unrolled PPC Montgomery Multiplication ++# ++ ++# 2021 ++# ++# Although this is a generic implementation for unrolling Montgomery ++# Multiplication for arbitrary values of n, this is currently only ++# used for n = 6 to improve the performance of ECC p384. ++# ++# Unrolling allows intermediate results to be stored in registers, ++# rather than on the stack, improving performance by ~7% compared to ++# the existing PPC assembly code. ++# ++# The ISA 3.0 implementation uses combination multiply/add ++# instructions (maddld, maddhdu) to improve performance by an ++# additional ~10% on Power 9. 
++# ++# Finally, saving non-volatile registers into volatile vector ++# registers instead of onto the stack saves a little more. ++# ++# On a Power 9 machine we see an overall improvement of ~18%. ++# ++ ++use strict; ++use warnings; ++ ++my ($flavour, $output, $dir, $xlate); ++ ++# $output is the last argument if it looks like a file (it has an extension) ++# $flavour is the first argument if it doesn't look like a file ++$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef; ++$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef; ++ ++$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; ++( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or ++( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or ++die "can't locate ppc-xlate.pl"; ++ ++open STDOUT,"| $^X $xlate $flavour \"$output\"" ++ or die "can't call $xlate: $!"; ++ ++if ($flavour !~ /64/) { ++ die "bad flavour ($flavour) - only ppc64 permitted"; ++} ++ ++my $SIZE_T= 8; ++ ++# Registers are global so the code is remotely readable ++ ++# Parameters for Montgomery multiplication ++my $sp = "r1"; ++my $toc = "r2"; ++my $rp = "r3"; ++my $ap = "r4"; ++my $bp = "r5"; ++my $np = "r6"; ++my $n0 = "r7"; ++my $num = "r8"; ++ ++my $i = "r9"; ++my $c0 = "r10"; ++my $bp0 = "r11"; ++my $bpi = "r11"; ++my $bpj = "r11"; ++my $tj = "r12"; ++my $apj = "r12"; ++my $npj = "r12"; ++my $lo = "r14"; ++my $c1 = "r14"; ++ ++# Non-volatile registers used for tp[i] ++# ++# 12 registers are available but the limit on unrolling is 10, ++# since registers from $tp[0] to $tp[$n+1] are used. ++my @tp = ("r20" .. "r31"); ++ ++# volatile VSRs for saving non-volatile GPRs - faster than stack ++my @vsrs = ("v32" .. 
"v46"); ++ ++package Mont; ++ ++sub new($$) ++{ ++ my ($class, $n) = @_; ++ ++ if ($n > 10) { ++ die "Can't unroll for BN length ${n} (maximum 10)" ++ } ++ ++ my $self = { ++ code => "", ++ n => $n, ++ }; ++ bless $self, $class; ++ ++ return $self; ++} ++ ++sub add_code($$) ++{ ++ my ($self, $c) = @_; ++ ++ $self->{code} .= $c; ++} ++ ++sub get_code($) ++{ ++ my ($self) = @_; ++ ++ return $self->{code}; ++} ++ ++sub get_function_name($) ++{ ++ my ($self) = @_; ++ ++ return "bn_mul_mont_fixed_n" . $self->{n}; ++} ++ ++sub get_label($$) ++{ ++ my ($self, $l) = @_; ++ ++ return "L" . $l . "_" . $self->{n}; ++} ++ ++sub get_labels($@) ++{ ++ my ($self, @labels) = @_; ++ ++ my %out = (); ++ ++ foreach my $l (@labels) { ++ $out{"$l"} = $self->get_label("$l"); ++ } ++ ++ return \%out; ++} ++ ++sub nl($) ++{ ++ my ($self) = @_; ++ ++ $self->add_code("\n"); ++} ++ ++sub copy_result($) ++{ ++ my ($self) = @_; ++ ++ my ($n) = $self->{n}; ++ ++ for (my $j = 0; $j < $n; $j++) { ++ $self->add_code(<<___); ++ std $tp[$j],`$j*$SIZE_T`($rp) ++___ ++ } ++ ++} ++ ++sub mul_mont_fixed($) ++{ ++ my ($self) = @_; ++ ++ my ($n) = $self->{n}; ++ my $fname = $self->get_function_name(); ++ my $label = $self->get_labels("outer", "enter", "sub", "copy", "end"); ++ ++ $self->add_code(<<___); ++ ++.globl .${fname} ++.align 5 ++.${fname}: ++ ++___ ++ ++ $self->save_registers(); ++ ++ $self->add_code(<<___); ++ ld $n0,0($n0) ++ ++ ld $bp0,0($bp) ++ ++ ld $apj,0($ap) ++___ ++ ++ $self->mul_c_0($tp[0], $apj, $bp0, $c0); ++ ++ for (my $j = 1; $j < $n - 1; $j++) { ++ $self->add_code(<<___); ++ ld $apj,`$j*$SIZE_T`($ap) ++___ ++ $self->mul($tp[$j], $apj, $bp0, $c0); ++ } ++ ++ $self->add_code(<<___); ++ ld $apj,`($n-1)*$SIZE_T`($ap) ++___ ++ ++ $self->mul_last($tp[$n-1], $tp[$n], $apj, $bp0, $c0); ++ ++ $self->add_code(<<___); ++ li $tp[$n+1],0 ++ ++___ ++ ++ $self->add_code(<<___); ++ li $i,0 ++ mtctr $num ++ b $label->{"enter"} ++ ++.align 4 ++$label->{"outer"}: ++ ldx $bpi,$bp,$i ++ ++ ld 
$apj,0($ap) ++___ ++ ++ $self->mul_add_c_0($tp[0], $tp[0], $apj, $bpi, $c0); ++ ++ for (my $j = 1; $j < $n; $j++) { ++ $self->add_code(<<___); ++ ld $apj,`$j*$SIZE_T`($ap) ++___ ++ $self->mul_add($tp[$j], $tp[$j], $apj, $bpi, $c0); ++ } ++ ++ $self->add_code(<<___); ++ addc $tp[$n],$tp[$n],$c0 ++ addze $tp[$n+1],$tp[$n+1] ++___ ++ ++ $self->add_code(<<___); ++.align 4 ++$label->{"enter"}: ++ mulld $bpi,$tp[0],$n0 ++ ++ ld $npj,0($np) ++___ ++ ++ $self->mul_add_c_0($lo, $tp[0], $bpi, $npj, $c0); ++ ++ for (my $j = 1; $j < $n; $j++) { ++ $self->add_code(<<___); ++ ld $npj,`$j*$SIZE_T`($np) ++___ ++ $self->mul_add($tp[$j-1], $tp[$j], $npj, $bpi, $c0); ++ } ++ ++ $self->add_code(<<___); ++ addc $tp[$n-1],$tp[$n],$c0 ++ addze $tp[$n],$tp[$n+1] ++ ++ addi $i,$i,$SIZE_T ++ bdnz $label->{"outer"} ++ ++ and. $tp[$n],$tp[$n],$tp[$n] ++ bne $label->{"sub"} ++ ++ cmpld $tp[$n-1],$npj ++ blt $label->{"copy"} ++ ++$label->{"sub"}: ++___ ++ ++ # ++ # Reduction ++ # ++ ++ $self->add_code(<<___); ++ ld $bpj,`0*$SIZE_T`($np) ++ subfc $c1,$bpj,$tp[0] ++ std $c1,`0*$SIZE_T`($rp) ++ ++___ ++ for (my $j = 1; $j < $n - 1; $j++) { ++ $self->add_code(<<___); ++ ld $bpj,`$j*$SIZE_T`($np) ++ subfe $c1,$bpj,$tp[$j] ++ std $c1,`$j*$SIZE_T`($rp) ++ ++___ ++ } ++ ++ $self->add_code(<<___); ++ subfe $c1,$npj,$tp[$n-1] ++ std $c1,`($n-1)*$SIZE_T`($rp) ++ ++___ ++ ++ $self->add_code(<<___); ++ addme. 
$tp[$n],$tp[$n] ++ beq $label->{"end"} ++ ++$label->{"copy"}: ++___ ++ ++ $self->copy_result(); ++ ++ $self->add_code(<<___); ++ ++$label->{"end"}: ++___ ++ ++ $self->restore_registers(); ++ ++ $self->add_code(<<___); ++ li r3,1 ++ blr ++.size .${fname},.-.${fname} ++___ ++ ++} ++ ++package Mont::GPR; ++ ++our @ISA = ('Mont'); ++ ++sub new($$) ++{ ++ my ($class, $n) = @_; ++ ++ return $class->SUPER::new($n); ++} ++ ++sub save_registers($) ++{ ++ my ($self) = @_; ++ ++ my $n = $self->{n}; ++ ++ $self->add_code(<<___); ++ std $lo,-8($sp) ++___ ++ ++ for (my $j = 0; $j <= $n+1; $j++) { ++ $self->{code}.=<<___; ++ std $tp[$j],-`($j+2)*8`($sp) ++___ ++ } ++ ++ $self->add_code(<<___); ++ ++___ ++} ++ ++sub restore_registers($) ++{ ++ my ($self) = @_; ++ ++ my $n = $self->{n}; ++ ++ $self->add_code(<<___); ++ ld $lo,-8($sp) ++___ ++ ++ for (my $j = 0; $j <= $n+1; $j++) { ++ $self->{code}.=<<___; ++ ld $tp[$j],-`($j+2)*8`($sp) ++___ ++ } ++ ++ $self->{code} .=<<___; ++ ++___ ++} ++ ++# Direct translation of C mul() ++sub mul($$$$$) ++{ ++ my ($self, $r, $a, $w, $c) = @_; ++ ++ $self->add_code(<<___); ++ mulld $lo,$a,$w ++ addc $r,$lo,$c ++ mulhdu $c,$a,$w ++ addze $c,$c ++ ++___ ++} ++ ++# Like mul() but $c is ignored as an input - an optimisation to save a ++# preliminary instruction that would set input $c to 0 ++sub mul_c_0($$$$$) ++{ ++ my ($self, $r, $a, $w, $c) = @_; ++ ++ $self->add_code(<<___); ++ mulld $r,$a,$w ++ mulhdu $c,$a,$w ++ ++___ ++} ++ ++# Like mul() but does not to the final addition of CA into $c - an ++# optimisation to save an instruction ++sub mul_last($$$$$$) ++{ ++ my ($self, $r1, $r2, $a, $w, $c) = @_; ++ ++ $self->add_code(<<___); ++ mulld $lo,$a,$w ++ addc $r1,$lo,$c ++ mulhdu $c,$a,$w ++ ++ addze $r2,$c ++___ ++} ++ ++# Like C mul_add() but allow $r_out and $r_in to be different ++sub mul_add($$$$$$) ++{ ++ my ($self, $r_out, $r_in, $a, $w, $c) = @_; ++ ++ $self->add_code(<<___); ++ mulld $lo,$a,$w ++ addc $lo,$lo,$c ++ mulhdu $c,$a,$w ++ 
addze $c,$c ++ addc $r_out,$r_in,$lo ++ addze $c,$c ++ ++___ ++} ++ ++# Like mul_add() but $c is ignored as an input - an optimisation to save a ++# preliminary instruction that would set input $c to 0 ++sub mul_add_c_0($$$$$$) ++{ ++ my ($self, $r_out, $r_in, $a, $w, $c) = @_; ++ ++ $self->add_code(<<___); ++ mulld $lo,$a,$w ++ addc $r_out,$r_in,$lo ++ mulhdu $c,$a,$w ++ addze $c,$c ++ ++___ ++} ++ ++package Mont::GPR_300; ++ ++our @ISA = ('Mont::GPR'); ++ ++sub new($$) ++{ ++ my ($class, $n) = @_; ++ ++ my $mont = $class->SUPER::new($n); ++ ++ return $mont; ++} ++ ++sub get_function_name($) ++{ ++ my ($self) = @_; ++ ++ return "bn_mul_mont_300_fixed_n" . $self->{n}; ++} ++ ++sub get_label($$) ++{ ++ my ($self, $l) = @_; ++ ++ return "L" . $l . "_300_" . $self->{n}; ++} ++ ++# Direct translation of C mul() ++sub mul($$$$$) ++{ ++ my ($self, $r, $a, $w, $c, $last) = @_; ++ ++ $self->add_code(<<___); ++ maddld $r,$a,$w,$c ++ maddhdu $c,$a,$w,$c ++ ++___ ++} ++ ++# Save the last carry as the final entry ++sub mul_last($$$$$) ++{ ++ my ($self, $r1, $r2, $a, $w, $c) = @_; ++ ++ $self->add_code(<<___); ++ maddld $r1,$a,$w,$c ++ maddhdu $r2,$a,$w,$c ++ ++___ ++} ++ ++# Like mul() but $c is ignored as an input - an optimisation to save a ++# preliminary instruction that would set input $c to 0 ++sub mul_c_0($$$$$) ++{ ++ my ($self, $r, $a, $w, $c) = @_; ++ ++ $self->add_code(<<___); ++ mulld $r,$a,$w ++ mulhdu $c,$a,$w ++ ++___ ++} ++ ++# Like C mul_add() but allow $r_out and $r_in to be different ++sub mul_add($$$$$$) ++{ ++ my ($self, $r_out, $r_in, $a, $w, $c) = @_; ++ ++ $self->add_code(<<___); ++ maddld $lo,$a,$w,$c ++ maddhdu $c,$a,$w,$c ++ addc $r_out,$r_in,$lo ++ addze $c,$c ++ ++___ ++} ++ ++# Like mul_add() but $c is ignored as an input - an optimisation to save a ++# preliminary instruction that would set input $c to 0 ++sub mul_add_c_0($$$$$$) ++{ ++ my ($self, $r_out, $r_in, $a, $w, $c) = @_; ++ ++ $self->add_code(<<___); ++ maddld $lo,$a,$w,$r_in ++ maddhdu 
$c,$a,$w,$r_in ++___ ++ ++ if ($r_out ne $lo) { ++ $self->add_code(<<___); ++ mr $r_out,$lo ++___ ++ } ++ ++ $self->nl(); ++} ++ ++ ++package main; ++ ++my $code; ++ ++$code.=<<___; ++.machine "any" ++.text ++___ ++ ++my $mont; ++ ++$mont = new Mont::GPR(6); ++$mont->mul_mont_fixed(); ++$code .= $mont->get_code(); ++ ++$mont = new Mont::GPR_300(6); ++$mont->mul_mont_fixed(); ++$code .= $mont->get_code(); ++ ++$code =~ s/\`([^\`]*)\`/eval $1/gem; ++ ++$code.=<<___; ++.asciz "Montgomery Multiplication for PPC by , " ++___ ++ ++print $code; ++close STDOUT or die "error closing STDOUT: $!"; +diff --git a/crypto/bn/bn_ppc.c b/crypto/bn/bn_ppc.c +index 3ee76ea96574..1e9421bee213 100644 +--- a/crypto/bn/bn_ppc.c ++++ b/crypto/bn/bn_ppc.c +@@ -19,6 +19,12 @@ int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, + const BN_ULONG *np, const BN_ULONG *n0, int num); + int bn_mul4x_mont_int(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, + const BN_ULONG *np, const BN_ULONG *n0, int num); ++ int bn_mul_mont_fixed_n6(BN_ULONG *rp, const BN_ULONG *ap, ++ const BN_ULONG *bp, const BN_ULONG *np, ++ const BN_ULONG *n0, int num); ++ int bn_mul_mont_300_fixed_n6(BN_ULONG *rp, const BN_ULONG *ap, ++ const BN_ULONG *bp, const BN_ULONG *np, ++ const BN_ULONG *n0, int num); + + if (num < 4) + return 0; +@@ -34,5 +40,14 @@ int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, + * no opportunity to figure it out... 
+ */ + ++#if defined(_ARCH_PPC64) && !defined(__ILP32__) ++ if (num == 6) { ++ if (OPENSSL_ppccap_P & PPC_MADD300) ++ return bn_mul_mont_300_fixed_n6(rp, ap, bp, np, n0, num); ++ else ++ return bn_mul_mont_fixed_n6(rp, ap, bp, np, n0, num); ++ } ++#endif ++ + return bn_mul_mont_int(rp, ap, bp, np, n0, num); + } +diff --git a/crypto/bn/build.info b/crypto/bn/build.info +index 4f8d0689b5ea..987a70ae263b 100644 +--- a/crypto/bn/build.info ++++ b/crypto/bn/build.info +@@ -79,7 +79,7 @@ IF[{- !$disabled{asm} -}] + + $BNASM_ppc32=bn_ppc.c bn-ppc.s ppc-mont.s + $BNDEF_ppc32=OPENSSL_BN_ASM_MONT +- $BNASM_ppc64=$BNASM_ppc32 ++ $BNASM_ppc64=$BNASM_ppc32 ppc64-mont-fixed.s + $BNDEF_ppc64=$BNDEF_ppc32 + + $BNASM_c64xplus=asm/bn-c64xplus.asm +@@ -173,6 +173,7 @@ GENERATE[parisc-mont.s]=asm/parisc-mont.pl + GENERATE[bn-ppc.s]=asm/ppc.pl + GENERATE[ppc-mont.s]=asm/ppc-mont.pl + GENERATE[ppc64-mont.s]=asm/ppc64-mont.pl ++GENERATE[ppc64-mont-fixed.s]=asm/ppc64-mont-fixed.pl + + GENERATE[alpha-mont.S]=asm/alpha-mont.pl + + +From 01ebad0d6e3a09bc9e32350b402901471610a3dc Mon Sep 17 00:00:00 2001 +From: Rohan McLure +Date: Thu, 30 Jun 2022 16:21:06 +1000 +Subject: [PATCH 2/2] Fix unrolled montgomery multiplication for POWER9 + +In the reference C implementation in bn_asm.c, tp[num + 1] contains the +carry bit for accumulations into tp[num]. tp[num + 1] is only ever +assigned, never itself incremented. 
+--- + crypto/bn/asm/ppc64-mont-fixed.pl | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/crypto/bn/asm/ppc64-mont-fixed.pl b/crypto/bn/asm/ppc64-mont-fixed.pl +index 0fb397bc5f12..e27d0ad93d85 100755 +--- a/crypto/bn/asm/ppc64-mont-fixed.pl ++++ b/crypto/bn/asm/ppc64-mont-fixed.pl +@@ -63,6 +63,7 @@ + # Registers are global so the code is remotely readable + + # Parameters for Montgomery multiplication ++my $ze = "r0"; + my $sp = "r1"; + my $toc = "r2"; + my $rp = "r3"; +@@ -192,6 +193,7 @@ ($) + $self->save_registers(); + + $self->add_code(<<___); ++ li $ze,0 + ld $n0,0($n0) + + ld $bp0,0($bp) +@@ -242,7 +244,7 @@ ($) + + $self->add_code(<<___); + addc $tp[$n],$tp[$n],$c0 +- addze $tp[$n+1],$tp[$n+1] ++ addze $tp[$n+1],$ze + ___ + + $self->add_code(<<___); +@@ -272,7 +274,7 @@ ($) + and. $tp[$n],$tp[$n],$tp[$n] + bne $label->{"sub"} + +- cmpld $tp[$n-1],$npj ++ cmpld $tp[$n-1],$npj + blt $label->{"copy"} + + $label->{"sub"}: diff --git a/SOURCES/0071-AES-GCM-performance-optimization.patch b/SOURCES/0071-AES-GCM-performance-optimization.patch new file mode 100644 index 0000000..edf40ec --- /dev/null +++ b/SOURCES/0071-AES-GCM-performance-optimization.patch 
@@ -0,0 +1,1635 @@ +Upstream-Status: Backport [https://github.com/openssl/openssl/commit/44a563dde1584cd9284e80b6e45ee5019be8d36c, https://github.com/openssl/openssl/commit/345c99b6654b8313c792d54f829943068911ddbd] +diff --git a/crypto/modes/asm/aes-gcm-ppc.pl b/crypto/modes/asm/aes-gcm-ppc.pl +new file mode 100644 +index 0000000..6624e6c +--- /dev/null ++++ b/crypto/modes/asm/aes-gcm-ppc.pl +@@ -0,0 +1,1438 @@ ++#! /usr/bin/env perl ++# Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved. ++# Copyright 2021- IBM Inc. All rights reserved ++# ++# Licensed under the Apache License 2.0 (the "License"). You may not use ++# this file except in compliance with the License. You can obtain a copy ++# in the file LICENSE in the source distribution or at ++# https://www.openssl.org/source/license.html ++# ++#=================================================================================== ++# Written by Danny Tsen for OpenSSL Project, ++# ++# GHASH is based on the Karatsuba multiplication method. ++# ++# Xi xor X1 ++# ++# X1 * H^4 + X2 * H^3 + x3 * H^2 + X4 * H = ++# (X1.h * H4.h + xX.l * H4.l + X1 * H4) + ++# (X2.h * H3.h + X2.l * H3.l + X2 * H3) + ++# (X3.h * H2.h + X3.l * H2.l + X3 * H2) + ++# (X4.h * H.h + X4.l * H.l + X4 * H) ++# ++# Xi = v0 ++# H Poly = v2 ++# Hash keys = v3 - v14 ++# ( H.l, H, H.h) ++# ( H^2.l, H^2, H^2.h) ++# ( H^3.l, H^3, H^3.h) ++# ( H^4.l, H^4, H^4.h) ++# ++# v30 is IV ++# v31 - counter 1 ++# ++# AES used, ++# vs0 - vs14 for round keys ++# v15, v16, v17, v18, v19, v20, v21, v22 for 8 blocks (encrypted) ++# ++# This implementation uses stitched AES-GCM approach to improve overall performance. ++# AES is implemented with 8x blocks and GHASH is using 2 4x blocks. 
++# ++# Current large block (16384 bytes) performance per second with 128 bit key -- ++# ++# Encrypt Decrypt ++# Power10[le] (3.5GHz) 5.32G 5.26G ++# ++# =================================================================================== ++# ++# $output is the last argument if it looks like a file (it has an extension) ++# $flavour is the first argument if it doesn't look like a file ++$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef; ++$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef; ++ ++if ($flavour =~ /64/) { ++ $SIZE_T=8; ++ $LRSAVE=2*$SIZE_T; ++ $STU="stdu"; ++ $POP="ld"; ++ $PUSH="std"; ++ $UCMP="cmpld"; ++ $SHRI="srdi"; ++} elsif ($flavour =~ /32/) { ++ $SIZE_T=4; ++ $LRSAVE=$SIZE_T; ++ $STU="stwu"; ++ $POP="lwz"; ++ $PUSH="stw"; ++ $UCMP="cmplw"; ++ $SHRI="srwi"; ++} else { die "nonsense $flavour"; } ++ ++$sp="r1"; ++$FRAME=6*$SIZE_T+13*16; # 13*16 is for v20-v31 offload ++ ++$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; ++( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or ++( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or ++die "can't locate ppc-xlate.pl"; ++ ++open STDOUT,"| $^X $xlate $flavour \"$output\"" ++ or die "can't call $xlate: $!"; ++ ++$code=<<___; ++.machine "any" ++.text ++ ++# 4x loops ++# v15 - v18 - input states ++# vs1 - vs9 - round keys ++# ++.macro Loop_aes_middle4x ++ xxlor 19+32, 1, 1 ++ xxlor 20+32, 2, 2 ++ xxlor 21+32, 3, 3 ++ xxlor 22+32, 4, 4 ++ ++ vcipher 15, 15, 19 ++ vcipher 16, 16, 19 ++ vcipher 17, 17, 19 ++ vcipher 18, 18, 19 ++ ++ vcipher 15, 15, 20 ++ vcipher 16, 16, 20 ++ vcipher 17, 17, 20 ++ vcipher 18, 18, 20 ++ ++ vcipher 15, 15, 21 ++ vcipher 16, 16, 21 ++ vcipher 17, 17, 21 ++ vcipher 18, 18, 21 ++ ++ vcipher 15, 15, 22 ++ vcipher 16, 16, 22 ++ vcipher 17, 17, 22 ++ vcipher 18, 18, 22 ++ ++ xxlor 19+32, 5, 5 ++ xxlor 20+32, 6, 6 ++ xxlor 21+32, 7, 7 ++ xxlor 22+32, 8, 8 ++ ++ vcipher 15, 15, 19 ++ vcipher 16, 16, 19 ++ vcipher 17, 17, 19 ++ vcipher 18, 18, 19 ++ ++ vcipher 15, 15, 
20 ++ vcipher 16, 16, 20 ++ vcipher 17, 17, 20 ++ vcipher 18, 18, 20 ++ ++ vcipher 15, 15, 21 ++ vcipher 16, 16, 21 ++ vcipher 17, 17, 21 ++ vcipher 18, 18, 21 ++ ++ vcipher 15, 15, 22 ++ vcipher 16, 16, 22 ++ vcipher 17, 17, 22 ++ vcipher 18, 18, 22 ++ ++ xxlor 23+32, 9, 9 ++ vcipher 15, 15, 23 ++ vcipher 16, 16, 23 ++ vcipher 17, 17, 23 ++ vcipher 18, 18, 23 ++.endm ++ ++# 8x loops ++# v15 - v22 - input states ++# vs1 - vs9 - round keys ++# ++.macro Loop_aes_middle8x ++ xxlor 23+32, 1, 1 ++ xxlor 24+32, 2, 2 ++ xxlor 25+32, 3, 3 ++ xxlor 26+32, 4, 4 ++ ++ vcipher 15, 15, 23 ++ vcipher 16, 16, 23 ++ vcipher 17, 17, 23 ++ vcipher 18, 18, 23 ++ vcipher 19, 19, 23 ++ vcipher 20, 20, 23 ++ vcipher 21, 21, 23 ++ vcipher 22, 22, 23 ++ ++ vcipher 15, 15, 24 ++ vcipher 16, 16, 24 ++ vcipher 17, 17, 24 ++ vcipher 18, 18, 24 ++ vcipher 19, 19, 24 ++ vcipher 20, 20, 24 ++ vcipher 21, 21, 24 ++ vcipher 22, 22, 24 ++ ++ vcipher 15, 15, 25 ++ vcipher 16, 16, 25 ++ vcipher 17, 17, 25 ++ vcipher 18, 18, 25 ++ vcipher 19, 19, 25 ++ vcipher 20, 20, 25 ++ vcipher 21, 21, 25 ++ vcipher 22, 22, 25 ++ ++ vcipher 15, 15, 26 ++ vcipher 16, 16, 26 ++ vcipher 17, 17, 26 ++ vcipher 18, 18, 26 ++ vcipher 19, 19, 26 ++ vcipher 20, 20, 26 ++ vcipher 21, 21, 26 ++ vcipher 22, 22, 26 ++ ++ xxlor 23+32, 5, 5 ++ xxlor 24+32, 6, 6 ++ xxlor 25+32, 7, 7 ++ xxlor 26+32, 8, 8 ++ ++ vcipher 15, 15, 23 ++ vcipher 16, 16, 23 ++ vcipher 17, 17, 23 ++ vcipher 18, 18, 23 ++ vcipher 19, 19, 23 ++ vcipher 20, 20, 23 ++ vcipher 21, 21, 23 ++ vcipher 22, 22, 23 ++ ++ vcipher 15, 15, 24 ++ vcipher 16, 16, 24 ++ vcipher 17, 17, 24 ++ vcipher 18, 18, 24 ++ vcipher 19, 19, 24 ++ vcipher 20, 20, 24 ++ vcipher 21, 21, 24 ++ vcipher 22, 22, 24 ++ ++ vcipher 15, 15, 25 ++ vcipher 16, 16, 25 ++ vcipher 17, 17, 25 ++ vcipher 18, 18, 25 ++ vcipher 19, 19, 25 ++ vcipher 20, 20, 25 ++ vcipher 21, 21, 25 ++ vcipher 22, 22, 25 ++ ++ vcipher 15, 15, 26 ++ vcipher 16, 16, 26 ++ vcipher 17, 17, 26 ++ vcipher 18, 18, 26 ++ vcipher 
19, 19, 26 ++ vcipher 20, 20, 26 ++ vcipher 21, 21, 26 ++ vcipher 22, 22, 26 ++ ++ xxlor 23+32, 9, 9 ++ vcipher 15, 15, 23 ++ vcipher 16, 16, 23 ++ vcipher 17, 17, 23 ++ vcipher 18, 18, 23 ++ vcipher 19, 19, 23 ++ vcipher 20, 20, 23 ++ vcipher 21, 21, 23 ++ vcipher 22, 22, 23 ++.endm ++ ++# ++# Compute 4x hash values based on Karatsuba method. ++# ++ppc_aes_gcm_ghash: ++ vxor 15, 15, 0 ++ ++ xxlxor 29, 29, 29 ++ ++ vpmsumd 23, 12, 15 # H4.L * X.L ++ vpmsumd 24, 9, 16 ++ vpmsumd 25, 6, 17 ++ vpmsumd 26, 3, 18 ++ ++ vxor 23, 23, 24 ++ vxor 23, 23, 25 ++ vxor 23, 23, 26 # L ++ ++ vpmsumd 24, 13, 15 # H4.L * X.H + H4.H * X.L ++ vpmsumd 25, 10, 16 # H3.L * X1.H + H3.H * X1.L ++ vpmsumd 26, 7, 17 ++ vpmsumd 27, 4, 18 ++ ++ vxor 24, 24, 25 ++ vxor 24, 24, 26 ++ vxor 24, 24, 27 # M ++ ++ # sum hash and reduction with H Poly ++ vpmsumd 28, 23, 2 # reduction ++ ++ xxlor 29+32, 29, 29 ++ vsldoi 26, 24, 29, 8 # mL ++ vsldoi 29, 29, 24, 8 # mH ++ vxor 23, 23, 26 # mL + L ++ ++ vsldoi 23, 23, 23, 8 # swap ++ vxor 23, 23, 28 ++ ++ vpmsumd 24, 14, 15 # H4.H * X.H ++ vpmsumd 25, 11, 16 ++ vpmsumd 26, 8, 17 ++ vpmsumd 27, 5, 18 ++ ++ vxor 24, 24, 25 ++ vxor 24, 24, 26 ++ vxor 24, 24, 27 ++ ++ vxor 24, 24, 29 ++ ++ # sum hash and reduction with H Poly ++ vsldoi 27, 23, 23, 8 # swap ++ vpmsumd 23, 23, 2 ++ vxor 27, 27, 24 ++ vxor 23, 23, 27 ++ ++ xxlor 32, 23+32, 23+32 # update hash ++ ++ blr ++ ++# ++# Combine two 4x ghash ++# v15 - v22 - input blocks ++# ++.macro ppc_aes_gcm_ghash2_4x ++ # first 4x hash ++ vxor 15, 15, 0 # Xi + X ++ ++ xxlxor 29, 29, 29 ++ ++ vpmsumd 23, 12, 15 # H4.L * X.L ++ vpmsumd 24, 9, 16 ++ vpmsumd 25, 6, 17 ++ vpmsumd 26, 3, 18 ++ ++ vxor 23, 23, 24 ++ vxor 23, 23, 25 ++ vxor 23, 23, 26 # L ++ ++ vpmsumd 24, 13, 15 # H4.L * X.H + H4.H * X.L ++ vpmsumd 25, 10, 16 # H3.L * X1.H + H3.H * X1.L ++ vpmsumd 26, 7, 17 ++ vpmsumd 27, 4, 18 ++ ++ vxor 24, 24, 25 ++ vxor 24, 24, 26 ++ ++ # sum hash and reduction with H Poly ++ vpmsumd 28, 23, 2 # reduction ++ ++ xxlor 
29+32, 29, 29 ++ ++ vxor 24, 24, 27 # M ++ vsldoi 26, 24, 29, 8 # mL ++ vsldoi 29, 29, 24, 8 # mH ++ vxor 23, 23, 26 # mL + L ++ ++ vsldoi 23, 23, 23, 8 # swap ++ vxor 23, 23, 28 ++ ++ vpmsumd 24, 14, 15 # H4.H * X.H ++ vpmsumd 25, 11, 16 ++ vpmsumd 26, 8, 17 ++ vpmsumd 27, 5, 18 ++ ++ vxor 24, 24, 25 ++ vxor 24, 24, 26 ++ vxor 24, 24, 27 # H ++ ++ vxor 24, 24, 29 # H + mH ++ ++ # sum hash and reduction with H Poly ++ vsldoi 27, 23, 23, 8 # swap ++ vpmsumd 23, 23, 2 ++ vxor 27, 27, 24 ++ vxor 27, 23, 27 # 1st Xi ++ ++ # 2nd 4x hash ++ vpmsumd 24, 9, 20 ++ vpmsumd 25, 6, 21 ++ vpmsumd 26, 3, 22 ++ vxor 19, 19, 27 # Xi + X ++ vpmsumd 23, 12, 19 # H4.L * X.L ++ ++ vxor 23, 23, 24 ++ vxor 23, 23, 25 ++ vxor 23, 23, 26 # L ++ ++ vpmsumd 24, 13, 19 # H4.L * X.H + H4.H * X.L ++ vpmsumd 25, 10, 20 # H3.L * X1.H + H3.H * X1.L ++ vpmsumd 26, 7, 21 ++ vpmsumd 27, 4, 22 ++ ++ vxor 24, 24, 25 ++ vxor 24, 24, 26 ++ ++ # sum hash and reduction with H Poly ++ vpmsumd 28, 23, 2 # reduction ++ ++ xxlor 29+32, 29, 29 ++ ++ vxor 24, 24, 27 # M ++ vsldoi 26, 24, 29, 8 # mL ++ vsldoi 29, 29, 24, 8 # mH ++ vxor 23, 23, 26 # mL + L ++ ++ vsldoi 23, 23, 23, 8 # swap ++ vxor 23, 23, 28 ++ ++ vpmsumd 24, 14, 19 # H4.H * X.H ++ vpmsumd 25, 11, 20 ++ vpmsumd 26, 8, 21 ++ vpmsumd 27, 5, 22 ++ ++ vxor 24, 24, 25 ++ vxor 24, 24, 26 ++ vxor 24, 24, 27 # H ++ ++ vxor 24, 24, 29 # H + mH ++ ++ # sum hash and reduction with H Poly ++ vsldoi 27, 23, 23, 8 # swap ++ vpmsumd 23, 23, 2 ++ vxor 27, 27, 24 ++ vxor 23, 23, 27 ++ ++ xxlor 32, 23+32, 23+32 # update hash ++ ++.endm ++ ++# ++# Compute update single hash ++# ++.macro ppc_update_hash_1x ++ vxor 28, 28, 0 ++ ++ vxor 19, 19, 19 ++ ++ vpmsumd 22, 3, 28 # L ++ vpmsumd 23, 4, 28 # M ++ vpmsumd 24, 5, 28 # H ++ ++ vpmsumd 27, 22, 2 # reduction ++ ++ vsldoi 25, 23, 19, 8 # mL ++ vsldoi 26, 19, 23, 8 # mH ++ vxor 22, 22, 25 # LL + LL ++ vxor 24, 24, 26 # HH + HH ++ ++ vsldoi 22, 22, 22, 8 # swap ++ vxor 22, 22, 27 ++ ++ vsldoi 20, 22, 22, 8 # swap ++ 
vpmsumd 22, 22, 2 # reduction ++ vxor 20, 20, 24 ++ vxor 22, 22, 20 ++ ++ vmr 0, 22 # update hash ++ ++.endm ++ ++# ++# ppc_aes_gcm_encrypt (const void *inp, void *out, size_t len, ++# const AES_KEY *key, unsigned char iv[16], ++# void *Xip); ++# ++# r3 - inp ++# r4 - out ++# r5 - len ++# r6 - AES round keys ++# r7 - iv ++# r8 - Xi, HPoli, hash keys ++# ++.global ppc_aes_gcm_encrypt ++.align 5 ++ppc_aes_gcm_encrypt: ++_ppc_aes_gcm_encrypt: ++ ++ stdu 1,-512(1) ++ mflr 0 ++ ++ std 14,112(1) ++ std 15,120(1) ++ std 16,128(1) ++ std 17,136(1) ++ std 18,144(1) ++ std 19,152(1) ++ std 20,160(1) ++ std 21,168(1) ++ li 9, 256 ++ stvx 20, 9, 1 ++ addi 9, 9, 16 ++ stvx 21, 9, 1 ++ addi 9, 9, 16 ++ stvx 22, 9, 1 ++ addi 9, 9, 16 ++ stvx 23, 9, 1 ++ addi 9, 9, 16 ++ stvx 24, 9, 1 ++ addi 9, 9, 16 ++ stvx 25, 9, 1 ++ addi 9, 9, 16 ++ stvx 26, 9, 1 ++ addi 9, 9, 16 ++ stvx 27, 9, 1 ++ addi 9, 9, 16 ++ stvx 28, 9, 1 ++ addi 9, 9, 16 ++ stvx 29, 9, 1 ++ addi 9, 9, 16 ++ stvx 30, 9, 1 ++ addi 9, 9, 16 ++ stvx 31, 9, 1 ++ std 0, 528(1) ++ ++ # Load Xi ++ lxvb16x 32, 0, 8 # load Xi ++ ++ # load Hash - h^4, h^3, h^2, h ++ li 10, 32 ++ lxvd2x 2+32, 10, 8 # H Poli ++ li 10, 48 ++ lxvd2x 3+32, 10, 8 # Hl ++ li 10, 64 ++ lxvd2x 4+32, 10, 8 # H ++ li 10, 80 ++ lxvd2x 5+32, 10, 8 # Hh ++ ++ li 10, 96 ++ lxvd2x 6+32, 10, 8 # H^2l ++ li 10, 112 ++ lxvd2x 7+32, 10, 8 # H^2 ++ li 10, 128 ++ lxvd2x 8+32, 10, 8 # H^2h ++ ++ li 10, 144 ++ lxvd2x 9+32, 10, 8 # H^3l ++ li 10, 160 ++ lxvd2x 10+32, 10, 8 # H^3 ++ li 10, 176 ++ lxvd2x 11+32, 10, 8 # H^3h ++ ++ li 10, 192 ++ lxvd2x 12+32, 10, 8 # H^4l ++ li 10, 208 ++ lxvd2x 13+32, 10, 8 # H^4 ++ li 10, 224 ++ lxvd2x 14+32, 10, 8 # H^4h ++ ++ # initialize ICB: GHASH( IV ), IV - r7 ++ lxvb16x 30+32, 0, 7 # load IV - v30 ++ ++ mr 12, 5 # length ++ li 11, 0 # block index ++ ++ # counter 1 ++ vxor 31, 31, 31 ++ vspltisb 22, 1 ++ vsldoi 31, 31, 22,1 # counter 1 ++ ++ # load round key to VSR ++ lxv 0, 0(6) ++ lxv 1, 0x10(6) ++ lxv 2, 0x20(6) ++ lxv 3, 
0x30(6) ++ lxv 4, 0x40(6) ++ lxv 5, 0x50(6) ++ lxv 6, 0x60(6) ++ lxv 7, 0x70(6) ++ lxv 8, 0x80(6) ++ lxv 9, 0x90(6) ++ lxv 10, 0xa0(6) ++ ++ # load rounds - 10 (128), 12 (192), 14 (256) ++ lwz 9,240(6) ++ ++ # ++ # vxor state, state, w # addroundkey ++ xxlor 32+29, 0, 0 ++ vxor 15, 30, 29 # IV + round key - add round key 0 ++ ++ cmpdi 9, 10 ++ beq Loop_aes_gcm_8x ++ ++ # load 2 more round keys (v11, v12) ++ lxv 11, 0xb0(6) ++ lxv 12, 0xc0(6) ++ ++ cmpdi 9, 12 ++ beq Loop_aes_gcm_8x ++ ++ # load 2 more round keys (v11, v12, v13, v14) ++ lxv 13, 0xd0(6) ++ lxv 14, 0xe0(6) ++ cmpdi 9, 14 ++ beq Loop_aes_gcm_8x ++ ++ b aes_gcm_out ++ ++.align 5 ++Loop_aes_gcm_8x: ++ mr 14, 3 ++ mr 9, 4 ++ ++ # n blocks ++ li 10, 128 ++ divdu 10, 5, 10 # n 128 bytes-blocks ++ cmpdi 10, 0 ++ beq Loop_last_block ++ ++ vaddudm 30, 30, 31 # IV + counter ++ vxor 16, 30, 29 ++ vaddudm 30, 30, 31 ++ vxor 17, 30, 29 ++ vaddudm 30, 30, 31 ++ vxor 18, 30, 29 ++ vaddudm 30, 30, 31 ++ vxor 19, 30, 29 ++ vaddudm 30, 30, 31 ++ vxor 20, 30, 29 ++ vaddudm 30, 30, 31 ++ vxor 21, 30, 29 ++ vaddudm 30, 30, 31 ++ vxor 22, 30, 29 ++ ++ mtctr 10 ++ ++ li 15, 16 ++ li 16, 32 ++ li 17, 48 ++ li 18, 64 ++ li 19, 80 ++ li 20, 96 ++ li 21, 112 ++ ++ lwz 10, 240(6) ++ ++Loop_8x_block: ++ ++ lxvb16x 15, 0, 14 # load block ++ lxvb16x 16, 15, 14 # load block ++ lxvb16x 17, 16, 14 # load block ++ lxvb16x 18, 17, 14 # load block ++ lxvb16x 19, 18, 14 # load block ++ lxvb16x 20, 19, 14 # load block ++ lxvb16x 21, 20, 14 # load block ++ lxvb16x 22, 21, 14 # load block ++ addi 14, 14, 128 ++ ++ Loop_aes_middle8x ++ ++ xxlor 23+32, 10, 10 ++ ++ cmpdi 10, 10 ++ beq Do_next_ghash ++ ++ # 192 bits ++ xxlor 24+32, 11, 11 ++ ++ vcipher 15, 15, 23 ++ vcipher 16, 16, 23 ++ vcipher 17, 17, 23 ++ vcipher 18, 18, 23 ++ vcipher 19, 19, 23 ++ vcipher 20, 20, 23 ++ vcipher 21, 21, 23 ++ vcipher 22, 22, 23 ++ ++ vcipher 15, 15, 24 ++ vcipher 16, 16, 24 ++ vcipher 17, 17, 24 ++ vcipher 18, 18, 24 ++ vcipher 19, 19, 24 ++ vcipher 20, 20, 
24 ++ vcipher 21, 21, 24 ++ vcipher 22, 22, 24 ++ ++ xxlor 23+32, 12, 12 ++ ++ cmpdi 10, 12 ++ beq Do_next_ghash ++ ++ # 256 bits ++ xxlor 24+32, 13, 13 ++ ++ vcipher 15, 15, 23 ++ vcipher 16, 16, 23 ++ vcipher 17, 17, 23 ++ vcipher 18, 18, 23 ++ vcipher 19, 19, 23 ++ vcipher 20, 20, 23 ++ vcipher 21, 21, 23 ++ vcipher 22, 22, 23 ++ ++ vcipher 15, 15, 24 ++ vcipher 16, 16, 24 ++ vcipher 17, 17, 24 ++ vcipher 18, 18, 24 ++ vcipher 19, 19, 24 ++ vcipher 20, 20, 24 ++ vcipher 21, 21, 24 ++ vcipher 22, 22, 24 ++ ++ xxlor 23+32, 14, 14 ++ ++ cmpdi 10, 14 ++ beq Do_next_ghash ++ b aes_gcm_out ++ ++Do_next_ghash: ++ ++ # ++ # last round ++ vcipherlast 15, 15, 23 ++ vcipherlast 16, 16, 23 ++ ++ xxlxor 47, 47, 15 ++ stxvb16x 47, 0, 9 # store output ++ xxlxor 48, 48, 16 ++ stxvb16x 48, 15, 9 # store output ++ ++ vcipherlast 17, 17, 23 ++ vcipherlast 18, 18, 23 ++ ++ xxlxor 49, 49, 17 ++ stxvb16x 49, 16, 9 # store output ++ xxlxor 50, 50, 18 ++ stxvb16x 50, 17, 9 # store output ++ ++ vcipherlast 19, 19, 23 ++ vcipherlast 20, 20, 23 ++ ++ xxlxor 51, 51, 19 ++ stxvb16x 51, 18, 9 # store output ++ xxlxor 52, 52, 20 ++ stxvb16x 52, 19, 9 # store output ++ ++ vcipherlast 21, 21, 23 ++ vcipherlast 22, 22, 23 ++ ++ xxlxor 53, 53, 21 ++ stxvb16x 53, 20, 9 # store output ++ xxlxor 54, 54, 22 ++ stxvb16x 54, 21, 9 # store output ++ ++ addi 9, 9, 128 ++ ++ # ghash here ++ ppc_aes_gcm_ghash2_4x ++ ++ xxlor 27+32, 0, 0 ++ vaddudm 30, 30, 31 # IV + counter ++ vmr 29, 30 ++ vxor 15, 30, 27 # add round key ++ vaddudm 30, 30, 31 ++ vxor 16, 30, 27 ++ vaddudm 30, 30, 31 ++ vxor 17, 30, 27 ++ vaddudm 30, 30, 31 ++ vxor 18, 30, 27 ++ vaddudm 30, 30, 31 ++ vxor 19, 30, 27 ++ vaddudm 30, 30, 31 ++ vxor 20, 30, 27 ++ vaddudm 30, 30, 31 ++ vxor 21, 30, 27 ++ vaddudm 30, 30, 31 ++ vxor 22, 30, 27 ++ ++ addi 12, 12, -128 ++ addi 11, 11, 128 ++ ++ bdnz Loop_8x_block ++ ++ vmr 30, 29 ++ ++Loop_last_block: ++ cmpdi 12, 0 ++ beq aes_gcm_out ++ ++ # loop last few blocks ++ li 10, 16 ++ divdu 10, 12, 10 ++ 
++ mtctr 10 ++ ++ lwz 10, 240(6) ++ ++ cmpdi 12, 16 ++ blt Final_block ++ ++.macro Loop_aes_middle_1x ++ xxlor 19+32, 1, 1 ++ xxlor 20+32, 2, 2 ++ xxlor 21+32, 3, 3 ++ xxlor 22+32, 4, 4 ++ ++ vcipher 15, 15, 19 ++ vcipher 15, 15, 20 ++ vcipher 15, 15, 21 ++ vcipher 15, 15, 22 ++ ++ xxlor 19+32, 5, 5 ++ xxlor 20+32, 6, 6 ++ xxlor 21+32, 7, 7 ++ xxlor 22+32, 8, 8 ++ ++ vcipher 15, 15, 19 ++ vcipher 15, 15, 20 ++ vcipher 15, 15, 21 ++ vcipher 15, 15, 22 ++ ++ xxlor 19+32, 9, 9 ++ vcipher 15, 15, 19 ++.endm ++ ++Next_rem_block: ++ lxvb16x 15, 0, 14 # load block ++ ++ Loop_aes_middle_1x ++ ++ xxlor 23+32, 10, 10 ++ ++ cmpdi 10, 10 ++ beq Do_next_1x ++ ++ # 192 bits ++ xxlor 24+32, 11, 11 ++ ++ vcipher 15, 15, 23 ++ vcipher 15, 15, 24 ++ ++ xxlor 23+32, 12, 12 ++ ++ cmpdi 10, 12 ++ beq Do_next_1x ++ ++ # 256 bits ++ xxlor 24+32, 13, 13 ++ ++ vcipher 15, 15, 23 ++ vcipher 15, 15, 24 ++ ++ xxlor 23+32, 14, 14 ++ ++ cmpdi 10, 14 ++ beq Do_next_1x ++ ++Do_next_1x: ++ vcipherlast 15, 15, 23 ++ ++ xxlxor 47, 47, 15 ++ stxvb16x 47, 0, 9 # store output ++ addi 14, 14, 16 ++ addi 9, 9, 16 ++ ++ vmr 28, 15 ++ ppc_update_hash_1x ++ ++ addi 12, 12, -16 ++ addi 11, 11, 16 ++ xxlor 19+32, 0, 0 ++ vaddudm 30, 30, 31 # IV + counter ++ vxor 15, 30, 19 # add round key ++ ++ bdnz Next_rem_block ++ ++ cmpdi 12, 0 ++ beq aes_gcm_out ++ ++Final_block: ++ Loop_aes_middle_1x ++ ++ xxlor 23+32, 10, 10 ++ ++ cmpdi 10, 10 ++ beq Do_final_1x ++ ++ # 192 bits ++ xxlor 24+32, 11, 11 ++ ++ vcipher 15, 15, 23 ++ vcipher 15, 15, 24 ++ ++ xxlor 23+32, 12, 12 ++ ++ cmpdi 10, 12 ++ beq Do_final_1x ++ ++ # 256 bits ++ xxlor 24+32, 13, 13 ++ ++ vcipher 15, 15, 23 ++ vcipher 15, 15, 24 ++ ++ xxlor 23+32, 14, 14 ++ ++ cmpdi 10, 14 ++ beq Do_final_1x ++ ++Do_final_1x: ++ vcipherlast 15, 15, 23 ++ ++ lxvb16x 15, 0, 14 # load last block ++ xxlxor 47, 47, 15 ++ ++ # create partial block mask ++ li 15, 16 ++ sub 15, 15, 12 # index to the mask ++ ++ vspltisb 16, -1 # first 16 bytes - 0xffff...ff ++ vspltisb 17, 0 # 
second 16 bytes - 0x0000...00 ++ li 10, 192 ++ stvx 16, 10, 1 ++ addi 10, 10, 16 ++ stvx 17, 10, 1 ++ ++ addi 10, 1, 192 ++ lxvb16x 16, 15, 10 # load partial block mask ++ xxland 47, 47, 16 ++ ++ vmr 28, 15 ++ ppc_update_hash_1x ++ ++ # * should store only the remaining bytes. ++ bl Write_partial_block ++ ++ b aes_gcm_out ++ ++# ++# Write partial block ++# r9 - output ++# r12 - remaining bytes ++# v15 - partial input data ++# ++Write_partial_block: ++ li 10, 192 ++ stxvb16x 15+32, 10, 1 # last block ++ ++ #add 10, 9, 11 # Output ++ addi 10, 9, -1 ++ addi 16, 1, 191 ++ ++ mtctr 12 # remaining bytes ++ li 15, 0 ++ ++Write_last_byte: ++ lbzu 14, 1(16) ++ stbu 14, 1(10) ++ bdnz Write_last_byte ++ blr ++ ++aes_gcm_out: ++ # out = state ++ stxvb16x 32, 0, 8 # write out Xi ++ add 3, 11, 12 # return count ++ ++ li 9, 256 ++ lvx 20, 9, 1 ++ addi 9, 9, 16 ++ lvx 21, 9, 1 ++ addi 9, 9, 16 ++ lvx 22, 9, 1 ++ addi 9, 9, 16 ++ lvx 23, 9, 1 ++ addi 9, 9, 16 ++ lvx 24, 9, 1 ++ addi 9, 9, 16 ++ lvx 25, 9, 1 ++ addi 9, 9, 16 ++ lvx 26, 9, 1 ++ addi 9, 9, 16 ++ lvx 27, 9, 1 ++ addi 9, 9, 16 ++ lvx 28, 9, 1 ++ addi 9, 9, 16 ++ lvx 29, 9, 1 ++ addi 9, 9, 16 ++ lvx 30, 9, 1 ++ addi 9, 9, 16 ++ lvx 31, 9, 1 ++ ++ ld 0, 528(1) ++ ld 14,112(1) ++ ld 15,120(1) ++ ld 16,128(1) ++ ld 17,136(1) ++ ld 18,144(1) ++ ld 19,152(1) ++ ld 20,160(1) ++ ld 21,168(1) ++ ++ mtlr 0 ++ addi 1, 1, 512 ++ blr ++ ++# ++# 8x Decrypt ++# ++.global ppc_aes_gcm_decrypt ++.align 5 ++ppc_aes_gcm_decrypt: ++_ppc_aes_gcm_decrypt: ++ ++ stdu 1,-512(1) ++ mflr 0 ++ ++ std 14,112(1) ++ std 15,120(1) ++ std 16,128(1) ++ std 17,136(1) ++ std 18,144(1) ++ std 19,152(1) ++ std 20,160(1) ++ std 21,168(1) ++ li 9, 256 ++ stvx 20, 9, 1 ++ addi 9, 9, 16 ++ stvx 21, 9, 1 ++ addi 9, 9, 16 ++ stvx 22, 9, 1 ++ addi 9, 9, 16 ++ stvx 23, 9, 1 ++ addi 9, 9, 16 ++ stvx 24, 9, 1 ++ addi 9, 9, 16 ++ stvx 25, 9, 1 ++ addi 9, 9, 16 ++ stvx 26, 9, 1 ++ addi 9, 9, 16 ++ stvx 27, 9, 1 ++ addi 9, 9, 16 ++ stvx 28, 9, 1 ++ addi 9, 9, 16 ++ stvx 
29, 9, 1 ++ addi 9, 9, 16 ++ stvx 30, 9, 1 ++ addi 9, 9, 16 ++ stvx 31, 9, 1 ++ std 0, 528(1) ++ ++ # Load Xi ++ lxvb16x 32, 0, 8 # load Xi ++ ++ # load Hash - h^4, h^3, h^2, h ++ li 10, 32 ++ lxvd2x 2+32, 10, 8 # H Poli ++ li 10, 48 ++ lxvd2x 3+32, 10, 8 # Hl ++ li 10, 64 ++ lxvd2x 4+32, 10, 8 # H ++ li 10, 80 ++ lxvd2x 5+32, 10, 8 # Hh ++ ++ li 10, 96 ++ lxvd2x 6+32, 10, 8 # H^2l ++ li 10, 112 ++ lxvd2x 7+32, 10, 8 # H^2 ++ li 10, 128 ++ lxvd2x 8+32, 10, 8 # H^2h ++ ++ li 10, 144 ++ lxvd2x 9+32, 10, 8 # H^3l ++ li 10, 160 ++ lxvd2x 10+32, 10, 8 # H^3 ++ li 10, 176 ++ lxvd2x 11+32, 10, 8 # H^3h ++ ++ li 10, 192 ++ lxvd2x 12+32, 10, 8 # H^4l ++ li 10, 208 ++ lxvd2x 13+32, 10, 8 # H^4 ++ li 10, 224 ++ lxvd2x 14+32, 10, 8 # H^4h ++ ++ # initialize ICB: GHASH( IV ), IV - r7 ++ lxvb16x 30+32, 0, 7 # load IV - v30 ++ ++ mr 12, 5 # length ++ li 11, 0 # block index ++ ++ # counter 1 ++ vxor 31, 31, 31 ++ vspltisb 22, 1 ++ vsldoi 31, 31, 22,1 # counter 1 ++ ++ # load round key to VSR ++ lxv 0, 0(6) ++ lxv 1, 0x10(6) ++ lxv 2, 0x20(6) ++ lxv 3, 0x30(6) ++ lxv 4, 0x40(6) ++ lxv 5, 0x50(6) ++ lxv 6, 0x60(6) ++ lxv 7, 0x70(6) ++ lxv 8, 0x80(6) ++ lxv 9, 0x90(6) ++ lxv 10, 0xa0(6) ++ ++ # load rounds - 10 (128), 12 (192), 14 (256) ++ lwz 9,240(6) ++ ++ # ++ # vxor state, state, w # addroundkey ++ xxlor 32+29, 0, 0 ++ vxor 15, 30, 29 # IV + round key - add round key 0 ++ ++ cmpdi 9, 10 ++ beq Loop_aes_gcm_8x_dec ++ ++ # load 2 more round keys (v11, v12) ++ lxv 11, 0xb0(6) ++ lxv 12, 0xc0(6) ++ ++ cmpdi 9, 12 ++ beq Loop_aes_gcm_8x_dec ++ ++ # load 2 more round keys (v11, v12, v13, v14) ++ lxv 13, 0xd0(6) ++ lxv 14, 0xe0(6) ++ cmpdi 9, 14 ++ beq Loop_aes_gcm_8x_dec ++ ++ b aes_gcm_out ++ ++.align 5 ++Loop_aes_gcm_8x_dec: ++ mr 14, 3 ++ mr 9, 4 ++ ++ # n blocks ++ li 10, 128 ++ divdu 10, 5, 10 # n 128 bytes-blocks ++ cmpdi 10, 0 ++ beq Loop_last_block_dec ++ ++ vaddudm 30, 30, 31 # IV + counter ++ vxor 16, 30, 29 ++ vaddudm 30, 30, 31 ++ vxor 17, 30, 29 ++ vaddudm 30, 30, 31 ++ 
vxor 18, 30, 29 ++ vaddudm 30, 30, 31 ++ vxor 19, 30, 29 ++ vaddudm 30, 30, 31 ++ vxor 20, 30, 29 ++ vaddudm 30, 30, 31 ++ vxor 21, 30, 29 ++ vaddudm 30, 30, 31 ++ vxor 22, 30, 29 ++ ++ mtctr 10 ++ ++ li 15, 16 ++ li 16, 32 ++ li 17, 48 ++ li 18, 64 ++ li 19, 80 ++ li 20, 96 ++ li 21, 112 ++ ++ lwz 10, 240(6) ++ ++Loop_8x_block_dec: ++ ++ lxvb16x 15, 0, 14 # load block ++ lxvb16x 16, 15, 14 # load block ++ lxvb16x 17, 16, 14 # load block ++ lxvb16x 18, 17, 14 # load block ++ lxvb16x 19, 18, 14 # load block ++ lxvb16x 20, 19, 14 # load block ++ lxvb16x 21, 20, 14 # load block ++ lxvb16x 22, 21, 14 # load block ++ addi 14, 14, 128 ++ ++ Loop_aes_middle8x ++ ++ xxlor 23+32, 10, 10 ++ ++ cmpdi 10, 10 ++ beq Do_last_aes_dec ++ ++ # 192 bits ++ xxlor 24+32, 11, 11 ++ ++ vcipher 15, 15, 23 ++ vcipher 16, 16, 23 ++ vcipher 17, 17, 23 ++ vcipher 18, 18, 23 ++ vcipher 19, 19, 23 ++ vcipher 20, 20, 23 ++ vcipher 21, 21, 23 ++ vcipher 22, 22, 23 ++ ++ vcipher 15, 15, 24 ++ vcipher 16, 16, 24 ++ vcipher 17, 17, 24 ++ vcipher 18, 18, 24 ++ vcipher 19, 19, 24 ++ vcipher 20, 20, 24 ++ vcipher 21, 21, 24 ++ vcipher 22, 22, 24 ++ ++ xxlor 23+32, 12, 12 ++ ++ cmpdi 10, 12 ++ beq Do_last_aes_dec ++ ++ # 256 bits ++ xxlor 24+32, 13, 13 ++ ++ vcipher 15, 15, 23 ++ vcipher 16, 16, 23 ++ vcipher 17, 17, 23 ++ vcipher 18, 18, 23 ++ vcipher 19, 19, 23 ++ vcipher 20, 20, 23 ++ vcipher 21, 21, 23 ++ vcipher 22, 22, 23 ++ ++ vcipher 15, 15, 24 ++ vcipher 16, 16, 24 ++ vcipher 17, 17, 24 ++ vcipher 18, 18, 24 ++ vcipher 19, 19, 24 ++ vcipher 20, 20, 24 ++ vcipher 21, 21, 24 ++ vcipher 22, 22, 24 ++ ++ xxlor 23+32, 14, 14 ++ ++ cmpdi 10, 14 ++ beq Do_last_aes_dec ++ b aes_gcm_out ++ ++Do_last_aes_dec: ++ ++ # ++ # last round ++ vcipherlast 15, 15, 23 ++ vcipherlast 16, 16, 23 ++ ++ xxlxor 47, 47, 15 ++ stxvb16x 47, 0, 9 # store output ++ xxlxor 48, 48, 16 ++ stxvb16x 48, 15, 9 # store output ++ ++ vcipherlast 17, 17, 23 ++ vcipherlast 18, 18, 23 ++ ++ xxlxor 49, 49, 17 ++ stxvb16x 49, 16, 9 # 
store output ++ xxlxor 50, 50, 18 ++ stxvb16x 50, 17, 9 # store output ++ ++ vcipherlast 19, 19, 23 ++ vcipherlast 20, 20, 23 ++ ++ xxlxor 51, 51, 19 ++ stxvb16x 51, 18, 9 # store output ++ xxlxor 52, 52, 20 ++ stxvb16x 52, 19, 9 # store output ++ ++ vcipherlast 21, 21, 23 ++ vcipherlast 22, 22, 23 ++ ++ xxlxor 53, 53, 21 ++ stxvb16x 53, 20, 9 # store output ++ xxlxor 54, 54, 22 ++ stxvb16x 54, 21, 9 # store output ++ ++ addi 9, 9, 128 ++ ++ xxlor 15+32, 15, 15 ++ xxlor 16+32, 16, 16 ++ xxlor 17+32, 17, 17 ++ xxlor 18+32, 18, 18 ++ xxlor 19+32, 19, 19 ++ xxlor 20+32, 20, 20 ++ xxlor 21+32, 21, 21 ++ xxlor 22+32, 22, 22 ++ ++ # ghash here ++ ppc_aes_gcm_ghash2_4x ++ ++ xxlor 27+32, 0, 0 ++ vaddudm 30, 30, 31 # IV + counter ++ vmr 29, 30 ++ vxor 15, 30, 27 # add round key ++ vaddudm 30, 30, 31 ++ vxor 16, 30, 27 ++ vaddudm 30, 30, 31 ++ vxor 17, 30, 27 ++ vaddudm 30, 30, 31 ++ vxor 18, 30, 27 ++ vaddudm 30, 30, 31 ++ vxor 19, 30, 27 ++ vaddudm 30, 30, 31 ++ vxor 20, 30, 27 ++ vaddudm 30, 30, 31 ++ vxor 21, 30, 27 ++ vaddudm 30, 30, 31 ++ vxor 22, 30, 27 ++ addi 12, 12, -128 ++ addi 11, 11, 128 ++ ++ bdnz Loop_8x_block_dec ++ ++ vmr 30, 29 ++ ++Loop_last_block_dec: ++ cmpdi 12, 0 ++ beq aes_gcm_out ++ ++ # loop last few blocks ++ li 10, 16 ++ divdu 10, 12, 10 ++ ++ mtctr 10 ++ ++ lwz 10,240(6) ++ ++ cmpdi 12, 16 ++ blt Final_block_dec ++ ++Next_rem_block_dec: ++ lxvb16x 15, 0, 14 # load block ++ ++ Loop_aes_middle_1x ++ ++ xxlor 23+32, 10, 10 ++ ++ cmpdi 10, 10 ++ beq Do_next_1x_dec ++ ++ # 192 bits ++ xxlor 24+32, 11, 11 ++ ++ vcipher 15, 15, 23 ++ vcipher 15, 15, 24 ++ ++ xxlor 23+32, 12, 12 ++ ++ cmpdi 10, 12 ++ beq Do_next_1x_dec ++ ++ # 256 bits ++ xxlor 24+32, 13, 13 ++ ++ vcipher 15, 15, 23 ++ vcipher 15, 15, 24 ++ ++ xxlor 23+32, 14, 14 ++ ++ cmpdi 10, 14 ++ beq Do_next_1x_dec ++ ++Do_next_1x_dec: ++ vcipherlast 15, 15, 23 ++ ++ xxlxor 47, 47, 15 ++ stxvb16x 47, 0, 9 # store output ++ addi 14, 14, 16 ++ addi 9, 9, 16 ++ ++ xxlor 28+32, 15, 15 ++ 
ppc_update_hash_1x ++ ++ addi 12, 12, -16 ++ addi 11, 11, 16 ++ xxlor 19+32, 0, 0 ++ vaddudm 30, 30, 31 # IV + counter ++ vxor 15, 30, 19 # add round key ++ ++ bdnz Next_rem_block_dec ++ ++ cmpdi 12, 0 ++ beq aes_gcm_out ++ ++Final_block_dec: ++ Loop_aes_middle_1x ++ ++ xxlor 23+32, 10, 10 ++ ++ cmpdi 10, 10 ++ beq Do_final_1x_dec ++ ++ # 192 bits ++ xxlor 24+32, 11, 11 ++ ++ vcipher 15, 15, 23 ++ vcipher 15, 15, 24 ++ ++ xxlor 23+32, 12, 12 ++ ++ cmpdi 10, 12 ++ beq Do_final_1x_dec ++ ++ # 256 bits ++ xxlor 24+32, 13, 13 ++ ++ vcipher 15, 15, 23 ++ vcipher 15, 15, 24 ++ ++ xxlor 23+32, 14, 14 ++ ++ cmpdi 10, 14 ++ beq Do_final_1x_dec ++ ++Do_final_1x_dec: ++ vcipherlast 15, 15, 23 ++ ++ lxvb16x 15, 0, 14 # load block ++ xxlxor 47, 47, 15 ++ ++ # create partial block mask ++ li 15, 16 ++ sub 15, 15, 12 # index to the mask ++ ++ vspltisb 16, -1 # first 16 bytes - 0xffff...ff ++ vspltisb 17, 0 # second 16 bytes - 0x0000...00 ++ li 10, 192 ++ stvx 16, 10, 1 ++ addi 10, 10, 16 ++ stvx 17, 10, 1 ++ ++ addi 10, 1, 192 ++ lxvb16x 16, 15, 10 # load block mask ++ xxland 47, 47, 16 ++ ++ xxlor 28+32, 15, 15 ++ ppc_update_hash_1x ++ ++ # * should store only the remaining bytes. 
++ bl Write_partial_block
++
++ b aes_gcm_out
++
++
++___
++
++foreach (split("\n",$code)) {
++ s/\`([^\`]*)\`/eval $1/geo;
++
++ if ($flavour =~ /le$/o) { # little-endian
++ s/le\?//o or
++ s/be\?/#be#/o;
++ } else {
++ s/le\?/#le#/o or
++ s/be\?//o;
++ }
++ print $_,"\n";
++}
++
++close STDOUT or die "error closing STDOUT: $!"; # enforce flush
+diff --git a/crypto/modes/build.info b/crypto/modes/build.info
+index 687e872..0ea122e 100644
+--- a/crypto/modes/build.info
++++ b/crypto/modes/build.info
+@@ -32,7 +32,7 @@ IF[{- !$disabled{asm} -}]
+ $MODESASM_parisc20_64=$MODESASM_parisc11
+ $MODESDEF_parisc20_64=$MODESDEF_parisc11
+ 
+- $MODESASM_ppc32=ghashp8-ppc.s
++ $MODESASM_ppc32=ghashp8-ppc.s aes-gcm-ppc.s
+ $MODESDEF_ppc32=
+ $MODESASM_ppc64=$MODESASM_ppc32
+ $MODESDEF_ppc64=$MODESDEF_ppc32
+@@ -71,6 +71,7 @@ INCLUDE[ghash-sparcv9.o]=..
+ GENERATE[ghash-alpha.S]=asm/ghash-alpha.pl
+ GENERATE[ghash-parisc.s]=asm/ghash-parisc.pl
+ GENERATE[ghashp8-ppc.s]=asm/ghashp8-ppc.pl
++GENERATE[aes-gcm-ppc.s]=asm/aes-gcm-ppc.pl
+ GENERATE[ghash-armv4.S]=asm/ghash-armv4.pl
+ INCLUDE[ghash-armv4.o]=..
+ GENERATE[ghashv8-armx.S]=asm/ghashv8-armx.pl
+diff --git a/include/crypto/aes_platform.h b/include/crypto/aes_platform.h
+index e95ad5a..0c281a3 100644
+--- a/include/crypto/aes_platform.h
++++ b/include/crypto/aes_platform.h
+@@ -74,6 +74,26 @@ void AES_xts_decrypt(const unsigned char *inp, unsigned char *out, size_t len,
+ # define HWAES_ctr32_encrypt_blocks aes_p8_ctr32_encrypt_blocks
+ # define HWAES_xts_encrypt aes_p8_xts_encrypt
+ # define HWAES_xts_decrypt aes_p8_xts_decrypt
++# define PPC_AES_GCM_CAPABLE (OPENSSL_ppccap_P & PPC_MADD300)
++# define AES_GCM_ENC_BYTES 128
++# define AES_GCM_DEC_BYTES 128
++size_t ppc_aes_gcm_encrypt(const unsigned char *in, unsigned char *out,
++ size_t len, const void *key, unsigned char ivec[16],
++ u64 *Xi);
++size_t ppc_aes_gcm_decrypt(const unsigned char *in, unsigned char *out,
++ size_t len, const void *key, unsigned char ivec[16],
++ u64 *Xi);
++size_t ppc_aes_gcm_encrypt_wrap(const unsigned char *in, unsigned char *out,
++ size_t len, const void *key,
++ unsigned char ivec[16], u64 *Xi);
++size_t ppc_aes_gcm_decrypt_wrap(const unsigned char *in, unsigned char *out,
++ size_t len, const void *key,
++ unsigned char ivec[16], u64 *Xi);
++# define AES_gcm_encrypt ppc_aes_gcm_encrypt_wrap
++# define AES_gcm_decrypt ppc_aes_gcm_decrypt_wrap
++# define AES_GCM_ASM(gctx) ((gctx)->ctr==aes_p8_ctr32_encrypt_blocks && \
++ (gctx)->gcm.ghash==gcm_ghash_p8)
++void gcm_ghash_p8(u64 Xi[2],const u128 Htable[16],const u8 *inp, size_t len);
+ # endif /* PPC */
+ 
+ # if (defined(__arm__) || defined(__arm) || defined(__aarch64__))
+diff --git a/providers/implementations/ciphers/cipher_aes_gcm_hw.c b/providers/implementations/ciphers/cipher_aes_gcm_hw.c
+index 44fa9d4..789ec12 100644
+--- a/providers/implementations/ciphers/cipher_aes_gcm_hw.c
++++ b/providers/implementations/ciphers/cipher_aes_gcm_hw.c
+@@ -141,6 +141,8 @@ static const PROV_GCM_HW aes_gcm = {
+ # include "cipher_aes_gcm_hw_t4.inc"
+ #elif defined(AES_PMULL_CAPABLE) && 
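Review bot: The generated `aes-gcm-ppc.s` is appended to `$MODESASM_ppc32`, which `$MODESASM_ppc64` inherits, so the 32-bit ppc target will also generate and assemble it, while the assembly earlier in this patch uses 64-bit-only instructions (`divdu`, `cmpdi`) and ISA 3.0 vector loads (`lxvb16x`). Unless `aes-gcm-ppc.pl` emits an empty or flavour-guarded file for 32-bit builds, this looks like it would break a `linux-ppc` build; listing it only for ppc64, e.g. `$MODESASM_ppc64=$MODESASM_ppc32 aes-gcm-ppc.s`, avoids the question. Whether the `.pl` guards by flavour is not visible in this chunk.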
defined(AES_GCM_ASM)
+ # include "cipher_aes_gcm_hw_armv8.inc"
++#elif defined(PPC_AES_GCM_CAPABLE)
++# include "cipher_aes_gcm_hw_ppc.inc"
+ #else
+ const PROV_GCM_HW *ossl_prov_aes_hw_gcm(size_t keybits)
+ {
+diff --git a/providers/implementations/ciphers/cipher_aes_gcm_hw_ppc.inc b/providers/implementations/ciphers/cipher_aes_gcm_hw_ppc.inc
+new file mode 100644
+index 0000000..4eed0f4
+--- /dev/null
++++ b/providers/implementations/ciphers/cipher_aes_gcm_hw_ppc.inc
+@@ -0,0 +1,119 @@
++/*
++ * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
++ *
++ * Licensed under the Apache License 2.0 (the "License"). You may not use
++ * this file except in compliance with the License. You can obtain a copy
++ * in the file LICENSE in the source distribution or at
++ * https://www.openssl.org/source/license.html
++ */
++
++/*-
++ * PPC support for AES GCM.
++ * This file is included by cipher_aes_gcm_hw.c
++ */
++
++static int aes_ppc_gcm_initkey(PROV_GCM_CTX *ctx, const unsigned char *key,
++ size_t keylen)
++{
++ PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx;
++ AES_KEY *ks = &actx->ks.ks;
++
++ GCM_HW_SET_KEY_CTR_FN(ks, aes_p8_set_encrypt_key, aes_p8_encrypt,
++ aes_p8_ctr32_encrypt_blocks);
++ return 1;
++}
++
++
++extern size_t ppc_aes_gcm_encrypt(const unsigned char *in, unsigned char *out, size_t len,
++ const void *key, unsigned char ivec[16], u64 *Xi);
++extern size_t ppc_aes_gcm_decrypt(const unsigned char *in, unsigned char *out, size_t len,
++ const void *key, unsigned char ivec[16], u64 *Xi);
++
++static inline u32 UTO32(unsigned char *buf)
++{
++ return ((u32) buf[0] << 24) | ((u32) buf[1] << 16) | ((u32) buf[2] << 8) | ((u32) buf[3]);
++}
++
++static inline u32 add32TOU(unsigned char buf[4], u32 n)
++{
++ u32 r;
++
++ r = UTO32(buf);
++ r += n;
++ buf[0] = (unsigned char) (r >> 24) & 0xFF;
++ buf[1] = (unsigned char) (r >> 16) & 0xFF;
++ buf[2] = (unsigned char) (r >> 8) & 0xFF;
++ buf[3] = (unsigned char) r & 0xFF;
++ return r;
++}
++
++static size_t aes_p10_gcm_crypt(const unsigned char *in, unsigned char *out, size_t len,
++ const void *key, unsigned char ivec[16], u64 *Xi, int encrypt)
++{
++ int s = 0;
++ int ndone = 0;
++ int ctr_reset = 0;
++ u64 blocks_unused;
++ u64 nb = len / 16;
++ u64 next_ctr = 0;
++ unsigned char ctr_saved[12];
++
++ memcpy(ctr_saved, ivec, 12);
++
++ while (nb) {
++ blocks_unused = (u64) 0xffffffffU + 1 - (u64) UTO32 (ivec + 12);
++ if (nb > blocks_unused) {
++ len = blocks_unused * 16;
++ nb -= blocks_unused;
++ next_ctr = blocks_unused;
++ ctr_reset = 1;
++ } else {
++ len = nb * 16;
++ next_ctr = nb;
++ nb = 0;
++ }
++
++ s = encrypt ? ppc_aes_gcm_encrypt(in, out, len, key, ivec, Xi)
++ : ppc_aes_gcm_decrypt(in, out, len, key, ivec, Xi);
++
++ /* add counter to ivec */
++ add32TOU(ivec + 12, (u32) next_ctr);
++ if (ctr_reset) {
++ ctr_reset = 0;
++ in += len;
++ out += len;
++ }
++ memcpy(ivec, ctr_saved, 12);
++ ndone += s;
++ }
++
++ return ndone;
++}
++
++size_t ppc_aes_gcm_encrypt_wrap(const unsigned char *in, unsigned char *out, size_t len,
++ const void *key, unsigned char ivec[16], u64 *Xi)
++{
++ return aes_p10_gcm_crypt(in, out, len, key, ivec, Xi, 1);
++}
++
++size_t ppc_aes_gcm_decrypt_wrap(const unsigned char *in, unsigned char *out, size_t len,
++ const void *key, unsigned char ivec[16], u64 *Xi)
++{
++ return aes_p10_gcm_crypt(in, out, len, key, ivec, Xi, 0);
++}
++
++
++static const PROV_GCM_HW aes_ppc_gcm = {
++ aes_ppc_gcm_initkey,
++ ossl_gcm_setiv,
++ ossl_gcm_aad_update,
++ generic_aes_gcm_cipher_update,
++ ossl_gcm_cipher_final,
++ ossl_gcm_one_shot
++};
++
++const PROV_GCM_HW *ossl_prov_aes_hw_gcm(size_t keybits)
++{
++ return PPC_AES_GCM_CAPABLE ? &aes_ppc_gcm : &aes_gcm;
++}
++
diff --git a/SOURCES/0072-ChaCha20-performance-optimizations-for-ppc64le.patch b/SOURCES/0072-ChaCha20-performance-optimizations-for-ppc64le.patch
new file mode 100644
index 0000000..e5e7f9b
--- /dev/null
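Review bot: `s` and `ndone` in `aes_p10_gcm_crypt` are declared `int` but receive and accumulate the `size_t` results of `ppc_aes_gcm_encrypt`/`ppc_aes_gcm_decrypt`, and `ndone` is then returned as `size_t`; for a buffer above INT_MAX bytes the processed count is silently truncated, and that count is what the caller relies on to know how much still needs the generic path. Declare them as `size_t s = 0;` and `size_t ndone = 0;`. The loop also advances `in`/`out` by the requested `len` rather than by `s`; if the assembly can ever process fewer bytes than asked, the next chunk would start at the wrong offset, so either assert `s == len` or advance by `s`. The `& 0xFF` in `add32TOU` is applied after the `(unsigned char)` cast and so is a no-op; `(unsigned char)((r >> 24) & 0xFF)` says what was meant. The two `extern` prototypes above this function duplicate the declarations this patch already adds to `include/crypto/aes_platform.h` and could be dropped.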
+++ b/SOURCES/0072-ChaCha20-performance-optimizations-for-ppc64le.patch 
@@ -0,0 +1,1493 @@
+Upstream-Status: Backport [
+ https://github.com/openssl/openssl/commit/f596bbe4da779b56eea34d96168b557d78e1149,
+ https://github.com/openssl/openssl/commit/7e1f3ffcc5bc15fb9a12b9e3bb202f544c6ed5aa,
+ hunks in crypto/ppccap.c from https://github.com/openssl/openssl/commit/f5485b97b6c9977c0d39c7669b9f97a879312447
+]
+diff --git a/crypto/chacha/asm/chachap10-ppc.pl b/crypto/chacha/asm/chachap10-ppc.pl
+new file mode 100755
+index 0000000..36e9a8d
+--- /dev/null
++++ b/crypto/chacha/asm/chachap10-ppc.pl
+@@ -0,0 +1,1288 @@
++#! /usr/bin/env perl
++# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
++#
++# Licensed under the Apache License 2.0 (the "License"). You may not use
++# this file except in compliance with the License. You can obtain a copy
++# in the file LICENSE in the source distribution or at
++# https://www.openssl.org/source/license.html
++
++#
++# ====================================================================
++# Written by Andy Polyakov for the OpenSSL
++# project. The module is, however, dual licensed under OpenSSL and
++# CRYPTOGAMS licenses depending on where you obtain it. For further
++# details see http://www.openssl.org/~appro/cryptogams/.
++# ====================================================================
++#
++# October 2015
++#
++# ChaCha20 for PowerPC/AltiVec.
++#
++# June 2018
++#
++# Add VSX 2.07 code path. Original 3xAltiVec+1xIALU is well-suited for
++# processors that can't issue more than one vector instruction per
++# cycle. But POWER8 (and POWER9) can issue a pair, and vector-only 4x
++# interleave would perform better. Incidentally PowerISA 2.07 (first
++# implemented by POWER8) defined new usable instructions, hence 4xVSX
++# code path...
++#
++# Performance in cycles per byte out of large buffer.
++#
++# IALU/gcc-4.x 3xAltiVec+1xIALU 4xVSX
++#
++# Freescale e300 13.6/+115% - -
++# PPC74x0/G4e 6.81/+310% 3.81 -
++# PPC970/G5 9.29/+160% ? 
- ++# POWER7 8.62/+61% 3.35 - ++# POWER8 8.70/+51% 2.91 2.09 ++# POWER9 8.80/+29% 4.44(*) 2.45(**) ++# ++# (*) this is trade-off result, it's possible to improve it, but ++# then it would negatively affect all others; ++# (**) POWER9 seems to be "allergic" to mixing vector and integer ++# instructions, which is why switch to vector-only code pays ++# off that much; ++ ++# $output is the last argument if it looks like a file (it has an extension) ++# $flavour is the first argument if it doesn't look like a file ++$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef; ++$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef; ++ ++if ($flavour =~ /64/) { ++ $SIZE_T =8; ++ $LRSAVE =2*$SIZE_T; ++ $STU ="stdu"; ++ $POP ="ld"; ++ $PUSH ="std"; ++ $UCMP ="cmpld"; ++} elsif ($flavour =~ /32/) { ++ $SIZE_T =4; ++ $LRSAVE =$SIZE_T; ++ $STU ="stwu"; ++ $POP ="lwz"; ++ $PUSH ="stw"; ++ $UCMP ="cmplw"; ++} else { die "nonsense $flavour"; } ++ ++$LITTLE_ENDIAN = ($flavour=~/le$/) ? 1 : 0; ++ ++$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; ++( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or ++( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or ++die "can't locate ppc-xlate.pl"; ++ ++open STDOUT,"| $^X $xlate $flavour \"$output\"" ++ or die "can't call $xlate: $!"; ++ ++$LOCALS=6*$SIZE_T; ++$FRAME=$LOCALS+64+18*$SIZE_T; # 64 is for local variables ++ ++sub AUTOLOAD() # thunk [simplified] x86-style perlasm ++{ my $opcode = $AUTOLOAD; $opcode =~ s/.*:://; $opcode =~ s/_/\./; ++ $code .= "\t$opcode\t".join(',',@_)."\n"; ++} ++ ++my $sp = "r1"; ++ ++my ($out,$inp,$len,$key,$ctr) = map("r$_",(3..7)); ++ ++ ++{{{ ++my ($xa0,$xa1,$xa2,$xa3, $xb0,$xb1,$xb2,$xb3, ++ $xc0,$xc1,$xc2,$xc3, $xd0,$xd1,$xd2,$xd3) = map("v$_",(0..15)); ++my @K = map("v$_",(16..19)); ++my $CTR = "v26"; ++my ($xt0,$xt1,$xt2,$xt3) = map("v$_",(27..30)); ++my ($sixteen,$twelve,$eight,$seven) = ($xt0,$xt1,$xt2,$xt3); ++my $beperm = "v31"; ++ ++my ($x00,$x10,$x20,$x30) = (0, map("r$_",(8..10))); ++ 
++my $FRAME=$LOCALS+64+7*16; # 7*16 is for v26-v31 offload ++ ++ ++sub VSX_lane_ROUND_4x { ++my ($a0,$b0,$c0,$d0)=@_; ++my ($a1,$b1,$c1,$d1)=map(($_&~3)+(($_+1)&3),($a0,$b0,$c0,$d0)); ++my ($a2,$b2,$c2,$d2)=map(($_&~3)+(($_+1)&3),($a1,$b1,$c1,$d1)); ++my ($a3,$b3,$c3,$d3)=map(($_&~3)+(($_+1)&3),($a2,$b2,$c2,$d2)); ++my @x=map("\"v$_\"",(0..15)); ++ ++ ( ++ "&vadduwm (@x[$a0],@x[$a0],@x[$b0])", # Q1 ++ "&vadduwm (@x[$a1],@x[$a1],@x[$b1])", # Q2 ++ "&vadduwm (@x[$a2],@x[$a2],@x[$b2])", # Q3 ++ "&vadduwm (@x[$a3],@x[$a3],@x[$b3])", # Q4 ++ "&vxor (@x[$d0],@x[$d0],@x[$a0])", ++ "&vxor (@x[$d1],@x[$d1],@x[$a1])", ++ "&vxor (@x[$d2],@x[$d2],@x[$a2])", ++ "&vxor (@x[$d3],@x[$d3],@x[$a3])", ++ "&vrlw (@x[$d0],@x[$d0],'$sixteen')", ++ "&vrlw (@x[$d1],@x[$d1],'$sixteen')", ++ "&vrlw (@x[$d2],@x[$d2],'$sixteen')", ++ "&vrlw (@x[$d3],@x[$d3],'$sixteen')", ++ ++ "&vadduwm (@x[$c0],@x[$c0],@x[$d0])", ++ "&vadduwm (@x[$c1],@x[$c1],@x[$d1])", ++ "&vadduwm (@x[$c2],@x[$c2],@x[$d2])", ++ "&vadduwm (@x[$c3],@x[$c3],@x[$d3])", ++ "&vxor (@x[$b0],@x[$b0],@x[$c0])", ++ "&vxor (@x[$b1],@x[$b1],@x[$c1])", ++ "&vxor (@x[$b2],@x[$b2],@x[$c2])", ++ "&vxor (@x[$b3],@x[$b3],@x[$c3])", ++ "&vrlw (@x[$b0],@x[$b0],'$twelve')", ++ "&vrlw (@x[$b1],@x[$b1],'$twelve')", ++ "&vrlw (@x[$b2],@x[$b2],'$twelve')", ++ "&vrlw (@x[$b3],@x[$b3],'$twelve')", ++ ++ "&vadduwm (@x[$a0],@x[$a0],@x[$b0])", ++ "&vadduwm (@x[$a1],@x[$a1],@x[$b1])", ++ "&vadduwm (@x[$a2],@x[$a2],@x[$b2])", ++ "&vadduwm (@x[$a3],@x[$a3],@x[$b3])", ++ "&vxor (@x[$d0],@x[$d0],@x[$a0])", ++ "&vxor (@x[$d1],@x[$d1],@x[$a1])", ++ "&vxor (@x[$d2],@x[$d2],@x[$a2])", ++ "&vxor (@x[$d3],@x[$d3],@x[$a3])", ++ "&vrlw (@x[$d0],@x[$d0],'$eight')", ++ "&vrlw (@x[$d1],@x[$d1],'$eight')", ++ "&vrlw (@x[$d2],@x[$d2],'$eight')", ++ "&vrlw (@x[$d3],@x[$d3],'$eight')", ++ ++ "&vadduwm (@x[$c0],@x[$c0],@x[$d0])", ++ "&vadduwm (@x[$c1],@x[$c1],@x[$d1])", ++ "&vadduwm (@x[$c2],@x[$c2],@x[$d2])", ++ "&vadduwm (@x[$c3],@x[$c3],@x[$d3])", ++ "&vxor 
(@x[$b0],@x[$b0],@x[$c0])", ++ "&vxor (@x[$b1],@x[$b1],@x[$c1])", ++ "&vxor (@x[$b2],@x[$b2],@x[$c2])", ++ "&vxor (@x[$b3],@x[$b3],@x[$c3])", ++ "&vrlw (@x[$b0],@x[$b0],'$seven')", ++ "&vrlw (@x[$b1],@x[$b1],'$seven')", ++ "&vrlw (@x[$b2],@x[$b2],'$seven')", ++ "&vrlw (@x[$b3],@x[$b3],'$seven')" ++ ); ++} ++ ++$code.=<<___; ++ ++.globl .ChaCha20_ctr32_vsx_p10 ++.align 5 ++.ChaCha20_ctr32_vsx_p10: ++ ${UCMP}i $len,255 ++ bgt ChaCha20_ctr32_vsx_8x ++ $STU $sp,-$FRAME($sp) ++ mflr r0 ++ li r10,`15+$LOCALS+64` ++ li r11,`31+$LOCALS+64` ++ mfspr r12,256 ++ stvx v26,r10,$sp ++ addi r10,r10,32 ++ stvx v27,r11,$sp ++ addi r11,r11,32 ++ stvx v28,r10,$sp ++ addi r10,r10,32 ++ stvx v29,r11,$sp ++ addi r11,r11,32 ++ stvx v30,r10,$sp ++ stvx v31,r11,$sp ++ stw r12,`$FRAME-4`($sp) # save vrsave ++ li r12,-4096+63 ++ $PUSH r0, `$FRAME+$LRSAVE`($sp) ++ mtspr 256,r12 # preserve 29 AltiVec registers ++ ++ bl Lconsts # returns pointer Lsigma in r12 ++ lvx_4w @K[0],0,r12 # load sigma ++ addi r12,r12,0x70 ++ li $x10,16 ++ li $x20,32 ++ li $x30,48 ++ li r11,64 ++ ++ lvx_4w @K[1],0,$key # load key ++ lvx_4w @K[2],$x10,$key ++ lvx_4w @K[3],0,$ctr # load counter ++ ++ vxor $xt0,$xt0,$xt0 ++ lvx_4w $xt1,r11,r12 ++ vspltw $CTR,@K[3],0 ++ vsldoi @K[3],@K[3],$xt0,4 ++ vsldoi @K[3],$xt0,@K[3],12 # clear @K[3].word[0] ++ vadduwm $CTR,$CTR,$xt1 ++ ++ be?lvsl $beperm,0,$x10 # 0x00..0f ++ be?vspltisb $xt0,3 # 0x03..03 ++ be?vxor $beperm,$beperm,$xt0 # swap bytes within words ++ ++ li r0,10 # inner loop counter ++ mtctr r0 ++ b Loop_outer_vsx ++ ++.align 5 ++Loop_outer_vsx: ++ lvx $xa0,$x00,r12 # load [smashed] sigma ++ lvx $xa1,$x10,r12 ++ lvx $xa2,$x20,r12 ++ lvx $xa3,$x30,r12 ++ ++ vspltw $xb0,@K[1],0 # smash the key ++ vspltw $xb1,@K[1],1 ++ vspltw $xb2,@K[1],2 ++ vspltw $xb3,@K[1],3 ++ ++ vspltw $xc0,@K[2],0 ++ vspltw $xc1,@K[2],1 ++ vspltw $xc2,@K[2],2 ++ vspltw $xc3,@K[2],3 ++ ++ vmr $xd0,$CTR # smash the counter ++ vspltw $xd1,@K[3],1 ++ vspltw $xd2,@K[3],2 ++ vspltw $xd3,@K[3],3 ++ ++ 
vspltisw $sixteen,-16 # synthesize constants ++ vspltisw $twelve,12 ++ vspltisw $eight,8 ++ vspltisw $seven,7 ++ ++Loop_vsx_4x: ++___ ++ foreach (&VSX_lane_ROUND_4x(0, 4, 8,12)) { eval; } ++ foreach (&VSX_lane_ROUND_4x(0, 5,10,15)) { eval; } ++$code.=<<___; ++ ++ bdnz Loop_vsx_4x ++ ++ vadduwm $xd0,$xd0,$CTR ++ ++ vmrgew $xt0,$xa0,$xa1 # transpose data ++ vmrgew $xt1,$xa2,$xa3 ++ vmrgow $xa0,$xa0,$xa1 ++ vmrgow $xa2,$xa2,$xa3 ++ vmrgew $xt2,$xb0,$xb1 ++ vmrgew $xt3,$xb2,$xb3 ++ vpermdi $xa1,$xa0,$xa2,0b00 ++ vpermdi $xa3,$xa0,$xa2,0b11 ++ vpermdi $xa0,$xt0,$xt1,0b00 ++ vpermdi $xa2,$xt0,$xt1,0b11 ++ ++ vmrgow $xb0,$xb0,$xb1 ++ vmrgow $xb2,$xb2,$xb3 ++ vmrgew $xt0,$xc0,$xc1 ++ vmrgew $xt1,$xc2,$xc3 ++ vpermdi $xb1,$xb0,$xb2,0b00 ++ vpermdi $xb3,$xb0,$xb2,0b11 ++ vpermdi $xb0,$xt2,$xt3,0b00 ++ vpermdi $xb2,$xt2,$xt3,0b11 ++ ++ vmrgow $xc0,$xc0,$xc1 ++ vmrgow $xc2,$xc2,$xc3 ++ vmrgew $xt2,$xd0,$xd1 ++ vmrgew $xt3,$xd2,$xd3 ++ vpermdi $xc1,$xc0,$xc2,0b00 ++ vpermdi $xc3,$xc0,$xc2,0b11 ++ vpermdi $xc0,$xt0,$xt1,0b00 ++ vpermdi $xc2,$xt0,$xt1,0b11 ++ ++ vmrgow $xd0,$xd0,$xd1 ++ vmrgow $xd2,$xd2,$xd3 ++ vspltisw $xt0,4 ++ vadduwm $CTR,$CTR,$xt0 # next counter value ++ vpermdi $xd1,$xd0,$xd2,0b00 ++ vpermdi $xd3,$xd0,$xd2,0b11 ++ vpermdi $xd0,$xt2,$xt3,0b00 ++ vpermdi $xd2,$xt2,$xt3,0b11 ++ ++ vadduwm $xa0,$xa0,@K[0] ++ vadduwm $xb0,$xb0,@K[1] ++ vadduwm $xc0,$xc0,@K[2] ++ vadduwm $xd0,$xd0,@K[3] ++ ++ be?vperm $xa0,$xa0,$xa0,$beperm ++ be?vperm $xb0,$xb0,$xb0,$beperm ++ be?vperm $xc0,$xc0,$xc0,$beperm ++ be?vperm $xd0,$xd0,$xd0,$beperm ++ ++ ${UCMP}i $len,0x40 ++ blt Ltail_vsx ++ ++ lvx_4w $xt0,$x00,$inp ++ lvx_4w $xt1,$x10,$inp ++ lvx_4w $xt2,$x20,$inp ++ lvx_4w $xt3,$x30,$inp ++ ++ vxor $xt0,$xt0,$xa0 ++ vxor $xt1,$xt1,$xb0 ++ vxor $xt2,$xt2,$xc0 ++ vxor $xt3,$xt3,$xd0 ++ ++ stvx_4w $xt0,$x00,$out ++ stvx_4w $xt1,$x10,$out ++ addi $inp,$inp,0x40 ++ stvx_4w $xt2,$x20,$out ++ subi $len,$len,0x40 ++ stvx_4w $xt3,$x30,$out ++ addi $out,$out,0x40 ++ beq Ldone_vsx ++ ++ 
vadduwm $xa0,$xa1,@K[0] ++ vadduwm $xb0,$xb1,@K[1] ++ vadduwm $xc0,$xc1,@K[2] ++ vadduwm $xd0,$xd1,@K[3] ++ ++ be?vperm $xa0,$xa0,$xa0,$beperm ++ be?vperm $xb0,$xb0,$xb0,$beperm ++ be?vperm $xc0,$xc0,$xc0,$beperm ++ be?vperm $xd0,$xd0,$xd0,$beperm ++ ++ ${UCMP}i $len,0x40 ++ blt Ltail_vsx ++ ++ lvx_4w $xt0,$x00,$inp ++ lvx_4w $xt1,$x10,$inp ++ lvx_4w $xt2,$x20,$inp ++ lvx_4w $xt3,$x30,$inp ++ ++ vxor $xt0,$xt0,$xa0 ++ vxor $xt1,$xt1,$xb0 ++ vxor $xt2,$xt2,$xc0 ++ vxor $xt3,$xt3,$xd0 ++ ++ stvx_4w $xt0,$x00,$out ++ stvx_4w $xt1,$x10,$out ++ addi $inp,$inp,0x40 ++ stvx_4w $xt2,$x20,$out ++ subi $len,$len,0x40 ++ stvx_4w $xt3,$x30,$out ++ addi $out,$out,0x40 ++ beq Ldone_vsx ++ ++ vadduwm $xa0,$xa2,@K[0] ++ vadduwm $xb0,$xb2,@K[1] ++ vadduwm $xc0,$xc2,@K[2] ++ vadduwm $xd0,$xd2,@K[3] ++ ++ be?vperm $xa0,$xa0,$xa0,$beperm ++ be?vperm $xb0,$xb0,$xb0,$beperm ++ be?vperm $xc0,$xc0,$xc0,$beperm ++ be?vperm $xd0,$xd0,$xd0,$beperm ++ ++ ${UCMP}i $len,0x40 ++ blt Ltail_vsx ++ ++ lvx_4w $xt0,$x00,$inp ++ lvx_4w $xt1,$x10,$inp ++ lvx_4w $xt2,$x20,$inp ++ lvx_4w $xt3,$x30,$inp ++ ++ vxor $xt0,$xt0,$xa0 ++ vxor $xt1,$xt1,$xb0 ++ vxor $xt2,$xt2,$xc0 ++ vxor $xt3,$xt3,$xd0 ++ ++ stvx_4w $xt0,$x00,$out ++ stvx_4w $xt1,$x10,$out ++ addi $inp,$inp,0x40 ++ stvx_4w $xt2,$x20,$out ++ subi $len,$len,0x40 ++ stvx_4w $xt3,$x30,$out ++ addi $out,$out,0x40 ++ beq Ldone_vsx ++ ++ vadduwm $xa0,$xa3,@K[0] ++ vadduwm $xb0,$xb3,@K[1] ++ vadduwm $xc0,$xc3,@K[2] ++ vadduwm $xd0,$xd3,@K[3] ++ ++ be?vperm $xa0,$xa0,$xa0,$beperm ++ be?vperm $xb0,$xb0,$xb0,$beperm ++ be?vperm $xc0,$xc0,$xc0,$beperm ++ be?vperm $xd0,$xd0,$xd0,$beperm ++ ++ ${UCMP}i $len,0x40 ++ blt Ltail_vsx ++ ++ lvx_4w $xt0,$x00,$inp ++ lvx_4w $xt1,$x10,$inp ++ lvx_4w $xt2,$x20,$inp ++ lvx_4w $xt3,$x30,$inp ++ ++ vxor $xt0,$xt0,$xa0 ++ vxor $xt1,$xt1,$xb0 ++ vxor $xt2,$xt2,$xc0 ++ vxor $xt3,$xt3,$xd0 ++ ++ stvx_4w $xt0,$x00,$out ++ stvx_4w $xt1,$x10,$out ++ addi $inp,$inp,0x40 ++ stvx_4w $xt2,$x20,$out ++ subi $len,$len,0x40 ++ stvx_4w 
$xt3,$x30,$out ++ addi $out,$out,0x40 ++ mtctr r0 ++ bne Loop_outer_vsx ++ ++Ldone_vsx: ++ lwz r12,`$FRAME-4`($sp) # pull vrsave ++ li r10,`15+$LOCALS+64` ++ li r11,`31+$LOCALS+64` ++ $POP r0, `$FRAME+$LRSAVE`($sp) ++ mtspr 256,r12 # restore vrsave ++ lvx v26,r10,$sp ++ addi r10,r10,32 ++ lvx v27,r11,$sp ++ addi r11,r11,32 ++ lvx v28,r10,$sp ++ addi r10,r10,32 ++ lvx v29,r11,$sp ++ addi r11,r11,32 ++ lvx v30,r10,$sp ++ lvx v31,r11,$sp ++ mtlr r0 ++ addi $sp,$sp,$FRAME ++ blr ++ ++.align 4 ++Ltail_vsx: ++ addi r11,$sp,$LOCALS ++ mtctr $len ++ stvx_4w $xa0,$x00,r11 # offload block to stack ++ stvx_4w $xb0,$x10,r11 ++ stvx_4w $xc0,$x20,r11 ++ stvx_4w $xd0,$x30,r11 ++ subi r12,r11,1 # prepare for *++ptr ++ subi $inp,$inp,1 ++ subi $out,$out,1 ++ ++Loop_tail_vsx: ++ lbzu r6,1(r12) ++ lbzu r7,1($inp) ++ xor r6,r6,r7 ++ stbu r6,1($out) ++ bdnz Loop_tail_vsx ++ ++ stvx_4w $K[0],$x00,r11 # wipe copy of the block ++ stvx_4w $K[0],$x10,r11 ++ stvx_4w $K[0],$x20,r11 ++ stvx_4w $K[0],$x30,r11 ++ ++ b Ldone_vsx ++ .long 0 ++ .byte 0,12,0x04,1,0x80,0,5,0 ++ .long 0 ++.size .ChaCha20_ctr32_vsx_p10,.-.ChaCha20_ctr32_vsx_p10 ++___ ++}}} ++ ++##This is 8 block in parallel implementation. The heart of chacha round uses vector instruction that has access to ++# vsr[32+X]. To perform the 8 parallel block we tend to use all 32 register to hold the 8 block info. ++# WE need to store few register value on side, so we can use VSR{32+X} for few vector instructions used in round op and hold intermediate value. ++# WE use the VSR[0]-VSR[31] for holding intermediate value and perform 8 block in parallel. 
++# ++{{{ ++#### ($out,$inp,$len,$key,$ctr) = map("r$_",(3..7)); ++my ($xa0,$xa1,$xa2,$xa3, $xb0,$xb1,$xb2,$xb3, ++ $xc0,$xc1,$xc2,$xc3, $xd0,$xd1,$xd2,$xd3, ++ $xa4,$xa5,$xa6,$xa7, $xb4,$xb5,$xb6,$xb7, ++ $xc4,$xc5,$xc6,$xc7, $xd4,$xd5,$xd6,$xd7) = map("v$_",(0..31)); ++my ($xcn4,$xcn5,$xcn6,$xcn7, $xdn4,$xdn5,$xdn6,$xdn7) = map("v$_",(8..15)); ++my ($xan0,$xbn0,$xcn0,$xdn0) = map("v$_",(0..3)); ++my @K = map("v$_",27,(24..26)); ++my ($xt0,$xt1,$xt2,$xt3,$xt4) = map("v$_",23,(28..31)); ++my $xr0 = "v4"; ++my $CTR0 = "v22"; ++my $CTR1 = "v5"; ++my $beperm = "v31"; ++my ($x00,$x10,$x20,$x30) = (0, map("r$_",(8..10))); ++my ($xv0,$xv1,$xv2,$xv3,$xv4,$xv5,$xv6,$xv7) = map("v$_",(0..7)); ++my ($xv8,$xv9,$xv10,$xv11,$xv12,$xv13,$xv14,$xv15,$xv16,$xv17) = map("v$_",(8..17)); ++my ($xv18,$xv19,$xv20,$xv21) = map("v$_",(18..21)); ++my ($xv22,$xv23,$xv24,$xv25,$xv26) = map("v$_",(22..26)); ++ ++my $FRAME=$LOCALS+64+9*16; # 8*16 is for v24-v31 offload ++ ++sub VSX_lane_ROUND_8x { ++my ($a0,$b0,$c0,$d0,$a4,$b4,$c4,$d4)=@_; ++my ($a1,$b1,$c1,$d1)=map(($_&~3)+(($_+1)&3),($a0,$b0,$c0,$d0)); ++my ($a2,$b2,$c2,$d2)=map(($_&~3)+(($_+1)&3),($a1,$b1,$c1,$d1)); ++my ($a3,$b3,$c3,$d3)=map(($_&~3)+(($_+1)&3),($a2,$b2,$c2,$d2)); ++my ($a5,$b5,$c5,$d5)=map(($_&~3)+(($_+1)&3),($a4,$b4,$c4,$d4)); ++my ($a6,$b6,$c6,$d6)=map(($_&~3)+(($_+1)&3),($a5,$b5,$c5,$d5)); ++my ($a7,$b7,$c7,$d7)=map(($_&~3)+(($_+1)&3),($a6,$b6,$c6,$d6)); ++my ($xv8,$xv9,$xv10,$xv11,$xv12,$xv13,$xv14,$xv15,$xv16,$xv17) = map("\"v$_\"",(8..17)); ++my @x=map("\"v$_\"",(0..31)); ++ ++ ( ++ "&vxxlor ($xv15 ,@x[$c7],@x[$c7])", #copy v30 to v13 ++ "&vxxlorc (@x[$c7], $xv9,$xv9)", ++ ++ "&vadduwm (@x[$a0],@x[$a0],@x[$b0])", # Q1 ++ "&vadduwm (@x[$a1],@x[$a1],@x[$b1])", # Q2 ++ "&vadduwm (@x[$a2],@x[$a2],@x[$b2])", # Q3 ++ "&vadduwm (@x[$a3],@x[$a3],@x[$b3])", # Q4 ++ "&vadduwm (@x[$a4],@x[$a4],@x[$b4])", # Q1 ++ "&vadduwm (@x[$a5],@x[$a5],@x[$b5])", # Q2 ++ "&vadduwm (@x[$a6],@x[$a6],@x[$b6])", # Q3 ++ "&vadduwm 
(@x[$a7],@x[$a7],@x[$b7])", # Q4 ++ ++ "&vxor (@x[$d0],@x[$d0],@x[$a0])", ++ "&vxor (@x[$d1],@x[$d1],@x[$a1])", ++ "&vxor (@x[$d2],@x[$d2],@x[$a2])", ++ "&vxor (@x[$d3],@x[$d3],@x[$a3])", ++ "&vxor (@x[$d4],@x[$d4],@x[$a4])", ++ "&vxor (@x[$d5],@x[$d5],@x[$a5])", ++ "&vxor (@x[$d6],@x[$d6],@x[$a6])", ++ "&vxor (@x[$d7],@x[$d7],@x[$a7])", ++ ++ "&vrlw (@x[$d0],@x[$d0],@x[$c7])", ++ "&vrlw (@x[$d1],@x[$d1],@x[$c7])", ++ "&vrlw (@x[$d2],@x[$d2],@x[$c7])", ++ "&vrlw (@x[$d3],@x[$d3],@x[$c7])", ++ "&vrlw (@x[$d4],@x[$d4],@x[$c7])", ++ "&vrlw (@x[$d5],@x[$d5],@x[$c7])", ++ "&vrlw (@x[$d6],@x[$d6],@x[$c7])", ++ "&vrlw (@x[$d7],@x[$d7],@x[$c7])", ++ ++ "&vxxlor ($xv13 ,@x[$a7],@x[$a7])", ++ "&vxxlorc (@x[$c7], $xv15,$xv15)", ++ "&vxxlorc (@x[$a7], $xv10,$xv10)", ++ ++ "&vadduwm (@x[$c0],@x[$c0],@x[$d0])", ++ "&vadduwm (@x[$c1],@x[$c1],@x[$d1])", ++ "&vadduwm (@x[$c2],@x[$c2],@x[$d2])", ++ "&vadduwm (@x[$c3],@x[$c3],@x[$d3])", ++ "&vadduwm (@x[$c4],@x[$c4],@x[$d4])", ++ "&vadduwm (@x[$c5],@x[$c5],@x[$d5])", ++ "&vadduwm (@x[$c6],@x[$c6],@x[$d6])", ++ "&vadduwm (@x[$c7],@x[$c7],@x[$d7])", ++ ++ "&vxor (@x[$b0],@x[$b0],@x[$c0])", ++ "&vxor (@x[$b1],@x[$b1],@x[$c1])", ++ "&vxor (@x[$b2],@x[$b2],@x[$c2])", ++ "&vxor (@x[$b3],@x[$b3],@x[$c3])", ++ "&vxor (@x[$b4],@x[$b4],@x[$c4])", ++ "&vxor (@x[$b5],@x[$b5],@x[$c5])", ++ "&vxor (@x[$b6],@x[$b6],@x[$c6])", ++ "&vxor (@x[$b7],@x[$b7],@x[$c7])", ++ ++ "&vrlw (@x[$b0],@x[$b0],@x[$a7])", ++ "&vrlw (@x[$b1],@x[$b1],@x[$a7])", ++ "&vrlw (@x[$b2],@x[$b2],@x[$a7])", ++ "&vrlw (@x[$b3],@x[$b3],@x[$a7])", ++ "&vrlw (@x[$b4],@x[$b4],@x[$a7])", ++ "&vrlw (@x[$b5],@x[$b5],@x[$a7])", ++ "&vrlw (@x[$b6],@x[$b6],@x[$a7])", ++ "&vrlw (@x[$b7],@x[$b7],@x[$a7])", ++ ++ "&vxxlorc (@x[$a7], $xv13,$xv13)", ++ "&vxxlor ($xv15 ,@x[$c7],@x[$c7])", ++ "&vxxlorc (@x[$c7], $xv11,$xv11)", ++ ++ ++ "&vadduwm (@x[$a0],@x[$a0],@x[$b0])", ++ "&vadduwm (@x[$a1],@x[$a1],@x[$b1])", ++ "&vadduwm (@x[$a2],@x[$a2],@x[$b2])", ++ "&vadduwm (@x[$a3],@x[$a3],@x[$b3])", 
++ "&vadduwm (@x[$a4],@x[$a4],@x[$b4])", ++ "&vadduwm (@x[$a5],@x[$a5],@x[$b5])", ++ "&vadduwm (@x[$a6],@x[$a6],@x[$b6])", ++ "&vadduwm (@x[$a7],@x[$a7],@x[$b7])", ++ ++ "&vxor (@x[$d0],@x[$d0],@x[$a0])", ++ "&vxor (@x[$d1],@x[$d1],@x[$a1])", ++ "&vxor (@x[$d2],@x[$d2],@x[$a2])", ++ "&vxor (@x[$d3],@x[$d3],@x[$a3])", ++ "&vxor (@x[$d4],@x[$d4],@x[$a4])", ++ "&vxor (@x[$d5],@x[$d5],@x[$a5])", ++ "&vxor (@x[$d6],@x[$d6],@x[$a6])", ++ "&vxor (@x[$d7],@x[$d7],@x[$a7])", ++ ++ "&vrlw (@x[$d0],@x[$d0],@x[$c7])", ++ "&vrlw (@x[$d1],@x[$d1],@x[$c7])", ++ "&vrlw (@x[$d2],@x[$d2],@x[$c7])", ++ "&vrlw (@x[$d3],@x[$d3],@x[$c7])", ++ "&vrlw (@x[$d4],@x[$d4],@x[$c7])", ++ "&vrlw (@x[$d5],@x[$d5],@x[$c7])", ++ "&vrlw (@x[$d6],@x[$d6],@x[$c7])", ++ "&vrlw (@x[$d7],@x[$d7],@x[$c7])", ++ ++ "&vxxlorc (@x[$c7], $xv15,$xv15)", ++ "&vxxlor ($xv13 ,@x[$a7],@x[$a7])", ++ "&vxxlorc (@x[$a7], $xv12,$xv12)", ++ ++ "&vadduwm (@x[$c0],@x[$c0],@x[$d0])", ++ "&vadduwm (@x[$c1],@x[$c1],@x[$d1])", ++ "&vadduwm (@x[$c2],@x[$c2],@x[$d2])", ++ "&vadduwm (@x[$c3],@x[$c3],@x[$d3])", ++ "&vadduwm (@x[$c4],@x[$c4],@x[$d4])", ++ "&vadduwm (@x[$c5],@x[$c5],@x[$d5])", ++ "&vadduwm (@x[$c6],@x[$c6],@x[$d6])", ++ "&vadduwm (@x[$c7],@x[$c7],@x[$d7])", ++ "&vxor (@x[$b0],@x[$b0],@x[$c0])", ++ "&vxor (@x[$b1],@x[$b1],@x[$c1])", ++ "&vxor (@x[$b2],@x[$b2],@x[$c2])", ++ "&vxor (@x[$b3],@x[$b3],@x[$c3])", ++ "&vxor (@x[$b4],@x[$b4],@x[$c4])", ++ "&vxor (@x[$b5],@x[$b5],@x[$c5])", ++ "&vxor (@x[$b6],@x[$b6],@x[$c6])", ++ "&vxor (@x[$b7],@x[$b7],@x[$c7])", ++ "&vrlw (@x[$b0],@x[$b0],@x[$a7])", ++ "&vrlw (@x[$b1],@x[$b1],@x[$a7])", ++ "&vrlw (@x[$b2],@x[$b2],@x[$a7])", ++ "&vrlw (@x[$b3],@x[$b3],@x[$a7])", ++ "&vrlw (@x[$b4],@x[$b4],@x[$a7])", ++ "&vrlw (@x[$b5],@x[$b5],@x[$a7])", ++ "&vrlw (@x[$b6],@x[$b6],@x[$a7])", ++ "&vrlw (@x[$b7],@x[$b7],@x[$a7])", ++ ++ "&vxxlorc (@x[$a7], $xv13,$xv13)", ++ ); ++} ++ ++$code.=<<___; ++ ++.globl .ChaCha20_ctr32_vsx_8x ++.align 5 ++.ChaCha20_ctr32_vsx_8x: ++ $STU 
$sp,-$FRAME($sp) ++ mflr r0 ++ li r10,`15+$LOCALS+64` ++ li r11,`31+$LOCALS+64` ++ mfspr r12,256 ++ stvx v24,r10,$sp ++ addi r10,r10,32 ++ stvx v25,r11,$sp ++ addi r11,r11,32 ++ stvx v26,r10,$sp ++ addi r10,r10,32 ++ stvx v27,r11,$sp ++ addi r11,r11,32 ++ stvx v28,r10,$sp ++ addi r10,r10,32 ++ stvx v29,r11,$sp ++ addi r11,r11,32 ++ stvx v30,r10,$sp ++ stvx v31,r11,$sp ++ stw r12,`$FRAME-4`($sp) # save vrsave ++ li r12,-4096+63 ++ $PUSH r0, `$FRAME+$LRSAVE`($sp) ++ mtspr 256,r12 # preserve 29 AltiVec registers ++ ++ bl Lconsts # returns pointer Lsigma in r12 ++ ++ lvx_4w @K[0],0,r12 # load sigma ++ addi r12,r12,0x70 ++ li $x10,16 ++ li $x20,32 ++ li $x30,48 ++ li r11,64 ++ ++ vspltisw $xa4,-16 # synthesize constants ++ vspltisw $xb4,12 # synthesize constants ++ vspltisw $xc4,8 # synthesize constants ++ vspltisw $xd4,7 # synthesize constants ++ ++ lvx $xa0,$x00,r12 # load [smashed] sigma ++ lvx $xa1,$x10,r12 ++ lvx $xa2,$x20,r12 ++ lvx $xa3,$x30,r12 ++ ++ vxxlor $xv9 ,$xa4,$xa4 #save shift val in vr9-12 ++ vxxlor $xv10 ,$xb4,$xb4 ++ vxxlor $xv11 ,$xc4,$xc4 ++ vxxlor $xv12 ,$xd4,$xd4 ++ vxxlor $xv22 ,$xa0,$xa0 #save sigma in vr22-25 ++ vxxlor $xv23 ,$xa1,$xa1 ++ vxxlor $xv24 ,$xa2,$xa2 ++ vxxlor $xv25 ,$xa3,$xa3 ++ ++ lvx_4w @K[1],0,$key # load key ++ lvx_4w @K[2],$x10,$key ++ lvx_4w @K[3],0,$ctr # load counter ++ vspltisw $xt3,4 ++ ++ ++ vxor $xt2,$xt2,$xt2 ++ lvx_4w $xt1,r11,r12 ++ vspltw $xa2,@K[3],0 #save the original count after spltw ++ vsldoi @K[3],@K[3],$xt2,4 ++ vsldoi @K[3],$xt2,@K[3],12 # clear @K[3].word[0] ++ vadduwm $xt1,$xa2,$xt1 ++ vadduwm $xt3,$xt1,$xt3 # next counter value ++ vspltw $xa0,@K[2],2 # save the K[2] spltw 2 and save v8. 
++ ++ be?lvsl $beperm,0,$x10 # 0x00..0f ++ be?vspltisb $xt0,3 # 0x03..03 ++ be?vxor $beperm,$beperm,$xt0 # swap bytes within words ++ be?vxxlor $xv26 ,$beperm,$beperm ++ ++ vxxlor $xv0 ,@K[0],@K[0] # K0,k1,k2 to vr0,1,2 ++ vxxlor $xv1 ,@K[1],@K[1] ++ vxxlor $xv2 ,@K[2],@K[2] ++ vxxlor $xv3 ,@K[3],@K[3] ++ vxxlor $xv4 ,$xt1,$xt1 #CTR ->4, CTR+4-> 5 ++ vxxlor $xv5 ,$xt3,$xt3 ++ vxxlor $xv8 ,$xa0,$xa0 ++ ++ li r0,10 # inner loop counter ++ mtctr r0 ++ b Loop_outer_vsx_8x ++ ++.align 5 ++Loop_outer_vsx_8x: ++ vxxlorc $xa0,$xv22,$xv22 # load [smashed] sigma ++ vxxlorc $xa1,$xv23,$xv23 ++ vxxlorc $xa2,$xv24,$xv24 ++ vxxlorc $xa3,$xv25,$xv25 ++ vxxlorc $xa4,$xv22,$xv22 ++ vxxlorc $xa5,$xv23,$xv23 ++ vxxlorc $xa6,$xv24,$xv24 ++ vxxlorc $xa7,$xv25,$xv25 ++ ++ vspltw $xb0,@K[1],0 # smash the key ++ vspltw $xb1,@K[1],1 ++ vspltw $xb2,@K[1],2 ++ vspltw $xb3,@K[1],3 ++ vspltw $xb4,@K[1],0 # smash the key ++ vspltw $xb5,@K[1],1 ++ vspltw $xb6,@K[1],2 ++ vspltw $xb7,@K[1],3 ++ ++ vspltw $xc0,@K[2],0 ++ vspltw $xc1,@K[2],1 ++ vspltw $xc2,@K[2],2 ++ vspltw $xc3,@K[2],3 ++ vspltw $xc4,@K[2],0 ++ vspltw $xc7,@K[2],3 ++ vspltw $xc5,@K[2],1 ++ ++ vxxlorc $xd0,$xv4,$xv4 # smash the counter ++ vspltw $xd1,@K[3],1 ++ vspltw $xd2,@K[3],2 ++ vspltw $xd3,@K[3],3 ++ vxxlorc $xd4,$xv5,$xv5 # smash the counter ++ vspltw $xd5,@K[3],1 ++ vspltw $xd6,@K[3],2 ++ vspltw $xd7,@K[3],3 ++ vxxlorc $xc6,$xv8,$xv8 #copy of vlspt k[2],2 is in v8.v26 ->k[3] so need to wait until k3 is done ++ ++Loop_vsx_8x: ++___ ++ foreach (&VSX_lane_ROUND_8x(0,4, 8,12,16,20,24,28)) { eval; } ++ foreach (&VSX_lane_ROUND_8x(0,5,10,15,16,21,26,31)) { eval; } ++$code.=<<___; ++ ++ bdnz Loop_vsx_8x ++ vxxlor $xv13 ,$xd4,$xd4 # save the register vr24-31 ++ vxxlor $xv14 ,$xd5,$xd5 # ++ vxxlor $xv15 ,$xd6,$xd6 # ++ vxxlor $xv16 ,$xd7,$xd7 # ++ ++ vxxlor $xv18 ,$xc4,$xc4 # ++ vxxlor $xv19 ,$xc5,$xc5 # ++ vxxlor $xv20 ,$xc6,$xc6 # ++ vxxlor $xv21 ,$xc7,$xc7 # ++ ++ vxxlor $xv6 ,$xb6,$xb6 # save vr23, so we get 8 regs ++ vxxlor $xv7 
,$xb7,$xb7 # save vr23, so we get 8 regs ++ be?vxxlorc $beperm,$xv26,$xv26 # copy back the the beperm. ++ ++ vxxlorc @K[0],$xv0,$xv0 #27 ++ vxxlorc @K[1],$xv1,$xv1 #24 ++ vxxlorc @K[2],$xv2,$xv2 #25 ++ vxxlorc @K[3],$xv3,$xv3 #26 ++ vxxlorc $CTR0,$xv4,$xv4 ++###changing to vertical ++ ++ vmrgew $xt0,$xa0,$xa1 # transpose data ++ vmrgew $xt1,$xa2,$xa3 ++ vmrgow $xa0,$xa0,$xa1 ++ vmrgow $xa2,$xa2,$xa3 ++ ++ vmrgew $xt2,$xb0,$xb1 ++ vmrgew $xt3,$xb2,$xb3 ++ vmrgow $xb0,$xb0,$xb1 ++ vmrgow $xb2,$xb2,$xb3 ++ ++ vadduwm $xd0,$xd0,$CTR0 ++ ++ vpermdi $xa1,$xa0,$xa2,0b00 ++ vpermdi $xa3,$xa0,$xa2,0b11 ++ vpermdi $xa0,$xt0,$xt1,0b00 ++ vpermdi $xa2,$xt0,$xt1,0b11 ++ vpermdi $xb1,$xb0,$xb2,0b00 ++ vpermdi $xb3,$xb0,$xb2,0b11 ++ vpermdi $xb0,$xt2,$xt3,0b00 ++ vpermdi $xb2,$xt2,$xt3,0b11 ++ ++ vmrgew $xt0,$xc0,$xc1 ++ vmrgew $xt1,$xc2,$xc3 ++ vmrgow $xc0,$xc0,$xc1 ++ vmrgow $xc2,$xc2,$xc3 ++ vmrgew $xt2,$xd0,$xd1 ++ vmrgew $xt3,$xd2,$xd3 ++ vmrgow $xd0,$xd0,$xd1 ++ vmrgow $xd2,$xd2,$xd3 ++ ++ vpermdi $xc1,$xc0,$xc2,0b00 ++ vpermdi $xc3,$xc0,$xc2,0b11 ++ vpermdi $xc0,$xt0,$xt1,0b00 ++ vpermdi $xc2,$xt0,$xt1,0b11 ++ vpermdi $xd1,$xd0,$xd2,0b00 ++ vpermdi $xd3,$xd0,$xd2,0b11 ++ vpermdi $xd0,$xt2,$xt3,0b00 ++ vpermdi $xd2,$xt2,$xt3,0b11 ++ ++ vspltisw $xt0,8 ++ vadduwm $CTR0,$CTR0,$xt0 # next counter value ++ vxxlor $xv4 ,$CTR0,$CTR0 #CTR+4-> 5 ++ ++ vadduwm $xa0,$xa0,@K[0] ++ vadduwm $xb0,$xb0,@K[1] ++ vadduwm $xc0,$xc0,@K[2] ++ vadduwm $xd0,$xd0,@K[3] ++ ++ be?vperm $xa0,$xa0,$xa0,$beperm ++ be?vperm $xb0,$xb0,$xb0,$beperm ++ be?vperm $xc0,$xc0,$xc0,$beperm ++ be?vperm $xd0,$xd0,$xd0,$beperm ++ ++ ${UCMP}i $len,0x40 ++ blt Ltail_vsx_8x ++ ++ lvx_4w $xt0,$x00,$inp ++ lvx_4w $xt1,$x10,$inp ++ lvx_4w $xt2,$x20,$inp ++ lvx_4w $xt3,$x30,$inp ++ ++ vxor $xt0,$xt0,$xa0 ++ vxor $xt1,$xt1,$xb0 ++ vxor $xt2,$xt2,$xc0 ++ vxor $xt3,$xt3,$xd0 ++ ++ stvx_4w $xt0,$x00,$out ++ stvx_4w $xt1,$x10,$out ++ addi $inp,$inp,0x40 ++ stvx_4w $xt2,$x20,$out ++ subi $len,$len,0x40 ++ stvx_4w 
$xt3,$x30,$out ++ addi $out,$out,0x40 ++ beq Ldone_vsx_8x ++ ++ vadduwm $xa0,$xa1,@K[0] ++ vadduwm $xb0,$xb1,@K[1] ++ vadduwm $xc0,$xc1,@K[2] ++ vadduwm $xd0,$xd1,@K[3] ++ ++ be?vperm $xa0,$xa0,$xa0,$beperm ++ be?vperm $xb0,$xb0,$xb0,$beperm ++ be?vperm $xc0,$xc0,$xc0,$beperm ++ be?vperm $xd0,$xd0,$xd0,$beperm ++ ++ ${UCMP}i $len,0x40 ++ blt Ltail_vsx_8x ++ ++ lvx_4w $xt0,$x00,$inp ++ lvx_4w $xt1,$x10,$inp ++ lvx_4w $xt2,$x20,$inp ++ lvx_4w $xt3,$x30,$inp ++ ++ vxor $xt0,$xt0,$xa0 ++ vxor $xt1,$xt1,$xb0 ++ vxor $xt2,$xt2,$xc0 ++ vxor $xt3,$xt3,$xd0 ++ ++ stvx_4w $xt0,$x00,$out ++ stvx_4w $xt1,$x10,$out ++ addi $inp,$inp,0x40 ++ stvx_4w $xt2,$x20,$out ++ subi $len,$len,0x40 ++ stvx_4w $xt3,$x30,$out ++ addi $out,$out,0x40 ++ beq Ldone_vsx_8x ++ ++ vadduwm $xa0,$xa2,@K[0] ++ vadduwm $xb0,$xb2,@K[1] ++ vadduwm $xc0,$xc2,@K[2] ++ vadduwm $xd0,$xd2,@K[3] ++ ++ be?vperm $xa0,$xa0,$xa0,$beperm ++ be?vperm $xb0,$xb0,$xb0,$beperm ++ be?vperm $xc0,$xc0,$xc0,$beperm ++ be?vperm $xd0,$xd0,$xd0,$beperm ++ ++ ${UCMP}i $len,0x40 ++ blt Ltail_vsx_8x ++ ++ lvx_4w $xt0,$x00,$inp ++ lvx_4w $xt1,$x10,$inp ++ lvx_4w $xt2,$x20,$inp ++ lvx_4w $xt3,$x30,$inp ++ ++ vxor $xt0,$xt0,$xa0 ++ vxor $xt1,$xt1,$xb0 ++ vxor $xt2,$xt2,$xc0 ++ vxor $xt3,$xt3,$xd0 ++ ++ stvx_4w $xt0,$x00,$out ++ stvx_4w $xt1,$x10,$out ++ addi $inp,$inp,0x40 ++ stvx_4w $xt2,$x20,$out ++ subi $len,$len,0x40 ++ stvx_4w $xt3,$x30,$out ++ addi $out,$out,0x40 ++ beq Ldone_vsx_8x ++ ++ vadduwm $xa0,$xa3,@K[0] ++ vadduwm $xb0,$xb3,@K[1] ++ vadduwm $xc0,$xc3,@K[2] ++ vadduwm $xd0,$xd3,@K[3] ++ ++ be?vperm $xa0,$xa0,$xa0,$beperm ++ be?vperm $xb0,$xb0,$xb0,$beperm ++ be?vperm $xc0,$xc0,$xc0,$beperm ++ be?vperm $xd0,$xd0,$xd0,$beperm ++ ++ ${UCMP}i $len,0x40 ++ blt Ltail_vsx_8x ++ ++ lvx_4w $xt0,$x00,$inp ++ lvx_4w $xt1,$x10,$inp ++ lvx_4w $xt2,$x20,$inp ++ lvx_4w $xt3,$x30,$inp ++ ++ vxor $xt0,$xt0,$xa0 ++ vxor $xt1,$xt1,$xb0 ++ vxor $xt2,$xt2,$xc0 ++ vxor $xt3,$xt3,$xd0 ++ ++ stvx_4w $xt0,$x00,$out ++ stvx_4w $xt1,$x10,$out ++ 
addi $inp,$inp,0x40 ++ stvx_4w $xt2,$x20,$out ++ subi $len,$len,0x40 ++ stvx_4w $xt3,$x30,$out ++ addi $out,$out,0x40 ++ beq Ldone_vsx_8x ++ ++#blk4-7: 24:31 remain the same as we can use the same logic above . Reg a4-b7 remain same.Load c4,d7--> position 8-15.we can reuse vr24-31. ++#VR0-3 : are used to load temp value, vr4 --> as xr0 instead of xt0. ++ ++ vxxlorc $CTR1 ,$xv5,$xv5 ++ ++ vxxlorc $xcn4 ,$xv18,$xv18 ++ vxxlorc $xcn5 ,$xv19,$xv19 ++ vxxlorc $xcn6 ,$xv20,$xv20 ++ vxxlorc $xcn7 ,$xv21,$xv21 ++ ++ vxxlorc $xdn4 ,$xv13,$xv13 ++ vxxlorc $xdn5 ,$xv14,$xv14 ++ vxxlorc $xdn6 ,$xv15,$xv15 ++ vxxlorc $xdn7 ,$xv16,$xv16 ++ vadduwm $xdn4,$xdn4,$CTR1 ++ ++ vxxlorc $xb6 ,$xv6,$xv6 ++ vxxlorc $xb7 ,$xv7,$xv7 ++#use xa1->xr0, as xt0...in the block 4-7 ++ ++ vmrgew $xr0,$xa4,$xa5 # transpose data ++ vmrgew $xt1,$xa6,$xa7 ++ vmrgow $xa4,$xa4,$xa5 ++ vmrgow $xa6,$xa6,$xa7 ++ vmrgew $xt2,$xb4,$xb5 ++ vmrgew $xt3,$xb6,$xb7 ++ vmrgow $xb4,$xb4,$xb5 ++ vmrgow $xb6,$xb6,$xb7 ++ ++ vpermdi $xa5,$xa4,$xa6,0b00 ++ vpermdi $xa7,$xa4,$xa6,0b11 ++ vpermdi $xa4,$xr0,$xt1,0b00 ++ vpermdi $xa6,$xr0,$xt1,0b11 ++ vpermdi $xb5,$xb4,$xb6,0b00 ++ vpermdi $xb7,$xb4,$xb6,0b11 ++ vpermdi $xb4,$xt2,$xt3,0b00 ++ vpermdi $xb6,$xt2,$xt3,0b11 ++ ++ vmrgew $xr0,$xcn4,$xcn5 ++ vmrgew $xt1,$xcn6,$xcn7 ++ vmrgow $xcn4,$xcn4,$xcn5 ++ vmrgow $xcn6,$xcn6,$xcn7 ++ vmrgew $xt2,$xdn4,$xdn5 ++ vmrgew $xt3,$xdn6,$xdn7 ++ vmrgow $xdn4,$xdn4,$xdn5 ++ vmrgow $xdn6,$xdn6,$xdn7 ++ ++ vpermdi $xcn5,$xcn4,$xcn6,0b00 ++ vpermdi $xcn7,$xcn4,$xcn6,0b11 ++ vpermdi $xcn4,$xr0,$xt1,0b00 ++ vpermdi $xcn6,$xr0,$xt1,0b11 ++ vpermdi $xdn5,$xdn4,$xdn6,0b00 ++ vpermdi $xdn7,$xdn4,$xdn6,0b11 ++ vpermdi $xdn4,$xt2,$xt3,0b00 ++ vpermdi $xdn6,$xt2,$xt3,0b11 ++ ++ vspltisw $xr0,8 ++ vadduwm $CTR1,$CTR1,$xr0 # next counter value ++ vxxlor $xv5 ,$CTR1,$CTR1 #CTR+4-> 5 ++ ++ vadduwm $xan0,$xa4,@K[0] ++ vadduwm $xbn0,$xb4,@K[1] ++ vadduwm $xcn0,$xcn4,@K[2] ++ vadduwm $xdn0,$xdn4,@K[3] ++ ++ be?vperm $xan0,$xa4,$xa4,$beperm ++ be?vperm 
$xbn0,$xb4,$xb4,$beperm ++ be?vperm $xcn0,$xcn4,$xcn4,$beperm ++ be?vperm $xdn0,$xdn4,$xdn4,$beperm ++ ++ ${UCMP}i $len,0x40 ++ blt Ltail_vsx_8x_1 ++ ++ lvx_4w $xr0,$x00,$inp ++ lvx_4w $xt1,$x10,$inp ++ lvx_4w $xt2,$x20,$inp ++ lvx_4w $xt3,$x30,$inp ++ ++ vxor $xr0,$xr0,$xan0 ++ vxor $xt1,$xt1,$xbn0 ++ vxor $xt2,$xt2,$xcn0 ++ vxor $xt3,$xt3,$xdn0 ++ ++ stvx_4w $xr0,$x00,$out ++ stvx_4w $xt1,$x10,$out ++ addi $inp,$inp,0x40 ++ stvx_4w $xt2,$x20,$out ++ subi $len,$len,0x40 ++ stvx_4w $xt3,$x30,$out ++ addi $out,$out,0x40 ++ beq Ldone_vsx_8x ++ ++ vadduwm $xan0,$xa5,@K[0] ++ vadduwm $xbn0,$xb5,@K[1] ++ vadduwm $xcn0,$xcn5,@K[2] ++ vadduwm $xdn0,$xdn5,@K[3] ++ ++ be?vperm $xan0,$xan0,$xan0,$beperm ++ be?vperm $xbn0,$xbn0,$xbn0,$beperm ++ be?vperm $xcn0,$xcn0,$xcn0,$beperm ++ be?vperm $xdn0,$xdn0,$xdn0,$beperm ++ ++ ${UCMP}i $len,0x40 ++ blt Ltail_vsx_8x_1 ++ ++ lvx_4w $xr0,$x00,$inp ++ lvx_4w $xt1,$x10,$inp ++ lvx_4w $xt2,$x20,$inp ++ lvx_4w $xt3,$x30,$inp ++ ++ vxor $xr0,$xr0,$xan0 ++ vxor $xt1,$xt1,$xbn0 ++ vxor $xt2,$xt2,$xcn0 ++ vxor $xt3,$xt3,$xdn0 ++ ++ stvx_4w $xr0,$x00,$out ++ stvx_4w $xt1,$x10,$out ++ addi $inp,$inp,0x40 ++ stvx_4w $xt2,$x20,$out ++ subi $len,$len,0x40 ++ stvx_4w $xt3,$x30,$out ++ addi $out,$out,0x40 ++ beq Ldone_vsx_8x ++ ++ vadduwm $xan0,$xa6,@K[0] ++ vadduwm $xbn0,$xb6,@K[1] ++ vadduwm $xcn0,$xcn6,@K[2] ++ vadduwm $xdn0,$xdn6,@K[3] ++ ++ be?vperm $xan0,$xan0,$xan0,$beperm ++ be?vperm $xbn0,$xbn0,$xbn0,$beperm ++ be?vperm $xcn0,$xcn0,$xcn0,$beperm ++ be?vperm $xdn0,$xdn0,$xdn0,$beperm ++ ++ ${UCMP}i $len,0x40 ++ blt Ltail_vsx_8x_1 ++ ++ lvx_4w $xr0,$x00,$inp ++ lvx_4w $xt1,$x10,$inp ++ lvx_4w $xt2,$x20,$inp ++ lvx_4w $xt3,$x30,$inp ++ ++ vxor $xr0,$xr0,$xan0 ++ vxor $xt1,$xt1,$xbn0 ++ vxor $xt2,$xt2,$xcn0 ++ vxor $xt3,$xt3,$xdn0 ++ ++ stvx_4w $xr0,$x00,$out ++ stvx_4w $xt1,$x10,$out ++ addi $inp,$inp,0x40 ++ stvx_4w $xt2,$x20,$out ++ subi $len,$len,0x40 ++ stvx_4w $xt3,$x30,$out ++ addi $out,$out,0x40 ++ beq Ldone_vsx_8x ++ ++ vadduwm 
$xan0,$xa7,@K[0] ++ vadduwm $xbn0,$xb7,@K[1] ++ vadduwm $xcn0,$xcn7,@K[2] ++ vadduwm $xdn0,$xdn7,@K[3] ++ ++ be?vperm $xan0,$xan0,$xan0,$beperm ++ be?vperm $xbn0,$xbn0,$xbn0,$beperm ++ be?vperm $xcn0,$xcn0,$xcn0,$beperm ++ be?vperm $xdn0,$xdn0,$xdn0,$beperm ++ ++ ${UCMP}i $len,0x40 ++ blt Ltail_vsx_8x_1 ++ ++ lvx_4w $xr0,$x00,$inp ++ lvx_4w $xt1,$x10,$inp ++ lvx_4w $xt2,$x20,$inp ++ lvx_4w $xt3,$x30,$inp ++ ++ vxor $xr0,$xr0,$xan0 ++ vxor $xt1,$xt1,$xbn0 ++ vxor $xt2,$xt2,$xcn0 ++ vxor $xt3,$xt3,$xdn0 ++ ++ stvx_4w $xr0,$x00,$out ++ stvx_4w $xt1,$x10,$out ++ addi $inp,$inp,0x40 ++ stvx_4w $xt2,$x20,$out ++ subi $len,$len,0x40 ++ stvx_4w $xt3,$x30,$out ++ addi $out,$out,0x40 ++ beq Ldone_vsx_8x ++ ++ mtctr r0 ++ bne Loop_outer_vsx_8x ++ ++Ldone_vsx_8x: ++ lwz r12,`$FRAME-4`($sp) # pull vrsave ++ li r10,`15+$LOCALS+64` ++ li r11,`31+$LOCALS+64` ++ $POP r0, `$FRAME+$LRSAVE`($sp) ++ mtspr 256,r12 # restore vrsave ++ lvx v24,r10,$sp ++ addi r10,r10,32 ++ lvx v25,r11,$sp ++ addi r11,r11,32 ++ lvx v26,r10,$sp ++ addi r10,r10,32 ++ lvx v27,r11,$sp ++ addi r11,r11,32 ++ lvx v28,r10,$sp ++ addi r10,r10,32 ++ lvx v29,r11,$sp ++ addi r11,r11,32 ++ lvx v30,r10,$sp ++ lvx v31,r11,$sp ++ mtlr r0 ++ addi $sp,$sp,$FRAME ++ blr ++ ++.align 4 ++Ltail_vsx_8x: ++ addi r11,$sp,$LOCALS ++ mtctr $len ++ stvx_4w $xa0,$x00,r11 # offload block to stack ++ stvx_4w $xb0,$x10,r11 ++ stvx_4w $xc0,$x20,r11 ++ stvx_4w $xd0,$x30,r11 ++ subi r12,r11,1 # prepare for *++ptr ++ subi $inp,$inp,1 ++ subi $out,$out,1 ++ bl Loop_tail_vsx_8x ++Ltail_vsx_8x_1: ++ addi r11,$sp,$LOCALS ++ mtctr $len ++ stvx_4w $xan0,$x00,r11 # offload block to stack ++ stvx_4w $xbn0,$x10,r11 ++ stvx_4w $xcn0,$x20,r11 ++ stvx_4w $xdn0,$x30,r11 ++ subi r12,r11,1 # prepare for *++ptr ++ subi $inp,$inp,1 ++ subi $out,$out,1 ++ bl Loop_tail_vsx_8x ++ ++Loop_tail_vsx_8x: ++ lbzu r6,1(r12) ++ lbzu r7,1($inp) ++ xor r6,r6,r7 ++ stbu r6,1($out) ++ bdnz Loop_tail_vsx_8x ++ ++ stvx_4w $K[0],$x00,r11 # wipe copy of the block ++ stvx_4w 
$K[0],$x10,r11 ++ stvx_4w $K[0],$x20,r11 ++ stvx_4w $K[0],$x30,r11 ++ ++ b Ldone_vsx_8x ++ .long 0 ++ .byte 0,12,0x04,1,0x80,0,5,0 ++ .long 0 ++.size .ChaCha20_ctr32_vsx_8x,.-.ChaCha20_ctr32_vsx_8x ++___ ++}}} ++ ++ ++$code.=<<___; ++.align 5 ++Lconsts: ++ mflr r0 ++ bcl 20,31,\$+4 ++ mflr r12 #vvvvv "distance between . and Lsigma ++ addi r12,r12,`64-8` ++ mtlr r0 ++ blr ++ .long 0 ++ .byte 0,12,0x14,0,0,0,0,0 ++ .space `64-9*4` ++Lsigma: ++ .long 0x61707865,0x3320646e,0x79622d32,0x6b206574 ++ .long 1,0,0,0 ++ .long 2,0,0,0 ++ .long 3,0,0,0 ++ .long 4,0,0,0 ++___ ++$code.=<<___ if ($LITTLE_ENDIAN); ++ .long 0x0e0f0c0d,0x0a0b0809,0x06070405,0x02030001 ++ .long 0x0d0e0f0c,0x090a0b08,0x05060704,0x01020300 ++___ ++$code.=<<___ if (!$LITTLE_ENDIAN); # flipped words ++ .long 0x02030001,0x06070405,0x0a0b0809,0x0e0f0c0d ++ .long 0x01020300,0x05060704,0x090a0b08,0x0d0e0f0c ++___ ++$code.=<<___; ++ .long 0x61707865,0x61707865,0x61707865,0x61707865 ++ .long 0x3320646e,0x3320646e,0x3320646e,0x3320646e ++ .long 0x79622d32,0x79622d32,0x79622d32,0x79622d32 ++ .long 0x6b206574,0x6b206574,0x6b206574,0x6b206574 ++ .long 0,1,2,3 ++ .long 0x03020100,0x07060504,0x0b0a0908,0x0f0e0d0c ++.asciz "ChaCha20 for PowerPC/AltiVec, CRYPTOGAMS by " ++.align 2 ++___ ++ ++foreach (split("\n",$code)) { ++ s/\`([^\`]*)\`/eval $1/ge; ++ ++ # instructions prefixed with '?' are endian-specific and need ++ # to be adjusted accordingly... 
++ if ($flavour !~ /le$/) { # big-endian ++ s/be\?// or ++ s/le\?/#le#/ or ++ s/\?lvsr/lvsl/ or ++ s/\?lvsl/lvsr/ or ++ s/\?(vperm\s+v[0-9]+,\s*)(v[0-9]+,\s*)(v[0-9]+,\s*)(v[0-9]+)/$1$3$2$4/ or ++ s/vrldoi(\s+v[0-9]+,\s*)(v[0-9]+,)\s*([0-9]+)/vsldoi$1$2$2 16-$3/; ++ } else { # little-endian ++ s/le\?// or ++ s/be\?/#be#/ or ++ s/\?([a-z]+)/$1/ or ++ s/vrldoi(\s+v[0-9]+,\s*)(v[0-9]+,)\s*([0-9]+)/vsldoi$1$2$2 $3/; ++ } ++ ++ print $_,"\n"; ++} ++ ++close STDOUT or die "error closing STDOUT: $!"; +diff --git a/crypto/chacha/build.info b/crypto/chacha/build.info +index c12cb9c..2a819b2 100644 +--- a/crypto/chacha/build.info ++++ b/crypto/chacha/build.info +@@ -12,7 +12,7 @@ IF[{- !$disabled{asm} -}] + $CHACHAASM_armv4=chacha-armv4.S + $CHACHAASM_aarch64=chacha-armv8.S + +- $CHACHAASM_ppc32=chacha_ppc.c chacha-ppc.s ++ $CHACHAASM_ppc32=chacha_ppc.c chacha-ppc.s chachap10-ppc.s + $CHACHAASM_ppc64=$CHACHAASM_ppc32 + + $CHACHAASM_c64xplus=chacha-c64xplus.s +@@ -29,6 +29,7 @@ SOURCE[../../libcrypto]=$CHACHAASM + GENERATE[chacha-x86.S]=asm/chacha-x86.pl + GENERATE[chacha-x86_64.s]=asm/chacha-x86_64.pl + GENERATE[chacha-ppc.s]=asm/chacha-ppc.pl ++GENERATE[chachap10-ppc.s]=asm/chachap10-ppc.pl + GENERATE[chacha-armv4.S]=asm/chacha-armv4.pl + INCLUDE[chacha-armv4.o]=.. 
+ GENERATE[chacha-armv8.S]=asm/chacha-armv8.pl +diff --git a/crypto/chacha/chacha_ppc.c b/crypto/chacha/chacha_ppc.c +index 5319040..f99cca8 100644 +--- a/crypto/chacha/chacha_ppc.c ++++ b/crypto/chacha/chacha_ppc.c +@@ -23,13 +23,18 @@ void ChaCha20_ctr32_vmx(unsigned char *out, const unsigned char *inp, + void ChaCha20_ctr32_vsx(unsigned char *out, const unsigned char *inp, + size_t len, const unsigned int key[8], + const unsigned int counter[4]); ++void ChaCha20_ctr32_vsx_p10(unsigned char *out, const unsigned char *inp, ++ size_t len, const unsigned int key[8], ++ const unsigned int counter[4]); + void ChaCha20_ctr32(unsigned char *out, const unsigned char *inp, + size_t len, const unsigned int key[8], + const unsigned int counter[4]) + { +- OPENSSL_ppccap_P & PPC_CRYPTO207 +- ? ChaCha20_ctr32_vsx(out, inp, len, key, counter) +- : OPENSSL_ppccap_P & PPC_ALTIVEC +- ? ChaCha20_ctr32_vmx(out, inp, len, key, counter) +- : ChaCha20_ctr32_int(out, inp, len, key, counter); ++ OPENSSL_ppccap_P & PPC_BRD31 ++ ? ChaCha20_ctr32_vsx_p10(out, inp, len, key, counter) ++ :OPENSSL_ppccap_P & PPC_CRYPTO207 ++ ? ChaCha20_ctr32_vsx(out, inp, len, key, counter) ++ : OPENSSL_ppccap_P & PPC_ALTIVEC ++ ? 
ChaCha20_ctr32_vmx(out, inp, len, key, counter) ++ : ChaCha20_ctr32_int(out, inp, len, key, counter); + } +diff --git a/crypto/perlasm/ppc-xlate.pl b/crypto/perlasm/ppc-xlate.pl +index 2ee4440..4590340 100755 +--- a/crypto/perlasm/ppc-xlate.pl ++++ b/crypto/perlasm/ppc-xlate.pl +@@ -293,6 +293,14 @@ my $vpermdi = sub { # xxpermdi + $dm = oct($dm) if ($dm =~ /^0/); + " .long ".sprintf "0x%X",(60<<26)|($vrt<<21)|($vra<<16)|($vrb<<11)|($dm<<8)|(10<<3)|7; + }; ++my $vxxlor = sub { # xxlor ++ my ($f, $vrt, $vra, $vrb) = @_; ++ " .long ".sprintf "0x%X",(60<<26)|($vrt<<21)|($vra<<16)|($vrb<<11)|(146<<3)|6; ++}; ++my $vxxlorc = sub { # xxlor ++ my ($f, $vrt, $vra, $vrb) = @_; ++ " .long ".sprintf "0x%X",(60<<26)|($vrt<<21)|($vra<<16)|($vrb<<11)|(146<<3)|1; ++}; + + # PowerISA 2.07 stuff + sub vcrypto_op { +@@ -377,6 +385,15 @@ my $addex = sub { + }; + my $vmsumudm = sub { vfour_vsr(@_, 35); }; + ++# PowerISA 3.1 stuff ++my $brd = sub { ++ my ($f, $ra, $rs) = @_; ++ " .long ".sprintf "0x%X",(31<<26)|($rs<<21)|($ra<<16)|(187<<1); ++}; ++my $vsrq = sub { vcrypto_op(@_, 517); }; ++ ++ ++ + while($line=<>) { + + $line =~ s|[#!;].*$||; # get rid of asm-style comments... 
+diff --git a/crypto/ppccap.c b/crypto/ppccap.c +index 8bcfed2..664627c 100644 +--- a/crypto/ppccap.c ++++ b/crypto/ppccap.c +@@ -45,6 +45,7 @@ void OPENSSL_ppc64_probe(void); + void OPENSSL_altivec_probe(void); + void OPENSSL_crypto207_probe(void); + void OPENSSL_madd300_probe(void); ++void OPENSSL_brd31_probe(void); + + long OPENSSL_rdtsc_mftb(void); + long OPENSSL_rdtsc_mfspr268(void); +@@ -117,16 +118,21 @@ static unsigned long getauxval(unsigned long key) + #endif + + /* I wish was universally available */ +-#define HWCAP 16 /* AT_HWCAP */ ++#ifndef AT_HWCAP ++# define AT_HWCAP 16 /* AT_HWCAP */ ++#endif + #define HWCAP_PPC64 (1U << 30) + #define HWCAP_ALTIVEC (1U << 28) + #define HWCAP_FPU (1U << 27) + #define HWCAP_POWER6_EXT (1U << 9) + #define HWCAP_VSX (1U << 7) + +-#define HWCAP2 26 /* AT_HWCAP2 */ ++#ifndef AT_HWCAP2 ++# define AT_HWCAP2 26 /* AT_HWCAP2 */ ++#endif + #define HWCAP_VEC_CRYPTO (1U << 25) + #define HWCAP_ARCH_3_00 (1U << 23) ++#define HWCAP_ARCH_3_1 (1U << 18) + + # if defined(__GNUC__) && __GNUC__>=2 + __attribute__ ((constructor)) +@@ -187,6 +193,9 @@ void OPENSSL_cpuid_setup(void) + if (__power_set(0xffffffffU<<17)) /* POWER9 and later */ + OPENSSL_ppccap_P |= PPC_MADD300; + ++ if (__power_set(0xffffffffU<<18)) /* POWER10 and later */ ++ OPENSSL_ppccap_P |= PPC_BRD31; ++ + return; + # endif + #endif +@@ -215,8 +224,8 @@ void OPENSSL_cpuid_setup(void) + + #ifdef OSSL_IMPLEMENT_GETAUXVAL + { +- unsigned long hwcap = getauxval(HWCAP); +- unsigned long hwcap2 = getauxval(HWCAP2); ++ unsigned long hwcap = getauxval(AT_HWCAP); ++ unsigned long hwcap2 = getauxval(AT_HWCAP2); + + if (hwcap & HWCAP_FPU) { + OPENSSL_ppccap_P |= PPC_FPU; +@@ -242,6 +251,10 @@ void OPENSSL_cpuid_setup(void) + if (hwcap2 & HWCAP_ARCH_3_00) { + OPENSSL_ppccap_P |= PPC_MADD300; + } ++ ++ if (hwcap2 & HWCAP_ARCH_3_1) { ++ OPENSSL_ppccap_P |= PPC_BRD31; ++ } + } + #endif + +@@ -263,7 +276,7 @@ void OPENSSL_cpuid_setup(void) + sigaction(SIGILL, &ill_act, &ill_oact); + + 
#ifndef OSSL_IMPLEMENT_GETAUXVAL +- if (sigsetjmp(ill_jmp,1) == 0) { ++ if (sigsetjmp(ill_jmp, 1) == 0) { + OPENSSL_fpu_probe(); + OPENSSL_ppccap_P |= PPC_FPU; + +diff --git a/crypto/ppccpuid.pl b/crypto/ppccpuid.pl +index c6555df..706164a 100755 +--- a/crypto/ppccpuid.pl ++++ b/crypto/ppccpuid.pl +@@ -81,6 +81,17 @@ $code=<<___; + .long 0 + .byte 0,12,0x14,0,0,0,0,0 + ++.globl .OPENSSL_brd31_probe ++.align 4 ++.OPENSSL_brd31_probe: ++ xor r0,r0,r0 ++ brd r3,r0 ++ blr ++ .long 0 ++ .byte 0,12,0x14,0,0,0,0,0 ++.size .OPENSSL_brd31_probe,.-.OPENSSL_brd31_probe ++ ++ + .globl .OPENSSL_wipe_cpu + .align 4 + .OPENSSL_wipe_cpu: +diff --git a/include/crypto/ppc_arch.h b/include/crypto/ppc_arch.h +index 3b3ce4b..fcc846c 100644 +--- a/include/crypto/ppc_arch.h ++++ b/include/crypto/ppc_arch.h +@@ -24,5 +24,6 @@ extern unsigned int OPENSSL_ppccap_P; + # define PPC_MADD300 (1<<4) + # define PPC_MFTB (1<<5) + # define PPC_MFSPR268 (1<<6) ++# define PPC_BRD31 (1<<7) + + #endif diff --git a/SOURCES/0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch b/SOURCES/0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch new file mode 100644 index 0000000..eeafbfa --- /dev/null +++ b/SOURCES/0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch 
@@ -0,0 +1,373 @@ +From 4a2239bd7d444c30c55b20ea8b4aeadafdfe1afd Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Fri, 22 Jul 2022 13:59:37 +0200 +Subject: [PATCH] FIPS: Use OAEP in KATs, support fixed OAEP seed + +Review by our lab for FIPS 140-3 certification expects the RSA +encryption and decryption tests to use a supported padding mode, not raw +RSA signatures. Switch to RSA-OAEP for the self tests to fulfill that. + +The FIPS 140-3 Implementation Guidance specifies in section 10.3.A +"Cryptographic Algorithm Self-Test Requirements" that a self-test may be +a known-answer test, a comparison test, or a fault-detection test. + +Comparison tests are not an option, because they would require +a separate implementation of RSA-OAEP, which we do not have. Fault +detection tests require implementing fault detection mechanisms into the +cryptographic algorithm implementation, we we also do not have. + +As a consequence, a known-answer test must be used to test RSA +encryption and decryption, but RSA encryption with OAEP padding is not +deterministic, and thus encryption will always yield different results +that could not be compared to known answers. For this reason, this +change explicitly sets the seed in OAEP (see RFC 8017 section 7.1.1), +which is the source of randomness for RSA-OAEP, to a fixed value. This +setting is only available during self-test execution, and the parameter +set using EVP_PKEY_CTX_set_params() will be ignored otherwise. 
+ +Signed-off-by: Clemens Lang +--- + crypto/rsa/rsa_local.h | 8 ++ + crypto/rsa/rsa_oaep.c | 34 ++++++-- + include/openssl/core_names.h | 3 + + providers/fips/self_test_data.inc | 83 +++++++++++-------- + providers/fips/self_test_kats.c | 7 ++ + .../implementations/asymciphers/rsa_enc.c | 41 ++++++++- + 6 files changed, 133 insertions(+), 43 deletions(-) + +diff --git a/crypto/rsa/rsa_local.h b/crypto/rsa/rsa_local.h +index ea70da05ad..dde57a1a0e 100644 +--- a/crypto/rsa/rsa_local.h ++++ b/crypto/rsa/rsa_local.h +@@ -193,4 +193,12 @@ int ossl_rsa_padding_add_PKCS1_type_2_ex(OSSL_LIB_CTX *libctx, unsigned char *to + int tlen, const unsigned char *from, + int flen); + ++int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(OSSL_LIB_CTX *libctx, ++ unsigned char *to, int tlen, ++ const unsigned char *from, int flen, ++ const unsigned char *param, ++ int plen, const EVP_MD *md, ++ const EVP_MD *mgf1md, ++ const char *redhat_st_seed); ++ + #endif /* OSSL_CRYPTO_RSA_LOCAL_H */ +diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c +index d9be1a4f98..b2f7f7dc4b 100644 +--- a/crypto/rsa/rsa_oaep.c ++++ b/crypto/rsa/rsa_oaep.c +@@ -44,6 +44,10 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen, + param, plen, NULL, NULL); + } + ++#ifdef FIPS_MODULE ++extern int REDHAT_FIPS_asym_cipher_st; ++#endif /* FIPS_MODULE */ ++ + /* + * Perform the padding as per NIST 800-56B 7.2.2.3 + * from (K) is the key material. +@@ -51,12 +55,13 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen, + * Step numbers are included here but not in the constant time inverse below + * to avoid complicating an already difficult enough function. 
+ */ +-int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx, +- unsigned char *to, int tlen, +- const unsigned char *from, int flen, +- const unsigned char *param, +- int plen, const EVP_MD *md, +- const EVP_MD *mgf1md) ++int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(OSSL_LIB_CTX *libctx, ++ unsigned char *to, int tlen, ++ const unsigned char *from, int flen, ++ const unsigned char *param, ++ int plen, const EVP_MD *md, ++ const EVP_MD *mgf1md, ++ const char *redhat_st_seed) + { + int rv = 0; + int i, emlen = tlen - 1; +@@ -107,6 +112,11 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx, + db[emlen - flen - mdlen - 1] = 0x01; + memcpy(db + emlen - flen - mdlen, from, (unsigned int)flen); + /* step 3d: generate random byte string */ ++#ifdef FIPS_MODULE ++ if (redhat_st_seed != NULL && REDHAT_FIPS_asym_cipher_st) { ++ memcpy(seed, redhat_st_seed, mdlen); ++ } else ++#endif + if (RAND_bytes_ex(libctx, seed, mdlen, 0) <= 0) + goto err; + +@@ -138,6 +148,18 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx, + return rv; + } + ++int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx, ++ unsigned char *to, int tlen, ++ const unsigned char *from, int flen, ++ const unsigned char *param, ++ int plen, const EVP_MD *md, ++ const EVP_MD *mgf1md) ++{ ++ return ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(libctx, to, tlen, from, ++ flen, param, plen, md, ++ mgf1md, NULL); ++} ++ + int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, + const unsigned char *from, int flen, + const unsigned char *param, int plen, +diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h +index 59a6e79566..11216fb8f8 100644 +--- a/include/openssl/core_names.h ++++ b/include/openssl/core_names.h +@@ -469,6 +469,9 @@ extern "C" { + #define OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL "oaep-label" + #define OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION "tls-client-version" + #define OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION 
"tls-negotiated-version" ++#ifdef FIPS_MODULE ++#define OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED "redhat-kat-oaep-seed" ++#endif + + /* + * Encoder / decoder parameters +diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc +index 4e30ec56dd..0103c87528 100644 +--- a/providers/fips/self_test_data.inc ++++ b/providers/fips/self_test_data.inc +@@ -1294,15 +1294,22 @@ static const ST_KAT_PARAM rsa_priv_key[] = { + ST_KAT_PARAM_END() + }; + +-/*- +- * Using OSSL_PKEY_RSA_PAD_MODE_NONE directly in the expansion of the +- * ST_KAT_PARAM_UTF8STRING macro below causes a failure on ancient +- * HP/UX PA-RISC compilers. +- */ +-static const char pad_mode_none[] = OSSL_PKEY_RSA_PAD_MODE_NONE; +- ++/*- ++ * Using OSSL_PKEY_RSA_PAD_MODE_OAEP directly in the expansion of the ++ * ST_KAT_PARAM_UTF8STRING macro below causes a failure on ancient ++ * HP/UX PA-RISC compilers. ++ */ ++static const char pad_mode_oaep[] = OSSL_PKEY_RSA_PAD_MODE_OAEP; ++static const char oaep_fixed_seed[] = { ++ 0xf6, 0x10, 0xef, 0x0a, 0x97, 0xbf, 0x91, 0x25, ++ 0x97, 0xcf, 0x8e, 0x0a, 0x75, 0x51, 0x2f, 0xab, ++ 0x2e, 0x4b, 0x2c, 0xe6 ++}; ++ + static const ST_KAT_PARAM rsa_enc_params[] = { +- ST_KAT_PARAM_UTF8STRING(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, pad_mode_none), ++ ST_KAT_PARAM_UTF8STRING(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, pad_mode_oaep), ++ ST_KAT_PARAM_OCTET(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, ++ oaep_fixed_seed), + ST_KAT_PARAM_END() + }; + +@@ -1335,43 +1348,43 @@ static const unsigned char rsa_expected_sig[256] = { + 0x2c, 0x68, 0xf0, 0x37, 0xa9, 0xd2, 0x56, 0xd6 + }; + +-static const unsigned char rsa_asym_plaintext_encrypt[256] = { ++static const unsigned char rsa_asym_plaintext_encrypt[208] = { + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, + 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, + }; + static const unsigned char rsa_asym_expected_encrypt[256] = { +- 0x54, 0xac, 0x23, 0x96, 0x1d, 0x82, 0x5d, 0x8b, +- 0x8f, 0x36, 0x33, 0xd0, 0xf4, 0x02, 0xa2, 
0x61, +- 0xb1, 0x13, 0xd4, 0x4a, 0x46, 0x06, 0x37, 0x3c, +- 0xbf, 0x40, 0x05, 0x3c, 0xc6, 0x3b, 0x64, 0xdc, +- 0x22, 0x22, 0xaf, 0x36, 0x79, 0x62, 0x45, 0xf0, +- 0x97, 0x82, 0x22, 0x44, 0x86, 0x4a, 0x7c, 0xfa, +- 0xac, 0x03, 0x21, 0x84, 0x3f, 0x31, 0xad, 0x2a, +- 0xa4, 0x6e, 0x7a, 0xc5, 0x93, 0xf3, 0x0f, 0xfc, +- 0xf1, 0x62, 0xce, 0x82, 0x12, 0x45, 0xc9, 0x35, +- 0xb0, 0x7a, 0xcd, 0x99, 0x8c, 0x91, 0x6b, 0x5a, +- 0xd3, 0x46, 0xdb, 0xf9, 0x9e, 0x52, 0x49, 0xbd, +- 0x1e, 0xe8, 0xda, 0xac, 0x61, 0x47, 0xc2, 0xda, +- 0xfc, 0x1e, 0xfb, 0x74, 0xd7, 0xd6, 0xc1, 0x18, +- 0x86, 0x3e, 0x20, 0x9c, 0x7a, 0xe1, 0x04, 0xb7, +- 0x38, 0x43, 0xb1, 0x4e, 0xa0, 0xd8, 0xc1, 0x39, +- 0x4d, 0xe1, 0xd3, 0xb0, 0xb3, 0xf1, 0x82, 0x87, +- 0x1f, 0x74, 0xb5, 0x69, 0xfd, 0x33, 0xd6, 0x21, +- 0x7c, 0x61, 0x60, 0x28, 0xca, 0x70, 0xdb, 0xa0, +- 0xbb, 0xc8, 0x73, 0xa9, 0x82, 0xf8, 0x6b, 0xd8, +- 0xf0, 0xc9, 0x7b, 0x20, 0xdf, 0x9d, 0xfb, 0x8c, +- 0xd4, 0xa2, 0x89, 0xe1, 0x9b, 0x04, 0xad, 0xaa, +- 0x11, 0x6c, 0x8f, 0xce, 0x83, 0x29, 0x56, 0x69, +- 0xbb, 0x00, 0x3b, 0xef, 0xca, 0x2d, 0xcd, 0x52, +- 0xc8, 0xf1, 0xb3, 0x9b, 0xb4, 0x4f, 0x6d, 0x9c, +- 0x3d, 0x69, 0xcc, 0x6d, 0x1f, 0x38, 0x4d, 0xe6, +- 0xbb, 0x0c, 0x87, 0xdc, 0x5f, 0xa9, 0x24, 0x93, +- 0x03, 0x46, 0xa2, 0x33, 0x6c, 0xf4, 0xd8, 0x5d, +- 0x68, 0xf3, 0xd3, 0xe0, 0xf2, 0x30, 0xdb, 0xf5, +- 0x4f, 0x0f, 0xad, 0xc7, 0xd0, 0xaa, 0x47, 0xd9, +- 0x9f, 0x85, 0x1b, 0x2e, 0x6c, 0x3c, 0x57, 0x04, +- 0x29, 0xf4, 0xf5, 0x66, 0x7d, 0x93, 0x4a, 0xaa, +- 0x05, 0x52, 0x55, 0xc1, 0xc6, 0x06, 0x90, 0xab, ++ 0x6c, 0x21, 0xc1, 0x9e, 0x94, 0xee, 0xdf, 0x74, ++ 0x3a, 0x3c, 0x7c, 0x04, 0x1a, 0x53, 0x9e, 0x7c, ++ 0x42, 0xac, 0x7e, 0x28, 0x9a, 0xb7, 0xe2, 0x4e, ++ 0x87, 0xd4, 0x00, 0x69, 0x71, 0xf0, 0x3e, 0x0b, ++ 0xc1, 0xda, 0xd6, 0xbd, 0x21, 0x39, 0x4f, 0x25, ++ 0x22, 0x1f, 0x76, 0x0d, 0x62, 0x1f, 0xa2, 0x89, ++ 0xdb, 0x38, 0x32, 0x88, 0x21, 0x1d, 0x89, 0xf1, ++ 0xe0, 0x14, 0xd4, 0xb7, 0x90, 0xfc, 0xbc, 0x50, ++ 0xb0, 0x8d, 0x5c, 0x2f, 0x49, 0x9e, 0x90, 0x17, ++ 
0x9e, 0x60, 0x9f, 0xe1, 0x77, 0x4f, 0x11, 0xa2, ++ 0xcf, 0x16, 0x65, 0x2d, 0x4a, 0x2c, 0x12, 0xcb, ++ 0x1e, 0x3c, 0x29, 0x8b, 0xdc, 0x27, 0x06, 0x9d, ++ 0xf4, 0x0d, 0xe1, 0xc9, 0xeb, 0x14, 0x6a, 0x7e, ++ 0xfd, 0xa7, 0xa8, 0xa7, 0x51, 0x82, 0x62, 0x0f, ++ 0x29, 0x8d, 0x8c, 0x5e, 0xf2, 0xb8, 0xcd, 0xd3, ++ 0x51, 0x92, 0xa7, 0x25, 0x39, 0x9d, 0xdd, 0x06, ++ 0xff, 0xb1, 0xb0, 0xd5, 0x61, 0x03, 0x8f, 0x25, ++ 0x5c, 0x49, 0x12, 0xc1, 0x50, 0x67, 0x61, 0x78, ++ 0xb3, 0xe3, 0xc4, 0xf6, 0x36, 0x16, 0xa9, 0x04, ++ 0x91, 0x0a, 0x4b, 0x27, 0x28, 0x97, 0x50, 0x7c, ++ 0x65, 0x2d, 0xd0, 0x08, 0x71, 0x84, 0xe7, 0x47, ++ 0x79, 0x83, 0x91, 0x46, 0xd9, 0x8f, 0x79, 0xce, ++ 0x49, 0xcb, 0xcd, 0x8b, 0x34, 0xac, 0x61, 0xe0, ++ 0xe6, 0x55, 0xbf, 0x10, 0xe4, 0xac, 0x9a, 0xd6, ++ 0xed, 0xc1, 0xc2, 0xb6, 0xb6, 0xf7, 0x41, 0x99, ++ 0xde, 0xfa, 0xde, 0x11, 0x16, 0xa2, 0x18, 0x30, ++ 0x30, 0xdc, 0x95, 0x76, 0x2f, 0x46, 0x43, 0x20, ++ 0xc4, 0xe7, 0x50, 0xb9, 0x1e, 0xcd, 0x69, 0xbb, ++ 0x29, 0x94, 0x27, 0x9c, 0xc9, 0xab, 0xb4, 0x27, ++ 0x8b, 0x4d, 0xe1, 0xcb, 0xc1, 0x04, 0x2c, 0x66, ++ 0x41, 0x3a, 0x4d, 0xeb, 0x61, 0x4c, 0x77, 0x5a, ++ 0xee, 0xb0, 0xca, 0x99, 0x0e, 0x7f, 0xbe, 0x06 + }; + + #ifndef OPENSSL_NO_EC +diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c +index 064794d9bf..b6d5e8e134 100644 +--- a/providers/fips/self_test_kats.c ++++ b/providers/fips/self_test_kats.c +@@ -647,14 +647,21 @@ static int self_test_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx) + return ret; + } + ++int REDHAT_FIPS_asym_cipher_st = 0; ++ + static int self_test_asym_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx) + { + int i, ret = 1; + ++ REDHAT_FIPS_asym_cipher_st = 1; ++ + for (i = 0; i < (int)OSSL_NELEM(st_kat_asym_cipher_tests); ++i) { + if (!self_test_asym_cipher(&st_kat_asym_cipher_tests[i], st, libctx)) + ret = 0; + } ++ ++ REDHAT_FIPS_asym_cipher_st = 0; ++ + return ret; + } + +diff --git a/providers/implementations/asymciphers/rsa_enc.c 
b/providers/implementations/asymciphers/rsa_enc.c +index 00cf65fcd6..83be3d8ede 100644 +--- a/providers/implementations/asymciphers/rsa_enc.c ++++ b/providers/implementations/asymciphers/rsa_enc.c +@@ -30,6 +30,9 @@ + #include "prov/implementations.h" + #include "prov/providercommon.h" + #include "prov/securitycheck.h" ++#ifdef FIPS_MODULE ++# include "crypto/rsa/rsa_local.h" ++#endif + + #include + +@@ -75,6 +78,9 @@ typedef struct { + /* TLS padding */ + unsigned int client_version; + unsigned int alt_version; ++#ifdef FIPS_MODULE ++ char *redhat_st_oaep_seed; ++#endif /* FIPS_MODULE */ + } PROV_RSA_CTX; + + static void *rsa_newctx(void *provctx) +@@ -190,12 +196,21 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen, + return 0; + } + ret = +- ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(prsactx->libctx, tbuf, ++#ifdef FIPS_MODULE ++ ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2( ++#else ++ ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex( ++#endif ++ prsactx->libctx, tbuf, + rsasize, in, inlen, + prsactx->oaep_label, + prsactx->oaep_labellen, + prsactx->oaep_md, +- prsactx->mgf1_md); ++ prsactx->mgf1_md ++#ifdef FIPS_MODULE ++ , prsactx->redhat_st_oaep_seed ++#endif ++ ); + + if (!ret) { + OPENSSL_free(tbuf); +@@ -326,6 +341,9 @@ static void rsa_freectx(void *vprsactx) + EVP_MD_free(prsactx->oaep_md); + EVP_MD_free(prsactx->mgf1_md); + OPENSSL_free(prsactx->oaep_label); ++#ifdef FIPS_MODULE ++ OPENSSL_free(prsactx->redhat_st_oaep_seed); ++#endif /* FIPS_MODULE */ + + OPENSSL_free(prsactx); + } +@@ -445,6 +463,9 @@ static const OSSL_PARAM known_gettable_ctx_params[] = { + NULL, 0), + OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL), + OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL), ++#ifdef FIPS_MODULE ++ OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, NULL, 0), ++#endif /* FIPS_MODULE */ + OSSL_PARAM_END + }; + +@@ -454,6 +475,10 @@ static const OSSL_PARAM *rsa_gettable_ctx_params(ossl_unused void 
*vprsactx, + return known_gettable_ctx_params; + } + ++#ifdef FIPS_MODULE ++extern int REDHAT_FIPS_asym_cipher_st; ++#endif /* FIPS_MODULE */ ++ + static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) + { + PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; +@@ -563,6 +588,18 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) + prsactx->oaep_labellen = tmp_labellen; + } + ++#ifdef FIPS_MODULE ++ p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED); ++ if (p != NULL && REDHAT_FIPS_asym_cipher_st) { ++ void *tmp_oaep_seed = NULL; ++ ++ if (!OSSL_PARAM_get_octet_string(p, &tmp_oaep_seed, 0, NULL)) ++ return 0; ++ OPENSSL_free(prsactx->redhat_st_oaep_seed); ++ prsactx->redhat_st_oaep_seed = (char *)tmp_oaep_seed; ++ } ++#endif /* FIPS_MODULE */ ++ + p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION); + if (p != NULL) { + unsigned int client_version; +-- +2.37.1 + diff --git a/SOURCES/0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch b/SOURCES/0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch new file mode 100644 index 0000000..0b6a9fb --- /dev/null +++ b/SOURCES/0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch 
@@ -0,0 +1,313 @@ +From 97ac06e5a8e3a8699279c06eeb64c8e958bad7bd Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Fri, 15 Jul 2022 17:45:40 +0200 +Subject: [PATCH] FIPS: Use digest_sign & digest_verify in self test + +In review for FIPS 140-3, the lack of a self-test for the digest_sign +and digest_verify provider functions was highlighted as a problem. NIST +no longer provides ACVP tests for the RSA SigVer primitive (see +https://github.com/usnistgov/ACVP/issues/1347). Because FIPS 140-3 +recommends the use of functions that compute the digest and signature +within the module, we have been advised in our module review that the +self tests should also use the combined digest and signature APIs, i.e. +the digest_sign and digest_verify provider functions. + +Modify the signature self-test to use these instead by switching to +EVP_DigestSign and EVP_DigestVerify. This requires adding more ifdefs to +crypto/evp/m_sigver.c to make these functions usable in the FIPS module. + +Signed-off-by: Clemens Lang +--- + crypto/evp/m_sigver.c | 43 +++++++++++++++++++++++++++------ + providers/fips/self_test_kats.c | 37 +++++++++++++++------------- + 2 files changed, 56 insertions(+), 24 deletions(-) + +diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c +index db1a1d7bc3..c94c3c53bd 100644 +--- a/crypto/evp/m_sigver.c ++++ b/crypto/evp/m_sigver.c +@@ -88,6 +88,7 @@ static int update(EVP_MD_CTX *ctx, const void *data, size_t datalen) + ERR_raise(ERR_LIB_EVP, EVP_R_ONLY_ONESHOT_SUPPORTED); + return 0; + } ++#endif /* !defined(FIPS_MODULE) */ + + /* + * If we get the "NULL" md then the name comes back as "UNDEF". 
We want to use +@@ -130,8 +131,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, + reinit = 0; + if (e == NULL) + ctx->pctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, props); ++#ifndef FIPS_MODULE + else + ctx->pctx = EVP_PKEY_CTX_new(pkey, e); ++#endif /* !defined(FIPS_MODULE) */ + } + if (ctx->pctx == NULL) + return 0; +@@ -139,8 +142,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, + locpctx = ctx->pctx; + ERR_set_mark(); + ++#ifndef FIPS_MODULE + if (evp_pkey_ctx_is_legacy(locpctx)) + goto legacy; ++#endif /* !defined(FIPS_MODULE) */ + + /* do not reinitialize if pkey is set or operation is different */ + if (reinit +@@ -225,8 +230,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, + signature = + evp_signature_fetch_from_prov((OSSL_PROVIDER *)tmp_prov, + supported_sig, locpctx->propquery); ++#ifndef FIPS_MODULE + if (signature == NULL) + goto legacy; ++#endif /* !defined(FIPS_MODULE) */ + break; + } + if (signature == NULL) +@@ -310,6 +317,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, + ctx->fetched_digest = EVP_MD_fetch(locpctx->libctx, mdname, props); + if (ctx->fetched_digest != NULL) { + ctx->digest = ctx->reqdigest = ctx->fetched_digest; ++#ifndef FIPS_MODULE + } else { + /* legacy engine support : remove the mark when this is deleted */ + ctx->reqdigest = ctx->digest = EVP_get_digestbyname(mdname); +@@ -318,11 +326,13 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, + ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); + goto err; + } ++#endif /* !defined(FIPS_MODULE) */ + } + (void)ERR_pop_to_mark(); + } + } + ++#ifndef FIPS_MODULE + if (ctx->reqdigest != NULL + && !EVP_PKEY_is_a(locpctx->pkey, SN_hmac) + && !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf) +@@ -334,6 +344,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, + goto err; + } + } ++#endif /* !defined(FIPS_MODULE) */ + + if (ver) { + if (signature->digest_verify_init == NULL) { +@@ 
-366,6 +377,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, + EVP_KEYMGMT_free(tmp_keymgmt); + return 0; + ++#ifndef FIPS_MODULE + legacy: + /* + * If we don't have the full support we need with provided methods, +@@ -437,6 +449,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, + ctx->pctx->flag_call_digest_custom = 1; + + ret = 1; ++#endif /* !defined(FIPS_MODULE) */ + + end: + #ifndef FIPS_MODULE +@@ -479,7 +492,6 @@ int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, + return do_sigver_init(ctx, pctx, type, NULL, NULL, NULL, e, pkey, 1, + NULL); + } +-#endif /* FIPS_MDOE */ + + int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize) + { +@@ -541,23 +553,29 @@ int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize) + return EVP_DigestUpdate(ctx, data, dsize); + } + +-#ifndef FIPS_MODULE + int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, + size_t *siglen) + { +- int sctx = 0, r = 0; +- EVP_PKEY_CTX *dctx, *pctx = ctx->pctx; ++ int r = 0; ++#ifndef FIPS_MODULE ++ int sctx = 0; ++ EVP_PKEY_CTX *dctx; ++#endif /* !defined(FIPS_MODULE) */ ++ EVP_PKEY_CTX *pctx = ctx->pctx; + ++#ifndef FIPS_MODULE + if (pctx == NULL + || pctx->operation != EVP_PKEY_OP_SIGNCTX + || pctx->op.sig.algctx == NULL + || pctx->op.sig.signature == NULL) + goto legacy; ++#endif /* !defined(FIPS_MODULE) */ + + if (sigret == NULL || (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) != 0) + return pctx->op.sig.signature->digest_sign_final(pctx->op.sig.algctx, + sigret, siglen, + sigret == NULL ? 
0 : *siglen); ++#ifndef FIPS_MODULE + dctx = EVP_PKEY_CTX_dup(pctx); + if (dctx == NULL) + return 0; +@@ -566,8 +584,10 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, + sigret, siglen, + *siglen); + EVP_PKEY_CTX_free(dctx); ++#endif /* defined(FIPS_MODULE) */ + return r; + ++#ifndef FIPS_MODULE + legacy: + if (pctx == NULL || pctx->pmeth == NULL) { + ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); +@@ -639,6 +659,7 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, + } + } + return 1; ++#endif /* !defined(FIPS_MODULE) */ + } + + int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen, +@@ -669,21 +690,27 @@ int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen, + int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig, + size_t siglen) + { +- unsigned char md[EVP_MAX_MD_SIZE]; + int r = 0; ++#ifndef FIPS_MODULE ++ unsigned char md[EVP_MAX_MD_SIZE]; + unsigned int mdlen = 0; + int vctx = 0; +- EVP_PKEY_CTX *dctx, *pctx = ctx->pctx; ++ EVP_PKEY_CTX *dctx; ++#endif /* !defined(FIPS_MODULE) */ ++ EVP_PKEY_CTX *pctx = ctx->pctx; + ++#ifndef FIPS_MODULE + if (pctx == NULL + || pctx->operation != EVP_PKEY_OP_VERIFYCTX + || pctx->op.sig.algctx == NULL + || pctx->op.sig.signature == NULL) + goto legacy; ++#endif /* !defined(FIPS_MODULE) */ + + if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISE) != 0) + return pctx->op.sig.signature->digest_verify_final(pctx->op.sig.algctx, + sig, siglen); ++#ifndef FIPS_MODULE + dctx = EVP_PKEY_CTX_dup(pctx); + if (dctx == NULL) + return 0; +@@ -691,8 +718,10 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig, + r = dctx->op.sig.signature->digest_verify_final(dctx->op.sig.algctx, + sig, siglen); + EVP_PKEY_CTX_free(dctx); ++#endif /* !defined(FIPS_MODULE) */ + return r; + ++#ifndef FIPS_MODULE + legacy: + if (pctx == NULL || pctx->pmeth == NULL) { + ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); +@@ -732,6 +761,7 @@ int 
EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig, + if (vctx || !r) + return r; + return EVP_PKEY_verify(pctx, sig, siglen, md, mdlen); ++#endif /* !defined(FIPS_MODULE) */ + } + + int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret, +@@ -757,4 +787,3 @@ int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret, + return -1; + return EVP_DigestVerifyFinal(ctx, sigret, siglen); + } +-#endif /* FIPS_MODULE */ +diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c +index b6d5e8e134..77eec075e6 100644 +--- a/providers/fips/self_test_kats.c ++++ b/providers/fips/self_test_kats.c +@@ -444,11 +444,14 @@ static int self_test_sign(const ST_KAT_SIGN *t, + int ret = 0; + OSSL_PARAM *params = NULL, *params_sig = NULL; + OSSL_PARAM_BLD *bld = NULL; ++ EVP_MD *md = NULL; ++ EVP_MD_CTX *ctx = NULL; + EVP_PKEY_CTX *sctx = NULL, *kctx = NULL; + EVP_PKEY *pkey = NULL; +- unsigned char sig[256]; + BN_CTX *bnctx = NULL; + BIGNUM *K = NULL; ++ const char *msg = "Hello World!"; ++ unsigned char sig[256]; + size_t siglen = sizeof(sig); + static const unsigned char dgst[] = { + 0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81, +@@ -488,23 +491,26 @@ static int self_test_sign(const ST_KAT_SIGN *t, + || EVP_PKEY_fromdata(kctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0) + goto err; + +- /* Create a EVP_PKEY_CTX to use for the signing operation */ +- sctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, NULL); +- if (sctx == NULL +- || EVP_PKEY_sign_init(sctx) <= 0) +- goto err; +- +- /* set signature parameters */ +- if (!OSSL_PARAM_BLD_push_utf8_string(bld, OSSL_SIGNATURE_PARAM_DIGEST, +- t->mdalgorithm, +- strlen(t->mdalgorithm) + 1)) +- goto err; ++ /* Create a EVP_MD_CTX to use for the signature operation, assign signature ++ * parameters and sign */ + params_sig = OSSL_PARAM_BLD_to_param(bld); +- if (EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0) ++ md = EVP_MD_fetch(libctx, "SHA256", NULL); ++ ctx = 
EVP_MD_CTX_new(); ++ if (md == NULL || ctx == NULL) ++ goto err; ++ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_FINALISE | EVP_MD_CTX_FLAG_ONESHOT); ++ if (EVP_DigestSignInit(ctx, &sctx, md, NULL, pkey) <= 0 ++ || EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0 ++ || EVP_DigestSign(ctx, sig, &siglen, (const unsigned char *)msg, strlen(msg)) <= 0 ++ || EVP_MD_CTX_reset(ctx) <= 0) + goto err; + +- if (EVP_PKEY_sign(sctx, sig, &siglen, dgst, sizeof(dgst)) <= 0 +- || EVP_PKEY_verify_init(sctx) <= 0 ++ /* sctx is not freed automatically inside the FIPS module */ ++ EVP_PKEY_CTX_free(sctx); ++ sctx = NULL; ++ ++ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_FINALISE | EVP_MD_CTX_FLAG_ONESHOT); ++ if (EVP_DigestVerifyInit(ctx, &sctx, md, NULL, pkey) <= 0 + || EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0) + goto err; + +@@ -509,14 +510,17 @@ static int self_test_sign(const ST_KAT_SIGN *t, + goto err; + + OSSL_SELF_TEST_oncorrupt_byte(st, sig); +- if (EVP_PKEY_verify(sctx, sig, siglen, dgst, sizeof(dgst)) <= 0) ++ if (EVP_DigestVerify(ctx, sig, siglen, (const unsigned char *)msg, strlen(msg)) <= 0) + goto err; + ret = 1; + err: + BN_CTX_free(bnctx); + EVP_PKEY_free(pkey); +- EVP_PKEY_CTX_free(kctx); ++ EVP_MD_free(md); ++ EVP_MD_CTX_free(ctx); ++ /* sctx is not freed automatically inside the FIPS module */ + EVP_PKEY_CTX_free(sctx); ++ EVP_PKEY_CTX_free(kctx); + OSSL_PARAM_free(params); + OSSL_PARAM_free(params_sig); + OSSL_PARAM_BLD_free(bld); +-- +2.37.1 + diff --git a/SOURCES/0075-FIPS-Use-FFDHE2048-in-self-test.patch b/SOURCES/0075-FIPS-Use-FFDHE2048-in-self-test.patch new file mode 100644 index 0000000..096e62d --- /dev/null +++ b/SOURCES/0075-FIPS-Use-FFDHE2048-in-self-test.patch 
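Review bot: In self_test_sign the digest is now hard-coded as `md = EVP_MD_fetch(libctx, "SHA256", NULL);` whereas the removed code took it from `t->mdalgorithm`, so the KAT table's digest field is silently ignored and the `dgst[]` array the hunk keeps is no longer referenced (an unused-variable warning under -Wall); `md = EVP_MD_fetch(libctx, t->mdalgorithm, NULL);` plus dropping `dgst` keeps the test driven by the table. In m_sigver.c the closing comment after `EVP_PKEY_CTX_free(dctx);` in EVP_DigestSignFinal reads `#endif /* defined(FIPS_MODULE) */` but closes an `#ifndef FIPS_MODULE`, so it should read `#endif /* !defined(FIPS_MODULE) */` like its neighbours. The FIPS build also compiles out the `pctx == NULL || ...` guards in EVP_DigestSignFinal and EVP_DigestVerifyFinal instead of replacing them, so a NULL pctx is dereferenced directly at `pctx->op.sig.signature->digest_sign_final(...)`, and the non-FINALISE path falls through to `return r;` with r still 0; the self-test always sets EVP_MD_CTX_FLAG_FINALISE, but an explicit `#ifdef FIPS_MODULE` guard that raises EVP_R_INITIALIZATION_ERROR and returns 0 would keep the failure visible. The start of self_test_sign and the KAT table it reads lie outside the hunk.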
@@ -0,0 +1,378 @@ +From e385647549c467fe263b68b72dd21bdfb875ee88 Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Fri, 22 Jul 2022 17:51:16 +0200 +Subject: [PATCH 2/2] FIPS: Use FFDHE2048 in self test + +Signed-off-by: Clemens Lang +--- + providers/fips/self_test_data.inc | 342 +++++++++++++++--------------- + 1 file changed, 172 insertions(+), 170 deletions(-) + +diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc +index a29cc650b5..1b5623833f 100644 +--- a/providers/fips/self_test_data.inc ++++ b/providers/fips/self_test_data.inc +@@ -821,188 +821,190 @@ static const ST_KAT_DRBG st_kat_drbg_tests[] = + + #ifndef OPENSSL_NO_DH + /* DH KAT */ ++/* RFC7919 FFDHE2048 p */ + static const unsigned char dh_p[] = { +- 0xdc, 0xca, 0x15, 0x11, 0xb2, 0x31, 0x32, 0x25, +- 0xf5, 0x21, 0x16, 0xe1, 0x54, 0x27, 0x89, 0xe0, +- 0x01, 0xf0, 0x42, 0x5b, 0xcc, 0xc7, 0xf3, 0x66, +- 0xf7, 0x40, 0x64, 0x07, 0xf1, 0xc9, 0xfa, 0x8b, +- 0xe6, 0x10, 0xf1, 0x77, 0x8b, 0xb1, 0x70, 0xbe, +- 0x39, 0xdb, 0xb7, 0x6f, 0x85, 0xbf, 0x24, 0xce, +- 0x68, 0x80, 0xad, 0xb7, 0x62, 0x9f, 0x7c, 0x6d, +- 0x01, 0x5e, 0x61, 0xd4, 0x3f, 0xa3, 0xee, 0x4d, +- 0xe1, 0x85, 0xf2, 0xcf, 0xd0, 0x41, 0xff, 0xde, +- 0x9d, 0x41, 0x84, 0x07, 0xe1, 0x51, 0x38, 0xbb, +- 0x02, 0x1d, 0xae, 0xb3, 0x5f, 0x76, 0x2d, 0x17, +- 0x82, 0xac, 0xc6, 0x58, 0xd3, 0x2b, 0xd4, 0xb0, +- 0x23, 0x2c, 0x92, 0x7d, 0xd3, 0x8f, 0xa0, 0x97, +- 0xb3, 0xd1, 0x85, 0x9f, 0xa8, 0xac, 0xaf, 0xb9, +- 0x8f, 0x06, 0x66, 0x08, 0xfc, 0x64, 0x4e, 0xc7, +- 0xdd, 0xb6, 0xf0, 0x85, 0x99, 0xf9, 0x2a, 0xc1, +- 0xb5, 0x98, 0x25, 0xda, 0x84, 0x32, 0x07, 0x7d, +- 0xef, 0x69, 0x56, 0x46, 0x06, 0x3c, 0x20, 0x82, +- 0x3c, 0x95, 0x07, 0xab, 0x6f, 0x01, 0x76, 0xd4, +- 0x73, 0x0d, 0x99, 0x0d, 0xbb, 0xe6, 0x36, 0x1c, +- 0xd8, 0xb2, 0xb9, 0x4d, 0x3d, 0x2f, 0x32, 0x9b, +- 0x82, 0x09, 0x9b, 0xd6, 0x61, 0xf4, 0x29, 0x50, +- 0xf4, 0x03, 0xdf, 0x3e, 0xde, 0x62, 0xa3, 0x31, +- 0x88, 0xb0, 0x27, 0x98, 0xba, 0x82, 0x3f, 0x44, +- 0xb9, 0x46, 0xfe, 
0x9d, 0xf6, 0x77, 0xa0, 0xc5, +- 0xa1, 0x23, 0x8e, 0xaa, 0x97, 0xb7, 0x0f, 0x80, +- 0xda, 0x8c, 0xac, 0x88, 0xe0, 0x92, 0xb1, 0x12, +- 0x70, 0x60, 0xff, 0xbf, 0x45, 0x57, 0x99, 0x94, +- 0x01, 0x1d, 0xc2, 0xfa, 0xa5, 0xe7, 0xf6, 0xc7, +- 0x62, 0x45, 0xe1, 0xcc, 0x31, 0x22, 0x31, 0xc1, +- 0x7d, 0x1c, 0xa6, 0xb1, 0x90, 0x07, 0xef, 0x0d, +- 0xb9, 0x9f, 0x9c, 0xb6, 0x0e, 0x1d, 0x5f, 0x69 +-}; ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, ++ 0xad, 0xf8, 0x54, 0x58, 0xa2, 0xbb, 0x4a, 0x9a, ++ 0xaf, 0xdc, 0x56, 0x20, 0x27, 0x3d, 0x3c, 0xf1, ++ 0xd8, 0xb9, 0xc5, 0x83, 0xce, 0x2d, 0x36, 0x95, ++ 0xa9, 0xe1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xfb, ++ 0xcc, 0x93, 0x9d, 0xce, 0x24, 0x9b, 0x3e, 0xf9, ++ 0x7d, 0x2f, 0xe3, 0x63, 0x63, 0x0c, 0x75, 0xd8, ++ 0xf6, 0x81, 0xb2, 0x02, 0xae, 0xc4, 0x61, 0x7a, ++ 0xd3, 0xdf, 0x1e, 0xd5, 0xd5, 0xfd, 0x65, 0x61, ++ 0x24, 0x33, 0xf5, 0x1f, 0x5f, 0x06, 0x6e, 0xd0, ++ 0x85, 0x63, 0x65, 0x55, 0x3d, 0xed, 0x1a, 0xf3, ++ 0xb5, 0x57, 0x13, 0x5e, 0x7f, 0x57, 0xc9, 0x35, ++ 0x98, 0x4f, 0x0c, 0x70, 0xe0, 0xe6, 0x8b, 0x77, ++ 0xe2, 0xa6, 0x89, 0xda, 0xf3, 0xef, 0xe8, 0x72, ++ 0x1d, 0xf1, 0x58, 0xa1, 0x36, 0xad, 0xe7, 0x35, ++ 0x30, 0xac, 0xca, 0x4f, 0x48, 0x3a, 0x79, 0x7a, ++ 0xbc, 0x0a, 0xb1, 0x82, 0xb3, 0x24, 0xfb, 0x61, ++ 0xd1, 0x08, 0xa9, 0x4b, 0xb2, 0xc8, 0xe3, 0xfb, ++ 0xb9, 0x6a, 0xda, 0xb7, 0x60, 0xd7, 0xf4, 0x68, ++ 0x1d, 0x4f, 0x42, 0xa3, 0xde, 0x39, 0x4d, 0xf4, ++ 0xae, 0x56, 0xed, 0xe7, 0x63, 0x72, 0xbb, 0x19, ++ 0x0b, 0x07, 0xa7, 0xc8, 0xee, 0x0a, 0x6d, 0x70, ++ 0x9e, 0x02, 0xfc, 0xe1, 0xcd, 0xf7, 0xe2, 0xec, ++ 0xc0, 0x34, 0x04, 0xcd, 0x28, 0x34, 0x2f, 0x61, ++ 0x91, 0x72, 0xfe, 0x9c, 0xe9, 0x85, 0x83, 0xff, ++ 0x8e, 0x4f, 0x12, 0x32, 0xee, 0xf2, 0x81, 0x83, ++ 0xc3, 0xfe, 0x3b, 0x1b, 0x4c, 0x6f, 0xad, 0x73, ++ 0x3b, 0xb5, 0xfc, 0xbc, 0x2e, 0xc2, 0x20, 0x05, ++ 0xc5, 0x8e, 0xf1, 0x83, 0x7d, 0x16, 0x83, 0xb2, ++ 0xc6, 0xf3, 0x4a, 0x26, 0xc1, 0xb2, 0xef, 0xfa, ++ 0x88, 0x6b, 0x42, 0x38, 0x61, 0x28, 0x5c, 0x97, ++ 0xff, 0xff, 0xff, 0xff, 
0xff, 0xff, 0xff, 0xff ++}; ++/* RFC7919 FFDHE2048 q */ + static const unsigned char dh_q[] = { +- 0x89, 0x8b, 0x22, 0x67, 0x17, 0xef, 0x03, 0x9e, +- 0x60, 0x3e, 0x82, 0xe5, 0xc7, 0xaf, 0xe4, 0x83, +- 0x74, 0xac, 0x5f, 0x62, 0x5c, 0x54, 0xf1, 0xea, +- 0x11, 0xac, 0xb5, 0x7d +-}; ++ 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, ++ 0xd6, 0xfc, 0x2a, 0x2c, 0x51, 0x5d, 0xa5, 0x4d, ++ 0x57, 0xee, 0x2b, 0x10, 0x13, 0x9e, 0x9e, 0x78, ++ 0xec, 0x5c, 0xe2, 0xc1, 0xe7, 0x16, 0x9b, 0x4a, ++ 0xd4, 0xf0, 0x9b, 0x20, 0x8a, 0x32, 0x19, 0xfd, ++ 0xe6, 0x49, 0xce, 0xe7, 0x12, 0x4d, 0x9f, 0x7c, ++ 0xbe, 0x97, 0xf1, 0xb1, 0xb1, 0x86, 0x3a, 0xec, ++ 0x7b, 0x40, 0xd9, 0x01, 0x57, 0x62, 0x30, 0xbd, ++ 0x69, 0xef, 0x8f, 0x6a, 0xea, 0xfe, 0xb2, 0xb0, ++ 0x92, 0x19, 0xfa, 0x8f, 0xaf, 0x83, 0x37, 0x68, ++ 0x42, 0xb1, 0xb2, 0xaa, 0x9e, 0xf6, 0x8d, 0x79, ++ 0xda, 0xab, 0x89, 0xaf, 0x3f, 0xab, 0xe4, 0x9a, ++ 0xcc, 0x27, 0x86, 0x38, 0x70, 0x73, 0x45, 0xbb, ++ 0xf1, 0x53, 0x44, 0xed, 0x79, 0xf7, 0xf4, 0x39, ++ 0x0e, 0xf8, 0xac, 0x50, 0x9b, 0x56, 0xf3, 0x9a, ++ 0x98, 0x56, 0x65, 0x27, 0xa4, 0x1d, 0x3c, 0xbd, ++ 0x5e, 0x05, 0x58, 0xc1, 0x59, 0x92, 0x7d, 0xb0, ++ 0xe8, 0x84, 0x54, 0xa5, 0xd9, 0x64, 0x71, 0xfd, ++ 0xdc, 0xb5, 0x6d, 0x5b, 0xb0, 0x6b, 0xfa, 0x34, ++ 0x0e, 0xa7, 0xa1, 0x51, 0xef, 0x1c, 0xa6, 0xfa, ++ 0x57, 0x2b, 0x76, 0xf3, 0xb1, 0xb9, 0x5d, 0x8c, ++ 0x85, 0x83, 0xd3, 0xe4, 0x77, 0x05, 0x36, 0xb8, ++ 0x4f, 0x01, 0x7e, 0x70, 0xe6, 0xfb, 0xf1, 0x76, ++ 0x60, 0x1a, 0x02, 0x66, 0x94, 0x1a, 0x17, 0xb0, ++ 0xc8, 0xb9, 0x7f, 0x4e, 0x74, 0xc2, 0xc1, 0xff, ++ 0xc7, 0x27, 0x89, 0x19, 0x77, 0x79, 0x40, 0xc1, ++ 0xe1, 0xff, 0x1d, 0x8d, 0xa6, 0x37, 0xd6, 0xb9, ++ 0x9d, 0xda, 0xfe, 0x5e, 0x17, 0x61, 0x10, 0x02, ++ 0xe2, 0xc7, 0x78, 0xc1, 0xbe, 0x8b, 0x41, 0xd9, ++ 0x63, 0x79, 0xa5, 0x13, 0x60, 0xd9, 0x77, 0xfd, ++ 0x44, 0x35, 0xa1, 0x1c, 0x30, 0x94, 0x2e, 0x4b, ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff ++}; ++/* RFC7919 FFDHE2048 g */ + static const unsigned char dh_g[] = { +- 0x5e, 0xf7, 
0xb8, 0x8f, 0x2d, 0xf6, 0x01, 0x39, +- 0x35, 0x1d, 0xfb, 0xfe, 0x12, 0x66, 0x80, 0x5f, +- 0xdf, 0x35, 0x6c, 0xdf, 0xd1, 0x3a, 0x4d, 0xa0, +- 0x05, 0x0c, 0x7e, 0xde, 0x24, 0x6d, 0xf5, 0x9f, +- 0x6a, 0xbf, 0x96, 0xad, 0xe5, 0xf2, 0xb2, 0x8f, +- 0xfe, 0x88, 0xd6, 0xbc, 0xe7, 0xf7, 0x89, 0x4a, +- 0x3d, 0x53, 0x5f, 0xc8, 0x21, 0x26, 0xdd, 0xd4, +- 0x24, 0x87, 0x2e, 0x16, 0xb8, 0x38, 0xdf, 0x8c, +- 0x51, 0xe9, 0x01, 0x6f, 0x88, 0x9c, 0x7c, 0x20, +- 0x3e, 0x98, 0xa8, 0xb6, 0x31, 0xf9, 0xc7, 0x25, +- 0x63, 0xd3, 0x8a, 0x49, 0x58, 0x9a, 0x07, 0x53, +- 0xd3, 0x58, 0xe7, 0x83, 0x31, 0x8c, 0xef, 0xd9, +- 0x67, 0x7c, 0x7b, 0x2d, 0xbb, 0x77, 0xd6, 0xdc, +- 0xe2, 0xa1, 0x96, 0x37, 0x95, 0xca, 0x64, 0xb9, +- 0x2d, 0x1c, 0x9a, 0xac, 0x6d, 0x0e, 0x8d, 0x43, +- 0x1d, 0xe5, 0xe5, 0x00, 0x60, 0xdf, 0xf7, 0x86, +- 0x89, 0xc9, 0xec, 0xa1, 0xc1, 0x24, 0x8c, 0x16, +- 0xed, 0x09, 0xc7, 0xad, 0x41, 0x2a, 0x17, 0x40, +- 0x6d, 0x2b, 0x52, 0x5a, 0xa1, 0xca, 0xbb, 0x23, +- 0x7b, 0x97, 0x34, 0xec, 0x7b, 0x8c, 0xe3, 0xfa, +- 0xe0, 0x2f, 0x29, 0xc5, 0xef, 0xed, 0x30, 0xd6, +- 0x91, 0x87, 0xda, 0x10, 0x9c, 0x2c, 0x9f, 0xe2, +- 0xaa, 0xdb, 0xb0, 0xc2, 0x2a, 0xf5, 0x4c, 0x61, +- 0x66, 0x55, 0x00, 0x0c, 0x43, 0x1c, 0x6b, 0x4a, +- 0x37, 0x97, 0x63, 0xb0, 0xa9, 0x16, 0x58, 0xef, +- 0xc8, 0x4e, 0x8b, 0x06, 0x35, 0x8c, 0x8b, 0x4f, +- 0x21, 0x37, 0x10, 0xfd, 0x10, 0x17, 0x2c, 0xf3, +- 0x9b, 0x83, 0x0c, 0x2d, 0xd8, 0x4a, 0x0c, 0x8a, +- 0xb8, 0x25, 0x16, 0xec, 0xab, 0x99, 0x5f, 0xa4, +- 0x21, 0x5e, 0x02, 0x3e, 0x4e, 0xcf, 0x80, 0x74, +- 0xc3, 0x9d, 0x6c, 0x88, 0xb7, 0x0d, 0x1e, 0xe4, +- 0xe9, 0x6f, 0xdc, 0x20, 0xea, 0x11, 0x5c, 0x32 ++ 0x02 + }; + static const unsigned char dh_priv[] = { +- 0x14, 0x33, 0xe0, 0xb5, 0xa9, 0x17, 0xb6, 0x0a, +- 0x30, 0x23, 0xf2, 0xf8, 0xaa, 0x2c, 0x2d, 0x70, +- 0xd2, 0x96, 0x8a, 0xba, 0x9a, 0xea, 0xc8, 0x15, +- 0x40, 0xb8, 0xfc, 0xe6 ++ 0x01, 0xdc, 0x2a, 0xb9, 0x87, 0x71, 0x57, 0x0f, ++ 0xcd, 0x93, 0x65, 0x4c, 0xa1, 0xd6, 0x56, 0x6d, ++ 0xc5, 0x35, 0xd5, 0xcb, 0x4c, 0xb8, 0xad, 
0x8d, ++ 0x6c, 0xdc, 0x5d, 0x6e, 0x94 + }; + static const unsigned char dh_pub[] = { +- 0x95, 0xdd, 0x33, 0x8d, 0x29, 0xe5, 0x71, 0x04, +- 0x92, 0xb9, 0x18, 0x31, 0x7b, 0x72, 0xa3, 0x69, +- 0x36, 0xe1, 0x95, 0x1a, 0x2e, 0xe5, 0xa5, 0x59, +- 0x16, 0x99, 0xc0, 0x48, 0x6d, 0x0d, 0x4f, 0x9b, +- 0xdd, 0x6d, 0x5a, 0x3f, 0x6b, 0x98, 0x89, 0x0c, +- 0x62, 0xb3, 0x76, 0x52, 0xd3, 0x6e, 0x71, 0x21, +- 0x11, 0xe6, 0x8a, 0x73, 0x55, 0x37, 0x25, 0x06, +- 0x99, 0xef, 0xe3, 0x30, 0x53, 0x73, 0x91, 0xfb, +- 0xc2, 0xc5, 0x48, 0xbc, 0x5a, 0xc3, 0xe5, 0xb2, +- 0x33, 0x86, 0xc3, 0xee, 0xf5, 0xeb, 0x43, 0xc0, +- 0x99, 0xd7, 0x0a, 0x52, 0x02, 0x68, 0x7e, 0x83, +- 0x96, 0x42, 0x48, 0xfc, 0xa9, 0x1f, 0x40, 0x90, +- 0x8e, 0x8f, 0xb3, 0x31, 0x93, 0x15, 0xf6, 0xd2, +- 0x60, 0x6d, 0x7f, 0x7c, 0xd5, 0x2c, 0xc6, 0xe7, +- 0xc5, 0x84, 0x3a, 0xfb, 0x22, 0x51, 0x9c, 0xf0, +- 0xf0, 0xf9, 0xd3, 0xa0, 0xa4, 0xe8, 0xc8, 0x88, +- 0x99, 0xef, 0xed, 0xe7, 0x36, 0x43, 0x51, 0xfb, +- 0x6a, 0x36, 0x3e, 0xe7, 0x17, 0xe5, 0x44, 0x5a, +- 0xda, 0xb4, 0xc9, 0x31, 0xa6, 0x48, 0x39, 0x97, +- 0xb8, 0x7d, 0xad, 0x83, 0x67, 0x7e, 0x4d, 0x1d, +- 0x3a, 0x77, 0x75, 0xe0, 0xf6, 0xd0, 0x0f, 0xdf, +- 0x73, 0xc7, 0xad, 0x80, 0x1e, 0x66, 0x5a, 0x0e, +- 0x5a, 0x79, 0x6d, 0x0a, 0x03, 0x80, 0xa1, 0x9f, +- 0xa1, 0x82, 0xef, 0xc8, 0xa0, 0x4f, 0x5e, 0x4d, +- 0xb9, 0x0d, 0x1a, 0x86, 0x37, 0xf9, 0x5d, 0xb1, +- 0x64, 0x36, 0xbd, 0xc8, 0xf3, 0xfc, 0x09, 0x6c, +- 0x4f, 0xf7, 0xf2, 0x34, 0xbe, 0x8f, 0xef, 0x47, +- 0x9a, 0xc4, 0xb0, 0xdc, 0x4b, 0x77, 0x26, 0x3e, +- 0x07, 0xd9, 0x95, 0x9d, 0xe0, 0xf1, 0xbf, 0x3f, +- 0x0a, 0xe3, 0xd9, 0xd5, 0x0e, 0x4b, 0x89, 0xc9, +- 0x9e, 0x3e, 0xa1, 0x21, 0x73, 0x43, 0xdd, 0x8c, +- 0x65, 0x81, 0xac, 0xc4, 0x95, 0x9c, 0x91, 0xd3 ++ 0x00, 0xc4, 0x82, 0x14, 0x69, 0x16, 0x4c, 0x05, ++ 0x55, 0x2a, 0x7e, 0x55, 0x6d, 0x02, 0xbb, 0x7f, ++ 0xcc, 0x63, 0x74, 0xee, 0xcb, 0xb4, 0x98, 0x43, ++ 0x0e, 0x29, 0x43, 0x0d, 0x44, 0xc7, 0xf1, 0x23, ++ 0x81, 0xca, 0x1c, 0x5c, 0xc3, 0xff, 0x01, 0x4a, ++ 0x1a, 0x03, 0x9e, 0x5f, 
0xd1, 0x4e, 0xa0, 0x0b, ++ 0xb9, 0x5c, 0x0d, 0xef, 0x14, 0x01, 0x62, 0x3c, ++ 0x8a, 0x8e, 0x60, 0xbb, 0x39, 0xd6, 0x38, 0x63, ++ 0xb7, 0x65, 0xd0, 0x0b, 0x1a, 0xaf, 0x53, 0x38, ++ 0x10, 0x0f, 0x3e, 0xeb, 0x9d, 0x0c, 0x24, 0xf6, ++ 0xe3, 0x70, 0x08, 0x8a, 0x4d, 0x01, 0xf8, 0x7a, ++ 0x87, 0x49, 0x64, 0x72, 0xb1, 0x75, 0x3b, 0x94, ++ 0xc8, 0x09, 0x2d, 0x6a, 0x63, 0xd8, 0x9a, 0x92, ++ 0xb9, 0x5b, 0x1a, 0xc3, 0x47, 0x0b, 0x63, 0x44, ++ 0x3b, 0xe3, 0xc0, 0x09, 0xc9, 0xf9, 0x02, 0x53, ++ 0xd8, 0xfb, 0x06, 0x44, 0xdb, 0xdf, 0xe8, 0x13, ++ 0x2b, 0x40, 0x6a, 0xd4, 0x13, 0x4e, 0x52, 0x30, ++ 0xd6, 0xc1, 0xd8, 0x59, 0x9d, 0x59, 0xba, 0x1b, ++ 0xbf, 0xaa, 0x6f, 0xe9, 0x3d, 0xfd, 0xff, 0x01, ++ 0x0b, 0x54, 0xe0, 0x6a, 0x4e, 0x27, 0x2b, 0x3d, ++ 0xe8, 0xef, 0xb0, 0xbe, 0x52, 0xc3, 0x52, 0x18, ++ 0x6f, 0xa3, 0x27, 0xab, 0x6c, 0x12, 0xc3, 0x81, ++ 0xcb, 0xae, 0x23, 0x11, 0xa0, 0x5d, 0xc3, 0x6f, ++ 0x23, 0x17, 0x40, 0xb3, 0x05, 0x4f, 0x5d, 0xb7, ++ 0x34, 0xbe, 0x87, 0x2c, 0xa9, 0x9e, 0x98, 0x39, ++ 0xbf, 0x2e, 0x9d, 0xad, 0x4f, 0x70, 0xad, 0xed, ++ 0x1b, 0x5e, 0x47, 0x90, 0x49, 0x2e, 0x61, 0x71, ++ 0x5f, 0x07, 0x0b, 0x35, 0x04, 0xfc, 0x53, 0xce, ++ 0x58, 0x60, 0x6c, 0x5b, 0x8b, 0xfe, 0x70, 0x04, ++ 0x2a, 0x6a, 0x98, 0x0a, 0xd0, 0x80, 0xae, 0x69, ++ 0x95, 0xf9, 0x99, 0x18, 0xfc, 0xe4, 0x8e, 0xed, ++ 0x61, 0xd9, 0x02, 0x9d, 0x4e, 0x05, 0xe9, 0xf2, ++ 0x32 + }; + static const unsigned char dh_peer_pub[] = { +- 0x1f, 0xc1, 0xda, 0x34, 0x1d, 0x1a, 0x84, 0x6a, +- 0x96, 0xb7, 0xbe, 0x24, 0x34, 0x0f, 0x87, 0x7d, +- 0xd0, 0x10, 0xaa, 0x03, 0x56, 0xd5, 0xad, 0x58, +- 0xaa, 0xe9, 0xc7, 0xb0, 0x8f, 0x74, 0x9a, 0x32, +- 0x23, 0x51, 0x10, 0xb5, 0xd8, 0x8e, 0xb5, 0xdb, +- 0xfa, 0x97, 0x8d, 0x27, 0xec, 0xc5, 0x30, 0xf0, +- 0x2d, 0x31, 0x14, 0x00, 0x5b, 0x64, 0xb1, 0xc0, +- 0xe0, 0x24, 0xcb, 0x8a, 0xe2, 0x16, 0x98, 0xbc, +- 0xa9, 0xe6, 0x0d, 0x42, 0x80, 0x86, 0x22, 0xf1, +- 0x81, 0xc5, 0x6e, 0x1d, 0xe7, 0xa9, 0x6e, 0x6e, +- 0xfe, 0xe9, 0xd6, 0x65, 0x67, 0xe9, 0x1b, 0x97, +- 0x70, 0x42, 0xc7, 0xe3, 
0xd0, 0x44, 0x8f, 0x05, +- 0xfb, 0x77, 0xf5, 0x22, 0xb9, 0xbf, 0xc8, 0xd3, +- 0x3c, 0xc3, 0xc3, 0x1e, 0xd3, 0xb3, 0x1f, 0x0f, +- 0xec, 0xb6, 0xdb, 0x4f, 0x6e, 0xa3, 0x11, 0xe7, +- 0x7a, 0xfd, 0xbc, 0xd4, 0x7a, 0xee, 0x1b, 0xb1, +- 0x50, 0xf2, 0x16, 0x87, 0x35, 0x78, 0xfb, 0x96, +- 0x46, 0x8e, 0x8f, 0x9f, 0x3d, 0xe8, 0xef, 0xbf, +- 0xce, 0x75, 0x62, 0x4b, 0x1d, 0xf0, 0x53, 0x22, +- 0xa3, 0x4f, 0x14, 0x63, 0xe8, 0x39, 0xe8, 0x98, +- 0x4c, 0x4a, 0xd0, 0xa9, 0x6e, 0x1a, 0xc8, 0x42, +- 0xe5, 0x31, 0x8c, 0xc2, 0x3c, 0x06, 0x2a, 0x8c, +- 0xa1, 0x71, 0xb8, 0xd5, 0x75, 0x98, 0x0d, 0xde, +- 0x7f, 0xc5, 0x6f, 0x15, 0x36, 0x52, 0x38, 0x20, +- 0xd4, 0x31, 0x92, 0xbf, 0xd5, 0x1e, 0x8e, 0x22, +- 0x89, 0x78, 0xac, 0xa5, 0xb9, 0x44, 0x72, 0xf3, +- 0x39, 0xca, 0xeb, 0x99, 0x31, 0xb4, 0x2b, 0xe3, +- 0x01, 0x26, 0x8b, 0xc9, 0x97, 0x89, 0xc9, 0xb2, +- 0x55, 0x71, 0xc3, 0xc0, 0xe4, 0xcb, 0x3f, 0x00, +- 0x7f, 0x1a, 0x51, 0x1c, 0xbb, 0x53, 0xc8, 0x51, +- 0x9c, 0xdd, 0x13, 0x02, 0xab, 0xca, 0x6c, 0x0f, +- 0x34, 0xf9, 0x67, 0x39, 0xf1, 0x7f, 0xf4, 0x8b ++ 0x00, 0xef, 0x15, 0x02, 0xf5, 0x56, 0xa3, 0x79, ++ 0x40, 0x58, 0xbc, 0xeb, 0x56, 0xad, 0xcb, 0xda, ++ 0x8c, 0xda, 0xb8, 0xd1, 0xda, 0x6f, 0x25, 0x29, ++ 0x9e, 0x43, 0x76, 0x2d, 0xb2, 0xd8, 0xbc, 0x84, ++ 0xbc, 0x85, 0xd0, 0x94, 0x8d, 0x44, 0x27, 0x57, ++ 0xe4, 0xdf, 0xc1, 0x78, 0x42, 0x8f, 0x08, 0xf5, ++ 0x74, 0xfe, 0x02, 0x56, 0xd2, 0x09, 0xc8, 0x68, ++ 0xef, 0xed, 0x18, 0xc9, 0xfd, 0x2e, 0x95, 0x6c, ++ 0xba, 0x6c, 0x00, 0x0e, 0xf5, 0xd1, 0x1b, 0xf6, ++ 0x15, 0x14, 0x5b, 0x67, 0x22, 0x7c, 0x6a, 0x20, ++ 0x76, 0x43, 0x51, 0xef, 0x5e, 0x1e, 0xf9, 0x2d, ++ 0xd6, 0xb4, 0xc5, 0xc6, 0x18, 0x33, 0xd1, 0xa3, ++ 0x3b, 0xe6, 0xdd, 0x57, 0x9d, 0xad, 0x13, 0x7a, ++ 0x53, 0xde, 0xb3, 0x97, 0xc0, 0x7e, 0xd7, 0x77, ++ 0x6b, 0xf8, 0xbd, 0x13, 0x70, 0x8c, 0xba, 0x73, ++ 0x80, 0xb3, 0x80, 0x6f, 0xfb, 0x1c, 0xda, 0x53, ++ 0x4d, 0x3c, 0x8a, 0x2e, 0xa1, 0x37, 0xce, 0xb1, ++ 0xde, 0x45, 0x97, 0x58, 0x65, 0x4d, 0xcf, 0x05, ++ 0xbb, 0xc3, 0xd7, 0x38, 0x6d, 0x0a, 
0x59, 0x7a, ++ 0x99, 0x15, 0xb7, 0x9a, 0x3d, 0xfd, 0x61, 0xe5, ++ 0x1a, 0xa2, 0xcc, 0xf6, 0xfe, 0xb1, 0xee, 0xe9, ++ 0xa9, 0xe2, 0xeb, 0x06, 0xbc, 0x14, 0x6e, 0x91, ++ 0x0d, 0xf1, 0xe3, 0xbb, 0xe0, 0x7e, 0x1d, 0x31, ++ 0x79, 0xf1, 0x6d, 0x5f, 0xcb, 0xaf, 0xb2, 0x4f, ++ 0x22, 0x12, 0xbf, 0x72, 0xbd, 0xd0, 0x30, 0xe4, ++ 0x1c, 0x35, 0x96, 0x61, 0x98, 0x39, 0xfb, 0x7e, ++ 0x6d, 0x66, 0xc4, 0x69, 0x41, 0x0d, 0x0d, 0x59, ++ 0xbb, 0xa7, 0xbf, 0x34, 0xe0, 0x39, 0x36, 0x84, ++ 0x5e, 0x0e, 0x03, 0x2d, 0xcf, 0xaa, 0x02, 0x8a, ++ 0xba, 0x59, 0x88, 0x47, 0xc4, 0x4d, 0xd7, 0xbd, ++ 0x78, 0x76, 0x24, 0xf1, 0x45, 0x56, 0x44, 0xc2, ++ 0x4a, 0xc2, 0xd5, 0x3a, 0x59, 0x40, 0xab, 0x87, ++ 0x64 + }; + + static const unsigned char dh_secret_expected[] = { +- 0x08, 0xff, 0x33, 0xbb, 0x2e, 0xcf, 0xf4, 0x9a, +- 0x7d, 0x4a, 0x79, 0x12, 0xae, 0xb1, 0xbb, 0x6a, +- 0xb5, 0x11, 0x64, 0x1b, 0x4a, 0x76, 0x77, 0x0c, +- 0x8c, 0xc1, 0xbc, 0xc2, 0x33, 0x34, 0x3d, 0xfe, +- 0x70, 0x0d, 0x11, 0x81, 0x3d, 0x2c, 0x9e, 0xd2, +- 0x3b, 0x21, 0x1c, 0xa9, 0xe8, 0x78, 0x69, 0x21, +- 0xed, 0xca, 0x28, 0x3c, 0x68, 0xb1, 0x61, 0x53, +- 0xfa, 0x01, 0xe9, 0x1a, 0xb8, 0x2c, 0x90, 0xdd, +- 0xab, 0x4a, 0x95, 0x81, 0x67, 0x70, 0xa9, 0x87, +- 0x10, 0xe1, 0x4c, 0x92, 0xab, 0x83, 0xb6, 0xe4, +- 0x6e, 0x1e, 0x42, 0x6e, 0xe8, 0x52, 0x43, 0x0d, +- 0x61, 0x87, 0xda, 0xa3, 0x72, 0x0a, 0x6b, 0xcd, +- 0x73, 0x23, 0x5c, 0x6b, 0x0f, 0x94, 0x1f, 0x33, +- 0x64, 0xf5, 0x04, 0x20, 0x55, 0x1a, 0x4b, 0xfe, +- 0xaf, 0xe2, 0xbc, 0x43, 0x85, 0x05, 0xa5, 0x9a, +- 0x4a, 0x40, 0xda, 0xca, 0x7a, 0x89, 0x5a, 0x73, +- 0xdb, 0x57, 0x5c, 0x74, 0xc1, 0x3a, 0x23, 0xad, +- 0x88, 0x32, 0x95, 0x7d, 0x58, 0x2d, 0x38, 0xf0, +- 0xa6, 0x16, 0x5f, 0xb0, 0xd7, 0xe9, 0xb8, 0x79, +- 0x9e, 0x42, 0xfd, 0x32, 0x20, 0xe3, 0x32, 0xe9, +- 0x81, 0x85, 0xa0, 0xc9, 0x42, 0x97, 0x57, 0xb2, +- 0xd0, 0xd0, 0x2c, 0x17, 0xdb, 0xaa, 0x1f, 0xf6, +- 0xed, 0x93, 0xd7, 0xe7, 0x3e, 0x24, 0x1e, 0xae, +- 0xd9, 0x0c, 0xaf, 0x39, 0x4d, 0x2b, 0xc6, 0x57, +- 0x0f, 0x18, 0xc8, 0x1f, 
0x2b, 0xe5, 0xd0, 0x1a, +- 0x2c, 0xa9, 0x9f, 0xf1, 0x42, 0xb5, 0xd9, 0x63, +- 0xf9, 0xf5, 0x00, 0x32, 0x5e, 0x75, 0x56, 0xf9, +- 0x58, 0x49, 0xb3, 0xff, 0xc7, 0x47, 0x94, 0x86, +- 0xbe, 0x1d, 0x45, 0x96, 0xa3, 0x10, 0x6b, 0xd5, +- 0xcb, 0x4f, 0x61, 0xc5, 0x7e, 0xc5, 0xf1, 0x00, +- 0xfb, 0x7a, 0x0c, 0x82, 0xa1, 0x0b, 0x82, 0x52, +- 0x6a, 0x97, 0xd1, 0xd9, 0x7d, 0x98, 0xea, 0xf6 ++ 0x56, 0x13, 0xe3, 0x12, 0x6b, 0x5f, 0x67, 0xe5, ++ 0x08, 0xe5, 0x35, 0x0e, 0x11, 0x90, 0x9d, 0xf5, ++ 0x1a, 0x24, 0xfa, 0x42, 0xd1, 0x4a, 0x50, 0x93, ++ 0x5b, 0xf4, 0x11, 0x6f, 0xd0, 0xc3, 0xc5, 0xa5, ++ 0x80, 0xae, 0x01, 0x3d, 0x66, 0x92, 0xc0, 0x3e, ++ 0x5f, 0xe9, 0x75, 0xb6, 0x5b, 0x37, 0x82, 0x39, ++ 0x72, 0x66, 0x0b, 0xa2, 0x73, 0x94, 0xe5, 0x04, ++ 0x7c, 0x0c, 0x19, 0x9a, 0x03, 0x53, 0xc4, 0x9d, ++ 0xc1, 0x0f, 0xc3, 0xec, 0x0e, 0x2e, 0xa3, 0x7c, ++ 0x07, 0x0e, 0xaf, 0x18, 0x1d, 0xc7, 0x8b, 0x47, ++ 0x4b, 0x94, 0x05, 0x6d, 0xec, 0xdd, 0xa1, 0xae, ++ 0x7b, 0x21, 0x86, 0x53, 0xd3, 0x62, 0x38, 0x08, ++ 0xea, 0xda, 0xdc, 0xb2, 0x5a, 0x7c, 0xef, 0x19, ++ 0xf8, 0x29, 0xef, 0xf8, 0xd0, 0xfb, 0xde, 0xe8, ++ 0xb8, 0x2f, 0xb3, 0xa1, 0x16, 0xa2, 0xd0, 0x8f, ++ 0x48, 0xdc, 0x7d, 0xcb, 0xee, 0x5c, 0x06, 0x1e, ++ 0x2a, 0x66, 0xe8, 0x1f, 0xdb, 0x18, 0xe9, 0xd2, ++ 0xfd, 0xa2, 0x4e, 0x39, 0xa3, 0x2e, 0x88, 0x3d, ++ 0x7d, 0xac, 0x15, 0x18, 0x25, 0xe6, 0xba, 0xd4, ++ 0x0e, 0x89, 0x26, 0x60, 0x8f, 0xdc, 0x4a, 0xb4, ++ 0x49, 0x8f, 0x98, 0xe8, 0x62, 0x8c, 0xc6, 0x66, ++ 0x20, 0x4c, 0xe1, 0xed, 0xfc, 0x01, 0x88, 0x46, ++ 0xa7, 0x67, 0x48, 0x39, 0xc5, 0x22, 0x95, 0xa0, ++ 0x23, 0xb9, 0xd1, 0xed, 0x87, 0xcf, 0xa7, 0x70, ++ 0x1c, 0xac, 0xd3, 0xaf, 0x5c, 0x26, 0x50, 0x3c, ++ 0xe4, 0x23, 0xb6, 0xcc, 0xd7, 0xc5, 0xda, 0x2f, ++ 0xf4, 0x45, 0xf1, 0xe4, 0x40, 0xb5, 0x0a, 0x25, ++ 0x86, 0xe6, 0xde, 0x11, 0x3c, 0x46, 0x16, 0xbc, ++ 0x41, 0xc2, 0x28, 0x19, 0x81, 0x5a, 0x46, 0x02, ++ 0x87, 0xd0, 0x15, 0x0c, 0xd2, 0xfe, 0x75, 0x04, ++ 0x82, 0xd2, 0x0a, 0xb7, 0xbc, 0xc5, 0x6c, 0xb1, ++ 0x41, 0xa8, 0x2b, 0x28, 0xbb, 0x86, 
0x0c, 0x89 + }; + + static const ST_KAT_PARAM dh_group[] = { +-- +2.35.3 + diff --git a/SOURCES/0076-FIPS-140-3-DRBG.patch b/SOURCES/0076-FIPS-140-3-DRBG.patch new file mode 100644 index 0000000..4a276f7 --- /dev/null +++ b/SOURCES/0076-FIPS-140-3-DRBG.patch 
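Review bot: The new dh_priv, dh_pub, dh_peer_pub and dh_secret_expected vectors carry no provenance comment, while p, q and g are labelled `/* RFC7919 FFDHE2048 p */` and so on; a reader cannot tell whether the key pair and expected secret come from a published test vector or were generated locally, which matters for a FIPS known-answer test that has to be auditable. A one-line comment above dh_priv naming the origin (a labelled placeholder such as `/* Key pair, peer key and shared secret: ORIGIN-TBD */` until it is recorded) would close that gap. The commit message gives no reason for replacing the previous parameters with FFDHE2048; presumably this follows the SP 800-56A rev3 restriction of FFC DH to safe-prime groups under FIPS 140-3, and saying so next to the group or in the message would help later reviewers. Note also that dh_pub and dh_peer_pub begin with a leading 0x00 byte and are 257 bytes long, which BN_bin2bn accepts but which any length check against sizeof(dh_p) elsewhere would not; the ST_KAT_PARAM dh_group table that consumes these arrays starts on the hunk's last line and continues outside it.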
@@ -0,0 +1,157 @@ +diff -up openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c.fipsrand openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c +--- openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c.fipsrand 2022-08-03 11:09:01.301637515 +0200 ++++ openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c 2022-08-03 11:13:00.058688605 +0200 +@@ -48,6 +48,8 @@ + # include + # include + # include ++# include ++# include + + static uint64_t get_time_stamp(void); + static uint64_t get_timer_bits(void); +@@ -342,66 +342,8 @@ static ssize_t syscall_random(void *buf, + * which is way below the OSSL_SSIZE_MAX limit. Therefore sign conversion + * between size_t and ssize_t is safe even without a range check. + */ +- +- /* +- * Do runtime detection to find getentropy(). +- * +- * Known OSs that should support this: +- * - Darwin since 16 (OSX 10.12, IOS 10.0). +- * - Solaris since 11.3 +- * - OpenBSD since 5.6 +- * - Linux since 3.17 with glibc 2.25 +- * - FreeBSD since 12.0 (1200061) +- * +- * Note: Sometimes getentropy() can be provided but not implemented +- * internally. So we need to check errno for ENOSYS +- */ +-# if !defined(__DragonFly__) && !defined(__NetBSD__) +-# if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux) +- extern int getentropy(void *buffer, size_t length) __attribute__((weak)); +- +- if (getentropy != NULL) { +- if (getentropy(buf, buflen) == 0) +- return (ssize_t)buflen; +- if (errno != ENOSYS) +- return -1; +- } +-# elif defined(OPENSSL_APPLE_CRYPTO_RANDOM) +- +- if (CCRandomGenerateBytes(buf, buflen) == kCCSuccess) +- return (ssize_t)buflen; +- +- return -1; +-# else +- union { +- void *p; +- int (*f)(void *buffer, size_t length); +- } p_getentropy; +- +- /* +- * We could cache the result of the lookup, but we normally don't +- * call this function often. 
+- */ +- ERR_set_mark(); +- p_getentropy.p = DSO_global_lookup("getentropy"); +- ERR_pop_to_mark(); +- if (p_getentropy.p != NULL) +- return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1; +-# endif +-# endif /* !__DragonFly__ */ +- +- /* Linux supports this since version 3.17 */ +-# if defined(__linux) && defined(__NR_getrandom) +- return syscall(__NR_getrandom, buf, buflen, 0); +-# elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND) +- return sysctl_random(buf, buflen); +-# elif (defined(__DragonFly__) && __DragonFly_version >= 500700) \ +- || (defined(__NetBSD__) && __NetBSD_Version >= 1000000000) +- return getrandom(buf, buflen, 0); +-# else +- errno = ENOSYS; +- return -1; +-# endif ++ /* Red Hat uses downstream patch to always seed from getrandom() */ ++ return EVP_default_properties_is_fips_enabled(NULL) ? getrandom(buf, buflen, GRND_RANDOM) : getrandom(buf, buflen, 0); + } + # endif /* defined(OPENSSL_RAND_SEED_GETRANDOM) */ + +diff -up openssl-3.0.1/providers/implementations/rands/drbg.c.fipsrand openssl-3.0.1/providers/implementations/rands/drbg.c +--- openssl-3.0.1/providers/implementations/rands/drbg.c.fipsrand 2022-08-03 12:14:39.409370134 +0200 ++++ openssl-3.0.1/providers/implementations/rands/drbg.c 2022-08-03 12:19:06.320700346 +0200 +@@ -575,6 +575,9 @@ int ossl_prov_drbg_reseed(PROV_DRBG *drb + #endif + } + ++#ifdef FIPS_MODULE ++ prediction_resistance = 1; ++#endif + /* Reseed using our sources in addition */ + entropylen = get_entropy(drbg, &entropy, drbg->strength, + drbg->min_entropylen, drbg->max_entropylen, +@@ -669,8 +669,14 @@ int ossl_prov_drbg_generate(PROV_DRBG *d + reseed_required = 1; + } + if (drbg->parent != NULL +- && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter) ++ && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter) { ++#ifdef FIPS_MODULE ++ /* Red Hat patches provide chain reseeding when necessary so just sync counters*/ ++ drbg->parent_reseed_counter = 
get_parent_reseed_count(drbg); ++#else + reseed_required = 1; ++#endif ++ } + + if (reseed_required || prediction_resistance) { + if (!ossl_prov_drbg_reseed(drbg, prediction_resistance, NULL, 0, +diff -up openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand openssl-3.0.1/crypto/rand/prov_seed.c +--- openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand 2022-08-04 12:17:52.148556301 +0200 ++++ openssl-3.0.1/crypto/rand/prov_seed.c 2022-08-04 12:19:41.783533552 +0200 +@@ -20,7 +20,14 @@ size_t ossl_rand_get_entropy(ossl_unused + size_t entropy_available; + RAND_POOL *pool; + +- pool = ossl_rand_pool_new(entropy, 1, min_len, max_len); ++ /* ++ * OpenSSL still implements an internal entropy pool of ++ * some size that is hashed to get seed data. ++ * Note that this is a conditioning step for which SP800-90C requires ++ * 64 additional bits from the entropy source to claim the requested ++ * amount of entropy. ++ */ ++ pool = ossl_rand_pool_new(entropy + 64, 1, min_len, max_len); + if (pool == NULL) { + ERR_raise(ERR_LIB_RAND, ERR_R_MALLOC_FAILURE); + return 0; +diff -up openssl-3.0.1/providers/implementations/rands/crngt.c.fipsrand openssl-3.0.1/providers/implementations/rands/crngt.c +--- openssl-3.0.1/providers/implementations/rands/crngt.c.fipsrand 2022-08-04 11:56:10.100950299 +0200 ++++ openssl-3.0.1/providers/implementations/rands/crngt.c 2022-08-04 11:59:11.241564925 +0200 +@@ -139,7 +139,11 @@ size_t ossl_crngt_get_entropy(PROV_DRBG + * to the nearest byte. If the entropy is of less than full quality, + * the amount required should be scaled up appropriately here. 
+ */ +- bytes_needed = (entropy + 7) / 8; ++ /* ++ * FIPS 140-3: the yet draft SP800-90C requires requested entropy ++ * + 128 bits during initial seeding ++ */ ++ bytes_needed = (entropy + 128 + 7) / 8; + if (bytes_needed < min_len) + bytes_needed = min_len; + if (bytes_needed > max_len) +diff -up openssl-3.0.7/providers/implementations/rands/drbg_local.h.drbg openssl-3.0.7/providers/implementations/rands/drbg_local.h +--- openssl-3.0.7/providers/implementations/rands/drbg_local.h.drbg 2023-03-13 12:17:47.705538612 +0100 ++++ openssl-3.0.7/providers/implementations/rands/drbg_local.h 2023-03-13 12:18:03.060702092 +0100 +@@ -38,7 +38,7 @@ + * + * The value is in bytes. + */ +-#define CRNGT_BUFSIZ 16 ++#define CRNGT_BUFSIZ 32 + + /* + * Maximum input size for the DRBG (entropy, nonce, personalization string) diff --git a/SOURCES/0077-FIPS-140-3-zeroization.patch b/SOURCES/0077-FIPS-140-3-zeroization.patch new file mode 100644 index 0000000..f6a50a5 --- /dev/null +++ b/SOURCES/0077-FIPS-140-3-zeroization.patch 
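Review bot: The replacement body of `syscall_random()` in rand_unix.c returns the raw result of `getrandom(buf, buflen, GRND_RANDOM)` with no handling of an interrupted or short read, while the removed code's ENOSYS/getentropy fallback chain is dropped entirely; with `GRND_RANDOM` the kernel may deliver fewer than `buflen` bytes or fail with EINTR, and that value is handed back as the byte count, so correctness now depends on the caller (outside this hunk) looping until the pool is satisfied. A minimal hardening is to retry on EINTR in place, e.g. `int flags = EVP_default_properties_is_fips_enabled(NULL) ? GRND_RANDOM : 0;` followed by `do { ret = getrandom(buf, buflen, flags); } while (ret < 0 && errno == EINTR);` and `return ret;`, with a comment noting that short reads are expected and must be topped up by the caller. Separately, `EVP_default_properties_is_fips_enabled(NULL)` consults the default library context rather than the provider's own `OSSL_LIB_CTX`, so a FIPS provider loaded into a non-default context would presumably take the flags-0 branch; worth confirming that matches the intended deployment and recording it in the comment. The `#ifdef FIPS_MODULE` counter-sync branch in `ossl_prov_drbg_generate` (drbg.c) likewise depends on the "Red Hat patches provide chain reseeding" claim being true for every parent type, which is not visible here.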
@@ -0,0 +1,76 @@ +diff -up openssl-3.0.1/crypto/ffc/ffc_params.c.fipszero openssl-3.0.1/crypto/ffc/ffc_params.c +--- openssl-3.0.1/crypto/ffc/ffc_params.c.fipszero 2022-08-05 13:11:27.211413931 +0200 ++++ openssl-3.0.1/crypto/ffc/ffc_params.c 2022-08-05 13:11:34.151475891 +0200 +@@ -27,10 +27,10 @@ void ossl_ffc_params_init(FFC_PARAMS *pa + + void ossl_ffc_params_cleanup(FFC_PARAMS *params) + { +- BN_free(params->p); +- BN_free(params->q); +- BN_free(params->g); +- BN_free(params->j); ++ BN_clear_free(params->p); ++ BN_clear_free(params->q); ++ BN_clear_free(params->g); ++ BN_clear_free(params->j); + OPENSSL_free(params->seed); + ossl_ffc_params_init(params); + } +diff -up openssl-3.0.1/crypto/rsa/rsa_lib.c.fipszero openssl-3.0.1/crypto/rsa/rsa_lib.c +--- openssl-3.0.1/crypto/rsa/rsa_lib.c.fipszero 2022-08-05 13:08:31.875848536 +0200 ++++ openssl-3.0.1/crypto/rsa/rsa_lib.c 2022-08-05 13:09:35.438416025 +0200 +@@ -155,8 +155,8 @@ void RSA_free(RSA *r) + + CRYPTO_THREAD_lock_free(r->lock); + +- BN_free(r->n); +- BN_free(r->e); ++ BN_clear_free(r->n); ++ BN_clear_free(r->e); + BN_clear_free(r->d); + BN_clear_free(r->p); + BN_clear_free(r->q); +diff -up openssl-3.0.1/providers/implementations/kdfs/hkdf.c.fipszero openssl-3.0.1/providers/implementations/kdfs/hkdf.c +--- openssl-3.0.1/providers/implementations/kdfs/hkdf.c.fipszero 2022-08-05 13:14:58.827303241 +0200 ++++ openssl-3.0.1/providers/implementations/kdfs/hkdf.c 2022-08-05 13:16:24.530068399 +0200 +@@ -116,7 +116,7 @@ static void kdf_hkdf_reset(void *vctx) + void *provctx = ctx->provctx; + + ossl_prov_digest_reset(&ctx->digest); +- OPENSSL_free(ctx->salt); ++ OPENSSL_clear_free(ctx->salt, ctx->salt_len); + OPENSSL_free(ctx->prefix); + OPENSSL_free(ctx->label); + OPENSSL_clear_free(ctx->data, ctx->data_len); +diff -up openssl-3.0.1/providers/implementations/kdfs/pbkdf2.c.fipszero openssl-3.0.1/providers/implementations/kdfs/pbkdf2.c +--- openssl-3.0.1/providers/implementations/kdfs/pbkdf2.c.fipszero 2022-08-05 
13:12:40.552068717 +0200 ++++ openssl-3.0.1/providers/implementations/kdfs/pbkdf2.c 2022-08-05 13:13:34.324548799 +0200 +@@ -83,7 +83,7 @@ static void *kdf_pbkdf2_new(void *provct + static void kdf_pbkdf2_cleanup(KDF_PBKDF2 *ctx) + { + ossl_prov_digest_reset(&ctx->digest); +- OPENSSL_free(ctx->salt); ++ OPENSSL_clear_free(ctx->salt, ctx->salt_len); + OPENSSL_clear_free(ctx->pass, ctx->pass_len); + memset(ctx, 0, sizeof(*ctx)); + } +diff -up openssl-3.0.1/crypto/ec/ec_lib.c.fipszero openssl-3.0.1/crypto/ec/ec_lib.c +--- openssl-3.0.1/crypto/ec/ec_lib.c.fipszero 2022-08-05 13:48:32.221345774 +0200 ++++ openssl-3.0.1/crypto/ec/ec_lib.c 2022-08-05 13:49:16.138741452 +0200 +@@ -744,12 +744,16 @@ EC_POINT *EC_POINT_new(const EC_GROUP *g + + void EC_POINT_free(EC_POINT *point) + { ++#ifdef FIPS_MODULE ++ EC_POINT_clear_free(point); ++#else + if (point == NULL) + return; + + if (point->meth->point_finish != 0) + point->meth->point_finish(point); + OPENSSL_free(point); ++#endif + } + + void EC_POINT_clear_free(EC_POINT *point) diff --git a/SOURCES/0078-KDF-Add-FIPS-indicators.patch b/SOURCES/0078-KDF-Add-FIPS-indicators.patch new file mode 100644 index 0000000..40e390a --- /dev/null +++ b/SOURCES/0078-KDF-Add-FIPS-indicators.patch 
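Review bot: `EC_POINT_free` under `FIPS_MODULE` now delegates entirely to `EC_POINT_clear_free`, so the `point->meth->point_finish` call that remains visible only in the `#else` branch is preserved solely if `EC_POINT_clear_free` (declared right after the hunk, body not shown) performs the same finish step before zeroizing and freeing. A one-line comment inside the `#ifdef` branch, e.g. `/* FIPS 140-3 zeroization: clear_free runs point_finish and wipes the point, see EC_POINT_clear_free below */`, would stop a later reader from treating the missing call as a regression. The new `OPENSSL_clear_free(ctx->salt, ctx->salt_len)` lines in hkdf.c and pbkdf2.c also rely on `salt_len` always matching the live allocation, including on a failed set-params path that replaces the salt; those setters are outside this hunk, so that invariant should be checked there.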
@@ -0,0 +1,906 @@ +From 2290280617183863eb15425b8925765966723725 Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Thu, 11 Aug 2022 09:27:12 +0200 +Subject: KDF: Add FIPS indicators + +FIPS requires a number of restrictions on the parameters of the various +key derivation functions implemented in OpenSSL. The KDFs that use +digest algorithms usually should not allow SHAKE (due to FIPS 140-3 IG +C.C). Additionally, some application-specific KDFs have further +restrictions defined in SP 800-135r1. + +Generally, all KDFs shall use a key-derivation key length of at least +112 bits due to SP 800-131Ar2 section 8. Additionally any use of a KDF +to generate and output length of less than 112 bits will also set the +indicator to unapproved. + +Add explicit indicators to all KDFs usable in FIPS mode except for +PBKDF2 (which has its specific FIPS limits already implemented). The +indicator can be queried using EVP_KDF_CTX_get_params() after setting +the required parameters and keys for the KDF. + +Our FIPS provider implements SHA1, SHA2 (both -256 and -512, and the +truncated variants -224 and -384) and SHA3 (-256 and -512, and the +truncated versions -224 and -384), as well as SHAKE-128 and -256. + +The SHAKE functions are generally not allowed in KDFs. 
For the rest, the +support matrix is: + + KDF | SHA-1 | SHA-2 | SHA-2 truncated | SHA-3 | SHA-3 truncated +========================================================================== +KBKDF | x | x | x | x | x +HKDF | x | x | x | x | x +TLS1PRF | | SHA-{256,384,512} only | | +SSHKDF | x | x | x | | +SSKDF | x | x | x | x | x +X9.63KDF | | x | x | x | x +X9.42-ASN1 | x | x | x | x | x +TLS1.3PRF | | SHA-{256,384} only | | + +Signed-off-by: Clemens Lang +Resolves: rhbz#2160733 rhbz#2164763 +Related: rhbz#2114772 rhbz#2141695 +--- + include/crypto/evp.h | 7 ++ + include/openssl/core_names.h | 1 + + include/openssl/kdf.h | 4 + + providers/implementations/kdfs/hkdf.c | 100 +++++++++++++++++++++- + providers/implementations/kdfs/kbkdf.c | 82 ++++++++++++++++-- + providers/implementations/kdfs/sshkdf.c | 75 +++++++++++++++- + providers/implementations/kdfs/sskdf.c | 100 +++++++++++++++++++++- + providers/implementations/kdfs/tls1_prf.c | 74 +++++++++++++++- + providers/implementations/kdfs/x942kdf.c | 67 ++++++++++++++- + 9 files changed, 488 insertions(+), 22 deletions(-) + +diff --git a/include/crypto/evp.h b/include/crypto/evp.h +index e70d8e9e84..76fb990de4 100644 +--- a/include/crypto/evp.h ++++ b/include/crypto/evp.h +@@ -219,6 +219,13 @@ struct evp_mac_st { + OSSL_FUNC_mac_set_ctx_params_fn *set_ctx_params; + }; + ++#ifdef FIPS_MODULE ++/* According to NIST Special Publication 800-131Ar2, Section 8: Deriving ++ * Additional Keys from a Cryptographic Key, "[t]he length of the ++ * key-derivation key [i.e., the input key] shall be at least 112 bits". 
*/ ++# define EVP_KDF_FIPS_MIN_KEY_LEN (112 / 8) ++#endif ++ + struct evp_kdf_st { + OSSL_PROVIDER *prov; + int name_id; +diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h +index 6bed5a8a67..680bfbc7cc 100644 +--- a/include/openssl/core_names.h ++++ b/include/openssl/core_names.h +@@ -223,6 +223,7 @@ extern "C" { + #define OSSL_KDF_PARAM_X942_SUPP_PUBINFO "supp-pubinfo" + #define OSSL_KDF_PARAM_X942_SUPP_PRIVINFO "supp-privinfo" + #define OSSL_KDF_PARAM_X942_USE_KEYBITS "use-keybits" ++#define OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator" + + /* Known KDF names */ + #define OSSL_KDF_NAME_HKDF "HKDF" +diff --git a/include/openssl/kdf.h b/include/openssl/kdf.h +index 0983230a48..86171635ea 100644 +--- a/include/openssl/kdf.h ++++ b/include/openssl/kdf.h +@@ -63,6 +63,10 @@ int EVP_KDF_names_do_all(const EVP_KDF *kdf, + # define EVP_KDF_HKDF_MODE_EXTRACT_ONLY 1 + # define EVP_KDF_HKDF_MODE_EXPAND_ONLY 2 + ++# define EVP_KDF_REDHAT_FIPS_INDICATOR_UNDETERMINED 0 ++# define EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED 1 ++# define EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2 ++ + #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV 65 + #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI 66 + #define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 67 +diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c +index dfa7786bde..f01e40ff5a 100644 +--- a/providers/implementations/kdfs/hkdf.c ++++ b/providers/implementations/kdfs/hkdf.c +@@ -42,6 +42,7 @@ static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_hkdf_settable_ctx_params; + static OSSL_FUNC_kdf_set_ctx_params_fn kdf_hkdf_set_ctx_params; + static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_hkdf_gettable_ctx_params; + static OSSL_FUNC_kdf_get_ctx_params_fn kdf_hkdf_get_ctx_params; ++static OSSL_FUNC_kdf_newctx_fn kdf_tls1_3_new; + static OSSL_FUNC_kdf_derive_fn kdf_tls1_3_derive; + static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_tls1_3_settable_ctx_params; + static 
OSSL_FUNC_kdf_set_ctx_params_fn kdf_tls1_3_set_ctx_params; +@@ -85,6 +86,10 @@ typedef struct { + size_t data_len; + unsigned char info[HKDF_MAXBUF]; + size_t info_len; ++ int is_tls13; ++#ifdef FIPS_MODULE ++ int fips_indicator; ++#endif /* defined(FIPS_MODULE) */ + } KDF_HKDF; + + static void *kdf_hkdf_new(void *provctx) +@@ -170,6 +175,11 @@ static int kdf_hkdf_derive(void *vctx, unsigned char *key, size_t keylen, + return 0; + } + ++#ifdef FIPS_MODULE ++ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) ++ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++#endif /* defined(FIPS_MODULE) */ ++ + switch (ctx->mode) { + case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND: + default: +@@ -332,15 +342,78 @@ static int kdf_hkdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) + { + KDF_HKDF *ctx = (KDF_HKDF *)vctx; + OSSL_PARAM *p; ++ int any_valid = 0; /* set to 1 when at least one parameter was valid */ + + if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) { + size_t sz = kdf_hkdf_size(ctx); + +- if (sz == 0) ++ any_valid = 1; ++ ++ if (sz == 0 || !OSSL_PARAM_set_size_t(p, sz)) + return 0; +- return OSSL_PARAM_set_size_t(p, sz); + } +- return -2; ++ ++#ifdef FIPS_MODULE ++ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR)) ++ != NULL) { ++ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED; ++ const EVP_MD *md = ossl_prov_digest_md(&ctx->digest); ++ ++ any_valid = 1; ++ ++ /* According to NIST Special Publication 800-131Ar2, Section 8: ++ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of ++ * the key-derivation key [i.e., the input key] shall be at least 112 ++ * bits". 
*/ ++ if (ctx->key_len < EVP_KDF_FIPS_MIN_KEY_LEN) ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module ++ * Verification Program, Section D.B and NIST Special Publication ++ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security ++ * strength < 112 bits is legacy use only, so all derived keys should ++ * be longer than that. If a derived key has ever been shorter than ++ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we ++ * should also set the returned FIPS indicator to unapproved. */ ++ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED) ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ++ if (ctx->is_tls13) { ++ if (md != NULL ++ && !EVP_MD_is_a(md, "SHA2-256") ++ && !EVP_MD_is_a(md, "SHA2-384")) { ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic ++ * Module Validation Program, Section 2.4.B, (5): "The TLS 1.3 ++ * key derivation function documented in Section 7.1 of RFC ++ * 8446. This is considered an approved CVL because the ++ * underlying functions performed within the TLS 1.3 KDF map to ++ * NIST approved standards, namely: SP 800-133rev2 (Section 6.3 ++ * Option #3), SP 800-56Crev2, and SP 800-108." ++ * ++ * RFC 8446 appendix B.4 only lists SHA-256 and SHA-384. */ ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ } ++ } else { ++ if (md != NULL ++ && (EVP_MD_is_a(md, "SHAKE-128") || ++ EVP_MD_is_a(md, "SHAKE-256"))) { ++ /* HKDF is a SP 800-56Cr2 TwoStep KDF, for which all SHA-1, ++ * SHA-2 and SHA-3 are approved. SHAKE is not approved, because ++ * of FIPS 140-3 IG, section C.C: "The SHAKE128 and SHAKE256 ++ * extendable-output functions may only be used as the ++ * standalone algorithms." 
*/ ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ } ++ } ++ if (!OSSL_PARAM_set_int(p, fips_indicator)) ++ return 0; ++ } ++#endif /* defined(FIPS_MODULE) */ ++ ++ if (!any_valid) ++ return -2; ++ ++ return 1; + } + + static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx, +@@ -348,6 +421,9 @@ static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx, + { + static const OSSL_PARAM known_gettable_ctx_params[] = { + OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), ++#ifdef FIPS_MODULE ++ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL), ++#endif /* defined(FIPS_MODULE) */ + OSSL_PARAM_END + }; + return known_gettable_ctx_params; +@@ -677,6 +753,17 @@ static int prov_tls13_hkdf_generate_secret(OSSL_LIB_CTX *libctx, + return ret; + } + ++static void *kdf_tls1_3_new(void *provctx) ++{ ++ KDF_HKDF *hkdf = kdf_hkdf_new(provctx); ++ ++ if (hkdf != NULL) ++ hkdf->is_tls13 = 1; ++ ++ return hkdf; ++} ++ ++ + static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen, + const OSSL_PARAM params[]) + { +@@ -692,6 +779,11 @@ static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen, + return 0; + } + ++#ifdef FIPS_MODULE ++ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) ++ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++#endif /* defined(FIPS_MODULE) */ ++ + switch (ctx->mode) { + default: + return 0; +@@ -769,7 +861,7 @@ static const OSSL_PARAM *kdf_tls1_3_settable_ctx_params(ossl_unused void *ctx, + } + + const OSSL_DISPATCH ossl_kdf_tls1_3_kdf_functions[] = { +- { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_hkdf_new }, ++ { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_tls1_3_new }, + { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_hkdf_free }, + { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_hkdf_reset }, + { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_tls1_3_derive }, +diff --git a/providers/implementations/kdfs/kbkdf.c b/providers/implementations/kdfs/kbkdf.c +index 
a542f84dfa..6b6dfb94ac 100644 +--- a/providers/implementations/kdfs/kbkdf.c ++++ b/providers/implementations/kdfs/kbkdf.c +@@ -59,6 +59,9 @@ typedef struct { + kbkdf_mode mode; + EVP_MAC_CTX *ctx_init; + ++ /* HMAC digest algorithm, if any; used to compute FIPS indicator */ ++ PROV_DIGEST digest; ++ + /* Names are lowercased versions of those found in SP800-108. */ + int r; + unsigned char *ki; +@@ -70,6 +73,9 @@ typedef struct { + size_t iv_len; + int use_l; + int use_separator; ++#ifdef FIPS_MODULE ++ int fips_indicator; ++#endif /* defined(FIPS_MODULE) */ + } KBKDF; + + /* Definitions needed for typechecking. */ +@@ -138,6 +144,7 @@ static void kbkdf_reset(void *vctx) + void *provctx = ctx->provctx; + + EVP_MAC_CTX_free(ctx->ctx_init); ++ ossl_prov_digest_reset(&ctx->digest); + OPENSSL_clear_free(ctx->context, ctx->context_len); + OPENSSL_clear_free(ctx->label, ctx->label_len); + OPENSSL_clear_free(ctx->ki, ctx->ki_len); +@@ -240,6 +247,11 @@ static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen, + return 0; + } + ++#ifdef FIPS_MODULE ++ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) ++ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++#endif /* defined(FIPS_MODULE) */ ++ + h = EVP_MAC_CTX_get_mac_size(ctx->ctx_init); + if (h == 0) + goto done; +@@ -297,6 +309,9 @@ static int kbkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) + return 0; + } + ++ if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx)) ++ return 0; ++ + p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_MODE); + if (p != NULL + && OPENSSL_strncasecmp("counter", p->data, p->data_size) == 0) { +@@ -363,20 +378,77 @@ static const OSSL_PARAM *kbkdf_settable_ctx_params(ossl_unused void *ctx, + static int kbkdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) + { + OSSL_PARAM *p; ++ int any_valid = 0; /* set to 1 when at least one parameter was valid */ + + p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE); +- if (p == NULL) ++ if (p != NULL) { ++ 
any_valid = 1; ++ ++ /* KBKDF can produce results as large as you like. */ ++ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX)) ++ return 0; ++ } ++ ++#ifdef FIPS_MODULE ++ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR); ++ if (p != NULL) { ++ KBKDF *ctx = (KBKDF *)vctx; ++ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED; ++ ++ any_valid = 1; ++ ++ /* According to NIST Special Publication 800-131Ar2, Section 8: ++ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of ++ * the key-derivation key [i.e., the input key] shall be at least 112 ++ * bits". */ ++ if (ctx->ki_len < EVP_KDF_FIPS_MIN_KEY_LEN) ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module ++ * Verification Program, Section D.B and NIST Special Publication ++ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security ++ * strength < 112 bits is legacy use only, so all derived keys should ++ * be longer than that. If a derived key has ever been shorter than ++ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we ++ * should also set the returned FIPS indicator to unapproved. */ ++ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED) ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module ++ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256 ++ * extendable-output functions may only be used as the standalone ++ * algorithms." Note that the digest is only used when the MAC ++ * algorithm is HMAC. 
*/ ++ if (ctx->ctx_init != NULL ++ && EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->ctx_init), OSSL_MAC_NAME_HMAC)) { ++ const EVP_MD *md = ossl_prov_digest_md(&ctx->digest); ++ if (md != NULL ++ && (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256"))) { ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ } ++ } ++ ++ if (!OSSL_PARAM_set_int(p, fips_indicator)) ++ return 0; ++ } ++#endif ++ ++ if (!any_valid) + return -2; + +- /* KBKDF can produce results as large as you like. */ +- return OSSL_PARAM_set_size_t(p, SIZE_MAX); ++ return 1; + } + + static const OSSL_PARAM *kbkdf_gettable_ctx_params(ossl_unused void *ctx, + ossl_unused void *provctx) + { +- static const OSSL_PARAM known_gettable_ctx_params[] = +- { OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), OSSL_PARAM_END }; ++ static const OSSL_PARAM known_gettable_ctx_params[] = { ++ OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), ++#ifdef FIPS_MODULE ++ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL), ++#endif /* defined(FIPS_MODULE) */ ++ OSSL_PARAM_END ++ }; + return known_gettable_ctx_params; + } + +diff --git a/providers/implementations/kdfs/sshkdf.c b/providers/implementations/kdfs/sshkdf.c +index c592ba72f1..4a52b38266 100644 +--- a/providers/implementations/kdfs/sshkdf.c ++++ b/providers/implementations/kdfs/sshkdf.c +@@ -48,6 +48,9 @@ typedef struct { + char type; /* X */ + unsigned char *session_id; + size_t session_id_len; ++#ifdef FIPS_MODULE ++ int fips_indicator; ++#endif /* defined(FIPS_MODULE) */ + } KDF_SSHKDF; + + static void *kdf_sshkdf_new(void *provctx) +@@ -126,6 +129,12 @@ static int kdf_sshkdf_derive(void *vctx, unsigned char *key, size_t keylen, + ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_TYPE); + return 0; + } ++ ++#ifdef FIPS_MODULE ++ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) ++ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++#endif /* defined(FIPS_MODULE) */ ++ + return SSHKDF(md, ctx->key, ctx->key_len, + ctx->xcghash, ctx->xcghash_len, + 
ctx->session_id, ctx->session_id_len, +@@ -194,10 +203,67 @@ static const OSSL_PARAM *kdf_sshkdf_settable_ctx_params(ossl_unused void *ctx, + static int kdf_sshkdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) + { + OSSL_PARAM *p; ++ int any_valid = 0; /* set to 1 when at least one parameter was valid */ + +- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) +- return OSSL_PARAM_set_size_t(p, SIZE_MAX); +- return -2; ++ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) { ++ any_valid = 1; ++ ++ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX)) ++ return 0; ++ } ++ ++#ifdef FIPS_MODULE ++ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR); ++ if (p != NULL) { ++ KDF_SSHKDF *ctx = vctx; ++ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED; ++ ++ any_valid = 1; ++ ++ /* According to NIST Special Publication 800-131Ar2, Section 8: ++ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of ++ * the key-derivation key [i.e., the input key] shall be at least 112 ++ * bits". */ ++ if (ctx->key_len < EVP_KDF_FIPS_MIN_KEY_LEN) ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module ++ * Verification Program, Section D.B and NIST Special Publication ++ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security ++ * strength < 112 bits is legacy use only, so all derived keys should ++ * be longer than that. If a derived key has ever been shorter than ++ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we ++ * should also set the returned FIPS indicator to unapproved. 
*/ ++ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED) ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module ++ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256 ++ * extendable-output functions may only be used as the standalone ++ * algorithms." ++ * ++ * Additionally, SP 800-135r1 section 5.2 specifies that the hash ++ * function used in SSHKDF "is one of the hash functions specified in ++ * FIPS 180-3.", which rules out SHA-3 and truncated variants of SHA-2. ++ * */ ++ if (ctx->digest.md != NULL ++ && !EVP_MD_is_a(ctx->digest.md, "SHA-1") ++ && !EVP_MD_is_a(ctx->digest.md, "SHA2-224") ++ && !EVP_MD_is_a(ctx->digest.md, "SHA2-256") ++ && !EVP_MD_is_a(ctx->digest.md, "SHA2-384") ++ && !EVP_MD_is_a(ctx->digest.md, "SHA2-512")) { ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ } ++ ++ if (!OSSL_PARAM_set_int(p, fips_indicator)) ++ return 0; ++ } ++#endif ++ ++ if (!any_valid) ++ return -2; ++ ++ return 1; + } + + static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx, +@@ -205,6 +271,9 @@ static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx, + { + static const OSSL_PARAM known_gettable_ctx_params[] = { + OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), ++#ifdef FIPS_MODULE ++ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL), ++#endif /* defined(FIPS_MODULE) */ + OSSL_PARAM_END + }; + return known_gettable_ctx_params; +diff --git a/providers/implementations/kdfs/sskdf.c b/providers/implementations/kdfs/sskdf.c +index eb54972e1c..23865cd70f 100644 +--- a/providers/implementations/kdfs/sskdf.c ++++ b/providers/implementations/kdfs/sskdf.c +@@ -62,6 +62,10 @@ typedef struct { + unsigned char *salt; + size_t salt_len; + size_t out_len; /* optional KMAC parameter */ ++ int is_x963kdf; ++#ifdef FIPS_MODULE ++ int fips_indicator; ++#endif /* defined(FIPS_MODULE) */ + } KDF_SSKDF; + 
+ #define SSKDF_MAX_INLEN (1<<30)
+@@ -73,6 +77,7 @@ typedef struct {
+ static const unsigned char kmac_custom_str[] = { 0x4B, 0x44, 0x46 };
+
+ static OSSL_FUNC_kdf_newctx_fn sskdf_new;
++static OSSL_FUNC_kdf_newctx_fn x963kdf_new;
+ static OSSL_FUNC_kdf_freectx_fn sskdf_free;
+ static OSSL_FUNC_kdf_reset_fn sskdf_reset;
+ static OSSL_FUNC_kdf_derive_fn sskdf_derive;
+@@ -296,6 +301,16 @@ static void *sskdf_new(void *provctx)
+ return ctx;
+ }
+
++static void *x963kdf_new(void *provctx)
++{
++ KDF_SSKDF *ctx = sskdf_new(provctx);
++
++ if (ctx)
++ ctx->is_x963kdf = 1;
++
++ return ctx;
++}
++
+ static void sskdf_reset(void *vctx)
+ {
+ KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
+@@ -361,6 +376,11 @@ static int sskdf_derive(void *vctx, unsigned char *key, size_t keylen,
+ }
+ md = ossl_prov_digest_md(&ctx->digest);
+
++#ifdef FIPS_MODULE
++ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
++ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++#endif /* defined(FIPS_MODULE) */
++
+ if (ctx->macctx != NULL) {
+ /* H(x) = KMAC or H(x) = HMAC */
+ int ret;
+@@ -442,6 +462,11 @@ static int x963kdf_derive(void *vctx, unsigned char *key, size_t keylen,
+ return 0;
+ }
+
++#ifdef FIPS_MODULE
++ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
++ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++#endif /* defined(FIPS_MODULE) */
++
+ return SSKDF_hash_kdm(md, ctx->secret, ctx->secret_len,
+ ctx->info, ctx->info_len, 1, key, keylen);
+ }
+@@ -514,10 +539,74 @@ static int sskdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
+ {
+ KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
+ OSSL_PARAM *p;
++ int any_valid = 0; /* set to 1 when at least one parameter was valid */
++
++ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
++ any_valid = 1;
++
++ if (!OSSL_PARAM_set_size_t(p, sskdf_size(ctx)))
++ return 0;
++ }
+
+- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
+- return OSSL_PARAM_set_size_t(p, sskdf_size(ctx));
+- return -2;
++#ifdef FIPS_MODULE
++ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR);
++ if (p != NULL) {
++ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
++
++ any_valid = 1;
++
++ /* According to NIST Special Publication 800-131Ar2, Section 8:
++ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
++ * the key-derivation key [i.e., the input key] shall be at least 112
++ * bits". */
++ if (ctx->secret_len < EVP_KDF_FIPS_MIN_KEY_LEN)
++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++
++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
++ * Verification Program, Section D.B and NIST Special Publication
++ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
++ * strength < 112 bits is legacy use only, so all derived keys should
++ * be longer than that. If a derived key has ever been shorter than
++ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
++ * should also set the returned FIPS indicator to unapproved. */
++ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++
++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
++ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
++ * extendable-output functions may only be used as the standalone
++ * algorithms." */
++ if (ctx->macctx == NULL
++ || (ctx->macctx != NULL &&
++ EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->macctx), OSSL_MAC_NAME_HMAC))) {
++ if (ctx->digest.md != NULL
++ && (EVP_MD_is_a(ctx->digest.md, "SHAKE-128") ||
++ EVP_MD_is_a(ctx->digest.md, "SHAKE-256"))) {
++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++ }
++
++ /* Table H-3 in ANS X9.63-2001 says that 160-bit hash functions
++ * should only be used for 80-bit key agreement, but FIPS 140-3
++ * requires a security strength of 112 bits, so SHA-1 cannot be
++ * used with X9.63. See the discussion in
++ * https://github.com/usnistgov/ACVP/issues/1403#issuecomment-1435300395.
++ */
++ if (ctx->is_x963kdf
++ && ctx->digest.md != NULL
++ && EVP_MD_is_a(ctx->digest.md, "SHA-1")) {
++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++ }
++ }
++
++ if (!OSSL_PARAM_set_int(p, fips_indicator))
++ return 0;
++ }
++#endif
++
++ if (!any_valid)
++ return -2;
++
++ return 1;
+ }
+
+ static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx,
+@@ -525,6 +614,9 @@ static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx,
+ {
+ static const OSSL_PARAM known_gettable_ctx_params[] = {
+ OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
++#ifdef FIPS_MODULE
++ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, 0),
++#endif /* defined(FIPS_MODULE) */
+ OSSL_PARAM_END
+ };
+ return known_gettable_ctx_params;
+@@ -545,7 +637,7 @@ const OSSL_DISPATCH ossl_kdf_sskdf_functions[] = {
+ };
+
+ const OSSL_DISPATCH ossl_kdf_x963_kdf_functions[] = {
+- { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))sskdf_new },
++ { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))x963kdf_new },
+ { OSSL_FUNC_KDF_FREECTX, (void(*)(void))sskdf_free },
+ { OSSL_FUNC_KDF_RESET, (void(*)(void))sskdf_reset },
+ { OSSL_FUNC_KDF_DERIVE, (void(*)(void))x963kdf_derive },
+diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c
+index a4d64b9352..f6782a6ca2 100644
+--- a/providers/implementations/kdfs/tls1_prf.c
++++ b/providers/implementations/kdfs/tls1_prf.c
+@@ -93,6 +93,13 @@ typedef struct {
+ /* Buffer of concatenated seed data */
+ unsigned char seed[TLS1_PRF_MAXBUF];
+ size_t seedlen;
++
++ /* MAC digest algorithm; used to compute FIPS indicator */
++ PROV_DIGEST digest;
++
++#ifdef FIPS_MODULE
++ int fips_indicator;
++#endif /* defined(FIPS_MODULE) */
+ } TLS1_PRF;
+
+ static void *kdf_tls1_prf_new(void *provctx)
+@@ -129,6 +136,7 @@ static void kdf_tls1_prf_reset(void *vctx)
+ EVP_MAC_CTX_free(ctx->P_sha1);
+ OPENSSL_clear_free(ctx->sec, ctx->seclen);
+ OPENSSL_cleanse(ctx->seed, ctx->seedlen);
++ ossl_prov_digest_reset(&ctx->digest);
+ memset(ctx, 0, sizeof(*ctx));
+ ctx->provctx = provctx;
+ }
+@@ -157,6 +165,10 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen,
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
+ return 0;
+ }
++#ifdef FIPS_MODULE
++ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
++ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++#endif /* defined(FIPS_MODULE) */
+
+ return tls1_prf_alg(ctx->P_hash, ctx->P_sha1,
+ ctx->sec, ctx->seclen,
+@@ -191,6 +203,9 @@ static int kdf_tls1_prf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
+ }
+ }
+
++ if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx))
++ return 0;
++
+ if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET)) != NULL) {
+ OPENSSL_clear_free(ctx->sec, ctx->seclen);
+ ctx->sec = NULL;
+@@ -232,10 +247,60 @@ static const OSSL_PARAM *kdf_tls1_prf_settable_ctx_params(
+ static int kdf_tls1_prf_get_ctx_params(void *vctx, OSSL_PARAM params[])
+ {
+ OSSL_PARAM *p;
++#ifdef FIPS_MODULE
++ TLS1_PRF *ctx = vctx;
++#endif /* defined(FIPS_MODULE) */
++ int any_valid = 0; /* set to 1 when at least one parameter was valid */
++
++ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
++ any_valid = 1;
++
++ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
++ return 0;
++ }
++
++#ifdef FIPS_MODULE
++ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR);
++ if (p != NULL) {
++ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
++
++ any_valid = 1;
++
++ /* According to NIST Special Publication 800-131Ar2, Section 8:
++ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
++ * the key-derivation key [i.e., the input key] shall be at least 112
++ * bits". */
++ if (ctx->seclen < EVP_KDF_FIPS_MIN_KEY_LEN)
++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++
++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
++ * Verification Program, Section D.B and NIST Special Publication
++ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
++ * strength < 112 bits is legacy use only, so all derived keys should
++ * be longer than that. If a derived key has ever been shorter than
++ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
++ * should also set the returned FIPS indicator to unapproved. */
++ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++
++ /* SP 800-135r1 section 4.2.2 says TLS 1.2 KDF is approved when "(3)
++ * P_HASH uses either SHA-256, SHA-384 or SHA-512." */
++ if (ctx->digest.md != NULL
++ && !EVP_MD_is_a(ctx->digest.md, "SHA2-256")
++ && !EVP_MD_is_a(ctx->digest.md, "SHA2-384")
++ && !EVP_MD_is_a(ctx->digest.md, "SHA2-512")) {
++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++ }
++
++ if (!OSSL_PARAM_set_int(p, fips_indicator))
++ return 0;
++ }
++#endif
+
+- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
+- return OSSL_PARAM_set_size_t(p, SIZE_MAX);
+- return -2;
++ if (!any_valid)
++ return -2;
++
++ return 1;
+ }
+
+ static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params(
+@@ -243,6 +308,9 @@ static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params(
+ {
+ static const OSSL_PARAM known_gettable_ctx_params[] = {
+ OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
++#ifdef FIPS_MODULE
++ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, 0),
++#endif /* defined(FIPS_MODULE) */
+ OSSL_PARAM_END
+ };
+ return known_gettable_ctx_params;
+diff --git a/providers/implementations/kdfs/x942kdf.c b/providers/implementations/kdfs/x942kdf.c
+index b1bc6f7e1b..8173fc2cc7 100644
+--- a/providers/implementations/kdfs/x942kdf.c
++++ b/providers/implementations/kdfs/x942kdf.c
+@@ -13,10 +13,13 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include "internal/packet.h"
+ #include "internal/der.h"
++#include "internal/nelem.h"
++#include "crypto/evp.h"
+ #include "prov/provider_ctx.h"
+ #include "prov/providercommon.h"
+ #include "prov/implementations.h"
+@@ -47,6 +50,9 @@ typedef struct {
+ const unsigned char *cek_oid;
+ size_t cek_oid_len;
+ int use_keybits;
++#ifdef FIPS_MODULE
++ int fips_indicator;
++#endif /* defined(FIPS_MODULE) */
+ } KDF_X942;
+
+ /*
+@@ -460,6 +466,10 @@ static int x942kdf_derive(void *vctx, unsigned char *key, size_t keylen,
+ ERR_raise(ERR_LIB_PROV, PROV_R_BAD_ENCODING);
+ return 0;
+ }
++#ifdef FIPS_MODULE
++ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
++ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++#endif /* defined(FIPS_MODULE) */
+ ret = x942kdf_hash_kdm(md, ctx->secret, ctx->secret_len,
+ der, der_len, ctr, key, keylen);
+ OPENSSL_free(der);
+@@ -563,10 +573,58 @@ static int x942kdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
+ {
+ KDF_X942 *ctx = (KDF_X942 *)vctx;
+ OSSL_PARAM *p;
++ int any_valid = 0; /* set to 1 when at least one parameter was valid */
+
+- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
+- return OSSL_PARAM_set_size_t(p, x942kdf_size(ctx));
+- return -2;
++ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
++ any_valid = 1;
++
++ if (!OSSL_PARAM_set_size_t(p, x942kdf_size(ctx)))
++ return 0;
++ }
++
++#ifdef FIPS_MODULE
++ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR);
++ if (p != NULL) {
++ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
++
++ any_valid = 1;
++
++ /* According to NIST Special Publication 800-131Ar2, Section 8:
++ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
++ * the key-derivation key [i.e., the input key] shall be at least 112
++ * bits". */
++ if (ctx->secret_len < EVP_KDF_FIPS_MIN_KEY_LEN)
++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++
++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
++ * Verification Program, Section D.B and NIST Special Publication
++ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
++ * strength < 112 bits is legacy use only, so all derived keys should
++ * be longer than that. If a derived key has ever been shorter than
++ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
++ * should also set the returned FIPS indicator to unapproved. */
++ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++
++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
++ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
++ * extendable-output functions may only be used as the standalone
++ * algorithms." */
++ if (ctx->digest.md != NULL
++ && (EVP_MD_is_a(ctx->digest.md, "SHAKE-128") ||
++ EVP_MD_is_a(ctx->digest.md, "SHAKE-256"))) {
++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++ }
++
++ if (!OSSL_PARAM_set_int(p, fips_indicator))
++ return 0;
++ }
++#endif
++
++ if (!any_valid)
++ return -2;
++
++ return 1;
+ }
+
+ static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx,
+@@ -574,6 +632,9 @@ static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx,
+ {
+ static const OSSL_PARAM known_gettable_ctx_params[] = {
+ OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
++#ifdef FIPS_MODULE
++ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, 0),
++#endif /* defined(FIPS_MODULE) */
+ OSSL_PARAM_END
+ };
+ return known_gettable_ctx_params;
+--
+2.39.2
+
diff --git a/SOURCES/0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch b/SOURCES/0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch
new file mode 100644
index 0000000..a5633d3
--- /dev/null
+++ b/SOURCES/0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch 
@@ -0,0 +1,3154 @@ +From 6aed6931cf50499e778a6d34502f9bf82f5a4c0d Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Wed, 16 Nov 2022 13:53:24 +0100 +Subject: [PATCH] rand: Forbid truncated hashes & SHA-3 in FIPS prov + +Section D.R "Hash Functions Acceptable for Use in the SP 800-90A DRBGs" +of the Implementation Guidance for FIPS 140-3 [1] notes that there is no +efficiency improvement when using truncated hash functions (i.e. SHA-224 +rather than SHA-256 or SHA-384, SHA-512/224, or SHA512/256 rather than +SHA-512). Starting on 2023-05-16, all submissions to NIST's +Cryptographic Module Validation Program shall only use SHA-1, SHA-256, +or SHA-512. + +NIST further notes that the same will apply for the truncated versions +of SHA-3, i.e. SHA3-224 and SHA3-384, and that SHA-3 should currently +not be used. + +Adjust tests to only run Hash-DRBG and HMAC-DRBG tests with truncated +algorithms in the default provider. + +[1]: https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf + +Signed-off-by: Clemens Lang +--- + providers/implementations/rands/drbg_hash.c | 12 + + providers/implementations/rands/drbg_hmac.c | 12 + + test/recipes/30-test_evp_data/evprand.txt | 384 ++++++++++++++++++++ + 3 files changed, 408 insertions(+) + +diff --git a/providers/implementations/rands/drbg_hash.c b/providers/implementations/rands/drbg_hash.c +index 12faa993d0..5f9602cf84 100644 +--- a/providers/implementations/rands/drbg_hash.c ++++ b/providers/implementations/rands/drbg_hash.c +@@ -471,6 +471,18 @@ static int drbg_hash_set_ctx_params(void *vctx, const OSSL_PARAM params[]) + return 0; + } + ++#ifdef FIPS_MODULE ++ if (!EVP_MD_is_a(md, SN_sha1) ++ && !EVP_MD_is_a(md, SN_sha256) ++ && !EVP_MD_is_a(md, SN_sha512)) { ++ ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, ++ "%s is not an acceptable hash function for an SP 800-90A" ++ " DRBG according to FIPS 140-3 IG, section D.R", ++ EVP_MD_get0_name(md)); ++ 
return 0; ++ } ++#endif /* defined(FIPS_MODULE) */ ++ + /* These are taken from SP 800-90 10.1 Table 2 */ + hash->blocklen = EVP_MD_get_size(md); + /* See SP800-57 Part1 Rev4 5.6.1 Table 3 */ +diff --git a/providers/implementations/rands/drbg_hmac.c b/providers/implementations/rands/drbg_hmac.c +index ffeb70f8c3..79ed96a15a 100644 +--- a/providers/implementations/rands/drbg_hmac.c ++++ b/providers/implementations/rands/drbg_hmac.c +@@ -372,6 +372,18 @@ static int drbg_hmac_set_ctx_params(void *vctx, const OSSL_PARAM params[]) + return 0; + } + ++#ifdef FIPS_MODULE ++ if (!EVP_MD_is_a(md, SN_sha1) ++ && !EVP_MD_is_a(md, SN_sha256) ++ && !EVP_MD_is_a(md, SN_sha512)) { ++ ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, ++ "%s is not an acceptable hash function for an SP 800-90A" ++ " DRBG according to FIPS 140-3 IG, section D.R", ++ EVP_MD_get0_name(md)); ++ return 0; ++ } ++#endif /* defined(FIPS_MODULE) */ ++ + if (!ossl_prov_macctx_load_from_params(&hmac->ctx, params, + NULL, NULL, NULL, libctx)) + return 0; +diff --git a/test/recipes/30-test_evp_data/evprand.txt b/test/recipes/30-test_evp_data/evprand.txt +index 8cb70247a0..8a0a2dea15 100644 +--- a/test/recipes/30-test_evp_data/evprand.txt ++++ b/test/recipes/30-test_evp_data/evprand.txt +@@ -7483,6 +7483,7 @@ AdditionalInputA.14 = fc54b5339b37eb6889cfd7c185070bd0 + AdditionalInputB.14 = f6a783d6d42e5ad5abb0a996bddfa04c + Output.14 = 683faa732c4551604c8865b5f777571c7d3cf1a60124c59b91283da0cda9b21761d1c17c81856958c6d590436c73594bb36f46c2f89237d8c7a7ddd2c58394c983f8f6c000d77566f2a1d89bac054bdb + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -7533,6 +7534,7 @@ Entropy.14 = 08a325accfe119fa807a95e8cc2cd8ff041ccad8e2c4cf49 + Nonce.14 = c85baec1c2d1f3f189eecad5 + Output.14 = 
2567712d6fd3b52364b508bb2e4ae18e34b155dbe99fef9acbe21346715d36c538dc380a5e5900e0ebde76c779006fabe2b3f171fa63fa0f5ba264748278549c9beb26db701c8fab7adfdf48eb63e48ca6f3be8f17131c5e9145f5dadb00fe666a651d2b1b9e785fd444b05d4efa8ccc + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -7613,6 +7615,7 @@ AdditionalInputA.14 = ae701404440c584e27266a12318c1793b6a112d96e6a6749 + AdditionalInputB.14 = 53861747c9627e9244679d58e2dc8cfd8a72d1bab611dfd1 + Output.14 = 665481033912ca7d87caa56af2612338768b044953b02b9a50e0244bb805ca007648f71ccf923030e56baa13a88111fe211091a54744aa5d82abe97775878059dedc6272e7c7a5392d1fb443b770ee7f5dd05a3f2bba4cab1cf473d02648d4f8acce91ef167e3ac00c1c9324ca074486 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -7678,6 +7681,7 @@ Nonce.14 = e41f19a969494a2293ad0542 + PersonalisationString.14 = f67bda6553b5e4b89e309cb48a336b78460aff498846c2e9 + Output.14 = 44d544ac910b7668ba9c5524e388957520fdbf11383808a5a8008d119aff7e1e2bbe63b4cbff19455f20f3dc79ab0a83dcf0e403728f2a2b2a9f3b98930d9f285641da3b6b9a9467b2701ce1ecac82bad8214bb618c40999f5023dc2d97dc1a53a0296d44f6fc9d49db00959c89e9f5e + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -7773,6 +7777,7 @@ AdditionalInputA.14 = 6a7418d4ffc40e11859f33189d5a8327042ec268b004ade8 + AdditionalInputB.14 = 97beb8c47434a23efe536287d776edda7ed7cae84c0c7e35 + Output.14 = 1fe94acb5f5cb7e4a8edf5be61673bdc066288538dbd0ac29ce2d43f7b890028e48131e6b3a7cfbb42772b63f2fac8c0472418653ee2ebcdfa5ec08683e7d4a9cb2c67cf7e22c2ddc779c6d9971b29347e6688113294c902a5d62c1fc35595e091cb10e5a895d7c3697056659ae457d1 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -7823,6 +7828,7 @@ Entropy.14 = a71c303bf17e128c8e0aa07fb61ccc1f40fdb487a955fd95 + Nonce.14 = d3ca16fb12ae4709d411e5c5 + Output.14 = 
61a51fe1eca4cf947bbf2a77d643e7963ca2c587e0eacc8f7fab3b3f0e166197a4d15184cec4f0858de2773d8becb339bbb18ab2c10c8b246ca66dce48e2a0938fe1ab122b4930d603b937491ddd3d10abac731957f2e1e030eef33f7f311ed782b06697914145e266d0b967914d638a + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -7903,6 +7909,7 @@ AdditionalInputA.14 = e098f0e076a3f40fd970f5d221944f0040ef4a18d88dbe6c + AdditionalInputB.14 = d7eb01dfd7c13fece92d35133c3be71efba145d7353c6d69 + Output.14 = f03074a219ef31d395451ebc8534e4f2cd2dbfebbd9257507979ecec79a5f76359f2d6b4653b31704ae5a49f884db91ac335ddc6d11768cac7850734e76734b63b71ff12f3f8d42cd404009e7f4b66bc0a639a9354ebd754c17f3cc65704e698d9bc0640919c386e96760f3c36d8789e + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -7968,6 +7975,7 @@ Nonce.14 = 838d1c69d8408cf0134f54e1 + PersonalisationString.14 = f08a964b386eeadc4bbe57164d3b3a0c7c0068c49c9bc5ad + Output.14 = d8af077476875fca2ef9f04013976c3c278d30592361b923bab2f7e3c8af4affac5408c390b4989da254eeb97ccdabf32f5e246739d0e532a6ea317e7dda02bae5051ca97a445f5e0696a041e5f9f2c077b26e575d749cae344859864aa00f262c1c41b2964b78f72f9cb98abce103f9 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -8063,6 +8071,7 @@ AdditionalInputA.14 = fa0823db6808a3de1a7dcc081c01cca840f68b005d473bfe + AdditionalInputB.14 = d3054fa2bdec7c63dc009ecccf25c1116380ac25f82a9085 + Output.14 = 556e90c95c1abcdde027fb2b88cf191f0686830ecf3fbf89de51c9bd735726131472a17f307263d57c03bd5ecd9ceba6cd5759b06594bf901418e2421fcef4b72678614079cdf4d25fa0b74985380552d2bbf478290445066e3f4a40a2e2b0792a685b769ffdb27721b1faa484e9c783 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -8113,6 +8122,7 @@ Entropy.14 = 2a55ddbf673f4e12538e61cd2bfda6f0316277661f553c38 + Nonce.14 = a0c71049f5c75c23cc11c7ca + Output.14 = 
a88e6cc37617929bee1e14f74ee363d1e05fee618fc1eb1f8abaff42c571048032c84ef0ec7a6d8ad7e6c5a4a6e90d714d76643eca063287929032fe75a2b63fb1f83ab36a7fa12a12d7332459bba56b017654bc0fc29beae1897863a63276208f9d11a32780a627135b271efda4f4f0 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -8193,6 +8203,7 @@ AdditionalInputA.14 = 65e70309f7386d1a0aaa53da65263d5263bc5eaff0d5f3d8 + AdditionalInputB.14 = abb8cd0ce0560309d2424d2f3fdce7af085e6c14699b4799 + Output.14 = 8188a498ef9e0fd52a77c3a44f1c7edccf9248590aebc52cb9ba7b5cddffe867b26309f032a78c0ab751741fdd9bd77d4bd17be90dd045f6f8b45826c9900028f68138cf1ca8e18b253b8eb73ae04f2e156d51a792abdc6524e4f45e4ed0b06ab3b0c94bc5e1ed58f917c17f72161d31 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -8258,6 +8269,7 @@ Nonce.14 = 1ffb77244697c3d67a564d06 + PersonalisationString.14 = 62865bf0f5af2146440d74e5ac8787cbedc544de16db24f1 + Output.14 = 1a74f62cc6bb05ff956d1af526926b937a84352830a78c7ecd2ad9c39a796f29f640d188ded8bda0e66ba81c941fed5e82f3c78543d9fca14335459ad9d573362f6b5d69861cb94c0bb055723ba5416b1fe08e74f27f23cdec9db05b50b01a20f0337cafec896f5f7412e1dbe7307e0c + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -8353,6 +8365,7 @@ AdditionalInputA.14 = 1a6853817be281e26796430dc90f014f6fde64cbef16e58d + AdditionalInputB.14 = bdfa703974a758cd4eb00661e0f4663f4e574cc7be6906e9 + Output.14 = 23c9f591ec9abea9f9eb89ab8d705a1e570fd2888772db5d6fc6e418a34e32d78fe49be8d4d8288fa397b57afd49c07b715e276c68a2eb8f3e63f67de21d8ad23fbbdcfa03b201952fae49928ce4da66cb70638398bfdba4db7635c8c726a3cdac22c98ae776e881edd60b69f0b38e4c + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -8403,6 +8416,7 @@ Entropy.14 = 7c8a961f01c1888456ae6042caf338c3ab8b5be28b34d15b + Nonce.14 = 61edc22b49e518eaa9e4e04d + Output.14 = 
9d2eb0a41f7b03ccae8e4e3c61628e6710f5999f3991f04ba90fb3007275d07ff169d325ab26f3446e585c2d454ff8f6cd4a520190afbc06f30ec9b49668b09de45a116b171c210f5f888cf3c273c803044b17a16b06b44bc39344f2b2acb2f21f4b0a7abafec8c8d406d26477db9b7b + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -8483,6 +8497,7 @@ AdditionalInputA.14 = 71b5b9e9b813b5f69e8fa9fa7f588217268581b7d135fd7b + AdditionalInputB.14 = e5b06d8f12539d36c665cf129c1c42e3b7e88edce1650870 + Output.14 = 64595391a02ff750b46418274b8366bbca0e9c52c95bbdfa65882b76395887a018faa276f3fd6c8dbccdb964755e36508897cdac977037d0978f2752d1dc68bde3ba1edc94787c1c8cfe42c2347052da30ba7f1e06b44c10805196e7bb048cf572fda62b4a28fc189702b1e575b008ef + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -8548,6 +8563,7 @@ Nonce.14 = a16783ada78fa029ca3fe31b + PersonalisationString.14 = b20dae78f254b07fe3eeb7c793334f3f432930353fe7f221 + Output.14 = 081803927779c7b2039681db542c965fe48dc3cfde712a361e77da9aaf9f21cf38e18b4e8e5ae5a365910ada327b05630abe87858163713fd8c2988975eca44ee3725370f1c68117e58c2164605524102f22f3ea55f21f7e8fccd9861c59973d71c0aaca574480be6ec8e1fb9a163680 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -9803,6 +9819,7 @@ AdditionalInputA.14 = 228522e58e65d50dfd176e8ff1749faa70fc2c82eda25b0748ddc5d41f + AdditionalInputB.14 = 7af60c47b4cd146a39887c9b812a1dd814d74c398609bbbfb57e73da9caff57a + Output.14 = 9528c88f0aea3fc03bb8a9061e159a06d78a2a654408808aa4d0e73ab1a51e5aa85e8bcae72d34784ff6f513193e183d556ddac5675314f2b5cfe392d1526056afe32d7c03e09ba2bdf3b10e228b0f600a61cccd9e7bf14dccf13b16a838e60909785307e6905d510d9888eaab169fa601558fc952aa8559d270ecd386d7fbd7 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -9853,6 +9870,7 @@ Entropy.14 = c0509068d88167921812103b67e734698d68718ecf42cd99e0f55836c162d450 + Nonce.14 = 71a50d2db258ea35ba69b5716bf68a14 + Output.14 = 
f66c05713ebe804b4273103997d260adbe8a7d0f6b2bb862b867ca59874ab9e0898102664af2a8db24a7ccb4637269ac67d5e834941303acab9076ebfa04cef64f73480afb6808f11e6ab1a9deae514f5db1c90c59ce988cc1d04012640a40173362de2689f88647268c665ca44f57534c9ad9b8316b9cd1d5a14942e94e90607acf6ad37a2398979e56e9c227c1803f90844d6140f10d0baf20dd789d808a647b4df54d2136d967461383dd4db9dc154dd89cd282a2766dd6086bf3825d095c + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -9933,6 +9951,7 @@ AdditionalInputA.14 = 25d2ad9eecd3bb8bb60769942abd16edf0ba777f2541a4b0e80fdd70fc + AdditionalInputB.14 = 608c5789b5a2a6c11c7df095be8c81968c0bdbc6296026ab65195bdc5a297366 + Output.14 = e1c600294a86393b7067b6e77ca83e68d28a6b76f6f81007183be65a50fd2f1adf6eec5a64cc753c5bd0ebc12387bde8c6ec10e6ec7e603f09d4ae624cc5423b5bd53da4f0af064e14a7d176369f1726fdcf6468ee15ffd7db3be48d196601506c71e2f443a768e03ebc35245d254bb87a392508ab07c95bce84ba81058ca1545289c9d8142aa0858c9cd5ba54ee2bb75cebb5b74e0d099ee458752d11ed70122aed1254609a715ddf2720798c9194ae4a7424e2c518ce7a8277ec79da86263a + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -9998,6 +10017,7 @@ Nonce.14 = aadd62dbd7b34bf2021ea74a2788b17b + PersonalisationString.14 = cc3308e380672a955620fba59999ec4fcabf1b7f63089a124cc1f65d58b691e3 + Output.14 = 6c39f49bb51765dbae1de8325e7a6f8f8aec031dbdd94b83d5c4e062848eb4e01e3912784f817ee16f9c2dd0129eacd3f7b8d5bb4cf9a4a2ef823b0505c2ac8e4a1ec30812e98564aebaec14ff710a77c1904ab1fa3fef3c3d09f2d55b047a8db860322fab6d939093385838ec6d11667ca843f69268ba1fb7edc462fcc285adc9b4b97f0f717c28ac1b6f371d90baa86e8728051dfe9b68f15dd31a6da35194253545a5d667df6a1322f6b73ba661c7407608fa42e1b894bd1b6e7641749977 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -10093,6 +10113,7 @@ AdditionalInputA.14 = 0d81d8c5af9885d1b30d2174429bcc6979bdb2b82e6fd3ccdfe93f36fa + AdditionalInputB.14 = 
c63866629ed771e53d2fe2d5c21e98ebde295c3fc3896fb67279427c61a89eb7 + Output.14 = b369b226dd535dbdab45ff8f13735214f9abe6d11463a44804b838d2932112ce6799341505b7b5bab423a3794c37f383b06be1fe21f5c7da97b333a41fb67908dbeeb2450a3581ef71870c964c976f039ee856fa507e9de948c4c097a64070b23cfa09ab7506a8ec4fc38a38ce21fbee3f3c1ef3ab598f5da202f35b90f422af31688402509c38ac25359409d2b61958390d28ca2d8b5dea99ae26c90978f01d7a482c12e134a81de0bf6c9f39e32a8b597ec7b7a05a805ebc7ce260c381f189 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -10143,6 +10164,7 @@ Entropy.14 = 5b50064163ae6238f462461472ad2ac9acc300316e140abd9cd6edb87b8ffa09 + Nonce.14 = 581d145675384210801d9c75d4d19624 + Output.14 = de0ace4f4a728c681a0b326298142fe79cbff2ce5230e6c1ca3e2808692d02e4845867763cb9e93acb983aa54659be6f9baf210048baf7ea4f062bd7e3d9a6d5e7dccf427422b9dd93d392ffc810dfe185bbee253c3208e22a83c9804501321c6cc0357d22859487a3eaba53444f4027843699d5a78214c431ea741bba73bd29550925443cfa5f494372bd0e482e3ab4eace1b60187b6db588c0d252c8da3e0d6dd3e475040817ca2c85b1149d8447a52c111f05d7c14a0f6b7b6ea4f60aed3e + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -10223,6 +10245,7 @@ AdditionalInputA.14 = 80bb70930ef2015949b53d787630f5de93d93f98c577ca4632266e1bb1 + AdditionalInputB.14 = b6afd2c00be2eaed5c1991909e89029db0b04598115fae5118cc215298e0528b + Output.14 = c20bd78d9c396fc8fb408361e1dd4827ed3231617a73cd8848e493927207ea23e6efecd4fae36aff74b5235067543c7eb44c290122f9167a0ec4c6a530ecb0936fd683fbd866b73afb712b2f20ccc981b3f70faec4f4fda62e956c7d04cf578b06259b0f3c044e6dc68baf91e6149efa70b2ad2b81c8e14d1a994887193e53bdb5986a23d0412e989c447689a71b283934e50c25e10bdef0b22ce7368840cf761e32aebc07d7b51da16dad4c332926a4cc9853ac8db36b4b01bb36746a28f527 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -10288,6 +10311,7 @@ Nonce.14 = 3432a2e2263728e375ab973bb5842d40 + PersonalisationString.14 = 
ccfee35071757d5141f55a481b7c44a584c5e537c636d4d0ba10dc3c88adf6a2 + Output.14 = 72a77d1c5dea9d00c349d4e5a9e6dff63ef6cb80b7998ef62e7a1fdc2267057d07fafb993e8df868821c6cf76430f3b7ff24a527f7e41fda6d560a773d05bc003f7e1ed5085f6da3785dd999a4763894455febf7618750bad4e30d8f52f3a072af30d57df5afda08ae7cebdcb659e6cdeaff52b47d4dc571e28315ff0e38538baf436e02d157b64afc6d50e6a4c5842aff1e7573888c6ff9beaf4f91aed988f03032388940c4f54afda05bf55ef6fc8c673f01ab545838574f3bd4f22865cfd6 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -10383,6 +10407,7 @@ AdditionalInputA.14 = 0facad642bc0004f946e3fdd149a4c0e52475c9e832c85b228bff6f2a4 + AdditionalInputB.14 = 19d477a7dd45a0b733e6c301a4fd44ddf65d4fe0a0435b57e319e31de4797427 + Output.14 = 2a48844f6919ed43a2b0b64a1d28707fd3265b418e0673190b49a606358062c1a54a6071c845adc6ad74193d746668f890423ebb971a63cedae3241005432c8f3fa3fe7f98d5912da34dabcfeb17c03ee8881de7b2ef04fa2147b78532eb0ce7d9244d717697138f116341c7b9e99f15728207f6a73c651b8940582f9f926253420a853ae18132093183a6073e3bc85633b75e1c6cec9323ed4142d0c8ca0dd5ab2ff2e6b304ab8cfe4aa98ac64951d836e074169d375ebeae8498f11bd02c05 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -10433,6 +10458,7 @@ Entropy.14 = 3b6dde5f550d482d30eee2288bff802241ef20ec15696e614b7268f7c574eb1f + Nonce.14 = b8d8984703ca7f942951fca97129135a + Output.14 = 36d0cce70eb5aaccf9b172fccf68e01eb8ac8b1f2652cdd238f4b070c8f2d9a128418badb38d5d5fabe28b59d15cd432010716fa6a48071114b2168cd29028386171594291118e54fbf5b61ae3fbbf9a21ebe73a4aba482c7cdc5ea1a4f21a0f1b38812cefff9bae78c2b95f417dc0cda010079b637f825dcba059d154f5a53050db773250013a1f051de9f7882433d2054ef2adf9b7b57c67173c06ad16cac6bdf74a10bcc666f7d4a091a78131c5ed76fb733791278b6ee0f55302c4b122a4 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -10513,6 +10539,7 @@ AdditionalInputA.14 = c6a3bc83220c7708eb7fff5787ecba27e48c894e15302e0ee7f4e5f09b + 
AdditionalInputB.14 = 39b854a1c487e24e1ed58916d8012277fafd6e7b6175c4be43927cfac9958404 + Output.14 = f7d2f39a513f6c4eab993fa440b769ce09a15476e06ceda47969be05f53ec7f8409de284749cdcfac07fe7df66b1b6bd39389401909f3a84538d041e1c038a289869e51bce8bac13a0f786cb091628f0a3a7f7f9a2f620c98889688d46a2a037fbc1b2a4fff40800eaccf98a0bc1452ff1f53f040daa94e17dcd6acef97192c74075d064be5a97205ad97f693257d96c04e78654a694e90b80a5234a25d1c7ceef360d53e768067335097c4aa8f126a31882eff8e55cee05eba4b4325c203f4b + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -10578,6 +10605,7 @@ Nonce.14 = a684932ea2337296cc3d150174a47ce0 + PersonalisationString.14 = b2c0af9038c2ef79ca8263a047bb9293a44ecdb457fb45945996157dcd199cec + Output.14 = 316fbc32ecc1dfa778b13921b1d624f9231c0ecca03e17fde750b1e31e76b1c330ea5bd62ca76150f231ac4aa96b06f845db2d03b65cdaba4c160b288a121eb144058f65a751e22151f91b90131e6756356e7f90d880ce754cf965f439189eb8bedf86c58e1fc2751e65637930c42552fdf81acfa1d4515ad49dc532b2a10b2b11209425ed1cf43c991b4a7c49bf6e701990fddc420608d74c3636829e4683c4e77a8151708d82ef8fb81b3655670fd4d242e357831bc091f30e6d139d5e5ba5 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -10673,6 +10701,7 @@ AdditionalInputA.14 = fa32817ad83c85b594976eafab28fe25c45aa74d0ab4750b33dbfd8836 + AdditionalInputB.14 = 2e5cb3c7c9503e019b3383eb6264d6000160c3c99ee5700e7a92433da1c01f56 + Output.14 = a7571c1afd3d1dc1d3b28dbab54fe3514a0ec74ccf999376a963a3820474cdd67b190551ad5b24f4376633b4964490f79a94059a55b967f8dbe58eb20d70f1fdac91565bd8daf5223abfa13b132a140acd33e36f29fe1b107f62e6c45a679247b80c0aa050f1c2d3195629baef7422b72fb3cfbb82a2e4dd1966b1cc27b8e6df1907fbd6320f25594e1eff912cd9685755473b908e06fd30c4359258be0580e6bb2f986b0450d53fdbfefc3bf06c0d80648800234100af755acec4f809c39f3e + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -10723,6 +10752,7 @@ Entropy.14 = 
1e1cde834393e00a2136b8924be5600c8bf59dc2d8a9eeae467ede71ee7b75af + Nonce.14 = b6035e96adcb7e8f2e17022e2e4f39ad + Output.14 = 9dde9f29034b6e784be24fe600c39b091568afb4c40c8e05b8b7dc36ca74a1bed38ab15643ca8c6da2f5aa4b7a6a5d5c9920cc31129c84e2fc9b865b3f30b698a143189a3f3b692b3e5641499c949e53e3619cb112f42046a18d5d12dfb3c6932a6a829d07deb17b799519b81e961ff293c0b2d24b629fe906166e330135e4ffd00609462f0f9b89a110084945243972486a0e1aedb2eceec02d402696c89abbc950dcaa72d7b0e00ed8e65c3e9eb1af7535de2da728f901650633242b3368c6 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -10803,6 +10833,7 @@ AdditionalInputA.14 = 7112823304b16377182ff9aba920c97ec4d4f23cd472fa9954ded16495 + AdditionalInputB.14 = ba183a035635d9617bd71b59fccd561f1c78a7589c7fb3fedf41dc2e6d5015c9 + Output.14 = 94e577e5c4f66be345c6be7038b02fcfb4070d5bf74f8004b59c279cce961dcf5bfdce2f01e007790cf770587a68d0d24ef0fcd1a148fca6920e707289e58b81fa4a58b5a018a358d336a20daef30b2881844838e51c56f11533b25c77b9c6c6bb2c0657350f011b24db6c60a84232dbcd218a816563737585c1ca6152ff13304ca86dff20f9f9596aaa21448f2c6e620eee58f69338e3b675d29b478f34f0e60dfe7f12f02e6181d19185f7dc945210d86d31e85eae03161e947fec0f0fc91d + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -10868,6 +10899,7 @@ Nonce.14 = 67f50628067bc401648926d7567711cb + PersonalisationString.14 = 5f8cb19e3c86b179ffb8812db791e8bbe6b0caff958715dd9e3368a2d48f65d7 + Output.14 = f178a20d27725759c839e7fabb63bd101c3352f582524ff088ccaf6f0546ecbd3d5165f1e3cacbb49ede115b8f6c8db3aa9720692efda124138d29eac17637b84977384fb88e81289ed5ec960e6e98fdc71d03ef0bbc05ac7682acdc62888b49fdbb442080687f902b5a313ac88d364b13871b20f684cf1acbfa229fa203607a0a37b4e1685d13a508da9f48dcd83f26751a2284044f93e18b2a206a1887d77c4b76e821952b376f19fcf53d83f704e3ec3b5c3cb4c390b213d57dbe4852914b + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -12123,6 +12155,7 @@ AdditionalInputA.14 = 
2cc9f137fcd8c2d526d70093fe11f90a0a36bc9764a4c5609072e181a2 + AdditionalInputB.14 = e40361245b91880e308fb777c28bbfaea5982e45fecb7757bb1c9de2df9dc612 + Output.14 = 66ad048b4d2d003223c64dd9827cc22ed3ec8fcb61209d199619177592e9b89226be30b1930bdd749f30ed09da52abaa2e599afaf91903e7a2b59ffb8fd470e6604485a27c200d375feff621118595a7a3057b7e31eadc0687b1008c3cb2c7435a5704b1a1a6a3487d60fd14793c31486af765ce2ce182de88112445dd5ff11b256cfda07018b95f97edbab4e4c39ca097c42f9dce80cd3f32677f3c224a86b315d02e377dca8f3785e9748ffdbe3fcaa3b0c6bf001b63b57426836358e9b315c6718e0b74fb82b9bf3df700a641ab9411d1b9fba42309a84bef67a14204f3160ed16a5497fe211aa1f5d3ae4b858b6d445f1d094543d0107ce04ef1d1ba33ab + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -12173,6 +12206,7 @@ Entropy.14 = 42623115c0a43edeab391ee8ac84c2b3b1bebba8a6040cd1 + Nonce.14 = b79f5c377be52381210c1c2c + Output.14 = a59dcfa9585b1080cee51ee493fabc22394ccd0949e3a4d4e5b8d60e1137288d20f65e7f1ddc1345869e1af62562d6c11044bb65d11dc0071a04a2cd0eab76718ec9a67d4482acbc82ac27685b98c50064b41e120a35e5ca57ed1bed6963fdd03e26865ddd3217d67cdddbc990c5833c + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -12253,6 +12287,7 @@ AdditionalInputA.14 = 450a2109e7d83a3ab2e628ab35af4dce8ce7205de7c5f365 + AdditionalInputB.14 = 60d0ce5e11413c321535d849da56c3d9bf6222a3d2cf77e9 + Output.14 = 27397574a1ad91ef6f332c954c0d5802cb9c90926ab05c116586995bd795a2f1b4706487da86282e33d0b44dcb7a58c8c4a2874ed4646a1e963b7d26b62e0a5e0a5bb60ec6e07ea6b7b7fe1194c3ca4371736e595707ca7fb56bc924089e66b137c47f9dde74b5de3687aebc2f5c2a39 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -12318,6 +12353,7 @@ Nonce.14 = f2435f70e075f8044d4235cb + PersonalisationString.14 = 80fa0ec5a3a1b46cd639ae19c137239ba8113db33984c593 + Output.14 = 
e547f6d8cd665204f8ebf6d64ecaa23fcc59c1682eab3190bc76ad4981d68810833f1212965def4868883529c0bae4a2345da6a0e6a7e766d16022c6f371db8ad089d9227e3a85168d080c3ff2bdd604e7f8404a16268bd66d70f5fb164cee60f1af97bdb6e1d72059d7028a13ec83f5 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -12413,6 +12449,7 @@ AdditionalInputA.14 = 81356bf7d3122bd65b5d96d2ca68875e1d77b36edb8e92b3 + AdditionalInputB.14 = 1f185d4aeca1d95ba4c8e7867df64296525e00db7da61e88 + Output.14 = 8032e92efc35ace508d8a10f36a6e7110cd0b087cf853409e83dbc554633380e9793b7657a23a931e34347fe0ba34c2abdef6a8505e44da62fee97a9543b9e6dd6538726ec2cc6f6d19382562a4a438a2b0756fa66b48628af292e2f53e49edfae3ccc48a95f24c940a90d1abfdd6d0b + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -12463,6 +12500,7 @@ Entropy.14 = 3879ca720aaebb2a29c99c0aa21d63308b44677f2bbe6056 + Nonce.14 = 2642dd7030605b3608f4513e + Output.14 = b7ddc2d0295a550e44103ffe7e6e1771cd488fa2ea32b091076085284edb870220e02ba6facdf27d8b34209048d0aa4cce4556c074fc7ec2c3691b95aac3f47c3b42bee3c2e35da17b040188d47b7effef8ac471a669f29e6c4b97ff6836cb9fd8954f57309a97e9a697e061010525a1 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -12543,6 +12581,7 @@ AdditionalInputA.14 = 13998df6bfa51c2708775384f01cfe8f4755b6fe4b3c2fd8 + AdditionalInputB.14 = 8d25383b6d04285fb699c644bfc9b7fc72de41c733f35b27 + Output.14 = 3f408ca372917703ecb3449ea55de7a969a5ba184eee8f30fb19b99ae827c66b13f29d4d3a0236aefdaca63c28bb71595d3dc1fc20f1e7ba1b1c9bdb7c2122bd8e443b00b5339508c315ebbfc9bc3c7bebaaf83312325bae696a576b3c92931eef6b4eab6bd90c140295f47994ec6e34 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -12608,6 +12647,7 @@ Nonce.14 = ddb5c0cd2b4b640898c2fd1a + PersonalisationString.14 = a096d62f947314691cfb647cc2f331af834cbcdd5918f099 + Output.14 = 
dc9175fb05854708739c3da005592ada29d408ed6162dd278ee457bd3304e4f7011355da2302df1d0d190ef846cadaccfa5325d3f71c407ab2434d65d815dafa6ca15f7e701a104225a839f2fa9874ad49bbdbee576b1bc71ace28c825095510890861c851bb79e2e2e922c3ac22fcde + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -12703,6 +12743,7 @@ AdditionalInputA.14 = 2bc060710fe3d92760adc274b878de0df82804e840cd098d + AdditionalInputB.14 = de879de9c03efe5a68a12da7a06003ffbbea0a9c53f5e0bb + Output.14 = 4968c67d2f830b591531d620b6c40de4e9a15dc97c70b8b059023033bea376953cc5fb415d823d55d5b02b17c2ac60a1c8ee7473d25e94888fae15c6a7770b75565fe505a117c734d0c7d0386cff907a893da3a83d45f51bec9d95670374524b4f59e45a04c88d1756ed854fa9f65693 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -12753,6 +12794,7 @@ Entropy.14 = 7ce7dd98c93953a8b60d395a68f03b8919931031e8f68bb9 + Nonce.14 = 1c217188f9c7980b8b03b41b + Output.14 = 58884a4316fe8104459bb339a4bac08d95461ad8e58f333eae5ceeecbf2d375e8fbb82eb1d29890ee0c56037bbbac8cd8e202d7ef05ed7126a15064699b9dfd4523782aabc6eaf21f1727d02c1311f5812c4b4294827a75f1cd6e6dcc73ba45ea8fc5f2647dff725f5fd9bc64d7b21ec + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -12833,6 +12875,7 @@ AdditionalInputA.14 = e73890b772747a356ee1527501410eb5cddef015a8d6fbd7 + AdditionalInputB.14 = 9145caf79d0b85bb7874c2dc82d52bcca68225a18de258cb + Output.14 = 4ce4c45336ed4bdf4004f326a049c195c26ff11aadde90d7d035ce277a5b158577a7e9971063ee9c0b5063ab1f20c90f619137c2f4713831d18f2237e1a3d522af9a585e5f43f07d911b8b977f6c644784c9c02238b9fcd0f663c8bc1913f783c200b388b4ecf30246c7120adf3db79b + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -12898,6 +12941,7 @@ Nonce.14 = 2b884a75ff571f92ba1eb965 + PersonalisationString.14 = 273f3885354c0a8296b0862e19157fbad69578ec121cecbb + Output.14 = 
b60362ddfbb4fc41f4f5ef353fc0fd8f31e139876a3af0e69f9049aca46a5989ee3a1ebb6cf14f525c3d8a944f4e88e030e020ef6551289c93f5c6ca2f6bc495cdf49ac91bb86e4766ccbace5f7aba008390d2b6dfd416d63ebfe07f5d583b8f9916ebb54620953d0b73c136de06f520 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -12993,6 +13037,7 @@ AdditionalInputA.14 = 69720682d68b7043c331b889ce6d3d83aa3d33846e9ddc86 + AdditionalInputB.14 = 350c63e7b01ecff4aa171f157c71f89a55637c2cac0253e8 + Output.14 = 63fc9293971bc8dc151bcc2df20e4b5c7604138e4df49fed323c9f1cdeade3d5d1c8bc89e507e5da1f38c1f76d968ee45ba53a3da35e693e00afd683817ee7da5cd2b0a657ac6cf95913c859c6b4a15449fe9045a3af03cc198cf10b2deb67c5c3e9cf9a40b8251de19c6cf3114bfe22 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -13043,6 +13088,7 @@ Entropy.14 = e03af342db03da30e2b0e5b8ed76c2562194417fbf6be645 + Nonce.14 = 6a9a5188dabd510894073f76 + Output.14 = 7963276f1054db251369a0b91d854fabaa3dd5b2343ef4306cf897bf964fc8b885908c4ada163b929a19c948ac89c8480170eb59b9a8d7d2d30ddfd1248e2c1795c69da81fe72d6361d34754f88eeffca2c31859bc8940d6662abe2622fdfcc28a1764355aaf46a2e00e50606af2b6be + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -13123,6 +13169,7 @@ AdditionalInputA.14 = 9b6c491387a2394b94bfa8b077cd43bac49117e94afb9616 + AdditionalInputB.14 = 7c04bea824d8aa7b19facfeb3a676eb51c31d7b92f0ca1ac + Output.14 = 332b884c8edcb260c535a218001d421e190d8b9c6b856fbc5a4ab45f92149487f8563138312a42487969370440675f5bc9b21a75d2a8386867fdf861c8650e26af47c5efd81d9fc39cbcd44ab0f4cb10325fed6f5b7ce5d8111ff71e5d78c7d1f53410e5ba492b9f68ca55325ea8b318 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -13188,6 +13235,7 @@ Nonce.14 = 9dcc6c4317ff492d0d7dec5b + PersonalisationString.14 = 7d30c5a4aa169c6dce156a8eaf000f9be0f8681e3282dbae + Output.14 = 
550a9ad9e45ba359d463c1e084777bfb2ee25ff791070a87f01adc04cd1a7e9e6ef334e477fb5cadd82381e0add8a39ffc222150f17b8bb0d3b1cd80948c0a5ee09a84ccfff6c9ac33e6831d1a84182edac6bcc25fe357a708f78db9a88daf553914cdf0bc7a9b0527597f73707fec8e + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -13283,6 +13331,7 @@ AdditionalInputA.14 = 1b8725447ec539ea4a13c47b323f1d6f435ba7e624dcf5af + AdditionalInputB.14 = 86d30af40a7a395764b8b69f2656954c7c3f1c30b2b703b0 + Output.14 = 2fb2f24b2c38f217232dc22ecc7380b8240b05d2c7bc0e3dfdad268c8c10912a92595d70dd98e7ecdbdc6d7bce6c72cdebd7e121d75de8b6795b660be9096a1f24a97e9c5344c35f04451dbd8d9808c7a84c6fbafab6d060026490d492060f052fbf21a3bfa2a8e4a40db58672ca52ce + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -13333,6 +13382,7 @@ Entropy.14 = 9021c403eada5eac222dc48e1437b6de48ca31b9e7e76fc5f60653a3d901308a + Nonce.14 = 503b4bbc0ca538983285857a573f6166 + Output.14 = bca7456257568a178877bca602d331161828a4ed0758d1ec3febcc21717cc4142e5481dc9756c56099cb043130345689156cb96e1664ad007c461ef8b5b0fa7d18508541f528a43fe8c719f3a269ff2821ca655980579dfc2c794da673b8c9234d561b833855efc91b4747ea5135a1a05017543f5780f2cde8b472787173ec50 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -13413,6 +13463,7 @@ AdditionalInputA.14 = 439ba9ee252edb11b09fd765266b220077ab641cd7ed42b7cedc96b399 + AdditionalInputB.14 = 18e1dab1f2af82b8912be6791b003d7b0d66ce76a78cc17b753055b7b48cd2e9 + Output.14 = 5af9e042af202c9584bb69cb54738c0352ef2c9b9483d6fc8efd525ca38e62f535f2ed5658770e8cc5d53d9f1964b8a55d871c78250851491441c924701a52175410f52b162ebfe3991a72472d8842248402a666d726ea71437fc4a521543a323d501a6942ec4b7fb77ce462face53a2ab9b1b9fcccfe2346adf36027c48293e + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -13478,6 +13529,7 @@ Nonce.14 = ef68efad369ca5fe791ad438cf9dbbd2 + PersonalisationString.14 = 
012ff5b08fe14fad65ebad5f15d74fd72d8577115e5e91262043e85a13a3043b + Output.14 = 1779c05411254dc5ff714eb56332cdf9a378a160bf0a20ca2da9e4c3b4e3c425d2f08dc969bd4924560c8caf9686b27720307af8246e6cef20fcbc00cb1f137b6efe9902f9944c1384bf917675a52b7b816795327afc4896182a78d4664b98196f89c466d5fe1e2a54122035863c8bd61461b2ef9e7b469492ff63364b013dfb + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -13573,6 +13625,7 @@ AdditionalInputA.14 = 77d998ddfd7ab7577ca9f51d6cfbec955aaf9f88cbb3ae32db7f7c4609 + AdditionalInputB.14 = 9ebaa09e7057ad7cfbf02e8f3143ef7b7c1dd6158f641815ecdf8e4a65c17f19 + Output.14 = 161efdc30cdd124d4d6b3d43798dd79bac70f494c3ebaca111cfa3d9343bdb73ac0def00776486584f932cab74ee12a391cbf4890b10044f7de6c73f973e43837a43b7c47a1a9a36d7e62f9b7ce40064994a610b92d68c6d37aa5d9d92c3d858770ffb8fbd87324b49101bade3f2014bcae7deffc1e4f6a1a91ddfe7e6aa33cd + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -13623,6 +13676,7 @@ Entropy.14 = 0653c409e957302f6eb62bbc4f42b30942ff7860e7c38dfb2fd26b164e83a713 + Nonce.14 = 273f7eab3dc9bf11216d5216bd12478d + Output.14 = 51dfe9851da8d7d5add3dae413d8bab8bc7d1fcecea00795ffadce047d5243ae36f29f3611fb8cb66e98717a98735384aa6a310696356cb48f4672b2ddccf86eb44777c1616338792629b6cc6ec2b66dbacc1a6b66bd9364914f1f43277f6f43e13145fcdb73a4aca6b784f9084d22c967033651da610e9a85b1eb7513683dc9 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -13703,6 +13757,7 @@ AdditionalInputA.14 = ca73cf447f2fc3984a9de0290fd9a984a8460ac715cddd9e8ed99aafd6 + AdditionalInputB.14 = 21dd9cb8e146954a9745fabe039f6f52ba8200f575e9bbe19c703b8864f34e93 + Output.14 = f1b153ae274a380c28668f1ee2c8c3a91f5380d41bd611d974e4e419a37debe664d0b706722184fd3e805f2ff05554bde7219023d1f62a52970aedf4d77e7b4604cac2a804e7b9353c087752f7f185991b10910724d0fd06dc6526d6102c8d0ee8c32f6692c2786d3b715bf3860539689e3f415855ddc37bbb6750972f3a45ca + ++Availablein = default 
+ RAND = HASH-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -13768,6 +13823,7 @@ Nonce.14 = 10818cc50b58ccb660d65ff705041a37 + PersonalisationString.14 = 2756a89e79266d6d86bbd865708321f529b023d0cb5ee5d9888c37db33dd5164 + Output.14 = 7b3d778ee1623b08875305d5761ce2cf44ef1bab87c7d0f29c862c40d3da31240e7450d827909b6b131a9b0e9ad68d5c02caebf4f3b0b7d7ac1cc58e353ba68e7ac9eefc3de1310cf9bf5f4b854ef3fc36e940d4fc50072845a83c38a7d4372c191b900d11d11a907a50607c348951ccfeba4efc30377e4a965056e4e84eeb02 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -13863,6 +13919,7 @@ AdditionalInputA.14 = 764b81871036cf65802c4e9659e25b8039be84bad1b121b536d2ffc269 + AdditionalInputB.14 = 28d46df3c254e5cc199e14b45bb1e2f85a5da03f49dd76b5a16b76723d5b9855 + Output.14 = 94e1fa76f879eb9840cd50853565f43cd7b0545705bd9a35494668bef7d7e7085b48a455b38fcf10f145f28a599c58e2f88c2855f2437a17d7333d243a1c25b76bebc6a94f7abc3fabe4c78041d9b3eaf675c11970b14cfc6ff20c8b23852b2733ef8d8416a920617a9b271beeabdb0462e5d23fd68b56f58e3554e81493c5a5 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -13913,6 +13970,7 @@ Entropy.14 = 3bb1f6cabc56a02643eb767cc6e5bb3a5bd765555e4e27159ec905012f58de22 + Nonce.14 = cc37cc9b20a2e4de0bdf8ccc3261eb90 + Output.14 = 28f20b9a94340aaa6ca98174b5929ce3329d81bebd67faf5e30d12f775748c34c848bcda26cac8b4a9b34c7c92c9984a6f5a85269583358e985c2b372a887f9e3f0f3920dd512def27d818522ed1a49e96d00a5aeb41bafd152144a8b6f93426e73d6e8ef7a8a5381bc464b24061080af02aac51fdc52f404e1349b7d04daef8 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -13993,6 +14051,7 @@ AdditionalInputA.14 = 2be009fb81ff22c5c2e15c988cdac8f21a6f17a4277fb1df773bbbcc39 + AdditionalInputB.14 = 0c869f061049dbaea48af93272c5b321977659a79f8bf0a5c6d68b982ef44b88 + Output.14 = 
cd9e8213591ed7e30743ba0dbae5f08a4021845d961040c5188093d518c3135048ea8ff052fd66fa83bf98c06d39c6cb522dbc938b6824f51488197159666369e7a9444e04b7ce5832bd6db1b3cebf8c0f7bf865bfc3cf60d2a2c0ef06abf7737590fba097c29fed234369cf9f064b142ca30e3941093904945021372c20d90e + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -14058,6 +14117,7 @@ Nonce.14 = 704e8e29c7aac1d8cbe97bd7305f8cb3 + PersonalisationString.14 = 631c5d0240b8d9800211ee6c97a5ae77405a354ac25705f22d405e17a52109cb + Output.14 = 9ee855e661d4293fdd7353492c711b39625ead90849ae5808b1f67c55cabe17ae13f0f18c0954341d6a2d24b899785642c0b29bb1b81fe098a17f8701e8820cacf6c00a8dab2e96e7f8593e188aae48385ede7bb5ed5ffa3f19053663383d666d38eea377d121e0b55ee58ee8fbf1e49c42a4d3d48fb0c9247c6b94c6539f4cf + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -14153,6 +14213,7 @@ AdditionalInputA.14 = cf6884bb4cf7c08ea954cc2d2389eaaaaaa3bf9ab1dd74372c20bb3e12 + AdditionalInputB.14 = 2b30cc597b280e704632ed1cd2bbbbba7a9953deaa809848eb937b6b1a44b91f + Output.14 = 4de8e3c529bda0753a9ba237633be4c844308c233d6e58995c339cc006c7d4789b5f1a6314637b9749621fae3982c5a748d58c080e12118d4442bb55732da53daeca71d3d033b10a2a807848babb822a346524b4a41e9d85941730b21c0e80a9871c9d9aab0e6d0269258b57fcbf7d703794bd2e5f3d7b3da9d3cf2dc2073653 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -14203,6 +14264,7 @@ Entropy.14 = 043872fa9f0c4d97e2c6824b778a4fb0debae214d3358a5aa01c0092c9dab6a1 + Nonce.14 = 0fc8d529a37083c2efe84aba8c8abbc0 + Output.14 = 22e8eb6b4d11657a66cba93f89b519bcce87a9bfa5ee22cd3cfef6180cb8ca842e8d408257b8140fabbf1dd65085ae62fb8b1d2a679dc0bb0a82ecd3b8bbc05782a20a6345554a1f5467e9811e0fce41a786c805ce2882f8b4d972b9a37eedbf828a381d34bab95efc47233846f8b5c701563033253323eda41effad5fe37d3a + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -14283,6 +14345,7 @@ 
AdditionalInputA.14 = 585a4b6736338ba663522b438ab9255782c39b36e6b253186e821ae969 + AdditionalInputB.14 = 2581ca0314c9a224b09c0c2e677e1df1c215cae0760d3ba03d1053156e9c3155 + Output.14 = e244109b937e9a71caa70d627ec8280210c86676b4ea842c6a4569e5da0b25c1ab3794ade3344e2185641c77df4d3011962e8312aa7c2013e4373204d861e27e88ede82873d5d45ae5700ddf0ae7d523e96df236a249ffc6e009e231b77d64f07f395e57b19a4d2961a6046c910d0b8ac3d882129ec3e337be4cf2d9ef041a8f + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -14348,6 +14411,7 @@ Nonce.14 = b2328815495d926dc8ff075d5834bc20 + PersonalisationString.14 = 4c539b94823c6c7883b071ac395203bfb5117b6f9d5db7cf4063132e6a2a3cb8 + Output.14 = 4f6035946d4305290485c7aea10bbceb99b841770dbf5529e31ad51b0ce138344ac0b193a5074234adab8887a51d9448a2cc637a543372ed93885975b8de342c6a12a1ca8f3d053ced1dd2c7d6a3fabf6ea7860071c035f0fd54ee5775ae3a5d457d4af9e034ed337d79e9fd52c2ad051388dda50aa78d37403f33d52d30f6be + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -15605,6 +15669,7 @@ AdditionalInputA.14 = c9a1481cd25c537ba57750d594afd25f + AdditionalInputB.14 = 51e29804f9d079f3074ec398320b2a70 + Output.14 = cb3cd4510de88f8081d8989c2679f76387b7d2cda286b75d659a3ab7c3b2ac77ea00366e7531c1c9f4f8e60c845c5d2a5e05fc999621d011deac3f28cb447a37c2ee815f7f5be3a571d153475d6497a3 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -15655,6 +15720,7 @@ Entropy.14 = 71acb71235e88e3aa6d8bbf27ccef8ef28043ebe8663f7bc + Nonce.14 = f49cb642b3d915cf03b90e65 + Output.14 = 144aeb56a11cb648b5ec7d40c2816e368426690db55b559f5633f856b79efe5f784944144756825b8fd7bf98beb758efe2ac1f650d54fc436a4bcd7dfaf3a66c192a7629eea8a357eef24b117a6e7d578797980eaefcf9a961452c4c1315119ca960ad08764fe76e2462ae1a191baeca + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -15735,6 +15801,7 @@ AdditionalInputA.14 = 
03015311cddd0961ec7a74cb84d835c058a69b964f18a1c1 + AdditionalInputB.14 = 5e0d99e0e7c57769a43ea771c467fb5e2df6d06dae035fd6 + Output.14 = 72e8ca7666e440ac6a84ab6f7be7e00a536d77315b119b49e5544bf3ead564bd06740f09f6e20564542e0d597ac15a43b5fb5a0239a3362bc3a9efe1ce358ddd9d4f30b72e12ed9d78340c66b194beb4b12e973213931b9cfd0ccbdf540d2c36ce074e2beac7a4ddac59e06e4c7178d3 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -15800,6 +15867,7 @@ Nonce.14 = e8c5220ae48b0ca1412e9c74 + PersonalisationString.14 = a0a1d6d3887f7ff9f13c85d6ae5af2c840fd85989b7e50b3 + Output.14 = 14f629aee43f71b61d467ccc37de8eb6110ccdc65fff57ddd2e66707bb768e5de5df5467ccd55002815d306adc7b7d6b5d87c20d2922bf5fd3790282608457b69720be7d7affcdfecd173a741c7fc99f5f30f981b1bc102977a61f1515b923ba53cd87a37faaac12e0af613ba0972a0c + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -15895,6 +15963,7 @@ AdditionalInputA.14 = 875e5bc9548917a82b6dc95200d92bf4218dba7ab316a5fe + AdditionalInputB.14 = 4d3f5678b00d47bb9d0936486de60407eaf1282fda99f595 + Output.14 = 90969961ef9283b9e600aead7985455e692db817165189665f498f219b1e5f277e586b237851305d5205548b565faeb02bb7b5f477c80ba94b0563e24d9309d2957a675848140f5601f698459db5899b20dda68f000ccb18dcd39dfae49955b8478fd50bb59d772045beb338622efa5a + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -15945,6 +16014,7 @@ Entropy.14 = 30efbec33ef98a928e9441af3caabb34cdad892669e88130 + Nonce.14 = f77b7e0fcca6f8733e0bb0cc + Output.14 = 85f5368cb9f44474af6c4a159477c5cdd05eb0c0a37847bbb07e9a9c8f633ef2c3727d017f1bbfa89dba056062202f5824b3a493ab53a2a5fcf796d944577f1393d35f2a284453b2cbd8eaf35b9bae7b87c156cdf9cd0a2fc94ddb0d4842e3ab4b6c97089cac0e32bdeb32dd8233fd6e + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -16025,6 +16095,7 @@ AdditionalInputA.14 = 5c15fa9dc77d6fec5f7a4a3e4a315c05de2b5e46efe54934 + AdditionalInputB.14 = 
fb65ede490ee01a1c100ad5e23a20f91b45adf1ddc15c590 + Output.14 = 98cb3191831dc79334e8e37d5246600f822aaa40964b91f345b9df90929db1b7bdea96dae9aeb88d05fade5ae6c29aa8eeec7fdc96e654c5ea41ea01e3104ca4d287bb03005feab0bd1f85e556bb6bc46a2227b14fd94f9e6cfd0341cfce951851feb967968d6cc818f364345b715bbf + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -16090,6 +16161,7 @@ Nonce.14 = 46f8ee037b927ec766de0aba + PersonalisationString.14 = e6299e0eb5826e498d873ac02892f01e02f6632101fcc090 + Output.14 = d86bfd8f9d80eda3bd43850ea6edab2ba4f69ac8eea623fd6bbd5c0c920620f8cc136b0170f0310a156271981a9cf7629e1b8f0759de1e99e20a0930ce3bb7dd2d88bc9172a56108cdd736dc529a6b99862bed7d543bdceeebf450020762652d520105f5c5cc3c9a6ebb64af2a7e82b0 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -16185,6 +16257,7 @@ AdditionalInputA.14 = 82f895626afb606f335f5f050f0fdf3b45275e0b451774f2 + AdditionalInputB.14 = d423d43240cb6461402a7755f247573f24fab496e00b2e5d + Output.14 = b32c753900d4a0a0650d35d0fc918b3aa5f253d4381598ed475147f32c8b002bc08678e45bed1b9b519cb9729972886f85e581c75d3c2c9fd6ced929be29aa3befcd1d3fabefec590ca55612c1a0409446a01398d0e4775a548d118a32f29b0dc29530329d2a7656e5d3ef66db2b9726 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -16235,6 +16308,7 @@ Entropy.14 = c617061099a17392c3092d27728b35e59eb45814e9df9fa5 + Nonce.14 = e1634c0d96cf91c53b063450 + Output.14 = f08234ed8621f1f551cf49ea60140313a71341f6886c484a06e74e64aba6f8ffc2cf1edd34cd93e836ab033fb0893e52e01da9b3104fe49584a45447c136222b1c1f1d3cf406a80ed9d782d2ae277790eefc5c06f954e654f7f283ddea79d2160cca1f63d0ad00eae9e882de34ba4083 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -16315,6 +16389,7 @@ AdditionalInputA.14 = 857ce19dd6e8a45be185875f1a98911062045553e8d28ac2 + AdditionalInputB.14 = b5f1998f0fa38145edb86ae4d569ef4dc2e0aac0a815d3b1 + Output.14 = 
8f0d978b24bae2a0665beaddfa61e8896ed7976432bc4f7c444699e30b8da1ecbab8990bab9d0d72ef6f6b0b27ede12dc171a43a14092d57e3999cee71b1356da5f29b17fec227ca2a4887bd990fa33e1e01c8a9f900ffbeb300cc5ce9d7d2e25a44fafc07e34acd61d425e0d36fb0f4 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -16380,6 +16455,7 @@ Nonce.14 = fc382061e29c4047c6f05dde + PersonalisationString.14 = 9b2eaa4c2a229cd2bc5de218aff95f6e5fbc7ef150bdb50a + Output.14 = ad49119d6b4f25ba34050920fc503d3d0d331ac2535d916a58d781317fcc2b1117618e9105ce192651ea9e19fa6756975d207c662f2b464416d849cb67b9af52abeb84f80863943af99c7916e78317a091ba90714ec8620f661b41d648c15c06e822329cd7f145446c5c3630a4243281 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -16475,6 +16551,7 @@ AdditionalInputA.14 = c9aac7bd9f15385facc344dedcfa754bc9f4f30277a3555a + AdditionalInputB.14 = 42de701acf5622b30e7672bf7115043a9912c1758c1b316f + Output.14 = 972ccd5aa60966bac39aa9c891c7c513244efbfe3446fde6806cee991851f1e4b3d4a4a0c04b57242deb4f53d27040879562fc5b32621b46a642f3c84063c5195faf9b78ed92145821ae554d58325b03d60e11461adaa8ac87876559e1cbe47f7b5c33a8311294b0e54a44c97d4d2c9d + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -16525,6 +16602,7 @@ Entropy.14 = 47f141d1d0142d53c10628d2d1dd77aafc11ffe45f29b126 + Nonce.14 = a1e958e036afd40059ce9639 + Output.14 = 2096935329ffd975154c38a2c22e30ef12b7acbacd39868032d6eb31a596e617fc7e05026b3dae231f256ea94dd4ea4f05734eaa7916be6f846b0304ff0de389f3390e51641103e7dedee99e56d9455c80a7e10edfd2147a50b3864b05443a1646fccde2197af1d1d72ae3c2d4594218 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -16605,6 +16683,7 @@ AdditionalInputA.14 = 49a758a4e0a8ce69aa2e5f9b7940c6fbcbfc4fdc91165e4d + AdditionalInputB.14 = 9c8ebc02c3d92d33112a15747b6367b8d6db3447cb9be2af + Output.14 = 
70cf10825dab6c1abcc1532a1b2bccd96f0638d02eedb40a7ebf97093f5d0295b6bc74d9e48290ab39260d684effcb401427a4ca62b971e5a31f06c14a9f8e3851c3e79dfe129ecf8a8e185ee58667e2b692474a0d5f0a39f9d794adf1cd71c1266563dde24dc944661acbf849fe69fa + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -16670,6 +16749,7 @@ Nonce.14 = 82dfae196513724ae269204e + PersonalisationString.14 = 6e01d897ae919812b8408f82edffcfed8db6df2e2cbebd95 + Output.14 = 6e9bebf2e54d8da4e8ede97ce463239245ff1b021acf4441312ddba96d1f3d750bf2b9583a8aee76e2ee36a56d8e2fd4e11377d15ba3ad0876fd467c375a744240de0a7b38974e0e7b27c3917ce4e22f2bc78861f6f8b1fb42edbb1b0cb869fe5169527064cf2f38c0154082af5457bd + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -17925,6 +18005,7 @@ AdditionalInputA.14 = 9ba9285889d50c27bdeb4a830a5b3120931a53980b30643557444718cb + AdditionalInputB.14 = 0f8716df331067b8ccf0e5b90ff79dd0f962acc69fc5f89c593bbb84e3501ae2 + Output.14 = 9d2c0053a0fd3f9be1fe33db214f6f2d54aca573e0642bd269f1b1ca23c42a1e85c73449830673cca14feab4d2686814edbd90c325e0fbcd5a2d7ca75334dbb113a13a0bb4e838f6724c74dddfca8c2bfb903c362d3ea82acd60d01749f6dc01fcd6708009a58ee9cc57a0d089095efae66aaea68ac247cf6aa8808d1038a109 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -17975,6 +18056,7 @@ Entropy.14 = fd54cf77ed35022a3fd0dec88e58a207c8c069250066481388f12841d38ad985 + Nonce.14 = 91f9c02a1d205cdbcdf4d93054fde5f5 + Output.14 = f6d5bf594f44a1c7c9954ae498fe993f67f4e67ef4e349509719b7fd597311f2c123889203d90f147a242cfa863c691dc74cfe7027de25860c67d8ecd06bcd22dfec34f6b6c838e5aab34d89624378fb5598b9f30add2e10bdc439dcb1535878cec90a7cf7251675ccfb9ee37932b1a07cd9b523c07eff45a5e14d888be830c5ab06dcd5032278bf9627ff20dbec322e84038bac3b46229425e954283c4e061383ffe9b0558c59b1ece2a167a4ee27dd59afeeb16b38fbdb3c415f34b1c83a75 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -18055,6 
+18137,7 @@ AdditionalInputA.14 = 809639f48ebf6756a530e1b6aad2036082b07b13ed3c13e80dc2b6ea56 + AdditionalInputB.14 = 3395902e0004e584123bb6926f89954a5d03cc13c3c3e3b70fd0cbe975c339a7 + Output.14 = 4a5a29bf725c8240ae6558641a6b8f2e584db031ef158124c4d1041fe56988fdaee91ca13925fee6d5e5748b26cc0275d45ef35abb56ad12e65aa6fe1d28a198f5aa7938fca4794c1a35f9a60a37c7360baf860efd20398c72a36b3c4805c67a185e2f099f034b80d04008c54d6a6e7ec727b1cace12e0119c171a02515ab18ea3d0a3463622dd88027b40567be96e5c301469b47d83f5a2056d1dc9341e0de101d6d5f1b78c61cc4a6bfd6f9184ebde7a97ccf53d393f26fd2afcae5ebedb7e + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -18120,6 +18203,7 @@ Nonce.14 = afafaf2ad7e6449308e176be01edbc59 + PersonalisationString.14 = ddb4ced192f52bdfa17aa82391f57142ac50e77f428fa191e298c23899611aad + Output.14 = b978826b890ce8a264bf1ad1c486aaf5a80aa407428c0201dd047fa1b26e9ea9ff25a9149215b04c2f32b65e007e0059a8efe11481926925061c748678835c0066f596352123f0b883e0c6ab027da2486244da5e6033953af9e41eec02f15bebdb4e1215d964905e67c9e3945ec8177b8c4869efc70a165719b8e1f153c41744d44d3c56a15822d522e69bd277c0c0435fa93e5e1bc49bc9d02aee058a01a04580a6cad821e9f85cf764fc70dfae494cbfa924eab0eff7842e3541bc29156f6b + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -18215,6 +18299,7 @@ AdditionalInputA.14 = 9574ca51f21865c2fb0efc75cc9d90ec5e9c43104979cd64d00ea5544e + AdditionalInputB.14 = c0df840a18d7584b62c70b2f057bf824168edb673cb517cd9dac89a0fc80c9b4 + Output.14 = b31e50202f883a8563cf129a0d5f8a33abad79d8ec8a97167ed7fca778e5892480617cdf50b5e51547f7ec1bede35020a311572c61e33e9c82968e8f69586daea3dc19063bea56503f8ca482918d229949acd6f1c52cccdc5f7f4cd43602a72a5375f3aabfd2834ee0494823beada2daeccbed8d46984d1756fe2207ca92186b506115f6de7d840c0b3b658e4d422dbf07210f620c71545f74cdf39ff82de2b0b6b53fbfa0cf58014038184d34fc9617b71ccd22031b27a8fc5c7b338eeaf0fc + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-384 + 
PredictionResistance = 0 +@@ -18265,6 +18350,7 @@ Entropy.14 = 5f28c73baaabbc09e8260df3b3577c21f2f02be057bf49d2e73098ed5ff67f89 + Nonce.14 = 8c2f85b546903d8d4c10fe4549c3f673 + Output.14 = 1563c678f1b072813888970996af33c2a6b70b8dfd2e146c46df0616509382062fc9c72d223ebd555f4d8892aafd7b3b61619559fe3d3e7b5e83c07f422eeac912ca7d8858a2d25b966a8b34348b8ebcf44a4651edb9cf5a886e383b01423322ab3002edc8c936aef869d7638f38ca6688c308d2a17fea0ded21901d8e9f1ff8508762cb1dc7e700970938a0ece74c1c2d1801230ea785165d62a7ab0d6d59caf36b30be8e2e1f691210373b7a2866e32ba4b49b6a2f9cc9b80aa1340ef5c76f + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -18345,6 +18431,7 @@ AdditionalInputA.14 = b5d9cb4b3709adf297462f1aa8875c9f84bc39e323b8fe1c0df269344e + AdditionalInputB.14 = 5e47728cc468e0d2c6b6a90a20f83a9f0565716af54844552988f1d8c3a83eb7 + Output.14 = 548c3496135ecfa1119098ea2d862d421af024a844c37a02142e2545e4ff1038f4b73c7f6b7d0fba8f92f292cf5ca8fd57dbe7ce129423e0ddeb1dffe89252dd6b50495c88f350bb77e08c8be409064f7e9cb751aeb779eae30b7c471dc41365f128d22474a7e90a9953e948642001f8e6ba8f91d250d8b4c6407892cd96b12e5d94e4d7608e6c11604357436c8d1cc07a21aeb58d396f413a31f72af1ac06864ba68c04e0c25971c1315f5a8c5c04fe252105fc822452d0cf66f86af13d613e + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -18410,6 +18497,7 @@ Nonce.14 = d28f752f6e466e3fd9595fd380fa14b6 + PersonalisationString.14 = 232727310fdaac541b182497e5240dc2623a36b4efa7a912ab3ffaf9939c2336 + Output.14 = 3bc26201261930bf3dc164d25287e41efb47c07c8c5c0adf3e86613435df202116331cfccd4e07c9ef008c62d4199d937221a17dc97be2043270ecc605d3d48c609cbce3aecba3557dddb304f440250b2c9fd78838483e2d5a2b22015b97869b891f9e42afe21df5fbb8dfc9061468c70c63a14b6dcad9ccdeced41d021dc0ff47821415e8793d34377258d9d6629b9e396b9d6b8bb7fc22e03ecfd4890d16912001cb7ed002e33a595052ddf7b991c5607ab93c220b2122783d51a8372a223d + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-384 + PredictionResistance = 
0 +@@ -18505,6 +18593,7 @@ AdditionalInputA.14 = 50ceb01860d60ed119f101d5c573b5db00402dbb03885a09e8d326156f + AdditionalInputB.14 = 01e09092bc892916c29f7b515823f244d147d4b16976cebd6a76a37ef6e62998 + Output.14 = 6f1379c44d8131924c9a78286e80ebb34604ad78b531e795cc30c4f0aee422e4052f201ba226bc0c2aa3ec341fcbb5a87e24b91c36be7dda62addba6960df1289372e9677ce030555a9bd1691f559b8ff787dafa35cff5dfd66a2abd83f81552a82ba6ca7d21c438483e60fd77f93bc109f5be802035412c2af2873f5cb186b77dc055c0e0b27b16b1ef37de0b81fe63c4074a7cc8c3d27f71a992b5468351ef8b84a7b3e8f12458ff670d1381d879feeb1cd3b93436580c86bc2c33f27448d4 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -18555,6 +18644,7 @@ Entropy.14 = 57050c5fe58b2a2a0eba0d3b9c08a9b285e1180d2a297e0a9ad20740c6fa9f00 + Nonce.14 = fc309209936c569a1367d45b212a9a50 + Output.14 = 288668476b39814edbce5ed91951cec398ba2dc3bad76048df5fb1a2a680519c217ec4d57adc0251e1f8892a866b142e0953353bc2dd207aa2703f81814d26a60daedfe94d97de6043ed5f3bd957b7516681827f7a36d1b2a87b692c67aba050bc38b5e84f65f07d70cc34549f01aa390c5fc8dd01304fee7378e62549738e3f710ee6a4e32db3f472e1c2ef1e803e57a8ea992f389f0823c922bcea8b00ab844e071579170baae90839ffd5e00844ec343b02db090847cd323f8a68f0dce64e + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -18635,6 +18725,7 @@ AdditionalInputA.14 = a633f5f05ed8b09b70683a9f9a8e998ebf843b68a039dc3aa40cf30a5f + AdditionalInputB.14 = 9a57c6be8c1d992bcbd599952bd94a755d7ad686698991d189afd11cb88b9f53 + Output.14 = ae0fd8a1bf6f2f53f9e81ecf6f40ff6a36fef58a3f157b6a435403e48da4e88cab7871bfe2233b92afd228bfe3117d7cff0798225a901663d51f0491109b9c631dd6d32c5bec2da321b8e64ebaced87a27f17f67082df944fa94acc6c557fa6816001642e38b7d776c631212b782f71aed6db760f90e0de8e81baaf4d419170362932e6c319dab948749b331aae41b4cb3267da37c9233c36d65d5482c8940387498453b226af485a37ea16bd9e4f938618f70aec97e8c1430a8d8b6aae396e9 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-384 + 
PredictionResistance = 0 +@@ -18700,6 +18791,7 @@ Nonce.14 = e1609138b91637917ec170fa3c3fb278 + PersonalisationString.14 = 230db2e57b87e910cbab26fbac7fa93a65c07c1ec004c74637e346c2db63288f + Output.14 = fa58f2e96776b4aa079dbfb49d81d8abfcc30d459caeb45dec4f1766fdc3b234d52cdc5337ea770e71a28cc42c82cbefce896d1fecea5a5290300208aa79b5ff97d2091498d749b66a9e5b2da7b774567ae9f83b87a8417b1bd089935e575b16618ffe8ec04b91fc9315968dc395fa2bb8776133d3ede95aa89ae675881b26ca831fa5fe6cba800d2fed1d509353e8cba6f007cf3c5e0b9424cc034e1c817d5f7326764f5ed1d17ddf8900977a0172dfab50bf4819a67e4c1af4704f59eda3bc + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -18795,6 +18887,7 @@ AdditionalInputA.14 = 32f618446311f03a0038dae07e85e19006a55b69501d764c241f683be5 + AdditionalInputB.14 = d64a97650e2f25362fd711c7abb5635672e16a02a1dd5ed8a181762e86f4f5be + Output.14 = 54ee53e6d18e974913ec235a37a706868f217af33b25e8e5369d90071be1d01035ca331b8514f3d6186a9ec62b1e7808b7fa22859eea21e4b8113ef770772561eff7f8b6ac22125d002f6ba9f53b235f7d85dd5b601787201ee1423de5d971b2e758b3955a048b50f118c01122a8e657f69a63843bea00a46c4fc2ebbae36adaebfe3e6c9b1c82e498d3fe48d332ac1bf31ab4c80830086c8ee4b1ea190f8e269f74cd760f5a29d244064d09c1bc30832482d5205e35604a388250a7a196ec74 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -18845,6 +18938,7 @@ Entropy.14 = 9168436a8600415b83062125de0ce6a998090216dea7374af08e6d3becba054b + Nonce.14 = 94206c91dcdf9c7c3f3571c703013419 + Output.14 = ef12bd2b6dea20cd197ea9eabd98eec1a2943619cd2a96dd16a6c5485435e00c59570ff14d7d9fc09c99ade0e5ec12a84c0a8ccd5677fa9b92295eb2a620e8a0400bc9ad8a1ac1aa4969d8d04b77ad59b81d95cad75358698107dc8a2ff42adbd679ab29cc29cd6ea756f4c4e60c271c3134c48b5d5aedecf011e73c2663ad1cafe57120cc70137370760c350f4e9c0b8e9b01c9acaaeb56094434f4f87c67a5b5f674783204ab0d0598c06f0802a05ec97073c005f3c9f772fe0bb449c1cad0 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-384 + PredictionResistance = 
0 +@@ -18925,6 +19019,7 @@ AdditionalInputA.14 = eb9e19bb6eb7b714dc4d56243897916364dae7bb3861a4697d7d3f2b14 + AdditionalInputB.14 = 156d12c7a1d0af2cb9f2d0610cedd9ed3b982e77bf4a9dc1ef0f71284b751ca4 + Output.14 = d3b0b0ac5150afdb3d9de12d2c8a7d45109436ed9c316aef1d1fc5bfba1cd37cd750841146dd08320539eb1678962e990f7b7662b44b918447e173672b873b8ab0348306cf6ae2bcc6756036870745436571763efde334dec5be7bb9920629a36cc5db66e8824695cabecb8bf092858e095a2a520eff140f483ec528131c850a8eaa48d8c997fbc810401ca378666d84020fd34af77fbe1152523e979560708fb15f3b7981e333ad4ee8c2fb6021a562f339616823cac5998cd919f82d43f41f + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -18990,6 +19085,7 @@ Nonce.14 = 733bf048e5b112426979a9879b6a0c10 + PersonalisationString.14 = 58d91008875f51d541c6fbd626a49a798dc51d9cf2e8588808e74953392800e7 + Output.14 = 1794335e21606d706dc89ace28c60a15c0c9f108f5ac882b103eb62e225de749285e5fb0be98a5bdc26e3c998ae418306380941d78acb7c81b91ef41cecab328332ac7404ace0ea858e7835534f778cab3e3e4eff043742e4f7d4d5725bcdca0b6be7ddbf79e57fcd1d5a4279f074a599abac2cd281ec6784e29d9399f5ffa8def3252acacc59844c0c24c20d029a89b4407e0b5cbe9a8d51241dd36bb82c400ec4571dd1baf831d58fed3dde4ac7f961be6ebc18af6bfa922a32b81ea11334a + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -20245,6 +20341,7 @@ AdditionalInputA.14 = 06df99a38f4222b9e7e1e3f4a6f488c1dfeafe847129d54c93bccb1649 + AdditionalInputB.14 = 3977a9671024bf0150752ba10c9f6432773bb71aaaa9d23d1ab72b90b7f0e088 + Output.14 = 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 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -20295,6 +20392,7 @@ Entropy.14 = 0cac1d970c06da6f224d49e5affec0fe338d0b375b66687b + Nonce.14 = 1fb1df257951ce8fc0cf12a5 + Output.14 = 
7d6e2be5aa574b0edff39ea938e94143ed92b287262891dd2a6c9193b0237e8fbe10056e15785bd818e548452792a31c728acc14ce2bce9295d3776885018a57c8580a8e7df9a34ea960e0b39af4510711320528fa7a0badc6e25a0eead8cb091c404f626343c63d40044055ee9f9e35 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -20375,6 +20473,7 @@ AdditionalInputA.14 = 38ead8a466e462f5c0617822c23294cdba07a80fd51dc241 + AdditionalInputB.14 = cacc9efb209c71b123498182d25081aab8f0159bed1fc0c6 + Output.14 = c200766d5caf72e64a77a7fcae1ae3d14681e33767ba2ba7faca26209fdcb59c7202c381b18adba07ef0ceef443d9e1c5888366bfd953d614bb184370b45ea2b44a251e381fd2bdb80bf4bb8dfe011e1b143032bae9ce82c2869537e70d36622bf23476163a2dace9ba863a5f0e3d303 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -20440,6 +20539,7 @@ Nonce.14 = 7e2f3e4427d00de41ae92bf6 + PersonalisationString.14 = 2e8bc8edcdb3dfdd451542fbc68481b30964fdf8a6ca77cb + Output.14 = df949beb9b33d2c1522cf6fdb3206cb10b58411ba9e28a4096cda7662b69d23e0da2be9557b9a3b5a8d67db4d616ae9fda3a7e0a8516196568f7a81474c0264993b141f14066fbfc29da724e447f6e503385944e902510f0b3971f7bffc6a6a202ff88d8113bb222b104055f427fe770 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -20535,6 +20635,7 @@ AdditionalInputA.14 = 23a781948449d82ee235d0495ca48d61aeb399d7e2ea68b8 + AdditionalInputB.14 = b52421e5b0e5281920da6975ee18d74ceebdd5d5de05c018 + Output.14 = c878a886e24e20a8b7e22e41ebb33a2b6e9a0168f4c72bebb78f0955c8449592e91c6a2f1ba5554c9459bf2702e67470c1df0b5125d651facc0a9339a2b7c921a51bc7203020f085c9231b3acd850ebfef0d0e13dc8bcfecf1f9853930ecd9b262cecaff0e2bed9e3b5b53343b733766 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -20585,6 +20686,7 @@ Entropy.14 = 04c61e5cbd79804118267ee1c76db36b71b042bf60a1c891 + Nonce.14 = b833be09092d4755ee6118f6 + Output.14 = 
0c4663313750b12daaeee80cb28f097cbe6f50df2022f9ff02a51fb373da42411c5856a136e9645e99e69aee273726d146e3ef4e546273eeca52b43c068887148b7197143f5b9a4c55d4b0544907ee9ad2f181d1b37742d1479d39e78e47505603550d2b28bc1d151a50bbac140988ec + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -20665,6 +20767,7 @@ AdditionalInputA.14 = fa3bc697a6bd8ce341735365ad6e214d1e53e8d6d0a2c206 + AdditionalInputB.14 = bea0650424d1f26e75a49ae2dc529f1fdc552e3a0aa50948 + Output.14 = 4a718257296a3a99f199a5a24decf8f3e6209a4a7fb0b24913393c8309826ffcd6c47208ea6879921424ca55e63a7e5bc63a030cc48be7648da78fc9f314dacb2b8568635e5b14a94bb06a709a2f023a86a871dfd708204c911d94ef3690b3634e58de03fb20091d628bec834a760dd4 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -20730,6 +20833,7 @@ Nonce.14 = 4b729a67449bb5675a1f9d1f + PersonalisationString.14 = 9160b7c96fd367dd7d378e82be11ad1827c7661d76bc1fb4 + Output.14 = 1d7ab4500d99a18b8be2ffb8177c869059e25f1ffbddb36694fa8561da1d71f86a38accb1926339f6dff71ea8ed104c3518e62b00e520c51a096c1c62469e56b139e6384e982588e748a8074dccc51d558d944868e2b8e1dbd68bd83c663447590430ebe15c64aba4669d1a4a784d8c5 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -20825,6 +20929,7 @@ AdditionalInputA.14 = c375af43c11115e995f47212f81cf3cdca5801d184d82235 + AdditionalInputB.14 = d2eea45f69c6d82dc3a7bb3be69d595c86c5ea5b4aee6001 + Output.14 = 907452bdf42eb168195313eefd090a2fe1be8b668b8ec7153a4ed4c07e6979244282e976decef02ffd4fd92b0d7b90bfc453cfd81a823dc162dde29dfa926f20e395d7432e0aea61c72e05c1673180bee3b47fa171cfba98864fc2bf83878e37c7dc019d465788aa1500ab3db8997d3c + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -20875,6 +20980,7 @@ Entropy.14 = b37ca70fd13538ef74c5a3c7ef00a78705919446954ec43f + Nonce.14 = 3ecbdff8cf33b50788dba82f + Output.14 = 
1bcbccc535fbdc8617575d46ea5a9cef2622995dee19aa4b998325dd8d0935957170f6b18219354cd2759ba53c9c1f380586070db0c89979a581ce1e00ce38855e123dc3a2dc9ce74bc3b6e27c9603fb87c09a1d90bb540d267d456f5457daf0920a13119a2b805f9b97b154f80f4bbf + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -20955,6 +21061,7 @@ AdditionalInputA.14 = 9fcab4a8d0d1036a6210d56a894f861fbfacd4b20c081f38 + AdditionalInputB.14 = e279bf650f812b8931662e59a0da7ab799c193da1f6eef1d + Output.14 = b3ec81a3cc8dfa4e1ea17d33566a4444bae9969244e7a8970eab02afc8797b5fc85b6614ab009625b81fbe078bfa4db78ced2d8b3f1e3342b477a3fb42cec7d44546585621bb8310075808aaddef32ede3e668e626711fdfaf2569721bf645edeaf74a9826aadf0a9cea9893aab4fe3c + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -21020,6 +21127,7 @@ Nonce.14 = 98ec3ae036755323042c08da + PersonalisationString.14 = e6f24d96c8d11cc68e72f56ee7e345c5a0083509821fdf17 + Output.14 = f5a9d375a58d1b337d245d29b7a9e352cbb0fc950276e042d075a71f4bc43b65b063bff299c670adfc46db39c4303adbbfebcea1df964c27d33cbfe4d46567475abff4f357252ff7d05ed4ac34e6ed14c33c192909426654d604736f3bb0ba01aa5e0454d60dfe8aa5b2df3a52df22d4 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -21115,6 +21223,7 @@ AdditionalInputA.14 = ec35738bedab1835d07ec7a6d9a5e6e0bf8a3283541b3216 + AdditionalInputB.14 = 689957f9c2c58f1ff34899bd0c295bbfacdd149ab378428a + Output.14 = 6eebecbac4dd64b170cf6aa84788f643755ad5c6c731b63bbba3b2bdc2694f1fd42fb077b4309a0cb09b5ed1107fee2379272351ca9221069530762e4c8ac4c142c30167a32ac2b82b728d57bef95d620cd1b7a2ab5c1a6fac2cc90e0f6cd003ef526485c8bf0dbc9baa7c1f0d6f763c + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -21165,6 +21274,7 @@ Entropy.14 = 2fe6d7ec78f76820cd88c41a5a958c399c7ad1619406caca + Nonce.14 = 1ed975755cad5e4c475c5945 + Output.14 = 
e34b31db083e58516cd60ead2e5b0d39e4a2bb47c2436531c0e700e484c27d3d233d10d1ea6c58148149751f24155fcd258f384d61000da88106a0205d693e4ddfbb5c35f101ff15e531e9ac4a988c16302a962146a3aba9af5c505697cf9aeb7bdb8c49c281458acc33ad4010122aa5 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -21245,6 +21355,7 @@ AdditionalInputA.14 = 17c87a351e940e261e8806e2548da44a751c550ff5f0257a + AdditionalInputB.14 = 7e3bb28f266786ae38c24876087fe35c7e43222382270380 + Output.14 = c943c9ff0cde86a62756465e6bf4fc9dc25447157537831c975782dad82f3e33e6e7790b41c158713b8978a6967bfadda9e15ef43922b3f93c8ccd0cfa834fbc6776f3c1b6369b4f25b1cd1189f8b8efc31be2dc151d3608eb2189a4f39c0f0a3deba00ffc97299c11c46885b424a7b2 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -21310,6 +21421,7 @@ Nonce.14 = 4fb71fac56d2aa35d7fa44d1 + PersonalisationString.14 = ad66fd02b6f6e30ce521ae0d783236c75cd3699696475ac7 + Output.14 = 4b2df98ad411407c1dff07b5c08e97ab501fc20ad191794dab73e9b4dce62470b3c70d75f07848f436f16a8c63ac31a75525bd928b5c76218099ec940e3ad193eecdbad834557e92602d7daa6e3eedcbccbc4d0829c8e1c7e59adb95ce928bb138870566eb27e4725191a9ebed50304c + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -21405,6 +21517,7 @@ AdditionalInputA.14 = 30a66bba0f4d6c249e271de8927b6ba1e99fefbf3386934f + AdditionalInputB.14 = 1ebe06fd88f8f914ea8f590483994fbf227613e7f49ff18a + Output.14 = 38b4e2bf6aaf771df03b3bc37a959955dec83f07af4bcd995957a31991c5ee18b5bcb7754f3bf6293665dff2b4769d081d9be6393803e2c62a73ed8ce4adb17b36c1e0deb8ff6106308be9019cd179a92feeb184d93a9348d3b14a70bf13fd74d12cc427496803b7fc041f87c630756c + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -21455,6 +21568,7 @@ Entropy.14 = 7f422e735bdf349e4f51787571ffe061ec7e9181fa0b6a342e36611da25c1a15 + Nonce.14 = b09d8dc6997bcb567cfd788d0e06483c + Output.14 = 
b83bb6e99b0a5237242711e27779d05d2157402856f9653542f1ce52b1a7463e13d5c92309a06d8a78773ad70504b64ff070c2e6afa4ec3662f2729cb7552235b79c18e08354e334474f238ee74feb7e892d5701543f418cd7f2f5533437d9901dcc54687816f16eb7341b1707c6310a2085dbf387044a78fed850b42fe9d8b4 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -21535,6 +21649,7 @@ AdditionalInputA.14 = 5722b092a5a0195f14b5f236885538cc7a514e997876c06f634926c695 + AdditionalInputB.14 = 6e4f341a0524dd1085aad0b6c956057893f737704ca2fd8eaae6231e9691688f + Output.14 = a757af53227bd8555853ee2e643256074be9904d2fabb0ca86a645b0ed1905731cfbfdb7eefc83938fb576d7e5da8135300f8e934dca521637ed10e5e791e18e82c48085f511476452237ceb930e0307e228886d36aeb83d8e25ba23b38dce6dbc335de90b63db4021d6ebba5dfb6d8044a2bb7bb20aca679cde16406c8c4746 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -21600,6 +21715,7 @@ Nonce.14 = 06b7b75d18365f4957489a09204b2672 + PersonalisationString.14 = 9e32f001033eba3bede220d4f351ce110e6ee2eb0b099ce54f9606a21d80b1ea + Output.14 = 508333114a0abd5fe10327daa0f1342c66569d912a64d8ae89227d0d8ed5b4052cf84f0c38927d88dc0d7c476e747965adc9579a4603a36566a1730f55ed7b100c1695f060674484781682ee629167f7adce89885ff04d722d960d0297d2abf79bd3338126c2d356a91bfa588f80db7ea365bf181fa5370c478a04d05a515b78 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -21695,6 +21811,7 @@ AdditionalInputA.14 = 5b2d2bf0653e3c075c469de5e2a093193e700abff9792a9f3bc0d143fb + AdditionalInputB.14 = 976c765df6b57f0eed8661587045826c329f4f1994020de30fdd835912f72fe0 + Output.14 = d8275a104f1dad7412637d12fabf9dd1b06592850cd48a3f38304789911efe8f08970b8f90fa021b04039cd3d1ca573c1586e7ef586f4c623dfc559efc0f2c89e4136b59f0f5706a74679d1c95886a5ad05b9a850043cdb19d806d617b2f640f715351cff6920c47f96a42b872a512a7b2e99e4d0c2230861b16f3b38deb9b58 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/256 + PredictionResistance 
= 0 +@@ -21745,6 +21862,7 @@ Entropy.14 = df6edf960abe3aef5f50741907c0171906c0837ba3bfaa3a1044fcc4f19ed21f + Nonce.14 = ff2558bec3e5377c12697c908d629952 + Output.14 = 9d68c2674eac76f3ccabe1c6c0bad96d5fbdcb1629c939e397eefbcd2ec2f25803fbb9aa72db952f7fedcb290da99f34c0fdd637c37dde1446d475a61c38c3fc5c1ebf9541d136cb02a43b2646df7ee4bd0d9191157dac92a33f401f089ae15618624fc0baf707409aa2f80cd5d0676612c2667aa420acc6e016e6ba3f63c686 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -21825,6 +21943,7 @@ AdditionalInputA.14 = 4bf2c816e2c3e9721d192a670153d620aded035ffa214cb0d7638432c3 + AdditionalInputB.14 = 06f515395ad7c3d025af7df781b49b62f068ec9398f6dab31ead6f917c663de0 + Output.14 = 1e70791e6a8ce753f959ab75d1225b44452ce7aed0fb53b56208b3f26419f004983c452d724c483b4f9b70d2d84734ce8ec0258d8edfac639b355204e14b5b7bc1d3aee6ddd9f5da54c6cb086d16ce381c2d5cefbceae3afd56c13441d80c7e6081aa68ff57f21d460370de9ae713c17ab14a81f0895e9e492af7c437d7a5799 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -21890,6 +22009,7 @@ Nonce.14 = 2c4c4f3a953e551746f7e258821d24f6 + PersonalisationString.14 = 676a9304a3f744c62c7f5048f2137982c89860577cfcaf0d855514436ff8eff2 + Output.14 = 7bde8a5a34538655ab2ca26d0447eff3c6da298b3fa53ff0526eeeebaa4a876b60e47ca544ae30ccb00176ff84920bb4e4a4ebc3cf74b9cf8cd8ff9f7b11266a3c9bf918c458760bca6368ddfb3522edbc61ad14f2b638294e51d82e617d8c0c631aefbba50dbcd1a0a88963c3d63959909ce2cc669924d7163b01cac468c0d9 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -21985,6 +22105,7 @@ AdditionalInputA.14 = c168776136197bc3877c824461994a4cb020b61ad1630bd8f38d0db211 + AdditionalInputB.14 = 4f54082a1b9e6cdc8599e1639865c00fd758f403adba5cb74a37e2b20f29b654 + Output.14 = 
b48984588cb54f78610e05c8a7ce12c630934f5ed2e4cee21e523fc65a7b8412189ac51823ecdf493844a859aa87f3e84645f22f0914245043f7b86287a85db97697bcc84684b072162c2fa636569df83fe85f1ae25204786bfdcf5eb85006d09a4d97b162248daa8ccbff9eca28b7bce9fdbddcb8679ba50b6648cb3bfe9af1 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -22035,6 +22156,7 @@ Entropy.14 = abc502a99b7c3cf14262f6b036925a9904105b019592a2a6be26d71fc42c7444 + Nonce.14 = 40a212f9e1a5aa54f2c7ed4ccf631c9a + Output.14 = 0e747d83e2104367beca697db9b6bb994061d82aae7b1564f6a0911a1f599084a7ca7c94e232908d41df93a6b416e76146a53b490afb552124fc0c2087cc45de96390565b58f913b5dddbc55dcdd2617ea27858ae7c7748b31d832fec0fafe84594ad7b693cf972daa9521ad4134867339536ed5cdf02a758e40d5d96802f4fa + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -22115,6 +22237,7 @@ AdditionalInputA.14 = 2a8cf10885a141125dae18c40f7bcb7e09c1b2726e22a7f776e4735279 + AdditionalInputB.14 = 7c2db5278d2336764d274bf9624db7eecad2db11c6622831e47338ea3ef02ad7 + Output.14 = 08ed2c3aa35812485ea8aa0b16149ee4f3207a0368be2035e202797939dd2a1c1db1ab244434edd783c7574bf48fc99f93827a1fee91cd1db1cad53512b6931d2d63018045b2a50a9b523a6ee212fbcb21ffa57ef998b4ce24e5f2f875a8ff3a45d8602cd56cfefd2f61f73d00dc33304a464f4fc1f7dd311b516a8da4e91151 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -22180,6 +22303,7 @@ Nonce.14 = d5aa1d24b7c7564f6836f626bcc6d32b + PersonalisationString.14 = 4ef1e00dcda9e893d066ce48cd291258a29e0a234796c30a6465079cbc3d3aa4 + Output.14 = 43da46cb7b737ff7617715e3a8aa4c42d8cf1b62f32ea97d035514a10798f5bcaab550eab684cfbd5c8d3e1ce6d9fb026812e647ae6a50d3d8da8e9e2f1d5f7fe550e7e0b88e146925f2aa64690e1a5a5de152f6421837c15337efa80fdedb0a4754268bb83fcf0281b05b3885dc64b87f1da61b1ab219779ef44a1399b992ac + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -22275,6 +22399,7 @@ 
AdditionalInputA.14 = f8dbd6a405435595b2520bec5026075514955a666e4ca34b7d0339b0a0 + AdditionalInputB.14 = d9536bdf1c3944d4d239b6dd13750c16a2780d943d4cb5fbbe418189a7d65432 + Output.14 = b5e12e5082c09fbdda81d1a2229ef9bd46db84e62ecbcd1a2c4e88557f8ed3b5af740fac2bddaaf441b66084ce2239adfc9d02f001cd23470535f13ee6ed73256adf902b359930093ffb293a7c007074582a356529ea3ed9a5ac0a1a3f62df5fe09d27f5a7ac6abdf1fbd5f5e5da70da5e3037fb062d0817b077b56457238108 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -22325,6 +22450,7 @@ Entropy.14 = d233eed6e4a43436e4418ac071bf9ec00d463d0568cfaf7b4174f96c1f6b8564 + Nonce.14 = ea8e646e88f7fd6c8e590155df15558d + Output.14 = 314dca793ee1eb0dbe48bedc324b557966ac7a17b900bc4167ab4b65fe6b34ae625c200c4e21428ed258fe28b99c31cc4e8f9eb93a793c3e33fb0b75a2595a3201d939dddfa27911ad6f731894e16692343f25de291da89570a257a95cccb42f7d9820afa9b35d16664f95a2099ac929683b7480a4d1e34291853047ced3302a + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -22405,6 +22531,7 @@ AdditionalInputA.14 = 46cc09705223bd3c01fa037d9a19dd2465bc612f519e51d33fbc845742 + AdditionalInputB.14 = a9f78f79d034d46086bbe5c8883dc2a34a1a17414aad2c767a3b3f23dfc9b637 + Output.14 = 2674afd329d03ad3b1bb8157c3100a312e29bd72b55139c408afe7f2c9e6d53df2cb8b829b7351a80cca8f0b59d60f6454ba60b154f654a09aa82a63fb28ceab9435cb6022934a0599a4c3a005bccdaa8bdaf8246ca654692a6c038cc82fea477fabdf3d6a0975e952ce3feb7fe8c4510b8c5347b21da5431cfee69e9dd2d8c4 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -22470,6 +22597,7 @@ Nonce.14 = 4788964160bb81d6f6c2675008b05410 + PersonalisationString.14 = c56e284ac65798010eb7bd39ffdf49bc25fc2e663e90ff93f73c97e65ea82935 + Output.14 = 
683493fb3c6ba0ae0c42009beb39fc37a9d235fb3fa00648ce4d60b4d6bdecdbaa1e2ca0c0fc80c53f6f8ceab31c3c42764b8f23c4cda91743be33e0a77fe5a4297701bdec6b2a5712e76c64bb8b7e03a257c140cd8aafef046b049303679a7904f029444d92d673107bdbf769fc1130429ff64b527b0ce2420e2c70e8998ee8 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -32177,6 +32305,7 @@ AdditionalInputA.14 = fc54b5339b37eb6889cfd7c185070bd0 + AdditionalInputB.14 = f6a783d6d42e5ad5abb0a996bddfa04c + Output.14 = 683faa732c4551604c8865b5f777571c7d3cf1a60124c59b91283da0cda9b21761d1c17c81856958c6d590436c73594bb36f46c2f89237d8c7a7ddd2c58394c983f8f6c000d77566f2a1d89bac054bdb + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -32227,6 +32356,7 @@ Entropy.14 = 08a325accfe119fa807a95e8cc2cd8ff041ccad8e2c4cf49 + Nonce.14 = c85baec1c2d1f3f189eecad5 + Output.14 = 2567712d6fd3b52364b508bb2e4ae18e34b155dbe99fef9acbe21346715d36c538dc380a5e5900e0ebde76c779006fabe2b3f171fa63fa0f5ba264748278549c9beb26db701c8fab7adfdf48eb63e48ca6f3be8f17131c5e9145f5dadb00fe666a651d2b1b9e785fd444b05d4efa8ccc + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -32307,6 +32437,7 @@ AdditionalInputA.14 = ae701404440c584e27266a12318c1793b6a112d96e6a6749 + AdditionalInputB.14 = 53861747c9627e9244679d58e2dc8cfd8a72d1bab611dfd1 + Output.14 = 665481033912ca7d87caa56af2612338768b044953b02b9a50e0244bb805ca007648f71ccf923030e56baa13a88111fe211091a54744aa5d82abe97775878059dedc6272e7c7a5392d1fb443b770ee7f5dd05a3f2bba4cab1cf473d02648d4f8acce91ef167e3ac00c1c9324ca074486 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -32372,6 +32503,7 @@ Nonce.14 = e41f19a969494a2293ad0542 + PersonalisationString.14 = f67bda6553b5e4b89e309cb48a336b78460aff498846c2e9 + Output.14 = 
44d544ac910b7668ba9c5524e388957520fdbf11383808a5a8008d119aff7e1e2bbe63b4cbff19455f20f3dc79ab0a83dcf0e403728f2a2b2a9f3b98930d9f285641da3b6b9a9467b2701ce1ecac82bad8214bb618c40999f5023dc2d97dc1a53a0296d44f6fc9d49db00959c89e9f5e + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -32467,6 +32599,7 @@ AdditionalInputA.14 = 6a7418d4ffc40e11859f33189d5a8327042ec268b004ade8 + AdditionalInputB.14 = 97beb8c47434a23efe536287d776edda7ed7cae84c0c7e35 + Output.14 = 1fe94acb5f5cb7e4a8edf5be61673bdc066288538dbd0ac29ce2d43f7b890028e48131e6b3a7cfbb42772b63f2fac8c0472418653ee2ebcdfa5ec08683e7d4a9cb2c67cf7e22c2ddc779c6d9971b29347e6688113294c902a5d62c1fc35595e091cb10e5a895d7c3697056659ae457d1 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -32517,6 +32650,7 @@ Entropy.14 = a71c303bf17e128c8e0aa07fb61ccc1f40fdb487a955fd95 + Nonce.14 = d3ca16fb12ae4709d411e5c5 + Output.14 = 61a51fe1eca4cf947bbf2a77d643e7963ca2c587e0eacc8f7fab3b3f0e166197a4d15184cec4f0858de2773d8becb339bbb18ab2c10c8b246ca66dce48e2a0938fe1ab122b4930d603b937491ddd3d10abac731957f2e1e030eef33f7f311ed782b06697914145e266d0b967914d638a + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -32597,6 +32731,7 @@ AdditionalInputA.14 = e098f0e076a3f40fd970f5d221944f0040ef4a18d88dbe6c + AdditionalInputB.14 = d7eb01dfd7c13fece92d35133c3be71efba145d7353c6d69 + Output.14 = f03074a219ef31d395451ebc8534e4f2cd2dbfebbd9257507979ecec79a5f76359f2d6b4653b31704ae5a49f884db91ac335ddc6d11768cac7850734e76734b63b71ff12f3f8d42cd404009e7f4b66bc0a639a9354ebd754c17f3cc65704e698d9bc0640919c386e96760f3c36d8789e + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -32662,6 +32797,7 @@ Nonce.14 = 838d1c69d8408cf0134f54e1 + PersonalisationString.14 = f08a964b386eeadc4bbe57164d3b3a0c7c0068c49c9bc5ad + Output.14 = 
d8af077476875fca2ef9f04013976c3c278d30592361b923bab2f7e3c8af4affac5408c390b4989da254eeb97ccdabf32f5e246739d0e532a6ea317e7dda02bae5051ca97a445f5e0696a041e5f9f2c077b26e575d749cae344859864aa00f262c1c41b2964b78f72f9cb98abce103f9 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -32757,6 +32893,7 @@ AdditionalInputA.14 = fa0823db6808a3de1a7dcc081c01cca840f68b005d473bfe + AdditionalInputB.14 = d3054fa2bdec7c63dc009ecccf25c1116380ac25f82a9085 + Output.14 = 556e90c95c1abcdde027fb2b88cf191f0686830ecf3fbf89de51c9bd735726131472a17f307263d57c03bd5ecd9ceba6cd5759b06594bf901418e2421fcef4b72678614079cdf4d25fa0b74985380552d2bbf478290445066e3f4a40a2e2b0792a685b769ffdb27721b1faa484e9c783 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -32807,6 +32944,7 @@ Entropy.14 = 2a55ddbf673f4e12538e61cd2bfda6f0316277661f553c38 + Nonce.14 = a0c71049f5c75c23cc11c7ca + Output.14 = a88e6cc37617929bee1e14f74ee363d1e05fee618fc1eb1f8abaff42c571048032c84ef0ec7a6d8ad7e6c5a4a6e90d714d76643eca063287929032fe75a2b63fb1f83ab36a7fa12a12d7332459bba56b017654bc0fc29beae1897863a63276208f9d11a32780a627135b271efda4f4f0 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -32887,6 +33025,7 @@ AdditionalInputA.14 = 65e70309f7386d1a0aaa53da65263d5263bc5eaff0d5f3d8 + AdditionalInputB.14 = abb8cd0ce0560309d2424d2f3fdce7af085e6c14699b4799 + Output.14 = 8188a498ef9e0fd52a77c3a44f1c7edccf9248590aebc52cb9ba7b5cddffe867b26309f032a78c0ab751741fdd9bd77d4bd17be90dd045f6f8b45826c9900028f68138cf1ca8e18b253b8eb73ae04f2e156d51a792abdc6524e4f45e4ed0b06ab3b0c94bc5e1ed58f917c17f72161d31 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -32952,6 +33091,7 @@ Nonce.14 = 1ffb77244697c3d67a564d06 + PersonalisationString.14 = 62865bf0f5af2146440d74e5ac8787cbedc544de16db24f1 + Output.14 = 
1a74f62cc6bb05ff956d1af526926b937a84352830a78c7ecd2ad9c39a796f29f640d188ded8bda0e66ba81c941fed5e82f3c78543d9fca14335459ad9d573362f6b5d69861cb94c0bb055723ba5416b1fe08e74f27f23cdec9db05b50b01a20f0337cafec896f5f7412e1dbe7307e0c + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -33047,6 +33187,7 @@ AdditionalInputA.14 = 1a6853817be281e26796430dc90f014f6fde64cbef16e58d + AdditionalInputB.14 = bdfa703974a758cd4eb00661e0f4663f4e574cc7be6906e9 + Output.14 = 23c9f591ec9abea9f9eb89ab8d705a1e570fd2888772db5d6fc6e418a34e32d78fe49be8d4d8288fa397b57afd49c07b715e276c68a2eb8f3e63f67de21d8ad23fbbdcfa03b201952fae49928ce4da66cb70638398bfdba4db7635c8c726a3cdac22c98ae776e881edd60b69f0b38e4c + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -33097,6 +33238,7 @@ Entropy.14 = 7c8a961f01c1888456ae6042caf338c3ab8b5be28b34d15b + Nonce.14 = 61edc22b49e518eaa9e4e04d + Output.14 = 9d2eb0a41f7b03ccae8e4e3c61628e6710f5999f3991f04ba90fb3007275d07ff169d325ab26f3446e585c2d454ff8f6cd4a520190afbc06f30ec9b49668b09de45a116b171c210f5f888cf3c273c803044b17a16b06b44bc39344f2b2acb2f21f4b0a7abafec8c8d406d26477db9b7b + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -33177,6 +33319,7 @@ AdditionalInputA.14 = 71b5b9e9b813b5f69e8fa9fa7f588217268581b7d135fd7b + AdditionalInputB.14 = e5b06d8f12539d36c665cf129c1c42e3b7e88edce1650870 + Output.14 = 64595391a02ff750b46418274b8366bbca0e9c52c95bbdfa65882b76395887a018faa276f3fd6c8dbccdb964755e36508897cdac977037d0978f2752d1dc68bde3ba1edc94787c1c8cfe42c2347052da30ba7f1e06b44c10805196e7bb048cf572fda62b4a28fc189702b1e575b008ef + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -33242,6 +33385,7 @@ Nonce.14 = a16783ada78fa029ca3fe31b + PersonalisationString.14 = b20dae78f254b07fe3eeb7c793334f3f432930353fe7f221 + Output.14 = 
081803927779c7b2039681db542c965fe48dc3cfde712a361e77da9aaf9f21cf38e18b4e8e5ae5a365910ada327b05630abe87858163713fd8c2988975eca44ee3725370f1c68117e58c2164605524102f22f3ea55f21f7e8fccd9861c59973d71c0aaca574480be6ec8e1fb9a163680 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -34497,6 +34641,7 @@ AdditionalInputA.14 = 228522e58e65d50dfd176e8ff1749faa70fc2c82eda25b0748ddc5d41f + AdditionalInputB.14 = 7af60c47b4cd146a39887c9b812a1dd814d74c398609bbbfb57e73da9caff57a + Output.14 = 9528c88f0aea3fc03bb8a9061e159a06d78a2a654408808aa4d0e73ab1a51e5aa85e8bcae72d34784ff6f513193e183d556ddac5675314f2b5cfe392d1526056afe32d7c03e09ba2bdf3b10e228b0f600a61cccd9e7bf14dccf13b16a838e60909785307e6905d510d9888eaab169fa601558fc952aa8559d270ecd386d7fbd7 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -34547,6 +34692,7 @@ Entropy.14 = c0509068d88167921812103b67e734698d68718ecf42cd99e0f55836c162d450 + Nonce.14 = 71a50d2db258ea35ba69b5716bf68a14 + Output.14 = f66c05713ebe804b4273103997d260adbe8a7d0f6b2bb862b867ca59874ab9e0898102664af2a8db24a7ccb4637269ac67d5e834941303acab9076ebfa04cef64f73480afb6808f11e6ab1a9deae514f5db1c90c59ce988cc1d04012640a40173362de2689f88647268c665ca44f57534c9ad9b8316b9cd1d5a14942e94e90607acf6ad37a2398979e56e9c227c1803f90844d6140f10d0baf20dd789d808a647b4df54d2136d967461383dd4db9dc154dd89cd282a2766dd6086bf3825d095c + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -34627,6 +34773,7 @@ AdditionalInputA.14 = 25d2ad9eecd3bb8bb60769942abd16edf0ba777f2541a4b0e80fdd70fc + AdditionalInputB.14 = 608c5789b5a2a6c11c7df095be8c81968c0bdbc6296026ab65195bdc5a297366 + Output.14 = 
e1c600294a86393b7067b6e77ca83e68d28a6b76f6f81007183be65a50fd2f1adf6eec5a64cc753c5bd0ebc12387bde8c6ec10e6ec7e603f09d4ae624cc5423b5bd53da4f0af064e14a7d176369f1726fdcf6468ee15ffd7db3be48d196601506c71e2f443a768e03ebc35245d254bb87a392508ab07c95bce84ba81058ca1545289c9d8142aa0858c9cd5ba54ee2bb75cebb5b74e0d099ee458752d11ed70122aed1254609a715ddf2720798c9194ae4a7424e2c518ce7a8277ec79da86263a + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -34692,6 +34839,7 @@ Nonce.14 = aadd62dbd7b34bf2021ea74a2788b17b + PersonalisationString.14 = cc3308e380672a955620fba59999ec4fcabf1b7f63089a124cc1f65d58b691e3 + Output.14 = 6c39f49bb51765dbae1de8325e7a6f8f8aec031dbdd94b83d5c4e062848eb4e01e3912784f817ee16f9c2dd0129eacd3f7b8d5bb4cf9a4a2ef823b0505c2ac8e4a1ec30812e98564aebaec14ff710a77c1904ab1fa3fef3c3d09f2d55b047a8db860322fab6d939093385838ec6d11667ca843f69268ba1fb7edc462fcc285adc9b4b97f0f717c28ac1b6f371d90baa86e8728051dfe9b68f15dd31a6da35194253545a5d667df6a1322f6b73ba661c7407608fa42e1b894bd1b6e7641749977 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -34787,6 +34935,7 @@ AdditionalInputA.14 = 0d81d8c5af9885d1b30d2174429bcc6979bdb2b82e6fd3ccdfe93f36fa + AdditionalInputB.14 = c63866629ed771e53d2fe2d5c21e98ebde295c3fc3896fb67279427c61a89eb7 + Output.14 = b369b226dd535dbdab45ff8f13735214f9abe6d11463a44804b838d2932112ce6799341505b7b5bab423a3794c37f383b06be1fe21f5c7da97b333a41fb67908dbeeb2450a3581ef71870c964c976f039ee856fa507e9de948c4c097a64070b23cfa09ab7506a8ec4fc38a38ce21fbee3f3c1ef3ab598f5da202f35b90f422af31688402509c38ac25359409d2b61958390d28ca2d8b5dea99ae26c90978f01d7a482c12e134a81de0bf6c9f39e32a8b597ec7b7a05a805ebc7ce260c381f189 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -34837,6 +34986,7 @@ Entropy.14 = 5b50064163ae6238f462461472ad2ac9acc300316e140abd9cd6edb87b8ffa09 + Nonce.14 = 581d145675384210801d9c75d4d19624 + Output.14 = 
de0ace4f4a728c681a0b326298142fe79cbff2ce5230e6c1ca3e2808692d02e4845867763cb9e93acb983aa54659be6f9baf210048baf7ea4f062bd7e3d9a6d5e7dccf427422b9dd93d392ffc810dfe185bbee253c3208e22a83c9804501321c6cc0357d22859487a3eaba53444f4027843699d5a78214c431ea741bba73bd29550925443cfa5f494372bd0e482e3ab4eace1b60187b6db588c0d252c8da3e0d6dd3e475040817ca2c85b1149d8447a52c111f05d7c14a0f6b7b6ea4f60aed3e + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -34917,6 +35067,7 @@ AdditionalInputA.14 = 80bb70930ef2015949b53d787630f5de93d93f98c577ca4632266e1bb1 + AdditionalInputB.14 = b6afd2c00be2eaed5c1991909e89029db0b04598115fae5118cc215298e0528b + Output.14 = c20bd78d9c396fc8fb408361e1dd4827ed3231617a73cd8848e493927207ea23e6efecd4fae36aff74b5235067543c7eb44c290122f9167a0ec4c6a530ecb0936fd683fbd866b73afb712b2f20ccc981b3f70faec4f4fda62e956c7d04cf578b06259b0f3c044e6dc68baf91e6149efa70b2ad2b81c8e14d1a994887193e53bdb5986a23d0412e989c447689a71b283934e50c25e10bdef0b22ce7368840cf761e32aebc07d7b51da16dad4c332926a4cc9853ac8db36b4b01bb36746a28f527 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -34982,6 +35133,7 @@ Nonce.14 = 3432a2e2263728e375ab973bb5842d40 + PersonalisationString.14 = ccfee35071757d5141f55a481b7c44a584c5e537c636d4d0ba10dc3c88adf6a2 + Output.14 = 72a77d1c5dea9d00c349d4e5a9e6dff63ef6cb80b7998ef62e7a1fdc2267057d07fafb993e8df868821c6cf76430f3b7ff24a527f7e41fda6d560a773d05bc003f7e1ed5085f6da3785dd999a4763894455febf7618750bad4e30d8f52f3a072af30d57df5afda08ae7cebdcb659e6cdeaff52b47d4dc571e28315ff0e38538baf436e02d157b64afc6d50e6a4c5842aff1e7573888c6ff9beaf4f91aed988f03032388940c4f54afda05bf55ef6fc8c673f01ab545838574f3bd4f22865cfd6 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -35077,6 +35229,7 @@ AdditionalInputA.14 = 0facad642bc0004f946e3fdd149a4c0e52475c9e832c85b228bff6f2a4 + AdditionalInputB.14 = 
19d477a7dd45a0b733e6c301a4fd44ddf65d4fe0a0435b57e319e31de4797427 + Output.14 = 2a48844f6919ed43a2b0b64a1d28707fd3265b418e0673190b49a606358062c1a54a6071c845adc6ad74193d746668f890423ebb971a63cedae3241005432c8f3fa3fe7f98d5912da34dabcfeb17c03ee8881de7b2ef04fa2147b78532eb0ce7d9244d717697138f116341c7b9e99f15728207f6a73c651b8940582f9f926253420a853ae18132093183a6073e3bc85633b75e1c6cec9323ed4142d0c8ca0dd5ab2ff2e6b304ab8cfe4aa98ac64951d836e074169d375ebeae8498f11bd02c05 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -35127,6 +35280,7 @@ Entropy.14 = 3b6dde5f550d482d30eee2288bff802241ef20ec15696e614b7268f7c574eb1f + Nonce.14 = b8d8984703ca7f942951fca97129135a + Output.14 = 36d0cce70eb5aaccf9b172fccf68e01eb8ac8b1f2652cdd238f4b070c8f2d9a128418badb38d5d5fabe28b59d15cd432010716fa6a48071114b2168cd29028386171594291118e54fbf5b61ae3fbbf9a21ebe73a4aba482c7cdc5ea1a4f21a0f1b38812cefff9bae78c2b95f417dc0cda010079b637f825dcba059d154f5a53050db773250013a1f051de9f7882433d2054ef2adf9b7b57c67173c06ad16cac6bdf74a10bcc666f7d4a091a78131c5ed76fb733791278b6ee0f55302c4b122a4 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -35207,6 +35361,7 @@ AdditionalInputA.14 = c6a3bc83220c7708eb7fff5787ecba27e48c894e15302e0ee7f4e5f09b + AdditionalInputB.14 = 39b854a1c487e24e1ed58916d8012277fafd6e7b6175c4be43927cfac9958404 + Output.14 = f7d2f39a513f6c4eab993fa440b769ce09a15476e06ceda47969be05f53ec7f8409de284749cdcfac07fe7df66b1b6bd39389401909f3a84538d041e1c038a289869e51bce8bac13a0f786cb091628f0a3a7f7f9a2f620c98889688d46a2a037fbc1b2a4fff40800eaccf98a0bc1452ff1f53f040daa94e17dcd6acef97192c74075d064be5a97205ad97f693257d96c04e78654a694e90b80a5234a25d1c7ceef360d53e768067335097c4aa8f126a31882eff8e55cee05eba4b4325c203f4b + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -35272,6 +35427,7 @@ Nonce.14 = a684932ea2337296cc3d150174a47ce0 + PersonalisationString.14 = 
b2c0af9038c2ef79ca8263a047bb9293a44ecdb457fb45945996157dcd199cec + Output.14 = 316fbc32ecc1dfa778b13921b1d624f9231c0ecca03e17fde750b1e31e76b1c330ea5bd62ca76150f231ac4aa96b06f845db2d03b65cdaba4c160b288a121eb144058f65a751e22151f91b90131e6756356e7f90d880ce754cf965f439189eb8bedf86c58e1fc2751e65637930c42552fdf81acfa1d4515ad49dc532b2a10b2b11209425ed1cf43c991b4a7c49bf6e701990fddc420608d74c3636829e4683c4e77a8151708d82ef8fb81b3655670fd4d242e357831bc091f30e6d139d5e5ba5 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -35367,6 +35523,7 @@ AdditionalInputA.14 = fa32817ad83c85b594976eafab28fe25c45aa74d0ab4750b33dbfd8836 + AdditionalInputB.14 = 2e5cb3c7c9503e019b3383eb6264d6000160c3c99ee5700e7a92433da1c01f56 + Output.14 = a7571c1afd3d1dc1d3b28dbab54fe3514a0ec74ccf999376a963a3820474cdd67b190551ad5b24f4376633b4964490f79a94059a55b967f8dbe58eb20d70f1fdac91565bd8daf5223abfa13b132a140acd33e36f29fe1b107f62e6c45a679247b80c0aa050f1c2d3195629baef7422b72fb3cfbb82a2e4dd1966b1cc27b8e6df1907fbd6320f25594e1eff912cd9685755473b908e06fd30c4359258be0580e6bb2f986b0450d53fdbfefc3bf06c0d80648800234100af755acec4f809c39f3e + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -35417,6 +35574,7 @@ Entropy.14 = 1e1cde834393e00a2136b8924be5600c8bf59dc2d8a9eeae467ede71ee7b75af + Nonce.14 = b6035e96adcb7e8f2e17022e2e4f39ad + Output.14 = 9dde9f29034b6e784be24fe600c39b091568afb4c40c8e05b8b7dc36ca74a1bed38ab15643ca8c6da2f5aa4b7a6a5d5c9920cc31129c84e2fc9b865b3f30b698a143189a3f3b692b3e5641499c949e53e3619cb112f42046a18d5d12dfb3c6932a6a829d07deb17b799519b81e961ff293c0b2d24b629fe906166e330135e4ffd00609462f0f9b89a110084945243972486a0e1aedb2eceec02d402696c89abbc950dcaa72d7b0e00ed8e65c3e9eb1af7535de2da728f901650633242b3368c6 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -35497,6 +35655,7 @@ AdditionalInputA.14 = 7112823304b16377182ff9aba920c97ec4d4f23cd472fa9954ded16495 + 
AdditionalInputB.14 = ba183a035635d9617bd71b59fccd561f1c78a7589c7fb3fedf41dc2e6d5015c9 + Output.14 = 94e577e5c4f66be345c6be7038b02fcfb4070d5bf74f8004b59c279cce961dcf5bfdce2f01e007790cf770587a68d0d24ef0fcd1a148fca6920e707289e58b81fa4a58b5a018a358d336a20daef30b2881844838e51c56f11533b25c77b9c6c6bb2c0657350f011b24db6c60a84232dbcd218a816563737585c1ca6152ff13304ca86dff20f9f9596aaa21448f2c6e620eee58f69338e3b675d29b478f34f0e60dfe7f12f02e6181d19185f7dc945210d86d31e85eae03161e947fec0f0fc91d + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -35562,6 +35721,7 @@ Nonce.14 = 67f50628067bc401648926d7567711cb + PersonalisationString.14 = 5f8cb19e3c86b179ffb8812db791e8bbe6b0caff958715dd9e3368a2d48f65d7 + Output.14 = f178a20d27725759c839e7fabb63bd101c3352f582524ff088ccaf6f0546ecbd3d5165f1e3cacbb49ede115b8f6c8db3aa9720692efda124138d29eac17637b84977384fb88e81289ed5ec960e6e98fdc71d03ef0bbc05ac7682acdc62888b49fdbb442080687f902b5a313ac88d364b13871b20f684cf1acbfa229fa203607a0a37b4e1685d13a508da9f48dcd83f26751a2284044f93e18b2a206a1887d77c4b76e821952b376f19fcf53d83f704e3ec3b5c3cb4c390b213d57dbe4852914b + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -36817,6 +36977,7 @@ AdditionalInputA.14 = 2cc9f137fcd8c2d526d70093fe11f90a0a36bc9764a4c5609072e181a2 + AdditionalInputB.14 = e40361245b91880e308fb777c28bbfaea5982e45fecb7757bb1c9de2df9dc612 + Output.14 = 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 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -36867,6 +37028,7 @@ Entropy.14 = 42623115c0a43edeab391ee8ac84c2b3b1bebba8a6040cd1 + Nonce.14 = b79f5c377be52381210c1c2c + Output.14 = a59dcfa9585b1080cee51ee493fabc22394ccd0949e3a4d4e5b8d60e1137288d20f65e7f1ddc1345869e1af62562d6c11044bb65d11dc0071a04a2cd0eab76718ec9a67d4482acbc82ac27685b98c50064b41e120a35e5ca57ed1bed6963fdd03e26865ddd3217d67cdddbc990c5833c + ++Availablein = default + RAND = HASH-DRBG + 
Digest = SHA-512/224 + PredictionResistance = 0 +@@ -36947,6 +37109,7 @@ AdditionalInputA.14 = 450a2109e7d83a3ab2e628ab35af4dce8ce7205de7c5f365 + AdditionalInputB.14 = 60d0ce5e11413c321535d849da56c3d9bf6222a3d2cf77e9 + Output.14 = 27397574a1ad91ef6f332c954c0d5802cb9c90926ab05c116586995bd795a2f1b4706487da86282e33d0b44dcb7a58c8c4a2874ed4646a1e963b7d26b62e0a5e0a5bb60ec6e07ea6b7b7fe1194c3ca4371736e595707ca7fb56bc924089e66b137c47f9dde74b5de3687aebc2f5c2a39 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -37012,6 +37175,7 @@ Nonce.14 = f2435f70e075f8044d4235cb + PersonalisationString.14 = 80fa0ec5a3a1b46cd639ae19c137239ba8113db33984c593 + Output.14 = e547f6d8cd665204f8ebf6d64ecaa23fcc59c1682eab3190bc76ad4981d68810833f1212965def4868883529c0bae4a2345da6a0e6a7e766d16022c6f371db8ad089d9227e3a85168d080c3ff2bdd604e7f8404a16268bd66d70f5fb164cee60f1af97bdb6e1d72059d7028a13ec83f5 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -37107,6 +37271,7 @@ AdditionalInputA.14 = 81356bf7d3122bd65b5d96d2ca68875e1d77b36edb8e92b3 + AdditionalInputB.14 = 1f185d4aeca1d95ba4c8e7867df64296525e00db7da61e88 + Output.14 = 8032e92efc35ace508d8a10f36a6e7110cd0b087cf853409e83dbc554633380e9793b7657a23a931e34347fe0ba34c2abdef6a8505e44da62fee97a9543b9e6dd6538726ec2cc6f6d19382562a4a438a2b0756fa66b48628af292e2f53e49edfae3ccc48a95f24c940a90d1abfdd6d0b + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -37157,6 +37322,7 @@ Entropy.14 = 3879ca720aaebb2a29c99c0aa21d63308b44677f2bbe6056 + Nonce.14 = 2642dd7030605b3608f4513e + Output.14 = b7ddc2d0295a550e44103ffe7e6e1771cd488fa2ea32b091076085284edb870220e02ba6facdf27d8b34209048d0aa4cce4556c074fc7ec2c3691b95aac3f47c3b42bee3c2e35da17b040188d47b7effef8ac471a669f29e6c4b97ff6836cb9fd8954f57309a97e9a697e061010525a1 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -37237,6 
+37403,7 @@ AdditionalInputA.14 = 13998df6bfa51c2708775384f01cfe8f4755b6fe4b3c2fd8 + AdditionalInputB.14 = 8d25383b6d04285fb699c644bfc9b7fc72de41c733f35b27 + Output.14 = 3f408ca372917703ecb3449ea55de7a969a5ba184eee8f30fb19b99ae827c66b13f29d4d3a0236aefdaca63c28bb71595d3dc1fc20f1e7ba1b1c9bdb7c2122bd8e443b00b5339508c315ebbfc9bc3c7bebaaf83312325bae696a576b3c92931eef6b4eab6bd90c140295f47994ec6e34 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -37302,6 +37469,7 @@ Nonce.14 = ddb5c0cd2b4b640898c2fd1a + PersonalisationString.14 = a096d62f947314691cfb647cc2f331af834cbcdd5918f099 + Output.14 = dc9175fb05854708739c3da005592ada29d408ed6162dd278ee457bd3304e4f7011355da2302df1d0d190ef846cadaccfa5325d3f71c407ab2434d65d815dafa6ca15f7e701a104225a839f2fa9874ad49bbdbee576b1bc71ace28c825095510890861c851bb79e2e2e922c3ac22fcde + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -37397,6 +37565,7 @@ AdditionalInputA.14 = 2bc060710fe3d92760adc274b878de0df82804e840cd098d + AdditionalInputB.14 = de879de9c03efe5a68a12da7a06003ffbbea0a9c53f5e0bb + Output.14 = 4968c67d2f830b591531d620b6c40de4e9a15dc97c70b8b059023033bea376953cc5fb415d823d55d5b02b17c2ac60a1c8ee7473d25e94888fae15c6a7770b75565fe505a117c734d0c7d0386cff907a893da3a83d45f51bec9d95670374524b4f59e45a04c88d1756ed854fa9f65693 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -37447,6 +37616,7 @@ Entropy.14 = 7ce7dd98c93953a8b60d395a68f03b8919931031e8f68bb9 + Nonce.14 = 1c217188f9c7980b8b03b41b + Output.14 = 58884a4316fe8104459bb339a4bac08d95461ad8e58f333eae5ceeecbf2d375e8fbb82eb1d29890ee0c56037bbbac8cd8e202d7ef05ed7126a15064699b9dfd4523782aabc6eaf21f1727d02c1311f5812c4b4294827a75f1cd6e6dcc73ba45ea8fc5f2647dff725f5fd9bc64d7b21ec + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -37527,6 +37697,7 @@ AdditionalInputA.14 = 
e73890b772747a356ee1527501410eb5cddef015a8d6fbd7 + AdditionalInputB.14 = 9145caf79d0b85bb7874c2dc82d52bcca68225a18de258cb + Output.14 = 4ce4c45336ed4bdf4004f326a049c195c26ff11aadde90d7d035ce277a5b158577a7e9971063ee9c0b5063ab1f20c90f619137c2f4713831d18f2237e1a3d522af9a585e5f43f07d911b8b977f6c644784c9c02238b9fcd0f663c8bc1913f783c200b388b4ecf30246c7120adf3db79b + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -37592,6 +37763,7 @@ Nonce.14 = 2b884a75ff571f92ba1eb965 + PersonalisationString.14 = 273f3885354c0a8296b0862e19157fbad69578ec121cecbb + Output.14 = b60362ddfbb4fc41f4f5ef353fc0fd8f31e139876a3af0e69f9049aca46a5989ee3a1ebb6cf14f525c3d8a944f4e88e030e020ef6551289c93f5c6ca2f6bc495cdf49ac91bb86e4766ccbace5f7aba008390d2b6dfd416d63ebfe07f5d583b8f9916ebb54620953d0b73c136de06f520 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -37687,6 +37859,7 @@ AdditionalInputA.14 = 69720682d68b7043c331b889ce6d3d83aa3d33846e9ddc86 + AdditionalInputB.14 = 350c63e7b01ecff4aa171f157c71f89a55637c2cac0253e8 + Output.14 = 63fc9293971bc8dc151bcc2df20e4b5c7604138e4df49fed323c9f1cdeade3d5d1c8bc89e507e5da1f38c1f76d968ee45ba53a3da35e693e00afd683817ee7da5cd2b0a657ac6cf95913c859c6b4a15449fe9045a3af03cc198cf10b2deb67c5c3e9cf9a40b8251de19c6cf3114bfe22 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -37737,6 +37910,7 @@ Entropy.14 = e03af342db03da30e2b0e5b8ed76c2562194417fbf6be645 + Nonce.14 = 6a9a5188dabd510894073f76 + Output.14 = 7963276f1054db251369a0b91d854fabaa3dd5b2343ef4306cf897bf964fc8b885908c4ada163b929a19c948ac89c8480170eb59b9a8d7d2d30ddfd1248e2c1795c69da81fe72d6361d34754f88eeffca2c31859bc8940d6662abe2622fdfcc28a1764355aaf46a2e00e50606af2b6be + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -37817,6 +37991,7 @@ AdditionalInputA.14 = 9b6c491387a2394b94bfa8b077cd43bac49117e94afb9616 + 
AdditionalInputB.14 = 7c04bea824d8aa7b19facfeb3a676eb51c31d7b92f0ca1ac + Output.14 = 332b884c8edcb260c535a218001d421e190d8b9c6b856fbc5a4ab45f92149487f8563138312a42487969370440675f5bc9b21a75d2a8386867fdf861c8650e26af47c5efd81d9fc39cbcd44ab0f4cb10325fed6f5b7ce5d8111ff71e5d78c7d1f53410e5ba492b9f68ca55325ea8b318 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -37882,6 +38057,7 @@ Nonce.14 = 9dcc6c4317ff492d0d7dec5b + PersonalisationString.14 = 7d30c5a4aa169c6dce156a8eaf000f9be0f8681e3282dbae + Output.14 = 550a9ad9e45ba359d463c1e084777bfb2ee25ff791070a87f01adc04cd1a7e9e6ef334e477fb5cadd82381e0add8a39ffc222150f17b8bb0d3b1cd80948c0a5ee09a84ccfff6c9ac33e6831d1a84182edac6bcc25fe357a708f78db9a88daf553914cdf0bc7a9b0527597f73707fec8e + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -37977,6 +38153,7 @@ AdditionalInputA.14 = 1b8725447ec539ea4a13c47b323f1d6f435ba7e624dcf5af + AdditionalInputB.14 = 86d30af40a7a395764b8b69f2656954c7c3f1c30b2b703b0 + Output.14 = 2fb2f24b2c38f217232dc22ecc7380b8240b05d2c7bc0e3dfdad268c8c10912a92595d70dd98e7ecdbdc6d7bce6c72cdebd7e121d75de8b6795b660be9096a1f24a97e9c5344c35f04451dbd8d9808c7a84c6fbafab6d060026490d492060f052fbf21a3bfa2a8e4a40db58672ca52ce + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -38027,6 +38204,7 @@ Entropy.14 = 9021c403eada5eac222dc48e1437b6de48ca31b9e7e76fc5f60653a3d901308a + Nonce.14 = 503b4bbc0ca538983285857a573f6166 + Output.14 = bca7456257568a178877bca602d331161828a4ed0758d1ec3febcc21717cc4142e5481dc9756c56099cb043130345689156cb96e1664ad007c461ef8b5b0fa7d18508541f528a43fe8c719f3a269ff2821ca655980579dfc2c794da673b8c9234d561b833855efc91b4747ea5135a1a05017543f5780f2cde8b472787173ec50 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -38107,6 +38285,7 @@ AdditionalInputA.14 = 
439ba9ee252edb11b09fd765266b220077ab641cd7ed42b7cedc96b399 + AdditionalInputB.14 = 18e1dab1f2af82b8912be6791b003d7b0d66ce76a78cc17b753055b7b48cd2e9 + Output.14 = 5af9e042af202c9584bb69cb54738c0352ef2c9b9483d6fc8efd525ca38e62f535f2ed5658770e8cc5d53d9f1964b8a55d871c78250851491441c924701a52175410f52b162ebfe3991a72472d8842248402a666d726ea71437fc4a521543a323d501a6942ec4b7fb77ce462face53a2ab9b1b9fcccfe2346adf36027c48293e + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -38172,6 +38351,7 @@ Nonce.14 = ef68efad369ca5fe791ad438cf9dbbd2 + PersonalisationString.14 = 012ff5b08fe14fad65ebad5f15d74fd72d8577115e5e91262043e85a13a3043b + Output.14 = 1779c05411254dc5ff714eb56332cdf9a378a160bf0a20ca2da9e4c3b4e3c425d2f08dc969bd4924560c8caf9686b27720307af8246e6cef20fcbc00cb1f137b6efe9902f9944c1384bf917675a52b7b816795327afc4896182a78d4664b98196f89c466d5fe1e2a54122035863c8bd61461b2ef9e7b469492ff63364b013dfb + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -38267,6 +38447,7 @@ AdditionalInputA.14 = 77d998ddfd7ab7577ca9f51d6cfbec955aaf9f88cbb3ae32db7f7c4609 + AdditionalInputB.14 = 9ebaa09e7057ad7cfbf02e8f3143ef7b7c1dd6158f641815ecdf8e4a65c17f19 + Output.14 = 161efdc30cdd124d4d6b3d43798dd79bac70f494c3ebaca111cfa3d9343bdb73ac0def00776486584f932cab74ee12a391cbf4890b10044f7de6c73f973e43837a43b7c47a1a9a36d7e62f9b7ce40064994a610b92d68c6d37aa5d9d92c3d858770ffb8fbd87324b49101bade3f2014bcae7deffc1e4f6a1a91ddfe7e6aa33cd + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -38317,6 +38498,7 @@ Entropy.14 = 0653c409e957302f6eb62bbc4f42b30942ff7860e7c38dfb2fd26b164e83a713 + Nonce.14 = 273f7eab3dc9bf11216d5216bd12478d + Output.14 = 
51dfe9851da8d7d5add3dae413d8bab8bc7d1fcecea00795ffadce047d5243ae36f29f3611fb8cb66e98717a98735384aa6a310696356cb48f4672b2ddccf86eb44777c1616338792629b6cc6ec2b66dbacc1a6b66bd9364914f1f43277f6f43e13145fcdb73a4aca6b784f9084d22c967033651da610e9a85b1eb7513683dc9 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -38397,6 +38579,7 @@ AdditionalInputA.14 = ca73cf447f2fc3984a9de0290fd9a984a8460ac715cddd9e8ed99aafd6 + AdditionalInputB.14 = 21dd9cb8e146954a9745fabe039f6f52ba8200f575e9bbe19c703b8864f34e93 + Output.14 = f1b153ae274a380c28668f1ee2c8c3a91f5380d41bd611d974e4e419a37debe664d0b706722184fd3e805f2ff05554bde7219023d1f62a52970aedf4d77e7b4604cac2a804e7b9353c087752f7f185991b10910724d0fd06dc6526d6102c8d0ee8c32f6692c2786d3b715bf3860539689e3f415855ddc37bbb6750972f3a45ca + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -38462,6 +38645,7 @@ Nonce.14 = 10818cc50b58ccb660d65ff705041a37 + PersonalisationString.14 = 2756a89e79266d6d86bbd865708321f529b023d0cb5ee5d9888c37db33dd5164 + Output.14 = 7b3d778ee1623b08875305d5761ce2cf44ef1bab87c7d0f29c862c40d3da31240e7450d827909b6b131a9b0e9ad68d5c02caebf4f3b0b7d7ac1cc58e353ba68e7ac9eefc3de1310cf9bf5f4b854ef3fc36e940d4fc50072845a83c38a7d4372c191b900d11d11a907a50607c348951ccfeba4efc30377e4a965056e4e84eeb02 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -38557,6 +38741,7 @@ AdditionalInputA.14 = 764b81871036cf65802c4e9659e25b8039be84bad1b121b536d2ffc269 + AdditionalInputB.14 = 28d46df3c254e5cc199e14b45bb1e2f85a5da03f49dd76b5a16b76723d5b9855 + Output.14 = 94e1fa76f879eb9840cd50853565f43cd7b0545705bd9a35494668bef7d7e7085b48a455b38fcf10f145f28a599c58e2f88c2855f2437a17d7333d243a1c25b76bebc6a94f7abc3fabe4c78041d9b3eaf675c11970b14cfc6ff20c8b23852b2733ef8d8416a920617a9b271beeabdb0462e5d23fd68b56f58e3554e81493c5a5 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/256 + PredictionResistance 
= 0 +@@ -38607,6 +38792,7 @@ Entropy.14 = 3bb1f6cabc56a02643eb767cc6e5bb3a5bd765555e4e27159ec905012f58de22 + Nonce.14 = cc37cc9b20a2e4de0bdf8ccc3261eb90 + Output.14 = 28f20b9a94340aaa6ca98174b5929ce3329d81bebd67faf5e30d12f775748c34c848bcda26cac8b4a9b34c7c92c9984a6f5a85269583358e985c2b372a887f9e3f0f3920dd512def27d818522ed1a49e96d00a5aeb41bafd152144a8b6f93426e73d6e8ef7a8a5381bc464b24061080af02aac51fdc52f404e1349b7d04daef8 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -38687,6 +38873,7 @@ AdditionalInputA.14 = 2be009fb81ff22c5c2e15c988cdac8f21a6f17a4277fb1df773bbbcc39 + AdditionalInputB.14 = 0c869f061049dbaea48af93272c5b321977659a79f8bf0a5c6d68b982ef44b88 + Output.14 = cd9e8213591ed7e30743ba0dbae5f08a4021845d961040c5188093d518c3135048ea8ff052fd66fa83bf98c06d39c6cb522dbc938b6824f51488197159666369e7a9444e04b7ce5832bd6db1b3cebf8c0f7bf865bfc3cf60d2a2c0ef06abf7737590fba097c29fed234369cf9f064b142ca30e3941093904945021372c20d90e + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -38752,6 +38939,7 @@ Nonce.14 = 704e8e29c7aac1d8cbe97bd7305f8cb3 + PersonalisationString.14 = 631c5d0240b8d9800211ee6c97a5ae77405a354ac25705f22d405e17a52109cb + Output.14 = 9ee855e661d4293fdd7353492c711b39625ead90849ae5808b1f67c55cabe17ae13f0f18c0954341d6a2d24b899785642c0b29bb1b81fe098a17f8701e8820cacf6c00a8dab2e96e7f8593e188aae48385ede7bb5ed5ffa3f19053663383d666d38eea377d121e0b55ee58ee8fbf1e49c42a4d3d48fb0c9247c6b94c6539f4cf + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -38847,6 +39035,7 @@ AdditionalInputA.14 = cf6884bb4cf7c08ea954cc2d2389eaaaaaa3bf9ab1dd74372c20bb3e12 + AdditionalInputB.14 = 2b30cc597b280e704632ed1cd2bbbbba7a9953deaa809848eb937b6b1a44b91f + Output.14 = 
4de8e3c529bda0753a9ba237633be4c844308c233d6e58995c339cc006c7d4789b5f1a6314637b9749621fae3982c5a748d58c080e12118d4442bb55732da53daeca71d3d033b10a2a807848babb822a346524b4a41e9d85941730b21c0e80a9871c9d9aab0e6d0269258b57fcbf7d703794bd2e5f3d7b3da9d3cf2dc2073653 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -38897,6 +39086,7 @@ Entropy.14 = 043872fa9f0c4d97e2c6824b778a4fb0debae214d3358a5aa01c0092c9dab6a1 + Nonce.14 = 0fc8d529a37083c2efe84aba8c8abbc0 + Output.14 = 22e8eb6b4d11657a66cba93f89b519bcce87a9bfa5ee22cd3cfef6180cb8ca842e8d408257b8140fabbf1dd65085ae62fb8b1d2a679dc0bb0a82ecd3b8bbc05782a20a6345554a1f5467e9811e0fce41a786c805ce2882f8b4d972b9a37eedbf828a381d34bab95efc47233846f8b5c701563033253323eda41effad5fe37d3a + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -38977,6 +39167,7 @@ AdditionalInputA.14 = 585a4b6736338ba663522b438ab9255782c39b36e6b253186e821ae969 + AdditionalInputB.14 = 2581ca0314c9a224b09c0c2e677e1df1c215cae0760d3ba03d1053156e9c3155 + Output.14 = e244109b937e9a71caa70d627ec8280210c86676b4ea842c6a4569e5da0b25c1ab3794ade3344e2185641c77df4d3011962e8312aa7c2013e4373204d861e27e88ede82873d5d45ae5700ddf0ae7d523e96df236a249ffc6e009e231b77d64f07f395e57b19a4d2961a6046c910d0b8ac3d882129ec3e337be4cf2d9ef041a8f + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -39042,6 +39233,7 @@ Nonce.14 = b2328815495d926dc8ff075d5834bc20 + PersonalisationString.14 = 4c539b94823c6c7883b071ac395203bfb5117b6f9d5db7cf4063132e6a2a3cb8 + Output.14 = 4f6035946d4305290485c7aea10bbceb99b841770dbf5529e31ad51b0ce138344ac0b193a5074234adab8887a51d9448a2cc637a543372ed93885975b8de342c6a12a1ca8f3d053ced1dd2c7d6a3fabf6ea7860071c035f0fd54ee5775ae3a5d457d4af9e034ed337d79e9fd52c2ad051388dda50aa78d37403f33d52d30f6be + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -40299,6 +40491,7 @@ 
AdditionalInputA.14 = c9a1481cd25c537ba57750d594afd25f + AdditionalInputB.14 = 51e29804f9d079f3074ec398320b2a70 + Output.14 = cb3cd4510de88f8081d8989c2679f76387b7d2cda286b75d659a3ab7c3b2ac77ea00366e7531c1c9f4f8e60c845c5d2a5e05fc999621d011deac3f28cb447a37c2ee815f7f5be3a571d153475d6497a3 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -40349,6 +40542,7 @@ Entropy.14 = 71acb71235e88e3aa6d8bbf27ccef8ef28043ebe8663f7bc + Nonce.14 = f49cb642b3d915cf03b90e65 + Output.14 = 144aeb56a11cb648b5ec7d40c2816e368426690db55b559f5633f856b79efe5f784944144756825b8fd7bf98beb758efe2ac1f650d54fc436a4bcd7dfaf3a66c192a7629eea8a357eef24b117a6e7d578797980eaefcf9a961452c4c1315119ca960ad08764fe76e2462ae1a191baeca + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -40429,6 +40623,7 @@ AdditionalInputA.14 = 03015311cddd0961ec7a74cb84d835c058a69b964f18a1c1 + AdditionalInputB.14 = 5e0d99e0e7c57769a43ea771c467fb5e2df6d06dae035fd6 + Output.14 = 72e8ca7666e440ac6a84ab6f7be7e00a536d77315b119b49e5544bf3ead564bd06740f09f6e20564542e0d597ac15a43b5fb5a0239a3362bc3a9efe1ce358ddd9d4f30b72e12ed9d78340c66b194beb4b12e973213931b9cfd0ccbdf540d2c36ce074e2beac7a4ddac59e06e4c7178d3 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -40494,6 +40689,7 @@ Nonce.14 = e8c5220ae48b0ca1412e9c74 + PersonalisationString.14 = a0a1d6d3887f7ff9f13c85d6ae5af2c840fd85989b7e50b3 + Output.14 = 14f629aee43f71b61d467ccc37de8eb6110ccdc65fff57ddd2e66707bb768e5de5df5467ccd55002815d306adc7b7d6b5d87c20d2922bf5fd3790282608457b69720be7d7affcdfecd173a741c7fc99f5f30f981b1bc102977a61f1515b923ba53cd87a37faaac12e0af613ba0972a0c + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -40589,6 +40785,7 @@ AdditionalInputA.14 = 875e5bc9548917a82b6dc95200d92bf4218dba7ab316a5fe + AdditionalInputB.14 = 4d3f5678b00d47bb9d0936486de60407eaf1282fda99f595 + Output.14 = 
90969961ef9283b9e600aead7985455e692db817165189665f498f219b1e5f277e586b237851305d5205548b565faeb02bb7b5f477c80ba94b0563e24d9309d2957a675848140f5601f698459db5899b20dda68f000ccb18dcd39dfae49955b8478fd50bb59d772045beb338622efa5a + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -40639,6 +40836,7 @@ Entropy.14 = 30efbec33ef98a928e9441af3caabb34cdad892669e88130 + Nonce.14 = f77b7e0fcca6f8733e0bb0cc + Output.14 = 85f5368cb9f44474af6c4a159477c5cdd05eb0c0a37847bbb07e9a9c8f633ef2c3727d017f1bbfa89dba056062202f5824b3a493ab53a2a5fcf796d944577f1393d35f2a284453b2cbd8eaf35b9bae7b87c156cdf9cd0a2fc94ddb0d4842e3ab4b6c97089cac0e32bdeb32dd8233fd6e + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -40719,6 +40917,7 @@ AdditionalInputA.14 = 5c15fa9dc77d6fec5f7a4a3e4a315c05de2b5e46efe54934 + AdditionalInputB.14 = fb65ede490ee01a1c100ad5e23a20f91b45adf1ddc15c590 + Output.14 = 98cb3191831dc79334e8e37d5246600f822aaa40964b91f345b9df90929db1b7bdea96dae9aeb88d05fade5ae6c29aa8eeec7fdc96e654c5ea41ea01e3104ca4d287bb03005feab0bd1f85e556bb6bc46a2227b14fd94f9e6cfd0341cfce951851feb967968d6cc818f364345b715bbf + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -40784,6 +40983,7 @@ Nonce.14 = 46f8ee037b927ec766de0aba + PersonalisationString.14 = e6299e0eb5826e498d873ac02892f01e02f6632101fcc090 + Output.14 = d86bfd8f9d80eda3bd43850ea6edab2ba4f69ac8eea623fd6bbd5c0c920620f8cc136b0170f0310a156271981a9cf7629e1b8f0759de1e99e20a0930ce3bb7dd2d88bc9172a56108cdd736dc529a6b99862bed7d543bdceeebf450020762652d520105f5c5cc3c9a6ebb64af2a7e82b0 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -40879,6 +41079,7 @@ AdditionalInputA.14 = 82f895626afb606f335f5f050f0fdf3b45275e0b451774f2 + AdditionalInputB.14 = d423d43240cb6461402a7755f247573f24fab496e00b2e5d + Output.14 = 
b32c753900d4a0a0650d35d0fc918b3aa5f253d4381598ed475147f32c8b002bc08678e45bed1b9b519cb9729972886f85e581c75d3c2c9fd6ced929be29aa3befcd1d3fabefec590ca55612c1a0409446a01398d0e4775a548d118a32f29b0dc29530329d2a7656e5d3ef66db2b9726 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -40929,6 +41130,7 @@ Entropy.14 = c617061099a17392c3092d27728b35e59eb45814e9df9fa5 + Nonce.14 = e1634c0d96cf91c53b063450 + Output.14 = f08234ed8621f1f551cf49ea60140313a71341f6886c484a06e74e64aba6f8ffc2cf1edd34cd93e836ab033fb0893e52e01da9b3104fe49584a45447c136222b1c1f1d3cf406a80ed9d782d2ae277790eefc5c06f954e654f7f283ddea79d2160cca1f63d0ad00eae9e882de34ba4083 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -41009,6 +41211,7 @@ AdditionalInputA.14 = 857ce19dd6e8a45be185875f1a98911062045553e8d28ac2 + AdditionalInputB.14 = b5f1998f0fa38145edb86ae4d569ef4dc2e0aac0a815d3b1 + Output.14 = 8f0d978b24bae2a0665beaddfa61e8896ed7976432bc4f7c444699e30b8da1ecbab8990bab9d0d72ef6f6b0b27ede12dc171a43a14092d57e3999cee71b1356da5f29b17fec227ca2a4887bd990fa33e1e01c8a9f900ffbeb300cc5ce9d7d2e25a44fafc07e34acd61d425e0d36fb0f4 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -41074,6 +41277,7 @@ Nonce.14 = fc382061e29c4047c6f05dde + PersonalisationString.14 = 9b2eaa4c2a229cd2bc5de218aff95f6e5fbc7ef150bdb50a + Output.14 = ad49119d6b4f25ba34050920fc503d3d0d331ac2535d916a58d781317fcc2b1117618e9105ce192651ea9e19fa6756975d207c662f2b464416d849cb67b9af52abeb84f80863943af99c7916e78317a091ba90714ec8620f661b41d648c15c06e822329cd7f145446c5c3630a4243281 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -41169,6 +41373,7 @@ AdditionalInputA.14 = c9aac7bd9f15385facc344dedcfa754bc9f4f30277a3555a + AdditionalInputB.14 = 42de701acf5622b30e7672bf7115043a9912c1758c1b316f + Output.14 = 
972ccd5aa60966bac39aa9c891c7c513244efbfe3446fde6806cee991851f1e4b3d4a4a0c04b57242deb4f53d27040879562fc5b32621b46a642f3c84063c5195faf9b78ed92145821ae554d58325b03d60e11461adaa8ac87876559e1cbe47f7b5c33a8311294b0e54a44c97d4d2c9d + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -41219,6 +41424,7 @@ Entropy.14 = 47f141d1d0142d53c10628d2d1dd77aafc11ffe45f29b126 + Nonce.14 = a1e958e036afd40059ce9639 + Output.14 = 2096935329ffd975154c38a2c22e30ef12b7acbacd39868032d6eb31a596e617fc7e05026b3dae231f256ea94dd4ea4f05734eaa7916be6f846b0304ff0de389f3390e51641103e7dedee99e56d9455c80a7e10edfd2147a50b3864b05443a1646fccde2197af1d1d72ae3c2d4594218 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -41299,6 +41505,7 @@ AdditionalInputA.14 = 49a758a4e0a8ce69aa2e5f9b7940c6fbcbfc4fdc91165e4d + AdditionalInputB.14 = 9c8ebc02c3d92d33112a15747b6367b8d6db3447cb9be2af + Output.14 = 70cf10825dab6c1abcc1532a1b2bccd96f0638d02eedb40a7ebf97093f5d0295b6bc74d9e48290ab39260d684effcb401427a4ca62b971e5a31f06c14a9f8e3851c3e79dfe129ecf8a8e185ee58667e2b692474a0d5f0a39f9d794adf1cd71c1266563dde24dc944661acbf849fe69fa + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -41364,6 +41571,7 @@ Nonce.14 = 82dfae196513724ae269204e + PersonalisationString.14 = 6e01d897ae919812b8408f82edffcfed8db6df2e2cbebd95 + Output.14 = 6e9bebf2e54d8da4e8ede97ce463239245ff1b021acf4441312ddba96d1f3d750bf2b9583a8aee76e2ee36a56d8e2fd4e11377d15ba3ad0876fd467c375a744240de0a7b38974e0e7b27c3917ce4e22f2bc78861f6f8b1fb42edbb1b0cb869fe5169527064cf2f38c0154082af5457bd + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-224 + PredictionResistance = 0 +@@ -42619,6 +42827,7 @@ AdditionalInputA.14 = 9ba9285889d50c27bdeb4a830a5b3120931a53980b30643557444718cb + AdditionalInputB.14 = 0f8716df331067b8ccf0e5b90ff79dd0f962acc69fc5f89c593bbb84e3501ae2 + Output.14 = 
9d2c0053a0fd3f9be1fe33db214f6f2d54aca573e0642bd269f1b1ca23c42a1e85c73449830673cca14feab4d2686814edbd90c325e0fbcd5a2d7ca75334dbb113a13a0bb4e838f6724c74dddfca8c2bfb903c362d3ea82acd60d01749f6dc01fcd6708009a58ee9cc57a0d089095efae66aaea68ac247cf6aa8808d1038a109 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -42669,6 +42878,7 @@ Entropy.14 = fd54cf77ed35022a3fd0dec88e58a207c8c069250066481388f12841d38ad985 + Nonce.14 = 91f9c02a1d205cdbcdf4d93054fde5f5 + Output.14 = f6d5bf594f44a1c7c9954ae498fe993f67f4e67ef4e349509719b7fd597311f2c123889203d90f147a242cfa863c691dc74cfe7027de25860c67d8ecd06bcd22dfec34f6b6c838e5aab34d89624378fb5598b9f30add2e10bdc439dcb1535878cec90a7cf7251675ccfb9ee37932b1a07cd9b523c07eff45a5e14d888be830c5ab06dcd5032278bf9627ff20dbec322e84038bac3b46229425e954283c4e061383ffe9b0558c59b1ece2a167a4ee27dd59afeeb16b38fbdb3c415f34b1c83a75 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -42749,6 +42959,7 @@ AdditionalInputA.14 = 809639f48ebf6756a530e1b6aad2036082b07b13ed3c13e80dc2b6ea56 + AdditionalInputB.14 = 3395902e0004e584123bb6926f89954a5d03cc13c3c3e3b70fd0cbe975c339a7 + Output.14 = 4a5a29bf725c8240ae6558641a6b8f2e584db031ef158124c4d1041fe56988fdaee91ca13925fee6d5e5748b26cc0275d45ef35abb56ad12e65aa6fe1d28a198f5aa7938fca4794c1a35f9a60a37c7360baf860efd20398c72a36b3c4805c67a185e2f099f034b80d04008c54d6a6e7ec727b1cace12e0119c171a02515ab18ea3d0a3463622dd88027b40567be96e5c301469b47d83f5a2056d1dc9341e0de101d6d5f1b78c61cc4a6bfd6f9184ebde7a97ccf53d393f26fd2afcae5ebedb7e + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -42814,6 +43025,7 @@ Nonce.14 = afafaf2ad7e6449308e176be01edbc59 + PersonalisationString.14 = ddb4ced192f52bdfa17aa82391f57142ac50e77f428fa191e298c23899611aad + Output.14 = 
b978826b890ce8a264bf1ad1c486aaf5a80aa407428c0201dd047fa1b26e9ea9ff25a9149215b04c2f32b65e007e0059a8efe11481926925061c748678835c0066f596352123f0b883e0c6ab027da2486244da5e6033953af9e41eec02f15bebdb4e1215d964905e67c9e3945ec8177b8c4869efc70a165719b8e1f153c41744d44d3c56a15822d522e69bd277c0c0435fa93e5e1bc49bc9d02aee058a01a04580a6cad821e9f85cf764fc70dfae494cbfa924eab0eff7842e3541bc29156f6b + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -42909,6 +43121,7 @@ AdditionalInputA.14 = 9574ca51f21865c2fb0efc75cc9d90ec5e9c43104979cd64d00ea5544e + AdditionalInputB.14 = c0df840a18d7584b62c70b2f057bf824168edb673cb517cd9dac89a0fc80c9b4 + Output.14 = b31e50202f883a8563cf129a0d5f8a33abad79d8ec8a97167ed7fca778e5892480617cdf50b5e51547f7ec1bede35020a311572c61e33e9c82968e8f69586daea3dc19063bea56503f8ca482918d229949acd6f1c52cccdc5f7f4cd43602a72a5375f3aabfd2834ee0494823beada2daeccbed8d46984d1756fe2207ca92186b506115f6de7d840c0b3b658e4d422dbf07210f620c71545f74cdf39ff82de2b0b6b53fbfa0cf58014038184d34fc9617b71ccd22031b27a8fc5c7b338eeaf0fc + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -42959,6 +43172,7 @@ Entropy.14 = 5f28c73baaabbc09e8260df3b3577c21f2f02be057bf49d2e73098ed5ff67f89 + Nonce.14 = 8c2f85b546903d8d4c10fe4549c3f673 + Output.14 = 1563c678f1b072813888970996af33c2a6b70b8dfd2e146c46df0616509382062fc9c72d223ebd555f4d8892aafd7b3b61619559fe3d3e7b5e83c07f422eeac912ca7d8858a2d25b966a8b34348b8ebcf44a4651edb9cf5a886e383b01423322ab3002edc8c936aef869d7638f38ca6688c308d2a17fea0ded21901d8e9f1ff8508762cb1dc7e700970938a0ece74c1c2d1801230ea785165d62a7ab0d6d59caf36b30be8e2e1f691210373b7a2866e32ba4b49b6a2f9cc9b80aa1340ef5c76f + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -43039,6 +43253,7 @@ AdditionalInputA.14 = b5d9cb4b3709adf297462f1aa8875c9f84bc39e323b8fe1c0df269344e + AdditionalInputB.14 = 5e47728cc468e0d2c6b6a90a20f83a9f0565716af54844552988f1d8c3a83eb7 + 
Output.14 = 548c3496135ecfa1119098ea2d862d421af024a844c37a02142e2545e4ff1038f4b73c7f6b7d0fba8f92f292cf5ca8fd57dbe7ce129423e0ddeb1dffe89252dd6b50495c88f350bb77e08c8be409064f7e9cb751aeb779eae30b7c471dc41365f128d22474a7e90a9953e948642001f8e6ba8f91d250d8b4c6407892cd96b12e5d94e4d7608e6c11604357436c8d1cc07a21aeb58d396f413a31f72af1ac06864ba68c04e0c25971c1315f5a8c5c04fe252105fc822452d0cf66f86af13d613e + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -43104,6 +43319,7 @@ Nonce.14 = d28f752f6e466e3fd9595fd380fa14b6 + PersonalisationString.14 = 232727310fdaac541b182497e5240dc2623a36b4efa7a912ab3ffaf9939c2336 + Output.14 = 3bc26201261930bf3dc164d25287e41efb47c07c8c5c0adf3e86613435df202116331cfccd4e07c9ef008c62d4199d937221a17dc97be2043270ecc605d3d48c609cbce3aecba3557dddb304f440250b2c9fd78838483e2d5a2b22015b97869b891f9e42afe21df5fbb8dfc9061468c70c63a14b6dcad9ccdeced41d021dc0ff47821415e8793d34377258d9d6629b9e396b9d6b8bb7fc22e03ecfd4890d16912001cb7ed002e33a595052ddf7b991c5607ab93c220b2122783d51a8372a223d + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -43199,6 +43415,7 @@ AdditionalInputA.14 = 50ceb01860d60ed119f101d5c573b5db00402dbb03885a09e8d326156f + AdditionalInputB.14 = 01e09092bc892916c29f7b515823f244d147d4b16976cebd6a76a37ef6e62998 + Output.14 = 6f1379c44d8131924c9a78286e80ebb34604ad78b531e795cc30c4f0aee422e4052f201ba226bc0c2aa3ec341fcbb5a87e24b91c36be7dda62addba6960df1289372e9677ce030555a9bd1691f559b8ff787dafa35cff5dfd66a2abd83f81552a82ba6ca7d21c438483e60fd77f93bc109f5be802035412c2af2873f5cb186b77dc055c0e0b27b16b1ef37de0b81fe63c4074a7cc8c3d27f71a992b5468351ef8b84a7b3e8f12458ff670d1381d879feeb1cd3b93436580c86bc2c33f27448d4 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -43249,6 +43466,7 @@ Entropy.14 = 57050c5fe58b2a2a0eba0d3b9c08a9b285e1180d2a297e0a9ad20740c6fa9f00 + Nonce.14 = fc309209936c569a1367d45b212a9a50 + Output.14 = 
288668476b39814edbce5ed91951cec398ba2dc3bad76048df5fb1a2a680519c217ec4d57adc0251e1f8892a866b142e0953353bc2dd207aa2703f81814d26a60daedfe94d97de6043ed5f3bd957b7516681827f7a36d1b2a87b692c67aba050bc38b5e84f65f07d70cc34549f01aa390c5fc8dd01304fee7378e62549738e3f710ee6a4e32db3f472e1c2ef1e803e57a8ea992f389f0823c922bcea8b00ab844e071579170baae90839ffd5e00844ec343b02db090847cd323f8a68f0dce64e + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -43329,6 +43547,7 @@ AdditionalInputA.14 = a633f5f05ed8b09b70683a9f9a8e998ebf843b68a039dc3aa40cf30a5f + AdditionalInputB.14 = 9a57c6be8c1d992bcbd599952bd94a755d7ad686698991d189afd11cb88b9f53 + Output.14 = ae0fd8a1bf6f2f53f9e81ecf6f40ff6a36fef58a3f157b6a435403e48da4e88cab7871bfe2233b92afd228bfe3117d7cff0798225a901663d51f0491109b9c631dd6d32c5bec2da321b8e64ebaced87a27f17f67082df944fa94acc6c557fa6816001642e38b7d776c631212b782f71aed6db760f90e0de8e81baaf4d419170362932e6c319dab948749b331aae41b4cb3267da37c9233c36d65d5482c8940387498453b226af485a37ea16bd9e4f938618f70aec97e8c1430a8d8b6aae396e9 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -43394,6 +43613,7 @@ Nonce.14 = e1609138b91637917ec170fa3c3fb278 + PersonalisationString.14 = 230db2e57b87e910cbab26fbac7fa93a65c07c1ec004c74637e346c2db63288f + Output.14 = fa58f2e96776b4aa079dbfb49d81d8abfcc30d459caeb45dec4f1766fdc3b234d52cdc5337ea770e71a28cc42c82cbefce896d1fecea5a5290300208aa79b5ff97d2091498d749b66a9e5b2da7b774567ae9f83b87a8417b1bd089935e575b16618ffe8ec04b91fc9315968dc395fa2bb8776133d3ede95aa89ae675881b26ca831fa5fe6cba800d2fed1d509353e8cba6f007cf3c5e0b9424cc034e1c817d5f7326764f5ed1d17ddf8900977a0172dfab50bf4819a67e4c1af4704f59eda3bc + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -43489,6 +43709,7 @@ AdditionalInputA.14 = 32f618446311f03a0038dae07e85e19006a55b69501d764c241f683be5 + AdditionalInputB.14 = 
d64a97650e2f25362fd711c7abb5635672e16a02a1dd5ed8a181762e86f4f5be + Output.14 = 54ee53e6d18e974913ec235a37a706868f217af33b25e8e5369d90071be1d01035ca331b8514f3d6186a9ec62b1e7808b7fa22859eea21e4b8113ef770772561eff7f8b6ac22125d002f6ba9f53b235f7d85dd5b601787201ee1423de5d971b2e758b3955a048b50f118c01122a8e657f69a63843bea00a46c4fc2ebbae36adaebfe3e6c9b1c82e498d3fe48d332ac1bf31ab4c80830086c8ee4b1ea190f8e269f74cd760f5a29d244064d09c1bc30832482d5205e35604a388250a7a196ec74 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -43539,6 +43760,7 @@ Entropy.14 = 9168436a8600415b83062125de0ce6a998090216dea7374af08e6d3becba054b + Nonce.14 = 94206c91dcdf9c7c3f3571c703013419 + Output.14 = ef12bd2b6dea20cd197ea9eabd98eec1a2943619cd2a96dd16a6c5485435e00c59570ff14d7d9fc09c99ade0e5ec12a84c0a8ccd5677fa9b92295eb2a620e8a0400bc9ad8a1ac1aa4969d8d04b77ad59b81d95cad75358698107dc8a2ff42adbd679ab29cc29cd6ea756f4c4e60c271c3134c48b5d5aedecf011e73c2663ad1cafe57120cc70137370760c350f4e9c0b8e9b01c9acaaeb56094434f4f87c67a5b5f674783204ab0d0598c06f0802a05ec97073c005f3c9f772fe0bb449c1cad0 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -43619,6 +43841,7 @@ AdditionalInputA.14 = eb9e19bb6eb7b714dc4d56243897916364dae7bb3861a4697d7d3f2b14 + AdditionalInputB.14 = 156d12c7a1d0af2cb9f2d0610cedd9ed3b982e77bf4a9dc1ef0f71284b751ca4 + Output.14 = d3b0b0ac5150afdb3d9de12d2c8a7d45109436ed9c316aef1d1fc5bfba1cd37cd750841146dd08320539eb1678962e990f7b7662b44b918447e173672b873b8ab0348306cf6ae2bcc6756036870745436571763efde334dec5be7bb9920629a36cc5db66e8824695cabecb8bf092858e095a2a520eff140f483ec528131c850a8eaa48d8c997fbc810401ca378666d84020fd34af77fbe1152523e979560708fb15f3b7981e333ad4ee8c2fb6021a562f339616823cac5998cd919f82d43f41f + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -43684,6 +43907,7 @@ Nonce.14 = 733bf048e5b112426979a9879b6a0c10 + PersonalisationString.14 = 
58d91008875f51d541c6fbd626a49a798dc51d9cf2e8588808e74953392800e7 + Output.14 = 1794335e21606d706dc89ace28c60a15c0c9f108f5ac882b103eb62e225de749285e5fb0be98a5bdc26e3c998ae418306380941d78acb7c81b91ef41cecab328332ac7404ace0ea858e7835534f778cab3e3e4eff043742e4f7d4d5725bcdca0b6be7ddbf79e57fcd1d5a4279f074a599abac2cd281ec6784e29d9399f5ffa8def3252acacc59844c0c24c20d029a89b4407e0b5cbe9a8d51241dd36bb82c400ec4571dd1baf831d58fed3dde4ac7f961be6ebc18af6bfa922a32b81ea11334a + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-384 + PredictionResistance = 0 +@@ -44939,6 +45163,7 @@ AdditionalInputA.14 = 06df99a38f4222b9e7e1e3f4a6f488c1dfeafe847129d54c93bccb1649 + AdditionalInputB.14 = 3977a9671024bf0150752ba10c9f6432773bb71aaaa9d23d1ab72b90b7f0e088 + Output.14 = 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 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -44989,6 +45214,7 @@ Entropy.14 = 0cac1d970c06da6f224d49e5affec0fe338d0b375b66687b + Nonce.14 = 1fb1df257951ce8fc0cf12a5 + Output.14 = 7d6e2be5aa574b0edff39ea938e94143ed92b287262891dd2a6c9193b0237e8fbe10056e15785bd818e548452792a31c728acc14ce2bce9295d3776885018a57c8580a8e7df9a34ea960e0b39af4510711320528fa7a0badc6e25a0eead8cb091c404f626343c63d40044055ee9f9e35 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -45069,6 +45295,7 @@ AdditionalInputA.14 = 38ead8a466e462f5c0617822c23294cdba07a80fd51dc241 + AdditionalInputB.14 = cacc9efb209c71b123498182d25081aab8f0159bed1fc0c6 + Output.14 = c200766d5caf72e64a77a7fcae1ae3d14681e33767ba2ba7faca26209fdcb59c7202c381b18adba07ef0ceef443d9e1c5888366bfd953d614bb184370b45ea2b44a251e381fd2bdb80bf4bb8dfe011e1b143032bae9ce82c2869537e70d36622bf23476163a2dace9ba863a5f0e3d303 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -45134,6 +45361,7 @@ Nonce.14 = 7e2f3e4427d00de41ae92bf6 + PersonalisationString.14 = 
2e8bc8edcdb3dfdd451542fbc68481b30964fdf8a6ca77cb + Output.14 = df949beb9b33d2c1522cf6fdb3206cb10b58411ba9e28a4096cda7662b69d23e0da2be9557b9a3b5a8d67db4d616ae9fda3a7e0a8516196568f7a81474c0264993b141f14066fbfc29da724e447f6e503385944e902510f0b3971f7bffc6a6a202ff88d8113bb222b104055f427fe770 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -45229,6 +45457,7 @@ AdditionalInputA.14 = 23a781948449d82ee235d0495ca48d61aeb399d7e2ea68b8 + AdditionalInputB.14 = b52421e5b0e5281920da6975ee18d74ceebdd5d5de05c018 + Output.14 = c878a886e24e20a8b7e22e41ebb33a2b6e9a0168f4c72bebb78f0955c8449592e91c6a2f1ba5554c9459bf2702e67470c1df0b5125d651facc0a9339a2b7c921a51bc7203020f085c9231b3acd850ebfef0d0e13dc8bcfecf1f9853930ecd9b262cecaff0e2bed9e3b5b53343b733766 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -45279,6 +45508,7 @@ Entropy.14 = 04c61e5cbd79804118267ee1c76db36b71b042bf60a1c891 + Nonce.14 = b833be09092d4755ee6118f6 + Output.14 = 0c4663313750b12daaeee80cb28f097cbe6f50df2022f9ff02a51fb373da42411c5856a136e9645e99e69aee273726d146e3ef4e546273eeca52b43c068887148b7197143f5b9a4c55d4b0544907ee9ad2f181d1b37742d1479d39e78e47505603550d2b28bc1d151a50bbac140988ec + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -45359,6 +45589,7 @@ AdditionalInputA.14 = fa3bc697a6bd8ce341735365ad6e214d1e53e8d6d0a2c206 + AdditionalInputB.14 = bea0650424d1f26e75a49ae2dc529f1fdc552e3a0aa50948 + Output.14 = 4a718257296a3a99f199a5a24decf8f3e6209a4a7fb0b24913393c8309826ffcd6c47208ea6879921424ca55e63a7e5bc63a030cc48be7648da78fc9f314dacb2b8568635e5b14a94bb06a709a2f023a86a871dfd708204c911d94ef3690b3634e58de03fb20091d628bec834a760dd4 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -45424,6 +45655,7 @@ Nonce.14 = 4b729a67449bb5675a1f9d1f + PersonalisationString.14 = 9160b7c96fd367dd7d378e82be11ad1827c7661d76bc1fb4 + Output.14 
= 1d7ab4500d99a18b8be2ffb8177c869059e25f1ffbddb36694fa8561da1d71f86a38accb1926339f6dff71ea8ed104c3518e62b00e520c51a096c1c62469e56b139e6384e982588e748a8074dccc51d558d944868e2b8e1dbd68bd83c663447590430ebe15c64aba4669d1a4a784d8c5 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -45519,6 +45751,7 @@ AdditionalInputA.14 = c375af43c11115e995f47212f81cf3cdca5801d184d82235 + AdditionalInputB.14 = d2eea45f69c6d82dc3a7bb3be69d595c86c5ea5b4aee6001 + Output.14 = 907452bdf42eb168195313eefd090a2fe1be8b668b8ec7153a4ed4c07e6979244282e976decef02ffd4fd92b0d7b90bfc453cfd81a823dc162dde29dfa926f20e395d7432e0aea61c72e05c1673180bee3b47fa171cfba98864fc2bf83878e37c7dc019d465788aa1500ab3db8997d3c + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -45569,6 +45802,7 @@ Entropy.14 = b37ca70fd13538ef74c5a3c7ef00a78705919446954ec43f + Nonce.14 = 3ecbdff8cf33b50788dba82f + Output.14 = 1bcbccc535fbdc8617575d46ea5a9cef2622995dee19aa4b998325dd8d0935957170f6b18219354cd2759ba53c9c1f380586070db0c89979a581ce1e00ce38855e123dc3a2dc9ce74bc3b6e27c9603fb87c09a1d90bb540d267d456f5457daf0920a13119a2b805f9b97b154f80f4bbf + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -45649,6 +45883,7 @@ AdditionalInputA.14 = 9fcab4a8d0d1036a6210d56a894f861fbfacd4b20c081f38 + AdditionalInputB.14 = e279bf650f812b8931662e59a0da7ab799c193da1f6eef1d + Output.14 = b3ec81a3cc8dfa4e1ea17d33566a4444bae9969244e7a8970eab02afc8797b5fc85b6614ab009625b81fbe078bfa4db78ced2d8b3f1e3342b477a3fb42cec7d44546585621bb8310075808aaddef32ede3e668e626711fdfaf2569721bf645edeaf74a9826aadf0a9cea9893aab4fe3c + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -45714,6 +45949,7 @@ Nonce.14 = 98ec3ae036755323042c08da + PersonalisationString.14 = e6f24d96c8d11cc68e72f56ee7e345c5a0083509821fdf17 + Output.14 = 
f5a9d375a58d1b337d245d29b7a9e352cbb0fc950276e042d075a71f4bc43b65b063bff299c670adfc46db39c4303adbbfebcea1df964c27d33cbfe4d46567475abff4f357252ff7d05ed4ac34e6ed14c33c192909426654d604736f3bb0ba01aa5e0454d60dfe8aa5b2df3a52df22d4 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -45809,6 +46045,7 @@ AdditionalInputA.14 = ec35738bedab1835d07ec7a6d9a5e6e0bf8a3283541b3216 + AdditionalInputB.14 = 689957f9c2c58f1ff34899bd0c295bbfacdd149ab378428a + Output.14 = 6eebecbac4dd64b170cf6aa84788f643755ad5c6c731b63bbba3b2bdc2694f1fd42fb077b4309a0cb09b5ed1107fee2379272351ca9221069530762e4c8ac4c142c30167a32ac2b82b728d57bef95d620cd1b7a2ab5c1a6fac2cc90e0f6cd003ef526485c8bf0dbc9baa7c1f0d6f763c + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -45859,6 +46096,7 @@ Entropy.14 = 2fe6d7ec78f76820cd88c41a5a958c399c7ad1619406caca + Nonce.14 = 1ed975755cad5e4c475c5945 + Output.14 = e34b31db083e58516cd60ead2e5b0d39e4a2bb47c2436531c0e700e484c27d3d233d10d1ea6c58148149751f24155fcd258f384d61000da88106a0205d693e4ddfbb5c35f101ff15e531e9ac4a988c16302a962146a3aba9af5c505697cf9aeb7bdb8c49c281458acc33ad4010122aa5 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -45939,6 +46177,7 @@ AdditionalInputA.14 = 17c87a351e940e261e8806e2548da44a751c550ff5f0257a + AdditionalInputB.14 = 7e3bb28f266786ae38c24876087fe35c7e43222382270380 + Output.14 = c943c9ff0cde86a62756465e6bf4fc9dc25447157537831c975782dad82f3e33e6e7790b41c158713b8978a6967bfadda9e15ef43922b3f93c8ccd0cfa834fbc6776f3c1b6369b4f25b1cd1189f8b8efc31be2dc151d3608eb2189a4f39c0f0a3deba00ffc97299c11c46885b424a7b2 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -46004,6 +46243,7 @@ Nonce.14 = 4fb71fac56d2aa35d7fa44d1 + PersonalisationString.14 = ad66fd02b6f6e30ce521ae0d783236c75cd3699696475ac7 + Output.14 = 
4b2df98ad411407c1dff07b5c08e97ab501fc20ad191794dab73e9b4dce62470b3c70d75f07848f436f16a8c63ac31a75525bd928b5c76218099ec940e3ad193eecdbad834557e92602d7daa6e3eedcbccbc4d0829c8e1c7e59adb95ce928bb138870566eb27e4725191a9ebed50304c + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/224 + PredictionResistance = 0 +@@ -46099,6 +46339,7 @@ AdditionalInputA.14 = 30a66bba0f4d6c249e271de8927b6ba1e99fefbf3386934f + AdditionalInputB.14 = 1ebe06fd88f8f914ea8f590483994fbf227613e7f49ff18a + Output.14 = 38b4e2bf6aaf771df03b3bc37a959955dec83f07af4bcd995957a31991c5ee18b5bcb7754f3bf6293665dff2b4769d081d9be6393803e2c62a73ed8ce4adb17b36c1e0deb8ff6106308be9019cd179a92feeb184d93a9348d3b14a70bf13fd74d12cc427496803b7fc041f87c630756c + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -46149,6 +46390,7 @@ Entropy.14 = 7f422e735bdf349e4f51787571ffe061ec7e9181fa0b6a342e36611da25c1a15 + Nonce.14 = b09d8dc6997bcb567cfd788d0e06483c + Output.14 = b83bb6e99b0a5237242711e27779d05d2157402856f9653542f1ce52b1a7463e13d5c92309a06d8a78773ad70504b64ff070c2e6afa4ec3662f2729cb7552235b79c18e08354e334474f238ee74feb7e892d5701543f418cd7f2f5533437d9901dcc54687816f16eb7341b1707c6310a2085dbf387044a78fed850b42fe9d8b4 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -46229,6 +46471,7 @@ AdditionalInputA.14 = 5722b092a5a0195f14b5f236885538cc7a514e997876c06f634926c695 + AdditionalInputB.14 = 6e4f341a0524dd1085aad0b6c956057893f737704ca2fd8eaae6231e9691688f + Output.14 = a757af53227bd8555853ee2e643256074be9904d2fabb0ca86a645b0ed1905731cfbfdb7eefc83938fb576d7e5da8135300f8e934dca521637ed10e5e791e18e82c48085f511476452237ceb930e0307e228886d36aeb83d8e25ba23b38dce6dbc335de90b63db4021d6ebba5dfb6d8044a2bb7bb20aca679cde16406c8c4746 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -46294,6 +46537,7 @@ Nonce.14 = 06b7b75d18365f4957489a09204b2672 + PersonalisationString.14 = 
9e32f001033eba3bede220d4f351ce110e6ee2eb0b099ce54f9606a21d80b1ea + Output.14 = 508333114a0abd5fe10327daa0f1342c66569d912a64d8ae89227d0d8ed5b4052cf84f0c38927d88dc0d7c476e747965adc9579a4603a36566a1730f55ed7b100c1695f060674484781682ee629167f7adce89885ff04d722d960d0297d2abf79bd3338126c2d356a91bfa588f80db7ea365bf181fa5370c478a04d05a515b78 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -46389,6 +46633,7 @@ AdditionalInputA.14 = 5b2d2bf0653e3c075c469de5e2a093193e700abff9792a9f3bc0d143fb + AdditionalInputB.14 = 976c765df6b57f0eed8661587045826c329f4f1994020de30fdd835912f72fe0 + Output.14 = d8275a104f1dad7412637d12fabf9dd1b06592850cd48a3f38304789911efe8f08970b8f90fa021b04039cd3d1ca573c1586e7ef586f4c623dfc559efc0f2c89e4136b59f0f5706a74679d1c95886a5ad05b9a850043cdb19d806d617b2f640f715351cff6920c47f96a42b872a512a7b2e99e4d0c2230861b16f3b38deb9b58 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -46439,6 +46684,7 @@ Entropy.14 = df6edf960abe3aef5f50741907c0171906c0837ba3bfaa3a1044fcc4f19ed21f + Nonce.14 = ff2558bec3e5377c12697c908d629952 + Output.14 = 9d68c2674eac76f3ccabe1c6c0bad96d5fbdcb1629c939e397eefbcd2ec2f25803fbb9aa72db952f7fedcb290da99f34c0fdd637c37dde1446d475a61c38c3fc5c1ebf9541d136cb02a43b2646df7ee4bd0d9191157dac92a33f401f089ae15618624fc0baf707409aa2f80cd5d0676612c2667aa420acc6e016e6ba3f63c686 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -46519,6 +46765,7 @@ AdditionalInputA.14 = 4bf2c816e2c3e9721d192a670153d620aded035ffa214cb0d7638432c3 + AdditionalInputB.14 = 06f515395ad7c3d025af7df781b49b62f068ec9398f6dab31ead6f917c663de0 + Output.14 = 1e70791e6a8ce753f959ab75d1225b44452ce7aed0fb53b56208b3f26419f004983c452d724c483b4f9b70d2d84734ce8ec0258d8edfac639b355204e14b5b7bc1d3aee6ddd9f5da54c6cb086d16ce381c2d5cefbceae3afd56c13441d80c7e6081aa68ff57f21d460370de9ae713c17ab14a81f0895e9e492af7c437d7a5799 + ++Availablein = default 
+ RAND = HMAC-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -46584,6 +46831,7 @@ Nonce.14 = 2c4c4f3a953e551746f7e258821d24f6 + PersonalisationString.14 = 676a9304a3f744c62c7f5048f2137982c89860577cfcaf0d855514436ff8eff2 + Output.14 = 7bde8a5a34538655ab2ca26d0447eff3c6da298b3fa53ff0526eeeebaa4a876b60e47ca544ae30ccb00176ff84920bb4e4a4ebc3cf74b9cf8cd8ff9f7b11266a3c9bf918c458760bca6368ddfb3522edbc61ad14f2b638294e51d82e617d8c0c631aefbba50dbcd1a0a88963c3d63959909ce2cc669924d7163b01cac468c0d9 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -46679,6 +46927,7 @@ AdditionalInputA.14 = c168776136197bc3877c824461994a4cb020b61ad1630bd8f38d0db211 + AdditionalInputB.14 = 4f54082a1b9e6cdc8599e1639865c00fd758f403adba5cb74a37e2b20f29b654 + Output.14 = b48984588cb54f78610e05c8a7ce12c630934f5ed2e4cee21e523fc65a7b8412189ac51823ecdf493844a859aa87f3e84645f22f0914245043f7b86287a85db97697bcc84684b072162c2fa636569df83fe85f1ae25204786bfdcf5eb85006d09a4d97b162248daa8ccbff9eca28b7bce9fdbddcb8679ba50b6648cb3bfe9af1 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -46729,6 +46978,7 @@ Entropy.14 = abc502a99b7c3cf14262f6b036925a9904105b019592a2a6be26d71fc42c7444 + Nonce.14 = 40a212f9e1a5aa54f2c7ed4ccf631c9a + Output.14 = 0e747d83e2104367beca697db9b6bb994061d82aae7b1564f6a0911a1f599084a7ca7c94e232908d41df93a6b416e76146a53b490afb552124fc0c2087cc45de96390565b58f913b5dddbc55dcdd2617ea27858ae7c7748b31d832fec0fafe84594ad7b693cf972daa9521ad4134867339536ed5cdf02a758e40d5d96802f4fa + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -46809,6 +47059,7 @@ AdditionalInputA.14 = 2a8cf10885a141125dae18c40f7bcb7e09c1b2726e22a7f776e4735279 + AdditionalInputB.14 = 7c2db5278d2336764d274bf9624db7eecad2db11c6622831e47338ea3ef02ad7 + Output.14 = 
08ed2c3aa35812485ea8aa0b16149ee4f3207a0368be2035e202797939dd2a1c1db1ab244434edd783c7574bf48fc99f93827a1fee91cd1db1cad53512b6931d2d63018045b2a50a9b523a6ee212fbcb21ffa57ef998b4ce24e5f2f875a8ff3a45d8602cd56cfefd2f61f73d00dc33304a464f4fc1f7dd311b516a8da4e91151 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -46874,6 +47125,7 @@ Nonce.14 = d5aa1d24b7c7564f6836f626bcc6d32b + PersonalisationString.14 = 4ef1e00dcda9e893d066ce48cd291258a29e0a234796c30a6465079cbc3d3aa4 + Output.14 = 43da46cb7b737ff7617715e3a8aa4c42d8cf1b62f32ea97d035514a10798f5bcaab550eab684cfbd5c8d3e1ce6d9fb026812e647ae6a50d3d8da8e9e2f1d5f7fe550e7e0b88e146925f2aa64690e1a5a5de152f6421837c15337efa80fdedb0a4754268bb83fcf0281b05b3885dc64b87f1da61b1ab219779ef44a1399b992ac + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -46969,6 +47221,7 @@ AdditionalInputA.14 = f8dbd6a405435595b2520bec5026075514955a666e4ca34b7d0339b0a0 + AdditionalInputB.14 = d9536bdf1c3944d4d239b6dd13750c16a2780d943d4cb5fbbe418189a7d65432 + Output.14 = b5e12e5082c09fbdda81d1a2229ef9bd46db84e62ecbcd1a2c4e88557f8ed3b5af740fac2bddaaf441b66084ce2239adfc9d02f001cd23470535f13ee6ed73256adf902b359930093ffb293a7c007074582a356529ea3ed9a5ac0a1a3f62df5fe09d27f5a7ac6abdf1fbd5f5e5da70da5e3037fb062d0817b077b56457238108 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -47019,6 +47272,7 @@ Entropy.14 = d233eed6e4a43436e4418ac071bf9ec00d463d0568cfaf7b4174f96c1f6b8564 + Nonce.14 = ea8e646e88f7fd6c8e590155df15558d + Output.14 = 314dca793ee1eb0dbe48bedc324b557966ac7a17b900bc4167ab4b65fe6b34ae625c200c4e21428ed258fe28b99c31cc4e8f9eb93a793c3e33fb0b75a2595a3201d939dddfa27911ad6f731894e16692343f25de291da89570a257a95cccb42f7d9820afa9b35d16664f95a2099ac929683b7480a4d1e34291853047ced3302a + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -47099,6 +47353,7 @@ 
AdditionalInputA.14 = 46cc09705223bd3c01fa037d9a19dd2465bc612f519e51d33fbc845742 + AdditionalInputB.14 = a9f78f79d034d46086bbe5c8883dc2a34a1a17414aad2c767a3b3f23dfc9b637 + Output.14 = 2674afd329d03ad3b1bb8157c3100a312e29bd72b55139c408afe7f2c9e6d53df2cb8b829b7351a80cca8f0b59d60f6454ba60b154f654a09aa82a63fb28ceab9435cb6022934a0599a4c3a005bccdaa8bdaf8246ca654692a6c038cc82fea477fabdf3d6a0975e952ce3feb7fe8c4510b8c5347b21da5431cfee69e9dd2d8c4 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -47164,6 +47419,7 @@ Nonce.14 = 4788964160bb81d6f6c2675008b05410 + PersonalisationString.14 = c56e284ac65798010eb7bd39ffdf49bc25fc2e663e90ff93f73c97e65ea82935 + Output.14 = 683493fb3c6ba0ae0c42009beb39fc37a9d235fb3fa00648ce4d60b4d6bdecdbaa1e2ca0c0fc80c53f6f8ceab31c3c42764b8f23c4cda91743be33e0a77fe5a4297701bdec6b2a5712e76c64bb8b7e03a257c140cd8aafef046b049303679a7904f029444d92d673107bdbf769fc1130429ff64b527b0ce2420e2c70e8998ee8 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/256 + PredictionResistance = 0 +@@ -58071,6 +58327,7 @@ AdditionalInputB.14 = b07198a49bc854cfc9d6d7466fe24948 + EntropyPredictionResistanceB.14 = 7b558b48f3c891a77fed293881775118 + Output.14 = 878d26fb57589d42497b869564a1dac5adf1b83615f9ab9fc30b5140f79e3b7f525f1eff2e68002801939aa0728432efad829b5b12491404fb50f2584a3bdea8785e79390501978704a667ec5d04da56 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-224 + PredictionResistance = 1 +@@ -58151,6 +58408,7 @@ EntropyPredictionResistanceA.14 = e734a035d71399a60be221b8c383044fc83506429a7eaf + EntropyPredictionResistanceB.14 = 51325a5d10137cd3ef2c6cd2290593a73361b298b9fc0099 + Output.14 = 12b008fd1ebb36ee67678a8b90ebd4ae333451aac2961d2ecf0d3fe2321fa520543452505e1e6216921ac380ddd88c51fc8b6b873b77b73b38558163845e2bf67661c05896da0efbd6c0faf0e363103abce11ab27da19c21564d8ec067802a0000e61fc33f43c12b854b85d6166a3a3a + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-224 + PredictionResistance = 
1 +@@ -58261,6 +58519,7 @@ AdditionalInputB.14 = dc30a416e609cd52562109d22960e1295e3fc6eb66709704 + EntropyPredictionResistanceB.14 = 849864c63ae33d51a3b2e282325729df0d01b4b6efe4d2b0 + Output.14 = f2206a4e8008a5b32a3a3e271e9673031f536eda568fc2cf7013b4b342af76bf4ebdf867e7f2e2e89fbf2f63cb6e096671d360eb72223e96d9bacdc2195138770870557b88e770b7a439094e2eba6b529e54a25c75237c4b4fcbd06efa77f6174ba64071d2c3caf13fc1fad0c0cf005a + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-224 + PredictionResistance = 1 +@@ -58356,6 +58615,7 @@ EntropyPredictionResistanceA.14 = e0b1ad06619cc7e6b06fa369846d0718061e4ac707d1a7 + EntropyPredictionResistanceB.14 = 2941e7b99738be35a340fbf29bb443547f3128e5435ae876 + Output.14 = 07a627ee351cd794c19148459821ee504770bfdc07399fede63f1e22c3d76a57ae1da3c66403d789a8f2f4a0f071dec3fa102bcaf791222d2b0de7cc5b9d8f59b6b23d441b006eec851856c8abb152b84828a88f06e1f4cb257dbe00ce4d4868532782b06da28f923bf8e3f38d4ba50a + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-224 + PredictionResistance = 1 +@@ -58481,6 +58741,7 @@ AdditionalInputB.14 = ae204b086225c6659bd8c2487b1b91310c3d65c6a18a8081 + EntropyPredictionResistanceB.14 = f69f38c433c8f892d4aa3d1c7b97903711b6e0f5445ca61b + Output.14 = e4b3c801cee482f2d70a92fa7d4d2b9b19a1827287ea50698de61f82a095246dbc3abf102510c3fd413d6a8a9b9c88b186a177c14e013672fe3056722ee69fc3a49679f9d1cc0707ebb29297472343884dd6637bf094af5dd40bd1be4a269cf4fa65c163347ecd0fb6935eda690402ac + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-224 + PredictionResistance = 1 +@@ -58561,6 +58822,7 @@ EntropyPredictionResistanceA.14 = babb7e1e29089815ef8d794611a3164b54617f8edcae51 + EntropyPredictionResistanceB.14 = 06ab40819ac75f8609d7759fdecd3274d231781c939516ba + Output.14 = 80abf3d122e8917731a3ad6c8cc0495aa302d521384a155707f1302fd2c14ff9b8d6a12027b05cfb050fc45baee976715aa9cc606b943c785001c0431175278ed18d3b4c99bb7380598db4e9462e472ed9ede95c2e357f37152d1a76a60fbef4f97751fd111d9b965645de5c823d64bb + ++Availablein = 
default + RAND = HASH-DRBG + Digest = SHA-224 + PredictionResistance = 1 +@@ -58671,6 +58933,7 @@ AdditionalInputB.14 = 32460d6c3eb7912389edb486462038fe90505f7bd5d8e46d + EntropyPredictionResistanceB.14 = 31b1b8fd7753800a1d3c3849ccb22a7c28ea4cec21e71c91 + Output.14 = 77e3b89a60d91cfbbdac8215a3fcc000ae61a86016cefd998de3561ff76e188eda8910c08e964fdac58e3bb30f4af464b92812e15178a97d3215699f21b9775d3d4b11fb16541eeda2956937e43bd4e928f3856bced91c2e9a3c741f89894912cdec7acdb0652542fd08acb6d6ce2c66 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-224 + PredictionResistance = 1 +@@ -58766,6 +59029,7 @@ EntropyPredictionResistanceA.14 = 7a40b0bd455f5eed4ea7fef036c5b044425ef2138b18f1 + EntropyPredictionResistanceB.14 = 33bd20a02d78688da2b43f2222894d508f63851fa8217b6e + Output.14 = 1d0bcbbddc32be27ad0408c93d49f328832dd15beafaf969fa8f991b18faf1cf4cd1ae7103cf94135c1fa9beaef66f75d825cd9c3a16697337d746069a94aa8881e9ca841fc61fadc3701fec3fe65f750240c7da05884828ac3cb87289567c4e491ddb3f1ca5cdc08b5fcd3d8f91136a + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-224 + PredictionResistance = 1 +@@ -58891,6 +59155,7 @@ AdditionalInputB.14 = 528bc69e8fc2c45ad8006dc7a865ca73c31a679adbcb0656 + EntropyPredictionResistanceB.14 = 97bbf5c91c830c627a1dfb629a0f40943655d70ef97fe922 + Output.14 = d9cafae3bfbcfe622c82f137700f959f79ea11d07631abc26beb2d846e375a2b21165db0c568e1ae54d03c26f0ecdfa2564bf5c3c6c902abba3b2ff994ce191caba7e89b129c303e5169f4ec2e415a90523efc792e6aa2caf5ef583d286285f7d4900d79fce6afdd184d9993f85cd6d6 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-224 + PredictionResistance = 1 +@@ -58971,6 +59236,7 @@ EntropyPredictionResistanceA.14 = 58e89c98a93710a6856da202b373749dcf3f60c16fe067 + EntropyPredictionResistanceB.14 = bebbc0ee84a187340613ff138c5abc0aab2e86f57f337712 + Output.14 = 
13949feb41c811c6894809f16ab5b34be3fe3753416a8fceb0c6de131167d0bf60409b753385307b71e2622a46a42f1561b4793c6f0394fda66115c95dce20753a9caec5aa5263f6581db8195bb7de7e4b13761fd43eff13741849b8556247f08a58c9b180269f213eba0476c7fd3394 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-224 + PredictionResistance = 1 +@@ -59081,6 +59347,7 @@ AdditionalInputB.14 = 15f279e7677894af10821b9cc0ddc9238b318dc9020b05e5 + EntropyPredictionResistanceB.14 = 878d41b7c5951930acb26a23c06501b88d1474796e536225 + Output.14 = 8f96cd7a4e6363be72a9b45bdf8253fb47d0b50ddb3c5dfc8825f2c44366106b1094cc65d60d86542c25830a3d0f247326fbb941053df81a1d0789318563b870a81f9e554d8349b669f528d6889247d23896186c620b93b239c1d18861cfde3c123c80b4e9d5e338bd83bc2e97135ee2 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-224 + PredictionResistance = 1 +@@ -59176,6 +59443,7 @@ EntropyPredictionResistanceA.14 = 62b1fbffc1d23ec871ec6c85c76f1bae9ec7b7cf85eeff + EntropyPredictionResistanceB.14 = ad80381072e85622e48978527ee673151fcc036c0096094e + Output.14 = c5d7cf9f1f83f497ef8c48eb81898ad1616c00cf2788a32c5878c3ea868eb3848cfc2961c8095f9c65052ba063707ea69f9d6ad9c4ac9858fb2470543dc4d2d2fb3eab11994e6ce387809c3e7595ede565ae549b25070f7ffdc630ee0ef8ac9835dbcc5cb5c9570143006ac691265a89 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-224 + PredictionResistance = 1 +@@ -59301,6 +59569,7 @@ AdditionalInputB.14 = 6abc274f05fc74ffe1a0bac13cffb199eb87d66b385fb675 + EntropyPredictionResistanceB.14 = b3a9b4f5f51dc337d12d34dddf231ca21dd98f0775a53ae7 + Output.14 = 86732afa068efb5fdadf94ac34ec595eba831694cae1dc892e9c028ca78f950afbe78191457a115f3c444e5735bdbc40d787294de99043c96ce49176fd17d721f5b467943219437f3e1bea373fcad275e64bd35cd4aacd1f3c126bcb59b50d905bf40966dcbd474978abe1899bf0c4a7 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-224 + PredictionResistance = 1 +@@ -59381,6 +59650,7 @@ EntropyPredictionResistanceA.14 = 058a109cc72dd766556a142a2d59acbc036cc86d476fb9 + EntropyPredictionResistanceB.14 
= 97f27faad6528c42dcd97c1313c0e9043a043e0ab0b58395 + Output.14 = 3f5095a28e5674becd4b895d8918a36ba3cbf44f09c8c80b155f217e9b783b4ba99bf3ef183371bc3c5a654e3dc2346b605463abe63313cbf0919693965712366574e175d910e263f5086ee862672bd9c59a461f2d66a9b397570c86a09e2e4eab77aa139133789424482e94b9ba63d4 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-224 + PredictionResistance = 1 +@@ -59491,6 +59761,7 @@ AdditionalInputB.14 = 3d9654ec477ddb9d1928cf286f599736d51eb35af1eb3738 + EntropyPredictionResistanceB.14 = b8de4fffb86a4c7af05d85f7855aec4c8b463676b9b9eca4 + Output.14 = 33f691da4b3f351aa15acebafdc181da1a57883f0ded8b7223ab9c1b80e913644f850e3511e901175c7be68c96dc2b6175f69ea91218bf09dfd8b91a79e7499c8386746c260f29a22c6a000659e8aeee4c83f1484d5c09677f15d3bc045a2ddbf0b72c179dfe260e5054a75fd11c6867 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-224 + PredictionResistance = 1 +@@ -59586,6 +59857,7 @@ EntropyPredictionResistanceA.14 = 4afd7a280d8eb867f842e2e84f2c84d78749aa25c1201e + EntropyPredictionResistanceB.14 = 7d3e4a62634e7c6f74610ae4aacc62ca147fd1699c5b246e + Output.14 = 5c89bce4759878a3fe7b510c1b0c5ebfb2b085f89c3c4fa8cf6755cb51ba16dcc516402783d7870296f848bc285a5100a548e51cab01cd60638ecf2ecdf63f6d1c793aec14c4b179880687022acb9c90907e53fcede69d26f68a53815a6746c5bb80ecb22bc7d134da3412ba7c31477b + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-224 + PredictionResistance = 1 +@@ -61351,6 +61623,7 @@ AdditionalInputB.14 = ced31f7e0dae5bb5c043e246b29473e2fd39512ead4569eee3e3803314 + EntropyPredictionResistanceB.14 = c73832534681ede37e03846d3c841767297d246c689241d2e775be7ec996293d + Output.14 = 60c234cfafb468033bf195e578ce266e1465326a96a9e03f8b893670ef62754d5e80d553a1f84950208b9343079f2ef856e9c570618597b5dc82a2daeaa3fd9b2fd2a0d71bc62935ccb83da0679805a0e31efee4f0e513b08317faca935e382948d272db763e6df32510ff1b99fff8c60eb0dd292ebcbbc80a016ed3b00e4eab + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-384 + PredictionResistance = 1 +@@ -61431,6 
+61704,7 @@ EntropyPredictionResistanceA.14 = a835812aff799db76764365d3cfce7a70d168ca8a363e7 + EntropyPredictionResistanceB.14 = 6cc406628d2fa0771f896079d052d057f60b334e620315f2cb3e658b1323e7ac + Output.14 = 36c2e433e06280c1219c2f2992985e74117d35aafbeefb6468d9576fc4a23f97f131874c0c4c18b9cc6028f881eb42f0e011f2c19bb60db5f5eb65114365c659790a3f423f986eb5ccec70118e48e7ecb40e40c31a6c4b8752e8fc841df65ee68c6343579bf95e10ff99486d9793eb6a92471622b3d60297d9b0faa9e7d925d3ec9cc05bc9853c18930a5f64a8aa9e139baa625665aacd443f1469d11a6c24a3e079b952cc8b5f75ddc9fb7d96b8b14cf255c2fe7619212f281364bcd8958bd2 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-384 + PredictionResistance = 1 +@@ -61541,6 +61815,7 @@ AdditionalInputB.14 = d8e5e99dd1498f4cbf4224e4c7ac40aa7e077521ff5abfb836d8483d6a + EntropyPredictionResistanceB.14 = cc122d075bde2cb4ce5e48d72d5f6fb99529262118b01cca6639fff83adcb977 + Output.14 = bbc4a9e2c9ee0e3f1e55e77cbb8d0ff902bf5d6853a5aed3fc0de3275da712b031a723ce201448e3d15360e5471f11bbd30029c6574db47d9d3275a8559294695b4ab832d656defecc9d6086a01895f74f67ad0643e77cccf92ff358440f3efdca3cb816687e940b7e30bf50795f111175a7a564333b21b32a0b9d26b093c396dcdcf3203e8ecd902c3de0ab0c82ac4c1d68f77da85383e60b3ac403b8ea339a97088539aa0004e3a7fb39a827aa0d27eb308d8ae29c07cb5b0495cedb839863 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-384 + PredictionResistance = 1 +@@ -61636,6 +61911,7 @@ EntropyPredictionResistanceA.14 = 54ca39bb5d569901c657e36d0a8e103551e25f9a3a40a3 + EntropyPredictionResistanceB.14 = 9c2962c0e03e96c94b9a616fdd52b1f04945597b372ed5c69469b29b3bfa71cc + Output.14 = 96cd0e64c1dfbf51e067b2eafd896d30580f46e29ecc1e51cc662e0acecad5529d2bb177d60c02e7cf415777a85feece50113942eed54a5b328cbc007a72a0db1500f17e5fa1cbd1231a8608dc25f64e1e078d7e0b4c49ba34e4659b9642f79acd108de0c92e52af86a4a82f23df12826f8f44a88cd99f576897896d17d7ab19ad02be4660b8a5840552cc73b5e24e76705485c70ca57b07eac35765ccc51d0795abc229aadc0101a056e047d7514c9d9294ef9458d5f7f5328673defb3c5aac + 
++Availablein = default + RAND = HASH-DRBG + Digest = SHA-384 + PredictionResistance = 1 +@@ -61761,6 +62037,7 @@ AdditionalInputB.14 = 9d015ac36aa25905ab1ad61c4c5ced15620306935c548b63f6274d0e69 + EntropyPredictionResistanceB.14 = 462b911da3ed588f1e57e952379c76f4c32b1db3f85fce3315904d38bdd5ca9d + Output.14 = 1beaa2df060fcbb134e8af0f7e1c4e6073fa23deac0a774825978a42083b18c559de8ddd6652dc89abfd8006ba18d9bb9f579f611fe02984870f160e4f4516d6a708253e3c57896a0c9491b7c218e4131d29d31ff331c411c157ba071289a0004d3ee5fc6bc0e8aaf4bb934f48521c5c30aea79fc752720c3cdf67517abae2b936a75b669edd0f86d0d9d01bfb91033c431a4f8c2822f4f055c39a8451c3169dd63597ed1710915d5ed1fb8af25e2db01fe1cf60b8ed59ff0af91282db367afb + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-384 + PredictionResistance = 1 +@@ -61841,6 +62118,7 @@ EntropyPredictionResistanceA.14 = 523aa2f18ed872566ae4fa9061a83dbe1e213fe141e84d + EntropyPredictionResistanceB.14 = 101ca246a89f650b9f6e3282a908d51742e4f2b9a0fa987e9c8f8be89f3d7ce7 + Output.14 = 2a34c78d5ebc24dfb34250a1a2601f044e15969ea37e791110261f86d1c7e8c60b60cb4515649cb277526d4cca4bc6d31f14b42dc4da15044deb36cd9040a73e5f32806270cd503af2c7a6af85d2c9b91480df5677d9c2da368621dc7dbab8ca1ec634246fd55120058a7c0e16dc934e69fbe890a16a2b759b9d10c23fb57a188d906585c87c26a70cfa69aa7609c3a4226494b9498e6bafe0632ce06a82ee60b7bf275edc4ac862e3a2bc7683cd2258663d1cf2d0fa95ca75ee9dd85bcd42a0 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-384 + PredictionResistance = 1 +@@ -61951,6 +62229,7 @@ AdditionalInputB.14 = af0921fd29ae0315837039a4ecd285de2d6e04f97bd6b18a480ff31c3e + EntropyPredictionResistanceB.14 = 028ae7d410cadffbb1a8dd1a26649c51abda3729d64ef24049157b8250c532fa + Output.14 = 
c4552eee3b4b58c5ac306a607e3047bedb0fc06f921f28f859324ffae46d95b5a235d32dbf68b6093498a02270ac6988c13467481553996e6ad080b5b7dee800807e9e8776d0f338fd2dcfa74716a9663c3984fff72167afdc5a5292a85663d1b243b96e7ea070021fce1f269de1f5ccb60c8f3755a7b7c9f36dd5fa5894ccb3838d568507a9bcc418a82eed820b6c35ee66c40ad9bc718ef73fd7f8c956cbcbc173b9ac0d7f3f40ff37da2d4572a8901d84c216e1ef2b90bd531aa9238af339 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-384 + PredictionResistance = 1 +@@ -62046,6 +62325,7 @@ EntropyPredictionResistanceA.14 = 0ef1d45b978c565be7e64b9e455e02636ce9d2981bab7d + EntropyPredictionResistanceB.14 = cfe1c350d349c38b6f4568e2f1ca53493be77597271ecedc5ed578abf1f94096 + Output.14 = 49c4c52a81741d2eb583eb6038c1c686b84ec9e8a882d1ef509777a5bb431eb9ae711412afd5ceaeea212c2dbbb17652881b20b2517f1b720eb528274f937b4c41c4991730bbc7979d305859fd1fed523af128347f9fb3e3df22afc4be9f43ab6c5529f720b766cb519700ac83e83668083199f02c5ec80d29621d6c41394a927839bcccd802fc00839923a482ab82061bc96798046c20a11429f266195820862b8e242b083b12567c17e0423d01a7f77f5d4d035eb75c797019d798b54148ec + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-384 + PredictionResistance = 1 +@@ -62171,6 +62451,7 @@ AdditionalInputB.14 = 64d3689e23425f428b99b64736cc26c475f72fbc564f86f99ec4e22440 + EntropyPredictionResistanceB.14 = 1dd8eded094fc0baea87df0317255fb06ca6e3470c9d1d52e5b238513ddf93ec + Output.14 = e52e2c91e99f31080afc7398ed67f4b7ca0b48e9db242815524b192c7bec24b4aa2aaa3449ed5c49053273b8f30773784c27355c238c7c3c8b8085a5b2917a46862fb0d7cb0b52d62e630f7fb55be54977a15d3e82ba09a7d26e270384ed5b0a381920ea2c9c6a2da7a123f811a066c81eb3b8b92d7bfd62007a19a13725566d35b0c811b4f4a951f3fa83cc7809c623c9af5317054ee1567109d3772965eb3cf6e2c399d89e5fd59c5aa1391d149a09d002ff7e6d1efbad2624c71d01ec184d + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-384 + PredictionResistance = 1 +@@ -62251,6 +62532,7 @@ EntropyPredictionResistanceA.14 = 32822d7374b2a24cc00a9217ff5dd17c6962d40d9c739d + 
EntropyPredictionResistanceB.14 = 98f2d35e46d162b562842886552bb854212fb652431058cc02e9963c07128406 + Output.14 = 73f40fdf6550d37fd7c9f64221e7d0447cdf6911e5aeb7b80ea6307a3f97b7d4d6e42eff11e8c53d18504a6b8c735d9d89c6e1f0fff47f2dc3ad823229cd0bb811c50aca7f3f8b7890df6da7ea279e3f0582a580ac18c3a42b10e5be088c90d3aced0418c6183b0ce11957052c9e48a8e30f12e1e5deaf68d29e4809e7fed178b541c80930b6b3b782121b99c41ccb98046147a6e08294e2f8a9a215ff77b4f6729a0585a554014c60b36ba29db8de4cb11f3e20b4bb2406d03f7f1d4601ea23 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-384 + PredictionResistance = 1 +@@ -62361,6 +62643,7 @@ AdditionalInputB.14 = 4d60a3f6c5fad0b57ee38f5ccc9c83843344dcce4f5dc056d813eb9fca + EntropyPredictionResistanceB.14 = 50915e1d171a23bb7328650449a6845c181ad304b5415e05e4bb8f6820a7adc9 + Output.14 = 08071e75400f6f225a1801359983a0fb4d6fdd1bc74f8a78d9f54b1027df0b4167acfbced55ad735a99ece966bd1e79a71ffb62c4526b8afe1a276976d9b3b765b9533f50e750651596ca53a24af1606a2cf6aab27ab3026437b7a03a0507c1913e6ae1718d6d69c7e09f808cf97c73a6195550a0f4cb426df27362b0f005226bd54e0df9c5e5038c75da6f8f77bd5fa35b9a3324b0aea322f5e48c203ee228483ac0f56a67dedcd1d706b8f0a69fa7946f1177a313241066b5324249faa7cf8 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-384 + PredictionResistance = 1 +@@ -62456,6 +62739,7 @@ EntropyPredictionResistanceA.14 = fd31acdbc71e112a4db2ceff387d4b6db1e7c714e89390 + EntropyPredictionResistanceB.14 = 754a7e0ea6eb9e18483e0ed7045ae6f7ccc6cc626ddc1cc2b317ee78782c6e19 + Output.14 = 978543a7389db3122a01947a9a8ede689a4fba9c0d72b74e1aec38ec6fda8e7b519e5ce91eee5c532c9df49c8a36a64818230c5535d262061e96cbdb9e7bef5d7330a2989c3d3012727a18d2c96931b66f48bb0bf6cefcf783c65b0e094e44b0227e3e898215aa3afa2a71dfd832c6e11b3522940cea0482b5f24a90d12e5aea53bad0d028abaa4c45c54828272a9ce543e8cd7ad10a3daf15055e3999e94a62a7281ddf1dff41ad3e30c19ab8c50c759607203ed67c153a33f52130670d1f1a + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-384 + PredictionResistance = 1 +@@ -62581,6 
+62865,7 @@ AdditionalInputB.14 = d56dffe6e68ff34c828ed6daa6957db8f8f1eb0683f6788ebc4d7ba42e + EntropyPredictionResistanceB.14 = caaee38a60aa69e7fbf710f0d03ac18ed70bf50590dc7854e2ba78edf2f6a826 + Output.14 = bd2334cb3356a211a759fbad57708e815889f3961b4c6a0f5475792d1f0db772af058bc44ab716d02f11e37bbc74f59ef046d01f99056eb4366435b23bcd92f5c761d22551e66ce180defd47fc43afc361bb2ec8a3c92727bd63329f1397bd5ac689709b529fafb7a8a70437790384213a3f1b27c6086fee25cbc3c0a2874c8a85dfe7022a5ca7365e9a715bd0904dfc999eba168466766316fd196a1fa139e37cfa30be486b0fa1ca03602becbbe97869535913b1f9e00b12f4f2085794c0d2 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-384 + PredictionResistance = 1 +@@ -62661,6 +62946,7 @@ EntropyPredictionResistanceA.14 = 957544da181d9451e52bad53ecc6e598e94e55434ba806 + EntropyPredictionResistanceB.14 = c8c9ed877603789c92d8dbcccd10bf34e26fd34804178db31a6ec0486fdf44a8 + Output.14 = 10e2ef2c3bf4836f072688eede8aad92da8ba7cc06bb2af2243fc2e7ccf9f9489a7ccfda36b2d91420df270ea9402b9716b95db186aa1859fa0e9a5cc389dbd7ad94490818fa34804a773d8dfe054cfa663267b8d21dd58cc199d7d3f7fa1abe54ef8d4cb2fb0f72a02537b0901c03b848c491784afd314d92b409b51a8ce88a3b7907e36170bcb1004a65c49785e9c14d6ad8871d6474d890b3f1599550d41c0b7a9b39c7e30a8932ce5a832137f77b97081088a8fce641e03875102e51b9da + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-384 + PredictionResistance = 1 +@@ -62771,6 +63057,7 @@ AdditionalInputB.14 = cb7cd7e4239a550b8f65366cbb39c50c551d83976a01ce82aba7517530 + EntropyPredictionResistanceB.14 = 2ff81fd74a033d6333f732f4cefbf021a90b42c9daa6830c2ab2899b64a05320 + Output.14 = 932fac5d00f0026d0c439912ea5714fbca4385d25e8a3dd42440087bc3114ae946f32c7d7a22a0a699ce8b840b6edf5975d70961cb91f8aacc3dd826dc6e88bc780eaff13c80abcc8461d6fbd53122fe8574295ee67a624108d4aba3cf333c58316ce811194c9db18b2c1d897f385a3d7732a86d867a361b9f7f502421f12f53e97f0ebed34e03039bc903c104025e2b0bfd76f1bc70597946f97c0815fd1b7043e007a3542d0c2a8250935d0e705e8854d4f2b991bd8e11b446e0bcbaa4d695 + 
++Availablein = default + RAND = HASH-DRBG + Digest = SHA-384 + PredictionResistance = 1 +@@ -62866,6 +63153,7 @@ EntropyPredictionResistanceA.14 = 44d6b1c7d7e951ce59f1cd023717a4a06eb3b55e78e64f + EntropyPredictionResistanceB.14 = 6ce1aaedda5818985583c96218d19d63c23aaf9ab6614556a5d3df0c3c5a3fcd + Output.14 = a2a7bcb7752b27516c35c2a42c912462205c267120c0ae06e6413ec13a93563443a81f7f68694d8212237adfd474e765dd00c73a350d793202e6899492a135876d06eb30630527b2064c310bf65fe2f8bb0ecb53367658603775caf3c8fa9afbe38d09e67bfb73eee11f216e4619f2008c739d1637ecb046b459d5ce49defd273d0c238d0468742a023a00a50aaeab976b66abddca704ce7ccff7ed754cd0380c963b0e044b7477acb6bce83c4567638ae740e329c062bdfdfe5386a1958da8e + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-384 + PredictionResistance = 1 +@@ -64631,6 +64919,7 @@ AdditionalInputB.14 = cf2040e9046a69dd9638de941f0090b7535c51cfa9f1c7bb2a56a33232 + EntropyPredictionResistanceB.14 = b871611f8fcb8c860a72c4fd406d4939335a031e0de9f2d436d4736b6b060c2d + Output.14 = 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 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/224 + PredictionResistance = 1 +@@ -64711,6 +65000,7 @@ EntropyPredictionResistanceA.14 = c6e791bf03cb41dd67d8d0e6afc88cdb3243c6d8c99ec6 + EntropyPredictionResistanceB.14 = 4b107f56ea9cf896bc58a6409dfab2fa65adf930488f634e + Output.14 = 9c25b3a34af68768dc47e8521b70dd52bd3243c8c4ca911fc32b6a191e4abb7a56c2ae535ee17899ddd7d3011386c60d4dd1c7a0f3bbc27224e1471e061675d28d726a6463d45612b6b1913136be596255ee2f1cac4f24400bc50ed41a30e4c4dc1a32524617e51ce2fe41a829d164c4 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/224 + PredictionResistance = 1 +@@ -64821,6 +65111,7 @@ AdditionalInputB.14 = 67333be1a1d8ccfeaf0bb6836abc101f9be86f6584168b71 + EntropyPredictionResistanceB.14 = bc9be23eb198d7a9c821bf848dc659b6c5c7b001b388078f + Output.14 = 
9d45b149af6ddd8231aef5d6ac48dc80cea748f860edbb447c3e181be541c0cc384bd2b3d39a7dbda865cbae5da0e6e9e4230728a819e1dfb9b7ac9b6610ea5fc42554b357f4f4b2d48ece49fb86127d5669cb4d361be9fb22c658264a850bd927252ce83ad57e7373689acbb1b2c266 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/224 + PredictionResistance = 1 +@@ -64916,6 +65207,7 @@ EntropyPredictionResistanceA.14 = 1faaa87f7d4767c15792faaeff52c850e7d1779819fbee + EntropyPredictionResistanceB.14 = 79cf8e36b1ea35077793e4dfe4e4cc736fc8071c72ec9ee3 + Output.14 = 356c2bc25223d3f536b075f7052d29e1f36c3dcef8b09811f3bcc18fcd78fb10115b6779bec0dfedf1563eb9024fd38e9083c1a7b748b05d61c99c14b7a57ebb121b5ca9a83e6bfbd4be01a24185de86a9baca5c9e8b1f59424bf77b9457e3829de9c44ab10c5966dc59ba5884493980 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/224 + PredictionResistance = 1 +@@ -65041,6 +65333,7 @@ AdditionalInputB.14 = 74b7046dee3b978038195a4ede2e8a0ffd3b8c490c4ea36f + EntropyPredictionResistanceB.14 = 52f143079094332e20460b6bd1b5a5872348ddd626053d3a + Output.14 = 58d2c19cd4ad3ebd48e3520d23395b4566e65981aebf6f143f46733d4fdf23e2fe0243674778fe5c5ad1fa4e9389305d3e7c1b99d7f7e163c9ef87a35d34732629ca8d87b7b8878ec95662dd9ccb43b0d2ccee2f4f3c4037925f264fa03b534da0751f45b2df1cb653c379cac512ee5d + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/224 + PredictionResistance = 1 +@@ -65121,6 +65414,7 @@ EntropyPredictionResistanceA.14 = 2520f0af49912e6973e81e5d3ea1b140664209e1050784 + EntropyPredictionResistanceB.14 = da19f29b28f43ff72e579a4a21d979dbf399f0123695227e + Output.14 = c79b9cb6955eaf7d0354ea81b1e54f3bb7855edea5040fa6ea2f18566210372f9f7b4d08208931c321ea09f44390dcb4939373e96fe3a417b2804b6af94aebc65fb31e7e9faa4113cb4bc1294fbfd19eb078eb300e599beb0a8afd05f10dcbbca84a27dc86a12a998a74d6f532f38e39 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/224 + PredictionResistance = 1 +@@ -65231,6 +65525,7 @@ AdditionalInputB.14 = 9b0214621496003a5e48ca25fb008bb7ac7cb9192ccabdd4 + 
EntropyPredictionResistanceB.14 = 9764e49ef04c1c164bec335e2ecd98ff0f8b7959c4af9ef0 + Output.14 = 8e4a6f42f812bcb71891f6abcb4c19f179f44d6d7ca0be8f84ea4de6227e31f60ba600c0dce0c0cdd6bba0deea6d860b3ee204be73421044cdeb59f3b42a5e4db94e2d06af91e1f2ccea73eeaea40262a5c74b7fe76979bf67510c86c4c5fc55569b6244fd15a49db2768c884102e106 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/224 + PredictionResistance = 1 +@@ -65326,6 +65621,7 @@ EntropyPredictionResistanceA.14 = 3e5b6735d467912273c38536f7a1be160b1edca1af6dc1 + EntropyPredictionResistanceB.14 = 0dec0880ce8e6ef894b9396ef56fd678435ed5b6b39d4918 + Output.14 = 5dbf5d3b2fe59054ab29bd747ac3dfc4026799f493b65a49a528bdd1dfe26ee50f7d8b4a69f96488095d09209f2657d98d2625adfb769188e5fcba1472d8364611e34dbce5160adb642bff5919b54e8ef3c6bf8de8fa0f651fed3878ecee371e312bf71688093a7a625239fb861cd8d8 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/224 + PredictionResistance = 1 +@@ -65451,6 +65747,7 @@ AdditionalInputB.14 = c7c8c48d9ab3014e6f94a3ce3e8df9768b3c60f478a5edbf + EntropyPredictionResistanceB.14 = 00b456fef04acd6dadb600fe9b2735a5d53dc58e9cd3f963 + Output.14 = 6c1d21ef77388dae905c338b72894c8fa3a066d6255e7760eeb307d264948f979a343a25209a3a7d1b6944d013b05142c3fdc155d63ccdf626437298d0a9f0715d6dfd81acc7e45129b6a3b442e8c36527470466f74712b03d03ff1f4cadfa8e2c348639d82919cc9a3e288fc15751c9 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/224 + PredictionResistance = 1 +@@ -65531,6 +65828,7 @@ EntropyPredictionResistanceA.14 = f9902e3d878151db3849537f186a7b2fcbcd10576aab5e + EntropyPredictionResistanceB.14 = 9787f601b4a6244569468fe586a67e2e7733ec0f1e2405ed + Output.14 = 8338c7e93fc15595aa5828c90f064f37221439c1e6d9c51a0986fe9f3e9b719f0a05c9dda87f3f88543b2ec0005ec343b62a3929ef720fb269e8dd1cdec36a8a2b867876752b8aa23d6878d0e9f3a27b06a7782a58ce68fe80cbfe6b5795e7da0c34499dd153b202c5432e37e03638f8 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/224 + PredictionResistance = 1 +@@ -65641,6 
+65939,7 @@ AdditionalInputB.14 = 69b3ec5d555f1c338f45a72c56ba8f714894c069e47d329e + EntropyPredictionResistanceB.14 = 9a0350c1885b5f69fdd13e8324b8730f27c92dd96c87916c + Output.14 = b4a922cfedb084156cc73d5bacf1a78090935fb1a5368e02d1bfcd22ff497defc9784e16b14e19777c50f0db895c3a61fde6f97988315e427b4323c9c0ddee5eefe49677b37bbea5a6c9d43cd7c3279c7502154e8b551538e10c8bdd0cf35ac9379931f0bd7acfa82291702648612815 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/224 + PredictionResistance = 1 +@@ -65736,6 +66035,7 @@ EntropyPredictionResistanceA.14 = 80b2cc6b2d460340d5915e109e434d05ab4861378d65ea + EntropyPredictionResistanceB.14 = 42a0f1f0e9a911d0e12948a235d1a125e9462d5bcb605b98 + Output.14 = 38df6537e3bf2a8ce577da82336ccb234dcfa6fae8bec62c1ee38be0f9014f49695e4200389a55291a95b97ebd09ccb7c392320fda66797ab1979ed0ea56772456f36ee287bd683c190c438b1ee0c4c262ebc4b2e5d036b3f50f0630da695b271c3cf746162258a4920be29c25dcf201 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/224 + PredictionResistance = 1 +@@ -65861,6 +66161,7 @@ AdditionalInputB.14 = e201d55a78452ed3401d92c27247db4801b572b389b2fe61 + EntropyPredictionResistanceB.14 = d50ec469c29891aff7289644413e0bae6954075854c1e475 + Output.14 = 1bc3d11462d9e2ae029afa1b7db585d17c1de83fa1e7d7d9e9e7c015fd85a369edce029a3eb111dec4a2efda8e35bc5d412d31fe2d0d0a35f629609c2aaaaec7fba121a164f4ab20fd65b8bff2ca6f52f171ed2879f129b0bc2ba7dddb0c387a8748ddd2321681655cb2821523bb2510 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/224 + PredictionResistance = 1 +@@ -65941,6 +66242,7 @@ EntropyPredictionResistanceA.14 = d6734f3b3b76bdd8715f1cbc24df30bc8062a0276d954d + EntropyPredictionResistanceB.14 = c6947a5c4932e357cd296aa8153614ceab7a6c479ba1cf30 + Output.14 = 19f1b2ab68854e65d92318b4e09c74a379c76c096ee460355a977ca08788a8ac83bbe817a8ae4eaaa795a09a49f572fdb471d8f5d2de060016b1b0422905af24018457acc9ded76b66d204ed5d1bb66d77270bc23ae5528a6a05aadd3eb1a194bfd42c88273def6fc24ef677d326c586 + ++Availablein = default + 
RAND = HASH-DRBG + Digest = SHA-512/224 + PredictionResistance = 1 +@@ -66051,6 +66353,7 @@ AdditionalInputB.14 = add443f0f3064aa799c6fcbc729416a494ace56d2a29eebd + EntropyPredictionResistanceB.14 = 19b708e95dfcfe56f171ddcc411c63bc2e742cb45873a019 + Output.14 = 29fcc98bb0b08c965dc5ec7de8dbf7a16d234eeaaa262f5ece8f2a1d843940bc663b4f892ca1481155573c4a6754f8b7b398fe12a81409ed7f6165bd16f2ac031d809e6535dcd3561586c038df4aa735c5efa36224b2235d05c12555151b1ddfc2121e806ddb484d19e9db631383e969 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/224 + PredictionResistance = 1 +@@ -66146,6 +66449,7 @@ EntropyPredictionResistanceA.14 = d9b643ef8cb569c2eaeeacb3d8be9a0b2c93c60f8e1129 + EntropyPredictionResistanceB.14 = 213994f4f3e9382b9b6c0247e74a930043a563d0dc67d05c + Output.14 = 991659b877318d688fb40a862e4a089f74e60948f853ccc57588ca14a51c8a8af65c7c1e0a5fa1393a2f96d23cf0e6f829141cdbc4229c5576b07a915a59bcae554cc50e6f38264757e29117273792cd9ec6e89a82713db07af8562c24aa80e64f2723e8885ddf3435d96581881ccf9c + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/224 + PredictionResistance = 1 +@@ -66271,6 +66575,7 @@ AdditionalInputB.14 = a00aa12c4a26030b79897e04d0171bbce1cd7257e0cce379 + EntropyPredictionResistanceB.14 = aa9b3dba7376b0a21d34ee6ac8939a625dbfec172a108c4c + Output.14 = 54fb778fcfc5549e190271dc12389f42ea8128df55e6193e03073888b4be31e2d7a78845c47362c4e96b41fce503fb970f9176bdb9b5d664c386898a0e44ffe12f9480699b7d566d697a4f520268f62e460359a39d091f4c372ad33ef0eef58622f488c9348ab5fd693d4edece794b12 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/256 + PredictionResistance = 1 +@@ -66351,6 +66656,7 @@ EntropyPredictionResistanceA.14 = bc9fa0d6596cd2b1e020a0f23fadcdbd5ed8730e9187c5 + EntropyPredictionResistanceB.14 = 671405ac5614d316a8f289b50eeff5467be8960feccc46b7eda7d3038f09321a + Output.14 = 
c8784cdcf893010849f094a0de5d3325a69b425a8c7b788f96ed2d8209434f9731bec3c590e8982c22b46ab9f28d169933c1ca2c4e4b99a9bbbd74e2182097a7c0e29e84a63363eb3c0b7b9cd730cd0bde121006aa11542b968f4963e84830219c359771a3ab03298e5c0b8a207387668308e2158fd06add5309defc8cb2c0e8 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/256 + PredictionResistance = 1 +@@ -66461,6 +66767,7 @@ AdditionalInputB.14 = 7a63a39a4db6161824113f32ca5c4588edaefccb08894b2ba52b6659e0 + EntropyPredictionResistanceB.14 = c20c5ba1aea693d375097d19b3cfc2b06c9c876e980131387374899d4ab48385 + Output.14 = 818ab1aeac3dd58e54ab686b04e3686a37a1202a19979a3620d1aea5e425472af381677a363ae190acfdbb0372c7ea2d5248cf27b18327e13b91507fc28b9d3e804ca0e618d867b3d892173a19c5918326e6fda277d5a3a34bba1425f4a6c9543f66dec79bc909b3d082c6067df73966d1b8f8a16d07005732e0cc00f9b212a8 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/256 + PredictionResistance = 1 +@@ -66556,6 +66863,7 @@ EntropyPredictionResistanceA.14 = a21a3a1e4a6e4ff4c646ee1b19ae20f956cd174001cac1 + EntropyPredictionResistanceB.14 = 5f673e1dba2a9c526ebf62d4383da60fd194bee81d405dd719f0cdfd0624a79d + Output.14 = 718c2bd08da84f897864d2c2a91cab5e6b66251ce71886969271b3b88885cce8f01e2e0bbddb0f5826c68445c8d56964c7f2b641b7f8498dbc293875a422b65bb7aec20b154064b336ebb06dc861fa7e69d683dba33d8a6f71c2b2c76e030db66fcacead182c0f316395c3dd4586a38d56157d8b4138f3039acfaa599df1a096 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/256 + PredictionResistance = 1 +@@ -66681,6 +66989,7 @@ AdditionalInputB.14 = 4a5a23362f631c0b155fb802990f855d684a1d3f54073c7bef2515ee3c + EntropyPredictionResistanceB.14 = 73189d6afce0d5724c50cbe257a1494c7e78dd5b3d7509c5509d795d6abea851 + Output.14 = 8c64782c4b34cb5e2ac304ad773adc7a76ff2fe1f43202b01e28aed52ff96b651765d642d5313146f322f3cb067cc274918babc2b35255f048ee74b4c87a4e1c465e3e1098b1053747343123ae5ecb652520d0fb20db17379388249a2d92cabcea7140162f2d9cc17daf718eaaeb8e8a69197689ab206f68fc468982c8f89e73 + ++Availablein = 
default + RAND = HASH-DRBG + Digest = SHA-512/256 + PredictionResistance = 1 +@@ -66761,6 +67070,7 @@ EntropyPredictionResistanceA.14 = e0975b46c5421742148647c5ea8ca534bf23b9cad38fdb + EntropyPredictionResistanceB.14 = 92632b542fbe20c00c8071037c15a2434cc23b3b6ba800dc9e419e105c1a4c4c + Output.14 = b457c370a8bd4451f4185f7c925b90365ecdf0cf1a4e809967ca9218fc7350447c32d25bb3ac36d8d0de69e2f8d6e7f0276cde6d9a615d5644654be11ccae2a556d331310494ecdb961468ed6283dfd9342be478f0e3d5bbcfcbfbfab86625a3fab5c43296bfe1fd9218ec5cac2da563adef29084fb7906a7284da44872a957a + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/256 + PredictionResistance = 1 +@@ -66871,6 +67181,7 @@ AdditionalInputB.14 = 0eb21b9dd429b7ccf6183587400ff57ccb84e13513a553c83bd18695eb + EntropyPredictionResistanceB.14 = e65beb2bb257e5b9770af1404e58743540ce7d6338089906464de3350c481f59 + Output.14 = 30ad11bfc18d3fa9c7ca2adf01bca76f8f2513c2aab3e830b1ec8892cd6544ad9e25f2c8369a034a25962634fe86e833aa32baa24ea608c91818994601be78ab1fa772cd80b6eb3006c4c2d4b0b1268f7d8759b7e0193e15a69f7e13def2e4af35536d92c1b8dfe3b7ac72104543a8e99585bad53728899fc5cd4ffa509b4b79 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/256 + PredictionResistance = 1 +@@ -66966,6 +67277,7 @@ EntropyPredictionResistanceA.14 = ca849cd2397ed598a1f4a5fe1ac34d9bd72ba79cf44b89 + EntropyPredictionResistanceB.14 = bf75a707fe7d86993dfa00386ce07f94898f484a9f936d47e4923bd6bd8e2121 + Output.14 = 63fd0934c1c510ed19955471552a645ebc7ffcb90ec904994fcbe89ad938ca0b6ac3c0bf958d453af8ef7b4cdfa1bf20a5e79a68d1801a91dbe63ca254d8088d7d508971d203fd9dd4fb4fdcd9e8f1f25e899912dee3f59ee1815efe0959c7e4ae06453ae9031a8cc94ae38d7d634fc46233ed8d11ea8e20e326841d3cb40680 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/256 + PredictionResistance = 1 +@@ -67091,6 +67403,7 @@ AdditionalInputB.14 = ca63db9ef242fc5132d291600fbfe99b72649a2c51080bf46501286c27 + EntropyPredictionResistanceB.14 = 
aa1d3e08e011aecbeb852bd054066d44b5f66a71682427d9a49deb6fd43ac6a3 + Output.14 = c44e0709fe70b56c0d612f354f796e33f6008e8dd9346ce75894e3a09186fe54b4a7988060e48488a329387bf1bbde11de1525f14caa0af8d6e4d4b32b5dce06d71b368d5cf181535557accfbd9ae55d4b844479a8c959fd0ef0739f1fcccfa2d4e053194b90b8ab9fa4135db408018c3d4895c44cfefc05951d1cffb8da24e5 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/256 + PredictionResistance = 1 +@@ -67171,6 +67484,7 @@ EntropyPredictionResistanceA.14 = 3b12c8af1e7f747f5307c4a0e7af0efa7a34039b4f2c5f + EntropyPredictionResistanceB.14 = 90e07e1b5ea4915b23d18d52dd1a5d79ed0feaaf4c3b9176ae92c85f28c5ef0a + Output.14 = 6c2ad7e3738c856374ab4b7a56ef4b3e1aea65f69fd6fffdc0fc06c585eeca2761fda70234b844b37ee8fdd43f8f58b5f73accc0943b8da2544f3a7ea7e7107786d9de4f457519fc80782d0ce64e5b33c82b6935f80d0e1e241ed1c119621d43ce1d18fc016b136ca1eb7907c6fdc14f77d807cd0ff1a1ffef73f6eab009b02c + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/256 + PredictionResistance = 1 +@@ -67281,6 +67595,7 @@ AdditionalInputB.14 = 5138951ad6b555496eb1005bc403f5937dae4e05f1254d7ae2406a3f81 + EntropyPredictionResistanceB.14 = 9eaeba16579b23aa55adb7f2b33430e5f9006c6247944b16cca7f36ce6eb0cb2 + Output.14 = 60cb8d3a0d921d6895033f75330a82de2121abcc7f0ca1391687a510ee79c7e99154483f20ceee8cd85c6be7dabf93ca5c535b42980dbca8b308375f44ea3c1682d0edb7391e468898eca762b39b2ca5beeba498881e116e45429b49ae3936e1d11baace14b11c64aaa17f4c830ed62df0d66ccf0093c73f705e32067904ce8a + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/256 + PredictionResistance = 1 +@@ -67376,6 +67691,7 @@ EntropyPredictionResistanceA.14 = 5dd6463be2b566208350dd70f0d7132cf2249ff1069c97 + EntropyPredictionResistanceB.14 = b59a5c1e855d888a76aef8a2bdc0e6701eb7cf7d6d0da08c9e9764ac31311d3b + Output.14 = 
69fd03a37b267d6f2a9f338ba844a69f700089f3348c7dce12497ed6637e294b9b958ab36f85d986b1f311400d2e58bf5251cfda4c6e173e0a0eb0c25b529057e458951e8a9ca233f578ede226fcbc16fc95b9421f4db1b939e77110d1e7ba0d486aad8d62f0e417ef3a5f39145d05423113d8901493b866c3dff2a213ab8dff + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/256 + PredictionResistance = 1 +@@ -67501,6 +67817,7 @@ AdditionalInputB.14 = cba2a6a01cc09238e9a8e9fe56663a8eb4ebc186f4927042f7f19bc8e8 + EntropyPredictionResistanceB.14 = 4c691865c160d187f5c3654e3fa2eca8e818b2f6ead070dc69b2585d5d4589cf + Output.14 = 004e5ce98e6f7a64a98ae577c3c702b8aa489148edb61e57cbb980c2383723918bc380e07944049631a8f88044a7954570086cb972c6653ebfa49a5c174f8fbb788005aeb7bbfba2039eb495cad2c23836f94bb6029f3ae3dc2dd8525aef77614d3bf5ad62c48ac56c1cf1155653243d4d10da4c4ad9e8fde33802d46026212a + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/256 + PredictionResistance = 1 +@@ -67581,6 +67898,7 @@ EntropyPredictionResistanceA.14 = e67d0f28c142a83bab1572b0b44c83f0fd9ff3ccc2efbf + EntropyPredictionResistanceB.14 = 5b7ae1170e439d0f9b8d5279fb29da66fe280483e0dbfb6e289d63b80c0e9662 + Output.14 = 4168445948f0108eee7c346820bde513375c403736ac22b6b51a0237ce84c9f6ec3f85be5e5af9f1a23123692794704825c4e1935ccf790413725fc44ff64c457a58a700265c04dfd9674ecf952af9105b0b62e9f2867aa15cc18077063f1be603a4fdb0060a272aae224bacd1f45d172c8fe03ae1b4dc4616bb47be9ca6fb3c + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/256 + PredictionResistance = 1 +@@ -67691,6 +68009,7 @@ AdditionalInputB.14 = e5cbbe21f36bdb46d389a479bc23ed7162ccc9fd07e3c15b2af38da548 + EntropyPredictionResistanceB.14 = 524506ce82bc8e9813b12258b87eef1021c3df39de0b377529c3614a88a5ef9b + Output.14 = 942432679f040520258501966ea68fb5044cb44c4d02b0eee3041d3e43e3c283e76d4bab79305d16888b42581ee087dde5e2b0e2c3bfc7d1122c2fc450729343a45331df3cbf7b9a4253a5f8550d37672a73a75b3cc8abd68f98803643b6eb69ec95cf55c2cfa037b69523afdd045c740708f1f7403621c8074d497e0efe689e + ++Availablein = 
default + RAND = HASH-DRBG + Digest = SHA-512/256 + PredictionResistance = 1 +@@ -67786,6 +68105,7 @@ EntropyPredictionResistanceA.14 = 711415888490d7ff523e9883f6bf0226dc6d446901fb41 + EntropyPredictionResistanceB.14 = e15d421f53c1c843c847b2abace780caad977a337d81469d973ddae6aecdd1a2 + Output.14 = 79071920bd431dc5156b6f03932ae2aa4dfa06a61994bd07ed65cea1ec8c08416c7ee5c045f0fc63b4ca237e85d29d8987b65f3e9ad22a984aad16676a9a0b50af959f19b57863c43fd316516cc7d8516bd4705193be20d3ffa42f843905ad64a5288c875f55a8996ecb239700136b6a57a43f2c6dcb11af5e8fba3597fd8870 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512/256 + PredictionResistance = 1 +@@ -69553,6 +69873,7 @@ AdditionalInputB.14 = a0ee5a3a9a8c5eccb62b9e7ed45d04d8 + EntropyPredictionResistanceB.14 = c588bc21bfe29ac749639bcce28f17fb + Output.14 = b519ee28f38bcc0305ac49eeaaf9f27eb6af797ac95e13431d1f5611e89930bb2c362a9abbf4fb8d89605e5db756fadaea2f36e953751006361b94f89c893e2505b77e41ba27eb9d56d9124111e7c12d + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-224 + PredictionResistance = 1 +@@ -69633,6 +69954,7 @@ EntropyPredictionResistanceA.14 = cdc10e50c630ccb235579a72b6eb4502fe146aabdab62a + EntropyPredictionResistanceB.14 = 5c820ea46bb9091054d75a892a83c3850da0a31c15e0d021 + Output.14 = e32c0798b2040620fbc5d2a44ec7fa8038444c1910fd4a24312c8c8eadb57a78606449cf05ac51a3bc4d58ce78742c1be3a0fab6e3f5ebc92b82b5d5d64ce29e8c2787ace0f4e718a7f6cb669a0a43ba1aee0d9aef55cb7c6f5dff57c8acfe883ffd8a496d44afe06803e4c9ff62df04 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-224 + PredictionResistance = 1 +@@ -69743,6 +70065,7 @@ AdditionalInputB.14 = 4505c0664e59bb4388020470838bb098c4ae1338c268adf2 + EntropyPredictionResistanceB.14 = fc4ef2906cf36c6c8897b802200a83e60d16f7fb064abd2a + Output.14 = 
4f9c3c60ee32042735cc539b9a23d04c2bc6bcd68db04a58240305f165bccebbb98e0f4796b283a0d78bdaccfcc8daf19f21a72945be07996bbb0b606643c7753f76ee6371292d3e681468b714e16bc32db14ad6d777677137ebd3731186ea72b840b8c4ae79ecb2c61352ea056d2d6a + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-224 + PredictionResistance = 1 +@@ -69838,6 +70161,7 @@ EntropyPredictionResistanceA.14 = 90e391a33dc21281372589e2a667cdbbe4267710d5244f + EntropyPredictionResistanceB.14 = 42c959b7272b39e5cdf67701d47665b61782541e94aa224f + Output.14 = 4402afee12048c1c6a44624d2df026798930ec732884899ffd20d17f1c8d7c221cf5edac8679a21ee11b177ecfd61927d4ccbb175ee6b49cc6f371450904c2666aaf2e6cb36cd55cae3af772beb80955cf67b4e8be1fce11250a39693ecb7f8ac05aa23b949ac74bc9a67060cd60cc77 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-224 + PredictionResistance = 1 +@@ -69963,6 +70287,7 @@ AdditionalInputB.14 = 764705681b7781573af811fa7751dbc27d667af7a1e59dce + EntropyPredictionResistanceB.14 = 76a59ae38c88631a066fa85d24dfc9b2547caae598cd0fa7 + Output.14 = ba4a0583d8d6c5b4216a0875cfad594485858dc7f9ef265d4ed0c0f0fbfcaaf5ae318df2d7fc530301813d9f49826030625f7ea02d0630b3573c486b1fa0ef4269cbfb6fb86675c11fb7c0570cf7ff4fc7affdb00625ac453c23c229a4ea5f540c66f031ab3462f7d12659eec990501f + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-224 + PredictionResistance = 1 +@@ -70043,6 +70368,7 @@ EntropyPredictionResistanceA.14 = 85ef26b185a0aa99aa8761981cf02a634b62f47baccf27 + EntropyPredictionResistanceB.14 = 2e9d56a2fb6ca0bef9a286d23e7d38457790f97f2b7ea5fc + Output.14 = 5c7bb6bedc97cd38837beb0d963d76a953d4c53827e24ffeb278acce8350c43fa6e289672fe6452b769b921937ea8059cac8326332966d3490f57b8fa89aa86deeb3edcdc108d1899eaaa2d568d78e26b8ed674282ce16a0cc03f3c3b1da6d5c73afe8f392b32151e938d99c94bf8152 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-224 + PredictionResistance = 1 +@@ -70153,6 +70479,7 @@ AdditionalInputB.14 = a05a3af78f164652504f38cbb262a93f5fbe72c55e28aa55 + EntropyPredictionResistanceB.14 
= 0dedd1d3b74beb9c3ed9a6af24ba4a8fab11aed95d829a11 + Output.14 = 4e6dc09aabcb0fdfded4f1d6ac2339add1b5d7528c3676203b09341a1cf70f0e838301f7a78dfe6960daa674517162f4819a37027845c260186325846604db350969ca2abbabf713159669260b80de6e42bc33a64c796280402da8b3c3bf6e8255a11b82b046f1b3800cad132c2c0cc6 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-224 + PredictionResistance = 1 +@@ -70248,6 +70575,7 @@ EntropyPredictionResistanceA.14 = e5f524fde813bd2478fee8dbbb6284f3863b43a8cdb2f8 + EntropyPredictionResistanceB.14 = 178f885705e506129a137c64daab8870149344d82990e454 + Output.14 = cc687b9fc638af68d71c2e12ff8727f2cb2eef42a888216af09167ee23f5b432ba896ccd508afae8670dac9fae348eff0f8db63c3fe86f6a1e2d97f9b11813a56ddc1d5c99cdf79afb5d281fd1682dfada3c608ac1cd8ed28e70e21d3ecf7c13c410e8e657d7d0714aabef78795e46d1 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-224 + PredictionResistance = 1 +@@ -70373,6 +70701,7 @@ AdditionalInputB.14 = 29729358e5e488ac8924536a8806d242952da8ade0d4e4ab + EntropyPredictionResistanceB.14 = 0a0148aa002eb800291d3bb5fedcc8a6b80897ce459710f5 + Output.14 = c97f446cd3d9c96f63782925178e879b3fdf0d46a2e67d2489a39c55ded3330d70a7be34128f3e8ea442989ba7ad90ccf7f66bfe1f7c1b17585cfb5786d764a44e39bc021e06a193254ec26b7b93e33fb883408756e651176a098a4b75b3ca48ffc4b66f0f5519592d529500dfb30287 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-224 + PredictionResistance = 1 +@@ -70453,6 +70782,7 @@ EntropyPredictionResistanceA.14 = 3ef188e76f0d26d790b51c9eea46b0a9d15fd631f044dc + EntropyPredictionResistanceB.14 = b2d0c40fc7c3e6fa3fa030d54f4548cc664ad604eb9ebf7a + Output.14 = 966790327a7fd7dad98fbfc5c86d8d678d28dccab766dbe0a10bf917b59e85cfafc1a948b0abcd89fe6cbd30352e8c672a849b2b6b598b495719303d17b22f879361078e1dfc13052879e7fb8613a0d5fe764377e98e8c4d41faf8aac94ebd299caea002a93f5e56b6a78e6869190c33 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-224 + PredictionResistance = 1 +@@ -70563,6 +70893,7 @@ AdditionalInputB.14 = 
b4c6dec979f2875bd6ab575c884b9c82a7f87b0e8536fc63 + EntropyPredictionResistanceB.14 = 812de24e2801b83b5938cf87ccd697d29e1e47dbb773e8ae + Output.14 = 42e656b2bd89c6b87eeeb4cbc88da7b7ea63f2d0e34ccfda69f1306982727b65248742030974bc2013af0fc0e04792ac57a6b33f7a0e1c106b4877abcc43649ea67c7706c2c6a32341ab03f35ef5429b634c546ad46e9f4ed65835246047ec510de96d544dcf5cfd5cf38b1191844699 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-224 + PredictionResistance = 1 +@@ -70658,6 +70989,7 @@ EntropyPredictionResistanceA.14 = f3519a57f18c23306e613cd6701a63b476750bc86a2c3e + EntropyPredictionResistanceB.14 = 970a0425e52d2ec2cfdaf196d46e132483021785e3be083d + Output.14 = 92e7614f08b0bd0356849559567fcc18f467f7ef0d31801c9d38d48adfb1a49d464abca4764e5a9da227d20dea34e9d05535de6daba95db7ae42ad94155f795c06ba3241e897ffdcdb1c0cb1ed2767bc8b1259359e70739b52f87c947fc0ed293990fc1a9d452c18afaf5586a7a4e828 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-224 + PredictionResistance = 1 +@@ -70783,6 +71115,7 @@ AdditionalInputB.14 = f7bd5c7a7e998407efc71f4bc2a6c811edf1687b019ceb9e + EntropyPredictionResistanceB.14 = 84f15292035fcbd61337c733fed157b3e7db3097c2a3bd9c + Output.14 = d59bde2388f07c18be829b8fd08376a93af24145700238175859ee3f89a7dba009c628d749c9ad72abfa3609dd0a5d38ef1abf261225b988db1d3d3183b5c5ffcc19303f4eea88df2df4b65df1ad28796e9ef1340731ad6c3bef33043c90880e3ed5b8b336d5d125b89df17028983f4d + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-224 + PredictionResistance = 1 +@@ -70863,6 +71196,7 @@ EntropyPredictionResistanceA.14 = d16361e926630ea7eab852d3fbaacd4ed8bcd4437311da + EntropyPredictionResistanceB.14 = 15d2ef5b010ae9f49d738919580a99985fa6e749f4f25e4b + Output.14 = a34007c66a63071fd9b88fcac4e0438961458595c5fa9d39453af1a8260a5810461f55cc8bc9135b24713c82d9a8f7caa720ece42a7a94ba9142c7f25120f2cb57265a83e2a40129357234dff36f320935a2e88559a334e33044d6e6694a9485ffc243fde57a28958975d40342d17c0e + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-224 + 
PredictionResistance = 1 +@@ -70973,6 +71307,7 @@ AdditionalInputB.14 = 6a59ff9e4710c11794930434f5084196353fb44fd07b2e25 + EntropyPredictionResistanceB.14 = 7b9f7f89a03e06aaf45b165d68c6275db97352d04c8fc977 + Output.14 = 7f72c56664a786385db6206c39a8fcc6d2ad278abb7270961c79f17f3123b62ac1118a814fc8d22d2f2c0219cf12879bc688056f39d79849c6eb4f3bf2d48939372313d46c6f816205e71a162c8ac3373f39905c19b1003183a14f1a993851a2f9a961bcf3fdeb656d7190c7ed5348ba + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-224 + PredictionResistance = 1 +@@ -71068,6 +71403,7 @@ EntropyPredictionResistanceA.14 = 40da9bf2a3adce3bed58d5ca64411ace999f0dd1be0849 + EntropyPredictionResistanceB.14 = caa117803af0fe7ded86e010dd37e4945fb8b32256663cfa + Output.14 = e1468e54df5d693ae5094982e155a74033e4079dd1086d45a91ee213b3ab4486640dac0342e6aa82f76569ae9d395f5161d82d27a7c6a8573e3f42e7c57ae6bed8a45a177dd35a999e322a3538a9b8cec51df28eac49ca8a7022200963aa0d4d66868c1cb8dd90a1564cbbf8bf26778f + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-224 + PredictionResistance = 1 +@@ -72833,6 +73169,7 @@ AdditionalInputB.14 = 666ab44b022bd295bb6b516390e14c1a7e746acb6437e33b203779116f + EntropyPredictionResistanceB.14 = fb25b91fb031adb53b1d175a68a9202abdd6b3da5d658b7d3d5e815e62d440a5 + Output.14 = b02cd3e20a39877aa2b5288236990b77e0e9e21987583fbabd6ddd9ae2c5316fa51602d06ae57a55a784dcb163504014a21a1ac2290b6232e8e97d186e6f6a8508f7eb6958a0ffff454f91e1c0b2831a594d31445918c92268b380c017f9911e81c82ae23449976252add67ea901463848696eb31453189fa88d2c999b6d9d81 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-384 + PredictionResistance = 1 +@@ -72913,6 +73250,7 @@ EntropyPredictionResistanceA.14 = c5650c33f68b5d33502b1f55e06fe2c1169fb34688a092 + EntropyPredictionResistanceB.14 = 25be4cf15692e3e6ad0ab6ffb22cf3f77b00333517ecb2239c9b81e59a72d087 + Output.14 = 
41f335cf727ffec9ebfe7cb348d11cdb4e5e49a9a047d8342a6656e5d235219a5d80715166698cc1f16e34f743811b820e6ea55c2bdd0db1b97ea2269fbf60c739feed818282f447bfe2bd0b9a7c479144f0016703aff450abbd87a50e5e5af0d2d9469175542737bd116de2a73acbb74d9f0077a227704f271fe0696f071914dcb9c0f0191fee35eb66248eb17991b538649457d5d5f9d4bb9cd81c33a14d2becce003c143c9cfe39ccac51048ef169f6a22143eca721d04f6e147749a44a75 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-384 + PredictionResistance = 1 +@@ -73023,6 +73361,7 @@ AdditionalInputB.14 = 301f91c659f73b618cb46a4343772f1eee9fb4949ec6328109823749bd + EntropyPredictionResistanceB.14 = 24a71d39e627d5efaa1e8f3e5f70114bb03b71ce54e4f8d34e838106b2467cca + Output.14 = 34c532082926e6d530b3a58282eb4666ac7374e8befaa4999dfc9f409e40ff966652295d2940db97061800583bc7d47b053553ad29c89ee61803c1089d30592270d2927031353592d4aa71f59a4bf3f2147cb406322367544c38fa5a3c8ccb534bd884355b06145db62161260162091c795874a2e99e01292a2e39e107738818a211750f858edbe0c2ea4734ad14f1c45bcc9f733f027616926558587f7332be55044dfd6fcdb628ff7d7d581820a217bc64aa092e450722686e0cb291eca45b + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-384 + PredictionResistance = 1 +@@ -73118,6 +73457,7 @@ EntropyPredictionResistanceA.14 = fd947b0a21e580e6c2dbfbd44d01f5fb4a51dcd2199df9 + EntropyPredictionResistanceB.14 = 815302e016aad33254d308c5457f368965c15b6204e191c2a252e4fe88dfb978 + Output.14 = 34f550231d31c1b3a3db331d341ada3b987120d94e431831eea67e8d208f9cf1800549d445fc7befbdcc2488cc7f4340560d574fcd2396e9ecc9a232f1015cfb26db451623fe47ec8bacee1756573e74e519adc62b23ce86fc191ea5e13da9c7a14496426c6c53dfa7c7ccdb67d6164dbe88cbbe7f48d4971993003ab24f3eff18bd52c2661992e8f8da93bfdd28f01fc32edb439ad130352463084041e9871c431ba26c676ecd7812991833113cbbe687651e93aeb22a6a44cffc7a3fb214b2 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-384 + PredictionResistance = 1 +@@ -73243,6 +73583,7 @@ AdditionalInputB.14 = 5a7434648de82a3552e12aff800093776ca3e86565b29c0b3ad6c0bc31 + 
EntropyPredictionResistanceB.14 = 2d6b77ff7e612c7c40cd5231eece4018c5b3c0d8181ab44703f7a04c0a1c7c5e + Output.14 = cfc79a89a0a55dc9c6c6eccdfab5a9935335e806b73bab7f5eff5f9fea6aa3f47bf31f06d987a94e2bc2a4a6144ebe94d6f5aa8fcaabbf86a37c8d412207864322d3057b89fef358740c5962cf9e7c37072847fcaa6db693a5238ef270e8414e2b29448bbcc37dceaa75479c2ac5fee2d6fe9ed68516f6dbd90135ddcae8a12d1c1595e0edc34ea2bf00bee7ae773c240c2bc1ed828b7ff91a676891173eec1dabeecb2184df9186c3bd833e349351481655bda91bc0f4e419fb78e426de6b39 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-384 + PredictionResistance = 1 +@@ -73323,6 +73664,7 @@ EntropyPredictionResistanceA.14 = 6cc5f9e579d80eb1e93876513892307c462383f1b5e591 + EntropyPredictionResistanceB.14 = 2672d3be2c1b741a8a60662e24e2bd6a674def98b16994189c08d7972d275f6b + Output.14 = e7f7f113778234b68dbef00b74b656a52eed3cf3aadab8e5d96d1daa5c253f5ffdcbddbc8dac0acf43a7e2a18303a6ca389db0bd0c5118a869e7e06115df5315ab9962a782281c5c46823d1067a8a5cef28c7ab7aaa70c069841875f02f294e557158da3adfc6c11407d5dc3c783332b4d3e25001b5b1e48dbb45a5ec0c8fbc0343f8d73963b7928e501f5dae8716746a835e121ac748243c90d3d3ba22e11cffd76f53a6e372546e0fd333e46df1056197e5a44a8b69e5b923637212635e6d4 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-384 + PredictionResistance = 1 +@@ -73433,6 +73775,7 @@ AdditionalInputB.14 = c81910a207597a0657cb06cb89897f9ca67aaa5e3289159fab1f36cb2f + EntropyPredictionResistanceB.14 = 0fe27d8d5ab415f1332cf42f7a6eb23033a9c5eed085b3646ac3fd288de95b63 + Output.14 = 080c95ae4f89185591db9f06e68ec25774ebb1fe9e5cf9acb4a6190341d40c78c1b92dfcfc142bd8719da2d09d879875e5eae3a0f7e4030a61904e45dc5f059e550e85f4f2e081f2b7ff22c47eff29944d5f17396cd1712070a2e1c565253a032e15432489c093561ff61b2729ad785e7d3da276a860d40ffec5f766997260ca2f0bfac1a3d20da5602357d9b8c92c97f8830fc1c93ecc68ad2edf2a559a7f52325ee7c7f9c85205016af24e0833fbd54bac2f6bf42266d3b90c0431783b8a75 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-384 + PredictionResistance = 1 +@@ -73528,6 
+73871,7 @@ EntropyPredictionResistanceA.14 = 0877707fdad56cc9c9de7e9fdb0c0314316ebd529920e9 + EntropyPredictionResistanceB.14 = 208e73cb7f1d5cedab1c8b3b53e0e8677e3ef4664cab9a305fec6dc0246256bd + Output.14 = 97d899881e4f6bd01a6030d211643b3c4d27dd7df30956495497b8748998c7bfd74373293f1c992ca303f0d59e46ca98f97acb101113bf97682ff75de95fcbd9c511f798ff76d7a17ded50948aa2ffa15013e1d486de1368c5ff009a2c0ad062fb9045f89d8867aaf8799089bc9b7eebd5a9069690076538a589483c7af29c48b6726982ccecce027b87b1ded6875015195c60604d2e564ee3014d9114f5a2d900829d449a69ae4dc23e5df063c103260163509bfc38690f8d274c620b53feba + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-384 + PredictionResistance = 1 +@@ -73653,6 +73997,7 @@ AdditionalInputB.14 = 30dd5a23a1cc9acb87060b151274df28882f3d442d1b9ee6ca58dc118f + EntropyPredictionResistanceB.14 = d980c14049c6d9e9bfa9340c92ba188091416e7eab2849f347f72840d79f9f59 + Output.14 = 97db825c1019bdd33f0f67b32adb6490a8f38e96fa34658f93edaf6d000ca806bbf7fe6af0b5b17c9e850a6dc41f8899355849f04e58ba0f75872021cfa7cc4410160324312fe8a7b6e9d8f42778a1b8496d9f0bb40eb336039ea3f762147fdef0d53603591b0fdb9f4d0b345c8f1cdbaecca96e5411a960933f52ba9b3457a0058ac464cb30118ce65f027e8a7584cf9eba11754ad3d26d3600a3af3bbaa9caff6ad4a28a8a76abff9c5d710530270cbd9972b90bc767ad7e76eca03dd13549 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-384 + PredictionResistance = 1 +@@ -73733,6 +74078,7 @@ EntropyPredictionResistanceA.14 = bd108a354d8b8448d8add8059b0c40ce026bbd85209c87 + EntropyPredictionResistanceB.14 = baddefae7c08ddd069296022aaedf0eb70e44df7a1aa04a030bca6cf9ad89211 + Output.14 = 8360787a7febcd2965a605f03a76a46bc3b842097936c0df13fb778feeeb3f7c12af610fc1d845ef71d5b4b834f1659004834c107e084de52e2303fd81930eec8aea7fa86893e58ae764f1894965b04bd8bb65a308e4f38d390ab11d93dc77c69e86650bdc20e7a3fc616a996f4a4bd5668d31c6155644867ad93e31f8d78f512a99b6b368350c53adc5de36fc13052e600dffeeaefd06b2a4b969782c046087ac07a4e02aa5302e499ac11e26116186f32d4169454eec4eb29f2e75e544a0e9 + 
++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-384 + PredictionResistance = 1 +@@ -73843,6 +74189,7 @@ AdditionalInputB.14 = 8316fb114ead33f4d6cf236cc711432f42a699c1c8207865428de36375 + EntropyPredictionResistanceB.14 = e4e9129ee1cc84738d8eb8db7404da8c0f9f16a5dfe1b2cd99ed2b08bfe635ad + Output.14 = 18daf46771e8acd38c2cb82aa837a239a145c48c303dc26feef47d5cd74b01cd53546fe54e300bd3212e1c13c1bf3a9d17165c89399539c07e30816ab1c7bd1b598e1b07cfd4ad0785cf6f6a5b835d8f212c825a4ed2d7821bb29255428c468c84ec2e609cfe23f79468f60b236ed228b5252a95bd4c0bfef62f2b640c7823e32d72e5f1bddd56835e0b8428ceafada24efe0de582678545de63cbdeee77d6b3929d83d9b5db2134349444926c6fdf2422c786a67e017a8f98659b9c80ce95ef + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-384 + PredictionResistance = 1 +@@ -73938,6 +74285,7 @@ EntropyPredictionResistanceA.14 = 7a7721ea04f0e15f08ac5bc6f52ba3cc2c9f62f0bd8adb + EntropyPredictionResistanceB.14 = b38c8a67366b0aa435d71cb0050039a98447b1a40a0eeec63b33eb6b37e2edda + Output.14 = f5fd860edbe302d1448ff77d56b368c4eb156490aaf07a640a87a7036201fb816bf24066b7caa9cdd709da7234882939e717298193f9dcd634c8975dd95ab56c38e8407db56dd8713b0c85842f85516640d3faa7b5e12a390ddf0d4d80c96a407b9a2a4767fdcf9c37d504134dfe0a90c8b10ec9bbcdbc56e54180022461c69379c7aed3f5732e1e56d03d078bd8b6e7c621f518a631f0eb493d5b747877a9cfcd06e61674a2f5295a91830b5dae43e30c1e72fc8c91528acd13566b723acd6d + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-384 + PredictionResistance = 1 +@@ -74063,6 +74411,7 @@ AdditionalInputB.14 = 9fd99df9cba9f0cd2445ad2d4b2c6d34c112d882b7c364b1d52f47d880 + EntropyPredictionResistanceB.14 = 3c2b67fcb3929cbfe60ea272a0295c1a59c631ba2f9619c0c93337646731a8df + Output.14 = 
cb3c238037a3165f17d416dc04fa07a41eeb7041afb26f5d02de1ae45a9ddf37eef688c9c29ac05fa9dfc35947123cb3db0125f5bd5453f4e48a3b2cb027465ca74f9952456d3bb0efdbc047f96a201e78d813ee37e213240eac293479444723d63148333d93dd7cf81b2e19a7c6feb217c32b25a4cd184a8bf7c2aaac149744cc53134d38eb4a2bcdec0d69950171847fa97d0766a19c3f96e9076520d25b1741a9c4fa31bcfd6b3ad8e4aad6f0c33751d128b9bdf4975e0819985c3b00dcb0 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-384 + PredictionResistance = 1 +@@ -74143,6 +74492,7 @@ EntropyPredictionResistanceA.14 = d5029f8d6b538542043669856f1f443d1b0cba26f5a075 + EntropyPredictionResistanceB.14 = e184b0afcf6bc3bf9c121b0df5aeb8f8fb94eeab939de04b5deea470ab94de15 + Output.14 = 86c8cd6a92b103b0d88e54be7d4c1a9f8e2ebfebeb66cd812298fcfef3a7eb84dd84d0683a12497716c4325e8105b39c9841dca2d60da1dc875b904839b18d1681805d058faa0ae897bdcea8528b8e99bc6899f96ce635f3176a645224d668afedaef3d65336b91c78cbb7f0a5090e95938e15f0e43d827bc22a4cc714aac95d69b90553b06a9f3a76cdc0e04d0f6e24a91ef5468bee2f77b631d5a5bd95d74eb91be516027c86a17240611746aa99c6c84003aad7b809c0ae72f221c564c8ca + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-384 + PredictionResistance = 1 +@@ -74253,6 +74603,7 @@ AdditionalInputB.14 = 1161d440c1db4c8bbef4967dbb70d8054c1713dac5c1bf62866e1f0327 + EntropyPredictionResistanceB.14 = 5cf03ac2109ac324991b13b84b25d44bf6edd86f634a2358c3eccc9e3f477ee9 + Output.14 = e0793def2fb3674f7401517bc0645973b7f97091c3b96b3bdcebd96b882ed393ed38f7b7f5a6e381dad287f642c99e9cc6b6eb090092e468c96d743b20c7c71371a1c64637256d041211300213a9aa330c05e80db3456de1d55e6d7e3aa3d7a501450ec24c74da213b7184f4ee481c416f6b7e0877d947393921b72a6636d642c8d33b9e57a35efa2490d37f8fe584644e0c19a54941248fbbd2fa31310a4592926db7092f5e8b3ad1111454e04705f79e46f4f6e4d109f4c0fc67a253550bb4 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-384 + PredictionResistance = 1 +@@ -74348,6 +74699,7 @@ EntropyPredictionResistanceA.14 = b35a6d3ba1b4b3d62389ff2dfe1a8a9ff527d4fd3b2cba + 
EntropyPredictionResistanceB.14 = 325043f919f312cac2102d97cdc26a58637120c01c09448be861dd97751e8672 + Output.14 = 32ccfedd45cd80172e146ce0982f6046a96735237e6df0033eb5d61d134383efe454da37a8ff31689613a808ef649f5eada3214ea50ff21b673bd407662006c157f98a36418bfe72493134f6d8e2b5276610d6626977cb725d43a526ab523ddb97ce76e6802c60da568402ed854bb9e1af9cc74f123493b19b765aed7dca28bfed8bfaa58601c1f2d1e1b782b83337cd42c0c304e7415da0ddffc9078d42fe6b59e5454dfcd71d59cdd453303018c28015d88c914b62d8c3fcb94eaf5654b02d + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-384 + PredictionResistance = 1 +@@ -76113,6 +76465,7 @@ AdditionalInputB.14 = b969d2503e5dea21ce90fe8ce89cf9e6e9165313fbf44286ca91a689b4 + EntropyPredictionResistanceB.14 = 0735d5d8322df6f7568e2bb29a8d63461d8b28ed9af5f7323ab96292c31cb59f + Output.14 = 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 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/224 + PredictionResistance = 1 +@@ -76193,6 +76546,7 @@ EntropyPredictionResistanceA.14 = f80eee174bd5b1b8abdcbec30c62b3aa85ade4d9a43e2a + EntropyPredictionResistanceB.14 = a150d5528a5f79914074a783738af08eae5c95b49f407929 + Output.14 = 88ff82264427067d717027de8edc886c01c782379ccb937cd6434703d4f0ab13acb4142149372fffc793813733ebdc9058c85d900f4e442a2369c16057e4dec1a75f5c5858d2fd1d69a48227b293a953b24fe38adda48f080a9cc5666e299ce301d2f230ad5581fb05aa78a00dd35a9d + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/224 + PredictionResistance = 1 +@@ -76303,6 +76657,7 @@ AdditionalInputB.14 = ee19a759562c231ecfc777c588087e790d5e170956b11c08 + EntropyPredictionResistanceB.14 = 4a004a5c4a0ec328a0ff26ac0aca82ce35ee9064add86094 + Output.14 = ae21ee878e4664c73f22e88ec4a646c0192b5c52a7bebb7b17a94a7c4630568b81da000983bf0d1a96e96432175a214ce7bc9332bb7e99f2a81e588ee4c1120c1eb22cc6b24a386ac5a11c4d63de4f20bfc8d9e4094613730f900ad7b54498954040a1fe7b53cd2a0989b3bf8946aa1e + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/224 + PredictionResistance = 1 
+@@ -76398,6 +76753,7 @@ EntropyPredictionResistanceA.14 = 4f0d9e7c269ab360dbdf47e9ea7d655c204dce80082451 + EntropyPredictionResistanceB.14 = 8290ade448d2d83445b96ac682366659b228f952faa1f9a3 + Output.14 = 0d6bd0196ae2b3af4a750e4ea529b353979b30ab1bd05e96bf3c6f0c40b527ad07d90db5a1f392fef1d33bac5cc2a47cf4d9f20b8388a922d869f073e65ce6340cf30d45645a03a951dadbe81cffdcd145a32519658d0efe9f28175871b45cd6ca16e4efbd37802a1b88682819e5800a + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/224 + PredictionResistance = 1 +@@ -76523,6 +76879,7 @@ AdditionalInputB.14 = 4e29e32346671af3b726d7030ccf470f72ca369687b489dc + EntropyPredictionResistanceB.14 = 21d5eebf3f54780f046fe2cffb2cc9b52eed850d1b44d675 + Output.14 = abc8ffaebfda52cf3a9bc037b965f9e97ba7aafbe1575efe8fa7182229d58a2d1282776225af0ea87dd79de7b210f654388c718f8dfe22aedbb4cfe92a964664904b960f2577f43f6c48783a8423788de7aa693ed859c8269e3c8b8b59eca1659c0473aae8b0a444d4aaff23991709cb + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/224 + PredictionResistance = 1 +@@ -76603,6 +76960,7 @@ EntropyPredictionResistanceA.14 = 02496883d50bc28e037a370890edab9be1a69e003e70a7 + EntropyPredictionResistanceB.14 = db072d2518f7b6b73292f7e167bec9cf5fcbeb265c316ae5 + Output.14 = cc01e951f15bdcfe94288a0de84ce187bad281683773f1b8341efecba656d62528ba91ca864c440b085be142dc565c1b7a326dfc9ac47a84623c2cff20b6c047d2f39e3db0b02fab4c1ac82e63bcc06b032c16f6e9ddd8c60f03f5b55cc40acb3b5e2de6ae3938f0e2fe21d72134346d + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/224 + PredictionResistance = 1 +@@ -76713,6 +77071,7 @@ AdditionalInputB.14 = cad366cc562a45f74fda0bf6fd3eafc0f3dd59c666b33881 + EntropyPredictionResistanceB.14 = acbf8dcb97c61718c9cc8adeca8873e31b794086d7b84cc3 + Output.14 = a6ddaf00876c5bf50d7a2f5b986a770685f64ef54e2273c51ec1e594378fcd08f16316d1589f1c5948f524b3fd57d40b4ad732ae06f3bfb5359e6282105bc70fdddc9d1920c5092cabcf0c8ec14642d50be19de439ffafdedf3ec9e0672eb7754814eeea09430d65ba181525c616c31d + 
++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/224 + PredictionResistance = 1 +@@ -76808,6 +77167,7 @@ EntropyPredictionResistanceA.14 = d1c3175c4853102ed4b306eea013cc448d325938c52940 + EntropyPredictionResistanceB.14 = c0139e13d5d7c5bbf9c2394973d00487d49d4241ae7e90cc + Output.14 = df70ba5809a640b8fa1ab712d6ea7048f8609944d63bf4fa958556ae020d95a9011ddf0041a75b708a372a486e9ca8e0d2c361e4f75171710ab42d49ba3c0b6dfc4b3614b3577ddca5adbfb2d096acc4a72bdf1c6113cf6f0bfb5e8f1d69ef0a4a4edae75ccafd614ae1e718f60e3196 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/224 + PredictionResistance = 1 +@@ -76933,6 +77293,7 @@ AdditionalInputB.14 = a3c2f11654592e478c8ac1a1fce2224627ca37bd0efb44ab + EntropyPredictionResistanceB.14 = f986d7f33aad227e98d9087fe30c34f1c18b42f85d56b72c + Output.14 = b1fad8f7950787c949b41dbc5581069f0920058614c3ea7bf1edf3812027a4c989d8b029e08c4ee77c76c4457aaa3d89dc775c6c60bb125dfb969729fe669152a173256b4d2181e84bbc63bcad8ae645f4371682a39ae65d00f004e344ddff5374b257d8881f63d4ab960017258815c1 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/224 + PredictionResistance = 1 +@@ -77013,6 +77374,7 @@ EntropyPredictionResistanceA.14 = 42d19ff5c985c31c955a0aed5ed02581ffbf2a0ae62d78 + EntropyPredictionResistanceB.14 = 7f9af6a606c9b315c04faf5ce3c0412092edb19f9463784c + Output.14 = 219072e8b6d939f75ab90edc91ade50b8e40f2c1fae68aa5fb5bb297506ebc5f18d20492b55fd73ec118e6d74e4796c1dd28d50f903dca70960ba66b33b0a6c3d06e2ba79eada96b613324914b19224f0c710af7793722687f9d464093fc651a5d613b03c6d71bcad9bf2c74a4844718 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/224 + PredictionResistance = 1 +@@ -77123,6 +77485,7 @@ AdditionalInputB.14 = ecced4ace2d11cb2e02c253d81d15ecfaf555a51189d2051 + EntropyPredictionResistanceB.14 = cff57ef512d7da05e7ea7d197c797962099c64ad89f52a24 + Output.14 = 
40f8480b22c24bde9c66f91761b1ecf25a6486024315b58028ddb8a88088f7deffc671a9465671c370f7877527e72c4259669890abc4efbdbb09550a84fa2f60a41d74c9d7960d5fa05e9f66ecd5ac344970aacc23ab1361d364eb697abfd6cd621773f4ea7ec2dc7795cc533abe664a + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/224 + PredictionResistance = 1 +@@ -77218,6 +77581,7 @@ EntropyPredictionResistanceA.14 = 4de293b3ea5c26925d39d5376ed5fd43b9b775b80c6cac + EntropyPredictionResistanceB.14 = 4e7f27a772fb8de77031b24cc514c06086de59989856694c + Output.14 = c1ec91ec7585ffc05d765d0a9e30f62bcdc115426af9947eab68b6c9a88e6a11890704b623eb7acaec77bc6988da9246e10aa3eaf65380f3083bbecd4a41ccb09879ed9c46669a78102b7822b157d0d2a3bf09b452300ccac217db03b455382d8990e3bdd9a2a6461b19dfdfbad5910a + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/224 + PredictionResistance = 1 +@@ -77343,6 +77707,7 @@ AdditionalInputB.14 = b87bf3d164ac955913ae4a780ac654d9a67c37c8df1f79c7 + EntropyPredictionResistanceB.14 = e2b5224119118410592ae0b238dfd75ad576b3eaa1848313 + Output.14 = cbf31760cbefcebf50289b9ad8e9443cde14fd6beee80c0bae83cdf77deb6e9c77ddcd0316667373b28b9431857e6e7cdccd8b6906927f66b362452325339a035b23baca8ce1697663e4879cc2084fceed28e9bbb2dbb91f868ba7626f6b7e5ea87eaa48ca50f9b76ac2c74b39bc9a86 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/224 + PredictionResistance = 1 +@@ -77423,6 +77788,7 @@ EntropyPredictionResistanceA.14 = d931a0cbda3985a34b0a2eac42e9bc5ead10520de4e7d1 + EntropyPredictionResistanceB.14 = 518e2480b742f9c30098a6d543d1669678084b3208b5375b + Output.14 = ef57d91db4d94aef743f1528e0c27b69654e3a854fb7479d25a8796b06c85884f328db9a09deb9be55cdeb9cca2a5a00ba56e28d2fa0057ef1ccb00b22a0a747bf15e7b303b990bf2fc3903f96cc55e69d8808c9da93231e5e859f7ec9edc9961dfc9b30b30ce0f43a3d65da93a82377 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/224 + PredictionResistance = 1 +@@ -77533,6 +77899,7 @@ AdditionalInputB.14 = 51f6a64ad57705cbae6b92cdeb622a0701f5500e6ad7eb0a + 
EntropyPredictionResistanceB.14 = d5f8c2ba94bd849bd1434ff9d0b72517a7e6d381f13387a0 + Output.14 = 15d882c8ec0a8ff1544813ba2a6cebe81281117628fc4e79371b7e84027d0d9322a76e42c733c73ba90c4b204bbe329a4ff344c3fd8204e0c220154ca9cd04c80457cebc33f9466c33358fe1c05d49bf83d174f8abf530b46b701c0ba24b081dda46ae38f58815a996fe878fa6884845 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/224 + PredictionResistance = 1 +@@ -77628,6 +77995,7 @@ EntropyPredictionResistanceA.14 = 7ac8115615a29c535ce9b45d3e57d6f9ab0e6d4a021fe9 + EntropyPredictionResistanceB.14 = f6ab8840edeb3c20d7bddf7fdaa5c980c58bfd116551d1ae + Output.14 = a85a3ede0e85ce593be2a2a2c650d49a740e9b8f07c24348d2bd968c917d442ed8de8a0d8ec8ff09ff86e6f279159001382cdb92f4625d12365443881df226c9a3833ba051a92f29fb55b788ab4b2d01958b9c067b43bb86c4e547b24e609e0d86aa3b75ea8d73e2c90092a50bcc6ce9 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/224 + PredictionResistance = 1 +@@ -77753,6 +78121,7 @@ AdditionalInputB.14 = f0431c9d8925aaaf8f28d112773e5f5fed7feff633c9b056 + EntropyPredictionResistanceB.14 = 5e27635c34a1b793b2b1f23c9a72eb3e58c6ad63ac752dda + Output.14 = 20a84f074794921d7c1ba7463c4cd5f165ef6ff003555a69a71d529ea8177b3b4845898f031428b320b9dc59b16260d80baab34e7cc6daba5463cb496e4a6588ca5f3547412e63d36d560d9549f87a3ca346968f4dfdda3d0cf9b82384b3e830a8368c659c5aea26b03c4bbb8bbd3878 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/256 + PredictionResistance = 1 +@@ -77833,6 +78202,7 @@ EntropyPredictionResistanceA.14 = 33fd3300d120786b2f756459b222b72728c1b2c53d09aa + EntropyPredictionResistanceB.14 = 96aa233b407f0cb14d6ecf2a243efcd7c1b7ed3fede97dfeb269cf8331189412 + Output.14 = 6a34b428c4ff416d3ae907318928663ac8683ef6328d37b19bd2c179aeb7e56a73c6ed096ebfeb85a263f2c868fb4a2d977d5d41fe12b135b1c9017555b36a9f6775a43c42be37a78eb067f520f091ccd94b38c62fa7d48c494b05b072fee34ba262a4fe1a70c98fea2fae40513723a52d6ea44f5fa168f4c03ae2c73d793ef0 + ++Availablein = default + RAND = HMAC-DRBG + Digest = 
SHA-512/256 + PredictionResistance = 1 +@@ -77943,6 +78313,7 @@ AdditionalInputB.14 = 2563ad078ad8eda919ed40a81b634073064c22f2b21926bbd9cc1d7c2a + EntropyPredictionResistanceB.14 = 45ddc44189bbcd60713c40e811d6b2acdd1659c670f715703f5b80eb4152311f + Output.14 = c2554fc1931b72acd98e4949707802ab471c4f2eb62813f87f137e698cf89a13fa7366a97b49587d9a0c4d42a62eb0bce27e2ce0e67324739c49eb180216beb51fc82d45b7900fa1c2d3db3a0c781ef93ee57f6a186a61e0f0fd25a8d8d2d9170bd18714cfc1a6e7fb6dc992579cfb0306de5b67c01522b3ea3955d63a775cce + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/256 + PredictionResistance = 1 +@@ -78038,6 +78409,7 @@ EntropyPredictionResistanceA.14 = e43ba5b540971c4f02f0212bbc0ba521f3e64a627c1d0a + EntropyPredictionResistanceB.14 = 3ca4a33a72e7aed850e64984c28407327d94e6858a65d42b16f985d010b783bd + Output.14 = 2567b74d4d1eeceb6321817f5ada210954643e1212b766bf2eb84d2ce6231c58e346ed57824c409f3c73de40395608a7d3c52708f07ee7e721b7c42ccce5b0baae67364e1cffb7fb0e363eadf3415c99bdc7b730b8c66201da1f8a2290cbd6165912484def03a96b237b793b76b76043cf9fadcd5e66ea94e6110c4b2b025232 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/256 + PredictionResistance = 1 +@@ -78163,6 +78535,7 @@ AdditionalInputB.14 = 7978071c7a648cf7f02c9cdf544d6ff9dbe3c5636f73fe50deb7e89695 + EntropyPredictionResistanceB.14 = aaf9320ee7c103d51512232305aab44b946a73ddb13270f42903a37f84c9da01 + Output.14 = cf5ed4b6208a0db15373d472e240dee04a34e630000f9751cf8d3f15dd6a4fa3a4602ec539dbb1811978493f920e84b2e3ac78bcfd619b6c4e7e0072381a7bc150a91b31a0280dd843ca1c4332ba0757d6f6f0f2f830a623cb78011dec8c4d844f71427b09be4e9fdff4bc1cf3a72a773e06121cd8792232d387170a66ca384b + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/256 + PredictionResistance = 1 +@@ -78243,6 +78616,7 @@ EntropyPredictionResistanceA.14 = f124c88bad32cf4ff49ccc4271c7f4046f277c0b1fc73c + EntropyPredictionResistanceB.14 = c32b11359b7ed121c87b85716c2ce83aebdd46cd4c19168ad3930be351ea1ff9 + Output.14 = 
9f382e0382f2e6b3ba85ace2cec7301ea6f7d0d3b0895937033df9f710471e468b8162492d18ab45ca809e8aa2f37c15ec599d4b2774947b90c269bc2f8553e639f21e1c371f7a49edb4cb4e51bd1e9fd7d66e3b313ce227373dd2548870378206b4b5fd0d22c48ce03a72003be53ec378d9eab25bc432c7a8bd0eed89adf941 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/256 + PredictionResistance = 1 +@@ -78353,6 +78727,7 @@ AdditionalInputB.14 = df48314d76c0d698923dabd3d23024ac2aa5fd236ad3c6e3b4cf2244a8 + EntropyPredictionResistanceB.14 = 3387fb65c8c1dd5e3d4f64bebb45da1a7e288a22e16f2fbb882dc2f9534717e5 + Output.14 = 31998e0784579bc7aaf5130b747eb295a089a12c1844406aa18c06f19607a2e497adf5352e10c145b3cd2a2532389f771af3028042605f0abe705f8540561c4e376d405c6f2dc23b3d3fe0c14790beea99705e69fac2518154613680012c5a140d45fba7e381f55c61ec7f3850dc586bb1f3cf928685a9d60e06fd93eb1fd8cb + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/256 + PredictionResistance = 1 +@@ -78448,6 +78823,7 @@ EntropyPredictionResistanceA.14 = bf2e966737aaa8abbccaa45ac5371db4c4dd0bf2b3c9f1 + EntropyPredictionResistanceB.14 = f316f2613b068f607c2fb5218e037c5ab1d80b7d75fda419a7e0caedcfd7ce1a + Output.14 = 36e385da783dd146364fead3dc2dc71bdaa6d30c6ab5f94e007b1ced51b2f45947c57652e305204a0cad2ba7b43056461aed10132d89aea8f9ec7ccf0e7487aa2d97fc40f65b399df732b03f8e6834903c60e2e5d6f5ab1b3a034b3eaaa73936770324ea02bd2830e6b26e00d7b49022ce0454afcecbfb912511cd13090d9693 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/256 + PredictionResistance = 1 +@@ -78573,6 +78949,7 @@ AdditionalInputB.14 = b395f988467a2a5f4f3ddef792f16f2461886caf9d6f12c4d643d20775 + EntropyPredictionResistanceB.14 = 22f2693142e42848bf4c00f65337ec2405cd22bc06c6d035a5acec0a5b7d5d9a + Output.14 = 3edeba227da675e1b9e684317e54c4537691f9a412102a21e32e699ff0c6e95655d3342e94daf37dd08114d16b45328795e24d7381195711792226769975167ccdd10df89410e485c880865676a081ce6a61641fc805d6d06cb4aebbc731de0a7df69ed1107da07821d64e9f8bc124f094bb799fe50a001914a47221a45ca2c9 + ++Availablein = 
default + RAND = HMAC-DRBG + Digest = SHA-512/256 + PredictionResistance = 1 +@@ -78653,6 +79030,7 @@ EntropyPredictionResistanceA.14 = dac0795c36fd9cb6eff0cd7137190d573dde7148fc19c2 + EntropyPredictionResistanceB.14 = 1a29a4fb16a73c2c187c6d1b5a1a1394b63b6878abcfffeb94aab5dcd593037b + Output.14 = 835efa36b1ff38ed845f3c2e8f5ec0f89a60f7def6d36f8577192625fb89cb634be535a791e28b1c27320e40f594b1705e712e43856a1a5aba0e98b987fd1b5e6ca78458c98b3f8de449f4f23d0dbfe374e8241a2f12b6cdaeaa896b9953c32d756fc2b70e1edcde45aaab0df6e816fe0d04b2cec88ea159dadbae9b1eed3125 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/256 + PredictionResistance = 1 +@@ -78763,6 +79141,7 @@ AdditionalInputB.14 = a908058d07b69a7e7f53869d81128e47303fffa4f0400b3bee7acc4e45 + EntropyPredictionResistanceB.14 = 040c9859c26e54e9d5f92485888bb67acc5092ce679e6a54730ffebaa0fac226 + Output.14 = 3caf4baa5fab5bed4d50b0b4ace9c2ec8c21a1e952d81ebcf23a6cfbd177f53168a876f7e5b7d2c63cd7bba4a1b61b3ef59e1cf87b353ff64c7f798fb0c5d6e375fc1e8653f8d22be965abcc87f178e4023d1ef85baa278faa1eb205e4c05219222f543c5b9ac6a86b00071e34a7b2b9c6983f8ab6f187295f5095b801466a76 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/256 + PredictionResistance = 1 +@@ -78858,6 +79237,7 @@ EntropyPredictionResistanceA.14 = c689be45ecddc94daaf823c6ddd6491b028ace5c25c407 + EntropyPredictionResistanceB.14 = 2f81e665f02331531ca37635b8664ba5641b8a200031677aba00253f8f1fe035 + Output.14 = 9bfdeef565b0979be0f88e3b9e283433bd1fa2333662445302aa84332aa601a61a5b3d449eb5fe33db385254571eedff49b8d2f49ade41c12133263d447e7edf49998f5c05582504775f5b18bc7a0c075c6bfa4596178d95a019402937712afe69f3ad534fd44259312c63f1970b3d8bd404e758c9e884b19330350020896b37 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/256 + PredictionResistance = 1 +@@ -78983,6 +79363,7 @@ AdditionalInputB.14 = a63bd3ef8cfeca1e2552bc111786a992526802e51cd30f0e9e7b7a398a + EntropyPredictionResistanceB.14 = 
defd0a8320a31b94998e74e0e5e40422e80735b281b9901e9fd1c8ecc50ff2b3 + Output.14 = ffc830d5029f42c1c9aa10d6d90d94abf3bc39269bf4fc4a4ed14435a985cb14da64d79ad4d8951e582b0b793836ef3380dff4d063682a4e8ac8796ca74e74d3933e5111bb92d219b72b28f4198b23446e422aaa7f33ade182801506aec4293fd69c3fc86cf39297867d16b98738740f1b7465043e0eaf7480d1c328ce2b4cfc + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/256 + PredictionResistance = 1 +@@ -79063,6 +79444,7 @@ EntropyPredictionResistanceA.14 = 29fa15be2259b4b164b3d232809cd7eeb3c5c24aec81c7 + EntropyPredictionResistanceB.14 = babf7813c6a24d4e68e09025a0d3b0242e9a98779ecdcaa64baf1ef82e8d4a77 + Output.14 = e6528c03849f1535b6f443e30817d3deccc7ea4699fc88ec9d6f3e28e72cc4b199afa5db7ba2da1ffd1a1ce7aa1a15be4892d0d98e27332f6d45ed63a2636073d12b8a99089ac5b55c93aecdb5e584e32ec75e44390016421822158d3596daaca561245bf1b8740d1f3c885be5149505f9591b0679f9b88df45741b767f423ec + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/256 + PredictionResistance = 1 +@@ -79173,6 +79555,7 @@ AdditionalInputB.14 = 711bf57411337724960392a9319e580c226abff909e28d4696fcf5f0e7 + EntropyPredictionResistanceB.14 = 9fac27583fbf9335c2a8d7f1edfb99b18ee5f8e58e537749fb674bcb46ef537a + Output.14 = ab08f911c4c87135c3f9de33cda823f91a1a8cdfd10f59b81f77dd2158890634f7c5373bc40e158a7881f62a18b0b553d3f075fb96112a04e39ad6918fb2f139ae6fe11856e6a0f17a2e1c0cf88ac49563c08ba5c9c48ad6a7a99825148132ccf3a9a46b92597d0a971f33e43c5a3746c0d8564e19d1681173f24e22fa54521a + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512/256 + PredictionResistance = 1 +@@ -79268,6 +79651,7 @@ EntropyPredictionResistanceA.14 = ed3bd1e78d7f3cadcf45170dcbb605913140f68bdf4e36 + EntropyPredictionResistanceB.14 = 214b7501096bf1d7605e9082a9238334ca15522cf2eed77bce6dd3872106dab3 + Output.14 = 
bdd8721d12e9cafb73070a13d70db1020e95cac5f93037716ae10045007f5ecb8ea90c529e9aa8b0f312a2f81a5086713509e7909bd7081d0c25a33971904e3b90b486c71e185c752311dfa309b53c8cccd9cde63868bced00af0113eeaa77395c717792373ea708973a2f084dfa050cfdd0e73a8c51cc25651cdf8b6b8b3a02
+
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-512/256
+ PredictionResistance = 1
+--
+2.38.1
+
diff --git a/SOURCES/0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch b/SOURCES/0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch
new file mode 100644
index 0000000..83b5b0a
--- /dev/null
+++ b/SOURCES/0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch
@@ -0,0 +1,288 @@
+From 4de5fa26873297f5c2eeed53e5c988437f837f55 Mon Sep 17 00:00:00 2001
+From: Clemens Lang
+Date: Thu, 17 Nov 2022 13:53:31 +0100
+Subject: [PATCH] signature: Remove X9.31 padding from FIPS prov
+
+The current draft of FIPS 186-5 [1] no longer contains specifications
+for X9.31 signature padding. Instead, it contains the following
+information in Appendix E:
+
+> ANSI X9.31 was withdrawn, so X9.31 RSA signatures were removed from
+> this standard.
+
+Since this situation is unlikely to change in future revisions of the
+draft, and future FIPS 140-3 validations of the provider will require
+X9.31 to be disabled or marked as not approved with an explicit
+indicator, disallow this padding mode now.
+
+Remove the X9.31 tests from the acvp test, since they will always fail
+now.
+
+ [1]: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5-draft.pdf
+
+Signed-off-by: Clemens Lang
+---
+ providers/implementations/signature/rsa_sig.c | 6 +
+ test/acvp_test.inc | 214 ------------------
+ 2 files changed, 6 insertions(+), 214 deletions(-)
+
+diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
+index 34f45175e8..49e7f9158a 100644
+--- a/providers/implementations/signature/rsa_sig.c
++++ b/providers/implementations/signature/rsa_sig.c
+@@ -1233,7 +1233,13 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
+ err_extra_text = "No padding not allowed with RSA-PSS";
+ goto cont;
+ case RSA_X931_PADDING:
++#ifndef FIPS_MODULE
+ err_extra_text = "X.931 padding not allowed with RSA-PSS";
++#else /* !defined(FIPS_MODULE) */
++ err_extra_text = "X.931 padding no longer allowed in FIPS mode,"
++ " since it was removed from FIPS 186-5";
++ goto bad_pad;
++#endif /* !defined(FIPS_MODULE) */
+ cont:
+ if (RSA_test_flags(prsactx->rsa,
+ RSA_FLAG_TYPE_MASK) == RSA_FLAG_TYPE_RSA)
+diff --git a/test/acvp_test.inc b/test/acvp_test.inc
+index 73b24bdb0c..96a72073f9 100644
+---
a/test/acvp_test.inc ++++ b/test/acvp_test.inc +@@ -1204,13 +1204,6 @@ static const struct rsa_siggen_st rsa_siggen_data[] = { + ITM(rsa_siggen0_msg), + NO_PSS_SALT_LEN, + }, +- { +- "x931", +- 2048, +- "SHA384", +- ITM(rsa_siggen0_msg), +- NO_PSS_SALT_LEN, +- }, + { + "pss", + 2048, +@@ -1622,202 +1615,6 @@ static const unsigned char rsa_sigverpss_1_sig[] = { + 0x5c, 0xea, 0x8a, 0x92, 0x31, 0xd2, 0x11, 0x4b, + }; + +-static const unsigned char rsa_sigverx931_0_n[] = { +- 0xa0, 0x16, 0x14, 0x80, 0x8b, 0x17, 0x2b, 0xad, +- 0xd7, 0x07, 0x31, 0x6d, 0xfc, 0xba, 0x25, 0x83, +- 0x09, 0xa0, 0xf7, 0x71, 0xc6, 0x06, 0x22, 0x87, +- 0xd6, 0xbd, 0x13, 0xd9, 0xfe, 0x7c, 0xf7, 0xe6, +- 0x48, 0xdb, 0x27, 0xd8, 0xa5, 0x49, 0x8e, 0x8c, +- 0xea, 0xbe, 0xe0, 0x04, 0x6f, 0x3d, 0x3b, 0x73, +- 0xdc, 0xc5, 0xd4, 0xdc, 0x85, 0xef, 0xea, 0x10, +- 0x46, 0xf3, 0x88, 0xb9, 0x93, 0xbc, 0xa0, 0xb6, +- 0x06, 0x02, 0x82, 0xb4, 0x2d, 0x54, 0xec, 0x79, +- 0x50, 0x8a, 0xfc, 0xfa, 0x62, 0x45, 0xbb, 0xd7, +- 0x26, 0xcd, 0x88, 0xfa, 0xe8, 0x0f, 0x26, 0x5b, +- 0x1f, 0x21, 0x3f, 0x3b, 0x5d, 0x98, 0x3f, 0x02, +- 0x8c, 0xa1, 0xbf, 0xc0, 0x70, 0x4d, 0xd1, 0x41, +- 0xfd, 0xb9, 0x55, 0x12, 0x90, 0xc8, 0x6e, 0x0f, +- 0x19, 0xa8, 0x5c, 0x31, 0xd6, 0x16, 0x0e, 0xdf, +- 0x08, 0x84, 0xcd, 0x4b, 0xfd, 0x28, 0x8d, 0x7d, +- 0x6e, 0xea, 0xc7, 0x95, 0x4a, 0xc3, 0x84, 0x54, +- 0x7f, 0xb0, 0x20, 0x29, 0x96, 0x39, 0x4c, 0x3e, +- 0x85, 0xec, 0x22, 0xdd, 0xb9, 0x14, 0xbb, 0x04, +- 0x2f, 0x4c, 0x0c, 0xe3, 0xfa, 0xae, 0x47, 0x79, +- 0x59, 0x8e, 0x4e, 0x7d, 0x4a, 0x17, 0xae, 0x16, +- 0x38, 0x66, 0x4e, 0xff, 0x45, 0x7f, 0xac, 0x5e, +- 0x75, 0x9f, 0x51, 0x18, 0xe6, 0xad, 0x6b, 0x8b, +- 0x3d, 0x08, 0x4d, 0x9a, 0xd2, 0x11, 0xba, 0xa8, +- 0xc3, 0xb5, 0x17, 0xb5, 0xdf, 0xe7, 0x39, 0x89, +- 0x27, 0x7b, 0xeb, 0xf4, 0xe5, 0x7e, 0xa9, 0x7b, +- 0x39, 0x40, 0x6f, 0xe4, 0x82, 0x14, 0x3d, 0x62, +- 0xb6, 0xd4, 0x43, 0xd0, 0x0a, 0x2f, 0xc1, 0x73, +- 0x3d, 0x99, 0x37, 0xbe, 0x62, 0x13, 0x6a, 0x8b, +- 0xeb, 0xc5, 0x64, 0xd5, 0x2a, 0x8b, 0x4f, 
0x7f, +- 0x82, 0x48, 0x69, 0x3e, 0x08, 0x1b, 0xb5, 0x77, +- 0xd3, 0xdc, 0x1b, 0x2c, 0xe5, 0x59, 0xf6, 0x33, +- 0x47, 0xa0, 0x0f, 0xff, 0x8a, 0x6a, 0x1d, 0x66, +- 0x24, 0x67, 0x36, 0x7d, 0x21, 0xda, 0xc1, 0xd4, +- 0x11, 0x6c, 0xe8, 0x5f, 0xd7, 0x8a, 0x53, 0x5c, +- 0xb2, 0xe2, 0xf9, 0x14, 0x29, 0x0f, 0xcf, 0x28, +- 0x32, 0x4f, 0xc6, 0x17, 0xf6, 0xbc, 0x0e, 0xb8, +- 0x99, 0x7c, 0x14, 0xa3, 0x40, 0x3f, 0xf3, 0xe4, +- 0x31, 0xbe, 0x54, 0x64, 0x5a, 0xad, 0x1d, 0xb0, +- 0x37, 0xcc, 0xd9, 0x0b, 0xa4, 0xbc, 0xe0, 0x07, +- 0x37, 0xd1, 0xe1, 0x65, 0xc6, 0x53, 0xfe, 0x60, +- 0x6a, 0x64, 0xa4, 0x01, 0x00, 0xf3, 0x5b, 0x9a, +- 0x28, 0x61, 0xde, 0x7a, 0xd7, 0x0d, 0x56, 0x1e, +- 0x4d, 0xa8, 0x6a, 0xb5, 0xf2, 0x86, 0x2a, 0x4e, +- 0xaa, 0x37, 0x23, 0x5a, 0x3b, 0x69, 0x66, 0x81, +- 0xc8, 0x8e, 0x1b, 0x31, 0x0f, 0x28, 0x31, 0x9a, +- 0x2d, 0xe5, 0x79, 0xcc, 0xa4, 0xca, 0x60, 0x45, +- 0xf7, 0x83, 0x73, 0x5a, 0x01, 0x29, 0xda, 0xf7, +- +-}; +-static const unsigned char rsa_sigverx931_0_e[] = { +- 0x01, 0x00, 0x01, +-}; +-static const unsigned char rsa_sigverx931_0_msg[] = { +- 0x82, 0x2e, 0x41, 0x70, 0x9d, 0x1f, 0xe9, 0x47, +- 0xec, 0xf1, 0x79, 0xcc, 0x05, 0xef, 0xdb, 0xcd, +- 0xca, 0x8b, 0x8e, 0x61, 0x45, 0xad, 0xa6, 0xd9, +- 0xd7, 0x4b, 0x15, 0xf4, 0x92, 0x3a, 0x2a, 0x52, +- 0xe3, 0x44, 0x57, 0x2b, 0x74, 0x7a, 0x37, 0x41, +- 0x50, 0xcb, 0xcf, 0x13, 0x49, 0xd6, 0x15, 0x54, +- 0x97, 0xfd, 0xae, 0x9b, 0xc1, 0xbb, 0xfc, 0x5c, +- 0xc1, 0x37, 0x58, 0x17, 0x63, 0x19, 0x9c, 0xcf, +- 0xee, 0x9c, 0xe5, 0xbe, 0x06, 0xe4, 0x97, 0x47, +- 0xd1, 0x93, 0xa1, 0x2c, 0x59, 0x97, 0x02, 0x01, +- 0x31, 0x45, 0x8c, 0xe1, 0x5c, 0xac, 0xe7, 0x5f, +- 0x6a, 0x23, 0xda, 0xbf, 0xe4, 0x25, 0xc6, 0x67, +- 0xea, 0x5f, 0x73, 0x90, 0x1b, 0x06, 0x0f, 0x41, +- 0xb5, 0x6e, 0x74, 0x7e, 0xfd, 0xd9, 0xaa, 0xbd, +- 0xe2, 0x8d, 0xad, 0x99, 0xdd, 0x29, 0x70, 0xca, +- 0x1b, 0x38, 0x21, 0x55, 0xde, 0x07, 0xaf, 0x00, +- +-}; +-static const unsigned char rsa_sigverx931_0_sig[] = { +- 0x29, 0xa9, 0x3a, 0x8e, 0x9e, 0x90, 0x1b, 0xdb, 
+- 0xaf, 0x0b, 0x47, 0x5b, 0xb5, 0xc3, 0x8c, 0xc3, +- 0x70, 0xbe, 0x73, 0xf9, 0x65, 0x8e, 0xc6, 0x1e, +- 0x95, 0x0b, 0xdb, 0x24, 0x76, 0x79, 0xf1, 0x00, +- 0x71, 0xcd, 0xc5, 0x6a, 0x7b, 0xd2, 0x8b, 0x18, +- 0xc4, 0xdd, 0xf1, 0x2a, 0x31, 0x04, 0x3f, 0xfc, +- 0x36, 0x06, 0x20, 0x71, 0x3d, 0x62, 0xf2, 0xb5, +- 0x79, 0x0a, 0xd5, 0xd2, 0x81, 0xf1, 0xb1, 0x4f, +- 0x9a, 0x17, 0xe8, 0x67, 0x64, 0x48, 0x09, 0x75, +- 0xff, 0x2d, 0xee, 0x36, 0xca, 0xca, 0x1d, 0x74, +- 0x99, 0xbe, 0x5c, 0x94, 0x31, 0xcc, 0x12, 0xf4, +- 0x59, 0x7e, 0x17, 0x00, 0x4f, 0x7b, 0xa4, 0xb1, +- 0xda, 0xdb, 0x3e, 0xa4, 0x34, 0x10, 0x4a, 0x19, +- 0x0a, 0xd2, 0xa7, 0xa0, 0xc5, 0xe6, 0xef, 0x82, +- 0xd4, 0x2e, 0x21, 0xbe, 0x15, 0x73, 0xac, 0xef, +- 0x05, 0xdb, 0x6a, 0x8a, 0x1a, 0xcb, 0x8e, 0xa5, +- 0xee, 0xfb, 0x28, 0xbf, 0x96, 0xa4, 0x2b, 0xd2, +- 0x85, 0x2b, 0x20, 0xc3, 0xaf, 0x9a, 0x32, 0x04, +- 0xa0, 0x49, 0x24, 0x47, 0xd0, 0x09, 0xf7, 0xcf, +- 0x73, 0xb6, 0xf6, 0x70, 0xda, 0x3b, 0xf8, 0x5a, +- 0x28, 0x2e, 0x14, 0x6c, 0x52, 0xbd, 0x2a, 0x7c, +- 0x8e, 0xc1, 0xa8, 0x0e, 0xb1, 0x1e, 0x6b, 0x8d, +- 0x76, 0xea, 0x70, 0x81, 0xa0, 0x02, 0x63, 0x74, +- 0xbc, 0x7e, 0xb9, 0xac, 0x0e, 0x7b, 0x1b, 0x75, +- 0x82, 0xe2, 0x98, 0x4e, 0x24, 0x55, 0xd4, 0xbd, +- 0x14, 0xde, 0x58, 0x56, 0x3a, 0x5d, 0x4e, 0x57, +- 0x0d, 0x54, 0x74, 0xe8, 0x86, 0x8c, 0xcb, 0x07, +- 0x9f, 0x0b, 0xfb, 0xc2, 0x08, 0x5c, 0xd7, 0x05, +- 0x3b, 0xc8, 0xd2, 0x15, 0x68, 0x8f, 0x3d, 0x3c, +- 0x4e, 0x85, 0xa9, 0x25, 0x6f, 0xf5, 0x2e, 0xca, +- 0xca, 0xa8, 0x27, 0x89, 0x61, 0x4e, 0x1f, 0x57, +- 0x2d, 0x99, 0x10, 0x3f, 0xbc, 0x9e, 0x96, 0x5e, +- 0x2f, 0x0a, 0x25, 0xa7, 0x5c, 0xea, 0x65, 0x2a, +- 0x22, 0x35, 0xa3, 0xf9, 0x13, 0x89, 0x05, 0x2e, +- 0x19, 0x73, 0x1d, 0x70, 0x74, 0x98, 0x15, 0x4b, +- 0xab, 0x56, 0x52, 0xe0, 0x01, 0x42, 0x95, 0x6a, +- 0x46, 0x2c, 0x78, 0xff, 0x26, 0xbc, 0x48, 0x10, +- 0x38, 0x25, 0xab, 0x32, 0x7c, 0x79, 0x7c, 0x5d, +- 0x6f, 0x45, 0x54, 0x74, 0x2d, 0x93, 0x56, 0x52, +- 0x11, 0x34, 0x1e, 0xe3, 0x4b, 0x6a, 0x17, 0x4f, +- 0x37, 
0x14, 0x75, 0xac, 0xa3, 0xa1, 0xca, 0xda, +- 0x38, 0x06, 0xa9, 0x78, 0xb9, 0x5d, 0xd0, 0x59, +- 0x1b, 0x5d, 0x1e, 0xc2, 0x0b, 0xfb, 0x39, 0x37, +- 0x44, 0x85, 0xb6, 0x36, 0x06, 0x95, 0xbc, 0x15, +- 0x35, 0xb9, 0xe6, 0x27, 0x42, 0xe3, 0xc8, 0xec, +- 0x30, 0x37, 0x20, 0x26, 0x9a, 0x11, 0x61, 0xc0, +- 0xdb, 0xb2, 0x5a, 0x26, 0x78, 0x27, 0xb9, 0x13, +- 0xc9, 0x1a, 0xa7, 0x67, 0x93, 0xe8, 0xbe, 0xcb, +-}; +- +-#define rsa_sigverx931_1_n rsa_sigverx931_0_n +-#define rsa_sigverx931_1_e rsa_sigverx931_0_e +-static const unsigned char rsa_sigverx931_1_msg[] = { +- 0x79, 0x02, 0xb9, 0xd2, 0x3e, 0x84, 0x02, 0xc8, +- 0x2a, 0x94, 0x92, 0x14, 0x8d, 0xd5, 0xd3, 0x8d, +- 0xb2, 0xf6, 0x00, 0x8b, 0x61, 0x2c, 0xd2, 0xf9, +- 0xa8, 0xe0, 0x5d, 0xac, 0xdc, 0xa5, 0x34, 0xf3, +- 0xda, 0x6c, 0xd4, 0x70, 0x92, 0xfb, 0x40, 0x26, +- 0xc7, 0x9b, 0xe8, 0xd2, 0x10, 0x11, 0xcf, 0x7f, +- 0x23, 0xd0, 0xed, 0x55, 0x52, 0x6d, 0xd3, 0xb2, +- 0x56, 0x53, 0x8d, 0x7c, 0x4c, 0xb8, 0xcc, 0xb5, +- 0xfd, 0xd0, 0x45, 0x4f, 0x62, 0x40, 0x54, 0x42, +- 0x68, 0xd5, 0xe5, 0xdd, 0xf0, 0x76, 0x94, 0x59, +- 0x1a, 0x57, 0x13, 0xb4, 0xc3, 0x70, 0xcc, 0xbd, +- 0x4c, 0x2e, 0xc8, 0x6b, 0x9d, 0x68, 0xd0, 0x72, +- 0x6a, 0x94, 0xd2, 0x18, 0xb5, 0x3b, 0x86, 0x45, +- 0x95, 0xaa, 0x50, 0xda, 0x35, 0xeb, 0x69, 0x44, +- 0x1f, 0xf3, 0x3a, 0x51, 0xbb, 0x1d, 0x08, 0x42, +- 0x12, 0xd7, 0xd6, 0x21, 0xd8, 0x9b, 0x87, 0x55, +-}; +- +-static const unsigned char rsa_sigverx931_1_sig[] = { +- 0x3b, 0xba, 0xb3, 0xb1, 0xb2, 0x6a, 0x29, 0xb5, +- 0xf9, 0x94, 0xf1, 0x00, 0x5c, 0x16, 0x67, 0x67, +- 0x73, 0xd3, 0xde, 0x7e, 0x07, 0xfa, 0xaa, 0x95, +- 0xeb, 0x5a, 0x55, 0xdc, 0xb2, 0xa9, 0x70, 0x5a, +- 0xee, 0x8f, 0x8d, 0x69, 0x85, 0x2b, 0x00, 0xe3, +- 0xdc, 0xe2, 0x73, 0x9b, 0x68, 0xeb, 0x93, 0x69, +- 0x08, 0x03, 0x17, 0xd6, 0x50, 0x21, 0x14, 0x23, +- 0x8c, 0xe6, 0x54, 0x3a, 0xd9, 0xfc, 0x8b, 0x14, +- 0x81, 0xb1, 0x8b, 0x9d, 0xd2, 0xbe, 0x58, 0x75, +- 0x94, 0x74, 0x93, 0xc9, 0xbb, 0x4e, 0xf6, 0x1f, +- 0x73, 0x7d, 0x1a, 0x5f, 0xbd, 0xbf, 0x59, 0x37, 
+- 0x5b, 0x98, 0x54, 0xad, 0x3a, 0xef, 0xa0, 0xef, +- 0xcb, 0xc3, 0xe8, 0x84, 0xd8, 0x3d, 0xf5, 0x60, +- 0xb8, 0xc3, 0x8d, 0x1e, 0x78, 0xa0, 0x91, 0x94, +- 0xb7, 0xd7, 0xb1, 0xd4, 0xe2, 0xee, 0x81, 0x93, +- 0xfc, 0x41, 0xf0, 0x31, 0xbb, 0x03, 0x52, 0xde, +- 0x80, 0x20, 0x3a, 0x68, 0xe6, 0xc5, 0x50, 0x1b, +- 0x08, 0x3f, 0x40, 0xde, 0xb3, 0xe5, 0x81, 0x99, +- 0x7f, 0xdb, 0xb6, 0x5d, 0x61, 0x27, 0xd4, 0xfb, +- 0xcd, 0xc5, 0x7a, 0xea, 0xde, 0x7a, 0x66, 0xef, +- 0x55, 0x3f, 0x85, 0xea, 0x84, 0xc5, 0x0a, 0xf6, +- 0x3c, 0x40, 0x38, 0xf7, 0x6c, 0x66, 0xe5, 0xbe, +- 0x61, 0x41, 0xd3, 0xb1, 0x08, 0xe1, 0xb4, 0xf9, +- 0x6e, 0xf6, 0x0e, 0x4a, 0x72, 0x6c, 0x61, 0x63, +- 0x3e, 0x41, 0x33, 0x94, 0xd6, 0x27, 0xa4, 0xd9, +- 0x3a, 0x20, 0x2b, 0x39, 0xea, 0xe5, 0x82, 0x48, +- 0xd6, 0x5b, 0x58, 0x85, 0x44, 0xb0, 0xd2, 0xfd, +- 0xfb, 0x3e, 0xeb, 0x78, 0xac, 0xbc, 0xba, 0x16, +- 0x92, 0x0e, 0x20, 0xc1, 0xb2, 0xd1, 0x92, 0xa8, +- 0x00, 0x88, 0xc0, 0x41, 0x46, 0x38, 0xb6, 0x54, +- 0x70, 0x0c, 0x00, 0x62, 0x97, 0x6a, 0x8e, 0x66, +- 0x5a, 0xa1, 0x6c, 0xf7, 0x6d, 0xc2, 0x27, 0x56, +- 0x60, 0x5b, 0x0c, 0x52, 0xac, 0x5c, 0xae, 0x99, +- 0x55, 0x11, 0x62, 0x52, 0x09, 0x48, 0x53, 0x90, +- 0x3c, 0x0b, 0xd4, 0xdc, 0x7b, 0xe3, 0x4c, 0xe3, +- 0xa8, 0x6d, 0xc5, 0xdf, 0xc1, 0x5c, 0x59, 0x25, +- 0x99, 0x30, 0xde, 0x57, 0x6a, 0x84, 0x25, 0x34, +- 0x3e, 0x64, 0x11, 0xdb, 0x7a, 0x82, 0x8e, 0x70, +- 0xd2, 0x5c, 0x0e, 0x81, 0xa0, 0x24, 0x53, 0x75, +- 0x98, 0xd6, 0x10, 0x01, 0x6a, 0x14, 0xed, 0xc3, +- 0x6f, 0xc4, 0x18, 0xb8, 0xd2, 0x9f, 0x59, 0x53, +- 0x81, 0x3a, 0x86, 0x31, 0xfc, 0x9e, 0xbf, 0x6c, +- 0x52, 0x93, 0x86, 0x9c, 0xaa, 0x6c, 0x6f, 0x07, +- 0x8a, 0x40, 0x33, 0x64, 0xb2, 0x70, 0x48, 0x85, +- 0x05, 0x59, 0x65, 0x2d, 0x6b, 0x9a, 0xad, 0xab, +- 0x20, 0x7e, 0x02, 0x6d, 0xde, 0xcf, 0x22, 0x0b, +- 0xea, 0x6e, 0xbd, 0x1c, 0x39, 0x3a, 0xfd, 0xa4, +- 0xde, 0x54, 0xae, 0xde, 0x5e, 0xf7, 0xb0, 0x6d, +-}; +- + static const struct rsa_sigver_st rsa_sigver_data[] = { + { + "pkcs1", /* pkcs1v1.5 */ +@@ -1841,17 
+1638,6 @@ static const struct rsa_sigver_st rsa_sigver_data[] = {
+ NO_PSS_SALT_LEN,
+ FAIL
+ },
+- {
+- "x931",
+- 3072,
+- "SHA256",
+- ITM(rsa_sigverx931_1_msg),
+- ITM(rsa_sigverx931_1_n),
+- ITM(rsa_sigverx931_1_e),
+- ITM(rsa_sigverx931_1_sig),
+- NO_PSS_SALT_LEN,
+- FAIL
+- },
+ {
+ "pss",
+ 4096,
+--
+2.38.1
+
diff --git a/SOURCES/0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch
new file mode 100644
index 0000000..81a6544
--- /dev/null
+++ b/SOURCES/0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch
@@ -0,0 +1,112 @@
+From e1eba21921ceeffa45ffd2115868c14e4c7fb8d9 Mon Sep 17 00:00:00 2001
+From: Clemens Lang
+Date: Thu, 17 Nov 2022 18:08:24 +0100
+Subject: [PATCH] hmac: Add explicit FIPS indicator for key length
+
+NIST SP 800-131Ar2, table 9 "Approval Status of MAC Algorithms"
+specifies key lengths < 112 bytes are disallowed for HMAC generation and
+are legacy use for HMAC verification.
+
+Add an explicit indicator that will mark shorter key lengths as
+unsupported. The indicator can be queries from the EVP_MAC_CTX object
+using EVP_MAC_CTX_get_params() with the
+ OSSL_MAC_PARAM_REDHAT_FIPS_INDICATOR
+parameter.
+
+Signed-off-by: Clemens Lang
+---
+ include/crypto/evp.h | 7 +++++++
+ include/openssl/core_names.h | 1 +
+ include/openssl/evp.h | 3 +++
+ providers/implementations/macs/hmac_prov.c | 17 +++++++++++++++++
+ 4 files changed, 28 insertions(+)
+
+diff --git a/include/crypto/evp.h b/include/crypto/evp.h
+index 76fb990de4..1e2240516e 100644
+--- a/include/crypto/evp.h
++++ b/include/crypto/evp.h
+@@ -196,6 +196,13 @@ const EVP_PKEY_METHOD *ossl_ed448_pkey_method(void);
+ const EVP_PKEY_METHOD *ossl_rsa_pkey_method(void);
+ const EVP_PKEY_METHOD *ossl_rsa_pss_pkey_method(void);
+
++#ifdef FIPS_MODULE
++/* NIST SP 800-131Ar2, Table 9: Approval Status of MAC Algorithms specifies key
++ * lengths < 112 bytes are disallowed for HMAC generation and legacy use for
++ * HMAC verification.
 */
++# define EVP_HMAC_GEN_FIPS_MIN_KEY_LEN (112 / 8)
++#endif
++
+ struct evp_mac_st {
+ OSSL_PROVIDER *prov;
+ int name_id;
+diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
+index c019afbbb0..94fab83193 100644
+--- a/include/openssl/core_names.h
++++ b/include/openssl/core_names.h
+@@ -173,6 +173,7 @@ extern "C" {
+ #define OSSL_MAC_PARAM_SIZE "size" /* size_t */
+ #define OSSL_MAC_PARAM_BLOCK_SIZE "block-size" /* size_t */
+ #define OSSL_MAC_PARAM_TLS_DATA_SIZE "tls-data-size" /* size_t */
++#define OSSL_MAC_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator"
+
+ /* Known MAC names */
+ #define OSSL_MAC_NAME_BLAKE2BMAC "BLAKE2BMAC"
+diff --git a/include/openssl/evp.h b/include/openssl/evp.h
+index 49e8e1df78..a5e78efd6e 100644
+--- a/include/openssl/evp.h
++++ b/include/openssl/evp.h
+@@ -1192,6 +1192,9 @@ void EVP_MD_do_all_provided(OSSL_LIB_CTX *libctx,
+ void *arg);
+
+ /* MAC stuff */
++# define EVP_MAC_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
++# define EVP_MAC_REDHAT_FIPS_INDICATOR_APPROVED 1
++# define EVP_MAC_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
+
+ EVP_MAC *EVP_MAC_fetch(OSSL_LIB_CTX *libctx, const char *algorithm,
+ const char *properties);
+diff --git a/providers/implementations/macs/hmac_prov.c b/providers/implementations/macs/hmac_prov.c
+index 52ebb08b8f..cf5c3ecbe7 100644
+--- a/providers/implementations/macs/hmac_prov.c
++++ b/providers/implementations/macs/hmac_prov.c
+@@ -21,6 +21,8 @@
+ #include
+ #include
+
++#include "crypto/evp.h"
++
+ #include "prov/implementations.h"
+ #include "prov/provider_ctx.h"
+ #include "prov/provider_util.h"
+@@ -244,6 +246,9 @@ static int hmac_final(void *vmacctx, unsigned char *out, size_t *outl,
+ static const OSSL_PARAM known_gettable_ctx_params[] = {
+ OSSL_PARAM_size_t(OSSL_MAC_PARAM_SIZE, NULL),
+ OSSL_PARAM_size_t(OSSL_MAC_PARAM_BLOCK_SIZE, NULL),
++#ifdef FIPS_MODULE
++ OSSL_PARAM_int(OSSL_MAC_PARAM_REDHAT_FIPS_INDICATOR, NULL),
++#endif /* defined(FIPS_MODULE) */
+ OSSL_PARAM_END
+
};
+ static const OSSL_PARAM *hmac_gettable_ctx_params(ossl_unused void *ctx,
+@@ -265,6 +270,18 @@ static int hmac_get_ctx_params(void *vmacctx, OSSL_PARAM params[])
+ && !OSSL_PARAM_set_int(p, hmac_block_size(macctx)))
+ return 0;
+
++#ifdef FIPS_MODULE
++ if ((p = OSSL_PARAM_locate(params, OSSL_MAC_PARAM_REDHAT_FIPS_INDICATOR)) != NULL) {
++ int fips_indicator = EVP_MAC_REDHAT_FIPS_INDICATOR_APPROVED;
++ /* NIST SP 800-131Ar2, Table 9: Approval Status of MAC Algorithms
++ * specifies key lengths < 112 bytes are disallowed for HMAC generation
++ * and legacy use for HMAC verification. */
++ if (macctx->keylen < EVP_HMAC_GEN_FIPS_MIN_KEY_LEN)
++ fips_indicator = EVP_MAC_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++ return OSSL_PARAM_set_int(p, fips_indicator);
++ }
++#endif /* defined(FIPS_MODULE) */
++
+ return 1;
+ }
+
+--
+2.38.1
+
diff --git a/SOURCES/0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
new file mode 100644
index 0000000..181fedd
--- /dev/null
+++ b/SOURCES/0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
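Review bot: The threshold comment added to include/crypto/evp.h, and the copy of it inside hmac_get_ctx_params, say `key lengths < 112 bytes`, but `EVP_HMAC_GEN_FIPS_MIN_KEY_LEN (112 / 8)` evaluates to 14 bytes, i.e. 112 bits, which is the figure SP 800-131Ar2 Table 9 actually gives; both comments should read `key lengths < 112 bits`, and the commit message repeats the same unit slip. The comparison `macctx->keylen < EVP_HMAC_GEN_FIPS_MIN_KEY_LEN` assumes keylen is stored in bytes, which this hunk does not show, so it is worth confirming where keylen is set. A smaller wording fix in the commit message: `can be queries` should be `can be queried`.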
@@ -0,0 +1,86 @@
+From 754862899058cfb5f2341c81f9e04dd2f7b37056 Mon Sep 17 00:00:00 2001
+From: Clemens Lang
+Date: Thu, 17 Nov 2022 18:37:17 +0100
+Subject: [PATCH] pbkdf2: Set minimum password length of 8 bytes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The Implementation Guidance for FIPS 140-3 says in section D.N
+"Password-Based Key Derivation for Storage Applications" that "the
+vendor shall document in the module’s Security Policy the length of
+a password/passphrase used in key derivation and establish an upper
+bound for the probability of having this parameter guessed at random.
+This probability shall take into account not only the length of the
+password/passphrase, but also the difficulty of guessing it. The
+decision on the minimum length of a password used for key derivation is
+the vendor’s, but the vendor shall at a minimum informally justify the
+decision."
+
+We are choosing a minimum password length of 8 bytes, because NIST's
+ACVP testing uses passwords as short as 8 bytes, and requiring longer
+passwords combined with an implicit indicator (i.e., returning an error)
+would cause the module to fail ACVP testing.
+
+Signed-off-by: Clemens Lang
+---
+ providers/implementations/kdfs/pbkdf2.c | 27 ++++++++++++++++++++++++-
+ 1 file changed, 26 insertions(+), 1 deletion(-)
+
+diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c
+index 2a0ae63acc..aa0adce5e6 100644
+--- a/providers/implementations/kdfs/pbkdf2.c
++++ b/providers/implementations/kdfs/pbkdf2.c
+@@ -35,6 +35,21 @@
+ #define KDF_PBKDF2_MAX_KEY_LEN_DIGEST_RATIO 0xFFFFFFFF
+ #define KDF_PBKDF2_MIN_ITERATIONS 1000
+ #define KDF_PBKDF2_MIN_SALT_LEN (128 / 8)
++/* The Implementation Guidance for FIPS 140-3 says in section D.N
++ * "Password-Based Key Derivation for Storage Applications" that "the vendor
++ * shall document in the module’s Security Policy the length of
++ * a password/passphrase used in key derivation and establish an upper bound
++ * for the probability of having this parameter guessed at random. This
++ * probability shall take into account not only the length of the
++ * password/passphrase, but also the difficulty of guessing it. The decision on
++ * the minimum length of a password used for key derivation is the vendor’s,
++ * but the vendor shall at a minimum informally justify the decision."
++ *
++ * We are choosing a minimum password length of 8 bytes, because NIST's ACVP
++ * testing uses passwords as short as 8 bytes, and requiring longer passwords
++ * combined with an implicit indicator (i.e., returning an error) would cause
++ * the module to fail ACVP testing.
 */
++#define KDF_PBKDF2_MIN_PASSWORD_LEN (8)
+
+ static OSSL_FUNC_kdf_newctx_fn kdf_pbkdf2_new;
+ static OSSL_FUNC_kdf_freectx_fn kdf_pbkdf2_free;
+@@ -186,9 +201,15 @@ static int kdf_pbkdf2_set_ctx_params(void *vctx, const OSSL_PARAM params[])
+ ctx->lower_bound_checks = pkcs5 == 0;
+ }
+
+- if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PASSWORD)) != NULL)
++ if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PASSWORD)) != NULL) {
++ if (ctx->lower_bound_checks != 0
++ && p->data_size < KDF_PBKDF2_MIN_PASSWORD_LEN) {
++ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
++ return 0;
++ }
+ if (!pbkdf2_set_membuf(&ctx->pass, &ctx->pass_len, p))
+ return 0;
++ }
+
+ if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SALT)) != NULL) {
+ if (ctx->lower_bound_checks != 0
+@@ -297,6 +318,10 @@ static int pbkdf2_derive(const char *pass, size_t passlen,
+ }
+
+ if (lower_bound_checks) {
++ if (passlen < KDF_PBKDF2_MIN_PASSWORD_LEN) {
++ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
++ return 0;
++ }
+ if ((keylen * 8) < KDF_PBKDF2_MIN_KEY_LEN_BITS) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL);
+ return 0;
+--
+2.38.1
+
diff --git a/SOURCES/0085-FIPS-RSA-disable-shake.patch
new file mode 100644
index 0000000..8aa3d45
--- /dev/null
+++ b/SOURCES/0085-FIPS-RSA-disable-shake.patch
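Review bot: In kdf_pbkdf2_set_ctx_params the new password-length check runs only when `ctx->lower_bound_checks` is already set, and that flag is assigned from the PKCS5 parameter a few lines above in the same call, so a password supplied in an earlier set_params call, before PKCS5 is switched to 0, is never rejected at set time and only the derive-time check in pbkdf2_derive catches it (unless the flag is already on by default in the FIPS build, which this hunk does not show). A one-line comment above the set-time check, e.g. `/* Best-effort early rejection; pbkdf2_derive() re-checks and is authoritative. */`, would stop a caller from relying on the set-time error. Both sites also reuse PROV_R_INVALID_KEY_LENGTH for what is a password-length failure, which makes the error indistinguishable from a bad derived-key length in logs; attaching the numbers with `ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH, "password length %zu below minimum %d", passlen, KDF_PBKDF2_MIN_PASSWORD_LEN);` (and the `p->data_size` equivalent at the set-time site) keeps the reason code but makes the failure diagnosable.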
@@ -0,0 +1,113 @@
+From 52b347703ba2b98a0efee86c1a483c2f0f9f73d6 Mon Sep 17 00:00:00 2001
+From: Clemens Lang
+Date: Wed, 11 Jan 2023 12:52:59 +0100
+Subject: [PATCH] rsa: Disallow SHAKE in OAEP and PSS in FIPS prov
+
+According to FIPS 140-3 IG, section C.C, the SHAKE digest algorithms
+must not be used in higher-level algorithms (such as RSA-OAEP and
+RSASSA-PSS):
+
+"To be used in an approved mode of operation, the SHA-3 hash functions
+may be implemented either as part of an approved higher-level algorithm,
+for example, a digital signature algorithm, or as the standalone
+functions. The SHAKE128 and SHAKE256 extendable-output functions may
+only be used as the standalone algorithms."
+
+Add a check to prevent their use as message digest in PSS signatures and
+as MGF1 hash function in both OAEP and PSS.
+
+Signed-off-by: Clemens Lang
+---
+ crypto/rsa/rsa_oaep.c | 28 ++++++++++++++++++++++++++++
+ crypto/rsa/rsa_pss.c | 16 ++++++++++++++++
+ 2 files changed, 44 insertions(+)
+
+diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c
+index d9be1a4f98..dfe9c9f0e8 100644
+--- a/crypto/rsa/rsa_oaep.c
++++ b/crypto/rsa/rsa_oaep.c
+@@ -73,9 +73,23 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx,
+ return 0;
+ #endif
+ }
++
++#ifdef FIPS_MODULE
++ if (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256")) {
++ ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED);
++ return 0;
++ }
++#endif
+ if (mgf1md == NULL)
+ mgf1md = md;
+
++#ifdef FIPS_MODULE
++ if (EVP_MD_is_a(mgf1md, "SHAKE-128") || EVP_MD_is_a(mgf1md, "SHAKE-256")) {
++ ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED);
++ return 0;
++ }
++#endif
++
+ mdlen = EVP_MD_get_size(md);
+ if (mdlen <= 0) {
+ ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_LENGTH);
+@@ -181,9 +195,23 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
+ #endif
+ }
+
++#ifdef FIPS_MODULE
++ if (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256")) {
++ ERR_raise(ERR_LIB_RSA,
RSA_R_DIGEST_NOT_ALLOWED);
++ return -1;
++ }
++#endif
++
+ if (mgf1md == NULL)
+ mgf1md = md;
+
++#ifdef FIPS_MODULE
++ if (EVP_MD_is_a(mgf1md, "SHAKE-128") || EVP_MD_is_a(mgf1md, "SHAKE-256")) {
++ ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED);
++ return -1;
++ }
++#endif
++
+ mdlen = EVP_MD_get_size(md);
+
+ if (tlen <= 0 || flen <= 0)
+diff --git a/crypto/rsa/rsa_pss.c b/crypto/rsa/rsa_pss.c
+index 33874bfef8..e8681b0351 100644
+--- a/crypto/rsa/rsa_pss.c
++++ b/crypto/rsa/rsa_pss.c
+@@ -53,6 +53,14 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
+ if (mgf1Hash == NULL)
+ mgf1Hash = Hash;
+
++#ifdef FIPS_MODULE
++ if (EVP_MD_is_a(Hash, "SHAKE-128") || EVP_MD_is_a(Hash, "SHAKE-256"))
++ goto err;
++
++ if (EVP_MD_is_a(mgf1Hash, "SHAKE-128") || EVP_MD_is_a(mgf1Hash, "SHAKE-256"))
++ goto err;
++#endif
++
+ hLen = EVP_MD_get_size(Hash);
+ if (hLen < 0)
+ goto err;
+@@ -164,6 +172,14 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
+ if (mgf1Hash == NULL)
+ mgf1Hash = Hash;
+
++#ifdef FIPS_MODULE
++ if (EVP_MD_is_a(Hash, "SHAKE-128") || EVP_MD_is_a(Hash, "SHAKE-256"))
++ goto err;
++
++ if (EVP_MD_is_a(mgf1Hash, "SHAKE-128") || EVP_MD_is_a(mgf1Hash, "SHAKE-256"))
++ goto err;
++#endif
++
+ hLen = EVP_MD_get_size(Hash);
+ if (hLen < 0)
+ goto err;
+--
+2.39.0
+
diff --git a/SOURCES/0088-signature-Add-indicator-for-PSS-salt-length.patch
new file mode 100644
index 0000000..20024d3
--- /dev/null
+++ b/SOURCES/0088-signature-Add-indicator-for-PSS-salt-length.patch
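Review bot: The four `goto err` paths added to RSA_verify_PKCS1_PSS_mgf1 and RSA_padding_add_PKCS1_PSS_mgf1 in rsa_pss.c fail without pushing an error, unlike the rsa_oaep.c hunks in the same patch which raise RSA_R_DIGEST_NOT_ALLOWED, so a caller gets a bare failure with an empty error queue and cannot distinguish a disallowed digest from a malformed signature. Each SHAKE check should be preceded by `ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED);` before the `goto err;`, matching the OAEP sites. The `err:` labels themselves are outside the inner hunks; in RSA_padding_add_PKCS1_PSS_mgf1 the visible context shows `salt` and `ctx` initialised to NULL before the new jumps, so the early exit looks safe there, but the locals of RSA_verify_PKCS1_PSS_mgf1 are not visible here and should be checked the same way.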
@@ -0,0 +1,116 @@
+From a325a23bc83f4efd60130001c417ca5b96bdbff1 Mon Sep 17 00:00:00 2001
+From: Clemens Lang
+Date: Thu, 17 Nov 2022 19:33:02 +0100
+Subject: [PATCH 1/3] signature: Add indicator for PSS salt length
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection
+5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the
+salt (sLen) shall satisfy 0 ≤ sLen ≤ hLen, where hLen is the length of
+the hash function output block (in bytes)."
+
+It is not exactly clear from this text whether hLen refers to the
+message digest or the hash function used for the mask generation
+function MGF1. PKCS#1 v2.1 suggests it is the former:
+
+| Typical salt lengths in octets are hLen (the length of the output of
+| the hash function Hash) and 0. In both cases the security of
+| RSASSA-PSS can be closely related to the hardness of inverting RSAVP1.
+| Bellare and Rogaway [4] give a tight lower bound for the security of
+| the original RSA-PSS scheme, which corresponds roughly to the former
+| case, while Coron [12] gives a lower bound for the related Full Domain
+| Hashing scheme, which corresponds roughly to the latter case. In [13]
+| Coron provides a general treatment with various salt lengths ranging
+| from 0 to hLen; see [27] for discussion. See also [31], which adapts
+| the security proofs in [4][13] to address the differences between the
+| original and the present version of RSA-PSS as listed in Note 1 above.
+
+Since OpenSSL defaults to creating signatures with the maximum salt
+length, blocking the use of longer salts would probably lead to
+significant problems in practice. Instead, introduce an explicit
+indicator that can be obtained from the EVP_PKEY_CTX object using
+EVP_PKEY_CTX_get_params() with the
+ OSSL_SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR
+parameter.
+
+We also add indicator for RSA_NO_PADDING here to avoid patch-over-patch.
+Dmitry Belyavskiy
+
+Signed-off-by: Clemens Lang
+---
+ include/openssl/core_names.h | 1 +
+ include/openssl/evp.h | 4 ++++
+ providers/implementations/signature/rsa_sig.c | 18 ++++++++++++++++++
+ 3 files changed, 23 insertions(+)
+
+diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
+index 94fab83193..69c59f0b46 100644
+--- a/include/openssl/core_names.h
++++ b/include/openssl/core_names.h
+@@ -453,6 +453,7 @@ extern "C" {
+ #define OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES \
+ OSSL_PKEY_PARAM_MGF1_PROPERTIES
+ #define OSSL_SIGNATURE_PARAM_DIGEST_SIZE OSSL_PKEY_PARAM_DIGEST_SIZE
++#define OSSL_SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator"
+
+ /* Asym cipher parameters */
+ #define OSSL_ASYM_CIPHER_PARAM_DIGEST OSSL_PKEY_PARAM_DIGEST
+diff --git a/include/openssl/evp.h b/include/openssl/evp.h
+index a5e78efd6e..f239200465 100644
+--- a/include/openssl/evp.h
++++ b/include/openssl/evp.h
+@@ -797,6 +797,10 @@ __owur int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm,
+ __owur int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm,
+ int *outl);
+
++# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
++# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_APPROVED 1
++# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
++
+ __owur int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s,
+ EVP_PKEY *pkey);
+ __owur int EVP_SignFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s,
+diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
+index 49e7f9158a..0c45008a00 100644
+--- a/providers/implementations/signature/rsa_sig.c
++++ b/providers/implementations/signature/rsa_sig.c
+@@ -1127,6 +1127,24 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
+ }
+ }
+
++#ifdef FIPS_MODULE
++ p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR);
++ if (p != NULL) {
++ int fips_indicator =
EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_APPROVED;
++ if (prsactx->pad_mode == RSA_PKCS1_PSS_PADDING) {
++ if (prsactx->md == NULL) {
++ fips_indicator = EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_UNDETERMINED;
++ } else if (rsa_pss_compute_saltlen(prsactx) > EVP_MD_get_size(prsactx->md)) {
++ fips_indicator = EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++ }
++ } else if (prsactx->pad_mode == RSA_NO_PADDING) {
++ if (prsactx->md == NULL) /* Should always be the case */
++ fips_indicator = EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++ }
++ return OSSL_PARAM_set_int(p, fips_indicator);
++ }
++#endif
++
+ return 1;
+ }
+
+@@ -1136,6 +1151,9 @@ static const OSSL_PARAM known_gettable_ctx_params[] = {
+ OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),
+ OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0),
+ OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0),
++#ifdef FIPS_MODULE
++ OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR, NULL),
++#endif
+ OSSL_PARAM_END
+ };
+
+--
+2.38.1
+
diff --git a/SOURCES/0089-PSS-salt-length-from-provider.patch
new file mode 100644
index 0000000..8e61747
--- /dev/null
+++ b/SOURCES/0089-PSS-salt-length-from-provider.patch
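Review bot: In rsa_get_ctx_params the PSS branch compares `rsa_pss_compute_saltlen(prsactx)` directly against `EVP_MD_get_size(prsactx->md)`, and if either helper signals failure with a negative or zero value the comparison is false and the indicator is reported as APPROVED; an unresolvable salt length should fall to UNDETERMINED rather than silently approve (rsa_pss_compute_saltlen's body is not visible here, so its error convention is inferred). The RSA_NO_PADDING branch has the same fail-open shape: NOT_APPROVED is set only when `prsactx->md == NULL`, so the case the comment says "should always be the case" is the only one handled, and an unexpected non-NULL md yields APPROVED for a padding mode the commit message is adding the indicator to reject. Both branches should evaluate into locals and fail closed, as sketched below; rsa_get_ctx_params itself begins outside the inner hunk.
```c
        if (prsactx->pad_mode == RSA_PKCS1_PSS_PADDING) {
            if (prsactx->md == NULL) {
                fips_indicator = EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_UNDETERMINED;
            } else {
                int saltlen = rsa_pss_compute_saltlen(prsactx);
                int mdsize = EVP_MD_get_size(prsactx->md);

                /* Fail closed: a salt length we cannot resolve is not "approved". */
                if (saltlen < 0 || mdsize <= 0)
                    fips_indicator = EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_UNDETERMINED;
                else if (saltlen > mdsize)
                    fips_indicator = EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
            }
        } else if (prsactx->pad_mode == RSA_NO_PADDING) {
            /* Raw RSA is reported as not approved regardless of md. */
            fips_indicator = EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
        }
        /* … unchanged: OSSL_PARAM_set_int(p, fips_indicator) … */
```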
@@ -0,0 +1,114 @@
+From 0879fac692cb1bff0ec4c196cb364d970ad3ecec Mon Sep 17 00:00:00 2001
+From: Clemens Lang
+Date: Mon, 21 Nov 2022 14:33:57 +0100
+Subject: [PATCH 2/3] Obtain PSS salt length from provider
+
+Rather than computing the PSS salt length again in core using
+ossl_rsa_ctx_to_pss_string, which calls rsa_ctx_to_pss and computes the
+salt length, obtain it from the provider using the
+OSSL_SIGNATURE_PARAM_ALGORITHM_ID param to handle the case where the
+interpretation of the magic constants in the provider differs from that
+of OpenSSL core.
+
+Signed-off-by: Clemens Lang
+---
+ crypto/cms/cms_rsa.c | 19 +++++++++++++++----
+ crypto/rsa/rsa_ameth.c | 34 +++++++++++++++++++++-------------
+ 2 files changed, 36 insertions(+), 17 deletions(-)
+
+diff --git a/crypto/cms/cms_rsa.c b/crypto/cms/cms_rsa.c
+index 20ed816918..997567fdbf 100644
+--- a/crypto/cms/cms_rsa.c
++++ b/crypto/cms/cms_rsa.c
+@@ -10,6 +10,7 @@
+ #include
+ #include
+ #include
++#include
+ #include "crypto/asn1.h"
+ #include "crypto/rsa.h"
+ #include "cms_local.h"
+@@ -191,7 +192,10 @@ static int rsa_cms_sign(CMS_SignerInfo *si)
+ int pad_mode = RSA_PKCS1_PADDING;
+ X509_ALGOR *alg;
+ EVP_PKEY_CTX *pkctx = CMS_SignerInfo_get0_pkey_ctx(si);
+- ASN1_STRING *os = NULL;
++ unsigned char aid[128];
++ const unsigned char *pp = aid;
++ size_t aid_len = 0;
++ OSSL_PARAM params[2];
+
+ CMS_SignerInfo_get0_algs(si, NULL, NULL, NULL, &alg);
+ if (pkctx != NULL) {
+@@ -205,10 +209,17 @@ static int rsa_cms_sign(CMS_SignerInfo *si)
+ /* We don't support it */
+ if (pad_mode != RSA_PKCS1_PSS_PADDING)
+ return 0;
+- os = ossl_rsa_ctx_to_pss_string(pkctx);
+- if (os == NULL)
++
++ params[0] = OSSL_PARAM_construct_octet_string(
++ OSSL_SIGNATURE_PARAM_ALGORITHM_ID, aid, sizeof(aid));
++ params[1] = OSSL_PARAM_construct_end();
++
++ if (EVP_PKEY_CTX_get_params(pkctx, params) <= 0)
++ return 0;
++ if ((aid_len = params[0].return_size) == 0)
++ return 0;
++ if (d2i_X509_ALGOR(&alg, &pp, aid_len) == NULL)
+
return 0;
+- X509_ALGOR_set0(alg, OBJ_nid2obj(EVP_PKEY_RSA_PSS), V_ASN1_SEQUENCE, os);
+ return 1;
+ }
+
+diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
+index c15554505b..61ec53d424 100644
+--- a/crypto/rsa/rsa_ameth.c
++++ b/crypto/rsa/rsa_ameth.c
+@@ -637,22 +637,30 @@ static int rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, const void *asn,
+ if (pad_mode == RSA_PKCS1_PADDING)
+ return 2;
+ if (pad_mode == RSA_PKCS1_PSS_PADDING) {
+- ASN1_STRING *os1 = NULL;
+- os1 = ossl_rsa_ctx_to_pss_string(pkctx);
+- if (!os1)
++ unsigned char aid[128];
++ size_t aid_len = 0;
++ OSSL_PARAM params[2];
++
++ params[0] = OSSL_PARAM_construct_octet_string(
++ OSSL_SIGNATURE_PARAM_ALGORITHM_ID, aid, sizeof(aid));
++ params[1] = OSSL_PARAM_construct_end();
++
++ if (EVP_PKEY_CTX_get_params(pkctx, params) <= 0)
+ return 0;
+- /* Duplicate parameters if we have to */
+- if (alg2) {
+- ASN1_STRING *os2 = ASN1_STRING_dup(os1);
+- if (!os2) {
+- ASN1_STRING_free(os1);
++ if ((aid_len = params[0].return_size) == 0)
++ return 0;
++
++ if (alg1 != NULL) {
++ const unsigned char *pp = aid;
++ if (d2i_X509_ALGOR(&alg1, &pp, aid_len) == NULL)
++ return 0;
++ }
++ if (alg2 != NULL) {
++ const unsigned char *pp = aid;
++ if (d2i_X509_ALGOR(&alg2, &pp, aid_len) == NULL)
+ return 0;
+- }
+- X509_ALGOR_set0(alg2, OBJ_nid2obj(EVP_PKEY_RSA_PSS),
+- V_ASN1_SEQUENCE, os2);
+ }
+- X509_ALGOR_set0(alg1, OBJ_nid2obj(EVP_PKEY_RSA_PSS),
+- V_ASN1_SEQUENCE, os1);
++
+ return 3;
+ }
+ return 2;
+--
+2.38.1
+
diff --git a/SOURCES/0090-signature-Clamp-PSS-salt-len-to-MD-len.patch
new file mode 100644
index 0000000..efe7751
--- /dev/null
+++ b/SOURCES/0090-signature-Clamp-PSS-salt-len-to-MD-len.patch
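Review bot: In rsa_cms_sign, `d2i_X509_ALGOR(&alg, &pp, aid_len)` decodes in place into the X509_ALGOR that `CMS_SignerInfo_get0_algs` handed out and that the signer info still owns; if the decode fails part-way the ASN.1 decoder may free or reset the object it was given, so on the `return 0` path `si` can be left referencing a freed or half-rewritten signatureAlgorithm, where the old code only touched `alg` via X509_ALGOR_set0 after the parameters were fully built. rsa_item_sign in rsa_ameth.c repeats the pattern for `alg1` and `alg2`. Safer is to decode into a fresh `X509_ALGOR *tmp = NULL` and only replace the caller-owned structure's contents once the decode has succeeded, freeing `tmp` on every path. Separately, the new `EVP_PKEY_CTX_get_params` and `return_size == 0` failure paths return 0 without an ERR_raise, so a signing failure surfaces with an empty error queue; the fixed 128-byte `aid` buffer is ample for an RSASSA-PSS AlgorithmIdentifier, but an oversized encoding would also only show up as that silent failure, which is worth a comment on the buffer size.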
@@ -0,0 +1,338 @@
+From 9cc914ff3e1fda124bdc76d72ebc9349ec19f8ae Mon Sep 17 00:00:00 2001
+From: Clemens Lang
+Date: Fri, 18 Nov 2022 12:35:33 +0100
+Subject: [PATCH 3/3] signature: Clamp PSS salt len to MD len
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection
+5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the
+salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of
+the hash function output block (in bytes)."
+
+Introduce a new option RSA_PSS_SALTLEN_AUTO_DIGEST_MAX and make it the
+default. The new value will behave like RSA_PSS_SALTLEN_AUTO, but will
+not use more than the digest legth when signing, so that FIPS 186-4 is
+not violated. This value has two advantages when compared with
+RSA_PSS_SALTLEN_DIGEST: (1) It will continue to do auto-detection when
+verifying signatures for maximum compatibility, where
+RSA_PSS_SALTLEN_DIGEST would fail for other digest sizes. (2) It will
+work for combinations where the maximum salt length is smaller than the
+digest size, which typically happens with large digest sizes (e.g.,
+SHA-512) and small RSA keys.
+
+Signed-off-by: Clemens Lang
+---
+ crypto/rsa/rsa_ameth.c | 18 ++++++++-
+ crypto/rsa/rsa_pss.c | 26 ++++++++++--
+ doc/man3/EVP_PKEY_CTX_ctrl.pod | 11 ++++-
+ doc/man7/EVP_SIGNATURE-RSA.pod | 5 +++
+ include/openssl/core_names.h | 1 +
+ include/openssl/rsa.h | 3 ++
+ providers/implementations/signature/rsa_sig.c | 40 ++++++++++++++-----
+ test/recipes/25-test_req.t | 2 +-
+ 8 files changed, 87 insertions(+), 19 deletions(-)
+
+diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
+index 61ec53d424..e69a98d116 100644
+--- a/crypto/rsa/rsa_ameth.c
++++ b/crypto/rsa/rsa_ameth.c
+@@ -450,6 +450,7 @@ static RSA_PSS_PARAMS *rsa_ctx_to_pss(EVP_PKEY_CTX *pkctx)
+ const EVP_MD *sigmd, *mgf1md;
+ EVP_PKEY *pk = EVP_PKEY_CTX_get0_pkey(pkctx);
+ int saltlen;
++ int saltlenMax = -1;
+
+ if (EVP_PKEY_CTX_get_signature_md(pkctx, &sigmd) <= 0)
+ return NULL;
+@@ -457,14 +458,27 @@ static RSA_PSS_PARAMS *rsa_ctx_to_pss(EVP_PKEY_CTX *pkctx)
+ return NULL;
+ if (EVP_PKEY_CTX_get_rsa_pss_saltlen(pkctx, &saltlen) <= 0)
+ return NULL;
+- if (saltlen == -1) {
++ if (saltlen == RSA_PSS_SALTLEN_DIGEST) {
+ saltlen = EVP_MD_get_size(sigmd);
+- } else if (saltlen == -2 || saltlen == -3) {
++ } else if (saltlen == RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
++ /* FIPS 186-4 section 5 "The RSA Digital Signature Algorithm",
++ * subsection 5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in
++ * bytes) of the salt (sLen) shall satisfy 0 <= sLen <= hLen, where
++ * hLen is the length of the hash function output block (in bytes)."
++ *
++ * Provide a way to use at most the digest length, so that the default
++ * does not violate FIPS 186-4.
 */
++ saltlen = RSA_PSS_SALTLEN_MAX;
++ saltlenMax = EVP_MD_get_size(sigmd);
++ }
++ if (saltlen == RSA_PSS_SALTLEN_MAX || saltlen == RSA_PSS_SALTLEN_AUTO) {
+ saltlen = EVP_PKEY_get_size(pk) - EVP_MD_get_size(sigmd) - 2;
+ if ((EVP_PKEY_get_bits(pk) & 0x7) == 1)
+ saltlen--;
+ if (saltlen < 0)
+ return NULL;
++ if (saltlenMax >= 0 && saltlen > saltlenMax)
++ saltlen = saltlenMax;
+ }
+
+ return ossl_rsa_pss_params_create(sigmd, mgf1md, saltlen);
+diff --git a/crypto/rsa/rsa_pss.c b/crypto/rsa/rsa_pss.c
+index 33874bfef8..430c36eb2a 100644
+--- a/crypto/rsa/rsa_pss.c
++++ b/crypto/rsa/rsa_pss.c
+@@ -61,11 +61,12 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
+ * -1 sLen == hLen
+ * -2 salt length is autorecovered from signature
+ * -3 salt length is maximized
++ * -4 salt length is autorecovered from signature
+ * -N reserved
+ */
+ if (sLen == RSA_PSS_SALTLEN_DIGEST) {
+ sLen = hLen;
+- } else if (sLen < RSA_PSS_SALTLEN_MAX) {
++ } else if (sLen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
+ ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED);
+ goto err;
+ }
+@@ -112,7 +113,9 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
+ ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_RECOVERY_FAILED);
+ goto err;
+ }
+- if (sLen != RSA_PSS_SALTLEN_AUTO && (maskedDBLen - i) != sLen) {
++ if (sLen != RSA_PSS_SALTLEN_AUTO
++ && sLen != RSA_PSS_SALTLEN_AUTO_DIGEST_MAX
++ && (maskedDBLen - i) != sLen) {
+ ERR_raise_data(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED,
+ "expected: %d retrieved: %d", sLen,
+ maskedDBLen - i);
+@@ -160,6 +163,7 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
+ int hLen, maskedDBLen, MSBits, emLen;
+ unsigned char *H, *salt = NULL, *p;
+ EVP_MD_CTX *ctx = NULL;
++ int sLenMax = -1;
+
+ if (mgf1Hash == NULL)
+ mgf1Hash = Hash;
+@@ -172,13 +176,25 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
+ * -1 sLen == hLen
+ * -2 salt length is maximized
+ * -3 same as above (on signing)
++ * -4 salt length is
min(hLen, maximum salt length)
+ * -N reserved
+ */
++ /* FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection
++ * 5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the
++ * salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of
++ * the hash function output block (in bytes)."
++ *
++ * Provide a way to use at most the digest length, so that the default does
++ * not violate FIPS 186-4. */
+ if (sLen == RSA_PSS_SALTLEN_DIGEST) {
+ sLen = hLen;
+- } else if (sLen == RSA_PSS_SALTLEN_MAX_SIGN) {
++ } else if (sLen == RSA_PSS_SALTLEN_MAX_SIGN
++ || sLen == RSA_PSS_SALTLEN_AUTO) {
+ sLen = RSA_PSS_SALTLEN_MAX;
+- } else if (sLen < RSA_PSS_SALTLEN_MAX) {
++ } else if (sLen == RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
++ sLen = RSA_PSS_SALTLEN_MAX;
++ sLenMax = hLen;
++ } else if (sLen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
+ ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED);
+ goto err;
+ }
+@@ -195,6 +211,8 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
+ }
+ if (sLen == RSA_PSS_SALTLEN_MAX) {
+ sLen = emLen - hLen - 2;
++ if (sLenMax >= 0 && sLen > sLenMax)
++ sLen = sLenMax;
+ } else if (sLen > emLen - hLen - 2) {
+ ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
+ goto err;
+diff --git a/doc/man3/EVP_PKEY_CTX_ctrl.pod b/doc/man3/EVP_PKEY_CTX_ctrl.pod
+index 3075eaafd6..9b96f42dbc 100644
+--- a/doc/man3/EVP_PKEY_CTX_ctrl.pod
++++ b/doc/man3/EVP_PKEY_CTX_ctrl.pod
+@@ -270,8 +270,8 @@ EVP_PKEY_CTX_get_rsa_padding() gets the RSA padding mode for I.
+
+ EVP_PKEY_CTX_set_rsa_pss_saltlen() sets the RSA PSS salt length to I.
+ As its name implies it is only supported for PSS padding. If this function is
+-not called then the maximum salt length is used when signing and auto detection
+-when verifying. Three special values are supported:
++not called then the salt length is maximized up to the digest length when
++signing and auto detection when verifying.
Four special values are supported: + + =over 4 + +@@ -289,6 +289,13 @@ causes the salt length to be automatically determined based on the + B block structure when verifying. When signing, it has the same + meaning as B. + ++=item B ++ ++causes the salt length to be automatically determined based on the B block ++structure when verifying, like B. When signing, the salt ++length is maximized up to a maximum of the digest length to comply with FIPS ++186-4 section 5.5. ++ + =back + + EVP_PKEY_CTX_get_rsa_pss_saltlen() gets the RSA PSS salt length for I. +diff --git a/doc/man7/EVP_SIGNATURE-RSA.pod b/doc/man7/EVP_SIGNATURE-RSA.pod +index 1ce32cc443..13d053e262 100644 +--- a/doc/man7/EVP_SIGNATURE-RSA.pod ++++ b/doc/man7/EVP_SIGNATURE-RSA.pod +@@ -68,6 +68,11 @@ Use the maximum salt length. + + Auto detect the salt length. + ++=item "auto-digestmax" (B) ++ ++Auto detect the salt length when verifying. Maximize the salt length up to the ++digest size when signing to comply with FIPS 186-4 section 5.5. 
++ + =back + + =back +diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h +index 69c59f0b46..5779f41427 100644 +--- a/include/openssl/core_names.h ++++ b/include/openssl/core_names.h +@@ -399,6 +399,7 @@ extern "C" { + #define OSSL_PKEY_RSA_PSS_SALT_LEN_DIGEST "digest" + #define OSSL_PKEY_RSA_PSS_SALT_LEN_MAX "max" + #define OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO "auto" ++#define OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX "auto-digestmax" + + /* Key generation parameters */ + #define OSSL_PKEY_PARAM_RSA_BITS OSSL_PKEY_PARAM_BITS +diff --git a/include/openssl/rsa.h b/include/openssl/rsa.h +index a55c9727c6..daf55bc6d4 100644 +--- a/include/openssl/rsa.h ++++ b/include/openssl/rsa.h +@@ -137,6 +137,9 @@ int EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *pubexp); + # define RSA_PSS_SALTLEN_AUTO -2 + /* Set salt length to maximum possible */ + # define RSA_PSS_SALTLEN_MAX -3 ++/* Auto-detect on verify, set salt length to min(maximum possible, digest ++ * length) on sign */ ++# define RSA_PSS_SALTLEN_AUTO_DIGEST_MAX -4 + /* Old compatible max salt length for sign only */ + # define RSA_PSS_SALTLEN_MAX_SIGN -2 + +diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c +index 0c45008a00..1a787d77db 100644 +--- a/providers/implementations/signature/rsa_sig.c ++++ b/providers/implementations/signature/rsa_sig.c +@@ -191,8 +191,8 @@ static void *rsa_newctx(void *provctx, const char *propq) + prsactx->libctx = PROV_LIBCTX_OF(provctx); + prsactx->flag_allow_md = 1; + prsactx->propq = propq_copy; +- /* Maximum for sign, auto for verify */ +- prsactx->saltlen = RSA_PSS_SALTLEN_AUTO; ++ /* Maximum up to digest length for sign, auto for verify */ ++ prsactx->saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX; + prsactx->min_saltlen = -1; + return prsactx; + } +@@ -200,13 +200,27 @@ static void *rsa_newctx(void *provctx, const char *propq) + static int rsa_pss_compute_saltlen(PROV_RSA_CTX *ctx) + { + int saltlen 
= ctx->saltlen; +- ++ int saltlenMax = -1; ++ ++ /* FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection ++ * 5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the ++ * salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of ++ * the hash function output block (in bytes)." ++ * ++ * Provide a way to use at most the digest length, so that the default does ++ * not violate FIPS 186-4. */ + if (saltlen == RSA_PSS_SALTLEN_DIGEST) { + saltlen = EVP_MD_get_size(ctx->md); +- } else if (saltlen == RSA_PSS_SALTLEN_AUTO || saltlen == RSA_PSS_SALTLEN_MAX) { ++ } else if (saltlen == RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) { ++ saltlen = RSA_PSS_SALTLEN_MAX; ++ saltlenMax = EVP_MD_get_size(ctx->md); ++ } ++ if (saltlen == RSA_PSS_SALTLEN_MAX || saltlen == RSA_PSS_SALTLEN_AUTO) { + saltlen = RSA_size(ctx->rsa) - EVP_MD_get_size(ctx->md) - 2; + if ((RSA_bits(ctx->rsa) & 0x7) == 1) + saltlen--; ++ if (saltlenMax >= 0 && saltlen > saltlenMax) ++ saltlen = saltlenMax; + } + if (saltlen < 0) { + ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); +@@ -411,8 +425,8 @@ static int rsa_signverify_init(void *vprsactx, void *vrsa, + + prsactx->operation = operation; + +- /* Maximum for sign, auto for verify */ +- prsactx->saltlen = RSA_PSS_SALTLEN_AUTO; ++ /* Maximize up to digest length for sign, auto for verify */ ++ prsactx->saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX; + prsactx->min_saltlen = -1; + + switch (RSA_test_flags(prsactx->rsa, RSA_FLAG_TYPE_MASK)) { +@@ -1110,6 +1124,9 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params) + case RSA_PSS_SALTLEN_AUTO: + value = OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO; + break; ++ case RSA_PSS_SALTLEN_AUTO_DIGEST_MAX: ++ value = OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX; ++ break; + default: + { + int len = BIO_snprintf(p->data, p->data_size, "%d", +@@ -1297,6 +1314,8 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) + saltlen = RSA_PSS_SALTLEN_MAX; + else if (strcmp(p->data, 
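Review bot: rsa_pss_compute_saltlen now calls EVP_MD_get_size(ctx->md) in two branches and never checks its result; when ctx->md is NULL the 3.0 implementation returns -1 (if I recall it correctly), so saltlenMax becomes -1, which silently means "no cap", and the RSA_PSS_SALTLEN_MAX path then computes RSA_size + 1 - 2, a positive value that passes the `saltlen < 0` check and only fails much later in the padding code. The pre-patch MAX branch had the same weakness, but since the new value is now the default it is worth reading the digest size once and failing fast, as sketched below. The function's tail is outside the hunk; I assume the `saltlen < 0` check and whatever follows it stay as they are.
```c
static int rsa_pss_compute_saltlen(PROV_RSA_CTX *ctx)
{
    int saltlen = ctx->saltlen;
    int saltlenMax = -1;
    int mdsize = EVP_MD_get_size(ctx->md);

    /* … unchanged: FIPS 186-4 section 5.5 comment … */
    if (mdsize <= 0) {
        ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST);
        return -1;
    }
    if (saltlen == RSA_PSS_SALTLEN_DIGEST) {
        saltlen = mdsize;
    } else if (saltlen == RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
        saltlen = RSA_PSS_SALTLEN_MAX;
        saltlenMax = mdsize;
    }
    if (saltlen == RSA_PSS_SALTLEN_MAX || saltlen == RSA_PSS_SALTLEN_AUTO) {
        saltlen = RSA_size(ctx->rsa) - mdsize - 2;
        /* … unchanged: odd-bit-length adjustment and saltlenMax cap … */
    }
    /* … unchanged: saltlen < 0 check and return … */
```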
OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO) == 0) + saltlen = RSA_PSS_SALTLEN_AUTO; ++ else if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX) == 0) ++ saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX; + else + saltlen = atoi(p->data); + break; +@@ -1305,11 +1324,11 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) + } + + /* +- * RSA_PSS_SALTLEN_MAX seems curiously named in this check. +- * Contrary to what it's name suggests, it's the currently +- * lowest saltlen number possible. ++ * RSA_PSS_SALTLEN_AUTO_DIGEST_MAX seems curiously named in this check. ++ * Contrary to what it's name suggests, it's the currently lowest ++ * saltlen number possible. + */ +- if (saltlen < RSA_PSS_SALTLEN_MAX) { ++ if (saltlen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) { + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH); + return 0; + } +@@ -1317,6 +1336,7 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) + if (rsa_pss_restricted(prsactx)) { + switch (saltlen) { + case RSA_PSS_SALTLEN_AUTO: ++ case RSA_PSS_SALTLEN_AUTO_DIGEST_MAX: + if (prsactx->operation == EVP_PKEY_OP_VERIFY) { + ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH, + "Cannot use autodetected salt length"); +diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t +index e615f1b338..35541aed12 100644 +--- a/test/recipes/25-test_req.t ++++ b/test/recipes/25-test_req.t +@@ -199,7 +199,7 @@ subtest "generating certificate requests with RSA-PSS" => sub { + ok(!run(app(["openssl", "req", + "-config", srctop_file("test", "test.cnf"), + "-new", "-out", "testreq-rsapss3.pem", "-utf8", +- "-sigopt", "rsa_pss_saltlen:-4", ++ "-sigopt", "rsa_pss_saltlen:-5", + "-key", srctop_file("test", "testrsapss.pem")])), + "Generating request with expected failure"); + +-- +2.38.1 + diff --git a/SOURCES/0091-FIPS-RSA-encapsulate.patch b/SOURCES/0091-FIPS-RSA-encapsulate.patch new file mode 100644 index 0000000..0e24cf8 --- /dev/null +++ b/SOURCES/0091-FIPS-RSA-encapsulate.patch 
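Review bot: In the rsa_pss_restricted() switch, RSA_PSS_SALTLEN_AUTO_DIGEST_MAX is refused only for verify and otherwise accepted without checking the key's salt restriction, yet on sign it resolves to min(max, hLen) in rsa_pss_compute_saltlen, which for a PSS-restricted key whose parameters demand a salt longer than the digest lands below min_saltlen. The existing RSA_PSS_SALTLEN_DIGEST case (below this hunk, not visible here) compares min_saltlen with the digest size at set time if I remember the surrounding code correctly, and the new value needs the same comparison, otherwise the failure surfaces only at sign time, assuming the min_saltlen check in rsa_pss_compute_saltlen is still in place. A separate case as below keeps the verify rejection and adds the sign-side check; the error code and message mirror the DIGEST case. rsa_set_ctx_params begins and ends outside the hunk.
```c
            case RSA_PSS_SALTLEN_AUTO_DIGEST_MAX:
                if (prsactx->operation == EVP_PKEY_OP_VERIFY) {
                    ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH,
                                   "Cannot use autodetected salt length");
                    return 0;
                }
                if (prsactx->min_saltlen > EVP_MD_get_size(prsactx->md)) {
                    ERR_raise_data(ERR_LIB_PROV, PROV_R_PSS_SALTLEN_TOO_SMALL,
                                   "Should be more than %d, but would be "
                                   "capped at digest size (%d)",
                                   prsactx->min_saltlen,
                                   EVP_MD_get_size(prsactx->md));
                    return 0;
                }
                break;
```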
@@ -0,0 +1,32 @@
+diff -up openssl-3.0.1/providers/implementations/kem/rsa_kem.c.encap openssl-3.0.1/providers/implementations/kem/rsa_kem.c
+--- openssl-3.0.1/providers/implementations/kem/rsa_kem.c.encap 2022-11-22 12:27:30.994530801 +0100
++++ openssl-3.0.1/providers/implementations/kem/rsa_kem.c 2022-11-22 12:32:15.916875495 +0100
+@@ -264,6 +264,14 @@ static int rsasve_generate(PROV_RSA_CTX
+ *secretlen = nlen;
+ return 1;
+ }
++
++#ifdef FIPS_MODULE
++ if (nlen < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS/8) {
++ ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL);
++ return 0;
++ }
++#endif
++
+ /*
+ * Step (2): Generate a random byte string z of nlen bytes where
+ * 1 < z < n - 1
+@@ -307,6 +315,13 @@ static int rsasve_recover(PROV_RSA_CTX *
+ return 1;
+ }
+
++#ifdef FIPS_MODULE
++ if (nlen < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS/8) {
++ ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL);
++ return 0;
++ }
++#endif
++
+ /* Step (2): check the input ciphertext 'inlen' matches the nlen */
+ if (inlen != nlen) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_BAD_LENGTH);
diff --git a/SOURCES/0092-provider-improvements.patch b/SOURCES/0092-provider-improvements.patch
new file mode 100644
index 0000000..b850fc3
--- /dev/null
+++ b/SOURCES/0092-provider-improvements.patch
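Review bot: The FIPS minimum-modulus guard added to rsasve_generate and rsasve_recover compares nlen, a byte count, against OPENSSL_RSA_FIPS_MIN_MODULUS_BITS/8, so a modulus of 2041 to 2047 bits still passes, because nlen is 256 for it too if nlen is RSA_size() as the Step (1) wording above the hunk suggests (RSA_size rounds up to whole bytes). Comparing the bit length is exact and just as cheap: `if (RSA_bits(prsactx->rsa) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS) {`. The guard also sits after the out == NULL size-query return, so a size query on an undersized key succeeds and the error only appears on the real call; that is tolerable, but a one-line comment such as `/* Size queries above are allowed; the key-size floor applies to the operation itself. */` would make it deliberate. Both functions start before their hunks.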
@@ -0,0 +1,705 @@ +From 98642df4ba886818900ab7e6b23703544e6addd4 Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Thu, 10 Nov 2022 10:46:32 -0500 +Subject: [PATCH 1/3] Propagate selection all the way on key export + +EVP_PKEY_eq() is used to check, among other things, if a certificate +public key corresponds to a private key. When the private key belongs to +a provider that does not allow to export private keys this currently +fails as the internal functions used to import/export keys ignored the +selection given (which specifies that only the public key needs to be +considered) and instead tries to export everything. + +This patch allows to propagate the selection all the way down including +adding it in the cache so that a following operation actually looking +for other selection parameters does not mistakenly pick up an export +containing only partial information. + +Signed-off-by: Simo Sorce + +Reviewed-by: Dmitry Belyavskiy +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/19648) + +diff --git a/crypto/evp/keymgmt_lib.c b/crypto/evp/keymgmt_lib.c +index b06730dc7a..2d0238ee27 100644 +--- a/crypto/evp/keymgmt_lib.c ++++ b/crypto/evp/keymgmt_lib.c +@@ -93,7 +93,8 @@ int evp_keymgmt_util_export(const EVP_PKEY *pk, int selection, + export_cb, export_cbarg); + } + +-void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt) ++void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt, ++ int selection) + { + struct evp_keymgmt_util_try_import_data_st import_data; + OP_CACHE_ELEM *op; +@@ -127,7 +128,7 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt) + */ + if (pk->dirty_cnt == pk->dirty_cnt_copy) { + /* If this key is already exported to |keymgmt|, no more to do */ +- op = evp_keymgmt_util_find_operation_cache(pk, keymgmt); ++ op = evp_keymgmt_util_find_operation_cache(pk, keymgmt, selection); + if (op != NULL && op->keymgmt != NULL) { + void *ret = op->keydata; + +@@ 
-157,13 +158,13 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt) + /* Setup for the export callback */ + import_data.keydata = NULL; /* evp_keymgmt_util_try_import will create it */ + import_data.keymgmt = keymgmt; +- import_data.selection = OSSL_KEYMGMT_SELECT_ALL; ++ import_data.selection = selection; + + /* + * The export function calls the callback (evp_keymgmt_util_try_import), + * which does the import for us. If successful, we're done. + */ +- if (!evp_keymgmt_util_export(pk, OSSL_KEYMGMT_SELECT_ALL, ++ if (!evp_keymgmt_util_export(pk, selection, + &evp_keymgmt_util_try_import, &import_data)) + /* If there was an error, bail out */ + return NULL; +@@ -173,7 +174,7 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt) + return NULL; + } + /* Check to make sure some other thread didn't get there first */ +- op = evp_keymgmt_util_find_operation_cache(pk, keymgmt); ++ op = evp_keymgmt_util_find_operation_cache(pk, keymgmt, selection); + if (op != NULL && op->keydata != NULL) { + void *ret = op->keydata; + +@@ -196,7 +197,8 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt) + evp_keymgmt_util_clear_operation_cache(pk, 0); + + /* Add the new export to the operation cache */ +- if (!evp_keymgmt_util_cache_keydata(pk, keymgmt, import_data.keydata)) { ++ if (!evp_keymgmt_util_cache_keydata(pk, keymgmt, import_data.keydata, ++ selection)) { + CRYPTO_THREAD_unlock(pk->lock); + evp_keymgmt_freedata(keymgmt, import_data.keydata); + return NULL; +@@ -232,7 +234,8 @@ int evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk, int locking) + } + + OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk, +- EVP_KEYMGMT *keymgmt) ++ EVP_KEYMGMT *keymgmt, ++ int selection) + { + int i, end = sk_OP_CACHE_ELEM_num(pk->operation_cache); + OP_CACHE_ELEM *p; +@@ -243,14 +246,14 @@ OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk, + */ + for (i = 0; i < end; i++) { + p = 
sk_OP_CACHE_ELEM_value(pk->operation_cache, i); +- if (keymgmt == p->keymgmt) ++ if (keymgmt == p->keymgmt && (p->selection & selection) == selection) + return p; + } + return NULL; + } + +-int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, +- EVP_KEYMGMT *keymgmt, void *keydata) ++int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt, ++ void *keydata, int selection) + { + OP_CACHE_ELEM *p = NULL; + +@@ -266,6 +269,7 @@ int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, + return 0; + p->keydata = keydata; + p->keymgmt = keymgmt; ++ p->selection = selection; + + if (!EVP_KEYMGMT_up_ref(keymgmt)) { + OPENSSL_free(p); +@@ -391,7 +395,8 @@ int evp_keymgmt_util_match(EVP_PKEY *pk1, EVP_PKEY *pk2, int selection) + ok = 1; + if (keydata1 != NULL) { + tmp_keydata = +- evp_keymgmt_util_export_to_provider(pk1, keymgmt2); ++ evp_keymgmt_util_export_to_provider(pk1, keymgmt2, ++ selection); + ok = (tmp_keydata != NULL); + } + if (ok) { +@@ -411,7 +416,8 @@ int evp_keymgmt_util_match(EVP_PKEY *pk1, EVP_PKEY *pk2, int selection) + ok = 1; + if (keydata2 != NULL) { + tmp_keydata = +- evp_keymgmt_util_export_to_provider(pk2, keymgmt1); ++ evp_keymgmt_util_export_to_provider(pk2, keymgmt1, ++ selection); + ok = (tmp_keydata != NULL); + } + if (ok) { +diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c +index 70d17ec37e..905e9c9ce4 100644 +--- a/crypto/evp/p_lib.c ++++ b/crypto/evp/p_lib.c +@@ -1822,6 +1822,7 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx, + { + EVP_KEYMGMT *allocated_keymgmt = NULL; + EVP_KEYMGMT *tmp_keymgmt = NULL; ++ int selection = OSSL_KEYMGMT_SELECT_ALL; + void *keydata = NULL; + int check; + +@@ -1883,7 +1884,8 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx, + if (pk->ameth->dirty_cnt(pk) == pk->dirty_cnt_copy) { + if (!CRYPTO_THREAD_read_lock(pk->lock)) + goto end; +- op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt); ++ op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt, ++ 
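Review bot: In evp_keymgmt_util_cache_keydata the stored p->selection is the selection that was requested, not what the provider's export actually delivered, and evp_keymgmt_util_find_operation_cache then treats any entry whose stored mask covers the request as complete. That is sound only because a provider is expected to fail an export it cannot satisfy (as the fake provider in this series does when private-key bits are selected); a provider that answered a SELECT_ALL request with public parts only would leave a cache entry that later lookups asking for the private key would trust. The assumption deserves a line at the assignment: `/* Records the selection requested; relies on the export having failed if it could not supply every selected part. */`. Note also that, because matching is by superset, a public-only entry and a full entry for the same keymgmt can coexist until the key is dirtied, which is fine but is worth stating in the same comment.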
selection); + + /* + * If |tmp_keymgmt| is present in the operation cache, it means +@@ -1938,7 +1940,7 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx, + EVP_KEYMGMT_free(tmp_keymgmt); /* refcnt-- */ + + /* Check to make sure some other thread didn't get there first */ +- op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt); ++ op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt, selection); + if (op != NULL && op->keymgmt != NULL) { + void *tmp_keydata = op->keydata; + +@@ -1949,7 +1951,8 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx, + } + + /* Add the new export to the operation cache */ +- if (!evp_keymgmt_util_cache_keydata(pk, tmp_keymgmt, keydata)) { ++ if (!evp_keymgmt_util_cache_keydata(pk, tmp_keymgmt, keydata, ++ selection)) { + CRYPTO_THREAD_unlock(pk->lock); + evp_keymgmt_freedata(tmp_keymgmt, keydata); + keydata = NULL; +@@ -1964,7 +1967,7 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx, + } + #endif /* FIPS_MODULE */ + +- keydata = evp_keymgmt_util_export_to_provider(pk, tmp_keymgmt); ++ keydata = evp_keymgmt_util_export_to_provider(pk, tmp_keymgmt, selection); + + end: + /* +diff --git a/include/crypto/evp.h b/include/crypto/evp.h +index f601b72807..dbbdcccbda 100644 +--- a/include/crypto/evp.h ++++ b/include/crypto/evp.h +@@ -589,6 +589,7 @@ int evp_cipher_asn1_to_param_ex(EVP_CIPHER_CTX *c, ASN1_TYPE *type, + typedef struct { + EVP_KEYMGMT *keymgmt; + void *keydata; ++ int selection; + } OP_CACHE_ELEM; + + DEFINE_STACK_OF(OP_CACHE_ELEM) +@@ -778,12 +779,14 @@ EVP_PKEY *evp_keymgmt_util_make_pkey(EVP_KEYMGMT *keymgmt, void *keydata); + + int evp_keymgmt_util_export(const EVP_PKEY *pk, int selection, + OSSL_CALLBACK *export_cb, void *export_cbarg); +-void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt); ++void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt, ++ int selection); + OP_CACHE_ELEM 
*evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk, +- EVP_KEYMGMT *keymgmt); ++ EVP_KEYMGMT *keymgmt, ++ int selection); + int evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk, int locking); +-int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, +- EVP_KEYMGMT *keymgmt, void *keydata); ++int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt, ++ void *keydata, int selection); + void evp_keymgmt_util_cache_keyinfo(EVP_PKEY *pk); + void *evp_keymgmt_util_fromdata(EVP_PKEY *target, EVP_KEYMGMT *keymgmt, + int selection, const OSSL_PARAM params[]); +-- +2.38.1 + +From 504427eb5f32108dd64ff7858012863fe47b369b Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Thu, 10 Nov 2022 16:58:28 -0500 +Subject: [PATCH 2/3] Update documentation for keymgmt export utils + +Change function prototypes and explain how to use the selection +argument. + +Signed-off-by: Simo Sorce + +Reviewed-by: Dmitry Belyavskiy +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/19648) + +diff --git a/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod b/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod +index 1fee9f6ff9..7099e44964 100644 +--- a/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod ++++ b/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod +@@ -20,12 +20,14 @@ OP_CACHE_ELEM + + int evp_keymgmt_util_export(const EVP_PKEY *pk, int selection, + OSSL_CALLBACK *export_cb, void *export_cbarg); +- void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt); ++ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt, ++ int selection); + OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk, +- EVP_KEYMGMT *keymgmt); ++ EVP_KEYMGMT *keymgmt, ++ int selection); + int evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk, int locking); +- int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, +- EVP_KEYMGMT *keymgmt, void *keydata); ++ int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, 
EVP_KEYMGMT *keymgmt, ++ void *keydata, int selection); + void evp_keymgmt_util_cache_keyinfo(EVP_PKEY *pk); + void *evp_keymgmt_util_fromdata(EVP_PKEY *target, EVP_KEYMGMT *keymgmt, + int selection, const OSSL_PARAM params[]); +@@ -65,6 +67,11 @@ evp_keymgmt_util_fromdata() can be used to add key object data to a + given key I via a B interface. This is used as a + helper for L. + ++In all functions that take a I argument, the selection is used to ++constraint the information requested on export. It is also used in the cache ++so that key data is guaranteed to contain all the information requested in ++the selection. ++ + =head1 RETURN VALUES + + evp_keymgmt_export_to_provider() and evp_keymgmt_util_fromdata() +-- +2.38.1 + +From e5202fbd461cb6c067874987998e91c6093e5267 Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Fri, 11 Nov 2022 12:18:26 -0500 +Subject: [PATCH 3/3] Add test for EVP_PKEY_eq + +This tests that the comparison work even if a provider can only return +a public key. + +Signed-off-by: Simo Sorce + +Reviewed-by: Dmitry Belyavskiy +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/19648) + +diff --git a/test/fake_rsaprov.c b/test/fake_rsaprov.c +index d556551bb6..5e92e72d4b 100644 +--- a/test/fake_rsaprov.c ++++ b/test/fake_rsaprov.c +@@ -22,24 +22,34 @@ static OSSL_FUNC_keymgmt_has_fn fake_rsa_keymgmt_has; + static OSSL_FUNC_keymgmt_query_operation_name_fn fake_rsa_keymgmt_query; + static OSSL_FUNC_keymgmt_import_fn fake_rsa_keymgmt_import; + static OSSL_FUNC_keymgmt_import_types_fn fake_rsa_keymgmt_imptypes; ++static OSSL_FUNC_keymgmt_export_fn fake_rsa_keymgmt_export; ++static OSSL_FUNC_keymgmt_export_types_fn fake_rsa_keymgmt_exptypes; + static OSSL_FUNC_keymgmt_load_fn fake_rsa_keymgmt_load; + + static int has_selection; + static int imptypes_selection; ++static int exptypes_selection; + static int query_id; + ++struct fake_rsa_keydata { ++ int selection; ++ int status; ++}; ++ + static void 
*fake_rsa_keymgmt_new(void *provctx) + { +- unsigned char *keydata = OPENSSL_zalloc(1); ++ struct fake_rsa_keydata *key; + +- TEST_ptr(keydata); ++ if (!TEST_ptr(key = OPENSSL_zalloc(sizeof(struct fake_rsa_keydata)))) ++ return NULL; + + /* clear test globals */ + has_selection = 0; + imptypes_selection = 0; ++ exptypes_selection = 0; + query_id = 0; + +- return keydata; ++ return key; + } + + static void fake_rsa_keymgmt_free(void *keydata) +@@ -67,14 +77,104 @@ static const char *fake_rsa_keymgmt_query(int id) + static int fake_rsa_keymgmt_import(void *keydata, int selection, + const OSSL_PARAM *p) + { +- unsigned char *fake_rsa_key = keydata; ++ struct fake_rsa_keydata *fake_rsa_key = keydata; + + /* key was imported */ +- *fake_rsa_key = 1; ++ fake_rsa_key->status = 1; + + return 1; + } + ++static unsigned char fake_rsa_n[] = ++ "\x00\xAA\x36\xAB\xCE\x88\xAC\xFD\xFF\x55\x52\x3C\x7F\xC4\x52\x3F" ++ "\x90\xEF\xA0\x0D\xF3\x77\x4A\x25\x9F\x2E\x62\xB4\xC5\xD9\x9C\xB5" ++ "\xAD\xB3\x00\xA0\x28\x5E\x53\x01\x93\x0E\x0C\x70\xFB\x68\x76\x93" ++ "\x9C\xE6\x16\xCE\x62\x4A\x11\xE0\x08\x6D\x34\x1E\xBC\xAC\xA0\xA1" ++ "\xF5"; ++ ++static unsigned char fake_rsa_e[] = "\x11"; ++ ++static unsigned char fake_rsa_d[] = ++ "\x0A\x03\x37\x48\x62\x64\x87\x69\x5F\x5F\x30\xBC\x38\xB9\x8B\x44" ++ "\xC2\xCD\x2D\xFF\x43\x40\x98\xCD\x20\xD8\xA1\x38\xD0\x90\xBF\x64" ++ "\x79\x7C\x3F\xA7\xA2\xCD\xCB\x3C\xD1\xE0\xBD\xBA\x26\x54\xB4\xF9" ++ "\xDF\x8E\x8A\xE5\x9D\x73\x3D\x9F\x33\xB3\x01\x62\x4A\xFD\x1D\x51"; ++ ++static unsigned char fake_rsa_p[] = ++ "\x00\xD8\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5" ++ "\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x12" ++ "\x0D"; ++ ++static unsigned char fake_rsa_q[] = ++ "\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9" ++ "\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D" ++ "\x89"; ++ ++static unsigned char fake_rsa_dmp1[] = ++ 
"\x59\x0B\x95\x72\xA2\xC2\xA9\xC4\x06\x05\x9D\xC2\xAB\x2F\x1D\xAF" ++ "\xEB\x7E\x8B\x4F\x10\xA7\x54\x9E\x8E\xED\xF5\xB4\xFC\xE0\x9E\x05"; ++ ++static unsigned char fake_rsa_dmq1[] = ++ "\x00\x8E\x3C\x05\x21\xFE\x15\xE0\xEA\x06\xA3\x6F\xF0\xF1\x0C\x99" ++ "\x52\xC3\x5B\x7A\x75\x14\xFD\x32\x38\xB8\x0A\xAD\x52\x98\x62\x8D" ++ "\x51"; ++ ++static unsigned char fake_rsa_iqmp[] = ++ "\x36\x3F\xF7\x18\x9D\xA8\xE9\x0B\x1D\x34\x1F\x71\xD0\x9B\x76\xA8" ++ "\xA9\x43\xE1\x1D\x10\xB2\x4D\x24\x9F\x2D\xEA\xFE\xF8\x0C\x18\x26"; ++ ++OSSL_PARAM *fake_rsa_key_params(int priv) ++{ ++ if (priv) { ++ OSSL_PARAM params[] = { ++ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, fake_rsa_n, ++ sizeof(fake_rsa_n) -1), ++ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, fake_rsa_e, ++ sizeof(fake_rsa_e) -1), ++ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_D, fake_rsa_d, ++ sizeof(fake_rsa_d) -1), ++ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_FACTOR1, fake_rsa_p, ++ sizeof(fake_rsa_p) -1), ++ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_FACTOR2, fake_rsa_q, ++ sizeof(fake_rsa_q) -1), ++ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_EXPONENT1, fake_rsa_dmp1, ++ sizeof(fake_rsa_dmp1) -1), ++ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_EXPONENT2, fake_rsa_dmq1, ++ sizeof(fake_rsa_dmq1) -1), ++ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_COEFFICIENT1, fake_rsa_iqmp, ++ sizeof(fake_rsa_iqmp) -1), ++ OSSL_PARAM_END ++ }; ++ return OSSL_PARAM_dup(params); ++ } else { ++ OSSL_PARAM params[] = { ++ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, fake_rsa_n, ++ sizeof(fake_rsa_n) -1), ++ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, fake_rsa_e, ++ sizeof(fake_rsa_e) -1), ++ OSSL_PARAM_END ++ }; ++ return OSSL_PARAM_dup(params); ++ } ++} ++ ++static int fake_rsa_keymgmt_export(void *keydata, int selection, ++ OSSL_CALLBACK *param_callback, void *cbarg) ++{ ++ OSSL_PARAM *params = NULL; ++ int ret; ++ ++ if (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) ++ return 0; ++ ++ if (!TEST_ptr(params = fake_rsa_key_params(0))) ++ return 0; ++ ++ ret = param_callback(params, cbarg); ++ OSSL_PARAM_free(params); ++ 
return ret; ++} ++ + static const OSSL_PARAM fake_rsa_import_key_types[] = { + OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, NULL, 0), + OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, NULL, 0), +@@ -95,19 +195,33 @@ static const OSSL_PARAM *fake_rsa_keymgmt_imptypes(int selection) + return fake_rsa_import_key_types; + } + ++static const OSSL_PARAM fake_rsa_export_key_types[] = { ++ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, NULL, 0), ++ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, NULL, 0), ++ OSSL_PARAM_END ++}; ++ ++static const OSSL_PARAM *fake_rsa_keymgmt_exptypes(int selection) ++{ ++ /* record global for checking */ ++ exptypes_selection = selection; ++ ++ return fake_rsa_export_key_types; ++} ++ + static void *fake_rsa_keymgmt_load(const void *reference, size_t reference_sz) + { +- unsigned char *key = NULL; ++ struct fake_rsa_keydata *key = NULL; + +- if (reference_sz != sizeof(key)) ++ if (reference_sz != sizeof(*key)) + return NULL; + +- key = *(unsigned char **)reference; +- if (*key != 1) ++ key = *(struct fake_rsa_keydata **)reference; ++ if (key->status != 1) + return NULL; + + /* detach the reference */ +- *(unsigned char **)reference = NULL; ++ *(struct fake_rsa_keydata **)reference = NULL; + + return key; + } +@@ -129,7 +243,7 @@ static void *fake_rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg) + { + unsigned char *gctx = genctx; + static const unsigned char inited[] = { 1 }; +- unsigned char *keydata; ++ struct fake_rsa_keydata *keydata; + + if (!TEST_ptr(gctx) + || !TEST_mem_eq(gctx, sizeof(*gctx), inited, sizeof(inited))) +@@ -138,7 +252,7 @@ static void *fake_rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg) + if (!TEST_ptr(keydata = fake_rsa_keymgmt_new(NULL))) + return NULL; + +- *keydata = 2; ++ keydata->status = 2; + return keydata; + } + +@@ -156,6 +270,9 @@ static const OSSL_DISPATCH fake_rsa_keymgmt_funcs[] = { + { OSSL_FUNC_KEYMGMT_IMPORT, (void (*)(void))fake_rsa_keymgmt_import }, + { OSSL_FUNC_KEYMGMT_IMPORT_TYPES, + (void 
(*)(void))fake_rsa_keymgmt_imptypes }, ++ { OSSL_FUNC_KEYMGMT_EXPORT, (void (*)(void))fake_rsa_keymgmt_export }, ++ { OSSL_FUNC_KEYMGMT_EXPORT_TYPES, ++ (void (*)(void))fake_rsa_keymgmt_exptypes }, + { OSSL_FUNC_KEYMGMT_LOAD, (void (*)(void))fake_rsa_keymgmt_load }, + { OSSL_FUNC_KEYMGMT_GEN_INIT, (void (*)(void))fake_rsa_gen_init }, + { OSSL_FUNC_KEYMGMT_GEN, (void (*)(void))fake_rsa_gen }, +@@ -191,14 +308,14 @@ static int fake_rsa_sig_sign_init(void *ctx, void *provkey, + const OSSL_PARAM params[]) + { + unsigned char *sigctx = ctx; +- unsigned char *keydata = provkey; ++ struct fake_rsa_keydata *keydata = provkey; + + /* we must have a ctx */ + if (!TEST_ptr(sigctx)) + return 0; + + /* we must have some initialized key */ +- if (!TEST_ptr(keydata) || !TEST_int_gt(keydata[0], 0)) ++ if (!TEST_ptr(keydata) || !TEST_int_gt(keydata->status, 0)) + return 0; + + /* record that sign init was called */ +@@ -289,7 +406,7 @@ static int fake_rsa_st_load(void *loaderctx, + unsigned char *storectx = loaderctx; + OSSL_PARAM params[4]; + int object_type = OSSL_OBJECT_PKEY; +- void *key = NULL; ++ struct fake_rsa_keydata *key = NULL; + int rv = 0; + + switch (*storectx) { +@@ -307,7 +424,7 @@ static int fake_rsa_st_load(void *loaderctx, + /* The address of the key becomes the octet string */ + params[2] = + OSSL_PARAM_construct_octet_string(OSSL_OBJECT_PARAM_REFERENCE, +- &key, sizeof(key)); ++ &key, sizeof(*key)); + params[3] = OSSL_PARAM_construct_end(); + rv = object_cb(params, object_cbarg); + *storectx = 1; +diff --git a/test/fake_rsaprov.h b/test/fake_rsaprov.h +index 57de1ecf8d..190c46a285 100644 +--- a/test/fake_rsaprov.h ++++ b/test/fake_rsaprov.h +@@ -12,3 +12,4 @@ + /* Fake RSA provider implementation */ + OSSL_PROVIDER *fake_rsa_start(OSSL_LIB_CTX *libctx); + void fake_rsa_finish(OSSL_PROVIDER *p); ++OSSL_PARAM *fake_rsa_key_params(int priv); +diff --git a/test/provider_pkey_test.c b/test/provider_pkey_test.c +index 5c398398f4..3b190baa5e 100644 +--- 
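Review bot: In fake_rsa_st_load the reference handed out through OSSL_OBJECT_PARAM_REFERENCE is `&key`, the address of a pointer, but its length is now `sizeof(*key)`, the size of struct fake_rsa_keydata (two ints). The two coincide only on LP64 targets; on a 32-bit build the octet string is 8 bytes read from a 4-byte variable, an over-read of the stack, and the matching `reference_sz != sizeof(*key)` guard in fake_rsa_keymgmt_load hides the mismatch instead of catching it. Both sides should use the pointer size as the pre-patch code did: `&key, sizeof(key)` here and `if (reference_sz != sizeof(key))` in fake_rsa_keymgmt_load. Test-only code, but it is the kind of latent bug that turns into an unexplained failure on 32-bit CI. Both functions begin outside their hunks.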
a/test/provider_pkey_test.c ++++ b/test/provider_pkey_test.c +@@ -176,6 +176,67 @@ end: + return ret; + } + ++static int test_pkey_eq(void) ++{ ++ OSSL_PROVIDER *deflt = NULL; ++ OSSL_PROVIDER *fake_rsa = NULL; ++ EVP_PKEY *pkey_fake = NULL; ++ EVP_PKEY *pkey_dflt = NULL; ++ EVP_PKEY_CTX *ctx = NULL; ++ OSSL_PARAM *params = NULL; ++ int ret = 0; ++ ++ if (!TEST_ptr(fake_rsa = fake_rsa_start(libctx))) ++ return 0; ++ ++ if (!TEST_ptr(deflt = OSSL_PROVIDER_load(libctx, "default"))) ++ goto end; ++ ++ /* Construct a public key for fake-rsa */ ++ if (!TEST_ptr(params = fake_rsa_key_params(0)) ++ || !TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA", ++ "provider=fake-rsa")) ++ || !TEST_true(EVP_PKEY_fromdata_init(ctx)) ++ || !TEST_true(EVP_PKEY_fromdata(ctx, &pkey_fake, EVP_PKEY_PUBLIC_KEY, ++ params)) ++ || !TEST_ptr(pkey_fake)) ++ goto end; ++ ++ EVP_PKEY_CTX_free(ctx); ++ ctx = NULL; ++ OSSL_PARAM_free(params); ++ params = NULL; ++ ++ /* Construct a public key for default */ ++ if (!TEST_ptr(params = fake_rsa_key_params(0)) ++ || !TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA", ++ "provider=default")) ++ || !TEST_true(EVP_PKEY_fromdata_init(ctx)) ++ || !TEST_true(EVP_PKEY_fromdata(ctx, &pkey_dflt, EVP_PKEY_PUBLIC_KEY, ++ params)) ++ || !TEST_ptr(pkey_dflt)) ++ goto end; ++ ++ EVP_PKEY_CTX_free(ctx); ++ ctx = NULL; ++ OSSL_PARAM_free(params); ++ params = NULL; ++ ++ /* now test for equality */ ++ if (!TEST_int_eq(EVP_PKEY_eq(pkey_fake, pkey_dflt), 1)) ++ goto end; ++ ++ ret = 1; ++end: ++ fake_rsa_finish(fake_rsa); ++ OSSL_PROVIDER_unload(deflt); ++ EVP_PKEY_CTX_free(ctx); ++ EVP_PKEY_free(pkey_fake); ++ EVP_PKEY_free(pkey_dflt); ++ OSSL_PARAM_free(params); ++ return ret; ++} ++ + static int test_pkey_store(int idx) + { + OSSL_PROVIDER *deflt = NULL; +@@ -235,6 +296,7 @@ int setup_tests(void) + + ADD_TEST(test_pkey_sig); + ADD_TEST(test_alternative_keygen_init); ++ ADD_TEST(test_pkey_eq); + ADD_ALL_TESTS(test_pkey_store, 2); + + return 1; +-- +2.38.1 + 
+From 2fea56832780248af2aba2e4433ece2d18428515 Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Mon, 14 Nov 2022 10:25:15 -0500 +Subject: [PATCH] Drop explicit check for engines in opt_legacy_okay + +The providers indication should always indicate that this is not a +legacy request. +This makes a check for engines redundant as the default return is that +legacy is ok if there are no explicit providers. + +Fixes #19662 + +Signed-off-by: Simo Sorce + +Reviewed-by: Dmitry Belyavskiy +Reviewed-by: Paul Dale +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/19671) +--- + apps/lib/apps.c | 8 -------- + test/recipes/20-test_legacy_okay.t | 23 +++++++++++++++++++++++ + 2 files changed, 23 insertions(+), 8 deletions(-) + create mode 100755 test/recipes/20-test_legacy_okay.t + +diff --git a/apps/lib/apps.c b/apps/lib/apps.c +index 3d52e030ab7e258f9cd983b2d9755d954cb3aee5..bbe0d009efb35fcf1a902c86cbddc61e657e57f1 100644 +--- a/apps/lib/apps.c ++++ b/apps/lib/apps.c +@@ -3405,14 +3405,6 @@ int opt_legacy_okay(void) + { + int provider_options = opt_provider_option_given(); + int libctx = app_get0_libctx() != NULL || app_get0_propq() != NULL; +-#ifndef OPENSSL_NO_ENGINE +- ENGINE *e = ENGINE_get_first(); +- +- if (e != NULL) { +- ENGINE_free(e); +- return 1; +- } +-#endif + /* + * Having a provider option specified or a custom library context or + * property query, is a sure sign we're not using legacy. +diff --git a/test/recipes/20-test_legacy_okay.t b/test/recipes/20-test_legacy_okay.t +new file mode 100755 +index 0000000000000000000000000000000000000000..183499f3fd93f97e8a4a30681a9f383d2f6e0c56 +--- /dev/null ++++ b/test/recipes/20-test_legacy_okay.t +@@ -0,0 +1,23 @@ ++#! /usr/bin/env perl ++# Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. ++# ++# Licensed under the Apache License 2.0 (the "License"). You may not use ++# this file except in compliance with the License. 
You can obtain a copy ++# in the file LICENSE in the source distribution or at ++# https://www.openssl.org/source/license.html ++ ++use strict; ++use warnings; ++ ++use OpenSSL::Test; ++ ++setup("test_legacy"); ++ ++plan tests => 3; ++ ++ok(run(app(['openssl', 'rand', '-out', 'rand.txt', '256'])), "Generate random file"); ++ ++ok(run(app(['openssl', 'dgst', '-sha256', 'rand.txt'])), "Generate a digest"); ++ ++ok(!run(app(['openssl', 'dgst', '-sha256', '-propquery', 'foo=1', ++ 'rand.txt'])), "Fail to generate a digest"); +-- +2.38.1 + diff --git a/SOURCES/0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch b/SOURCES/0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch new file mode 100644 index 0000000..65bae6f --- /dev/null +++ b/SOURCES/0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch 
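Review bot: The new recipe never loads an engine, so the code path this commit changes, opt_legacy_okay() with an ENGINE present and no provider option, is not exercised; the three cases only cover the provider/property-query branch, which the removed code did not affect. If the harness allows it (OPENSSL_NO_ENGINE not set), add a case that runs a legacy-capable command with an engine loaded and a provider option and checks the decision, or leave a comment in the recipe stating why that case cannot be driven from here. Separately, `setup("test_legacy")` does not match the recipe name; `setup("test_legacy_okay")` keeps the result directory naming consistent with the other recipes.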
@@ -0,0 +1,344 @@ +From 8a2d1b22ede5eeca4d104bb027b84f3ecfc69549 Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Thu, 11 May 2023 12:51:59 +0200 +Subject: [PATCH] DH: Disable FIPS 186-4 type parameters in FIPS mode + +For DH parameter and key pair generation/verification, the DSA +procedures specified in FIPS 186-4 are used. With the release of FIPS +186-5 and the removal of DSA, the approved status of these groups is in +peril. Once the transition for DSA ends (this transition will be 1 year +long and start once CMVP has published the guidance), no more +submissions claiming DSA will be allowed. Hence, FIPS 186-type +parameters will also be automatically non-approved. + +In the FIPS provider, disable validation of any DH parameters that are +not well-known groups, and remove DH parameter generation completely. + +Adjust tests to use well-known groups or larger DH groups where this +change would now cause failures, and skip tests that are expected to +fail due to this change. + +Related: rhbz#2169757, rhbz#2169757 +Signed-off-by: Clemens Lang +--- + crypto/dh/dh_backend.c | 10 ++++ + crypto/dh/dh_check.c | 12 ++-- + crypto/dh/dh_gen.c | 12 +++- + crypto/dh/dh_key.c | 13 ++-- + crypto/dh/dh_pmeth.c | 10 +++- + providers/implementations/keymgmt/dh_kmgmt.c | 5 ++ + test/endecode_test.c | 4 +- + test/evp_libctx_test.c | 2 +- + test/helpers/predefined_dhparams.c | 62 ++++++++++++++++++++ + test/helpers/predefined_dhparams.h | 1 + + test/recipes/80-test_cms.t | 4 +- + test/recipes/80-test_ssl_old.t | 3 + + 12 files changed, 118 insertions(+), 20 deletions(-) + +diff --git a/crypto/dh/dh_backend.c b/crypto/dh/dh_backend.c +index 726843fd30..24c65ca84f 100644 +--- a/crypto/dh/dh_backend.c ++++ b/crypto/dh/dh_backend.c +@@ -53,6 +53,16 @@ int ossl_dh_params_fromdata(DH *dh, const OSSL_PARAM params[]) + if (!dh_ffc_params_fromdata(dh, params)) + return 0; + ++#ifdef FIPS_MODULE ++ if (!ossl_dh_is_named_safe_prime_group(dh)) { ++ ERR_raise_data(ERR_LIB_DH, 
DH_R_BAD_FFC_PARAMETERS, ++ "FIPS 186-4 type domain parameters no longer allowed in" ++ " FIPS mode, since the required validation routines" ++ " were removed from FIPS 186-5"); ++ return 0; ++ } ++#endif ++ + param_priv_len = + OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_DH_PRIV_LEN); + if (param_priv_len != NULL +diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c +index 0b391910d6..75581ca347 100644 +--- a/crypto/dh/dh_check.c ++++ b/crypto/dh/dh_check.c +@@ -57,13 +57,15 @@ int DH_check_params(const DH *dh, int *ret) + nid = DH_get_nid((DH *)dh); + if (nid != NID_undef) + return 1; ++ + /* +- * OR +- * (2b) FFC domain params conform to FIPS-186-4 explicit domain param +- * validity tests. ++ * FIPS 186-4 explicit domain parameters are no longer supported in FIPS mode. + */ +- return ossl_ffc_params_FIPS186_4_validate(dh->libctx, &dh->params, +- FFC_PARAM_TYPE_DH, ret, NULL); ++ ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS, ++ "FIPS 186-4 type domain parameters no longer allowed in" ++ " FIPS mode, since the required validation routines were" ++ " removed from FIPS 186-5"); ++ return 0; + } + #else + int DH_check_params(const DH *dh, int *ret) +diff --git a/crypto/dh/dh_gen.c b/crypto/dh/dh_gen.c +index aec6b85316..9c55121067 100644 +--- a/crypto/dh/dh_gen.c ++++ b/crypto/dh/dh_gen.c +@@ -38,18 +38,26 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator, + int ossl_dh_generate_ffc_parameters(DH *dh, int type, int pbits, int qbits, + BN_GENCB *cb) + { +- int ret, res; ++ int ret = 0; + + #ifndef FIPS_MODULE ++ int res; ++ + if (type == DH_PARAMGEN_TYPE_FIPS_186_2) + ret = ossl_ffc_params_FIPS186_2_generate(dh->libctx, &dh->params, + FFC_PARAM_TYPE_DH, + pbits, qbits, &res, cb); + else +-#endif + ret = ossl_ffc_params_FIPS186_4_generate(dh->libctx, &dh->params, + FFC_PARAM_TYPE_DH, + pbits, qbits, &res, cb); ++#else ++ /* In FIPS mode, we no longer support FIPS 186-4 domain parameters */ ++ ERR_raise_data(ERR_LIB_DH, 
DH_R_BAD_FFC_PARAMETERS, ++ "FIPS 186-4 type domain parameters no longer allowed in" ++ " FIPS mode, since the required generation routines were" ++ " removed from FIPS 186-5"); ++#endif + if (ret > 0) + dh->dirty_cnt++; + return ret; +diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c +index 4e9705beef..14c0b0b6b3 100644 +--- a/crypto/dh/dh_key.c ++++ b/crypto/dh/dh_key.c +@@ -308,8 +308,12 @@ static int generate_key(DH *dh) + goto err; + } else { + #ifdef FIPS_MODULE +- if (dh->params.q == NULL) +- goto err; ++ ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS, ++ "FIPS 186-4 type domain parameters no longer" ++ " allowed in FIPS mode, since the required" ++ " generation routines were removed from FIPS" ++ " 186-5"); ++ goto err; + #else + if (dh->params.q == NULL) { + /* secret exponent length, must satisfy 2^(l-1) <= p */ +@@ -330,9 +334,7 @@ static int generate_key(DH *dh) + if (!BN_clear_bit(priv_key, 0)) + goto err; + } +- } else +-#endif +- { ++ } else { + /* Do a partial check for invalid p, q, g */ + if (!ossl_ffc_params_simple_validate(dh->libctx, &dh->params, + FFC_PARAM_TYPE_DH, NULL)) +@@ -348,6 +350,7 @@ static int generate_key(DH *dh) + priv_key)) + goto err; + } ++#endif + } + } + +diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c +index f201eede0d..30f90d15be 100644 +--- a/crypto/dh/dh_pmeth.c ++++ b/crypto/dh/dh_pmeth.c +@@ -305,13 +305,17 @@ static DH *ffc_params_generate(OSSL_LIB_CTX *libctx, DH_PKEY_CTX *dctx, + prime_len, subprime_len, &res, + pcb); + else +-# endif +- /* For FIPS we always use the DH_PARAMGEN_TYPE_FIPS_186_4 generator */ +- if (dctx->paramgen_type >= DH_PARAMGEN_TYPE_FIPS_186_2) + rv = ossl_ffc_params_FIPS186_4_generate(libctx, &ret->params, + FFC_PARAM_TYPE_DH, + prime_len, subprime_len, &res, + pcb); ++# else ++ /* In FIPS mode, we no longer support FIPS 186-4 domain parameters */ ++ ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS, ++ "FIPS 186-4 type domain parameters no longer allowed in" ++ " FIPS mode, 
since the required generation routines were" ++ " removed from FIPS 186-5"); ++# endif + if (rv <= 0) { + DH_free(ret); + return NULL; +diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c +index 9a7dde7c66..b3e7bca5ac 100644 +--- a/providers/implementations/keymgmt/dh_kmgmt.c ++++ b/providers/implementations/keymgmt/dh_kmgmt.c +@@ -414,6 +414,11 @@ static int dh_validate(const void *keydata, int selection, int checktype) + if ((selection & DH_POSSIBLE_SELECTIONS) == 0) + return 1; /* nothing to validate */ + ++#ifdef FIPS_MODULE ++ /* In FIPS provider, always check the domain parameters to disallow ++ * operations on keys with FIPS 186-4 params. */ ++ selection |= OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS; ++#endif + if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) { + /* + * Both of these functions check parameters. DH_check_params_ex() +diff --git a/test/endecode_test.c b/test/endecode_test.c +index e3f7b81f69..1b63daaed5 100644 +--- a/test/endecode_test.c ++++ b/test/endecode_test.c +@@ -80,10 +80,10 @@ static EVP_PKEY *make_template(const char *type, OSSL_PARAM *genparams) + * for testing only. Use a minimum key size of 2048 for security purposes. 
+ */ + if (strcmp(type, "DH") == 0) +- return get_dh512(keyctx); ++ return get_dh2048(keyctx); + + if (strcmp(type, "X9.42 DH") == 0) +- return get_dhx512(keyctx); ++ return get_dhx_ffdhe2048(keyctx); + # endif + + /* +diff --git a/test/evp_libctx_test.c b/test/evp_libctx_test.c +index 2448c35a14..92d484fb12 100644 +--- a/test/evp_libctx_test.c ++++ b/test/evp_libctx_test.c +@@ -188,7 +188,7 @@ static int do_dh_param_keygen(int tstid, const BIGNUM **bn) + + if (!TEST_ptr(gen_ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey_parm, NULL)) + || !TEST_int_gt(EVP_PKEY_keygen_init(gen_ctx), 0) +- || !TEST_int_eq(EVP_PKEY_keygen(gen_ctx, &pkey), expected)) ++ || !TEST_int_eq(EVP_PKEY_keygen(gen_ctx, &pkey) == 1, expected)) + goto err; + + if (expected) { +diff --git a/test/helpers/predefined_dhparams.c b/test/helpers/predefined_dhparams.c +index 4bdadc4143..e5186e4b4a 100644 +--- a/test/helpers/predefined_dhparams.c ++++ b/test/helpers/predefined_dhparams.c +@@ -116,6 +116,68 @@ EVP_PKEY *get_dhx512(OSSL_LIB_CTX *libctx) + dhx512_q, sizeof(dhx512_q)); + } + ++EVP_PKEY *get_dhx_ffdhe2048(OSSL_LIB_CTX *libctx) ++{ ++ /* This is RFC 7919 ffdhe2048, since Red Hat removes support for ++ * non-well-known groups in FIPS mode. 
*/ ++ static unsigned char dhx_p[] = { ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xad, 0xf8, 0x54, 0x58, ++ 0xa2, 0xbb, 0x4a, 0x9a, 0xaf, 0xdc, 0x56, 0x20, 0x27, 0x3d, 0x3c, 0xf1, ++ 0xd8, 0xb9, 0xc5, 0x83, 0xce, 0x2d, 0x36, 0x95, 0xa9, 0xe1, 0x36, 0x41, ++ 0x14, 0x64, 0x33, 0xfb, 0xcc, 0x93, 0x9d, 0xce, 0x24, 0x9b, 0x3e, 0xf9, ++ 0x7d, 0x2f, 0xe3, 0x63, 0x63, 0x0c, 0x75, 0xd8, 0xf6, 0x81, 0xb2, 0x02, ++ 0xae, 0xc4, 0x61, 0x7a, 0xd3, 0xdf, 0x1e, 0xd5, 0xd5, 0xfd, 0x65, 0x61, ++ 0x24, 0x33, 0xf5, 0x1f, 0x5f, 0x06, 0x6e, 0xd0, 0x85, 0x63, 0x65, 0x55, ++ 0x3d, 0xed, 0x1a, 0xf3, 0xb5, 0x57, 0x13, 0x5e, 0x7f, 0x57, 0xc9, 0x35, ++ 0x98, 0x4f, 0x0c, 0x70, 0xe0, 0xe6, 0x8b, 0x77, 0xe2, 0xa6, 0x89, 0xda, ++ 0xf3, 0xef, 0xe8, 0x72, 0x1d, 0xf1, 0x58, 0xa1, 0x36, 0xad, 0xe7, 0x35, ++ 0x30, 0xac, 0xca, 0x4f, 0x48, 0x3a, 0x79, 0x7a, 0xbc, 0x0a, 0xb1, 0x82, ++ 0xb3, 0x24, 0xfb, 0x61, 0xd1, 0x08, 0xa9, 0x4b, 0xb2, 0xc8, 0xe3, 0xfb, ++ 0xb9, 0x6a, 0xda, 0xb7, 0x60, 0xd7, 0xf4, 0x68, 0x1d, 0x4f, 0x42, 0xa3, ++ 0xde, 0x39, 0x4d, 0xf4, 0xae, 0x56, 0xed, 0xe7, 0x63, 0x72, 0xbb, 0x19, ++ 0x0b, 0x07, 0xa7, 0xc8, 0xee, 0x0a, 0x6d, 0x70, 0x9e, 0x02, 0xfc, 0xe1, ++ 0xcd, 0xf7, 0xe2, 0xec, 0xc0, 0x34, 0x04, 0xcd, 0x28, 0x34, 0x2f, 0x61, ++ 0x91, 0x72, 0xfe, 0x9c, 0xe9, 0x85, 0x83, 0xff, 0x8e, 0x4f, 0x12, 0x32, ++ 0xee, 0xf2, 0x81, 0x83, 0xc3, 0xfe, 0x3b, 0x1b, 0x4c, 0x6f, 0xad, 0x73, ++ 0x3b, 0xb5, 0xfc, 0xbc, 0x2e, 0xc2, 0x20, 0x05, 0xc5, 0x8e, 0xf1, 0x83, ++ 0x7d, 0x16, 0x83, 0xb2, 0xc6, 0xf3, 0x4a, 0x26, 0xc1, 0xb2, 0xef, 0xfa, ++ 0x88, 0x6b, 0x42, 0x38, 0x61, 0x28, 0x5c, 0x97, 0xff, 0xff, 0xff, 0xff, ++ 0xff, 0xff, 0xff, 0xff ++ }; ++ static unsigned char dhx_g[] = { ++ 0x02 ++ }; ++ static unsigned char dhx_q[] = { ++ 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xd6, 0xfc, 0x2a, 0x2c, ++ 0x51, 0x5d, 0xa5, 0x4d, 0x57, 0xee, 0x2b, 0x10, 0x13, 0x9e, 0x9e, 0x78, ++ 0xec, 0x5c, 0xe2, 0xc1, 0xe7, 0x16, 0x9b, 0x4a, 0xd4, 0xf0, 0x9b, 0x20, ++ 0x8a, 0x32, 0x19, 0xfd, 0xe6, 0x49, 
0xce, 0xe7, 0x12, 0x4d, 0x9f, 0x7c, ++ 0xbe, 0x97, 0xf1, 0xb1, 0xb1, 0x86, 0x3a, 0xec, 0x7b, 0x40, 0xd9, 0x01, ++ 0x57, 0x62, 0x30, 0xbd, 0x69, 0xef, 0x8f, 0x6a, 0xea, 0xfe, 0xb2, 0xb0, ++ 0x92, 0x19, 0xfa, 0x8f, 0xaf, 0x83, 0x37, 0x68, 0x42, 0xb1, 0xb2, 0xaa, ++ 0x9e, 0xf6, 0x8d, 0x79, 0xda, 0xab, 0x89, 0xaf, 0x3f, 0xab, 0xe4, 0x9a, ++ 0xcc, 0x27, 0x86, 0x38, 0x70, 0x73, 0x45, 0xbb, 0xf1, 0x53, 0x44, 0xed, ++ 0x79, 0xf7, 0xf4, 0x39, 0x0e, 0xf8, 0xac, 0x50, 0x9b, 0x56, 0xf3, 0x9a, ++ 0x98, 0x56, 0x65, 0x27, 0xa4, 0x1d, 0x3c, 0xbd, 0x5e, 0x05, 0x58, 0xc1, ++ 0x59, 0x92, 0x7d, 0xb0, 0xe8, 0x84, 0x54, 0xa5, 0xd9, 0x64, 0x71, 0xfd, ++ 0xdc, 0xb5, 0x6d, 0x5b, 0xb0, 0x6b, 0xfa, 0x34, 0x0e, 0xa7, 0xa1, 0x51, ++ 0xef, 0x1c, 0xa6, 0xfa, 0x57, 0x2b, 0x76, 0xf3, 0xb1, 0xb9, 0x5d, 0x8c, ++ 0x85, 0x83, 0xd3, 0xe4, 0x77, 0x05, 0x36, 0xb8, 0x4f, 0x01, 0x7e, 0x70, ++ 0xe6, 0xfb, 0xf1, 0x76, 0x60, 0x1a, 0x02, 0x66, 0x94, 0x1a, 0x17, 0xb0, ++ 0xc8, 0xb9, 0x7f, 0x4e, 0x74, 0xc2, 0xc1, 0xff, 0xc7, 0x27, 0x89, 0x19, ++ 0x77, 0x79, 0x40, 0xc1, 0xe1, 0xff, 0x1d, 0x8d, 0xa6, 0x37, 0xd6, 0xb9, ++ 0x9d, 0xda, 0xfe, 0x5e, 0x17, 0x61, 0x10, 0x02, 0xe2, 0xc7, 0x78, 0xc1, ++ 0xbe, 0x8b, 0x41, 0xd9, 0x63, 0x79, 0xa5, 0x13, 0x60, 0xd9, 0x77, 0xfd, ++ 0x44, 0x35, 0xa1, 0x1c, 0x30, 0x94, 0x2e, 0x4b, 0xff, 0xff, 0xff, 0xff, ++ 0xff, 0xff, 0xff, 0xff ++ }; ++ ++ return get_dh_from_pg(libctx, "X9.42 DH", ++ dhx_p, sizeof(dhx_p), ++ dhx_g, sizeof(dhx_g), ++ dhx_q, sizeof(dhx_q)); ++} ++ + EVP_PKEY *get_dh1024dsa(OSSL_LIB_CTX *libctx) + { + static unsigned char dh1024_p[] = { +diff --git a/test/helpers/predefined_dhparams.h b/test/helpers/predefined_dhparams.h +index f0e8709062..2ff6d6e721 100644 +--- a/test/helpers/predefined_dhparams.h ++++ b/test/helpers/predefined_dhparams.h +@@ -12,6 +12,7 @@ + #ifndef OPENSSL_NO_DH + EVP_PKEY *get_dh512(OSSL_LIB_CTX *libctx); + EVP_PKEY *get_dhx512(OSSL_LIB_CTX *libctx); ++EVP_PKEY *get_dhx_ffdhe2048(OSSL_LIB_CTX *libctx); + EVP_PKEY *get_dh1024dsa(OSSL_LIB_CTX 
*libct); + EVP_PKEY *get_dh2048(OSSL_LIB_CTX *libctx); + EVP_PKEY *get_dh4096(OSSL_LIB_CTX *libctx); +diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t +index cabbe3ecdf..efe56c5665 100644 +--- a/test/recipes/80-test_cms.t ++++ b/test/recipes/80-test_cms.t +@@ -627,10 +627,10 @@ my @smime_cms_param_tests = ( + ], + + [ "enveloped content test streaming S/MIME format, X9.42 DH", +- [ "{cmd1}", @prov, "-encrypt", "-in", $smcont, ++ [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont, + "-stream", "-out", "{output}.cms", + "-recip", catfile($smdir, "smdh.pem"), "-aes128" ], +- [ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"), ++ [ "{cmd2}", @defaultprov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"), + "-in", "{output}.cms", "-out", "{output}.txt" ], + \&final_compare + ] +diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t +index 8c52b637fc..31ed54621b 100644 +--- a/test/recipes/80-test_ssl_old.t ++++ b/test/recipes/80-test_ssl_old.t +@@ -390,6 +390,9 @@ sub testssl { + skip "skipping dhe1024dsa test", 1 + if ($no_dh); + ++ skip "FIPS 186-4 type DH groups are no longer supported by the FIPS provider", 1 ++ if $provider eq "fips"; ++ + ok(run(test([@ssltest, "-bio_pair", "-dhe1024dsa", "-v"])), + 'test sslv2/sslv3 with 1024bit DHE via BIO pair'); + } +-- +2.40.1 + diff --git a/SOURCES/0101-CVE-2022-4203-nc-match.patch b/SOURCES/0101-CVE-2022-4203-nc-match.patch new file mode 100644 index 0000000..860deac --- /dev/null +++ b/SOURCES/0101-CVE-2022-4203-nc-match.patch 
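Review bot: The error text "FIPS 186-4 type domain parameters no longer allowed in FIPS mode, since the required ... routines were removed from FIPS 186-5" is pasted five times across the dh_backend.c, dh_check.c, dh_gen.c, dh_key.c and dh_pmeth.c hunks of this patch, differing only in "validation" versus "generation"; one definition in an internal DH header, e.g. `#define DH_FIPS186_4_PARAMS_ERRMSG(op) "FIPS 186-4 type domain parameters no longer allowed in FIPS mode, since the required " op " routines were removed from FIPS 186-5"` (name constructed), would keep the wording consistent across the five call sites. In the FIPS_MODULE variant of DH_check_params the new early `return 0;` leaves `*ret` untouched on that path, which is only safe if the function zeroes `*ret` before the quoted context; that line is not visible here, so it is worth confirming. The vendor-specific remark in the new get_dhx_ffdhe2048 ("since Red Hat removes support for non-well-known groups in FIPS mode") would read better as a statement about the FIPS provider build, e.g. `/* RFC 7919 ffdhe2048: the FIPS provider only accepts well-known groups. */`. Every patched function here starts before and ends after its quoted hunk.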
@@ -0,0 +1,281 @@ +From c927a3492698c254637da836762f9b1f86cffabc Mon Sep 17 00:00:00 2001 +From: Viktor Dukhovni +Date: Tue, 13 Dec 2022 08:49:13 +0100 +Subject: [PATCH 01/18] Fix type confusion in nc_match_single() + +This function assumes that if the "gen" is an OtherName, then the "base" +is a rfc822Name constraint. This assumption is not true in all cases. +If the end-entity certificate contains an OtherName SAN of any type besides +SmtpUtf8Mailbox and the CA certificate contains a name constraint of +OtherName (of any type), then "nc_email_eai" will be invoked, with the +OTHERNAME "base" being incorrectly interpreted as a ASN1_IA5STRING. + +Reported by Corey Bonnell from Digicert. + +CVE-2022-4203 + +Reviewed-by: Paul Dale +Reviewed-by: Hugo Landau +Reviewed-by: Tomas Mraz +--- + crypto/x509/v3_ncons.c | 45 +++++++++++++++++++++++++++++------------- + 1 file changed, 31 insertions(+), 14 deletions(-) + +diff --git a/crypto/x509/v3_ncons.c b/crypto/x509/v3_ncons.c +index 70a7e8304e..5101598512 100644 +--- a/crypto/x509/v3_ncons.c ++++ b/crypto/x509/v3_ncons.c +@@ -31,7 +31,8 @@ static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method, + static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip); + + static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc); +-static int nc_match_single(GENERAL_NAME *sub, GENERAL_NAME *gen); ++static int nc_match_single(int effective_type, GENERAL_NAME *sub, ++ GENERAL_NAME *gen); + static int nc_dn(const X509_NAME *sub, const X509_NAME *nm); + static int nc_dns(ASN1_IA5STRING *sub, ASN1_IA5STRING *dns); + static int nc_email(ASN1_IA5STRING *sub, ASN1_IA5STRING *eml); +@@ -472,14 +473,17 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc) + { + GENERAL_SUBTREE *sub; + int i, r, match = 0; ++ int effective_type = gen->type; ++ + /* + * We need to compare not gen->type field but an "effective" type because + * the otherName field may contain EAI email address treated specially + * according to RFC 8398, 
section 6 + */ +- int effective_type = ((gen->type == GEN_OTHERNAME) && +- (OBJ_obj2nid(gen->d.otherName->type_id) == +- NID_id_on_SmtpUTF8Mailbox)) ? GEN_EMAIL : gen->type; ++ if (effective_type == GEN_OTHERNAME && ++ (OBJ_obj2nid(gen->d.otherName->type_id) == NID_id_on_SmtpUTF8Mailbox)) { ++ effective_type = GEN_EMAIL; ++ } + + /* + * Permitted subtrees: if any subtrees exist of matching the type at +@@ -488,7 +492,10 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc) + + for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->permittedSubtrees); i++) { + sub = sk_GENERAL_SUBTREE_value(nc->permittedSubtrees, i); +- if (effective_type != sub->base->type) ++ if (effective_type != sub->base->type ++ || (effective_type == GEN_OTHERNAME && ++ OBJ_cmp(gen->d.otherName->type_id, ++ sub->base->d.otherName->type_id) != 0)) + continue; + if (!nc_minmax_valid(sub)) + return X509_V_ERR_SUBTREE_MINMAX; +@@ -497,7 +504,7 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc) + continue; + if (match == 0) + match = 1; +- r = nc_match_single(gen, sub->base); ++ r = nc_match_single(effective_type, gen, sub->base); + if (r == X509_V_OK) + match = 2; + else if (r != X509_V_ERR_PERMITTED_VIOLATION) +@@ -511,12 +518,15 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc) + + for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->excludedSubtrees); i++) { + sub = sk_GENERAL_SUBTREE_value(nc->excludedSubtrees, i); +- if (effective_type != sub->base->type) ++ if (effective_type != sub->base->type ++ || (effective_type == GEN_OTHERNAME && ++ OBJ_cmp(gen->d.otherName->type_id, ++ sub->base->d.otherName->type_id) != 0)) + continue; + if (!nc_minmax_valid(sub)) + return X509_V_ERR_SUBTREE_MINMAX; + +- r = nc_match_single(gen, sub->base); ++ r = nc_match_single(effective_type, gen, sub->base); + if (r == X509_V_OK) + return X509_V_ERR_EXCLUDED_VIOLATION; + else if (r != X509_V_ERR_PERMITTED_VIOLATION) +@@ -528,15 +538,22 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc) 
+ + } + +-static int nc_match_single(GENERAL_NAME *gen, GENERAL_NAME *base) ++static int nc_match_single(int effective_type, GENERAL_NAME *gen, ++ GENERAL_NAME *base) + { + switch (gen->type) { + case GEN_OTHERNAME: +- /* +- * We are here only when we have SmtpUTF8 name, +- * so we match the value of othername with base->d.rfc822Name +- */ +- return nc_email_eai(gen->d.otherName->value, base->d.rfc822Name); ++ switch (effective_type) { ++ case GEN_EMAIL: ++ /* ++ * We are here only when we have SmtpUTF8 name, ++ * so we match the value of othername with base->d.rfc822Name ++ */ ++ return nc_email_eai(gen->d.otherName->value, base->d.rfc822Name); ++ ++ default: ++ return X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE; ++ } + + case GEN_DIRNAME: + return nc_dn(gen->d.directoryName, base->d.directoryName); +-- +2.39.1 + +From fe6842f5a5dc2fb66da7fb24bf4343a3aeedd50a Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Tue, 13 Dec 2022 19:45:09 +0100 +Subject: [PATCH 02/18] Add testcase for nc_match_single type confusion + +Reviewed-by: Paul Dale +Reviewed-by: Hugo Landau +--- + test/certs/bad-othername-cert.pem | 20 ++++++++++++++++++++ + test/certs/nccaothername-cert.pem | 20 ++++++++++++++++++++ + test/certs/nccaothername-key.pem | 28 ++++++++++++++++++++++++++++ + test/certs/setup.sh | 11 +++++++++++ + test/recipes/25-test_verify.t | 5 ++++- + 5 files changed, 83 insertions(+), 1 deletion(-) + create mode 100644 test/certs/bad-othername-cert.pem + create mode 100644 test/certs/nccaothername-cert.pem + create mode 100644 test/certs/nccaothername-key.pem + +diff --git a/test/certs/bad-othername-cert.pem b/test/certs/bad-othername-cert.pem +new file mode 100644 +index 0000000000..cf279de5ea +--- /dev/null ++++ b/test/certs/bad-othername-cert.pem +@@ -0,0 +1,20 @@ ++-----BEGIN CERTIFICATE----- ++MIIDRDCCAiygAwIBAgIBAjANBgkqhkiG9w0BAQsFADAfMR0wGwYDVQQDDBRUZXN0 ++IE5DIENBIG90aGVybmFtZTAgFw0yMjEyMTMxODMzMTZaGA8yMTIyMTIxNDE4MzMx 
++NlowMTEvMC0GA1UECgwmTkMgZW1haWwgaW4gb3RoZXJuYW1lIFRlc3QgQ2VydGlm ++aWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDPgeoakqHk1zYt ++JZpEC0qkJPU/X0lfI+6GY2LHFY9KOSFqqmTXxrUtjQc3SdpQvBZhPuMZ8p82Jid2 ++kkRHnWs0uqX9NtLO923yQalYvP6Mt3fokcYgw/C9b+I/q1PKUyN0kPB6McROguD5 ++Jz2DcEufJBhbpyay1bFjEI2DAQJKDP/U7uH0EA7kH/27UMk0vfvL5uVjDvlo8i6S ++Ul8+u0cDV5ZFJW2VAJKLU3wp6IY4fZl9UqkHZuRQpMJGqAjAleWOIEpyyvfGGh0b ++75n3GJ+4YZ7CIBEgY7K0nIbKxtcDZPvmtbYg3g1tkPMTHcodFT7yEdqkBTJ5AGL7 ++6U850OhjAgMBAAGjdzB1MB0GA1UdDgQWBBTBz0k+q6d4c3aM+s2IyOF/QP6zCTAf ++BgNVHSMEGDAWgBTwhghX7uNdMejZ3f4XorqOQoMqwTAJBgNVHRMEAjAAMCgGA1Ud ++EQQhMB+gHQYIKwYBBQUHCAegEQwPZm9vQGV4YW1wbGUub3JnMA0GCSqGSIb3DQEB ++CwUAA4IBAQAhxbCEVH8pq0aUMaLWaodyXdCqA0AKTFG6Mz9Rpwn89OwC8FylTEru ++t+Bqx/ZuTo8YzON8h9m7DIrQIjZKDLW/g5YbvIsxIVV9gWhAGohdsIyMKRBepSmr ++NxJQkO74RLBTamfl0WUCVM4HqroflFjBBG67CTJaQ9cH9ug3TKxaXCK1L6iQAXtq ++enILGai98Byo0LCFH4MQOhmhV1BDT2boIG/iYb5VKCTSX25vhaF+PNBhUoysjW0O ++vhQX8vrw42QRr4Qi7VfUBXzrbRTzxjOc4yqki7h2DcEdpginqe+aGyaFY+H9m/ka ++1AR5KN8h5SYKltSXknjs0pp1w4k49aHl ++-----END CERTIFICATE----- +diff --git a/test/certs/nccaothername-cert.pem b/test/certs/nccaothername-cert.pem +new file mode 100644 +index 0000000000..f9b9b07b80 +--- /dev/null ++++ b/test/certs/nccaothername-cert.pem +@@ -0,0 +1,20 @@ ++-----BEGIN CERTIFICATE----- ++MIIDPjCCAiagAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 ++IENBMCAXDTIyMTIxMzE4MTgwM1oYDzIxMjIxMjE0MTgxODAzWjAfMR0wGwYDVQQD ++DBRUZXN0IE5DIENBIG90aGVybmFtZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC ++AQoCggEBAN0Dx+ei8CgtRKnDcYiLwX4vrA48at/o/zfX24X/WZZM1o9HUKo1FQBN ++vhESJu+gqPxuIePrk+/L25XdRqwCKk8wkWX0XIz18q5orOHUUFAWNK3g0FDj6N8H ++d8urNIbDJ44FCx+/0n8Ppiht/EYN3aVOW5enqbgZ+EEt+3AUG6ibieRdGri9g4oh ++IIx60MmVHLbuT/TcVZxaeWyTl6iWmsYosUyqlhTtu1uGtbVtkCAhBYloVvz4J5eA ++mVu/JuJbsNxbxVeO9Q8Kj6nb4jPPdGvZ3JPcabbWrz5LwaereBf5IPrXEVdQTlYB ++gI0pTz2CEDHSIrd7jzRUX/9EC2gMk6UCAwEAAaOBjzCBjDAPBgNVHRMBAf8EBTAD ++AQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU8IYIV+7jXTHo2d3+F6K6jkKDKsEw 
++HwYDVR0jBBgwFoAUjvUlrx6ba4Q9fICayVOcTXL3o1IwLAYDVR0eBCUwI6EhMB+g ++HQYIKwYBBQUHCAegEQwPZm9vQGV4YW1wbGUub3JnMA0GCSqGSIb3DQEBCwUAA4IB ++AQDPI5uZd8DhSNKMvYF5bxOshd6h6UJ7YzZS7K6fhiygltdqzkHQ/5+4yiuUkDe4 ++hOZlH8MCfXQy5jVZDTk24yNchpdfie5Bswn4SmQVQh3QyzOLxizoh0rLCf2PHueu ++dNVNhfiiJNJ5kd8MIuVG7CPK68dP0QrVR+DihROuJgvGB3ClKttLrgle19t4PFRR ++2wW6hJT9aXEjzLNyN1QFZKoShuiGX4xwjZh7VyKkV64p8hjojhcLk6dQkel+Jw4y ++OP26XbVfM8/6KG8f6WAZ8P0qJwHlhmi0EvRTnEpAM8WuenOeZH6ERZ9uZbRGh6xx ++LKQu2Aw2+bOEZ2vUtz0dBhX8 ++-----END CERTIFICATE----- +diff --git a/test/certs/nccaothername-key.pem b/test/certs/nccaothername-key.pem +new file mode 100644 +index 0000000000..d3e300ac2f +--- /dev/null ++++ b/test/certs/nccaothername-key.pem +@@ -0,0 +1,28 @@ ++-----BEGIN PRIVATE KEY----- ++MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDdA8fnovAoLUSp ++w3GIi8F+L6wOPGrf6P8319uF/1mWTNaPR1CqNRUATb4REibvoKj8biHj65Pvy9uV ++3UasAipPMJFl9FyM9fKuaKzh1FBQFjSt4NBQ4+jfB3fLqzSGwyeOBQsfv9J/D6Yo ++bfxGDd2lTluXp6m4GfhBLftwFBuom4nkXRq4vYOKISCMetDJlRy27k/03FWcWnls ++k5eolprGKLFMqpYU7btbhrW1bZAgIQWJaFb8+CeXgJlbvybiW7DcW8VXjvUPCo+p ++2+Izz3Rr2dyT3Gm21q8+S8Gnq3gX+SD61xFXUE5WAYCNKU89ghAx0iK3e480VF// ++RAtoDJOlAgMBAAECggEAMFSJlCyEFlER3Qq9asXe9eRgXEuXdmfZ2aEVIuf8M/sR ++B0tpxxKtCUA24j5FL+0CzxKZTCFBnDRIzCyTbf1aOa9t+CzXyUZmP3/p4EdgmabF ++dcl93FZ+X7kfF/VUGu0Vmv+c12BH3Fu0cs5cVohlMecg7diu6zCYok43F+L5ymRy ++2mTcKkGc0ShWizj8Z9R3WJGssZOlxbxa/Zr4rZwRC24UVhfN8AfGWYx/StyQPQIw ++gtbbtOmwbyredQmY4jwNqgrnfZS9bkWwJbRuCmD5l7lxubBgcHQpoM+DQVeOLZIq ++uksFXeNfal9G5Bo747MMzpD7dJMCGmX+gbMY5oZF+QKBgQDs2MbY4nbxi+fV+KuV ++zUvis8m8Lpzf3T6NLkgSkUPRN9tGr95iLIrB/bRPJg5Ne02q/cT7d86B9rpE42w7 ++eeIF9fANezX2AF8LUqNZhIR23J3tfB/eqGlJRZeMNia+lD09a7SWGwrS7sufY1I+ ++JQGcHx77ntt+eQT1MUJ1skF06QKBgQDu4z+TW4QIA5ItxIReVdcfh5e3xLkzDEVP ++3KNo9tpXxvPwqapdeBh6c9z4Lqe3MKr5UPlDvVW+o40t6OjKxDCXczB8+JAM0OyX ++8V+K3zXXUxRgieSd3oMncTylSWIvouPP3aW37B67TKdRlRHgaBrpJT2wdk3kYR4t ++62J1eDdjXQKBgQDMsY0pZI/nskJrar7geM1c4IU5Xg+2aj/lRFqFsYYrC1s3fEd2 
++EYjan6l1vi4eSLKXVTspGiIfsFzLrMGdpXjyLduJyzKXqTp7TrBebWkOUR0sYloo ++1OQprzuKskJJ81P6AVvRXw27vyW8Wtp5WwJJK5xbWq/YXj8qqagGkEiCAQKBgQCc ++RK3XAFurPmLGa7JHX5Hc/z8BKMAZo6JHrsZ6qFiGaRA0U1it0hz5JYfcFfECheSi ++ORUF+fn4PlbhPGXkFljPCbwjVBovOBA9CNl+J6u50pAW4r1ZhDB5gbqxSQLgtIaf +++JcqbFxiG6+sT36lNJS+BO2I3KrxhZJPaZY7z8szxQKBgQDRy70XzwOk8jXayiF2 ++ej2IN7Ow9cgSE4tLEwR/vCjxvOlWhA3jC3wxoggshGJkpbP3DqLkQtwQm0h1lM8J ++QNtFwKzjtpf//bTlfFq08/YxWimTPMqzcV2PgRacB8P3yf1r8T7M4fA5TORCDWpW ++5FtOCFEmwQHTR8lu4c63qfxkEQ== ++-----END PRIVATE KEY----- +diff --git a/test/certs/setup.sh b/test/certs/setup.sh +index b9766aab20..2240cd9df0 100755 +--- a/test/certs/setup.sh ++++ b/test/certs/setup.sh +@@ -388,6 +388,17 @@ REQMASK=MASK:0x800 ./mkcert.sh req badalt7-key "O = Bad NC Test Certificate 7" \ + "email.1 = good@good.org" "email.2 = any@good.com" \ + "IP = 127.0.0.1" "IP = 192.168.0.1" + ++# Certs for CVE-2022-4203 testcase ++ ++NC="excluded;otherName:SRVName;UTF8STRING:foo@example.org" ./mkcert.sh genca \ ++ "Test NC CA othername" nccaothername-key nccaothername-cert \ ++ root-key root-cert ++ ++./mkcert.sh req alt-email-key "O = NC email in othername Test Certificate" | \ ++ ./mkcert.sh geneealt bad-othername-key bad-othername-cert \ ++ nccaothername-key nccaothername-cert \ ++ "otherName.1 = SRVName;UTF8STRING:foo@example.org" ++ + # RSA-PSS signatures + # SHA1 + ./mkcert.sh genee PSS-SHA1 ee-key ee-pss-sha1-cert ca-key ca-cert \ +diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t +index 4613489f57..e6a2bca731 100644 +--- a/test/recipes/25-test_verify.t ++++ b/test/recipes/25-test_verify.t +@@ -29,7 +29,7 @@ sub verify { + run(app([@args])); + } + +-plan tests => 162; ++plan tests => 163; + + # Canonical success + ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]), +@@ -402,6 +402,9 @@ ok(!verify("badalt9-cert", "", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ), + ok(!verify("badalt10-cert", "", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ), + "Name 
constraints nested DNS name excluded"); + ++ok(!verify("bad-othername-cert", "", ["root-cert"], ["nccaothername-cert"], ), ++ "CVE-2022-4203 type confusion test"); ++ + #Check that we get the expected failure return code + with({ exit_checker => sub { return shift == 2; } }, + sub { +-- +2.39.1 + diff --git a/SOURCES/0102-CVE-2022-4304-RSA-time-oracle.patch b/SOURCES/0102-CVE-2022-4304-RSA-time-oracle.patch new file mode 100644 index 0000000..a650715 --- /dev/null +++ b/SOURCES/0102-CVE-2022-4304-RSA-time-oracle.patch 
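Review bot: The new `default:` arm of the inner switch in nc_match_single returns X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE without a comment, while the surviving comment above it only explains the SmtpUTF8 case; a line such as `/* Other otherName types have no defined matching rule against a same-typed constraint, so refuse rather than reinterpret base (CVE-2022-4203) */` would record the intent for the next reader. The type_id comparison was added to both the permittedSubtrees and the excludedSubtrees loops of nc_match, but the new case in 25-test_verify.t only exercises the excluded path through nccaothername-cert; a permitted-subtree variant of the same SRVName constraint would cover the other loop as well. nc_match and nc_match_single both extend beyond the quoted hunks.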
@@ -0,0 +1,750 @@ +From 8e257b86e5812c6e1cfa9e8e5f5660ac7bed899d Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Fri, 20 Jan 2023 15:03:40 +0000 +Subject: [PATCH 03/18] Fix Timing Oracle in RSA decryption + +A timing based side channel exists in the OpenSSL RSA Decryption +implementation which could be sufficient to recover a plaintext across +a network in a Bleichenbacher style attack. To achieve a successful +decryption an attacker would have to be able to send a very large number +of trial messages for decryption. The vulnerability affects all RSA +padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. + +Patch written by Dmitry Belyavsky and Hubert Kario + +CVE-2022-4304 + +Reviewed-by: Matt Caswell +Reviewed-by: Tomas Mraz +--- + crypto/bn/bn_blind.c | 14 - + crypto/bn/bn_local.h | 14 + + crypto/bn/build.info | 2 +- + crypto/bn/rsa_sup_mul.c | 604 ++++++++++++++++++++++++++++++++++++++++ + crypto/rsa/rsa_ossl.c | 19 +- + include/crypto/bn.h | 6 + + 6 files changed, 638 insertions(+), 21 deletions(-) + create mode 100644 crypto/bn/rsa_sup_mul.c + +diff --git a/crypto/bn/bn_blind.c b/crypto/bn/bn_blind.c +index 72457b34cf..6061ebb4c0 100644 +--- a/crypto/bn/bn_blind.c ++++ b/crypto/bn/bn_blind.c +@@ -13,20 +13,6 @@ + + #define BN_BLINDING_COUNTER 32 + +-struct bn_blinding_st { +- BIGNUM *A; +- BIGNUM *Ai; +- BIGNUM *e; +- BIGNUM *mod; /* just a reference */ +- CRYPTO_THREAD_ID tid; +- int counter; +- unsigned long flags; +- BN_MONT_CTX *m_ctx; +- int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p, +- const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); +- CRYPTO_RWLOCK *lock; +-}; +- + BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod) + { + BN_BLINDING *ret = NULL; +diff --git a/crypto/bn/bn_local.h b/crypto/bn/bn_local.h +index c9a7ecf298..8c428f919d 100644 +--- a/crypto/bn/bn_local.h ++++ b/crypto/bn/bn_local.h +@@ -290,6 +290,20 @@ struct bn_gencb_st { + } cb; + }; + ++struct bn_blinding_st { ++ BIGNUM *A; ++ BIGNUM 
*Ai; ++ BIGNUM *e; ++ BIGNUM *mod; /* just a reference */ ++ CRYPTO_THREAD_ID tid; ++ int counter; ++ unsigned long flags; ++ BN_MONT_CTX *m_ctx; ++ int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p, ++ const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); ++ CRYPTO_RWLOCK *lock; ++}; ++ + /*- + * BN_window_bits_for_exponent_size -- macro for sliding window mod_exp functions + * +diff --git a/crypto/bn/build.info b/crypto/bn/build.info +index c4ba51b265..f4ff619239 100644 +--- a/crypto/bn/build.info ++++ b/crypto/bn/build.info +@@ -105,7 +105,7 @@ $COMMON=bn_add.c bn_div.c bn_exp.c bn_lib.c bn_ctx.c bn_mul.c \ + bn_mod.c bn_conv.c bn_rand.c bn_shift.c bn_word.c bn_blind.c \ + bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_sqr.c \ + bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c bn_gf2m.c bn_nist.c \ +- bn_intern.c bn_dh.c bn_rsa_fips186_4.c bn_const.c ++ bn_intern.c bn_dh.c bn_rsa_fips186_4.c bn_const.c rsa_sup_mul.c + SOURCE[../../libcrypto]=$COMMON $BNASM bn_print.c bn_err.c bn_srp.c + DEFINE[../../libcrypto]=$BNDEF + IF[{- !$disabled{'deprecated-0.9.8'} -}] +diff --git a/crypto/bn/rsa_sup_mul.c b/crypto/bn/rsa_sup_mul.c +new file mode 100644 +index 0000000000..0e0d02e194 +--- /dev/null ++++ b/crypto/bn/rsa_sup_mul.c +@@ -0,0 +1,604 @@ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include "internal/endian.h" ++#include "internal/numbers.h" ++#include "internal/constant_time.h" ++#include "bn_local.h" ++ ++# if BN_BYTES == 8 ++typedef uint64_t limb_t; ++# if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__ == 16 ++typedef uint128_t limb2_t; ++# define HAVE_LIMB2_T ++# endif ++# define LIMB_BIT_SIZE 64 ++# define LIMB_BYTE_SIZE 8 ++# elif BN_BYTES == 4 ++typedef uint32_t limb_t; ++typedef uint64_t limb2_t; ++# define LIMB_BIT_SIZE 32 ++# define LIMB_BYTE_SIZE 4 ++# define HAVE_LIMB2_T ++# else ++# error "Not supported" ++# endif ++ ++/* ++ * For multiplication we're using schoolbook multiplication, ++ * so if we have two numbers, each 
with 6 "digits" (words) ++ * the multiplication is calculated as follows: ++ * A B C D E F ++ * x I J K L M N ++ * -------------- ++ * N*F ++ * N*E ++ * N*D ++ * N*C ++ * N*B ++ * N*A ++ * M*F ++ * M*E ++ * M*D ++ * M*C ++ * M*B ++ * M*A ++ * L*F ++ * L*E ++ * L*D ++ * L*C ++ * L*B ++ * L*A ++ * K*F ++ * K*E ++ * K*D ++ * K*C ++ * K*B ++ * K*A ++ * J*F ++ * J*E ++ * J*D ++ * J*C ++ * J*B ++ * J*A ++ * I*F ++ * I*E ++ * I*D ++ * I*C ++ * I*B ++ * + I*A ++ * ========================== ++ * N*B N*D N*F ++ * + N*A N*C N*E ++ * + M*B M*D M*F ++ * + M*A M*C M*E ++ * + L*B L*D L*F ++ * + L*A L*C L*E ++ * + K*B K*D K*F ++ * + K*A K*C K*E ++ * + J*B J*D J*F ++ * + J*A J*C J*E ++ * + I*B I*D I*F ++ * + I*A I*C I*E ++ * ++ * 1+1 1+3 1+5 ++ * 1+0 1+2 1+4 ++ * 0+1 0+3 0+5 ++ * 0+0 0+2 0+4 ++ * ++ * 0 1 2 3 4 5 6 ++ * which requires n^2 multiplications and 2n full length additions ++ * as we can keep every other result of limb multiplication in two separate ++ * limbs ++ */ ++ ++#if defined HAVE_LIMB2_T ++static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b) ++{ ++ limb2_t t; ++ /* ++ * this is idiomatic code to tell compiler to use the native mul ++ * those three lines will actually compile to single instruction ++ */ ++ ++ t = (limb2_t)a * b; ++ *hi = t >> LIMB_BIT_SIZE; ++ *lo = (limb_t)t; ++} ++#elif (BN_BYTES == 8) && (defined _MSC_VER) ++/* https://learn.microsoft.com/en-us/cpp/intrinsics/umul128?view=msvc-170 */ ++#pragma intrinsic(_umul128) ++static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b) ++{ ++ *lo = _umul128(a, b, hi); ++} ++#else ++/* ++ * if the compiler doesn't have either a 128bit data type nor a "return ++ * high 64 bits of multiplication" ++ */ ++static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b) ++{ ++ limb_t a_low = (limb_t)(uint32_t)a; ++ limb_t a_hi = a >> 32; ++ limb_t b_low = (limb_t)(uint32_t)b; ++ limb_t b_hi = b >> 32; ++ ++ limb_t p0 = a_low * b_low; ++ limb_t p1 = a_low * 
b_hi; ++ limb_t p2 = a_hi * b_low; ++ limb_t p3 = a_hi * b_hi; ++ ++ uint32_t cy = (uint32_t)(((p0 >> 32) + (uint32_t)p1 + (uint32_t)p2) >> 32); ++ ++ *lo = p0 + (p1 << 32) + (p2 << 32); ++ *hi = p3 + (p1 >> 32) + (p2 >> 32) + cy; ++} ++#endif ++ ++/* add two limbs with carry in, return carry out */ ++static ossl_inline limb_t _add_limb(limb_t *ret, limb_t a, limb_t b, limb_t carry) ++{ ++ limb_t carry1, carry2, t; ++ /* ++ * `c = a + b; if (c < a)` is idiomatic code that makes compilers ++ * use add with carry on assembly level ++ */ ++ ++ *ret = a + carry; ++ if (*ret < a) ++ carry1 = 1; ++ else ++ carry1 = 0; ++ ++ t = *ret; ++ *ret = t + b; ++ if (*ret < t) ++ carry2 = 1; ++ else ++ carry2 = 0; ++ ++ return carry1 + carry2; ++} ++ ++/* ++ * add two numbers of the same size, return overflow ++ * ++ * add a to b, place result in ret; all arrays need to be n limbs long ++ * return overflow from addition (0 or 1) ++ */ ++static ossl_inline limb_t add(limb_t *ret, limb_t *a, limb_t *b, size_t n) ++{ ++ limb_t c = 0; ++ ossl_ssize_t i; ++ ++ for(i = n - 1; i > -1; i--) ++ c = _add_limb(&ret[i], a[i], b[i], c); ++ ++ return c; ++} ++ ++/* ++ * return number of limbs necessary for temporary values ++ * when multiplying numbers n limbs large ++ */ ++static ossl_inline size_t mul_limb_numb(size_t n) ++{ ++ return 2 * n * 2; ++} ++ ++/* ++ * multiply two numbers of the same size ++ * ++ * multiply a by b, place result in ret; a and b need to be n limbs long ++ * ret needs to be 2*n limbs long, tmp needs to be mul_limb_numb(n) limbs ++ * long ++ */ ++static void limb_mul(limb_t *ret, limb_t *a, limb_t *b, size_t n, limb_t *tmp) ++{ ++ limb_t *r_odd, *r_even; ++ size_t i, j, k; ++ ++ r_odd = tmp; ++ r_even = &tmp[2 * n]; ++ ++ memset(ret, 0, 2 * n * sizeof(limb_t)); ++ ++ for (i = 0; i < n; i++) { ++ for (k = 0; k < i + n + 1; k++) { ++ r_even[k] = 0; ++ r_odd[k] = 0; ++ } ++ for (j = 0; j < n; j++) { ++ /* ++ * place results from even and odd limbs in separate arrays so 
that ++ * we don't have to calculate overflow every time we get individual ++ * limb multiplication result ++ */ ++ if (j % 2 == 0) ++ _mul_limb(&r_even[i + j], &r_even[i + j + 1], a[i], b[j]); ++ else ++ _mul_limb(&r_odd[i + j], &r_odd[i + j + 1], a[i], b[j]); ++ } ++ /* ++ * skip the least significant limbs when adding multiples of ++ * more significant limbs (they're zero anyway) ++ */ ++ add(ret, ret, r_even, n + i + 1); ++ add(ret, ret, r_odd, n + i + 1); ++ } ++} ++ ++/* modifies the value in place by performing a right shift by one bit */ ++static ossl_inline void rshift1(limb_t *val, size_t n) ++{ ++ limb_t shift_in = 0, shift_out = 0; ++ size_t i; ++ ++ for (i = 0; i < n; i++) { ++ shift_out = val[i] & 1; ++ val[i] = shift_in << (LIMB_BIT_SIZE - 1) | (val[i] >> 1); ++ shift_in = shift_out; ++ } ++} ++ ++/* extend the LSB of flag to all bits of limb */ ++static ossl_inline limb_t mk_mask(limb_t flag) ++{ ++ flag |= flag << 1; ++ flag |= flag << 2; ++ flag |= flag << 4; ++ flag |= flag << 8; ++ flag |= flag << 16; ++#if (LIMB_BYTE_SIZE == 8) ++ flag |= flag << 32; ++#endif ++ return flag; ++} ++ ++/* ++ * copy from either a or b to ret based on flag ++ * when flag == 0, then copies from b ++ * when flag == 1, then copies from a ++ */ ++static ossl_inline void cselect(limb_t flag, limb_t *ret, limb_t *a, limb_t *b, size_t n) ++{ ++ /* ++ * would be more efficient with non volatile mask, but then gcc ++ * generates code with jumps ++ */ ++ volatile limb_t mask; ++ size_t i; ++ ++ mask = mk_mask(flag); ++ for (i = 0; i < n; i++) { ++#if (LIMB_BYTE_SIZE == 8) ++ ret[i] = constant_time_select_64(mask, a[i], b[i]); ++#else ++ ret[i] = constant_time_select_32(mask, a[i], b[i]); ++#endif ++ } ++} ++ ++static limb_t _sub_limb(limb_t *ret, limb_t a, limb_t b, limb_t borrow) ++{ ++ limb_t borrow1, borrow2, t; ++ /* ++ * while it doesn't look constant-time, this is idiomatic code ++ * to tell compilers to use the carry bit from subtraction ++ */ ++ ++ *ret = a - borrow; 
++ if (*ret > a) ++ borrow1 = 1; ++ else ++ borrow1 = 0; ++ ++ t = *ret; ++ *ret = t - b; ++ if (*ret > t) ++ borrow2 = 1; ++ else ++ borrow2 = 0; ++ ++ return borrow1 + borrow2; ++} ++ ++/* ++ * place the result of a - b into ret, return the borrow bit. ++ * All arrays need to be n limbs long ++ */ ++static limb_t sub(limb_t *ret, limb_t *a, limb_t *b, size_t n) ++{ ++ limb_t borrow = 0; ++ ossl_ssize_t i; ++ ++ for (i = n - 1; i > -1; i--) ++ borrow = _sub_limb(&ret[i], a[i], b[i], borrow); ++ ++ return borrow; ++} ++ ++/* return the number of limbs necessary to allocate for the mod() tmp operand */ ++static ossl_inline size_t mod_limb_numb(size_t anum, size_t modnum) ++{ ++ return (anum + modnum) * 3; ++} ++ ++/* ++ * calculate a % mod, place the result in ret ++ * size of a is defined by anum, size of ret and mod is modnum, ++ * size of tmp is returned by mod_limb_numb() ++ */ ++static void mod(limb_t *ret, limb_t *a, size_t anum, limb_t *mod, ++ size_t modnum, limb_t *tmp) ++{ ++ limb_t *atmp, *modtmp, *rettmp; ++ limb_t res; ++ size_t i; ++ ++ memset(tmp, 0, mod_limb_numb(anum, modnum) * LIMB_BYTE_SIZE); ++ ++ atmp = tmp; ++ modtmp = &tmp[anum + modnum]; ++ rettmp = &tmp[(anum + modnum) * 2]; ++ ++ for (i = modnum; i 0; i--, rp--) { ++ v = _mul_add_limb(rp, mod, modnum, rp[modnum-1] * ni0, tmp2); ++ v = v + carry + rp[-1]; ++ carry |= (v != rp[-1]); ++ carry &= (v <= rp[-1]); ++ rp[-1] = v; ++ } ++ ++ /* perform the final reduction by mod... 
*/ ++ carry -= sub(ret, rp, mod, modnum); ++ ++ /* ...conditionally */ ++ cselect(carry, ret, rp, ret, modnum); ++} ++ ++/* allocated buffer should be freed afterwards */ ++static void BN_to_limb(const BIGNUM *bn, limb_t *buf, size_t limbs) ++{ ++ int i; ++ int real_limbs = (BN_num_bytes(bn) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; ++ limb_t *ptr = buf + (limbs - real_limbs); ++ ++ for (i = 0; i < real_limbs; i++) ++ ptr[i] = bn->d[real_limbs - i - 1]; ++} ++ ++#if LIMB_BYTE_SIZE == 8 ++static ossl_inline uint64_t be64(uint64_t host) ++{ ++ uint64_t big = 0; ++ DECLARE_IS_ENDIAN; ++ ++ if (!IS_LITTLE_ENDIAN) ++ return host; ++ ++ big |= (host & 0xff00000000000000) >> 56; ++ big |= (host & 0x00ff000000000000) >> 40; ++ big |= (host & 0x0000ff0000000000) >> 24; ++ big |= (host & 0x000000ff00000000) >> 8; ++ big |= (host & 0x00000000ff000000) << 8; ++ big |= (host & 0x0000000000ff0000) << 24; ++ big |= (host & 0x000000000000ff00) << 40; ++ big |= (host & 0x00000000000000ff) << 56; ++ return big; ++} ++ ++#else ++/* Not all platforms have htobe32(). */ ++static ossl_inline uint32_t be32(uint32_t host) ++{ ++ uint32_t big = 0; ++ DECLARE_IS_ENDIAN; ++ ++ if (!IS_LITTLE_ENDIAN) ++ return host; ++ ++ big |= (host & 0xff000000) >> 24; ++ big |= (host & 0x00ff0000) >> 8; ++ big |= (host & 0x0000ff00) << 8; ++ big |= (host & 0x000000ff) << 24; ++ return big; ++} ++#endif ++ ++/* ++ * We assume that intermediate, possible_arg2, blinding, and ctx are used ++ * similar to BN_BLINDING_invert_ex() arguments. ++ * to_mod is RSA modulus. ++ * buf and num is the serialization buffer and its length. ++ * ++ * Here we use classic/Montgomery multiplication and modulo. After the calculation finished ++ * we serialize the new structure instead of BIGNUMs taking endianness into account. 
++ */ ++int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate, ++ const BN_BLINDING *blinding, ++ const BIGNUM *possible_arg2, ++ const BIGNUM *to_mod, BN_CTX *ctx, ++ unsigned char *buf, int num) ++{ ++ limb_t *l_im = NULL, *l_mul = NULL, *l_mod = NULL; ++ limb_t *l_ret = NULL, *l_tmp = NULL, l_buf; ++ size_t l_im_count = 0, l_mul_count = 0, l_size = 0, l_mod_count = 0; ++ size_t l_tmp_count = 0; ++ int ret = 0; ++ size_t i; ++ unsigned char *tmp; ++ const BIGNUM *arg1 = intermediate; ++ const BIGNUM *arg2 = (possible_arg2 == NULL) ? blinding->Ai : possible_arg2; ++ ++ l_im_count = (BN_num_bytes(arg1) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; ++ l_mul_count = (BN_num_bytes(arg2) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; ++ l_mod_count = (BN_num_bytes(to_mod) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; ++ ++ l_size = l_im_count > l_mul_count ? l_im_count : l_mul_count; ++ l_im = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE); ++ l_mul = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE); ++ l_mod = OPENSSL_zalloc(l_mod_count * LIMB_BYTE_SIZE); ++ ++ if ((l_im == NULL) || (l_mul == NULL) || (l_mod == NULL)) ++ goto err; ++ ++ BN_to_limb(arg1, l_im, l_size); ++ BN_to_limb(arg2, l_mul, l_size); ++ BN_to_limb(to_mod, l_mod, l_mod_count); ++ ++ l_ret = OPENSSL_malloc(2 * l_size * LIMB_BYTE_SIZE); ++ ++ if (blinding->m_ctx != NULL) { ++ l_tmp_count = mul_limb_numb(l_size) > mod_montgomery_limb_numb(l_mod_count) ? ++ mul_limb_numb(l_size) : mod_montgomery_limb_numb(l_mod_count); ++ l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE); ++ } else { ++ l_tmp_count = mul_limb_numb(l_size) > mod_limb_numb(2 * l_size, l_mod_count) ? 
++ mul_limb_numb(l_size) : mod_limb_numb(2 * l_size, l_mod_count); ++ l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE); ++ } ++ ++ if ((l_ret == NULL) || (l_tmp == NULL)) ++ goto err; ++ ++ if (blinding->m_ctx != NULL) { ++ limb_mul(l_ret, l_im, l_mul, l_size, l_tmp); ++ mod_montgomery(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count, ++ blinding->m_ctx->n0[0], l_tmp); ++ } else { ++ limb_mul(l_ret, l_im, l_mul, l_size, l_tmp); ++ mod(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count, l_tmp); ++ } ++ ++ /* modulus size in bytes can be equal to num but after limbs conversion it becomes bigger */ ++ if (num < BN_num_bytes(to_mod)) { ++ ERR_raise(ERR_LIB_BN, ERR_R_PASSED_INVALID_ARGUMENT); ++ goto err; ++ } ++ ++ memset(buf, 0, num); ++ tmp = buf + num - BN_num_bytes(to_mod); ++ for (i = 0; i < l_mod_count; i++) { ++#if LIMB_BYTE_SIZE == 8 ++ l_buf = be64(l_ret[i]); ++#else ++ l_buf = be32(l_ret[i]); ++#endif ++ if (i == 0) { ++ int delta = LIMB_BYTE_SIZE - ((l_mod_count * LIMB_BYTE_SIZE) - num); ++ ++ memcpy(tmp, ((char *)&l_buf) + LIMB_BYTE_SIZE - delta, delta); ++ tmp += delta; ++ } else { ++ memcpy(tmp, &l_buf, LIMB_BYTE_SIZE); ++ tmp += LIMB_BYTE_SIZE; ++ } ++ } ++ ret = num; ++ ++ err: ++ OPENSSL_free(l_im); ++ OPENSSL_free(l_mul); ++ OPENSSL_free(l_mod); ++ OPENSSL_free(l_tmp); ++ OPENSSL_free(l_ret); ++ ++ return ret; ++} +diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c +index 381c659352..7e8b791fba 100644 +--- a/crypto/rsa/rsa_ossl.c ++++ b/crypto/rsa/rsa_ossl.c +@@ -469,13 +469,20 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, + BN_free(d); + } + +- if (blinding) +- if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) ++ if (blinding) { ++ /* ++ * ossl_bn_rsa_do_unblind() combines blinding inversion and ++ * 0-padded BN BE serialization ++ */ ++ j = ossl_bn_rsa_do_unblind(ret, blinding, unblind, rsa->n, ctx, ++ buf, num); ++ if (j == 0) + goto err; +- +- j = BN_bn2binpad(ret, buf, num); +- if (j < 0) +- goto err; ++ } 
else { ++ j = BN_bn2binpad(ret, buf, num); ++ if (j < 0) ++ goto err; ++ } + + switch (padding) { + case RSA_PKCS1_PADDING: +diff --git a/include/crypto/bn.h b/include/crypto/bn.h +index cf69bea848..cd45654210 100644 +--- a/include/crypto/bn.h ++++ b/include/crypto/bn.h +@@ -114,4 +114,10 @@ OSSL_LIB_CTX *ossl_bn_get_libctx(BN_CTX *ctx); + + extern const BIGNUM ossl_bn_inv_sqrt_2; + ++int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate, ++ const BN_BLINDING *blinding, ++ const BIGNUM *possible_arg2, ++ const BIGNUM *to_mod, BN_CTX *ctx, ++ unsigned char *buf, int num); ++ + #endif +-- +2.39.1 + diff --git a/SOURCES/0103-CVE-2022-4450-pem-read-bio.patch b/SOURCES/0103-CVE-2022-4450-pem-read-bio.patch new file mode 100644 index 0000000..7d86395 --- /dev/null +++ b/SOURCES/0103-CVE-2022-4450-pem-read-bio.patch 
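Review bot: The output-length check in ossl_bn_rsa_do_unblind, `if (num < BN_num_bytes(to_mod))`, only rejects a buffer that is too short, yet the serialization that follows is correct only when the two lengths are equal: the loop writes `delta + (l_mod_count - 1) * LIMB_BYTE_SIZE`, which is exactly `num` bytes, starting at `buf + num - BN_num_bytes(to_mod)`, so any `num` larger than the modulus length runs past the end of `buf`, and once `num` exceeds `l_mod_count * LIMB_BYTE_SIZE` the `i == 0` branch also copies from before `l_buf`. The single caller in rsa_ossl_private_decrypt appears to pass the modulus length as `num` (its definition is outside the hunk), so this is presumably unreachable today, but the function is a new internal API and the comment above the check already hints at the mismatch; tightening it to `if (num != BN_num_bytes(to_mod))` pins the assumption at the boundary. Relatedly, `l_ret` is allocated for `2 * l_size` limbs while `mod()`/`mod_montgomery()` write and the final loop reads `l_mod_count` limbs of it, which is safe only when `l_mod_count <= 2 * l_size`; that invariant holds for the RSA inputs described in the header comment but is neither checked nor stated, and a one-line comment or an explicit check before `limb_mul()` would make it visible.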
@@ -0,0 +1,106 @@ +From 63bcf189be73a9cc1264059bed6f57974be74a83 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Tue, 13 Dec 2022 14:54:55 +0000 +Subject: [PATCH 04/18] Avoid dangling ptrs in header and data params for + PEM_read_bio_ex + +In the event of a failure in PEM_read_bio_ex() we free the buffers we +allocated for the header and data buffers. However we were not clearing +the ptrs stored in *header and *data. Since, on success, the caller is +responsible for freeing these ptrs this can potentially lead to a double +free if the caller frees them even on failure. + +Thanks to Dawei Wang for reporting this issue. + +Based on a proposed patch by Kurt Roeckx. + +CVE-2022-4450 + +Reviewed-by: Paul Dale +Reviewed-by: Hugo Landau +--- + crypto/pem/pem_lib.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c +index f9ff80162a..85c47fb627 100644 +--- a/crypto/pem/pem_lib.c ++++ b/crypto/pem/pem_lib.c +@@ -989,7 +989,9 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char **header, + + out_free: + pem_free(*header, flags, 0); ++ *header = NULL; + pem_free(*data, flags, 0); ++ *data = NULL; + end: + EVP_ENCODE_CTX_free(ctx); + pem_free(name, flags, 0); +-- +2.39.1 + +From cbafa34b5a057794c5c08cd4657038e1f643c1ac Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Tue, 13 Dec 2022 15:02:26 +0000 +Subject: [PATCH 05/18] Add a test for CVE-2022-4450 + +Call PEM_read_bio_ex() and expect a failure. There should be no dangling +ptrs and therefore there should be no double free if we free the ptrs on +error. 
+ +Reviewed-by: Paul Dale +Reviewed-by: Hugo Landau +--- + test/pemtest.c | 30 ++++++++++++++++++++++++++++++ + 1 file changed, 30 insertions(+) + +diff --git a/test/pemtest.c b/test/pemtest.c +index a8d2d49bb5..a5d28cb256 100644 +--- a/test/pemtest.c ++++ b/test/pemtest.c +@@ -96,6 +96,35 @@ static int test_cert_key_cert(void) + return 1; + } + ++static int test_empty_payload(void) ++{ ++ BIO *b; ++ static char *emptypay = ++ "-----BEGIN CERTIFICATE-----\n" ++ "-\n" /* Base64 EOF character */ ++ "-----END CERTIFICATE-----"; ++ char *name = NULL, *header = NULL; ++ unsigned char *data = NULL; ++ long len; ++ int ret = 0; ++ ++ b = BIO_new_mem_buf(emptypay, strlen(emptypay)); ++ if (!TEST_ptr(b)) ++ return 0; ++ ++ /* Expected to fail because the payload is empty */ ++ if (!TEST_false(PEM_read_bio_ex(b, &name, &header, &data, &len, 0))) ++ goto err; ++ ++ ret = 1; ++ err: ++ OPENSSL_free(name); ++ OPENSSL_free(header); ++ OPENSSL_free(data); ++ BIO_free(b); ++ return ret; ++} ++ + int setup_tests(void) + { + if (!TEST_ptr(pemfile = test_get_argument(0))) +@@ -103,5 +132,6 @@ int setup_tests(void) + ADD_ALL_TESTS(test_b64, OSSL_NELEM(b64_pem_data)); + ADD_TEST(test_invalid); + ADD_TEST(test_cert_key_cert); ++ ADD_TEST(test_empty_payload); + return 1; + } +-- +2.39.1 + diff --git a/SOURCES/0104-CVE-2023-0215-UAF-bio.patch b/SOURCES/0104-CVE-2023-0215-UAF-bio.patch new file mode 100644 index 0000000..4140219 --- /dev/null +++ b/SOURCES/0104-CVE-2023-0215-UAF-bio.patch 
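Review bot: test_empty_payload detects the dangling-pointer regression only indirectly — without the fix the `OPENSSL_free(header)` and `OPENSSL_free(data)` in its cleanup become double frees, which a plain (non-sanitizer) build may not report, so the test can pass silently on unfixed code. Asserting the post-condition the fix establishes makes it deterministic: after the `TEST_false(PEM_read_bio_ex(...))` check add `if (!TEST_ptr_null(header) || !TEST_ptr_null(data)) goto err;`. As a point of style, `emptypay` points at a string literal and should be declared `static const char *emptypay`, which `BIO_new_mem_buf` accepts unchanged since it takes `const void *`.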
@@ -0,0 +1,187 @@ +From 8818064ce3c3c0f1b740a5aaba2a987e75bfbafd Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Wed, 14 Dec 2022 16:18:14 +0000 +Subject: [PATCH 06/18] Fix a UAF resulting from a bug in BIO_new_NDEF + +If the aux->asn1_cb() call fails in BIO_new_NDEF then the "out" BIO will +be part of an invalid BIO chain. This causes a "use after free" when the +BIO is eventually freed. + +Based on an original patch by Viktor Dukhovni and an idea from Theo +Buehler. + +Thanks to Octavio Galland for reporting this issue. + +Reviewed-by: Paul Dale +Reviewed-by: Tomas Mraz +--- + crypto/asn1/bio_ndef.c | 40 ++++++++++++++++++++++++++++++++-------- + 1 file changed, 32 insertions(+), 8 deletions(-) + +diff --git a/crypto/asn1/bio_ndef.c b/crypto/asn1/bio_ndef.c +index d94e3a3644..b9df3a7a47 100644 +--- a/crypto/asn1/bio_ndef.c ++++ b/crypto/asn1/bio_ndef.c +@@ -49,13 +49,19 @@ static int ndef_suffix(BIO *b, unsigned char **pbuf, int *plen, void *parg); + static int ndef_suffix_free(BIO *b, unsigned char **pbuf, int *plen, + void *parg); + +-/* unfortunately cannot constify this due to CMS_stream() and PKCS7_stream() */ ++/* ++ * On success, the returned BIO owns the input BIO as part of its BIO chain. ++ * On failure, NULL is returned and the input BIO is owned by the caller. 
++ * ++ * Unfortunately cannot constify this due to CMS_stream() and PKCS7_stream() ++ */ + BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it) + { + NDEF_SUPPORT *ndef_aux = NULL; + BIO *asn_bio = NULL; + const ASN1_AUX *aux = it->funcs; + ASN1_STREAM_ARG sarg; ++ BIO *pop_bio = NULL; + + if (!aux || !aux->asn1_cb) { + ERR_raise(ERR_LIB_ASN1, ASN1_R_STREAMING_NOT_SUPPORTED); +@@ -70,21 +76,39 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it) + out = BIO_push(asn_bio, out); + if (out == NULL) + goto err; ++ pop_bio = asn_bio; + +- BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free); +- BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free); ++ if (BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free) <= 0 ++ || BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free) <= 0 ++ || BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux) <= 0) ++ goto err; + + /* +- * Now let callback prepends any digest, cipher etc BIOs ASN1 structure +- * needs. ++ * Now let the callback prepend any digest, cipher, etc., that the BIO's ++ * ASN1 structure needs. + */ + + sarg.out = out; + sarg.ndef_bio = NULL; + sarg.boundary = NULL; + +- if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0) ++ /* ++ * The asn1_cb(), must not have mutated asn_bio on error, leaving it in the ++ * middle of some partially built, but not returned BIO chain. 
++ */ ++ if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0) { ++ /* ++ * ndef_aux is now owned by asn_bio so we must not free it in the err ++ * clean up block ++ */ ++ ndef_aux = NULL; + goto err; ++ } ++ ++ /* ++ * We must not fail now because the callback has prepended additional ++ * BIOs to the chain ++ */ + + ndef_aux->val = val; + ndef_aux->it = it; +@@ -92,11 +116,11 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it) + ndef_aux->boundary = sarg.boundary; + ndef_aux->out = out; + +- BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux); +- + return sarg.ndef_bio; + + err: ++ /* BIO_pop() is NULL safe */ ++ (void)BIO_pop(pop_bio); + BIO_free(asn_bio); + OPENSSL_free(ndef_aux); + return NULL; +-- +2.39.1 + +From f596ec8a6f9f5fcfa8e46a73b60f78a609725294 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Wed, 14 Dec 2022 17:15:18 +0000 +Subject: [PATCH 07/18] Check CMS failure during BIO setup with -stream is + handled correctly + +Test for the issue fixed in the previous commit + +Reviewed-by: Paul Dale +Reviewed-by: Tomas Mraz +--- + test/recipes/80-test_cms.t | 15 +++++++++++++-- + test/smime-certs/badrsa.pem | 18 ++++++++++++++++++ + 2 files changed, 31 insertions(+), 2 deletions(-) + create mode 100644 test/smime-certs/badrsa.pem + +diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t +index 610f1cbc51..fd53683e6b 100644 +--- a/test/recipes/80-test_cms.t ++++ b/test/recipes/80-test_cms.t +@@ -13,7 +13,7 @@ use warnings; + use POSIX; + use File::Spec::Functions qw/catfile/; + use File::Compare qw/compare_text compare/; +-use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_dir bldtop_file/; ++use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_dir bldtop_file with/; + + use OpenSSL::Test::Utils; + +@@ -50,7 +50,7 @@ my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib) + + $no_rc2 = 1 if disabled("legacy"); + +-plan tests => 12; ++plan tests => 13; + + ok(run(test(["pkcs7_test"])), "test 
pkcs7"); + +@@ -972,3 +972,14 @@ ok(!run(app(['openssl', 'cms', '-verify', + + return ""; + } ++ ++# Check that we get the expected failure return code ++with({ exit_checker => sub { return shift == 6; } }, ++ sub { ++ ok(run(app(['openssl', 'cms', '-encrypt', ++ '-in', srctop_file("test", "smcont.txt"), ++ '-stream', '-recip', ++ srctop_file("test/smime-certs", "badrsa.pem"), ++ ])), ++ "Check failure during BIO setup with -stream is handled correctly"); ++ }); +diff --git a/test/smime-certs/badrsa.pem b/test/smime-certs/badrsa.pem +new file mode 100644 +index 0000000000..f824fc2267 +--- /dev/null ++++ b/test/smime-certs/badrsa.pem +@@ -0,0 +1,18 @@ ++-----BEGIN CERTIFICATE----- ++MIIDbTCCAlWgAwIBAgIToTV4Z0iuK08vZP20oTh//hC8BDANBgkqhkiG9w0BAQ0FADAtMSswKQYD ++VfcDEyJTYW1wbGUgTEFNUFMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MCAXDTE5MTEyMDA2NTQxOFoY ++DzIwNTIwOTI3MDY1NDE4WjAZMRcwFQYDVQQDEw5BbGljZSBMb3ZlbGFjZTCCASIwDQYJKoZIhvcN ++AQEBBQADggEPADCCAQoCggEBALT0iehYOBY+TZp/T5K2KNI05Hwr+E3wP6XTvyi6WWyTgBK9LCOw ++I2juwdRrjFBmXkk7pWpjXwsA3A5GOtz0FpfgyC7OxsVcF7q4WHWZWleYXFKlQHJD73nQwXP968+A ++/3rBX7PhO0DBbZnfitOLPgPEwjTtdg0VQQ6Wz+CRQ/YbHPKaw7aRphZO63dKvIKp4cQVtkWQHi6s ++yTjGsgkLcLNau5LZDQUdsGV+SAo3nBdWCRYV+I65x8Kf4hCxqqmjV3d/2NKRu0BXnDe/N+iDz3X0 ++zEoj0fqXgq4SWcC0nsG1lyyXt1TL270I6ATKRGJWiQVCCpDtc0NT6vdJ45bCSxgCAwEAAaOBlzCB ++lDAMBgNVHRMBAf8EAjAAMB4GA1UdEQQXMBWBE2FsaWNlQHNtaW1lLmV4YW1wbGUwEwYDVR0lBAww ++CgYIKwYBBQUHAwQwDwYDVR0PAQH/BAUDAwfAADAdBgNVHQ4EFgQUu/bMsi0dBhIcl64papAQ0yBm ++ZnMwHwYDVR0jBBgwFoAUeF8OWnjYa+RUcD2z3ez38fL6wEcwDQYJKoZIhvcNAQENBQADggEBABbW ++eonR6TMTckehDKNOabwaCIcekahAIL6l9tTzUX5ew6ufiAPlC6I/zQlmUaU0iSyFDG1NW14kNbFt ++5CAokyLhMtE4ASHBIHbiOp/ZSbUBTVYJZB61ot7w1/ol5QECSs08b8zrxIncf+t2DHGuVEy/Qq1d ++rBz8d4ay8zpqAE1tUyL5Da6ZiKUfWwZQXSI/JlbjQFzYQqTRDnzHWrg1xPeMTO1P2/cplFaseTiv ++yk4cYwOp/W9UAWymOZXF8WcJYCIUXkdcG/nEZxr057KlScrJmFXOoh7Y+8ON4iWYYcAfiNgpUFo/ ++j8BAwrKKaFvdlZS9k1Ypb2+UQY75mKJE9Bg= ++-----END CERTIFICATE----- +-- +2.39.1 + 
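Review bot: The new `exit_checker` in 80-test_cms.t compares the exit status against a bare `6`, and nothing in the hunk says which failure path of `openssl cms -encrypt -stream` produces that code, so a reader cannot tell whether a different non-zero status for this command line would be a regression or an acceptable variant. The test description only says the failure is "handled correctly", which does not pin the meaning either. A comment above the `with(...)` call naming the status — `# exit status 6: <failure path in apps/cms.c, confirm>` — or a named value such as `my $cms_bio_setup_failure = 6;` used in place of the literal would make the expectation checkable.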
diff --git a/SOURCES/0105-CVE-2023-0216-pkcs7-deref.patch b/SOURCES/0105-CVE-2023-0216-pkcs7-deref.patch new file mode 100644 index 0000000..bbcd594 --- /dev/null +++ b/SOURCES/0105-CVE-2023-0216-pkcs7-deref.patch 
@@ -0,0 +1,110 @@ +From 934a04f0e775309cadbef0aa6b9692e1b12a76c6 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Mon, 16 Jan 2023 19:45:23 +0100 +Subject: [PATCH 08/18] Do not dereference PKCS7 object data if not set + +Fixes CVE-2023-0216 + +Reviewed-by: Shane Lontis +Reviewed-by: Paul Dale +--- + crypto/pkcs7/pk7_lib.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/crypto/pkcs7/pk7_lib.c b/crypto/pkcs7/pk7_lib.c +index 753f1276e6..936e50da54 100644 +--- a/crypto/pkcs7/pk7_lib.c ++++ b/crypto/pkcs7/pk7_lib.c +@@ -414,6 +414,8 @@ PKCS7_SIGNER_INFO *PKCS7_add_signature(PKCS7 *p7, X509 *x509, EVP_PKEY *pkey, + + static STACK_OF(X509) *pkcs7_get_signer_certs(const PKCS7 *p7) + { ++ if (p7->d.ptr == NULL) ++ return NULL; + if (PKCS7_type_is_signed(p7)) + return p7->d.sign->cert; + if (PKCS7_type_is_signedAndEnveloped(p7)) +@@ -423,6 +425,8 @@ static STACK_OF(X509) *pkcs7_get_signer_certs(const PKCS7 *p7) + + static STACK_OF(PKCS7_RECIP_INFO) *pkcs7_get_recipient_info(const PKCS7 *p7) + { ++ if (p7->d.ptr == NULL) ++ return NULL; + if (PKCS7_type_is_signedAndEnveloped(p7)) + return p7->d.signed_and_enveloped->recipientinfo; + if (PKCS7_type_is_enveloped(p7)) +@@ -440,13 +444,17 @@ void ossl_pkcs7_resolve_libctx(PKCS7 *p7) + const PKCS7_CTX *ctx = ossl_pkcs7_get0_ctx(p7); + OSSL_LIB_CTX *libctx = ossl_pkcs7_ctx_get0_libctx(ctx); + const char *propq = ossl_pkcs7_ctx_get0_propq(ctx); +- STACK_OF(PKCS7_RECIP_INFO) *rinfos = pkcs7_get_recipient_info(p7); +- STACK_OF(PKCS7_SIGNER_INFO) *sinfos = PKCS7_get_signer_info(p7); +- STACK_OF(X509) *certs = pkcs7_get_signer_certs(p7); ++ STACK_OF(PKCS7_RECIP_INFO) *rinfos; ++ STACK_OF(PKCS7_SIGNER_INFO) *sinfos; ++ STACK_OF(X509) *certs; + +- if (ctx == NULL) ++ if (ctx == NULL || p7->d.ptr == NULL) + return; + ++ rinfos = pkcs7_get_recipient_info(p7); ++ sinfos = PKCS7_get_signer_info(p7); ++ certs = pkcs7_get_signer_certs(p7); ++ + for (i = 0; i < sk_X509_num(certs); i++) + 
ossl_x509_set0_libctx(sk_X509_value(certs, i), libctx, propq); + +-- +2.39.1 + +From 67813d8a4d110f4174bbd2fee8a2f15388e324b5 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Mon, 16 Jan 2023 19:56:20 +0100 +Subject: [PATCH 09/18] Add test for d2i_PKCS7 NULL dereference + +Reviewed-by: Shane Lontis +Reviewed-by: Paul Dale +--- + test/recipes/25-test_pkcs7.t | 7 +++++-- + test/recipes/25-test_pkcs7_data/malformed.pkcs7 | 3 +++ + 2 files changed, 8 insertions(+), 2 deletions(-) + create mode 100644 test/recipes/25-test_pkcs7_data/malformed.pkcs7 + +diff --git a/test/recipes/25-test_pkcs7.t b/test/recipes/25-test_pkcs7.t +index 37cd43dc6b..d61cd6abad 100644 +--- a/test/recipes/25-test_pkcs7.t ++++ b/test/recipes/25-test_pkcs7.t +@@ -11,11 +11,11 @@ use strict; + use warnings; + + use File::Spec; +-use OpenSSL::Test qw/:DEFAULT srctop_file/; ++use OpenSSL::Test qw/:DEFAULT srctop_file data_file/; + + setup("test_pkcs7"); + +-plan tests => 3; ++plan tests => 4; + + require_ok(srctop_file('test','recipes','tconversion.pl')); + +@@ -27,3 +27,6 @@ subtest 'pkcs7 conversions -- pkcs7d' => sub { + tconversion( -type => 'p7d', -in => srctop_file("test", "pkcs7-1.pem"), + -args => ["pkcs7"] ); + }; ++ ++my $malformed = data_file('malformed.pkcs7'); ++ok(run(app(["openssl", "pkcs7", "-in", $malformed]))); +diff --git a/test/recipes/25-test_pkcs7_data/malformed.pkcs7 b/test/recipes/25-test_pkcs7_data/malformed.pkcs7 +new file mode 100644 +index 0000000000..e30d1b582c +--- /dev/null ++++ b/test/recipes/25-test_pkcs7_data/malformed.pkcs7 +@@ -0,0 +1,3 @@ ++-----BEGIN PKCS7----- ++MAsGCSqGSIb3DQEHAg== ++-----END PKCS7----- +-- +2.39.1 + diff --git a/SOURCES/0106-CVE-2023-0217-dsa.patch b/SOURCES/0106-CVE-2023-0217-dsa.patch new file mode 100644 index 0000000..d2db996 --- /dev/null +++ b/SOURCES/0106-CVE-2023-0217-dsa.patch 
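Review bot: The new assertion at the end of 25-test_pkcs7.t, `ok(run(app(["openssl", "pkcs7", "-in", $malformed])));`, carries no test description, unlike the `subtest` blocks above it, so a failure in the TAP output is identified only by its number. Give it a name that states what is being protected, e.g. `ok(run(app(["openssl", "pkcs7", "-in", $malformed])), "pkcs7 tool handles a PKCS7 object with no content");`. A one-line comment in the recipe next to the `data_file('malformed.pkcs7')` call describing what makes the fixture malformed would also help the next reader, since the fixture itself is opaque base64.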
@@ -0,0 +1,404 @@ +From 23985bac83fd50c8e29431009302b5442f985096 Mon Sep 17 00:00:00 2001 +From: slontis +Date: Wed, 11 Jan 2023 11:05:04 +1000 +Subject: [PATCH 10/18] Fix NULL deference when validating FFC public key. + +Fixes CVE-2023-0217 + +When attempting to do a BN_Copy of params->p there was no NULL check. +Since BN_copy does not check for NULL this is a NULL reference. + +As an aside BN_cmp() does do a NULL check, so there are other checks +that fail because a NULL is passed. A more general check for NULL params +has been added for both FFC public and private key validation instead. + +Reviewed-by: Matt Caswell +Reviewed-by: Paul Dale +Reviewed-by: Tomas Mraz +--- + crypto/ffc/ffc_key_validate.c | 9 +++++++++ + include/internal/ffc.h | 1 + + test/ffc_internal_test.c | 31 +++++++++++++++++++++++++++++++ + 3 files changed, 41 insertions(+) + +diff --git a/crypto/ffc/ffc_key_validate.c b/crypto/ffc/ffc_key_validate.c +index 9f6525a2c8..442303e4b3 100644 +--- a/crypto/ffc/ffc_key_validate.c ++++ b/crypto/ffc/ffc_key_validate.c +@@ -24,6 +24,11 @@ int ossl_ffc_validate_public_key_partial(const FFC_PARAMS *params, + BN_CTX *ctx = NULL; + + *ret = 0; ++ if (params == NULL || pub_key == NULL || params->p == NULL) { ++ *ret = FFC_ERROR_PASSED_NULL_PARAM; ++ return 0; ++ } ++ + ctx = BN_CTX_new_ex(NULL); + if (ctx == NULL) + goto err; +@@ -107,6 +112,10 @@ int ossl_ffc_validate_private_key(const BIGNUM *upper, const BIGNUM *priv, + + *ret = 0; + ++ if (priv == NULL || upper == NULL) { ++ *ret = FFC_ERROR_PASSED_NULL_PARAM; ++ goto err; ++ } + if (BN_cmp(priv, BN_value_one()) < 0) { + *ret |= FFC_ERROR_PRIVKEY_TOO_SMALL; + goto err; +diff --git a/include/internal/ffc.h b/include/internal/ffc.h +index 732514a6c2..b8b7140857 100644 +--- a/include/internal/ffc.h ++++ b/include/internal/ffc.h +@@ -76,6 +76,7 @@ + # define FFC_ERROR_NOT_SUITABLE_GENERATOR 0x08 + # define FFC_ERROR_PRIVKEY_TOO_SMALL 0x10 + # define FFC_ERROR_PRIVKEY_TOO_LARGE 0x20 ++# define 
FFC_ERROR_PASSED_NULL_PARAM 0x40 + + /* + * Finite field cryptography (FFC) domain parameters are used by DH and DSA. +diff --git a/test/ffc_internal_test.c b/test/ffc_internal_test.c +index 2c97293573..9f67bd29b9 100644 +--- a/test/ffc_internal_test.c ++++ b/test/ffc_internal_test.c +@@ -510,6 +510,27 @@ static int ffc_public_validate_test(void) + if (!TEST_true(ossl_ffc_validate_public_key(params, pub, &res))) + goto err; + ++ /* Fail if params is NULL */ ++ if (!TEST_false(ossl_ffc_validate_public_key(NULL, pub, &res))) ++ goto err; ++ if (!TEST_int_eq(FFC_ERROR_PASSED_NULL_PARAM, res)) ++ goto err; ++ res = -1; ++ /* Fail if pubkey is NULL */ ++ if (!TEST_false(ossl_ffc_validate_public_key(params, NULL, &res))) ++ goto err; ++ if (!TEST_int_eq(FFC_ERROR_PASSED_NULL_PARAM, res)) ++ goto err; ++ res = -1; ++ ++ BN_free(params->p); ++ params->p = NULL; ++ /* Fail if params->p is NULL */ ++ if (!TEST_false(ossl_ffc_validate_public_key(params, pub, &res))) ++ goto err; ++ if (!TEST_int_eq(FFC_ERROR_PASSED_NULL_PARAM, res)) ++ goto err; ++ + ret = 1; + err: + DH_free(dh); +@@ -567,6 +588,16 @@ static int ffc_private_validate_test(void) + if (!TEST_true(ossl_ffc_validate_private_key(params->q, priv, &res))) + goto err; + ++ if (!TEST_false(ossl_ffc_validate_private_key(NULL, priv, &res))) ++ goto err; ++ if (!TEST_int_eq(FFC_ERROR_PASSED_NULL_PARAM, res)) ++ goto err; ++ res = -1; ++ if (!TEST_false(ossl_ffc_validate_private_key(params->q, NULL, &res))) ++ goto err; ++ if (!TEST_int_eq(FFC_ERROR_PASSED_NULL_PARAM, res)) ++ goto err; ++ + ret = 1; + err: + DH_free(dh); +-- +2.39.1 + +From c1b4467a7cc129a74fc5205b80a5c47556b99416 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Fri, 13 Jan 2023 17:57:59 +0100 +Subject: [PATCH 11/18] Prevent creating DSA and DH keys without parameters + through import + +Reviewed-by: Matt Caswell +Reviewed-by: Paul Dale +--- + providers/implementations/keymgmt/dh_kmgmt.c | 4 ++-- + providers/implementations/keymgmt/dsa_kmgmt.c | 5 +++-- 
+ 2 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c +index 58a5fd009f..c2d87b4a7f 100644 +--- a/providers/implementations/keymgmt/dh_kmgmt.c ++++ b/providers/implementations/keymgmt/dh_kmgmt.c +@@ -198,8 +198,8 @@ static int dh_import(void *keydata, int selection, const OSSL_PARAM params[]) + if ((selection & DH_POSSIBLE_SELECTIONS) == 0) + return 0; + +- if ((selection & OSSL_KEYMGMT_SELECT_ALL_PARAMETERS) != 0) +- ok = ok && ossl_dh_params_fromdata(dh, params); ++ /* a key without parameters is meaningless */ ++ ok = ok && ossl_dh_params_fromdata(dh, params); + + if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) { + int include_private = +diff --git a/providers/implementations/keymgmt/dsa_kmgmt.c b/providers/implementations/keymgmt/dsa_kmgmt.c +index 100e917167..881680c085 100644 +--- a/providers/implementations/keymgmt/dsa_kmgmt.c ++++ b/providers/implementations/keymgmt/dsa_kmgmt.c +@@ -199,8 +199,9 @@ static int dsa_import(void *keydata, int selection, const OSSL_PARAM params[]) + if ((selection & DSA_POSSIBLE_SELECTIONS) == 0) + return 0; + +- if ((selection & OSSL_KEYMGMT_SELECT_ALL_PARAMETERS) != 0) +- ok = ok && ossl_dsa_ffc_params_fromdata(dsa, params); ++ /* a key without parameters is meaningless */ ++ ok = ok && ossl_dsa_ffc_params_fromdata(dsa, params); ++ + if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) { + int include_private = + selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY ? 
1 : 0; +-- +2.39.1 + +From fab4973801bdc11c29c4c8ccf65cf39cbc63ce9b Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Fri, 13 Jan 2023 17:59:52 +0100 +Subject: [PATCH 12/18] Do not create DSA keys without parameters by decoder + +Reviewed-by: Matt Caswell +Reviewed-by: Paul Dale +--- + crypto/x509/x_pubkey.c | 24 +++++++++++++++++++ + include/crypto/x509.h | 3 +++ + .../encode_decode/decode_der2key.c | 2 +- + 3 files changed, 28 insertions(+), 1 deletion(-) + +diff --git a/crypto/x509/x_pubkey.c b/crypto/x509/x_pubkey.c +index bc90ddd89b..77790faa1f 100644 +--- a/crypto/x509/x_pubkey.c ++++ b/crypto/x509/x_pubkey.c +@@ -745,6 +745,30 @@ DSA *d2i_DSA_PUBKEY(DSA **a, const unsigned char **pp, long length) + return key; + } + ++/* Called from decoders; disallows provided DSA keys without parameters. */ ++DSA *ossl_d2i_DSA_PUBKEY(DSA **a, const unsigned char **pp, long length) ++{ ++ DSA *key = NULL; ++ const unsigned char *data; ++ const BIGNUM *p, *q, *g; ++ ++ data = *pp; ++ key = d2i_DSA_PUBKEY(NULL, &data, length); ++ if (key == NULL) ++ return NULL; ++ DSA_get0_pqg(key, &p, &q, &g); ++ if (p == NULL || q == NULL || g == NULL) { ++ DSA_free(key); ++ return NULL; ++ } ++ *pp = data; ++ if (a != NULL) { ++ DSA_free(*a); ++ *a = key; ++ } ++ return key; ++} ++ + int i2d_DSA_PUBKEY(const DSA *a, unsigned char **pp) + { + EVP_PKEY *pktmp; +diff --git a/include/crypto/x509.h b/include/crypto/x509.h +index 1f00178e89..0c42730ee9 100644 +--- a/include/crypto/x509.h ++++ b/include/crypto/x509.h +@@ -339,6 +339,9 @@ void ossl_X509_PUBKEY_INTERNAL_free(X509_PUBKEY *xpub); + + RSA *ossl_d2i_RSA_PSS_PUBKEY(RSA **a, const unsigned char **pp, long length); + int ossl_i2d_RSA_PSS_PUBKEY(const RSA *a, unsigned char **pp); ++# ifndef OPENSSL_NO_DSA ++DSA *ossl_d2i_DSA_PUBKEY(DSA **a, const unsigned char **pp, long length); ++# endif /* OPENSSL_NO_DSA */ + # ifndef OPENSSL_NO_DH + DH *ossl_d2i_DH_PUBKEY(DH **a, const unsigned char **pp, long length); + int ossl_i2d_DH_PUBKEY(const 
DH *a, unsigned char **pp); +diff --git a/providers/implementations/encode_decode/decode_der2key.c b/providers/implementations/encode_decode/decode_der2key.c +index ebc2d24833..d6ad738ef3 100644 +--- a/providers/implementations/encode_decode/decode_der2key.c ++++ b/providers/implementations/encode_decode/decode_der2key.c +@@ -374,7 +374,7 @@ static void *dsa_d2i_PKCS8(void **key, const unsigned char **der, long der_len, + (key_from_pkcs8_t *)ossl_dsa_key_from_pkcs8); + } + +-# define dsa_d2i_PUBKEY (d2i_of_void *)d2i_DSA_PUBKEY ++# define dsa_d2i_PUBKEY (d2i_of_void *)ossl_d2i_DSA_PUBKEY + # define dsa_free (free_key_fn *)DSA_free + # define dsa_check NULL + +-- +2.39.1 + +From 7e37185582995b35f885fec9dcc3670af9ffcbef Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Fri, 13 Jan 2023 18:46:15 +0100 +Subject: [PATCH 13/18] Add test for DSA pubkey without param import and check + +Reviewed-by: Matt Caswell +Reviewed-by: Paul Dale +--- + test/recipes/91-test_pkey_check.t | 48 ++++++++++++++---- + .../91-test_pkey_check_data/dsapub.pem | 12 +++++ + .../dsapub_noparam.der | Bin 0 -> 108 bytes + 3 files changed, 49 insertions(+), 11 deletions(-) + create mode 100644 test/recipes/91-test_pkey_check_data/dsapub.pem + create mode 100644 test/recipes/91-test_pkey_check_data/dsapub_noparam.der + +diff --git a/test/recipes/91-test_pkey_check.t b/test/recipes/91-test_pkey_check.t +index 612a3e3d6c..015d7805db 100644 +--- a/test/recipes/91-test_pkey_check.t ++++ b/test/recipes/91-test_pkey_check.t +@@ -11,19 +11,24 @@ use strict; + use warnings; + + use File::Spec; +-use OpenSSL::Test qw/:DEFAULT data_file/; ++use OpenSSL::Test qw/:DEFAULT data_file with/; + use OpenSSL::Test::Utils; + + sub pkey_check { + my $f = shift; ++ my $pubcheck = shift; ++ my @checkopt = ('-check'); + +- return run(app(['openssl', 'pkey', '-check', '-text', ++ @checkopt = ('-pubcheck', '-pubin') if $pubcheck; ++ ++ return run(app(['openssl', 'pkey', @checkopt, '-text', + '-in', $f])); + } + + sub 
check_key { + my $f = shift; + my $should_fail = shift; ++ my $pubcheck = shift; + my $str; + + +@@ -33,11 +38,10 @@ sub check_key { + $f = data_file($f); + + if ( -s $f ) { +- if ($should_fail) { +- ok(!pkey_check($f), $str); +- } else { +- ok(pkey_check($f), $str); +- } ++ with({ exit_checker => sub { return shift == $should_fail; } }, ++ sub { ++ ok(pkey_check($f, $pubcheck), $str); ++ }); + } else { + fail("Missing file $f"); + } +@@ -66,15 +70,37 @@ push(@positive_tests, ( + "dhpkey.pem" + )) unless disabled("dh"); + ++my @negative_pubtests = (); ++ ++push(@negative_pubtests, ( ++ "dsapub_noparam.der" ++ )) unless disabled("dsa"); ++ ++my @positive_pubtests = (); ++ ++push(@positive_pubtests, ( ++ "dsapub.pem" ++ )) unless disabled("dsa"); ++ + plan skip_all => "No tests within the current enabled feature set" +- unless @negative_tests && @positive_tests; ++ unless @negative_tests && @positive_tests ++ && @negative_pubtests && @positive_pubtests; + +-plan tests => scalar(@negative_tests) + scalar(@positive_tests); ++plan tests => scalar(@negative_tests) + scalar(@positive_tests) ++ + scalar(@negative_pubtests) + scalar(@positive_pubtests); + + foreach my $t (@negative_tests) { +- check_key($t, 1); ++ check_key($t, 1, 0); + } + + foreach my $t (@positive_tests) { +- check_key($t, 0); ++ check_key($t, 0, 0); ++} ++ ++foreach my $t (@negative_pubtests) { ++ check_key($t, 1, 1); ++} ++ ++foreach my $t (@positive_pubtests) { ++ check_key($t, 0, 1); + } +diff --git a/test/recipes/91-test_pkey_check_data/dsapub.pem b/test/recipes/91-test_pkey_check_data/dsapub.pem +new file mode 100644 +index 0000000000..0ff4bd83ed +--- /dev/null ++++ b/test/recipes/91-test_pkey_check_data/dsapub.pem +@@ -0,0 +1,12 @@ ++-----BEGIN PUBLIC KEY----- ++MIIBvzCCATQGByqGSM44BAEwggEnAoGBAIjbXpOVVciVNuagg26annKkghIIZFI4 ++4WdMomnV+I/oXyxHbZTBBBpW9xy/E1+yMjbp4GmX+VxyDj3WxUWxXllzL+miEkzD ++9Xz638VzIBhjFbMvk1/N4kS4bKVUd9yk7HfvYzAdnRphk0WI+RoDiDrBNPPxSoQD 
++CEWgvwgsLIDhAh0A6dbz1IQpQwGF4+Ca28x6OO+UfJJv3ggeZ++fNwKBgQCA9XKV ++lRrTY8ALBxS0KbZjpaIXuUj5nr3i1lIDyP3ISksDF0ekyLtn6eK9VijX6Pm65Np+ ++4ic9Nr5WKLKhPaUSpLNRx1gDqo3sd92hYgiEUifzEuhLYfK/CsgFED+l2hDXtJUq ++bISNSHVwI5lsyNXLu7HI1Fk8F5UO3LqsboFAngOBhAACgYATxFY89nEYcUhgHGgr ++YDHhXBQfMKnTKYdvon4DN7WQ9ip+t4VUsLpTD1ZE9zrM2R/B04+8C6KGoViwyeER ++kS4dxWOkX71x4X2DlNpYevcR53tNcTDqmMD7YKfDDmrb0lftMyfW8aESaiymVMys ++DRjhKHBjdo0rZeSM8DAk3ctrXA== ++-----END PUBLIC KEY----- +diff --git a/test/recipes/91-test_pkey_check_data/dsapub_noparam.der b/test/recipes/91-test_pkey_check_data/dsapub_noparam.der +new file mode 100644 +index 0000000000000000000000000000000000000000..b8135f1ca94da914b6829421e0c13f6daa731862 +GIT binary patch +literal 108 +zcmXpIGT>xm*J|@PXTieE%*wz71|F5F-Nv0Bz9(=Kufz + +literal 0 +HcmV?d00001 + +-- +2.39.1 + +From 2ad9928170768653d19d81881deabc5f9c1665c0 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Fri, 3 Feb 2023 14:57:04 +0100 +Subject: [PATCH 18/18] Internaly declare the DSA type for no-deprecated builds + +Reviewed-by: Hugo Landau +Reviewed-by: Richard Levitte +(cherry picked from commit 7a21a1b5fa2dac438892cf3292d1f9c445d870d9) +--- + include/crypto/types.h | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/include/crypto/types.h b/include/crypto/types.h +index 0d81404091..0a75f03a3f 100644 +--- a/include/crypto/types.h ++++ b/include/crypto/types.h +@@ -20,6 +20,9 @@ typedef struct rsa_meth_st RSA_METHOD; + typedef struct ec_key_st EC_KEY; + typedef struct ec_key_method_st EC_KEY_METHOD; + # endif ++# ifndef OPENSSL_NO_DSA ++typedef struct dsa_st DSA; ++# endif + # endif + + # ifndef OPENSSL_NO_EC +-- +2.39.1 + diff --git a/SOURCES/0107-CVE-2023-0286-X400.patch b/SOURCES/0107-CVE-2023-0286-X400.patch new file mode 100644 index 0000000..b3d7a15 --- /dev/null +++ b/SOURCES/0107-CVE-2023-0286-X400.patch 
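Review bot: In 91-test_pkey_check.t the rewritten check_key couples `$should_fail` (0 or 1) directly to the process exit code through `with({ exit_checker => sub { return shift == $should_fail; } }, ...)`, and nothing explains why that equality holds; add `# openssl pkey exits 1 when -check/-pubcheck rejects the key; a crash or any other status fails both the positive and the negative case` above the `with` call. That coupling is the substance of the test: under the previous `ok(!pkey_check($f), $str)` form a segfault on dsapub_noparam.der would have registered as "failed as expected", so the reason for the stricter checker deserves to be written down. The three positional booleans in calls like `check_key($t, 1, 1)` are also hard to read at the call sites; named arguments (`should_fail => 1, pubcheck => 1`) would help, though that is style only.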
@@ -0,0 +1,63 @@ +From 2f7530077e0ef79d98718138716bc51ca0cad658 Mon Sep 17 00:00:00 2001 +From: Hugo Landau +Date: Tue, 17 Jan 2023 17:45:42 +0000 +Subject: [PATCH 14/18] CVE-2023-0286: Fix GENERAL_NAME_cmp for x400Address + (3.0) + +Reviewed-by: Paul Dale +Reviewed-by: Tomas Mraz +--- + CHANGES.md | 19 +++++++++++++++++++ + crypto/x509/v3_genn.c | 2 +- + include/openssl/x509v3.h.in | 2 +- + test/v3nametest.c | 8 ++++++++ + 4 files changed, 29 insertions(+), 2 deletions(-) + +diff --git a/crypto/x509/v3_genn.c b/crypto/x509/v3_genn.c +index c0a7166cd0..1741c2d2f6 100644 +--- a/crypto/x509/v3_genn.c ++++ b/crypto/x509/v3_genn.c +@@ -98,7 +98,7 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b) + return -1; + switch (a->type) { + case GEN_X400: +- result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address); ++ result = ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address); + break; + + case GEN_EDIPARTY: +diff --git a/include/openssl/x509v3.h.in b/include/openssl/x509v3.h.in +index d00a66a343..c087e3cf92 100644 +--- a/include/openssl/x509v3.h.in ++++ b/include/openssl/x509v3.h.in +@@ -154,7 +154,7 @@ typedef struct GENERAL_NAME_st { + OTHERNAME *otherName; /* otherName */ + ASN1_IA5STRING *rfc822Name; + ASN1_IA5STRING *dNSName; +- ASN1_TYPE *x400Address; ++ ASN1_STRING *x400Address; + X509_NAME *directoryName; + EDIPARTYNAME *ediPartyName; + ASN1_IA5STRING *uniformResourceIdentifier; +diff --git a/test/v3nametest.c b/test/v3nametest.c +index 6d2e2f8e27..0341995dde 100644 +--- a/test/v3nametest.c ++++ b/test/v3nametest.c +@@ -644,6 +644,14 @@ static struct gennamedata { + 0xb7, 0x09, 0x02, 0x02 + }, + 15 ++ }, { ++ /* ++ * Regression test for CVE-2023-0286. ++ */ ++ { ++ 0xa3, 0x00 ++ }, ++ 2 + } + }; + +-- +2.39.1 + diff --git a/SOURCES/0108-CVE-2023-0401-pkcs7-md.patch b/SOURCES/0108-CVE-2023-0401-pkcs7-md.patch new file mode 100644 index 0000000..7608f56 --- /dev/null +++ b/SOURCES/0108-CVE-2023-0401-pkcs7-md.patch 
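Review bot: The diffstat of this backported patch still lists `CHANGES.md | 19 +++++++++++++++++++` and `4 files changed, 29 insertions(+), 2 deletions(-)`, but the body carries only the v3_genn.c, x509v3.h.in and v3nametest.c hunks; the CHANGES.md hunk was evidently dropped for the distro backport, so regenerate the diffstat or say so in the patch header so `git apply --stat` and reviewers are not misled. Changing `d.x400Address` from `ASN1_TYPE *` to `ASN1_STRING *` in the public header is the upstream fix and keeps the union member pointer-sized, but it is a source-level API change for any code that accessed that member as an ASN1_TYPE; a line in the package changelog would be appropriate. The regression vector `{ 0xa3, 0x00 }, 2` appears to be a context tag [3] (x400Address) with empty contents, which exercises exactly the ASN1_STRING_cmp path — that part looks right.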
@@ -0,0 +1,150 @@ +From d3b6dfd70db844c4499bec6ad6601623a565e674 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Wed, 18 Jan 2023 09:27:53 +0100 +Subject: [PATCH 15/18] pk7_doit.c: Check return of BIO_set_md() calls + +These calls invoke EVP_DigestInit() which can fail for digests +with implicit fetches. Subsequent EVP_DigestUpdate() from BIO_write() +or EVP_DigestFinal() from BIO_read() will segfault on NULL +dereference. This can be triggered by an attacker providing +PKCS7 data digested with MD4 for example if the legacy provider +is not loaded. + +If BIO_set_md() fails the md BIO cannot be used. + +CVE-2023-0401 + +Reviewed-by: Paul Dale +Reviewed-by: Dmitry Belyavskiy +--- + crypto/pkcs7/pk7_doit.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c +index bde9ac4787..5e562fbea5 100644 +--- a/crypto/pkcs7/pk7_doit.c ++++ b/crypto/pkcs7/pk7_doit.c +@@ -84,7 +84,11 @@ static int pkcs7_bio_add_digest(BIO **pbio, X509_ALGOR *alg, + } + (void)ERR_pop_to_mark(); + +- BIO_set_md(btmp, md); ++ if (BIO_set_md(btmp, md) <= 0) { ++ ERR_raise(ERR_LIB_PKCS7, ERR_R_BIO_LIB); ++ EVP_MD_free(fetched); ++ goto err; ++ } + EVP_MD_free(fetched); + if (*pbio == NULL) + *pbio = btmp; +@@ -522,7 +526,11 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) + } + (void)ERR_pop_to_mark(); + +- BIO_set_md(btmp, md); ++ if (BIO_set_md(btmp, md) <= 0) { ++ EVP_MD_free(evp_md); ++ ERR_raise(ERR_LIB_PKCS7, ERR_R_BIO_LIB); ++ goto err; ++ } + EVP_MD_free(evp_md); + if (out == NULL) + out = btmp; +-- +2.39.1 + +From a0f2359613f50b5ca6b74b78bf4b54d7dc925fd2 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Wed, 18 Jan 2023 17:07:24 +0100 +Subject: [PATCH 16/18] Add testcase for missing return check of BIO_set_md() + calls + +Reviewed-by: Paul Dale +Reviewed-by: Dmitry Belyavskiy +--- + test/recipes/80-test_cms.t | 15 ++++++++-- + test/recipes/80-test_cms_data/pkcs7-md4.pem | 32 
+++++++++++++++++++++ + 2 files changed, 45 insertions(+), 2 deletions(-) + create mode 100644 test/recipes/80-test_cms_data/pkcs7-md4.pem + +diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t +index fd53683e6b..d45789de70 100644 +--- a/test/recipes/80-test_cms.t ++++ b/test/recipes/80-test_cms.t +@@ -13,7 +13,7 @@ use warnings; + use POSIX; + use File::Spec::Functions qw/catfile/; + use File::Compare qw/compare_text compare/; +-use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_dir bldtop_file with/; ++use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_dir bldtop_file with data_file/; + + use OpenSSL::Test::Utils; + +@@ -50,7 +50,7 @@ my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib) + + $no_rc2 = 1 if disabled("legacy"); + +-plan tests => 13; ++plan tests => 14; + + ok(run(test(["pkcs7_test"])), "test pkcs7"); + +@@ -941,6 +941,17 @@ subtest "CMS binary input tests\n" => sub { + "verify binary input with -binary missing -crlfeol"); + }; + ++# Test case for missing MD algorithm (must not segfault) ++ ++with({ exit_checker => sub { return shift == 4; } }, ++ sub { ++ ok(run(app(['openssl', 'smime', '-verify', '-noverify', ++ '-inform', 'PEM', ++ '-in', data_file("pkcs7-md4.pem"), ++ ])), ++ "Check failure of EVP_DigestInit is handled correctly"); ++ }); ++ + sub check_availability { + my $tnam = shift; + +diff --git a/test/recipes/80-test_cms_data/pkcs7-md4.pem b/test/recipes/80-test_cms_data/pkcs7-md4.pem +new file mode 100644 +index 0000000000..ecff611deb +--- /dev/null ++++ b/test/recipes/80-test_cms_data/pkcs7-md4.pem +@@ -0,0 +1,32 @@ ++-----BEGIN PKCS7----- ++MIIFhAYJKoZIhvcNAQcCoIIFdTCCBXECAQExDjAMBggqhkiG9w0CBAUAMB0GCSqG ++SIb3DQEHAaAQBA5UZXN0IGNvbnRlbnQNCqCCAyQwggMgMIICCKADAgECAgECMA0G ++CSqGSIb3DQEBCwUAMA0xCzAJBgNVBAMMAkNBMCAXDTE2MDExNTA4MTk0OVoYDzIx ++MTYwMTE2MDgxOTQ5WjAZMRcwFQYDVQQDDA5zZXJ2ZXIuZXhhbXBsZTCCASIwDQYJ ++KoZIhvcNAQEBBQADggEPADCCAQoCggEBAKj/iVhhha7e2ywP1XP74reoG3p1YCvU 
++fTxzdrWu3pMvfySQbckc9Io4zZ+igBZWy7Qsu5PlFx//DcZD/jE0+CjYdemju4iC ++76Ny4lNiBUVN4DGX76qdENJYDZ4GnjK7GwhWXWUPP2aOwjagEf/AWTX9SRzdHEIz ++BniuBDgj5ed1Z9OUrVqpQB+sWRD1DMFkrUrExjVTs5ZqghsVi9GZq+Seb5Sq0pbl ++V/uMkWSKPCQWxtIZvoJgEztisO0+HbPK+WvfMbl6nktHaKcpxz9K4iIntO+QY9fv ++0HJJPlutuRvUK2+GaN3VcxK4Q8ncQQ+io0ZPi2eIhA9h/nk0H0qJH7cCAwEAAaN9 ++MHswHQYDVR0OBBYEFOeb4iqtimw6y3ZR5Y4HmCKX4XOiMB8GA1UdIwQYMBaAFLQR ++M/HX4l73U54gIhBPhga/H8leMAkGA1UdEwQCMAAwEwYDVR0lBAwwCgYIKwYBBQUH ++AwEwGQYDVR0RBBIwEIIOc2VydmVyLmV4YW1wbGUwDQYJKoZIhvcNAQELBQADggEB ++AEG0PE9hQuXlvtUULv9TQ2BXy9MmTjOk+dQwxDhAXYBYMUB6TygsqvPXwpDwz8MS ++EPGCRqh5cQwtPoElQRU1i4URgcQMZquXScwNFcvE6AATF/PdN/+mOwtqFrlpYfs3 ++IJIpYL6ViQg4n8pv+b/pCwMmhewQLwCGs9+omHNTOwKjEiVoNaprAfj5Lxt15fS2 +++zZW0mT9Y4kfEypetrqSAjh8CDK+vaQhkeKdDfJyBfjS4ALfxvCkT3mQnsWFJ9CU ++TVG3uw6ylSPT3wN3RE0Ofa4rI5PESogQsd/DgBc7dcDO3yoPKGjycR3/GJDqqCxC ++e9dr6FJEnDjaDf9zNWyTFHExggITMIICDwIBATASMA0xCzAJBgNVBAMMAkNBAgEC ++MAwGCCqGSIb3DQIEBQCggdQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkq ++hkiG9w0BCQUxDxcNMjMwMTE4MTU0NzExWjAfBgkqhkiG9w0BCQQxEgQQRXO4TKpp ++RgA4XHb8bD1pczB5BgkqhkiG9w0BCQ8xbDBqMAsGCWCGSAFlAwQBKjALBglghkgB ++ZQMEARYwCwYJYIZIAWUDBAECMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDAN ++BggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDANBgkqhkiG9w0B ++AQEFAASCAQAe+xlm/TGg/s/7b0xBc3FFnmmUDEe7ljkehIx61OnBV9ZWA+LcBX/7 ++kmMSMdaHjRq4w8FmwBMLzn0ttXVqf0QuPbBF/E6X5EqK9lpOdkUQhNiN2v+ZfY6c ++lrH4ADsSD9D+UHw0sxo5KEF+PPuneUfYCJZosFUJosBbuSEXK0C9yfJoDKVE8Syp ++0vdqh73ogLeNgZLAUGSSB66OmHDxwgAj4qPAv6FHFBy1Xs4uFZER5vniYrH9OrAk ++Z6XdvzDoYZC4XcGMDtcOpOM6D4owqy5svHPDw8wIlM4GVhrTw7CQmuBz5uRNnf6a ++ZK3jZIxG1hr/INaNWheHoPIhPblYaVc6 ++-----END PKCS7----- +-- +2.39.1 + diff --git a/SOURCES/0109-fips-Zeroize-out-in-fips-selftest.patch b/SOURCES/0109-fips-Zeroize-out-in-fips-selftest.patch new file mode 100644 index 0000000..3cd48df --- /dev/null +++ b/SOURCES/0109-fips-Zeroize-out-in-fips-selftest.patch 
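Review bot: The new test in 80-test_cms.t pins a bare magic exit code, `with({ exit_checker => sub { return shift == 4; } }, ...)`, with nothing saying what 4 means; add `# apps/smime.c exits 4 when verification fails; a segfault would surface as a signal status instead` (confirm the value against apps/smime.c, which is not in this hunk). Without that comment the next person to touch the test cannot tell a deliberate "must fail cleanly" from an accidental match, and the test also relies on MD4 being unavailable without the legacy provider, which the commit message states but the recipe does not. On the C side the two new error paths in pk7_doit.c do the same work in opposite order — `ERR_raise(...); EVP_MD_free(fetched);` in pkcs7_bio_add_digest versus `EVP_MD_free(evp_md); ERR_raise(...);` in PKCS7_dataDecode — which is harmless but would read better made consistent; both functions' err labels lie outside the hunk, so whether `btmp` is released there cannot be checked from this view.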
@@ -0,0 +1,26 @@ +From 9dbc6069665690bd238caa7622647ea8ac94124f Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Mon, 13 Feb 2023 11:01:44 +0100 +Subject: fips: Zeroize `out` in fips selftest + +Signed-off-by: Clemens Lang +Resolves: rhbz#2169314 +--- + providers/fips/self_test.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c +index 80d048a847..11a989209c 100644 +--- a/providers/fips/self_test.c ++++ b/providers/fips/self_test.c +@@ -221,6 +221,7 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex + goto err; + ret = 1; + err: ++ OPENSSL_cleanse(out, sizeof(out)); + OSSL_SELF_TEST_onend(ev, ret); + EVP_MAC_CTX_free(ctx); + EVP_MAC_free(mac); +-- +2.39.1 + diff --git a/SOURCES/0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch b/SOURCES/0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch new file mode 100644 index 0000000..5cb8ce4 --- /dev/null +++ b/SOURCES/0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch 
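Review bot: `OPENSSL_cleanse(out, sizeof(out));` at verify_integrity's err label is only correct if `out` is declared as a fixed-size array in that function; if it is a pointer, sizeof yields the pointer size and most of the buffer stays uncleansed — the declaration is outside this hunk, so confirm it, or pass the explicit MAC output length instead. A one-line comment stating the intent would also help, e.g. `/* FIPS 140-3 zeroization: clear the computed integrity MAC on every exit path (rhbz#2169314) */`, since the value is not a key and a reader may otherwise wonder why it is treated as sensitive. Placing the call before OSSL_SELF_TEST_onend and the ctx/mac frees means it runs on both the success and the failure path, which is the right spot.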
@@ -0,0 +1,101 @@ +From 589eb3898896c1ac916bc20069ecd5adb8534850 Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Fri, 17 Feb 2023 15:31:08 +0100 +Subject: [PATCH] GCM: Implement explicit FIPS indicator for IV gen + +Implementation Guidance for FIPS 140-3 and the Cryptographic Module +Verification Program, Section C.H requires guarantees about the +uniqueness of key/iv pairs, and proposes a few approaches to ensure +this. Provide an indicator for option 2 "The IV may be generated +internally at its entirety randomly." + +Resolves: rhbz#2168289 +Signed-off-by: Clemens Lang +--- + include/openssl/core_names.h | 1 + + include/openssl/evp.h | 4 +++ + .../implementations/ciphers/ciphercommon.c | 4 +++ + .../ciphers/ciphercommon_gcm.c | 25 +++++++++++++++++++ + 4 files changed, 34 insertions(+) + +diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h +index 680bfbc7cc..832502a034 100644 +--- a/include/openssl/core_names.h ++++ b/include/openssl/core_names.h +@@ -97,6 +97,7 @@ extern "C" { + #define OSSL_CIPHER_PARAM_CTS_MODE "cts_mode" /* utf8_string */ + /* For passing the AlgorithmIdentifier parameter in DER form */ + #define OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS "alg_id_param" /* octet_string */ ++#define OSSL_CIPHER_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator" /* int */ + + #define OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT \ + "tls1multi_maxsndfrag" /* uint */ +diff --git a/include/openssl/evp.h b/include/openssl/evp.h +index 49e8e1df78..ec2ba46fbd 100644 +--- a/include/openssl/evp.h ++++ b/include/openssl/evp.h +@@ -746,6 +746,10 @@ void EVP_CIPHER_CTX_set_flags(EVP_CIPHER_CTX *ctx, int flags); + void EVP_CIPHER_CTX_clear_flags(EVP_CIPHER_CTX *ctx, int flags); + int EVP_CIPHER_CTX_test_flags(const EVP_CIPHER_CTX *ctx, int flags); + ++# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_UNDETERMINED 0 ++# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_APPROVED 1 ++# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2 ++ + __owur int 
EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, + const unsigned char *key, const unsigned char *iv); + /*__owur*/ int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, +diff --git a/providers/implementations/ciphers/ciphercommon.c b/providers/implementations/ciphers/ciphercommon.c +index fa383165d8..716add7339 100644 +--- a/providers/implementations/ciphers/ciphercommon.c ++++ b/providers/implementations/ciphers/ciphercommon.c +@@ -149,6 +149,10 @@ static const OSSL_PARAM cipher_aead_known_gettable_ctx_params[] = { + OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0), + OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD, NULL), + OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN, NULL, 0), ++ /* normally we would hide this under an #ifdef FIPS_MODULE, but that does ++ * not work in ciphercommon.c because it is compiled only once into ++ * libcommon.a */ ++ OSSL_PARAM_int(OSSL_CIPHER_PARAM_REDHAT_FIPS_INDICATOR, NULL), + OSSL_PARAM_END + }; + const OSSL_PARAM *ossl_cipher_aead_gettable_ctx_params( +diff --git a/providers/implementations/ciphers/ciphercommon_gcm.c b/providers/implementations/ciphers/ciphercommon_gcm.c +index ed95c97ff4..db7910eb0e 100644 +--- a/providers/implementations/ciphers/ciphercommon_gcm.c ++++ b/providers/implementations/ciphers/ciphercommon_gcm.c +@@ -224,6 +224,31 @@ int ossl_gcm_get_ctx_params(void *vctx, OSSL_PARAM params[]) + || !getivgen(ctx, p->data, p->data_size)) + return 0; + } ++ ++ /* We would usually hide this under #ifdef FIPS_MODULE, but ++ * ciphercommon_gcm.c is only compiled once into libcommon.a, so ifdefs do ++ * not work here. 
*/ ++ p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_REDHAT_FIPS_INDICATOR); ++ if (p != NULL) { ++ int fips_indicator = EVP_CIPHER_REDHAT_FIPS_INDICATOR_APPROVED; ++ ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module ++ * Verification Program, Section C.H requires guarantees about the ++ * uniqueness of key/iv pairs, and proposes a few approaches to ensure ++ * this. This provides an indicator for option 2 "The IV may be ++ * generated internally at its entirety randomly." Note that one of the ++ * conditions of this option is that "The IV length shall be at least ++ * 96 bits (per SP 800-38D)." We do not specically check for this ++ * condition here, because gcm_iv_generate will fail in this case. */ ++ if (ctx->enc && !ctx->iv_gen_rand) ++ fips_indicator = EVP_CIPHER_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ++ if (!OSSL_PARAM_set_int(p, fips_indicator)) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); ++ return 0; ++ } ++ } ++ + return 1; + } + +-- +2.39.1 + diff --git a/SOURCES/0111-fips-Use-salt-16-bytes-in-PBKDF2-selftest.patch b/SOURCES/0111-fips-Use-salt-16-bytes-in-PBKDF2-selftest.patch new file mode 100644 index 0000000..3868089 --- /dev/null +++ b/SOURCES/0111-fips-Use-salt-16-bytes-in-PBKDF2-selftest.patch 
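Review bot: The indicator is advertised from the shared `cipher_aead_known_gettable_ctx_params` table in ciphercommon.c but is only produced by ossl_gcm_get_ctx_params in ciphercommon_gcm.c; if other AEAD modes (CCM, ChaCha20-Poly1305, OCB, SIV) return that same table from their gettable_ctx_params — which the shared name suggests but this hunk does not show — they will claim a `redhat-fips-indicator` parameter they never fill, and a caller that locates it will get an unset param rather than an error. Either extend those modes' get_ctx_params or record the limitation next to the table entry, e.g. `/* only the GCM implementation fills this in; other AEAD modes leave it unset */`. The decision `if (ctx->enc && !ctx->iv_gen_rand)` marks every decryption context approved, which is defensible because IV uniqueness is an encryption-side obligation, but a short comment saying so would stop readers from reading it as an omission. Minor: the new comment says "specically" (should be "specifically").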
@@ -0,0 +1,82 @@ +From 56090fca0a0c8b6cf1782aced0a02349358aae7d Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Fri, 3 Mar 2023 12:22:03 +0100 +Subject: [PATCH 1/2] fips: Use salt >= 16 bytes in PBKDF2 selftest + +NIST SP 800-132 [1] section 5.1 says "[t]he length of the +randomly-generated portion of the salt shall be at least +128 bits", which implies that the salt for PBKDF2 must be at least 16 +bytes long (see also Appendix A.2.1). + +The FIPS 140-3 IG [2] section 10.3.A requires that "the lengths and the +properties of the Password and Salt parameters, as well as the desired +length of the Master Key used in a CAST shall be among those supported +by the module in the approved mode." + +As a consequence, the salt length in the self test must be at least 16 +bytes long for FIPS 140-3 compliance. Switch the self test to use the +only test vector from RFC 6070 that uses salt that is long enough to +fulfil this requirement. Since RFC 6070 does not provide expected +results for PBKDF2 with HMAC-SHA256, use the output from [3], which was +generated with python cryptography, which was tested against the RFC +6070 vectors with HMAC-SHA1. 
+ + [1]: https://doi.org/10.6028/NIST.SP.800-132 + [2]: https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf + [3]: https://github.com/brycx/Test-Vector-Generation/blob/master/PBKDF2/pbkdf2-hmac-sha2-test-vectors.md + +Signed-off-by: Clemens Lang + +Reviewed-by: Paul Dale +Reviewed-by: Dmitry Belyavskiy +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/20429) + +(cherry picked from commit 451cb23c41c90d5a02902b3a77551aa9ee1c6956) +--- + providers/fips/self_test_data.inc | 22 ++++++++++++++++------ + 1 file changed, 16 insertions(+), 6 deletions(-) + +diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc +index 8ae8cd6f4a..03adf28f3c 100644 +--- a/providers/fips/self_test_data.inc ++++ b/providers/fips/self_test_data.inc +@@ -361,19 +361,29 @@ static const ST_KAT_PARAM x963kdf_params[] = { + }; + + static const char pbkdf2_digest[] = "SHA256"; ++/* ++ * Input parameters from RFC 6070, vector 5 (because it is the only one with ++ * a salt >= 16 bytes, which NIST SP 800-132 section 5.1 requires). The ++ * expected output is taken from ++ * https://github.com/brycx/Test-Vector-Generation/blob/master/PBKDF2/pbkdf2-hmac-sha2-test-vectors.md, ++ * which ran these test vectors with SHA-256. 
++ */ + static const unsigned char pbkdf2_password[] = { +- 0x70, 0x61, 0x73, 0x73, 0x00, 0x77, 0x6f, 0x72, +- 0x64 ++ 0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64, 0x50, 0x41, 0x53, 0x53, ++ 0x57, 0x4f, 0x52, 0x44, 0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64 + }; + static const unsigned char pbkdf2_salt[] = { +- 0x73, 0x61, 0x00, 0x6c, 0x74 ++ 0x73, 0x61, 0x6c, 0x74, 0x53, 0x41, 0x4c, 0x54, 0x73, 0x61, 0x6c, 0x74, ++ 0x53, 0x41, 0x4c, 0x54, 0x73, 0x61, 0x6c, 0x74, 0x53, 0x41, 0x4c, 0x54, ++ 0x73, 0x61, 0x6c, 0x74, 0x53, 0x41, 0x4c, 0x54, 0x73, 0x61, 0x6c, 0x74 + }; + static const unsigned char pbkdf2_expected[] = { +- 0x89, 0xb6, 0x9d, 0x05, 0x16, 0xf8, 0x29, 0x89, +- 0x3c, 0x69, 0x62, 0x26, 0x65, 0x0a, 0x86, 0x87, ++ 0x34, 0x8c, 0x89, 0xdb, 0xcb, 0xd3, 0x2b, 0x2f, 0x32, 0xd8, 0x14, 0xb8, ++ 0x11, 0x6e, 0x84, 0xcf, 0x2b, 0x17, 0x34, 0x7e, 0xbc, 0x18, 0x00, 0x18, ++ 0x1c + }; + static int pbkdf2_iterations = 4096; +-static int pbkdf2_pkcs5 = 1; ++static int pbkdf2_pkcs5 = 0; + static const ST_KAT_PARAM pbkdf2_params[] = { + ST_KAT_PARAM_UTF8STRING(OSSL_KDF_PARAM_DIGEST, pbkdf2_digest), + ST_KAT_PARAM_OCTET(OSSL_KDF_PARAM_PASSWORD, pbkdf2_password), +-- +2.39.2 + diff --git a/SOURCES/0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch b/SOURCES/0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch new file mode 100644 index 0000000..2e869e2 --- /dev/null +++ b/SOURCES/0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch 
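Review bot: The change from `static int pbkdf2_pkcs5 = 1;` to `static int pbkdf2_pkcs5 = 0;` is mentioned neither in the commit message nor in the new comment block, yet it is what makes this KAT run with the SP 800-132 lower-bound checks enabled (presumably this value feeds OSSL_KDF_PARAM_PKCS5 further down the params table, outside the hunk, where 1 disables those checks); add `/* pkcs5 = 0 keeps the lower-bound checks on, so the CAST uses the same parameter validation as approved-mode callers (FIPS 140-3 IG 10.3.A) */` beside it. The vector itself matches what the comment cites: the bytes spell the 24-byte password "passwordPASSWORDpassword", the 36-byte salt "saltSALTsaltSALTsaltSALTsaltSALTsalt", 4096 iterations and a 25-byte output, i.e. RFC 6070 vector 5's inputs. The full GitHub URL in the inline comment is long enough to break the file's line-length convention; naming the vector file would suffice since the commit message already carries the link.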
@@ -0,0 +1,80 @@
+From fa96a2f493276e7a57512e8c3d535052586f1525 Mon Sep 17 00:00:00 2001
+From: Clemens Lang
+Date: Mon, 6 Mar 2023 12:32:04 +0100
+Subject: [PATCH 2/2] pbdkf2: Set indicator if pkcs5 param disabled checks
+
+The pbkdf2 implementation in the FIPS provider supports the checks
+required by NIST, but allows disabling these checks by setting the
+OSSL_KDF_PARAM_PKCS5 parameter to 1. The implementation must indicate
+that the use of this configuration is not approved in FIPS mode. Add an
+explicit indicator to provide this indication.
+
+Resolves: rhbz#2175145
+Signed-off-by: Clemens Lang
+---
+ providers/implementations/kdfs/pbkdf2.c | 40 +++++++++++++++++++++++--
+ 1 file changed, 37 insertions(+), 3 deletions(-)
+
+diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c
+index aa0adce5e6..6df8c6d321 100644
+--- a/providers/implementations/kdfs/pbkdf2.c
++++ b/providers/implementations/kdfs/pbkdf2.c
+@@ -251,11 +251,42 @@ static const OSSL_PARAM *kdf_pbkdf2_settable_ctx_params(ossl_unused void *ctx,
+ 
+ static int kdf_pbkdf2_get_ctx_params(void *vctx, OSSL_PARAM params[])
+ {
++#ifdef FIPS_MODULE
++ KDF_PBKDF2 *ctx = (KDF_PBKDF2 *)vctx;
++#endif /* defined(FIPS_MODULE) */
+ OSSL_PARAM *p;
++ int any_valid = 0; /* set to 1 when at least one parameter was valid */
++
++ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
++ any_valid = 1;
++
++ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
++ return 0;
++ }
++
++#ifdef FIPS_MODULE
++ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR))
++ != NULL) {
++ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
++
++ /* The lower_bound_checks parameter enables checks required by FIPS. If
++ * those checks are disabled, the PBKDF2 implementation will also
++ * support non-approved parameters (e.g., salt lengths < 16 bytes, see
++ * NIST SP 800-132 section 5.1). */
++ if (!ctx->lower_bound_checks)
++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
+ 
+- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
+- return OSSL_PARAM_set_size_t(p, SIZE_MAX);
+- return -2;
++ if (!OSSL_PARAM_set_int(p, fips_indicator))
++ return 0;
++
++ any_valid = 1;
++ }
++#endif /* defined(FIPS_MODULE) */
++
++ if (!any_valid)
++ return -2;
++
++ return 1;
+ }
+ 
+ static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(ossl_unused void *ctx,
+@@ -263,6 +294,9 @@ static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(ossl_unused void *ctx,
+ {
+ static const OSSL_PARAM known_gettable_ctx_params[] = {
+ OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
++#ifdef FIPS_MODULE
++ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL),
++#endif /* defined(FIPS_MODULE) */
+ OSSL_PARAM_END
+ };
+ return known_gettable_ctx_params;
+--
+2.39.2
+
diff --git a/SOURCES/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch b/SOURCES/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch
new file mode 100644
index 0000000..e8777f3
--- /dev/null
+++ b/SOURCES/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch
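Review bot: In kdf_pbkdf2_get_ctx_params the FIPS_MODULE branch reads `ctx->lower_bound_checks` straight from the cast `vctx` with no NULL guard, whereas rsakem_get_ctx_params in the 0113 patch adds `if (ctx == NULL) return 0;` before touching its context; placing the same guard under the `#ifdef FIPS_MODULE` right after the cast keeps the two getters consistent. The indicator reflects `lower_bound_checks` at the moment of the query, so a caller that reads it and then sets OSSL_KDF_PARAM_PKCS5 can still derive with the non-approved settings; a comment such as `/* Reflects the current PKCS5/lower_bound_checks setting; query after the final set_ctx_params call. */` above the locate call would make that contract explicit. The newly gettable OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR is not described anywhere in this patch; doc/man7/EVP_KDF-PBKDF2.pod is the place the other PBKDF2 parameters are documented.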
@@ -0,0 +1,148 @@
+From ee6e381e4140efd5365ddf27a12055859103cf59 Mon Sep 17 00:00:00 2001
+From: Clemens Lang
+Date: Fri, 17 Mar 2023 15:39:15 +0100
+Subject: [PATCH] asymciphers, kem: Add explicit FIPS indicator
+
+NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key
+confirmation (section 6.4.2.3.2), or assurance from a trusted third
+party (section 6.4.2.3.1) for the KTS-OAEP key transport scheme and key
+agreement schemes, but explicit key confirmation is not implemented and
+cannot be implemented without protocol changes, and the FIPS provider
+does not implement trusted third party validation, since it relies on
+its callers to do that. A request for guidance sent to NIST did clarify
+that OpenSSL can claim KTS-OAEP and RSASVE as approved, but we did add
+an indicator to mark them as unapproved previously and should thus keep
+the indicator available.
+
+This does not affect RSA-OAEP decryption, because it is approved as
+a component according to the FIPS 140-3 IG, section 2.4.G.
+
+Resolves: rhbz#2179331
+Resolves: RHEL-14083
+Signed-off-by: Clemens Lang
+---
+ include/openssl/core_names.h | 2 ++
+ include/openssl/evp.h | 4 +++
+ .../implementations/asymciphers/rsa_enc.c | 19 ++++++++++++
+ providers/implementations/kem/rsa_kem.c | 29 ++++++++++++++++++-
+ 4 files changed, 53 insertions(+), 1 deletion(-)
+
+diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
+index 832502a034..e15d208421 100644
+--- a/include/openssl/core_names.h
++++ b/include/openssl/core_names.h
+@@ -477,6 +477,7 @@ extern "C" {
+ #ifdef FIPS_MODULE
+ #define OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED "redhat-kat-oaep-seed"
+ #endif
++#define OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator"
+ 
+ /*
+ * Encoder / decoder parameters
+@@ -511,6 +512,7 @@ extern "C" {
+ 
+ /* KEM parameters */
+ #define OSSL_KEM_PARAM_OPERATION "operation"
++#define OSSL_KEM_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator" /* int */
+ 
+ /* OSSL_KEM_PARAM_OPERATION values */
+ #define OSSL_KEM_PARAM_OPERATION_RSASVE "RSASVE"
+diff --git a/include/openssl/evp.h b/include/openssl/evp.h
+index ec2ba46fbd..3803b03422 100644
+--- a/include/openssl/evp.h
++++ b/include/openssl/evp.h
+@@ -1764,6 +1764,10 @@ OSSL_DEPRECATEDIN_3_0 size_t EVP_PKEY_meth_get_count(void);
+ OSSL_DEPRECATEDIN_3_0 const EVP_PKEY_METHOD *EVP_PKEY_meth_get0(size_t idx);
+ # endif
+ 
++# define EVP_PKEY_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
++# define EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED 1
++# define EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
++
+ EVP_KEYMGMT *EVP_KEYMGMT_fetch(OSSL_LIB_CTX *ctx, const char *algorithm,
+ const char *properties);
+ int EVP_KEYMGMT_up_ref(EVP_KEYMGMT *keymgmt);
+diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c
+index 568452ec56..2e7ea632d7 100644
+--- a/providers/implementations/asymciphers/rsa_enc.c
++++ b/providers/implementations/asymciphers/rsa_enc.c
+@@ -452,6 +452,24 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
+ if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->alt_version))
+ return 0;
+ 
++#ifdef FIPS_MODULE
++ p = OSSL_PARAM_locate(params, OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR);
++ if (p != NULL) {
++ /* NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key
++ * confirmation (section 6.4.2.3.2), or assurance from a trusted third
++ * party (section 6.4.2.3.1) for the KTS-OAEP key transport scheme, but
++ * explicit key confirmation is not implemented here and cannot be
++ * implemented without protocol changes, and the FIPS provider does not
++ * implement trusted third party validation, since it relies on its
++ * callers to do that. A request for guidance sent to NIST resulted in
++ * further clarification which allows OpenSSL to claim RSA-OAEP. */
++ int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED;
++
++ if (!OSSL_PARAM_set_int(p, fips_indicator))
++ return 0;
++ }
++#endif /* defined(FIPS_MODULE) */
++
+ return 1;
+ }
+ 
+@@ -465,6 +483,7 @@ static const OSSL_PARAM known_gettable_ctx_params[] = {
+ OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL),
+ #ifdef FIPS_MODULE
+ OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, NULL, 0),
++ OSSL_PARAM_int(OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR, NULL),
+ #endif /* FIPS_MODULE */
+ OSSL_PARAM_END
+ };
+diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c
+index 882cf16125..b4cc0f9237 100644
+--- a/providers/implementations/kem/rsa_kem.c
++++ b/providers/implementations/kem/rsa_kem.c
+@@ -151,11 +151,38 @@ static int rsakem_decapsulate_init(void *vprsactx, void *vrsa,
+ static int rsakem_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
+ {
+ PROV_RSA_CTX *ctx = (PROV_RSA_CTX *)vprsactx;
++#ifdef FIPS_MODULE
++ OSSL_PARAM *p;
++#endif /* defined(FIPS_MODULE) */
++
++ if (ctx == NULL)
++ return 0;
++
++#ifdef FIPS_MODULE
++ p = OSSL_PARAM_locate(params, OSSL_KEM_PARAM_REDHAT_FIPS_INDICATOR);
++ if (p != NULL) {
++ /* NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key
++ * confirmation (section 6.4.2.3.2), or assurance from a trusted third
++ * party (section 6.4.2.3.1) for key agreement or key transport, but
++ * explicit key confirmation is not implemented here and cannot be
++ * implemented without protocol changes, and the FIPS provider does not
++ * implement trusted third party validation, since it relies on its
++ * callers to do that. A request for guidance sent to NIST resulted in
++ * further clarification which allows OpenSSL to claim RSASVE. */
++ int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED;
++
++ if (!OSSL_PARAM_set_int(p, fips_indicator))
++ return 0;
++ }
++#endif /* defined(FIPS_MODULE) */
+ 
+- return ctx != NULL;
++ return 1;
+ }
+ 
+ static const OSSL_PARAM known_gettable_rsakem_ctx_params[] = {
++#ifdef FIPS_MODULE
++ OSSL_PARAM_int(OSSL_KEM_PARAM_REDHAT_FIPS_INDICATOR, NULL),
++#endif /* defined(FIPS_MODULE) */
+ OSSL_PARAM_END
+ };
+ 
+--
+2.39.2
+
diff --git a/SOURCES/0114-FIPS-enforce-EMS-support.patch b/SOURCES/0114-FIPS-enforce-EMS-support.patch
new file mode 100644
index 0000000..d10901f
--- /dev/null
+++ b/SOURCES/0114-FIPS-enforce-EMS-support.patch
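Review bot: In rsa_get_ctx_params the indicator is set to EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED unconditionally, while both the commit message and the in-code comment scope the NIST clarification to KTS-OAEP/RSA-OAEP; the same asym-cipher context presumably also serves PKCS#1 v1.5 and unpadded RSA encryption (the padding mode lives in PROV_RSA_CTX outside this hunk), and those would report approved too. If that is not intended, gate on the padding mode, e.g. `if (prsactx->pad_mode != RSA_PKCS1_OAEP_PADDING) fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED;`, or state in the comment that the value is deliberately padding-independent. rsa_get_ctx_params begins outside the hunk. A smaller point in core_names.h: OSSL_KEM_PARAM_REDHAT_FIPS_INDICATOR carries the `/* int */` type comment but the new OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR does not; add it for consistency with the surrounding definitions.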
@@ -0,0 +1,539 @@ +diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt +index e90e5dc03339..f391e756475c 100644 +--- a/crypto/err/openssl.txt ++++ b/crypto/err/openssl.txt +@@ -1006,6 +1006,7 @@ PROV_R_BN_ERROR:160:bn error + PROV_R_CIPHER_OPERATION_FAILED:102:cipher operation failed + PROV_R_DERIVATION_FUNCTION_INIT_FAILED:205:derivation function init failed + PROV_R_DIGEST_NOT_ALLOWED:174:digest not allowed ++PROV_R_EMS_NOT_ENABLED:233:ems not enabled + PROV_R_ENTROPY_SOURCE_STRENGTH_TOO_WEAK:186:entropy source strength too weak + PROV_R_ERROR_INSTANTIATING_DRBG:188:error instantiating drbg + PROV_R_ERROR_RETRIEVING_ENTROPY:189:error retrieving entropy +diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h +index 173a81d28bbe..5e5be567a578 100644 +--- a/include/openssl/core_names.h ++++ b/include/openssl/core_names.h +@@ -21,11 +21,12 @@ extern "C" { + #define OSSL_PROV_PARAM_CORE_MODULE_FILENAME "module-filename" /* utf8_ptr */ + + /* Well known parameter names that Providers can define */ +-#define OSSL_PROV_PARAM_NAME "name" /* utf8_ptr */ +-#define OSSL_PROV_PARAM_VERSION "version" /* utf8_ptr */ +-#define OSSL_PROV_PARAM_BUILDINFO "buildinfo" /* utf8_ptr */ +-#define OSSL_PROV_PARAM_STATUS "status" /* uint */ +-#define OSSL_PROV_PARAM_SECURITY_CHECKS "security-checks" /* uint */ ++#define OSSL_PROV_PARAM_NAME "name" /* utf8_ptr */ ++#define OSSL_PROV_PARAM_VERSION "version" /* utf8_ptr */ ++#define OSSL_PROV_PARAM_BUILDINFO "buildinfo" /* utf8_ptr */ ++#define OSSL_PROV_PARAM_STATUS "status" /* uint */ ++#define OSSL_PROV_PARAM_SECURITY_CHECKS "security-checks" /* uint */ ++#define OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK "tls1-prf-ems-check" /* uint */ + + /* Self test callback parameters */ + #define OSSL_PROV_PARAM_SELF_TEST_PHASE "st-phase" /* utf8_string */ +diff --git a/include/openssl/fips_names.h b/include/openssl/fips_names.h +index 0fdf5440c7cb..3f29369b3f92 100644 +--- a/include/openssl/fips_names.h ++++ 
b/include/openssl/fips_names.h +@@ -53,6 +53,14 @@ extern "C" { + */ + # define OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS "security-checks" + ++/* ++ * A boolean that determines if the runtime FIPS check for TLS1_PRF EMS is performed. ++ * This is disabled by default. ++ * ++ * Type: OSSL_PARAM_UTF8_STRING ++ */ ++# define OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK "tls1-prf-ems-check" ++ + # ifdef __cplusplus + } + # endif +diff --git a/include/openssl/proverr.h b/include/openssl/proverr.h +index 3685430f5d3e..bf4dc135f592 100644 +--- a/include/openssl/proverr.h ++++ b/include/openssl/proverr.h +@@ -32,6 +32,7 @@ + # define PROV_R_CIPHER_OPERATION_FAILED 102 + # define PROV_R_DERIVATION_FUNCTION_INIT_FAILED 205 + # define PROV_R_DIGEST_NOT_ALLOWED 174 ++# define PROV_R_EMS_NOT_ENABLED 233 + # define PROV_R_ENTROPY_SOURCE_STRENGTH_TOO_WEAK 186 + # define PROV_R_ERROR_INSTANTIATING_DRBG 188 + # define PROV_R_ERROR_RETRIEVING_ENTROPY 189 +diff --git a/providers/common/include/prov/securitycheck.h b/providers/common/include/prov/securitycheck.h +index 4a7f85f71186..62e60cc0103f 100644 +--- a/providers/common/include/prov/securitycheck.h ++++ b/providers/common/include/prov/securitycheck.h +@@ -28,3 +28,4 @@ int ossl_digest_get_approved_nid(const EVP_MD *md); + int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md, + int sha1_allowed); + int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx); ++int ossl_tls1_prf_ems_check_enabled(OSSL_LIB_CTX *libctx); +diff --git a/providers/common/provider_err.c b/providers/common/provider_err.c +index f6144072aa04..954aabe80cfc 100644 +--- a/providers/common/provider_err.c ++++ b/providers/common/provider_err.c +@@ -33,6 +33,7 @@ static const ERR_STRING_DATA PROV_str_reasons[] = { + "derivation function init failed"}, + {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_DIGEST_NOT_ALLOWED), + "digest not allowed"}, ++ {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_EMS_NOT_ENABLED), "ems not enabled"}, + {ERR_PACK(ERR_LIB_PROV, 0, 
PROV_R_ENTROPY_SOURCE_STRENGTH_TOO_WEAK), + "entropy source strength too weak"}, + {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_ERROR_INSTANTIATING_DRBG), +diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c +index de7f0d3a0a57..63c875ecd0b7 100644 +--- a/providers/common/securitycheck_default.c ++++ b/providers/common/securitycheck_default.c +@@ -22,6 +22,12 @@ int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx) + return 0; + } + ++/* Disable the ems check in the default provider */ ++int ossl_tls1_prf_ems_check_enabled(OSSL_LIB_CTX *libctx) ++{ ++ return 0; ++} ++ + int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md, + int sha1_allowed) + { +diff --git a/providers/common/securitycheck_fips.c b/providers/common/securitycheck_fips.c +index b7659bd395c3..2bc8a5992685 100644 +--- a/providers/common/securitycheck_fips.c ++++ b/providers/common/securitycheck_fips.c +@@ -20,6 +20,7 @@ + #include "prov/securitycheck.h" + + int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx); ++int FIPS_tls_prf_ems_check(OSSL_LIB_CTX *libctx); + + int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx) + { +@@ -30,6 +31,11 @@ int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx) + #endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */ + } + ++int ossl_tls1_prf_ems_check_enabled(OSSL_LIB_CTX *libctx) ++{ ++ return FIPS_tls_prf_ems_check(libctx); ++} ++ + int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md, + int sha1_allowed) + { +diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c +index b86b27d236f3..b881f46f36ad 100644 +--- a/providers/fips/fipsprov.c ++++ b/providers/fips/fipsprov.c +@@ -47,6 +47,7 @@ static OSSL_FUNC_provider_query_operation_fn fips_query; + #define ALG(NAMES, FUNC) ALGC(NAMES, FUNC, NULL) + extern OSSL_FUNC_core_thread_start_fn *c_thread_start; + int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx); ++int FIPS_tls_prf_ems_check(OSSL_LIB_CTX *libctx); + + /* + * Should these function 
pointers be stored in the provider side provctx? Could +@@ -82,7 +83,9 @@ typedef struct fips_global_st { + const OSSL_CORE_HANDLE *handle; + SELF_TEST_POST_PARAMS selftest_params; + int fips_security_checks; ++ int fips_tls1_prf_ems_check; + const char *fips_security_check_option; ++ const char *fips_tls1_prf_ems_check_option; + } FIPS_GLOBAL; + + static void *fips_prov_ossl_ctx_new(OSSL_LIB_CTX *libctx) +@@ -94,6 +97,9 @@ void *ossl_fips_prov_ossl_ctx_new(OSSL_LIB_CTX *libctx) + fgbl->fips_security_checks = 1; + fgbl->fips_security_check_option = "1"; + ++ fgbl->fips_tls1_prf_ems_check = 1; /* Enabled by default */ ++ fgbl->fips_tls1_prf_ems_check_option = "1"; ++ + return fgbl; + } + +@@ -109,6 +115,7 @@ static const OSSL_PARAM fips_param_types[] = { + OSSL_PARAM_DEFN(OSSL_PROV_PARAM_BUILDINFO, OSSL_PARAM_UTF8_PTR, NULL, 0), + OSSL_PARAM_DEFN(OSSL_PROV_PARAM_STATUS, OSSL_PARAM_INTEGER, NULL, 0), + OSSL_PARAM_DEFN(OSSL_PROV_PARAM_SECURITY_CHECKS, OSSL_PARAM_INTEGER, NULL, 0), ++ OSSL_PARAM_DEFN(OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK, OSSL_PARAM_INTEGER, NULL, 0), + OSSL_PARAM_END + }; + +@@ -119,9 +126,10 @@ static int fips_get_params_from_core(FIPS_GLOBAL *fgbl) + * NOTE: inside core_get_params() these will be loaded from config items + * stored inside prov->parameters (except for + * OSSL_PROV_PARAM_CORE_MODULE_FILENAME). +- * OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS is not a self test parameter. ++ * OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS and ++ * OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK are not self test parameters. 
+ */ +- OSSL_PARAM core_params[8], *p = core_params; ++ OSSL_PARAM core_params[9], *p = core_params; + + *p++ = OSSL_PARAM_construct_utf8_ptr( + OSSL_PROV_PARAM_CORE_MODULE_FILENAME, +@@ -151,6 +159,10 @@ static int fips_get_params_from_core(FIPS_GLOBAL *fgbl) + OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS, + (char **)&fgbl->fips_security_check_option, + sizeof(fgbl->fips_security_check_option)); ++ *p++ = OSSL_PARAM_construct_utf8_ptr( ++ OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK, ++ (char **)&fgbl->fips_tls1_prf_ems_check_option, ++ sizeof(fgbl->fips_tls1_prf_ems_check_option)); + *p = OSSL_PARAM_construct_end(); + + if (!c_get_params(fgbl->handle, core_params)) { +@@ -187,6 +199,9 @@ static int fips_get_params(void *provctx, OSSL_PARAM params[]) + p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_SECURITY_CHECKS); + if (p != NULL && !OSSL_PARAM_set_int(p, fgbl->fips_security_checks)) + return 0; ++ p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK); ++ if (p != NULL && !OSSL_PARAM_set_int(p, fgbl->fips_tls1_prf_ems_check)) ++ return 0; + return 1; + } + +@@ -703,6 +718,11 @@ int OSSL_provider_init_int(const OSSL_CORE_HANDLE *handle, + && strcmp(fgbl->fips_security_check_option, "0") == 0) + fgbl->fips_security_checks = 0; + ++ /* Disable the ems check if it's disabled in the fips config file. 
*/ ++ if (fgbl->fips_tls1_prf_ems_check_option != NULL ++ && strcmp(fgbl->fips_tls1_prf_ems_check_option, "0") == 0) ++ fgbl->fips_tls1_prf_ems_check = 0; ++ + ossl_prov_cache_exported_algorithms(fips_ciphers, exported_fips_ciphers); + + if (!SELF_TEST_post(&fgbl->selftest_params, 0)) { +@@ -898,6 +918,15 @@ int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx) + return fgbl->fips_security_checks; + } + ++int FIPS_tls_prf_ems_check(OSSL_LIB_CTX *libctx) ++{ ++ FIPS_GLOBAL *fgbl = ossl_lib_ctx_get_data(libctx, ++ OSSL_LIB_CTX_FIPS_PROV_INDEX, ++ &fips_prov_ossl_ctx_method); ++ ++ return fgbl->fips_tls1_prf_ems_check; ++} ++ + void OSSL_SELF_TEST_get_callback(OSSL_LIB_CTX *libctx, OSSL_CALLBACK **cb, + void **cbarg) + { +diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c +index 8a3807308408..2c2dbf31cc0b 100644 +--- a/providers/implementations/kdfs/tls1_prf.c ++++ b/providers/implementations/kdfs/tls1_prf.c +@@ -45,6 +45,13 @@ + * A(0) = seed + * A(i) = HMAC_(secret, A(i-1)) + */ ++ ++/* ++ * Low level APIs (such as DH) are deprecated for public use, but still ok for ++ * internal use. 
++ */ ++#include "internal/deprecated.h" ++ + #include + #include + #include +@@ -60,6 +67,7 @@ + #include "prov/providercommon.h" + #include "prov/implementations.h" + #include "prov/provider_util.h" ++#include "prov/securitycheck.h" + #include "e_os.h" + + static OSSL_FUNC_kdf_newctx_fn kdf_tls1_prf_new; +@@ -78,6 +86,8 @@ static int tls1_prf_alg(EVP_MAC_CTX *mdctx, EVP_MAC_CTX *sha1ctx, + unsigned char *out, size_t olen); + + #define TLS1_PRF_MAXBUF 1024 ++#define TLS_MD_MASTER_SECRET_CONST "\x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74" ++#define TLS_MD_MASTER_SECRET_CONST_SIZE 13 + + /* TLS KDF kdf context structure */ + typedef struct { +@@ -160,6 +170,7 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen, + const OSSL_PARAM params[]) + { + TLS1_PRF *ctx = (TLS1_PRF *)vctx; ++ OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx); + + if (!ossl_prov_is_running() || !kdf_tls1_prf_set_ctx_params(ctx, params)) + return 0; +@@ -181,6 +192,27 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen, + ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; + #endif /* defined(FIPS_MODULE) */ + ++ /* ++ * The seed buffer is prepended with a label. ++ * If EMS mode is enforced then the label "master secret" is not allowed, ++ * We do the check this way since the PRF is used for other purposes, as well ++ * as "extended master secret". 
++ */ ++#ifdef FIPS_MODULE ++ if (ctx->seedlen >= TLS_MD_MASTER_SECRET_CONST_SIZE ++ && memcmp(ctx->seed, TLS_MD_MASTER_SECRET_CONST, ++ TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) ++ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++#endif /* defined(FIPS_MODULE) */ ++ if (ossl_tls1_prf_ems_check_enabled(libctx)) { ++ if (ctx->seedlen >= TLS_MD_MASTER_SECRET_CONST_SIZE ++ && memcmp(ctx->seed, TLS_MD_MASTER_SECRET_CONST, ++ TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_EMS_NOT_ENABLED); ++ return 0; ++ } ++ } ++ + return tls1_prf_alg(ctx->P_hash, ctx->P_sha1, + ctx->sec, ctx->seclen, + ctx->seed, ctx->seedlen, +diff --git a/test/sslapitest.c b/test/sslapitest.c +index 3a8242d2d8c8..b0fbb504689e 100644 +--- a/test/sslapitest.c ++++ b/test/sslapitest.c +@@ -99,6 +99,7 @@ static char *tmpfilename = NULL; + static char *dhfile = NULL; + + static int is_fips = 0; ++static int fips_ems_check = 0; + + #define LOG_BUFFER_SIZE 2048 + static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0}; +@@ -796,7 +797,7 @@ static int test_no_ems(void) + { + SSL_CTX *cctx = NULL, *sctx = NULL; + SSL *clientssl = NULL, *serverssl = NULL; +- int testresult = 0; ++ int testresult = 0, status; + + if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(), + TLS1_VERSION, TLS1_2_VERSION, +@@ -812,19 +813,25 @@ static int test_no_ems(void) + goto end; + } + +- if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) { +- printf("Creating SSL connection failed\n"); +- goto end; +- } +- +- if (SSL_get_extms_support(serverssl)) { +- printf("Server reports Extended Master Secret support\n"); +- goto end; +- } +- +- if (SSL_get_extms_support(clientssl)) { +- printf("Client reports Extended Master Secret support\n"); +- goto end; ++ status = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE); ++ if (fips_ems_check) { ++ if (status == 1) { ++ printf("When FIPS uses the EMS check a connection that doesnt use EMS should 
fail\n"); ++ goto end; ++ } ++ } else { ++ if (!status) { ++ printf("Creating SSL connection failed\n"); ++ goto end; ++ } ++ if (SSL_get_extms_support(serverssl)) { ++ printf("Server reports Extended Master Secret support\n"); ++ goto end; ++ } ++ if (SSL_get_extms_support(clientssl)) { ++ printf("Client reports Extended Master Secret support\n"); ++ goto end; ++ } + } + testresult = 1; + +@@ -10740,9 +10747,24 @@ int setup_tests(void) + && !TEST_false(OSSL_PROVIDER_available(libctx, "default"))) + return 0; + +- if (strcmp(modulename, "fips") == 0) ++ if (strcmp(modulename, "fips") == 0) { ++ OSSL_PROVIDER *prov = NULL; ++ OSSL_PARAM params[2]; ++ + is_fips = 1; + ++ prov = OSSL_PROVIDER_load(libctx, "fips"); ++ if (prov != NULL) { ++ /* Query the fips provider to check if the check ems option is enabled */ ++ params[0] = ++ OSSL_PARAM_construct_int(OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK, ++ &fips_ems_check); ++ params[1] = OSSL_PARAM_construct_end(); ++ OSSL_PROVIDER_get_params(prov, params); ++ OSSL_PROVIDER_unload(prov); ++ } ++ } ++ + /* + * We add, but don't load the test "tls-provider". We'll load it when we + * need it. 
+@@ -10816,6 +10838,12 @@ int setup_tests(void) + if (privkey8192 == NULL) + goto err; + ++ if (fips_ems_check) { ++#ifndef OPENSSL_NO_TLS1_2 ++ ADD_TEST(test_no_ems); ++#endif ++ return 1; ++ } + #if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK) + # if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3) + ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4); +diff -up openssl-3.0.7/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt.xxx openssl-3.0.7/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt +--- openssl-3.0.7/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt.xxx 2023-04-17 13:04:21.078501747 +0200 ++++ openssl-3.0.7/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt 2023-04-17 13:11:03.189059638 +0200 +@@ -13,6 +13,7 @@ + + Title = TLS12 PRF tests (from NIST test vectors) + ++Availablein = default + KDF = TLS1-PRF + Ctrl.digest = digest:SHA256 + Ctrl.Secret = hexsecret:f8938ecc9edebc5030c0c6a441e213cd24e6f770a50dda07876f8d55da062bcadb386b411fd4fe4313a604fce6c17fbc +@@ -21,6 +22,16 @@ Ctrl.client_random = hexseed:36c129d01a3 + Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce + Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf + ++Availablein = fips ++KDF = TLS1-PRF ++Ctrl.digest = digest:SHA256 ++Ctrl.Secret = hexsecret:f8938ecc9edebc5030c0c6a441e213cd24e6f770a50dda07876f8d55da062bcadb386b411fd4fe4313a604fce6c17fbc ++Ctrl.label = seed:master secret ++Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587cb8fd0364cae8c ++Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce ++Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf ++Result = KDF_DERIVE_ERROR ++ + KDF = TLS1-PRF + Ctrl.digest = digest:SHA256 + Ctrl.Secret = 
hexsecret:202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf +diff -up openssl-3.0.7/ssl/t1_enc.c.noems openssl-3.0.7/ssl/t1_enc.c +--- openssl-3.0.7/ssl/t1_enc.c.noems 2023-05-05 11:15:57.934415272 +0200 ++++ openssl-3.0.7/ssl/t1_enc.c 2023-05-05 11:39:03.578163778 +0200 +@@ -20,6 +20,7 @@ + #include + #include + #include ++#include + + /* seed1 through seed5 are concatenated */ + static int tls1_PRF(SSL *s, +@@ -75,8 +76,14 @@ static int tls1_PRF(SSL *s, + } + + err: +- if (fatal) +- SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); ++ if (fatal) { ++ /* The calls to this function are local so it's safe to implement the check */ ++ if (FIPS_mode() && seed1_len >= TLS_MD_MASTER_SECRET_CONST_SIZE ++ && memcmp(seed1, TLS_MD_MASTER_SECRET_CONST, TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) ++ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_UNSUPPORTED); ++ else ++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); ++ } + else + ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); + EVP_KDF_CTX_free(kctx); +diff -up openssl-3.0.7/ssl/statem/extensions_srvr.c.noems openssl-3.0.7/ssl/statem/extensions_srvr.c +--- openssl-3.0.7/ssl/statem/extensions_srvr.c.noems 2023-05-05 17:14:04.663800271 +0200 ++++ openssl-3.0.7/ssl/statem/extensions_srvr.c 2023-05-05 17:20:33.764599507 +0200 +@@ -11,6 +11,7 @@ + #include "../ssl_local.h" + #include "statem_local.h" + #include "internal/cryptlib.h" ++#include + + #define COOKIE_STATE_FORMAT_VERSION 1 + +@@ -1552,8 +1553,13 @@ EXT_RETURN tls_construct_stoc_etm(SSL *s + EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) + { +- if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0) ++ if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0) { ++ if (FIPS_mode() && !(SSL_get_options(s) & SSL_OP_RH_PERMIT_NOEMS_FIPS) ) { ++ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_UNSUPPORTED); ++ return EXT_RETURN_FAIL; ++ } + return EXT_RETURN_NOT_SENT; ++ } + 
+ if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret) + || !WPACKET_put_bytes_u16(pkt, 0)) { +diff -up openssl-3.0.7/include/openssl/ssl.h.in.fipsems openssl-3.0.7/include/openssl/ssl.h.in +--- openssl-3.0.7/include/openssl/ssl.h.in.fipsems 2023-07-11 12:35:27.951610366 +0200 ++++ openssl-3.0.7/include/openssl/ssl.h.in 2023-07-11 12:36:25.234754680 +0200 +@@ -412,6 +412,7 @@ typedef int (*SSL_async_callback_fn)(SSL + * interoperability with CryptoPro CSP 3.x + */ + # define SSL_OP_CRYPTOPRO_TLSEXT_BUG SSL_OP_BIT(31) ++# define SSL_OP_RH_PERMIT_NOEMS_FIPS SSL_OP_BIT(48) + + /* + * Option "collections." +diff -up openssl-3.0.7/ssl/ssl_conf.c.fipsems openssl-3.0.7/ssl/ssl_conf.c +--- openssl-3.0.7/ssl/ssl_conf.c.fipsems 2023-07-11 12:36:51.465278672 +0200 ++++ openssl-3.0.7/ssl/ssl_conf.c 2023-07-11 12:44:53.365675720 +0200 +@@ -387,6 +387,7 @@ static const ssl_conf_cmd_tbl ssl_conf_c + SSL_FLAG_TBL("ClientRenegotiation", + SSL_OP_ALLOW_CLIENT_RENEGOTIATION), + SSL_FLAG_TBL_INV("EncryptThenMac", SSL_OP_NO_ENCRYPT_THEN_MAC), ++ SSL_FLAG_TBL("RHNoEnforceEMSinFIPS", SSL_OP_RH_PERMIT_NOEMS_FIPS), + SSL_FLAG_TBL("NoRenegotiation", SSL_OP_NO_RENEGOTIATION), + SSL_FLAG_TBL("AllowNoDHEKEX", SSL_OP_ALLOW_NO_DHE_KEX), + SSL_FLAG_TBL("PrioritizeChaCha", SSL_OP_PRIORITIZE_CHACHA), +diff -up openssl-3.0.7/doc/man3/SSL_CONF_cmd.pod.fipsems openssl-3.0.7/doc/man3/SSL_CONF_cmd.pod +--- openssl-3.0.7/doc/man3/SSL_CONF_cmd.pod.fipsems 2023-07-12 13:54:22.508235187 +0200 ++++ openssl-3.0.7/doc/man3/SSL_CONF_cmd.pod 2023-07-12 13:56:51.089613902 +0200 +@@ -524,6 +524,9 @@ B: use extended ma + default. Inverse of B: that is, + B<-ExtendedMasterSecret> is the same as setting B. + ++B: allow establishing connections without EMS in FIPS mode. ++This is a RedHat-based OS specific option, and normally it should be set up via crypto policies. ++ + B: use CA names extension, enabled by + default. Inverse of B: that is, + B<-CANames> is the same as setting B. 
+diff -up openssl-3.0.7/doc/man5/fips_config.pod.fipsems openssl-3.0.7/doc/man5/fips_config.pod +--- openssl-3.0.7/doc/man5/fips_config.pod.fipsems 2023-07-12 15:39:57.732206731 +0200 ++++ openssl-3.0.7/doc/man5/fips_config.pod 2023-07-12 15:53:45.722885419 +0200 +@@ -11,6 +11,19 @@ automatically loaded when the system is + environment variable B is set. See the documentation + for more information. + ++Red Hat Enterprise Linux uses a supplementary config for FIPS module located in ++OpenSSL configuration directory and managed by crypto policies. If present, it ++should have format ++ ++ [fips_sect] ++ tls1-prf-ems-check = 0 ++ activate = 1 ++ ++The B option specifies whether FIPS module will require the ++presence of extended master secret or not. ++ ++The B option enforces FIPS provider activation. ++ + =head1 COPYRIGHT + + Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. diff --git a/SOURCES/0115-CVE-2023-0464.patch b/SOURCES/0115-CVE-2023-0464.patch new file mode 100644 index 0000000..97f3b6d --- /dev/null +++ b/SOURCES/0115-CVE-2023-0464.patch 
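Review bot: The new comment in fips_names.h says the TLS1_PRF EMS check "is disabled by default", but ossl_fips_prov_ossl_ctx_new in fipsprov.c sets `fgbl->fips_tls1_prf_ems_check = 1; /* Enabled by default */`, so the header documents the opposite of what this build does; change the header line to `* This is enabled by default.` (or whichever default is actually intended, but the two must agree). In t1_enc.c and extensions_srvr.c the enforcement keys off `FIPS_mode()`, which inspects the default library context's properties rather than the SSL object's own libctx, so an SSL_CTX created on a non-default OSSL_LIB_CTX is judged by the wrong context; `EVP_default_properties_is_fips_enabled(s->ctx->libctx)` would follow the object. In kdf_tls1_prf_derive the "master secret" label comparison is evaluated twice in consecutive blocks; computing it once into a local and reusing it for both the indicator assignment and the ERR_raise path keeps the two from drifting apart. tls1_PRF and kdf_tls1_prf_derive both begin outside their hunks.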
@@ -0,0 +1,195 @@ +diff --git a/crypto/x509/pcy_local.h b/crypto/x509/pcy_local.h +index 18b53cc09e..cba107ca03 100644 +--- a/crypto/x509/pcy_local.h ++++ b/crypto/x509/pcy_local.h +@@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st { + }; + + struct X509_POLICY_TREE_st { ++ /* The number of nodes in the tree */ ++ size_t node_count; ++ /* The maximum number of nodes in the tree */ ++ size_t node_maximum; ++ + /* This is the tree 'level' data */ + X509_POLICY_LEVEL *levels; + int nlevel; +@@ -157,7 +162,8 @@ X509_POLICY_NODE *ossl_policy_tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk, + X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + X509_POLICY_DATA *data, + X509_POLICY_NODE *parent, +- X509_POLICY_TREE *tree); ++ X509_POLICY_TREE *tree, ++ int extra_data); + void ossl_policy_node_free(X509_POLICY_NODE *node); + int ossl_policy_node_match(const X509_POLICY_LEVEL *lvl, + const X509_POLICY_NODE *node, const ASN1_OBJECT *oid); +diff --git a/crypto/x509/pcy_node.c b/crypto/x509/pcy_node.c +index 9d9a7ea179..450f95a655 100644 +--- a/crypto/x509/pcy_node.c ++++ b/crypto/x509/pcy_node.c +@@ -59,10 +59,15 @@ X509_POLICY_NODE *ossl_policy_level_find_node(const X509_POLICY_LEVEL *level, + X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + X509_POLICY_DATA *data, + X509_POLICY_NODE *parent, +- X509_POLICY_TREE *tree) ++ X509_POLICY_TREE *tree, ++ int extra_data) + { + X509_POLICY_NODE *node; + ++ /* Verify that the tree isn't too large. 
This mitigates CVE-2023-0464 */ ++ if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum) ++ return NULL; ++ + node = OPENSSL_zalloc(sizeof(*node)); + if (node == NULL) { + ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE); +@@ -70,7 +75,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + } + node->data = data; + node->parent = parent; +- if (level) { ++ if (level != NULL) { + if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) { + if (level->anyPolicy) + goto node_error; +@@ -90,7 +95,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + } + } + +- if (tree) { ++ if (extra_data) { + if (tree->extra_data == NULL) + tree->extra_data = sk_X509_POLICY_DATA_new_null(); + if (tree->extra_data == NULL){ +@@ -103,6 +108,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + } + } + ++ tree->node_count++; + if (parent) + parent->nchild++; + +diff --git a/crypto/x509/pcy_tree.c b/crypto/x509/pcy_tree.c +index fa45da5117..f953a05a41 100644 +--- a/crypto/x509/pcy_tree.c ++++ b/crypto/x509/pcy_tree.c +@@ -14,6 +14,17 @@ + + #include "pcy_local.h" + ++/* ++ * If the maximum number of nodes in the policy tree isn't defined, set it to ++ * a generous default of 1000 nodes. ++ * ++ * Defining this to be zero means unlimited policy tree growth which opens the ++ * door on CVE-2023-0464. ++ */ ++#ifndef OPENSSL_POLICY_TREE_NODES_MAX ++# define OPENSSL_POLICY_TREE_NODES_MAX 1000 ++#endif ++ + static void expected_print(BIO *channel, + X509_POLICY_LEVEL *lev, X509_POLICY_NODE *node, + int indent) +@@ -163,6 +174,9 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, + return X509_PCY_TREE_INTERNAL; + } + ++ /* Limit the growth of the tree to mitigate CVE-2023-0464 */ ++ tree->node_maximum = OPENSSL_POLICY_TREE_NODES_MAX; ++ + /* + * http://tools.ietf.org/html/rfc5280#section-6.1.2, figure 3. 
+ * +@@ -180,7 +194,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, + if ((data = ossl_policy_data_new(NULL, + OBJ_nid2obj(NID_any_policy), 0)) == NULL) + goto bad_tree; +- if (ossl_policy_level_add_node(level, data, NULL, tree) == NULL) { ++ if (ossl_policy_level_add_node(level, data, NULL, tree, 1) == NULL) { + ossl_policy_data_free(data); + goto bad_tree; + } +@@ -239,7 +253,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, + * Return value: 1 on success, 0 otherwise + */ + static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, +- X509_POLICY_DATA *data) ++ X509_POLICY_DATA *data, ++ X509_POLICY_TREE *tree) + { + X509_POLICY_LEVEL *last = curr - 1; + int i, matched = 0; +@@ -249,13 +264,13 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, + X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(last->nodes, i); + + if (ossl_policy_node_match(last, node, data->valid_policy)) { +- if (ossl_policy_level_add_node(curr, data, node, NULL) == NULL) ++ if (ossl_policy_level_add_node(curr, data, node, tree, 0) == NULL) + return 0; + matched = 1; + } + } + if (!matched && last->anyPolicy) { +- if (ossl_policy_level_add_node(curr, data, last->anyPolicy, NULL) == NULL) ++ if (ossl_policy_level_add_node(curr, data, last->anyPolicy, tree, 0) == NULL) + return 0; + } + return 1; +@@ -268,7 +283,8 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, + * Return value: 1 on success, 0 otherwise. 
+ */ + static int tree_link_nodes(X509_POLICY_LEVEL *curr, +- const X509_POLICY_CACHE *cache) ++ const X509_POLICY_CACHE *cache, ++ X509_POLICY_TREE *tree) + { + int i; + +@@ -276,7 +292,7 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr, + X509_POLICY_DATA *data = sk_X509_POLICY_DATA_value(cache->data, i); + + /* Look for matching nodes in previous level */ +- if (!tree_link_matching_nodes(curr, data)) ++ if (!tree_link_matching_nodes(curr, data, tree)) + return 0; + } + return 1; +@@ -307,7 +323,7 @@ static int tree_add_unmatched(X509_POLICY_LEVEL *curr, + /* Curr may not have anyPolicy */ + data->qualifier_set = cache->anyPolicy->qualifier_set; + data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS; +- if (ossl_policy_level_add_node(curr, data, node, tree) == NULL) { ++ if (ossl_policy_level_add_node(curr, data, node, tree, 1) == NULL) { + ossl_policy_data_free(data); + return 0; + } +@@ -370,7 +386,7 @@ static int tree_link_any(X509_POLICY_LEVEL *curr, + /* Finally add link to anyPolicy */ + if (last->anyPolicy && + ossl_policy_level_add_node(curr, cache->anyPolicy, +- last->anyPolicy, NULL) == NULL) ++ last->anyPolicy, tree, 0) == NULL) + return 0; + return 1; + } +@@ -553,7 +569,7 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree, + extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS + | POLICY_DATA_FLAG_EXTRA_NODE; + node = ossl_policy_level_add_node(NULL, extra, anyPolicy->parent, +- tree); ++ tree, 1); + } + if (!tree->user_policies) { + tree->user_policies = sk_X509_POLICY_NODE_new_null(); +@@ -580,7 +596,7 @@ static int tree_evaluate(X509_POLICY_TREE *tree) + + for (i = 1; i < tree->nlevel; i++, curr++) { + cache = ossl_policy_cache_set(curr->cert); +- if (!tree_link_nodes(curr, cache)) ++ if (!tree_link_nodes(curr, cache, tree)) + return X509_PCY_TREE_INTERNAL; + + if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY) diff --git a/SOURCES/0116-CVE-2023-0465.patch b/SOURCES/0116-CVE-2023-0465.patch new file mode 100644 index 0000000..3a9acb5 
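Review bot: The patch file carries no preamble identifying the upstream commit it backports; it opens directly with `diff --git a/crypto/x509/pcy_local.h`, so only the filename ties it to CVE-2023-0464, and the same holds for 0116-CVE-2023-0465.patch, 0117-CVE-2023-0466.patch, 0118-CVE-2023-1255.patch and 0120-RSA-PKCS15-implicit-rejection.patch. A From/Date/Subject header naming the upstream commit would let a later rebase check each backport against its origin. On the code itself, `ossl_policy_level_add_node()` now dereferences `tree` for the node-limit check before any other work, so callers can no longer pass NULL as two of them did before this patch; the visible callers are all updated, but the prototype in pcy_local.h would benefit from a comment such as `/* tree must be non-NULL: it is consulted for the node limit */`.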
--- /dev/null
+++ b/SOURCES/0116-CVE-2023-0465.patch
@@ -0,0 +1,179 @@ +diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c +index 9384f1da9b..a0282c3ef1 100644 +--- a/crypto/x509/x509_vfy.c ++++ b/crypto/x509/x509_vfy.c +@@ -1654,15 +1654,23 @@ static int check_policy(X509_STORE_CTX *ctx) + goto memerr; + /* Invalid or inconsistent extensions */ + if (ret == X509_PCY_TREE_INVALID) { +- int i; ++ int i, cbcalled = 0; + + /* Locate certificates with bad extensions and notify callback. */ +- for (i = 1; i < sk_X509_num(ctx->chain); i++) { ++ for (i = 0; i < sk_X509_num(ctx->chain); i++) { + X509 *x = sk_X509_value(ctx->chain, i); + ++ if ((x->ex_flags & EXFLAG_INVALID_POLICY) != 0) ++ cbcalled = 1; + CB_FAIL_IF((x->ex_flags & EXFLAG_INVALID_POLICY) != 0, + ctx, x, i, X509_V_ERR_INVALID_POLICY_EXTENSION); + } ++ if (!cbcalled) { ++ /* Should not be able to get here */ ++ ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR); ++ return 0; ++ } ++ /* The callback ignored the error so we return success */ + return 1; + } + if (ret == X509_PCY_TREE_FAILURE) { +diff --git a/test/certs/ca-pol-cert.pem b/test/certs/ca-pol-cert.pem +new file mode 100644 +index 0000000000..244af3292b +--- /dev/null ++++ b/test/certs/ca-pol-cert.pem +@@ -0,0 +1,19 @@ ++-----BEGIN CERTIFICATE----- ++MIIDFzCCAf+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 ++IENBMCAXDTIzMDMwODEyMjMxNloYDzIxMjMwMzA5MTIyMzE2WjANMQswCQYDVQQD ++DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd ++j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz ++n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W ++l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l ++YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc ++ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9 ++CLNNsUcCAwEAAaN7MHkwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYD ++VR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8GA1UdIwQYMBaAFI71Ja8em2uE ++PXyAmslTnE1y96NSMBkGA1UdIAQSMBAwDgYMKwYBBAGBgVy8+0cBMA0GCSqGSIb3 
++DQEBCwUAA4IBAQBbE+MO9mewWIUY2kt85yhl0oZtvVxbn9K2Hty59ItwJGRNfzx7 ++Ge7KgawkvNzMOXmj6qf8TpbJnf41ZLWdRyVZBVyIwrAKIVw1VxfGh8aEifHKN97H ++unZkBPcUkAhUJSiC1BOD/euaMYqOi8QwiI702Q6q1NBY1/UKnV/ZIBLecnqfj9vZ ++7T0wKxrwGYBztP4pNcxCmBoD9Dg+Dx3ZElo0WXyO4SOh/BgrsKJHKyhbuTpjrI/g ++DhcINRp6+lIzuFBtJ67+YXnAEspb3lKMk0YL/LXrCNF2scdmNfOPwHi+OKBqt69C ++9FJyWFEMxx2qm/ENE9sbOswgJRnKkaAqHBHx ++-----END CERTIFICATE----- +diff --git a/test/certs/ee-cert-policies-bad.pem b/test/certs/ee-cert-policies-bad.pem +new file mode 100644 +index 0000000000..0fcd6372b3 +--- /dev/null ++++ b/test/certs/ee-cert-policies-bad.pem +@@ -0,0 +1,20 @@ ++-----BEGIN CERTIFICATE----- ++MIIDTTCCAjWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg ++Fw0yMzAzMDgxMjIzMzJaGA8yMTIzMDMwOTEyMjMzMlowGTEXMBUGA1UEAwwOc2Vy ++dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY ++YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT ++5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l ++Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1 ++U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5 ++ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn ++iIQPYf55NB9KiR+3AgMBAAGjgakwgaYwHQYDVR0OBBYEFOeb4iqtimw6y3ZR5Y4H ++mCKX4XOiMB8GA1UdIwQYMBaAFLQRM/HX4l73U54gIhBPhga/H8leMAkGA1UdEwQC ++MAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGQYDVR0RBBIwEIIOc2VydmVyLmV4YW1w ++bGUwKQYDVR0gBCIwIDAOBgwrBgEEAYGBXLz7RwEwDgYMKwYBBAGBgVy8+0cBMA0G ++CSqGSIb3DQEBCwUAA4IBAQArwtwNO++7kStcJeMg3ekz2D/m/8UEjTA1rknBjQiQ ++P0FK7tNeRqus9i8PxthNWk+biRayvDzaGIBV7igpDBPfXemDgmW9Adc4MKyiQDfs ++YfkHi3xJKvsK2fQmyCs2InVDaKpVAkNFcgAW8nSOhGliqIxLb0EOLoLNwaktou0N ++XQHmRzY8S7aIr8K9Qo9y/+MLar+PS4h8l6FkLLkTICiFzE4/wje5S3NckAnadRJa ++QpjwM2S6NuA+tYWuOcN//r7BSpW/AZKanYWPzHMrKlqCh+9o7sthPd72+hObG9kx ++wSGdzfStNK1I1zM5LiI08WtXCvR6AfLANTo2x1AYhSxF ++-----END CERTIFICATE----- +diff --git a/test/certs/ee-cert-policies.pem b/test/certs/ee-cert-policies.pem +new file mode 100644 +index 0000000000..2f06d7433f +--- 
/dev/null ++++ b/test/certs/ee-cert-policies.pem +@@ -0,0 +1,20 @@ ++-----BEGIN CERTIFICATE----- ++MIIDPTCCAiWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg ++Fw0yMzAzMDgxMjIzMjNaGA8yMTIzMDMwOTEyMjMyM1owGTEXMBUGA1UEAwwOc2Vy ++dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY ++YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT ++5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l ++Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1 ++U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5 ++ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn ++iIQPYf55NB9KiR+3AgMBAAGjgZkwgZYwHQYDVR0OBBYEFOeb4iqtimw6y3ZR5Y4H ++mCKX4XOiMB8GA1UdIwQYMBaAFLQRM/HX4l73U54gIhBPhga/H8leMAkGA1UdEwQC ++MAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGQYDVR0RBBIwEIIOc2VydmVyLmV4YW1w ++bGUwGQYDVR0gBBIwEDAOBgwrBgEEAYGBXLz7RwEwDQYJKoZIhvcNAQELBQADggEB ++AGbWslmAAdMX3+5ChcnFrX+NqDGoyhb3PTgWdtlQB5qtWdIt4rSxN50OcQxFTX0D ++QOBabSzR0DDKrgfBe4waL19WsdEvR9GyO4M7ASze/A3IEZue9C9k0n7Vq8zDaAZl ++CiR/Zqo9nAOuhKHMgmC/NjUlX7STv5pJVgc4SH8VEKmSRZDmNihaOalUtK5X8/Oa ++dawKxsZcaP5IKnOEPPKjtVNJxBu5CXywJHsO0GcoDEnEx1/NLdFoJ6WFw8NuTyDK ++NGLq2MHEdyKaigHQlptEs9bXyu9McJjzbx0uXj3BenRULASreccFej0L1RU6jDlk ++D3brBn24UISaFRZoB7jsjok= ++-----END CERTIFICATE----- +diff --git a/test/certs/mkcert.sh b/test/certs/mkcert.sh +index c3f7ac14b5..a57d9f38dc 100755 +--- a/test/certs/mkcert.sh ++++ b/test/certs/mkcert.sh +@@ -119,11 +119,12 @@ genca() { + local OPTIND=1 + local purpose= + +- while getopts p: o ++ while getopts p:c: o + do + case $o in + p) purpose="$OPTARG";; +- *) echo "Usage: $0 genca [-p EKU] cn keyname certname cakeyname cacertname" >&2 ++ c) certpol="$OPTARG";; ++ *) echo "Usage: $0 genca [-p EKU][-c policyoid] cn keyname certname cakeyname cacertname" >&2 + return 1;; + esac + done +@@ -146,6 +147,10 @@ genca() { + if [ -n "$NC" ]; then + exts=$(printf "%s\nnameConstraints = %s\n" "$exts" "$NC") + fi ++ if [ -n "$certpol" ]; then ++ 
exts=$(printf "%s\ncertificatePolicies = %s\n" "$exts" "$certpol") ++ fi ++ + csr=$(req "$key" "CN = $cn") || return 1 + echo "$csr" | + cert "$cert" "$exts" -CA "${cacert}.pem" -CAkey "${cakey}.pem" \ +diff --git a/test/certs/setup.sh b/test/certs/setup.sh +index 2240cd9df0..76ceadc7d8 100755 +--- a/test/certs/setup.sh ++++ b/test/certs/setup.sh +@@ -440,3 +440,9 @@ OPENSSL_SIGALG=ED448 OPENSSL_KEYALG=ed448 ./mkcert.sh genee ed448 \ + + # critical id-pkix-ocsp-no-check extension + ./mkcert.sh geneeextra server.example ee-key ee-cert-ocsp-nocheck ca-key ca-cert "1.3.6.1.5.5.7.48.1.5=critical,DER:05:00" ++ ++# certificatePolicies extension ++./mkcert.sh genca -c "1.3.6.1.4.1.16604.998855.1" "CA" ca-key ca-pol-cert root-key root-cert ++./mkcert.sh geneeextra server.example ee-key ee-cert-policies ca-key ca-cert "certificatePolicies=1.3.6.1.4.1.16604.998855.1" ++# We can create a cert with a duplicate policy oid - but its actually invalid! ++./mkcert.sh geneeextra server.example ee-key ee-cert-policies-bad ca-key ca-cert "certificatePolicies=1.3.6.1.4.1.16604.998855.1,1.3.6.1.4.1.16604.998855.1" +diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t +index 2a4c36e86d..818c9ac50d 100644 +--- a/test/recipes/25-test_verify.t ++++ b/test/recipes/25-test_verify.t +@@ -29,7 +29,7 @@ sub verify { + run(app([@args])); + } + +-plan tests => 163; ++plan tests => 165; + + # Canonical success + ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]), +@@ -516,3 +516,14 @@ SKIP: { + ok(run(app([ qw(openssl verify -trusted), $rsapluscert_file, $cert_file ])), + 'Mixed key + cert file test'); + } ++ ++# Certificate Policies ++ok(verify("ee-cert-policies", "", ["root-cert"], ["ca-pol-cert"], ++ "-policy_check", "-policy", "1.3.6.1.4.1.16604.998855.1", ++ "-explicit_policy"), ++ "Certificate policy"); ++ ++ok(!verify("ee-cert-policies-bad", "", ["root-cert"], ["ca-pol-cert"], ++ "-policy_check", "-policy", "1.3.6.1.4.1.16604.998855.1", ++ 
"-explicit_policy"), ++ "Bad certificate policy"); diff --git a/SOURCES/0117-CVE-2023-0466.patch b/SOURCES/0117-CVE-2023-0466.patch new file mode 100644 index 0000000..ef06edf --- /dev/null +++ b/SOURCES/0117-CVE-2023-0466.patch @@ -0,0 +1,27 @@ +diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod +index 75a1677022..43c1900bca 100644 +--- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod ++++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod +@@ -98,8 +98,9 @@ B. + X509_VERIFY_PARAM_set_time() sets the verification time in B to + B. Normally the current time is used. + +-X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled +-by default) and adds B to the acceptable policy set. ++X509_VERIFY_PARAM_add0_policy() adds B to the acceptable policy set. ++Contrary to preexisting documentation of this function it does not enable ++policy checking. + + X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled + by default) and sets the acceptable policy set to B. Any existing +@@ -400,6 +401,10 @@ The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i. + The X509_VERIFY_PARAM_get0_host(), X509_VERIFY_PARAM_get0_email(), + and X509_VERIFY_PARAM_get1_ip_asc() functions were added in OpenSSL 3.0. + ++The function X509_VERIFY_PARAM_add0_policy() was historically documented as ++enabling policy checking however the implementation has never done this. ++The documentation was changed to align with the implementation. ++ + =head1 COPYRIGHT + + Copyright 2009-2022 The OpenSSL Project Authors. All Rights Reserved. diff --git a/SOURCES/0118-CVE-2023-1255.patch b/SOURCES/0118-CVE-2023-1255.patch new file mode 100644 index 0000000..91efb20 --- /dev/null +++ b/SOURCES/0118-CVE-2023-1255.patch 
@@ -0,0 +1,20 @@ +--- a/crypto/aes/asm/aesv8-armx.pl ++++ b/crypto/aes/asm/aesv8-armx.pl +@@ -3353,7 +3353,7 @@ $code.=<<___ if ($flavour =~ /64/); + .align 4 + .Lxts_dec_tail4x: + add $inp,$inp,#16 +- vld1.32 {$dat0},[$inp],#16 ++ tst $tailcnt,#0xf + veor $tmp1,$dat1,$tmp0 + vst1.8 {$tmp1},[$out],#16 + veor $tmp2,$dat2,$tmp2 +@@ -3362,6 +3362,8 @@ $code.=<<___ if ($flavour =~ /64/); + veor $tmp4,$dat4,$tmp4 + vst1.8 {$tmp3-$tmp4},[$out],#32 + ++ b.eq .Lxts_dec_abort ++ vld1.32 {$dat0},[$inp],#16 + b .Lxts_done + .align 4 + .Lxts_outer_dec_tail: diff --git a/SOURCES/0120-RSA-PKCS15-implicit-rejection.patch b/SOURCES/0120-RSA-PKCS15-implicit-rejection.patch new file mode 100644 index 0000000..3cb36bb --- /dev/null +++ b/SOURCES/0120-RSA-PKCS15-implicit-rejection.patch 
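Review bot: The new `b.eq .Lxts_dec_abort` branches to a label that is not defined anywhere in the hunk; it presumably exists elsewhere in the 64-bit flavour of this generator, but since the `.pl` only emits text, a missing label would surface only when the generated assembly is assembled, so it is worth confirming. A one-line comment above `tst $tailcnt,#0xf` explaining that the load of the next input block is deferred until the tail check shows bytes remain would make the purpose of the reordering clear to the next reader, as the patch otherwise carries no explanation beyond its filename. The surrounding `$code.=<<___ if ($flavour =~ /64/)` heredoc starts before and continues past the hunk.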
@@ -0,0 +1,1354 @@ +diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c +index d25504a03f7..c55511011f6 100644 +--- a/crypto/cms/cms_env.c ++++ b/crypto/cms/cms_env.c +@@ -608,6 +608,13 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms, + if (!ossl_cms_env_asn1_ctrl(ri, 1)) + goto err; + ++ if (EVP_PKEY_is_a(pkey, "RSA")) ++ /* upper layer CMS code incorrectly assumes that a successful RSA ++ * decryption means that the key matches ciphertext (which never ++ * was the case, implicit rejection or not), so to make it work ++ * disable implicit rejection for RSA keys */ ++ EVP_PKEY_CTX_ctrl_str(ktri->pctx, "rsa_pkcs1_implicit_rejection", "0"); ++ + if (EVP_PKEY_decrypt(ktri->pctx, NULL, &eklen, + ktri->encryptedKey->data, + ktri->encryptedKey->length) <= 0) +diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c +index 56ed5ea6d68..f64c1fcb2ac 100644 +--- a/crypto/evp/ctrl_params_translate.c ++++ b/crypto/evp/ctrl_params_translate.c +@@ -2201,6 +2201,12 @@ static const struct translation_st evp_pkey_ctx_translations[] = { + EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL, NULL, NULL, + OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, OSSL_PARAM_OCTET_STRING, NULL }, + ++ { SET, EVP_PKEY_RSA, 0, EVP_PKEY_OP_TYPE_CRYPT, ++ EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION, NULL, ++ "rsa_pkcs1_implicit_rejection", ++ OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, OSSL_PARAM_UNSIGNED_INTEGER, ++ NULL }, ++ + { SET, EVP_PKEY_RSA_PSS, 0, EVP_PKEY_OP_TYPE_GEN, + EVP_PKEY_CTRL_MD, "rsa_pss_keygen_md", NULL, + OSSL_ALG_PARAM_DIGEST, OSSL_PARAM_UTF8_STRING, fix_md }, +diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c +index 31b368bda3b..8a46ab471df 100644 +--- a/crypto/pkcs7/pk7_doit.c ++++ b/crypto/pkcs7/pk7_doit.c +@@ -163,6 +163,13 @@ static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen, + if (EVP_PKEY_decrypt_init(pctx) <= 0) + goto err; + ++ if (EVP_PKEY_is_a(pkey, "RSA")) ++ /* upper layer pkcs7 code incorrectly assumes that a successful RSA 
++ * decryption means that the key matches ciphertext (which never ++ * was the case, implicit rejection or not), so to make it work ++ * disable implicit rejection for RSA keys */ ++ EVP_PKEY_CTX_ctrl_str(pctx, "rsa_pkcs1_implicit_rejection", "0"); ++ + if (EVP_PKEY_decrypt(pctx, NULL, &eklen, + ri->enc_key->data, ri->enc_key->length) <= 0) + goto err; +diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c +index 54e2a1c61ca..094a6632b66 100644 +--- a/crypto/rsa/rsa_ossl.c ++++ b/crypto/rsa/rsa_ossl.c +@@ -17,6 +17,9 @@ + #include "crypto/bn.h" + #include "rsa_local.h" + #include "internal/constant_time.h" ++#include ++#include ++#include + + static int rsa_ossl_public_encrypt(int flen, const unsigned char *from, + unsigned char *to, RSA *rsa, int padding); +@@ -372,8 +375,13 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, + BIGNUM *f, *ret; + int j, num = 0, r = -1; + unsigned char *buf = NULL; ++ unsigned char d_hash[SHA256_DIGEST_LENGTH] = {0}; ++ HMAC_CTX *hmac = NULL; ++ unsigned int md_len = SHA256_DIGEST_LENGTH; ++ unsigned char kdk[SHA256_DIGEST_LENGTH] = {0}; + BN_CTX *ctx = NULL; + int local_blinding = 0; ++ EVP_MD *md = NULL; + /* + * Used only if the blinding structure is shared. 
A non-NULL unblind + * instructs rsa_blinding_convert() and rsa_blinding_invert() to store +@@ -382,6 +390,12 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, + BIGNUM *unblind = NULL; + BN_BLINDING *blinding = NULL; + ++ /* ++ * we need the value of the private exponent to perform implicit rejection ++ */ ++ if ((rsa->flags & RSA_FLAG_EXT_PKEY) && (padding == RSA_PKCS1_PADDING)) ++ padding = RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING; ++ + if ((ctx = BN_CTX_new_ex(rsa->libctx)) == NULL) + goto err; + BN_CTX_start(ctx); +@@ -405,6 +419,11 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, + goto err; + } + ++ if (flen < 1) { ++ ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_SMALL); ++ goto err; ++ } ++ + /* make data into a big number */ + if (BN_bin2bn(from, (int)flen, f) == NULL) + goto err; +@@ -471,6 +490,81 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, + BN_free(d); + } + ++ /* ++ * derive the Key Derivation Key from private exponent and public ++ * ciphertext ++ */ ++ if (padding == RSA_PKCS1_PADDING) { ++ /* ++ * because we use d as a handle to rsa->d we need to keep it local and ++ * free before any further use of rsa->d ++ */ ++ BIGNUM *d = BN_new(); ++ if (d == NULL) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); ++ goto err; ++ } ++ if (rsa->d == NULL) { ++ ERR_raise(ERR_LIB_RSA, RSA_R_MISSING_PRIVATE_KEY); ++ BN_free(d); ++ goto err; ++ } ++ BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); ++ if (BN_bn2binpad(d, buf, num) < 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ BN_free(d); ++ goto err; ++ } ++ BN_free(d); ++ ++ /* ++ * we use hardcoded hash so that migrating between versions that use ++ * different hash doesn't provide a Bleichenbacher oracle: ++ * if the attacker can see that different versions return different ++ * messages for the same ciphertext, they'll know that the message is ++ * syntethically generated, which means that the padding check failed ++ */ ++ md = 
EVP_MD_fetch(rsa->libctx, "sha256", NULL); ++ if (md == NULL) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ ++ if (EVP_Digest(buf, num, d_hash, NULL, md, NULL) <= 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ ++ hmac = HMAC_CTX_new(); ++ if (hmac == NULL) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); ++ goto err; ++ } ++ ++ if (HMAC_Init_ex(hmac, d_hash, sizeof(d_hash), md, NULL) <= 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ ++ if (flen < num) { ++ memset(buf, 0, num - flen); ++ if (HMAC_Update(hmac, buf, num - flen) <= 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ } ++ if (HMAC_Update(hmac, from, flen) <= 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ ++ md_len = SHA256_DIGEST_LENGTH; ++ if (HMAC_Final(hmac, kdk, &md_len) <= 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ } ++ + if (blinding) { + /* + * ossl_bn_rsa_do_unblind() combines blinding inversion and +@@ -471,9 +545,12 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, + } + + switch (padding) { +- case RSA_PKCS1_PADDING: ++ case RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING: + r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num); + break; ++ case RSA_PKCS1_PADDING: ++ r = ossl_rsa_padding_check_PKCS1_type_2(rsa->libctx, to, num, buf, j, num, kdk); ++ break; + case RSA_PKCS1_OAEP_PADDING: + r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0); + break; +@@ -500,6 +597,8 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, + #endif + + err: ++ HMAC_CTX_free(hmac); ++ EVP_MD_free(md); + BN_CTX_end(ctx); + BN_CTX_free(ctx); + OPENSSL_clear_free(buf, num); +diff --git a/crypto/rsa/rsa_pk1.c b/crypto/rsa/rsa_pk1.c +index 5f72fe1735d..04fb0e4ed5e 100644 +--- a/crypto/rsa/rsa_pk1.c ++++ b/crypto/rsa/rsa_pk1.c +@@ -21,10 +21,14 @@ + #include + /* Just for the SSL_MAX_MASTER_KEY_LENGTH 
value */ + #include ++#include ++#include ++#include + #include "internal/cryptlib.h" + #include "crypto/rsa.h" + #include "rsa_local.h" + ++ + int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen, + const unsigned char *from, int flen) + { +@@ -271,6 +275,254 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen, + return constant_time_select_int(good, mlen, -1); + } + ++ ++static int ossl_rsa_prf(OSSL_LIB_CTX *ctx, ++ unsigned char *to, int tlen, ++ const char *label, int llen, ++ const unsigned char *kdk, ++ uint16_t bitlen) ++{ ++ int pos; ++ int ret = -1; ++ uint16_t iter = 0; ++ unsigned char be_iter[sizeof(iter)]; ++ unsigned char be_bitlen[sizeof(bitlen)]; ++ HMAC_CTX *hmac = NULL; ++ EVP_MD *md = NULL; ++ unsigned char hmac_out[SHA256_DIGEST_LENGTH]; ++ unsigned int md_len; ++ ++ if (tlen * 8 != bitlen) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ return ret; ++ } ++ ++ be_bitlen[0] = (bitlen >> 8) & 0xff; ++ be_bitlen[1] = bitlen & 0xff; ++ ++ hmac = HMAC_CTX_new(); ++ if (hmac == NULL) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ ++ /* ++ * we use hardcoded hash so that migrating between versions that use ++ * different hash doesn't provide a Bleichenbacher oracle: ++ * if the attacker can see that different versions return different ++ * messages for the same ciphertext, they'll know that the message is ++ * syntethically generated, which means that the padding check failed ++ */ ++ md = EVP_MD_fetch(ctx, "sha256", NULL); ++ if (md == NULL) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ ++ if (HMAC_Init_ex(hmac, kdk, SHA256_DIGEST_LENGTH, md, NULL) <= 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ ++ for (pos = 0; pos < tlen; pos += SHA256_DIGEST_LENGTH, iter++) { ++ if (HMAC_Init_ex(hmac, NULL, 0, NULL, NULL) <= 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ ++ be_iter[0] = (iter >> 8) & 0xff; ++ be_iter[1] = iter & 
0xff; ++ ++ if (HMAC_Update(hmac, be_iter, sizeof(be_iter)) <= 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ if (HMAC_Update(hmac, (unsigned char *)label, llen) <= 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ if (HMAC_Update(hmac, be_bitlen, sizeof(be_bitlen)) <= 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ ++ /* ++ * HMAC_Final requires the output buffer to fit the whole MAC ++ * value, so we need to use the intermediate buffer for the last ++ * unaligned block ++ */ ++ md_len = SHA256_DIGEST_LENGTH; ++ if (pos + SHA256_DIGEST_LENGTH > tlen) { ++ if (HMAC_Final(hmac, hmac_out, &md_len) <= 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ memcpy(to + pos, hmac_out, tlen - pos); ++ } else { ++ if (HMAC_Final(hmac, to + pos, &md_len) <= 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ } ++ } ++ ++ ret = 0; ++ ++err: ++ HMAC_CTX_free(hmac); ++ EVP_MD_free(md); ++ return ret; ++} ++ ++/* ++ * ossl_rsa_padding_check_PKCS1_type_2() checks and removes the PKCS#1 type 2 ++ * padding from a decrypted RSA message. Unlike the ++ * RSA_padding_check_PKCS1_type_2() it will not return an error in case it ++ * detects a padding error, rather it will return a deterministically generated ++ * random message. In other words it will perform an implicit rejection ++ * of an invalid padding. 
This means that the returned value does not indicate ++ * if the padding of the encrypted message was correct or not, making ++ * side channel attacks like the ones described by Bleichenbacher impossible ++ * without access to the full decrypted value and a brute-force search of ++ * remaining padding bytes ++ */ ++int ossl_rsa_padding_check_PKCS1_type_2(OSSL_LIB_CTX *ctx, ++ unsigned char *to, int tlen, ++ const unsigned char *from, int flen, ++ int num, unsigned char *kdk) ++{ ++/* ++ * We need to generate a random length for the synthethic message, to avoid ++ * bias towards zero and avoid non-constant timeness of DIV, we prepare ++ * 128 values to check if they are not too large for the used key size, ++ * and use 0 in case none of them are small enough, as 2^-128 is a good enough ++ * safety margin ++ */ ++#define MAX_LEN_GEN_TRIES 128 ++ unsigned char *synthetic = NULL; ++ int synthethic_length; ++ uint16_t len_candidate; ++ unsigned char candidate_lengths[MAX_LEN_GEN_TRIES * sizeof(len_candidate)]; ++ uint16_t len_mask; ++ uint16_t max_sep_offset; ++ int synth_msg_index = 0; ++ int ret = -1; ++ int i, j; ++ unsigned int good, found_zero_byte; ++ int zero_index = 0, msg_index; ++ ++ /* ++ * If these checks fail then either the message in publicly invalid, or ++ * we've been called incorrectly. We can fail immediately. 
++ * Since this code is called only internally by openssl, those are just ++ * sanity checks ++ */ ++ if (num != flen || tlen <= 0 || flen <= 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ return -1; ++ } ++ ++ /* Generate a random message to return in case the padding checks fail */ ++ synthetic = OPENSSL_malloc(flen); ++ if (synthetic == NULL) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); ++ return -1; ++ } ++ ++ if (ossl_rsa_prf(ctx, synthetic, flen, "message", 7, kdk, flen * 8) < 0) ++ goto err; ++ ++ /* decide how long the random message should be */ ++ if (ossl_rsa_prf(ctx, candidate_lengths, sizeof(candidate_lengths), ++ "length", 6, kdk, ++ MAX_LEN_GEN_TRIES * sizeof(len_candidate) * 8) < 0) ++ goto err; ++ ++ /* ++ * max message size is the size of the modulus size less 2 bytes for ++ * version and padding type and a minimum of 8 bytes padding ++ */ ++ len_mask = max_sep_offset = flen - 2 - 8; ++ /* ++ * we want a mask so lets propagate the high bit to all positions less ++ * significant than it ++ */ ++ len_mask |= len_mask >> 1; ++ len_mask |= len_mask >> 2; ++ len_mask |= len_mask >> 4; ++ len_mask |= len_mask >> 8; ++ ++ synthethic_length = 0; ++ for (i = 0; i < MAX_LEN_GEN_TRIES * (int)sizeof(len_candidate); ++ i += sizeof(len_candidate)) { ++ len_candidate = (candidate_lengths[i] << 8) | candidate_lengths[i + 1]; ++ len_candidate &= len_mask; ++ ++ synthethic_length = constant_time_select_int( ++ constant_time_lt(len_candidate, max_sep_offset), ++ len_candidate, synthethic_length); ++ } ++ ++ synth_msg_index = flen - synthethic_length; ++ ++ /* we have alternative message ready, check the real one */ ++ good = constant_time_is_zero(from[0]); ++ good &= constant_time_eq(from[1], 2); ++ ++ /* then look for the padding|message separator (the first zero byte) */ ++ found_zero_byte = 0; ++ for (i = 2; i < flen; i++) { ++ unsigned int equals0 = constant_time_is_zero(from[i]); ++ zero_index = constant_time_select_int(~found_zero_byte & 
equals0, ++ i, zero_index); ++ found_zero_byte |= equals0; ++ } ++ ++ /* ++ * padding must be at least 8 bytes long, and it starts two bytes into ++ * |from|. If we never found a 0-byte, then |zero_index| is 0 and the check ++ * also fails. ++ */ ++ good &= constant_time_ge(zero_index, 2 + 8); ++ ++ /* ++ * Skip the zero byte. This is incorrect if we never found a zero-byte ++ * but in this case we also do not copy the message out. ++ */ ++ msg_index = zero_index + 1; ++ ++ /* ++ * old code returned an error in case the decrypted message wouldn't fit ++ * into the |to|, since that would leak information, return the synthethic ++ * message instead ++ */ ++ good &= constant_time_ge(tlen, num - msg_index); ++ ++ msg_index = constant_time_select_int(good, msg_index, synth_msg_index); ++ ++ /* ++ * since at this point the |msg_index| does not provide the signal ++ * indicating if the padding check failed or not, we don't have to worry ++ * about leaking the length of returned message, we still need to ensure ++ * that we read contents of both buffers so that cache accesses don't leak ++ * the value of |good| ++ */ ++ for (i = msg_index, j = 0; i < flen && j < tlen; i++, j++) ++ to[j] = constant_time_select_8(good, from[i], synthetic[i]); ++ ret = j; ++ ++err: ++ /* ++ * the only time ret < 0 is when the ciphertext is publicly invalid ++ * or we were called with invalid parameters, so we don't have to perform ++ * a side-channel secure raising of the error ++ */ ++ if (ret < 0) ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ OPENSSL_free(synthetic); ++ return ret; ++} ++ + /* + * ossl_rsa_padding_check_PKCS1_type_2_TLS() checks and removes the PKCS1 type 2 + * padding from a decrypted RSA message in a TLS signature. 
The result is stored
+diff --git a/crypto/rsa/rsa_pmeth.c b/crypto/rsa/rsa_pmeth.c
+index 8b35e5c3c6d..c67b20baf56 100644
+--- a/crypto/rsa/rsa_pmeth.c
++++ b/crypto/rsa/rsa_pmeth.c
+@@ -52,6 +52,8 @@ typedef struct {
+ /* OAEP label */
+ unsigned char *oaep_label;
+ size_t oaep_labellen;
++ /* if to use implicit rejection in PKCS#1 v1.5 decryption */
++ int implicit_rejection;
+ } RSA_PKEY_CTX;
+
+ /* True if PSS parameters are restricted */
+@@ -72,6 +74,7 @@ static int pkey_rsa_init(EVP_PKEY_CTX *ctx)
+ /* Maximum for sign, auto for verify */
+ rctx->saltlen = RSA_PSS_SALTLEN_AUTO;
+ rctx->min_saltlen = -1;
++ rctx->implicit_rejection = 1;
+ ctx->data = rctx;
+ ctx->keygen_info = rctx->gentmp;
+ ctx->keygen_info_count = 2;
+@@ -97,6 +100,7 @@ static int pkey_rsa_copy(EVP_PKEY_CTX *dst, const EVP_PKEY_CTX *src)
+ dctx->md = sctx->md;
+ dctx->mgf1md = sctx->mgf1md;
+ dctx->saltlen = sctx->saltlen;
++ dctx->implicit_rejection = sctx->implicit_rejection;
+ if (sctx->oaep_label) {
+ OPENSSL_free(dctx->oaep_label);
+ dctx->oaep_label = OPENSSL_memdup(sctx->oaep_label, sctx->oaep_labellen);
+@@ -345,6 +349,7 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx,
+ const unsigned char *in, size_t inlen)
+ {
+ int ret;
++ int pad_mode;
+ RSA_PKEY_CTX *rctx = ctx->data;
+ /*
+ * Discard const.
Its marked as const because this may be a cached copy of
+@@ -365,7 +370,12 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx,
+ rctx->oaep_labellen,
+ rctx->md, rctx->mgf1md);
+ } else {
+- ret = RSA_private_decrypt(inlen, in, out, rsa, rctx->pad_mode);
++ if (rctx->pad_mode == RSA_PKCS1_PADDING &&
++ rctx->implicit_rejection == 0)
++ pad_mode = RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING;
++ else
++ pad_mode = rctx->pad_mode;
++ ret = RSA_private_decrypt(inlen, in, out, rsa, pad_mode);
+ }
+ *outlen = constant_time_select_s(constant_time_msb_s(ret), *outlen, ret);
+ ret = constant_time_select_int(constant_time_msb(ret), ret, 1);
+@@ -585,6 +595,14 @@ static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
+ *(unsigned char **)p2 = rctx->oaep_label;
+ return rctx->oaep_labellen;
+
++ case EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION:
++ if (rctx->pad_mode != RSA_PKCS1_PADDING) {
++ ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PADDING_MODE);
++ return -2;
++ }
++ rctx->implicit_rejection = p1;
++ return 1;
++
+ case EVP_PKEY_CTRL_DIGESTINIT:
+ case EVP_PKEY_CTRL_PKCS7_SIGN:
+ #ifndef OPENSSL_NO_CMS
+diff --git a/doc/man1/openssl-pkeyutl.pod.in b/doc/man1/openssl-pkeyutl.pod.in
+index b0054ead66f..dd878297987 100644
+--- a/doc/man1/openssl-pkeyutl.pod.in
++++ b/doc/man1/openssl-pkeyutl.pod.in
+@@ -240,6 +240,11 @@ signed or verified directly instead of using a B structure. If a
+ digest is set then the a B structure is used and its the length
+ must correspond to the digest type.
+
++Note, for B padding, as a protection against Bleichenbacher attack,
++the decryption will not fail in case of padding check failures. Use B
++and manual inspection of the decrypted message to verify if the decrypted
++value has correct PKCS#1 v1.5 padding.
++
+ For B mode only encryption and decryption is supported.
+
+ For B if the digest type is set it is used to format the block data
+@@ -267,6 +272,16 @@ explicitly set in PSS mode then the signing digest is used.
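Review bot: `rctx->implicit_rejection = p1;` in the new EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION case stores the raw ctrl argument, and the decrypt hunk above only ever tests `rctx->implicit_rejection == 0`, so any other value (a negative int, or garbage from a mis-typed ctrl string) silently keeps implicit rejection on. Normalising at the boundary, `rctx->implicit_rejection = (p1 != 0);`, or rejecting anything but 0 and 1 with `return -2;`, makes the setting's meaning explicit and keeps what a later getter reports to 0/1. The guard on `rctx->pad_mode` also makes this ctrl order-dependent: it fails unless PKCS#1 v1.5 padding is already selected, whereas rsa_set_ctx_params in the rsa_enc.c hunk further down accepts the same "implicit-rejection" parameter regardless of padding mode, so the legacy and provider front-ends disagree on the contract. pkey_rsa_ctrl's body continues beyond this hunk.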
+ Sets the digest used for the OAEP hash function. If not explicitly set then + SHA1 is used. + ++=item BI ++ ++Disables (when set to 0) or enables (when set to 1) the use of implicit ++rejection with PKCS#1 v1.5 decryption. When enabled (the default), as a ++protection against Bleichenbacher attack, the library will generate a ++deterministic random plaintext that it will return to the caller in case ++of padding check failure. ++When disabled, it's the callers' responsibility to handle the returned ++errors in a side-channel free manner. ++ + =back + + =head1 RSA-PSS ALGORITHM +diff --git a/doc/man1/openssl-rsautl.pod.in b/doc/man1/openssl-rsautl.pod.in +index 186e49e5e49..eab34979de3 100644 +--- a/doc/man1/openssl-rsautl.pod.in ++++ b/doc/man1/openssl-rsautl.pod.in +@@ -105,6 +105,11 @@ The padding to use: PKCS#1 v1.5 (the default), PKCS#1 OAEP, + ANSI X9.31, or no padding, respectively. + For signatures, only B<-pkcs> and B<-raw> can be used. + ++Note: because of protection against Bleichenbacher attacks, decryption ++using PKCS#1 v1.5 mode will not return errors in case padding check failed. ++Use B<-raw> and inspect the returned value manually to check if the ++padding is correct. ++ + =item B<-hexdump> + + Hex dump the output data. +diff --git a/doc/man3/EVP_PKEY_CTX_ctrl.pod b/doc/man3/EVP_PKEY_CTX_ctrl.pod +index 9b96f42dbc9..f7957e95f7f 100644 +--- a/doc/man3/EVP_PKEY_CTX_ctrl.pod ++++ b/doc/man3/EVP_PKEY_CTX_ctrl.pod +@@ -393,6 +393,15 @@ this behaviour should be tolerated then + OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION should be set to the actual + negotiated protocol version. Otherwise it should be left unset. + ++Similarly to the B above, since OpenSSL version ++3.1.0, the use of B will return a randomly generated message ++instead of padding errors in case padding checks fail. 
Applications that ++want to remain secure while using earlier versions of OpenSSL, still need to ++handle both the error code from the RSA decryption operation and the ++returned message in a side channel secure manner. ++This protection against Bleichenbacher attacks can be disabled by setting ++the OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION (an unsigned integer) to 0. ++ + =head2 DSA parameters + + EVP_PKEY_CTX_set_dsa_paramgen_bits() sets the number of bits used for DSA +diff --git a/doc/man3/EVP_PKEY_decrypt.pod b/doc/man3/EVP_PKEY_decrypt.pod +index 0cd1a6548d0..462265c5a67 100644 +--- a/doc/man3/EVP_PKEY_decrypt.pod ++++ b/doc/man3/EVP_PKEY_decrypt.pod +@@ -51,6 +51,18 @@ return 1 for success and 0 or a negative value for failure. In particular a + return value of -2 indicates the operation is not supported by the public key + algorithm. + ++=head1 WARNINGS ++ ++In OpenSSL versions before 3.1.0, when used in PKCS#1 v1.5 padding, ++both the return value from the EVP_PKEY_decrypt() and the B provided ++information useful in mounting a Bleichenbacher attack against the ++used private key. They had to processed in a side-channel free way. ++ ++Since version 3.1.0, the EVP_PKEY_decrypt() method when used with PKCS#1 ++v1.5 padding doesn't return an error in case it detects an error in padding, ++instead it returns a pseudo-randomly generated message, removing the need ++of side-channel secure code from applications using OpenSSL. ++ + =head1 EXAMPLES + + Decrypt data using OAEP (for RSA keys): +diff --git a/doc/man3/RSA_padding_add_PKCS1_type_1.pod b/doc/man3/RSA_padding_add_PKCS1_type_1.pod +index 9f7025c4975..36ae18563f2 100644 +--- a/doc/man3/RSA_padding_add_PKCS1_type_1.pod ++++ b/doc/man3/RSA_padding_add_PKCS1_type_1.pod +@@ -121,8 +121,8 @@ L. 
+ + =head1 WARNINGS + +-The result of RSA_padding_check_PKCS1_type_2() is a very sensitive +-information which can potentially be used to mount a Bleichenbacher ++The result of RSA_padding_check_PKCS1_type_2() is exactly the ++information which is used to mount a classical Bleichenbacher + padding oracle attack. This is an inherent weakness in the PKCS #1 + v1.5 padding design. Prefer PKCS1_OAEP padding. If that is not + possible, the result of RSA_padding_check_PKCS1_type_2() should be +@@ -137,6 +137,9 @@ as this would create a small timing side channel which could be + used to mount a Bleichenbacher attack against any padding mode + including PKCS1_OAEP. + ++You should prefer the use of EVP PKEY APIs for PKCS#1 v1.5 decryption ++as they implement the necessary workarounds internally. ++ + =head1 SEE ALSO + + L, +diff --git a/doc/man3/RSA_public_encrypt.pod b/doc/man3/RSA_public_encrypt.pod +index 1d38073aead..bd3f835ac6d 100644 +--- a/doc/man3/RSA_public_encrypt.pod ++++ b/doc/man3/RSA_public_encrypt.pod +@@ -52,8 +52,8 @@ Encrypting user data directly with RSA is insecure. + + =back + +-B must not be more than RSA_size(B) - 11 for the PKCS #1 v1.5 +-based padding modes, not more than RSA_size(B) - 42 for ++When encrypting B must not be more than RSA_size(B) - 11 for the ++PKCS #1 v1.5 based padding modes, not more than RSA_size(B) - 42 for + RSA_PKCS1_OAEP_PADDING and exactly RSA_size(B) for RSA_NO_PADDING. + When a padding mode other than RSA_NO_PADDING is in use, then + RSA_public_encrypt() will include some random bytes into the ciphertext +@@ -92,6 +92,13 @@ which can potentially be used to mount a Bleichenbacher padding oracle + attack. This is an inherent weakness in the PKCS #1 v1.5 padding + design. Prefer RSA_PKCS1_OAEP_PADDING. + ++In OpenSSL before version 3.1.0, both the return value and the length of ++returned value could be used to mount the Bleichenbacher attack. 
++Since version 3.1.0, OpenSSL does not return an error in case of padding ++checks failed. Instead it generates a random message based on used private ++key and provided ciphertext so that application code doesn't have to implement ++a side-channel secure error handling. ++ + =head1 CONFORMING TO + + SSL, PKCS #1 v2.0 +diff --git a/doc/man7/provider-asym_cipher.pod b/doc/man7/provider-asym_cipher.pod +index ac3f6271969..cb770c9e857 100644 +--- a/doc/man7/provider-asym_cipher.pod ++++ b/doc/man7/provider-asym_cipher.pod +@@ -235,6 +235,15 @@ The TLS protocol version first requested by the client. + The negotiated TLS protocol version. See + B on the page L. + ++=item "implicit-rejection" (B) ++ ++Gets of sets the use of the implicit rejection mechanism for RSA PKCS#1 v1.5 ++decryption. When set (non zero value), the decryption API will return ++a deterministically random value if the PKCS#1 v1.5 padding check fails. ++This makes explotation of the Bleichenbacher significantly harder, even ++if the code using the RSA decryption API is not implemented in side-channel ++free manner. Set by default. 
++ + =back + + OSSL_FUNC_asym_cipher_gettable_ctx_params() and OSSL_FUNC_asym_cipher_settable_ctx_params() +diff --git a/include/crypto/rsa.h b/include/crypto/rsa.h +index 949873d0ee3..f267e5d9d1c 100644 +--- a/include/crypto/rsa.h ++++ b/include/crypto/rsa.h +@@ -83,6 +83,10 @@ int ossl_rsa_param_decode(RSA *rsa, const X509_ALGOR *alg); + RSA *ossl_rsa_key_from_pkcs8(const PKCS8_PRIV_KEY_INFO *p8inf, + OSSL_LIB_CTX *libctx, const char *propq); + ++int ossl_rsa_padding_check_PKCS1_type_2(OSSL_LIB_CTX *ctx, ++ unsigned char *to, int tlen, ++ const unsigned char *from, int flen, ++ int num, unsigned char *kdk); + int ossl_rsa_padding_check_PKCS1_type_2_TLS(OSSL_LIB_CTX *ctx, unsigned char *to, + size_t tlen, + const unsigned char *from, +diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h +index e6c4758a33e..6e4a4f8539d 100644 +--- a/include/openssl/core_names.h ++++ b/include/openssl/core_names.h +@@ -302,6 +302,7 @@ extern "C" { + #define OSSL_PKEY_PARAM_DIST_ID "distid" + #define OSSL_PKEY_PARAM_PUB_KEY "pub" + #define OSSL_PKEY_PARAM_PRIV_KEY "priv" ++#define OSSL_PKEY_PARAM_IMPLICIT_REJECTION "implicit-rejection" + #define OSSL_PKEY_PARAM_REDHAT_SIGN_KAT_K "rh_sign_kat_k" + + /* Diffie-Hellman/DSA Parameters */ +@@ -482,6 +483,7 @@ extern "C" { + #define OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL "oaep-label" + #define OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION "tls-client-version" + #define OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION "tls-negotiated-version" ++#define OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION "implicit-rejection" + #ifdef FIPS_MODULE + #define OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED "redhat-kat-oaep-seed" + #endif +diff --git a/include/openssl/rsa.h b/include/openssl/rsa.h +index bce21258227..167427d3c48 100644 +--- a/include/openssl/rsa.h ++++ b/include/openssl/rsa.h +@@ -189,6 +189,8 @@ int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx, unsigned char **label); + + # define EVP_PKEY_CTRL_RSA_KEYGEN_PRIMES 
(EVP_PKEY_ALG_CTRL + 13)
+
++# define EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION (EVP_PKEY_ALG_CTRL + 14)
++
+ # define RSA_PKCS1_PADDING 1
+ # define RSA_NO_PADDING 3
+ # define RSA_PKCS1_OAEP_PADDING 4
+@@ -198,6 +200,9 @@ int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx, unsigned char **label);
+ # define RSA_PKCS1_PSS_PADDING 6
+ # define RSA_PKCS1_WITH_TLS_PADDING 7
+
++/* internal RSA_ only */
++# define RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING 8
++
+ # define RSA_PKCS1_PADDING_SIZE 11
+
+ # define RSA_set_app_data(s,arg) RSA_set_ex_data(s,0,arg)
+diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c
+index 3d331ea8dfd..fbafb84f8cb 100644
+--- a/providers/implementations/asymciphers/rsa_enc.c
++++ b/providers/implementations/asymciphers/rsa_enc.c
+@@ -75,6 +75,8 @@ typedef struct {
+ /* TLS padding */
+ unsigned int client_version;
+ unsigned int alt_version;
++ /* PKCS#1 v1.5 decryption mode */
++ unsigned int implicit_rejection;
+ #ifdef FIPS_MODULE
+ char *redhat_st_oaep_seed;
+ #endif /* FIPS_MODULE */
+@@ -107,6 +109,7 @@ static int rsa_init(void *vprsactx, void *vrsa, const OSSL_PARAM params[],
+ RSA_free(prsactx->rsa);
+ prsactx->rsa = vrsa;
+ prsactx->operation = operation;
++ prsactx->implicit_rejection = 1;
+
+ switch (RSA_test_flags(prsactx->rsa, RSA_FLAG_TYPE_MASK)) {
+ case RSA_FLAG_TYPE_RSA:
+@@ -195,6 +198,7 @@ static int rsa_decrypt(void *vprsactx, unsigned char *out, size_t *outlen,
+ {
+ PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
+ int ret;
++ int pad_mode;
+ size_t len = RSA_size(prsactx->rsa);
+
+ if (!ossl_prov_is_running())
+@@ -270,8 +274,12 @@ static int rsa_decrypt(void *vprsactx, unsigned char *out, size_t *outlen,
+ }
+ OPENSSL_free(tbuf);
+ } else {
+- ret = RSA_private_decrypt(inlen, in, out, prsactx->rsa,
+- prsactx->pad_mode);
++ if ((prsactx->implicit_rejection == 0) &&
++ (prsactx->pad_mode == RSA_PKCS1_PADDING))
++ pad_mode = RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING;
++
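Review bot: `RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING 8` goes into the installed public header with only `/* internal RSA_ only */` as explanation, yet both decrypt hunks feed it to the public `RSA_private_decrypt()`, so applications can pass it directly and the comment does not say what they get. State the contract: `/* PKCS#1 v1.5 decryption with implicit rejection disabled: padding failures return an error (the Bleichenbacher oracle); only meaningful for RSA_private_decrypt() */`, and say what the other RSA_* entry points do when handed mode 8, which no visible hunk shows. As this is a backport, `EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION (EVP_PKEY_ALG_CTRL + 14)` and the value 8 are presumably chosen to match upstream 3.1 so code built against either header agrees; worth confirming in the patch description.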
else
++ pad_mode = prsactx->pad_mode;
++ ret = RSA_private_decrypt(inlen, in, out, prsactx->rsa, pad_mode);
+ }
+ *outlen = constant_time_select_s(constant_time_msb_s(ret), *outlen, ret);
+ ret = constant_time_select_int(constant_time_msb(ret), 0, 1);
+@@ -395,6 +403,10 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
+ }
+ #endif /* defined(FIPS_MODULE) */
+
++ p = OSSL_PARAM_locate(params, OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION);
++ if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->implicit_rejection))
++ return 0;
++
+ return 1;
+ }
+
+@@ -406,6 +418,7 @@ static const OSSL_PARAM known_gettable_ctx_params[] = {
+ NULL, 0),
+ OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL),
+ OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL),
++ OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL),
+ #ifdef FIPS_MODULE
+ OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, NULL, 0),
+ OSSL_PARAM_int(OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR, NULL),
+@@ -543,6 +556,14 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
+ return 0;
+ prsactx->alt_version = alt_version;
+ }
++ p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION);
++ if (p != NULL) {
++ unsigned int implicit_rejection;
++
++ if (!OSSL_PARAM_get_uint(p, &implicit_rejection))
++ return 0;
++ prsactx->implicit_rejection = implicit_rejection;
++ }
+
+ return 1;
+ }
+
+@@ -555,6 +576,7 @@ static const OSSL_PARAM known_settable_ctx_params[] = {
+ OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, NULL, 0),
+ OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL),
+ OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL),
++ OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL),
+ OSSL_PARAM_END
+ };
+
+diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
+index
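Review bot: The new OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION branch in rsa_set_ctx_params stores whatever unsigned value arrives and never consults `prsactx->pad_mode`, while the legacy pkey_rsa_ctrl path in the rsa_pmeth.c hunk refuses the same setting with RSA_R_INVALID_PADDING_MODE unless PKCS#1 v1.5 is selected; an application probing EVP_PKEY_CTX_set_params for support gets different answers from the two front-ends. Pick one contract: either drop the padding-mode guard in the legacy ctrl, or add the equivalent guard here and state on the provider-asym_cipher page that the parameter is only settable in pkcs1 mode. Since rsa_decrypt only compares the field against 0, consider `prsactx->implicit_rejection = (implicit_rejection != 0);` so the getter added in the rsa_get_ctx_params hunk reports 0/1 rather than the raw input. rsa_set_ctx_params begins before this hunk.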
b8d8bb2993e..a3d01eec457 100644 +--- a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt ++++ b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt +@@ -253,9 +253,25 @@ Decrypt = RSA-2048 + Input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utput = "Hello World" + ++Availablein = default ++# Note: disable the Bleichenbacher workaround to see if it passes ++Decrypt = RSA-2048 ++Ctrl = rsa_pkcs1_implicit_rejection:0 ++Input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utput = "Hello World" ++ ++Availablein = default ++# Corrupted ciphertext ++# Note: output is generated synthethically by the Bleichenbacher workaround ++Decrypt = RSA-2048 ++Input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utput = 4cbb988d6a46228379132b0b5f8c249b3860043848c93632fb982c807c7c82fffc7a9ef83f4908f890373ac181ffea6381e103bcaa27e65638b6ecebef38b59ed4226a9d12af675cfcb634d8c40e7a7aff ++ + # Corrupted ciphertext + Availablein = default ++# Note: disable the Bleichenbacher workaround to see if it fails + Decrypt = RSA-2048 ++Ctrl = rsa_pkcs1_implicit_rejection:0 + Input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utput = "Hello World" + Result = KEYOP_ERROR +@@ -277,6 +297,462 @@ Derive = RSA-2048 + Result = KEYOP_INIT_ERROR + Reason = operation not supported for this keytype + ++# Test vectors for the Bleichenbacher workaround ++ ++PrivateKey = RSA-2048-2 ++-----BEGIN RSA PRIVATE KEY----- ++MIIEowIBAAKCAQEAyMyDlxQJjaVsqiNkD5PciZfBY3KWj8Gwxt9RE8HJTosh5IrS ++KX5lQZARtObY9ec7G3iyV0ADIdHva2AtTsjOjRQclJBetK0wZjmkkgZTS25/JgdC ++Ppff/RM8iNchOZ3vvH6WzNy9fzquH+iScSv7SSmBfVEWZkQKH6y3ogj16hZZEK3Y ++o/LUlyAjYMy2MgJPDQcWnBkY8xb3lLFDrvVOyHUipMApePlomYC/+/ZJwwfoGBm/ +++IQJY41IvZS+FStZ/2SfoL1inQ/6GBPDq/S1a9PC6lRl3/oUWJKSqdiiStJr5+4F ++EHQbY4LUPIPVv6QKRmE9BivkRVF9vK8MtOGnaQIDAQABAoIBABRVAQ4PLVh2Y6Zm ++pv8czbvw7dgQBkbQKgI5IpCJksStOeVWWSlybvZQjDpxFY7wtv91HTnQdYC7LS8G ++MhBELQYD/1DbvXs1/iybsZpHoa+FpMJJAeAsqLWLeRmyDt8yqs+/Ua20vEthubfp 
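Review bot: The two new cases rely on `Ctrl = rsa_pkcs1_implicit_rejection:0`, but no hunk visible in this patch registers that ctrl-string name (neither a pkey_rsa_ctrl_str entry nor a provider parameter translation appears), so unless it is added in a hunk not shown here these tests fail at control time instead of exercising the disabled path and the expected `Result = KEYOP_ERROR`. Worth confirming the string mapping exists and is reachable through the default provider that `Availablein = default` selects. The corrupted-ciphertext case that now expects `4cbb988d…` pins the synthetic plaintext to the exact KDK/PRF derivation, which is valuable as a cross-implementation KAT; a comment such as `# must stay byte-identical to upstream 3.1: the synthetic message is the interop contract` would stop it being "fixed" if the derivation ever drifts.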
++aMqk1XD3DvGNgGMiiJPkfUOe/KeTJZvPLNEIo9hojN8HjnrHmZafIznSwfUiuWlo ++RimpM7quwmgWJeq4T05W9ER+nYj7mhmc9xAj4OJXsURBszyE07xnyoAx0mEmGBA6 ++egpAhEJi912IkM1hblH5A1SI/W4Jnej/bWWk/xGCVIB8n1jS+7qLoVHcjGi+NJyX ++eiBOBMECgYEA+PWta6gokxvqRZuKP23AQdI0gkCcJXHpY/MfdIYColY3GziD7UWe ++z5cFJkWe3RbgVSL1pF2UdRsuwtrycsf4gWpSwA0YCAFxY02omdeXMiL1G5N2MFSG ++lqn32MJKWUl8HvzUVc+5fuhtK200lyszL9owPwSZm062tcwLsz53Yd0CgYEAznou ++O0mpC5YzChLcaCvfvfuujdbcA7YUeu+9V1dD8PbaTYYjUGG3Gv2crS00Al5WrIaw ++93Q+s14ay8ojeJVCRGW3Bu0iF15XGMjHC2cD6o9rUQ+UW+SOWja7PDyRcytYnfwF ++1y2AkDGURSvaITSGR+xylD8RqEbmL66+jrU2sP0CgYB2/hXxiuI5zfHfa0RcpLxr ++uWjXiMIZM6T13NKAAz1nEgYswIpt8gTB+9C+RjB0Q+bdSmRWN1Qp1OA4yiVvrxyb ++3pHGsXt2+BmV+RxIy768e/DjSUwINZ5OjNalh9e5bWIh/X4PtcVXXwgu5XdpeYBx ++sru0oyI4FRtHMUu2VHkDEQKBgQCZiEiwVUmaEAnLx9KUs2sf/fICDm5zZAU+lN4a ++AA3JNAWH9+JydvaM32CNdTtjN3sDtvQITSwCfEs4lgpiM7qe2XOLdvEOp1vkVgeL ++9wH2fMaz8/3BhuZDNsdrNy6AkQ7ICwrcwj0C+5rhBIaigkgHW06n5W3fzziC5FFW ++FHGikQKBgGQ790ZCn32DZnoGUwITR++/wF5jUfghqd67YODszeUAWtnp7DHlWPfp ++LCkyjnRWnXzvfHTKvCs1XtQBoaCRS048uwZITlgZYFEWntFMqi76bqBE4FTSYUTM ++FinFUBBVigThM/RLfCRNrCW/kTxXuJDuSfVIJZzWNAT+9oWdz5da ++-----END RSA PRIVATE KEY----- ++ ++# corresponding public key ++PublicKey = RSA-2048-2-PUBLIC ++-----BEGIN PUBLIC KEY----- ++MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyMyDlxQJjaVsqiNkD5Pc ++iZfBY3KWj8Gwxt9RE8HJTosh5IrSKX5lQZARtObY9ec7G3iyV0ADIdHva2AtTsjO ++jRQclJBetK0wZjmkkgZTS25/JgdCPpff/RM8iNchOZ3vvH6WzNy9fzquH+iScSv7 ++SSmBfVEWZkQKH6y3ogj16hZZEK3Yo/LUlyAjYMy2MgJPDQcWnBkY8xb3lLFDrvVO ++yHUipMApePlomYC/+/ZJwwfoGBm/+IQJY41IvZS+FStZ/2SfoL1inQ/6GBPDq/S1 ++a9PC6lRl3/oUWJKSqdiiStJr5+4FEHQbY4LUPIPVv6QKRmE9BivkRVF9vK8MtOGn ++aQIDAQAB ++-----END PUBLIC KEY----- ++ ++PrivPubKeyPair = RSA-2048-2:RSA-2048-2-PUBLIC ++ ++# RSA decrypt ++ ++# a random positive test case ++Availablein = default ++Decrypt = RSA-2048-2 ++Input = 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 ++Output = "lorem ipsum dolor sit amet" ++ ++Availablein = default ++# a random negative 
test case decrypting to empty ++Decrypt = RSA-2048-2 ++Input = 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 ++Output = ++ ++Availablein = default ++# invalid decrypting to max length message ++Decrypt = RSA-2048-2 ++Input = 48cceab10f39a4db32f60074feea473cbcdb7accf92e150417f76b44756b190e843e79ec12aa85083a21f5437e7bad0a60482e601198f9d86923239c8786ee728285afd0937f7dde12717f28389843d7375912b07b991f4fdb0190fced8ba665314367e8c5f9d2981d0f5128feeb46cb50fc237e64438a86df198dd0209364ae3a842d77532b66b7ef263b83b1541ed671b120dfd660462e2107a4ee7b964e734a7bd68d90dda61770658a3c242948532da32648687e0318286473f675b412d6468f013f14d760a358dfcad3cda2afeec5e268a37d250c37f722f468a70dfd92d7294c3c1ee1e7f8843b7d16f9f37ef35748c3ae93aa155cdcdfeb4e78567303 ++Output = 22d850137b9eebe092b24f602dc5bb7918c16bd89ddbf20467b119d205f9c2e4bd7d2592cf1e532106e0f33557565923c73a02d4f09c0c22bea89148183e60317f7028b3aa1f261f91c979393101d7e15f4067e63979b32751658ef769610fe97cf9cef3278b3117d384051c3b1d82c251c2305418c8f6840530e631aad63e70e20e025bcd8efb54c92ec6d3b106a2f8e64eeff7d38495b0fc50c97138af4b1c0a67a1c4e27b077b8439332edfa8608dfeae653cd6a628ac550395f7e74390e42c11682234870925eeaa1fa71b76cf1f2ee3bda69f6717033ff8b7c95c9799e7a3bea5e7e4a1c359772fb6b1c6e6c516661dfe30c3 ++ ++Availablein = default ++# invalid decrypting to message with length specified by second to last value from PRF ++Decrypt = RSA-2048-2 ++Input = 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 ++Output = 0f9b ++ ++Availablein = default ++# invalid decrypting to message with length specified by third to last value from PRF ++Decrypt = RSA-2048-2 ++Input = 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 ++Output = 4f02 ++ ++# positive test with 11 byte long value ++Availablein = default ++Decrypt = RSA-2048-2 ++Input = 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 ++Output = "lorem ipsum" ++ ++# positive test with 11 byte long value and zero padded ciphertext ++Availablein = default ++Decrypt = RSA-2048-2 ++Input = 
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 ++Output = "lorem ipsum" ++ ++# positive test with 11 byte long value and zero truncated ciphertext ++Availablein = default ++Decrypt = RSA-2048-2 ++Input = 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 ++Output = "lorem ipsum" ++ ++# positive test with 11 byte long value and double zero padded ciphertext ++Availablein = default ++Decrypt = RSA-2048-2 ++Input = 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 ++Output = "lorem ipsum" ++ ++# positive test with 11 byte long value and double zero truncated ciphertext ++Availablein = default ++Decrypt = RSA-2048-2 ++Input = 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 ++Output = "lorem ipsum" ++ ++# positive that generates a 0 byte long synthethic message internally ++Availablein = default ++Decrypt = RSA-2048-2 ++Input = 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 ++Output = "lorem ipsum" ++ ++# positive that generates a 245 byte long synthethic message internally ++Availablein = default ++Decrypt = RSA-2048-2 ++Input = 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 ++Output = "lorem ipsum" ++ ++Availablein = default ++# a random negative test that generates an 11 byte long message ++Decrypt = RSA-2048-2 ++Input = 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 ++Output = af9ac70191c92413cb9f2d ++ ++Availablein = default ++# an otherwise correct plaintext, but with wrong first byte ++# (0x01 instead of 0x00), generates a random 11 byte long plaintext ++Decrypt = RSA-2048-2 ++Input = 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 ++Output = a1f8c9255c35cfba403ccc ++ ++Availablein = default ++# an otherwise correct plaintext, but with wrong second byte ++# (0x01 instead of 0x02), generates a random 11 byte long plaintext ++Decrypt = RSA-2048-2 ++Input = 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 ++Output = e6d700309ca0ed62452254 ++ ++Availablein = default ++# an invalid ciphertext, with a zero byte in 
first byte of ++# ciphertext, decrypts to a random 11 byte long synthethic ++# plaintext ++Decrypt = RSA-2048-2 ++Input = 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 ++Output = ba27b1842e7c21c0e7ef6a ++ ++Availablein = default ++# an invalid ciphertext, with a zero byte removed from first byte of ++# ciphertext, decrypts to a random 11 byte long synthethic ++# plaintext ++Decrypt = RSA-2048-2 ++Input = 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 ++Output = ba27b1842e7c21c0e7ef6a ++ ++Availablein = default ++# an invalid ciphertext, with two zero bytes in first bytes of ++# ciphertext, decrypts to a random 11 byte long synthethic ++# plaintext ++Decrypt = RSA-2048-2 ++Input = 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 ++Output = d5cf555b1d6151029a429a ++ ++Availablein = default ++# an invalid ciphertext, with two zero bytes removed from first bytes of ++# ciphertext, decrypts to a random 11 byte long synthethic ++# plaintext ++Decrypt = RSA-2048-2 ++Input = 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 ++Output = d5cf555b1d6151029a429a ++ ++Availablein = default ++# and invalid ciphertext, otherwise valid but starting with 000002, decrypts ++# to random 11 byte long synthethic plaintext ++Decrypt = RSA-2048-2 ++Input = 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 ++Output = 3d4a054d9358209e9cbbb9 ++ ++Availablein = default ++# negative test with otherwise valid padding but a zero byte in first byte ++# of padding ++Decrypt = RSA-2048-2 ++Input = 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 ++Output = 1f037dd717b07d3e7f7359 ++ ++Availablein = default ++# negative test with otherwise valid padding but a zero byte at the eigth ++# byte of padding ++Decrypt = RSA-2048-2 ++Input = 
a7a340675a82c30e22219a55bc07cdf36d47d01834c1834f917f18b517419ce9de2a96460e745024436470ed85e94297b283537d52189c406a3f533cb405cc6a9dba46b482ce98b6e3dd52d8fce2237425617e38c11fbc46b61897ef200d01e4f25f5f6c4c5b38cd0de38ba11908b86595a8036a08a42a3d05b79600a97ac18ba368a08d6cf6ccb624f6e8002afc75599fba4de3d4f3ba7d208391ebe8d21f8282b18e2c10869eb2702e68f9176b42b0ddc9d763f0c86ba0ff92c957aaeab76d9ab8da52ea297ec11d92d770146faa1b300e0f91ef969b53e7d2907ffc984e9a9c9d11fb7d6cba91972059b46506b035efec6575c46d7114a6b935864858445f ++Output = 63cb0bf65fc8255dd29e17 ++ ++Availablein = default ++# negative test with an otherwise valid plaintext but with missing separator ++# byte ++Decrypt = RSA-2048-2 ++Input = 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 ++Output = 6f09a0b62699337c497b0b ++ ++# Test vectors for the Bleichenbacher workaround (2049 bit key size) ++ ++PrivateKey = RSA-2049 ++-----BEGIN RSA PRIVATE KEY----- ++MIIEpQIBAAKCAQEBVfiJVWoXdfHHp3hqULGLwoyemG7eVmfKs5uEEk6Q66dcHbCD ++rD5EO7qU3CNWD3XjqBaToqQ73HQm2MTq/mjIXeD+dX9uSbue1EfmAkMIANuwTOsi ++5/pXoY0zj7ZgJs20Z+cMwEDn02fvQDx78ePfYkZQCUYx8h6v0vtbyRX/BDeazRES ++9zLAtGYHwXjTiiD1LtpQny+cBAXVEGnoDM+UFVTQRwRnUFw89UHqCJffyfQAzssp ++j/x1M3LZ9pM68XTMQO2W1GcDFzO5f4zd0/krw6A+qFdsQX8kAHteT3UBEFtUTen6 ++3N/635jftLsFuBmfP4Ws/ZH3qaCUuaOD9QSQlwIDAQABAoIBAQEZwrP1CnrWFSZ5 ++1/9RCVisLYym8AKFkvMy1VoWc2F4qOZ/F+cFzjAOPodUclEAYBP5dNCj20nvNEyl ++omo0wEUHBNDkIuDOI6aUJcFf77bybhBu7/ZMyLnXRC5NpOjIUAjq6zZYWaIpT6OT ++e8Jr5WMy59geLBYO9jXMUoqnvlXmM6cj28Hha6KeUrKa7y+eVlT9wGZrsPwlSsvo ++DmOHTw9fAgeC48nc/CUg0MnEp7Y05FA/u0k+Gq/us/iL16EzmHJdrm/jmed1zV1M ++8J/IODR8TJjasaSIPM5iBRNhWvqhCmM2jm17ed9BZqsWJznvUVpEAu4eBgHFpVvH ++HfDjDt+BAoGBAYj2k2DwHhjZot4pUlPSUsMeRHbOpf97+EE99/3jVlI83JdoBfhP ++wN3sdw3wbO0GXIETSHVLNGrxaXVod/07PVaGgsh4fQsxTvasZ9ZegTM5i2Kgg8D4 ++dlxa1A1agfm73OJSftfpUAjLECnLTKvR+em+38KGyWVSJV2n6rGSF473AoGBAN7H ++zxHa3oOkxD0vgBl/If1dRv1XtDH0T+gaHeN/agkf/ARk7ZcdyFCINa3mzF9Wbzll ++YTqLNnmMkubiP1LvkH6VZ+NBvrxTNxiWJfu+qx87ez+S/7JoHm71p4SowtePfC2J 
++qqok0s7b0GaBz+ZcNse/o8W6E1FiIi71wukUyYNhAoGAEgk/OnPK7dkPYKME5FQC +++HGrMsjJVbCa9GOjvkNw8tVYSpq7q2n9sDHqRPmEBl0EYehAqyGIhmAONxVUbIsL ++ha0m04y0MI9S0H+ZRH2R8IfzndNAONsuk46XrQU6cfvtZ3Xh3IcY5U5sr35lRn2c ++ut3H52XIWJ4smN/cJcpOyoECgYEAjM5hNHnPlgj392wkXPkbtJXWHp3mSISQVLTd ++G0MW8/mBQg3AlXi/eRb+RpHPrppk5jQLhgMjRSPyXXe2amb8PuWTqfGN6l32PtX3 ++3+udILpppb71Wf+w7JTbcl9v9uq7o9SVR8DKdPA+AeweSQ0TmqCnlHuNZizOSjwP ++G16GF0ECgYEA+ZWbNMS8qM5IiHgbMbHptdit9dDT4+1UXoNn0/hUW6ZEMriHMDXv ++iBwrzeANGAn5LEDYeDe1xPms9Is2uNxTpZVhpFZSNALR6Po68wDlTJG2PmzuBv5t ++5mbzkpWCoD4fRU53ifsHgaTW+7Um74gWIf0erNIUZuTN2YrtEPTnb3k= ++-----END RSA PRIVATE KEY----- ++ ++# corresponding public key ++PublicKey = RSA-2049-PUBLIC ++-----BEGIN PUBLIC KEY----- ++MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEBVfiJVWoXdfHHp3hqULGL ++woyemG7eVmfKs5uEEk6Q66dcHbCDrD5EO7qU3CNWD3XjqBaToqQ73HQm2MTq/mjI ++XeD+dX9uSbue1EfmAkMIANuwTOsi5/pXoY0zj7ZgJs20Z+cMwEDn02fvQDx78ePf ++YkZQCUYx8h6v0vtbyRX/BDeazRES9zLAtGYHwXjTiiD1LtpQny+cBAXVEGnoDM+U ++FVTQRwRnUFw89UHqCJffyfQAzsspj/x1M3LZ9pM68XTMQO2W1GcDFzO5f4zd0/kr ++w6A+qFdsQX8kAHteT3UBEFtUTen63N/635jftLsFuBmfP4Ws/ZH3qaCUuaOD9QSQ ++lwIDAQAB ++-----END PUBLIC KEY----- ++ ++PrivPubKeyPair = RSA-2049:RSA-2049-PUBLIC ++ ++# RSA decrypt ++ ++Availablein = default ++# malformed that generates length specified by 3rd last value from PRF ++Decrypt = RSA-2049 ++Input = 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 ++Output = 42 ++ ++# simple positive test case ++Availablein = default ++Decrypt = RSA-2049 ++Input = 
013300edbf0bb3571e59889f7ed76970bf6d57e1c89bbb6d1c3991d9df8e65ed54b556d928da7d768facb395bbcc81e9f8573b45cf8195dbd85d83a59281cddf4163aec11b53b4140053e3bd109f787a7c3cec31d535af1f50e0598d85d96d91ea01913d07097d25af99c67464ebf2bb396fb28a9233e56f31f7e105d71a23e9ef3b736d1e80e713d1691713df97334779552fc94b40dd733c7251bc522b673d3ec9354af3dd4ad44fa71c0662213a57ada1d75149697d0eb55c053aaed5ffd0b815832f454179519d3736fb4faf808416071db0d0f801aca8548311ee708c131f4be658b15f6b54256872c2903ac708bd43b017b073b5707bc84c2cd9da70e967 ++Output = "lorem ipsum" ++ ++# positive test case with null padded ciphertext ++Availablein = default ++Decrypt = RSA-2049 ++Input = 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 ++Output = "lorem ipsum" ++ ++# positive test case with null truncated ciphertext ++Availablein = default ++Decrypt = RSA-2049 ++Input = 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 ++Output = "lorem ipsum" ++ ++# positive test case with double null padded ciphertext ++Availablein = default ++Decrypt = RSA-2049 ++Input = 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 ++Output = "lorem ipsum" ++ ++# positive test case with double null truncated ciphertext ++Availablein = default ++Decrypt = RSA-2049 ++Input = f36da3b72d8ff6ded74e7efd08c01908f3f5f0de7b55eab92b5f875190809c39d4162e1e6649618f854fd84aeab03970d16bb814e999852c06de38d82b95c0f32e2a7b5714021fe303389be9c0eac24c90a6b7210f929d390fabf903d44e04110bb7a7fd6c383c275804721efa6d7c93aa64c0bb2b18d97c5220a846c66a4895ae52adddbe2a9996825e013585adcec4b32ba61d782737bd343e5fabd68e8a95b8b1340318559860792dd70dffbe05a1052b54cbfb48cfa7bb3c19cea52076bddac5c25ee276f153a610f6d06ed696d192d8ae4507ffae4e5bdda10a625d6b67f32f7cffcd48dee2431fe66f6105f9d17e611cdcc674868e81692a360f4052 ++Output = "lorem ipsum" ++ ++Availablein = default ++# a random negative test case that generates an 11 byte long message ++Decrypt = RSA-2049 ++Input = 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 ++Output = 1189b6f5498fd6df532b00 ++ 
++Availablein = default ++# otherwise correct plaintext, but with wrong first byte (0x01 instead of 0x00) ++Decrypt = RSA-2049 ++Input = 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 ++Output = f6d0f5b78082fe61c04674 ++ ++Availablein = default ++# otherwise correct plaintext, but with wrong second byte (0x01 instead of 0x02) ++Decrypt = RSA-2049 ++Input = 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 ++Output = 1ab287fcef3ff17067914d ++ ++# RSA decrypt with 3072 bit keys ++PrivateKey = RSA-3072 ++-----BEGIN RSA PRIVATE KEY----- ++MIIG5AIBAAKCAYEAr9ccqtXp9bjGw2cHCkfxnX5mrt4YpbJ0H7PE0zQ0VgaSotkJ ++72iI7GAv9rk68ljudDA8MBr81O2+xDMR3cjdvwDdu+OG0zuNDiKxtEk23EiYcbhS ++N7NM50etj9sMTk0dqnqt8HOFxchzLMt9Wkni5QyIPH16wQ7Wp02ayQ35EpkFoX1K ++CHIQ/Hi20EseuWlILBGm7recUOWxbz8lT3VxUosvFxargW1uygcnveqYBZMpcw64 ++wzznHWHdSsOTtiVuB6wdEk8CANHD4FpMG8fx7S/IPlcZnP5ZCLEAh+J/vZfSwkIU ++YZxxR8j778o5vCVnYqaCNTH34jTWjq56DZ+vEN0V6VI3gMfVrlgJStUlqQY7TDP5 ++XhAG2i6xLTdDaJSVwfICPkBzU8XrPkyhxIz/gaEJANFIIOuAGvTxpZbEuc6aUx/P ++ilTZ/9ckJYtu7CAQjfb9/XbUrgO6fqWY3LDkooCElYcob01/JWzoXl61Z5sdrMH5 ++CVZJty5foHKusAN5AgMBAAECggGAJRfqyzr+9L/65gOY35lXpdKhVKgzaNjhWEKy ++9Z7gn3kZe9LvHprdr4eG9rQSdEdAXjBCsh8vULeqc3cWgMO7y2wiWl1f9rVsRxwY ++gqCjOwrxZaPtbCSdx3g+a8dYrDfmVy0z/jJQeO2VJlDy65YEkC75mlEaERnRPE/J ++pDoXXc37+xoUAP4XCTtpzTzbiV9lQy6iGV+QURxzNrWKaF2s/y2vTF6S5WWxZlrm ++DlErqplluAjV/xGc63zWksv5IAZ6+s2An2a+cG2iaBCseQ2xVslI5v5YG8mEkVf0 ++2kk/OmSwxuEZ4DGxB/hDbOKRYLRYuPnxCV/esZJjOE/1OHVXvE8QtANN6EFwO60s ++HnacI4U+tjCjbRBh3UbipruvdDqX8LMsNvUMGjci3vOjlNkcLgeL8J15Xs3l5WuC ++Avl0Am91/FbpoN1qiPLny3jvEpjMbGUgfKRb03GIgHtPzbHmDdjluFZI+376i2/d ++RI85dBqNmAn+Fjrz3kW6wkpahByBAoHBAOSj2DDXPosxxoLidP/J/RKsMT0t0FE9 ++UFcNt+tHYv6hk+e7VAuUqUpd3XQqz3P13rnK4xvSOsVguyeU/WgmH4ID9XGSgpBP ++Rh6s7izn4KAJeqfI26vTPxvyaZEqB4JxT6k7SerENus95zSn1v/f2MLBQ16EP8cJ +++QSOVCoZfEhUK+srherQ9eZKpj0OwBUrP4VhLdymv96r8xddWX1AVj4OBi2RywKI ++gAgv6fjwkb292jFu6x6FjKRNKwKK6c3jqQKBwQDE4c0Oz0KYYV4feJun3iL9UJSv 
++StGsKVDuljA4WiBAmigMZTii/u0DFEjibiLWcJOnH53HTr0avA6c6D1nCwJ2qxyF ++rHNN2L+cdMx/7L1zLR11+InvRgpIGbpeGwHeIzJVUYG3b6llRJMZimBvAMr9ipM1 ++bkVvIjt1G9W1ypeuKzm6d/t8F0yC7AIYZWDV4nvxiiY8whLZzGawHR2iZz8pfUwb ++7URbTvxdsGE27Kq9gstU0PzEJpnU1goCJ7/gA1ECgcBA8w5B6ZM5xV0H5z6nPwDm ++IgYmw/HucgV1hU8exfuoK8wxQvTACW4B0yJKkrK11T1899aGG7VYRn9D4j4OLO48 ++Z9V8esseJXbc1fEezovvymGOci984xiFXtqAQzk44+lmQJJh33VeZApe2eLocvVH ++ddEmc1kOuJWFpszf3LeCcG69cnKrXsrLrZ8Frz//g3aa9B0sFi5hGeWHWJxISVN2 ++c1Nr9IN/57i/GqVTcztjdCAcdM7Tr8phDg7OvRlnxGkCgcEAuYhMFBuulyiSaTff ++/3ZvJKYOJ45rPkEFGoD/2ercn+RlvyCYGcoAEjnIYVEGlWwrSH+b0NlbjVkQsD6O ++to8CeE/RpgqX8hFCqC7NE/RFp8cpDyXy3j/zqnRMUyhCP1KNuScBBZs9V8gikxv6 ++ukBWCk3PYbeTySHKRBbB8vmCrMfhM96jaBIQsQO1CcZnVceDo1/bnsAIwaREVMxr ++Q8LmG7QOx/Z0x1MMsUFoqzilwccC09/JgxMZPh+h+Nv6jiCxAoHBAOEqQgFAfSdR ++ya60LLH55q803NRFMamuKiPbVJLzwiKfbjOiiopmQOS/LxxqIzeMXlYV4OsSvxTo ++G7mcTOFRtU5hKCK+t8qeQQpa/dsMpiHllwArnRyBjIVgL5lFKRpHUGLsavU/T1IH ++mtgaxZo32dXvcAh1+ndCHVBwbHTOF4conA+g+Usp4bZSSWn5nU4oIizvSVpG7SGe ++0GngdxH9Usdqbvzcip1EKeHRTZrHIEYmB+x0LaRIB3dwZNidK3TkKw== ++-----END RSA PRIVATE KEY----- ++ ++PublicKey = RSA-3072-PUBLIC ++-----BEGIN PUBLIC KEY----- ++MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAr9ccqtXp9bjGw2cHCkfx ++nX5mrt4YpbJ0H7PE0zQ0VgaSotkJ72iI7GAv9rk68ljudDA8MBr81O2+xDMR3cjd ++vwDdu+OG0zuNDiKxtEk23EiYcbhSN7NM50etj9sMTk0dqnqt8HOFxchzLMt9Wkni ++5QyIPH16wQ7Wp02ayQ35EpkFoX1KCHIQ/Hi20EseuWlILBGm7recUOWxbz8lT3Vx ++UosvFxargW1uygcnveqYBZMpcw64wzznHWHdSsOTtiVuB6wdEk8CANHD4FpMG8fx ++7S/IPlcZnP5ZCLEAh+J/vZfSwkIUYZxxR8j778o5vCVnYqaCNTH34jTWjq56DZ+v ++EN0V6VI3gMfVrlgJStUlqQY7TDP5XhAG2i6xLTdDaJSVwfICPkBzU8XrPkyhxIz/ ++gaEJANFIIOuAGvTxpZbEuc6aUx/PilTZ/9ckJYtu7CAQjfb9/XbUrgO6fqWY3LDk ++ooCElYcob01/JWzoXl61Z5sdrMH5CVZJty5foHKusAN5AgMBAAE= ++-----END PUBLIC KEY----- ++ ++PrivPubKeyPair = RSA-3072:RSA-3072-PUBLIC ++ ++Availablein = default ++# a random invalid ciphertext that generates an empty synthethic one ++Decrypt = RSA-3072 ++Input = 
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 ++Output = ++ ++Availablein = default ++# a random invalid that has PRF output with a length one byte too long ++# in the last value ++Decrypt = RSA-3072 ++Input = 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 ++Output = 56a3bea054e01338be9b7d7957539c ++ ++Availablein = default ++# a random invalid that generates a synthethic of maximum size ++Decrypt = RSA-3072 ++Input = 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 ++Output = 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 ++ ++# a positive test case that decrypts to 9 byte long value ++Availablein = default ++Decrypt = RSA-3072 ++Input = 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 ++Output = "forty two" ++ ++# a positive test case with null padded ciphertext ++Availablein = default ++Decrypt = RSA-3072 ++Input = 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 ++Output = "forty two" ++ ++# a positive test case with null truncated ciphertext ++Availablein = default ++Decrypt = RSA-3072 ++Input = 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 ++Output = "forty two" ++ ++# a positive test case with double null padded ciphertext ++Availablein = default ++Decrypt = RSA-3072 ++Input = 
00001ec97ac981dfd9dcc7a7389fdfa9d361141dac80c23a060410d472c16094e6cdffc0c3684d84aa402d7051dfccb2f6da33f66985d2a259f5b7fbf39ac537e95c5b7050eb18844a0513abef812cc8e74a3c5240009e6e805dcadf532bc1a2702d5acc9e585fad5b89d461fcc1397351cdce35171523758b171dc041f412e42966de7f94856477356d06f2a6b40e3ff0547562a4d91bbf1338e9e049facbee8b20171164505468cd308997447d3dc4b0acb49e7d368fedd8c734251f30a83491d2506f3f87318cc118823244a393dc7c5c739a2733d93e1b13db6840a9429947357f47b23fbe39b7d2d61e5ee26f9946c4632f6c4699e452f412a26641d4751135400713cd56ec66f0370423d55d2af70f5e7ad0adea8e4a0d904a01e4ac272eba4af1a029dd53eb71f115bf31f7a6c8b19a6523adeecc0d4c3c107575e38572a8f8474ccad163e46e2e8b08111132aa97a16fb588c9b7e37b3b3d7490381f3c55d1a9869a0fd42cd86fed59ecec78cb6b2dfd06a497f5afe3419691314ba0 ++Output = "forty two" ++ ++# a positive test case with double null truncated ciphertext ++Availablein = default ++Decrypt = RSA-3072 ++Input = 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 ++Output = "forty two" ++ ++Availablein = default ++# a random negative test case that generates a 9 byte long message ++Decrypt = RSA-3072 ++Input = 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 ++Output = 257906ca6de8307728 ++ ++Availablein = default ++# a random negative test case that generates a 9 byte long message based on ++# second to last value from PRF ++Decrypt = RSA-3072 ++Input = 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 ++Output = 043383c929060374ed ++ ++Availablein = default ++# a random negative test that generates message based on 3rd last value from ++# PRF ++Decrypt = RSA-3072 ++Input = 
7b22d5e62d287968c6622171a1f75db4b0fd15cdf3134a1895d235d56f8d8fe619f2bf4868174a91d7601a82975d2255190d28b869141d7c395f0b8c4e2be2b2c1b4ffc12ce749a6f6803d4cfe7fba0a8d6949c04151f981c0d84592aa2ff25d1bd3ce5d10cb03daca6b496c6ad40d30bfa8acdfd02cdb9326c4bdd93b949c9dc46caa8f0e5f429785bce64136a429a3695ee674b647452bea1b0c6de9c5f1e8760d5ef6d5a9cfff40457b023d3c233c1dcb323e7808103e73963b2eafc928c9eeb0ee3294955415c1ddd9a1bb7e138fecd79a3cb89c57bd2305524624814aaf0fd1acbf379f7f5b39421f12f115ba488d380586095bb53f174fae424fa4c8e3b299709cd344b9f949b1ab57f1c645d7ed3c8f81d5594197355029fee8960970ff59710dc0e5eb50ea6f4c3938e3f89ed7933023a2c2ddffaba07be147f686828bd7d520f300507ed6e71bdaee05570b27bc92741108ac2eb433f028e138dd6d63067bc206ea2d826a7f41c0d613daed020f0f30f4e272e9618e0a8c39018a83 ++Output = 70263fa6050534b9e0 ++ ++Availablein = default ++# an otherwise valid plaintext, but with wrong first byte (0x01 instead of 0x00) ++Decrypt = RSA-3072 ++Input = 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 ++Output = 6d8d3a094ff3afff4c ++ ++Availablein = default ++# an otherwise valid plaintext, but with wrong second byte (0x01 instead of 0x02) ++Decrypt = RSA-3072 ++Input = 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 ++Output = c6ae80ffa80bc184b0 ++ ++Availablein = default ++# an otherwise valid plaintext, but with zero byte in first byte of padding ++Decrypt = RSA-3072 ++Input = 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 ++Output = a8a9301daa01bb25c7 ++ ++Availablein = default ++# an otherwise valid plaintext, but with zero byte in eight byte of padding ++Decrypt = RSA-3072 ++Input = 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 ++Output = 6c716fe01d44398018 ++ ++Availablein = default ++# an otherwise valid plaintext, but with null separator missing ++Decrypt = RSA-3072 ++Input = 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 ++Output = aa2de6cde4e2442884 ++ + # RSA PSS key tests + + # PSS only key, no parameter restrictions 
diff --git a/SOURCES/0122-CVE-2023-2650.patch b/SOURCES/0122-CVE-2023-2650.patch
new file mode 100644
index 0000000..ba56969
--- /dev/null
+++ b/SOURCES/0122-CVE-2023-2650.patch
@@ -0,0 +1,30 @@
+diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c
+index 01cde00e98..c0e55197a0 100644
+--- a/crypto/objects/obj_dat.c
++++ b/crypto/objects/obj_dat.c
+@@ -443,6 +443,25 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
+ first = 1;
+ bl = NULL;
+
++ /*
++ * RFC 2578 (STD 58) says this about OBJECT IDENTIFIERs:
++ *
++ * > 3.5. OBJECT IDENTIFIER values
++ * >
++ * > An OBJECT IDENTIFIER value is an ordered list of non-negative
++ * > numbers. For the SMIv2, each number in the list is referred to as a
++ * > sub-identifier, there are at most 128 sub-identifiers in a value,
++ * > and each sub-identifier has a maximum value of 2^32-1 (4294967295
++ * > decimal).
++ *
++ * So a legitimate OID according to this RFC is at most (32 * 128 / 7),
++ * i.e. 586 bytes long.
++ *
++ * Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
++ */
++ if (len > 586)
++ goto err;
++
+ while (len > 0) {
+ l = 0;
+ use_bn = 0;
diff --git a/SOURCES/0123-ibmca-atexit-crash.patch b/SOURCES/0123-ibmca-atexit-crash.patch
new file mode 100644
index 0000000..893e598
--- /dev/null
+++ b/SOURCES/0123-ibmca-atexit-crash.patch
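Review bot: The patch file carries no provenance header — no From/Subject line, no CVE reference in the body and no `Upstream-Status: Backport [<commit>]` trailer like the one 0129 in this series has — so the only link to CVE-2023-2650 is the file name. Add a header naming the CVE and the upstream commit the hunk was taken from, and one sentence noting that the new `if (len > 586) goto err;` guard makes OBJ_obj2txt fail for OIDs that are valid under X.680 but exceed the RFC 2578 SMIv2 bound, since that is a visible behaviour change for callers that print unusual OIDs. The `err:` label and the rest of OBJ_obj2txt are outside the hunk, so what the caller sees on that path cannot be checked here.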
@@ -0,0 +1,244 @@ +diff --git a/crypto/context.c b/crypto/context.c +index bdfc4d02a3f0..548665fba265 100644 +--- a/crypto/context.c ++++ b/crypto/context.c +@@ -15,6 +15,7 @@ + #include "internal/bio.h" + #include "internal/provider.h" + #include "crypto/ctype.h" ++#include "crypto/rand.h" + + # include + # include +@@ -271,6 +272,20 @@ OSSL_LIB_CTX *OSSL_LIB_CTX_set0_default(OSSL_LIB_CTX *libctx) + + return NULL; + } ++ ++void ossl_release_default_drbg_ctx(void) ++{ ++ int dynidx = default_context_int.dyn_indexes[OSSL_LIB_CTX_DRBG_INDEX]; ++ ++ /* early release of the DRBG in global default libctx, no locking */ ++ if (dynidx != -1) { ++ void *data; ++ ++ data = CRYPTO_get_ex_data(&default_context_int.data, dynidx); ++ ossl_rand_ctx_free(data); ++ CRYPTO_set_ex_data(&default_context_int.data, dynidx, NULL); ++ } ++} + #endif + + OSSL_LIB_CTX *ossl_lib_ctx_get_concrete(OSSL_LIB_CTX *ctx) +diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c +index c453d3226133..f341d915db76 100644 +--- a/crypto/rand/rand_lib.c ++++ b/crypto/rand/rand_lib.c +@@ -96,6 +96,7 @@ void ossl_rand_cleanup_int(void) + CRYPTO_THREAD_lock_free(rand_meth_lock); + rand_meth_lock = NULL; + # endif ++ ossl_release_default_drbg_ctx(); + rand_inited = 0; + } + +@@ -469,7 +470,7 @@ static void *rand_ossl_ctx_new(OSSL_LIB_CTX *libctx) + return NULL; + } + +-static void rand_ossl_ctx_free(void *vdgbl) ++void ossl_rand_ctx_free(void *vdgbl) + { + RAND_GLOBAL *dgbl = vdgbl; + +@@ -494,7 +495,7 @@ static void rand_ossl_ctx_free(void *vdgbl) + static const OSSL_LIB_CTX_METHOD rand_drbg_ossl_ctx_method = { + OSSL_LIB_CTX_METHOD_PRIORITY_2, + rand_ossl_ctx_new, +- rand_ossl_ctx_free, ++ ossl_rand_ctx_free, + }; + + static RAND_GLOBAL *rand_get_global(OSSL_LIB_CTX *libctx) +diff --git a/engines/e_dasync.c b/engines/e_dasync.c +index 5a303a9f8528..7974106ae219 100644 +--- a/engines/e_dasync.c ++++ b/engines/e_dasync.c +@@ -139,6 +139,14 @@ static int dasync_aes128_cbc_cipher(EVP_CIPHER_CTX *ctx, 
unsigned char *out, + const unsigned char *in, size_t inl); + static int dasync_aes128_cbc_cleanup(EVP_CIPHER_CTX *ctx); + ++static int dasync_aes256_ctr_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, ++ void *ptr); ++static int dasync_aes256_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, ++ const unsigned char *iv, int enc); ++static int dasync_aes256_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, ++ const unsigned char *in, size_t inl); ++static int dasync_aes256_ctr_cleanup(EVP_CIPHER_CTX *ctx); ++ + static int dasync_aes128_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, + int arg, void *ptr); + static int dasync_aes128_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX *ctx, +@@ -171,6 +179,12 @@ static const EVP_CIPHER *dasync_aes_128_cbc(void) + return _hidden_aes_128_cbc; + } + ++static EVP_CIPHER *_hidden_aes_256_ctr = NULL; ++static const EVP_CIPHER *dasync_aes_256_ctr(void) ++{ ++ return _hidden_aes_256_ctr; ++} ++ + /* + * Holds the EVP_CIPHER object for aes_128_cbc_hmac_sha1 in this engine. Set up + * once only during engine bind and can then be reused many times. 
+@@ -192,8 +206,10 @@ static const EVP_CIPHER *dasync_aes_128_cbc_hmac_sha1(void) + static void destroy_ciphers(void) + { + EVP_CIPHER_meth_free(_hidden_aes_128_cbc); ++ EVP_CIPHER_meth_free(_hidden_aes_256_ctr); + EVP_CIPHER_meth_free(_hidden_aes_128_cbc_hmac_sha1); + _hidden_aes_128_cbc = NULL; ++ _hidden_aes_256_ctr = NULL; + _hidden_aes_128_cbc_hmac_sha1 = NULL; + } + +@@ -202,6 +218,7 @@ static int dasync_ciphers(ENGINE *e, const EVP_CIPHER **cipher, + + static int dasync_cipher_nids[] = { + NID_aes_128_cbc, ++ NID_aes_256_ctr, + NID_aes_128_cbc_hmac_sha1, + 0 + }; +@@ -284,6 +301,30 @@ static int bind_dasync(ENGINE *e) + _hidden_aes_128_cbc = NULL; + } + ++ _hidden_aes_256_ctr = EVP_CIPHER_meth_new(NID_aes_256_ctr, ++ 1 /* block size */, ++ 32 /* key len */); ++ if (_hidden_aes_256_ctr == NULL ++ || !EVP_CIPHER_meth_set_iv_length(_hidden_aes_256_ctr,16) ++ || !EVP_CIPHER_meth_set_flags(_hidden_aes_256_ctr, ++ EVP_CIPH_FLAG_DEFAULT_ASN1 ++ | EVP_CIPH_CTR_MODE ++ | EVP_CIPH_FLAG_PIPELINE ++ | EVP_CIPH_CUSTOM_COPY) ++ || !EVP_CIPHER_meth_set_init(_hidden_aes_256_ctr, ++ dasync_aes256_init_key) ++ || !EVP_CIPHER_meth_set_do_cipher(_hidden_aes_256_ctr, ++ dasync_aes256_ctr_cipher) ++ || !EVP_CIPHER_meth_set_cleanup(_hidden_aes_256_ctr, ++ dasync_aes256_ctr_cleanup) ++ || !EVP_CIPHER_meth_set_ctrl(_hidden_aes_256_ctr, ++ dasync_aes256_ctr_ctrl) ++ || !EVP_CIPHER_meth_set_impl_ctx_size(_hidden_aes_256_ctr, ++ sizeof(struct dasync_pipeline_ctx))) { ++ EVP_CIPHER_meth_free(_hidden_aes_256_ctr); ++ _hidden_aes_256_ctr = NULL; ++ } ++ + _hidden_aes_128_cbc_hmac_sha1 = EVP_CIPHER_meth_new( + NID_aes_128_cbc_hmac_sha1, + 16 /* block size */, +@@ -445,6 +486,9 @@ static int dasync_ciphers(ENGINE *e, const EVP_CIPHER **cipher, + case NID_aes_128_cbc: + *cipher = dasync_aes_128_cbc(); + break; ++ case NID_aes_256_ctr: ++ *cipher = dasync_aes_256_ctr(); ++ break; + case NID_aes_128_cbc_hmac_sha1: + *cipher = dasync_aes_128_cbc_hmac_sha1(); + break; +@@ -779,6 +823,29 @@ 
static int dasync_aes128_cbc_cleanup(EVP_CIPHER_CTX *ctx) + return dasync_cipher_cleanup_helper(ctx, EVP_aes_128_cbc()); + } + ++static int dasync_aes256_ctr_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, ++ void *ptr) ++{ ++ return dasync_cipher_ctrl_helper(ctx, type, arg, ptr, 0, EVP_aes_256_ctr()); ++} ++ ++static int dasync_aes256_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, ++ const unsigned char *iv, int enc) ++{ ++ return dasync_cipher_init_key_helper(ctx, key, iv, enc, EVP_aes_256_ctr()); ++} ++ ++static int dasync_aes256_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, ++ const unsigned char *in, size_t inl) ++{ ++ return dasync_cipher_helper(ctx, out, in, inl, EVP_aes_256_ctr()); ++} ++ ++static int dasync_aes256_ctr_cleanup(EVP_CIPHER_CTX *ctx) ++{ ++ return dasync_cipher_cleanup_helper(ctx, EVP_aes_256_ctr()); ++} ++ + + /* + * AES128 CBC HMAC SHA1 Implementation +diff --git a/include/crypto/rand.h b/include/crypto/rand.h +index 6a71a339c812..165deaf95c5e 100644 +--- a/include/crypto/rand.h ++++ b/include/crypto/rand.h +@@ -125,4 +125,5 @@ void ossl_rand_cleanup_nonce(ossl_unused const OSSL_CORE_HANDLE *handle, + size_t ossl_pool_acquire_entropy(RAND_POOL *pool); + int ossl_pool_add_nonce_data(RAND_POOL *pool); + ++void ossl_rand_ctx_free(void *vdgbl); + #endif +diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h +index 1291299b6e50..934d4b089c20 100644 +--- a/include/internal/cryptlib.h ++++ b/include/internal/cryptlib.h +@@ -199,6 +199,8 @@ int ossl_lib_ctx_run_once(OSSL_LIB_CTX *ctx, unsigned int idx, + int ossl_lib_ctx_onfree(OSSL_LIB_CTX *ctx, ossl_lib_ctx_onfree_fn onfreefn); + const char *ossl_lib_ctx_get_descriptor(OSSL_LIB_CTX *libctx); + ++void ossl_release_default_drbg_ctx(void); ++ + OSSL_LIB_CTX *ossl_crypto_ex_data_get_ossl_lib_ctx(const CRYPTO_EX_DATA *ad); + int ossl_crypto_new_ex_data_ex(OSSL_LIB_CTX *ctx, int class_index, void *obj, + CRYPTO_EX_DATA *ad); +diff --git a/test/recipes/05-test_rand.t 
b/test/recipes/05-test_rand.t +index 4da1e64cb6da..3f352db9df3a 100644 +--- a/test/recipes/05-test_rand.t ++++ b/test/recipes/05-test_rand.t +@@ -11,9 +11,30 @@ use warnings; + use OpenSSL::Test; + use OpenSSL::Test::Utils; + +-plan tests => 3; ++plan tests => 5; + setup("test_rand"); + + ok(run(test(["rand_test"]))); + ok(run(test(["drbgtest"]))); + ok(run(test(["rand_status_test"]))); ++ ++SKIP: { ++ skip "engine is not supported by this OpenSSL build", 2 ++ if disabled("engine") || disabled("dynamic-engine"); ++ ++ my $success; ++ my @randdata; ++ my $expected = '0102030405060708090a0b0c0d0e0f10'; ++ ++ @randdata = run(app(['openssl', 'rand', '-engine', 'ossltest', '-hex', '16' ]), ++ capture => 1, statusvar => \$success); ++ chomp(@randdata); ++ ok($success and $randdata[0] eq $expected, ++ "rand with ossltest: Check rand output is as expected"); ++ ++ @randdata = run(app(['openssl', 'rand', '-engine', 'dasync', '-hex', '16' ]), ++ capture => 1, statusvar => \$success); ++ chomp(@randdata); ++ ok($success and length($randdata[0]) == 32, ++ "rand with dasync: Check rand output is of expected length"); ++} diff --git a/SOURCES/0128-CVE-2023-5363.patch b/SOURCES/0128-CVE-2023-5363.patch new file mode 100644 index 0000000..8610da0 --- /dev/null +++ b/SOURCES/0128-CVE-2023-5363.patch 
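Review bot: `ossl_release_default_drbg_ctx` in context.c frees the default library context's DRBG state and clears its ex_data slot with only the remark "no locking", but nothing states the invariant that makes that safe; it is reached from `ossl_rand_cleanup_int`, so it presumably runs only during library teardown after other threads have stopped using RAND, and any RAND call after that point would now touch freed memory. I would expand the comment to `/* early release of the DRBG in the global default libctx; called only from ossl_rand_cleanup_int() at library teardown, when no other thread may still use RAND, hence no locking */`. The helper also relies on `ossl_rand_ctx_free` tolerating a NULL argument when the same slot is freed again by the normal ex_data teardown; that NULL check is in the body outside the hunk's context lines, so worth confirming. The dasync AES-256-CTR and 05-test_rand.t additions look like coverage for the engine RAND path rather than part of the fix, which the patch header should say.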
@@ -0,0 +1,318 @@ +diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c +index d2ed3fd378..6a819590e6 100644 +--- a/crypto/evp/evp_enc.c ++++ b/crypto/evp/evp_enc.c +@@ -223,6 +223,42 @@ static int evp_cipher_init_internal(EVP_CIPHER_CTX *ctx, + return 0; + } + ++#ifndef FIPS_MODULE ++ /* ++ * Fix for CVE-2023-5363 ++ * Passing in a size as part of the init call takes effect late ++ * so, force such to occur before the initialisation. ++ * ++ * The FIPS provider's internal library context is used in a manner ++ * such that this is not an issue. ++ */ ++ if (params != NULL) { ++ OSSL_PARAM param_lens[3] = { OSSL_PARAM_END, OSSL_PARAM_END, ++ OSSL_PARAM_END }; ++ OSSL_PARAM *q = param_lens; ++ const OSSL_PARAM *p; ++ ++ p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN); ++ if (p != NULL) ++ memcpy(q++, p, sizeof(*q)); ++ ++ /* ++ * Note that OSSL_CIPHER_PARAM_AEAD_IVLEN is a synomym for ++ * OSSL_CIPHER_PARAM_IVLEN so both are covered here. ++ */ ++ p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_IVLEN); ++ if (p != NULL) ++ memcpy(q++, p, sizeof(*q)); ++ ++ if (q != param_lens) { ++ if (!EVP_CIPHER_CTX_set_params(ctx, param_lens)) { ++ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_LENGTH); ++ return 0; ++ } ++ } ++ } ++#endif ++ + if (enc) { + if (ctx->cipher->einit == NULL) { + ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); +diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c +index cfffa21350..2318bf6a68 100644 +--- a/test/evp_extra_test.c ++++ b/test/evp_extra_test.c +@@ -4851,6 +4851,253 @@ static int test_ecx_not_private_key(int tst) + return options; + } + ++static int aes_gcm_encrypt(const unsigned char *gcm_key, size_t gcm_key_s, ++ const unsigned char *gcm_iv, size_t gcm_ivlen, ++ const unsigned char *gcm_pt, size_t gcm_pt_s, ++ const unsigned char *gcm_aad, size_t gcm_aad_s, ++ const unsigned char *gcm_ct, size_t gcm_ct_s, ++ const unsigned char *gcm_tag, size_t gcm_tag_s) ++{ ++ int ret = 0; ++ EVP_CIPHER_CTX *ctx; ++ EVP_CIPHER 
*cipher = NULL; ++ int outlen, tmplen; ++ unsigned char outbuf[1024]; ++ unsigned char outtag[16]; ++ OSSL_PARAM params[2] = { ++ OSSL_PARAM_END, OSSL_PARAM_END ++ }; ++ ++ if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new()) ++ || !TEST_ptr(cipher = EVP_CIPHER_fetch(testctx, "AES-256-GCM", ""))) ++ goto err; ++ ++ params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_AEAD_IVLEN, ++ &gcm_ivlen); ++ ++ if (!TEST_true(EVP_EncryptInit_ex2(ctx, cipher, gcm_key, gcm_iv, params)) ++ || (gcm_aad != NULL ++ && !TEST_true(EVP_EncryptUpdate(ctx, NULL, &outlen, ++ gcm_aad, gcm_aad_s))) ++ || !TEST_true(EVP_EncryptUpdate(ctx, outbuf, &outlen, ++ gcm_pt, gcm_pt_s)) ++ || !TEST_true(EVP_EncryptFinal_ex(ctx, outbuf, &tmplen))) ++ goto err; ++ ++ params[0] = OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, ++ outtag, sizeof(outtag)); ++ ++ if (!TEST_true(EVP_CIPHER_CTX_get_params(ctx, params)) ++ || !TEST_mem_eq(outbuf, outlen, gcm_ct, gcm_ct_s) ++ || !TEST_mem_eq(outtag, gcm_tag_s, gcm_tag, gcm_tag_s)) ++ goto err; ++ ++ ret = 1; ++err: ++ EVP_CIPHER_free(cipher); ++ EVP_CIPHER_CTX_free(ctx); ++ ++ return ret; ++} ++ ++static int aes_gcm_decrypt(const unsigned char *gcm_key, size_t gcm_key_s, ++ const unsigned char *gcm_iv, size_t gcm_ivlen, ++ const unsigned char *gcm_pt, size_t gcm_pt_s, ++ const unsigned char *gcm_aad, size_t gcm_aad_s, ++ const unsigned char *gcm_ct, size_t gcm_ct_s, ++ const unsigned char *gcm_tag, size_t gcm_tag_s) ++{ ++ int ret = 0; ++ EVP_CIPHER_CTX *ctx; ++ EVP_CIPHER *cipher = NULL; ++ int outlen; ++ unsigned char outbuf[1024]; ++ OSSL_PARAM params[2] = { ++ OSSL_PARAM_END, OSSL_PARAM_END ++ }; ++ ++ if ((ctx = EVP_CIPHER_CTX_new()) == NULL) ++ goto err; ++ ++ if ((cipher = EVP_CIPHER_fetch(testctx, "AES-256-GCM", "")) == NULL) ++ goto err; ++ ++ params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_AEAD_IVLEN, ++ &gcm_ivlen); ++ ++ if (!TEST_true(EVP_DecryptInit_ex2(ctx, cipher, gcm_key, gcm_iv, params)) ++ || (gcm_aad != NULL ++ && 
!TEST_true(EVP_DecryptUpdate(ctx, NULL, &outlen, ++ gcm_aad, gcm_aad_s))) ++ || !TEST_true(EVP_DecryptUpdate(ctx, outbuf, &outlen, ++ gcm_ct, gcm_ct_s)) ++ || !TEST_mem_eq(outbuf, outlen, gcm_pt, gcm_pt_s)) ++ goto err; ++ ++ params[0] = OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, ++ (void*)gcm_tag, gcm_tag_s); ++ ++ if (!TEST_true(EVP_CIPHER_CTX_set_params(ctx, params)) ++ ||!TEST_true(EVP_DecryptFinal_ex(ctx, outbuf, &outlen))) ++ goto err; ++ ++ ret = 1; ++err: ++ EVP_CIPHER_free(cipher); ++ EVP_CIPHER_CTX_free(ctx); ++ ++ return ret; ++} ++ ++static int test_aes_gcm_ivlen_change_cve_2023_5363(void) ++{ ++ /* AES-GCM test data obtained from NIST public test vectors */ ++ static const unsigned char gcm_key[] = { ++ 0xd0, 0xc2, 0x67, 0xc1, 0x9f, 0x30, 0xd8, 0x0b, 0x89, 0x14, 0xbb, 0xbf, ++ 0xb7, 0x2f, 0x73, 0xb8, 0xd3, 0xcd, 0x5f, 0x6a, 0x78, 0x70, 0x15, 0x84, ++ 0x8a, 0x7b, 0x30, 0xe3, 0x8f, 0x16, 0xf1, 0x8b, ++ }; ++ static const unsigned char gcm_iv[] = { ++ 0xb6, 0xdc, 0xda, 0x95, 0xac, 0x99, 0x77, 0x76, 0x25, 0xae, 0x87, 0xf8, ++ 0xa3, 0xa9, 0xdd, 0x64, 0xd7, 0x9b, 0xbd, 0x5f, 0x4a, 0x0e, 0x54, 0xca, ++ 0x1a, 0x9f, 0xa2, 0xe3, 0xf4, 0x5f, 0x5f, 0xc2, 0xce, 0xa7, 0xb6, 0x14, ++ 0x12, 0x6f, 0xf0, 0xaf, 0xfd, 0x3e, 0x17, 0x35, 0x6e, 0xa0, 0x16, 0x09, ++ 0xdd, 0xa1, 0x3f, 0xd8, 0xdd, 0xf3, 0xdf, 0x4f, 0xcb, 0x18, 0x49, 0xb8, ++ 0xb3, 0x69, 0x2c, 0x5d, 0x4f, 0xad, 0x30, 0x91, 0x08, 0xbc, 0xbe, 0x24, ++ 0x01, 0x0f, 0xbe, 0x9c, 0xfb, 0x4f, 0x5d, 0x19, 0x7f, 0x4c, 0x53, 0xb0, ++ 0x95, 0x90, 0xac, 0x7b, 0x1f, 0x7b, 0xa0, 0x99, 0xe1, 0xf3, 0x48, 0x54, ++ 0xd0, 0xfc, 0xa9, 0xcc, 0x91, 0xf8, 0x1f, 0x9b, 0x6c, 0x9a, 0xe0, 0xdc, ++ 0x63, 0xea, 0x7d, 0x2a, 0x4a, 0x7d, 0xa5, 0xed, 0x68, 0x57, 0x27, 0x6b, ++ 0x68, 0xe0, 0xf2, 0xb8, 0x51, 0x50, 0x8d, 0x3d, ++ }; ++ static const unsigned char gcm_pt[] = { ++ 0xb8, 0xb6, 0x88, 0x36, 0x44, 0xe2, 0x34, 0xdf, 0x24, 0x32, 0x91, 0x07, ++ 0x4f, 0xe3, 0x6f, 0x81, ++ }; ++ static const unsigned char gcm_ct[] = { ++ 
0xff, 0x4f, 0xb3, 0xf3, 0xf9, 0xa2, 0x51, 0xd4, 0x82, 0xc2, 0xbe, 0xf3, ++ 0xe2, 0xd0, 0xec, 0xed, ++ }; ++ static const unsigned char gcm_tag[] = { ++ 0xbd, 0x06, 0x38, 0x09, 0xf7, 0xe1, 0xc4, 0x72, 0x0e, 0xf2, 0xea, 0x63, ++ 0xdb, 0x99, 0x6c, 0x21, ++ }; ++ ++ return aes_gcm_encrypt(gcm_key, sizeof(gcm_key), gcm_iv, sizeof(gcm_iv), ++ gcm_pt, sizeof(gcm_pt), NULL, 0, ++ gcm_ct, sizeof(gcm_ct), gcm_tag, sizeof(gcm_tag)) ++ && aes_gcm_decrypt(gcm_key, sizeof(gcm_key), gcm_iv, sizeof(gcm_iv), ++ gcm_pt, sizeof(gcm_pt), NULL, 0, ++ gcm_ct, sizeof(gcm_ct), gcm_tag, sizeof(gcm_tag)); ++} ++ ++#ifndef OPENSSL_NO_RC4 ++static int rc4_encrypt(const unsigned char *rc4_key, size_t rc4_key_s, ++ const unsigned char *rc4_pt, size_t rc4_pt_s, ++ const unsigned char *rc4_ct, size_t rc4_ct_s) ++{ ++ int ret = 0; ++ EVP_CIPHER_CTX *ctx; ++ EVP_CIPHER *cipher = NULL; ++ int outlen, tmplen; ++ unsigned char outbuf[1024]; ++ OSSL_PARAM params[2] = { ++ OSSL_PARAM_END, OSSL_PARAM_END ++ }; ++ ++ if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new()) ++ || !TEST_ptr(cipher = EVP_CIPHER_fetch(testctx, "RC4", ""))) ++ goto err; ++ ++ params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_KEYLEN, ++ &rc4_key_s); ++ ++ if (!TEST_true(EVP_EncryptInit_ex2(ctx, cipher, rc4_key, NULL, params)) ++ || !TEST_true(EVP_EncryptUpdate(ctx, outbuf, &outlen, ++ rc4_pt, rc4_pt_s)) ++ || !TEST_true(EVP_EncryptFinal_ex(ctx, outbuf, &tmplen))) ++ goto err; ++ ++ if (!TEST_mem_eq(outbuf, outlen, rc4_ct, rc4_ct_s)) ++ goto err; ++ ++ ret = 1; ++err: ++ EVP_CIPHER_free(cipher); ++ EVP_CIPHER_CTX_free(ctx); ++ ++ return ret; ++} ++ ++static int rc4_decrypt(const unsigned char *rc4_key, size_t rc4_key_s, ++ const unsigned char *rc4_pt, size_t rc4_pt_s, ++ const unsigned char *rc4_ct, size_t rc4_ct_s) ++{ ++ int ret = 0; ++ EVP_CIPHER_CTX *ctx; ++ EVP_CIPHER *cipher = NULL; ++ int outlen; ++ unsigned char outbuf[1024]; ++ OSSL_PARAM params[2] = { ++ OSSL_PARAM_END, OSSL_PARAM_END ++ }; ++ ++ if ((ctx = 
EVP_CIPHER_CTX_new()) == NULL) ++ goto err; ++ ++ if ((cipher = EVP_CIPHER_fetch(testctx, "RC4", "")) == NULL) ++ goto err; ++ ++ params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_KEYLEN, ++ &rc4_key_s); ++ ++ if (!TEST_true(EVP_DecryptInit_ex2(ctx, cipher, rc4_key, NULL, params)) ++ || !TEST_true(EVP_DecryptUpdate(ctx, outbuf, &outlen, ++ rc4_ct, rc4_ct_s)) ++ || !TEST_mem_eq(outbuf, outlen, rc4_pt, rc4_pt_s)) ++ goto err; ++ ++ ret = 1; ++err: ++ EVP_CIPHER_free(cipher); ++ EVP_CIPHER_CTX_free(ctx); ++ ++ return ret; ++} ++ ++static int test_aes_rc4_keylen_change_cve_2023_5363(void) ++{ ++ /* RC4 test data obtained from RFC 6229 */ ++ static const struct { ++ unsigned char key[5]; ++ unsigned char padding[11]; ++ } rc4_key = { ++ { /* Five bytes of key material */ ++ 0x83, 0x32, 0x22, 0x77, 0x2a, ++ }, ++ { /* Random padding to 16 bytes */ ++ 0x80, 0xad, 0x97, 0xbd, 0xc9, 0x73, 0xdf, 0x8a, 0xaa, 0x32, 0x91 ++ } ++ }; ++ static const unsigned char rc4_pt[] = { ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ++ }; ++ static const unsigned char rc4_ct[] = { ++ 0x80, 0xad, 0x97, 0xbd, 0xc9, 0x73, 0xdf, 0x8a, ++ 0x2e, 0x87, 0x9e, 0x92, 0xa4, 0x97, 0xef, 0xda ++ }; ++ ++ if (lgcyprov == NULL) ++ return TEST_skip("Test requires legacy provider to be loaded"); ++ ++ return rc4_encrypt(rc4_key.key, sizeof(rc4_key.key), ++ rc4_pt, sizeof(rc4_pt), rc4_ct, sizeof(rc4_ct)) ++ && rc4_decrypt(rc4_key.key, sizeof(rc4_key.key), ++ rc4_pt, sizeof(rc4_pt), rc4_ct, sizeof(rc4_ct)); ++} ++#endif ++ + int setup_tests(void) + { + OPTION_CHOICE o; +@@ -4994,6 +5241,12 @@ int setup_tests(void) + + ADD_ALL_TESTS(test_ecx_short_keys, OSSL_NELEM(ecxnids)); + ++ /* Test cases for CVE-2023-5363 */ ++ ADD_TEST(test_aes_gcm_ivlen_change_cve_2023_5363); ++#ifndef OPENSSL_NO_RC4 ++ ADD_TEST(test_aes_rc4_keylen_change_cve_2023_5363); ++#endif ++ + return 1; + } + 
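Review bot: The `rc4_key` struct in `test_aes_rc4_keylen_change_cve_2023_5363` pads the 5-byte key to 16 bytes with a comment that says only "Random padding to 16 bytes"; presumably the padding exists so that an unpatched build, which applied the KEYLEN param too late and read the default 16-byte key, stays in bounds and fails on the ciphertext comparison rather than under ASan, and the comment should say so — e.g. `/* padding so an unpatched build reading the default 16-byte key length stays in bounds and fails the ciphertext check instead of crashing */`. The function name says `aes_rc4` although it exercises only RC4; `test_rc4_keylen_change_cve_2023_5363` would match what it does. In evp_enc.c the pre-applied KEYLEN/IVLEN entries remain in `params` when the provider init is later called with the full array, so they are set twice; harmless as far as I can see, but a one-line comment saying the full array is deliberately still passed through would stop the next reader from "fixing" it. Minor: "synomym" in the new comment.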
diff --git a/SOURCES/0129-rsa-Add-SP800-56Br2-6.4.1.2.1-3.c-check.patch b/SOURCES/0129-rsa-Add-SP800-56Br2-6.4.1.2.1-3.c-check.patch
new file mode 100644
index 0000000..8ee8793
--- /dev/null
+++ b/SOURCES/0129-rsa-Add-SP800-56Br2-6.4.1.2.1-3.c-check.patch
@@ -0,0 +1,49 @@
+From 0d873f9f647764df147d818a6e998b1c318bac31 Mon Sep 17 00:00:00 2001
+From: Clemens Lang
+Date: Mon, 16 Oct 2023 15:30:26 +0200
+Subject: [PATCH] rsa: Add SP800-56Br2 6.4.1.2.1 (3.c) check
+
+The code did not yet check that the length of the RSA key is positive
+and even.
+
+Signed-off-by: Clemens Lang
+Upstream-Status: Backport [8b268541d9aabee51699aef22963407362830ef9]
+---
+ crypto/rsa/rsa_sp800_56b_check.c | 5 +++++
+ test/rsa_sp800_56b_test.c | 4 ++++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/crypto/rsa/rsa_sp800_56b_check.c b/crypto/rsa/rsa_sp800_56b_check.c
+index fc8f19b487..e6b79e953d 100644
+--- a/crypto/rsa/rsa_sp800_56b_check.c
++++ b/crypto/rsa/rsa_sp800_56b_check.c
+@@ -403,6 +403,11 @@ int ossl_rsa_sp800_56b_check_keypair(const RSA *rsa, const BIGNUM *efixed,
+ ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_KEYPAIR);
+ return 0;
+ }
++ /* (Step 3.c): check that the modulus length is a positive even integer */
++ if (nbits <= 0 || (nbits & 0x1)) {
++ ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_KEYPAIR);
++ return 0;
++ }
+
+ ctx = BN_CTX_new_ex(rsa->libctx);
+ if (ctx == NULL)
+diff --git a/test/rsa_sp800_56b_test.c b/test/rsa_sp800_56b_test.c
+index 7660019f47..aa58bbbe6c 100644
+--- a/test/rsa_sp800_56b_test.c
++++ b/test/rsa_sp800_56b_test.c
+@@ -458,6 +458,10 @@ static int test_invalid_keypair(void)
+ && TEST_true(BN_add_word(n, 1))
+ && TEST_false(ossl_rsa_sp800_56b_check_keypair(key, NULL, -1, 2048))
+ && TEST_true(BN_sub_word(n, 1))
++ /* check that validation fails if len(n) is not even */
++ && TEST_true(BN_lshift1(n, n))
++ && TEST_false(ossl_rsa_sp800_56b_check_keypair(key, NULL, -1, 2049))
++ && TEST_true(BN_rshift1(n, n))
+ /* check p */
+ && TEST_true(BN_sub_word(p, 2))
+ && TEST_true(BN_mul(n, p, q, ctx))
+--
+2.41.0
+
diff --git a/SOURCES/Makefile.certificate b/SOURCES/Makefile.certificate
new file mode 100644
index 0000000..cc88c52
--- /dev/null
+++ b/SOURCES/Makefile.certificate
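Review bot: The new step-3.c guard `if (nbits <= 0 || (nbits & 0x1))` sits directly after a check that returns RSA_R_INVALID_KEYPAIR; if that earlier check is the step-3.b comparison of `nbits` against `BN_num_bits(rsa->n)` (its condition is outside the hunk), the `nbits <= 0` half can only fire for a zero modulus, and the test added in rsa_sp800_56b_test.c exercises only the odd-length half. The comment should say which inputs each half catches, e.g. `/* (Step 3.c): nbits must be a positive even integer; 3.b already tied it to len(n), so <= 0 can only mean an empty modulus */`. Both paths reuse RSA_R_INVALID_KEYPAIR, so a caller cannot distinguish an odd modulus length from a mismatched one; that matches the surrounding style but belongs in the patch description.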
@@ -0,0 +1,82 @@
+UTF8 := $(shell locale -c LC_CTYPE -k | grep -q charmap.*UTF-8 && echo -utf8)
+DAYS=365
+KEYLEN=2048
+TYPE=rsa:$(KEYLEN)
+EXTRA_FLAGS=
+ifdef SERIAL
+ EXTRA_FLAGS+=-set_serial $(SERIAL)
+endif
+
+.PHONY: usage
+.SUFFIXES: .key .csr .crt .pem
+.PRECIOUS: %.key %.csr %.crt %.pem
+
+usage:
+ @echo "This makefile allows you to create:"
+ @echo " o public/private key pairs"
+ @echo " o SSL certificate signing requests (CSRs)"
+ @echo " o self-signed SSL test certificates"
+ @echo
+ @echo "To create a key pair, run \"make SOMETHING.key\"."
+ @echo "To create a CSR, run \"make SOMETHING.csr\"."
+ @echo "To create a test certificate, run \"make SOMETHING.crt\"."
+ @echo "To create a key and a test certificate in one file, run \"make SOMETHING.pem\"."
+ @echo
+ @echo "To create a key for use with Apache, run \"make genkey\"."
+ @echo "To create a CSR for use with Apache, run \"make certreq\"."
+ @echo "To create a test certificate for use with Apache, run \"make testcert\"."
+ @echo
+ @echo "To create a test certificate with serial number other than random, add SERIAL=num"
+ @echo "You can also specify key length with KEYLEN=n and expiration in days with DAYS=n"
+ @echo "Any additional options can be passed to openssl req via EXTRA_FLAGS"
+ @echo
+ @echo Examples:
+ @echo " make server.key"
+ @echo " make server.csr"
+ @echo " make server.crt"
+ @echo " make stunnel.pem"
+ @echo " make genkey"
+ @echo " make certreq"
+ @echo " make testcert"
+ @echo " make server.crt SERIAL=1"
+ @echo " make stunnel.pem EXTRA_FLAGS=-sha384"
+ @echo " make testcert DAYS=600"
+
+%.pem:
+ umask 77 ; \
+ PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
+ PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
+ /usr/bin/openssl req $(UTF8) -newkey $(TYPE) -keyout $$PEM1 -nodes -x509 -days $(DAYS) -out $$PEM2 $(EXTRA_FLAGS) ; \
+ cat $$PEM1 > $@ ; \
+ echo "" >> $@ ; \
+ cat $$PEM2 >> $@ ; \
+ $(RM) $$PEM1 $$PEM2
+
+%.key:
+ umask 77 ; \
+ /usr/bin/openssl genrsa -aes128 $(KEYLEN) > $@
+
+%.csr: %.key
+ umask 77 ; \
+ /usr/bin/openssl req $(UTF8) -new -key $^ -out $@
+
+%.crt: %.key
+ umask 77 ; \
+ /usr/bin/openssl req $(UTF8) -new -key $^ -x509 -days $(DAYS) -out $@ $(EXTRA_FLAGS)
+
+TLSROOT=/etc/pki/tls
+KEY=$(TLSROOT)/private/localhost.key
+CSR=$(TLSROOT)/certs/localhost.csr
+CRT=$(TLSROOT)/certs/localhost.crt
+
+genkey: $(KEY)
+certreq: $(CSR)
+testcert: $(CRT)
+
+$(CSR): $(KEY)
+ umask 77 ; \
+ /usr/bin/openssl req $(UTF8) -new -key $(KEY) -out $(CSR)
+
+$(CRT): $(KEY)
+ umask 77 ; \
+ /usr/bin/openssl req $(UTF8) -new -key $(KEY) -x509 -days $(DAYS) -out $(CRT) $(EXTRA_FLAGS)
diff --git a/SOURCES/configuration-prefix.h b/SOURCES/configuration-prefix.h
new file mode 100644
index 0000000..13b6e23
--- /dev/null
+++ b/SOURCES/configuration-prefix.h
@@ -0,0 +1,7 @@
+/* Prepended at openssl package build-time. Don't include this file directly,
+ * use instead. */
+
+#ifndef openssl_conf_multilib_redirection_h
+#error "Don't include this file directly, use instead!"
+#endif
+
diff --git a/SOURCES/configuration-switch.h b/SOURCES/configuration-switch.h
new file mode 100644
index 0000000..1c4d238
--- /dev/null
+++ b/SOURCES/configuration-switch.h
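Review bot: Every recipe in Makefile.certificate joins its commands with `;`, so when `openssl req` or `openssl genrsa` fails (bad passphrase, missing config, unsupported option) the recipe still exits 0 and leaves a truncated or empty `.pem`/`.key` behind that `.PRECIOUS` keeps and later `make` runs treat as up to date; for private-key material that is the wrong failure mode. In the `%.pem` rule it also means `cat $$PEM1 > $@` runs against a temp file openssl never wrote. Chain the commands with `&&` and remove the temp files from a trap so cleanup still happens on failure, as below for `%.pem`; the `%.key` rule should likewise write to a temp file and `mv` it into place only on success rather than redirecting straight into `$@`. `-nodes` still works on 3.0 but is the deprecated spelling of `-noenc`.
```makefile
%.pem:
	umask 77 ; \
	PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` && \
	trap '$(RM) "$$PEM1" "$$PEM2"' EXIT && \
	PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` && \
	/usr/bin/openssl req $(UTF8) -newkey $(TYPE) -keyout $$PEM1 -nodes -x509 -days $(DAYS) -out $$PEM2 $(EXTRA_FLAGS) && \
	cat $$PEM1 > $@ && \
	echo "" >> $@ && \
	cat $$PEM2 >> $@
```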
@@ -0,0 +1,47 @@
+/* This file is here to prevent a file conflict on multiarch systems. A
+ * conflict will frequently occur because arch-specific build-time
+ * configuration options are stored (and used, so they can't just be stripped
+ * out) in configuration.h. The original configuration.h has been renamed.
+ * DO NOT INCLUDE THE NEW FILE DIRECTLY -- ALWAYS INCLUDE THIS ONE INSTEAD. */
+
+#ifdef openssl_conf_multilib_redirection_h
+#error "Do not define openssl_conf_multilib_redirection_h!"
+#endif
+#define openssl_conf_multilib_redirection_h
+
+#if defined(__i386__)
+#include "configuration-i386.h"
+#elif defined(__ia64__)
+#include "configuration-ia64.h"
+#elif defined(__mips64) && defined(__MIPSEL__)
+#include "configuration-mips64el.h"
+#elif defined(__mips64)
+#include "configuration-mips64.h"
+#elif defined(__mips) && defined(__MIPSEL__)
+#include "configuration-mipsel.h"
+#elif defined(__mips)
+#include "configuration-mips.h"
+#elif defined(__powerpc64__)
+#include
+#if __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
+#include "configuration-ppc64.h"
+#else
+#include "configuration-ppc64le.h"
+#endif
+#elif defined(__powerpc__)
+#include "configuration-ppc.h"
+#elif defined(__s390x__)
+#include "configuration-s390x.h"
+#elif defined(__s390__)
+#include "configuration-s390.h"
+#elif defined(__sparc__) && defined(__arch64__)
+#include "configuration-sparc64.h"
+#elif defined(__sparc__)
+#include "configuration-sparc.h"
+#elif defined(__x86_64__)
+#include "configuration-x86_64.h"
+#else
+#error "The openssl-devel package does not work your architecture?"
+#endif
+
+#undef openssl_conf_multilib_redirection_h
diff --git a/SOURCES/ec_curve.c b/SOURCES/ec_curve.c
new file mode 100644
index 0000000..64ac40b
--- /dev/null
+++ b/SOURCES/ec_curve.c
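Review bot: The architecture switch has no `__aarch64__` branch (nor one for riscv64), so on an aarch64 build this header falls through to the `#error`; that is inconsistent with 0001-Aarch64-and-ppc64le-use-lib64.patch in the same import, which explicitly targets aarch64 for the lib64 layout. If this header is actually installed by this package rather than just carried over from the openssl spec, add `#elif defined(__aarch64__)` / `#include "configuration-aarch64.h"` ahead of the `#else`. The bare `#include` above the `__BYTE_ORDER__` test has lost its header name in this copy, most likely `<endian.h>` dropped by the same rendering that stripped `<openssl/configuration.h>` from the comments in configuration-prefix.h; worth checking against the file as committed. The `#error` text "does not work your architecture?" should read "does not support your architecture".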
@@ -0,0 +1,628 @@ +/* + * Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * ECDSA low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + +#include +#include "ec_local.h" +#include +#include +#include +#include +#include "internal/nelem.h" + +typedef struct { + int field_type, /* either NID_X9_62_prime_field or + * NID_X9_62_characteristic_two_field */ + seed_len, param_len; + unsigned int cofactor; /* promoted to BN_ULONG */ +} EC_CURVE_DATA; + +/* the nist prime curves */ +static const struct { + EC_CURVE_DATA h; + unsigned char data[20 + 28 * 6]; +} _EC_NIST_PRIME_224 = { + { + NID_X9_62_prime_field, 20, 28, 1 + }, + { + /* seed */ + 0xBD, 0x71, 0x34, 0x47, 0x99, 0xD5, 0xC7, 0xFC, 0xDC, 0x45, 0xB5, 0x9F, + 0xA3, 0xB9, 0xAB, 0x8F, 0x6A, 0x94, 0x8B, 0xC5, + /* p */ + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, + /* a */ + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFE, + /* b */ + 0xB4, 0x05, 0x0A, 0x85, 0x0C, 0x04, 0xB3, 0xAB, 0xF5, 0x41, 0x32, 0x56, + 0x50, 0x44, 0xB0, 0xB7, 0xD7, 0xBF, 0xD8, 0xBA, 0x27, 0x0B, 0x39, 0x43, + 0x23, 0x55, 0xFF, 0xB4, + /* x */ + 0xB7, 0x0E, 0x0C, 0xBD, 0x6B, 0xB4, 0xBF, 0x7F, 0x32, 0x13, 0x90, 0xB9, + 0x4A, 0x03, 0xC1, 0xD3, 0x56, 0xC2, 0x11, 0x22, 0x34, 0x32, 0x80, 0xD6, + 0x11, 0x5C, 0x1D, 0x21, + /* y */ + 0xbd, 0x37, 0x63, 0x88, 0xb5, 0xf7, 0x23, 0xfb, 
0x4c, 0x22, 0xdf, 0xe6, + 0xcd, 0x43, 0x75, 0xa0, 0x5a, 0x07, 0x47, 0x64, 0x44, 0xd5, 0x81, 0x99, + 0x85, 0x00, 0x7e, 0x34, + /* order */ + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0x16, 0xA2, 0xE0, 0xB8, 0xF0, 0x3E, 0x13, 0xDD, 0x29, 0x45, + 0x5C, 0x5C, 0x2A, 0x3D + } +}; + +static const struct { + EC_CURVE_DATA h; + unsigned char data[20 + 48 * 6]; +} _EC_NIST_PRIME_384 = { + { + NID_X9_62_prime_field, 20, 48, 1 + }, + { + /* seed */ + 0xA3, 0x35, 0x92, 0x6A, 0xA3, 0x19, 0xA2, 0x7A, 0x1D, 0x00, 0x89, 0x6A, + 0x67, 0x73, 0xA4, 0x82, 0x7A, 0xCD, 0xAC, 0x73, + /* p */ + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, + /* a */ + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFC, + /* b */ + 0xB3, 0x31, 0x2F, 0xA7, 0xE2, 0x3E, 0xE7, 0xE4, 0x98, 0x8E, 0x05, 0x6B, + 0xE3, 0xF8, 0x2D, 0x19, 0x18, 0x1D, 0x9C, 0x6E, 0xFE, 0x81, 0x41, 0x12, + 0x03, 0x14, 0x08, 0x8F, 0x50, 0x13, 0x87, 0x5A, 0xC6, 0x56, 0x39, 0x8D, + 0x8A, 0x2E, 0xD1, 0x9D, 0x2A, 0x85, 0xC8, 0xED, 0xD3, 0xEC, 0x2A, 0xEF, + /* x */ + 0xAA, 0x87, 0xCA, 0x22, 0xBE, 0x8B, 0x05, 0x37, 0x8E, 0xB1, 0xC7, 0x1E, + 0xF3, 0x20, 0xAD, 0x74, 0x6E, 0x1D, 0x3B, 0x62, 0x8B, 0xA7, 0x9B, 0x98, + 0x59, 0xF7, 0x41, 0xE0, 0x82, 0x54, 0x2A, 0x38, 0x55, 0x02, 0xF2, 0x5D, + 0xBF, 0x55, 0x29, 0x6C, 0x3A, 0x54, 0x5E, 0x38, 0x72, 0x76, 0x0A, 0xB7, + /* y */ + 0x36, 0x17, 0xde, 0x4a, 0x96, 0x26, 0x2c, 0x6f, 0x5d, 0x9e, 0x98, 0xbf, + 0x92, 0x92, 0xdc, 0x29, 0xf8, 0xf4, 0x1d, 0xbd, 0x28, 0x9a, 0x14, 0x7c, + 0xe9, 
0xda, 0x31, 0x13, 0xb5, 0xf0, 0xb8, 0xc0, 0x0a, 0x60, 0xb1, 0xce, + 0x1d, 0x7e, 0x81, 0x9d, 0x7a, 0x43, 0x1d, 0x7c, 0x90, 0xea, 0x0e, 0x5f, + /* order */ + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xC7, 0x63, 0x4D, 0x81, 0xF4, 0x37, 0x2D, 0xDF, 0x58, 0x1A, 0x0D, 0xB2, + 0x48, 0xB0, 0xA7, 0x7A, 0xEC, 0xEC, 0x19, 0x6A, 0xCC, 0xC5, 0x29, 0x73 + } +}; + +static const struct { + EC_CURVE_DATA h; + unsigned char data[20 + 66 * 6]; +} _EC_NIST_PRIME_521 = { + { + NID_X9_62_prime_field, 20, 66, 1 + }, + { + /* seed */ + 0xD0, 0x9E, 0x88, 0x00, 0x29, 0x1C, 0xB8, 0x53, 0x96, 0xCC, 0x67, 0x17, + 0x39, 0x32, 0x84, 0xAA, 0xA0, 0xDA, 0x64, 0xBA, + /* p */ + 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + /* a */ + 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, + /* b */ + 0x00, 0x51, 0x95, 0x3E, 0xB9, 0x61, 0x8E, 0x1C, 0x9A, 0x1F, 0x92, 0x9A, + 0x21, 0xA0, 0xB6, 0x85, 0x40, 0xEE, 0xA2, 0xDA, 0x72, 0x5B, 0x99, 0xB3, + 0x15, 0xF3, 0xB8, 0xB4, 0x89, 0x91, 0x8E, 0xF1, 0x09, 0xE1, 0x56, 0x19, + 0x39, 0x51, 0xEC, 0x7E, 0x93, 0x7B, 0x16, 0x52, 0xC0, 0xBD, 0x3B, 0xB1, + 0xBF, 0x07, 0x35, 0x73, 0xDF, 0x88, 0x3D, 0x2C, 0x34, 0xF1, 0xEF, 0x45, + 0x1F, 0xD4, 0x6B, 0x50, 0x3F, 
0x00, + /* x */ + 0x00, 0xC6, 0x85, 0x8E, 0x06, 0xB7, 0x04, 0x04, 0xE9, 0xCD, 0x9E, 0x3E, + 0xCB, 0x66, 0x23, 0x95, 0xB4, 0x42, 0x9C, 0x64, 0x81, 0x39, 0x05, 0x3F, + 0xB5, 0x21, 0xF8, 0x28, 0xAF, 0x60, 0x6B, 0x4D, 0x3D, 0xBA, 0xA1, 0x4B, + 0x5E, 0x77, 0xEF, 0xE7, 0x59, 0x28, 0xFE, 0x1D, 0xC1, 0x27, 0xA2, 0xFF, + 0xA8, 0xDE, 0x33, 0x48, 0xB3, 0xC1, 0x85, 0x6A, 0x42, 0x9B, 0xF9, 0x7E, + 0x7E, 0x31, 0xC2, 0xE5, 0xBD, 0x66, + /* y */ + 0x01, 0x18, 0x39, 0x29, 0x6a, 0x78, 0x9a, 0x3b, 0xc0, 0x04, 0x5c, 0x8a, + 0x5f, 0xb4, 0x2c, 0x7d, 0x1b, 0xd9, 0x98, 0xf5, 0x44, 0x49, 0x57, 0x9b, + 0x44, 0x68, 0x17, 0xaf, 0xbd, 0x17, 0x27, 0x3e, 0x66, 0x2c, 0x97, 0xee, + 0x72, 0x99, 0x5e, 0xf4, 0x26, 0x40, 0xc5, 0x50, 0xb9, 0x01, 0x3f, 0xad, + 0x07, 0x61, 0x35, 0x3c, 0x70, 0x86, 0xa2, 0x72, 0xc2, 0x40, 0x88, 0xbe, + 0x94, 0x76, 0x9f, 0xd1, 0x66, 0x50, + /* order */ + 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFA, 0x51, 0x86, + 0x87, 0x83, 0xBF, 0x2F, 0x96, 0x6B, 0x7F, 0xCC, 0x01, 0x48, 0xF7, 0x09, + 0xA5, 0xD0, 0x3B, 0xB5, 0xC9, 0xB8, 0x89, 0x9C, 0x47, 0xAE, 0xBB, 0x6F, + 0xB7, 0x1E, 0x91, 0x38, 0x64, 0x09 + } +}; + +static const struct { + EC_CURVE_DATA h; + unsigned char data[20 + 32 * 6]; +} _EC_X9_62_PRIME_256V1 = { + { + NID_X9_62_prime_field, 20, 32, 1 + }, + { + /* seed */ + 0xC4, 0x9D, 0x36, 0x08, 0x86, 0xE7, 0x04, 0x93, 0x6A, 0x66, 0x78, 0xE1, + 0x13, 0x9D, 0x26, 0xB7, 0x81, 0x9F, 0x7E, 0x90, + /* p */ + 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + /* a */ + 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, + /* b */ + 0x5A, 
0xC6, 0x35, 0xD8, 0xAA, 0x3A, 0x93, 0xE7, 0xB3, 0xEB, 0xBD, 0x55, + 0x76, 0x98, 0x86, 0xBC, 0x65, 0x1D, 0x06, 0xB0, 0xCC, 0x53, 0xB0, 0xF6, + 0x3B, 0xCE, 0x3C, 0x3E, 0x27, 0xD2, 0x60, 0x4B, + /* x */ + 0x6B, 0x17, 0xD1, 0xF2, 0xE1, 0x2C, 0x42, 0x47, 0xF8, 0xBC, 0xE6, 0xE5, + 0x63, 0xA4, 0x40, 0xF2, 0x77, 0x03, 0x7D, 0x81, 0x2D, 0xEB, 0x33, 0xA0, + 0xF4, 0xA1, 0x39, 0x45, 0xD8, 0x98, 0xC2, 0x96, + /* y */ + 0x4f, 0xe3, 0x42, 0xe2, 0xfe, 0x1a, 0x7f, 0x9b, 0x8e, 0xe7, 0xeb, 0x4a, + 0x7c, 0x0f, 0x9e, 0x16, 0x2b, 0xce, 0x33, 0x57, 0x6b, 0x31, 0x5e, 0xce, + 0xcb, 0xb6, 0x40, 0x68, 0x37, 0xbf, 0x51, 0xf5, + /* order */ + 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xBC, 0xE6, 0xFA, 0xAD, 0xA7, 0x17, 0x9E, 0x84, + 0xF3, 0xB9, 0xCA, 0xC2, 0xFC, 0x63, 0x25, 0x51 + } +}; + +static const struct { + EC_CURVE_DATA h; + unsigned char data[0 + 32 * 6]; +} _EC_SECG_PRIME_256K1 = { + { + NID_X9_62_prime_field, 0, 32, 1 + }, + { + /* no seed */ + /* p */ + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F, + /* a */ + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + /* b */ + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, + /* x */ + 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, + 0xCE, 0x87, 0x0B, 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, + 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17, 0x98, + /* y */ + 0x48, 0x3a, 0xda, 0x77, 0x26, 0xa3, 0xc4, 0x65, 0x5d, 0xa4, 0xfb, 0xfc, + 0x0e, 0x11, 0x08, 0xa8, 0xfd, 0x17, 0xb4, 0x48, 0xa6, 0x85, 0x54, 0x19, + 0x9c, 0x47, 
0xd0, 0x8f, 0xfb, 0x10, 0xd4, 0xb8, + /* order */ + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFE, 0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B, + 0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x41 + } +}; + +typedef struct _ec_list_element_st { + int nid; + const EC_CURVE_DATA *data; + const EC_METHOD *(*meth) (void); + const char *comment; +} ec_list_element; + +#ifdef FIPS_MODULE +static const ec_list_element curve_list[] = { + /* prime field curves */ + /* secg curves */ + {NID_secp224r1, &_EC_NIST_PRIME_224.h, +# if !defined(OPENSSL_NO_EC_NISTP_64_GCC_128) + EC_GFp_nistp224_method, +# else + 0, +# endif + "NIST/SECG curve over a 224 bit prime field"}, + /* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */ + {NID_secp384r1, &_EC_NIST_PRIME_384.h, +# if defined(S390X_EC_ASM) + EC_GFp_s390x_nistp384_method, +# else + 0, +# endif + "NIST/SECG curve over a 384 bit prime field"}, + + {NID_secp521r1, &_EC_NIST_PRIME_521.h, +# if defined(S390X_EC_ASM) + EC_GFp_s390x_nistp521_method, +# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128) + EC_GFp_nistp521_method, +# else + 0, +# endif + "NIST/SECG curve over a 521 bit prime field"}, + + /* X9.62 curves */ + {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, +# if defined(ECP_NISTZ256_ASM) + EC_GFp_nistz256_method, +# elif defined(S390X_EC_ASM) + EC_GFp_s390x_nistp256_method, +# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128) + EC_GFp_nistp256_method, +# else + 0, +# endif + "X9.62/SECG curve over a 256 bit prime field"}, +}; + +#else + +static const ec_list_element curve_list[] = { + /* prime field curves */ + /* secg curves */ +# ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 + {NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method, + "NIST/SECG curve over a 224 bit prime field"}, +# else + {NID_secp224r1, &_EC_NIST_PRIME_224.h, 0, + "NIST/SECG curve over a 224 bit prime field"}, +# endif + {NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0, + "SECG curve over a 256 bit 
prime field"}, + /* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */ + {NID_secp384r1, &_EC_NIST_PRIME_384.h, +# if defined(S390X_EC_ASM) + EC_GFp_s390x_nistp384_method, +# else + 0, +# endif + "NIST/SECG curve over a 384 bit prime field"}, + {NID_secp521r1, &_EC_NIST_PRIME_521.h, +# if defined(S390X_EC_ASM) + EC_GFp_s390x_nistp521_method, +# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128) + EC_GFp_nistp521_method, +# else + 0, +# endif + "NIST/SECG curve over a 521 bit prime field"}, + /* X9.62 curves */ + {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, +# if defined(ECP_NISTZ256_ASM) + EC_GFp_nistz256_method, +# elif defined(S390X_EC_ASM) + EC_GFp_s390x_nistp256_method, +# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128) + EC_GFp_nistp256_method, +# else + 0, +# endif + "X9.62/SECG curve over a 256 bit prime field"}, +}; +#endif /* FIPS_MODULE */ + +#define curve_list_length OSSL_NELEM(curve_list) + +static const ec_list_element *ec_curve_nid2curve(int nid) +{ + size_t i; + + if (nid <= 0) + return NULL; + + for (i = 0; i < curve_list_length; i++) { + if (curve_list[i].nid == nid) + return &curve_list[i]; + } + return NULL; +} + +static EC_GROUP *ec_group_new_from_data(OSSL_LIB_CTX *libctx, + const char *propq, + const ec_list_element curve) +{ + EC_GROUP *group = NULL; + EC_POINT *P = NULL; + BN_CTX *ctx = NULL; + BIGNUM *p = NULL, *a = NULL, *b = NULL, *x = NULL, *y = NULL, *order = + NULL; + int ok = 0; + int seed_len, param_len; + const EC_METHOD *meth; + const EC_CURVE_DATA *data; + const unsigned char *params; + + /* If no curve data curve method must handle everything */ + if (curve.data == NULL) + return ossl_ec_group_new_ex(libctx, propq, + curve.meth != NULL ? 
curve.meth() : NULL); + + if ((ctx = BN_CTX_new_ex(libctx)) == NULL) { + ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE); + goto err; + } + + data = curve.data; + seed_len = data->seed_len; + param_len = data->param_len; + params = (const unsigned char *)(data + 1); /* skip header */ + params += seed_len; /* skip seed */ + + if ((p = BN_bin2bn(params + 0 * param_len, param_len, NULL)) == NULL + || (a = BN_bin2bn(params + 1 * param_len, param_len, NULL)) == NULL + || (b = BN_bin2bn(params + 2 * param_len, param_len, NULL)) == NULL) { + ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); + goto err; + } + + if (curve.meth != 0) { + meth = curve.meth(); + if (((group = ossl_ec_group_new_ex(libctx, propq, meth)) == NULL) || + (!(group->meth->group_set_curve(group, p, a, b, ctx)))) { + ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB); + goto err; + } + } else if (data->field_type == NID_X9_62_prime_field) { + if ((group = EC_GROUP_new_curve_GFp(p, a, b, ctx)) == NULL) { + ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB); + goto err; + } + } +#ifndef OPENSSL_NO_EC2M + else { /* field_type == + * NID_X9_62_characteristic_two_field */ + + if ((group = EC_GROUP_new_curve_GF2m(p, a, b, ctx)) == NULL) { + ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB); + goto err; + } + } +#endif + + EC_GROUP_set_curve_name(group, curve.nid); + + if ((P = EC_POINT_new(group)) == NULL) { + ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB); + goto err; + } + + if ((x = BN_bin2bn(params + 3 * param_len, param_len, NULL)) == NULL + || (y = BN_bin2bn(params + 4 * param_len, param_len, NULL)) == NULL) { + ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); + goto err; + } + if (!EC_POINT_set_affine_coordinates(group, P, x, y, ctx)) { + ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB); + goto err; + } + if ((order = BN_bin2bn(params + 5 * param_len, param_len, NULL)) == NULL + || !BN_set_word(x, (BN_ULONG)data->cofactor)) { + ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); + goto err; + } + if (!EC_GROUP_set_generator(group, P, order, x)) { + ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB); + goto err; + } + if 
(seed_len) { + if (!EC_GROUP_set_seed(group, params - seed_len, seed_len)) { + ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB); + goto err; + } + } + ok = 1; + err: + if (!ok) { + EC_GROUP_free(group); + group = NULL; + } + EC_POINT_free(P); + BN_CTX_free(ctx); + BN_free(p); + BN_free(a); + BN_free(b); + BN_free(order); + BN_free(x); + BN_free(y); + return group; +} + +EC_GROUP *EC_GROUP_new_by_curve_name_ex(OSSL_LIB_CTX *libctx, const char *propq, + int nid) +{ + EC_GROUP *ret = NULL; + const ec_list_element *curve; + + if ((curve = ec_curve_nid2curve(nid)) == NULL + || (ret = ec_group_new_from_data(libctx, propq, *curve)) == NULL) { +#ifndef FIPS_MODULE + ERR_raise_data(ERR_LIB_EC, EC_R_UNKNOWN_GROUP, + "name=%s", OBJ_nid2sn(nid)); +#else + ERR_raise(ERR_LIB_EC, EC_R_UNKNOWN_GROUP); +#endif + return NULL; + } + + return ret; +} + +#ifndef FIPS_MODULE +EC_GROUP *EC_GROUP_new_by_curve_name(int nid) +{ + return EC_GROUP_new_by_curve_name_ex(NULL, NULL, nid); +} +#endif + +size_t EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems) +{ + size_t i, min; + + if (r == NULL || nitems == 0) + return curve_list_length; + + min = nitems < curve_list_length ? nitems : curve_list_length; + + for (i = 0; i < min; i++) { + r[i].nid = curve_list[i].nid; + r[i].comment = curve_list[i].comment; + } + + return curve_list_length; +} + +const char *EC_curve_nid2nist(int nid) +{ + return ossl_ec_curve_nid2nist_int(nid); +} + +int EC_curve_nist2nid(const char *name) +{ + return ossl_ec_curve_nist2nid_int(name); +} + +#define NUM_BN_FIELDS 6 +/* + * Validates EC domain parameter data for known named curves. + * This can be used when a curve is loaded explicitly (without a curve + * name) or to validate that domain parameters have not been modified. + * + * Returns: The nid associated with the found named curve, or NID_undef + * if not found. If there was an error it returns -1. 
+ */ +int ossl_ec_curve_nid_from_params(const EC_GROUP *group, BN_CTX *ctx) +{ + int ret = -1, nid, len, field_type, param_len; + size_t i, seed_len; + const unsigned char *seed, *params_seed, *params; + unsigned char *param_bytes = NULL; + const EC_CURVE_DATA *data; + const EC_POINT *generator = NULL; + const BIGNUM *cofactor = NULL; + /* An array of BIGNUMs for (p, a, b, x, y, order) */ + BIGNUM *bn[NUM_BN_FIELDS] = {NULL, NULL, NULL, NULL, NULL, NULL}; + + /* Use the optional named curve nid as a search field */ + nid = EC_GROUP_get_curve_name(group); + field_type = EC_GROUP_get_field_type(group); + seed_len = EC_GROUP_get_seed_len(group); + seed = EC_GROUP_get0_seed(group); + cofactor = EC_GROUP_get0_cofactor(group); + + BN_CTX_start(ctx); + + /* + * The built-in curves contains data fields (p, a, b, x, y, order) that are + * all zero-padded to be the same size. The size of the padding is + * determined by either the number of bytes in the field modulus (p) or the + * EC group order, whichever is larger. + */ + param_len = BN_num_bytes(group->order); + len = BN_num_bytes(group->field); + if (len > param_len) + param_len = len; + + /* Allocate space to store the padded data for (p, a, b, x, y, order) */ + param_bytes = OPENSSL_malloc(param_len * NUM_BN_FIELDS); + if (param_bytes == NULL) + goto end; + + /* Create the bignums */ + for (i = 0; i < NUM_BN_FIELDS; ++i) { + if ((bn[i] = BN_CTX_get(ctx)) == NULL) + goto end; + } + /* + * Fill in the bn array with the same values as the internal curves + * i.e. the values are p, a, b, x, y, order. 
+ */ + /* Get p, a & b */ + if (!(EC_GROUP_get_curve(group, bn[0], bn[1], bn[2], ctx) + && ((generator = EC_GROUP_get0_generator(group)) != NULL) + /* Get x & y */ + && EC_POINT_get_affine_coordinates(group, generator, bn[3], bn[4], ctx) + /* Get order */ + && EC_GROUP_get_order(group, bn[5], ctx))) + goto end; + + /* + * Convert the bignum array to bytes that are joined together to form + * a single buffer that contains data for all fields. + * (p, a, b, x, y, order) are all zero padded to be the same size. + */ + for (i = 0; i < NUM_BN_FIELDS; ++i) { + if (BN_bn2binpad(bn[i], ¶m_bytes[i*param_len], param_len) <= 0) + goto end; + } + + for (i = 0; i < curve_list_length; i++) { + const ec_list_element curve = curve_list[i]; + + data = curve.data; + /* Get the raw order byte data */ + params_seed = (const unsigned char *)(data + 1); /* skip header */ + params = params_seed + data->seed_len; + + /* Look for unique fields in the fixed curve data */ + if (data->field_type == field_type + && param_len == data->param_len + && (nid <= 0 || nid == curve.nid) + /* check the optional cofactor (ignore if its zero) */ + && (BN_is_zero(cofactor) + || BN_is_word(cofactor, (const BN_ULONG)curve.data->cofactor)) + /* Check the optional seed (ignore if its not set) */ + && (data->seed_len == 0 || seed_len == 0 + || ((size_t)data->seed_len == seed_len + && memcmp(params_seed, seed, seed_len) == 0)) + /* Check that the groups params match the built-in curve params */ + && memcmp(param_bytes, params, param_len * NUM_BN_FIELDS) + == 0) { + ret = curve.nid; + goto end; + } + } + /* Gets here if the group was not found */ + ret = NID_undef; +end: + OPENSSL_free(param_bytes); + BN_CTX_end(ctx); + return ret; +} diff --git a/SOURCES/ectest.c b/SOURCES/ectest.c new file mode 100644 index 0000000..b2708ea --- /dev/null +++ b/SOURCES/ectest.c 
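Review bot: `curve_list` is reduced to P-224, P-256, P-384 and P-521 (plus secp256k1 only outside FIPS_MODULE) with nothing saying this is deliberate, so a later upstream sync could silently restore curves the distribution intentionally removed; add above the first `curve_list` a comment such as `/* Deliberately reduced curve table: only NIST P-224/256/384/521 (and secp256k1 in the default provider) are built in. Any other nid fails EC_GROUP_new_by_curve_name_ex with EC_R_UNKNOWN_GROUP, and ossl_ec_curve_nid_from_params returns NID_undef for explicit parameters of removed curves. */`. Separately, in ec_group_new_from_data the GF2m branch is unreachable with this table, but if OPENSSL_NO_EC2M is defined and a non-prime `field_type` entry were ever added, `group` would still be NULL when `EC_GROUP_set_curve_name(group, curve.nid)` is reached; a cheap defensive guard before that call is `if (group == NULL) { ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB); goto err; }`.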
@@ -0,0 +1,2311 @@ +/* + * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * EC_KEY low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + +#include +#include "internal/nelem.h" +#include "testutil.h" + +#include +#ifndef OPENSSL_NO_ENGINE +# include +#endif +#include +#include +#include +#include +#include +#include +#include +#include +#include + +static size_t crv_len = 0; +static EC_builtin_curve *curves = NULL; + +/* test multiplication with group order, long and negative scalars */ +static int group_order_tests(EC_GROUP *group) +{ + BIGNUM *n1 = NULL, *n2 = NULL, *order = NULL; + EC_POINT *P = NULL, *Q = NULL, *R = NULL, *S = NULL; + const EC_POINT *G = NULL; + BN_CTX *ctx = NULL; + int i = 0, r = 0; + + if (!TEST_ptr(n1 = BN_new()) + || !TEST_ptr(n2 = BN_new()) + || !TEST_ptr(order = BN_new()) + || !TEST_ptr(ctx = BN_CTX_new()) + || !TEST_ptr(G = EC_GROUP_get0_generator(group)) + || !TEST_ptr(P = EC_POINT_new(group)) + || !TEST_ptr(Q = EC_POINT_new(group)) + || !TEST_ptr(R = EC_POINT_new(group)) + || !TEST_ptr(S = EC_POINT_new(group))) + goto err; + + if (!TEST_true(EC_GROUP_get_order(group, order, ctx)) + || !TEST_true(EC_POINT_mul(group, Q, order, NULL, NULL, ctx)) + || !TEST_true(EC_POINT_is_at_infinity(group, Q)) +#ifndef OPENSSL_NO_DEPRECATED_3_0 + || !TEST_true(EC_GROUP_precompute_mult(group, ctx)) +#endif + || !TEST_true(EC_POINT_mul(group, Q, order, NULL, NULL, ctx)) + || !TEST_true(EC_POINT_is_at_infinity(group, Q)) + || !TEST_true(EC_POINT_copy(P, G)) + || !TEST_true(BN_one(n1)) + || !TEST_true(EC_POINT_mul(group, Q, n1, 
NULL, NULL, ctx)) + || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx)) + || !TEST_true(BN_sub(n1, order, n1)) + || !TEST_true(EC_POINT_mul(group, Q, n1, NULL, NULL, ctx)) + || !TEST_true(EC_POINT_invert(group, Q, ctx)) + || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx))) + goto err; + + for (i = 1; i <= 2; i++) { +#ifndef OPENSSL_NO_DEPRECATED_3_0 + const BIGNUM *scalars[6]; + const EC_POINT *points[6]; +#endif + + if (!TEST_true(BN_set_word(n1, i)) + /* + * If i == 1, P will be the predefined generator for which + * EC_GROUP_precompute_mult has set up precomputation. + */ + || !TEST_true(EC_POINT_mul(group, P, n1, NULL, NULL, ctx)) + || (i == 1 && !TEST_int_eq(0, EC_POINT_cmp(group, P, G, ctx))) + || !TEST_true(BN_one(n1)) + /* n1 = 1 - order */ + || !TEST_true(BN_sub(n1, n1, order)) + || !TEST_true(EC_POINT_mul(group, Q, NULL, P, n1, ctx)) + || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx)) + + /* n2 = 1 + order */ + || !TEST_true(BN_add(n2, order, BN_value_one())) + || !TEST_true(EC_POINT_mul(group, Q, NULL, P, n2, ctx)) + || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx)) + + /* n2 = (1 - order) * (1 + order) = 1 - order^2 */ + || !TEST_true(BN_mul(n2, n1, n2, ctx)) + || !TEST_true(EC_POINT_mul(group, Q, NULL, P, n2, ctx)) + || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx))) + goto err; + + /* n2 = order^2 - 1 */ + BN_set_negative(n2, 0); + if (!TEST_true(EC_POINT_mul(group, Q, NULL, P, n2, ctx)) + /* Add P to verify the result. */ + || !TEST_true(EC_POINT_add(group, Q, Q, P, ctx)) + || !TEST_true(EC_POINT_is_at_infinity(group, Q)) + || !TEST_false(EC_POINT_is_at_infinity(group, P))) + goto err; + +#ifndef OPENSSL_NO_DEPRECATED_3_0 + /* Exercise EC_POINTs_mul, including corner cases. 
*/ + scalars[0] = scalars[1] = BN_value_one(); + points[0] = points[1] = P; + + if (!TEST_true(EC_POINTs_mul(group, R, NULL, 2, points, scalars, ctx)) + || !TEST_true(EC_POINT_dbl(group, S, points[0], ctx)) + || !TEST_int_eq(0, EC_POINT_cmp(group, R, S, ctx))) + goto err; + + scalars[0] = n1; + points[0] = Q; /* => infinity */ + scalars[1] = n2; + points[1] = P; /* => -P */ + scalars[2] = n1; + points[2] = Q; /* => infinity */ + scalars[3] = n2; + points[3] = Q; /* => infinity */ + scalars[4] = n1; + points[4] = P; /* => P */ + scalars[5] = n2; + points[5] = Q; /* => infinity */ + if (!TEST_true(EC_POINTs_mul(group, P, NULL, 6, points, scalars, ctx)) + || !TEST_true(EC_POINT_is_at_infinity(group, P))) + goto err; +#endif + } + + r = 1; +err: + if (r == 0 && i != 0) + TEST_info(i == 1 ? "allowing precomputation" : + "without precomputation"); + EC_POINT_free(P); + EC_POINT_free(Q); + EC_POINT_free(R); + EC_POINT_free(S); + BN_free(n1); + BN_free(n2); + BN_free(order); + BN_CTX_free(ctx); + return r; +} + +static int prime_field_tests(void) +{ + BN_CTX *ctx = NULL; + BIGNUM *p = NULL, *a = NULL, *b = NULL, *scalar3 = NULL; + EC_GROUP *group = NULL; + EC_POINT *P = NULL, *Q = NULL, *R = NULL; + BIGNUM *x = NULL, *y = NULL, *z = NULL, *yplusone = NULL; +#ifndef OPENSSL_NO_DEPRECATED_3_0 + const EC_POINT *points[4]; + const BIGNUM *scalars[4]; +#endif + unsigned char buf[100]; + size_t len, r = 0; + int k; + + if (!TEST_ptr(ctx = BN_CTX_new()) + || !TEST_ptr(p = BN_new()) + || !TEST_ptr(a = BN_new()) + || !TEST_ptr(b = BN_new()) + /* + * applications should use EC_GROUP_new_curve_GFp so + * that the library gets to choose the EC_METHOD + */ + || !TEST_ptr(group = EC_GROUP_new(EC_GFp_mont_method()))) + goto err; + + buf[0] = 0; + if (!TEST_ptr(P = EC_POINT_new(group)) + || !TEST_ptr(Q = EC_POINT_new(group)) + || !TEST_ptr(R = EC_POINT_new(group)) + || !TEST_ptr(x = BN_new()) + || !TEST_ptr(y = BN_new()) + || !TEST_ptr(z = BN_new()) + || !TEST_ptr(yplusone = BN_new())) + 
goto err; + + /* Curve P-224 (FIPS PUB 186-2, App. 6) */ + + if (!TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFF" + "FFFFFFFF000000000000000000000001")) + || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL)) + || !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFF" + "FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE")) + || !TEST_true(BN_hex2bn(&b, "B4050A850C04B3ABF5413256" + "5044B0B7D7BFD8BA270B39432355FFB4")) + || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx)) + || !TEST_true(BN_hex2bn(&x, "B70E0CBD6BB4BF7F321390B9" + "4A03C1D356C21122343280D6115C1D21")) + || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 0, ctx)) + || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0) + || !TEST_true(BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFF" + "FFFF16A2E0B8F03E13DD29455C5C2A3D")) + || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one())) + || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx))) + goto err; + + TEST_info("NIST curve P-224 -- Generator"); + test_output_bignum("x", x); + test_output_bignum("y", y); + /* G_y value taken from the standard: */ + if (!TEST_true(BN_hex2bn(&z, "BD376388B5F723FB4C22DFE6" + "CD4375A05A07476444D5819985007E34")) + || !TEST_BN_eq(y, z) + || !TEST_true(BN_add(yplusone, y, BN_value_one())) + /* + * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, + * and therefore setting the coordinates should fail. + */ + || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone, + ctx)) + || !TEST_int_eq(EC_GROUP_get_degree(group), 224) + || !group_order_tests(group) + + /* Curve P-256 (FIPS PUB 186-2, App. 
6) */ + + || !TEST_true(BN_hex2bn(&p, "FFFFFFFF000000010000000000000000" + "00000000FFFFFFFFFFFFFFFFFFFFFFFF")) + || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL)) + || !TEST_true(BN_hex2bn(&a, "FFFFFFFF000000010000000000000000" + "00000000FFFFFFFFFFFFFFFFFFFFFFFC")) + || !TEST_true(BN_hex2bn(&b, "5AC635D8AA3A93E7B3EBBD55769886BC" + "651D06B0CC53B0F63BCE3C3E27D2604B")) + || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx)) + + || !TEST_true(BN_hex2bn(&x, "6B17D1F2E12C4247F8BCE6E563A440F2" + "77037D812DEB33A0F4A13945D898C296")) + || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 1, ctx)) + || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0) + || !TEST_true(BN_hex2bn(&z, "FFFFFFFF00000000FFFFFFFFFFFFFFFF" + "BCE6FAADA7179E84F3B9CAC2FC632551")) + || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one())) + || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx))) + goto err; + + TEST_info("NIST curve P-256 -- Generator"); + test_output_bignum("x", x); + test_output_bignum("y", y); + /* G_y value taken from the standard: */ + if (!TEST_true(BN_hex2bn(&z, "4FE342E2FE1A7F9B8EE7EB4A7C0F9E16" + "2BCE33576B315ECECBB6406837BF51F5")) + || !TEST_BN_eq(y, z) + || !TEST_true(BN_add(yplusone, y, BN_value_one())) + /* + * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, + * and therefore setting the coordinates should fail. + */ + || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone, + ctx)) + || !TEST_int_eq(EC_GROUP_get_degree(group), 256) + || !group_order_tests(group) + + /* Curve P-384 (FIPS PUB 186-2, App. 
6) */ + + || !TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE" + "FFFFFFFF0000000000000000FFFFFFFF")) + || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL)) + || !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE" + "FFFFFFFF0000000000000000FFFFFFFC")) + || !TEST_true(BN_hex2bn(&b, "B3312FA7E23EE7E4988E056BE3F82D19" + "181D9C6EFE8141120314088F5013875A" + "C656398D8A2ED19D2A85C8EDD3EC2AEF")) + || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx)) + + || !TEST_true(BN_hex2bn(&x, "AA87CA22BE8B05378EB1C71EF320AD74" + "6E1D3B628BA79B9859F741E082542A38" + "5502F25DBF55296C3A545E3872760AB7")) + || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 1, ctx)) + || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0) + || !TEST_true(BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" + "FFFFFFFFFFFFFFFFC7634D81F4372DDF" + "581A0DB248B0A77AECEC196ACCC52973")) + || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one())) + || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx))) + goto err; + + TEST_info("NIST curve P-384 -- Generator"); + test_output_bignum("x", x); + test_output_bignum("y", y); + /* G_y value taken from the standard: */ + if (!TEST_true(BN_hex2bn(&z, "3617DE4A96262C6F5D9E98BF9292DC29" + "F8F41DBD289A147CE9DA3113B5F0B8C0" + "0A60B1CE1D7E819D7A431D7C90EA0E5F")) + || !TEST_BN_eq(y, z) + || !TEST_true(BN_add(yplusone, y, BN_value_one())) + /* + * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, + * and therefore setting the coordinates should fail. + */ + || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone, + ctx)) + || !TEST_int_eq(EC_GROUP_get_degree(group), 384) + || !group_order_tests(group) + + /* Curve P-521 (FIPS PUB 186-2, App. 
6) */ + || !TEST_true(BN_hex2bn(&p, "1FF" + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF")) + || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL)) + || !TEST_true(BN_hex2bn(&a, "1FF" + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC")) + || !TEST_true(BN_hex2bn(&b, "051" + "953EB9618E1C9A1F929A21A0B68540EE" + "A2DA725B99B315F3B8B489918EF109E1" + "56193951EC7E937B1652C0BD3BB1BF07" + "3573DF883D2C34F1EF451FD46B503F00")) + || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx)) + || !TEST_true(BN_hex2bn(&x, "C6" + "858E06B70404E9CD9E3ECB662395B442" + "9C648139053FB521F828AF606B4D3DBA" + "A14B5E77EFE75928FE1DC127A2FFA8DE" + "3348B3C1856A429BF97E7E31C2E5BD66")) + || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 0, ctx)) + || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0) + || !TEST_true(BN_hex2bn(&z, "1FF" + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA" + "51868783BF2F966B7FCC0148F709A5D0" + "3BB5C9B8899C47AEBB6FB71E91386409")) + || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one())) + || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx))) + goto err; + + TEST_info("NIST curve P-521 -- Generator"); + test_output_bignum("x", x); + test_output_bignum("y", y); + /* G_y value taken from the standard: */ + if (!TEST_true(BN_hex2bn(&z, "118" + "39296A789A3BC0045C8A5FB42C7D1BD9" + "98F54449579B446817AFBD17273E662C" + "97EE72995EF42640C550B9013FAD0761" + "353C7086A272C24088BE94769FD16650")) + || !TEST_BN_eq(y, z) + || !TEST_true(BN_add(yplusone, y, BN_value_one())) + /* + * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, + * and therefore setting the coordinates should fail. 
+ */
+ || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone,
+ ctx))
+ || !TEST_int_eq(EC_GROUP_get_degree(group), 521)
+ || !group_order_tests(group)
+
+ /* more tests using the last curve */
+
+ /* Restore the point that got mangled in the (x, y + 1) test. */
+ || !TEST_true(EC_POINT_set_affine_coordinates(group, P, x, y, ctx))
+ || !TEST_true(EC_POINT_copy(Q, P))
+ || !TEST_false(EC_POINT_is_at_infinity(group, Q))
+ || !TEST_true(EC_POINT_dbl(group, P, P, ctx))
+ || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
+ || !TEST_true(EC_POINT_invert(group, Q, ctx)) /* P = -2Q */
+ || !TEST_true(EC_POINT_add(group, R, P, Q, ctx))
+ || !TEST_true(EC_POINT_add(group, R, R, Q, ctx))
+ || !TEST_true(EC_POINT_is_at_infinity(group, R)) /* R = P + 2Q */
+ || !TEST_false(EC_POINT_is_at_infinity(group, Q)))
+ goto err;
+
+#ifndef OPENSSL_NO_DEPRECATED_3_0
+ TEST_note("combined multiplication ...");
+ points[0] = Q;
+ points[1] = Q;
+ points[2] = Q;
+ points[3] = Q;
+
+ if (!TEST_true(EC_GROUP_get_order(group, z, ctx))
+ || !TEST_true(BN_add(y, z, BN_value_one()))
+ || !TEST_BN_even(y)
+ || !TEST_true(BN_rshift1(y, y)))
+ goto err;
+
+ scalars[0] = y; /* (group order + 1)/2, so y*Q + y*Q = Q */
+ scalars[1] = y;
+
+ /* z is still the group order */
+ if (!TEST_true(EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx))
+ || !TEST_true(EC_POINTs_mul(group, R, z, 2, points, scalars, ctx))
+ || !TEST_int_eq(0, EC_POINT_cmp(group, P, R, ctx))
+ || !TEST_int_eq(0, EC_POINT_cmp(group, R, Q, ctx))
+ || !TEST_true(BN_rand(y, BN_num_bits(y), 0, 0))
+ || !TEST_true(BN_add(z, z, y)))
+ goto err;
+ BN_set_negative(z, 1);
+ scalars[0] = y;
+ scalars[1] = z; /* z = -(order + y) */
+
+ if (!TEST_true(EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx))
+ || !TEST_true(EC_POINT_is_at_infinity(group, P))
+ || !TEST_true(BN_rand(x, BN_num_bits(y) - 1, 0, 0))
+ || !TEST_true(BN_add(z, x, y)))
+ goto err;
+ BN_set_negative(z, 1);
+ scalars[0] = x;
+ scalars[1] = y;
+
scalars[2] = z; /* z = -(x+y) */
+
+ if (!TEST_ptr(scalar3 = BN_new()))
+ goto err;
+ BN_zero(scalar3);
+ scalars[3] = scalar3;
+
+ if (!TEST_true(EC_POINTs_mul(group, P, NULL, 4, points, scalars, ctx))
+ || !TEST_true(EC_POINT_is_at_infinity(group, P)))
+ goto err;
+#endif
+ TEST_note(" ok\n");
+ r = 1;
+err:
+ BN_CTX_free(ctx);
+ BN_free(p);
+ BN_free(a);
+ BN_free(b);
+ EC_GROUP_free(group);
+ EC_POINT_free(P);
+ EC_POINT_free(Q);
+ EC_POINT_free(R);
+ BN_free(x);
+ BN_free(y);
+ BN_free(z);
+ BN_free(yplusone);
+ BN_free(scalar3);
+ return r;
+}
+
+static int internal_curve_test(int n)
+{
+ EC_GROUP *group = NULL;
+ int nid = curves[n].nid;
+
+ if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))) {
+ TEST_info("EC_GROUP_new_curve_name() failed with curve %s\n",
+ OBJ_nid2sn(nid));
+ return 0;
+ }
+ if (!TEST_true(EC_GROUP_check(group, NULL))) {
+ TEST_info("EC_GROUP_check() failed with curve %s\n", OBJ_nid2sn(nid));
+ EC_GROUP_free(group);
+ return 0;
+ }
+ EC_GROUP_free(group);
+ return 1;
+}
+
+static int internal_curve_test_method(int n)
+{
+ int r, nid = curves[n].nid;
+ EC_GROUP *group;
+
+ if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))) {
+ TEST_info("Curve %s failed\n", OBJ_nid2sn(nid));
+ return 0;
+ }
+ r = group_order_tests(group);
+ EC_GROUP_free(group);
+ return r;
+}
+
+static int group_field_test(void)
+{
+ int r = 1;
+ BIGNUM *secp521r1_field = NULL;
+ BIGNUM *sect163r2_field = NULL;
+ EC_GROUP *secp521r1_group = NULL;
+ EC_GROUP *sect163r2_group = NULL;
+
+ BN_hex2bn(&secp521r1_field,
+ "01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+ "FFFF");
+
+
+ BN_hex2bn(§163r2_field,
+ "08000000000000000000000000000000"
+ "00000000C9");
+
+ secp521r1_group = EC_GROUP_new_by_curve_name(NID_secp521r1);
+ if (BN_cmp(secp521r1_field, EC_GROUP_get0_field(secp521r1_group)))
+ r = 0;
+
+ # ifndef OPENSSL_NO_EC2M
+ sect163r2_group =
EC_GROUP_new_by_curve_name(NID_sect163r2);
+ if (BN_cmp(sect163r2_field, EC_GROUP_get0_field(sect163r2_group)))
+ r = 0;
+ # endif
+
+ EC_GROUP_free(secp521r1_group);
+ EC_GROUP_free(sect163r2_group);
+ BN_free(secp521r1_field);
+ BN_free(sect163r2_field);
+ return r;
+}
+/*
+ * nistp_test_params contains magic numbers for testing
+ * several NIST curves with characteristic > 3.
+ */
+struct nistp_test_params {
+ const int nid;
+ int degree;
+ /*
+ * Qx, Qy and D are taken from
+ * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/ECDSA_Prime.pdf
+ * Otherwise, values are standard curve parameters from FIPS 180-3
+ */
+ const char *p, *a, *b, *Qx, *Qy, *Gx, *Gy, *order, *d;
+};
+
+static const struct nistp_test_params nistp_tests_params[] = {
+ {
+ /* P-224 */
+ NID_secp224r1,
+ 224,
+ /* p */
+ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001",
+ /* a */
+ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE",
+ /* b */
+ "B4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4",
+ /* Qx */
+ "E84FB0B8E7000CB657D7973CF6B42ED78B301674276DF744AF130B3E",
+ /* Qy */
+ "4376675C6FC5612C21A0FF2D2A89D2987DF7A2BC52183B5982298555",
+ /* Gx */
+ "B70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21",
+ /* Gy */
+ "BD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34",
+ /* order */
+ "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D",
+ /* d */
+ "3F0C488E987C80BE0FEE521F8D90BE6034EC69AE11CA72AA777481E8",
+ },
+ {
+ /* P-256 */
+ NID_X9_62_prime256v1,
+ 256,
+ /* p */
+ "ffffffff00000001000000000000000000000000ffffffffffffffffffffffff",
+ /* a */
+ "ffffffff00000001000000000000000000000000fffffffffffffffffffffffc",
+ /* b */
+ "5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b",
+ /* Qx */
+ "b7e08afdfe94bad3f1dc8c734798ba1c62b3a0ad1e9ea2a38201cd0889bc7a19",
+ /* Qy */
+ "3603f747959dbf7a4bb226e41928729063adc7ae43529e61b563bbc606cc5e09",
+ /* Gx */
+ "6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296",
+
/* Gy */
+ "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5",
+ /* order */
+ "ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551",
+ /* d */
+ "c477f9f65c22cce20657faa5b2d1d8122336f851a508a1ed04e479c34985bf96",
+ },
+ {
+ /* P-521 */
+ NID_secp521r1,
+ 521,
+ /* p */
+ "1ff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+ /* a */
+ "1ff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc",
+ /* b */
+ "051"
+ "953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e1"
+ "56193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00",
+ /* Qx */
+ "0098"
+ "e91eef9a68452822309c52fab453f5f117c1da8ed796b255e9ab8f6410cca16e"
+ "59df403a6bdc6ca467a37056b1e54b3005d8ac030decfeb68df18b171885d5c4",
+ /* Qy */
+ "0164"
+ "350c321aecfc1cca1ba4364c9b15656150b4b78d6a48d7d28e7f31985ef17be8"
+ "554376b72900712c4b83ad668327231526e313f5f092999a4632fd50d946bc2e",
+ /* Gx */
+ "c6"
+ "858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dba"
+ "a14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66",
+ /* Gy */
+ "118"
+ "39296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c"
+ "97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650",
+ /* order */
+ "1ff"
+ "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa"
+ "51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409",
+ /* d */
+ "0100"
+ "085f47b8e1b8b11b7eb33028c0b2888e304bfc98501955b45bba1478dc184eee"
+ "df09b86a5f7c21994406072787205e69a63709fe35aa93ba333514b24f961722",
+ },
+};
+
+static int nistp_single_test(int idx)
+{
+ const struct nistp_test_params *test = nistp_tests_params + idx;
+ BN_CTX *ctx = NULL;
+ BIGNUM *p = NULL, *a = NULL, *b = NULL, *x = NULL, *y = NULL;
+ BIGNUM *n = NULL, *m = NULL, *order = NULL, *yplusone = NULL;
+ EC_GROUP
*NISTP = NULL;
+ EC_POINT *G = NULL, *P = NULL, *Q = NULL, *Q_CHECK = NULL;
+ int r = 0;
+
+ TEST_note("NIST curve P-%d (optimised implementation):",
+ test->degree);
+ if (!TEST_ptr(ctx = BN_CTX_new())
+ || !TEST_ptr(p = BN_new())
+ || !TEST_ptr(a = BN_new())
+ || !TEST_ptr(b = BN_new())
+ || !TEST_ptr(x = BN_new())
+ || !TEST_ptr(y = BN_new())
+ || !TEST_ptr(m = BN_new())
+ || !TEST_ptr(n = BN_new())
+ || !TEST_ptr(order = BN_new())
+ || !TEST_ptr(yplusone = BN_new())
+
+ || !TEST_ptr(NISTP = EC_GROUP_new_by_curve_name(test->nid))
+ || !TEST_true(BN_hex2bn(&p, test->p))
+ || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL))
+ || !TEST_true(BN_hex2bn(&a, test->a))
+ || !TEST_true(BN_hex2bn(&b, test->b))
+ || !TEST_true(EC_GROUP_set_curve(NISTP, p, a, b, ctx))
+ || !TEST_ptr(G = EC_POINT_new(NISTP))
+ || !TEST_ptr(P = EC_POINT_new(NISTP))
+ || !TEST_ptr(Q = EC_POINT_new(NISTP))
+ || !TEST_ptr(Q_CHECK = EC_POINT_new(NISTP))
+ || !TEST_true(BN_hex2bn(&x, test->Qx))
+ || !TEST_true(BN_hex2bn(&y, test->Qy))
+ || !TEST_true(BN_add(yplusone, y, BN_value_one()))
+ /*
+ * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
+ * and therefore setting the coordinates should fail.
+ */
+ || !TEST_false(EC_POINT_set_affine_coordinates(NISTP, Q_CHECK, x,
+ yplusone, ctx))
+ || !TEST_true(EC_POINT_set_affine_coordinates(NISTP, Q_CHECK, x, y,
+ ctx))
+ || !TEST_true(BN_hex2bn(&x, test->Gx))
+ || !TEST_true(BN_hex2bn(&y, test->Gy))
+ || !TEST_true(EC_POINT_set_affine_coordinates(NISTP, G, x, y, ctx))
+ || !TEST_true(BN_hex2bn(&order, test->order))
+ || !TEST_true(EC_GROUP_set_generator(NISTP, G, order, BN_value_one()))
+ || !TEST_int_eq(EC_GROUP_get_degree(NISTP), test->degree))
+ goto err;
+
+ TEST_note("NIST test vectors ...
");
+ if (!TEST_true(BN_hex2bn(&n, test->d)))
+ goto err;
+ /* fixed point multiplication */
+ EC_POINT_mul(NISTP, Q, n, NULL, NULL, ctx);
+ if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)))
+ goto err;
+ /* random point multiplication */
+ EC_POINT_mul(NISTP, Q, NULL, G, n, ctx);
+ if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
+
+ /* set generator to P = 2*G, where G is the standard generator */
+ || !TEST_true(EC_POINT_dbl(NISTP, P, G, ctx))
+ || !TEST_true(EC_GROUP_set_generator(NISTP, P, order, BN_value_one()))
+ /* set the scalar to m=n/2, where n is the NIST test scalar */
+ || !TEST_true(BN_rshift(m, n, 1)))
+ goto err;
+
+ /* test the non-standard generator */
+ /* fixed point multiplication */
+ EC_POINT_mul(NISTP, Q, m, NULL, NULL, ctx);
+ if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)))
+ goto err;
+ /* random point multiplication */
+ EC_POINT_mul(NISTP, Q, NULL, P, m, ctx);
+ if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
+#ifndef OPENSSL_NO_DEPRECATED_3_0
+ /* We have not performed precomp so this should be false */
+ || !TEST_false(EC_GROUP_have_precompute_mult(NISTP))
+ /* now repeat all tests with precomputation */
+ || !TEST_true(EC_GROUP_precompute_mult(NISTP, ctx))
+#endif
+ )
+ goto err;
+
+ /* fixed point multiplication */
+ EC_POINT_mul(NISTP, Q, m, NULL, NULL, ctx);
+ if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)))
+ goto err;
+ /* random point multiplication */
+ EC_POINT_mul(NISTP, Q, NULL, P, m, ctx);
+ if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
+
+ /* reset generator */
+ || !TEST_true(EC_GROUP_set_generator(NISTP, G, order, BN_value_one())))
+ goto err;
+ /* fixed point multiplication */
+ EC_POINT_mul(NISTP, Q, n, NULL, NULL, ctx);
+ if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)))
+ goto err;
+ /* random point multiplication */
+ EC_POINT_mul(NISTP, Q, NULL, G, n, ctx);
+ if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)))
+ goto err;
+
+ /*
regression test for felem_neg bug */
+ if (!TEST_true(BN_set_word(m, 32))
+ || !TEST_true(BN_set_word(n, 31))
+ || !TEST_true(EC_POINT_copy(P, G))
+ || !TEST_true(EC_POINT_invert(NISTP, P, ctx))
+ || !TEST_true(EC_POINT_mul(NISTP, Q, m, P, n, ctx))
+ || !TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, G, ctx)))
+ goto err;
+
+ r = 1;
+err:
+ EC_GROUP_free(NISTP);
+ EC_POINT_free(G);
+ EC_POINT_free(P);
+ EC_POINT_free(Q);
+ EC_POINT_free(Q_CHECK);
+ BN_free(n);
+ BN_free(m);
+ BN_free(p);
+ BN_free(a);
+ BN_free(b);
+ BN_free(x);
+ BN_free(y);
+ BN_free(order);
+ BN_free(yplusone);
+ BN_CTX_free(ctx);
+ return r;
+}
+
+static const unsigned char p521_named[] = {
+ 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x23,
+};
+
+static const unsigned char p521_explicit[] = {
+ 0x30, 0x82, 0x01, 0xc3, 0x02, 0x01, 0x01, 0x30, 0x4d, 0x06, 0x07, 0x2a,
+ 0x86, 0x48, 0xce, 0x3d, 0x01, 0x01, 0x02, 0x42, 0x01, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0x30, 0x81, 0x9f, 0x04, 0x42, 0x01, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xfc, 0x04, 0x42, 0x00, 0x51, 0x95, 0x3e, 0xb9, 0x61, 0x8e, 0x1c, 0x9a,
+ 0x1f, 0x92, 0x9a, 0x21, 0xa0, 0xb6, 0x85, 0x40, 0xee, 0xa2, 0xda, 0x72,
+ 0x5b, 0x99, 0xb3, 0x15, 0xf3, 0xb8, 0xb4, 0x89, 0x91, 0x8e, 0xf1, 0x09,
+ 0xe1, 0x56, 0x19, 0x39, 0x51, 0xec, 0x7e, 0x93, 0x7b,
0x16, 0x52, 0xc0,
+ 0xbd, 0x3b, 0xb1, 0xbf, 0x07, 0x35, 0x73, 0xdf, 0x88, 0x3d, 0x2c, 0x34,
+ 0xf1, 0xef, 0x45, 0x1f, 0xd4, 0x6b, 0x50, 0x3f, 0x00, 0x03, 0x15, 0x00,
+ 0xd0, 0x9e, 0x88, 0x00, 0x29, 0x1c, 0xb8, 0x53, 0x96, 0xcc, 0x67, 0x17,
+ 0x39, 0x32, 0x84, 0xaa, 0xa0, 0xda, 0x64, 0xba, 0x04, 0x81, 0x85, 0x04,
+ 0x00, 0xc6, 0x85, 0x8e, 0x06, 0xb7, 0x04, 0x04, 0xe9, 0xcd, 0x9e, 0x3e,
+ 0xcb, 0x66, 0x23, 0x95, 0xb4, 0x42, 0x9c, 0x64, 0x81, 0x39, 0x05, 0x3f,
+ 0xb5, 0x21, 0xf8, 0x28, 0xaf, 0x60, 0x6b, 0x4d, 0x3d, 0xba, 0xa1, 0x4b,
+ 0x5e, 0x77, 0xef, 0xe7, 0x59, 0x28, 0xfe, 0x1d, 0xc1, 0x27, 0xa2, 0xff,
+ 0xa8, 0xde, 0x33, 0x48, 0xb3, 0xc1, 0x85, 0x6a, 0x42, 0x9b, 0xf9, 0x7e,
+ 0x7e, 0x31, 0xc2, 0xe5, 0xbd, 0x66, 0x01, 0x18, 0x39, 0x29, 0x6a, 0x78,
+ 0x9a, 0x3b, 0xc0, 0x04, 0x5c, 0x8a, 0x5f, 0xb4, 0x2c, 0x7d, 0x1b, 0xd9,
+ 0x98, 0xf5, 0x44, 0x49, 0x57, 0x9b, 0x44, 0x68, 0x17, 0xaf, 0xbd, 0x17,
+ 0x27, 0x3e, 0x66, 0x2c, 0x97, 0xee, 0x72, 0x99, 0x5e, 0xf4, 0x26, 0x40,
+ 0xc5, 0x50, 0xb9, 0x01, 0x3f, 0xad, 0x07, 0x61, 0x35, 0x3c, 0x70, 0x86,
+ 0xa2, 0x72, 0xc2, 0x40, 0x88, 0xbe, 0x94, 0x76, 0x9f, 0xd1, 0x66, 0x50,
+ 0x02, 0x42, 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfa,
+ 0x51, 0x86, 0x87, 0x83, 0xbf, 0x2f, 0x96, 0x6b, 0x7f, 0xcc, 0x01, 0x48,
+ 0xf7, 0x09, 0xa5, 0xd0, 0x3b, 0xb5, 0xc9, 0xb8, 0x89, 0x9c, 0x47, 0xae,
+ 0xbb, 0x6f, 0xb7, 0x1e, 0x91, 0x38, 0x64, 0x09, 0x02, 0x01, 0x01,
+};
+
+/*
+ * This test validates a named curve's group parameters using
+ * EC_GROUP_check_named_curve(). It also checks that modifying any of the
+ * group parameters results in the curve not being valid.
+ */
+static int check_named_curve_test(int id)
+{
+ int ret = 0, nid, field_nid, has_seed;
+ EC_GROUP *group = NULL, *gtest = NULL;
+ const EC_POINT *group_gen = NULL;
+ EC_POINT *other_gen = NULL;
+ BIGNUM *group_p = NULL, *group_a = NULL, *group_b = NULL;
+ BIGNUM *other_p = NULL, *other_a = NULL, *other_b = NULL;
+ BIGNUM *group_cofactor = NULL, *other_cofactor = NULL;
+ BIGNUM *other_order = NULL;
+ const BIGNUM *group_order = NULL;
+ BN_CTX *bn_ctx = NULL;
+ static const unsigned char invalid_seed[] = "THIS IS NOT A VALID SEED";
+ static size_t invalid_seed_len = sizeof(invalid_seed);
+
+ /* Do some setup */
+ nid = curves[id].nid;
+ if (!TEST_ptr(bn_ctx = BN_CTX_new())
+ || !TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))
+ || !TEST_ptr(gtest = EC_GROUP_dup(group))
+ || !TEST_ptr(group_p = BN_new())
+ || !TEST_ptr(group_a = BN_new())
+ || !TEST_ptr(group_b = BN_new())
+ || !TEST_ptr(group_cofactor = BN_new())
+ || !TEST_ptr(group_gen = EC_GROUP_get0_generator(group))
+ || !TEST_ptr(group_order = EC_GROUP_get0_order(group))
+ || !TEST_true(EC_GROUP_get_cofactor(group, group_cofactor, NULL))
+ || !TEST_true(EC_GROUP_get_curve(group, group_p, group_a, group_b, NULL))
+ || !TEST_ptr(other_gen = EC_POINT_dup(group_gen, group))
+ || !TEST_true(EC_POINT_add(group, other_gen, group_gen, group_gen, NULL))
+ || !TEST_ptr(other_order = BN_dup(group_order))
+ || !TEST_true(BN_add_word(other_order, 1))
+ || !TEST_ptr(other_a = BN_dup(group_a))
+ || !TEST_true(BN_add_word(other_a, 1))
+ || !TEST_ptr(other_b = BN_dup(group_b))
+ || !TEST_true(BN_add_word(other_b, 1))
+ || !TEST_ptr(other_cofactor = BN_dup(group_cofactor))
+ || !TEST_true(BN_add_word(other_cofactor, 1)))
+ goto err;
+
+ /* Determine if the built-in curve has a seed field set */
+ has_seed = (EC_GROUP_get_seed_len(group) > 0);
+ field_nid = EC_GROUP_get_field_type(group);
+ if (field_nid == NID_X9_62_characteristic_two_field) {
+ if (!TEST_ptr(other_p = BN_dup(group_p))
+ || !TEST_true(BN_lshift1(other_p,
other_p)))
+ goto err;
+ } else {
+ if (!TEST_ptr(other_p = BN_dup(group_p)))
+ goto err;
+ /*
+ * Just choosing any arbitrary prime does not work..
+ * Setting p via ec_GFp_nist_group_set_curve() needs the prime to be a
+ * nist prime. So only select one of these as an alternate prime.
+ */
+ if (!TEST_ptr(BN_copy(other_p,
+ BN_ucmp(BN_get0_nist_prime_192(), other_p) == 0 ?
+ BN_get0_nist_prime_256() :
+ BN_get0_nist_prime_192())))
+ goto err;
+ }
+
+ /* Passes because this is a valid curve */
+ if (!TEST_int_eq(EC_GROUP_check_named_curve(group, 0, NULL), nid)
+ /* Only NIST curves pass */
+ || !TEST_int_eq(EC_GROUP_check_named_curve(group, 1, NULL),
+ EC_curve_nid2nist(nid) != NULL ? nid : NID_undef))
+ goto err;
+
+ /* Fail if the curve name doesn't match the parameters */
+ EC_GROUP_set_curve_name(group, nid + 1);
+ ERR_set_mark();
+ if (!TEST_int_le(EC_GROUP_check_named_curve(group, 0, NULL), 0))
+ goto err;
+ ERR_pop_to_mark();
+
+ /* Restore curve name and ensure it's passing */
+ EC_GROUP_set_curve_name(group, nid);
+ if (!TEST_int_eq(EC_GROUP_check_named_curve(group, 0, NULL), nid))
+ goto err;
+
+ if (!TEST_int_eq(EC_GROUP_set_seed(group, invalid_seed, invalid_seed_len),
+ invalid_seed_len))
+ goto err;
+
+ if (has_seed) {
+ /*
+ * If the built-in curve has a seed and we set the seed to another value
+ * then it will fail the check.
+ */
+ if (!TEST_int_eq(EC_GROUP_check_named_curve(group, 0, NULL), 0))
+ goto err;
+ } else {
+ /*
+ * If the built-in curve does not have a seed then setting the seed will
+ * pass the check (as the seed is optional).
+ */
+ if (!TEST_int_eq(EC_GROUP_check_named_curve(group, 0, NULL), nid))
+ goto err;
+ }
+ /* Pass if the seed is unknown (as it is optional) */
+ if (!TEST_int_eq(EC_GROUP_set_seed(group, NULL, 0), 1)
+ || !TEST_int_eq(EC_GROUP_check_named_curve(group, 0, NULL), nid))
+ goto err;
+
+ /* Check that a duped group passes */
+ if (!TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), nid))
+ goto err;
+
+ /* check that changing any generator parameter fails */
+ if (!TEST_true(EC_GROUP_set_generator(gtest, other_gen, group_order,
+ group_cofactor))
+ || !TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), 0)
+ || !TEST_true(EC_GROUP_set_generator(gtest, group_gen, other_order,
+ group_cofactor))
+ || !TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), 0)
+ /* The order is not an optional field, so this should fail */
+ || !TEST_false(EC_GROUP_set_generator(gtest, group_gen, NULL,
+ group_cofactor))
+ || !TEST_true(EC_GROUP_set_generator(gtest, group_gen, group_order,
+ other_cofactor))
+ || !TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), 0)
+ /* Check that if the cofactor is not set then it still passes */
+ || !TEST_true(EC_GROUP_set_generator(gtest, group_gen, group_order,
+ NULL))
+ || !TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), nid)
+ /* check that restoring the generator passes */
+ || !TEST_true(EC_GROUP_set_generator(gtest, group_gen, group_order,
+ group_cofactor))
+ || !TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), nid))
+ goto err;
+
+ /*
+ * check that changing any curve parameter fails
+ *
+ * Setting arbitrary p, a or b might fail for some EC_GROUPs
+ * depending on the internal EC_METHOD implementation, hence run
+ * these tests conditionally to the success of EC_GROUP_set_curve().
+ */
+ ERR_set_mark();
+ if (EC_GROUP_set_curve(gtest, other_p, group_a, group_b, NULL)) {
+ if (!TEST_int_le(EC_GROUP_check_named_curve(gtest, 0, NULL), 0))
+ goto err;
+ } else {
+ /* clear the error stack if EC_GROUP_set_curve() failed */
+ ERR_pop_to_mark();
+ ERR_set_mark();
+ }
+ if (EC_GROUP_set_curve(gtest, group_p, other_a, group_b, NULL)) {
+ if (!TEST_int_le(EC_GROUP_check_named_curve(gtest, 0, NULL), 0))
+ goto err;
+ } else {
+ /* clear the error stack if EC_GROUP_set_curve() failed */
+ ERR_pop_to_mark();
+ ERR_set_mark();
+ }
+ if (EC_GROUP_set_curve(gtest, group_p, group_a, other_b, NULL)) {
+ if (!TEST_int_le(EC_GROUP_check_named_curve(gtest, 0, NULL), 0))
+ goto err;
+ } else {
+ /* clear the error stack if EC_GROUP_set_curve() failed */
+ ERR_pop_to_mark();
+ ERR_set_mark();
+ }
+ ERR_pop_to_mark();
+
+ /* Check that restoring the curve parameters passes */
+ if (!TEST_true(EC_GROUP_set_curve(gtest, group_p, group_a, group_b, NULL))
+ || !TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), nid))
+ goto err;
+
+ ret = 1;
+err:
+ BN_free(group_p);
+ BN_free(other_p);
+ BN_free(group_a);
+ BN_free(other_a);
+ BN_free(group_b);
+ BN_free(other_b);
+ BN_free(group_cofactor);
+ BN_free(other_cofactor);
+ BN_free(other_order);
+ EC_POINT_free(other_gen);
+ EC_GROUP_free(gtest);
+ EC_GROUP_free(group);
+ BN_CTX_free(bn_ctx);
+ return ret;
+}
+
+/*
+ * This checks the lookup capability of EC_GROUP_check_named_curve()
+ * when the given group was created with explicit parameters.
+ *
+ * It is possible to retrieve an alternative alias that does not match
+ * the original nid in this case.
+ */
+static int check_named_curve_lookup_test(int id)
+{
+ int ret = 0, nid, rv = 0;
+ EC_GROUP *g = NULL , *ga = NULL;
+ ECPARAMETERS *p = NULL, *pa = NULL;
+ BN_CTX *ctx = NULL;
+
+ /* Do some setup */
+ nid = curves[id].nid;
+ if (!TEST_ptr(ctx = BN_CTX_new())
+ || !TEST_ptr(g = EC_GROUP_new_by_curve_name(nid))
+ || !TEST_ptr(p = EC_GROUP_get_ecparameters(g, NULL)))
+ goto err;
+
+ /* replace with group from explicit parameters */
+ EC_GROUP_free(g);
+ if (!TEST_ptr(g = EC_GROUP_new_from_ecparameters(p)))
+ goto err;
+
+ if (!TEST_int_gt(rv = EC_GROUP_check_named_curve(g, 0, NULL), 0))
+ goto err;
+ if (rv != nid) {
+ /*
+ * Found an alias:
+ * fail if the returned nid is not an alias of the original group.
+ *
+ * The comparison here is done by comparing two explicit
+ * parameter EC_GROUPs with EC_GROUP_cmp(), to ensure the
+ * comparison happens with unnamed EC_GROUPs using the same
+ * EC_METHODs.
+ */
+ if (!TEST_ptr(ga = EC_GROUP_new_by_curve_name(rv))
+ || !TEST_ptr(pa = EC_GROUP_get_ecparameters(ga, NULL)))
+ goto err;
+
+ /* replace with group from explicit parameters, then compare */
+ EC_GROUP_free(ga);
+ if (!TEST_ptr(ga = EC_GROUP_new_from_ecparameters(pa))
+ || !TEST_int_eq(EC_GROUP_cmp(g, ga, ctx), 0))
+ goto err;
+ }
+
+ ret = 1;
+
+ err:
+ EC_GROUP_free(g);
+ EC_GROUP_free(ga);
+ ECPARAMETERS_free(p);
+ ECPARAMETERS_free(pa);
+ BN_CTX_free(ctx);
+
+ return ret;
+}
+
+/*
+ * Sometime we cannot compare nids for equality, as the built-in curve table
+ * includes aliases with different names for the same curve.
+ *
+ * This function returns TRUE (1) if the checked nids are identical, or if they
+ * alias to the same curve. FALSE (0) otherwise.
+ */
+static ossl_inline
+int are_ec_nids_compatible(int n1d, int n2d)
+{
+ int ret = 0;
+ switch (n1d) {
+#ifndef OPENSSL_NO_EC2M
+ case NID_sect113r1:
+ case NID_wap_wsg_idm_ecid_wtls4:
+ ret = (n2d == NID_sect113r1 || n2d == NID_wap_wsg_idm_ecid_wtls4);
+ break;
+ case NID_sect163k1:
+ case NID_wap_wsg_idm_ecid_wtls3:
+ ret = (n2d == NID_sect163k1 || n2d == NID_wap_wsg_idm_ecid_wtls3);
+ break;
+ case NID_sect233k1:
+ case NID_wap_wsg_idm_ecid_wtls10:
+ ret = (n2d == NID_sect233k1 || n2d == NID_wap_wsg_idm_ecid_wtls10);
+ break;
+ case NID_sect233r1:
+ case NID_wap_wsg_idm_ecid_wtls11:
+ ret = (n2d == NID_sect233r1 || n2d == NID_wap_wsg_idm_ecid_wtls11);
+ break;
+ case NID_X9_62_c2pnb163v1:
+ case NID_wap_wsg_idm_ecid_wtls5:
+ ret = (n2d == NID_X9_62_c2pnb163v1
+ || n2d == NID_wap_wsg_idm_ecid_wtls5);
+ break;
+#endif /* OPENSSL_NO_EC2M */
+ case NID_secp112r1:
+ case NID_wap_wsg_idm_ecid_wtls6:
+ ret = (n2d == NID_secp112r1 || n2d == NID_wap_wsg_idm_ecid_wtls6);
+ break;
+ case NID_secp160r2:
+ case NID_wap_wsg_idm_ecid_wtls7:
+ ret = (n2d == NID_secp160r2 || n2d == NID_wap_wsg_idm_ecid_wtls7);
+ break;
+#ifdef OPENSSL_NO_EC_NISTP_64_GCC_128
+ case NID_secp224r1:
+ case NID_wap_wsg_idm_ecid_wtls12:
+ ret = (n2d == NID_secp224r1 || n2d == NID_wap_wsg_idm_ecid_wtls12);
+ break;
+#else
+ /*
+ * For SEC P-224 we want to ensure that the SECP nid is returned, as
+ * that is associated with a specialized method.
+ */
+ case NID_wap_wsg_idm_ecid_wtls12:
+ ret = (n2d == NID_secp224r1);
+ break;
+#endif /* def(OPENSSL_NO_EC_NISTP_64_GCC_128) */
+
+ default:
+ ret = (n1d == n2d);
+ }
+ return ret;
+}
+
+/*
+ * This checks that EC_GROUP_bew_from_ecparameters() returns a "named"
+ * EC_GROUP for built-in curves.
+ *
+ * Note that it is possible to retrieve an alternative alias that does not match
+ * the original nid.
+ *
+ * Ensure that the OPENSSL_EC_EXPLICIT_CURVE ASN1 flag is set.
+ */
+static int check_named_curve_from_ecparameters(int id)
+{
+ int ret = 0, nid, tnid;
+ EC_GROUP *group = NULL, *tgroup = NULL, *tmpg = NULL;
+ const EC_POINT *group_gen = NULL;
+ EC_POINT *other_gen = NULL;
+ BIGNUM *group_cofactor = NULL, *other_cofactor = NULL;
+ BIGNUM *other_gen_x = NULL, *other_gen_y = NULL;
+ const BIGNUM *group_order = NULL;
+ BIGNUM *other_order = NULL;
+ BN_CTX *bn_ctx = NULL;
+ static const unsigned char invalid_seed[] = "THIS IS NOT A VALID SEED";
+ static size_t invalid_seed_len = sizeof(invalid_seed);
+ ECPARAMETERS *params = NULL, *other_params = NULL;
+ EC_GROUP *g_ary[8] = {NULL};
+ EC_GROUP **g_next = &g_ary[0];
+ ECPARAMETERS *p_ary[8] = {NULL};
+ ECPARAMETERS **p_next = &p_ary[0];
+
+ /* Do some setup */
+ nid = curves[id].nid;
+ TEST_note("Curve %s", OBJ_nid2sn(nid));
+ if (!TEST_ptr(bn_ctx = BN_CTX_new()))
+ return ret;
+ BN_CTX_start(bn_ctx);
+
+ if (/* Allocations */
+ !TEST_ptr(group_cofactor = BN_CTX_get(bn_ctx))
+ || !TEST_ptr(other_gen_x = BN_CTX_get(bn_ctx))
+ || !TEST_ptr(other_gen_y = BN_CTX_get(bn_ctx))
+ || !TEST_ptr(other_order = BN_CTX_get(bn_ctx))
+ || !TEST_ptr(other_cofactor = BN_CTX_get(bn_ctx))
+ /* Generate reference group and params */
+ || !TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))
+ || !TEST_ptr(params = EC_GROUP_get_ecparameters(group, NULL))
+ || !TEST_ptr(group_gen = EC_GROUP_get0_generator(group))
+ || !TEST_ptr(group_order = EC_GROUP_get0_order(group))
+ || !TEST_true(EC_GROUP_get_cofactor(group, group_cofactor, NULL))
+ /* compute `other_*` values */
+ || !TEST_ptr(tmpg = EC_GROUP_dup(group))
+ || !TEST_ptr(other_gen = EC_POINT_dup(group_gen, group))
+ || !TEST_true(EC_POINT_add(group, other_gen, group_gen, group_gen, NULL))
+ || !TEST_true(EC_POINT_get_affine_coordinates(group, other_gen,
+ other_gen_x, other_gen_y, bn_ctx))
+ || !TEST_true(BN_copy(other_order, group_order))
+ || !TEST_true(BN_add_word(other_order, 1))
+ || !TEST_true(BN_copy(other_cofactor, group_cofactor))
+ ||
!TEST_true(BN_add_word(other_cofactor, 1)))
+ goto err;
+
+ EC_POINT_free(other_gen);
+ other_gen = NULL;
+
+ if (!TEST_ptr(other_gen = EC_POINT_new(tmpg))
+ || !TEST_true(EC_POINT_set_affine_coordinates(tmpg, other_gen,
+ other_gen_x, other_gen_y,
+ bn_ctx)))
+ goto err;
+
+ /*
+ * ###########################
+ * # Actual tests start here #
+ * ###########################
+ */
+
+ /*
+ * Creating a group from built-in explicit parameters returns a
+ * "named" EC_GROUP
+ */
+ if (!TEST_ptr(tgroup = *g_next++ = EC_GROUP_new_from_ecparameters(params))
+ || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef))
+ goto err;
+ /*
+ * We cannot always guarantee the names match, as the built-in table
+ * contains aliases for the same curve with different names.
+ */
+ if (!TEST_true(are_ec_nids_compatible(nid, tnid))) {
+ TEST_info("nid = %s, tnid = %s", OBJ_nid2sn(nid), OBJ_nid2sn(tnid));
+ goto err;
+ }
+ /* Ensure that the OPENSSL_EC_EXPLICIT_CURVE ASN1 flag is set. */
+ if (!TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup), OPENSSL_EC_EXPLICIT_CURVE))
+ goto err;
+
+ /*
+ * An invalid seed in the parameters should be ignored: expect a "named"
+ * group.
+ */
+ if (!TEST_int_eq(EC_GROUP_set_seed(tmpg, invalid_seed, invalid_seed_len),
+ invalid_seed_len)
+ || !TEST_ptr(other_params = *p_next++ =
+ EC_GROUP_get_ecparameters(tmpg, NULL))
+ || !TEST_ptr(tgroup = *g_next++ =
+ EC_GROUP_new_from_ecparameters(other_params))
+ || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
+ || !TEST_true(are_ec_nids_compatible(nid, tnid))
+ || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
+ OPENSSL_EC_EXPLICIT_CURVE)) {
+ TEST_info("nid = %s, tnid = %s", OBJ_nid2sn(nid), OBJ_nid2sn(tnid));
+ goto err;
+ }
+
+ /*
+ * A null seed in the parameters should be ignored, as it is optional:
+ * expect a "named" group.
+ */
+ if (!TEST_int_eq(EC_GROUP_set_seed(tmpg, NULL, 0), 1)
+ || !TEST_ptr(other_params = *p_next++ =
+ EC_GROUP_get_ecparameters(tmpg, NULL))
+ || !TEST_ptr(tgroup = *g_next++ =
+ EC_GROUP_new_from_ecparameters(other_params))
+ || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
+ || !TEST_true(are_ec_nids_compatible(nid, tnid))
+ || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
+ OPENSSL_EC_EXPLICIT_CURVE)) {
+ TEST_info("nid = %s, tnid = %s", OBJ_nid2sn(nid), OBJ_nid2sn(tnid));
+ goto err;
+ }
+
+ /*
+ * Check that changing any of the generator parameters does not yield a
+ * match with the built-in curves
+ */
+ if (/* Other gen, same group order & cofactor */
+ !TEST_true(EC_GROUP_set_generator(tmpg, other_gen, group_order,
+ group_cofactor))
+ || !TEST_ptr(other_params = *p_next++ =
+ EC_GROUP_get_ecparameters(tmpg, NULL))
+ || !TEST_ptr(tgroup = *g_next++ =
+ EC_GROUP_new_from_ecparameters(other_params))
+ || !TEST_int_eq((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
+ /* Same gen & cofactor, different order */
+ || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, other_order,
+ group_cofactor))
+ || !TEST_ptr(other_params = *p_next++ =
+ EC_GROUP_get_ecparameters(tmpg, NULL))
+ || !TEST_ptr(tgroup = *g_next++ =
+ EC_GROUP_new_from_ecparameters(other_params))
+ || !TEST_int_eq((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
+ /* The order is not an optional field, so this should fail */
+ || !TEST_false(EC_GROUP_set_generator(tmpg, group_gen, NULL,
+ group_cofactor))
+ /* Check that a wrong cofactor is ignored, and we still match */
+ || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, group_order,
+ other_cofactor))
+ || !TEST_ptr(other_params = *p_next++ =
+ EC_GROUP_get_ecparameters(tmpg, NULL))
+ || !TEST_ptr(tgroup = *g_next++ =
+ EC_GROUP_new_from_ecparameters(other_params))
+ || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
+ || !TEST_true(are_ec_nids_compatible(nid, tnid))
+ ||
!TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
+ OPENSSL_EC_EXPLICIT_CURVE)
+ /* Check that if the cofactor is not set then it still matches */
+ || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, group_order,
+ NULL))
+ || !TEST_ptr(other_params = *p_next++ =
+ EC_GROUP_get_ecparameters(tmpg, NULL))
+ || !TEST_ptr(tgroup = *g_next++ =
+ EC_GROUP_new_from_ecparameters(other_params))
+ || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
+ || !TEST_true(are_ec_nids_compatible(nid, tnid))
+ || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
+ OPENSSL_EC_EXPLICIT_CURVE)
+ /* check that restoring the generator passes */
+ || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, group_order,
+ group_cofactor))
+ || !TEST_ptr(other_params = *p_next++ =
+ EC_GROUP_get_ecparameters(tmpg, NULL))
+ || !TEST_ptr(tgroup = *g_next++ =
+ EC_GROUP_new_from_ecparameters(other_params))
+ || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
+ || !TEST_true(are_ec_nids_compatible(nid, tnid))
+ || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
+ OPENSSL_EC_EXPLICIT_CURVE))
+ goto err;
+
+ ret = 1;
+err:
+ for (g_next = &g_ary[0]; g_next < g_ary + OSSL_NELEM(g_ary); g_next++)
+ EC_GROUP_free(*g_next);
+ for (p_next = &p_ary[0]; p_next < p_ary + OSSL_NELEM(g_ary); p_next++)
+ ECPARAMETERS_free(*p_next);
+ ECPARAMETERS_free(params);
+ EC_POINT_free(other_gen);
+ EC_GROUP_free(tmpg);
+ EC_GROUP_free(group);
+ BN_CTX_end(bn_ctx);
+ BN_CTX_free(bn_ctx);
+ return ret;
+}
+
+
+static int parameter_test(void)
+{
+ EC_GROUP *group = NULL, *group2 = NULL;
+ ECPARAMETERS *ecparameters = NULL;
+ unsigned char *buf = NULL;
+ int r = 0, len;
+ if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(NID_secp384r1))
+ || !TEST_ptr(ecparameters = EC_GROUP_get_ecparameters(group, NULL))
+ || !TEST_ptr(group2 = EC_GROUP_new_from_ecparameters(ecparameters))
+ || !TEST_int_eq(EC_GROUP_cmp(group, group2, NULL), 0))
+ goto err;
+
+ EC_GROUP_free(group);
+ group = NULL;
+
+ /* Test the named
curve encoding, which should be default. */ + if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(NID_secp521r1)) + || !TEST_true((len = i2d_ECPKParameters(group, &buf)) >= 0) + || !TEST_mem_eq(buf, len, p521_named, sizeof(p521_named))) + goto err; + + OPENSSL_free(buf); + buf = NULL; + + /* + * Test the explicit encoding. P-521 requires correctly zero-padding the + * curve coefficients. + */ + EC_GROUP_set_asn1_flag(group, OPENSSL_EC_EXPLICIT_CURVE); + if (!TEST_true((len = i2d_ECPKParameters(group, &buf)) >= 0) + || !TEST_mem_eq(buf, len, p521_explicit, sizeof(p521_explicit))) + goto err; + + r = 1; +err: + EC_GROUP_free(group); + EC_GROUP_free(group2); + ECPARAMETERS_free(ecparameters); + OPENSSL_free(buf); + return r; +} + +/*- + * random 256-bit explicit parameters curve, cofactor absent + * order: 0x0c38d96a9f892b88772ec2e39614a82f4f (132 bit) + * cofactor: 0x12bc94785251297abfafddf1565100da (125 bit) + */ +static const unsigned char params_cf_pass[] = { + 0x30, 0x81, 0xcd, 0x02, 0x01, 0x01, 0x30, 0x2c, 0x06, 0x07, 0x2a, 0x86, + 0x48, 0xce, 0x3d, 0x01, 0x01, 0x02, 0x21, 0x00, 0xe5, 0x00, 0x1f, 0xc5, + 0xca, 0x71, 0x9d, 0x8e, 0xf7, 0x07, 0x4b, 0x48, 0x37, 0xf9, 0x33, 0x2d, + 0x71, 0xbf, 0x79, 0xe7, 0xdc, 0x91, 0xc2, 0xff, 0xb6, 0x7b, 0xc3, 0x93, + 0x44, 0x88, 0xe6, 0x91, 0x30, 0x44, 0x04, 0x20, 0xe5, 0x00, 0x1f, 0xc5, + 0xca, 0x71, 0x9d, 0x8e, 0xf7, 0x07, 0x4b, 0x48, 0x37, 0xf9, 0x33, 0x2d, + 0x71, 0xbf, 0x79, 0xe7, 0xdc, 0x91, 0xc2, 0xff, 0xb6, 0x7b, 0xc3, 0x93, + 0x44, 0x88, 0xe6, 0x8e, 0x04, 0x20, 0x18, 0x8c, 0x59, 0x57, 0xc4, 0xbc, + 0x85, 0x57, 0xc3, 0x66, 0x9f, 0x89, 0xd5, 0x92, 0x0d, 0x7e, 0x42, 0x27, + 0x07, 0x64, 0xaa, 0x26, 0xed, 0x89, 0xc4, 0x09, 0x05, 0x4d, 0xc7, 0x23, + 0x47, 0xda, 0x04, 0x41, 0x04, 0x1b, 0x6b, 0x41, 0x0b, 0xf9, 0xfb, 0x77, + 0xfd, 0x50, 0xb7, 0x3e, 0x23, 0xa3, 0xec, 0x9a, 0x3b, 0x09, 0x31, 0x6b, + 0xfa, 0xf6, 0xce, 0x1f, 0xff, 0xeb, 0x57, 0x93, 0x24, 0x70, 0xf3, 0xf4, + 0xba, 0x7e, 0xfa, 0x86, 0x6e, 0x19, 0x89, 0xe3, 0x55, 0x6d, 
0x5a, 0xe9, + 0xc0, 0x3d, 0xbc, 0xfb, 0xaf, 0xad, 0xd4, 0x7e, 0xa6, 0xe5, 0xfa, 0x1a, + 0x58, 0x07, 0x9e, 0x8f, 0x0d, 0x3b, 0xf7, 0x38, 0xca, 0x02, 0x11, 0x0c, + 0x38, 0xd9, 0x6a, 0x9f, 0x89, 0x2b, 0x88, 0x77, 0x2e, 0xc2, 0xe3, 0x96, + 0x14, 0xa8, 0x2f, 0x4f +}; + +/*- + * random 256-bit explicit parameters curve, cofactor absent + * order: 0x045a75c0c17228ebd9b169a10e34a22101 (131 bit) + * cofactor: 0x2e134b4ede82649f67a2e559d361e5fe (126 bit) + */ +static const unsigned char params_cf_fail[] = { + 0x30, 0x81, 0xcd, 0x02, 0x01, 0x01, 0x30, 0x2c, 0x06, 0x07, 0x2a, 0x86, + 0x48, 0xce, 0x3d, 0x01, 0x01, 0x02, 0x21, 0x00, 0xc8, 0x95, 0x27, 0x37, + 0xe8, 0xe1, 0xfd, 0xcc, 0xf9, 0x6e, 0x0c, 0xa6, 0x21, 0xc1, 0x7d, 0x6b, + 0x9d, 0x44, 0x42, 0xea, 0x73, 0x4e, 0x04, 0xb6, 0xac, 0x62, 0x50, 0xd0, + 0x33, 0xc2, 0xea, 0x13, 0x30, 0x44, 0x04, 0x20, 0xc8, 0x95, 0x27, 0x37, + 0xe8, 0xe1, 0xfd, 0xcc, 0xf9, 0x6e, 0x0c, 0xa6, 0x21, 0xc1, 0x7d, 0x6b, + 0x9d, 0x44, 0x42, 0xea, 0x73, 0x4e, 0x04, 0xb6, 0xac, 0x62, 0x50, 0xd0, + 0x33, 0xc2, 0xea, 0x10, 0x04, 0x20, 0xbf, 0xa6, 0xa8, 0x05, 0x1d, 0x09, + 0xac, 0x70, 0x39, 0xbb, 0x4d, 0xb2, 0x90, 0x8a, 0x15, 0x41, 0x14, 0x1d, + 0x11, 0x86, 0x9f, 0x13, 0xa2, 0x63, 0x1a, 0xda, 0x95, 0x22, 0x4d, 0x02, + 0x15, 0x0a, 0x04, 0x41, 0x04, 0xaf, 0x16, 0x71, 0xf9, 0xc4, 0xc8, 0x59, + 0x1d, 0xa3, 0x6f, 0xe7, 0xc3, 0x57, 0xa1, 0xfa, 0x9f, 0x49, 0x7c, 0x11, + 0x27, 0x05, 0xa0, 0x7f, 0xff, 0xf9, 0xe0, 0xe7, 0x92, 0xdd, 0x9c, 0x24, + 0x8e, 0xc7, 0xb9, 0x52, 0x71, 0x3f, 0xbc, 0x7f, 0x6a, 0x9f, 0x35, 0x70, + 0xe1, 0x27, 0xd5, 0x35, 0x8a, 0x13, 0xfa, 0xa8, 0x33, 0x3e, 0xd4, 0x73, + 0x1c, 0x14, 0x58, 0x9e, 0xc7, 0x0a, 0x87, 0x65, 0x8d, 0x02, 0x11, 0x04, + 0x5a, 0x75, 0xc0, 0xc1, 0x72, 0x28, 0xeb, 0xd9, 0xb1, 0x69, 0xa1, 0x0e, + 0x34, 0xa2, 0x21, 0x01 +}; + +/*- + * Test two random 256-bit explicit parameters curves with absent cofactor. 
+ * The two curves are chosen to roughly straddle the bounds at which the lib + * can compute the cofactor automatically, roughly 4*sqrt(p). So test that: + * + * - params_cf_pass: order is sufficiently close to p to compute cofactor + * - params_cf_fail: order is too far away from p to compute cofactor + * + * For standards-compliant curves, cofactor is chosen as small as possible. + * So you can see neither of these curves are fit for cryptographic use. + * + * Some standards even mandate an upper bound on the cofactor, e.g. SECG1 v2: + * h <= 2**(t/8) where t is the security level of the curve, for which the lib + * will always succeed in computing the cofactor. Neither of these curves + * conform to that -- this is just robustness testing. + */ +static int cofactor_range_test(void) +{ + EC_GROUP *group = NULL; + BIGNUM *cf = NULL; + int ret = 0; + const unsigned char *b1 = (const unsigned char *)params_cf_fail; + const unsigned char *b2 = (const unsigned char *)params_cf_pass; + + if (!TEST_ptr(group = d2i_ECPKParameters(NULL, &b1, sizeof(params_cf_fail))) + || !TEST_BN_eq_zero(EC_GROUP_get0_cofactor(group)) + || !TEST_ptr(group = d2i_ECPKParameters(&group, &b2, + sizeof(params_cf_pass))) + || !TEST_int_gt(BN_hex2bn(&cf, "12bc94785251297abfafddf1565100da"), 0) + || !TEST_BN_eq(cf, EC_GROUP_get0_cofactor(group))) + goto err; + ret = 1; + err: + BN_free(cf); + EC_GROUP_free(group); + return ret; +} + +/*- + * For named curves, test that: + * - the lib correctly computes the cofactor if passed a NULL or zero cofactor + * - a nonsensical cofactor throws an error (negative test) + * - nonsensical orders throw errors (negative tests) + */ +static int cardinality_test(int n) +{ + int ret = 0, is_binary = 0; + int nid = curves[n].nid; + BN_CTX *ctx = NULL; + EC_GROUP *g1 = NULL, *g2 = NULL; + EC_POINT *g2_gen = NULL; + BIGNUM *g1_p = NULL, *g1_a = NULL, *g1_b = NULL, *g1_x = NULL, *g1_y = NULL, + *g1_order = NULL, *g1_cf = NULL, *g2_cf = NULL; + + TEST_info("Curve %s 
cardinality test", OBJ_nid2sn(nid)); + + if (!TEST_ptr(ctx = BN_CTX_new()) + || !TEST_ptr(g1 = EC_GROUP_new_by_curve_name(nid))) { + BN_CTX_free(ctx); + return 0; + } + + is_binary = (EC_GROUP_get_field_type(g1) == NID_X9_62_characteristic_two_field); + + BN_CTX_start(ctx); + g1_p = BN_CTX_get(ctx); + g1_a = BN_CTX_get(ctx); + g1_b = BN_CTX_get(ctx); + g1_x = BN_CTX_get(ctx); + g1_y = BN_CTX_get(ctx); + g1_order = BN_CTX_get(ctx); + g1_cf = BN_CTX_get(ctx); + + if (!TEST_ptr(g2_cf = BN_CTX_get(ctx)) + /* pull out the explicit curve parameters */ + || !TEST_true(EC_GROUP_get_curve(g1, g1_p, g1_a, g1_b, ctx)) + || !TEST_true(EC_POINT_get_affine_coordinates(g1, + EC_GROUP_get0_generator(g1), g1_x, g1_y, ctx)) + || !TEST_true(BN_copy(g1_order, EC_GROUP_get0_order(g1))) + || !TEST_true(EC_GROUP_get_cofactor(g1, g1_cf, ctx)) + /* construct g2 manually with g1 parameters */ +#ifndef OPENSSL_NO_EC2M + || !TEST_ptr(g2 = (is_binary) ? + EC_GROUP_new_curve_GF2m(g1_p, g1_a, g1_b, ctx) : + EC_GROUP_new_curve_GFp(g1_p, g1_a, g1_b, ctx)) +#else + || !TEST_int_eq(0, is_binary) + || !TEST_ptr(g2 = EC_GROUP_new_curve_GFp(g1_p, g1_a, g1_b, ctx)) +#endif + || !TEST_ptr(g2_gen = EC_POINT_new(g2)) + || !TEST_true(EC_POINT_set_affine_coordinates(g2, g2_gen, g1_x, g1_y, ctx)) + /* pass NULL cofactor: lib should compute it */ + || !TEST_true(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL)) + || !TEST_true(EC_GROUP_get_cofactor(g2, g2_cf, ctx)) + || !TEST_BN_eq(g1_cf, g2_cf) + /* pass zero cofactor: lib should compute it */ + || !TEST_true(BN_set_word(g2_cf, 0)) + || !TEST_true(EC_GROUP_set_generator(g2, g2_gen, g1_order, g2_cf)) + || !TEST_true(EC_GROUP_get_cofactor(g2, g2_cf, ctx)) + || !TEST_BN_eq(g1_cf, g2_cf) + /* negative test for invalid cofactor */ + || !TEST_true(BN_set_word(g2_cf, 0)) + || !TEST_true(BN_sub(g2_cf, g2_cf, BN_value_one())) + || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, g2_cf)) + /* negative test for NULL order */ + || 
!TEST_false(EC_GROUP_set_generator(g2, g2_gen, NULL, NULL)) + /* negative test for zero order */ + || !TEST_true(BN_set_word(g1_order, 0)) + || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL)) + /* negative test for negative order */ + || !TEST_true(BN_set_word(g2_cf, 0)) + || !TEST_true(BN_sub(g2_cf, g2_cf, BN_value_one())) + || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL)) + /* negative test for too large order */ + || !TEST_true(BN_lshift(g1_order, g1_p, 2)) + || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL))) + goto err; + ret = 1; + err: + EC_POINT_free(g2_gen); + EC_GROUP_free(g1); + EC_GROUP_free(g2); + BN_CTX_end(ctx); + BN_CTX_free(ctx); + return ret; +} + +static int check_ec_key_field_public_range_test(int id) +{ + int ret = 0, type = 0; + const EC_POINT *pub = NULL; + const EC_GROUP *group = NULL; + const BIGNUM *field = NULL; + BIGNUM *x = NULL, *y = NULL; + EC_KEY *key = NULL; + + if (!TEST_ptr(x = BN_new()) + || !TEST_ptr(y = BN_new()) + || !TEST_ptr(key = EC_KEY_new_by_curve_name(curves[id].nid)) + || !TEST_ptr(group = EC_KEY_get0_group(key)) + || !TEST_ptr(field = EC_GROUP_get0_field(group)) + || !TEST_int_gt(EC_KEY_generate_key(key), 0) + || !TEST_int_gt(EC_KEY_check_key(key), 0) + || !TEST_ptr(pub = EC_KEY_get0_public_key(key)) + || !TEST_int_gt(EC_POINT_get_affine_coordinates(group, pub, x, y, + NULL), 0)) + goto err; + + /* + * Make the public point out of range by adding the field (which will still + * be the same point on the curve). The add is different for char2 fields. 
+ */ + type = EC_GROUP_get_field_type(group); +#ifndef OPENSSL_NO_EC2M + if (type == NID_X9_62_characteristic_two_field) { + /* test for binary curves */ + if (!TEST_true(BN_GF2m_add(x, x, field))) + goto err; + } else +#endif + if (type == NID_X9_62_prime_field) { + /* test for prime curves */ + if (!TEST_true(BN_add(x, x, field))) + goto err; + } else { + /* this should never happen */ + TEST_error("Unsupported EC_METHOD field_type"); + goto err; + } + if (!TEST_int_le(EC_KEY_set_public_key_affine_coordinates(key, x, y), 0)) + goto err; + + ret = 1; +err: + BN_free(x); + BN_free(y); + EC_KEY_free(key); + return ret; +} + +/* + * Helper for ec_point_hex2point_test + * + * Self-tests EC_POINT_point2hex() against EC_POINT_hex2point() for the given + * (group,P) pair. + * + * If P is NULL use point at infinity. + */ +static ossl_inline +int ec_point_hex2point_test_helper(const EC_GROUP *group, const EC_POINT *P, + point_conversion_form_t form, + BN_CTX *bnctx) +{ + int ret = 0; + EC_POINT *Q = NULL, *Pinf = NULL; + char *hex = NULL; + + if (P == NULL) { + /* If P is NULL use point at infinity. */ + if (!TEST_ptr(Pinf = EC_POINT_new(group)) + || !TEST_true(EC_POINT_set_to_infinity(group, Pinf))) + goto err; + P = Pinf; + } + + if (!TEST_ptr(hex = EC_POINT_point2hex(group, P, form, bnctx)) + || !TEST_ptr(Q = EC_POINT_hex2point(group, hex, NULL, bnctx)) + || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, bnctx))) + goto err; + + /* + * The next check is most likely superfluous, as EC_POINT_cmp should already + * cover this. + * Nonetheless it increases the test coverage for EC_POINT_is_at_infinity, + * so we include it anyway! 
+ */ + if (Pinf != NULL + && !TEST_true(EC_POINT_is_at_infinity(group, Q))) + goto err; + + ret = 1; + + err: + EC_POINT_free(Pinf); + OPENSSL_free(hex); + EC_POINT_free(Q); + + return ret; +} + +/* + * This test self-validates EC_POINT_hex2point() and EC_POINT_point2hex() + */ +static int ec_point_hex2point_test(int id) +{ + int ret = 0, nid; + EC_GROUP *group = NULL; + const EC_POINT *G = NULL; + EC_POINT *P = NULL; + BN_CTX * bnctx = NULL; + + /* Do some setup */ + nid = curves[id].nid; + if (!TEST_ptr(bnctx = BN_CTX_new()) + || !TEST_ptr(group = EC_GROUP_new_by_curve_name(nid)) + || !TEST_ptr(G = EC_GROUP_get0_generator(group)) + || !TEST_ptr(P = EC_POINT_dup(G, group))) + goto err; + + if (!TEST_true(ec_point_hex2point_test_helper(group, P, + POINT_CONVERSION_COMPRESSED, + bnctx)) + || !TEST_true(ec_point_hex2point_test_helper(group, NULL, + POINT_CONVERSION_COMPRESSED, + bnctx)) + || !TEST_true(ec_point_hex2point_test_helper(group, P, + POINT_CONVERSION_UNCOMPRESSED, + bnctx)) + || !TEST_true(ec_point_hex2point_test_helper(group, NULL, + POINT_CONVERSION_UNCOMPRESSED, + bnctx)) + || !TEST_true(ec_point_hex2point_test_helper(group, P, + POINT_CONVERSION_HYBRID, + bnctx)) + || !TEST_true(ec_point_hex2point_test_helper(group, NULL, + POINT_CONVERSION_HYBRID, + bnctx))) + goto err; + + ret = 1; + + err: + EC_POINT_free(P); + EC_GROUP_free(group); + BN_CTX_free(bnctx); + + return ret; +} + +static int do_test_custom_explicit_fromdata(EC_GROUP *group, BN_CTX *ctx, + unsigned char *gen, int gen_size) +{ + int ret = 0, i_out; + EVP_PKEY_CTX *pctx = NULL; + EVP_PKEY *pkeyparam = NULL; + OSSL_PARAM_BLD *bld = NULL; + const char *field_name; + OSSL_PARAM *params = NULL; + const OSSL_PARAM *gettable; + BIGNUM *p, *a, *b; + BIGNUM *p_out = NULL, *a_out = NULL, *b_out = NULL; + BIGNUM *order_out = NULL, *cofactor_out = NULL; + char name[80]; + unsigned char buf[1024]; + size_t buf_len, name_len; +#ifndef OPENSSL_NO_EC2M + unsigned int k1 = 0, k2 = 0, k3 = 0; + const char 
*basis_name = NULL; +#endif + + p = BN_CTX_get(ctx); + a = BN_CTX_get(ctx); + b = BN_CTX_get(ctx); + + if (!TEST_ptr(b) + || !TEST_ptr(bld = OSSL_PARAM_BLD_new())) + goto err; + + if (EC_GROUP_get_field_type(group) == NID_X9_62_prime_field) { + field_name = SN_X9_62_prime_field; + } else { + field_name = SN_X9_62_characteristic_two_field; +#ifndef OPENSSL_NO_EC2M + if (EC_GROUP_get_basis_type(group) == NID_X9_62_tpBasis) { + basis_name = SN_X9_62_tpBasis; + if (!TEST_true(EC_GROUP_get_trinomial_basis(group, &k1))) + goto err; + } else { + basis_name = SN_X9_62_ppBasis; + if (!TEST_true(EC_GROUP_get_pentanomial_basis(group, &k1, &k2, &k3))) + goto err; + } +#endif /* OPENSSL_NO_EC2M */ + } + if (!TEST_true(EC_GROUP_get_curve(group, p, a, b, ctx)) + || !TEST_true(OSSL_PARAM_BLD_push_utf8_string(bld, + OSSL_PKEY_PARAM_EC_FIELD_TYPE, field_name, 0)) + || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_EC_P, p)) + || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_EC_A, a)) + || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_EC_B, b))) + goto err; + + if (EC_GROUP_get0_seed(group) != NULL) { + if (!TEST_true(OSSL_PARAM_BLD_push_octet_string(bld, + OSSL_PKEY_PARAM_EC_SEED, EC_GROUP_get0_seed(group), + EC_GROUP_get_seed_len(group)))) + goto err; + } + if (EC_GROUP_get0_cofactor(group) != NULL) { + if (!TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_EC_COFACTOR, + EC_GROUP_get0_cofactor(group)))) + goto err; + } + + if (!TEST_true(OSSL_PARAM_BLD_push_octet_string(bld, + OSSL_PKEY_PARAM_EC_GENERATOR, gen, gen_size)) + || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_EC_ORDER, + EC_GROUP_get0_order(group)))) + goto err; + + if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld)) + || !TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL)) + || !TEST_int_gt(EVP_PKEY_fromdata_init(pctx), 0) + || !TEST_int_gt(EVP_PKEY_fromdata(pctx, &pkeyparam, + EVP_PKEY_KEY_PARAMETERS, params), 0)) + goto err; + + /*- Check that all the set values are 
retrievable -*/ + + /* There should be no match to a group name since the generator changed */ + if (!TEST_false(EVP_PKEY_get_utf8_string_param(pkeyparam, + OSSL_PKEY_PARAM_GROUP_NAME, name, sizeof(name), + &name_len))) + goto err; + + /* The encoding should be explicit as it has no group */ + if (!TEST_true(EVP_PKEY_get_utf8_string_param(pkeyparam, + OSSL_PKEY_PARAM_EC_ENCODING, + name, sizeof(name), &name_len)) + || !TEST_str_eq(name, OSSL_PKEY_EC_ENCODING_EXPLICIT)) + goto err; + + if (!TEST_true(EVP_PKEY_get_utf8_string_param(pkeyparam, + OSSL_PKEY_PARAM_EC_FIELD_TYPE, name, sizeof(name), + &name_len)) + || !TEST_str_eq(name, field_name)) + goto err; + + if (!TEST_true(EVP_PKEY_get_octet_string_param(pkeyparam, + OSSL_PKEY_PARAM_EC_GENERATOR, buf, sizeof(buf), &buf_len)) + || !TEST_mem_eq(buf, (int)buf_len, gen, gen_size)) + goto err; + + if (!TEST_true(EVP_PKEY_get_bn_param(pkeyparam, OSSL_PKEY_PARAM_EC_P, &p_out)) + || !TEST_BN_eq(p_out, p) + || !TEST_true(EVP_PKEY_get_bn_param(pkeyparam, OSSL_PKEY_PARAM_EC_A, + &a_out)) + || !TEST_BN_eq(a_out, a) + || !TEST_true(EVP_PKEY_get_bn_param(pkeyparam, OSSL_PKEY_PARAM_EC_B, + &b_out)) + || !TEST_BN_eq(b_out, b) + || !TEST_true(EVP_PKEY_get_bn_param(pkeyparam, OSSL_PKEY_PARAM_EC_ORDER, + &order_out)) + || !TEST_BN_eq(order_out, EC_GROUP_get0_order(group))) + goto err; + + if (EC_GROUP_get0_cofactor(group) != NULL) { + if (!TEST_true(EVP_PKEY_get_bn_param(pkeyparam, + OSSL_PKEY_PARAM_EC_COFACTOR, &cofactor_out)) + || !TEST_BN_eq(cofactor_out, EC_GROUP_get0_cofactor(group))) + goto err; + } + if (EC_GROUP_get0_seed(group) != NULL) { + if (!TEST_true(EVP_PKEY_get_octet_string_param(pkeyparam, + OSSL_PKEY_PARAM_EC_SEED, buf, sizeof(buf), &buf_len)) + || !TEST_mem_eq(buf, buf_len, EC_GROUP_get0_seed(group), + EC_GROUP_get_seed_len(group))) + goto err; + } + + if (EC_GROUP_get_field_type(group) == NID_X9_62_prime_field) { + /* No extra fields should be set for a prime field */ + if 
(!TEST_false(EVP_PKEY_get_int_param(pkeyparam, + OSSL_PKEY_PARAM_EC_CHAR2_M, &i_out)) + || !TEST_false(EVP_PKEY_get_int_param(pkeyparam, + OSSL_PKEY_PARAM_EC_CHAR2_TP_BASIS, &i_out)) + || !TEST_false(EVP_PKEY_get_int_param(pkeyparam, + OSSL_PKEY_PARAM_EC_CHAR2_PP_K1, &i_out)) + || !TEST_false(EVP_PKEY_get_int_param(pkeyparam, + OSSL_PKEY_PARAM_EC_CHAR2_PP_K2, &i_out)) + || !TEST_false(EVP_PKEY_get_int_param(pkeyparam, + OSSL_PKEY_PARAM_EC_CHAR2_PP_K3, &i_out)) + || !TEST_false(EVP_PKEY_get_utf8_string_param(pkeyparam, + OSSL_PKEY_PARAM_EC_CHAR2_TYPE, name, sizeof(name), + &name_len))) + goto err; + } else { +#ifndef OPENSSL_NO_EC2M + if (!TEST_true(EVP_PKEY_get_int_param(pkeyparam, + OSSL_PKEY_PARAM_EC_CHAR2_M, &i_out)) + || !TEST_int_eq(EC_GROUP_get_degree(group), i_out) + || !TEST_true(EVP_PKEY_get_utf8_string_param(pkeyparam, + OSSL_PKEY_PARAM_EC_CHAR2_TYPE, name, sizeof(name), + &name_len)) + || !TEST_str_eq(name, basis_name)) + goto err; + + if (EC_GROUP_get_basis_type(group) == NID_X9_62_tpBasis) { + if (!TEST_true(EVP_PKEY_get_int_param(pkeyparam, + OSSL_PKEY_PARAM_EC_CHAR2_TP_BASIS, &i_out)) + || !TEST_int_eq(k1, i_out) + || !TEST_false(EVP_PKEY_get_int_param(pkeyparam, + OSSL_PKEY_PARAM_EC_CHAR2_PP_K1, &i_out)) + || !TEST_false(EVP_PKEY_get_int_param(pkeyparam, + OSSL_PKEY_PARAM_EC_CHAR2_PP_K2, &i_out)) + || !TEST_false(EVP_PKEY_get_int_param(pkeyparam, + OSSL_PKEY_PARAM_EC_CHAR2_PP_K3, &i_out))) + goto err; + } else { + if (!TEST_false(EVP_PKEY_get_int_param(pkeyparam, + OSSL_PKEY_PARAM_EC_CHAR2_TP_BASIS, &i_out)) + || !TEST_true(EVP_PKEY_get_int_param(pkeyparam, + OSSL_PKEY_PARAM_EC_CHAR2_PP_K1, &i_out)) + || !TEST_int_eq(k1, i_out) + || !TEST_true(EVP_PKEY_get_int_param(pkeyparam, + OSSL_PKEY_PARAM_EC_CHAR2_PP_K2, &i_out)) + || !TEST_int_eq(k2, i_out) + || !TEST_true(EVP_PKEY_get_int_param(pkeyparam, + OSSL_PKEY_PARAM_EC_CHAR2_PP_K3, &i_out)) + || !TEST_int_eq(k3, i_out)) + goto err; + } +#endif /* OPENSSL_NO_EC2M */ + } + if (!TEST_ptr(gettable = 
EVP_PKEY_gettable_params(pkeyparam)) + || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_GROUP_NAME)) + || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_ENCODING)) + || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_FIELD_TYPE)) + || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_P)) + || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_A)) + || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_B)) + || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_GENERATOR)) + || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_ORDER)) + || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_COFACTOR)) + || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_SEED)) +#ifndef OPENSSL_NO_EC2M + || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_CHAR2_M)) + || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_CHAR2_TYPE)) + || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_CHAR2_TP_BASIS)) + || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_CHAR2_PP_K1)) + || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_CHAR2_PP_K2)) + || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_CHAR2_PP_K3)) +#endif + ) + goto err; + ret = 1; +err: + BN_free(order_out); + BN_free(cofactor_out); + BN_free(a_out); + BN_free(b_out); + BN_free(p_out); + OSSL_PARAM_free(params); + OSSL_PARAM_BLD_free(bld); + EVP_PKEY_free(pkeyparam); + EVP_PKEY_CTX_free(pctx); + return ret; +} + +/* + * check the EC_METHOD respects the supplied EC_GROUP_set_generator G + */ +static int custom_generator_test(int id) +{ + int ret = 0, nid, bsize; + EC_GROUP *group = NULL; + EC_POINT *G2 = NULL, *Q1 = NULL, *Q2 = NULL; + BN_CTX *ctx = NULL; + BIGNUM *k = NULL; + unsigned char *b1 = NULL, *b2 = NULL; + + /* Do some setup */ + nid = curves[id].nid; + TEST_note("Curve %s", OBJ_nid2sn(nid)); + if 
(!TEST_ptr(ctx = BN_CTX_new())) + return 0; + + BN_CTX_start(ctx); + + if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))) + goto err; + + /* expected byte length of encoded points */ + bsize = (EC_GROUP_get_degree(group) + 7) / 8; + bsize = 1 + 2 * bsize; /* UNCOMPRESSED_POINT format */ + + if (!TEST_ptr(k = BN_CTX_get(ctx)) + /* fetch a testing scalar k != 0,1 */ + || !TEST_true(BN_rand(k, EC_GROUP_order_bits(group) - 1, + BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY)) + /* make k even */ + || !TEST_true(BN_clear_bit(k, 0)) + || !TEST_ptr(G2 = EC_POINT_new(group)) + || !TEST_ptr(Q1 = EC_POINT_new(group)) + /* Q1 := kG */ + || !TEST_true(EC_POINT_mul(group, Q1, k, NULL, NULL, ctx)) + /* pull out the bytes of that */ + || !TEST_int_eq(EC_POINT_point2oct(group, Q1, + POINT_CONVERSION_UNCOMPRESSED, NULL, + 0, ctx), bsize) + || !TEST_ptr(b1 = OPENSSL_malloc(bsize)) + || !TEST_int_eq(EC_POINT_point2oct(group, Q1, + POINT_CONVERSION_UNCOMPRESSED, b1, + bsize, ctx), bsize) + /* new generator is G2 := 2G */ + || !TEST_true(EC_POINT_dbl(group, G2, EC_GROUP_get0_generator(group), + ctx)) + || !TEST_true(EC_GROUP_set_generator(group, G2, + EC_GROUP_get0_order(group), + EC_GROUP_get0_cofactor(group))) + || !TEST_ptr(Q2 = EC_POINT_new(group)) + || !TEST_true(BN_rshift1(k, k)) + /* Q2 := k/2 G2 */ + || !TEST_true(EC_POINT_mul(group, Q2, k, NULL, NULL, ctx)) + || !TEST_int_eq(EC_POINT_point2oct(group, Q2, + POINT_CONVERSION_UNCOMPRESSED, NULL, + 0, ctx), bsize) + || !TEST_ptr(b2 = OPENSSL_malloc(bsize)) + || !TEST_int_eq(EC_POINT_point2oct(group, Q2, + POINT_CONVERSION_UNCOMPRESSED, b2, + bsize, ctx), bsize) + /* Q1 = kG = k/2 G2 = Q2 should hold */ + || !TEST_mem_eq(b1, bsize, b2, bsize)) + goto err; + + if (!do_test_custom_explicit_fromdata(group, ctx, b1, bsize)) + goto err; + + ret = 1; + + err: + EC_POINT_free(Q1); + EC_POINT_free(Q2); + EC_POINT_free(G2); + EC_GROUP_free(group); + BN_CTX_end(ctx); + BN_CTX_free(ctx); + OPENSSL_free(b1); + OPENSSL_free(b2); + + return ret; +} + 
+/* + * check creation of curves from explicit params through the public API + */ +static int custom_params_test(int id) +{ + int ret = 0, nid, bsize; + const char *curve_name = NULL; + EC_GROUP *group = NULL, *altgroup = NULL; + EC_POINT *G2 = NULL, *Q1 = NULL, *Q2 = NULL; + const EC_POINT *Q = NULL; + BN_CTX *ctx = NULL; + BIGNUM *k = NULL; + unsigned char *buf1 = NULL, *buf2 = NULL; + const BIGNUM *z = NULL, *cof = NULL, *priv1 = NULL; + BIGNUM *p = NULL, *a = NULL, *b = NULL; + int is_prime = 0; + EC_KEY *eckey1 = NULL, *eckey2 = NULL; + EVP_PKEY *pkey1 = NULL, *pkey2 = NULL; + EVP_PKEY_CTX *pctx1 = NULL, *pctx2 = NULL; + size_t sslen, t; + unsigned char *pub1 = NULL , *pub2 = NULL; + OSSL_PARAM_BLD *param_bld = NULL; + OSSL_PARAM *params1 = NULL, *params2 = NULL; + + /* Do some setup */ + nid = curves[id].nid; + curve_name = OBJ_nid2sn(nid); + TEST_note("Curve %s", curve_name); + + if (nid == NID_sm2) + return TEST_skip("custom params not supported with SM2"); + + if (!TEST_ptr(ctx = BN_CTX_new())) + return 0; + + if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))) + goto err; + + is_prime = EC_GROUP_get_field_type(group) == NID_X9_62_prime_field; +#ifdef OPENSSL_NO_EC2M + if (!is_prime) { + ret = TEST_skip("binary curves not supported in this build"); + goto err; + } +#endif + + BN_CTX_start(ctx); + if (!TEST_ptr(p = BN_CTX_get(ctx)) + || !TEST_ptr(a = BN_CTX_get(ctx)) + || !TEST_ptr(b = BN_CTX_get(ctx)) + || !TEST_ptr(k = BN_CTX_get(ctx))) + goto err; + + /* expected byte length of encoded points */ + bsize = (EC_GROUP_get_degree(group) + 7) / 8; + bsize = 1 + 2 * bsize; /* UNCOMPRESSED_POINT format */ + + /* extract parameters from built-in curve */ + if (!TEST_true(EC_GROUP_get_curve(group, p, a, b, ctx)) + || !TEST_ptr(G2 = EC_POINT_new(group)) + /* new generator is G2 := 2G */ + || !TEST_true(EC_POINT_dbl(group, G2, + EC_GROUP_get0_generator(group), ctx)) + /* pull out the bytes of that */ + || !TEST_int_eq(EC_POINT_point2oct(group, G2, + 
POINT_CONVERSION_UNCOMPRESSED, + NULL, 0, ctx), bsize) + || !TEST_ptr(buf1 = OPENSSL_malloc(bsize)) + || !TEST_int_eq(EC_POINT_point2oct(group, G2, + POINT_CONVERSION_UNCOMPRESSED, + buf1, bsize, ctx), bsize) + || !TEST_ptr(z = EC_GROUP_get0_order(group)) + || !TEST_ptr(cof = EC_GROUP_get0_cofactor(group)) + ) + goto err; + + /* create a new group using same params (but different generator) */ + if (is_prime) { + if (!TEST_ptr(altgroup = EC_GROUP_new_curve_GFp(p, a, b, ctx))) + goto err; + } +#ifndef OPENSSL_NO_EC2M + else { + if (!TEST_ptr(altgroup = EC_GROUP_new_curve_GF2m(p, a, b, ctx))) + goto err; + } +#endif + + /* set 2*G as the generator of altgroup */ + EC_POINT_free(G2); /* discard G2 as it refers to the original group */ + if (!TEST_ptr(G2 = EC_POINT_new(altgroup)) + || !TEST_true(EC_POINT_oct2point(altgroup, G2, buf1, bsize, ctx)) + || !TEST_int_eq(EC_POINT_is_on_curve(altgroup, G2, ctx), 1) + || !TEST_true(EC_GROUP_set_generator(altgroup, G2, z, cof)) + ) + goto err; + + /* verify math checks out */ + if (/* allocate temporary points on group and altgroup */ + !TEST_ptr(Q1 = EC_POINT_new(group)) + || !TEST_ptr(Q2 = EC_POINT_new(altgroup)) + /* fetch a testing scalar k != 0,1 */ + || !TEST_true(BN_rand(k, EC_GROUP_order_bits(group) - 1, + BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY)) + /* make k even */ + || !TEST_true(BN_clear_bit(k, 0)) + /* Q1 := kG on group */ + || !TEST_true(EC_POINT_mul(group, Q1, k, NULL, NULL, ctx)) + /* pull out the bytes of that */ + || !TEST_int_eq(EC_POINT_point2oct(group, Q1, + POINT_CONVERSION_UNCOMPRESSED, + NULL, 0, ctx), bsize) + || !TEST_int_eq(EC_POINT_point2oct(group, Q1, + POINT_CONVERSION_UNCOMPRESSED, + buf1, bsize, ctx), bsize) + /* k := k/2 */ + || !TEST_true(BN_rshift1(k, k)) + /* Q2 := k/2 G2 on altgroup */ + || !TEST_true(EC_POINT_mul(altgroup, Q2, k, NULL, NULL, ctx)) + /* pull out the bytes of that */ + || !TEST_int_eq(EC_POINT_point2oct(altgroup, Q2, + POINT_CONVERSION_UNCOMPRESSED, + NULL, 0, ctx), bsize) + || 
!TEST_ptr(buf2 = OPENSSL_malloc(bsize)) + || !TEST_int_eq(EC_POINT_point2oct(altgroup, Q2, + POINT_CONVERSION_UNCOMPRESSED, + buf2, bsize, ctx), bsize) + /* Q1 = kG = k/2 G2 = Q2 should hold */ + || !TEST_mem_eq(buf1, bsize, buf2, bsize)) + goto err; + + /* create two `EC_KEY`s on altgroup */ + if (!TEST_ptr(eckey1 = EC_KEY_new()) + || !TEST_true(EC_KEY_set_group(eckey1, altgroup)) + || !TEST_true(EC_KEY_generate_key(eckey1)) + || !TEST_ptr(eckey2 = EC_KEY_new()) + || !TEST_true(EC_KEY_set_group(eckey2, altgroup)) + || !TEST_true(EC_KEY_generate_key(eckey2))) + goto err; + + /* retrieve priv1 for later */ + if (!TEST_ptr(priv1 = EC_KEY_get0_private_key(eckey1))) + goto err; + + /* + * retrieve bytes for pub1 for later + * + * We compute the pub key in the original group as we will later use it to + * define a provider key in the built-in group. + */ + if (!TEST_true(EC_POINT_mul(group, Q1, priv1, NULL, NULL, ctx)) + || !TEST_int_eq(EC_POINT_point2oct(group, Q1, + POINT_CONVERSION_UNCOMPRESSED, + NULL, 0, ctx), bsize) + || !TEST_ptr(pub1 = OPENSSL_malloc(bsize)) + || !TEST_int_eq(EC_POINT_point2oct(group, Q1, + POINT_CONVERSION_UNCOMPRESSED, + pub1, bsize, ctx), bsize)) + goto err; + + /* retrieve bytes for pub2 for later */ + if (!TEST_ptr(Q = EC_KEY_get0_public_key(eckey2)) + || !TEST_int_eq(EC_POINT_point2oct(altgroup, Q, + POINT_CONVERSION_UNCOMPRESSED, + NULL, 0, ctx), bsize) + || !TEST_ptr(pub2 = OPENSSL_malloc(bsize)) + || !TEST_int_eq(EC_POINT_point2oct(altgroup, Q, + POINT_CONVERSION_UNCOMPRESSED, + pub2, bsize, ctx), bsize)) + goto err; + + /* create two `EVP_PKEY`s from the `EC_KEY`s */ + if(!TEST_ptr(pkey1 = EVP_PKEY_new()) + || !TEST_int_eq(EVP_PKEY_assign_EC_KEY(pkey1, eckey1), 1)) + goto err; + eckey1 = NULL; /* ownership passed to pkey1 */ + if(!TEST_ptr(pkey2 = EVP_PKEY_new()) + || !TEST_int_eq(EVP_PKEY_assign_EC_KEY(pkey2, eckey2), 1)) + goto err; + eckey2 = NULL; /* ownership passed to pkey2 */ + + /* Compute keyexchange in both directions */ + if 
(!TEST_ptr(pctx1 = EVP_PKEY_CTX_new(pkey1, NULL)) + || !TEST_int_eq(EVP_PKEY_derive_init(pctx1), 1) + || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx1, pkey2), 1) + || !TEST_int_eq(EVP_PKEY_derive(pctx1, NULL, &sslen), 1) + || !TEST_int_gt(bsize, sslen) + || !TEST_int_eq(EVP_PKEY_derive(pctx1, buf1, &sslen), 1)) + goto err; + if (!TEST_ptr(pctx2 = EVP_PKEY_CTX_new(pkey2, NULL)) + || !TEST_int_eq(EVP_PKEY_derive_init(pctx2), 1) + || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx2, pkey1), 1) + || !TEST_int_eq(EVP_PKEY_derive(pctx2, NULL, &t), 1) + || !TEST_int_gt(bsize, t) + || !TEST_int_le(sslen, t) + || !TEST_int_eq(EVP_PKEY_derive(pctx2, buf2, &t), 1)) + goto err; + + /* Both sides should expect the same shared secret */ + if (!TEST_mem_eq(buf1, sslen, buf2, t)) + goto err; + + /* Build parameters for provider-native keys */ + if (!TEST_ptr(param_bld = OSSL_PARAM_BLD_new()) + || !TEST_true(OSSL_PARAM_BLD_push_utf8_string(param_bld, + OSSL_PKEY_PARAM_GROUP_NAME, + curve_name, 0)) + || !TEST_true(OSSL_PARAM_BLD_push_octet_string(param_bld, + OSSL_PKEY_PARAM_PUB_KEY, + pub1, bsize)) + || !TEST_true(OSSL_PARAM_BLD_push_BN(param_bld, + OSSL_PKEY_PARAM_PRIV_KEY, + priv1)) + || !TEST_ptr(params1 = OSSL_PARAM_BLD_to_param(param_bld))) + goto err; + + OSSL_PARAM_BLD_free(param_bld); + if (!TEST_ptr(param_bld = OSSL_PARAM_BLD_new()) + || !TEST_true(OSSL_PARAM_BLD_push_utf8_string(param_bld, + OSSL_PKEY_PARAM_GROUP_NAME, + curve_name, 0)) + || !TEST_true(OSSL_PARAM_BLD_push_octet_string(param_bld, + OSSL_PKEY_PARAM_PUB_KEY, + pub2, bsize)) + || !TEST_ptr(params2 = OSSL_PARAM_BLD_to_param(param_bld))) + goto err; + + /* create two new provider-native `EVP_PKEY`s */ + EVP_PKEY_CTX_free(pctx2); + if (!TEST_ptr(pctx2 = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL)) + || !TEST_true(EVP_PKEY_fromdata_init(pctx2)) + || !TEST_true(EVP_PKEY_fromdata(pctx2, &pkey1, EVP_PKEY_KEYPAIR, + params1)) + || !TEST_true(EVP_PKEY_fromdata(pctx2, &pkey2, EVP_PKEY_PUBLIC_KEY, + params2))) + goto err; + 
+ /* compute keyexchange once more using the provider keys */ + EVP_PKEY_CTX_free(pctx1); + if (!TEST_ptr(pctx1 = EVP_PKEY_CTX_new(pkey1, NULL)) + || !TEST_int_eq(EVP_PKEY_derive_init(pctx1), 1) + || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx1, pkey2), 1) + || !TEST_int_eq(EVP_PKEY_derive(pctx1, NULL, &t), 1) + || !TEST_int_gt(bsize, t) + || !TEST_int_le(sslen, t) + || !TEST_int_eq(EVP_PKEY_derive(pctx1, buf1, &t), 1) + /* compare with previous result */ + || !TEST_mem_eq(buf1, t, buf2, sslen)) + goto err; + + ret = 1; + + err: + BN_CTX_end(ctx); + BN_CTX_free(ctx); + OSSL_PARAM_BLD_free(param_bld); + OSSL_PARAM_free(params1); + OSSL_PARAM_free(params2); + EC_POINT_free(Q1); + EC_POINT_free(Q2); + EC_POINT_free(G2); + EC_GROUP_free(group); + EC_GROUP_free(altgroup); + OPENSSL_free(buf1); + OPENSSL_free(buf2); + OPENSSL_free(pub1); + OPENSSL_free(pub2); + EC_KEY_free(eckey1); + EC_KEY_free(eckey2); + EVP_PKEY_free(pkey1); + EVP_PKEY_free(pkey2); + EVP_PKEY_CTX_free(pctx1); + EVP_PKEY_CTX_free(pctx2); + + return ret; +} + +int setup_tests(void) +{ + crv_len = EC_get_builtin_curves(NULL, 0); + if (!TEST_ptr(curves = OPENSSL_malloc(sizeof(*curves) * crv_len)) + || !TEST_true(EC_get_builtin_curves(curves, crv_len))) + return 0; + + ADD_TEST(parameter_test); + /*ADD_TEST(cofactor_range_test);*/ + ADD_ALL_TESTS(cardinality_test, crv_len); + ADD_TEST(prime_field_tests); +#ifndef OPENSSL_NO_EC2M + ADD_TEST(char2_field_tests); + ADD_ALL_TESTS(char2_curve_test, OSSL_NELEM(char2_curve_tests)); +#endif + ADD_ALL_TESTS(nistp_single_test, OSSL_NELEM(nistp_tests_params)); + ADD_ALL_TESTS(internal_curve_test, crv_len); + ADD_ALL_TESTS(internal_curve_test_method, crv_len); + ADD_TEST(group_field_test); + ADD_ALL_TESTS(check_named_curve_test, crv_len); + ADD_ALL_TESTS(check_named_curve_lookup_test, crv_len); + ADD_ALL_TESTS(check_ec_key_field_public_range_test, crv_len); + ADD_ALL_TESTS(check_named_curve_from_ecparameters, crv_len); + ADD_ALL_TESTS(ec_point_hex2point_test, crv_len); 
+ /* ADD_ALL_TESTS(custom_generator_test, crv_len);
+ ADD_ALL_TESTS(custom_params_test, crv_len); */
+ return 1;
+}
+
+void cleanup_tests(void)
+{
+ OPENSSL_free(curves);
+}
diff --git a/SOURCES/genpatches b/SOURCES/genpatches
new file mode 100755
index 0000000..60c36a4
--- /dev/null
+++ b/SOURCES/genpatches
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+if [ $# -ne 2 ] ; then
+ echo "Usage:"
+ echo " $0 "
+ exit 1
+fi
+
+git_dir="$1"
+base_tag="$2"
+
+target_dir="$(pwd)"
+
+pushd "$git_dir" >/dev/null
+git format-patch -k -o "$target_dir" "$base_tag" >/dev/null
+popd >/dev/null
+
+echo "# Patches exported from source git"
+
+i=1
+for p in *.patch ; do
+ printf "# "
+ sed '/^Subject:/{s/^Subject: //;p};d' "$p"
+ printf "Patch%s: %s\n" $i "$p"
+ i=$(($i + 1))
+done
diff --git a/SOURCES/hobble-openssl b/SOURCES/hobble-openssl
new file mode 100755
index 0000000..9a23ca6
--- /dev/null
+++ b/SOURCES/hobble-openssl
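Review bot: The `pushd "$git_dir"` line is unchecked and the script has no `set -e`, so when the directory does not exist `git format-patch` runs against the caller's current directory (or fails silently behind `>/dev/null`) and the script still prints a Patch list and exits 0; add `set -e` after the shebang or write `pushd "$git_dir" >/dev/null || exit 1`. The usage line `echo " $0 "` names no arguments in this rendering — if the placeholders for the two positional parameters (the git directory and base tag) were stripped by the page, the file itself is fine, otherwise restore them. In `printf "Patch%s: %s\n" $i "$p"` the `$i` is unquoted; harmless for an integer, but quote it for consistency with `"$p"`.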
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+# Quit out if anything fails.
+set -e
+
+# Clean out patent-or-otherwise-encumbered code.
+# MDC-2: 4,908,861 13/03/2007 - expired, we do not remove it but do not enable it anyway
+# IDEA: 5,214,703 07/01/2012 - expired, we do not remove it anymore
+# RC5: 5,724,428 01/11/2015 - expired, we do not remove it anymore
+# EC: ????????? ??/??/2020
+# SRP: ????????? ??/??/2017 - expired, we do not remove it anymore
+
+# Remove assembler portions of IDEA, MDC2, and RC5.
+# (find crypto/rc5/asm -type f | xargs -r rm -fv)
+
+for c in `find crypto/bn -name "*gf2m.c"`; do
+ echo Destroying $c
+ > $c
+done
+
+for c in `find crypto/ec -name "ec2*.c" -o -name "ec_curve.c"`; do
+ echo Destroying $c
+ > $c
+done
+
+for c in `find test -name "ectest.c"`; do
+ echo Destroying $c
+ > $c
+done
+
+for h in `find crypto ssl apps test -name "*.h"` ; do
+ echo Removing EC2M references from $h
+ cat $h | \
+ awk 'BEGIN {ech=1;} \
+ /^#[ \t]*ifndef.*NO_EC2M/ {ech--; next;} \
+ /^#[ \t]*if/ {if(ech < 1) ech--;} \
+ {if(ech>0) {;print $0};} \
+ /^#[ \t]*endif/ {if(ech < 1) ech++;}' > $h.hobbled && \
+ mv $h.hobbled $h
+done
diff --git a/SOURCES/make-dummy-cert b/SOURCES/make-dummy-cert
new file mode 100755
index 0000000..f5f0453
--- /dev/null
+++ b/SOURCES/make-dummy-cert
@@ -0,0 +1,28 @@
+#!/bin/sh
+umask 077
+
+answers() {
+ echo --
+ echo SomeState
+ echo SomeCity
+ echo SomeOrganization
+ echo SomeOrganizationalUnit
+ echo localhost.localdomain
+ echo root@localhost.localdomain
+}
+
+if [ $# -eq 0 ] ; then
+ echo $"Usage: `basename $0` filename [...]"
+ exit 0
+fi
+
+for target in $@ ; do
+ PEM1=`/bin/mktemp /tmp/openssl.XXXXXX`
+ PEM2=`/bin/mktemp /tmp/openssl.XXXXXX`
+ trap "rm -f $PEM1 $PEM2" SIGINT
+ answers | /usr/bin/openssl req -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 2> /dev/null
+ cat $PEM1 > ${target}
+ echo "" >> ${target}
+ cat $PEM2 >> ${target}
+ rm -f $PEM1 $PEM2
+done
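Review bot: The awk filter that strips `#ifndef ... NO_EC2M` blocks tracks `#if`/`#endif` nesting but has no rule for `#else`, so if any header pairs that `#ifndef` with an `#else` branch, the branch meant to survive a no-EC2M build is discarded together with the guarded block and its `#endif` is still consumed as if nothing had been kept. Whether such a header exists in this tree cannot be confirmed from the hunk; an `#else` rule would have to resume printing at the outermost stripped depth and then swallow the matching `#endif`, or a one-line comment above the loop should state that `#else` is deliberately unsupported. As a style point, `cat $h | awk ...` can be `awk '...' "$h" > "$h.hobbled"`, and `$c`/`$h` should be quoted even though the tree has no whitespace in paths today.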
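Review bot: The `openssl req` call's exit status is never checked and its stderr is sent to `/dev/null`, so if key or certificate generation fails the loop still runs `cat $PEM1 > ${target}` and leaves a file holding only a blank line, a silent failure the caller cannot tell from success. Appending `|| { rm -f "$PEM1" "$PEM2"; exit 1; }` to that line makes the failure visible. The `trap` removes the temporary files, which hold an unencrypted private key, only on `SIGINT`; `trap 'rm -f "$PEM1" "$PEM2"' EXIT` in its place also covers other terminations. `for target in $@` should be `for target in "$@"` so a target path containing whitespace is not split.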
diff --git a/SOURCES/renew-dummy-cert b/SOURCES/renew-dummy-cert
new file mode 100755
index 0000000..92e271c
--- /dev/null
+++ b/SOURCES/renew-dummy-cert
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+if [ $# -eq 0 ]; then
+ echo $"Usage: `basename $0` filename" 1>&2
+ exit 1
+fi
+
+PEM=$1
+REQ=`/bin/mktemp /tmp/openssl.XXXXXX`
+KEY=`/bin/mktemp /tmp/openssl.XXXXXX`
+CRT=`/bin/mktemp /tmp/openssl.XXXXXX`
+NEW=${PEM}_
+
+trap "rm -f $REQ $KEY $CRT $NEW" SIGINT
+
+if [ ! -f $PEM ]; then
+ echo "$PEM: file not found" 1>&2
+ exit 1
+fi
+
+umask 077
+
+OWNER=`ls -l $PEM | awk '{ printf "%s.%s", $3, $4; }'`
+
+openssl rsa -inform pem -in $PEM -out $KEY
+openssl x509 -x509toreq -in $PEM -signkey $KEY -out $REQ
+openssl x509 -req -in $REQ -signkey $KEY -days 365 \
+ -extfile /etc/pki/tls/openssl.cnf -extensions v3_ca -out $CRT
+
+(cat $KEY ; echo "" ; cat $CRT) > $NEW
+
+chown $OWNER $NEW
+
+mv -f $NEW $PEM
+
+rm -f $REQ $KEY $CRT
+
+exit 0
+
diff --git a/SPECS/openssl-fips-provider.spec b/SPECS/openssl-fips-provider.spec
new file mode 100644
index 0000000..7c58a9c
--- /dev/null
+++ b/SPECS/openssl-fips-provider.spec
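Review bot: None of the three `openssl` invocations is checked and the script has no `set -e`, so when `openssl rsa` fails (for example if `$PEM` holds a passphrase-protected or non-RSA key — not verifiable from here) `$NEW` is assembled from empty temp files and `mv -f $NEW $PEM` overwrites the original certificate and key with it. `set -e` after the shebang, or `|| exit 1` on each `openssl` line, stops the script before the `mv`. The `trap` only fires on `SIGINT`, so on any other failure the unencrypted key copy in `$KEY` stays behind in `/tmp`; `trap 'rm -f "$REQ" "$KEY" "$CRT" "$NEW"' EXIT` covers every exit path. `OWNER` is parsed out of `ls -l`; `OWNER=$(stat -c '%U:%G' "$PEM")` yields the same owner and group without depending on `ls` column layout.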
@@ -0,0 +1,347 @@
+# For the curious:
+# 0.9.8jk + EAP-FAST soversion = 8
+# 1.0.0 soversion = 10
+# 1.1.0 soversion = 1.1 (same as upstream although presence of some symbols
+# depends on build configuration options)
+# 3.0.0 soversion = 3 (same as upstream)
+%define soversion 3
+
+# Arches on which we need to prevent arch conflicts on opensslconf.h, must
+# also be handled in opensslconf-new.h.
+%define multilib_arches %{ix86} ia64 %{mips} ppc ppc64 s390 s390x sparcv9 sparc64 x86_64
+
+%global _performance_build 1
+
+Summary: FIPS module for OpenSSL
+Name: openssl-fips-provider
+Version: 3.0.7
+Release: 2%{?dist}
+
+# We have to remove certain patented algorithms from the openssl source
+# tarball with the hobble-openssl script which is included below.
+# The original openssl upstream tarball cannot be shipped in the .src.rpm.
+Source: openssl-%{version}-hobbled.tar.gz
+Source1: hobble-openssl
+Source2: Makefile.certificate
+Source3: genpatches
+Source6: make-dummy-cert
+Source7: renew-dummy-cert
+Source9: configuration-switch.h
+Source10: configuration-prefix.h
+Source12: ec_curve.c
+Source13: ectest.c
+Source14: 0025-for-tests.patch
+Source15: fips_module-3.0.7-18.el9_2.tar.gz
+
+# Patches exported from source git
+# Aarch64 and ppc64le use lib64
+Patch1: 0001-Aarch64-and-ppc64le-use-lib64.patch
+# Use more general default values in openssl.cnf
+Patch2: 0002-Use-more-general-default-values-in-openssl.cnf.patch
+# Do not install html docs
+Patch3: 0003-Do-not-install-html-docs.patch
+# Override default paths for the CA directory tree
+Patch4: 0004-Override-default-paths-for-the-CA-directory-tree.patch
+# apps/ca: fix md option help text
+Patch5: 0005-apps-ca-fix-md-option-help-text.patch
+# Disable signature verification with totally unsafe hash algorithms
+Patch6: 0006-Disable-signature-verification-with-totally-unsafe-h.patch
+# Add support for PROFILE=SYSTEM system default cipherlist
+Patch7: 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
+# Add FIPS_mode() compatibility macro
+Patch8: 0008-Add-FIPS_mode-compatibility-macro.patch
+# Add check to see if fips flag is enabled in kernel
+Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch
+# remove unsupported EC curves
+Patch11: 0011-Remove-EC-curves.patch
+# Disable explicit EC curves
+# https://bugzilla.redhat.com/show_bug.cgi?id=2066412
+Patch12: 0012-Disable-explicit-ec.patch
+# Instructions to load legacy provider in openssl.cnf
+Patch24: 0024-load-legacy-prov.patch
+# Tmp: test name change
+Patch31: 0031-tmp-Fix-test-names.patch
+# We load FIPS provider and set FIPS properties implicitly
+Patch32: 0032-Force-fips.patch
+# Embed HMAC into the fips.so
+Patch33: 0033-FIPS-embed-hmac.patch
+# Comment out fipsinstall command-line utility
+Patch34: 0034.fipsinstall_disable.patch
+# Skip unavailable algorithms running `openssl speed`
+Patch35: 0035-speed-skip-unavailable-dgst.patch
+# Extra public/private key checks required by FIPS-140-3
+Patch44: 0044-FIPS-140-3-keychecks.patch
+# Minimize fips services
+Patch45: 0045-FIPS-services-minimize.patch
+# Execute KATS before HMAC verification
+Patch47: 0047-FIPS-early-KATS.patch
+# Selectively disallow SHA1 signatures
+Patch49: 0049-Selectively-disallow-SHA1-signatures.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2049265
+Patch50: 0050-FIPS-enable-pkcs12-mac.patch
+# Backport of patch for RHEL for Edge rhbz #2027261
+Patch51: 0051-Support-different-R_BITS-lengths-for-KBKDF.patch
+# Allow SHA1 in seclevel 2 if rh-allow-sha1-signatures = yes
+Patch52: 0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
+# Originally from https://github.com/openssl/openssl/pull/18103
+# As we rebased to 3.0.7 and used the version of the function
+# not matching the upstream one, we have to use aliasing.
+# When we eliminate this patch, the `-Wl,--allow-multiple-definition`
+# should also be removed
+Patch56: 0056-strcasecmp.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2053289
+Patch58: 0058-FIPS-limit-rsa-encrypt.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2069235
+Patch60: 0060-FIPS-KAT-signature-tests.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2087147
+Patch61: 0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch
+Patch62: 0062-fips-Expose-a-FIPS-indicator.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2130708
+# https://github.com/openssl/openssl/pull/18883
+Patch67: 0067-ppc64le-Montgomery-multiply.patch
+# https://github.com/openssl/openssl/commit/44a563dde1584cd9284e80b6e45ee5019be8d36c
+# https://github.com/openssl/openssl/commit/345c99b6654b8313c792d54f829943068911ddbd
+Patch71: 0071-AES-GCM-performance-optimization.patch
+# https://github.com/openssl/openssl/commit/f596bbe4da779b56eea34d96168b557d78e1149
+# https://github.com/openssl/openssl/commit/7e1f3ffcc5bc15fb9a12b9e3bb202f544c6ed5aa
+# hunks in crypto/ppccap.c from https://github.com/openssl/openssl/commit/f5485b97b6c9977c0d39c7669b9f97a879312447
+Patch72: 0072-ChaCha20-performance-optimizations-for-ppc64le.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2102535
+Patch73: 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2102535
+Patch74: 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2102535
+Patch75: 0075-FIPS-Use-FFDHE2048-in-self-test.patch
+# Downstream only. Reseed DRBG using getrandom(GRND_RANDOM)
+# https://bugzilla.redhat.com/show_bug.cgi?id=2102541
+Patch76: 0076-FIPS-140-3-DRBG.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2102542
+Patch77: 0077-FIPS-140-3-zeroization.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2114772
+# https://bugzilla.redhat.com/show_bug.cgi?id=2141695
+# https://bugzilla.redhat.com/show_bug.cgi?id=2160733
+# https://bugzilla.redhat.com/show_bug.cgi?id=2164763
+Patch78: 0078-KDF-Add-FIPS-indicators.patch
+#https://bugzilla.redhat.com/show_bug.cgi?id=2141748
+Patch80: 0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2142131
+Patch81: 0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2136250
+Patch83: 0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2137557
+Patch84: 0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
+#https://bugzilla.redhat.com/show_bug.cgi?id=2142121
+Patch85: 0085-FIPS-RSA-disable-shake.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2142087
+Patch88: 0088-signature-Add-indicator-for-PSS-salt-length.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2142087
+Patch89: 0089-PSS-salt-length-from-provider.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2142087
+Patch90: 0090-signature-Clamp-PSS-salt-len-to-MD-len.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2144561
+Patch91: 0091-FIPS-RSA-encapsulate.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2142517
+Patch92: 0092-provider-improvements.patch
+# FIPS-95
+Patch93: 0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
+
+# OpenSSL 3.0.8 CVEs
+Patch101: 0101-CVE-2022-4203-nc-match.patch
+Patch102: 0102-CVE-2022-4304-RSA-time-oracle.patch
+Patch103: 0103-CVE-2022-4450-pem-read-bio.patch
+Patch104: 0104-CVE-2023-0215-UAF-bio.patch
+Patch105: 0105-CVE-2023-0216-pkcs7-deref.patch
+Patch106: 0106-CVE-2023-0217-dsa.patch
+Patch107: 0107-CVE-2023-0286-X400.patch
+Patch108: 0108-CVE-2023-0401-pkcs7-md.patch
+
+# https://bugzilla.redhat.com/show_bug.cgi?id=2169314
+Patch109: 0109-fips-Zeroize-out-in-fips-selftest.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2168289
+Patch110: 0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2175145
+Patch111: 0111-fips-Use-salt-16-bytes-in-PBKDF2-selftest.patch
+Patch112: 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2179331
+Patch113: 0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2157951
+Patch114: 0114-FIPS-enforce-EMS-support.patch
+
+# X.509 policies minor CVEs
+Patch115: 0115-CVE-2023-0464.patch
+Patch116: 0116-CVE-2023-0465.patch
+Patch117: 0117-CVE-2023-0466.patch
+# AES-XTS CVE
+Patch118: 0118-CVE-2023-1255.patch
+#https://github.com/openssl/openssl/pull/13817
+#https://bugzilla.redhat.com/show_bug.cgi?id=2153471
+Patch120: 0120-RSA-PKCS15-implicit-rejection.patch
+# ASN.1 OID parse CVE
+Patch122: 0122-CVE-2023-2650.patch
+# https://github.com/openssl/openssl/pull/19386
+Patch123: 0123-ibmca-atexit-crash.patch
+Patch128: 0128-CVE-2023-5363.patch
+# https://github.com/openssl/openssl/pull/22403
+Patch129: 0129-rsa-Add-SP800-56Br2-6.4.1.2.1-3.c-check.patch
+
+License: ASL 2.0
+URL: http://www.openssl.org/
+BuildRequires: gcc g++
+BuildRequires: coreutils, perl-interpreter, sed, zlib-devel, /usr/bin/cmp
+BuildRequires: lksctp-tools-devel
+BuildRequires: /usr/bin/rename
+BuildRequires: /usr/bin/pod2man
+BuildRequires: /usr/sbin/sysctl
+BuildRequires: perl(Test::Harness), perl(Test::More), perl(Math::BigInt)
+BuildRequires: perl(Module::Load::Conditional), perl(File::Temp)
+BuildRequires: perl(Time::HiRes), perl(IPC::Cmd), perl(Pod::Html), perl(Digest::SHA)
+BuildRequires: perl(FindBin), perl(lib), perl(File::Compare), perl(File::Copy), perl(bigint)
+BuildRequires: git-core
+Requires: coreutils
+Conflicts: openssl-libs < 1:3.0.7-26
+
+%description
+This package provides a custom build of the OpenSSL FIPS module that has been
+submitted to NIST for certification.
+
+%prep
+%autosetup -S git -n openssl-%{version}
+
+# The hobble_openssl is called here redundantly, just to be sure.
+# The tarball has already the sources removed.
+%{SOURCE1} > /dev/null
+
+cp %{SOURCE12} crypto/ec/
+cp %{SOURCE13} test/
+tar xf %{SOURCE15}
+
+## NOTE: we do a full build every time to endure our ability to build
+## from source as needed, but in RHEL we ultimately throw away all
+## binaries and replace with the certified one.
+%build
+# Figure out which flags we want to use.
+# default
+sslarch=%{_os}-%{_target_cpu}
+%ifarch %ix86
+sslarch=linux-elf
+if ! echo %{_target} | grep -q i686 ; then
+ sslflags="no-asm 386"
+fi
+%endif
+%ifarch x86_64
+sslflags=enable-ec_nistp_64_gcc_128
+%endif
+%ifarch sparcv9
+sslarch=linux-sparcv9
+sslflags=no-asm
+%endif
+%ifarch sparc64
+sslarch=linux64-sparcv9
+sslflags=no-asm
+%endif
+%ifarch alpha alphaev56 alphaev6 alphaev67
+sslarch=linux-alpha-gcc
+%endif
+%ifarch s390 sh3eb sh4eb
+sslarch="linux-generic32 -DB_ENDIAN"
+%endif
+%ifarch s390x
+sslarch="linux64-s390x"
+%endif
+%ifarch %{arm}
+sslarch=linux-armv4
+%endif
+%ifarch aarch64
+sslarch=linux-aarch64
+sslflags=enable-ec_nistp_64_gcc_128
+%endif
+%ifarch sh3 sh4
+sslarch=linux-generic32
+%endif
+%ifarch ppc64 ppc64p7
+sslarch=linux-ppc64
+%endif
+%ifarch ppc64le
+sslarch="linux-ppc64le"
+sslflags=enable-ec_nistp_64_gcc_128
+%endif
+%ifarch mips mipsel
+sslarch="linux-mips32 -mips32r2"
+%endif
+%ifarch mips64 mips64el
+sslarch="linux64-mips64 -mips64r2"
+%endif
+%ifarch mips64el
+sslflags=enable-ec_nistp_64_gcc_128
+%endif
+%ifarch riscv64
+sslarch=linux-generic64
+%endif
+
+# Add -Wa,--noexecstack here so that libcrypto's assembler modules will be
+# marked as not requiring an executable stack.
+# Also add -DPURIFY to make using valgrind with openssl easier as we do not
+# want to depend on the uninitialized memory as a source of entropy anyway.
+RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DPURIFY $RPM_LD_FLAGS"
+
+export HASHBANGPERL=/usr/bin/perl
+
+%define fips %{version}-395c1a240fbfffd8
+# ia64, x86_64, ppc are OK by default
+# Configure the build tree. Override OpenSSL defaults with known-good defaults
+# usable on all platforms. The Configure script already knows to use -fPIC and
+# RPM_OPT_FLAGS, so we can skip specifiying them here.
+./Configure \
+ --prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
+ --system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
+ zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
+ enable-cms enable-md2 enable-rc5 enable-ktls enable-fips\
+ no-mdc2 no-ec2m no-sm2 no-sm4 enable-buildtest-c++\
+ shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\"" -DREDHAT_FIPS_VERSION="\"%{fips}\""'\
+ -Wl,--allow-multiple-definition
+
+# Do not run this in a production package the FIPS symbols must be patched-in
+#util/mkdef.pl crypto update
+
+make %{?_smp_mflags} all
+
+%check
+#We re not using the actual built bits, so skip any checks on those binaries.
+
+
+# Replace the binary after all debugging info is extracted so we can ship
+# working debuginfo files
+%define __spec_install_post \
+ %{?__debug_package:%{__debug_install_post}} \
+ %{__arch_install_post} \
+ %{__os_install_post} \
+ cp fips_module/fips.so.%{_arch} $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so \
+%{nil}
+
+%define __provides_exclude_from %{_libdir}/openssl
+
+%install
+install -d $RPM_BUILD_ROOT{%{_bindir},%{_includedir},%{_libdir},%{_mandir},%{_libdir}/openssl,%{_pkgdocdir}}
+%make_install
+rm -fr $RPM_BUILD_ROOT%{_bindir}
+rm -fr $RPM_BUILD_ROOT%{_includedir}
+rm -fr $RPM_BUILD_ROOT%{_libdir}/engines-3
+rm -fr $RPM_BUILD_ROOT%{_libdir}/libcrypto.*
+rm -fr $RPM_BUILD_ROOT%{_libdir}/libssl.*
+rm -fr $RPM_BUILD_ROOT%{_libdir}/openssl
+rm -fr $RPM_BUILD_ROOT%{_libdir}/ossl-modules/legacy.so
+rm -fr $RPM_BUILD_ROOT%{_libdir}/pkgconfig
+rm -fr $RPM_BUILD_ROOT%{_mandir}
+rm -fr $RPM_BUILD_ROOT%{_pkgdocdir}
+rm -fr $RPM_BUILD_ROOT%{_sysconfdir}
+
+%files
+%attr(0755,root,root) %{_libdir}/ossl-modules/fips.so
+
+%changelog
+* Wed Feb 21 2024 Dmitry Belyavskiy - 3.0.7-2
+- Denote conflict with old versions of openssl-libs package
+ Related: RHEL-23474
+
+* Wed Jan 24 2024 Simo Sorce - 3.0.7-1
+Initial packaging